reverse-proxy: dedicated rate limit for ha-london; bump ha-sofia (cold-client 429s)

New, empty-cache clients (the repurposed Meta Portal running the HA companion app) cold-load the whole HA frontend at once - dozens of frontend_latest/*.js + MDI icon chunks. ha-london had no per-service rate limit, so it fell back to the global 10/s burst 50 and 429'd those chunks, leaving every dashboard blank (Settings, which loads less, worked). Give ha-london its own 200/500 middleware (skip_global_rate_limit, mirroring ha-sofia, with depends_on to avoid the dangling-middleware 404 window) and bump ha-sofia 100/200 -> 200/500 so a cold Portal load of Sofia doesn't hit the same wall. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 19:53:47 +00:00 · 2026-06-17 19:53:47 +00:00 · 677a181d49
commit 677a181d49
parent 9565ff1ce5
1 changed files with 36 additions and 4 deletions
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@ -238,8 +238,10 @@ resource "kubernetes_manifest" "ha_sofia_rate_limit" {
    }
    spec = {
      rateLimit = {
-        average = 100
-        burst   = 200
+        # Bumped 100/200 -> 200/500 (2026-06-17): a cold HA-frontend load from a
+        # new, empty-cache client bursts dozens of JS/icon chunks and 429'd.
+        average = 200
+        burst   = 500
      }
    }
  }
@ -342,6 +344,27 @@ module "music-assistant" {
  }
 }

+# Rate limit for ha-london — cold HA-frontend loads from a new, empty-cache
+# client (e.g. the repurposed Portal) burst dozens of JS/icon chunks at once;
+# the global 10/50 default 429'd them, blanking the dashboards. Generous own
+# limit, mirroring ha-sofia. (2026-06-17)
+resource "kubernetes_manifest" "ha_london_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "ha-london-rate-limit"
+      namespace = "reverse-proxy"
+    }
+    spec = {
+      rateLimit = {
+        average = 200
+        burst   = 500
+      }
+    }
+  }
+}
+
 # https://ha-london.viktorbarzin.me/
 module "ha-london" {
  source          = "./factory"
@ -350,8 +373,17 @@ module "ha-london" {
  external_name   = "ha-london.viktorbarzin.lan"
  port            = 8123
  tls_secret_name = var.tls_secret_name
-  depends_on      = [kubernetes_namespace.reverse-proxy]
-  protected       = false
+  # depends_on on the rate-limit manifest avoids a dangling-reference window
+  # that would 404 ha-london traffic (see ha-sofia / memory 768).
+  depends_on = [
+    kubernetes_namespace.reverse-proxy,
+    kubernetes_manifest.ha_london_rate_limit,
+  ]
+  protected              = false
+  skip_global_rate_limit = true
+  extra_middlewares = [
+    "reverse-proxy-ha-london-rate-limit@kubernetescrd",
+  ]
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Home Assistant London"