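# services/zot/oauth2-proxy-deployment.yaml
#
# oauth2-proxy in front of the zot registry UI (upstream http://zot:5000),
# authenticating browser sessions against the "atlas" Keycloak realm at
# sso.bstein.dev over OIDC. Identity reaches the upstream only through the
# X-Auth-Request-* headers (--set-xauthrequest=true); the IdP's access and
# ID tokens are deliberately not forwarded.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zot-oauth2-proxy
  namespace: zot
  labels:
    app: zot-oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zot-oauth2-proxy
  template:
    metadata:
      labels:
        app: zot-oauth2-proxy
    spec:
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          # Soft preference for the Raspberry Pi workers; scheduling still
          # succeeds on any other worker if none is available.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4", "rpi5"]
      # Pod-level hardening: the upstream image runs as an unprivileged user,
      # so refuse to start as root and use the runtime's default seccomp profile.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: oauth2-proxy
          # Pinned to a release tag. Pinning by digest (@sha256:<digest>) would
          # additionally guarantee that a re-tagged image cannot change what is
          # deployed.
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          imagePullPolicy: IfNotPresent
          # Container-level hardening; oauth2-proxy needs no capabilities and
          # does not write to its root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          args:
            - --provider=oidc
            - --redirect-url=https://web.registry.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
            - --scope=openid profile email
            # Any verified email from the realm is accepted, so authorization is
            # delegated entirely to who can hold an account in the "atlas"
            # realm. Narrow this (--email-domain, --allowed-group) if the realm
            # is shared with other audiences.
            - --email-domain=*
            - --cookie-domain=web.registry.bstein.dev
            - --cookie-name=_zot_ui_oauth
            # Forward identity as X-Auth-Request-* headers only; never hand the
            # IdP's tokens to the upstream.
            - --set-xauthrequest=true
            - --set-authorization-header=false
            - --pass-authorization-header=false
            - --pass-access-token=false
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --cookie-refresh=20m
            - --cookie-expire=168h
            - --upstream=http://zot:5000
            - --http-address=0.0.0.0:4180
            - --skip-provider-button=true
            # Also accept an "Authorization: Bearer <JWT>" issued by the OIDC
            # issuer above in place of the session cookie (non-browser clients).
            - --skip-jwt-bearer-tokens=true
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: zot-oidc
                  key: client_id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: zot-oidc
                  key: client_secret
            # NOTE(review): the cookie signing/encryption secret is the same
            # value as the OIDC client secret. oauth2-proxy requires it to be
            # 16, 24 or 32 bytes (AES key size), and reusing it means a leak of
            # either value compromises both. Point this at a dedicated key in
            # the zot-oidc Secret (<cookie-secret-key>, to be added) instead.
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: zot-oidc
                  key: client_secret
          ports:
            - containerPort: 4180
              name: http
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 20
            periodSeconds: 20
          # Requests only (Burstable QoS); add limits if the namespace has no
          # LimitRange that supplies defaults.
          resources:
            requests:
              cpu: "25m"
              memory: "64Mi"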