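# Jupyter behind Traefik, with OIDC login enforced by traefik-forward-auth.
# Documents, in order: forward-auth ConfigMap, Deployment, Service, Certificate,
# IngressRoute and Middleware; then the Jupyter PVC, Deployment, Service,
# Certificate and IngressRoute.
# The Secret named traefik-forward-auth (keys PROVIDERS_OIDC_CLIENT_SECRET and
# SECRET) is referenced by the forward-auth Deployment but is not part of this
# file.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-forward-auth
data:
  # NOTE(review): 'true' presumably (as in upstream traefik-forward-auth) drops
  # the Secure attribute from the session cookie. Both IngressRoutes in this
  # file serve only the websecure entrypoint with TLS, so 'false' should be
  # viable — confirm against the forked image before changing.
  INSECURE_COOKIE: 'true'
  COOKIE_DOMAIN: jupyter.hottis.de
  # NOTE(review): in upstream, DOMAINS is an e-mail-domain allow-list; the
  # REQUIRED_ROLE option is fork-specific, so verify the intended semantics.
  DOMAINS: jupyter.hottis.de
  AUTH_HOST: auth.jupyter.hottis.de
  URL_PATH: /_oauth
  DEFAULT_PROVIDER: oidc
  PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
  PROVIDERS_OIDC_CLIENT_ID: jupyter
  REQUIRED_ROLE: JupyterAccess
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
  annotations:
    # Restart the pod when the referenced Secret changes.
    secret.reloader.stakater.com/reload: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
      annotations:
        container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
    spec:
      containers:
        - name: traefik-forward-auth
          # image: thomseddon/traefik-forward-auth
          image: wollud1969/traefik-forward-auth:3.0.0
          imagePullPolicy: Always
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            # Added: with all capabilities dropped and a non-root uid there is
            # no legitimate need to regain privileges via setuid binaries.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          livenessProbe:
            failureThreshold: 3
            tcpSocket:
              port: 4181
            initialDelaySeconds: 10
            periodSeconds: 10
          resources:
            # Only limits are set; requests default to the same values.
            limits:
              memory: '50Mi'
              cpu: '100m'
          ports:
            - containerPort: 4181
              protocol: TCP
          env:
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: PROVIDERS_OIDC_CLIENT_SECRET
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: SECRET
            - name: LOG_LEVEL
              value: info
          # Non-secret settings come from the ConfigMap above.
          envFrom:
            - configMapRef:
                name: traefik-forward-auth
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
    - name: auth-http
      port: 4181
      targetPort: 4181
---
# TLS certificate for the auth host (browser-facing OIDC callback endpoint).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: auth-jupyter-hottis-de
spec:
  secretName: auth-jupyter-cert
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - hottis-de
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - auth.jupyter.hottis.de
  issuerRef:
    name: letsencrypt-production-http
    kind: ClusterIssuer
    group: cert-manager.io
---
# Public route to the forward-auth service itself (TLS only; no middleware).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.jupyter.hottis.de`)
      kind: Rule
      services:
        - name: traefik-forward-auth
          port: 4181
  tls:
    secretName: auth-jupyter-cert
---
# Middleware that Traefik consults before forwarding a request to Jupyter.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
spec:
  forwardAuth:
    # NOTE(review): trusts X-Forwarded-* headers on the incoming request when
    # calling the auth service. Make sure the websecure entrypoint does not in
    # turn trust client-supplied X-Forwarded-* headers, otherwise the
    # proto/host the auth service sees could be client-controlled.
    trustForwardHeader: true
    # NOTE(review): the namespace `jupyter` is hard-coded here; verify it
    # matches the namespace these manifests are applied to.
    address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181
    # Only this header from the auth response is passed on to Jupyter.
    authResponseHeaders:
      - X-Forwarded-User
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jupyter-workspace
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: nfs-client
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jupyter
  labels:
    app: jupyter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jupyter
  template:
    metadata:
      labels:
        app: jupyter
    spec:
      containers:
        - name: jupyter
          # Placeholder replaced before apply (presumably by the deploy script).
          # Quoted: a plain YAML scalar may not start with '%', so the
          # unsubstituted template would otherwise fail to parse.
          image: "%IMAGE%"
          # NOTE(review): unlike the forward-auth container there is no
          # securityContext, resource limit or probe here; the image's uid
          # requirements are not visible in this file, so left unchanged.
          ports:
            - containerPort: 8888
              protocol: TCP
          env:
            - name: JUPYTER_PORT
              value: "8888"
          volumeMounts:
            - mountPath: /home/jovyan/work
              name: work
      volumes:
        - name: work
          persistentVolumeClaim:
            claimName: jupyter-workspace
---
apiVersion: v1
kind: Service
metadata:
  name: jupyter
spec:
  type: ClusterIP
  selector:
    app: jupyter
  ports:
    # Exposed on 80 inside the cluster, mapped to the container's 8888.
    - name: http
      targetPort: 8888
      port: 80
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: jupyter-hottis-de
spec:
  secretName: jupyter-cert
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - hottis-de
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - jupyter.hottis.de
  issuerRef:
    name: letsencrypt-production-http
    kind: ClusterIssuer
    group: cert-manager.io
---
# Every request to jupyter.hottis.de passes the forward-auth middleware first.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: jupyter
  labels:
    app: jupyter
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`jupyter.hottis.de`)
      kind: Rule
      services:
        - name: jupyter
          port: 80
      middlewares:
        - name: traefik-forward-auth
  tls:
    secretName: jupyter-cert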