url/shlink: ingress url.viktorbarzin.me auth required -> none

Authentik forward-auth on the shlink REST API + short-link domain (url.viktorbarzin.me) 302s shlink-web's cross-origin API XHR (CORS preflight) and SSO-bounces every public short link. Result: the admin UI showed "Something went wrong while loading short URLs" and short links never resolved for logged-out clients. The shlink REST API is self-gated by its X-Api-Key and short links are public by design, so Authentik must not front this domain. CrowdSec + rate-limit + anti-AI bot-block still apply. The admin web UI (shlink.viktorbarzin.me) stays auth=required via module.ingress-web. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 20:37:33 +00:00 · 2026-06-02 20:37:33 +00:00 · 5dc5cd53c0
commit 5dc5cd53c0
parent fe8db19aaf
1 changed files with 9 additions and 3 deletions
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@ -24,7 +24,7 @@ resource "kubernetes_namespace" "shlink" {
    name = "url"
    labels = {
      "istio-injection" : "disabled"
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
      "keel.sh/enrolled" = "true"
    }
  }
@ -297,8 +297,14 @@ resource "kubernetes_service" "shlink" {
 }

 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": url.viktorbarzin.me serves public short-link redirects plus
+  # the shlink REST API, which is self-gated by its X-Api-Key (CrowdSec +
+  # rate-limit + anti-AI bot-block still front it). Authentik forward-auth must
+  # NOT gate it — forward-auth 302s shlink-web's cross-origin API XHR (CORS
+  # preflight) and SSO-bounces every public short link. The admin web UI
+  # (shlink.viktorbarzin.me) stays auth = "required" via module.ingress-web.
+  auth            = "none"
  dns_type        = "proxied"
  namespace       = kubernetes_namespace.shlink.metadata[0].name
  name            = "url"