From 5cc7f787cc962cb4576aba451b963de476a97a8e Mon Sep 17 00:00:00 2001
From: "Andrew M. Stoltz" <1578013+astoltz@users.noreply.github.com>
Date: Wed, 11 Mar 2026 14:44:03 -0500
Subject: [PATCH] Add basicAuth middleware to NOC proxy IngressRoutes

Add bcrypt-based basicAuth (admin/zenith-turret-falcon-umber) to grafana,
prometheus, and cockpit IngressRoutes in noc-proxy namespace. Uses shared
Secret and Middleware, matching the traefik-dashboard-auth pattern.
---
 apps/noc-services/noc-services.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/apps/noc-services/noc-services.yaml b/apps/noc-services/noc-services.yaml
index 62ccdf9..8788880 100644
--- a/apps/noc-services/noc-services.yaml
+++ b/apps/noc-services/noc-services.yaml
@@ -11,6 +11,27 @@ metadata:
     app.kubernetes.io/part-of: bluejay-infra
 ---
 # ============================================================
+# BasicAuth - shared across all NOC proxy IngressRoutes
+# ============================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+type: Opaque
+data:
+  users: YWRtaW46JDJiJDEwJEZjdlVFNWNpNkxvNi5rZ1k5L3hJV2V5M2tvM3VVY1U5YXJaSlQ4N29ZREtCSi5lNkoucXJD
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: noc-proxy-auth
+  namespace: noc-proxy
+spec:
+  basicAuth:
+    secret: noc-proxy-auth
+---
+# ============================================================
 # Grafana - noc1:3000
 # ============================================================
 apiVersion: v1
@@ -61,6 +82,8 @@ spec:
   routes:
     - kind: Rule
       match: Host(`grafana.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
       services:
         - name: grafana-external
           port: 3000
@@ -118,6 +141,8 @@ spec:
   routes:
     - kind: Rule
       match: Host(`prometheus.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
       services:
         - name: prometheus-external
           port: 9091
@@ -185,6 +210,8 @@ spec:
   routes:
     - kind: Rule
       match: Host(`cockpit.iamworkin.lan`)
+      middlewares:
+        - name: noc-proxy-auth
       services:
         - name: cockpit-external
           port: 9090