Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 2acf886d9f |
@@ -0,0 +1,42 @@
|
||||
# Cloudflare Zero Trust Access — git.neuralplatform.ai (Gitea)
|
||||
#
|
||||
# The Gitea Access application itself is currently managed in the Cloudflare
|
||||
# dashboard, NOT in Terraform. This file only manages the *service token* the
|
||||
# Gitea Actions runners use to authenticate through CF Access while still
|
||||
# keeping the human Google-OAuth gate for browser users.
|
||||
#
|
||||
# Why not import the application here?
|
||||
# - Importing the existing dashboard app risks drifting the human-auth
|
||||
# policy (Google IdP, allowed emails) which is settled and working.
|
||||
# - Service tokens can be added to a dashboard-managed app without
|
||||
# importing the app itself; the token resource lives at the account
|
||||
# level and is referenced from a policy.
|
||||
# - We pay only the cost we need to. If we later want all Access apps
|
||||
# in TF we can do a focused import pass.
|
||||
#
|
||||
# After `terraform apply` produces the token id/secret, Will must:
|
||||
# 1. Run `vault kv put secret/gitea-runner-cf-access ...` (see outputs).
|
||||
# 2. In the Cloudflare dashboard, edit the existing "Gitea" Access
|
||||
# application's policies and add a new policy:
|
||||
# Action: Service Auth (decision = non_identity)
|
||||
# Include: Service Token = "gitea-runner"
|
||||
# This grants the service token bypass through CF Access on
|
||||
# git.neuralplatform.ai without changing the human-auth flow.
|
||||
|
||||
resource "cloudflare_zero_trust_access_service_token" "gitea_runner" {
|
||||
account_id = var.cloudflare_account_id
|
||||
name = "gitea-runner"
|
||||
# Default duration is "8760h" (1 year). Rotate via re-apply when needed.
|
||||
duration = "forever"
|
||||
}
|
||||
|
||||
output "gitea_runner_cf_access_client_id" {
|
||||
description = "CF Access service token client ID for the Gitea Actions runner. Store in Vault at secret/gitea-runner-cf-access."
|
||||
value = cloudflare_zero_trust_access_service_token.gitea_runner.client_id
|
||||
}
|
||||
|
||||
output "gitea_runner_cf_access_client_secret" {
|
||||
description = "CF Access service token client secret. Store in Vault at secret/gitea-runner-cf-access. Only emitted at creation time."
|
||||
value = cloudflare_zero_trust_access_service_token.gitea_runner.client_secret
|
||||
sensitive = true
|
||||
}
|
||||
@@ -117,32 +117,6 @@ spec:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: neuron-prod
|
||||
---
|
||||
# ── dharma: accept from Traefik (kube-system) and neuron-prod namespace ──────
|
||||
# The dharma pod was healthy and the IngressRoute was correct, but cross-
|
||||
# namespace ingress from kube-system (Traefik) was denied by default-deny-all,
|
||||
# so every external request landed at Traefik and bounced back as 502. This
|
||||
# allow rule mirrors `allow-mcp-ingress` and brings dharma into line with the
|
||||
# other neuron-prod services.
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-dharma-ingress
|
||||
namespace: neuron-prod
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: dharma
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: neuron-prod
|
||||
---
|
||||
# ── Egress: all prod pods may reach platform (postgres/redis), vault,
|
||||
# monitoring (alloy OTLP), kube-dns, and the internet (external APIs) ─
|
||||
apiVersion: networking.k8s.io/v1
|
||||
|
||||
Reference in New Issue
Block a user