From 3003793f0c27885d209d9d0ae8a6c6ef98ef926b Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Fri, 19 May 2023 14:38:26 +0800 Subject: [PATCH 1/6] fix(gotosocial): postgres-init image hash --- kube/3-deploy/2-apps/gotosocial/app/hr.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml index 3b3f7721..815997bd 100644 --- a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml +++ b/kube/3-deploy/2-apps/gotosocial/app/hr.yaml @@ -81,10 +81,10 @@ spec: cpu: 10m memory: 128Mi limits: - memory: 6000Mi + memory: 1024Mi initContainers: 01-init-db: - image: ghcr.io/onedr0p/postgres-init:14.8 + image: ghcr.io/onedr0p/postgres-init:14.8@sha256:d8391076d2c6449927a6409c4e72aaa5607c95be51969036f4feeb7c999638ea imagePullPolicy: IfNotPresent envFrom: - secretRef: From ea64fb9bdfa4a489f1b8b81981841a3ad2d6c6b5 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Fri, 19 May 2023 14:43:32 +0800 Subject: [PATCH 2/6] feat(templates): update hr --- kube/templates/test/app/hr.yaml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml index f830a69c..7556bb31 100644 --- a/kube/templates/test/app/hr.yaml +++ b/kube/templates/test/app/hr.yaml @@ -8,10 +8,10 @@ spec: chart: spec: chart: app-template - version: 1.4.0 + version: 1.5.0 sourceRef: - kind: HelmRepository name: bjw-s + kind: HelmRepository namespace: flux-system values: controller: @@ -25,12 +25,11 @@ spec: main: enabled: true type: LoadBalancer - externalTrafficPolicy: Local + # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work + externalTrafficPolicy: Cluster annotations: coredns.io/hostname: "${APP_DNS_${APPNAME}}" "io.cilium/lb-ipam-ips": "${APP_IP_${APPNAME}}" - externalIPs: - - "${APP_IP_${APPNAME}}" ports: http: enabled: true 
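Review bot: With `externalTrafficPolicy: Cluster` in the second hunk on this line (PATCH 2/6, `kube/templates/test/app/hr.yaml`), client source IPs survive only while Cilium's DSR load balancing is actually in effect for the traffic in question. The new comment therefore carries a security-relevant assumption into every service copied from this template: without DSR, access logs, rate limits and IP allowlists would see node addresses. I would make the comment say when to revert, e.g. `# eTP Cluster relies on Cilium DSR to preserve client source IP; use Local if DSR is off (or for UDP if Cilium runs in hybrid mode)`. The `service.main` block continues past the end of the hunk.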
@@ -153,3 +152,11 @@ spec: name: data - mountPath: /config name: config + 01-init-db: + image: ghcr.io/onedr0p/postgres-init:14.8@sha256:d8391076d2c6449927a6409c4e72aaa5607c95be51969036f4feeb7c999638ea + imagePullPolicy: IfNotPresent + envFrom: + - secretRef: + name: gotosocial-pg + - secretRef: + name: gotosocial-pg-superuser From 891acf3006fff7a780cf047f2fe57303568bef6c Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Sat, 20 May 2023 22:50:02 +0800 Subject: [PATCH 3/6] feat(ingress): add default-backend --- .../05-ingress/nginx/default-backend.yaml | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml diff --git a/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml new file mode 100644 index 00000000..ba061c9e --- /dev/null +++ b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: default-backend + namespace: ingress +spec: + chart: + spec: + chart: app-template + version: 1.5.0 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system + values: + controller: + type: daemonset + image: + repository: public.ecr.aws/docker/library/busybox + tag: 1.36.1-glibc + command: ["busybox", "sh", "-c"] + args: ["wget 'https://jjgadgets.tech/error' -O /dev/shm/error.html && httpd -f -v -p 8080 -h /dev/shm"] + service: + main: + ports: + http: + port: 80 + targetPort: 8080 + podSecurityContext: + runAsUser: &uid 404200 + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + memory: 256Mi From b99642305493e89df4415e882ae6765d4d238e7c Mon Sep 17 00:00:00 2001 
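Review bot: The added `01-init-db` block in the generic template hard-codes `gotosocial-pg` and `gotosocial-pg-superuser` under `envFrom`, so any app scaffolded from this template would load another app's Postgres superuser credentials unless the author remembers to edit them. The rest of the template visible in this patch uses `${APPNAME}` placeholders, so `name: "${APPNAME}-pg"` and `name: "${APPNAME}-pg-superuser"` would keep the example from pointing at a real secret (the naming scheme is my assumption; adjust to the repo's convention). The hunk shows only the tail of the enclosing block, so I cannot confirm from here that the new key lands under `initContainers`.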
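Review bot: The `args` line in the new `default-backend.yaml` downloads the error page at every container start and only then launches `httpd`, so this backend serves whatever answers for that hostname at pod start; as far as I know BusyBox `wget` with its built-in TLS client does not validate the server certificate, so `https://` gives no authenticity here. Because of the `&&`, a failed download also leaves the pod with no listener. Prefer shipping the page in a ConfigMap mounted at the httpd root, or at least gate the server on a pinned hash: `... -O /dev/shm/error.html && echo '<sha256-of-page>  /dev/shm/error.html' | sha256sum -c - && httpd ...`. The busybox image is also referenced by tag only, unlike the digest-pinned postgres-init image earlier in this series; `tag: 1.36.1-glibc@sha256:<digest>` would match that practice. The same `args` line is edited again in PATCH 6/6 and the point applies there too.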
From: JJGadgets Date: Sat, 20 May 2023 23:43:00 +0800 Subject: [PATCH 4/6] feat(ingress-nginx): custom error page --- kube/3-deploy/1-core/05-ingress/nginx/install.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml index 510c85d3..2c084ded 100644 --- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml +++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml @@ -33,6 +33,7 @@ spec: enabled: true extraArgs: default-ssl-certificate: ingress/short-domain-tls + default-backend-service: default-backend ingressClassByName: true nodeSelector: node-restriction.kubernetes.io/nodeType: main @@ -43,6 +44,7 @@ spec: disable-access-log: "false" log-format-escape-json: "true" # hardening + custom-http-errors: 400,401,403,404,405,409,410,411,412,413,414,415,416,417,418,421,425,431,451,500,501,502,503,504,505,506,510 hsts-max-age: "31449600" hsts-preload: "true" ssl-protocols: TLSv1.3 TLSv1.2 From c963d0cf7d162be7ce60bd1a87fafbbd25352c40 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Sat, 20 May 2023 23:59:24 +0800 Subject: [PATCH 5/6] Update install.yaml --- kube/3-deploy/1-core/05-ingress/nginx/install.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml index 2c084ded..0add0a62 100644 --- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml +++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml @@ -33,7 +33,7 @@ spec: enabled: true extraArgs: default-ssl-certificate: ingress/short-domain-tls - default-backend-service: default-backend + default-backend-service: ingress/default-backend ingressClassByName: true nodeSelector: node-restriction.kubernetes.io/nodeType: main From 2c6fa155df7d5c013121076c8029c80cc4d9252d Mon Sep 17 00:00:00 2001 
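Review bot: `custom-http-errors` in the second hunk of PATCH 4/6 now intercepts 401 and 403 along with most other 4xx/5xx codes for every Ingress behind this controller, replacing upstream error bodies (and, I believe, headers such as `WWW-Authenticate`) with the default backend's response. ingress-nginx expects the error backend to answer with the status passed in the `X-Code` request header; a plain static file server like the busybox `httpd` added in PATCH 3/6 will presumably answer 200, which would turn authentication failures and server errors into successes for clients and monitoring. Consider starting with a short list and quoting it like the neighbouring keys, e.g. `custom-http-errors: "404,502,503,504"`, until the backend can echo the original status. The enclosing mapping starts outside the hunk.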
From: JJGadgets Date: Sun, 21 May 2023 01:03:49 +0800 Subject: [PATCH 6/6] fix: default-backend --- kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml index ba061c9e..df635a54 100644 --- a/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml +++ b/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml @@ -20,7 +20,7 @@ spec: repository: public.ecr.aws/docker/library/busybox tag: 1.36.1-glibc command: ["busybox", "sh", "-c"] - args: ["wget 'https://jjgadgets.tech/error' -O /dev/shm/error.html && httpd -f -v -p 8080 -h /dev/shm"] + args: ["wget 'https://jjgadgets.tech/error.zstd' -O /dev/shm/index.html && httpd -f -v -p 8080 -h /dev/shm"] service: main: ports:
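Review bot: The download target is now named `error.zstd` but is written to `index.html` and served as-is; if the object really is zstd-compressed, busybox `httpd` will send the compressed bytes without a `Content-Encoding` header and browsers will not render the page. If compression is intended, decompress before serving or publish an uncompressed copy; otherwise a one-line comment above `args` stating what format the URL returns would save the next reader from guessing. The enclosing `values` block continues outside the hunk.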