From fb84affce64be4525f55157c3b699a1f6ce36167 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 10 Jan 2026 20:41:00 +0000
Subject: [PATCH] disable auth-response-headers for idrac and gw ingresses as they cause errors on the upstream [ci skip]
---
 modules/kubernetes/reverse_proxy/main.tf | 27 ++++++++----------------
 1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf
index 3ea44e12..dd5fd4ef 100644
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@@ -82,7 +82,11 @@ module "idrac" {
 port = 443
 tls_secret_name = var.tls_secret_name
 backend_protocol = "HTTPS"
- depends_on = [kubernetes_namespace.reverse-proxy]
+ extra_annotations = {
+ # authentik causes 413; we don't need the header below
+ "nginx.ingress.kubernetes.io/auth-response-headers" : null
+ }
+ depends_on = [kubernetes_namespace.reverse-proxy]
 }
 # Can either listen on https or http; can't do both :/
@@ -96,23 +100,10 @@ module "tp-link-gateway" {
 backend_protocol = "HTTPS"
 depends_on = [kubernetes_namespace.reverse-proxy]
 protected = true
- # Doesn't work due to 413 due to GA/authentik cookie
- # additional_configuration_snippet = <<-EOF
- # # 1. Try to extract the sysauth cookie and its value
- # # This regex looks for 'sysauth=' followed by everything until a semicolon or end of string
- # set $sysauth_only "";
- # if ($http_cookie ~* "sysauth=([^;]+)") {
- # set $sysauth_only "sysauth=$1";
- # }
-
- # # 2. Overwrite the Cookie header.
- # # If sysauth was found, only it is sent. If not found, no cookies are sent.
- # proxy_set_header Cookie $sysauth_only;
- # EOF
- # extra_annotations = {
- # client-header-buffer-size : "16k"
- # large-client-header-buffers : "4 16k"
- # }
+ extra_annotations = {
+ # authentik causes 413; we don't need the header below
+ "nginx.ingress.kubernetes.io/auth-response-headers" : null
+ }
 }
 # https://truenas.viktorbarzin.me/
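Review bot: The `null` value given to `"nginx.ingress.kubernetes.io/auth-response-headers"` in the idrac hunk (and in the identical block in the tp-link-gateway hunk) only removes the annotation if the ingress module filters null entries when it merges `extra_annotations`, and that module code is not visible here. A plan or a look at the rendered Ingress should confirm that only the header pass-through is dropped and the `nginx.ingress.kubernetes.io/auth-url` annotation is still present, since iDRAC is a management interface. The comment would be clearer as `# authentik's response headers make the upstream reject the request with 413; forward-auth itself stays enabled`. The `module "idrac"` block starts above the hunk, so whether it sets `protected = true` cannot be checked from these lines.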
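Review bot: In the tp-link-gateway hunk the deleted commented-out snippet was the only record that the client's `Cookie` header was meant to be narrowed to `sysauth` before reaching the device, and nothing in the new lines replaces it. As far as this hunk shows, the gateway's web UI presumably still receives whatever cookies the browser sends for this host, which may include the authentik session cookie if that is scoped to the parent domain. Since the history is being removed, a one-line comment would keep the decision visible, for example `# NOTE: cookies are forwarded to the upstream unfiltered; the sysauth-only filter was dropped because of the 413`.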