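---
# Service: cluster-internal entry point for the pods labelled run=oid.
apiVersion: v1
kind: Service
metadata:
  name: oid
  labels:
    run: oid
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    run: oid
  # Uncomment the following if you want to expose an IP.
  # NOTE(review): a LoadBalancer Service publishes port 80 directly; traffic
  # reaching it that way does not pass through the Ingress below, so it gets
  # neither the Ingress TLS nor its basic-auth annotations.
  # type: LoadBalancer
# status:
#   loadBalancer: {}
---
# Deployment: a single replica of the webauth container, which (judging by its
# environment variables) authenticates against an OpenID provider and proxies
# to PROXY_HOST.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oid
spec:
  replicas: 1
  selector:
    matchLabels:
      run: oid
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        run: oid
    spec:
      containers:
        # NOTE(review): the image has no tag or digest, so it resolves to
        # :latest and can change between pod restarts. Pin it to a reviewed
        # tag or digest once one has been chosen.
        - image: 1nfiniteloop/webauth
          name: oid
          env:
            # The session secret is read from a Kubernetes Secret instead of
            # being a literal in this manifest, so it is not stored in version
            # control or readable from the Deployment object. The Secret name
            # and key below are placeholders: create the Secret out of band
            # with a randomly generated value before applying this file.
            - name: OID_SESSION_SECRET  #: secret value for cookie sessions
              valueFrom:
                secretKeyRef:
                  name: oid-session  # placeholder Secret name
                  key: session-secret  # placeholder key
            - name: OID_DISCOVERY  #: OpenID provider well-known discovery URL
              value: https://keycloak.xdrtest.accenturefederalcyber.com/auth
            - name: OID_CLIENT_ID  #: OpenID Client ID
              value: oid
            - name: PROXY_HOST  #: Host name of the service to proxy
              value: google.com
            - name: PROXY_PORT  #: Port of the service to proxy
              value: "443"
            - name: PROXY_PROTOCOL  #: Protocol to the service to proxy (http or https)
              value: https
            # Optional settings, left disabled.
            # - name: ADD_HOST_HEADER  #: pass the proxy host header downstream (true or false)
            #   value:
            # - name: OIDC_AUTH_METHOD  #: OpenID Connect authentication method (client_secret_basic or client_secret_post)
            #   value:
            # - name: OID_SESSION_CHECK_SSI  #: check SSI or not (on or off)
            #   value:
            # - name: OID_SESSION_NAME  #: cookie session name
            #   value:
            # - name: OID_REDIRECT_PATH  #: Redirect path after authentication
            #   value:
            # If the client secret is enabled, source it from a Secret with
            # valueFrom.secretKeyRef as well, not from a literal value.
            # - name: OID_CLIENT_SECRET  #: OpenID Client Secret
            #   value:
            # - name: OIDC_RENEW_ACCESS_TOKEN_ON_EXPIRY  #: Enable silent renew of access token (true or false)
            #   value:
          ports:
            - containerPort: 80
          # NOTE(review): no CPU/memory requests or limits are set.
          resources: {}
      restartPolicy: Always
status: {}
---
# Hosting
# Ingress: serves oid.monkeybox.org over TLS (certificate stored in the oid-tls
# Secret, requested through the letsencrypt-prod cluster issuer) and forwards
# every path to the oid Service on port 80.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oid-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    ## basic auth for oid
    # NOTE(review): the nginx.ingress.kubernetes.io/* annotations only take
    # effect when the ingress-nginx controller serves this Ingress. No
    # ingressClassName is set, so that depends on the cluster default; confirm
    # it, because another controller would ignore the basic-auth settings.
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    # (not defined in this file; it must already exist in the namespace)
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    # NOTE(review): the realm text mentions Octoprint although this Ingress
    # fronts the oid service; confirm the wording is intended.
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - Octoprint'
spec:
  tls:
    - hosts:
        - oid.monkeybox.org
      secretName: oid-tls
  rules:
    - host: oid.monkeybox.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: oid
                port:
                  number: 80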