feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain

- Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD
- Update allowed_return_urls and selfservice URLs: chat→messages
- Add Kratos verification flow, employee/external identity schemas
- Extend session lifespan to 30 days with persistent cookies
- Route messages.* to tuwunel via Pingora with WebSocket support
- Replace login-ui with kratos-admin-ui as unified auth frontend
- Update TLS certificate SANs: chat→messages, add monitoring subdomains
- Add tuwunel + La Suite images to production overlay
- Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
This commit is contained in:
2026-03-10 18:52:47 +00:00
parent 584e98316b
commit e5741c4df6
10 changed files with 101 additions and 29 deletions


@@ -21,7 +21,7 @@ data:
key_path = "/etc/tls/tls.key"
[telemetry]
otlp_endpoint = "http://tempo.monitoring.svc.cluster.local:4318"
otlp_endpoint = ""
metrics_port = 9090
# Kubernetes resource names for cert/config watchers.
@@ -31,22 +31,20 @@ data:
tls_secret = "pingora-tls"
config_configmap = "pingora-config"
# DDoS detection — KNN-based per-IP behavioral classification.
# DDoS detection — decision tree + MLP ensemble (compiled-in weights).
[ddos]
enabled = true
model_path = "/models/ddos_model.bin"
k = 5
observe_only = true
threshold = 0.6
window_secs = 60
window_capacity = 1000
min_events = 10
# Scanner detection — logistic regression per-request classification.
# Scanner detection — decision tree + MLP ensemble (compiled-in weights).
[scanner]
enabled = true
model_path = "/models/scanner_model.bin"
observe_only = true
threshold = 0.5
poll_interval_secs = 30
bot_cache_ttl_secs = 86400
[[scanner.allowlist]]
@@ -61,6 +59,10 @@ data:
dns_suffixes = ["search.msn.com"]
cidrs = ["40.77.167.0/24", "157.55.39.0/24"]
[[scanner.allowlist]]
ua_prefix = "containerd"
reason = "Container registry client (buildkitd/containerd)"
# Rate limiting — leaky bucket per-identity throttling.
[rate_limit]
enabled = true
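Review bot: The new allowlist entry keyed only on `ua_prefix = "containerd"` exempts requests from scanner scoring based on a client-supplied header, whereas the existing entry above it pins its match with `dns_suffixes` and `cidrs`. With `observe_only = true` this is only a gap in the observations today, but it becomes a bypass the moment the scanner is switched to enforcement. Constrain the entry to the source ranges the registry clients actually come from, e.g. `cidrs = ["<cluster-node-cidr>"]`, or state in the `reason` why an address restriction is not possible. Separately, the first hunk replaces the Tempo `otlp_endpoint` with `""`, which presumably disables trace export; the commit message does not mention it, so either restore the endpoint or document it with `# OTLP export disabled: <reason>` above the key.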
@@ -146,7 +148,7 @@ data:
backend = "http://messages-frontend.lasuite.svc.cluster.local:80"
[[routes]]
host_prefix = "chat"
host_prefix = "messages"
backend = "http://tuwunel.matrix.svc.cluster.local:6167"
websocket = true
@@ -181,10 +183,10 @@ data:
backend = "http://gitea-http.devtools.svc.cluster.local:3000"
websocket = true
# auth: login-ui handles browser UI; Hydra handles OAuth2/OIDC; Kratos handles self-service flows.
# auth: unified IAM dashboard; Hydra handles OAuth2/OIDC; Kratos handles self-service flows.
[[routes]]
host_prefix = "auth"
backend = "http://login-ui.ory.svc.cluster.local:3000"
backend = "http://kratos-admin-ui.ory.svc.cluster.local:3000"
[[routes.paths]]
prefix = "/oauth2"
@@ -204,10 +206,6 @@ data:
backend = "http://kratos-public.ory.svc.cluster.local:80"
strip_prefix = true
[[routes]]
host_prefix = "admin"
backend = "http://kratos-admin-ui.ory.svc.cluster.local:3000"
[[routes]]
host_prefix = "integration"
backend = "http://integration.lasuite.svc.cluster.local:80"