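---
# ExternalSecret that pulls the oauth2-proxy OIDC client credentials and
# cookie secret from the "bitwarden" ClusterSecretStore and renders them
# into a ready-to-mount oauth2-proxy.cfg inside a Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: oauth2-proxy-oidc-secret
  namespace: keycloak
spec:
  # Each entry maps one field of the remote Bitwarden item to a key that the
  # template below can reference as {{ .<secretKey> }}.
  # The remote key contains spaces and a dash, so it is quoted to keep the
  # scalar a string regardless of parser.
  data:
    - remoteRef:
        key: "oidc client - oauth2-proxy"
        property: password
      secretKey: client_secret
    - remoteRef:
        key: "oidc client - oauth2-proxy"
        property: username
      secretKey: client_id
    - remoteRef:
        key: "oidc client - oauth2-proxy"
        property: cookie-secret
      secretKey: cookie_secret
  # How often the operator re-reads the store; a rotated credential in
  # Bitwarden shows up in the cluster within this window.
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden
  target:
    name: oauth2-proxy-oidc-secret
    template:
      data:
        # Rendered verbatim into the Secret. The quoting of the templated
        # values is TOML quoting, not YAML: a secret value containing the
        # surrounding quote character would break the config rather than
        # inject — NOTE(review): confirm the Bitwarden values cannot contain
        # a single quote (cookie_secret) or a double quote (client_*).
        # NOTE(review): cookie_secure is a boolean option; the quoted "true"
        # relies on the config loader coercing the string — confirm against
        # the oauth2-proxy version in use.
        oauth2-proxy.cfg: |
          cookie_secret='{{ .cookie_secret }}'
          cookie_domains=['werts.us','strudelline.net']
          cookie_csrf_per_request = true
          whitelist_domains=['.werts.us','.strudelline.net','strudelline.net','werts.us']
          # only users with this domain will be let in
          email_domains=["werts.us","strudelline.net","andariese.net"]
          client_id="{{ .client_id }}"
          client_secret="{{ .client_secret }}"
          cookie_secure="true"
          upstreams = [ "file:///dev/null" ]
          skip_provider_button = true
          set_xauthrequest = true
          pass_access_token = true
          provider="oidc"
          oidc_issuer_url="https://auth.werts.us/realms/werts"
      # v2 template engine: {{ .key }} references resolve against spec.data.
      engineVersion: v2
      type: Opaque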