gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5e5c6ef671ea0e5afb653d2b953cbd6801439e07
home-server/clusters/noble/bootstrap/oauth2-proxy/values.yaml

52 lines
2.0 KiB
YAML
Raw Blame History

# oauth2-proxy — OIDC client to **Authentik** (not BasicAuth). Used with Traefik ForwardAuth
# so apps without native OIDC (Prometheus, Alertmanager, Longhorn UI) still get a full OAuth code flow.
#
# Client id/secret/cookie-secret are created by Ansible (Kubernetes Secret + Helm values).
#
# helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests && helm repo update
# kubectl apply -f clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
# helm upgrade --install oauth2-proxy oauth2-proxy/oauth2-proxy -n oauth2-proxy \
# --version 10.4.3 -f clusters/noble/bootstrap/oauth2-proxy/values.yaml -f /path/to/extra.yaml --wait
config:
# Populated by Ansible: Secret **oauth2-proxy-credentials** (keys client-id, client-secret, cookie-secret).
existingSecret: oauth2-proxy-credentials
clientID: oauth2-proxy
clientSecret: ""
cookieSecret: ""
cookieName: _oauth2_proxy
emailDomains: ["*"]
ingress:
enabled: true
className: traefik
path: /
hosts:
- oauth2.apps.noble.lab.pcenicni.dev
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
tls:
- secretName: oauth2-apps-noble-tls
hosts:
- oauth2.apps.noble.lab.pcenicni.dev
extraArgs:
provider: oidc
skip-provider-button: "true"
# Authentik bootstrap / local users often omit **email_verified** in the id_token; without this,
# oauth2-proxy returns **500** on `/oauth2/callback` with: "email in id_token (...) isn't verified".
# Prefer marking the account verified in Authentik (Directory) in production.
insecure-oidc-allow-unverified-email: "true"
oidc-issuer-url: "https://auth.apps.noble.lab.pcenicni.dev/application/o/oauth2-proxy/"
redirect-url: "https://oauth2.apps.noble.lab.pcenicni.dev/oauth2/callback"
scope: "openid profile email groups"
cookie-domain: ".apps.noble.lab.pcenicni.dev"
whitelist-domain: ".apps.noble.lab.pcenicni.dev"
set-authorization-header: "true"
pass-access-token: "false"
reverse-proxy: "true"
upstream: static://200
service:
portNumber: 4180
Reference in New Issue View Git Blame Copy Permalink