From e8a4eb0f059468cb5c6d79732cf2f9055d9ebfc2 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 12 Jun 2026 08:53:02 +0000
Subject: [PATCH] tripit: satisfy the auth-comment lint on the tripit-api ingress The previous commit (c5631cff) failed CI's ingress_factory guard: the '# auth = "none": ' justification must sit directly above the auth line inside the module, not above the module block. Same content, moved to where the lint looks; no functional change.
Co-Authored-By: Claude Fable 5
---
 stacks/tripit/main.tf | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index b165c5a8..bbb3cc49 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@@ -821,14 +821,17 @@ module "ingress_planner_slack" {
 tls_secret_name = var.tls_secret_name
 }
-# Bearer-only API host for the native Shell (tripit ADR-0017, viktor/tripit#49).
-# auth = "none": the backend itself validates OIDC bearer JWTs from the
-# tripit-app Authentik provider (AUTH_MODE=hybrid, tripit slice 2) — a WebView
-# client can't do the forward-auth cookie dance, and CORS preflights would die
-# at the outpost. strip-auth-headers deletes inbound X-authentik-* so the
-# hybrid fallback header can never be spoofed through this host.
+# Bearer-only API host for the native Shell (tripit ADR-0017, viktor/tripit#49):
+# the Shell's WebView can't do the forward-auth cookie dance, and CORS
+# preflights would die at the outpost, so this host carries no Authentik
+# middleware at all.
 module "ingress_api" {
- source = "../../modules/kubernetes/ingress_factory"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": requests are gated by the backend itself — it validates
+ # OIDC bearer JWTs from the tripit-app Authentik provider (AUTH_MODE=hybrid,
+ # tripit slice 2; 401 for everything else). strip-auth-headers deletes
+ # inbound X-authentik-* so the hybrid fallback header can never be spoofed
+ # through this host.
 auth = "none"
 anti_ai_scraping = false
 dns_type = "proxied"
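Review bot: The relocated justification above `auth = "none"` names two controls, backend JWT validation and the strip-auth-headers middleware, but nothing in this hunk shows strip-auth-headers being attached to this host, and the `ingress_api` block continues past the last context line. The lint, as the commit message describes it, checks where the comment sits rather than whether it is true, so the comment should name the attribute that enforces it, for example `# strip-auth-headers is attached in this block's middleware list; removing it re-opens X-authentik-* spoofing under AUTH_MODE=hybrid.` The wording "can never be spoofed" also holds only for traffic entering through this ingress. If the backend Service can be reached by another path, the hybrid header fallback is presumably still trusted there, which is worth confirming and stating in the comment.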