studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f3faf31d4b6314dd75081c9730f48e84291d9171
sbbb/base/ingress/pingora-deployment.yaml
Sienna Meridian Satterwhite 424db43ccf feat(infra): Meet integration, La Suite theming, Pingora SSH + meet routes 
Meet: add backend/frontend/celery deployments and services, meet-config
ConfigMap, nginx SPA config, VSO secrets (meet-db-credentials VDS,
meet-django-secret and meet-livekit VSS). Wire oidc-meet OAuth2Client.

La Suite overlay discipline: move people/docs frontend nginx ConfigMaps
and patches from overlays/local to base so both environments share them.
Remove values-ory.yaml (folded into base). Add docs-frontend nginx config
with sub_filter theming. Add local gitea mkcert CA patch.

Pingora: add [ssh] TCP passthrough block (port 22 → Gitea SSH pod) and
split meet route into frontend default + backend paths for /api/, /admin/,
/oidc/, /static/, /__. Remove now-unused values-pingora.yaml from production
overlay (host ports moved to patch-pingora-hostport.yaml).

Update both overlay kustomizations to reference all new resources and
add meet-backend/meet-frontend image entries.
2026-03-06 12:08:21 +00:00

62 lines
1.8 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
apiVersion: apps/v1
kind: Deployment
metadata:
name: pingora
namespace: ingress
spec:
replicas: 1
# Recreate avoids rolling-update conflicts (single-node; hostPorts in local overlay)
strategy:
type: Recreate
selector:
matchLabels:
app: pingora
template:
metadata:
labels:
app: pingora
annotations:
# Pingora terminates TLS at the mesh boundary; sidecar injection is disabled here
linkerd.io/inject: disabled
spec:
serviceAccountName: pingora
containers:
- name: pingora
image: sunbeam-proxy:latest # overridden per overlay via kustomize images:
imagePullPolicy: IfNotPresent # pre-seeded into containerd; avoids pull deadlock on startup
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: ssh
containerPort: 22
protocol: TCP
- name: turn-udp
containerPort: 3478
protocol: UDP
# TURN relay range 4915249252 exposed via hostPort in local overlay
volumeMounts:
- name: config
mountPath: /etc/pingora
readOnly: true
# /etc/tls is an emptyDir written by the proxy via the K8s API on
# startup and on cert renewal, so Pingora always reads a fresh cert
# without depending on kubelet volume-sync timing.
- name: tls
mountPath: /etc/tls
resources:
limits:
memory: 256Mi
requests:
memory: 128Mi
cpu: 100m
volumes:
- name: config
configMap:
name: pingora-config
- name: tls
emptyDir: {}
Reference in New Issue View Git Blame Copy Permalink