From 658ec19ff1695d80481e59bc1643490eaad6e40e Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Mon, 4 May 2026 18:21:44 +0100
Subject: [PATCH] Added oauth2 proxy
---
 k8s/apps/mtproxy/secret-reader-ingress.yaml | 14 +++++++++++++-
 k8s/core/oauth2-proxy/kustomization.yaml | 1 -
 k8s/core/oauth2-proxy/middleware.yaml | 17 +++--------------
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/k8s/apps/mtproxy/secret-reader-ingress.yaml b/k8s/apps/mtproxy/secret-reader-ingress.yaml
index 8ac47f9..d8bc614 100644
--- a/k8s/apps/mtproxy/secret-reader-ingress.yaml
+++ b/k8s/apps/mtproxy/secret-reader-ingress.yaml
@@ -1,5 +1,18 @@
 ---
 apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: keycloak-auth
+spec:
+ forwardAuth:
+ address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-Auth-Request-User
+ - X-Auth-Request-Email
+ - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
 name: secret-reader
@@ -13,7 +26,6 @@ spec:
 kind: Rule
 middlewares:
 - name: keycloak-auth
- namespace: kube-system
 services:
 - name: secret-reader
 port: 80
diff --git a/k8s/core/oauth2-proxy/kustomization.yaml b/k8s/core/oauth2-proxy/kustomization.yaml
index db2c493..85c1d35 100644
--- a/k8s/core/oauth2-proxy/kustomization.yaml
+++ b/k8s/core/oauth2-proxy/kustomization.yaml
@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
 - app.yaml
 - external-secrets.yaml
- - middleware.yaml
 helmCharts:
 - name: oauth2-proxy
diff --git a/k8s/core/oauth2-proxy/middleware.yaml b/k8s/core/oauth2-proxy/middleware.yaml
index 5fa7302..0416a9c 100644
--- a/k8s/core/oauth2-proxy/middleware.yaml
+++ b/k8s/core/oauth2-proxy/middleware.yaml
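Review bot: `trustForwardHeader: true` on the `keycloak-auth` Middleware added in k8s/apps/mtproxy/secret-reader-ingress.yaml tells Traefik to pass the client's own `X-Forwarded-*` headers through to oauth2-proxy instead of overwriting them, so the auth check and its redirects can rest on values the requester controls. That is only safe when every path to the entrypoint goes through a trusted proxy that resets those headers; the patch shows none, and this route fronts `secret-reader`. Unless such a proxy exists I would set `trustForwardHeader: false`, or limit trust with `forwardedHeaders.trustedIPs` on the entrypoint. The value is carried over unchanged from the removed kube-system Middleware, so the per-namespace copy is a good place to decide it deliberately. The new object also has no `metadata.namespace`, so it must be deployed into the same namespace as the IngressRoute for the now unqualified reference to resolve.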
@@ -1,14 +1,3 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: keycloak-auth
- namespace: kube-system
-spec:
- forwardAuth:
- address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
- trustForwardHeader: true
- authResponseHeaders:
- - X-Auth-Request-User
- - X-Auth-Request-Email
- - X-Auth-Request-Groups
+# Middleware is deployed per-namespace alongside each IngressRoute
+# because Traefik does not allow cross-namespace middleware references.
+# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.
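Review bot: Deleting the kube-system `keycloak-auth` Middleware in k8s/core/oauth2-proxy/middleware.yaml takes it away from every IngressRoute that still references it with `namespace: kube-system`, and this patch updates only secret-reader. Whether other routes depend on it is not visible here; Traefik normally rejects a router whose middleware cannot be resolved, so they would stop serving rather than lose authentication, but remaining references should be searched for before this is applied. The replacement comment also overstates Traefik's behaviour, since cross-namespace references are disabled by default rather than impossible; I would word the second line `# because cross-namespace middleware references are disabled in Traefik by default (allowCrossNamespace).` Keeping that option off is the safer setting, because it stops a namespace from attaching to another namespace's middleware.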