From 0ff327e97841905ff4c4bd86e04b642c3ca0a1bd Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Wed, 15 May 2024 02:43:21 +0800 Subject: [PATCH] feat(external-proxy-x): add Immich share --- .../core/ingress/external-proxy-x/app/hr.yaml | 9 +++++-- .../ingress/external-proxy-x/app/netpol.yaml | 25 +++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 kube/deploy/core/ingress/external-proxy-x/app/netpol.yaml diff --git a/kube/deploy/core/ingress/external-proxy-x/app/hr.yaml b/kube/deploy/core/ingress/external-proxy-x/app/hr.yaml index 11a82997..baa0dd0e 100644 --- a/kube/deploy/core/ingress/external-proxy-x/app/hr.yaml +++ b/kube/deploy/core/ingress/external-proxy-x/app/hr.yaml @@ -95,9 +95,14 @@ spec: bind :80 accept-proxy redirect scheme https code 301 if !{ ssl_fc } # HTTP to HTTPS redirect option forwardfor + use_backend immich if { req.hdr(host) -m str ${APP_DNS_IMMICH} } { path_beg /share/ } use_backend nginx-public if { req.hdr(host) -m end ${DNS_LONG} } use_backend nginx-external if { req.hdr(host) -m end ${DNS_SHORT} } + backend immich + mode http + server immich immich.immich.svc.cluster.local:3001 check + backend nginx-public mode http server nginxpublic nginx-public-controller.ingress.svc.cluster.local:443 ssl verify none sni str(%[ssl_fc_sni]) check check-sni str(external-proxy-x.${DNS_LONG}) @@ -109,8 +114,8 @@ spec: # server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:443 ssl verify required ca-file /tls/ca.pem resources: requests: - cpu: 50m + cpu: 10m memory: 128Mi limits: cpu: 500m - memory: 512Mi \ No newline at end of file + memory: 512Mi diff --git a/kube/deploy/core/ingress/external-proxy-x/app/netpol.yaml b/kube/deploy/core/ingress/external-proxy-x/app/netpol.yaml new file mode 100644 index 00000000..0b53c894 --- /dev/null +++ b/kube/deploy/core/ingress/external-proxy-x/app/netpol.yaml 
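Review bot: The new `use_backend immich` rule gates the Immich backend on `path_beg /share/` alone, and `path_beg` compares the raw, un-normalized request path, so a path that begins with `/share/` but contains dot-segments (plain or percent-encoded) still matches and is forwarded to `immich.immich.svc.cluster.local:3001`. Whether such a request resolves to a non-share route depends on how the backend handles the path, which this hunk does not show. The proxy should not rely on that, so reject these paths ahead of the rule, for example with something along the lines of `http-request deny if { path,url_dec -m sub /../ }`. The `backend immich` server line also speaks plain HTTP while both nginx backends use `ssl`; if that is intentional, a one-line comment such as `# in-cluster plaintext, Immich serves no TLS on 3001` would record it. The frontend section these lines belong to starts outside the hunk.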
@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app external-proxy-x
+ namespace: ingress
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: haproxy
+ app.kubernetes.io/instance: *app
+ ingress:
+ - fromCIDRSet:
+ - cidr: "${IP_EC2_NON_K8S}/32"
+ toPorts:
+ - ports:
+ - port: "80"
+ protocol: TCP
+ - port: "80"
+ protocol: UDP
+ - port: "443"
+ protocol: TCP
+ - port: "443"
+ protocol: UDP
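Review bot: The `toPorts` list opens 80/UDP and 443/UDP, but the only listener visible in this commit's hr.yaml hunk is `bind :80 accept-proxy`, which is TCP. Unless a QUIC bind exists outside the visible hunks, the two `protocol: UDP` entries allow traffic nothing should be receiving and can be dropped to keep the policy least-privilege. The policy also has no `egress` section, so by itself it does not limit what the proxy pod can reach; if the intent is to confine the proxy to its three backends, that needs an egress rule here or confirmation that one exists elsewhere. Because the frontend trusts the PROXY-protocol header from its peer, a comment above `fromCIDRSet` such as `# only the external relay may connect; HAProxy trusts its accept-proxy header` would make the reason for the /32 restriction explicit.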