From 982dc9e63acb7a85f0a6ca2e15275d82a5dcb28a Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Tue, 2 Jun 2026 21:55:25 +0000
Subject: [PATCH] openclaw: task-webhook ingress auth required->none (inbound Forgejo webhook)

The task-webhook host is an inbound webhook receiver: Forgejo (a machine with no Authentik SSO cookie) POSTs issue/comment events, so forward-auth 302-bounced every delivery and silently dropped all webhooks. Flip only this ingress to auth=none; the do_POST handler gates on payload action + bot-user filtering. Gateway (openclaw) and openlobster stay auth=required.
Co-Authored-By: Claude Opus 4.7
---
 stacks/openclaw/main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index eda166a5..78f7f1e4 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -1685,8 +1685,9 @@ resource "kubernetes_service" "task_webhook" {
 }

 module "task_webhook_ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": inbound Forgejo webhook receiver - machine sender (no Authentik SSO cookie); receiver filters on payload action + bot-user
+ auth = "none"
 namespace = kubernetes_namespace.openclaw.metadata[0].name
 name = "task-webhook"
 tls_secret_name = var.tls_secret_name
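Review bot: With forward-auth turned off on `task_webhook_ingress`, the only gate the new comment names is filtering on payload action and bot user, and both are fields the sender controls, so they do not establish that a delivery came from Forgejo. The do_POST handler is not part of this diff; if it does not already do so, it should verify the HMAC signature Forgejo attaches when the webhook has a secret configured (the `X-Forgejo-Signature` / `X-Hub-Signature-256` header) with a constant-time comparison and reject unsigned or mismatching requests before acting on the payload. The comment should then name that control, e.g. `# auth = "none": Forgejo has no SSO cookie; do_POST authenticates deliveries by webhook HMAC signature`. The module block continues past the end of the hunk.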