---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-oidc-proxy-0.3.5-d2iq-defaults
  namespace: ${releaseNamespace}
data:
  values.yaml: |-
    ---
    # See: https://github.com/mesosphere/dkp-container-images/tree/main/kube-oidc-proxy
    image:
      repository: ghcr.io/mesosphere/dkp-container-images/kube-oidc-proxy
      tag: 1.0.7
    priorityClassName: "dkp-critical-priority"
    deploymentAnnotations:
      # Config changes and certificate rotation by cert-manager need a reload
      secret.reloader.stakater.com/reload: "kube-oidc-proxy-config,kube-oidc-proxy-server-tls" # If a fullNameOverride has been set, change the value of "kube-oidc-proxy" accordingly.
    ingress:
      enabled: true
      annotations:
        kubernetes.io/ingress.class: kommander-traefik
        ingress.kubernetes.io/protocol: https
        traefik.ingress.kubernetes.io/rule-type: PathPrefixStrip
        traefik.ingress.kubernetes.io/router.middlewares: "${workspaceNamespace}-stripprefixes@kubernetescrd"
        traefik.ingress.kubernetes.io/router.tls: "true"
      path: /dkp/api-server
      hosts:
        - ""
    oidc:
      clientId: kube-apiserver
      # will be overridden by the controller
      issuerUrl: https://dex.${releaseNamespace}.svc.cluster.local:8080/dex
      usernameClaim: email
      groupsClaim: groups
      groupsPrefix: "oidc:"
      # This must be set when using custom built image which is based on alpine.
      caSystemDefaultPath: "/etc/ssl/certs/certs-bundle.crt"
    tokenPassthrough:
      enabled: true
    certIssuerRef:
      kind: ${certificateIssuerKind:=Issuer}
      name: ${certificateIssuerName}
    dnsNames:
      - kube-oidc-proxy
      - kube-oidc-proxy.${releaseNamespace}
      - kube-oidc-proxy.${releaseNamespace}.svc
      - kube-oidc-proxy.${releaseNamespace}.svc.cluster
      - kube-oidc-proxy.${releaseNamespace}.svc.cluster.local