fix: meet external-api route, drive media proxy, alertbot, misc tweaks

- Meet: add external-api backend path, CSRF trusted origins
- Drive: fix media proxy regex for preview URLs and S3 key signing
- OpenBao: enable Prometheus telemetry
- Postgres alerts: fix metric name (cnpg_backends_total)
- Gitea: bump memory limits for mirror workloads
- Alertbot: expanded deployment config
- Kratos: add find/cal/projects to allowed return URLs, settings path
- Pingora: meet external-api route fix
- Sol: config update
2026-03-25 18:01:15 +00:00
parent eab91eb85d
commit 9f15f5099e
10 changed files with 139 additions and 31 deletions


@@ -50,9 +50,15 @@ data:
}
# Protected media: auth via Drive backend, then proxy to S3 with signed headers.
# media-auth returns S3 SigV4 Authorization/X-Amz-Date headers; nginx captures
# and forwards them so SeaweedFS can verify the request.
location /media/ {
# media-auth returns SigV4 Authorization/X-Amz-Date/X-Amz-Content-SHA256
# headers signed for the S3 key (item/UUID/file). nginx captures them and
# forwards to SeaweedFS. The regex strips /media/ and optional /preview/
# so the proxy path matches the signed S3 key exactly.
location ~ ^/media/(preview/)?(.*) {
set $original_uri $request_uri;
set $s3_key $2;
resolver kube-dns.kube-system.svc.cluster.local valid=30s;
set $s3_backend http://seaweedfs-filer.storage.svc.cluster.local:8333;
auth_request /internal/media-auth;
auth_request_set $auth_header $upstream_http_authorization;
auth_request_set $amz_date $upstream_http_x_amz_date;
@@ -60,7 +66,7 @@ data:
proxy_set_header Authorization $auth_header;
proxy_set_header X-Amz-Date $amz_date;
proxy_set_header X-Amz-Content-Sha256 $amz_content;
proxy_pass http://seaweedfs-filer.storage.svc.cluster.local:8333/sunbeam-drive/;
proxy_pass $s3_backend/sunbeam-drive/$s3_key;
}
# Internal subrequest: Django checks session and item access, returns S3 auth headers.
@@ -69,8 +75,9 @@ data:
proxy_pass http://drive-backend.lasuite.svc.cluster.local:80/api/v1.0/items/media-auth/;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Host drive.sunbeam.pt;
proxy_set_header X-Original-URL $scheme://$host$request_uri;
proxy_set_header Cookie $http_cookie;
proxy_set_header Host drive.DOMAIN_SUFFIX;
proxy_set_header X-Original-URL https://drive.DOMAIN_SUFFIX$original_uri;
}
error_page 500 502 503 504 @blank_error;
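Review bot: In the rewritten `location ~ ^/media/(preview/)?(.*)` block, `$s3_key` comes from the regex capture, which nginx matches against the normalized (percent-decoded, dot-segment-resolved) URI, while media-auth is handed the raw `$request_uri` through `$original_uri`; the access check and the object actually fetched are therefore derived from two different parsings of the same URL. That stays fail-closed only while SeaweedFS verifies the SigV4 signature over the request path, so I would state the dependency in the comment above the block, e.g. `# Relies on SeaweedFS rejecting any path that differs from the signed key; keep anonymous read disabled on sunbeam-drive.` I would also anchor and narrow the pattern so an empty or unexpected key never reaches the bucket root, for example `location ~ ^/media/(preview/)?(.+)$ {`, or a stricter item/UUID/file shape if every key follows the form the comment describes. Because `proxy_pass` with variables sends the URI as written, keys containing characters that need percent-encoding will probably fail signature verification and deserve a test. Whether `/internal/media-auth` is marked `internal;` is not visible in these hunks.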