From 0e45303c36a5e7e887ef9cd122711557a981b51c Mon Sep 17 00:00:00 2001
From: Andrei Kartashov
Date: Mon, 4 Sep 2023 21:51:47 +0700
Subject: [PATCH] oauth2-proxy

---
 README.rst | 11 +++-
 .../apps/oauth2-proxy/application.yaml | 60 +++++++++++++++++++
 2 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 state/gullfaxi/apps/oauth2-proxy/application.yaml

diff --git a/README.rst b/README.rst
index 412b750..7f070d8 100644
--- a/README.rst
+++ b/README.rst
@@ -30,10 +30,10 @@ Applications & Projects
 +------------------------------+----------------------------------------------------------------+-------------------------+
 | `Apps Project`_, **user level applications** |
 +------------------------------+----------------------------------------------------------------+-------------------------+
+| Oauth2-proxy_ | `Oauth2 Proxy`_ | |oauth2-proxy_status| |
++------------------------------+----------------------------------------------------------------+-------------------------+

 .. _`Default Project`: https://argocd.ioot.xyz/applications?proj=default
-.. _`System Project`: https://argocd.ioot.xyz/applications?proj=system
-.. _`Apps Project`: https://argocd.ioot.xyz/applications?proj=apps

 .. _System: https://argocd.ioot.xyz/applications/argocd/system
 .. |system_status| image:: https://argocd.ioot.xyz/api/badge?name=system&revision=true
@@ -41,6 +41,8 @@ Applications & Projects
 .. _Apps: https://argocd.ioot.xyz/applications/argocd/apps
 .. |apps_status| image:: https://argocd.ioot.xyz/api/badge?name=apps&revision=true

+.. _`System Project`: https://argocd.ioot.xyz/applications?proj=system
+
 .. _ArgoCD: https://argocd.ioot.xyz/applications/argocd/argocd
 .. _GitOps tool for Kubernetes: https://argo-cd.readthedocs.io
 .. |argocd_status| image:: https://argocd.ioot.xyz/api/badge?name=argocd&revision=true
@@ -61,6 +63,11 @@ Applications & Projects
 .. _Rancher Local-Path: https://github.com/rancher/local-path-provisioner
 .. |local-path_status| image:: https://argocd.ioot.xyz/api/badge?name=local-path-provisioner&revision=true
+.. _`Apps Project`: https://argocd.ioot.xyz/applications?proj=apps
+
+.. _Oauth2-proxy: https://argocd.ioot.xyz/applications/argocd/oauth2-proxy
+.. _Oauth2 Proxy: https://github.com/oauth2-proxy/oauth2-proxy
+.. |oauth2-proxy_status| image:: https://argocd.ioot.xyz/api/badge?name=oauth2-proxy&revision=true Cluster initialization ===============================================================================
diff --git a/state/gullfaxi/apps/oauth2-proxy/application.yaml b/state/gullfaxi/apps/oauth2-proxy/application.yaml
new file mode 100644
index 0000000..e71b79f
--- /dev/null
+++ b/state/gullfaxi/apps/oauth2-proxy/application.yaml
@@ -0,0 +1,60 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: oauth2-proxy
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: oauth2-proxy
+ project: apps
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ # https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/#helm-value-files-from-external-git-repository
+ source:
+ repoURL: https://oauth2-proxy.github.io/manifests
+ targetRevision: 6.16.1
+ chart: oauth2-proxy
+ helm:
+ values: |
+ # https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml
+
+ config:
+ clientID: 13240a7012a34dbdd9c7
+ clientSecret: change_in_argocd
+ cookieSecret: change_in_argocd
+ configFile: |-
+ # https://github.com/kubernetes/ingress-nginx/issues/2831#issuecomment-407336056
+ provider = "github"
+ email_domains = [ "*" ]
+ upstreams = [ "file:///dev/null" ]
+ github_users = "amkartashov"
+ whitelist_domains = ".ioot.xyz"
+ cookie_refresh = "1m"
+ cookie_expire = "30m"
+ cookie_secure = "true"
+ cookie_domains = ".ioot.xyz"
+ ssl_insecure_skip_verify = "true"
+ pass_basic_auth = "false"
+ pass_access_token = "true"
+ pass_user_headers = "true"
+ set_authorization_header = "true"
+ pass_authorization_header = "true"
+ set_xauthrequest = true
+ # https://github.com/oauth2-proxy/oauth2-proxy/issues/1724#issuecomment-1199075723
+ scope = "user:email"
+
+ ingress:
+ enabled: true
+ className: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ hosts:
+ - oauth2.ioot.xyz
+ tls:
+ - hosts:
+ - oauth2.ioot.xyz
+ secretName: oauth2-tls
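Review bot: `ssl_insecure_skip_verify = "true"` in the embedded configFile disables certificate verification for oauth2-proxy's outbound HTTPS calls, which with `provider = "github"` and the only upstream being `file:///dev/null` means the code-for-token exchange and user lookups against GitHub run without TLS validation; nothing else in the hunk depends on it, so the line should be removed rather than shipped against a public provider. The placeholders `clientSecret: change_in_argocd` and `cookieSecret: change_in_argocd` are rendered by the chart into a Secret as literal values, and because `syncPolicy.automated` is on the proxy can come up with a known cookie secret before anyone overrides it (the placeholder is 16 characters, which appears to be an accepted key length, so startup may not even fail); pointing the chart at a Secret created outside Git via its `config.existingSecret` value would keep both out of the manifest — confirm that key against the pinned chart revision 6.16.1. A smaller point of style: the TOML block mixes quoted booleans such as `cookie_secure = "true"` with the bare `set_xauthrequest = true`; pick one form for the whole configFile.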