bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity
Files
1926bdaf3bb26066a0ce96f6c801deb238369af8
bluejay-infra/apps/fc-desktop/fc-desktop.yaml
Andrew Stoltz e65de2938b feat(ingress): single-host Guacamole via guacamole-namespace IngressRoute 
Cluster Traefik disallows cross-namespace service refs from
IngressRoutes, so the PathPrefix(/guacamole) rule I added to
fc-desktop IngressRoute in 292528e failed with:

  "service guacamole/guacamole not in the parent resource namespace
  fc-desktop"

Move the /guacamole path match into the guacamole namespace where
the Service actually lives:

- apps/guacamole/guacamole.yaml adds a new `guacamole-desktop-path`
  IngressRoute matching `Host(desktop.iamworkin.lan) &&
  PathPrefix(/guacamole)` → guacamole:8080 (no add-prefix middleware;
  the browser already sends the /guacamole/* path that Guacamole's
  servlet serves at).
- New Certificate `desktop-guacamole-path-tls` for desktop.iamworkin.lan
  in the guacamole namespace, issued by step-ca-acme. Separate cert
  from fc-desktop's remotedesktop-web-tls because Secret refs are
  also scoped per-namespace; duplicating the cert is cheaper than
  enabling cross-namespace secret refs cluster-wide.
- Revert the cross-namespace attempt in apps/fc-desktop/fc-desktop.yaml
  back to a Host-only route. Traefik's router matching precedence
  (longer/more-specific rule wins) handles the /guacamole vs
  catch-all priority without explicit priority: fields.

Closes the single-host Guacamole URL regression Codex's branch
introduced — GuacamolePublicUrl=https://desktop.iamworkin.lan/guacamole
now resolves to the Guacamole webapp end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 01:07:12 -05:00

41 lines
1.2 KiB
YAML
Raw Blame History

# FlowerCore Remote Desktop — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: remotedesktop-web-tls
namespace: fc-desktop
spec:
secretName: remotedesktop-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- desktop.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: remotedesktop-web
namespace: fc-desktop
spec:
entryPoints:
- websecure
routes:
# Host-level catch-all for desktop.iamworkin.lan. The /guacamole
# path-prefix match lives in apps/guacamole/guacamole.yaml as a
# separate IngressRoute in the guacamole namespace — the cluster
# Traefik disallows cross-namespace service refs, so the PathPrefix
# rule can't sit here. Traefik's router matching precedence gives
# longer/more-specific rules priority automatically, so as long as
# the guacamole IngressRoute exists it takes /guacamole traffic
# before this catch-all sees it.
- match: Host(`desktop.iamworkin.lan`)
kind: Rule
services:
- name: remotedesktop-web
port: 8080
tls:
secretName: remotedesktop-web-tls
Reference in New Issue View Git Blame Copy Permalink