fix: add haproxy sidecar to prepend PROXY protocol for registry pushes

Routes git.lunarfront.tech:443 through a local haproxy that adds the PROXY protocol header nginx requires, bypassing the DO LB hairpin.
2026-04-03 07:59:25 -05:00
parent 78e2a36859
commit 0737bf0e69
2 changed files with 41 additions and 1 deletions
--- a/runner/deployment.yaml
+++ b/runner/deployment.yaml
@@ -18,7 +18,7 @@ spec:
      nodeSelector:
        role: system
      hostAliases:
-        - ip: 10.245.189.80
+        - ip: 127.0.0.1
          hostnames:
            - git.lunarfront.tech
      containers:
@@ -55,6 +55,19 @@ spec:
            - name: runner-data
              mountPath: /data

+        - name: registry-proxy
+          image: haproxy:alpine
+          resources:
+            requests:
+              cpu: 10m
+              memory: 16Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+          volumeMounts:
+            - name: haproxy-config
+              mountPath: /usr/local/etc/haproxy
+
        - name: dind
          image: docker:dind
          securityContext:
@@ -78,3 +91,6 @@ spec:
        - name: runner-data
          persistentVolumeClaim:
            claimName: gitea-runner-data
+        - name: haproxy-config
+          configMap:
+            name: runner-haproxy-config
--- a/runner/haproxy-configmap.yaml
+++ b/runner/haproxy-configmap.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: runner-haproxy-config
+  namespace: runner
+data:
+  haproxy.cfg: |
+    global
+      daemon
+      log stdout format raw local0
+
+    defaults
+      mode tcp
+      log global
+      timeout connect 5s
+      timeout client 30s
+      timeout server 30s
+
+    frontend registry
+      bind 0.0.0.0:443
+      default_backend nginx
+
+    backend nginx
+      server nginx ingress-nginx-controller.ingress-nginx.svc.cluster.local:443 send-proxy