services/vault/ingress.yaml

@@ -7,7 +7,9 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: traefik
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
-    traefik.ingress.kubernetes.io/router.middlewares: ""
+    traefik.ingress.kubernetes.io/router.middlewares: vault-vault-basicauth@kubernetescrd
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+    traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:
@@ -21,6 +23,6 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: oauth2-proxy-vault
+                name: vault-ui
                 port:
-                  number: 80
+                  number: 8200

services/vault/kustomization.yaml

@@ -9,4 +9,3 @@ resources:
   - ingress.yaml
   - middleware.yaml
   - serverstransport.yaml
-  - oauth2-proxy-vault.yaml

services/vault/middleware.yaml

@@ -2,14 +2,8 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: vault-forward-auth
+  name: vault-basicauth
   namespace: vault
 spec:
-  forwardAuth:
+  basicAuth:
-    address: https://auth.bstein.dev/oauth2/auth
+    secret: vault-basic-auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - Authorization
-      - X-Auth-Request-Email
-      - X-Auth-Request-User
-      - X-Auth-Request-Groups

services/vault/oauth2-proxy-vault.yaml

@@ -1,102 +0,0 @@
-# services/vault/oauth2-proxy-vault.yaml
-apiVersion: v1
-kind: Service
-metadata:
-  name: oauth2-proxy-vault
-  labels:
-    app: oauth2-proxy-vault
-spec:
-  ports:
-    - name: http
-      port: 80
-      targetPort: 4180
-  selector:
-    app: oauth2-proxy-vault
-
----
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: oauth2-proxy-vault
-  labels:
-    app: oauth2-proxy-vault
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      app: oauth2-proxy-vault
-  template:
-    metadata:
-      labels:
-        app: oauth2-proxy-vault
-    spec:
-      nodeSelector:
-        node-role.kubernetes.io/worker: "true"
-      affinity:
-        nodeAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 80
-              preference:
-                matchExpressions:
-                  - key: kubernetes.io/arch
-                    operator: In
-                    values:
-                      - arm64
-                      - arm
-      containers:
-        - name: oauth2-proxy
-          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
-          args:
-            - --provider=oidc
-            - --redirect-url=https://secret.bstein.dev/oauth2/callback
-            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
-            - --scope=openid profile email groups
-            - --email-domain=*
-            - --set-xauthrequest=true
-            - --pass-access-token=true
-            - --set-authorization-header=true
-            - --cookie-secure=true
-            - --cookie-samesite=lax
-            - --cookie-refresh=20m
-            - --cookie-expire=168h
-            - --insecure-oidc-allow-unverified-email=true
-            - --upstream=https://vault-ui.vault.svc.cluster.local:8200
-            - --ssl-insecure-skip-verify=true
-            - --http-address=0.0.0.0:4180
-            - --skip-provider-button=true
-            - --skip-jwt-bearer-tokens=true
-            - --oidc-groups-claim=groups
-            - --allowed-group=admin
-            - --cookie-domain=secret.bstein.dev
-          env:
-            - name: OAUTH2_PROXY_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-vault-oidc
-                  key: client_id
-            - name: OAUTH2_PROXY_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-vault-oidc
-                  key: client_secret
-            - name: OAUTH2_PROXY_COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oauth2-proxy-vault-oidc
-                  key: cookie_secret
-          ports:
-            - containerPort: 4180
-              name: http
-          readinessProbe:
-            httpGet:
-              path: /ping
-              port: 4180
-            initialDelaySeconds: 5
-            periodSeconds: 10
-          livenessProbe:
-            httpGet:
-              path: /ping
-              port: 4180
-            initialDelaySeconds: 20
-            periodSeconds: 20

services/zot/ingress.yaml

@@ -8,7 +8,7 @@ metadata:
     cert-manager.io/cluster-issuer: letsencrypt-prod
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
-    traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

services/zot/middleware.yaml

@@ -24,20 +24,3 @@ spec:
       - PUT
       - PATCH
       - DELETE
-
----
-
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: zot-forward-auth
-  namespace: zot
-spec:
-  forwardAuth:
-    address: https://auth.bstein.dev/oauth2/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - Authorization
-      - X-Auth-Request-Email
-      - X-Auth-Request-User
-      - X-Auth-Request-Groups