unip-controller/controller/templates/api-component/oauth2-proxy-deployment.yaml

# ============================================================
# Система: Единая библиотека, Центр ИИ НИУ ВШЭ
# Модуль: APIComponent
# Авторы: Полежаев В.А., Хританков А.С.
# Дата создания: 2025 г.
# ============================================================
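# Jinja-templated Deployment running oauth2-proxy as the authentication
# front for an APIComponent. Template variables ({{ ... }}) are substituted
# by the controller before the document is parsed as YAML.
#
# Flow:
#   1. init container "init" reads the group list from the mounted Secret
#      (key "groups", one group per line) and writes a single shell
#      assignment line "OIDC_GROUPS=g1,g2,..." into a shared emptyDir;
#   2. the oauth2-proxy container sources that file and starts
#      /bin/oauth2-proxy with --allowed-group=$OIDC_GROUPS.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Quoted so that a rendered value which happens to look like a number or
  # a boolean is still treated as a string by the YAML parser.
  name: "{{ deployment_name }}"
  namespace: "{{ namespace }}"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "{{ selector_label }}"
  template:
    metadata:
      labels:
        app: "{{ selector_label }}"
    spec:
      initContainers:
        # Builds /unip/prepared-groups-var/groups-var: the literal prefix
        # "OIDC_GROUPS=" followed by the Secret's lines joined with commas.
        # NOTE(review): a group name containing whitespace or shell
        # metacharacters would break the unquoted assignment when the file
        # is sourced by the main container — validate group names where the
        # Secret is produced.
        - name: init
          image: busybox:1.37.0
          volumeMounts:
            - name: groups-secret-volume
              mountPath: /unip/groups-secret
              readOnly: true
            - name: prepared-groups-var-volume
              mountPath: /unip/prepared-groups-var
          command:
            - sh
            - -c
            - >-
              echo -n "OIDC_GROUPS=" > /unip/prepared-groups-var/groups-var &&
              cat /unip/groups-secret/groups | paste -sd "," - >> /unip/prepared-groups-var/groups-var
          resources:
            limits:
              memory: 64M
              cpu: 100m
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
          imagePullPolicy: IfNotPresent
          # `command` already supplies `-c`; `args` therefore holds only the
          # script (a second `-c` in args was redundant).
          command: ["/bin/sh", "-c"]
          # The script is one folded (>-) scalar: its lines are joined with
          # spaces into a single shell command line, so flags can be listed
          # one per line. Jinja block tags are written as "{%-" so they never
          # leave a blank line inside the scalar — a blank line would become
          # a newline and terminate the shell command before the remaining
          # flags — independent of the engine's trim_blocks/lstrip_blocks.
          #
          # The file is sourced with the POSIX `.` builtin (the interpreter
          # is /bin/sh, and the init container guarantees the file exists);
          # if the file were missing the shell fails closed instead of
          # starting the proxy with an empty --allowed-group.
          #
          # Security-relevant flags, in order of appearance:
          #   --client-secret / --cookie-secret: NOTE(review) the values are
          #     interpolated unquoted into the shell command line and end up
          #     in the pod spec and the process cmdline. Prefer the
          #     OAUTH2_PROXY_CLIENT_SECRET / OAUTH2_PROXY_COOKIE_SECRET env
          #     vars populated from a Secret (valueFrom.secretKeyRef).
          #   --skip-jwt-bearer-tokens: bearer JWTs from the issuer (and any
          #     --extra-jwt-issuers) are accepted in addition to the session
          #     cookie.
          #   --email-domain=*: any e-mail domain; authorization relies on
          #     --allowed-group / --allowed-role, so an empty groups Secret
          #     yields an empty $OIDC_GROUPS — NOTE(review) confirm how
          #     oauth2-proxy treats an empty --allowed-group before relying
          #     on it, and keep the Secret non-empty.
          #   --cookie-httponly=false: the session cookie is readable by page
          #     scripts (XSS exposure); keep only if a browser-side consumer
          #     really needs it.
          #   --set-basic-auth / --basic-auth-password=default: the proxy
          #     adds a Basic Authorization header with this fixed, public
          #     password; consumers must take identity from the
          #     X-Auth-Request-* headers (--set-xauthrequest) and never treat
          #     this header as a credential.
          #   --code-challenge-method=S256: PKCE for the authorization-code
          #     flow.
          #   --upstream=file:///dev/null: no real upstream — presumably the
          #     proxy only serves the auth endpoints under --proxy-prefix for
          #     an external auth-request integration (confirm with the
          #     ingress configuration).
          args:
            - >-
              . /unip/prepared-groups-var/groups-var &&
              /bin/oauth2-proxy
              --provider=keycloak-oidc
              --client-id={{ client_id }}
              --client-secret={{ client_secret }}
              --cookie-secret={{ cookie_secret }}
              --redirect-url={{ redirect_url }}
              --oidc-issuer-url={{ oidc_issuer_url }}
              --skip-jwt-bearer-tokens=true
              {%- if oidc_extra_audience %}
              --oidc-extra-audience={{ oidc_extra_audience }}
              {%- endif %}
              {%- if extra_jwt_issuers %}
              --extra-jwt-issuers={{ extra_jwt_issuers }}
              {%- endif %}
              --email-domain=*
              --cookie-httponly=false
              --set-xauthrequest=true
              --set-basic-auth=true
              --basic-auth-password=default
              --allowed-group=$OIDC_GROUPS
              {%- if roles %}
              --allowed-role={{ roles }}
              {%- endif %}
              --code-challenge-method=S256
              --proxy-prefix={{ proxy_prefix }}
              --upstream=file:///dev/null
              --http-address=0.0.0.0:{{ container_port }}
          ports:
            # Left unquoted on purpose: containerPort must render as an int.
            - containerPort: {{ container_port }}
              protocol: TCP
          resources:
            limits:
              memory: 64M
              cpu: 100m
          volumeMounts:
            - name: prepared-groups-var-volume
              mountPath: /unip/prepared-groups-var
      # NOTE(review): no securityContext is set on either container
      # (runAsNonRoot, allowPrivilegeEscalation: false, dropped
      # capabilities, readOnlyRootFilesystem). Not added here because the
      # init container writes the shared emptyDir and the uid/permission
      # interplay with the oauth2-proxy image must be checked first.
      volumes:
        - name: groups-secret-volume
          secret:
            secretName: "{{ groups_secret_name }}"
        - name: prepared-groups-var-volume
          emptyDir:
            sizeLimit: 10Mi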