question: can I add auth to the controller UI but not necessarily to the cluster as a whole (?) like can I add auth to the UI without requests to the broker having to be authorize via CURL?

Just a thought, could you have your controller UI run behind a webserver (like ngnix) and have nginx handle the auth instead? You can specify which endpoints should be auth enabled and which ones not. You could possibly run nginx in the same pod or via k8s ingress controller? https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

yea i was thinking about that was wondering if there was a way to do it within the application without having to bring the webserver but yea totally doable