openclaw: task-webhook ingress auth required->none (inbound Forgejo webhook)

The task-webhook host is an inbound webhook receiver: Forgejo (a machine with no Authentik SSO cookie) POSTs issue/comment events, so forward-auth 302-bounced every delivery and silently dropped all webhooks. Flip only this ingress to auth=none; the do_POST handler gates on payload action + bot-user filtering. Gateway (openclaw) and openlobster stay auth=required. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-02 21:55:25 +00:00 · 2026-06-02 21:55:25 +00:00 · 982dc9e63a
commit 982dc9e63a
parent 91d110acf5
1 changed files with 3 additions and 2 deletions
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -1685,8 +1685,9 @@ resource "kubernetes_service" "task_webhook" {
 }

 module "task_webhook_ingress" {
-  source           = "../../modules/kubernetes/ingress_factory"
-  auth             = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": inbound Forgejo webhook receiver - machine sender (no Authentik SSO cookie); receiver filters on payload action + bot-user
+  auth             = "none"
  namespace        = kubernetes_namespace.openclaw.metadata[0].name
  name             = "task-webhook"
  tls_secret_name  = var.tls_secret_name