diff --git a/.sops.yaml b/.sops.yaml
index 912dddbd06d9c2c2c305a09ffba17fd8b1671c8d..0957a2f8d6639afa4599837369d0b6272e514433 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,9 @@
 creation_rules:
+ - path_regex: shared/components/.*secret.yaml
+ encrypted_regex: ^(stringData)$
+ pgp: >-
+ 286791FB6648539775DB31B8FCB98C2A3EC6F601,
+ B137EE1549DFAF960DD1E2B15147025FB9F09E07
 - path_regex: shared/applications/.*.yaml
 encrypted_regex: ^(stringData)$
 pgp: >-
diff --git a/apps/base/forecastle/kustomization.yaml b/apps/base/forecastle/kustomization.yaml
index 0c988e077090d1cad353e1e19d07a0951bd9a31a..7e377b974e5f724c10b177d78184cd4283e85354 100644
--- a/apps/base/forecastle/kustomization.yaml
+++ b/apps/base/forecastle/kustomization.yaml
@@ -10,7 +10,3 @@ resources:
 commonLabels:
 app: forecastle
-
-components:
- - ../../../shared/components/flux-namespace-admin
- - ../../../shared/components/namespace-baseline
\ No newline at end of file
diff --git a/apps/k8s01/forecastle/kustomization.yaml b/apps/k8s01/forecastle/kustomization.yaml
index e22854b47738d084408649eef0c9ded1962d03a2..2594b1594a712f3084292d4059f07f291ac6b132 100644
--- a/apps/k8s01/forecastle/kustomization.yaml
+++ b/apps/k8s01/forecastle/kustomization.yaml
@@ -1,12 +1,21 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: forecastle
+
+commonLabels:
+ app.kubernetes.io/name: forecastle
+ app.kubernetes.io/instance: fmd
+
 resources:
 - ../../base/forecastle
 - certificate.yaml
 - forecastle-values.yaml
- - ../../../shared/applications/oauth2-proxy.yaml
 - oauth2.yaml
 - pdb.yaml
 - slo.yaml
 - ../../../shared/resourcequotas/default.yaml
+
+components:
+ - ../../../shared/components/namespace-baseline
+ - ../../../shared/components/oauth2-proxy
+ - ../../../shared/components/flux-namespace-admin
\ No newline at end of file
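Review bot: The new rule's `encrypted_regex: ^(stringData)$` leaves a Secret that is written with `data:` instead of `stringData:` entirely in plaintext, and because SOPS takes the first matching creation rule such a file would be committed unencrypted without any error; I'd widen it to `encrypted_regex: ^(data|stringData)$` (the existing `shared/applications` rule visible below it has the same gap). `path_regex: shared/components/.*secret.yaml` is also unanchored with unescaped dots, so it matches any path containing that substring, for example a stray `secretXyaml` backup; `path_regex: ^shared/components/.*secret\.yaml$` states what is meant. The fingerprint list of the existing rule continues outside the hunk, so I cannot confirm the two rules share the same recipient set.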
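Review bot: `commonLabels` in this overlay is, as I understand kustomize's ordering, applied after the `components:` have been accumulated, so `app.kubernetes.io/name: forecastle` and `app.kubernetes.io/instance: fmd` land on the oauth2-proxy component's resources too, and kustomize's built-in commonLabels field specs as far as I recall also write into NetworkPolicy `spec.podSelector.matchLabels` whenever that field already exists — which it does in the oauth2-proxy networkpolicy hunk (`matchLabels: {}`). If that reading is right, the Helm-rendered oauth2-proxy pods will not carry those labels, the policy selects no pods, and the intended ingress allow is silently lost. Either drop the empty `matchLabels: {}` from that NetworkPolicy so only `matchExpressions` is used, or replace `commonLabels` here with the `labels:` transformer (a `pairs:` entry with `includeSelectors: false`) so selectors are left alone. Note also that `commonLabels` feeds the Deployment selector, which is immutable, so changing `fmd` later means recreating forecastle.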
diff --git a/shared/components/oauth2-proxy/configmap.yaml b/shared/components/oauth2-proxy/configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..94e1ec95d4a794316968b1a04d4061f540c8c989
--- /dev/null
+++ b/shared/components/oauth2-proxy/configmap.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: oauth2-proxy-base-values
+ labels:
+ app.kubernetes.io/component: oauth2-proxy
+data:
+ values.yaml: |
+ extraArgs:
+ silence-ping-logging: "true"
+ scope: openid email profile
+ oidc-groups-claim: memberof
+ code-challenge-method: 'S256'
+ replicaCount: 2
+ securityContext:
+ enabled: true
+ resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 25Mi
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app: oauth2-proxy
+ matchLabelKeys:
+ - pod-template-hash
\ No newline at end of file
diff --git a/shared/components/oauth2-proxy/kustomization.yaml b/shared/components/oauth2-proxy/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a92d7e6dd88ef6b3ee8ac2b6aa6679556c86d065
--- /dev/null
+++ b/shared/components/oauth2-proxy/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+ - configmap.yaml
+ - secret.yaml
+ - repository.yaml
+ - release.yaml
+ - networkpolicy.yaml
\ No newline at end of file
diff --git a/shared/components/oauth2-proxy/networkpolicy.yaml b/shared/components/oauth2-proxy/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c47fe9849ac40eb8ea0d9ce7cceaba370745f122
--- /dev/null
+++ b/shared/components/oauth2-proxy/networkpolicy.yaml
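Review bot: Quoting inside the embedded `values.yaml` block is inconsistent — `silence-ping-logging: "true"` is double-quoted while `code-challenge-method: 'S256'` is single-quoted; neither needs escapes, so single quotes throughout would make the block read as one author's work. `oidc-groups-claim: memberof` together with `scope: openid email profile` encodes an assumption about the identity provider that is invisible to the next reader; a comment such as `# group-based access relies on the IdP exposing a "memberof" claim in the ID token` above `extraArgs:` would record it. `matchLabelKeys` under `topologySpreadConstraints` needs a cluster where the MatchLabelKeysInPodTopologySpread gate is on (beta since 1.27, as I recall); on older clusters the field is dropped and old and new ReplicaSet pods are counted together, so a one-line comment stating the minimum cluster version would help.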
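Review bot: The component's files disagree on document framing: `configmap.yaml`, `networkpolicy.yaml` and `release.yaml` open with `---` while this `kustomization.yaml`, `repository.yaml` and `secret.yaml` do not, and this file, `configmap.yaml`, `release.yaml`, `repository.yaml` and `secret.yaml` all end without a trailing newline. Pick one convention for the component (a leading `---` and a final newline is what yamllint expects) so later diffs are not polluted by framing fixes.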
@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-ingress-to-oauth2
+ labels:
+ app.kubernetes.io/component: oauth2-proxy
+spec:
+ podSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - oauth2-proxy
+ matchLabels: {}
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ ingress.shivering-isles.com/network-access-required: "true"
+
diff --git a/shared/components/oauth2-proxy/release.yaml b/shared/components/oauth2-proxy/release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..68b94cdf6889688d4b1ea2b55f993fd8c57906dd
--- /dev/null
+++ b/shared/components/oauth2-proxy/release.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: oauth2-proxy
+ labels:
+ app.kubernetes.io/component: oauth2-proxy
+spec:
+ releaseName: oauth2-proxy
+ chart:
+ spec:
+ chart: oauth2-proxy
+ sourceRef:
+ kind: HelmRepository
+ name: oauth2-proxy
+ # renovate: datasource=helm depName=oauth2-proxy registryUrl=https://oauth2-proxy.github.io/manifests
+ version: 6.23.1
+ interval: 5m
+ install:
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ valuesFrom:
+ - kind: ConfigMap
+ name: oauth2-proxy-base-values
+ valuesKey: values.yaml
+ - kind: Secret
+ name: oauth2-proxy-common-values
+ valuesKey: values.yaml
+ - kind: Secret
+ name: oauth2-proxy-override-values
+ valuesKey: values-overrides.yaml
\ No newline at end of file
diff --git a/shared/components/oauth2-proxy/repository.yaml b/shared/components/oauth2-proxy/repository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fb3f3e027a4efa18e00baf95d221bc6e7e14da91
--- /dev/null
+++ b/shared/components/oauth2-proxy/repository.yaml
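Review bot: The `ingress.from` rule carries no `ports:` list, so pods in every namespace labelled `ingress.shivering-isles.com/network-access-required: "true"` can reach any port on the oauth2-proxy pods — including a metrics or debug listener should one ever be enabled — rather than only the proxy's HTTP port; adding `ports:` with `- protocol: TCP` and `port: <oauth2-proxy listen port>` limits it to what the ingress controller needs. The selector is also worth tightening: `matchExpressions` already selects `app in (oauth2-proxy)`, and the extra `matchLabels: {}` is a no-op today that only gives label transformers a place to write selector labels the Helm-managed pods will not carry, so I would drop it. I'd also state `policyTypes: [Ingress]` explicitly so the policy's scope survives a later `egress:` addition.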
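Review bot: `valuesFrom` references a Secret `oauth2-proxy-override-values` (key `values-overrides.yaml`) that this component does not ship, unlike `oauth2-proxy-base-values` and `oauth2-proxy-common-values`, and without `optional: true` the HelmRelease fails to reconcile in any namespace that includes the component but never creates that Secret, with nothing in the component saying it is expected. If per-overlay overrides are meant to be optional, add `optional: true` to that entry; if they are mandatory, annotate it, e.g. `# supplied by the consuming overlay, not by this component`. The entry order matters too, since later `valuesFrom` entries override earlier ones, so a comment such as `# precedence: base ConfigMap < common Secret < per-overlay override Secret` would keep someone from reordering the list.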
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: oauth2-proxy
+ labels:
+ app.kubernetes.io/component: oauth2-proxy
+spec:
+ interval: 30m
+ url: https://oauth2-proxy.github.io/manifests
\ No newline at end of file
diff --git a/shared/components/oauth2-proxy/secret.yaml b/shared/components/oauth2-proxy/secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1b5dc6a4e2382d49c901c1450d03bf60ae4ed1a5
--- /dev/null
+++ b/shared/components/oauth2-proxy/secret.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: oauth2-proxy-common-values
+ labels:
+ app.kubernetes.io/component: oauth2-proxy
+stringData:
+ values.yaml: ENC[AES256_GCM,data:e/0KprhgVZA3xvmkPleKFKsdjrhaFtKxZV6WcR5D+usFY4EjAMqQU8l7F1WwI9TToR5FJvE8WpdwOHQNxkrleEELXOC73PPK9h7EIJ9X9AQnAfQfeAlN7uW5Y1ClO6QQPXbG+A9dWw8axtlgBAhbsjgnkRRzkInYRZ+3/Bw11GCoDJuEsmUE9F+/yp+WMDAK,iv:2ODN4Hr59QOa8LHGbz5rjwtpjazj5+lJVmbVNMb19fg=,tag:PGJxywVMCdqTGmw7kRiiPQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-01-29T01:19:56Z"
+ mac: ENC[AES256_GCM,data:DdWfX3V/M+cpR74W2IJF9NL82mI7L4Qdz7Akl0AN/pSZtdSS8r73FrJNe/I53HKD0kdsaA+H8ERRqEvs8tA10PqgjTMa4ejF+Bm56SOQTiZU8oSEPlSMirIMyxVbjMo3ijG18tNgxRLi5iW6RKgfPKXeRBPOdVfVpWG6NJhVktM=,iv:zyNJI9ZmuJXZ2U/4BP4IEkETOuiM5PZdI7UUiPrai/M=,tag:LIrbpGp7g7A3lOny370jOQ==,type:str]
+ pgp:
+ - created_at: "2024-01-29T01:19:56Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wcFMA7kpg2bgzVHcAQ//dWZu1FM8PdaLI/pECsn34T+V+iWLQ8kQ3dbfz0Svhfri
+ rDwqcZLP7L8SKsnP5SaDRmBr7OfgvR6mwSlgJ5KrISevSeXm+Gqo/TG8jf8ry6mG
+ StWISlGahRFU1GeuciBAJ6hppSJCg2vk+VvI9CEHvPjqCBGjunxnGrUlrSRz4F0G
+ NifNuLejDJ+PBz7lZcVe17MoIi9FsdsaloONBh5Qa9V7RBNt5q5ZMIx9HG7gyd9Z
+ ZV7PToFEbbncAQwtoDGjPZTxV+jTZnejrnLySU+oYYxzpj73mBA7iNAaI816cNY6
+ +jfbj+JeguAY6WEZX+y/BXn+oaYHlL5ZwJbIwKQaoQRbxx+QKTtuKHcd3oJsmGr5
+ qfGoH6FmLTnLUfIIWJIYR45t5dnbvJTzRgKgTz3Oe2H6/H2uIvSeyv7JMXVsaNyF
+ 0Bym3zLAVieKA+IC2YQsywu5wThl5oBNnaiClizqf5BGXvI7sz48H1A3TUXBjYaF
+ l9CosIXsBZtDMi/wxEGEjXQnfnvfc3y4SbtvOGE+E5m5WPYorR0FD3zAvh/BK26F
+ nAMlLD6h+uL/mzhH3QiYzKN/Ylx6jeSbvAGpBYVQ9DISRPDBGrvoPK8jrLVtj+fZ
+ 4Hbn/PNJgfRKOvFIf85CvTBnTS0HsxNbJKucYL9XsYuWcGerWJeEy+OfsTMkuJ/S
+ UQHvweldOK7VHkI1tSSdNp3B8P8Yin1VGmr/qJgQlaEXtums/BDXKda2aYTYjQHk
+ WngEGNgVBaDZYyt3g2PkLWhInKmleZWIMKMKj+hSbAS9EQ==
+ =ztPR
+ -----END PGP MESSAGE-----
+ fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+ - created_at: "2024-01-29T01:19:56Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4oYbIHZIrAPARAAw+Cytg1mG36/wr9AHVF30V6zYKMzS7HKajj1Ia9Xt8ej
+ TGpHRSpscU2HwfX1SliEAtfe2Xnqupm65AVXQEeorRhj2axgTfaRYFBIEJDnTJzm
+ UZcndCf416GZIDDu5SF2u2c64WofnpMPV7okdaFvoPNRCZvavGytcYXcczMdV43E
+ Xdb8p66LbFRJuHbGsu3b0M5ylMuaIH2MQGr/KX3fPHij4ZhYaZ/hMRf0YCSf41sM
+ 8aoA+Nkgkj/rn6AasSPoFezUNRI0BE7zg20TGcR3sMLIYE7y0Ds2cqa7BIujGcRB
+ pJJQj2VVJZDYpBo4KGiPnvtWNLQONvD5fj+4FKqOiY1moxvr+SYHjY1aMtuCdfmS
+ soPOmj646OBz9Al43TzD16+QBf/r8LzHp2r/ZXXZSAKUqC1e+2whqi2+VOXVk2Vn
+ SUXyDJY52oNX7kC+HnuoxUnsZuwfDRQT5mJG0oF0n0byFz4H3l58T6r3gaS2gzaY
+ AdI0Txv+ktnrJxqLYo4j5Yhq3nBFflMK76U08v6K2N3u0XuRABwbH/TFrdpnKJUA
+ OuJ8+nwgnh81i/yEuIKlKHWu/j9MYjCJSBsq+9TDmL6623uu1GLRj8LKEenClOwo
+ 7Q9GNZmQ3qNGTMSs9j1kYCtE67RJJq4GreufffEz4InWFYdPkg5lCPFMPcY5xRvU
+ aAEJAhCQosWWWhg0VQuN+gAhwEFZnMZZsxyo3qpLvsirYuIrxtzVdJZvrRlshexh
+ 1eCp0BLflopyp20Avl85QeP//NO/6BeZE6whf5KGsfBdzCh8uoV9/+yqCxYTWX0L
+ E0xLjP9XfzKh
+ =XKjJ
+ -----END PGP MESSAGE-----
+ fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+ encrypted_regex: ^(stringData)$
+ version: 3.7.3
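Review bot: Only `stringData.values.yaml` is encrypted here (`encrypted_regex: ^(stringData)$`), and because the whole Helm values document is one opaque `ENC[...]` blob, a reviewer cannot tell which chart settings live in this Secret versus in the plaintext `oauth2-proxy-base-values` ConfigMap, so non-secret configuration tends to drift into the unreviewable side over time. A comment above `stringData:` stating the intended split — e.g. `# values.yaml holds only credential-bearing chart values; non-secret settings belong in configmap.yaml` — is a statement of intent, not a secret, and keeps that boundary visible. The `sops.pgp` recipients `286791FB…F601` and `B137EE…9E07` match the new `.sops.yaml` rule, but with `age: []` and PGP-only recipients every key rotation means re-encrypting each such file, which is worth a note next to the rule so the next operator knows to run `sops updatekeys` across the component secrets.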