Add reuse service landing page
@@ -42,8 +42,30 @@ export REUSE_SURFACE_URL=http://127.0.0.1:18001
|
||||
| Chart | `charts/reuse-surface` |
|
||||
| Values | `helm/reuse-surface-values.yaml` |
|
||||
| Image | `gitea.coulomb.social/coulomb/reuse-surface:<tag>` |
|
||||
| Landing image | `nginxinc/nginx-unprivileged:1.27-alpine` |
|
||||
| Secret | `reuse-surface-env` (`REUSE_SURFACE_TOKEN`) |
|
||||
|
||||
## Browser landing page
|
||||
|
||||
`https://reuse.coulomb.social/` serves a static no-login landing page from the
|
||||
Helm-managed `reuse-surface-landing` Deployment and Service. It exists for
|
||||
humans who open the hostname in a browser; it does not change the API service.
|
||||
|
||||
Ingress routing is intentionally split:
|
||||
|
||||
- HTTP `/` redirects permanently to `https://reuse.coulomb.social/`;
|
||||
- HTTPS `/health` and `/v1/*` route to `svc/reuse-surface`;
|
||||
- HTTPS `/` and other non-API browser paths route to
|
||||
`svc/reuse-surface-landing`.
|
||||
|
||||
The rendered page includes `noindex,nofollow`, a short service description, and
|
||||
links to `/health`, `/v1/federated`, and this operator runbook. It must not
|
||||
include `REUSE_SURFACE_TOKEN` or any other runtime secret.
|
||||
|
||||
Rollback: set `landing.enabled: false` in `helm/reuse-surface-values.yaml` and
|
||||
run `KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy`; the ingress will
|
||||
return to routing all `/` traffic to the API service.
|
||||
|
||||
## Deploy
|
||||
|
||||
```bash
|
||||
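Review bot: The new "Landing image" row pins `nginxinc/nginx-unprivileged:1.27-alpine` by tag only, so the public landing pod can change content on a re-pull without any change in this repository. Consider recording the image digest next to the tag in the table and in `helm/reuse-surface-values.yaml`. In the "Browser landing page" section, the sentence that the page "must not include `REUSE_SURFACE_TOKEN` or any other runtime secret" is a stated requirement with no check behind it; it would help to say how that is verified, for example that the landing Deployment does not mount `reuse-surface-env` at all.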
@@ -67,7 +89,10 @@ KUBECONFIG=~/.kube/config-hosteurope make reuse-status
|
||||
## Smoke checks
|
||||
|
||||
```bash
|
||||
curl -I http://reuse.coulomb.social/
|
||||
curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/
|
||||
curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health
|
||||
curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/v1/federated
|
||||
|
||||
export REUSE_SURFACE_TOKEN=$(KUBECONFIG=~/.kube/config-hosteurope kubectl get secret reuse-surface-env -n reuse \
|
||||
-o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d)
|
||||
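Review bot: The HTTPS smoke checks all pass `-k`, which turns off certificate verification, so they succeed even when the ingress presents an expired certificate or one for a different host. Since `--resolve reuse.coulomb.social:443:92.205.62.239` already keeps the hostname intact for SNI and name matching, `-k` can be dropped so a TLS problem fails the check. The `/` check also only fetches the page; piping it through a grep for `noindex` would confirm the landing service answered rather than the API.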
@@ -95,4 +120,4 @@ KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy
|
||||
```
|
||||
|
||||
Bootstrap copy on CoulombCore (`92.205.130.254`) was removed 2026-06-15 — use
|
||||
`config-hosteurope` only.
|
||||
`config-hosteurope` only.
|
||||
|
||||
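Review bot: The line "`config-hosteurope` only." appears twice in this 4-line hunk with identical visible text, which suggests a whitespace or end-of-file newline change rather than a content change. If that is unintentional, drop it from the commit so the diff stays limited to the landing-page work.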
@@ -64,6 +64,40 @@ workplans first.
|
||||
headers to a value included in the app's allowed hosts.
|
||||
- [ ] Keep readiness and liveness paths stable and unauthenticated.
|
||||
|
||||
## Endpoint Landing Pages
|
||||
|
||||
- [ ] Give every public S5 endpoint an intentional browser response at `/`.
|
||||
- [ ] For API-only services, serve a static informational landing page at `/`
|
||||
that states the service purpose, avoids any login claim, does not expose or
|
||||
hint at runtime secrets, and links only to non-secret health/status or
|
||||
operator documentation.
|
||||
- [ ] For UI-backed services, a landing page may forward users to the canonical
|
||||
login or application route, but it must also include a visible button for the
|
||||
same destination.
|
||||
- [ ] Preserve existing machine-facing paths. Health probes, API prefixes,
|
||||
OAuth callbacks, and static asset routes must continue to reach their owning
|
||||
backend after the landing page is enabled.
|
||||
- [ ] For API-only endpoints, route explicit API/probe paths such as `/health`
|
||||
and `/v1` to the API service, then use `/` as the landing fallback. Avoid
|
||||
competing exact `/` and prefix `/` rules for different backends.
|
||||
- [ ] Add `noindex` metadata for operator and service landing pages that are
|
||||
not intended as public marketing pages.
|
||||
|
||||
Example UI-backed landing values:
|
||||
|
||||
```yaml
|
||||
landing:
|
||||
enabled: true
|
||||
title: "Application sign-in"
|
||||
eyebrow: "app.example.coulomb.social"
|
||||
body: "You are being sent to the application sign-in page."
|
||||
buttonLabel: "Continue to sign-in"
|
||||
redirect:
|
||||
enabled: true
|
||||
target: "/login/"
|
||||
delaySeconds: 5
|
||||
```
|
||||
|
||||
## Validation And Smoke Tests
|
||||
|
||||
- [ ] Run `make check-tools`.
|
||||
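Review bot: The UI-backed item and the example `redirect.target: "/login/"` do not say what a valid redirect target is. Add a checklist line that the target must be a fixed, same-origin relative path set in chart values and never derived from the request (query string, `Referer`, or Host header), so the landing page cannot be turned into a redirector to another site. The "does not expose or hint at runtime secrets" requirement also has no counterpart under "Validation And Smoke Tests"; a matching check item there would make it testable.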
@@ -73,8 +107,8 @@ workplans first.
|
||||
- [ ] Use the persistent-pod plus `kubectl exec` smoke pattern from
|
||||
`docs/operator-recipes.md`.
|
||||
- [ ] Capture app-level deployment evidence: dry-run result, rollout status,
|
||||
HTTPS or service smoke check, migration result when applicable, and rollback
|
||||
note.
|
||||
HTTPS or service smoke check, landing-page check when enabled, migration
|
||||
result when applicable, and rollback note.
|
||||
|
||||
## Runbook Baseline
|
||||
|
||||
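Review bot: The added "landing-page check when enabled" in the deployment evidence item is not defined anywhere in this checklist, so two operators can record different things. Spell out the minimum: `/` returns the landing page over HTTPS, the response carries the `noindex` metadata, and the preserved machine-facing paths (health probe, API prefix) still reach their owning backend.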
@@ -86,6 +120,7 @@ Each S5 app runbook should include:
|
||||
- day-to-day operator commands;
|
||||
- image promotion steps;
|
||||
- rollback behavior and migration warning;
|
||||
- public `/` landing-page behavior and the canonical login or API entrypoints;
|
||||
- troubleshooting for probes, database URLs, TLS, and app-specific failure
|
||||
modes;
|
||||
- backup and restore readiness gate;
|
||||
|
||||
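Review bot: The new runbook bullet "public `/` landing-page behavior and the canonical login or API entrypoints" covers what the page does but not how to turn it off. The reuse-surface runbook in this same commit documents a rollback via `landing.enabled: false`; requiring that toggle and its effect on ingress routing in every S5 runbook would keep the baseline consistent with the "rollback behavior" bullet above it.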