tasks: public ingress carve-out for PWA icons; adopt orphaned stack state
All checks were successful
ci/woodpecker/push/default Pipeline was successful
macOS Safari's Add to Dock (and iOS/Android home-screen installs) fetch the app icon and web manifest without any session cookies, so the Authentik forward-auth 302 on tasks.viktorbarzin.me made Safari fall back to a letter monogram instead of the real icon.

Viktor asked for an ingress carve-out so exactly these five static PWA assets are publicly fetchable: /apple-touch-icon.png, /favicon.png, /pwa-192x192.png, /pwa-512x512.png, /manifest.webmanifest.

A second ingress_factory instance (auth=none, dns_type=none, same host) routes only those paths straight to the tasks service; the SPA shell and /api stay behind Authentik exactly as before. The new carve-out is also registered in the Authentik walling-off probe so a future regression (anything 302-ing these paths to Authentik again) alarms, and the service catalog entry records the exception.

stacks/tasks/imports.tf adopts the live tasks resources into Terraform state first: the stack's first-ever apply (pipeline 477, 2026-07-03) died mid-apply after creating the resources but before the pg state write, leaving tasks.states empty — without the import blocks this (and every future) tasks apply would create-fail with 'already exists'. Same pattern as the monitoring alert-digest adoption.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent c91fa881e6
commit c311a6a3c9
4 changed files with 92 additions and 1 deletions
@ -60,6 +60,10 @@ locals {
# t3 dispatch probe surface (auth="none" path carve-out on /probe): WS echo
# + healthz for the t3-probe drop-attribution client (stacks/t3code).
"t3-probe-ws" = "https://t3.viktorbarzin.me/probe/healthz"
# tasks PWA icons + manifest (auth="none" path carve-out, stacks/tasks
# module.ingress_icons): macOS/iOS/Android icon fetchers carry no session
# cookies, so an Authentik 302 here breaks Add-to-Dock icons.
"tasks-icons" = "https://tasks.viktorbarzin.me/apple-touch-icon.png"
# NOTE: openclaw task-webhook (auth="none") is intentionally NOT probed — it
# has no public DNS record (NXDOMAIN, external_monitor=false), so there is no
# externally GET-able URL to probe. Its carve-out is internal-only.
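
Review bot: the "tasks-icons" entry probes only /apple-touch-icon.png, while the commit message carves out five paths, so a regression that drops or re-walls one of the other four (most notably /manifest.webmanifest, which is fetched separately from the icons) would not alarm. Consider adding a second entry for the manifest, for example a key such as "tasks-manifest" pointing at https://tasks.viktorbarzin.me/manifest.webmanifest, or extend the comment to say that this single URL is intended to stand in for all five paths because they share one ingress.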