From 00147789b1864620f3b5334d88a035913a8d0f1d Mon Sep 17 00:00:00 2001
From: pro-777
Date: Wed, 29 Apr 2026 13:57:51 +0300
Subject: [PATCH] ingress: route /connect and /teardown to backend (customer-facing token endpoints)
---
 templates/ingressroute.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/templates/ingressroute.yaml b/templates/ingressroute.yaml
index e328b5c..d188458 100644
--- a/templates/ingressroute.yaml
+++ b/templates/ingressroute.yaml
@@ -2,8 +2,13 @@
 # same hostname.
 #
 # Routing rules (Traefik picks longest-match-with-priority):
-# - API endpoints (/healthz, /instances, future /api/*) → backend
-# - everything else → frontend (Vue SPA)
+# - /api/*, /healthz, /connect/*, /teardown/* → backend
+# - everything else → frontend (Vue SPA)
+#
+# /connect and /teardown are customer-facing (token-bearer auth, no
+# operator JWT) — that's why they're NOT under /api. They still
+# need to land on the backend, not the SPA, so the customer's
+# `curl … | sudo bash` actually receives a shell script.
 #
 # Priority is set explicitly so Traefik doesn't fall back to its
 # heuristic; the API rule outranks the catchall, which outranks no
@@ -19,7 +24,7 @@ spec:
 - {{ .Values.ingress.entryPoint }}
 routes:
 {{- if .Values.backend.enabled }}
-- match: Host(`{{ .Values.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/healthz`))
+- match: Host(`{{ .Values.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/healthz`) || PathPrefix(`/connect`) || PathPrefix(`/teardown`))
 kind: Rule
 priority: 200
 services:
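Review bot: The new comment block in the first hunk says the response from /connect and /teardown is piped into `sudo bash`, but it does not state the transport requirement that follows from that. The entry point comes from `.Values.ingress.entryPoint`, so a plain-HTTP value would serve a root-executed script, and presumably the bearer token, in cleartext; whether TLS is enforced elsewhere in the template is not visible here. I would add a line such as `# These paths return a script the customer runs as root: ingress.entryPoint must be TLS-only.` It would also help to name where the token is validated, since the comment only says the operator JWT is not used.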
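Review bot: In the second hunk, the added `PathPrefix` matchers for /connect and /teardown are wider than the `/connect/*` and `/teardown/*` the header comment documents. As far as I know Traefik's PathPrefix is a plain string-prefix match, so paths such as /connections or /teardown-anything would also bypass the SPA and reach the backend at priority 200. If the bare paths are not needed, anchor on the segment: `` PathPrefix(`/connect/`) || PathPrefix(`/teardown/`) ``, adding `` Path(`/connect`) `` only if the backend serves it. These unauthenticated-by-JWT paths also join the same route as /api, so any middleware on that route (outside this hunk) applies to both. Check that this is intended, and that rate limiting covers the token endpoints.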