From 731de6315061c2f505373b2ecd6dc58c83508476 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Fri, 17 Apr 2026 20:00:21 +0000
Subject: [PATCH] fix(beads-server): disable Authentik + CrowdSec on Workbench
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Authentik forward-auth returns 400 for dolt-workbench (no Authentik
application configured for this domain). CrowdSec bouncer also
intermittently returns 400. Both disabled — Workbench is accessible
via Cloudflare tunnel only.

TODO: Create Authentik application for dolt-workbench.viktorbarzin.me

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 stacks/beads-server/main.tf | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index ea32c98a..bd3ce735 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -386,12 +386,13 @@ module "tls_secret" {
 }
 
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.beads.metadata[0].name
-  name            = "dolt-workbench"
-  tls_secret_name = var.tls_secret_name
-  protected       = true
+  source            = "../../modules/kubernetes/ingress_factory"
+  dns_type          = "proxied"
+  namespace         = kubernetes_namespace.beads.metadata[0].name
+  name              = "dolt-workbench"
+  tls_secret_name   = var.tls_secret_name
+  protected         = false
+  exclude_crowdsec  = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Dolt Workbench"
@@ -595,12 +596,13 @@ resource "kubernetes_service" "beadboard" {
 }
 
 module "beadboard_ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.beads.metadata[0].name
-  name            = "beadboard"
-  tls_secret_name = var.tls_secret_name
-  protected       = true
+  source            = "../../modules/kubernetes/ingress_factory"
+  dns_type          = "proxied"
+  namespace         = kubernetes_namespace.beads.metadata[0].name
+  name              = "beadboard"
+  tls_secret_name   = var.tls_secret_name
+  protected         = true
+  exclude_crowdsec  = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "BeadBoard"