buun-stack/oauth2-proxy/oauth2-proxy-deployment.gomplate.yaml
2025-11-13 18:10:15 +09:00


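# oauth2-proxy configuration for one protected application.
# This file is a gomplate template: APP_NAME, APP_NAMESPACE, APP_HOST,
# KEYCLOAK_HOST, KEYCLOAK_REALM and SKIP_AUTH_ROUTES are read from the
# environment at render time, before the result is parsed as YAML.
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-{{ .Env.APP_NAME }}-config
  # Quoted so an empty or all-digit value still renders as a YAML string.
  namespace: "{{ .Env.APP_NAMESPACE }}"
data:
  # Security notes on the settings rendered below:
  # - http_address binds every pod interface; any workload that can reach
  #   the pod IP on 4180 talks to the proxy directly.
  # - email_domains "*" accepts any e-mail domain, so who may sign in is
  #   decided entirely by the Keycloak realm named in oidc_issuer_url.
  # - reverse_proxy = true makes the proxy accept forwarded-client headers
  #   from whatever sits in front of it; keep it reachable only through a
  #   trusted ingress.
  # - skip_auth_routes entries are regular expressions exempt from
  #   authentication. The template anchors each entry only at the start,
  #   so an entry also exempts every longer path that begins with it; end
  #   an entry with "$" in SKIP_AUTH_ROUTES when an exact match is meant.
  #   Entries are inserted unescaped into a quoted string, so a double
  #   quote or backslash in SKIP_AUTH_ROUTES changes the rendered config.
  # - NOTE(review): gomplate's split normally takes the separator as its
  #   first argument; render once with SKIP_AUTH_ROUTES set and confirm
  #   the list comes out as intended.
  # - NOTE(review): check the upstream advisories on skip_auth_routes
  #   matching against the image tag pinned in the Deployment.
  config.cfg: |
    http_address = "0.0.0.0:4180"
    provider = "keycloak-oidc"
    oidc_issuer_url = "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
    redirect_url = "https://{{ .Env.APP_HOST }}/oauth2/callback"
    email_domains = "*"
    reverse_proxy = true
    {{- if .Env.SKIP_AUTH_ROUTES }}
    skip_auth_routes = [{{ range $i, $route := (split .Env.SKIP_AUTH_ROUTES ",") }}{{ if $i }},{{ end }}
      "^{{ $route }}"{{ end }}
    ]
    {{- end }}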
---
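# Single-replica oauth2-proxy that authenticates requests before passing
# them to UPSTREAM_SERVICE. Rendered by gomplate from environment values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-{{ .Env.APP_NAME }}
  # Quoted so an empty or all-digit value still renders as a YAML string.
  namespace: "{{ .Env.APP_NAMESPACE }}"
  labels:
    app: "{{ .Env.APP_NAME }}-oauth2-proxy"
    app.kubernetes.io/component: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "{{ .Env.APP_NAME }}-oauth2-proxy"
  template:
    metadata:
      labels:
        app: "{{ .Env.APP_NAME }}-oauth2-proxy"
        app.kubernetes.io/component: oauth2-proxy
    spec:
      # The proxy does not call the Kubernetes API, so no service-account
      # token is mounted into the pod.
      automountServiceAccountToken: false
      containers:
        - name: oauth2-proxy
          # Pinned by tag only; a tag can be re-pointed upstream. Pin by
          # digest (image@sha256:<digest>) once the digest is verified,
          # and review the tag against upstream security releases.
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          args:
            - --config=/etc/oauth2-proxy/config.cfg
            # Upstream traffic is plain HTTP; the upstream must only be
            # reachable through this proxy (for example via NetworkPolicy),
            # otherwise authentication can be bypassed in-cluster.
            - --upstream=http://{{ .Env.UPSTREAM_SERVICE }}
          # Container hardening: the proxy listens on an unprivileged port
          # and needs no capabilities or writable root filesystem.
          # NOTE(review): add runAsNonRoot: true after confirming the image
          # declares a numeric non-root user.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 50m
              memory: 128Mi
          # Credentials come from a Secret that shares its name with the
          # ConfigMap; the Secret itself is not defined in this template
          # and must exist in the namespace before the pod can start.
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-{{ .Env.APP_NAME }}-config
                  key: client_id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-{{ .Env.APP_NAME }}-config
                  key: client_secret
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-{{ .Env.APP_NAME }}-config
                  key: cookie_secret
          ports:
            - containerPort: 4180
              name: http
          volumeMounts:
            - name: config
              mountPath: /etc/oauth2-proxy/
              readOnly: true
          # /ping is the proxy's unauthenticated health endpoint.
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 3
            timeoutSeconds: 1
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 3
            timeoutSeconds: 1
      volumes:
        - name: config
          configMap:
            name: oauth2-proxy-{{ .Env.APP_NAME }}-config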