Unauthenticated users were getting a blank login screen (and the screen would sometimes just hang). Root-caused via a read-only fan-out + adversarial verify: the login SPA cold-loads ~70 flow-executor JS/CSS chunks from /static through the SHARED 10/50 Traefik limiter, so a fresh/empty-cache load 429s the tail and a failed ES-module import aborts SPA bootstrap -> permanent blank. authentik was the only first-party SPA still on the default limiter (8 siblings already have a carve-out). NAT-shared clients trip it especially easily (shared per-IP bucket).

- traefik: new `authentik-rate-limit` Middleware (average 100 / burst 1000, mirroring the existing health/tripit carve-outs). The authentik / and /static ingresses switch to it in the authentik-stack commit.
- monitoring: the `traefik` scrape job's drop-regex was a blanket `traefik_router_.*`, which also dropped `traefik_router_requests_total` — so per-router 4xx/5xx (incl. 429/503) was neither queryable nor alertable. Narrowed it to keep the counter while still dropping the high-cardinality `*_duration_seconds_bucket` histogram, and added `AuthentikRootRouter5xxHigh` for the episodic all-3-server-pods-NotReady 502/503/504 cascade.

Docs updated (networking.md rate-limit list, .claude/CLAUDE.md). GitOps CI applies.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

||
|---|---|---|
| agent-task-tracking.md | ||
| authentication.md | ||
| automated-upgrades.md | ||
| backup-dr.md | ||
| chrome-service.md | ||
| ci-cd.md | ||
| compute.md | ||
| databases.md | ||
| dns.md | ||
| homepage.md | ||
| incident-response.md | ||
| llama-cpp.md | ||
| mailserver.md | ||
| monitoring.md | ||
| multi-tenancy.md | ||
| networking.md | ||
| overview.md | ||
| secrets.md | ||
| security.md | ||
| storage.md | ||
| vpn.md | ||
| wave1-egress-observation-2026-05-22.md | ||