feat(adguard/beelink): add API IngressRoute without Authentik for Homepage widget #1788
Open
ixxeL2097 wants to merge 2 commits into
…epage widget

Homepage runs on genmachine and cannot use k0s internal service URLs (different clusters). The external URL adguard.k0s-fullstack.fredcorp.com is behind Authentik forwardAuth which returns the login HTML page instead of AdGuard JSON stats.

Solution: dedicated IngressRoute on adguard-api.k0s-fullstack.fredcorp.com without Authentik middleware. AdGuard's own basic auth handles access control.

DNS wildcard *.k0s-fullstack.fredcorp.com -> 192.168.1.191 already covers the new hostname (no DNS change needed).

- adguard/beelink/templates/ingressroute-homepage.yaml: Certificate + IngressRoute for adguard-api.k0s-fullstack.fredcorp.com routing to adguard-adguard-home-http:80 with no middlewares
- homepage config: widget url -> adguard-api.k0s-fullstack.fredcorp.com

Pre-requisite: sa-homepage user must exist in beelink AdGuard with the password stored at Vault adguard/creds (same as genmachine AdGuard).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…API endpoint

IngressRoute (Traefik CRD) was inconsistent with the existing beelink AdGuard pattern which uses standard Kubernetes Ingress objects.

Standard Ingress with cert-manager annotations is simpler: no separate Certificate resource needed, cert-manager handles TLS automatically, one resource instead of two.

No Authentik middleware annotation = no Authentik interception. AdGuard basic auth remains the access control layer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Problem
Homepage runs on genmachine and requests AdGuard stats from the beelink k0s cluster. The external URL adguard.k0s-fullstack.fredcorp.com is behind the Authentik forwardAuth middleware — the widget receives the Authentik HTML login page instead of AdGuard JSON:

Cross-cluster internal service URLs (adguard-adguard-home-http.adguard.svc.cluster.local) are not reachable from genmachine — different clusters, different Kubernetes networks.

Solution
New hostname adguard-api.k0s-fullstack.fredcorp.com with a dedicated IngressRoute that has no Authentik middleware. AdGuard's own HTTP basic auth handles access control (sa-homepage / password from Vault adguard/creds).

DNS
The wildcard rewrite *.k0s-fullstack.fredcorp.com → 192.168.1.191 (beelink Traefik LoadBalancer IP) already exists in both AdGuard instances (beelink and genmachine). No DNS changes required.

Changes
adguard/beelink/templates/ingressroute-homepage.yaml: adguard-api.k0s-fullstack.fredcorp.com, no middlewares
homepage/genmachine/templates/config.yaml: adguard.k0s-fullstack.fredcorp.com → adguard-api.k0s-fullstack.fredcorp.com

Pre-requisite
sa-homepage user must exist in beelink AdGuard (Settings → Users) with the password stored at Vault adguard/creds (same secret used by the genmachine AdGuard widget).

🤖 Generated with Claude Code
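
An added example, not part of the pull request or the project's code: a Python check for the two failure modes this change trades between, the Authentik login page arriving where the widget expects JSON, and the API answering without credentials once forwardAuth is out of the path. The function names, the 401/403 expectation for an unauthenticated request, and the sample responses are assumptions constructed for illustration.

```python
import json

def classify(status, headers, body):
    """Label one HTTP response (hypothetical helper; header keys lowercase)."""
    ctype = headers.get("content-type", "").lower()
    if status in (401, 403):
        return "auth_required"   # backend or proxy refused the request
    if 300 <= status < 400:
        return "redirect"        # typical of a forwardAuth login redirect
    if status == 200 and "json" in ctype:
        try:
            json.loads(body)
            return "json"
        except ValueError:
            return "invalid"     # claims JSON but does not parse
    if status == 200 and "html" in ctype:
        return "html"            # login page served in place of the API
    return "invalid"

def audit_route(unauth, authed):
    """Findings for a route probed without and with basic auth.

    Each argument is a (status, headers, body) tuple.
    """
    findings = []
    u, a = classify(*unauth), classify(*authed)
    if u == "json":
        findings.append("FAIL: API answers without credentials")
    elif u != "auth_required":
        findings.append("WARN: unauthenticated probe got %s, expected 401/403" % u)
    if a in ("html", "redirect"):
        findings.append("FAIL: authenticated probe got a login page, forwardAuth still in path")
    elif a != "json":
        findings.append("FAIL: authenticated probe got %s, expected JSON" % a)
    return findings or ["OK"]

# Constructed sample responses (not captured from the real hosts).
LOGIN_HTML = (200, {"content-type": "text/html; charset=utf-8"}, "<html><title>Login</title></html>")
STATS_JSON = (200, {"content-type": "application/json"}, '{"num_dns_queries": 1234}')
DENIED = (401, {"content-type": "text/plain"}, "Unauthorized")

if __name__ == "__main__":
    print("behind forwardAuth:", audit_route(LOGIN_HTML, LOGIN_HTML))
    print("bypass route, basic auth on:", audit_route(DENIED, STATS_JSON))
    print("bypass route, auth disabled:", audit_route(STATS_JSON, STATS_JSON))
```

The third case is the one to watch after merging: with no Authentik middleware on the new hostname, a JSON answer to an unauthenticated request means nothing is gating the API.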