From 4eecb8b373e5d355b164fa82768b4e9d6b390f42 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Sat, 4 Jul 2026 18:55:32 +0200
Subject: [PATCH] fix: permit the Policy Reporter HTTPRoute to backend oauth2-proxy (SSO)
The Policy Reporter UI HTTPRoute (namespace policy-reporter) backends cross-namespace to the oauth2-proxy Service, but the policy-reporter namespace was missing from the allow-oauth2-proxy-backends ReferenceGrant. Gateway API denied the reference (ResolvedRefs=False, RefNotPermitted), so the UI was unreachable in the browser even though all pods were healthy. Add the policy-reporter HTTPRoute to the grant's from list, matching the other SSO-fronted UIs (coroot/opencost/longhorn). Follow-up to #2459 (which merged without this grant entry).
Co-Authored-By: Claude Opus 4.8
---
 .../controllers/oauth2-proxy/reference-grant.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/k8s/bases/infrastructure/controllers/oauth2-proxy/reference-grant.yaml b/k8s/bases/infrastructure/controllers/oauth2-proxy/reference-grant.yaml
index eae1a0537..49a096dcf 100644
--- a/k8s/bases/infrastructure/controllers/oauth2-proxy/reference-grant.yaml
+++ b/k8s/bases/infrastructure/controllers/oauth2-proxy/reference-grant.yaml
@@ -21,6 +21,12 @@ spec:
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
 namespace: opencost
+ # The Policy Reporter UI HTTPRoute (policy-reporter) backends to the
+ # oauth2-proxy Service for SSO. Prod-only (the app ships only via the hetzner
+ # overlay); inert on local/CI where the policy-reporter namespace has no HTTPRoute.
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: policy-reporter
 # Hetzner-only: the Longhorn UI HTTPRoute (longhorn-system) backends to the
 # oauth2-proxy Service for SSO. Inert on local/CI where longhorn-system has
 # no HTTPRoute.
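Review bot: The new `from` entry for `namespace: policy-reporter` authorizes every HTTPRoute in that namespace, because a ReferenceGrant `from` clause has no per-route name field; what those routes can reach is decided by the `to` list, which lies outside this hunk. It is worth confirming that `to` pins the target with `name: <oauth2-proxy Service name>` rather than allowing every Service in the oauth2-proxy namespace. The file sits under `k8s/bases`, so the entry is also applied on local/CI, where the added comment says it is inert; there it pre-authorizes any HTTPRoute later created in a namespace of that name, so carrying the entry as a hetzner-overlay patch would keep the grant to the environment that needs it. If it stays in the base, the comment could open with `# Hetzner-only:` to match the Longhorn entry below it.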