fix: permit the Policy Reporter HTTPRoute to backend oauth2-proxy (SSO) #2461

Open: devantler wants to merge 1 commit into main from claude/fix-policy-reporter-referencegrant

@devantler

Contributor

Why

Policy Reporter (#2459) is deployed and all its pods are healthy, but the UI is unreachable in the browser: its HTTPRoute backends cross-namespace to the shared oauth2-proxy SSO Service, and the policy-reporter namespace was missing from the ReferenceGrant that permits that reference. Gateway API therefore denied the backend (ResolvedRefs=False / RefNotPermitted), so no traffic reaches the UI.

What

Adds the policy-reporter HTTPRoute to the allow-oauth2-proxy-backends ReferenceGrant, exactly like the other SSO-fronted UIs (coroot/opencost/longhorn). Once merged, the route resolves and policy-reporter.<domain> loads.

Notes

🤖 Generated with Claude Code

The Policy Reporter UI HTTPRoute (namespace policy-reporter) backends
cross-namespace to the oauth2-proxy Service, but the policy-reporter namespace
was missing from the allow-oauth2-proxy-backends ReferenceGrant. Gateway API
denied the reference (ResolvedRefs=False, RefNotPermitted), so the UI was
unreachable in the browser even though all pods were healthy. Add the
policy-reporter HTTPRoute to the grant's from list, matching the other
SSO-fronted UIs (coroot/opencost/longhorn).

Follow-up to #2459 (which merged without this grant entry).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 4, 2026


📝 Walkthrough

A Kubernetes ReferenceGrant manifest for oauth2-proxy is updated to add a new spec.from rule permitting HTTPRoute resources from the policy-reporter namespace to reference the oauth2-proxy backend. Comments note this behavior is prod-only and inert in local/CI environments where the policy-reporter HTTPRoute does not exist.

Changes

| Cohort / File | Change Summary |
| --- | --- |
| ReferenceGrant update — k8s/bases/infrastructure/controllers/oauth2-proxy/reference-grant.yaml | Added a spec.from entry allowing HTTPRoute cross-namespace access from policy-reporter namespace |

Sequence Diagram(s)

Not applicable — configuration-only change to a Kubernetes manifest.

Estimated code review effort: 1 (Low)

Related issues: None provided.

Related PRs: None provided.

Suggested labels: kubernetes, configuration, low-risk

Suggested reviewers: None provided.

🐰 A grant expands, a route slips through,
From policy-reporter's namespace, hello there too,
In prod it hums, in test it's still,
A quiet line upon the hill.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title clearly describes the main change: allowing Policy Reporter to reach oauth2-proxy via HTTPRoute. |
| Description check | ✅ Passed | The description matches the changeset and explains the ReferenceGrant fix and its effect on Policy Reporter access. |

@devantler devantler marked this pull request as ready for review July 4, 2026 16:58
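
The permission check behind the RefNotPermitted result discussed in this thread, as an added example that is not part of the pull request or the repository: a small Python model of how Gateway API evaluates a cross-namespace HTTPRoute backendRef against ReferenceGrants. The manifests are constructed, and the grant's namespace (`oauth2-proxy`), the route name and the port are assumptions.

```python
GATEWAY_GROUP = "gateway.networking.k8s.io"

def ref_permitted(route, backend_ref, grants):
    """True if the HTTPRoute may use backend_ref under ReferenceGrant rules."""
    src_ns = route["metadata"]["namespace"]
    dst_ns = backend_ref.get("namespace", src_ns)
    if dst_ns == src_ns:
        return True  # same-namespace references never need a grant
    group = backend_ref.get("group", "")  # "" is the core API group
    kind = backend_ref.get("kind", "Service")
    name = backend_ref["name"]
    for grant in grants:
        if grant["metadata"]["namespace"] != dst_ns:
            continue  # a grant only counts in the namespace being referenced
        from_ok = any(
            f["group"] == GATEWAY_GROUP and f["kind"] == "HTTPRoute"
            and f["namespace"] == src_ns
            for f in grant["spec"]["from"])
        to_ok = any(
            t["group"] == group and t["kind"] == kind
            and t.get("name", name) == name  # omitted name = any object of that kind
            for t in grant["spec"]["to"])
        if from_ok and to_ok:
            return True
    return False  # reported as ResolvedRefs=False, reason RefNotPermitted

def sso_grant(route_namespaces, grant_ns="oauth2-proxy"):
    """Constructed grant; grant_ns and the Service name are assumptions."""
    return {
        "metadata": {"name": "allow-oauth2-proxy-backends", "namespace": grant_ns},
        "spec": {
            "from": [{"group": GATEWAY_GROUP, "kind": "HTTPRoute", "namespace": ns}
                     for ns in route_namespaces],
            "to": [{"group": "", "kind": "Service", "name": "oauth2-proxy"}],
        },
    }

# Constructed sample input (route name and port are assumptions)
ROUTE = {"metadata": {"name": "policy-reporter", "namespace": "policy-reporter"}}
BACKEND = {"name": "oauth2-proxy", "namespace": "oauth2-proxy", "port": 80}
BEFORE = [sso_grant(["coroot", "opencost", "longhorn"])]
AFTER = [sso_grant(["coroot", "opencost", "longhorn", "policy-reporter"])]

if __name__ == "__main__":
    print("before:", ref_permitted(ROUTE, BACKEND, BEFORE))
    print("after: ", ref_permitted(ROUTE, BACKEND, AFTER))
```

Because the `to` entry in this sketch names the Service, adding a namespace to `from` exposes only that one backend to routes in that namespace, not every Service beside it.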