From 9f98007ce7fada7989a3b76a01a9ec30f8986fd3 Mon Sep 17 00:00:00 2001 From: eball Date: Fri, 26 Sep 2025 18:55:36 +0800 Subject: [PATCH] olares: avoid requesting backend service directly (#1875) * olares: avoid requesting backend service directly * fix: wrong namespace * fix: vault server proxy * fix: seafile and infisical proxy --- .../system-apps/templates/files-provider.yaml | 28 -- .../system-apps/templates/olares-app.yaml | 225 ++---------- .../templates/seafile-provider.yaml | 40 +++ .../wizard/templates/wizard_deploy.yaml | 2 +- .../auth/templates/auth_deploy.yaml | 4 +- .../infisical/templates/infisical_deploy.yaml | 7 +- .../infisical/templates/provider.yaml | 4 +- .../seafile/templates/seafile_fe_deploy.yaml | 328 +++++++----------- .../templates/systemserver_deploy.yaml | 50 +++ 9 files changed, 254 insertions(+), 434 deletions(-) create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/seafile-provider.yaml diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml index 039a1c6c7..bd3947157 100644 --- a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml 
@@ -35,34 +35,6 @@ rules: - "/api/nodes/*" verbs: ["*"] -# --- -# apiVersion: sys.bytetrade.io/v1alpha1 -# kind: ProviderRegistry -# metadata: -# name: files-provider -# namespace: user-system-{{ .Values.bfl.username }} -# spec: -# dataType: files -# deployment: files -# description: files provider -# endpoint: files-service.{{ .Release.Namespace }} -# group: service.files -# kind: provider -# namespace: {{ .Release.Namespace }} -# opApis: -# - name: Query -# uri: /provider/query_file -# - name: GetSearchFolderStatus -# uri: /provider/get_search_folder_status -# - name: UpdateSearchFolderPaths -# uri: /provider/update_search_folder_paths -# - name: GetDatasetFolderStatus -# uri: /provider/get_dataset_folder_status -# - name: UpdateDatasetFolderPaths -# uri: /provider/update_dataset_folder_paths -# version: v1 -# status: -# state: active --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml index 1ae3895be..77ef69ee4 100644 --- a/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/olares-app.yaml @@ -249,7 +249,7 @@ spec: initContainers: - args: - -it - - authelia-backend.os-framework:9091,infisical-service:80,system-server.user-system-{{ .Values.bfl.username }}:80,nats.user-system-{{ .Values.bfl.username }}:4222 + - authelia-backend.user-system-{{ .Values.bfl.username }}:9091,infisical-service.user-system-{{ .Values.bfl.username }}:8080,system-server.user-system-{{ .Values.bfl.username }}:80,nats.user-system-{{ .Values.bfl.username }}:4222 image: owncloudci/wait-for:latest imagePullPolicy: IfNotPresent name: check-auth 
@@ -729,200 +729,7 @@ spec: sub: allow pub: allow user: user-system-{{ .Values.bfl.username }}-files-frontend ---- -apiVersion: v1 -data: - envoy.yaml: | - admin: - access_log_path: "/dev/stdout" - address: - socket_address: - address: 0.0.0.0 - port_value: 15000 - static_resources: - listeners: - - name: listener_0 - address: - socket_address: - address: 0.0.0.0 - port_value: 15003 - listener_filters: - - name: envoy.filters.listener.original_dst - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.listener.original_dst.v3.OriginalDst - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: desktop_http - upgrade_configs: - - upgrade_type: websocket - - upgrade_type: tailscale-control-protocol - skip_xff_append: false - max_request_headers_kb: 500 - codec_type: AUTO - route_config: - name: local_route - virtual_hosts: - - name: service - domains: ["*"] - routes: - - match: - prefix: "/upload" - route: - cluster: upload_original_dst - timeout: 1800s - idle_timeout: 1800s - - match: - prefix: "/" - route: - cluster: original_dst - timeout: 1800s - idle_timeout: 1800s - http_protocol_options: - accept_http_10: true - http_filters: - - name: envoy.filters.http.ext_authz - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - http_service: - path_prefix: '/api/verify/' - server_uri: - uri: authelia-backend.os-framework:9091 - cluster: authelia - timeout: 2s - authorization_request: - allowed_headers: - patterns: - - exact: accept - - exact: cookie - - exact: proxy-authorization - - prefix: x-unauth- - - exact: x-authorization - - exact: x-bfl-user - - exact: x-real-ip - - exact: terminus-nonce - - exact: x-provider-proxy - headers_to_add: - - key: X-Forwarded-Method - value: '%REQ(:METHOD)%' - - key: X-Forwarded-Proto - value: 
'%REQ(:SCHEME)%' - - key: X-Forwarded-Host - value: '%REQ(:AUTHORITY)%' - - key: X-Forwarded-Uri - value: '%REQ(:PATH)%' - - key: X-Forwarded-For - value: '%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%' - authorization_response: - allowed_upstream_headers: - patterns: - - exact: authorization - - exact: proxy-authorization - - prefix: remote- - - prefix: authelia- - allowed_client_headers: - patterns: - - exact: set-cookie - allowed_client_headers_on_success: - patterns: - - exact: set-cookie - failure_mode_allow: false - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - name: listener_image - address: - socket_address: - address: 127.0.0.1 - port_value: 15080 - filter_chains: - - filters: - - name: envoy.filters.network.http_connection_manager - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: tapr_http - http_protocol_options: - accept_http_10: true - upgrade_configs: - - upgrade_type: websocket - skip_xff_append: false - codec_type: AUTO - route_config: - name: local_route - virtual_hosts: - - name: service - domains: ["*"] - routes: - - match: - prefix: "/images/upload" - route: - cluster: images - http_filters: - - name: envoy.filters.http.router - typed_config: - "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - - clusters: - - name: original_dst - connect_timeout: 120s - type: ORIGINAL_DST - lb_policy: CLUSTER_PROVIDED - common_http_protocol_options: - idle_timeout: 10s - - name: upload_original_dst - connect_timeout: 5000s - type: LOGICAL_DNS - dns_lookup_family: V4_ONLY - dns_refresh_rate: 600s - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: upload_original_dst - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: files-service.os-framework - port_value: 80 - - name: authelia - connect_timeout: 2s - type: LOGICAL_DNS 
- dns_lookup_family: V4_ONLY - dns_refresh_rate: 600s - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: authelia - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: authelia-backend.os-framework - port_value: 9091 - - name: images - connect_timeout: 5s - type: LOGICAL_DNS - dns_lookup_family: V4_ONLY - dns_refresh_rate: 600s - lb_policy: ROUND_ROBIN - load_assignment: - cluster_name: images - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: tapr-images-svc.user-system-{{ .Values.bfl.username }} - port_value: 8080 -kind: ConfigMap -metadata: - name: sidecar-upload-configs - namespace: {{ .Release.Namespace }} - --- apiVersion: v1 kind: Secret @@ -979,6 +786,7 @@ spec: key: redis_password name: user-service-secrets namespace: user-service + --- apiVersion: v1 kind: Service @@ -987,7 +795,22 @@ metadata: namespace: {{ .Release.Namespace }} spec: type: ExternalName - externalName: vault-server.os-framework.svc.cluster.local + externalName: vault-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local + ports: + - protocol: TCP + port: 3000 + targetPort: 3000 + +--- +apiVersion: v1 +kind: Service +metadata: + name: vault-server + namespace: user-system-{{ .Values.bfl.username }} +spec: + type: ClusterIP + selector: + app: systemserver ports: - protocol: TCP port: 3000 @@ -1046,7 +869,7 @@ data: http_service: path_prefix: '/api/verify/' server_uri: - uri: authelia-backend.os-framework:9091 + uri: authelia-backend.user-system-{{ .Values.bfl.username }}:9091 cluster: authelia timeout: 2s authorization_request: @@ -1143,7 +966,7 @@ data: - endpoint: address: socket_address: - address: authelia-backend.os-framework + address: authelia-backend.user-system-{{ .Values.bfl.username }} port_value: 9091 - name: images connect_timeout: 5s 
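Review bot: The new `vault-server` ClusterIP Service in `user-system-{{ .Values.bfl.username }}` selects `app: systemserver`, a pod label owned by the systemserver chart, while this chart otherwise only owns the ExternalName alias in front of it; the same cross-chart coupling is introduced for `infisical-service` in infisical_deploy.yaml. If that label ever changes, both Services silently lose their endpoints, so record the dependency with a comment such as `# ClusterIP in front of systemserver's Envoy listener_vault_proxy (0.0.0.0:3000)` above `selector:`, or move the Service into the systemserver chart next to the listener it fronts. The ExternalName alias keeps `port: 3000` / `targetPort: 3000` matched, which is correct because ExternalName Services do no port remapping.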
@@ -1222,7 +1045,7 @@ data: http_service: path_prefix: '/api/verify/' server_uri: - uri: authelia-backend.os-framework:9091 + uri: authelia-backend.user-system-{{ .Values.bfl.username }}:9091 cluster: authelia timeout: 2s authorization_request: @@ -1334,7 +1157,7 @@ data: - endpoint: address: socket_address: - address: authelia-backend.os-framework + address: authelia-backend.user-system-{{ .Values.bfl.username }} port_value: 9091 - name: images connect_timeout: 5s @@ -1412,7 +1235,7 @@ data: http_service: path_prefix: '/api/verify/' server_uri: - uri: authelia-backend.os-framework:9091 + uri: authelia-backend.user-system-{{ .Values.bfl.username }}:9091 cluster: authelia timeout: 2s authorization_request: @@ -1524,7 +1347,7 @@ data: - endpoint: address: socket_address: - address: authelia-backend.os-framework + address: authelia-backend.user-system-{{ .Values.bfl.username }} port_value: 9091 - name: images connect_timeout: 5s diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/seafile-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/seafile-provider.yaml new file mode 100644 index 000000000..f2f87fcda --- /dev/null +++ b/apps/.olares/config/user/helm-charts/system-apps/templates/seafile-provider.yaml 
@@ -0,0 +1,40 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Values.bfl.username }}:seafile-frontend-domain-desktop + annotations: + provider-registry-ref: {{ .Values.bfl.username }}/desktop + provider-service-ref: seafile.os-framework.os-framework:80 +rules: +- nonResourceURLs: + - "/seahub/*" + - "/seafhttp/*" + verbs: ["*"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: user:{{ .Values.bfl.username }}:seafile-frontend-domain-desktop +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.bfl.username }}:seafile-frontend-domain-desktop +subjects: +- kind: User + name: '{{ .Values.bfl.username }}' + +--- +apiVersion: v1 +kind: Service +metadata: + name: seafile + namespace: user-space-{{ .Values.bfl.username }} +spec: + type: ExternalName + externalName: system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local + ports: + - protocol: TCP + port: 80 + targetPort: 28080 diff --git a/apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml b/apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml index 67dcff339..e51cd134c 100644 --- a/apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml +++ b/apps/.olares/config/user/helm-charts/wizard/templates/wizard_deploy.yaml @@ -22,7 +22,7 @@ spec: initContainers: - args: - -it - - authelia-backend.os-framework:9091 + - authelia-backend.user-system-{{ .Values.bfl.username }}:9091 image: owncloudci/wait-for:latest imagePullPolicy: IfNotPresent name: check-auth diff --git a/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml b/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml index d646f6487..5438093be 100644 --- a/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml 
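Review bot: `targetPort: 28080` on the new `seafile` ExternalName Service has no effect: an ExternalName Service only publishes a CNAME to `system-server.user-system-{{ .Values.bfl.username }}.svc.cluster.local`, so a client connecting to `seafile:80` reaches system-server on port 80, not 28080. If 28080 is the system-server listener meant for seahub/seafhttp traffic, the Service needs `port: 28080` (and callers must use it); if port 80 is the intended entry, drop the `targetPort` line so the manifest does not suggest a remap that never happens. Separately, `provider-service-ref: seafile.os-framework.os-framework:80` repeats the namespace segment, unlike `infisical-service.os-framework:8080` in provider.yaml; presumably `provider-service-ref: seafile.os-framework:80` was intended, and whether the consumer tolerates the doubled form cannot be seen here.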
+++ b/framework/authelia/.olares/config/user/helm-charts/auth/templates/auth_deploy.yaml @@ -23,7 +23,7 @@ spec: initContainers: - args: - -it - - authelia-backend.os-framework:9091 + - authelia-backend.user-system-{{ .Values.bfl.username }}:9091 image: owncloudci/wait-for:latest imagePullPolicy: IfNotPresent name: check-auth @@ -59,7 +59,7 @@ metadata: namespace: user-space-{{ .Values.bfl.username }} spec: type: ExternalName - externalName: authelia-backend.os-framework.svc.cluster.local + externalName: authelia-backend.user-system-{{ .Values.bfl.username }}.svc.cluster.local ports: - protocol: TCP name: authelia-bakcend diff --git a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml index 84f897807..0ac1fdc2b 100644 --- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml +++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/infisical_deploy.yaml @@ -3,10 +3,11 @@ apiVersion: v1 kind: Service metadata: name: infisical-service - namespace: {{ .Release.Namespace }} + namespace: user-system-{{ .Values.bfl.username }} spec: - type: ExternalName - externalName: infisical-service.os-framework.svc.cluster.local + type: ClusterIP + selector: + app: systemserver ports: - name: http port: 8080 diff --git a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml index 88f28275c..7a688aa19 100644 --- a/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml +++ b/framework/infisical/.olares/config/user/helm-charts/infisical/templates/provider.yaml 
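Review bot: Removing the `infisical-service` ExternalName from `{{ .Release.Namespace }}` breaks any workload in that namespace that still resolves the bare name `infisical-service`; the olares-app init container was updated to `infisical-service.user-system-{{ .Values.bfl.username }}:8080`, but other callers are not visible in this patch and should be checked before merge. The replacement ClusterIP Service now lives in `user-system-{{ .Values.bfl.username }}` with selector `app: systemserver`, so its only endpoints are systemserver pods carrying that label in that namespace; a one-line comment above `selector:` naming the Envoy listener it fronts (`listener_infisical_proxy`, port 8080) would make that intent explicit. In the auth_deploy hunks, both the init-container wait target and the ExternalName now point at `authelia-backend.user-system-{{ .Values.bfl.username }}`; no Service of that name is created in this patch, so presumably it already exists in user-system, otherwise the `check-auth` init container blocks indefinitely.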
@@ -35,7 +35,7 @@ metadata: name: {{ .Values.bfl.username }}:secret-settings-provider-svc annotations: provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret - provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080 + provider-service-ref: infisical-service.os-framework:8080 rules: - nonResourceURLs: - /RetrieveSecret?workspace=settings @@ -53,7 +53,7 @@ metadata: name: {{ .Values.bfl.username }}:secret-dashboard-provider-svc annotations: provider-registry-ref: user-system-{{ .Values.bfl.username }}/secret - provider-service-ref: infisical-service.{{ .Release.Namespace }}:8080 + provider-service-ref: infisical-service.os-framework:8080 rules: - nonResourceURLs: - /RetrieveSecret?workspace=dashboard diff --git a/framework/seahub/.olares/config/user/helm-charts/seafile/templates/seafile_fe_deploy.yaml b/framework/seahub/.olares/config/user/helm-charts/seafile/templates/seafile_fe_deploy.yaml index f92cde3c2..16b4d4c36 100644 --- a/framework/seahub/.olares/config/user/helm-charts/seafile/templates/seafile_fe_deploy.yaml +++ b/framework/seahub/.olares/config/user/helm-charts/seafile/templates/seafile_fe_deploy.yaml 
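Review bot: Both `provider-service-ref` annotations now point at `infisical-service.os-framework:8080`, i.e. the backend in os-framework rather than the new `infisical-service` ClusterIP in user-system, which reads against the commit's stated goal of not addressing backend services directly. If the annotation is dereferenced by the provider proxy itself (which may legitimately reach os-framework) rather than by the application pod, this is fine, but that is not visible here; a comment such as `# resolved by the provider proxy, not by the app, so the os-framework address is intentional` on the first annotation would prevent the next reader from "fixing" it back to the user-system name.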
@@ -1,239 +1,173 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: seafile - namespace: {{ .Release.Namespace }} -spec: - type: ExternalName - externalName: seafile.os-framework.svc.cluster.local - ports: - - name: seahub - protocol: TCP - port: 8000 - targetPort: 8000 - - name: server - protocol: TCP - port: 8082 - targetPort: 8082 - - name: nginx-port - protocol: TCP - port: 80 - targetPort: 80 - -#--- -#apiVersion: v1 -#kind: Service -#metadata: -# name: seafile-ui -# namespace: {{ .Release.Namespace }} -#spec: -# ports: -# - port: 80 -# protocol: TCP -# targetPort: 8080 -# selector: -# app: seafile -# type: ClusterIP -# -#--- -#apiVersion: apps/v1 -#kind: Deployment -#metadata: -# name: seafile -# namespace: {{ .Release.Namespace }} -# labels: -# app: seafile -# applications.app.bytetrade.io/author: bytetrade.io -# -# applications.app.bytetrade.io/name: seafile -# applications.app.bytetrade.io/owner: '{{ .Values.bfl.username }}' -# annotations: -# applications.app.bytetrade.io/icon: https://file.bttcdn.com/appstore/seafiles/icon.png -# applications.app.bytetrade.io/title: Seafile -# applications.app.bytetrade.io/version: '0.0.1' -# applications.app.bytetrade.io/entrances: '[{"name":"seafile-ui", "host":"seafile-ui", "port":80,"title":"Seafile","invisible": true}]' -# -#spec: -# replicas: 1 -# strategy: -# type: Recreate -# selector: -# matchLabels: -# app: seafile -# template: -# metadata: -# labels: -# app: seafile -# spec: -# containers: -# - name: seafile-proxy -# image: nginx:stable-alpine3.17-slim -# imagePullPolicy: IfNotPresent -# ports: -# - name: proxy -# containerPort: 8080 -# volumeMounts: -# - name: nginx-config -# readOnly: true -# mountPath: /etc/nginx/nginx.conf -# subPath: nginx.conf -# volumes: -# - name: nginx-config -# configMap: -# name: seafile-nginx-configs -# items: -# - key: nginx.conf -# path: nginx.conf +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: seafile +# namespace: {{ .Release.Namespace }} +# spec: +# 
type: ExternalName +# externalName: seafile.os-framework.svc.cluster.local +# ports: +# - name: seahub +# protocol: TCP +# port: 8000 +# targetPort: 8000 +# - name: server +# protocol: TCP +# port: 8082 +# targetPort: 8082 +# - name: nginx-port +# protocol: TCP +# port: 80 +# targetPort: 80 +# --- +# apiVersion: v1 +# data: +# nginx.conf: | +# # Configuration checksum: ---- -apiVersion: v1 -data: - nginx.conf: | - # Configuration checksum: +# pid /var/run/nginx.pid; - pid /var/run/nginx.pid; +# worker_processes 2; - worker_processes 2; +# worker_rlimit_nofile 65535; - worker_rlimit_nofile 65535; +# worker_shutdown_timeout 240s ; - worker_shutdown_timeout 240s ; +# events { +# multi_accept on; +# worker_connections 16384; +# use epoll; +# } - events { - multi_accept on; - worker_connections 16384; - use epoll; - } +# http { +# aio threads; +# aio_write on; - http { - aio threads; - aio_write on; +# tcp_nopush on; +# tcp_nodelay on; - tcp_nopush on; - tcp_nodelay on; +# log_subrequest on; - log_subrequest on; +# reset_timedout_connection on; - reset_timedout_connection on; +# keepalive_timeout 75s; +# keepalive_requests 100; - keepalive_timeout 75s; - keepalive_requests 100; +# client_body_temp_path /tmp/client-body; +# fastcgi_temp_path /tmp/fastcgi-temp; +# proxy_temp_path /tmp/proxy-temp; +# client_max_body_size 1g; - client_body_temp_path /tmp/client-body; - fastcgi_temp_path /tmp/fastcgi-temp; - proxy_temp_path /tmp/proxy-temp; - client_max_body_size 1g; +# client_header_buffer_size 1k; +# client_header_timeout 60s; +# large_client_header_buffers 4 8k; +# client_body_buffer_size 8k; +# client_body_timeout 60s; - client_header_buffer_size 1k; - client_header_timeout 60s; - large_client_header_buffers 4 8k; - client_body_buffer_size 8k; - client_body_timeout 60s; +# types_hash_max_size 2048; +# server_names_hash_max_size 4096; +# server_names_hash_bucket_size 1024; +# map_hash_bucket_size 64; - types_hash_max_size 2048; - server_names_hash_max_size 4096; - 
server_names_hash_bucket_size 1024; - map_hash_bucket_size 64; +# proxy_headers_hash_max_size 512; +# proxy_headers_hash_bucket_size 64; - proxy_headers_hash_max_size 512; - proxy_headers_hash_bucket_size 64; +# variables_hash_bucket_size 256; +# variables_hash_max_size 2048; - variables_hash_bucket_size 256; - variables_hash_max_size 2048; +# underscores_in_headers off; +# ignore_invalid_headers on; - underscores_in_headers off; - ignore_invalid_headers on; +# include /etc/nginx/mime.types; +# default_type text/html; - include /etc/nginx/mime.types; - default_type text/html; +# gzip on; +# gzip_comp_level 1; +# gzip_http_version 1.1; +# gzip_min_length 256; +# gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component; +# gzip_proxied any; +# gzip_vary on; - gzip on; - gzip_comp_level 1; - gzip_http_version 1.1; - gzip_min_length 256; - gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component; - gzip_proxied any; - gzip_vary on; +# # Custom headers for response - # Custom headers for response +# server_tokens off; - server_tokens off; +# server_name_in_redirect off; +# port_in_redirect off; - server_name_in_redirect off; - port_in_redirect off; +# # global log +# log_format main $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time "$http_x_forwarded_for"; - # global log - log_format main $remote_addr - $remote_user 
[$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time "$http_x_forwarded_for"; +# access_log /var/log/nginx/access.log main; +# error_log /var/log/nginx/error.log error; - access_log /var/log/nginx/access.log main; - error_log /var/log/nginx/error.log error; +# proxy_ssl_session_reuse on; - proxy_ssl_session_reuse on; +# # Global filters - # Global filters +# # timeout +# resolver_timeout 30s; +# send_timeout 60s; - # timeout - resolver_timeout 30s; - send_timeout 60s; +# ## start server 80 +# server { - ## start server 80 - server { +# server_name _; +# listen 8080; - server_name _; - listen 8080; +# location / { +# add_header Access-Control-Allow-Headers "access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,content-type,x-auth,x-unauth-error,x-authorization"; +# add_header Access-Control-Allow-Methods "PUT, GET, DELETE, POST, OPTIONS"; +# proxy_hide_header Access-Control-Allow-Origin; +# add_header Access-Control-Allow-Origin $http_origin; +# add_header Access-Control-Allow-Credentials true; +# proxy_connect_timeout 30s; +# proxy_send_timeout 60s; +# proxy_read_timeout 300s; +# proxy_set_header Host $host; +# proxy_set_header X-Forwarded-Host $http_host; +# proxy_set_header X-Real-IP $remote_addr; +# proxy_set_header X-Forwarded-For $remote_addr; +# proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; - location / { - add_header Access-Control-Allow-Headers "access-control-allow-headers,access-control-allow-methods,access-control-allow-origin,content-type,x-auth,x-unauth-error,x-authorization"; - add_header Access-Control-Allow-Methods "PUT, GET, DELETE, POST, OPTIONS"; - proxy_hide_header Access-Control-Allow-Origin; - add_header Access-Control-Allow-Origin $http_origin; - add_header Access-Control-Allow-Credentials true; - proxy_connect_timeout 30s; - proxy_send_timeout 60s; - proxy_read_timeout 300s; - proxy_set_header Host $host; - proxy_set_header 
X-Forwarded-Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for; +# if ($request_method = 'OPTIONS') { +# return 204; +# } - if ($request_method = 'OPTIONS') { - return 204; - } +# proxy_pass http://seafile; +# } - proxy_pass http://seafile; - } +# } - } +# # default server, used for NGINX healthcheck and access to nginx stats +# server { +# listen 127.0.0.1:10246; - # default server, used for NGINX healthcheck and access to nginx stats - server { - listen 127.0.0.1:10246; +# keepalive_timeout 0; +# gzip off; +# access_log off; - keepalive_timeout 0; - gzip off; - access_log off; +# location /healthz { +# return 200; +# } - location /healthz { - return 200; - } +# location /nginx_status { +# stub_status on; +# } - location /nginx_status { - stub_status on; - } - - location / { - return 404; - } - } - } -kind: ConfigMap -metadata: - name: seafile-nginx-configs - namespace: {{ .Release.Namespace }} +# location / { +# return 404; +# } +# } +# } +# kind: ConfigMap +# metadata: +# name: seafile-nginx-configs +# namespace: {{ .Release.Namespace }} diff --git a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml index 892addb4c..e86683cc8 100644 --- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml +++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/systemserver_deploy.yaml 
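Review bot: The whole seafile_fe_deploy.yaml manifest is kept as a commented-out block instead of being deleted, leaving a 170-line file that renders to nothing; the files-provider.yaml hunk in this same commit removes a stale commented-out block, so the two changes pull in opposite directions. Delete the file (git history preserves it), or if it is kept as a reference for the nginx proxy, replace the body with a short header comment stating that the Service is now provided by system-apps/templates/seafile-provider.yaml. Note the commented text still contains template expressions like `{{ .Release.Namespace }}`; Helm evaluates `{{ }}` before YAML comment stripping, so a future edit that introduces an undefined value inside the comment would still fail rendering.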
@@ -242,6 +242,30 @@ data: "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy stat_prefix: destination cluster: cluster_fakes3_proxy + - name: listener_infisical_proxy + address: + socket_address: + address: 0.0.0.0 + port_value: 8080 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: destination + cluster: cluster_infisical_proxy + - name: listener_vault_proxy + address: + socket_address: + address: 0.0.0.0 + port_value: 3000 + filter_chains: + - filters: + - name: envoy.filters.network.tcp_proxy + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy + stat_prefix: destination + cluster: cluster_vault_proxy clusters: - name: cluster_redis_proxy connect_timeout: 30s @@ -334,6 +358,32 @@ data: socket_address: address: tapr-s3-svc.os-platform.svc.cluster.local port_value: 4568 + - name: cluster_infisical_proxy + connect_timeout: 30s + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + load_assignment: + cluster_name: cluster_infisical_proxy + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: infisical-service.os-framework.svc.cluster.local + port_value: 8080 + - name: cluster_vault_proxy + connect_timeout: 30s + type: LOGICAL_DNS + dns_lookup_family: V4_ONLY + load_assignment: + cluster_name: cluster_vault_proxy + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: vault-server.os-framework.svc.cluster.local + port_value: 3000 kind: ConfigMap metadata: name: systemserver-proxy-configs
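Review bot: Both new listeners reuse `stat_prefix: destination`, so the tcp_proxy metrics for infisical and vault traffic are folded into the same counters as the existing proxies and cannot be told apart when debugging; give each its own prefix, e.g. `stat_prefix: infisical_proxy` and `stat_prefix: vault_proxy`. Beyond that, `envoy.filters.network.tcp_proxy` on `0.0.0.0:8080` and `0.0.0.0:3000` is a plain L4 pass-through with no authentication or filtering, so routing user-space through systemserver only improves isolation if ingress to the os-framework backends is restricted (e.g. by NetworkPolicy) to the systemserver pods; that policy is not part of this patch and is worth a comment on the listener so the assumption is recorded. The cluster definitions in the second hunk hardcode `infisical-service.os-framework.svc.cluster.local` and `vault-server.os-framework.svc.cluster.local`, which matches the existing `tapr-s3-svc.os-platform` cluster style.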