add traefik oauth forward

deployment/authZ/certificate.yaml

@@ -0,0 +1,29 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gh-authz-certificate
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+spec:
+  isCA: false
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  dnsNames:
+    - gh-authz.generations-heritage.svc.cluster.local
+    - gh-authz
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+  subject:
+    organizations:
+      - GenerationsHeritage
+  secretName: gh-authz-tls
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  issuerRef:
+    name: default-cluster-ca-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+  

deployment/authZ/deployment.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/hook: Synce
+  name: gh-authz
+  namespace: generations-heritage
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: gh-authz
+      app.kubernetes.io/name: gh-authz
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: gh-authz
+        app.kubernetes.io/name: gh-authz
+    spec:
+      containers:
+        - image: vcscsvcscs/gheritage-auth-service:latest
+          imagePullPolicy: Always
+          name: gh-authz
+          ports:
+          - containerPort: 443
+            name: gin
+          securityContext:
+            runAsUser: 0
+          resources:
+            limits:
+              cpu: 250m
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 50Mi
+          volumeMounts:
+            - name: gh-authz-certs
+              mountPath: /etc/gh-authz/ssl
+            - name: zitadel-service-account
+              mountPath: /etc/gh-authz/zitadel
+      volumes:
+      - name: gh-authz-certs
+        secret:
+          secretName: gh-authz-tls
+      - name: zitadel-service-account
+        secret:
+          secretName: zitadel-service-account

deployment/authZ/forwardAuth.yaml

@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-service
+spec:
+  forwardAuth:
+    address: https://gh-authz/auth/
+    authResponseHeaders:
+      - id
+    tls:
+      insecureSkipVerify: true

deployment/authZ/horizontalPodAutoScaler.yaml

@@ -0,0 +1,26 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: gh-authz
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: gh-authz
+  minReplicas: 1
+  maxReplicas: 5
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 50
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: 50

deployment/authZ/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: generations-heritage
+
+resources:
+  - ./certificate.yaml
+  - ./zitadel-acces-key.yaml
+  - ./deployment.yaml
+  - ./service.yaml
+  - ./horizontalPodAutoScaler.yaml
+  - ./forwardAuth.yaml

deployment/authZ/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  name: gh-authz
+spec:
+  ports:
+  - name: gin
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  selector:
+    app.kubernetes.io/instance: gh-authz
+    app.kubernetes.io/name: gh-authz
+  type: ClusterIP