---
# Namespace that holds the authentik outpost proxy and the Service, Ingress and
# Traefik Middleware defined in the documents below.
# NOTE(review): no pod-security.kubernetes.io/* labels are set on this
# namespace, so no Pod Security Standard is enforced here — confirm whether the
# cluster's admission policy covers it or whether an enforce label is wanted.
apiVersion: v1
kind: Namespace
metadata:
  name: authentik
---
# ClusterIP Service in front of the outpost Deployment. The selector matches the
# pod template labels of the Deployment below; port 9000 is the backend used by
# both the Ingress and the Traefik forwardAuth address in this file.
apiVersion: v1
kind: Service
metadata:
  name: authentik-outpost
  namespace: authentik
  labels:
    app.kubernetes.io/instance: yolokube-proxy
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/name: authentik-proxy
spec:
  ports:
    # Named target ports resolve to the containerPort names in the Deployment.
    - name: http
      port: 9000
      protocol: TCP
      targetPort: http
    - name: https
      port: 9443
      protocol: TCP
      targetPort: https
  # Cluster-internal only; external access goes through the Ingress below.
  type: ClusterIP
  selector:
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/instance: yolokube-proxy
    app.kubernetes.io/name: authentik-proxy
---
# Publishes the outpost's plain-HTTP port (9000) on sso.services.yolokube.de.
# TLS is terminated at the Ingress; the certificate is requested through the
# kubernetes.io/tls-acme annotation and stored in the authentik-tls-key Secret.
# NOTE(review): no ingressClassName is set, so the cluster's default Ingress
# class is assumed — confirm it is the controller meant to front this host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Quoted on purpose: the annotation value must be the string "true".
    kubernetes.io/tls-acme: "true"
  name: authentik-ingress
  namespace: authentik
spec:
  rules:
    - host: "sso.services.yolokube.de"
      http:
        paths:
          # Prefix "/" routes every path on this host to the outpost.
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: authentik-outpost
                port:
                  number: 9000
  tls:
    - hosts:
        - sso.services.yolokube.de
      secretName: authentik-tls-key
---
# Runs the authentik proxy outpost. All configuration comes from the
# authentik-outpost-api Secret, which is not defined in this file and must exist
# in the authentik namespace before the pod can start.
# NOTE(review): replicas is not set (API default is 1), and the pod template has
# no securityContext, resource requests/limits, or readiness/liveness probes —
# consider adding them; confirm the image's user/filesystem needs first.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-outpost
  namespace: authentik
  labels:
    app.kubernetes.io/instance: yolokube-proxy
    app.kubernetes.io/managed-by: goauthentik.io
    app.kubernetes.io/name: authentik-proxy
spec:
  selector:
    matchLabels:
      app.kubernetes.io/instance: yolokube-proxy
      app.kubernetes.io/managed-by: goauthentik.io
      app.kubernetes.io/name: authentik-proxy
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: yolokube-proxy
        app.kubernetes.io/managed-by: goauthentik.io
        app.kubernetes.io/name: authentik-proxy
    spec:
      containers:
        - env:
            # URL of the authentik server this outpost registers with.
            - name: AUTHENTIK_HOST
              valueFrom:
                secretKeyRef:
                  key: authentik_host
                  name: authentik-outpost-api
            # Outpost API token; kept in the Secret rather than inline.
            - name: AUTHENTIK_TOKEN
              valueFrom:
                secretKeyRef:
                  key: token
                  name: authentik-outpost-api
            # NOTE(review): presumably controls TLS verification toward
            # AUTHENTIK_HOST — confirm the Secret value is "false" in production.
            - name: AUTHENTIK_INSECURE
              valueFrom:
                secretKeyRef:
                  key: authentik_host_insecure
                  name: authentik-outpost-api
          # Pinned to a release tag, not an image digest; tags are mutable.
          image: ghcr.io/goauthentik/proxy:2024.12.3
          name: proxy
          ports:
            # Port names are referenced by the Service's targetPort fields.
            - containerPort: 9000
              name: http
              protocol: TCP
            - containerPort: 9443
              name: https
              protocol: TCP
---
# Traefik forwardAuth Middleware: routes that reference it send each request to
# the outpost's auth endpoint and only continue upstream if it answers 2xx.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: authentik
spec:
  forwardAuth:
    # Cluster-internal plain HTTP to the Service above (port 9000).
    address: http://authentik-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
    # NOTE(review): with this set, Traefik passes the incoming X-Forwarded-*
    # headers through to the outpost as received — confirm the entrypoint
    # restricts who may set them (forwardedHeaders.trustedIPs) so the host/proto
    # the outpost sees cannot be chosen by the client.
    trustForwardHeader: true
    # Headers copied from the outpost's auth response onto the upstream request.
    # NOTE(review): X-authentik-jwt and the meta headers are forwarded to every
    # protected backend — confirm each backend actually needs them.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-grafana-role
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version