From 27e5c9391c093ef08694205b1e310a566b2ada33 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 7 Dec 2025 10:25:44 -0300
Subject: [PATCH] auth: add namespace-local forward-auth middlewares
---
 infrastructure/longhorn/ui-ingress/ingress.yaml | 2 +-
 .../longhorn/ui-ingress/middleware.yaml | 17 +++++++++++++++++
 services/vault/ingress.yaml | 2 +-
 services/vault/middleware.yaml | 12 +++++++++---
 services/zot/ingress.yaml | 2 +-
 services/zot/middleware.yaml | 17 +++++++++++++++++
 6 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/infrastructure/longhorn/ui-ingress/ingress.yaml b/infrastructure/longhorn/ui-ingress/ingress.yaml
index e9905ba..8f55b82 100644
--- a/infrastructure/longhorn/ui-ingress/ingress.yaml
+++ b/infrastructure/longhorn/ui-ingress/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/infrastructure/longhorn/ui-ingress/middleware.yaml b/infrastructure/longhorn/ui-ingress/middleware.yaml
index c670cef..abc2a64 100644
--- a/infrastructure/longhorn/ui-ingress/middleware.yaml
+++ b/infrastructure/longhorn/ui-ingress/middleware.yaml
@@ -20,3 +20,20 @@ spec:
 headers:
 customRequestHeaders:
 X-Forwarded-Proto: "https"
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: longhorn-forward-auth
+ namespace: longhorn-system
+spec:
+ forwardAuth:
+ address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Authorization
+ - X-Auth-Request-Email
+ - X-Auth-Request-User
+ - X-Auth-Request-Groups
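Review bot: `trustForwardHeader: true` on the new `longhorn-forward-auth` middleware makes Traefik pass client-supplied `X-Forwarded-*` headers through to oauth2-proxy unchanged, so a caller arriving on the `websecure` entrypoint can choose the `X-Forwarded-Host`, `X-Forwarded-For` and `X-Forwarded-Proto` values the auth request is evaluated and logged with; unless Traefik itself sits behind another proxy whose addresses are configured as trusted on the entrypoint, this should be `trustForwardHeader: false` (or omitted) so Traefik derives those headers from the actual connection. The address is also the bare `/oauth2/auth` endpoint, which only confirms a session exists, so every account the IdP knows would reach the Longhorn UI (which does not appear to have any gate of its own other than this ingress chain); if oauth2-proxy is configured with a groups claim, narrow it with `address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth?allowed_groups=<longhorn-admin-group>`. A short comment above `trustForwardHeader`, such as `# Only safe when Traefik is behind a proxy listed in the entrypoint's forwardedHeaders.trustedIPs`, would stop the next copy of this block from inheriting the setting unexamined.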
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index fa43bc2..6115e38
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd
 traefik.ingress.kubernetes.io/service.serversscheme: https
 traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
 spec:
diff --git a/services/vault/middleware.yaml b/services/vault/middleware.yaml
index 0a41961..0f4388e 100644
--- a/services/vault/middleware.yaml
+++ b/services/vault/middleware.yaml
@@ -2,8 +2,14 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
- name: vault-basicauth
+ name: vault-forward-auth
 namespace: vault
 spec:
- basicAuth:
- secret: vault-basic-auth
+ forwardAuth:
+ address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Authorization
+ - X-Auth-Request-Email
+ - X-Auth-Request-User
+ - X-Auth-Request-Groups
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 10a0743..75ec998 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml
index 166b070..a7a294d 100644
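Review bot: The `- Authorization` entry in `authResponseHeaders` of the new `vault-forward-auth` middleware deserves a second look, because Vault accepts `Authorization: Bearer <token>` as an alternative to `X-Vault-Token`; if oauth2-proxy is configured to emit an Authorization header on its auth responses, Vault would be handed an OIDC ID token where it expects a Vault token, so either confirm oauth2-proxy does not set that header or drop `- Authorization` here and keep only the `X-Auth-Request-*` headers. Traefik replaces any incoming header named in `authResponseHeaders` with whatever the auth server returned, so a `vault` CLI or API client that sends its own `Authorization: Bearer` through this ingress loses it — worth confirming that only the browser UI is expected to come in via this route. The replaced `vault-basicauth` middleware pointed at the `vault-basic-auth` Secret, which this patch does not delete; if nothing else consumes it, remove it so stale credentials do not linger in the `vault` namespace. As with the other two copies, `trustForwardHeader: true` should stay only if Traefik is behind a proxy the entrypoint trusts, since otherwise clients can set the `X-Forwarded-*` values the auth request carries.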
--- a/services/zot/middleware.yaml
+++ b/services/zot/middleware.yaml
@@ -24,3 +24,20 @@ spec:
 - PUT
 - PATCH
 - DELETE
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: zot-forward-auth
+ namespace: zot
+spec:
+ forwardAuth:
+ address: http://oauth2-proxy.sso.svc.cluster.local:4180/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Authorization
+ - X-Auth-Request-Email
+ - X-Auth-Request-User
+ - X-Auth-Request-Groups
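Review bot: For a registry, `- Authorization` in `authResponseHeaders` of `zot-forward-auth` is the line to question: Traefik replaces the incoming `Authorization` header with whatever oauth2-proxy returns, so `docker`/`crane`/`skopeo` clients that authenticate to zot with their own Basic or Bearer credentials lose them at the ingress, and those clients cannot complete the cookie-based session that `/oauth2/auth` checks in the first place. Either oauth2-proxy is set up to validate client-presented bearer tokens and zot to trust the forwarded identity headers, or CLI pushes and pulls through this host will fail — and if the eventual workaround is a second router for `/v2/` without this middleware, that path needs its own authentication inside zot rather than being left open. The same caveat as the other copies applies to `trustForwardHeader: true`, which lets clients inject `X-Forwarded-*` values into the auth request unless Traefik is fronted by a trusted proxy. Since this block is now duplicated verbatim in three namespaces, a comment above `forwardAuth:` such as `# Keep in sync with infrastructure/longhorn/ui-ingress/middleware.yaml and services/vault/middleware.yaml` would make drift between the copies less likely.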