admin/homelab-manifests
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

updated ingresses

Browse Source
This commit is contained in:
authentik Default Admin
2026-01-03 22:13:41 +01:00
parent e7fc774dc6
commit 861cae2058
2 changed files with 61 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pastefy-system/pastefy.yaml
+61 -44
View File
@@ -224,60 +224,17 @@ spec:
app.kubernetes.io/instance: pastefy
app.kubernetes.io/name: pastefy
---
# Ingress 1: Public - for viewing pastes (no auth)
# Public ingress: everything is readable (UI + assets + paste pages)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pastefy-public
namespace: pastefy-system
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx-internal
rules:
- host: pastefy.dooplex.hu
http:
paths:
# Match paste IDs (typically 6-8 char alphanumeric)
- path: /([a-zA-Z0-9]{5,12})(/raw)?$
pathType: ImplementationSpecific
backend:
service:
name: pastefy
port:
number: 80
- host: pastefy.home
http:
paths:
- path: /([a-zA-Z0-9]{5,12})(/raw)?$
pathType: ImplementationSpecific
backend:
service:
name: pastefy
port:
number: 80
tls:
- hosts:
- pastefy.dooplex.hu
secretName: pastefy-tls
---
# Ingress 2: Protected - main app (with Authentik auth)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pastefy
namespace: pastefy-system
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/hostname: pastefy.dooplex.hu,pastefy.home
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
# Authentik forward auth
nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
nginx.ingress.kubernetes.io/auth-signin: "https://pastefy.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$host$escaped_request_uri"
nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
spec:
ingressClassName: nginx-internal
rules:
@@ -306,6 +263,66 @@ spec:
- pastefy.dooplex.hu
secretName: pastefy-tls
---
# API ingress: require authentik ONLY for non-GET methods (POST/PUT/DELETE)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pastefy-api-auth
namespace: pastefy-system
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
# Internal endpoint NGINX will call for auth checks
location = /__ak_auth {
internal;
proxy_pass http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
}
# Where to send users when auth is required
location @ak_login {
return 302 https://pastefy.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
nginx.ingress.kubernetes.io/configuration-snippet: |
# Allow reading without auth, but require auth for write methods
limit_except GET HEAD OPTIONS {
auth_request /__ak_auth;
error_page 401 = @ak_login;
}
spec:
ingressClassName: nginx-internal
rules:
- host: pastefy.dooplex.hu
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: pastefy
port:
number: 80
- host: pastefy.home
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: pastefy
port:
number: 80
tls:
- hosts:
- pastefy.dooplex.hu
secretName: pastefy-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: