From 437c94f2e1dbda5a1ca0fadf004d5f35d7ccd419 Mon Sep 17 00:00:00 2001
From: Jan Novak
Date: Mon, 5 Jan 2026 22:19:31 +0100
Subject: [PATCH] gitops: add oauth-proxy + some changes in plane helmrelease

---
 .../flux-system/extra-kustomizations.yaml | 13 +++++
 .../oauth-proxy/helmrelease.yaml | 57 +++++++++++++++++++
 .../oauth-proxy/helmrepository.yaml | 8 +++
 .../oauth-proxy/namespace.yaml | 4 ++
 .../home-kubernetes/oauth-proxy/secret.yaml | 11 ++++
 gitops/home-kubernetes/plane/helmrelease.yaml | 2 +-
 6 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 gitops/home-kubernetes/oauth-proxy/helmrelease.yaml
 create mode 100644 gitops/home-kubernetes/oauth-proxy/helmrepository.yaml
 create mode 100644 gitops/home-kubernetes/oauth-proxy/namespace.yaml
 create mode 100644 gitops/home-kubernetes/oauth-proxy/secret.yaml

diff --git a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
index 24c7e03..d07677e 100644
--- a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
+++ b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml
@@ -40,6 +40,19 @@ spec:
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: oauth2-proxy
+  namespace: flux-system
+spec:
+  interval: 10m0s
+  path: ./gitops/home-kubernetes/oauth2-proxy
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: podinfo
   namespace: flux-system
diff --git a/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml b/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml
new file mode 100644
index 0000000..fde01d2
--- /dev/null
+++ b/gitops/home-kubernetes/oauth-proxy/helmrelease.yaml
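Review bot: The new Kustomization's `path: ./gitops/home-kubernetes/oauth2-proxy` does not match where this commit actually puts the manifests — every `create mode` line and file header uses `gitops/home-kubernetes/oauth-proxy/` — so the kustomize-controller will report the path as not found and none of the oauth2-proxy objects (Namespace, HelmRepository, HelmRelease, Secret placeholder) will ever be applied, while the Kustomization shows as failed. Change the line to `path: ./gitops/home-kubernetes/oauth-proxy`, or rename the directory to `oauth2-proxy` so it matches the release, repository and namespace names the other files use. Since everything this Kustomization creates is the cluster's SSO gateway, also consider `wait: true` with a `timeout` so its Ready condition reflects whether the HelmRelease actually came up rather than just whether the YAML applied.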
@@ -0,0 +1,57 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: oauth2-proxy
+  namespace: oauth2-proxy
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: oauth2-proxy
+      version: ">=7.0.0 <8.0.0"
+      sourceRef:
+        kind: HelmRepository
+        name: oauth2-proxy
+        namespace: oauth2-proxy
+      interval: 12h
+  values:
+    replicaCount: 2
+
+    config:
+      existingSecret: oauth2-proxy-secrets
+      configFile: |-
+        provider = "oidc"
+        oidc_issuer_url = "https://idm.home.hrajfrisbee.cz/oauth2/openid/oauth2-proxy"
+        email_domains = ["*"]
+        cookie_secure = true
+        cookie_domains = [".lab.home.hrajfrisbee.cz"]
+        whitelist_domains = [".lab.home.hrajfrisbee.cz"]
+        set_xauthrequest = true
+        set_authorization_header = true
+        pass_access_token = true
+        skip_provider_button = true
+        upstreams = ["static://202"]
+
+    extraArgs:
+      - --reverse-proxy=true
+
+    ingress:
+      enabled: true
+      className: nginx
+      hosts:
+        - oauth2-proxy.lab.home.hrajfrisbee.cz
+      tls:
+        - secretName: oauth2-proxy-tls
+          hosts:
+            - oauth2-proxy.lab.home.hrajfrisbee.cz
+
+    resources:
+      limits:
+        memory: 128Mi
+      requests:
+        cpu: 10m
+        memory: 64Mi
+
+    podDisruptionBudget:
+      enabled: true
+      minAvailable: 1
diff --git a/gitops/home-kubernetes/oauth-proxy/helmrepository.yaml b/gitops/home-kubernetes/oauth-proxy/helmrepository.yaml
new file mode 100644
index 0000000..daca8f7
--- /dev/null
+++ b/gitops/home-kubernetes/oauth-proxy/helmrepository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: oauth2-proxy
+  namespace: oauth2-proxy
+spec:
+  interval: 1h
+  url: https://oauth2-proxy.github.io/manifests
\ No newline at end of file
diff --git a/gitops/home-kubernetes/oauth-proxy/namespace.yaml b/gitops/home-kubernetes/oauth-proxy/namespace.yaml
new file mode 100644
index 0000000..5a738cf
--- /dev/null
+++ b/gitops/home-kubernetes/oauth-proxy/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: oauth2-proxy
\ No newline at end of file
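Review bot: `email_domains = ["*"]` in `configFile` admits any identity the issuer at `idm.home.hrajfrisbee.cz` will authenticate to every app protected by this proxy, so authorization rests entirely on whatever client-level restriction the IdP applies to the `oauth2-proxy` client; if that is not enforced on the IdP side, add `allowed_groups = ["<group>"]` together with a `scope` that requests the groups claim so the proxy checks membership itself. `set_authorization_header = true` and `pass_access_token = true` return the ID token and access token in the `auth_request` response headers (`Authorization`, `X-Auth-Request-Access-Token`), and any nginx location that copies them through hands a replayable bearer token to that app — keep only `set_xauthrequest = true` unless an upstream actually consumes the tokens. The chart constraint `version: ">=7.0.0 <8.0.0"` lets Flux roll any new 7.x release into the cluster's authentication gateway without review; pin an exact chart version and bump it deliberately. Finally, the ingress carries no `cert-manager.io/cluster-issuer` annotation, so `oauth2-proxy-tls` is presumably issued elsewhere — confirm, otherwise the host serves the ingress default certificate.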
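Review bot: The Namespace is created without Pod Security Admission labels, so its pods are admitted at whatever the cluster-wide PSA default is (usually `privileged`); since this namespace hosts the SSO gateway every other lab app trusts, add `pod-security.kubernetes.io/enforce: restricted` (and `warn`/`audit` at the same level) under `metadata.labels`. The oauth2-proxy chart's default securityContext is, as far as I know, restricted-compatible, but verify against the chart version Flux actually resolves before enforcing so the release does not get rejected at admission.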
diff --git a/gitops/home-kubernetes/oauth-proxy/secret.yaml b/gitops/home-kubernetes/oauth-proxy/secret.yaml
new file mode 100644
index 0000000..04a547f
--- /dev/null
+++ b/gitops/home-kubernetes/oauth-proxy/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oauth2-proxy-secrets
+  namespace: oauth2-proxy
+  annotations:
+    kustomize.toolkit.fluxcd.io/reconcile: disabled
+stringData:
+  client-id: oauth2-proxy
+  client-secret:
+  cookie-secret:
\ No newline at end of file
diff --git a/gitops/home-kubernetes/plane/helmrelease.yaml b/gitops/home-kubernetes/plane/helmrelease.yaml
index cf022c8..7bf0941 100644
--- a/gitops/home-kubernetes/plane/helmrelease.yaml
+++ b/gitops/home-kubernetes/plane/helmrelease.yaml
@@ -132,4 +132,4 @@ spec:
     issuer: letsencrypt-prod
     # email: admin@example.com
     # server: https://acme-v02.api.letsencrypt.org/directory
-    # tls_secret_name: plane-tls # if using existing cert
\ No newline at end of file
+    tls_secret_name: plane-tls # if using existing cert
\ No newline at end of file
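Review bot: The `kustomize.toolkit.fluxcd.io/reconcile: disabled` annotation makes the kustomize-controller skip this object during apply, so the empty `client-secret:` / `cookie-secret:` placeholders are never written and the real Secret has to be created by hand — the credentials the whole SSO gateway depends on end up unversioned, unauditable and prone to silent drift (a cluster rebuild leaves the HelmRelease waiting on a Secret that does not exist). Prefer a declarative encrypted secret: commit it SOPS-encrypted (age or KMS) and set `spec.decryption` on the `oauth2-proxy` Kustomization, or source it through ExternalSecrets/SealedSecrets, and drop the annotation. If the placeholder is kept, write the empty values explicitly as `client-secret: ""` and `cookie-secret: ""` — a bare `key:` is YAML null, not an empty string — and add a comment that `cookie-secret` must be 16, 24 or 32 random bytes (e.g. `openssl rand -base64 32 | tr -- '+/' '-_'`), since oauth2-proxy refuses to start otherwise. The chart's `config.existingSecret` looks up exactly these three key names, so they must stay in sync with the HelmRelease.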