zot/vault: simplify to native OIDC and redirect to login

services/vault/ingress.yaml

@@ -7,7 +7,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: ""
+    traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
@@ -21,6 +21,6 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: oauth2-proxy-vault
+                name: vault
                 port:
-                  number: 80
+                  number: 8200

services/vault/middleware.yaml

@@ -2,14 +2,10 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: vault-forward-auth
+  name: vault-vault-login-redirect
   namespace: vault
 spec:
-  forwardAuth:
-    address: https://auth.bstein.dev/oauth2/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - Authorization
-      - X-Auth-Request-Email
-      - X-Auth-Request-User
-      - X-Auth-Request-Groups
+  redirectRegex:
+    regex: "^/$"
+    replacement: "https://secret.bstein.dev/ui/vault/auth/oidc/login"
+    permanent: true

services/zot/ingress.yaml

@@ -8,7 +8,7 @@ metadata:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd,zot-zot-login-redirect@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

services/zot/middleware.yaml

@@ -30,14 +30,10 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: zot-forward-auth
+  name: zot-login-redirect
   namespace: zot
 spec:
-  forwardAuth:
-    address: https://auth.bstein.dev/oauth2/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - Authorization
-      - X-Auth-Request-Email
-      - X-Auth-Request-User
-      - X-Auth-Request-Groups
+  redirectRegex:
+    regex: "^/$"
+    replacement: "https://registry.bstein.dev/auth/login?provider=oidc&callback_ui=https://registry.bstein.dev/home"
+    permanent: true