From 76073731460c0c08aa954bd1fb62d67a5f510e89 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sun, 22 Jun 2025 08:48:35 +0200
Subject: [PATCH] fix: use expose annotation rather than explicit whitelist
---
 values/headscale/values.yaml | 1 +
 values/keycloak/values/values-prod.yaml | 2 +-
 values/keycloak/values/values.yaml | 2 +-
 values/openfga/values/openfga-prod.yaml.gotmpl | 2 +-
 values/openfga/values/openfga-staging.yaml.gotmpl | 2 +-
 values/plume/values/plume-staging.yaml.gotmpl | 2 +-
 values/system/oceanbox/hubble-ui-ingress.yaml | 4 ++--
 7 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml
index febb24dc..74ddd360 100644
--- a/values/headscale/values.yaml
+++ b/values/headscale/values.yaml
@@ -223,6 +223,7 @@ configMaps:
 { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "dapr.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
diff --git a/values/keycloak/values/values-prod.yaml b/values/keycloak/values/values-prod.yaml
index e5bb0bfb..33bf5146 100644
--- a/values/keycloak/values/values-prod.yaml
+++ b/values/keycloak/values/values-prod.yaml
@@ -54,7 +54,7 @@ adminIngress:
 nginx.ingress.kubernetes.io/backend-protocol: HTTP
 nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ oceanbox.io/expose: internal
 hostname: keycloak.adm.oceanbox.io
 ingressClassName: nginx
 path: /
diff --git a/values/keycloak/values/values.yaml b/values/keycloak/values/values.yaml
index e462f37f..ff5f43e4 100644
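Review bot: On the Keycloak admin ingress in values-prod.yaml, `oceanbox.io/expose: internal` replaces a restriction that ingress-nginx enforces itself with an annotation outside the `nginx.ingress.kubernetes.io/` namespace, and nothing in this patch shows what component reads it. If that consumer is absent, lagging or skips an object, the ingress is served with no source restriction at all, so the failure mode is open rather than closed. The same swap is made in keycloak values.yaml, both openfga files and plume-staging. I would add a comment above each annotation, e.g. `# enforced by <component that reads oceanbox.io/expose>; without it this ingress has no source restriction`, and confirm that an admission check rejects these hosts when no enforced restriction results. The adminIngress block starts and ends outside the hunk.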
--- a/values/keycloak/values/values.yaml
+++ b/values/keycloak/values/values.yaml
@@ -49,7 +49,7 @@ adminIngress:
 nginx.ingress.kubernetes.io/backend-protocol: HTTP
 nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ oceanbox.io/expose: internal
 hostname: auth.adm.oceanbox.io
 ingressClassName: nginx
 path: /
diff --git a/values/openfga/values/openfga-prod.yaml.gotmpl b/values/openfga/values/openfga-prod.yaml.gotmpl
index 7117203d..5a49fcd0 100644
--- a/values/openfga/values/openfga-prod.yaml.gotmpl
+++ b/values/openfga/values/openfga-prod.yaml.gotmpl
@@ -29,7 +29,7 @@ ingress:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ oceanbox.io/expose: internal
 hosts:
 - host: openfga.srv.oceanbox.io
 paths:
diff --git a/values/openfga/values/openfga-staging.yaml.gotmpl b/values/openfga/values/openfga-staging.yaml.gotmpl
index cd104afc..15afe77b 100644
--- a/values/openfga/values/openfga-staging.yaml.gotmpl
+++ b/values/openfga/values/openfga-staging.yaml.gotmpl
@@ -29,7 +29,7 @@ ingress:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-production
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ oceanbox.io/expose: internal
 hosts:
 - host: openfga.dev.oceanbox.io
 paths:
diff --git a/values/plume/values/plume-staging.yaml.gotmpl b/values/plume/values/plume-staging.yaml.gotmpl
index 8712f588..a0c30063 100644
--- a/values/plume/values/plume-staging.yaml.gotmpl
+++ b/values/plume/values/plume-staging.yaml.gotmpl
@@ -5,7 +5,7 @@ ingress:
 cert-manager.io/cluster-issuer: letsencrypt-staging
 nginx.ingress.kubernetes.io/backend-protocol: HTTP
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ oceanbox.io/expose: internal
 hosts:
 - host: plume.ekman.oceanbox.io
 paths:
diff --git a/values/system/oceanbox/hubble-ui-ingress.yaml b/values/system/oceanbox/hubble-ui-ingress.yaml
index 650d0ae6..f99770e8 100644
--- a/values/system/oceanbox/hubble-ui-ingress.yaml
+++ b/values/system/oceanbox/hubble-ui-ingress.yaml
@@ -12,7 +12,7 @@ metadata:
 # nginx.ingress.kubernetes.io/server-snippet: |
 # client_header_buffer_size 100k;
 # large_client_header_buffers 4 100k;
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
+ oceanbox.io/expose: internal
 name: hubble-ui
 namespace: kube-system
 spec:
@@ -42,7 +42,7 @@ metadata:
 # nginx.ingress.kubernetes.io/server-snippet: |
 # client_header_buffer_size 100k;
 # large_client_header_buffers 4 100k;
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
+ oceanbox.io/expose: internal
 name: hubble-ui-oauth2-proxy
 namespace: kube-system
 spec:
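Review bot: In both hubble-ui-ingress.yaml hunks the removed allowlist held public sources as well as the RFC 1918 ranges (`128.39.100.131/32`, `158.36.88.98/32`, `158.36.21.21/32`, and `192.30.252.0/22` / `140.82.112.0/20`, which look like GitHub's published ranges), so `oceanbox.io/expose: internal` is not a like-for-like replacement here. Either those sources lose access to hubble-ui and its oauth2-proxy ingress, or `internal` has to admit public addresses; the patch shows neither, and the second reading would widen every other ingress that carries the annotation. The intent should be recorded next to the annotation, e.g. `# external ranges from the previous whitelist intentionally dropped`. Both metadata blocks start and end outside their hunks.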