Enable ingress basic auth for remote test contour.

Protect all public URLs via nginx basic auth; exempt Gitea API/registry/git paths for CI.

Co-authored-by: Cursor <cursoragent@cursor.com>

apps/cabinet/templates/all.yaml

@@ -177,10 +177,18 @@ kind: Ingress
 metadata:
   name: cabinet
   namespace: {{ .Values.namespace }}
-  {{- if .Values.ingress.tls.enabled }}
+  {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
   annotations:
+    {{- if .Values.ingress.tls.enabled }}
     cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+    {{- if .Values.ingress.basicAuth.enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+    nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+    {{- end }}
   {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}

apps/cabinet/values-test.yaml

@@ -4,6 +4,8 @@ ingress:
     enabled: true
     clusterIssuer: letsencrypt-prod
     secretName: cabinet-tls
+  basicAuth:
+    enabled: true
 image:
   tag: cabinet-v1.0.12-test
   pullPolicy: IfNotPresent

apps/cabinet/values.yaml

@@ -16,7 +16,11 @@ ingress:
   enabled: true
   className: nginx
   host: cabinet.test.sova.local
-
+  basicAuth:
+    enabled: false
+    secretName: contour-basic-auth
+    realm: "Sova Test Contour"
+    skipLocations: "/.well-known/acme-challenge"
 resources:
   php:
     requests: