From 05bec26d09afe017fbc448e3e0c22f7e0ed7562f Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 14 Jun 2026 04:01:00 +0000 Subject: [PATCH] health: internal test-access ingress + DEV_AUTH_EMAIL (ADR-0008) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add health-test.viktorbarzin.lan (auth=none, allow_local_access_only, anti-AI off) pointing at the same health deployment, plus a DEV_AUTH_EMAIL=vbarzin@gmail.com env on the container. Lets automated E2E / Playwright / manual screenshots reach the live app without the Authentik SSO redirect, for testing — while the public health.viktorbarzin.me ingress stays auth=required (forward-auth fails closed, so the public path always carries the real X-authentik-email header and never hits the DEV_AUTH_EMAIL fallback). LAN-only, no public exposure. Decision recorded in health repo ADR-0008. Co-Authored-By: Claude Opus 4.8 --- stacks/health/main.tf | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 979b2dd0..5b9ae090 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -9,7 +9,7 @@ resource "kubernetes_namespace" "health" { metadata { name = "health" labels = { - tier = local.tiers.aux + tier = local.tiers.aux "keel.sh/enrolled" = "true" } } @@ -128,6 +128,15 @@ resource "kubernetes_deployment" "health" { name = "COOKIE_SECURE" value = "true" } + env { + # ADR-0008 (health repo): identity for the internal LAN test host. + # Only reached when no X-authentik-email header is present — i.e. via + # the auth="none" test ingress below. The public host's forward-auth + # fails closed, so requests arriving there always carry the real + # header and never fall back to this value. + name = "DEV_AUTH_EMAIL" + value = "vbarzin@gmail.com" + } volume_mount { name = "uploads" 
@@ -207,6 +216,30 @@ module "ingress" {
 }
 }
 
+# https://health-test.viktorbarzin.lan — internal LAN-only test host for
+# automated/E2E testing + manual screenshots without the Authentik SSO dance
+# (ADR-0008). Same `health` deployment; acts as DEV_AUTH_EMAIL=vbarzin@gmail.com.
+module "ingress_test" {
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": LAN-only (allow_local_access_only) test host — no public
+ # exposure; the public health.viktorbarzin.me ingress above stays
+ # auth="required". No user data gate here by design — it serves the real app
+ # as DEV_AUTH_EMAIL since no X-authentik-email is injected (ADR-0008).
+ auth = "none"
+ namespace = kubernetes_namespace.health.metadata[0].name
+ name = "health-test"
+ root_domain = "viktorbarzin.lan"
+ service_name = kubernetes_service.health.metadata[0].name
+ tls_secret_name = var.tls_secret_name
+ allow_local_access_only = true
+ ssl_redirect = false
+ max_body_size = "100m"
+ anti_ai_scraping = false
+ extra_annotations = {
+ "gethomepage.dev/enabled" = "false"
+ }
+}
+
 resource "kubernetes_manifest" "external_secret_db" {
 manifest = {
 apiVersion = "external-secrets.io/v1beta1"
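Review bot: Nothing in `module "ingress_test"` removes a client-supplied `X-authentik-email` header, so on the `auth = "none"` host the identity the app sees is whatever a LAN client chooses to send, and only the absent-header case falls back to DEV_AUTH_EMAIL — the comment `# as DEV_AUTH_EMAIL since no X-authentik-email is injected` covers the forward-auth injection side only. If ingress_factory can clear that header for this host (for ingress-nginx, a configuration-snippet carried in the existing `extra_annotations` map, provided snippet annotations are enabled on the controller — I cannot see which controller is in use), do that; otherwise record the limitation next to the `auth` line: `# NOTE: inbound X-authentik-email is not stripped here; the app must only trust that header behind the auth="required" ingress (enforced app-side, not here).` Separately, the fallback identity is the owner's real account rather than a dedicated test user, so the LAN host serves that account's real data to any LAN client with no login — a throwaway identity would bound that exposure; the same applies to the DEV_AUTH_EMAIL env hunk in the deployment above.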