The Phase 4 audit promoted three "smoke-test candidates" from `protected = false`
to `auth = "public"`, but all three are XHR / curl-driven endpoints (fetch()
calls, automation scripts) that don't survive the 302+cookie redirect dance
that the public-auto-login flow requires on first visit. fire-planner's SPA
broke immediately — every fetch() to /api/* hit a cross-origin redirect and
CORS preflight rejected it.
Important learning for the `auth = "public"` design:
`auth = "public"` is functionally equivalent to a normal Authentik forward-auth
for the FIRST request — it issues a 302 to authentik to set a guest session
cookie, then 302s back. This is invisible for top-level browser navigation
but BREAKS:
- XHR/fetch() under CORS preflight (preflight rejects redirects)
- curl/automation scripts that don't preserve cookies across requests
- Mobile / native clients that can't follow OAuth-style redirects
Use `auth = "public"` only for top-level HTML pages where the user navigates
via the browser address bar (or links). For XHR APIs, native-client surfaces,
webhooks, OAuth callbacks — use `auth = "none"`.
The plan's "smoke test 3 candidates" were misjudged on this front. Reverting
all three to `auth = "none"` (their previous behaviour). The end-to-end public
flow IS verified working via curl + flow API — the design is sound, just the
test targets were wrong.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
174 lines
4.4 KiB
HCL
174 lines
4.4 KiB
HCL
variable "tls_secret_name" {}
|
|
variable "tier" { type = string }
|
|
variable "k8s_ca_cert" {
|
|
type = string
|
|
default = ""
|
|
}
|
|
|
|
resource "kubernetes_namespace" "k8s_portal" {
|
|
metadata {
|
|
name = "k8s-portal"
|
|
labels = {
|
|
tier = var.tier
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
|
|
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
|
|
}
|
|
}
|
|
|
|
module "tls_secret" {
|
|
source = "../../../../modules/kubernetes/setup_tls_secret"
|
|
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
|
|
tls_secret_name = var.tls_secret_name
|
|
}
|
|
|
|
resource "kubernetes_config_map" "k8s_portal_config" {
|
|
metadata {
|
|
name = "k8s-portal-config"
|
|
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
|
|
}
|
|
|
|
data = {
|
|
"ca.crt" = var.k8s_ca_cert
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_deployment" "k8s_portal" {
|
|
metadata {
|
|
name = "k8s-portal"
|
|
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
|
|
labels = {
|
|
app = "k8s-portal"
|
|
tier = var.tier
|
|
}
|
|
}
|
|
|
|
spec {
|
|
replicas = 1
|
|
strategy {
|
|
type = "Recreate"
|
|
}
|
|
revision_history_limit = 3
|
|
selector {
|
|
match_labels = {
|
|
app = "k8s-portal"
|
|
}
|
|
}
|
|
|
|
template {
|
|
metadata {
|
|
labels = {
|
|
app = "k8s-portal"
|
|
}
|
|
}
|
|
|
|
spec {
|
|
container {
|
|
name = "portal"
|
|
image = "viktorbarzin/k8s-portal:latest"
|
|
port {
|
|
container_port = 3000
|
|
}
|
|
|
|
volume_mount {
|
|
name = "config"
|
|
mount_path = "/config/ca.crt"
|
|
sub_path = "ca.crt"
|
|
read_only = true
|
|
}
|
|
volume_mount {
|
|
name = "user-roles"
|
|
mount_path = "/config/users.json"
|
|
sub_path = "users.json"
|
|
read_only = true
|
|
}
|
|
resources {
|
|
requests = {
|
|
cpu = "10m"
|
|
memory = "128Mi"
|
|
}
|
|
limits = {
|
|
memory = "128Mi"
|
|
}
|
|
}
|
|
}
|
|
|
|
volume {
|
|
name = "config"
|
|
config_map {
|
|
name = kubernetes_config_map.k8s_portal_config.metadata[0].name
|
|
}
|
|
}
|
|
volume {
|
|
name = "user-roles"
|
|
config_map {
|
|
name = "k8s-user-roles"
|
|
}
|
|
}
|
|
dns_config {
|
|
option {
|
|
name = "ndots"
|
|
value = "2"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
lifecycle {
|
|
# DRIFT_WORKAROUND: CI pipeline owns image tag (kubectl set image from Woodpecker/GHA); Kyverno mutates dns_config for ndots. Reviewed 2026-04-18.
|
|
ignore_changes = [
|
|
spec[0].template[0].spec[0].dns_config, # KYVERNO_LIFECYCLE_V1
|
|
spec[0].template[0].spec[0].container[0].image, # CI updates image tag
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_service" "k8s_portal" {
|
|
metadata {
|
|
name = "k8s-portal"
|
|
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
|
|
}
|
|
|
|
spec {
|
|
selector = {
|
|
app = "k8s-portal"
|
|
}
|
|
port {
|
|
port = 80
|
|
target_port = 3000
|
|
}
|
|
}
|
|
}
|
|
|
|
module "ingress" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
dns_type = "non-proxied"
|
|
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
|
|
name = "k8s-portal"
|
|
tls_secret_name = var.tls_secret_name
|
|
auth = "required" # Require Authentik login
|
|
extra_annotations = {
|
|
"gethomepage.dev/enabled" = "true"
|
|
"gethomepage.dev/name" = "K8s Portal"
|
|
"gethomepage.dev/description" = "Kubernetes portal"
|
|
"gethomepage.dev/icon" = "kubernetes.png"
|
|
"gethomepage.dev/group" = "Core Platform"
|
|
"gethomepage.dev/pod-selector" = ""
|
|
}
|
|
}
|
|
|
|
# Unprotected ingress for the setup script and agent endpoint (needs to be
|
|
# curl-able without auth). `auth = "public"` would 302+cookie-dance on
|
|
# first visit, breaking automation that doesn't preserve cookies.
|
|
module "ingress_setup_script" {
|
|
source = "../../../../modules/kubernetes/ingress_factory"
|
|
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
|
|
name = "k8s-portal-setup"
|
|
host = "k8s-portal"
|
|
service_name = "k8s-portal"
|
|
ingress_path = ["/setup/script", "/agent"]
|
|
tls_secret_name = var.tls_secret_name
|
|
auth = "none"
|
|
}
|