From 143413dc0bc8563413be7a2131cdc89d7c23c512 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 10 May 2026 18:55:04 +0000
Subject: [PATCH] =?UTF-8?q?owntracks:=20explicit=20auth=20=3D=20"none"=20?= =?UTF-8?q?=E2=80=94=20Phase=205=20audit=20completion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Phase 4 audit pass missed this site because the previous agent scoped out owntracks (it overrides the factory's middleware list via extra_annotations to use its own basic-auth middleware). Adding the explicit auth = "none" satisfies Phase 5's "every ingress has an explicit decision" goal and makes the intent visible — mobile OwnTracks clients post location data via HTTP basic-auth and can't follow Authentik forward-auth 302s.
Closes the loop on Phase 5: 122/122 active ingress_factory call sites now carry an explicit auth = "..." decision (zero callers rely on the default).
Co-Authored-By: Claude Opus 4.7
---
stacks/owntracks/main.tf | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf
index 38608ebf..970739bf 100644
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@@ -226,7 +226,12 @@ resource "kubernetes_service" "owntracks" {
 }
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
+ source = "../../modules/kubernetes/ingress_factory"
+ # OwnTracks mobile clients post location data over HTTP basic-auth (see the
+ # `owntracks-basic-auth` middleware below). They can't follow forward-auth
+ # 302s, so Authentik is bypassed; the `extra_annotations` block below
+ # overrides the factory's middleware list anyway.
+ auth = "none"
 dns_type = "proxied"
 namespace = kubernetes_namespace.owntracks.metadata[0].name
 name = "owntracks"
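Review bot: The added `auth = "none"` is only safe while the `extra_annotations` override below keeps the `owntracks-basic-auth` middleware attached to this ingress, and nothing in the module call ties the two together, so a later edit that drops or renames that annotation (or a factory change that stops honouring caller-supplied middleware) would leave the location endpoint with no authentication and no plan-time signal. The new comment should state that coupling as a hard rule rather than background, e.g. `# auth = "none" is safe ONLY because extra_annotations below pins the owntracks-basic-auth middleware; change both or neither.` Consider backing it with a Terraform `check` block (or a `validation` on the factory's inputs) that asserts the basic-auth middleware annotation is present whenever `auth = "none"` is chosen for this site, so the dependency is enforced instead of documented. Basic-auth credentials are only as protected as the transport, so it is worth confirming that both hops on the `dns_type = "proxied"` path (client to edge, edge to origin) are TLS. The `module "ingress"` block continues past the end of the hunk.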