# services/logging/oauth2-proxy.yaml apiVersion: v1 kind: Service metadata: name: oauth2-proxy-loki namespace: logging labels: app: oauth2-proxy-loki spec: ports: - name: http port: 80 targetPort: 4180 selector: app: oauth2-proxy-loki --- apiVersion: apps/v1 kind: Deployment metadata: name: oauth2-proxy-loki namespace: logging labels: app: oauth2-proxy-loki spec: replicas: 2 selector: matchLabels: app: oauth2-proxy-loki template: metadata: labels: app: oauth2-proxy-loki spec: nodeSelector: node-role.kubernetes.io/worker: "true" affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: hardware operator: In values: - rpi5 - rpi4 containers: - name: oauth2-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 imagePullPolicy: IfNotPresent args: - --provider=oidc - --redirect-url=https://logs.bstein.dev/oauth2/callback - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - --scope=openid profile email - --email-domain=* - --set-xauthrequest=true - --pass-access-token=true - --set-authorization-header=true - --cookie-secure=true - --cookie-samesite=lax - --cookie-refresh=20m - --cookie-expire=168h - --insecure-oidc-allow-unverified-email=true - --upstream=http://loki-gateway.logging.svc.cluster.local - --http-address=0.0.0.0:4180 - --skip-provider-button=true - --skip-jwt-bearer-tokens=true - --cookie-domain=logs.bstein.dev env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: name: oauth2-proxy-loki-oidc key: client_id - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: name: oauth2-proxy-loki-oidc key: client_secret - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: name: oauth2-proxy-loki-oidc key: cookie_secret ports: - containerPort: 4180 name: http readinessProbe: httpGet: path: /ping port: 4180 initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: httpGet: path: /ping port: 4180 initialDelaySeconds: 20 periodSeconds: 20