studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA

Browse Source 
Ingress:
- Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder
- HTTPS termination with mkcert (local) / rustls-acme (production)
- Host-prefix routing with path-based sub-routing for auth virtual host:
  /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui
- HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub
- cert-manager HTTP-01 ACME challenge routing via Ingress watcher
- RBAC for Ingress watcher (pingora-watcher ClusterRole)
- local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict

Infrastructure:
- socket_vmnet shared network for host↔VM reachability (192.168.105.2)
- local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution
- Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods
- Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25
- Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-01 16:25:11 +00:00
parent a589e6280d
commit cdddc334ff
15 changed files with 391 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
overlays/local/kustomization.yaml
View File

@@ -20,12 +20,26 @@ resources:
- ../../base/media
- ../../base/devtools
images:
# Local dev: image is built and imported directly into k3s containerd.
# imagePullPolicy: Never is set in values-pingora.yaml so k3s never tries to pull.
# Production overlay points this at src.DOMAIN_SUFFIX/sunbeam/sunbeam-proxy:latest.
- name: sunbeam-proxy
newName: sunbeam-proxy
newTag: dev
patches:
# Disable rustls-acme; add hostPort for TURN relay range on Lima VM
# Add hostPort for TURN relay range on Lima VM
- path: values-pingora.yaml
target:
kind: Deployment
name: pingora
# Downgrade LiveKit TURN service from LoadBalancer → ClusterIP (klipper would take hostPort 443)
- path: values-livekit.yaml
target:
kind: Service
name: livekit-server-turn
# Apply §10.7 memory limits to all Deployments
- path: values-resources.yaml