From 8545e1984b251389562b1b00f9afc37db26e7166 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Wed, 31 Dec 2025 00:13:23 +0900
Subject: [PATCH] FEAT(velero): add oauth2-proxy - for velero with Kanidm OIDC
- Replace authelia middleware with oauth2-proxy
- Configure OIDC authentication via Kanidm
- Update ingress to route through oauth2-proxy
---
 velero/ingress.yaml | 5 ++-
 velero/kustomization.yaml | 1 +
 velero/oauth2-proxy.yaml | 70 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+), 3 deletions(-)
 create mode 100644 velero/oauth2-proxy.yaml
diff --git a/velero/ingress.yaml b/velero/ingress.yaml
index cdbda53..c6e2234 100644
--- a/velero/ingress.yaml
+++ b/velero/ingress.yaml
@@ -5,7 +5,6 @@ metadata:
 namespace: velero
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
@@ -20,6 +19,6 @@ spec:
 pathType: Prefix
 backend:
 service:
- name: velero-ui
+ name: oauth2-proxy
 port:
- number: 3000
+ number: 4180
diff --git a/velero/kustomization.yaml b/velero/kustomization.yaml
index 3ae7c9f..5e7de4d 100644
--- a/velero/kustomization.yaml
+++ b/velero/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - vault/velero-secrets.yaml
 - ingress.yaml
+- oauth2-proxy.yaml
diff --git a/velero/oauth2-proxy.yaml b/velero/oauth2-proxy.yaml
new file mode 100644
index 0000000..8189707
--- /dev/null
+++ b/velero/oauth2-proxy.yaml
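Review bot: With the Traefik forward-auth middleware annotation removed in the first hunk, authentication for this host now rests solely on the backend switch to `oauth2-proxy` / `4180` in the second hunk; nothing in the Ingress itself enforces it, so another Ingress or any in-cluster workload can still reach the `velero-ui` Service on port 3000 directly. If that is not already covered elsewhere, a NetworkPolicy on `velero-ui` that allows ingress only from pods labelled `app: oauth2-proxy` would close the bypass. A short comment next to the remaining annotation would also help future readers, e.g. `# auth is enforced by the oauth2-proxy backend below, not by a Traefik middleware`. The rule's `host` and `path` lines sit outside the second hunk, so it could not be confirmed here that `/oauth2/callback` is routed through the same backend.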
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: oauth2-proxy-secret
+ namespace: velero
+type: Opaque
+stringData:
+ cookie-secret: "abcdefghijklmnopqrstuvwxyz123456"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy
+ namespace: velero
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: oauth2-proxy
+ template:
+ metadata:
+ labels:
+ app: oauth2-proxy
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ args:
+ - --provider=oidc
+ - --oidc-issuer-url=https://auth.mayne.kro.kr/oauth2/openid/velero
+ - --client-id=velero
+ - --client-secret=b2GxS9Cswx5M33REUG7VWcMq0LdV760Y0P9H38cXZfMXGGv4
+ - --cookie-secret=abcdefghijklmnopqrstuvwxyz123456
+ - --email-domain=*
+ - --upstream=http://velero-ui:3000
+ - --http-address=0.0.0.0:4180
+ - --redirect-url=https://velero0213.kro.kr/oauth2/callback
+ - --cookie-secure=true
+ - --ssl-insecure-skip-verify=true
+ - --skip-provider-button=true
+ - --code-challenge-method=S256
+ ports:
+ - containerPort: 4180
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ memory: 64Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy
+ namespace: velero
+spec:
+ selector:
+ app: oauth2-proxy
+ ports:
+ - port: 4180
+ targetPort: 4180
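Review bot: The OIDC client secret and the cookie secret are passed as plain `--client-secret=` / `--cookie-secret=` container args, so they are committed to git, visible in `kubectl describe` and the pod's process list, and duplicated against the `oauth2-proxy-secret` Secret that the Deployment never actually references; the cookie secret is also a fixed, low-entropy string. Both values should be treated as exposed and rotated, and the pod should read them from the Secret through the `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` environment variables, with the Secret populated out of band (the kustomization already pulls `vault/velero-secrets.yaml`, which suggests an existing Vault path, though that could not be confirmed here). `--ssl-insecure-skip-verify=true` disables certificate verification of the Kanidm issuer, so anyone positioned on that connection could present accepted tokens; if the issuer uses a private CA, mount it and pass `--provider-ca-file` instead of skipping verification. Finally, `--email-domain=*` admits every account the IdP will authenticate, so access control rests entirely on how the `velero` client is scoped in Kanidm; if that is not restricted there, `--allowed-group` narrows it on the proxy side.
```yaml
# … unchanged: Secret (add a client-secret key, populated out of band; no literal values in git) …
# … unchanged: Deployment metadata, pod securityContext, image, container securityContext …
        env:
          - name: OAUTH2_PROXY_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: oauth2-proxy-secret
                key: client-secret  # key name constructed for this example; add it to the Secret above
          - name: OAUTH2_PROXY_COOKIE_SECRET
            valueFrom:
              secretKeyRef:
                name: oauth2-proxy-secret
                key: cookie-secret
        args:
          - --provider=oidc
          # … unchanged: --oidc-issuer-url, --client-id, --email-domain, --upstream,
          #   --http-address, --redirect-url, --cookie-secure, --skip-provider-button,
          #   --code-challenge-method …
          # --client-secret, --cookie-secret and --ssl-insecure-skip-verify removed
# … unchanged: ports, resources, Service …
```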