fix: add haproxy sidecar to prepend PROXY protocol for registry pushes

Routes git.lunarfront.tech:443 through a local haproxy that adds the PROXY protocol header nginx requires, bypassing the DO LB hairpin.
2026-04-03 07:59:25 -05:00
parent 78e2a36859
commit 0737bf0e69
2 changed files with 41 additions and 1 deletions
--- a/runner/deployment.yaml
+++ b/runner/deployment.yaml
@@ -18,7 +18,7 @@ spec:
      nodeSelector:
        role: system
      hostAliases:
-        - ip: 10.245.189.80
+        - ip: 127.0.0.1
          hostnames:
            - git.lunarfront.tech
      containers:
@@ -55,6 +55,19 @@ spec:
            - name: runner-data
              mountPath: /data

+        - name: registry-proxy
+          image: haproxy:alpine
+          resources:
+            requests:
+              cpu: 10m
+              memory: 16Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+          volumeMounts:
+            - name: haproxy-config
+              mountPath: /usr/local/etc/haproxy
+
        - name: dind
          image: docker:dind
          securityContext:
@@ -78,3 +91,6 @@ spec:
        - name: runner-data
          persistentVolumeClaim:
            claimName: gitea-runner-data
+        - name: haproxy-config
+          configMap:
+            name: runner-haproxy-config