titan-iac/services/zot/oauth2-proxy-deployment.yaml

# services/zot/oauth2-proxy-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zot-oauth2-proxy
  namespace: zot
  labels: { app: zot-oauth2-proxy }
spec:
  replicas: 1
  selector:
    matchLabels: { app: zot-oauth2-proxy }
  template:
    metadata:
      labels: { app: zot-oauth2-proxy }
    spec:
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4","rpi5"]
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          imagePullPolicy: IfNotPresent
          args:
            - --provider=oidc
            - --redirect-url=https://web.registry.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
            - --scope=openid profile email
            - --email-domain=*
            - --cookie-domain=web.registry.bstein.dev
            - --cookie-name=_zot_ui_oauth
            - --set-xauthrequest=true
            - --set-authorization-header=false
            - --pass-authorization-header=true
            - --pass-access-token=false
            - --pass-basic-auth=false
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --cookie-refresh=20m
            - --cookie-expire=168h
            - --upstream=http://zot-ui-proxy:TempSsoUiPass%212025@zot:5000
            - --http-address=0.0.0.0:4180
            - --skip-provider-button=true
            - --skip-jwt-bearer-tokens=true
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: zot-oidc
                  key: client_id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: zot-oidc
                  key: client_secret
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: zot-oidc
                  key: client_secret
          ports:
            - containerPort: 4180
              name: http
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 20
            periodSeconds: 20
          resources:
            requests: { cpu: "25m", memory: "64Mi" }
zot: add oauth proxy and user sync scripts 2025-12-15 12:57:02 -03:00			`# services/zot/oauth2-proxy-deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: zot-oauth2-proxy`
			`namespace: zot`
			`labels: { app: zot-oauth2-proxy }`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels: { app: zot-oauth2-proxy }`
			`template:`
			`metadata:`
			`labels: { app: zot-oauth2-proxy }`
			`spec:`
			`nodeSelector:`
			`node-role.kubernetes.io/worker: "true"`
			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4","rpi5"]`
			`containers:`
			`- name: oauth2-proxy`
			`image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0`
			`imagePullPolicy: IfNotPresent`
			`args:`
			`- --provider=oidc`
			`- --redirect-url=https://web.registry.bstein.dev/oauth2/callback`
			`- --oidc-issuer-url=https://sso.bstein.dev/realms/atlas`
			`- --scope=openid profile email`
			`- --email-domain=*`
			`- --cookie-domain=web.registry.bstein.dev`
			`- --cookie-name=_zot_ui_oauth`
			`- --set-xauthrequest=true`
			`- --set-authorization-header=false`
zot: forward authorization header to ui 2025-12-15 14:14:49 -03:00			`- --pass-authorization-header=true`
zot: add oauth proxy and user sync scripts 2025-12-15 12:57:02 -03:00			`- --pass-access-token=false`
zot: forward authorization header to ui 2025-12-15 14:14:49 -03:00			`- --pass-basic-auth=false`
zot: add oauth proxy and user sync scripts 2025-12-15 12:57:02 -03:00			`- --cookie-secure=true`
			`- --cookie-samesite=lax`
			`- --cookie-refresh=20m`
			`- --cookie-expire=168h`
zot ui: send basic creds from oauth2-proxy, remove traefik header 2025-12-15 14:08:18 -03:00			`- --upstream=http://zot-ui-proxy:TempSsoUiPass%212025@zot:5000`
zot: add oauth proxy and user sync scripts 2025-12-15 12:57:02 -03:00			`- --http-address=0.0.0.0:4180`
			`- --skip-provider-button=true`
			`- --skip-jwt-bearer-tokens=true`
			`env:`
			`- name: OAUTH2_PROXY_CLIENT_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: zot-oidc`
			`key: client_id`
			`- name: OAUTH2_PROXY_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: zot-oidc`
			`key: client_secret`
			`- name: OAUTH2_PROXY_COOKIE_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: zot-oidc`
			`key: client_secret`
			`ports:`
			`- containerPort: 4180`
			`name: http`
			`readinessProbe:`
			`httpGet:`
			`path: /ping`
			`port: 4180`
			`initialDelaySeconds: 5`
			`periodSeconds: 10`
			`livenessProbe:`
			`httpGet:`
			`path: /ping`
			`port: 4180`
			`initialDelaySeconds: 20`
			`periodSeconds: 20`
			`resources:`
			`requests: { cpu: "25m", memory: "64Mi" }`