From dce7d269cdbc44f573b878376290dfd6ae5c601e Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Wed, 19 Feb 2025 15:55:21 +0800
Subject: [PATCH] chore: cleanup

---
kube/deploy/apps/authentik/app/netpol.yaml | 29 +++++++++++++++++++
.../ingress-nginx/app/default-backend.yaml | 7 ++---
2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/kube/deploy/apps/authentik/app/netpol.yaml b/kube/deploy/apps/authentik/app/netpol.yaml
index db5d4809..6a8982c3 100644
--- a/kube/deploy/apps/authentik/app/netpol.yaml
+++ b/kube/deploy/apps/authentik/app/netpol.yaml
@@ -8,6 +8,16 @@ metadata:
spec:
endpointSelector: {}
ingress:
+ # allow HTTP traffic in-cluster
+ - fromEndpoints:
+ - matchLabels:
+ authentik.home.arpa/http: allow
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "9000"
# allow HTTPS traffic in-cluster
- fromEndpoints:
- matchLabels:
@@ -55,6 +65,25 @@ spec:
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: &app authentik-http-in-cluster
+spec:
+ endpointSelector:
+ matchLabels:
+ authentik.home.arpa/http: allow
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: authentik
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/component: authentik
+ toPorts:
+ - ports:
+ - port: "9000"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
metadata:
name: &app authentik-https-in-cluster
spec:
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml b/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
index 1d4b88a6..4449bb1e 100644
--- a/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
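Review bot: The new ingress rule opens plaintext HTTP on port 9000 to any pod in any namespace that carries `authentik.home.arpa/http: allow` (the `io.kubernetes.pod.namespace` `Exists` expression), so the authentication exchange — session cookies and tokens — now crosses the pod network unencrypted unless Cilium transparent encryption (WireGuard/IPsec) is enabled cluster-wide, which should be confirmed before this lands. Because the selector keys only on a label, any principal able to set pod labels in any namespace can opt into reaching authentik; that mirrors the existing HTTPS rule, but the plaintext variant deserves saying so, e.g. `# allow HTTP traffic in-cluster (plaintext; relies on transparent encryption, any labelled pod in any namespace may opt in)`. The rule also leaves `protocol` unset, which Cilium's CRD documents as matching any L4 protocol; `protocol: TCP` beneath `- port: "9000"` pins it. The enclosing policy's kind and metadata lines are above the hunk.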
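Review bot: The new `authentik-http-in-cluster` clusterwide policy is a copy of `authentik-https-in-cluster` with only the label and port changed, and like it leaves `protocol` unset on the `toPorts` entry, which Cilium's CRD documents as matching any L4 protocol rather than TCP only; add `protocol: TCP` under `- port: "9000"`. A comment above `spec:` would help the next reader understand the blast radius, e.g. `# egress to authentik's plaintext HTTP port for any pod labelled authentik.home.arpa/http=allow, in any namespace`. The `&app` anchor is defined on `name` but no `*app` alias is visible in the hunk; if the rest of the document does not reference it, it can be dropped.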
+++ b/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
@@ -21,17 +21,14 @@ spec:
ingress.home.arpa/nginx-external: "allow"
ingress.home.arpa/nginx-public: "allow"
ingress.home.arpa/cloudflare: "allow"
- authentik.home.arpa/https: allow
+ authentik.home.arpa/http: allow
controller:
type: daemonset
image:
repository: "jank.ing/jjgadgets/jjgadgets-error-page-ingress-nginx"
tag: "1.0.0-caddy-2.7.5@sha256:d3c928202a7496e8728b001120bb9e8319c7830a24c09aaecc1572aec7776a22"
env:
- AUTHENTIK_BACKEND: |
- https://authentik.authentik.svc.cluster.local:9443 {
- header_up Host ${APP_DNS_AUTHENTIK}
- }
+ AUTHENTIK_BACKEND: http://authentik.authentik.svc.cluster.local:9000
service:
main:
ports:
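Review bot: `AUTHENTIK_BACKEND` now points at `http://authentik.authentik.svc.cluster.local:9000`, so the error page's proxy exchange with authentik travels in plaintext inside the cluster; unless Cilium transparent encryption is enabled that exposes session cookies to anything able to observe the pod network, and the trade-off should be recorded next to the value, e.g. `# plaintext in-cluster; relies on node-to-node transparent encryption`. The removed Caddy snippet also forced `header_up Host ${APP_DNS_AUTHENTIK}`, whereas the replacement is a bare URL, so whichever Host the image's reverse proxy forwards — presumably the client's original request Host — now reaches authentik, and its host and CSRF checks should be verified to still accept that. How the custom image consumes the variable is not visible in this hunk, so the Host behaviour is inferred.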