health: internal test-access ingress + DEV_AUTH_EMAIL (ADR-0008)

Add health-test.viktorbarzin.lan (auth=none, allow_local_access_only, anti-AI off) pointing at the same health deployment, plus a DEV_AUTH_EMAIL=vbarzin@gmail.com env on the container. Lets automated E2E / Playwright / manual screenshots reach the live app without the Authentik SSO redirect, for testing — while the public health.viktorbarzin.me ingress stays auth=required (forward-auth fails closed, so the public path always carries the real X-authentik-email header and never hits the DEV_AUTH_EMAIL fallback). LAN-only, no public exposure. Decision recorded in health repo ADR-0008. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 04:01:00 +00:00 · 2026-06-14 04:01:00 +00:00 · 05bec26d09
commit 05bec26d09
parent e6699ed20b
1 changed files with 34 additions and 1 deletions
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@ -9,7 +9,7 @@ resource "kubernetes_namespace" "health" {
  metadata {
    name = "health"
    labels = {
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
      "keel.sh/enrolled" = "true"
    }
  }
@ -128,6 +128,15 @@ resource "kubernetes_deployment" "health" {
            name  = "COOKIE_SECURE"
            value = "true"
          }
+          env {
+            # ADR-0008 (health repo): identity for the internal LAN test host.
+            # Only reached when no X-authentik-email header is present — i.e. via
+            # the auth="none" test ingress below. The public host's forward-auth
+            # fails closed, so requests arriving there always carry the real
+            # header and never fall back to this value.
+            name  = "DEV_AUTH_EMAIL"
+            value = "vbarzin@gmail.com"
+          }

          volume_mount {
            name       = "uploads"
@ -207,6 +216,30 @@ module "ingress" {
  }
 }

+# https://health-test.viktorbarzin.lan — internal LAN-only test host for
+# automated/E2E testing + manual screenshots without the Authentik SSO dance
+# (ADR-0008). Same `health` deployment; acts as DEV_AUTH_EMAIL=vbarzin@gmail.com.
+module "ingress_test" {
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": LAN-only (allow_local_access_only) test host — no public
+  # exposure; the public health.viktorbarzin.me ingress above stays
+  # auth="required". No user data gate here by design — it serves the real app
+  # as DEV_AUTH_EMAIL since no X-authentik-email is injected (ADR-0008).
+  auth                    = "none"
+  namespace               = kubernetes_namespace.health.metadata[0].name
+  name                    = "health-test"
+  root_domain             = "viktorbarzin.lan"
+  service_name            = kubernetes_service.health.metadata[0].name
+  tls_secret_name         = var.tls_secret_name
+  allow_local_access_only = true
+  ssl_redirect            = false
+  max_body_size           = "100m"
+  anti_ai_scraping        = false
+  extra_annotations = {
+    "gethomepage.dev/enabled" = "false"
+  }
+}
+
 resource "kubernetes_manifest" "external_secret_db" {
  manifest = {
    apiVersion = "external-secrets.io/v1beta1"