From fc13e41a65c8085819d668e83f82946c0489ca92 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Tue, 16 May 2023 04:52:29 +0800
Subject: [PATCH 1/7] fix(gotosocial): OIDC migration from <0.7.0
halp admin me can't login lol, asks me for new account
---
 kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml b/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
index a4c762bb..26d929b4 100644
--- a/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
+++ b/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml
@@ -8,6 +8,8 @@ type: Opaque
 stringData:
 GTS_OIDC_ENABLED: "true"
 GTS_OIDC_IDP_NAME: "JJGadgets Auth"
+ # migration from <0.7.0
+ GTS_OIDC_LINK_EXISTING: "true"
 GTS_OIDC_ISSUER: "${SECRET_GTS_OIDC_ISSUER}"
 GTS_OIDC_CLIENT_ID: "${SECRET_GTS_OIDC_CLIENT_ID}"
 GTS_OIDC_CLIENT_SECRET: "${SECRET_GTS_OIDC_CLIENT_SECRET}"
From 20d9095751e5e2ac44c4e323e00682e575b746f9 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Tue, 16 May 2023 05:00:27 +0800
Subject: [PATCH 2/7] fix(cloudflared): GoToSocial non-wildcard SSL
---
 kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
index 06c2c3d3..144f4f8c 100644
--- a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
+++ b/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
@@ -51,6 +51,10 @@ spec:
 ingress:
 - hostname: "cftest.${DNS_SHORT}"
 service: hello_world
+ - hostname: "social.jjgadgets.tech"
+ service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
+ originRequest:
+ originServerName: "social.jjgadgets.tech"
 - hostname: "*.${DNS_SHORT}"
 service: https://ingress-nginx-controller.ingress.svc.cluster.local:443
 originRequest:
From d18db2ba7702090c6516446d859d33782c1f6ef6 Mon Sep 17 00:00:00 2001
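Review bot: The new `GTS_OIDC_LINK_EXISTING: "true"` is a standing account-linking switch, not a one-shot migration step, and the `# migration from <0.7.0` comment does not say it should be turned off once the admin account has been linked. If this maps to GoToSocial's `oidc-link-existing` option, any OIDC login presenting an email that matches an existing local account is linked to that account, so the safety of leaving it on rests entirely on the IdP verifying email ownership; that is an account-takeover surface that should not stay open longer than the migration needs. I would replace the comment with `# migration from <0.7.0: links OIDC logins to existing accounts by matching email; relies on the IdP having verified the email — set back to "false" once the admin account has logged in via OIDC`. The `stringData` block continues outside the hunk.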
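Review bot: The new route hardcodes `"social.jjgadgets.tech"` twice (hostname and `originServerName`) while every other hostname in the hunk is built from a `${DNS_SHORT}` substitution, so the public name now lives in two places that can drift apart from the app's own ingress host; a substitution variable for the GoToSocial host, used for both fields, would keep the tunnel config consistent with the rest of the file. Nothing records why this host needs its own entry instead of the `*.${DNS_SHORT}` catch-all, so a comment such as `# own route: this host has a non-wildcard cert, so the origin SNI must be the exact hostname` would stop someone from folding it back into the wildcard. The wildcard entry's `originRequest` block continues outside the hunk, so I cannot see whether it carries other origin-TLS settings (CA pool, verification flags) that this new entry should mirror; worth checking that the two routes end up with the same origin certificate verification behaviour.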
From: JJGadgets
Date: Wed, 17 May 2023 05:38:14 +0800
Subject: [PATCH 3/7] fix(authentik): proxy timeout for websockets
increased ingress-nginx proxy-*-timeout to 3600 for WebSockets to work
---
 kube/3-deploy/2-apps/authentik/app/hr.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kube/3-deploy/2-apps/authentik/app/hr.yaml b/kube/3-deploy/2-apps/authentik/app/hr.yaml
index b533c079..801009be 100644
--- a/kube/3-deploy/2-apps/authentik/app/hr.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/hr.yaml
@@ -30,6 +30,9 @@ spec:
 annotations:
 external-dns.alpha.kubernetes.io/target: "${DNS_MAIN_CF}"
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ # WebSockets (used for frontend to backend connection)
+ nginx.ingress.kubernetes.io/proxy-read-timeout: 3600
+ nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
 hosts:
 - host: &host "${APP_DNS_AUTH}"
 paths:
@@ -55,6 +58,7 @@ spec:
 enabled: false
 send_pii: false
 postgresql:
+ enabled: false
 host: 'pg-authentik-rw'
 port: 5432
 name: ""
From 28373d2e839d05769262fd6256af85052ccb96fa Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 17 May 2023 05:43:45 +0800
Subject: [PATCH 4/7] fix(authentik): ws: string not number
---
 kube/3-deploy/2-apps/authentik/app/hr.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kube/3-deploy/2-apps/authentik/app/hr.yaml b/kube/3-deploy/2-apps/authentik/app/hr.yaml
index 801009be..0746b4c4 100644
--- a/kube/3-deploy/2-apps/authentik/app/hr.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/hr.yaml
@@ -31,8 +31,8 @@ spec:
 external-dns.alpha.kubernetes.io/target: "${DNS_MAIN_CF}"
 external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
 # WebSockets (used for frontend to backend connection)
- nginx.ingress.kubernetes.io/proxy-read-timeout: 3600
- nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
 hosts:
 - host: &host "${APP_DNS_AUTH}"
 paths:
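Review bot: The one-hour `proxy-read-timeout` / `proxy-send-timeout` annotations apply to every request on the `${APP_DNS_AUTH}` host, not only to WebSocket upgrades, so any slow or stalled client can now hold an ingress-nginx upstream connection for up to 3600s; the comment presents this as a WebSocket-only setting. Since the host is `cloudflare-proxied: "true"`, slow-client limits presumably sit at the Cloudflare edge, but that assumption should be written down where the timeouts are set, e.g. `# WebSockets (frontend<->backend): note these 1h timeouts apply host-wide, slow-client limits are left to the Cloudflare proxy in front`. The annotations are also bare integers here (ingress-nginx annotations must be strings), which patch 4 in this series already corrects, so no further change on that point.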
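Review bot: The added `enabled: false` under `postgresql:` disables the chart's bundled PostgreSQL while the commit subject and body only mention proxy timeouts, so a reader of the history will not find why the database backend changed here. A comment on the new line would carry that context, e.g. `# bundled PostgreSQL subchart disabled; authentik uses the external pg-authentik-rw service below` (I am inferring from the `host: 'pg-authentik-rw'` context line that this is an external cluster service, so adjust the wording to what it actually is). The surrounding values block starts and ends outside the hunk.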
From c986d4abe6d32c233a5ae0437eac5bfe113ddbf2 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 17 May 2023 18:20:46 +0800
Subject: [PATCH 5/7] fix(authentik): webosckets: rm L7 http netpol
---
 kube/3-deploy/2-apps/authentik/app/netpol.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/kube/3-deploy/2-apps/authentik/app/netpol.yaml b/kube/3-deploy/2-apps/authentik/app/netpol.yaml
index e2b15c04..8444e951 100644
--- a/kube/3-deploy/2-apps/authentik/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/authentik/app/netpol.yaml
@@ -31,9 +31,6 @@ spec:
 protocol: TCP
 - port: "9300"
 protocol: TCP
- rules:
- http:
- - {}
 egress:
 # same namespace
 - toEndpoints:
From 88ecfa32cb9840b41a502533221094f6583c4819 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 17 May 2023 18:22:09 +0800
Subject: [PATCH 6/7] fix(ntfy): webosckets: rm L7 http netpol
---
 kube/3-deploy/2-apps/ntfy/app/netpol.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/kube/3-deploy/2-apps/ntfy/app/netpol.yaml b/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
index 2bc4dc48..9d82e233 100644
--- a/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
+++ b/kube/3-deploy/2-apps/ntfy/app/netpol.yaml
@@ -21,9 +21,6 @@ spec:
 - ports:
 - port: "8080"
 protocol: TCP
- rules:
- http:
- - {}
 # allow SMTP to Ntfy notification
 - fromEndpoints:
 - matchLabels:
From fd9479d3083cd0e09d0f581544b9defe9c21ee0e Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 17 May 2023 18:30:57 +0800
Subject: [PATCH 7/7] fix(ingress-nginx): eTP Cluster for HA
---
 kube/3-deploy/1-core/05-ingress/nginx/install.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
index 5f8b1376..510c85d3 100644
--- a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
+++ b/kube/3-deploy/1-core/05-ingress/nginx/install.yaml
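Review bot: Dropping the `rules: http: - {}` block takes the Cilium L7 proxy out of the path for the ports in this ingress rule (only `- port: "9300"` is fully visible; the rule's other port and its `fromEndpoints` start above the hunk), and nothing in the file now says why, so the next person tightening the policy is likely to add it back and break WebSockets again. The match-all rule filtered nothing beyond "must parse as HTTP", so the security loss is small, but it should be recorded as deliberate: `# L4-only on purpose: an L7 http rule here routes through Cilium's proxy, which broke the WebSocket upgrade (see commit history); do not re-add` placed above the `ports:` list. That the proxy broke the upgrade is taken from the commit subject rather than visible here, so word it accordingly if the actual failure mode differs.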
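Review bot: Same concern as the authentik policy: removing `rules: http: - {}` makes the `- port: "8080"` ingress rule L4-only without a comment explaining it, and the pattern of a bare `ports:` entry followed by the `# allow SMTP to Ntfy notification` rule gives no hint that L7 was deliberately left off. A one-line comment above `- ports:` such as `# L4-only on purpose: Cilium's L7 http rule broke WebSocket upgrades to ntfy` would keep the two policies consistent and stop the rule from being reintroduced. The enclosing `ingress:` rule and its `fromEndpoints` selector begin outside the hunk.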
@@ -23,7 +23,8 @@ spec:
 service:
 enabled: true
 type: LoadBalancer
- externalTrafficPolicy: Local
+ # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work
+ externalTrafficPolicy: Cluster
 annotations:
 "io.cilium/lb-ipam-ips": "${APP_IP_NGINX}"
 externalIPs:
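Review bot: Switching to `externalTrafficPolicy: Cluster` makes client source-IP preservation depend on a property of the Cilium datapath (DSR mode) that is asserted in the comment but not verified anywhere in this file, and any source-IP based allowlist, rate limit or real-IP header logic in ingress-nginx silently degrades to node/pod addresses if that assumption is wrong — for example if the LB-IPAM address or the `externalIPs:` entries that continue below the hunk are not handled by the DSR path. I would turn the comment into a checkable statement and split the 130-character line, e.g. `# eTP Cluster for HA/failover instead of Local.` / `# Client source IP is still preserved only because Cilium is in DSR mode;` / `# verify with a real-IP check after rollout, since ingress allowlists depend on it.` The `service:` block continues outside the hunk.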