
# services/quality/oauth2-proxy-sonarqube.yaml
#
# Cluster-internal Service in front of the oauth2-proxy pods that gate
# SonarQube. Port 80 is plain HTTP inside the cluster; TLS termination and
# the public hostname (quality.bstein.dev, see --redirect-url in the
# Deployment below) are expected to be handled by an ingress that is not
# part of this file.
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy-sonarqube
  namespace: quality
  labels:
    app: oauth2-proxy-sonarqube
spec:
  # Explicit ClusterIP: the proxy must only be reachable through the ingress,
  # never directly via NodePort/LoadBalancer.
  type: ClusterIP
  selector:
    app: oauth2-proxy-sonarqube
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 4180
---
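# oauth2-proxy Deployment guarding SonarQube with OIDC (Keycloak realm
# "atlas"). Authorization is group based (--allowed-group); the secrets the
# proxy needs (client id/secret, cookie secret) are rendered at runtime by
# the Vault Agent injector and never appear in this manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-sonarqube
  namespace: quality
  labels:
    app: oauth2-proxy-sonarqube
spec:
  replicas: 2
  selector:
    matchLabels:
      app: oauth2-proxy-sonarqube
  template:
    metadata:
      labels:
        app: oauth2-proxy-sonarqube
      annotations:
        # Vault Agent renders a TOML file at /vault/secrets/oidc-config
        # (consumed via --config below). Both replicas read the same
        # cookie_secret, which is required for a session cookie issued by one
        # pod to be accepted by the other.
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "quality"
        vault.hashicorp.com/agent-inject-secret-oidc-config: "kv/data/atlas/quality/sonarqube-oidc"
        vault.hashicorp.com/agent-inject-template-oidc-config: |
          {{- with secret "kv/data/atlas/quality/sonarqube-oidc" -}}
          client_id = "{{ .Data.data.client_id }}"
          client_secret = "{{ .Data.data.client_secret }}"
          cookie_secret = "{{ .Data.data.cookie_secret }}"
          {{- end -}}
    spec:
      # NOTE(review): the SA name suggests it is shared with a Vault sync
      # workload. The proxy only needs the Vault role binding for "quality";
      # if this SA also carries Kubernetes RBAC (e.g. write access to
      # Secrets), the internet-facing proxy inherits it — confirm against the
      # SA's RoleBindings and split it out if so.
      serviceAccountName: quality-vault-sync
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values: ["arm64"]
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
          # Redundant with the required hardware=rpi5 term above; kept so the
          # scheduling stanza matches the other services in this tree.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
        # With two replicas, prefer different nodes so a single node outage
        # does not take the SonarQube login path down.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: oauth2-proxy-sonarqube
                topologyKey: kubernetes.io/hostname
      containers:
        - name: oauth2-proxy
          # NOTE(review): tag-pinned only. Pin to the image digest
          # (image@sha256:...) so a re-pushed tag cannot change what runs here.
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
          imagePullPolicy: IfNotPresent
          # Hardening scoped to this container only, so the injected
          # vault-agent sidecar keeps its own defaults. The proxy writes
          # nothing to disk (its only file input is the Vault-mounted config),
          # so the root filesystem can be read-only. runAsNonRoot assumes the
          # upstream image declares a non-root USER — if the pod fails with
          # CreateContainerConfigError, set runAsUser explicitly instead.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          args:
            - --provider=oidc
            # client_id / client_secret / cookie_secret come from here.
            - --config=/vault/secrets/oidc-config
            - --redirect-url=https://quality.bstein.dev/oauth2/callback
            - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
            - --scope=openid profile email groups
            # Any email domain is accepted; access control is done purely by
            # the group allowlist below, not by email.
            - --email-domain=*
            # Both bare and path-qualified forms are listed because the shape
            # of the groups claim depends on the IdP's group mapper ("admin"
            # vs "/admin"). Remove whichever form the realm does not emit.
            - --allowed-group=admin
            - --allowed-group=/admin
            - --allowed-group=dev
            - --allowed-group=/dev
            # Forward identity to SonarQube: X-Auth-Request-* headers, the
            # access token (X-Forwarded-Access-Token) and an Authorization
            # bearer header. The upstream therefore receives the user's tokens;
            # keep these only if SonarQube's header-based SSO actually consumes
            # them — otherwise drop the two token-forwarding flags.
            - --set-xauthrequest=true
            - --pass-access-token=true
            - --set-authorization-header=true
            - --cookie-secure=true
            # Lax (not Strict) is required so the cookie survives the
            # cross-site redirect back from the IdP on /oauth2/callback.
            - --cookie-samesite=lax
            # Sessions live up to 7 days; tokens are refreshed every 20m, which
            # is also when revoked/changed group membership takes effect.
            - --cookie-refresh=20m
            - --cookie-expire=168h
            # WARNING: accepts accounts whose email the IdP has not verified.
            # Safe only because authorization is group based (see above), but
            # it also weakens the identity forwarded to SonarQube. Prefer
            # enforcing email verification in the realm and removing this flag.
            - --insecure-oidc-allow-unverified-email=true
            - --upstream=http://sonarqube.quality.svc.cluster.local:9000
            - --http-address=0.0.0.0:4180
            - --skip-provider-button=true
            - --approval-prompt=auto
            # Lets API clients authenticate with a bearer JWT from the same
            # issuer instead of a session cookie. Such tokens are still
            # validated against the issuer and must carry this client as
            # audience; the group allowlist applies to them as well.
            - --skip-jwt-bearer-tokens=true
            - --oidc-groups-claim=groups
            - --cookie-domain=quality.bstein.dev
          ports:
            - containerPort: 4180
              name: http
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 20
            periodSeconds: 20
          resources:
            requests:
              cpu: 25m
              memory: 64Mi
            limits:
              cpu: 250m
              memory: 256Mi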