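# OAuth2 Proxy deployment providing an authentication layer for Code-Server on EKS.
# Note: oauth2-proxy is configured with provider = "oidc" below, so the IdP is
# reached through its OIDC endpoint; a SAML-based IdP is used via that OIDC
# front door rather than through native SAML.
#
# Every PLACEHOLDER-style value (YOUR_..., GENERATE_..., example.com,
# your-saml-idp.com) must be replaced before this manifest is applied.
---
apiVersion: v1
kind: Namespace
metadata:
  name: code-server
---
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy-secrets
  namespace: code-server
type: Opaque
# Placeholders only. Do not commit real values in this file; inject the Secret
# from a secret manager at deploy time instead.
stringData:
  client-id: "YOUR_SAML_CLIENT_ID"
  client-secret: "YOUR_SAML_CLIENT_SECRET"
  # Must be base64 of 16, 24 or 32 random bytes (it is used as an AES key).
  # Generate with:
  #   python -c 'import os, base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
  cookie-secret: "GENERATE_WITH_python_-c_import_os_base64_print_base64_urlsafe_b64encode_os_urandom_32_decode"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-config
  namespace: code-server
data:
  # oauth2-proxy config file (TOML); '#' lines below are TOML comments.
  oauth2_proxy.cfg: |
    provider = "oidc"
    provider_display_name = "SSO"
    # Must match the redirect URI registered at the IdP exactly.
    redirect_url = "https://code-server.example.com/oauth2/callback"
    # OIDC discovery document is fetched from this issuer at startup.
    oidc_issuer_url = "https://your-saml-idp.com"
    # Plain HTTP inside the cluster. Restrict code-server:8080 with a
    # NetworkPolicy so only this proxy can reach it and it cannot be bypassed.
    upstreams = "http://code-server:8080"
    # "*" admits every account the IdP authenticates. Restrict to your
    # organisation's e-mail domain(s) before deploying.
    email_domains = ["*"]
    cookie_secure = true
    cookie_httponly = true
    cookie_samesite = "lax"
    cookie_refresh = "1h"
    cookie_expire = "24h"
    set_xauthrequest = true
    # The upstream receives the user's access token / Authorization header.
    # Keep these enabled only if code-server actually consumes them.
    pass_access_token = true
    pass_authorization_header = true
    set_authorization_header = true
    skip_provider_button = false
    # Limits where the post-login ?rd= redirect may point (open-redirect guard).
    whitelist_domains = [".example.com"]
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: code-server
  labels:
    app: oauth2-proxy
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 4180
      targetPort: 4180
      protocol: TCP
  selector:
    app: oauth2-proxy
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: code-server
  labels:
    app: oauth2-proxy
spec:
  # replicas is intentionally omitted: the HorizontalPodAutoscaler below owns
  # the count (minReplicas: 2). A fixed value here would be reset on every apply.
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      serviceAccountName: oauth2-proxy
      # The proxy never calls the Kubernetes API; do not mount an API token.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: oauth2-proxy
          # Prefer pinning by digest for a reproducible image, e.g.
          #   quay.io/oauth2-proxy/oauth2-proxy:v7.5.1@sha256:<DIGEST_PLACEHOLDER>
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
          imagePullPolicy: IfNotPresent
          args:
            - --config=/etc/oauth2-proxy/oauth2_proxy.cfg
            - --http-address=0.0.0.0:4180
          # Credentials come from the Secret, never from the ConfigMap.
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-secrets
                  key: client-id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-secrets
                  key: client-secret
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-secrets
                  key: cookie-secret
          ports:
            - name: http
              containerPort: 4180
              protocol: TCP
          # /ping is oauth2-proxy's unauthenticated health endpoint.
          livenessProbe:
            httpGet:
              path: /ping
              port: http
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /ping
              port: http
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: config
              mountPath: /etc/oauth2-proxy
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: oauth2-proxy-config
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oauth2-proxy
  namespace: code-server
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: code-server
  annotations:
    # Internal ALB: users must reach the redirect_url from their network.
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/healthcheck-path: /ping
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    # Set your ACM certificate ARN. Without it the HTTPS:443 listener has no
    # certificate unless the controller can discover one for the host below.
    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account:certificate/xxxxx
spec:
  ingressClassName: alb
  rules:
    - host: code-server.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: oauth2-proxy
  namespace: code-server
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: oauth2-proxy
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: oauth2-proxy
  namespace: code-server
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: oauth2-proxy
  minReplicas: 2
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 75
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80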