add dashboard and redis

deploy/infra/ingress-web-public.yaml

@@ -61,6 +61,21 @@ spec:
         - name: nextcloud-deny-paths
         - name: nextcloud-dav
 
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard
+    
+    
     # 3) EVERYTHING ELSE (SSO REQUIRED)
     - match: Host(`cloud.limbosolutions.com`)
       kind: Rule

deploy/infra/ingress-web.yaml

@@ -27,3 +27,16 @@ spec:
          - name: nextcloud-hostmeta
          - name: nextcloud-dav
 
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
+      kind: Rule
+      services:
+        - name: nextcloud-whiteboard
+          port: 3002
+      middlewares:
+         - name: nextcloud-security-headers
+         - name: rate-limit
+         - name: nextcloud-deny-paths
+         - name: nextcloud-wellknown
+         - name: nextcloud-hostmeta
+         - name: nextcloud-dav
+         - name: strip-whiteboard

deploy/infra/kustomization.yaml

@@ -9,5 +9,6 @@ resources:
   - storage-limbosolutions-com/pv.yaml
   - ./onlyoffice/ingress.yaml
   - ./onlyoffice/middlewares.yaml
+  - ./whiteboard/middlewares.yaml
 generatorOptions:
   disableNameSuffixHash: true

deploy/infra/network-policies.yaml

@@ -17,7 +17,7 @@ spec:
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-traefik-ingress
+  name: allow-traefik-to-nextcloud-ingress
 spec:
   endpointSelector:
     matchLabels:
@@ -42,3 +42,61 @@ spec:
     
               protocol: TCP
 
+---
+
+
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-onlyoffice-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: onlyoffice
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach onlyoffice web port
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "80"
+    
+              protocol: TCP
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-traefik-to-whiteboard-ingress
+spec:
+  endpointSelector:
+    matchLabels:
+      app: nextcloud-whiteboard
+
+  ingress:
+    # -------------------------------------------------------------
+    # Allow Traefik (internal and public) to reach whiteboard ws
+    # -------------------------------------------------------------
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: traefik
+          matchExpressions:
+            - key: k8s:io.kubernetes.pod.namespace
+              operator: In
+              values:
+                - traefik
+                - traefik-public
+      toPorts:
+        - ports:
+            - port: "3002"
+    
+              protocol: TCP

deploy/infra/onlyoffice/middlewares.yaml

@@ -28,4 +28,5 @@ spec:
     customRequestHeaders:
       X-Forwarded-Proto: "https"
       X-Forwarded-Ssl: "on"
-      X-Forwarded-Port: "443"
+      X-Forwarded-Port: "443"
+

deploy/infra/whiteboard/middlewares.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: strip-whiteboard
+spec:
+  stripPrefix:
+    prefixes:
+      - "/whiteboard"