apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: oauth2-proxy
spec:
  destination:
    server: https://kubernetes.default.svc
    namespace: oauth2-proxy
  project: apps
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  # https://argo-cd.readthedocs.io/en/stable/user-guide/multiple_sources/#helm-value-files-from-external-git-repository
  source:
    repoURL: https://oauth2-proxy.github.io/manifests
    targetRevision: 6.16.1
    chart: oauth2-proxy
    helm:
      values: |
        # https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml

        config:
          clientID: 13240a7012a34dbdd9c7
          clientSecret: change_in_argocd
          cookieSecret: change_in_argocd
          configFile: |-
            # https://github.com/kubernetes/ingress-nginx/issues/2831#issuecomment-407336056
            provider = "github"
            email_domains = [ "*" ]
            upstreams = [ "file:///dev/null" ]
            github_users = "amkartashov"
            whitelist_domains = ".ioot.xyz"
            cookie_refresh = "1m"
            cookie_expire = "30m"
            cookie_secure = "true"
            cookie_domains = ".ioot.xyz"
            ssl_insecure_skip_verify = "true"
            pass_basic_auth = "false"
            pass_access_token = "true"
            pass_user_headers = "true"
            set_authorization_header = "true"
            pass_authorization_header = "true"
            set_xauthrequest = true
            # https://github.com/oauth2-proxy/oauth2-proxy/issues/1724#issuecomment-1199075723
            scope = "user:email"

        ingress:
          enabled: true
          className: nginx
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt
          hosts:
            - oauth2.ioot.xyz
          tls:
            - hosts:
                - oauth2.ioot.xyz
              secretName: oauth2-tls