k8s/apps/mtproxy/secret-reader-ingress.yaml

---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-auth
spec:
  forwardAuth:
    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-auth-redirect
spec:
  errors:
    status:
      - "401"
    service:
      name: oauth2-proxy-redirect
      port: 80
    query: /oauth2/sign_in?rd={url}
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy-redirect
spec:
  type: ExternalName
  externalName: oauth2-proxy.oauth2-proxy.svc.cluster.local
  ports:
    - port: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: secret-reader
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`secret-reader.hexor.cy`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy-redirect
          port: 80
    - match: Host(`secret-reader.hexor.cy`)
      kind: Rule
      middlewares:
        - name: keycloak-auth
        - name: keycloak-auth-redirect
      services:
        - name: secret-reader
          port: 80
  tls:
    secretName: secret-reader-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secret-reader-tls
spec:
  secretName: secret-reader-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - secret-reader.hexor.cy
Added oauth2 proxy 2026-05-04 18:06:37 +01:00			`---`
			`apiVersion: traefik.io/v1alpha1`
Added oauth2 proxy 2026-05-04 18:21:44 +01:00			`kind: Middleware`
			`metadata:`
			`name: keycloak-auth`
			`spec:`
			`forwardAuth:`
			`address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth`
			`trustForwardHeader: true`
			`authResponseHeaders:`
			`- X-Auth-Request-User`
			`- X-Auth-Request-Email`
			`- X-Auth-Request-Groups`
			`---`
			`apiVersion: traefik.io/v1alpha1`
Added oauth2 proxy 2026-05-04 18:24:04 +01:00			`kind: Middleware`
			`metadata:`
			`name: keycloak-auth-redirect`
			`spec:`
			`errors:`
			`status:`
			`- "401"`
			`service:`
			`name: oauth2-proxy-redirect`
			`port: 80`
			`query: /oauth2/sign_in?rd={url}`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: oauth2-proxy-redirect`
			`spec:`
			`type: ExternalName`
			`externalName: oauth2-proxy.oauth2-proxy.svc.cluster.local`
			`ports:`
			`- port: 80`
			`---`
			`apiVersion: traefik.io/v1alpha1`
Added oauth2 proxy 2026-05-04 18:06:37 +01:00			`kind: IngressRoute`
			`metadata:`
			`name: secret-reader`
			`annotations:`
			`cert-manager.io/cluster-issuer: letsencrypt`
			`spec:`
			`entryPoints:`
			`- websecure`
			`routes:`
Added oauth2 proxy 2026-05-04 18:24:04 +01:00			- match: Host(`secret-reader.hexor.cy`) && PathPrefix(`/oauth2/`)
			`kind: Rule`
			`services:`
			`- name: oauth2-proxy-redirect`
			`port: 80`
Added oauth2 proxy 2026-05-04 18:06:37 +01:00			- match: Host(`secret-reader.hexor.cy`)
			`kind: Rule`
			`middlewares:`
			`- name: keycloak-auth`
Added oauth2 proxy 2026-05-04 18:24:04 +01:00			`- name: keycloak-auth-redirect`
Added oauth2 proxy 2026-05-04 18:06:37 +01:00			`services:`
			`- name: secret-reader`
			`port: 80`
			`tls:`
			`secretName: secret-reader-tls`
			`---`
			`apiVersion: cert-manager.io/v1`
			`kind: Certificate`
			`metadata:`
			`name: secret-reader-tls`
			`spec:`
			`secretName: secret-reader-tls`
			`issuerRef:`
			`name: letsencrypt`
			`kind: ClusterIssuer`
			`dnsNames:`
			`- secret-reader.hexor.cy`