apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: oauth2-proxy

resources:
- namespace.yaml
- deployment.yaml
- serviceaccount.yaml
- service.yaml
- virtualservice.yaml

secretGenerator:
- name: oauth2-proxy
  type: Opaque
  literals:
  - client-id=kubeflow-oidc-authservice
  - client-secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
  - cookie-secret=7d16fee92f8d11b8940b081b3f8b8acb

configMapGenerator:
- name: oauth2-proxy
  files:
  - oauth2_proxy.cfg

- name: oauth2-proxy-theme
  files:
  - kubeflow-logo.svg

- name: oauth2-proxy-parameters
  literals:
  # This will configure oauth2-proxy option --cookie-secure which can force
  # auth redirect with redirect_uri parameter using https.
  - FORCE_HTTPS=false

  # If Kubernetes is managed by kind, vCluster, minikube or similar tool,
  # most probably the Kubernetes OIDC Issuer will be server in-cluster
  # behind self-signed certs. This option will configure
  # --ssl-insecure-skip-verify which will accept self-signed-certificates.
  - ALLOW_SELF_SIGNED_ISSUER=true

  # This will configure oauth2-proxy option --skip-jwt-bearer-tokens which
  # will pass the requests with 'Authorization' header with Bearer Token
  # matching --extra-jwt-issuers.
  - ENABLE_M2M_TOKENS=true

  # Bearer tokens issued by these OIDC Issuers will be verified against the
  # Issuer and accepted on success.
  # The format is exactly like in --extra-jwt-issuers.
  # If extra jwt issuers are meant to be used with m2m bearer tokens,
  # each issuer has to be added with RequestAuthentication so Istio can
  # verify, trust and use the JWT. See
  # 'common/oauth2-proxy/components/istio-m2m' for details.
  # Examples:
  # - EXTRA_JWT_ISSUERS=https://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local
  # - EXTRA_JWT_ISSUERS=https://oidc.eks.region.amazonaws.com/id/1234abcd=https://kubernetes.default.svc
  - EXTRA_JWT_ISSUERS=

replacements:
- source:
    version: v1
    kind: Service
    name: oauth2-proxy
    fieldPath: metadata.name
  targets:
  - fieldPaths:
    - spec.http.0.route.0.destination.host
    options:
      delimiter: .
    select:
      version: v1alpha3
      group: networking.istio.io
      kind: VirtualService
      name: oauth2-proxy
- source:
    fieldPath: metadata.namespace
    kind: Service
    name: oauth2-proxy
    version: v1
  targets:
  - fieldPaths:
    - spec.http.0.route.0.destination.host
    options:
      delimiter: .
      index: 1
    select:
      version: v1alpha3
      group: networking.istio.io
      kind: VirtualService
      name: oauth2-proxy

images:
- name: quay.io/oauth2-proxy/oauth2-proxy
  newName: quay.io/oauth2-proxy/oauth2-proxy
  newTag: v7.7.1