frigate: lan ingress auth=none for HA Sofia integration

The frigate-lan.viktorbarzin.lan ingress had Authentik forward-auth in front. HA Sofia's frigate integration polls /api/config and only knows how to use Frigate's own API key (not browser SSO), so every poll got a 302 to authentik.viktorbarzin.me and the integration entered the errors-state. Same pattern as idrac-redfish-exporter (5c594291). allow_local_access_only IP allowlist + Frigate's API key are enough. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 22:02:21 +00:00 · 2026-05-10 22:02:21 +00:00 · dc7c19d88e
commit dc7c19d88e
parent dc134011eb
1 changed files with 7 additions and 2 deletions
--- a/stacks/frigate/main.tf
+++ b/stacks/frigate/main.tf
@ -309,8 +309,13 @@ module "ingress" {
 }

 module "ingress-internal" {
-  source                  = "../../modules/kubernetes/ingress_factory"
-  auth                    = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # Auth disabled: HA Sofia's frigate integration uses an API key
+  # (set inside HA), not browser SSO. With auth=required, the integration
+  # gets a 302 to authentik.viktorbarzin.me on every poll and reports
+  # the integration as broken. local-only IP allowlist + Frigate's own
+  # API-key auth are sufficient.
+  auth                    = "none"
  namespace               = kubernetes_namespace.frigate.metadata[0].name
  name                    = "frigate-lan"
  host                    = "frigate-lan"