From 9dc3be6cde49393ef0d0d38a25d09fae91e13786 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 9 Dec 2025 23:17:45 -0300
Subject: [PATCH] zot: forward Authorization header to upstream
---
 services/vault/ingress.yaml | 7 +++++--
 services/zot/oauth2-proxy-zot.yaml | 1 +
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 8849cae..cbc0a74 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,7 +7,10 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.middlewares: vault-login-redirect@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+ traefik.ingress.kubernetes.io/service.serverstransport: vault-to-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
@@ -21,6 +24,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: oauth2-proxy-vault
+ name: vault
 port:
- number: 80
+ number: 8200
diff --git a/services/zot/oauth2-proxy-zot.yaml b/services/zot/oauth2-proxy-zot.yaml
index 81c7cb5..538deff 100644
--- a/services/zot/oauth2-proxy-zot.yaml
+++ b/services/zot/oauth2-proxy-zot.yaml
@@ -56,6 +56,7 @@ spec:
 - --set-xauthrequest=true
 - --pass-access-token=true
 - --set-authorization-header=true
+ - --pass-authorization-header=true
 - --cookie-secure=true
 - --cookie-samesite=lax
 - --cookie-refresh=20m
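Review bot: The two new `@kubernetescrd` references in the `services/vault/ingress.yaml` annotations point at a Middleware and a ServersTransport that this patch does not define, so what they enforce cannot be checked from the diff. Traefik reads such references as `<namespace>-<name>@kubernetescrd`, so `vault-login-redirect` and `vault-to-https` presumably mean `login-redirect` and `to-https` in the `vault` namespace; please confirm both objects exist under those names. For the transport, confirm it validates Vault's certificate (a `serverName` and trusted CA rather than `insecureSkipVerify: true`), because `service.serversscheme: https` only selects the scheme. A one-line comment above the annotations naming the two objects and their purpose would help the next reader.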
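Review bot: Switching the backend from `oauth2-proxy-vault:80` to `vault:8200` removes the OAuth2 proxy from the request path, so everything matched by this rule, Vault's HTTP API included, is served through the ingress with only Vault's own authentication in front of it. The commit subject mentions only zot, so this change is not recorded where someone auditing Vault exposure would look; it belongs in its own commit or at least in the description. A middleware named `login-redirect` sounds like a redirect rather than an access check, so if SSO gating is still wanted it would need a forward-auth middleware or the proxy kept as the backend. The rule's host and path lines lie outside the hunk, so the exact scope of what is exposed is not visible here.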
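Review bot: The added `--pass-authorization-header=true` makes oauth2-proxy send the user's OIDC ID token to zot as `Authorization: Bearer ...`, and nothing in this hunk shows that zot is configured to verify it. Together with the existing `--pass-access-token=true`, the upstream now receives both tokens on every request, so zot should check issuer, audience and signature, and its access logs should not record request headers. It is also worth confirming the proxy-to-zot hop stays inside the cluster or uses TLS, since the upstream URL is outside the hunk. I would add a comment above the flag, for example `# ID token is forwarded to zot as a Bearer token; zot must validate issuer and audience`.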