health: internal test-access ingress + DEV_AUTH_EMAIL (ADR-0008)
Add health-test.viktorbarzin.lan (auth=none, allow_local_access_only, anti-AI off) pointing at the same health deployment, plus a DEV_AUTH_EMAIL=vbarzin@gmail.com env on the container. Lets automated E2E / Playwright / manual screenshots reach the live app without the Authentik SSO redirect, for testing — while the public health.viktorbarzin.me ingress stays auth=required (forward-auth fails closed, so the public path always carries the real X-authentik-email header and never hits the DEV_AUTH_EMAIL fallback). LAN-only, no public exposure. Decision recorded in health repo ADR-0008. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
e6699ed20b
commit
05bec26d09
1 changed files with 34 additions and 1 deletions
|
|
@ -128,6 +128,15 @@ resource "kubernetes_deployment" "health" {
|
||||||
name = "COOKIE_SECURE"
|
name = "COOKIE_SECURE"
|
||||||
value = "true"
|
value = "true"
|
||||||
}
|
}
|
||||||
|
env {
|
||||||
|
# ADR-0008 (health repo): identity for the internal LAN test host.
|
||||||
|
# Only reached when no X-authentik-email header is present — i.e. via
|
||||||
|
# the auth="none" test ingress below. The public host's forward-auth
|
||||||
|
# fails closed, so requests arriving there always carry the real
|
||||||
|
# header and never fall back to this value.
|
||||||
|
name = "DEV_AUTH_EMAIL"
|
||||||
|
value = "vbarzin@gmail.com"
|
||||||
|
}
|
||||||
|
|
||||||
volume_mount {
|
volume_mount {
|
||||||
name = "uploads"
|
name = "uploads"
|
||||||
|
|
@ -207,6 +216,30 @@ module "ingress" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# https://health-test.viktorbarzin.lan — internal LAN-only test host for
|
||||||
|
# automated/E2E testing + manual screenshots without the Authentik SSO dance
|
||||||
|
# (ADR-0008). Same `health` deployment; acts as DEV_AUTH_EMAIL=vbarzin@gmail.com.
|
||||||
|
module "ingress_test" {
|
||||||
|
source = "../../modules/kubernetes/ingress_factory"
|
||||||
|
# auth = "none": LAN-only (allow_local_access_only) test host — no public
|
||||||
|
# exposure; the public health.viktorbarzin.me ingress above stays
|
||||||
|
# auth="required". No user data gate here by design — it serves the real app
|
||||||
|
# as DEV_AUTH_EMAIL since no X-authentik-email is injected (ADR-0008).
|
||||||
|
auth = "none"
|
||||||
|
namespace = kubernetes_namespace.health.metadata[0].name
|
||||||
|
name = "health-test"
|
||||||
|
root_domain = "viktorbarzin.lan"
|
||||||
|
service_name = kubernetes_service.health.metadata[0].name
|
||||||
|
tls_secret_name = var.tls_secret_name
|
||||||
|
allow_local_access_only = true
|
||||||
|
ssl_redirect = false
|
||||||
|
max_body_size = "100m"
|
||||||
|
anti_ai_scraping = false
|
||||||
|
extra_annotations = {
|
||||||
|
"gethomepage.dev/enabled" = "false"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
resource "kubernetes_manifest" "external_secret_db" {
|
resource "kubernetes_manifest" "external_secret_db" {
|
||||||
manifest = {
|
manifest = {
|
||||||
apiVersion = "external-secrets.io/v1beta1"
|
apiVersion = "external-secrets.io/v1beta1"
|
||||||
|
|
|
||||||
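Review bot: The `auth = "none"` test ingress does nothing to strip an inbound `X-authentik-email` header, so if the app honours that header whenever it is present (as the DEV_AUTH_EMAIL comment in the first hunk implies), a LAN client hitting health-test can impersonate any user by supplying the header, not merely act as DEV_AUTH_EMAIL. The same fallback also applies to any request that reaches the shared `health` Service without passing through the public ingress (port-forwards, other in-cluster callers), because the identity decision now lives in the deployment rather than on the host. If `ingress_factory` is backed by ingress-nginx and snippet annotations are enabled, adding `"nginx.ingress.kubernetes.io/configuration-snippet" = "proxy_set_header X-authentik-email \"\";"` to `extra_annotations` would clear the header on the test host, and a NetworkPolicy limiting the pod's ingress to the ingress-controller namespace would bound the second path. The "forward-auth fails closed" guarantee both comment blocks rely on is a property of the module, not visible in this diff, so a one-line pointer such as `# fail-closed behaviour is enforced by modules/kubernetes/ingress_factory for auth = "required"` would help the next reader verify it.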