From cb733c92a059ce1e93d02ec29bcfcbd0ab2bf1cb Mon Sep 17 00:00:00 2001
From: Julia McGhee <julia.eloise@pm.me>
Date: Sat, 21 Mar 2026 16:02:24 +0000
Subject: [PATCH] Add internal-only middleware to Gitea IngressRoute

Restrict Gitea web UI to LAN access only, matching other
platform services. SSH NodePort (30022) is unaffected.
---
 infra/kubernetes/platform/traefik/ingressroute-gitea.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml b/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml
index 98e4d26..4e4451e 100644
--- a/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml
+++ b/infra/kubernetes/platform/traefik/ingressroute-gitea.yaml
@@ -11,6 +11,9 @@ spec:
   routes:
     - match: Host(`gitea.coreworlds.io`)
       kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
       services:
         - name: gitea-helm-http
           namespace: platform