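---
# oauth2-proxy in front of Frigate (namespace "frigate").
# Two oauth2-proxy containers share one pod: a plain-HTTP listener on 4180 and
# a TLS listener on 4443. Both forward to http://frigate:5000 and authenticate
# through the OIDC issuer below, with an htpasswd file as a bypass login.
# The htpasswd file is generated at pod start by an init container from the
# "oidc-bypass-user" Secret and handed over through an in-memory emptyDir.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: oauth2-proxy
  name: oauth2-proxy
  namespace: frigate
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      # Serialisation artefact from an exported manifest; carries no configuration.
      creationTimestamp: null
      labels:
        app: oauth2-proxy
    spec:
      # Nothing in this pod calls the Kubernetes API, so no service account
      # token is mounted into the containers.
      automountServiceAccountToken: false
      initContainers:
        - name: password-creator
          # NOTE(review): the tag is mutable; pin by digest
          # (httpd@sha256:<digest-placeholder>) once the image has been verified.
          image: httpd:alpine3.19
          # -B = bcrypt, -b = password taken from the argument list, -c = create file.
          # The pod spec only holds the $(VAR) references, but the expanded
          # password is part of this container's process arguments while it runs.
          command:
            - /usr/local/apache2/bin/htpasswd
            - -Bbc
            - /xfr/htpasswd
            - "$(OIDC_BYPASS_USERNAME)"
            - "$(OIDC_BYPASS_PASSWORD)"
          envFrom:
            - secretRef:
                name: oidc-bypass-user
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: htpasswd-xfr
              mountPath: /xfr
      containers:
        - name: oauth2-proxy-http
          # NOTE(review): pin by digest (…@sha256:<digest-placeholder>) and check
          # upstream release notes / security advisories for fixes after v7.4.0.
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
          imagePullPolicy: IfNotPresent
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client
                  key: client_id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client
                  key: client_secret
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy
                  key: cookie_secret
            - name: OAUTH2_PROXY_UPSTREAMS
              value: http://frigate:5000
          args:
            # Plain-HTTP listener. --cookie-secure marks the session cookie
            # Secure, so browsers will not return it on this listener, and any
            # htpasswd credentials submitted here travel unencrypted.
            # NOTE(review): the Service calls port 80 "http-redirect" but no
            # HTTPS redirect is configured here; confirm what was intended.
            - --http-address=0.0.0.0:4180
            # Hosts (any port) that post-login redirects may point to.
            - '--whitelist-domain=strudelline.net:*'
            - '--whitelist-domain=.strudelline.net:*'
            - --cookie-domain=strudelline.net
            - --email-domain=werts.us
            - --email-domain=strudelline.net
            - --email-domain=andariese.net
            - --cookie-secure
            - --skip-provider-button
            - --htpasswd-file=/xfr/htpasswd
            - --set-xauthrequest
            - --provider=oidc
            - --oidc-issuer-url=https://auth.werts.us/realms/werts
            # Requests from this range skip authentication entirely. The match
            # is on the connection's source address (the Service keeps it with
            # externalTrafficPolicy: Local). Do not enable --reverse-proxy
            # unless a trusted proxy in front overwrites client-IP headers.
            # NOTE(review): confirm pod/node CIDRs do not fall inside this
            # range more widely than intended.
            - --trusted-ip=172.16.0.0/16
            - --cookie-csrf-per-request
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # The proxy only reads the htpasswd file.
            - name: htpasswd-xfr
              mountPath: /xfr
              readOnly: true
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: http
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - containerPort: 4180
              name: http
              protocol: TCP
        - name: oauth2-proxy-https
          # NOTE(review): pin by digest (…@sha256:<digest-placeholder>) and check
          # upstream release notes / security advisories for fixes after v7.4.0.
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
          imagePullPolicy: IfNotPresent
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client
                  key: client_id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client
                  key: client_secret
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy
                  key: cookie_secret
            - name: OAUTH2_PROXY_UPSTREAMS
              value: http://frigate:5000
          args:
            # TLS listener; certificate and key come from the "wildcard-tls" Secret.
            - --https-address=0.0.0.0:4443
            - --tls-cert-file=/certs/tls.crt
            - --tls-key-file=/certs/tls.key
            # Hosts (any port) that post-login redirects may point to.
            - '--whitelist-domain=strudelline.net:*'
            - '--whitelist-domain=.strudelline.net:*'
            - --cookie-domain=strudelline.net
            - --email-domain=werts.us
            - --email-domain=strudelline.net
            - --email-domain=andariese.net
            - --cookie-secure
            - --skip-provider-button
            - --htpasswd-file=/xfr/htpasswd
            - --set-xauthrequest
            - --provider=oidc
            - --oidc-issuer-url=https://auth.werts.us/realms/werts
            # Same authentication bypass as on the HTTP listener: source
            # addresses in this range are not asked to log in.
            - --trusted-ip=172.16.0.0/16
            - --cookie-csrf-per-request
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: htpasswd-xfr
              mountPath: /xfr
              readOnly: true
            - name: certs
              mountPath: /certs
              readOnly: true
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: https
              scheme: HTTPS
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          ports:
            - containerPort: 4443
              name: https
              protocol: TCP
      volumes:
        # tmpfs hand-over for the generated htpasswd file; never written to node disk.
        - name: htpasswd-xfr
          emptyDir:
            medium: Memory
            sizeLimit: 5Mi
        - name: certs
          secret:
            secretName: wildcard-tls
      terminationGracePeriodSeconds: 2
---
# LoadBalancer for the proxy. Only 443 reaches the TLS listener (4443);
# ports 80, 5000 and 4180 all land on the plain-HTTP listener (4180).
apiVersion: v1
kind: Service
metadata:
  labels:
    app: oauth2-proxy
  annotations:
    # Same address as frigate-lb below; MetalLB lets the two Services share it.
    metallb.universe.tf/allow-shared-ip: '172.16.17.33'
    metallb.universe.tf/loadBalancerIPs: '172.16.17.33'
  name: oauth2-proxy
  namespace: frigate
spec:
  type: LoadBalancer
  # Local keeps the client source IP, which --trusted-ip on the proxy depends on.
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
    - name: http-redirect
      port: 80
      protocol: TCP
      targetPort: 4180
    - name: https-frigate
      port: 443
      protocol: TCP
      targetPort: 4443
    - name: http-frigate
      port: 5000
      protocol: TCP
      targetPort: 4180
    - name: http
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    app: oauth2-proxy
---
# LoadBalancer straight to the Frigate pods for the streaming ports.
# Traffic on these ports does not pass through oauth2-proxy.
# NOTE(review): confirm the streams carry their own authentication or that
# this address is reachable from trusted networks only.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: frigate
    app.kubernetes.io/name: frigate
  annotations:
    metallb.universe.tf/allow-shared-ip: '172.16.17.33'
    metallb.universe.tf/loadBalancerIPs: '172.16.17.33'
  name: frigate-lb
  namespace: frigate
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  internalTrafficPolicy: Local
  ports:
    - name: rtmp
      port: 1935
      protocol: TCP
      targetPort: 1935
    - name: restream
      port: 8554
      protocol: TCP
      targetPort: 8554
  selector:
    app.kubernetes.io/instance: frigate
    app.kubernetes.io/name: frigate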