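---
# ExternalSecret that pulls the Grist OIDC client credentials from the
# Bitwarden ClusterSecretStore and renders them into an oauth2-proxy
# config file (oauth2-proxy.cfg) inside the `oidc-secret` Secret.
# The credential values themselves never appear in this manifest; they are
# substituted at sync time from the store.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: oidc-secret
  namespace: grist
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden
  # Re-sync from the store on this interval so a rotated credential reaches
  # the rendered Secret without a manual resync.
  refreshInterval: 5m
  data:
    # All three values are properties of the same Bitwarden item. The item
    # key contains spaces, so it is quoted to keep it one plain string.
    - secretKey: client_secret
      remoteRef:
        key: "oidc client - grist"
        property: password
    - secretKey: client_id
      remoteRef:
        key: "oidc client - grist"
        property: username
    - secretKey: cookie_secret
      remoteRef:
        key: "oidc client - grist"
        property: cookie-secret
  target:
    name: oidc-secret
    creationPolicy: Owner
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        # Rendered by the External Secrets template engine; `{{ .name }}`
        # refers to the secretKey entries above. The result is a TOML file
        # consumed by oauth2-proxy, so the `#` lines below are TOML comments
        # and end up in the Secret as well.
        oauth2-proxy.cfg: |
          # --- session cookie ---
          cookie_secret='{{ .cookie_secret }}'
          cookie_domains=['werts.us','strudelline.net']
          # Only send the session cookie over HTTPS. Written as a TOML boolean
          # to match the other boolean settings in this file.
          cookie_secure = true

          # --- redirect / login policy ---
          # Domains a post-login redirect may point at.
          whitelist_domains=['.werts.us','.strudelline.net','strudelline.net','werts.us']
          # Only users whose email is in one of these domains are let in.
          email_domains=["werts.us","strudelline.net","andariese.net"]

          # --- OIDC client ---
          client_id="{{ .client_id }}"
          client_secret="{{ .client_secret }}"
          provider="oidc"
          oidc_issuer_url="https://auth.werts.us/realms/werts"

          # --- proxying ---
          upstreams = [ "http://localhost:8080" ]
          # Kept disabled: any pattern listed here is served without
          # authentication, so enable it deliberately and review the regex.
          #skip_auth_routes = [
          # "!=^/admin(/.*)?$"
          #]
          skip_provider_button = true
          # NOTE(review): reverse_proxy makes oauth2-proxy honour
          # X-Forwarded-* headers from whatever reaches it — confirm this pod
          # is only reachable through the trusted ingress.
          reverse_proxy = true
          set_xauthrequest = true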