Update PDS to v0.4.208 and fix OAuth ingress routing

Upgrade PDS from pinned pre-OAuth digest to 0.4.208, which serves
.well-known/oauth-authorization-server and /oauth/* endpoints.

Simplify ingress to catch-all for sans-self.org instead of
allowlisting individual path prefixes, preventing future breakage
as the PDS adds new endpoints. Admin routes remain blocked.

+29 -14
+24
CHANGELOG.md
··· 1 + # Changelog 2 + 3 + All notable changes to this project will be documented in this file. 4 + 5 + The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). 6 + 7 + ## [Unreleased] 8 + 9 + ### Added 10 + - Add daily S3 backup cronjob for Tangled knot data (#9) 11 + - Add Tangled knot with Spindle CI/CD to k3s cluster (#1) 12 + 13 + ### Fixed 14 + - Update PDS to v0.4.208 for OAuth metadata support (#13) 15 + - Update PDS to v0.4.208 for OAuth metadata support (#13) 16 + 17 + ### Changed 18 + - Update knot hostname from git.sans-self.org to knot.sans-self.org (#12) 19 + - Deploy Tangled knot to k3s cluster (#11) 20 + - Refactor backup cronjobs to share common rclone/SQLite logic (#10) 21 + - Remove Spindle deployment and rename knot subdomain to git.sans-self.org (#7) 22 + - Add Spindle CI runner deployment with Docker-in-Docker (#5) 23 + - Add SSH ingress for Git push/pull over SSH (#4) 24 + - Add k8s manifests for Tangled knot server deployment (#3)
+1 -1
k8s/pds/deployment.yaml
··· 33 33 runAsNonRoot: false 34 34 containers: 35 35 - name: pds 36 - image: ghcr.io/bluesky-social/pds@sha256:637083d9369dff85946fbcc12ae5fcce482322ff315d70c4b6004a0be9654bc8 36 + image: ghcr.io/bluesky-social/pds:0.4.208 37 37 ports: 38 38 - containerPort: 3000 39 39 envFrom:
+4 -13
k8s/pds/ingress.yaml
··· 38 38 services: 39 39 - name: pds 40 40 port: 3000 41 - # Public xrpc endpoints (federation, sync, identity, etc) 42 - - match: Host(`sans-self.org`) && PathPrefix(`/xrpc`) 41 + # Everything else (xrpc, OAuth, .well-known, etc) 42 + - match: Host(`sans-self.org`) 43 43 kind: Rule 44 - priority: 50 45 44 middlewares: 46 45 - name: strip-server-headers 47 46 services: 48 47 - name: pds 49 48 port: 3000 50 - # Handle verification — root domain 51 - - match: Host(`sans-self.org`) && Path(`/.well-known/atproto-did`) 52 - kind: Rule 53 - middlewares: 54 - - name: strip-server-headers 55 - services: 56 - - name: pds 57 - port: 3000 58 - # Handle verification — subdomains 59 - - match: Host(`pds-test.sans-self.org`) && Path(`/.well-known/atproto-did`) 49 + # Subdomain well-known endpoints 50 + - match: Host(`pds-test.sans-self.org`) 60 51 kind: Rule 61 52 middlewares: 62 53 - name: strip-server-headers
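Review bot: In CHANGELOG.md, the "Fixed" section lists "Update PDS to v0.4.208 for OAuth metadata support (#13)" twice, on added lines 14 and 15; drop one of them. The changelog also has no entry for the ingress change in this commit (path allowlist replaced by a host-wide catch-all). That is the change with the larger exposure impact, so it deserves its own line under "Changed". Several items under "Changed" begin with "Add" (#3, #4, #5) and would sit more naturally under "Added".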
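Review bot: In k8s/pds/deployment.yaml, line 36 replaces a digest-pinned image with the mutable tag pds:0.4.208, so the content that actually runs is no longer fixed by the manifest and can change if the tag is re-pushed. Keep the readable version and the pin together by writing the image as ghcr.io/bluesky-social/pds:0.4.208@sha256:<digest of the 0.4.208 image>, with the digest resolved from the registry at upgrade time. The unchanged context also shows runAsNonRoot: false on this pod, which makes an unpinned image a somewhat larger risk than it would be for a non-root container.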
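Review bot: In k8s/pds/ingress.yaml, the rule at new line 50 widens pds-test.sans-self.org from Path(`/.well-known/atproto-did`) to the bare Host(`pds-test.sans-self.org`), yet its comment still reads "Subdomain well-known endpoints"; as written, every path on that host is forwarded to the pds service. If only well-known paths are meant, match Host(`pds-test.sans-self.org`) && PathPrefix(`/.well-known/`). If the wider match is intended, update the comment and confirm the admin block also covers this host, since that rule is not visible in this hunk. Separately, the catch-all at new line 42 drops priority: 50, so the "Admin routes remain blocked" guarantee from the commit message now depends on Traefik's default ordering by rule length. Set an explicit priority on the admin rule above the catch-all so that a later edit to either match expression cannot silently reorder them.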