fix: permit the Policy Reporter HTTPRoute to backend oauth2-proxy (SSO)#2461
fix: permit the Policy Reporter HTTPRoute to backend oauth2-proxy (SSO)#2461devantler wants to merge 1 commit into
Conversation
The Policy Reporter UI HTTPRoute (namespace policy-reporter) backends cross-namespace to the oauth2-proxy Service, but the policy-reporter namespace was missing from the allow-oauth2-proxy-backends ReferenceGrant. Gateway API denied the reference (ResolvedRefs=False, RefNotPermitted), so the UI was unreachable in the browser even though all pods were healthy. Add the policy-reporter HTTPRoute to the grant's from list, matching the other SSO-fronted UIs (coroot/opencost/longhorn). Follow-up to #2459 (which merged without this grant entry). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📝 WalkthroughWalkthroughA Kubernetes ReferenceGrant manifest for oauth2-proxy is updated to add a new Changes
Sequence Diagram(s)Not applicable — configuration-only change to a Kubernetes manifest. Estimated code review effort: 1 (Low) Related issues: None provided. Related PRs: None provided. Suggested labels: kubernetes, configuration, low-risk Suggested reviewers: None provided. 🐰 A grant expands, a route slips through, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Comment |
Why
Policy Reporter (#2459) is deployed and all its pods are healthy, but the UI is unreachable in the browser: its HTTPRoute backends cross-namespace to the shared oauth2-proxy SSO Service, and the
policy-reporternamespace was missing from theReferenceGrantthat permits that reference. Gateway API therefore denied the backend (ResolvedRefs=False / RefNotPermitted), so no traffic reaches the UI.What
Adds the
policy-reporterHTTPRoute to theallow-oauth2-proxy-backendsReferenceGrant, exactly like the other SSO-fronted UIs (coroot/opencost/longhorn). Once merged, the route resolves andpolicy-reporter.<domain>loads.Notes
🤖 Generated with Claude Code