ingress: route /connect and /teardown to backend (customer-facing token endpoints)
@@ -2,8 +2,13 @@
|
|||||||
# same hostname.
|
# same hostname.
|
||||||
#
|
#
|
||||||
# Routing rules (Traefik picks longest-match-with-priority):
|
# Routing rules (Traefik picks longest-match-with-priority):
|
||||||
# - API endpoints (/healthz, /instances, future /api/*) → backend
|
# - /api/*, /healthz, /connect/*, /teardown/* → backend
|
||||||
# - everything else → frontend (Vue SPA)
|
# - everything else → frontend (Vue SPA)
|
||||||
|
#
|
||||||
|
# /connect and /teardown are customer-facing (token-bearer auth, no
|
||||||
|
# operator JWT) — that's why they're NOT under /api. They still
|
||||||
|
# need to land on the backend, not the SPA, so the customer's
|
||||||
|
# `curl … | sudo bash` actually receives a shell script.
|
||||||
#
|
#
|
||||||
# Priority is set explicitly so Traefik doesn't fall back to its
|
# Priority is set explicitly so Traefik doesn't fall back to its
|
||||||
# heuristic; the API rule outranks the catchall, which outranks no
|
# heuristic; the API rule outranks the catchall, which outranks no
|
||||||
@@ -19,7 +24,7 @@ spec:
|
|||||||
- {{ .Values.ingress.entryPoint }}
|
- {{ .Values.ingress.entryPoint }}
|
||||||
routes:
|
routes:
|
||||||
{{- if .Values.backend.enabled }}
|
{{- if .Values.backend.enabled }}
|
||||||
- match: Host(`{{ .Values.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/healthz`))
|
- match: Host(`{{ .Values.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/healthz`) || PathPrefix(`/connect`) || PathPrefix(`/teardown`))
|
||||||
kind: Rule
|
kind: Rule
|
||||||
priority: 200
|
priority: 200
|
||||||
services:
|
services:
|
||||||
|
|||||||
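Review bot: On the new `match:` line, ``PathPrefix(`/connect`)`` and ``PathPrefix(`/teardown`)`` are wider than the `/connect/*` and `/teardown/*` that the header comment documents. As far as I know, Traefik's PathPrefix is a plain string-prefix test, so any other path that merely starts with those strings would also go to the backend instead of the SPA. If the backend only serves the slash-terminated form, ``PathPrefix(`/connect/`) || PathPrefix(`/teardown/`)`` would match the comment, with ``Path(`/connect`)`` added if the bare path is needed. Because these two prefixes carry no operator JWT and their response is piped into `sudo bash`, folding them into the `/api` route means they cannot get their own middlewares. The rest of the route (services, any middlewares, the `tls` block) is outside the hunk, so please confirm that `.Values.ingress.entryPoint` is TLS-only and consider a comment such as `# /connect, /teardown: bearer token is the only credential — TLS entrypoint and rate limiting required`.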