chore(docs): bump test to docs-v1.0.15-test

Protect all public URLs via nginx basic auth; exempt Gitea API/registry/git paths for CI.

Co-authored-by: Cursor <cursoragent@cursor.com>

apps/adminpanel/templates/all.yaml

@@ -77,8 +77,27 @@ kind: Ingress
 metadata:
   name: adminpanel
   namespace: {{ .Values.namespace }}
+  {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
+  annotations:
+    {{- if .Values.ingress.tls.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+    {{- if .Values.ingress.basicAuth.enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+    nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+    {{- end }}
+  {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
     - host: {{ .Values.ingress.host }}
       http:

apps/adminpanel/values-test.yaml

@@ -1,9 +1,15 @@
 ingress:
   host: adm.dev.sovamed.ru
-env:
+  tls:
+    enabled: true
+    clusterIssuer: letsencrypt-prod
+    secretName: adminpanel-tls
+  basicAuth:
+    enabled: true
+runtimeEnv:
   API_BASE_URL: https://api.dev.sovamed.ru
 image:
-  tag: adminpanel-v1.0.10-test
+  tag: adminpanel-v1.0.12-test
   pullPolicy: IfNotPresent
   repository: git.sova.local/sova/adminpanel
 imagePullSecrets:

apps/adminpanel/values.yaml

@@ -13,6 +13,11 @@ ingress:
   enabled: true
   className: nginx
   host: admin.test.sova.local
+  basicAuth:
+    enabled: false
+    secretName: contour-basic-auth
+    realm: "Sova Test Contour"
+    skipLocations: "/.well-known/acme-challenge"
 
 runtimeEnv:
   API_BASE_URL: http://api.test.sova.local

apps/backend/templates/all.yaml

@@ -193,8 +193,27 @@ kind: Ingress
 metadata:
   name: backend
   namespace: {{ .Values.namespace }}
+  {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
+  annotations:
+    {{- if .Values.ingress.tls.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+    {{- if .Values.ingress.basicAuth.enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+    nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+    {{- end }}
+  {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
     - host: {{ .Values.ingress.host }}
       http:

apps/backend/values-test.yaml

@@ -1,7 +1,13 @@
 ingress:
   host: api.dev.sovamed.ru
+  tls:
+    enabled: true
+    clusterIssuer: letsencrypt-prod
+    secretName: backend-tls
+  basicAuth:
+    enabled: true
 image:
-  tag: backend-v1.0.10-test
+  tag: backend-v1.0.12-test
   pullPolicy: IfNotPresent
   repository: git.sova.local/sova/backend
 imagePullSecrets:

apps/backend/values.yaml

@@ -17,6 +17,11 @@ ingress:
   className: nginx
   host: api.test.sova.local
   tls: false
+  basicAuth:
+    enabled: false
+    secretName: contour-basic-auth
+    realm: "Sova Test Contour"
+    skipLocations: "/.well-known/acme-challenge"
 
 resources:
   php:
@@ -50,13 +55,13 @@ env:
   CORS_ALLOW_ORIGIN: "['http://admin.test.sova.local','https://admin.test.sova.local']"
 
 secrets:
-  APP_SECRET: change-me-test-secret
+  APP_SECRET: In-brrZjIpzgCNAMq_CqBv-1VxOiS7h_1gDAUd7OkpI
-  DATABASE_URL: postgresql://sova_test:sova_test_pass@postgresql-test.sova-data-test.svc.cluster.local:5432/sova_backend_test?serverVersion=16&charset=utf8
+  DATABASE_URL: postgresql://sova_test:c%%25EDQxAr91khfvhle3CV4Mxg@postgresql-test.sova-data-test.svc.cluster.local:5432/sova_backend_test?serverVersion=16&charset=utf8
-  DATABASE_CABINET_URL: postgresql://sova_test:sova_test_pass@postgresql-test.sova-data-test.svc.cluster.local:5432/sova_cabinet_test?serverVersion=16&charset=utf8
+  DATABASE_CABINET_URL: postgresql://sova_test:c%%25EDQxAr91khfvhle3CV4Mxg@postgresql-test.sova-data-test.svc.cluster.local:5432/sova_cabinet_test?serverVersion=16&charset=utf8
-  DATABASE_BITRIX_URL: mysql://bitrix_test:bitrix_test_pass@mysql-bitrix-test.sova-data-test.svc.cluster.local:3306/sova_bitrix_test?serverVersion=8.0
+  DATABASE_BITRIX_URL: mysql://bitrix_test:xEpMvDAaCb%%21U1U%%2AwBOg8GAk%%2B@mysql-bitrix-test.sova-data-test.svc.cluster.local:3306/sova_bitrix_test?serverVersion=8.0
-  REDIS_URL: redis://:redis_test_pass@redis-test-master.sova-data-test.svc.cluster.local:6379/0
+  REDIS_URL: redis://:u96%%3Dbi6a%%21weD6xW3n%%23GGZQTZ@redis-test-master.sova-data-test.svc.cluster.local:6379/0
   JWT_PASSPHRASE: ""
-  AES_SECRET_KEY: test-aes-secret-key-32bytes-min!!
+  AES_SECRET_KEY: o*HTus#3tw^%#sT*z_ZvY#!Uf46AFXRg
   MAILER_ACCESS_TOKEN: test-mailer-token
   SMSRU_URL: http://noop.invalid
   SMSRU_TOKEN: noop

apps/cabinet/templates/all.yaml

@@ -177,8 +177,27 @@ kind: Ingress
 metadata:
   name: cabinet
   namespace: {{ .Values.namespace }}
+  {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
+  annotations:
+    {{- if .Values.ingress.tls.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+    {{- if .Values.ingress.basicAuth.enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+    nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+    {{- end }}
+  {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
     - host: {{ .Values.ingress.host }}
       http:

apps/cabinet/values-test.yaml

@@ -1,7 +1,13 @@
 ingress:
   host: cabinet.dev.sovamed.ru
+  tls:
+    enabled: true
+    clusterIssuer: letsencrypt-prod
+    secretName: cabinet-tls
+  basicAuth:
+    enabled: true
 image:
-  tag: cabinet-v1.0.10-test
+  tag: cabinet-v1.0.12-test
   pullPolicy: IfNotPresent
   repository: git.sova.local/sova/cabinet
 imagePullSecrets:

apps/cabinet/values.yaml

@@ -16,7 +16,11 @@ ingress:
   enabled: true
   className: nginx
   host: cabinet.test.sova.local
-
+  basicAuth:
+    enabled: false
+    secretName: contour-basic-auth
+    realm: "Sova Test Contour"
+    skipLocations: "/.well-known/acme-challenge"
 resources:
   php:
     requests:
@@ -44,10 +48,10 @@ env:
   CORS_ALLOW_ORIGIN: "^https?://(cabinet\\.test\\.sova\\.local|localhost)(:[0-9]+)?$"
 
 secrets:
-  APP_SECRET: change-me-cabinet-test-secret
+  APP_SECRET: sUkQq2K4-57_woq1NgLTuApbRZNGayc41QY3j5CI1Y4
-  DATABASE_URL: postgresql://sova_test:sova_test_pass@postgresql-test.sova-data-test.svc.cluster.local:5432/sova_cabinet_test?serverVersion=16&charset=utf8
+  DATABASE_URL: postgresql://sova_test:c%%25EDQxAr91khfvhle3CV4Mxg@postgresql-test.sova-data-test.svc.cluster.local:5432/sova_cabinet_test?serverVersion=16&charset=utf8
-  DATABASE_BITRIX_URL: mysql://bitrix_test:bitrix_test_pass@mysql-bitrix-test.sova-data-test.svc.cluster.local:3306/sova_bitrix_test?serverVersion=8.0
+  DATABASE_BITRIX_URL: mysql://bitrix_test:xEpMvDAaCb%%21U1U%%2AwBOg8GAk%%2B@mysql-bitrix-test.sova-data-test.svc.cluster.local:3306/sova_bitrix_test?serverVersion=8.0
-  REDIS_URL: redis://:redis_test_pass@redis-test-master.sova-data-test.svc.cluster.local:6379/1
+  REDIS_URL: redis://:u96%%3Dbi6a%%21weD6xW3n%%23GGZQTZ@redis-test-master.sova-data-test.svc.cluster.local:6379/1
   MAILER_DSN: smtp://mailpit.sova-mocks.svc.cluster.local:1025
   SMSRU_KEY_API: noop
   SMSRU_FROM_SOVAMED: noop

apps/docs/templates/all.yaml

@@ -47,8 +47,27 @@ kind: Ingress
 metadata:
   name: docs
   namespace: {{ .Values.namespace }}
+  {{- if or .Values.ingress.tls.enabled .Values.ingress.basicAuth.enabled }}
+  annotations:
+    {{- if .Values.ingress.tls.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.clusterIssuer | quote }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    {{- end }}
+    {{- if .Values.ingress.basicAuth.enabled }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.basicAuth.secretName | quote }}
+    nginx.ingress.kubernetes.io/auth-realm: {{ .Values.ingress.basicAuth.realm | quote }}
+    nginx.ingress.kubernetes.io/auth-skip-locations: {{ .Values.ingress.basicAuth.skipLocations | quote }}
+    {{- end }}
+  {{- end }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
   rules:
     - host: {{ .Values.ingress.host }}
       http:

apps/docs/values-test.yaml

@@ -1,7 +1,13 @@
 ingress:
   host: docs.dev.sovamed.ru
+  tls:
+    enabled: true
+    clusterIssuer: letsencrypt-prod
+    secretName: docs-tls
+  basicAuth:
+    enabled: true
 image:
-  tag: docs-v1.0.10-test
+  tag: docs-v1.0.15-test
   pullPolicy: IfNotPresent
   repository: git.sova.local/sova/docs
 imagePullSecrets:

apps/docs/values.yaml

@@ -13,7 +13,11 @@ ingress:
   enabled: true
   className: nginx
   host: docs.sova.local
-
+  basicAuth:
+    enabled: false
+    secretName: contour-basic-auth
+    realm: "Sova Test Contour"
+    skipLocations: "/.well-known/acme-challenge"
 resources:
   requests:
     cpu: 25m

argocd/apps-local/redmine-test.yaml

@@ -1,3 +1,4 @@
+# Только для локальной фермы (Multipass). На удалённом test — не применять.
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:

data/db-init/values.yaml

@@ -3,10 +3,10 @@ namespace: sova-data-test
 postgres:
   host: postgresql-test.sova-data-test.svc.cluster.local
   user: sova_test
-  password: sova_test_pass
+  password: c%EDQxAr91khfvhle3CV4Mxg
 
 mysql:
   host: mysql-bitrix-test.sova-data-test.svc.cluster.local
   user: bitrix_test
-  password: bitrix_test_pass
+  password: xEpMvDAaCb!U1U*wBOg8GAk+
   database: sova_bitrix_test

data/test/sql/postgres/schema/01-create-databases.sql

@@ -1,4 +1,2 @@
 SELECT 'CREATE DATABASE sova_cabinet_test OWNER sova_test'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'sova_cabinet_test')\gexec
-SELECT 'CREATE DATABASE redmine_test OWNER sova_test'
-WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'redmine_test')\gexec

data/test/values.yaml

@@ -5,7 +5,7 @@ postgresql:
   fullnameOverride: postgresql-test
   auth:
     username: sova_test
-    password: sova_test_pass
+    password: c%EDQxAr91khfvhle3CV4Mxg
     database: sova_backend_test
   primary:
     persistence:
@@ -28,9 +28,9 @@ mysql:
   enabled: true
   fullnameOverride: mysql-bitrix-test
   auth:
-    rootPassword: bitrix_root_test
+    rootPassword: NTv$fys*Y$m1sKcH+@F^^77F
     username: bitrix_test
-    password: bitrix_test_pass
+    password: xEpMvDAaCb!U1U*wBOg8GAk+
     database: sova_bitrix_test
   primary:
     persistence:
@@ -46,7 +46,7 @@ redis:
   enabled: true
   fullnameOverride: redis-test
   auth:
-    password: redis_test_pass
+    password: u96=bi6a!weD6xW3n#GGZQTZ
   master:
     persistence:
       enabled: false

platform/cert-manager/cluster-issuer-prod.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: devops@sovamed.ru
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+      - http01:
+          ingress:
+            class: nginx

platform/cert-manager/cluster-issuer-staging.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: devops@sovamed.ru
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - http01:
+          ingress:
+            class: nginx

platform/gitea/values-lite-remote.yaml

@@ -0,0 +1,20 @@
+# Single-node test (8–12 GB): SQLite, без PostgreSQL HA
+postgresql:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+gitea:
+  config:
+    database:
+      DB_TYPE: sqlite3
+    actions:
+      ENABLED: true
+    packages:
+      ENABLED: true
+
+resources:
+  requests:
+    memory: 128Mi
+  limits:
+    memory: 512Mi

platform/monitoring/values-lite-12gb.yaml

@@ -0,0 +1,25 @@
+# Remote test server — 12 GB RAM (kube-prometheus-stack)
+grafana:
+  enabled: true
+  resources:
+    requests:
+      memory: 128Mi
+    limits:
+      memory: 256Mi
+
+prometheus:
+  prometheusSpec:
+    retention: 3d
+    scrapeInterval: 60s
+    evaluationInterval: 60s
+    resources:
+      requests:
+        memory: 512Mi
+      limits:
+        memory: 1Gi
+
+# Раскомментировать при нехватке RAM:
+# kubeStateMetrics:
+#   enabled: false
+# nodeExporter:
+#   enabled: false

platform/priority-classes.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: sova-critical
+value: 1000000
+globalDefault: false
+description: "API, PostgreSQL, MySQL — не убивать при OOM"
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: sova-normal
+value: 100000
+globalDefault: true
+description: "Gitea, ArgoCD, ingress"
+---
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: sova-low
+value: 10000
+globalDefault: false
+description: "Runner, Grafana, Loki — жертвы OOM"