Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 17:24:32 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.
Added oauth2 proxy
2026-05-04 17:24:32 +00:00 · 2026-05-04 18:24:04 +01:00 · 2026-05-04 18:21:44 +01:00 · 2026-05-04 18:19:41 +01:00 · 2026-05-04 18:15:48 +01:00 · 2026-05-04 18:12:52 +01:00
14 changed files with 375 additions and 20 deletions
@@ -18,9 +18,11 @@ ArgoCD homelab project
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
 | **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
 | **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |
 | **oauth2-proxy** | [![oauth2-proxy](https://ag.hexor.cy/api/badge?name=oauth2-proxy&revision=true)](https://ag.hexor.cy/applications/argocd/oauth2-proxy) |
 | **postgresql** | [![postgresql](https://ag.hexor.cy/api/badge?name=postgresql&revision=true)](https://ag.hexor.cy/applications/argocd/postgresql) |
 | **prom-stack** | [![prom-stack](https://ag.hexor.cy/api/badge?name=prom-stack&revision=true)](https://ag.hexor.cy/applications/argocd/prom-stack) |
 | **system-upgrade** | [![system-upgrade](https://ag.hexor.cy/api/badge?name=system-upgrade&revision=true)](https://ag.hexor.cy/applications/argocd/system-upgrade) |
@@ -12,4 +12,5 @@ resources:
  - ./telemt-servicemonitor.yaml
  - ./service.yaml
  - ./secret-reader.yaml
  - ./secret-reader-ingress.yaml
 # - ./storage.yaml
@@ -0,0 +1,74 @@
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: keycloak-auth
 spec:
  forwardAuth:
    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
    trustForwardHeader: true
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: keycloak-auth-redirect
 spec:
  errors:
    status:
      - "401"
    service:
      name: oauth2-proxy-redirect
      port: 80
    query: /oauth2/sign_in?rd={url}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: oauth2-proxy-redirect
 spec:
  type: ExternalName
  externalName: oauth2-proxy.oauth2-proxy.svc.cluster.local
  ports:
    - port: 80
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: secret-reader
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`secret-reader.hexor.cy`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy-redirect
          port: 80
    - match: Host(`secret-reader.hexor.cy`)
      kind: Rule
      middlewares:
        - name: keycloak-auth
        - name: keycloak-auth-redirect
      services:
        - name: secret-reader
          port: 80
  tls:
    secretName: secret-reader-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: secret-reader-tls
 spec:
  secretName: secret-reader-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - secret-reader.hexor.cy
@@ -1,26 +1,20 @@
 ---
-apiVersion: networking.k8s.io/v1
+apiVersion: traefik.io/v1alpha1
-kind: Ingress
+kind: IngressRoute
 metadata:
  name: kanidm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
    traefik.ingress.kubernetes.io/service.serversscheme: https
    traefik.ingress.kubernetes.io/service.serverstransport: kanidm-kanidm-transport@kubernetescrd
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`auth.hexor.cy`)
      kind: Rule
      services:
        - name: kanidm
          port: 443
          scheme: https
          serversTransport: kanidm-transport
  tls:
-    - hosts:
+    secretName: kanidm-ingress-tls
        - auth.hexor.cy
      secretName: kanidm-ingress-tls
  rules:
    - host: auth.hexor.cy
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kanidm
                port:
                  number: 443
@@ -0,0 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: keycloak
  namespace: argocd
 spec:
  project: core
  destination:
    namespace: keycloak
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/core/keycloak
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -0,0 +1,41 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: keycloak-creds
 spec:
  target:
    name: keycloak-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        KC_DB_USERNAME: keycloak
        KC_DB_PASSWORD: |-
          {{ .db_password }}
        KC_BOOTSTRAP_ADMIN_USERNAME: admin
        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
          {{ .admin_password }}
  data:
    - secretKey: db_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[18].value
    - secretKey: admin_password
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
        property: login.password
@@ -0,0 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - external-secrets.yaml
 helmCharts:
  - name: keycloakx
    repo: https://codecentric.github.io/helm-charts
    version: 7.1.11
    releaseName: keycloak
    namespace: keycloak
    valuesFile: values.yaml
@@ -0,0 +1,67 @@
 replicas: 1
 image:
  repository: quay.io/keycloak/keycloak
  tag: "26.5.6"
 command:
  - "/opt/keycloak/bin/kc.sh"
  - "start"
  - "--http-port=8080"
  - "--hostname-strict=false"
  - "--proxy-headers=xforwarded"
 extraEnvFrom: |
  - secretRef:
      name: keycloak-creds
 extraEnv: |
  - name: KC_HOSTNAME
    value: auth.hexor.cy
  - name: JAVA_OPTS_APPEND
    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
 dbchecker:
  enabled: true
 database:
  vendor: postgres
  hostname: psql.psql.svc
  port: 5432
  database: keycloak
  existingSecret: keycloak-creds
  existingSecretKey: KC_DB_PASSWORD
 service:
  type: ClusterIP
 ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
  rules:
    - host: auth.hexor.cy
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: keycloak-tls
      hosts:
        - auth.hexor.cy
 resources:
  requests:
    cpu: 200m
    memory: 512Mi
  limits:
    cpu: "1"
    memory: 1Gi
 nodeSelector:
  kubernetes.io/hostname: master.tail2fe2d.ts.net
 tolerations:
  - key: node-role.kubernetes.io/master
    effect: NoSchedule
@@ -0,0 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: oauth2-proxy
  namespace: argocd
 spec:
  project: core
  destination:
    namespace: oauth2-proxy
    server: https://kubernetes.default.svc
  source:
    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
    targetRevision: HEAD
    path: k8s/core/oauth2-proxy
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -0,0 +1,40 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: oauth2-proxy-creds
 spec:
  target:
    name: oauth2-proxy-creds
    deletionPolicy: Delete
    template:
      type: Opaque
      data:
        client-id: oauth2-proxy
        client-secret: |-
          {{ .client_secret }}
        cookie-secret: |-
          {{ .cookie_secret }}
  data:
    - secretKey: client_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
        property: login.password
    - secretKey: cookie_secret
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
        property: fields[0].value
@@ -0,0 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - app.yaml
  - external-secrets.yaml
 helmCharts:
  - name: oauth2-proxy
    repo: https://oauth2-proxy.github.io/manifests
    version: 10.4.3
    releaseName: oauth2-proxy
    namespace: oauth2-proxy
    valuesFile: values.yaml
@@ -0,0 +1,3 @@
 # Middleware is deployed per-namespace alongside each IngressRoute
 # because Traefik does not allow cross-namespace middleware references.
 # See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.
@@ -0,0 +1,51 @@
 replicaCount: 1
 config:
  existingSecret: oauth2-proxy-creds
  configFile: |-
    provider = "keycloak-oidc"
    provider_display_name = "Keycloak"
    oidc_issuer_url = "https://auth.hexor.cy/auth/realms/hexor"
    redirect_url = "https://oauth.hexor.cy/oauth2/callback"
    email_domains = ["*"]
    cookie_domains = [".hexor.cy"]
    whitelist_domains = [".hexor.cy"]
    cookie_secure = true
    cookie_samesite = "lax"
    upstreams = ["static://200"]
    reverse_proxy = true
    set_xauthrequest = true
    set_authorization_header = true
    pass_access_token = true
    pass_authorization_header = true
    skip_provider_button = true
    code_challenge_method = "S256"
    scope = "openid profile email"
 ingress:
  enabled: true
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
  hosts:
    - oauth.hexor.cy
  tls:
    - secretName: oauth2-proxy-tls
      hosts:
        - oauth.hexor.cy
 resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    cpu: 200m
    memory: 128Mi
 nodeSelector:
  kubernetes.io/hostname: master.tail2fe2d.ts.net
 tolerations:
  - key: node-role.kubernetes.io/master
    effect: NoSchedule
@@ -135,6 +135,8 @@ spec:
          {{ .furumi }}
        USER_furumi_dev: |-
          {{ .furumi_dev }}
        USER_keycloak: |-
          {{ .keycloak }}
  data:
    - secretKey: authentik
      sourceRef:
@@ -323,4 +325,14 @@ spec:
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[17].value
-
+    - secretKey: keycloak
      sourceRef:
        storeRef:
          name: vaultwarden-login
          kind: ClusterSecretStore
      remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
        key: 2a9deb39-ef22-433e-a1be-df1555625e22
        property: fields[18].value
Author	SHA1	Message	Date
Gitea Actions Bot	82ed1c6078	Auto-update README with current k8s applications Terraform / Terraform (pull_request) Failing after 4s Details Generated by CI/CD workflow on 2026-05-04 17:24:32 This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.	2026-05-04 17:24:32 +00:00
Ultradesu	0df274c0b2	Added oauth2 proxy Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 14s Details Check with kubeconform / lint (push) Successful in 14s Details Auto-update README / Generate README and Create MR (push) Successful in 12s Details	2026-05-04 18:24:04 +01:00
Ultradesu	658ec19ff1	Added oauth2 proxy Check with kubeconform / lint (push) Successful in 14s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 19s Details Auto-update README / Generate README and Create MR (push) Successful in 19s Details	2026-05-04 18:21:44 +01:00
Ultradesu	eb27dcf65b	Added oauth2 proxy Check with kubeconform / lint (push) Successful in 15s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 24s Details Auto-update README / Generate README and Create MR (push) Successful in 35s Details	2026-05-04 18:19:41 +01:00
Ultradesu	e44cf95bb2	Added oauth2 proxy Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 13s Details Check with kubeconform / lint (push) Successful in 21s Details Auto-update README / Generate README and Create MR (push) Successful in 32s Details	2026-05-04 18:15:48 +01:00
Ultradesu	df6ab28165	Added oauth2 proxy Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 15s Details Check with kubeconform / lint (push) Successful in 16s Details Auto-update README / Generate README and Create MR (push) Successful in 11s Details	2026-05-04 18:12:52 +01:00
Ultradesu	72cbcc3952	Added oauth2 proxy Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 1m3s Details Check with kubeconform / lint (push) Successful in 1m7s Details Auto-update README / Generate README and Create MR (push) Successful in 28s Details	2026-05-04 18:06:37 +01:00
Ultradesu	2afe27bfd4	Added keycloak Check with kubeconform / lint (push) Successful in 12s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 25s Details Auto-update README / Generate README and Create MR (push) Successful in 29s Details	2026-05-04 17:32:30 +01:00
Ultradesu	36eb9495ef	Added keycloak Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 16s Details Check with kubeconform / lint (push) Successful in 15s Details Auto-update README / Generate README and Create MR (push) Successful in 9s Details	2026-05-04 17:30:40 +01:00
ab	8e2c4f54c4	Update k8s/core/postgresql/external-secrets.yaml Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 15s Details Check with kubeconform / lint (push) Successful in 16s Details Auto-update README / Generate README and Create MR (push) Successful in 14s Details	2026-05-04 16:20:18 +00:00
Ultradesu	7a0c536ecc	Added kanidm Check with kubeconform / lint (push) Successful in 14s Details Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 16s Details Auto-update README / Generate README and Create MR (push) Successful in 11s Details	2026-05-04 17:09:49 +01:00