Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 17:13:29

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -1,41 +1,5 @@
 ---
 apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: keycloak-auth
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: keycloak-auth-redirect
-spec:
-  errors:
-    status:
-      - "401"
-    service:
-      name: oauth2-proxy-redirect
-      port: 80
-    query: /oauth2/sign_in?rd={url}
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: oauth2-proxy-redirect
-spec:
-  type: ExternalName
-  externalName: oauth2-proxy.oauth2-proxy.svc.cluster.local
-  ports:
-    - port: 80
----
-apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: secret-reader
@@ -45,16 +9,11 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`secret-reader.hexor.cy`) && PathPrefix(`/oauth2/`)
-      kind: Rule
-      services:
-        - name: oauth2-proxy-redirect
-          port: 80
     - match: Host(`secret-reader.hexor.cy`)
       kind: Rule
       middlewares:
         - name: keycloak-auth
-        - name: keycloak-auth-redirect
+          namespace: oauth2-proxy
       services:
         - name: secret-reader
           port: 80

k8s/core/oauth2-proxy/external-secrets.yaml

@@ -10,10 +10,10 @@ spec:
     template:
       type: Opaque
       data:
-        client-id: oauth2-proxy
-        client-secret: |-
+        client_id: oauth2-proxy
+        client_secret: |-
           {{ .client_secret }}
-        cookie-secret: |-
+        cookie_secret: |-
           {{ .cookie_secret }}
   data:
     - secretKey: client_secret

k8s/core/oauth2-proxy/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
   - app.yaml
   - external-secrets.yaml
+  - middleware.yaml
 
 helmCharts:
   - name: oauth2-proxy

k8s/core/oauth2-proxy/middleware.yaml

@@ -1,3 +1,14 @@
-# Middleware is deployed per-namespace alongside each IngressRoute
-# because Traefik does not allow cross-namespace middleware references.
-# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: keycloak-auth
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+      - Authorization

k8s/core/oauth2-proxy/values.yaml

@@ -1,7 +1,6 @@
 replicaCount: 1
 
 config:
-  existingSecret: oauth2-proxy-creds
   configFile: |-
     provider = "keycloak-oidc"
     provider_display_name = "Keycloak"
@@ -22,6 +21,23 @@ config:
     code_challenge_method = "S256"
     scope = "openid profile email"
 
+extraEnv:
+  - name: OAUTH2_PROXY_CLIENT_ID
+    valueFrom:
+      secretKeyRef:
+        name: oauth2-proxy-creds
+        key: client_id
+  - name: OAUTH2_PROXY_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: oauth2-proxy-creds
+        key: client_secret
+  - name: OAUTH2_PROXY_COOKIE_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: oauth2-proxy-creds
+        key: cookie_secret
+
 ingress:
   enabled: true
   className: traefik