From e7d4d405c3cc5596e039d77c14018f22607cb322 Mon Sep 17 00:00:00 2001
From: u1 <u1@rv32i.pl>
Date: Tue, 6 Jan 2026 16:15:54 +0100
Subject: [PATCH] feat(auth): replace ingress basicAuth with app login

---
 .../overlays/staging/frontend-auth-patch.yaml | 22 +++++++++++++++++++
 .../overlays/staging/frontend-ingress.yaml    |  1 -
 kustomize/overlays/staging/kustomization.yaml |  1 -
 .../staging/trade-basic-auth-middleware.yaml  | 10 ---------
 4 files changed, 22 insertions(+), 12 deletions(-)
 delete mode 100644 kustomize/overlays/staging/trade-basic-auth-middleware.yaml

diff --git a/kustomize/overlays/staging/frontend-auth-patch.yaml b/kustomize/overlays/staging/frontend-auth-patch.yaml
index c7e9deb..de5e7fb 100644
--- a/kustomize/overlays/staging/frontend-auth-patch.yaml
+++ b/kustomize/overlays/staging/frontend-auth-patch.yaml
@@ -10,3 +10,25 @@ spec:
           env:
             - name: BASIC_AUTH_MODE
               value: "off"
+            - name: AUTH_MODE
+              value: "session"
+            - name: HTPASSWD_FILE
+              value: "/auth/users"
+            - name: AUTH_SESSION_SECRET_FILE
+              value: "/auth/session-secret"
+          volumeMounts:
+            - name: auth-users
+              mountPath: /auth/users
+              subPath: users
+              readOnly: true
+            - name: auth-session
+              mountPath: /auth/session-secret
+              subPath: secret
+              readOnly: true
+      volumes:
+        - name: auth-users
+          secret:
+            secretName: trade-basic-auth
+        - name: auth-session
+          secret:
+            secretName: trade-session-secret
diff --git a/kustomize/overlays/staging/frontend-ingress.yaml b/kustomize/overlays/staging/frontend-ingress.yaml
index 715d4d1..b90468a 100644
--- a/kustomize/overlays/staging/frontend-ingress.yaml
+++ b/kustomize/overlays/staging/frontend-ingress.yaml
@@ -5,7 +5,6 @@ metadata:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: trade-staging-trade-basic-auth@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
diff --git a/kustomize/overlays/staging/kustomization.yaml b/kustomize/overlays/staging/kustomization.yaml
index 8fa28ec..a7d541d 100644
--- a/kustomize/overlays/staging/kustomization.yaml
+++ b/kustomize/overlays/staging/kustomization.yaml
@@ -6,7 +6,6 @@ namespace: trade-staging
 resources:
   - ../../base
   - pgadmin.yaml
-  - trade-basic-auth-middleware.yaml
   - frontend-ingress.yaml
 
 patchesStrategicMerge:
diff --git a/kustomize/overlays/staging/trade-basic-auth-middleware.yaml b/kustomize/overlays/staging/trade-basic-auth-middleware.yaml
deleted file mode 100644
index 81823e4..0000000
--- a/kustomize/overlays/staging/trade-basic-auth-middleware.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: trade-basic-auth
-spec:
-  basicAuth:
-    secret: trade-basic-auth
-    realm: trade
-    headerField: X-Trade-User
-    removeHeader: true