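---
# ForwardAuth middleware: Traefik sends an auth subrequest to oauth2-proxy's
# /oauth2/auth endpoint before the request is passed to the backend.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-auth
spec:
  forwardAuth:
    # Plain HTTP inside the cluster: the auth subrequest (including the
    # caller's session cookie) crosses the pod network unencrypted.
    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
    # Hardened from `true`. With `false`, Traefik writes the X-Forwarded-*
    # headers of the auth subrequest from the connection it actually
    # received, so the auth decision never depends on caller-supplied values.
    # Whether such values could reach this middleware depends on the
    # entryPoint's forwardedHeaders settings, which are not shown in this
    # file. Switch back to `true` only if a trusted proxy in front of Traefik
    # sets these headers and the entryPoint restricts forwardedHeaders to it.
    trustForwardHeader: false
    # Identity headers copied from the auth response onto the request sent to
    # the backend. They are only meaningful for traffic that passed through
    # this middleware; a backend that relies on them should not be reachable
    # by any other path (e.g. directly via its ClusterIP).
    # NOTE(review): whether secret-reader consumes these is not visible here.
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
---
# Errors middleware: replaces a 401 from the auth check with oauth2-proxy's
# sign-in page, passing the original URL as the post-login redirect target.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-auth-redirect
spec:
  errors:
    status:
      - "401"
    service:
      name: oauth2-proxy-redirect
      port: 80
    # {url} is substituted by Traefik with the escaped request URL.
    # /oauth2/sign_in is also reachable directly through the route below, so
    # validation of `rd` targets has to be enforced in the oauth2-proxy
    # configuration (not part of this file).
    query: /oauth2/sign_in?rd={url}
---
# ExternalName alias so that resources in this namespace can reference the
# oauth2-proxy Service that lives in the oauth2-proxy namespace.
# Traefik's Kubernetes CRD provider only resolves ExternalName services when
# allowExternalNameServices is enabled — confirm in the Traefik static config.
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy-redirect
spec:
  type: ExternalName
  externalName: oauth2-proxy.oauth2-proxy.svc.cluster.local
  ports:
    - port: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: secret-reader
  annotations:
    # NOTE(review): cert-manager's annotation shim acts on Ingress/Gateway
    # objects, not on Traefik IngressRoute, so this annotation is presumably
    # inert; the Certificate resource at the end of this file is what
    # requests secret-reader-tls.
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  entryPoints:
    - websecure
  routes:
    # oauth2-proxy endpoints (sign-in, callback, ...) are served without the
    # auth middlewares on purpose; they must be reachable before login.
    # No explicit priority is set: Traefik's default ordering prefers the
    # longer rule, so this route is matched ahead of the host-only one.
    - match: Host(`secret-reader.hexor.cy`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services:
        - name: oauth2-proxy-redirect
          port: 80
    # Everything else on the host is gated: keycloak-auth performs the check,
    # keycloak-auth-redirect turns a 401 into the sign-in page.
    - match: Host(`secret-reader.hexor.cy`)
      kind: Rule
      middlewares:
        - name: keycloak-auth
        - name: keycloak-auth-redirect
      services:
        - name: secret-reader
          port: 80
  tls:
    secretName: secret-reader-tls
---
# Certificate issued by the letsencrypt ClusterIssuer and stored in the
# secret referenced by the IngressRoute's tls block.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secret-reader-tls
spec:
  secretName: secret-reader-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - secret-reader.hexor.cy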