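---
# traefik-forward-auth: OIDC forward-auth gateway for whoami.hottis.de.
# All resources are namespace-less here; the Middleware address below assumes
# they are applied into the 'whoami' namespace.
#
# Non-secret settings only. The OIDC client secret and the cookie signing
# secret come from the separately created Secret (see the note below).
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-forward-auth
data:
  # The auth host is exposed only on the TLS 'websecure' entrypoint (see the
  # IngressRoute / Certificate below), so the session cookie must carry the
  # Secure flag. 'true' drops that flag and lets the cookie travel over plain
  # HTTP; only use it when TLS is genuinely not terminated in front of this
  # service. Assumes the protected app (whoami.hottis.de) is TLS-only as well.
  INSECURE_COOKIE: 'false'
  # Cookie scope: this host and every subdomain under it share the cookie.
  COOKIE_DOMAIN: whoami.hottis.de
  DOMAINS: whoami.hottis.de
  AUTH_HOST: auth.whoami.hottis.de
  URL_PATH: /_oauth
  DEFAULT_PROVIDER: oidc
  PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
  PROVIDERS_OIDC_CLIENT_ID: whoami
  # Role that must be present in the token for access to be granted.
  # NOTE(review): presumably an option of the wollud1969 fork (the upstream
  # thomseddon image is commented out below) — verify against that image's docs.
  REQUIRED_ROLE: whoami_access
# ---
# The Secret is intentionally NOT committed. Create it out of band (secret
# store, sealed secret, etc.) before applying the Deployment, which mounts
# both keys via secretKeyRef and will not start without them.
#   SECRET                        random high-entropy cookie signing key
#   PROVIDERS_OIDC_CLIENT_SECRET  client secret issued by the OIDC realm
# apiVersion: v1
# kind: Secret
# metadata:
#   name: traefik-forward-auth
# type: Opaque
# data:
#   PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
#   SECRET: PLACEHOLDER
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
      annotations:
        # Beta AppArmor annotation. On clusters that support it, the
        # equivalent securityContext.appArmorProfile field is preferred;
        # the annotation is kept because the cluster version is not known here.
        container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
    spec:
      # The auth service never talks to the Kubernetes API; do not hand it a
      # service-account token.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: traefik-forward-auth
          # Upstream image, kept for reference:
          # image: thomseddon/traefik-forward-auth
          # NOTE(review): '3.0.0' is a mutable tag pulled with imagePullPolicy
          # Always — pin to an immutable @sha256 digest once the intended
          # image digest is known.
          image: wollud1969/traefik-forward-auth:3.0.0
          imagePullPolicy: Always
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            # Pairs with dropping ALL capabilities: without this a setuid
            # binary could still regain privileges.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          livenessProbe:
            failureThreshold: 3
            tcpSocket:
              port: 4181
            initialDelaySeconds: 10
            periodSeconds: 10
          resources:
            limits:
              memory: '10Mi'
              cpu: '100m'
          ports:
            - containerPort: 4181
              protocol: TCP
          env:
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: PROVIDERS_OIDC_CLIENT_SECRET
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: SECRET
            # 'trace' was the previous value. At that level request details
            # (headers, cookies, possibly tokens) may end up in pod logs; keep
            # it at 'info' and raise it only temporarily while debugging.
            - name: LOG_LEVEL
              value: info
          envFrom:
            - configMapRef:
                name: traefik-forward-auth
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
    - name: auth-http
      port: 4181
      targetPort: 4181
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: auth-whoami-hottis-de
spec:
  secretName: auth-whoami-cert
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - hottis-de
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - auth.whoami.hottis.de
  issuerRef:
    name: letsencrypt-production-http
    kind: ClusterIssuer
    group: cert-manager.io
---
# NOTE(review): traefik.containo.us/v1alpha1 is the legacy CRD group; newer
# Traefik releases serve the same kinds under traefik.io/v1alpha1. Left as-is
# because the installed Traefik version is not visible here.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  # TLS-only: there is deliberately no 'web' entrypoint for the auth host.
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.whoami.hottis.de`)
      kind: Rule
      services:
        - name: traefik-forward-auth
          port: 4181
  tls:
    secretName: auth-whoami-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
spec:
  forwardAuth:
    # Passes client-supplied X-Forwarded-* headers through to the auth
    # service, which derives redirect/return URLs from them. This is only
    # safe if the 'websecure' entrypoint restricts forwardedHeaders to
    # trusted proxy IPs (or Traefik is the edge); otherwise a client can
    # spoof X-Forwarded-Host/Proto. Verify the entrypoint configuration.
    trustForwardHeader: true
    # Plain HTTP on the cluster network; namespace 'whoami' is assumed.
    address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
    authResponseHeaders:
      - X-Forwarded-User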