From 1f5ae50989e5362830d894c6b8f6ee2ee01e4e77 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 9 Dec 2025 02:34:16 -0300
Subject: [PATCH] zot: restore oauth2-proxy front; vault: point ingress to vault-ui
---
 services/vault/ingress.yaml  | 2 +-
 services/zot/ingress.yaml    | 6 +++---
 services/zot/middleware.yaml | 14 +++++++++-----
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index de14600..0f85ec0 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -21,6 +21,6 @@ spec:
         pathType: Prefix
         backend:
           service:
-            name: vault
+            name: vault-ui
             port:
               number: 8200
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 2854b75..7a40679 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd,zot-zot-login-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd,zot-zot-forward-auth@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
@@ -22,6 +22,6 @@ spec:
         pathType: Prefix
         backend:
           service:
-            name: zot
+            name: oauth2-proxy-zot
             port:
-              number: 5000
+              number: 80
diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml
index 6549811..cc76d5f 100644
--- a/services/zot/middleware.yaml
+++ b/services/zot/middleware.yaml
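Review bot: Sending the whole `pathType: Prefix` rule to `oauth2-proxy-zot:80`, with the `zot-zot-forward-auth` middleware from the first hunk in front of it, also covers the OCI API under `/v2/`, so `docker`/`podman` clients, which carry no browser session cookie, will receive oauth2-proxy's 401 instead of Zot's own `WWW-Authenticate: Bearer` challenge and cannot authenticate through this host. The `path:` and `host:` lines are outside the hunk, so if another rule already routes `/v2` straight to `zot:5000` this is fine; otherwise add one ahead of this rule, e.g. `- path: /v2` / `pathType: Prefix` / `backend.service: {name: zot, port.number: 5000}`, and keep the middleware off that route. The forward-auth middleware and the oauth2-proxy backend are also two auth layers on the same host: an anonymous browser is stopped by the middleware's non-2xx response before it ever reaches oauth2-proxy-zot's sign-in redirect, unless `auth.bstein.dev` redirects on its own, so confirm the login flow still starts. A comment on the backend line stating which of the two is meant to terminate the browser session would stop a later maintainer from removing the wrong one as redundant.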
@@ -30,10 +30,14 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: zot-login-redirect
+  name: zot-forward-auth
   namespace: zot
 spec:
-  redirectRegex:
-    regex: "^/$"
-    replacement: "https://registry.bstein.dev/auth/login?provider=oidc&callback_ui=https://registry.bstein.dev/home"
-    permanent: true
+  forwardAuth:
+    address: https://auth.bstein.dev/oauth2/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - Authorization
+      - X-Auth-Request-Email
+      - X-Auth-Request-User
+      - X-Auth-Request-Groups
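Review bot: `trustForwardHeader: true` makes Traefik pass the client-supplied `X-Forwarded-*` headers through to the auth server instead of setting them itself, so unless the `websecure` entrypoint restricts `forwardedHeaders.trustedIPs` to the load balancer, a caller can spoof `X-Forwarded-Host`/`X-Forwarded-Proto` and influence the redirect and cookie decisions oauth2-proxy derives from them; either drop the flag or verify that entrypoint setting is in place. The `address` also goes out via the public name `https://auth.bstein.dev/oauth2/auth`, adding a DNS/TLS hairpin and a dependency on the public ingress to every request; if that host is served by the `oauth2-proxy-zot` Service in this namespace, the in-cluster URL `http://oauth2-proxy-zot.zot.svc.cluster.local/oauth2/auth` avoids both. Note too that oauth2-proxy's `/oauth2/auth` endpoint answers 401 rather than redirecting anonymous browsers, so something else must turn that into a sign-in redirect; a comment above `forwardAuth:` such as `# 401 from /oauth2/auth is converted to a sign-in redirect by <errors middleware / oauth2-proxy upstream>` would record where that happens.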