olares: avoid requesting backend service directly (#1875)

* olares: avoid requesting backend service directly * fix: wrong namespace * fix: vault server proxy * fix: seafile and infisical proxy
2026-05-24 09:18:23 +00:00 · 2025-09-26 18:55:36 +08:00 · 2025-09-26 18:55:36 +08:00 · 9f98007ce7
commit 9f98007ce7
parent 234b887787
9 changed files with 254 additions and 434 deletions
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
@ -35,34 +35,6 @@ rules:
  - "/api/nodes/*"
  verbs: ["*"]

-# ---
-# apiVersion: sys.bytetrade.io/v1alpha1
-# kind: ProviderRegistry
-# metadata:
-#   name: files-provider
-#   namespace: user-system-{{ .Values.bfl.username }}
-# spec:
-#   dataType: files
-#   deployment: files
-#   description: files provider
-#   endpoint: files-service.{{ .Release.Namespace }}
-#   group: service.files
-#   kind: provider
-#   namespace: {{ .Release.Namespace }}
-#   opApis:
-#     - name: Query
-#       uri: /provider/query_file
-#     - name: GetSearchFolderStatus
-#       uri: /provider/get_search_folder_status
-#     - name: UpdateSearchFolderPaths
-#       uri: /provider/update_search_folder_paths
-#     - name: GetDatasetFolderStatus
-#       uri: /provider/get_dataset_folder_status
-#     - name: UpdateDatasetFolderPaths
-#       uri: /provider/update_dataset_folder_paths
-#   version: v1
-# status:
-#   state: active
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml
@ -249,7 +249,7 @@ spec:
      initContainers:
        - args:
            - -it
-            - authelia-backend.os-framework:9091,infisical-service:80,system-server.user-system-{{ .Values.bfl.username }}:80,nats.user-system-{{ .Values.bfl.username }}:4222
+            - authelia-backend.user-system-{{ .Values.bfl.username }}:9091,infisical-service.user-system-{{ .Values.bfl.username }}:8080,system-server.user-system-{{ .Values.bfl.username }}:80,nats.user-system-{{ .Values.bfl.username }}:4222
          image: owncloudci/wait-for:latest
          imagePullPolicy: IfNotPresent
          name: check-auth
@ -729,200 +729,7 @@ spec:
          sub: allow
          pub: allow
    user: user-system-{{ .Values.bfl.username }}-files-frontend
---
-apiVersion: v1
-data:
-  envoy.yaml: |
-    admin:
-      access_log_path: "/dev/stdout"
-      address:
-        socket_address:
-          address: 0.0.0.0
-          port_value: 15000
-    static_resources:
-      listeners:
-        - name: listener_0
-          address:
-            socket_address:
-              address: 0.0.0.0
-              port_value: 15003
-          listener_filters:
-            - name: envoy.filters.listener.original_dst
-              typed_config:
-                "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst
-          filter_chains:
-            - filters:
-                - name: envoy.filters.network.http_connection_manager
-                  typed_config:
-                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
-                    stat_prefix: desktop_http
-                    upgrade_configs:
-                      - upgrade_type: websocket
-                      - upgrade_type: tailscale-control-protocol
-                    skip_xff_append: false
-                    max_request_headers_kb: 500
-                    codec_type: AUTO
-                    route_config:
-                      name: local_route
-                      virtual_hosts:
-                        - name: service
-                          domains: ["*"]
-                          routes:
-                            - match:
-                                prefix: "/upload"
-                              route:
-                                cluster: upload_original_dst
-                                timeout: 1800s
-                                idle_timeout: 1800s
-                            - match:
-                                prefix: "/"
-                              route:
-                                cluster: original_dst
-                                timeout: 1800s
-                                idle_timeout: 1800s
-                    http_protocol_options:
-                      accept_http_10: true
-                    http_filters:
-                      - name: envoy.filters.http.ext_authz
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
-                          http_service:
-                            path_prefix: '/api/verify/'
-                            server_uri:
-                              uri: authelia-backend.os-framework:9091
-                              cluster: authelia
-                              timeout: 2s
-                            authorization_request:
-                              allowed_headers:
-                                patterns:
-                                  - exact: accept
-                                  - exact: cookie
-                                  - exact: proxy-authorization
-                                  - prefix: x-unauth-
-                                  - exact: x-authorization
-                                  - exact: x-bfl-user
-                                  - exact: x-real-ip
-                                  - exact: terminus-nonce
-                                  - exact: x-provider-proxy
-                              headers_to_add:
-                                - key: X-Forwarded-Method
-                                  value: '%REQ(:METHOD)%'
-                                - key: X-Forwarded-Proto
-                                  value: '%REQ(:SCHEME)%'
-                                - key: X-Forwarded-Host
-                                  value: '%REQ(:AUTHORITY)%'
-                                - key: X-Forwarded-Uri
-                                  value: '%REQ(:PATH)%'
-                                - key: X-Forwarded-For
-                                  value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%'
-                            authorization_response:
-                              allowed_upstream_headers:
-                                patterns:
-                                  - exact: authorization
-                                  - exact: proxy-authorization
-                                  - prefix: remote-
-                                  - prefix: authelia-
-                              allowed_client_headers:
-                                patterns:
-                                  - exact: set-cookie
-                              allowed_client_headers_on_success:
-                                patterns:
-                                  - exact: set-cookie
-                          failure_mode_allow: false
-                      - name: envoy.filters.http.router
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

-        - name: listener_image
-          address:
-            socket_address:
-              address: 127.0.0.1
-              port_value: 15080
-          filter_chains:
-            - filters:
-                - name: envoy.filters.network.http_connection_manager
-                  typed_config:
-                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
-                    stat_prefix: tapr_http
-                    http_protocol_options:
-                      accept_http_10: true
-                    upgrade_configs:
-                      - upgrade_type: websocket
-                    skip_xff_append: false
-                    codec_type: AUTO
-                    route_config:
-                      name: local_route
-                      virtual_hosts:
-                        - name: service
-                          domains: ["*"]
-                          routes:
-                            - match:
-                                prefix: "/images/upload"
-                              route:
-                                cluster: images
-                    http_filters:
-                      - name: envoy.filters.http.router
-                        typed_config:
-                          "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
-
-
-      clusters:
-        - name: original_dst
-          connect_timeout: 120s
-          type: ORIGINAL_DST
-          lb_policy: CLUSTER_PROVIDED
-          common_http_protocol_options:
-            idle_timeout: 10s
-        - name: upload_original_dst
-          connect_timeout: 5000s
-          type: LOGICAL_DNS
-          dns_lookup_family: V4_ONLY
-          dns_refresh_rate: 600s
-          lb_policy: ROUND_ROBIN
-          load_assignment:
-            cluster_name: upload_original_dst
-            endpoints:
-              - lb_endpoints:
-                  - endpoint:
-                      address:
-                        socket_address:
-                          address: files-service.os-framework
-                          port_value: 80
-        - name: authelia
-          connect_timeout: 2s
-          type: LOGICAL_DNS
-          dns_lookup_family: V4_ONLY
-          dns_refresh_rate: 600s
-          lb_policy: ROUND_ROBIN
-          load_assignment:
-            cluster_name: authelia
-            endpoints:
-              - lb_endpoints:
-                  - endpoint:
-                      address:
-                        socket_address:
-                          address: authelia-backend.os-framework
-                          port_value: 9091
-        - name: images
-          connect_timeout: 5s
-          type: LOGICAL_DNS
-          dns_lookup_family: V4_ONLY
-          dns_refresh_rate: 600s
-          lb_policy: ROUND_ROBIN
-          load_assignment:
-            cluster_name: images
-            endpoints:
-              - lb_endpoints:
-                  - endpoint:
-                      address:
-                        socket_address:
-                          address: tapr-images-svc.user-system-{{ .Values.bfl.username }}
-                          port_value: 8080
-kind: ConfigMap
-metadata:
-  name: sidecar-upload-configs
-  namespace: {{ .Release.Namespace }}
-  
 ---
 apiVersion: v1
 kind: Secret
@ -979,6 +786,7 @@ spec:
          key: redis_password
          name: user-service-secrets
    namespace: user-service
+
 ---
 apiVersion: v1
 kind: Service
@ -987,7 +795,22 @@ metadata:
  namespace: {{ .Release.Namespace }}
 spec:
  type: ExternalName
-  externalName: vault-server.os-framework.svc.cluster.local
+  externalName: vault-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 3000
+      targetPort: 3000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault-server
+  namespace: user-system-{{ .Values.bfl.username }}
+spec:
+  type: ClusterIP
+  selector:
+    app: systemserver
  ports:
    - protocol: TCP
      port: 3000
@ -1046,7 +869,7 @@ data:
                      http_service:
                        path_prefix: '/api/verify/'
                        server_uri:
-                          uri: authelia-backend.os-framework:9091
+                          uri: authelia-backend.user-system-{{ .Values.bfl.username }}:9091
                          cluster: authelia
                          timeout: 2s
                        authorization_request:
@ -1143,7 +966,7 @@ data:
                - endpoint:
                    address:
                      socket_address:
-                        address: authelia-backend.os-framework
+                        address: authelia-backend.user-system-{{ .Values.bfl.username }}
                        port_value: 9091
      - name: images
        connect_timeout: 5s
@ -1222,7 +1045,7 @@ data:
                      http_service:
                        path_prefix: '/api/verify/'
                        server_uri:
-                          uri: authelia-backend.os-framework:9091
+                          uri: authelia-backend.user-system-{{ .Values.bfl.username }}:9091
                          cluster: authelia
                          timeout: 2s
                        authorization_request:
@ -1334,7 +1157,7 @@ data:
                - endpoint:
                    address:
                      socket_address:
-                        address: authelia-backend.os-framework
+                        address: authelia-backend.user-system-{{ .Values.bfl.username }}
                        port_value: 9091
      - name: images
        connect_timeout: 5s
@ -1412,7 +1235,7 @@ data:
                      http_service:
                        path_prefix: '/api/verify/'
                        server_uri:
-                          uri: authelia-backend.os-framework:9091
+                          uri: authelia-backend.user-system-{{ .Values.bfl.username }}:9091
                          cluster: authelia
                          timeout: 2s
                        authorization_request:
@ -1524,7 +1347,7 @@ data:
                - endpoint:
                    address:
                      socket_address:
-                        address: authelia-backend.os-framework
+                        address: authelia-backend.user-system-{{ .Values.bfl.username }}
                        port_value: 9091
      - name: images
        connect_timeout: 5s
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/seafile-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/seafile-provider.yaml
@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.bfl.username }}:seafile-frontend-domain-desktop
+  annotations:
+    provider-registry-ref: {{ .Values.bfl.username }}/desktop
+    provider-service-ref: seafile.os-framework.os-framework:80
+rules:
+- nonResourceURLs: 
+  - "/seahub/*"
+  - "/seafhttp/*"
+  verbs: ["*"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: user:{{ .Values.bfl.username }}:seafile-frontend-domain-desktop
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.bfl.username }}:seafile-frontend-domain-desktop
+subjects:
+- kind: User
+  name: '{{ .Values.bfl.username }}'
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: seafile
+  namespace: user-space-{{ .Values.bfl.username }}
+spec:
+  type: ExternalName
+  externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 28080
--- a/apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
+++ b/apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml
@ -22,7 +22,7 @@ spec:
      initContainers:
      - args:
        - -it
-        - authelia-backend.os-framework:9091
+        - authelia-backend.user-system-{{ .Values.bfl.username }}:9091
        image: owncloudci/wait-for:latest
        imagePullPolicy: IfNotPresent
        name: check-auth
--- a/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml
+++ b/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml
@ -23,7 +23,7 @@ spec:
      initContainers:
      - args:
        - -it
-        - authelia-backend.os-framework:9091
+        - authelia-backend.user-system-{{ .Values.bfl.username }}:9091
        image: owncloudci/wait-for:latest
        imagePullPolicy: IfNotPresent
        name: check-auth
@ -59,7 +59,7 @@ metadata:
  namespace: user-space-{{ .Values.bfl.username }}
 spec:
  type: ExternalName
-  externalName: authelia-backend.os-framework.svc.cluster.local
+  externalName: authelia-backend.user-system-{{ .Values.bfl.username }}.svc.cluster.local
  ports:
    - protocol: TCP
      name: authelia-bakcend
--- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml
+++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml
@ -3,10 +3,11 @@ apiVersion: v1
 kind: Service
 metadata:
  name: infisical-service
-  namespace: {{ .Release.Namespace }}
+  namespace: user-system-{{ .Values.bfl.username }}
 spec:
-  type: ExternalName
-  externalName: infisical-service.os-framework.svc.cluster.local
+  type: ClusterIP
+  selector:
+    app: systemserver
  ports:
    - name: http
      port: 8080
--- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
+++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml
@ -35,7 +35,7 @@ metadata:
  name: {{ .Values.bfl.username }}:secret-settings-provider-svc
  annotations:
    provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
-    provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080
+    provider-service-ref: infisical-service.os-framework:8080
 rules:
 - nonResourceURLs: 
  - /RetrieveSecret?workspace=settings
@ -53,7 +53,7 @@ metadata:
  name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc
  annotations:
    provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret
-    provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080
+    provider-service-ref: infisical-service.os-framework:8080
 rules:
 - nonResourceURLs: 
  - /RetrieveSecret?workspace=dashboard
--- a/framework/seahub/.olares/config/user/helm-charts/seafile/templates/seafile_fe_deploy.yaml
+++ b/framework/seahub/.olares/config/user/helm-charts/seafile/templates/seafile_fe_deploy.yaml
@ -1,239 +1,173 @@


---
-apiVersion: v1
-kind: Service
-metadata:
-  name: seafile
-  namespace: {{ .Release.Namespace }}
-spec:
-  type: ExternalName
-  externalName: seafile.os-framework.svc.cluster.local
-  ports:
-    - name: seahub
-      protocol: TCP
-      port: 8000
-      targetPort: 8000
-    - name: server
-      protocol: TCP
-      port: 8082
-      targetPort: 8082
-    - name: nginx-port
-      protocol: TCP
-      port: 80
-      targetPort: 80
-
-#---
-#apiVersion: v1
-#kind: Service
-#metadata:
-#  name: seafile-ui
-#  namespace: {{ .Release.Namespace }}
-#spec:
-#  ports:
-#  - port: 80
-#    protocol: TCP
-#    targetPort: 8080
-#  selector:
-#    app: seafile
-#  type: ClusterIP
-#
-#---
-#apiVersion: apps/v1
-#kind: Deployment
-#metadata:
-#  name: seafile
-#  namespace: {{ .Release.Namespace }}
-#  labels:
-#    app: seafile
-#    applications.app.bytetrade.io/author: bytetrade.io
-#
-#    applications.app.bytetrade.io/name: seafile
-#    applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}'
-#  annotations:
-#    applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/seafiles/icon.png
-#    applications.app.bytetrade.io/title: Seafile
-#    applications.app.bytetrade.io/version: '0.0.1'
-#    applications.app.bytetrade.io/entrances: '[{"name":"seafile-ui", "host":"seafile-ui", "port":80,"title":"Seafile","invisible": true}]'
-#
-#spec:
-#  replicas: 1
-#  strategy:
-#    type: Recreate
-#  selector:
-#    matchLabels:
-#      app: seafile
-#  template:
-#    metadata:
-#      labels:
-#        app: seafile
-#    spec:
-#      containers:
-#      - name: seafile-proxy
-#        image: nginx:stable-alpine3.17-slim
-#        imagePullPolicy: IfNotPresent
-#        ports:
-#        - name: proxy
-#          containerPort: 8080
-#        volumeMounts:
-#        - name: nginx-config
-#          readOnly: true
-#          mountPath: /etc/nginx/nginx.conf
-#          subPath: nginx.conf
-#      volumes:
-#      - name: nginx-config
-#        configMap:
-#          name: seafile-nginx-configs
-#          items:
-#          - key: nginx.conf
-#            path: nginx.conf
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: seafile
+#   namespace: {{ .Release.Namespace }}
+# spec:
+#   type: ExternalName
+#   externalName: seafile.os-framework.svc.cluster.local
+#   ports:
+#     - name: seahub
+#       protocol: TCP
+#       port: 8000
+#       targetPort: 8000
+#     - name: server
+#       protocol: TCP
+#       port: 8082
+#       targetPort: 8082
+#     - name: nginx-port
+#       protocol: TCP
+#       port: 80
+#       targetPort: 80


+# ---
+# apiVersion: v1
+# data:
+#   nginx.conf: |
+#     # Configuration checksum:

---
-apiVersion: v1
-data:
-  nginx.conf: |
-    # Configuration checksum:
+#     pid /var/run/nginx.pid;

-    pid /var/run/nginx.pid;
+#     worker_processes 2;

-    worker_processes 2;
+#     worker_rlimit_nofile 65535;

-    worker_rlimit_nofile 65535;
+#     worker_shutdown_timeout 240s ;

-    worker_shutdown_timeout 240s ;
+#     events {
+#       multi_accept        on;
+#       worker_connections  16384;
+#       use                 epoll;
+#     }

-    events {
-      multi_accept        on;
-      worker_connections  16384;
-      use                 epoll;
-    }
+#     http {
+#       aio                 threads;
+#       aio_write           on;

-    http {
-      aio                 threads;
-      aio_write           on;
+#       tcp_nopush          on;
+#       tcp_nodelay         on;

-      tcp_nopush          on;
-      tcp_nodelay         on;
+#       log_subrequest      on;

-      log_subrequest      on;
+#       reset_timedout_connection on;

-      reset_timedout_connection on;
+#       keepalive_timeout  75s;
+#       keepalive_requests 100;

-      keepalive_timeout  75s;
-      keepalive_requests 100;
+#       client_body_temp_path           /tmp/client-body;
+#       fastcgi_temp_path               /tmp/fastcgi-temp;
+#       proxy_temp_path                 /tmp/proxy-temp;
+#       client_max_body_size            1g;

-      client_body_temp_path           /tmp/client-body;
-      fastcgi_temp_path               /tmp/fastcgi-temp;
-      proxy_temp_path                 /tmp/proxy-temp;
-      client_max_body_size            1g;
+#       client_header_buffer_size       1k;
+#       client_header_timeout           60s;
+#       large_client_header_buffers     4 8k;
+#       client_body_buffer_size         8k;
+#       client_body_timeout             60s;

-      client_header_buffer_size       1k;
-      client_header_timeout           60s;
-      large_client_header_buffers     4 8k;
-      client_body_buffer_size         8k;
-      client_body_timeout             60s;
+#       types_hash_max_size             2048;
+#       server_names_hash_max_size      4096;
+#       server_names_hash_bucket_size   1024;
+#       map_hash_bucket_size            64;

-      types_hash_max_size             2048;
-      server_names_hash_max_size      4096;
-      server_names_hash_bucket_size   1024;
-      map_hash_bucket_size            64;
+#       proxy_headers_hash_max_size     512;
+#       proxy_headers_hash_bucket_size  64;

-      proxy_headers_hash_max_size     512;
-      proxy_headers_hash_bucket_size  64;
+#       variables_hash_bucket_size      256;
+#       variables_hash_max_size         2048;

-      variables_hash_bucket_size      256;
-      variables_hash_max_size         2048;
+#       underscores_in_headers          off;
+#       ignore_invalid_headers          on;

-      underscores_in_headers          off;
-      ignore_invalid_headers          on;
+#       include /etc/nginx/mime.types;
+#       default_type text/html;

-      include /etc/nginx/mime.types;
-      default_type text/html;
+#       gzip on;
+#       gzip_comp_level 1;
+#       gzip_http_version 1.1;
+#       gzip_min_length 256;
+#       gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component;
+#       gzip_proxied any;
+#       gzip_vary on;

-      gzip on;
-      gzip_comp_level 1;
-      gzip_http_version 1.1;
-      gzip_min_length 256;
-      gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component;
-      gzip_proxied any;
-      gzip_vary on;
+#       # Custom headers for response

-      # Custom headers for response
+#       server_tokens off;

-      server_tokens off;
+#       server_name_in_redirect off;
+#       port_in_redirect        off;

-      server_name_in_redirect off;
-      port_in_redirect        off;
+#       # global log
+#       log_format main $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time "$http_x_forwarded_for";

-      # global log
-      log_format main $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time "$http_x_forwarded_for";
+#       access_log /var/log/nginx/access.log main;
+#       error_log /var/log/nginx/error.log error;

-      access_log /var/log/nginx/access.log main;
-      error_log /var/log/nginx/error.log error;
+#       proxy_ssl_session_reuse on;

-      proxy_ssl_session_reuse on;
+#       # Global filters

-      # Global filters
+#       # timeout
+#       resolver_timeout        30s;
+#       send_timeout            60s;

-      # timeout
-      resolver_timeout        30s;
-      send_timeout            60s;
+#       ## start server 80
+#       server {

-      ## start server 80
-      server {
+#         server_name _;
+#         listen 8080;

-        server_name _;
-        listen 8080;
+#         location / {
+#           add_header Access-Control-Allow-Headers "access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,content-type,x-auth,x-unauth-error,x-authorization";
+#           add_header Access-Control-Allow-Methods "PUT, GET, DELETE, POST, OPTIONS";
+#           proxy_hide_header Access-Control-Allow-Origin;
+#           add_header Access-Control-Allow-Origin $http_origin;
+#           add_header Access-Control-Allow-Credentials true;			
+#           proxy_connect_timeout                          30s;
+#           proxy_send_timeout                             60s;
+#           proxy_read_timeout                             300s;
+#           proxy_set_header Host                      $host;
+#           proxy_set_header X-Forwarded-Host          $http_host;
+#           proxy_set_header X-Real-IP                 $remote_addr;
+#           proxy_set_header X-Forwarded-For            $remote_addr;
+#           proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;

-        location / {
-          add_header Access-Control-Allow-Headers "access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,content-type,x-auth,x-unauth-error,x-authorization";
-          add_header Access-Control-Allow-Methods "PUT, GET, DELETE, POST, OPTIONS";
-          proxy_hide_header Access-Control-Allow-Origin;
-          add_header Access-Control-Allow-Origin $http_origin;
-          add_header Access-Control-Allow-Credentials true;			
-          proxy_connect_timeout                          30s;
-          proxy_send_timeout                             60s;
-          proxy_read_timeout                             300s;
-          proxy_set_header Host                      $host;
-          proxy_set_header X-Forwarded-Host          $http_host;
-          proxy_set_header X-Real-IP                 $remote_addr;
-          proxy_set_header X-Forwarded-For            $remote_addr;
-          proxy_set_header X-Original-Forwarded-For  $http_x_forwarded_for;
+#           if ($request_method = 'OPTIONS') {
+#             return 204;
+#           }

-          if ($request_method = 'OPTIONS') {
-            return 204;
-          }
+#           proxy_pass http://seafile;
+#         }

-          proxy_pass http://seafile;
-        }
+#       }

-      }
+#       # default server, used for NGINX healthcheck and access to nginx stats
+#       server {
+#         listen 127.0.0.1:10246;

-      # default server, used for NGINX healthcheck and access to nginx stats
-      server {
-        listen 127.0.0.1:10246;
+#         keepalive_timeout 0;
+#         gzip off;
+#         access_log off;

-        keepalive_timeout 0;
-        gzip off;
-        access_log off;
+#         location /healthz {
+#           return 200;
+#         }

-        location /healthz {
-          return 200;
-        }
+#         location /nginx_status {
+#           stub_status on;
+#         }

-        location /nginx_status {
-          stub_status on;
-        }
-
-        location / {
-          return 404;
-        }
-      }
-    }
-kind: ConfigMap
-metadata:
-  name: seafile-nginx-configs
-  namespace: {{ .Release.Namespace }}
+#         location / {
+#           return 404;
+#         }
+#       }
+#     }
+# kind: ConfigMap
+# metadata:
+#   name: seafile-nginx-configs
+#   namespace: {{ .Release.Namespace }}

--- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
+++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml
@ -242,6 +242,30 @@ data:
                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                    stat_prefix: destination
                    cluster: cluster_fakes3_proxy
+        - name: listener_infisical_proxy
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 8080
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.tcp_proxy
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                    stat_prefix: destination
+                    cluster: cluster_infisical_proxy
+        - name: listener_vault_proxy
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 3000
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.tcp_proxy
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
+                    stat_prefix: destination
+                    cluster: cluster_vault_proxy
      clusters:
        - name: cluster_redis_proxy
          connect_timeout: 30s
@ -334,6 +358,32 @@ data:
                        socket_address:
                          address: tapr-s3-svc.os-platform.svc.cluster.local
                          port_value: 4568  
+        - name: cluster_infisical_proxy
+          connect_timeout: 30s
+          type: LOGICAL_DNS
+          dns_lookup_family: V4_ONLY
+          load_assignment:
+            cluster_name: cluster_infisical_proxy
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: infisical-service.os-framework.svc.cluster.local
+                          port_value: 8080
+        - name: cluster_vault_proxy
+          connect_timeout: 30s
+          type: LOGICAL_DNS
+          dns_lookup_family: V4_ONLY
+          load_assignment:
+            cluster_name: cluster_vault_proxy
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: vault-server.os-framework.svc.cluster.local
+                          port_value: 3000
 kind: ConfigMap
 metadata:
  name: systemserver-proxy-configs