chore: cleanup

2026-03-22 01:39:49 +00:00 · 2025-02-19 15:55:21 +08:00
parent dd63bd57dc
commit dce7d269cd
2 changed files with 31 additions and 5 deletions
--- a/kube/deploy/apps/authentik/app/netpol.yaml
+++ b/kube/deploy/apps/authentik/app/netpol.yaml
@@ -8,6 +8,16 @@ metadata:
 spec:
  endpointSelector: {}
  ingress:
+    # allow HTTP traffic in-cluster
+    - fromEndpoints:
+        - matchLabels:
+            authentik.home.arpa/http: allow
+          matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "9000"
    # allow HTTPS traffic in-cluster
    - fromEndpoints:
        - matchLabels:
@@ -55,6 +65,25 @@ spec:
 # yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: &app authentik-http-in-cluster
+spec:
+  endpointSelector:
+    matchLabels:
+      authentik.home.arpa/http: allow
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: authentik
+            app.kubernetes.io/name: authentik
+            app.kubernetes.io/component: authentik
+      toPorts:
+        - ports:
+            - port: "9000"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
 metadata:
  name: &app authentik-https-in-cluster
 spec:
--- a/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
@@ -21,17 +21,14 @@ spec:
      ingress.home.arpa/nginx-external: "allow"
      ingress.home.arpa/nginx-public: "allow"
      ingress.home.arpa/cloudflare: "allow"
-      authentik.home.arpa/https: allow
+      authentik.home.arpa/http: allow
    controller:
      type: daemonset
    image:
      repository: "jank.ing/jjgadgets/jjgadgets-error-page-ingress-nginx"
      tag: "1.0.0-caddy-2.7.5@sha256:d3c928202a7496e8728b001120bb9e8319c7830a24c09aaecc1572aec7776a22"
    env:
-      AUTHENTIK_BACKEND: |
-        https://authentik.authentik.svc.cluster.local:9443 {
-          header_up Host ${APP_DNS_AUTHENTIK}
-        }
+      AUTHENTIK_BACKEND: http://authentik.authentik.svc.cluster.local:9000
    service:
      main:
        ports: