Merge branch 'main' of github.com:JJGadgets/Biohazard

2026-01-28 02:18:24 +00:00 · 2023-05-18 22:08:14 +08:00
parent 734581cd58 fd9479d308
commit d05350f4f9
6 changed files with 12 additions and 7 deletions
--- a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
@@ -51,6 +51,10 @@ spec:
            ingress:
              - hostname: "cftest.${DNS_SHORT}"
                service: hello_world
+              - hostname: "social.jjgadgets.tech"
+                service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
+                originRequest:
+                  originServerName: "social.jjgadgets.tech"
              - hostname: "*.${DNS_SHORT}"
                service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
                originRequest:
--- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
+++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
@@ -23,7 +23,8 @@ spec:
      service:
        enabled: true
        type: LoadBalancer
-        externalTrafficPolicy: Local
+        # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work
+        externalTrafficPolicy: Cluster
        annotations:
          "io.cilium/lb-ipam-ips": "${APP_IP_NGINX}"
        externalIPs:
--- a/kube/3-deploy/2-apps/authentik/app/hr.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/hr.yaml
@@ -30,6 +30,9 @@ spec:
      annotations:
        external-dns.alpha.kubernetes.io/target: "${DNS_MAIN_CF}"
        external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+        # WebSockets (used for frontend to backend connection)
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
      hosts:
        - host: &host "${APP_DNS_AUTH}"
          paths:
@@ -55,6 +58,7 @@ spec:
        enabled: false
        send_pii: false
      postgresql:
+        enabled: false
        host: 'pg-authentik-rw'
        port: 5432
        name: ""
--- a/kube/3-deploy/2-apps/authentik/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/netpol.yaml
@@ -31,9 +31,6 @@ spec:
              protocol: TCP
            - port: "9300"
              protocol: TCP
-          rules:
-            http:
-              - {}
  egress:
    # same namespace
    - toEndpoints:
--- a/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
@@ -8,6 +8,8 @@ type: Opaque
 stringData:
  GTS_OIDC_ENABLED: "true"
  GTS_OIDC_IDP_NAME: "JJGadgets Auth"
+  # migration from <0.7.0
+  GTS_OIDC_LINK_EXISTING: "true"
  GTS_OIDC_ISSUER: "${SECRET_GTS_OIDC_ISSUER}"
  GTS_OIDC_CLIENT_ID: "${SECRET_GTS_OIDC_CLIENT_ID}"
  GTS_OIDC_CLIENT_SECRET: "${SECRET_GTS_OIDC_CLIENT_SECRET}"
--- a/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
@@ -21,9 +21,6 @@ spec:
        - ports:
            - port: "8080"
              protocol: TCP
-          rules:
-            http:
-              - {}
    # allow SMTP to Ntfy notification
    - fromEndpoints:
        - matchLabels: