apiVersion: v1
kind: ConfigMap
metadata:
  name: host-mappings
  namespace: auth-proxy
  labels:
    app: proxy
data:
  mapping.json: |
    {
      "tekton-el.auth-proxy.svc": "tekton-el.cluster.local",
      "vmcluster.auth-proxy.svc": "vmcluster.cluster.local",
      "loki.auth-proxy.svc": "loki-write.cluster.local",
      "loki.auth-proxy.svc:80": "loki-write.cluster.local",
      "loki-distributed.auth-proxy.svc": "loki-loki.cluster.local",
      "loki-distributed.auth-proxy.svc:80": "loki-loki.cluster.local"
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: internal-proxy
  namespace: auth-proxy
  labels:
    app: internal-proxy
  annotations:
    configmap.reloader.stakater.com/reload: "host-mappings"
    secret.reloader.stakater.com/reload: "tailscale-auth"
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: internal-proxy
  template:
    metadata:
      labels:
        app: internal-proxy
    spec:
      serviceAccountName: default
      dnsPolicy: ClusterFirst
      dnsConfig:
        nameservers:
          - 100.100.100.100
      containers:
      - name: proxy
        image: rg.fr-par.scw.cloud/averagemarcus/proxy:latest
        imagePullPolicy: Always
        env:
        - name: PROXY_DESTINATION
          value: talos.tail4dfb.ts.net
        - name: PORT
          value: "8080"
        - name: TS_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: tailscale-auth
              key: password
        - name: TS_HOSTNAME
          value: auth-proxy-internal-proxy
        ports:
        - containerPort: 8080
          protocol: TCP
        volumeMounts:
        - name: host-mappings
          mountPath: /config/

      - name: oauth-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
        args:
        - --cookie-secure=false
        - --provider=oidc
        - --provider-display-name=Auth0
        - --upstream=http://localhost:8080
        - --http-address=0.0.0.0:8181
        - --email-domain=*
        - --pass-basic-auth=false
        - --pass-access-token=false
        - --oidc-issuer-url=https://marcusnoble.eu.auth0.com/
        - --cookie-secret=KDGD6rrK6cBmryyZ4wcJ9xAUNW9AQNFT
        - --cookie-expire=336h0m0s
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: username
              name: auth-proxy
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: password
              name: auth-proxy
        ports:
        - containerPort: 8181
          protocol: TCP
        resources:
          limits:
            memory: 50Mi
          requests:
            memory: 50Mi
      volumes:
      - name: host-mappings
        configMap:
          name: host-mappings
---
apiVersion: v1
kind: Service
metadata:
  name: tailscale-proxy
  namespace: auth-proxy
  labels:
    app: internal-proxy
spec:
  ports:
  - name: non-auth
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: auth
    port: 81
    protocol: TCP
    targetPort: 8181
  selector:
    app: internal-proxy
  type: ClusterIP
---