outline: route via APISIX (port 9443, ApisixRoute CRD), not Traefik

Switched Bunny iron-kr-nowaf origin from :443 (Traefik) to :9443 (APISIX,
no SafeLine plugin) since APISIX plugins are per-route. Used existing
:9443 path (juiceshop already there) instead of opening a new OpenWrt
port. Outline route managed via ApisixTls + ApisixRoute CRDs because
admin-API direct PUTs get swept by apisix-ingress-controller as orphans.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
kaffa
2026-04-21 10:08:16 +09:00
parent a20c68e3a1
commit 0fbce86cfc
2 changed files with 16 additions and 2 deletions

@@ -36,12 +36,25 @@ Basic plan 한계로 host-per-path 커스텀 룰 불가, 따라서 **전용 풀
| Pull Zone | iron-kr (ID 5555227) | **iron-kr-nowaf** (ID 5720695, 신규) |
| Shield | iron-kr Shield 101015 (CRS 활성) | Shield 없음 |
| 국가차단 | middleware 64811 | middleware 64811 (동일) |
| OriginUrl | https://220.120.65.245 | https://220.120.65.245 (동일) |
| OriginUrl | https://220.120.65.245 (Traefik 직결) | **https://220.120.65.245:9443** (APISIX 경유) |
| Backend 경로 | OpenWrt :443 → HAProxy → Traefik 192.168.9.53:443 → outline IngressRoute | OpenWrt :9443 → HAProxy → APISIX 192.168.9.50:443 → ApisixRoute outline → outline svc |
| AddHostHeader | true | true |
| VerifyOriginSSL | false | false |
| EnableWebSockets | true | true |
| TLS 인증서 | LE 자동 | `*.inouter.com` wildcard (cert-manager 수동 업로드) |
### APISIX (서울 K3s)
CRD 기반으로 관리 (admin API 직접 PUT은 apisix-ingress-controller가 orphan으로 판단해 sweep함):
| 객체 | 종류 | 이름 | 비고 |
|---|---|---|---|
| SSL | `ApisixTls` | `outline-tls` | sni=`outline.inouter.com`, secret=`apisix/wildcard-inouter-tls`, ssl_id=`4e7704e0` |
| Route | `ApisixRoute` | `outline` | host=`outline.inouter.com`, upstream=`outline.outline.svc:80`, plugins 없음(SafeLine 미장착), route_id=`ce4d2d80` |
| Class | `ingressClassName: apisix` | | apisix-ingress-controller가 reconcile |
⚠️ **중요**: APISIX 객체를 admin API로 직접 PUT하면 `apisix-ingress-controller`가 ingressClassName 없는 orphan으로 판단해 자동 DELETE함. 반드시 ApisixTls/ApisixRoute CRD 사용.
### DNS
```
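Review bot: The new OriginUrl row (`https://220.120.65.245:9443`) and the ApisixRoute row (`plugins 없음(SafeLine 미장착)`) describe a path with no Shield and no SafeLine while `VerifyOriginSSL` stays `false`, but nothing in this section says what limits direct access to :9443 on the public IP. The commit message also states juiceshop is already served on the same :9443 path, so Outline now shares that listener with it. Suggest adding a row or sentence that records the source restriction in front of APISIX (or states that there is none) and whether `VerifyOriginSSL` is left off on purpose. Minor: the orphan-sweep warning is written twice, once directly under `### APISIX` and again on the ⚠️ line, and one of them can go. The `ssl_id` and `route_id` values look generated, so it is worth noting next to them that they may change if the CRDs are recreated.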

@@ -26,8 +26,9 @@ Outline은 팀 위키/문서 관리 플랫폼. K3s 클러스터에 배포.
| TLS (Traefik) | wildcard-inouter-tls (*.inouter.com) |
| TLS (CDN) | *.inouter.com wildcard (cert-manager, GTS WR1 발급) 수동 업로드 |
| CDN | BunnyCDN **iron-kr-nowaf** 존 (ID 5720695, WAF 없음, 쿠키 허용) — 2026-04-21 iron-kr에서 분리 이전 |
| Bunny Origin | https://220.120.65.245:9443 → APISIX (Traefik 미경유) |
| DNS | outline.inouter.com CNAME → iron-kr-nowaf.b-cdn.net (Cloudflare, proxied OFF) |
| Ingress | Traefik IngressRoute (CRD) |
| Ingress | **APISIX ApisixRoute `outline` (ssl_id 4e7704e0, route_id ce4d2d80)** — 2026-04-21 변경. Traefik IngressRoute는 롤백 대비 유지 중이지만 비활성 경로 |
## 인증 (Gitea OAuth2)
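Review bot: In the new Ingress row, "비활성 경로" for the retained Traefik IngressRoute holds only for traffic that arrives through Bunny; the other file in this commit still documents OpenWrt :443 → HAProxy → Traefik → outline IngressRoute, so while that object exists a request reaching :443 with Host `outline.inouter.com` would still be routed to Outline. Suggest either rewording the row to say the route is still live on :443 or recording when it will be deleted, and adding the rollback step itself (switching Bunny Origin back to :443). The table also keeps the `TLS (Traefik)` row but has no matching row for the APISIX side (`ApisixTls` `outline-tls`), which is now the certificate actually served to the CDN.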