feat(ingress): route lk-jwt-service paths + bare domain well-known

Split livekit.* requests: /sfu/get, /healthz, /get_token → lk-jwt-service, everything else → livekit-server (WebSocket). Add sunbeam.pt bare domain route so Element X can discover RTC foci from the server_name.
2026-03-25 13:23:59 +00:00
parent 4837983380
commit 84c5548f2e
1 changed files with 27 additions and 17 deletions
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -120,6 +120,10 @@ data:
      prefix  = "/oidc/"
      backend = "http://meet-backend.lasuite.svc.cluster.local:80"

+      [[routes.paths]]
+      prefix  = "/external-api/"
+      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
+
      [[routes.paths]]
      prefix  = "/static/"
      backend = "http://meet-backend.lasuite.svc.cluster.local:80"
@@ -164,23 +168,6 @@ data:
      prefix  = "/.well-known/matrix"
      backend = "http://tuwunel.matrix.svc.cluster.local:6167"

-    [[routes]]
-    host_prefix = "people"
-    backend     = "http://people-frontend.lasuite.svc.cluster.local:80"
-
-      # Backend handles the API, Django admin, and OAuth2 provider.
-      [[routes.paths]]
-      prefix  = "/api/"
-      backend = "http://people-backend.lasuite.svc.cluster.local:80"
-
-      [[routes.paths]]
-      prefix  = "/admin/"
-      backend = "http://people-backend.lasuite.svc.cluster.local:80"
-
-      [[routes.paths]]
-      prefix  = "/o/"
-      backend = "http://people-backend.lasuite.svc.cluster.local:80"
-
    [[routes]]
    host_prefix = "find"
    backend     = "http://find-backend.lasuite.svc.cluster.local:8000"
@@ -255,6 +242,19 @@ data:
    backend     = "http://livekit-server.media.svc.cluster.local:80"
    websocket   = true

+      # lk-jwt-service: Element Call token exchange (MSC4143)
+      [[routes.paths]]
+      prefix  = "/sfu/get"
+      backend = "http://lk-jwt-service.media.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/healthz"
+      backend = "http://lk-jwt-service.media.svc.cluster.local:80"
+
+      [[routes.paths]]
+      prefix  = "/get_token"
+      backend = "http://lk-jwt-service.media.svc.cluster.local:80"
+
    [[routes]]
    host_prefix = "cal"
    backend     = "http://calendars-frontend.lasuite.svc.cluster.local:80"
@@ -348,6 +348,16 @@ data:
      backend      = "http://openbao.data.svc.cluster.local:8200"
      auth_request = "http://hydra-public.ory.svc.cluster.local:4444/userinfo"

+    # Bare domain (sunbeam.pt) — serves .well-known/matrix delegation only.
+    # The proxy splits on '.', so sunbeam.pt yields prefix "sunbeam".
+    [[routes]]
+    host_prefix = "sunbeam"
+    backend     = "http://tuwunel.matrix.svc.cluster.local:6167"
+
+      [[routes.paths]]
+      prefix  = "/.well-known/matrix"
+      backend = "http://tuwunel.matrix.svc.cluster.local:6167"
+
    # SSH TCP passthrough: port 22 → Gitea SSH pod (headless service → pod:2222).
    [ssh]
    listen  = "0.0.0.0:22"