SYS-674 helm chart updates for auth protection of mythtv-backend

Author: instantlinux

images/mythtv-backend/README.md

@@ -7,18 +7,15 @@ The MythTV backend built under Ubuntu noble (24.04).
 
 This image must be run in network_mode:host in order to communicate with HD Homerun tuners; assign a new IP address and hostname for this application, and define it as a secondary IP address on your Docker host's primary interface.
 
-For configuration, see the example docker-compose.yml (for swarm or standalone docker) or [helm](https://github.com/instantlinux/docker-tools/blob/main/images/helm) or kubernetes.yaml to run on bare-metal Kubernetes. Set environment variables and secrets as defined here, and customize volume mounts as desired. This repo has complete instructions for
-[building a kubernetes cluster](https://github.com/instantlinux/docker-tools/blob/main/k8s/README.md) where you can launch with [helm](https://github.com/instantlinux/docker-tools/tree/main/images/mythtv-backend/helm) or [kubernetes.yaml](https://github.com/instantlinux/docker-tools/blob/main/images/mythtv-backend/kubernetes.yaml) using _make_ and customizing [Makefile.vars](https://github.com/instantlinux/docker-tools/blob/main/k8s/Makefile.vars) after cloning this repo:
+For configuration, see the example docker-compose.yml (for swarm or standalone docker) or [helm](https://github.com/instantlinux/docker-tools/blob/main/images/helm). Set variables and secrets as defined here, and customize volume mounts as desired. This repo has complete instructions for
+[building a kubernetes cluster](https://github.com/instantlinux/docker-tools/blob/main/k8s/README.md) where you can launch with [helm](https://github.com/instantlinux/docker-tools/tree/main/images/mythtv-backend/helm) using _make_ and customizing [Makefile.vars](https://github.com/instantlinux/docker-tools/blob/main/k8s/Makefile.vars) after cloning this repo:
 ~~~
 git clone https://github.com/instantlinux/docker-tools.git
 cd docker-tools/k8s
 make mythtv-backend
 ~~~
 
-If you have two Kubernetes nodes set up, run the kubernetes-ha.yaml to set up data sync between two identical drives across the nodes, and define a floating IP address. One copy of mythbackend will be running on one of the nodes at any given time, providing a simple high-availability configuration. See more details in the Makefile in k8s directory. The kubernetes.yaml sample provided here can also set up the mythweb virtual-host https://mythweb.yourdomain.com so you can schedule recordings when you're not home; create an htpasswd file with name _auth_ and then:
-~~~
-kubectl create secret generic mythweb-auth --from-file=auth
-~~~
+If you have two Kubernetes nodes set up, run the kubernetes-ha.yaml to set up data sync between two identical drives across the nodes, and define a floating IP address. One copy of mythbackend will be running on one of the nodes at any given time, providing a simple high-availability configuration. See more details in the Makefile in k8s directory. The kubernetes.yaml sample provided here can also set up the mythweb virtual-host https://mythweb.yourdomain.com so you can schedule recordings when you're not home.
 
 You can also run this image directly (without compose or kubernetes) using environment variables and secrets files.
 
@@ -43,7 +40,6 @@ Starting with v34, mythtv-setup is accessed via <pod-ip>:6544/setupwizard. Use t
 ### Variables
 Variable | Default | Description
 -------- | ------- | -----------
-APACHE_LOG_DIR | /var/log/apache2 | Apache logs
 DBNAME | mythtv | Database name
 DBSERVER | db00 | Database server hostname
 LANG | en_US.UTF-8 | 
@@ -69,11 +65,10 @@ Note that the [Kodi](https://kodi.tv/download/) frontend also provides limited s
 
 ### Volumes
 
-Optionally, mount these path names to persistent storage:
+Optionally, mount this path name to persistent storage:
 
 Path | Description
 ---- | -----------
-/var/log/apache2 | Apache logs
 /etc/ssh | Host keys and configs for ssh
 
 ### Secrets
@@ -84,7 +79,6 @@ Secret | Description
 ------ | -----------
 mythtv-db-password | Password of MythTV db user
 mythtv-user-password | Hashed password of MythTV ssh user
-mythweb-auth | htpasswd for mythweb user(s) under k8s
 
 ### Upgrade Notes
 

images/mythtv-backend/helm/values.yaml

@@ -85,40 +85,26 @@ autoscaling:
   enabled: false
 
 authelia:
+  # To override, use tlsHostname at top level
   fqdn: authtotp.example.com
   ip: 10.101.1.5
+  path: /Myth/LoginUser
 ingress:
   # This ingress exposes your MythTV schedule and operational controls to
-  #  the public Internet.
-  # TODO: change default back to true once the setup wizard screens
-  #  are secured by the authentication framework.
+  #  the public Internet. Set up the admin user before enabling.
   enabled: false
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    kubernetes.io/ingress.class: nginx
-    nginx.ingress.kubernetes.io/auth-type: basic
-    nginx.ingress.kubernetes.io/auth-secret: mythweb-auth
-  hosts:
-  - host: mythweb.example.com
-    paths:
-    - path: /
-      pathType: Prefix
-  tls:
-  - secretName: tls-mythtv-backend
-    hosts:
-    - mythweb.example.com
 ingressTOTP:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    kubernetes.io/ingress.class: nginx
-  hosts:
-  - host: mythweb.example.com
-    paths:
-    - path: /settings
-      pathType: Prefix
-  tls:
-  - secretName: tls-mythtv-backend
-    hosts: [ mythweb.example.com ]
+  # Enable this ingress for TOTP if you have Authelia installed,
+  #   along with an external DNS name.
+  # TODO: this helm chart does trigger TOTP, but Authelia's login
+  #   splash page doesn't come up. The http-post operation to
+  #   /Myth/LoginUser fails to redirect. But you can manually
+  #   bring it up (e.g. https://authtotp.example.com) and authenticate
+  #   there, then come back to the MythTV dashboard's login link.
+  # Fixing that is a low-priority, as ingress-nginx is deprecated
+  #   and there may be an easier way to implement TOTP under envoy
+  #   gateway.
+  enabled: false
 
 # Subchart data-sync, maintains persistent data across nodes
 data-sync: