From 6e932d1bdd04313a62e84fb6d72a5afb5d371523 Mon Sep 17 00:00:00 2001
From: xnoto <steven@makeitwork.cloud>
Date: Wed, 29 Apr 2026 21:34:17 -0600
Subject: [PATCH] chore(warp): allow WARP devices to authenticate to Access
 apps

Flip allow_authenticate_via_warp on the Zero Trust org. WARP-enrolled
machines now get a valid Access session for protected hostnames without
the browser OIDC redirect, so kubectl over k3s.makeitwork.cloud works
seamlessly on WARP. Off-WARP devices still authenticate via OIDC.
---
 cf-warp.tf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cf-warp.tf b/cf-warp.tf
index f87dc2b..0583a95 100644
--- a/cf-warp.tf
+++ b/cf-warp.tf
@@ -6,7 +6,10 @@ resource "cloudflare_zero_trust_organization" "main" {
   name        = "makeitworkcloud.cloudflareaccess.com"
   auth_domain = "makeitworkcloud.cloudflareaccess.com"
 
-  allow_authenticate_via_warp = false
+  # WARP-enrolled devices get a valid Access session automatically, so
+  # protected hostnames (e.g. k3s.makeitwork.cloud) work without the OIDC
+  # browser flow. Off-WARP devices still authenticate normally.
+  allow_authenticate_via_warp = true
   is_ui_read_only             = false
 }