kube-cascade/frigate/oauth2-proxy.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy
  namespace: frigate
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: oauth2-proxy
    spec:
      initContainers:
      - name: password-creator
        image: httpd:alpine3.19
        command:
        - /usr/local/apache2/bin/htpasswd
        - -Bbc
        - /xfr/htpasswd
        - "$(OIDC_BYPASS_USERNAME)"
        - "$(OIDC_BYPASS_PASSWORD)"
        envFrom:
        - secretRef:
            name: oidc-bypass-user
        volumeMounts:
        - name: htpasswd-xfr
          mountPath: /xfr
      containers:
      - name: oauth2-proxy-http
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
        imagePullPolicy: IfNotPresent
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oidc-client
              key: client_id
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oidc-client
              key: client_secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: cookie_secret
        - name: OAUTH2_PROXY_UPSTREAMS
          value: http://frigate:5000
        args:
        - --http-address=0.0.0.0:4180
        - --whitelist-domain=strudelline.net:*
        - --whitelist-domain=.strudelline.net:*
        - --cookie-domain=strudelline.net
        - --email-domain=werts.us
        - --email-domain=strudelline.net
        - --email-domain=andariese.net
        - --cookie-secure
        - --skip-provider-button
        - --htpasswd-file=/xfr/htpasswd
        - --set-xauthrequest
        - --provider=oidc
        - --oidc-issuer-url=https://auth.werts.us/realms/werts
        - --trusted-ip=172.16.0.0/16
        - --cookie-csrf-per-request
        volumeMounts:
        - name: htpasswd-xfr
          mountPath: /xfr
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        ports:
        - containerPort: 4180
          name: http
          protocol: TCP
      - name: oauth2-proxy-https
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
        imagePullPolicy: IfNotPresent
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oidc-client
              key: client_id
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oidc-client
              key: client_secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: cookie_secret
        - name: OAUTH2_PROXY_UPSTREAMS
          value: http://frigate:5000
        args:
        - --https-address=0.0.0.0:4443
        - --tls-cert-file=/certs/tls.crt
        - --tls-key-file=/certs/tls.key
        - --whitelist-domain=strudelline.net:*
        - --whitelist-domain=.strudelline.net:*
        - --cookie-domain=strudelline.net
        - --email-domain=werts.us
        - --email-domain=strudelline.net
        - --email-domain=andariese.net
        - --cookie-secure
        - --skip-provider-button
        - --htpasswd-file=/xfr/htpasswd
        - --set-xauthrequest
        - --provider=oidc
        - --oidc-issuer-url=https://auth.werts.us/realms/werts
        - --trusted-ip=172.16.0.0/16
        - --skip-auth-route=/api/version
        - --cookie-csrf-per-request
        volumeMounts:
        - name: htpasswd-xfr
          mountPath: /xfr
        - name: certs
          mountPath: /certs
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: https
            scheme: HTTPS
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
      volumes:
      - name: htpasswd-xfr
        emptyDir:
          medium: Memory
          sizeLimit: 5Mi
      - name: certs
        secret:
          secretName: wildcard-tls
      terminationGracePeriodSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: oauth2-proxy
  annotations:
    metallb.universe.tf/allow-shared-ip: 172.16.17.33
    metallb.universe.tf/loadBalancerIPs: 172.16.17.33
  name: oauth2-proxy
  namespace: frigate
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
  - name: http-redirect
    port: 80
    protocol: TCP
    targetPort: 4180
  - name: https-frigate
    port: 443
    protocol: TCP
    targetPort: 4443
  - name: http-frigate
    port: 5000
    protocol: TCP
    targetPort: 4180
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    app: oauth2-proxy
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: frigate
    app.kubernetes.io/name: frigate
  annotations:
    metallb.universe.tf/allow-shared-ip: 172.16.17.33
    metallb.universe.tf/loadBalancerIPs: 172.16.17.33
  name: frigate-lb
  namespace: frigate
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
  - name: rtmp
    port: 1935
    protocol: TCP
    targetPort: 1935
  - name: restream
    port: 8554
    protocol: TCP
    targetPort: 8554
  selector:
    app.kubernetes.io/instance: frigate
    app.kubernetes.io/name: frigate
true it on up y'all 2023-12-20 22:40:16 +00:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`labels:`
			`app: oauth2-proxy`
			`name: oauth2-proxy`
			`namespace: frigate`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: oauth2-proxy`
			`strategy:`
			`rollingUpdate:`
			`maxSurge: 25%`
			`maxUnavailable: 25%`
			`type: RollingUpdate`
			`template:`
			`metadata:`
			`creationTimestamp: null`
			`labels:`
			`app: oauth2-proxy`
			`spec:`
			`initContainers:`
			`- name: password-creator`
			`image: httpd:alpine3.19`
			`command:`
			`- /usr/local/apache2/bin/htpasswd`
			`- -Bbc`
			`- /xfr/htpasswd`
			`- "$(OIDC_BYPASS_USERNAME)"`
			`- "$(OIDC_BYPASS_PASSWORD)"`
			`envFrom:`
			`- secretRef:`
			`name: oidc-bypass-user`
			`volumeMounts:`
			`- name: htpasswd-xfr`
			`mountPath: /xfr`
			`containers:`
			`- name: oauth2-proxy-http`
			`image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0`
			`imagePullPolicy: IfNotPresent`
			`env:`
			`- name: OAUTH2_PROXY_CLIENT_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: oidc-client`
			`key: client_id`
			`- name: OAUTH2_PROXY_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: oidc-client`
			`key: client_secret`
			`- name: OAUTH2_PROXY_COOKIE_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: oauth2-proxy`
			`key: cookie_secret`
			`- name: OAUTH2_PROXY_UPSTREAMS`
			`value: http://frigate:5000`
			`args:`
			`- --http-address=0.0.0.0:4180`
			`- --whitelist-domain=strudelline.net:*`
			`- --whitelist-domain=.strudelline.net:*`
			`- --cookie-domain=strudelline.net`
			`- --email-domain=werts.us`
			`- --email-domain=strudelline.net`
			`- --email-domain=andariese.net`
			`- --cookie-secure`
			`- --skip-provider-button`
			`- --htpasswd-file=/xfr/htpasswd`
			`- --set-xauthrequest`
			`- --provider=oidc`
			`- --oidc-issuer-url=https://auth.werts.us/realms/werts`
			`- --trusted-ip=172.16.0.0/16`
			`- --cookie-csrf-per-request`
			`volumeMounts:`
			`- name: htpasswd-xfr`
			`mountPath: /xfr`
			`livenessProbe:`
			`failureThreshold: 3`
			`httpGet:`
			`path: /ping`
			`port: http`
			`scheme: HTTP`
			`periodSeconds: 10`
			`successThreshold: 1`
			`timeoutSeconds: 1`
			`ports:`
			`- containerPort: 4180`
			`name: http`
			`protocol: TCP`
			`- name: oauth2-proxy-https`
			`image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0`
			`imagePullPolicy: IfNotPresent`
			`env:`
			`- name: OAUTH2_PROXY_CLIENT_ID`
			`valueFrom:`
			`secretKeyRef:`
			`name: oidc-client`
			`key: client_id`
			`- name: OAUTH2_PROXY_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: oidc-client`
			`key: client_secret`
			`- name: OAUTH2_PROXY_COOKIE_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: oauth2-proxy`
			`key: cookie_secret`
			`- name: OAUTH2_PROXY_UPSTREAMS`
			`value: http://frigate:5000`
			`args:`
			`- --https-address=0.0.0.0:4443`
			`- --tls-cert-file=/certs/tls.crt`
			`- --tls-key-file=/certs/tls.key`
			`- --whitelist-domain=strudelline.net:*`
			`- --whitelist-domain=.strudelline.net:*`
			`- --cookie-domain=strudelline.net`
			`- --email-domain=werts.us`
			`- --email-domain=strudelline.net`
			`- --email-domain=andariese.net`
			`- --cookie-secure`
			`- --skip-provider-button`
			`- --htpasswd-file=/xfr/htpasswd`
			`- --set-xauthrequest`
			`- --provider=oidc`
			`- --oidc-issuer-url=https://auth.werts.us/realms/werts`
			`- --trusted-ip=172.16.0.0/16`
allow version lookup without auth for health checks 2023-12-24 19:58:12 +00:00			`- --skip-auth-route=/api/version`
true it on up y'all 2023-12-20 22:40:16 +00:00			`- --cookie-csrf-per-request`
			`volumeMounts:`
			`- name: htpasswd-xfr`
			`mountPath: /xfr`
			`- name: certs`
			`mountPath: /certs`
			`livenessProbe:`
			`failureThreshold: 3`
			`httpGet:`
			`path: /ping`
			`port: https`
			`scheme: HTTPS`
			`periodSeconds: 10`
			`successThreshold: 1`
			`timeoutSeconds: 1`
			`ports:`
			`- containerPort: 4443`
			`name: https`
			`protocol: TCP`
			`volumes:`
			`- name: htpasswd-xfr`
			`emptyDir:`
			`medium: Memory`
			`sizeLimit: 5Mi`
			`- name: certs`
			`secret:`
			`secretName: wildcard-tls`
			`terminationGracePeriodSeconds: 2`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`labels:`
			`app: oauth2-proxy`
			`annotations:`
			`metallb.universe.tf/allow-shared-ip: 172.16.17.33`
			`metallb.universe.tf/loadBalancerIPs: 172.16.17.33`
			`name: oauth2-proxy`
			`namespace: frigate`
			`spec:`
			`type: LoadBalancer`
			`externalTrafficPolicy: Local`
			`internalTrafficPolicy: Local`
			`ports:`
			`- name: http-redirect`
			`port: 80`
			`protocol: TCP`
			`targetPort: 4180`
			`- name: https-frigate`
			`port: 443`
			`protocol: TCP`
			`targetPort: 4443`
			`- name: http-frigate`
			`port: 5000`
			`protocol: TCP`
			`targetPort: 4180`
			`- name: http`
			`port: 4180`
			`protocol: TCP`
			`targetPort: 4180`
			`selector:`
			`app: oauth2-proxy`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`labels:`
			`app.kubernetes.io/instance: frigate`
			`app.kubernetes.io/name: frigate`
			`annotations:`
			`metallb.universe.tf/allow-shared-ip: 172.16.17.33`
			`metallb.universe.tf/loadBalancerIPs: 172.16.17.33`
			`name: frigate-lb`
			`namespace: frigate`
			`spec:`
			`type: LoadBalancer`
			`externalTrafficPolicy: Local`
			`internalTrafficPolicy: Local`
			`ports:`
			`- name: rtmp`
			`port: 1935`
			`protocol: TCP`
			`targetPort: 1935`
			`- name: restream`
			`port: 8554`
			`protocol: TCP`
			`targetPort: 8554`
			`selector:`
			`app.kubernetes.io/instance: frigate`
			`app.kubernetes.io/name: frigate`