diff --git a/apps/k8s01/nas/kustomization.yaml b/apps/k8s01/nas/kustomization.yaml
index e9785d34bcd9bb0e833df1130d38a36b1cc3e9f0..304fe6766dc6198df1d06681c61893a38cdb1399 100644
--- a/apps/k8s01/nas/kustomization.yaml
+++ b/apps/k8s01/nas/kustomization.yaml
@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
 - namespace.yaml
 - s3.yaml
+- ../../../shared/applications/oauth2-proxy.yaml
 - oauth2.yaml
diff --git a/apps/k8s01/nas/oauth2.yaml b/apps/k8s01/nas/oauth2.yaml
index 1ee2ec8e517828040ec914334965a9c590be0f3e..9f8e47a529b85c646f0c8d1594f45749cedc9ebc 100644
--- a/apps/k8s01/nas/oauth2.yaml
+++ b/apps/k8s01/nas/oauth2.yaml
@@ -1,200 +1,17 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: HelmRepository +apiVersion: v1 +kind: Secret metadata: - name: oauth2-proxy - namespace: nas -spec: - interval: 30m - url: https://oauth2-proxy.github.io/manifests + name: oauth2-proxy-override-values +stringData: + values-overrides.yaml: ENC[AES256_GCM,data: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,iv:LVtcvL1Zdp0Q46sxCxLOx9cX9ABanlpiBNCO5/ASWCo=,tag:QDxJQ1fJz2A0JK8MAsGP5Q==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-09-11T21:46:11Z" - mac: ENC[AES256_GCM,data:4sdEwWdKLdSn3j93pPqc92SR5PFlVT53ShRwD27zHnROvLheGz2zNu0cgdRcQDMyVQPduSaqldftZWlBj0bs0Q/3J8fY4fSqObmv52N+/kpkM8rFd642GKA9YV8DaXgRWhXs/bk8Xm0g2j6Pyztwgqo0bziYw9feoAFJ+a8eekk=,iv:68aTY2mtxyw5gvKDI94SbsYXI1FXNP5paTar9jzhSS4=,tag:FrcaedlYTzunCdQsRPl1VA==,type:str] - pgp: - - created_at: "2022-01-22T04:06:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF - 27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W - BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P - 7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw - KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9 - OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9 - LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp - DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo - b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y - HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj - XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS - 5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo - M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA== - =c/3x - -----END PGP MESSAGE----- - fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 - - created_at: "2022-01-22T04:06:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - 
hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ - yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI - 2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN - 46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N - 4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK - GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW - fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU - WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd - vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl - tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c - w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU - aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9 - NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9 - PNNoVr/LwxMQ - =e2fo - -----END PGP MESSAGE----- - fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 - encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ - version: 3.7.3 ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: oauth2-proxy - namespace: nas -spec: - releaseName: oauth2-proxy - chart: - spec: - chart: oauth2-proxy - sourceRef: - kind: HelmRepository - name: oauth2-proxy - namespace: nas - version: 6.17.1 - interval: 5m - install: - remediation: - retries: -1 - values: - config: - clientID: minio-console - clientSecret: ENC[AES256_GCM,data:RewDTS7iqqQMwWWYTzNOjxngI3zKsOtGd2yidJfjqWU=,iv:qBbWEg7QA2pRHBopjo+O2QPFo25qId0yFXxQ2ZiVQYc=,tag:AKavMpQPh4FzbZaEahTZFw==,type:str] - cookieSecret: ENC[AES256_GCM,data:2peh/VSESdjO5HFMyCjw1an1/oLwjKY2wS0l4ZTXZHoSCgMOtEaeYTKBWQ==,iv:PBoklIo3LhvLloXUWP5IEtQ46VfJJE7EbXO+LdGD/ks=,tag:csWZ0NRhKJxH9yFA3PssWQ==,type:str] - extraArgs: - provider: keycloak-oidc - provider-display-name: SI-Auth - redirect-url: 
ENC[AES256_GCM,data:vDtGDhv20Ot5+8j41rwR6AZsWXBsz9c21lw2C3b+5vAxzBYHNWIOugresnGqkkACkrcDRhi2,iv:dBRABK+dazmG0C4OrsHs4pfOWQLVlFEFVuLnCcOyVnE=,tag:T1OMopItnHFbfl5NZY/4LQ==,type:str] - oidc-issuer-url: ENC[AES256_GCM,data:lcMt0EiZJPca/5iwNp4Ged6qchqzkuKAXOiyJNR99jfJPRwBjMp3JJJmvfhdU+dU1/VFqMgk3w==,iv:0avQixtcn6Mr87AcloKhIVAIcp08eQk9Ud80CjMRfB4=,tag:uGVgCeeqOoD7ZxhDHvfQmQ==,type:str] - allowed-role: minio-console:user - whitelist-domain: ENC[AES256_GCM,data:SKqK+unRFLC6Y5DNmhgTJ1Bq4Z+PSgT2NLa4/MVR,iv:+lzfSaArulzf8q9giuPFIoBbgGd9jogKTroyrYqeCT0=,tag:Dbdu3OKdwRfx/T4gZQuJIQ==,type:str] - session-cookie-minimal: "true" - silence-ping-logging: "true" - scope: openid email profile - replicaCount: 2 - securityContext: - enabled: true - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: oauth2-proxy - topologyKey: kubernetes.io/hostname - ingress: - enabled: true - path: /oauth2 - pathType: Prefix - hosts: - - ENC[AES256_GCM,data:z2FG3Hw17BmN4ugvZzo7UUmRvo13KyKMovID4oVL,iv:J2n80jxA/mERXSGm2ubZLQnCPvXpm1CVT7NadRYPuXY=,tag:cf55KnUHRCtpJBSSNZ6U1w==,type:str] - tls: - - hosts: - - ENC[AES256_GCM,data:hfS3UudkpAhyyuf2T0sLGAa3+dGeNFPVh5BeZOuX,iv:nkKjDiJO6+GfZwyw8BPSbdHLQd5QeTjXkH1O7cYrRBY=,tag:/Z9Y0VU/ybw4cwsWBnwf4w==,type:str] - secretName: ingress-s3-tls - resources: - limits: - cpu: 200m - memory: 100Mi - requests: - cpu: 100m - memory: 25Mi -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-11T21:46:11Z" - mac: ENC[AES256_GCM,data:4sdEwWdKLdSn3j93pPqc92SR5PFlVT53ShRwD27zHnROvLheGz2zNu0cgdRcQDMyVQPduSaqldftZWlBj0bs0Q/3J8fY4fSqObmv52N+/kpkM8rFd642GKA9YV8DaXgRWhXs/bk8Xm0g2j6Pyztwgqo0bziYw9feoAFJ+a8eekk=,iv:68aTY2mtxyw5gvKDI94SbsYXI1FXNP5paTar9jzhSS4=,tag:FrcaedlYTzunCdQsRPl1VA==,type:str] - pgp: - - created_at: "2022-01-22T04:06:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF - 
27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W - BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P - 7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw - KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9 - OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9 - LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp - DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo - b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y - HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj - XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS - 5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo - M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA== - =c/3x - -----END PGP MESSAGE----- - fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 - - created_at: "2022-01-22T04:06:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ - yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI - 2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN - 46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N - 4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK - GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW - fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU - WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd - vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl - tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c - w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU - aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9 - NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9 - PNNoVr/LwxMQ - =e2fo - -----END PGP MESSAGE----- - fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 - encrypted_regex: 
^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ - version: 3.7.3 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ingress-to-oauth2 - namespace: nas -spec: - podSelector: - matchLabels: - app: oauth2-proxy - ingress: - - from: - - namespaceSelector: - matchLabels: - ingress.shivering-isles.com/network-access-required: "true" -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-11T21:46:11Z" - mac: ENC[AES256_GCM,data:4sdEwWdKLdSn3j93pPqc92SR5PFlVT53ShRwD27zHnROvLheGz2zNu0cgdRcQDMyVQPduSaqldftZWlBj0bs0Q/3J8fY4fSqObmv52N+/kpkM8rFd642GKA9YV8DaXgRWhXs/bk8Xm0g2j6Pyztwgqo0bziYw9feoAFJ+a8eekk=,iv:68aTY2mtxyw5gvKDI94SbsYXI1FXNP5paTar9jzhSS4=,tag:FrcaedlYTzunCdQsRPl1VA==,type:str] + lastmodified: "2023-10-03T16:03:33Z" + mac: ENC[AES256_GCM,data:0PshoV38MsD7xpy7rTVdLj3uRubN4l6TT8ZGTJRDTVCOLYHf1180VOcxwuqGR2Fw3tzbPqqwpw4B6u/kcvnQSZeWgEDL/YHkNlMd6Pptqw/8dJXdrLMQn4wDS2rPdUwOVve5Hmm02aySOpKZZHtNiebxcIFWzgpWN52iTUYsv3Y=,iv:h0vJJ2M6oBwP7MQYAGuXv50jQTfG9j6btvDr9og0inw=,tag:Hj7tFu/80v7VbsnX/sn21A==,type:str] pgp: - created_at: "2022-01-22T04:06:16Z" enc: |-
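Review bot: The new Secret `oauth2-proxy-override-values` has no `metadata.namespace`, while every resource this hunk removes was pinned to `namespace: nas`; unless the Kustomization sets a namespace (its first lines are outside the hunk), add `namespace: nas` under `metadata` so the override values cannot be applied to a different namespace from the release that reads them. The hunk also deletes the `allow-ingress-to-oauth2` NetworkPolicy, and `../../../shared/applications/oauth2-proxy.yaml` is not shown here, so confirm it ships an equivalent policy selecting `app: oauth2-proxy` rather than leaving the proxy pods without an ingress restriction. Because the whole `values-overrides.yaml` string is now one encrypted value, settings that used to be readable in review, such as `allowed-role: minio-console:user`, `scope` and `session-cookie-minimal`, become ciphertext and a later change to them will not show in a diff. Consider keeping only `clientSecret`, `cookieSecret` and the URLs and hosts in this Secret and moving the non-secret values to a plain ConfigMap, assuming the shared HelmRelease reads its overrides through `valuesFrom`.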