updated with 2 ingresses

pastefy-system/pastefy.yaml

@@ -1,17 +1,3 @@
-# Pastefy - Self-hosted Pastebin alternative
-# https://github.com/interaapps/pastefy
-# Version: 7.1.5
-# Domain: pastefy.dooplex.hu
-# Auth: Native OAuth2/OIDC with Authentik
-#
-# Authentik Setup:
-# 1. Create OAuth2/OIDC Provider:
-#    - Name: pastefy
-#    - Client Type: Confidential
-#    - Redirect URIs: https://pastefy.dooplex.hu/oauth-callback
-#    - Scopes: openid, email, profile
-# 2. Create Application linked to this provider
----
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -107,7 +93,6 @@ metadata:
   labels:
     app.kubernetes.io/instance: pastefy
     app.kubernetes.io/name: pastefy
-    app.kubernetes.io/version: "7.1.5"
 spec:
   replicas: 1
   selector:
@@ -121,18 +106,17 @@ spec:
       labels:
         app.kubernetes.io/instance: pastefy
         app.kubernetes.io/name: pastefy
-        app.kubernetes.io/version: "7.1.5"
     spec:
       containers:
       - name: pastefy
         image: interaapps/pastefy:7.1.5
         env:
         - name: HTTP_SERVER_PORT
-          value: "80"
+          value: '80'
         - name: HTTP_SERVER_CORS
-          value: "*"
+          value: '*'
         - name: DATABASE_DRIVER
-          value: "mysql"
+          value: mysql
         - name: DATABASE_NAME
           valueFrom:
             secretKeyRef:
@@ -149,22 +133,21 @@ spec:
               name: pastefy-db
               key: password
         - name: DATABASE_HOST
-          value: "pastefy-db"
+          value: pastefy-db
         - name: DATABASE_PORT
-          value: "3306"
+          value: '3306'
         - name: SERVER_NAME
-          value: "https://pastefy.dooplex.hu"
+          value: https://pastefy.dooplex.hu
-        # Optional settings
         - name: AUTH_PROVIDER
-          value: ""  # Disable broken OAuth
+          value: ''
         - name: PASTEFY_LOGIN_REQUIRED
-          value: "false"
+          value: 'false'
         - name: PASTEFY_LOGIN_REQUIRED_CREATE
-          value: "false"
+          value: 'false'
         - name: PASTEFY_PUBLIC_STATS
-          value: "false"
+          value: 'false'
         - name: PASTEFY_INFO_CUSTOM_NAME
-          value: "Dooplex Paste"
+          value: Dooplex Paste
         ports:
         - containerPort: 80
           name: http
@@ -224,7 +207,6 @@ spec:
     app.kubernetes.io/instance: pastefy
     app.kubernetes.io/name: pastefy
 ---
-# Public ingress: everything is readable (UI + assets + paste pages)
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -233,8 +215,9 @@ metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     external-dns.alpha.kubernetes.io/hostname: pastefy.dooplex.hu,pastefy.home
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
-    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    nginx.ingress.kubernetes.io/enable-global-auth: 'false'
 spec:
   ingressClassName: nginx-internal
   rules:
@@ -263,55 +246,37 @@ spec:
     - pastefy.dooplex.hu
     secretName: pastefy-tls
 ---
-# API ingress: require authentik ONLY for non-GET methods (POST/PUT/DELETE)
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: pastefy-api-auth
+  name: pastefy-write
   namespace: pastefy-system
   annotations:
-    nginx.ingress.kubernetes.io/server-snippet: |
+    cert-manager.io/cluster-issuer: letsencrypt-prod
-      # Internal endpoint NGINX will call for auth checks
+    external-dns.alpha.kubernetes.io/hostname: pastefy-write.dooplex.hu,pastefy-write.home
-      location = /__ak_auth {
+    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
-        internal;
+    nginx.ingress.kubernetes.io/proxy-body-size: 50m
-        proxy_pass http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx;
+    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
-
+    nginx.ingress.kubernetes.io/auth-signin: https://authentik.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri
-        proxy_pass_request_body off;
+    nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
-        proxy_set_header Content-Length "";
+    nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Host $http_host;
-
-        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $remote_addr;
-      }
-
-      # Where to send users when auth is required
-      location @ak_login {
-        return 302 https://pastefy.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
-      }
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      # Allow reading without auth, but require auth for write methods
-      limit_except GET HEAD OPTIONS {
-        auth_request /__ak_auth;
-        error_page 401 = @ak_login;
-      }
 spec:
   ingressClassName: nginx-internal
   rules:
-  - host: pastefy.dooplex.hu
+  - host: pastefy-write.dooplex.hu
     http:
       paths:
-      - path: /api
+      - path: /
         pathType: Prefix
         backend:
           service:
             name: pastefy
             port:
               number: 80
-  - host: pastefy.home
+  - host: pastefy-write.home
     http:
       paths:
-      - path: /api
+      - path: /
         pathType: Prefix
         backend:
           service:
@@ -320,8 +285,8 @@ spec:
               number: 80
   tls:
   - hosts:
-    - pastefy.dooplex.hu
+    - pastefy-write.dooplex.hu
-    secretName: pastefy-tls
+    secretName: pastefy-write-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim