fix: use expose annotation rather than explicit whitelist

values/headscale/values.yaml

@@ -223,6 +223,7 @@ configMaps:
            { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "dapr.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 
            { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },

values/keycloak/values/values-prod.yaml

@@ -54,7 +54,7 @@ adminIngress:
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    oceanbox.io/expose: internal
   hostname: keycloak.adm.oceanbox.io
   ingressClassName: nginx
   path: /

values/keycloak/values/values.yaml

@@ -49,7 +49,7 @@ adminIngress:
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    oceanbox.io/expose: internal
   hostname: auth.adm.oceanbox.io
   ingressClassName: nginx
   path: /

values/openfga/values/openfga-prod.yaml.gotmpl

@@ -29,7 +29,7 @@ ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    oceanbox.io/expose: internal
   hosts:
     - host: openfga.srv.oceanbox.io
       paths:

values/openfga/values/openfga-staging.yaml.gotmpl

@@ -29,7 +29,7 @@ ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    oceanbox.io/expose: internal
   hosts:
     - host: openfga.dev.oceanbox.io
       paths:

values/plume/values/plume-staging.yaml.gotmpl

@@ -5,7 +5,7 @@ ingress:
     cert-manager.io/cluster-issuer: letsencrypt-staging
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    oceanbox.io/expose: internal
   hosts:
     - host: plume.ekman.oceanbox.io
       paths:

values/system/oceanbox/hubble-ui-ingress.yaml

@@ -12,7 +12,7 @@ metadata:
     # nginx.ingress.kubernetes.io/server-snippet: |
     #   client_header_buffer_size 100k;
     #   large_client_header_buffers 4 100k;
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
+    oceanbox.io/expose: internal
   name: hubble-ui
   namespace: kube-system
 spec:
@@ -42,7 +42,7 @@ metadata:
     # nginx.ingress.kubernetes.io/server-snippet: |
     #   client_header_buffer_size 100k;
     #   large_client_header_buffers 4 100k;
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,128.39.100.131/32,158.36.88.98/32,158.36.21.21/32,192.30.252.0/22,140.82.112.0/20
+    oceanbox.io/expose: internal
   name: hubble-ui-oauth2-proxy
   namespace: kube-system
 spec: