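---
# oauth2-proxy gating Prometheus: Deployment, Service, shared ConfigMap and the
# two Traefik middlewares (forwardAuth check and sign-in redirect on 401-403).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-prometheus
  labels:
    app: oauth2-proxy
    instance: prometheus
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
      instance: prometheus
  template:
    metadata:
      labels:
        app: oauth2-proxy
        instance: prometheus
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "44180"
    spec:
      containers:
        - name: oauth2-proxy
          # NOTE(review): `latest` is a mutable tag. Pin a release tag or an
          # image digest so the proxy that gates Prometheus only changes
          # through a reviewed update.
          image: quay.io/oauth2-proxy/oauth2-proxy:latest
          args:
            - --http-address=0.0.0.0:4180
            - --metrics-address=0.0.0.0:44180
            # X-Forwarded-For is only trustworthy if every path to this pod
            # goes through Traefik. oauth2-proxy documents this flag as
            # requiring --reverse-proxy, which is not set in these args.
            # TODO confirm it is supplied via the Secret/ConfigMap.
            - --real-client-ip-header=x-forwarded-for
          envFrom:
            - configMapRef:
                name: oauth2-proxy
            # Presumably carries the client secret and cookie secret; the
            # Secret itself is not defined in this manifest.
            - secretRef:
                name: oauth2-proxy-prometheus
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              value: prometheus
          # Least-privilege container settings: no privilege escalation, no
          # Linux capabilities, read-only root filesystem, default seccomp.
          # NOTE(review): consider `runAsNonRoot: true` as well once the
          # pinned image's USER is confirmed to be a numeric non-root UID.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
          ports:
            - name: http
              containerPort: 4180
            # Metrics listener from --metrics-address; scraped through the pod
            # annotations above and not exposed by the Service.
            - name: metrics
              containerPort: 44180
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy-prometheus
spec:
  selector:
    app: oauth2-proxy
    instance: prometheus
  ports:
    - name: http
      port: 4180
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy
data:
  OAUTH2_PROXY_PROVIDER: keycloak-oidc
  OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.janky.solutions/realms/janky.solutions
  OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Janky Solutions
  # "*" accepts any authenticated e-mail address, so access to Prometheus is
  # decided entirely by who can log in to the realm/client. If that is wider
  # than intended, restrict with --allowed-group / --allowed-role or in
  # Keycloak itself.
  OAUTH2_PROXY_EMAIL_DOMAINS: "*"
  # PKCE with SHA-256 on the authorization-code flow.
  OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-proxy-prometheus
spec:
  forwardAuth:
    address: http://oauth2-proxy-prometheus.monitoring.svc.cluster.local:4180/oauth2/auth
    # true forwards client-supplied X-Forwarded-* headers to oauth2-proxy
    # unchanged. Keep only if the Traefik entry point already limits them to
    # trusted upstreams (forwardedHeaders.trustedIPs); otherwise set false so
    # Traefik overwrites them with its own values.
    trustForwardHeader: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-proxy-prometheus-errors
spec:
  errors:
    status:
      - "401-403"
    service:
      name: oauth2-proxy-prometheus
      port: 4180
    # Sends unauthenticated requests to the sign-in page, with the original
    # URL as the post-login redirect target.
    query: "/oauth2/sign_in?rd={url}"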