From f29a8833decce3f58384c88b6716176323930ca4 Mon Sep 17 00:00:00 2001
From: Infrastructure Admin <admin@nge6.com>
Date: Wed, 8 Apr 2026 18:13:21 -0400
Subject: [PATCH] Add Pomerium passthrough for git HTTP protocol and Forgejo
 API

Allows git push/pull and Docker registry token exchange to bypass
Pomerium browser auth - Forgejo handles authentication natively
for these endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 pomerium-allinone.yaml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/pomerium-allinone.yaml b/pomerium-allinone.yaml
index f5b40e3..51a7149 100644
--- a/pomerium-allinone.yaml
+++ b/pomerium-allinone.yaml
@@ -83,7 +83,24 @@ spec:
               preserve_host_header: true
               allow_public_unauthenticated_access: true
 
-            # Forgejo Git - requires authentication
+            # Forgejo Git HTTP protocol (push/pull - Forgejo handles auth)
+            - from: https://git.nge6.com
+              to: http://forgejo-http.forgejo.svc.cluster.local:3000
+              regex: /.+/info/refs
+              preserve_host_header: true
+              allow_public_unauthenticated_access: true
+            - from: https://git.nge6.com
+              to: http://forgejo-http.forgejo.svc.cluster.local:3000
+              regex: /.+/git-upload-pack
+              preserve_host_header: true
+              allow_public_unauthenticated_access: true
+            - from: https://git.nge6.com
+              to: http://forgejo-http.forgejo.svc.cluster.local:3000
+              regex: /.+/git-receive-pack
+              preserve_host_header: true
+              allow_public_unauthenticated_access: true
+
+            # Forgejo Git web UI - requires authentication
             - from: https://git.nge6.com
               to: http://forgejo-http.forgejo.svc.cluster.local:3000
               preserve_host_header: true