From 27214e729411802a4980089caff23d7608cf05ff Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 9 Dec 2025 02:26:01 -0300
Subject: [PATCH] zot/vault: simplify to native OIDC and redirect to login

---
 services/vault/ingress.yaml | 6 +++---
 services/vault/middleware.yaml | 14 +++++--------
 services/zot/ingress.yaml | 2 +-
 services/zot/middleware.yaml | 14 +++++--------
 4 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index d61d4bc..de14600 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: ""
+ traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
@@ -21,6 +21,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: oauth2-proxy-vault
+ name: vault
 port:
- number: 80
+ number: 8200
diff --git a/services/vault/middleware.yaml b/services/vault/middleware.yaml
index 8a39bf9..f457798 100644
--- a/services/vault/middleware.yaml
+++ b/services/vault/middleware.yaml
@@ -2,14 +2,10 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
- name: vault-forward-auth
+ name: vault-vault-login-redirect
 namespace: vault
 spec:
- forwardAuth:
- address: https://auth.bstein.dev/oauth2/auth
- trustForwardHeader: true
- authResponseHeaders:
- - Authorization
- - X-Auth-Request-Email
- - X-Auth-Request-User
- - X-Auth-Request-Groups
+ redirectRegex:
+ regex: "^/$"
+ replacement: "https://secret.bstein.dev/ui/vault/auth/oidc/login"
+ permanent: true
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 3425535..2854b75 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
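Review bot: The middleware reference on the added annotation line does not match the Middleware this commit creates. Traefik's kubernetescrd provider registers a Middleware as `<namespace>-<name>@kubernetescrd`, so the object named `vault-vault-login-redirect` in namespace `vault` (the vault middleware.yaml hunk) is exposed as `vault-vault-vault-login-redirect@kubernetescrd`, while this annotation asks for `vault-vault-login-redirect@kubernetescrd`; Traefik marks a router whose middleware cannot be resolved as errored and stops serving it, so the whole vault route would go dark rather than merely lose the redirect. The zot hunks use the intended pattern (`zot-login-redirect` in namespace `zot` → `zot-zot-login-redirect@kubernetescrd`), so the fix belongs in the vault middleware hunk: `name: vault-login-redirect`. The metadata/annotations block this hunk edits starts outside the hunk.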
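Review bot: Switching the backend to `name: vault` / `number: 8200` removes the oauth2-proxy hop, and with the forwardAuth middleware deleted in the vault middleware hunk, Vault's own token/OIDC auth becomes the only access control on this host; every path other than `/` is forwarded to Vault unchanged, including its unauthenticated API endpoints. If that is intended, record it where the next reader will look, e.g. above the backend: `# Direct to Vault: no edge auth; Vault's own auth (OIDC) is the only gate.` If the Vault listener on 8200 is TLS-enabled, Traefik also has to be told to speak https to the backend (for example the `traefik.ingress.kubernetes.io/service.serversscheme` annotation on the Service); the listener configuration is not on the page. The rule/path block this hunk edits starts outside the hunk.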
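Review bot: The new `regex: "^/$"` will never match, so the login redirect is dead: Traefik's redirectRegex middleware runs the pattern against the full request URL (`scheme://host/path`), not the path alone, and `https://secret.bstein.dev/` does not match `^/$`. Anchor on the full URL instead, `regex: "^https://secret.bstein.dev/$"`, and likewise `regex: "^https://registry.bstein.dev/$"` in the zot middleware hunk, which has the same pattern. Separately, `permanent: true` makes this a 301 that browsers cache indefinitely, so a later change to the login URL would not reach returning users; a 302 (`permanent: false`) is the safer choice for a login entry point.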
@@ -8,7 +8,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd,zot-zot-login-redirect@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml
index cc76d5f..6549811 100644
--- a/services/zot/middleware.yaml
+++ b/services/zot/middleware.yaml
@@ -30,14 +30,10 @@ spec:
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
- name: zot-forward-auth
+ name: zot-login-redirect
 namespace: zot
 spec:
- forwardAuth:
- address: https://auth.bstein.dev/oauth2/auth
- trustForwardHeader: true
- authResponseHeaders:
- - Authorization
- - X-Auth-Request-Email
- - X-Auth-Request-User
- - X-Auth-Request-Groups
+ redirectRegex:
+ regex: "^/$"
+ replacement: "https://registry.bstein.dev/auth/login?provider=oidc&callback_ui=https://registry.bstein.dev/home"
+ permanent: true