From d9ed166640408e2c90bac01ed4576720e77ba6c2 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Wed, 15 Apr 2026 21:43:22 +0000
Subject: [PATCH] fix(beads-server): add Authentik auth to Dolt Workbench

- Set protected=true on ingress (Authentik forward-auth)
- Remove unused DATABASE_URL env var (Workbench uses browser-based connection config)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 stacks/beads-server/main.tf | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index 39d228d5..6105e6b8 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -214,11 +214,6 @@ resource "kubernetes_deployment" "workbench" {
             container_port = 9002
           }
 
-          env {
-            name  = "DATABASE_URL"
-            value = "mysql://beads@dolt.beads-server.svc.cluster.local:3306/code"
-          }
-
           startup_probe {
             http_get {
               path = "/"
@@ -295,6 +290,7 @@ module "ingress" {
   namespace       = kubernetes_namespace.beads.metadata[0].name
   name            = "dolt-workbench"
   tls_secret_name = var.tls_secret_name
+  protected       = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Dolt Workbench"