Removed oauth2-proxy and added more subcharts

charts/infrastructure/templates/oauth2-proxy.yaml

@@ -1,85 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  # annotations:
-  #   volsync.backube/privileged-movers: "true"
-  labels:
-    kubernetes.io/metadata.name: oauth2-proxy
-    image-pull-secret: harbor
-  name: oauth2-proxy
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: oauth2-proxy
-  namespace: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    name: ''
-    namespace: oauth2-proxy
-    server: 'https://kubernetes.default.svc'
-  source:
-    path: charts/oauth2-proxy
-    repoURL: {{ .Values.global.repo }}
-    targetRevision: {{ .Values.environment.revision }}
-    helm:
-      values: |
-        {{- include "defaultEnvironment" . | indent 8 }}
-        {{- if eq .Values.environment.mode "staging" }}
-        {{- else if eq .Values.environment.mode "production" }}
-        {{- end }}
-  #project: oauth2-proxy
-  project: default
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: oauth2-proxy
-  namespace: argocd
-  # Finalizer that ensures that project is not deleted until it is not referenced by any application
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: Infra-level project to isolate oauth2-proxy
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-  - '*'
-  # Only permit applications to deploy to the guestbook namespace in the same cluster
-  destinations:
-  - namespace: oauth2-proxy
-    server: https://kubernetes.default.svc
-  # Deny all cluster-scoped resources from being created, except for Namespace
-  clusterResourceWhitelist:
-  - group: ''
-    kind: Namespace
-  # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
-  namespaceResourceBlacklist:
-  - group: ''
-    kind: ResourceQuota
-  - group: ''
-    kind: LimitRange
-  #- group: ''
-  #  kind: NetworkPolicy
-  # # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
-  # namespaceResourceWhitelist:
-  # - group: 'apps'
-  #   kind: Deployment
-  # - group: 'apps'
-  #   kind: StatefulSet
-  roles:
-  # A role which provides read-only access to all applications in the project
-  - name: read-only
-    description: Read-only privileges to oauth2-proxy
-    policies:
-    - p, proj:my-project:read-only, applications, get, oauth2-proxy/*, allow
-    groups:
-    - my-oidc-group

charts/oauth2-proxy/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

charts/oauth2-proxy/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: oauth2-proxy
-  repository: https://oauth2-proxy.github.io/manifests
-  version: 7.14.2
-digest: sha256:63968328c600bf64276b8f9d4176bcd1e82863f00bc83678fb62f6138cb97ea4
-generated: "2025-07-21T17:16:16.287524348Z"

charts/oauth2-proxy/Chart.yaml

@@ -1,29 +0,0 @@
-apiVersion: v2
-name: sealed-secrets
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
-
-dependencies:
-- name: oauth2-proxy
-  version: 7.14.2
-  repository: "https://oauth2-proxy.github.io/manifests"

charts/oauth2-proxy/README.md

@@ -1,51 +0,0 @@
-# sealed-secrets
-
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
-
-A Helm chart for Kubernetes
-
-## Requirements
-
-| Repository | Name | Version |
-|------------|------|---------|
-| https://oauth2-proxy.github.io/manifests | oauth2-proxy | 7.12.18 |
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| environment.baseDomain | string | `"deepcypher.me"` |  |
-| environment.contact.email | string | `"noreply@deepcypher.me"` |  |
-| environment.contact.name | string | `"George Onoufriou"` |  |
-| environment.hardware | string | `"metal"` |  |
-| environment.location.name | string | `"unknown"` |  |
-| environment.mode | string | `"production"` |  |
-| environment.name | string | `"unknown"` |  |
-| environment.revision | string | `"main"` |  |
-| oauth2-proxy.autoscaling.enabled | bool | `true` |  |
-| oauth2-proxy.autoscaling.maxReplicas | int | `3` |  |
-| oauth2-proxy.autoscaling.minReplicas | int | `1` |  |
-| oauth2-proxy.config.configFile | string | `"provider = \"keycloak-oidc\"\nredirect_url = \"https://oauth2-proxy.deepcypher.me/oauth2/callback\"\noidc_issuer_url = \"https://auth.deepcypher.me/realms/deepcypher\"\ncode_challenge_method = \"S256\"\nemail_domains=[\"*\"]\nupstreams = [\"static://200\"]"` |  |
-| oauth2-proxy.config.existingSecret | string | `"oidc-credentials"` |  |
-| oauth2-proxy.ingress.annotations."cert-manager.io/cluster-issuer" | string | `"aux-issuer"` |  |
-| oauth2-proxy.ingress.annotations."traefik.ingress.kubernetes.io/router.middlewares" | string | `"traefik-headers@kubernetescrd"` |  |
-| oauth2-proxy.ingress.className | string | `"traefik"` |  |
-| oauth2-proxy.ingress.enabled | bool | `true` |  |
-| oauth2-proxy.ingress.hosts[0] | string | `"oauth2-proxy.deepcypher.me"` |  |
-| oauth2-proxy.ingress.labels | object | `{}` |  |
-| oauth2-proxy.ingress.path | string | `"/"` |  |
-| oauth2-proxy.ingress.pathType | string | `"ImplementationSpecific"` |  |
-| oauth2-proxy.ingress.tls[0].hosts[0] | string | `"oauth2-proxy.deepcypher.me"` |  |
-| oauth2-proxy.ingress.tls[0].secretName | string | `"oauth2-proxy.deepcypher.me-tls"` |  |
-| oauth2-proxy.initContainers.waitForRedis.enabled | bool | `false` |  |
-| oauth2-proxy.metrics.enabled | bool | `true` |  |
-| oauth2-proxy.metrics.serviceMonitor.enabled | bool | `true` |  |
-| oauth2-proxy.redis.auth.enabled | bool | `true` |  |
-| oauth2-proxy.redis.auth.existingSecret | string | `"redis-creds"` |  |
-| oauth2-proxy.redis.auth.existingSecretPasswordKey | string | `"redis-password"` |  |
-| oauth2-proxy.redis.auth.sentinel | bool | `false` |  |
-| oauth2-proxy.redis.enabled | bool | `false` |  |
-| oauth2-proxy.resources.limits.memory | string | `"100Mi"` |  |
-| oauth2-proxy.resources.requests.cpu | string | `"60m"` |  |
-| oidc.realm | string | `"deepcypher"` |  |
-

charts/oauth2-proxy/templates/middleware-forward-auth.yaml

@@ -1,8 +0,0 @@
-# Generic forward auth helper
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: test-auth
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth

charts/oauth2-proxy/templates/oidc/oidc-client.yaml

@@ -1,33 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: Client
-metadata:
-  name: oauth2-proxy
-spec:
-  deletionPolicy: Delete
-  forProvider:
-    realmIdRef:
-      name: {{ .Values.oidc.realm }}
-    name: oauth2-proxy
-    description: "oauth2-proxy client for authentication testing"
-    accessType: CONFIDENTIAL
-    clientId: oauth2-proxy # must match oidc secret value as no way to marry the two
-    clientSecretSecretRef:
-      name: oidc-credentials
-      namespace: oauth2-proxy
-      key: client-secret
-    standardFlowEnabled: true
-    directAccessGrantsEnabled: true
-    implicitFlowEnabled: false
-    baseUrl: "https://oauth2-proxy.{{ .Values.environment.baseDomain }}"
-    validRedirectUris:
-    - "https://oauth2-proxy.{{ .Values.environment.baseDomain }}/oauth2/callback"
-    validPostLogoutRedirectUris:
-    - "https://oauth2-proxy.{{ .Values.environment.baseDomain }}"
-    - "https://oauth2-proxy.{{ .Values.environment.baseDomain }}/sign_out"
-    webOrigins:
-    - "oauth2-proxy.{{ .Values.environment.baseDomain }}"
-# NOTE: The following URL is the one the client should use for discovery
-# https://keycloak.{{ .Values.environment.baseDomain }}/realms/{{ .Values.oidc.realm }}/.well-known/openid-configuration
-# to test this client you can use the following:
-# curl curl -d "grant_type=password" -d "scope=openid" -d "client_id=oauth2-proxy" -d "client_secret=<CLIENT_SECRET>" -d "username=<USER_NAME>" -d "password=<USER_PASSWORD>" https://keycloak.{{ .Values.environment.baseDomain }}/realms/{{ .Values.oidc.realm }}/protocol/openid-connect/token --insecure | jq .
-# then paste the contents of the access token to the online tool: https://jwt.io/

charts/oauth2-proxy/templates/oidc/oidc-credentials.sealed.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: oidc-credentials
-  namespace: oauth2-proxy
-spec:
-  encryptedData:
-    client-id: AgCREmd7GPO6jBDNFq3CE0U2o6d+3ULdtTNqNwlxABWLReolwkCUMsxsKJkluRpu8tLl4Qu+KTML5TuN6MsKdd1RK56wcr3SfSuaHRYmLvImqa9DonczzRu//B/naRQanArOXPrnuIn/KkMqqxj9EyqIFBXW5sZ4noY4xwDBQ4XGaVBAP8pRtwBSK83dT4ruxi33yEfvA4sQDV2Cguf6y0UQB4tCKcMtIM1lp04qKHFiyIZioxNJa6fUdgzaGPTGK6dgrKoGj2i9xomfaC9ZYPf9I7Ys+Tr5kktPm7jxDIh+T67MqKqVWxLQ8qgxNae3ze29JrUHV0G8ocVopVcecOln9wSTEYSdt64DrnawvHxJcio8NuUeHPSnC4FtK0MosAqM3eYZDpXBd1D1PZ9BiJgU7cjcBUA/iBd6fLlzEitiW4+3dk53F1X1xlR+plp/d0bZtbWAz4NEFyWpVW0zQh22IyvQselX7EU92bq1fdCBMEnNWVu12unstY/fp35LczGrprMQ3FdYOtcGS+NkCbVAmHVyr6TXXTvIXT3MK27/qAC/E0W2J/Xnph64tVoJZSRWNI80ZEnVOsKDG86snHRCv8lZdw19QRIv54lSU858GNNo/mWr0EK98llKPX6pehQ/KdRFYQ/B24qaKlYnySBkPvb63qqakpAHYfx0xC0lGUHHuJOOwMkmR7r5ADICEfJHLFGZfM8r1CrcJVs=
-    client-secret: AgCAJPZDzG+/uErg086Pzrt33Hel2M8/lvhfqxUwjefsjez7oxogou6spa9SjXzunwvjRGfbEil5Nytt1hde0pw+Ptm8rszxkwpbT/Kn6kFJtLg3hB0tHSsk8HEa6si7bFI+drNwlpnJUqWW5sXFviGVhRl4n1/Eq+qJaIrYiZs4TN6cXoQSD5zsIJciQvwQa/zTE409MbRFG5EiMsADjTTxbtDI/6DGjKTjpPxBKE4LO8k9wwppTEAyhDx91a2RfI7dZccyCNuxtwCHQthDo9TZQRXl7i1xRE3c3MIWvG1S5acRLPhlFK8z1GlUL04QLJWo6/MKV119+PD697MY280uBXYwiU+7fRrSBPdgb58yZewZX35wcPEDjXEDLBlqnn4lReSZG2T1hknl/H9Mx6KyeY8X1qhStHT1xkKT2WV6cd7qrLRiW+isDjKKZCvbn2NABM2iVQcFP/1w8nEbYMZaJmcE+/LKbRsfvwUgqtVf9+49863qtMjyiA8g/VD5DTQQRCeecU8+17OpveIqHgmXSxdgJU5IWQBEZ9oROspPaVcswLTPnjw+dv5PQHrGv9Mje9KnkfKIU71IEsKfjIaLQbwp3z9cQDWIrgvziGcg90Kq9rEeANgaVaVc9waIYMrmdpczgwwuo2MXMFU6F8YSr/QqrX0z/T8kq82iIZrTDxoha/CYinJnSkGPUnrEZrn91q9G61UL9gk8l96wN8Pi9PLmoYw31N+PNPl+aQ/y6euHeynetlZzq6K6+J4QbAJPxcn5d9dZaUfzTbR1WO2j
-    cookie-secret: AgAzdbQzPkcxHCVMoKkpXsUKk128TIN6ADk6Aes3g+QGBER+94QXq5vGyl5uP8taj8w7HzUwLeCXorwBtZUl+tnJI6kVxj8YSQtnu6228YexOnqXAsEURXNwK0U3djFG4U+0ZLIPpBN2PPHP9UzyyNP4l0brt7qIQpL6xx9mhF19hXqDkjqzuX86SdmObipVeuc1HM2bwyKrm2KxP0xBSGty78CUXqOReW70C/VxHsJiEoqz13Wm+ij6NoGKC6VR0tAaXGGSwu6tv1tPbqKFXU5Mfr/4+BHZhxtOIIi0gbrRbQABVK9cYBwrVbx4QrL+JqBTwJycghz26x4qLLNHsF+g1jKr9LvFQTmJsYhMA+kF8b44Tj2kfuqzvzGu8hucImOVNnZ6vyJS3XSj/rWZxCb8otEiGAzhMuKW2ebTYPWcPEu8gVIhEdzgkc9ZM6Jf3e6lW++eAq2oeMEGDTpBi4VPGSTw6cIRwfLaA+nG6RYMyWBZpDYK38WZ432bHHy+VyeSxuz9vawj+I5fgJpGWYN9sHdZTKlz/e59PIo2FVkcJQoi0zIJk5W7g+5mquEFulDRYpY3q2dIxUKWNjIJ/q6xxlUwDRxSa1BD0uiFzFpxAFmVSpIBZD2PNvJs7nbPtdC0Z4a5EYijgaHPQ5iYWvCcO64SiksR1O90ucUoAfGlihpsZStelazYmGdSWdm5fBdXWz4KA164okz7mWjXe63f2Rf1VgI6ZVE0voIq82ArBg==
-  template:
-    metadata:
-      creationTimestamp: null
-      name: oidc-credentials
-      namespace: oauth2-proxy
-    type: Opaque

charts/oauth2-proxy/templates/oidc/oidc-scopes.yaml

@@ -1,24 +0,0 @@
-apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
-kind: ClientDefaultScopes
-metadata:
-  name: oauth2-proxy
-spec:
-  deletionPolicy: Delete
-  forProvider:
-    realmIdRef:
-      name: {{ .Values.oidc.realm }}
-    clientIdRef:
-      name: oauth2-proxy
-    defaultScopes:
-    # basics usually included in all
-    - acr # OpenID Connect scope for add acr (authentication context class reference) to the token
-    - basic # OpenID Connect scope for add all basic claims to the token
-    - web-origins # OpenID Connect scope for add allowed web origins to the access token
-    # standard additionals
-    - email # OpenID Connect built-in scope: email
-    - profile # OpenID Connect built-in scope: profile
-    - roles # OpenID Connect scope for add user roles to the access token
-    # needed by oauth2-proxy
-    - flattened-roles
-  providerConfigRef:
-    name: default

charts/oauth2-proxy/templates/oidc/oidc-urls.yaml

@@ -1,13 +0,0 @@
-{{ $issuerUrl := printf "https://auth.%s/realms/%s" .Values.environment.baseDomain .Values.oidc.realm }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: oidc-urls
-data:
-  issuerURL: "{{ $issuerUrl }}"
-  authorizationURL: "{{ $issuerUrl }}/protocol/openid-connect/auth"
-  jwksURL: "{{ $issuerUrl }}/protocol/openid-connect/certs"
-  logoutURL: "{{ $issuerUrl }}/protocol/openid-connect/logout?post_logout_redirect_uri=https://oauth2-proxy.{{ .Values.environment.baseDomain }}/sign_out"
-  tokenURL: "{{ $issuerUrl }}/protocol/openid-connect/token"
-  userInfoURL: "{{ $issuerUrl }}/protocol/openid-connect/userinfo"
-  wellKnownURL: "{{ $issuerUrl }}/.well-known/openid-configuration"

charts/oauth2-proxy/values.yaml

@@ -1,93 +0,0 @@
-oidc:
-  realm: deepcypher
-
-oauth2-proxy:
-  redis:
-    enabled: false
-    auth:
-      enabled: true
-      sentinel: false
-      existingSecret: redis-creds
-      existingSecretPasswordKey: redis-password
-
-  initContainers:
-    waitForRedis:
-      enabled: false
-
-  ingress:
-    enabled: true
-    className: traefik
-    path: /
-    pathType: ImplementationSpecific
-    hosts:
-    - oauth2-proxy.deepcypher.me
-    labels: {}
-    annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: traefik-headers@kubernetescrd
-      cert-manager.io/cluster-issuer: aux-issuer
-    tls:
-    - secretName: oauth2-proxy.deepcypher.me-tls
-      hosts:
-      - oauth2-proxy.deepcypher.me
-
-  autoscaling:
-    enabled: true
-    minReplicas: 1
-    maxReplicas: 3
-
-  metrics:
-    enabled: true
-    serviceMonitor:
-      enabled: true
-
-  resources:
-    limits:
-      memory: 100Mi
-    requests:
-      cpu: 60m
-
-  config:
-    existingSecret: oidc-credentials
-    # existingConfig: oauth2-proxy
-    configFile: |-
-      provider = "keycloak-oidc"
-      redirect_url = "https://oauth2-proxy.deepcypher.me/oauth2/callback"
-      oidc_issuer_url = "https://auth.deepcypher.me/realms/deepcypher"
-      code_challenge_method = "S256"
-      email_domains=["*"]
-      upstreams = ["static://200"]
-
-
-
-# # see: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example
-# provider = "oidc"
-# oidc_issuer_url = "https://auth.deepcypher.me/"
-# email_domains = ["*"]
-# upstreams = ["file:///dev/null"] #static://200"
-# pass_user_headers = true
-# set_xauthrequest = true
-# reverse_proxy = true
-# # api_routes = ["^/v1"]
-#
-# # this can only be used with volumes
-# # https://stackoverflow.com/questions/70497915/oauth2-proxy-returns-a-white-webpage-with-found-link-instead-of-the-provider-a
-# # custom_templates_dir = "/etc/oauth2_pages"
-#
-# #skip_auth_routes = ["^/api/v1/auth"]
-# #set_authorization_header = true
-# provider_display_name = "Keycloak"
-# # custom_sign_in_logo = "https://some-png.png
-# # https://stackoverflow.com/questions/70497915/oauth2-proxy-returns-a-white-webpage-with-found-link-instead-of-the-provider-a
-# #skip_provider_button = true
-
-environment:
-  name: unknown # not to be used for hard checks but to display to user
-  hardware: metal # to be used to enable on-prem specific features like ceph, cilium, etc
-  mode: production # to be used to configure backup movement and additional debugging features
-  revision: main # to be used to pull from different git branches
-  baseDomain: deepcypher.me # to be used to override default chart domains to configure environments
-  location:
-    name: unknown # not to be used for hard checks purely informational
-  contact:
-    name: George Onoufriou
-    email: noreply@deepcypher.me