Teststand

deploy/quadlet/kubeviz-traefik.container

@@ -0,0 +1,47 @@
+[Unit]
+Description=KubeViz behind Traefik (Podman network)
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+ContainerName=kubeviz
+Image=localhost/kubeviz:prod
+Pull=always
+
+# Attach to the same user-defined network as Traefik.
+Network=traefik.network
+
+Environment=TZ=Europe/Berlin
+Environment=ADDR=:8080
+Environment=SESSION_TTL=30m
+Environment=MAX_UPLOAD_SIZE=5242880
+Environment=COOKIE_SECURE=true
+Environment=LOG_LEVEL=info
+Environment=GIT_ALLOWED_HOSTS=github.com,gitlab.com,gitea.smb-corp.de
+
+NoNewPrivileges=true
+ReadOnly=true
+Tmpfs=/tmp:rw,size=128m,mode=1777
+User=65532
+Group=65532
+
+# Traefik labels (Podman provider)
+Label=traefik.enable=true
+Label=traefik.http.routers.kubeviz.rule=Host(`kubeviz.valtrix.systems`)
+Label=traefik.http.routers.kubeviz.entrypoints=websecure
+Label=traefik.http.routers.kubeviz.tls=true
+Label=traefik.http.routers.kubeviz.tls.certresolver=letsencrypt
+Label=traefik.http.routers.kubeviz.middlewares=kubeviz-sec-headers,kubeviz-auth
+Label=traefik.http.services.kubeviz.loadbalancer.server.port=8080
+Label=traefik.docker.network=traefik
+Label=traefik.http.middlewares.kubeviz-sec-headers.headers.customResponseHeaders.Content-Security-Policy=default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; script-src-elem 'self' 'unsafe-inline'; connect-src 'self' wss: https:; font-src 'self' data:; worker-src 'self' blob:;
+Label=traefik.http.middlewares.kubeviz-auth.basicauth.users=smb:REPLACE_WITH_HTPASSWD_HASH
+
+[Service]
+Restart=always
+RestartSec=3
+TimeoutStartSec=90
+TimeoutStopSec=20
+
+[Install]
+WantedBy=multi-user.target