From b0e527e970dc652a61ef35dc35f27cc9fb5f5f4b Mon Sep 17 00:00:00 2001
From: Valeriy Petrov
Date: Wed, 10 Jun 2026 03:25:26 +0300
Subject: [PATCH] Enable ingress basic auth for remote test contour. Protect all public URLs via nginx basic auth; exempt Gitea API/registry/git paths for CI.
Co-authored-by: Cursor
---
 apps/adminpanel/templates/all.yaml | 10 +++++++++-
 apps/adminpanel/values-test.yaml | 2 ++
 apps/adminpanel/values.yaml | 5 +++++
 apps/backend/templates/all.yaml | 10 +++++++++-
 apps/backend/values-test.yaml | 2 ++
 apps/backend/values.yaml | 5 +++++
 apps/cabinet/templates/all.yaml | 10 +++++++++-
 apps/cabinet/values-test.yaml | 2 ++
 apps/cabinet/values.yaml | 6 +++++-
 apps/docs/templates/all.yaml | 10 +++++++++-
 apps/docs/values-test.yaml | 2 ++
 apps/docs/values.yaml | 6 +++++-
 12 files changed, 64 insertions(+), 6 deletions(-)
diff --git a/apps/adminpanel/templates/all.yaml b/apps/adminpanel/templates/all.yaml
index 0263d72..b8fb895 100644
--- a/apps/adminpanel/templates/all.yaml
+++ b/apps/adminpanel/templates/all.yaml
@@ -77,10 +77,18 @@ kind: Ingress
 metadata:
 name: adminpanel
 namespace: {{ .Values.namespace }}
- {{- if .Values.ingress.tls.enabled }}
+ {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
 annotations:
+ {{- if .Values.ingress.tls.enabled }}
 cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ {{- end }}
+ {{- if .Values.ingress.basicAuth.enabled }}
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+ nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+ nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
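Review bot: `nginx.ingress.kubernetes.io/auth-skip-locations` does not appear among the auth annotations ingress-nginx documents, as far as I can tell, and the controller ignores annotations it does not recognise, so the exemption this hunk (and the identical ones in the backend, cabinet and docs templates) relies on probably never takes effect. The nearest documented setting I know of is the controller ConfigMap key `no-auth-locations`, which applies to global external auth rather than per-Ingress basic auth. If the aim is only to keep HTTP-01 issuance working, confirm whether cert-manager serves the challenge from its own solver Ingress in this cluster, then drop the annotation or move the exempt paths to a separate unauthenticated Ingress. The commit message also mentions Gitea API/registry/git exemptions, but the only value supplied anywhere in this patch is `/.well-known/acme-challenge`.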
diff --git a/apps/adminpanel/values-test.yaml b/apps/adminpanel/values-test.yaml
index 3fd0a16..01e8e25 100644
--- a/apps/adminpanel/values-test.yaml
+++ b/apps/adminpanel/values-test.yaml
@@ -4,6 +4,8 @@ ingress:
 enabled: true
 clusterIssuer: letsencrypt-prod
 secretName: adminpanel-tls
+ basicAuth:
+ enabled: true
 runtimeEnv:
 API_BASE_URL: https://api.dev.sovamed.ru
 image:
diff --git a/apps/adminpanel/values.yaml b/apps/adminpanel/values.yaml
index 1afde8f..21549ba 100644
--- a/apps/adminpanel/values.yaml
+++ b/apps/adminpanel/values.yaml
@@ -13,6 +13,11 @@ ingress:
 enabled: true
 className: nginx
 host: admin.test.sova.local
+ basicAuth:
+ enabled: false
+ secretName: contour-basic-auth
+ realm: "Sova Test Contour"
+ skipLocations: "/.well-known/acme-challenge"
 runtimeEnv:
 API_BASE_URL: http://api.test.sova.local
diff --git a/apps/backend/templates/all.yaml b/apps/backend/templates/all.yaml
index 81fd9c3..69fb2e5 100644
--- a/apps/backend/templates/all.yaml
+++ b/apps/backend/templates/all.yaml
@@ -193,10 +193,18 @@ kind: Ingress
 metadata:
 name: backend
 namespace: {{ .Values.namespace }}
- {{- if .Values.ingress.tls.enabled }}
+ {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
 annotations:
+ {{- if .Values.ingress.tls.enabled }}
 cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ {{- end }}
+ {{- if .Values.ingress.basicAuth.enabled }}
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+ nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+ nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
diff --git a/apps/backend/values-test.yaml b/apps/backend/values-test.yaml
index 62d9a1c..c02c805 100644
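Review bot: The `secretName: contour-basic-auth` default in apps/adminpanel/values.yaml names a Secret that nothing in this patch creates, and ingress-nginx resolves a bare `auth-secret` name in the Ingress's own namespace. Each chart renders its Ingress into `.Values.namespace`, so the htpasswd Secret has to exist in every one of those namespaces before `basicAuth.enabled` is switched on; if it is missing, the protected host will most likely answer with an error rather than the application. I would document that next to the default, e.g. `# Secret must already exist in this release's namespace (htpasswd content under key "auth"); create it out of band, never commit it`. The same default appears in the backend, cabinet and docs values.yaml.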
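Review bot: The outer `or` in apps/backend/templates/all.yaml lets the basic-auth annotations render while `ingress.tls.enabled` is false, in which case the username and password travel base64-encoded over plain HTTP and no `ssl-redirect` is set. The defaults shown keep `basicAuth.enabled` off and the test overlays appear to enable TLS alongside it, so this guards against a future overlay rather than a live exposure. A render-time check would make the dependency explicit: `{{- if and .Values.ingress.basicAuth.enabled (not .Values.ingress.tls.enabled) }}{{ fail "ingress.basicAuth requires ingress.tls.enabled" }}{{- end }}`. The same applies to the adminpanel, cabinet and docs templates; the Ingress definition continues outside the hunk.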
--- a/apps/backend/values-test.yaml
+++ b/apps/backend/values-test.yaml
@@ -4,6 +4,8 @@ ingress:
 enabled: true
 clusterIssuer: letsencrypt-prod
 secretName: backend-tls
+ basicAuth:
+ enabled: true
 image:
 tag: backend-v1.0.12-test
 pullPolicy: IfNotPresent
diff --git a/apps/backend/values.yaml b/apps/backend/values.yaml
index c7ea392..1a44a2b 100644
--- a/apps/backend/values.yaml
+++ b/apps/backend/values.yaml
@@ -17,6 +17,11 @@ ingress:
 className: nginx
 host: api.test.sova.local
 tls: false
+ basicAuth:
+ enabled: false
+ secretName: contour-basic-auth
+ realm: "Sova Test Contour"
+ skipLocations: "/.well-known/acme-challenge"
 resources:
 php:
diff --git a/apps/cabinet/templates/all.yaml b/apps/cabinet/templates/all.yaml
index ffad6ea..668439a 100644
--- a/apps/cabinet/templates/all.yaml
+++ b/apps/cabinet/templates/all.yaml
@@ -177,10 +177,18 @@ kind: Ingress
 metadata:
 name: cabinet
 namespace: {{ .Values.namespace }}
- {{- if .Values.ingress.tls.enabled }}
+ {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
 annotations:
+ {{- if .Values.ingress.tls.enabled }}
 cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ {{- end }}
+ {{- if .Values.ingress.basicAuth.enabled }}
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+ nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+ nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
diff --git a/apps/cabinet/values-test.yaml b/apps/cabinet/values-test.yaml
index 53d71ce..6d36c9f 100644
--- a/apps/cabinet/values-test.yaml
+++ b/apps/cabinet/values-test.yaml
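Review bot: Enabling `basicAuth` for the API host in apps/backend/values-test.yaml affects browser clients differently from the static front ends, and the patch does not account for that. The adminpanel overlay points `API_BASE_URL` at a separate origin (`https://api.dev.sovamed.ru`), so cross-origin calls send a CORS preflight without credentials, which nginx would likely answer with 401; and if the API already uses the `Authorization` header for its own tokens, that header cannot carry Basic credentials at the same time. Neither the front-end code nor the API's auth scheme is visible here, so both should be verified before this overlay is relied on, with the outcome recorded in a comment above `basicAuth:` in this file.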
@@ -4,6 +4,8 @@ ingress:
 enabled: true
 clusterIssuer: letsencrypt-prod
 secretName: cabinet-tls
+ basicAuth:
+ enabled: true
 image:
 tag: cabinet-v1.0.12-test
 pullPolicy: IfNotPresent
diff --git a/apps/cabinet/values.yaml b/apps/cabinet/values.yaml
index cbf638e..0ba6988 100644
--- a/apps/cabinet/values.yaml
+++ b/apps/cabinet/values.yaml
@@ -16,7 +16,11 @@ ingress:
 enabled: true
 className: nginx
 host: cabinet.test.sova.local
-
+ basicAuth:
+ enabled: false
+ secretName: contour-basic-auth
+ realm: "Sova Test Contour"
+ skipLocations: "/.well-known/acme-challenge"
 resources:
 php:
 requests:
diff --git a/apps/docs/templates/all.yaml b/apps/docs/templates/all.yaml
index baf3ca7..4f088f0 100644
--- a/apps/docs/templates/all.yaml
+++ b/apps/docs/templates/all.yaml
@@ -47,10 +47,18 @@ kind: Ingress
 metadata:
 name: docs
 namespace: {{ .Values.namespace }}
- {{- if .Values.ingress.tls.enabled }}
+ {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
 annotations:
+ {{- if .Values.ingress.tls.enabled }}
 cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ {{- end }}
+ {{- if .Values.ingress.basicAuth.enabled }}
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+ nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+ nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: {{ .Values.ingress.className }}
diff --git a/apps/docs/values-test.yaml b/apps/docs/values-test.yaml
index 981b0a8..da0755a 100644
--- a/apps/docs/values-test.yaml
+++ b/apps/docs/values-test.yaml
@@ -4,6 +4,8 @@ ingress:
 enabled: true
 clusterIssuer: letsencrypt-prod
 secretName: docs-tls
+ basicAuth:
+ enabled: true
 image:
 tag: docs-v1.0.12-test
 pullPolicy: IfNotPresent
diff --git a/apps/docs/values.yaml b/apps/docs/values.yaml
index 27c867b..9c4839f 100644
--- a/apps/docs/values.yaml
+++ b/apps/docs/values.yaml
@@ -13,7 +13,11 @@ ingress:
 enabled: true
 className: nginx
 host: docs.sova.local
-
+ basicAuth:
+ enabled: false
+ secretName: contour-basic-auth
+ realm: "Sova Test Contour"
+ skipLocations: "/.well-known/acme-challenge"
 resources:
 requests:
 cpu: 25m