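# services/openclaw/oauth2-proxy-agent.yaml
#
# oauth2-proxy in front of the OpenClaw agent UI: terminates the OIDC login
# (Keycloak realm "atlas"), gates access on group membership and forwards
# authenticated requests to the openclaw Service. OIDC client credentials and
# the cookie secret are rendered by the Vault Agent injector into
# /vault/secrets/oidc-config at pod start, so no secret material lives in this
# manifest.
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy-agent
  namespace: openclaw
  labels:
    app: oauth2-proxy-agent
spec:
  ports:
    # Ingress talks to port 80; the container listens on 4180 (see --http-address).
    - name: http
      port: 80
      targetPort: 4180
  selector:
    app: oauth2-proxy-agent
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-agent
  namespace: openclaw
  labels:
    app: oauth2-proxy-agent
spec:
  replicas: 2
  selector:
    matchLabels:
      app: oauth2-proxy-agent
  template:
    metadata:
      labels:
        app: oauth2-proxy-agent
      annotations:
        # Vault Agent sidecar injection; the "openclaw" Vault role must be bound
        # to the agent-vault ServiceAccount below for the read to succeed.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "openclaw"
        vault.hashicorp.com/agent-inject-secret-oidc-config: "kv/data/atlas/openclaw/agent-oidc"
        # Rendered as an oauth2-proxy config file (consumed via --config).
        vault.hashicorp.com/agent-inject-template-oidc-config: |
          {{- with secret "kv/data/atlas/openclaw/agent-oidc" -}}
          client_id = "{{ .Data.data.client_id }}"
          client_secret = "{{ .Data.data.client_secret }}"
          cookie_secret = "{{ .Data.data.cookie_secret }}"
          {{- end -}}
    spec:
      serviceAccountName: agent-vault
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          # Image is only pulled for arm64 nodes; prefer non-spillover rpi5, then rpi4.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: atlas.bstein.dev/spillover
                    operator: DoesNotExist
            - weight: 90
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      topologySpreadConstraints:
        # Spread the two replicas across nodes when possible.
        - maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app: oauth2-proxy-agent
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          imagePullPolicy: IfNotPresent
          # Least-privilege container hardening: the proxy is a static Go binary
          # listening on an unprivileged port and needs no capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          args:
            - --provider=oidc
            # client_id / client_secret / cookie_secret come from the Vault-rendered file.
            - --config=/vault/secrets/oidc-config
            - --redirect-url=https://agent.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
            - --scope=openid profile email groups
            # Any email domain is accepted; authorization is enforced solely by
            # the --allowed-group checks below, so keep those in sync with the realm.
            - --email-domain=*
            # Both bare and slash-prefixed forms are listed; presumably the realm
            # emits path-style group names — confirm against the token's groups claim.
            - --allowed-group=admin
            - --allowed-group=/admin
            - --allowed-group=dev
            - --allowed-group=/dev
            # Identity and tokens are forwarded to the upstream (X-Auth-Request-*
            # and Authorization headers); the upstream must only be reachable
            # through this proxy for that to be trustworthy.
            - --set-xauthrequest=true
            - --pass-access-token=true
            - --set-authorization-header=true
            # Trusts X-Forwarded-* from the ingress; only safe because 4180 is not
            # exposed outside the cluster.
            - --reverse-proxy=true
            - --cookie-name=_oauth2_proxy_agent
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --cookie-csrf-per-request=true
            - --cookie-refresh=20m
            - --cookie-expire=168h
            # Deliberate: accepts identities whose email_verified claim is false/absent.
            # Access is still gated by group membership; revisit if the realm
            # starts verifying emails.
            - --insecure-oidc-allow-unverified-email=true
            - --upstream=http://openclaw.openclaw.svc.cluster.local:18789
            - --http-address=0.0.0.0:4180
            - --skip-provider-button=true
            - --approval-prompt=auto
            # Also accepts Authorization: Bearer JWTs issued by the realm (for
            # non-browser clients) in addition to the cookie session; confirm the
            # audience restriction on those tokens matches the intended clients.
            - --skip-jwt-bearer-tokens=true
            - --oidc-groups-claim=groups
            - --cookie-domain=agent.bstein.dev
          ports:
            - containerPort: 4180
              name: http
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 20
            periodSeconds: 20
          resources:
            requests:
              cpu: 25m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 256Mi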