feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA

Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
2026-03-01 16:25:11 +00:00
parent a589e6280d
commit cdddc334ff
15 changed files with 391 additions and 64 deletions
--- a/base/ingress/pingora-deployment.yaml
+++ b/base/ingress/pingora-deployment.yaml
@@ -5,6 +5,9 @@ metadata:
  namespace: ingress
 spec:
  replicas: 1
+  # Recreate avoids rolling-update conflicts (single-node; hostPorts in local overlay)
+  strategy:
+    type: Recreate
  selector:
    matchLabels:
      app: pingora
@@ -16,9 +19,10 @@ spec:
        # Pingora terminates TLS at the mesh boundary; sidecar injection is disabled here
        linkerd.io/inject: disabled
    spec:
+      serviceAccountName: pingora
      containers:
        - name: pingora
-          image: nginx:alpine   # placeholder until custom Pingora image is built
+          image: sunbeam-proxy:latest   # overridden per overlay via kustomize images:
          ports:
            - name: http
              containerPort: 80
@@ -34,19 +38,20 @@ spec:
            - name: config
              mountPath: /etc/pingora
              readOnly: true
+            # /etc/tls is an emptyDir written by the proxy via the K8s API on
+            # startup and on cert renewal, so Pingora always reads a fresh cert
+            # without depending on kubelet volume-sync timing.
            - name: tls
              mountPath: /etc/tls
-              readOnly: true
          resources:
            limits:
-              memory: 64Mi
+              memory: 256Mi
            requests:
-              memory: 32Mi
-              cpu: 50m
+              memory: 128Mi
+              cpu: 100m
      volumes:
        - name: config
          configMap:
            name: pingora-config
        - name: tls
-          secret:
-            secretName: pingora-tls
+          emptyDir: {}