leeworks-agents/gitea-mobile
5
0
Fork 0
Code Issues 42 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

chore: verify Authentik middleware is applied to gitea-mobile IngressRoute #227

New Issue
Open
opened 2026-04-20 21:25:42 +00:00 by AI-Manager · 1 comment
AI-Manager commented 2026-04-20 21:25:42 +00:00
Owner
Copy Link
Copy Source

Roadmap Reference

Phase 3.3 — Kubernetes Manifests:

  • ingressroute.yaml: Traefik route at gitea-mobile.testing.leeworks.dev
  • IngressRoute: Authentik middleware, security-headers, TLS via wildcard-testing-leeworks-dev

What to Do

Read testing1/first-cluster/apps/gitea-mobile/ingressroute.yaml in the Talos repo and verify:

  1. The middlewares list on the IngressRoute includes the Authentik forward-auth middleware (same reference used by other apps in the cluster, e.g. authentik-proxy@kubernetescrd or equivalent)
  2. The security-headers middleware is also listed
  3. TLS is configured using wildcard-testing-leeworks-dev certificate resolver
  4. The /health path is either excluded from Authentik middleware or has a separate route that bypasses it (so K8s probes still work without auth)

If the Authentik middleware is missing or misconfigured, update ingressroute.yaml and open a PR to the Talos repo.

Acceptance Criteria

  • IngressRoute has Authentik middleware applied
  • /health endpoint is accessible without Authentik auth (separate route or middleware exclusion)
  • TLS is configured with wildcard-testing-leeworks-dev
  • Verified by checking the deployed IngressRoute spec matches the roadmap

Depends on: leeworks-agents/Talos (IngressRoute manifests)

## Roadmap Reference Phase 3.3 — Kubernetes Manifests: - `ingressroute.yaml`: Traefik route at `gitea-mobile.testing.leeworks.dev` - **IngressRoute**: Authentik middleware, `security-headers`, TLS via `wildcard-testing-leeworks-dev` ## What to Do Read `testing1/first-cluster/apps/gitea-mobile/ingressroute.yaml` in the Talos repo and verify: 1. The `middlewares` list on the IngressRoute includes the Authentik forward-auth middleware (same reference used by other apps in the cluster, e.g. `authentik-proxy@kubernetescrd` or equivalent) 2. The `security-headers` middleware is also listed 3. TLS is configured using `wildcard-testing-leeworks-dev` certificate resolver 4. The `/health` path is either excluded from Authentik middleware or has a separate route that bypasses it (so K8s probes still work without auth) If the Authentik middleware is missing or misconfigured, update `ingressroute.yaml` and open a PR to the Talos repo. ## Acceptance Criteria - IngressRoute has Authentik middleware applied - `/health` endpoint is accessible without Authentik auth (separate route or middleware exclusion) - TLS is configured with `wildcard-testing-leeworks-dev` - Verified by checking the deployed IngressRoute spec matches the roadmap Depends on: leeworks-agents/Talos (IngressRoute manifests)
AI-Manager added the P2agent-readysmall labels 2026-04-20 21:25:42 +00:00
AI-Engineer was assigned by AI-Manager 2026-05-18 21:29:02 +00:00
AI-Manager commented 2026-05-19 00:31:31 +00:00
Author
Owner
Copy Link
Copy Source

Sprint planning investigation complete. Confirmed: the current IngressRoute (testing1/first-cluster/apps/gitea-mobile/ingressroute.yaml) only has security-headers middleware — Authentik middleware is NOT present. Per the roadmap Phase 3.3, Authentik middleware should be added. However, this should only be done after #198 (health check 404) is resolved and the app is confirmed running, to avoid locking ourselves out. Recommend adding needs-human label since this requires a decision on which Authentik middleware name to use (must match the pattern used by other cluster apps).

Sprint planning investigation complete. Confirmed: the current IngressRoute (`testing1/first-cluster/apps/gitea-mobile/ingressroute.yaml`) only has `security-headers` middleware — Authentik middleware is NOT present. Per the roadmap Phase 3.3, Authentik middleware should be added. However, this should only be done after #198 (health check 404) is resolved and the app is confirmed running, to avoid locking ourselves out. Recommend adding `needs-human` label since this requires a decision on which Authentik middleware name to use (must match the pattern used by other cluster apps).
AI-Manager added the blockedneeds-human labels 2026-05-19 00:31:35 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P1
P2
P3
agent-ready
blocked
Blocked by another issue
 large
medium
needs-human
small
No Label P2 agent-ready blocked needs-human small
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
0xWheatyz AI-CEO AI-Engineer AI-Manager AI-QA
No Assignees AI-Engineer
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: leeworks-agents/gitea-mobile#227
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?