Enable ingress basic auth for remote test contour.

Protect all public URLs via nginx basic auth; exempt Gitea API/registry/git paths for CI. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-10 03:25:26 +03:00
parent 7967df9b42
commit b0e527e970
12 changed files with 64 additions and 6 deletions
@@ -47,10 +47,18 @@ kind: Ingress
 metadata:
  name: docs
  namespace: {{ .Values.namespace }}
-  {{- if .Values.ingress.tls.enabled }}
+  {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
  annotations:
+    {{- if .Values.ingress.tls.enabled }}
    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+    {{- if .Values.ingress.basicAuth.enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+    nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+    {{- end }}
  {{- end }}
 spec:
  ingressClassName: {{ .Values.ingress.className }}
@@ -4,6 +4,8 @@ ingress:
    enabled: true
    clusterIssuer: letsencrypt-prod
    secretName: docs-tls
+  basicAuth:
+    enabled: true
 image:
  tag: docs-v1.0.12-test
  pullPolicy: IfNotPresent
@@ -13,7 +13,11 @@ ingress:
  enabled: true
  className: nginx
  host: docs.sova.local
-
+  basicAuth:
+    enabled: false
+    secretName: contour-basic-auth
+    realm: "Sova Test Contour"
+    skipLocations: "/.well-known/acme-challenge"
 resources:
  requests:
    cpu: 25m