From e1092ce45978327d803182a2941b2708d1306dba Mon Sep 17 00:00:00 2001
From: Thomas Richter <git@tricnet.de>
Date: Sun, 1 Feb 2026 19:52:43 +0100
Subject: [PATCH] feat(helm): add basic auth support via Traefik middleware

- Add basicAuth.enabled and basicAuth.htpasswd values
- Create middleware.yaml template for Secret and Traefik Middleware
- Update ingress to include middleware annotation when enabled

Usage:
  helm upgrade taskplaner ./helm/taskplaner \
    --set basicAuth.enabled=true \
    --set basicAuth.htpasswd='admin:$apr1$...'

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 helm/taskplaner/templates/ingress.yaml    |  7 +++++--
 helm/taskplaner/templates/middleware.yaml | 22 ++++++++++++++++++++++
 helm/taskplaner/values.yaml               |  7 +++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 helm/taskplaner/templates/middleware.yaml

diff --git a/helm/taskplaner/templates/ingress.yaml b/helm/taskplaner/templates/ingress.yaml
index b630b81..5b3141c 100644
--- a/helm/taskplaner/templates/ingress.yaml
+++ b/helm/taskplaner/templates/ingress.yaml
@@ -5,10 +5,13 @@ metadata:
   name: {{ include "taskplaner.fullname" . }}
   labels:
     {{- include "taskplaner.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
   annotations:
+    {{- with .Values.ingress.annotations }}
     {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- end }}
+    {{- if .Values.basicAuth.enabled }}
+    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-{{ include "taskplaner.fullname" . }}-basic-auth@kubernetescrd
+    {{- end }}
 spec:
   {{- if .Values.ingress.className }}
   ingressClassName: {{ .Values.ingress.className }}
diff --git a/helm/taskplaner/templates/middleware.yaml b/helm/taskplaner/templates/middleware.yaml
new file mode 100644
index 0000000..aa562e8
--- /dev/null
+++ b/helm/taskplaner/templates/middleware.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.basicAuth.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "taskplaner.fullname" . }}-basic-auth
+  labels:
+    {{- include "taskplaner.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  users: {{ .Values.basicAuth.htpasswd | quote }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ include "taskplaner.fullname" . }}-basic-auth
+  labels:
+    {{- include "taskplaner.labels" . | nindent 4 }}
+spec:
+  basicAuth:
+    secret: {{ include "taskplaner.fullname" . }}-basic-auth
+{{- end }}
diff --git a/helm/taskplaner/values.yaml b/helm/taskplaner/values.yaml
index 21911f9..8687916 100644
--- a/helm/taskplaner/values.yaml
+++ b/helm/taskplaner/values.yaml
@@ -102,6 +102,13 @@ tolerations: []
 
 affinity: {}
 
+# Basic authentication (Traefik middleware)
+basicAuth:
+  enabled: false
+  # htpasswd encoded credentials (generate with: htpasswd -nb user password)
+  # Example: "admin:$apr1$xyz..."
+  htpasswd: ""
+
 # Application-specific configuration
 config:
   # The external URL where the app is accessible (required for CSRF protection)