---
# Helm values for oauth2-proxy acting as an OIDC client of Authentik (full
# OAuth authorization-code flow, not BasicAuth). Traefik's ForwardAuth
# middleware sends requests here, so apps without native OIDC support
# (Prometheus, Alertmanager, Longhorn UI) still sit behind a real login.
#
# Client id, client secret and cookie secret are provisioned by Ansible as a
# Kubernetes Secret plus the matching Helm values; nothing sensitive is kept
# in this file.
#
# Install / upgrade:
#   helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests && helm repo update
#   kubectl apply -f clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
#   helm upgrade --install oauth2-proxy oauth2-proxy/oauth2-proxy -n oauth2-proxy \
#     --version 10.4.3 -f clusters/noble/bootstrap/oauth2-proxy/values.yaml -f /path/to/extra.yaml --wait

config:
  # Ansible creates Secret oauth2-proxy-credentials with keys client-id,
  # client-secret and cookie-secret. The chart reads those; the empty inline
  # values below only keep the keys visible and must stay empty.
  existingSecret: oauth2-proxy-credentials
  clientID: oauth2-proxy
  clientSecret: ''
  cookieSecret: ''
  cookieName: _oauth2_proxy
  # Wildcard: oauth2-proxy does no email-domain filtering of its own, so who
  # may sign in is decided entirely by the Authentik application's access
  # policies. Keep those policies tight.
  emailDomains:
    - '*'

ingress:
  enabled: true
  className: traefik
  path: /
  hosts:
    - oauth2.apps.noble.lab.pcenicni.dev
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
    - secretName: oauth2-apps-noble-tls
      hosts:
        - oauth2.apps.noble.lab.pcenicni.dev

# Flags handed straight to the oauth2-proxy binary; the chart wants strings.
extraArgs:
  provider: oidc
  # Send users straight to Authentik instead of oauth2-proxy's own sign-in page.
  skip-provider-button: 'true'
  oidc-issuer-url: 'https://auth.apps.noble.lab.pcenicni.dev/application/o/oauth2-proxy/'
  redirect-url: 'https://oauth2.apps.noble.lab.pcenicni.dev/oauth2/callback'
  scope: 'openid profile email groups'
  # Leading dot: one session cookie is shared by every host under
  # apps.noble.lab.pcenicni.dev, and post-login redirects are only allowed
  # back to hosts under that same suffix.
  cookie-domain: '.apps.noble.lab.pcenicni.dev'
  whitelist-domain: '.apps.noble.lab.pcenicni.dev'
  # Expose the identity to the protected app via an Authorization header,
  # but keep the raw access token out of the forwarded headers.
  set-authorization-header: 'true'
  pass-access-token: 'false'
  # Trust X-Forwarded-* from Traefik. This is only sound while the Service is
  # reachable solely through the ingress; any client able to reach it
  # directly could set those headers itself.
  reverse-proxy: 'true'
  # ForwardAuth mode: no real backend, just answer 200 once authenticated.
  upstream: static://200

service:
  portNumber: 4180