# services/zot/oauth2-proxy-zot.yaml apiVersion: v1 kind: Service metadata: name: oauth2-proxy-zot labels: app: oauth2-proxy-zot spec: ports: - name: http port: 80 targetPort: 4180 selector: app: oauth2-proxy-zot --- apiVersion: apps/v1 kind: Deployment metadata: name: oauth2-proxy-zot labels: app: oauth2-proxy-zot spec: replicas: 2 selector: matchLabels: app: oauth2-proxy-zot template: metadata: labels: app: oauth2-proxy-zot spec: nodeSelector: node-role.kubernetes.io/worker: "true" affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 80 preference: matchExpressions: - key: kubernetes.io/arch operator: In values: - arm64 - arm containers: - name: oauth2-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 args: - --provider=oidc - --redirect-url=https://registry.bstein.dev/oauth2/callback - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas - --scope=openid profile email groups - --email-domain=* - --set-xauthrequest=true - --pass-access-token=true - --set-authorization-header=true - --pass-authorization-header=true - --cookie-secure=true - --cookie-samesite=lax - --cookie-refresh=20m - --cookie-expire=168h - --insecure-oidc-allow-unverified-email=true - --upstream=http://zot.zot.svc.cluster.local:5000 - --http-address=0.0.0.0:4180 - --skip-provider-button=true - --skip-jwt-bearer-tokens=true - --oidc-groups-claim=groups - --allowed-group=admin - --allowed-group=image-pusher - --cookie-domain=registry.bstein.dev env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: name: oauth2-proxy-zot-oidc key: client_id - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: name: oauth2-proxy-zot-oidc key: client_secret - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: name: oauth2-proxy-zot-oidc key: cookie_secret ports: - containerPort: 4180 name: http readinessProbe: httpGet: path: /ping port: 4180 initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: httpGet: path: /ping port: 4180 initialDelaySeconds: 20 periodSeconds: 20