modified login to dual-ingress

2026-01-03 21:44:15 +01:00
parent c616af28cb
commit 9489f28b08
1 changed files with 47 additions and 29 deletions
@@ -154,36 +154,13 @@ spec:
          value: "3306"
        - name: SERVER_NAME
          value: "https://pastefy.dooplex.hu"
-        # OAuth2 Custom Provider (Authentik)
-        - name: AUTH_PROVIDER
-          value: "OAUTH2"
-        - name: OAUTH2_CUSTOM_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              name: pastefy-oidc
-              key: client-id
-        - name: OAUTH2_CUSTOM_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: pastefy-oidc
-              key: client-secret
-        - name: OAUTH2_CUSTOM_SCOPES
-          value: "openid profile email"
-        - name: OAUTH2_CUSTOM_USER_ID_FIELD
-          value: "sub"
-        - name: OAUTH2_CUSTOM_USER_NAME_FIELD
-          value: "preferred_username"
-        - name: OAUTH2_CUSTOM_AUTH_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/authorize/"
-        - name: OAUTH2_CUSTOM_TOKEN_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/token/"
-        - name: OAUTH2_CUSTOM_USERINFO_ENDPOINT
-          value: "https://authentik.dooplex.hu/application/o/userinfo/"
        # Optional settings
+        - name: AUTH_PROVIDER
+          value: ""  # Disable broken OAuth
        - name: PASTEFY_LOGIN_REQUIRED
          value: "false"
        - name: PASTEFY_LOGIN_REQUIRED_CREATE
-          value: "true"
+          value: "false"
        - name: PASTEFY_PUBLIC_STATS
          value: "false"
        - name: PASTEFY_INFO_CUSTOM_NAME
@@ -247,19 +224,60 @@ spec:
    app.kubernetes.io/instance: pastefy
    app.kubernetes.io/name: pastefy
 ---
+# Ingress 1: Public - for viewing pastes (no auth)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pastefy-public
+  namespace: pastefy-system
+  annotations:
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx-internal
+  rules:
+  - host: pastefy.dooplex.hu
+    http:
+      paths:
+      # Match paste IDs (typically 6-8 char alphanumeric)
+      - path: /([a-zA-Z0-9]{5,12})(/raw)?$
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: pastefy
+            port:
+              number: 80
+  - host: pastefy.home
+    http:
+      paths:
+      - path: /([a-zA-Z0-9]{5,12})(/raw)?$
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: pastefy
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - pastefy.dooplex.hu
+    secretName: pastefy-tls
+---
+# Ingress 2: Protected - main app (with Authentik auth)
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: pastefy
  namespace: pastefy-system
-  labels:
-    app.kubernetes.io/instance: pastefy
-    app.kubernetes.io/name: pastefy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: pastefy.dooplex.hu,pastefy.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    # Authentik forward auth
+    nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-authentik-embedded-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
+    nginx.ingress.kubernetes.io/auth-signin: "https://authentik.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$host$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Host $http_host;
 spec:
  ingressClassName: nginx-internal
  rules: