From 5dc5cd53c0256a87c29094adb4590f238e7fe07e Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 2 Jun 2026 20:37:33 +0000
Subject: [PATCH] url/shlink: ingress url.viktorbarzin.me auth required -> none

Authentik forward-auth on the shlink REST API + short-link domain (url.viktorbarzin.me) 302s shlink-web's cross-origin API XHR (CORS preflight) and SSO-bounces every public short link. Result: the admin UI showed "Something went wrong while loading short URLs" and short links never resolved for logged-out clients. The shlink REST API is self-gated by its X-Api-Key and short links are public by design, so Authentik must not front this domain. CrowdSec + rate-limit + anti-AI bot-block still apply. The admin web UI (shlink.viktorbarzin.me) stays auth=required via module.ingress-web.

Co-Authored-By: Claude Opus 4.8
---
 stacks/url/main.tf | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/stacks/url/main.tf b/stacks/url/main.tf
index 2f1dd067..9ff36052 100644
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@@ -24,7 +24,7 @@ resource "kubernetes_namespace" "shlink" {
 name = "url"
 labels = {
 "istio-injection" : "disabled"
- tier = local.tiers.aux
+ tier = local.tiers.aux
 "keel.sh/enrolled" = "true"
 }
 }
@@ -297,8 +297,14 @@ resource "kubernetes_service" "shlink" {
 }
 
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": url.viktorbarzin.me serves public short-link redirects plus
+ # the shlink REST API, which is self-gated by its X-Api-Key (CrowdSec +
+ # rate-limit + anti-AI bot-block still front it). Authentik forward-auth must
+ # NOT gate it — forward-auth 302s shlink-web's cross-origin API XHR (CORS
+ # preflight) and SSO-bounces every public short link. The admin web UI
+ # (shlink.viktorbarzin.me) stays auth = "required" via module.ingress-web.
+ auth = "none"
 dns_type = "proxied"
 namespace = kubernetes_namespace.shlink.metadata[0].name
 name = "url"
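Review bot: With `auth = "none"` on `module "ingress"`, the shlink X-Api-Key becomes the only access control on the REST API for this host, and the change covers the whole domain rather than only the short-link redirect paths. The new comment explains why forward-auth had to go, but it does not record where that key is provisioned or rotated; I would add a line such as `# X-Api-Key is now the sole gate on /rest: stored/rotated at <location of the key secret>.` so the next reader can find the control this relies on. If ingress_factory can apply a tighter rate limit per path (not visible in this hunk), a stricter limit on the `/rest/` prefix than on redirects would bound key guessing. A post-apply check that a REST request without X-Api-Key is rejected while a short link still resolves logged-out would confirm the intended split. The module block continues past the end of the hunk, so other arguments that affect exposure are not visible here.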