From 0df274c0b226d5b115cccb48e40991b39f973b65 Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Mon, 4 May 2026 18:24:04 +0100
Subject: [PATCH] Added oauth2 proxy

---
 k8s/apps/mtproxy/secret-reader-ingress.yaml | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/k8s/apps/mtproxy/secret-reader-ingress.yaml b/k8s/apps/mtproxy/secret-reader-ingress.yaml
index d8bc614..a03023d 100644
--- a/k8s/apps/mtproxy/secret-reader-ingress.yaml
+++ b/k8s/apps/mtproxy/secret-reader-ingress.yaml
@@ -13,6 +13,29 @@ spec:
 - X-Auth-Request-Groups
 ---
 apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: keycloak-auth-redirect
+spec:
+ errors:
+ status:
+ - "401"
+ service:
+ name: oauth2-proxy-redirect
+ port: 80
+ query: /oauth2/sign_in?rd={url}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy-redirect
+spec:
+ type: ExternalName
+ externalName: oauth2-proxy.oauth2-proxy.svc.cluster.local
+ ports:
+ - port: 80
+---
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
 name: secret-reader
@@ -22,10 +45,16 @@ spec:
 entryPoints:
 - websecure
 routes:
+ - match: Host(`secret-reader.hexor.cy`) && PathPrefix(`/oauth2/`)
+ kind: Rule
+ services:
+ - name: oauth2-proxy-redirect
+ port: 80
 - match: Host(`secret-reader.hexor.cy`)
 kind: Rule
 middlewares:
 - name: keycloak-auth
+ - name: keycloak-auth-redirect
 services:
 - name: secret-reader
 port: 80
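Review bot: The new `oauth2-proxy-redirect` Service is an ExternalName pointing into another namespace, and Traefik's Kubernetes CRD provider does not load ExternalName services unless `allowExternalNameServices` is enabled; that switch is provider-wide, so it relaxes a default for every namespace Traefik watches, not only this app. Nothing on the page shows the provider configuration, so confirm the setting is deliberate and record the dependency above the Service, for example `# ExternalName: needs providers.kubernetesCRD.allowExternalNameServices=true in Traefik`. Separately, `rd={url}` in the Middleware's `query` hands oauth2-proxy an absolute URL, which it follows only for hosts it has been told to allow (`--whitelist-domain`); keep that list to the exact hostnames served rather than a broad parent-domain entry.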
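Review bot: In the second route the `errors` middleware is listed after `keycloak-auth`, so it sits inside the auth check and will probably never see the 401 it is meant to catch. Traefik applies middlewares in list order with the first one outermost; `keycloak-auth` looks like a forwardAuth middleware (its definition starts above the first hunk), and forwardAuth answers a denied request itself without calling the next handler. The result fails closed, since an unauthenticated user gets the bare 401 instead of the sign-in page, so this is a functional defect and not a bypass. Listing them as `- name: keycloak-auth-redirect` followed by `- name: keycloak-auth` puts the error handler around the auth check. The `routes` list and the IngressRoute spec start outside this hunk.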