Enable ingress basic auth for remote test contour.

Protect all public URLs via nginx basic auth; exempt Gitea API/registry/git paths for CI.

Co-authored-by: Cursor <cursoragent@cursor.com>
Valeriy Petrov
2026-06-10 03:25:26 +03:00
parent 7967df9b42
commit b0e527e970
12 changed files with 64 additions and 6 deletions
+9 -1
@@ -77,10 +77,18 @@ kind: Ingress
metadata: metadata:
name: adminpanel name: adminpanel
namespace: {{ .Values.namespace }} namespace: {{ .Values.namespace }}
{{- if .Values.ingress.tls.enabled }} {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
annotations: annotations:
{{- if .Values.ingress.tls.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }} cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
{{- end }}
{{- if .Values.ingress.basicAuth.enabled }}
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
{{- end }}
{{- end }} {{- end }}
spec: spec:
ingressClassName: {{ .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
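Review bot: `nginx.ingress.kubernetes.io/auth-skip-locations` is not an annotation I recognise from ingress-nginx, and the controller ignores annotation keys it does not know, so the `skipLocations` value may never take effect. If that is the case here, Basic auth is enforced on every path of the host, and the exemptions the commit message describes would have to come from somewhere else, such as the controller-wide `no-auth-locations` ConfigMap key or a separate Ingress without the auth annotations for the exempt paths. Please confirm against the controller version in use, for example by requesting an exempt path without credentials after deploy. The same annotation line is added in the backend, cabinet and docs Ingress templates.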
+2
@@ -4,6 +4,8 @@ ingress:
enabled: true enabled: true
clusterIssuer: letsencrypt-prod clusterIssuer: letsencrypt-prod
secretName: adminpanel-tls secretName: adminpanel-tls
basicAuth:
enabled: true
runtimeEnv: runtimeEnv:
API_BASE_URL: https://api.dev.sovamed.ru API_BASE_URL: https://api.dev.sovamed.ru
image: image:
+5
@@ -13,6 +13,11 @@ ingress:
enabled: true enabled: true
className: nginx className: nginx
host: admin.test.sova.local host: admin.test.sova.local
basicAuth:
enabled: false
secretName: contour-basic-auth
realm: "Sova Test Contour"
skipLocations: "/.well-known/acme-challenge"
runtimeEnv: runtimeEnv:
API_BASE_URL: http://api.test.sova.local API_BASE_URL: http://api.test.sova.local
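Review bot: `secretName: contour-basic-auth` names a Secret that none of the file sections on this page creates, so it has to exist beforehand in every namespace these charts deploy to. ingress-nginx resolves a bare `auth-secret` name in the Ingress's own namespace and, with the default `auth-file` secret type, expects the htpasswd content under the key `auth`; when the Secret is missing the controller typically answers 503 for the whole host. A comment above the block would record that, e.g. `# Secret must pre-exist in the release namespace; htpasswd data under key "auth"`. The same default block is added to the backend, cabinet and docs values files.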
+9 -1
@@ -193,10 +193,18 @@ kind: Ingress
metadata: metadata:
name: backend name: backend
namespace: {{ .Values.namespace }} namespace: {{ .Values.namespace }}
{{- if .Values.ingress.tls.enabled }} {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
annotations: annotations:
{{- if .Values.ingress.tls.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }} cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
{{- end }}
{{- if .Values.ingress.basicAuth.enabled }}
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
{{- end }}
{{- end }} {{- end }}
spec: spec:
ingressClassName: {{ .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
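Review bot: The widened outer condition `if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled` lets the auth annotations render while TLS is off, and Basic credentials are only base64-encoded, so on a plain-HTTP ingress they are readable to anyone on the network path. The backend default values on this page show `tls: false`, so turning on `basicAuth.enabled` there without also enabling TLS would hit exactly this case. Consider failing the render instead: `{{- if and .Values.ingress.basicAuth.enabled (not .Values.ingress.tls.enabled) }}{{ fail "ingress.basicAuth.enabled requires ingress.tls.enabled" }}{{- end }}`. The adminpanel, cabinet and docs templates carry the same condition.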
+2
@@ -4,6 +4,8 @@ ingress:
enabled: true enabled: true
clusterIssuer: letsencrypt-prod clusterIssuer: letsencrypt-prod
secretName: backend-tls secretName: backend-tls
basicAuth:
enabled: true
image: image:
tag: backend-v1.0.12-test tag: backend-v1.0.12-test
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
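Review bot: Enabling `basicAuth` on the API ingress puts nginx Basic auth on the same `Authorization` header that API clients commonly use for bearer tokens, and browsers send CORS preflight `OPTIONS` requests without credentials. How the backend authenticates is not visible here, so this is a question rather than a finding: if either applies, callers will receive 401 from nginx before the request reaches the application. It is worth confirming this before the contour is used, because the usual reaction to such breakage is to widen the exempt paths, which erodes the protection this commit adds.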
+5
@@ -17,6 +17,11 @@ ingress:
className: nginx className: nginx
host: api.test.sova.local host: api.test.sova.local
tls: false tls: false
basicAuth:
enabled: false
secretName: contour-basic-auth
realm: "Sova Test Contour"
skipLocations: "/.well-known/acme-challenge"
resources: resources:
php: php:
+9 -1
@@ -177,10 +177,18 @@ kind: Ingress
metadata: metadata:
name: cabinet name: cabinet
namespace: {{ .Values.namespace }} namespace: {{ .Values.namespace }}
{{- if .Values.ingress.tls.enabled }} {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
annotations: annotations:
{{- if .Values.ingress.tls.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }} cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
{{- end }}
{{- if .Values.ingress.basicAuth.enabled }}
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
{{- end }}
{{- end }} {{- end }}
spec: spec:
ingressClassName: {{ .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
+2
@@ -4,6 +4,8 @@ ingress:
enabled: true enabled: true
clusterIssuer: letsencrypt-prod clusterIssuer: letsencrypt-prod
secretName: cabinet-tls secretName: cabinet-tls
basicAuth:
enabled: true
image: image:
tag: cabinet-v1.0.12-test tag: cabinet-v1.0.12-test
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
+5 -1
@@ -16,7 +16,11 @@ ingress:
enabled: true enabled: true
className: nginx className: nginx
host: cabinet.test.sova.local host: cabinet.test.sova.local
basicAuth:
enabled: false
secretName: contour-basic-auth
realm: "Sova Test Contour"
skipLocations: "/.well-known/acme-challenge"
resources: resources:
php: php:
requests: requests:
+9 -1
@@ -47,10 +47,18 @@ kind: Ingress
metadata: metadata:
name: docs name: docs
namespace: {{ .Values.namespace }} namespace: {{ .Values.namespace }}
{{- if .Values.ingress.tls.enabled }} {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
annotations: annotations:
{{- if .Values.ingress.tls.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }} cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
{{- end }}
{{- if .Values.ingress.basicAuth.enabled }}
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
{{- end }}
{{- end }} {{- end }}
spec: spec:
ingressClassName: {{ .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
+2
@@ -4,6 +4,8 @@ ingress:
enabled: true enabled: true
clusterIssuer: letsencrypt-prod clusterIssuer: letsencrypt-prod
secretName: docs-tls secretName: docs-tls
basicAuth:
enabled: true
image: image:
tag: docs-v1.0.12-test tag: docs-v1.0.12-test
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
+5 -1
@@ -13,7 +13,11 @@ ingress:
enabled: true enabled: true
className: nginx className: nginx
host: docs.sova.local host: docs.sova.local
basicAuth:
enabled: false
secretName: contour-basic-auth
realm: "Sova Test Contour"
skipLocations: "/.well-known/acme-challenge"
resources: resources:
requests: requests:
cpu: 25m cpu: 25m