fix(helm): Traefik code-server auth redirect + redirect-url fix

iamriajul · Riajul Islam · claude · web-flow · commit 7f0e21625319 · 2026-04-16T17:46:37.000+06:00
- Add oauth2-proxy-code deployment+service for code-server (Traefik only) Routes code-server ingress through oauth2-proxy with --upstream=frontend:13337 - Code-server ingress backend: oauth2-proxy-code:4180 on Traefik (direct on nginx) - Frontend redirect-url: https://<domain>/oauth2/callback (Traefik, same domain) vs https://auth.<domain>/oauth2/callback (nginx, auth subdomain) Co-authored-by: Riajul Islam <riajul@kahf.co> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/helm/vibe-kanban-team/templates/frontend-code-server-ingress.yaml b/helm/vibe-kanban-team/templates/frontend-code-server-ingress.yaml
@@ -1,9 +1,13 @@
 {{- if include "vibe-kanban-team.frontend.codeServerIngressEnabled" . -}}
 {{- $frontendName := include "vibe-kanban-team.frontend.fullname" . -}}
 {{- $codeServerPort := .Values.frontend.codeServer.port -}}
+{{- $ingressClassName := .Values.global.ingressClassName | default "" -}}
+{{- $useTraefikProxy := and .Values.frontend.auth.enabled (contains "traefik" $ingressClassName) -}}
+{{- $backendName := ternary (printf "%s-oauth2-proxy-code" $frontendName) $frontendName $useTraefikProxy -}}
+{{- $backendPort := ternary 4180 ($codeServerPort | int) $useTraefikProxy -}}
 {{- $annotations := include "vibe-kanban-team.ingress.annotations" (dict "root" . "annotations" .Values.frontend.codeServerIngress.annotations) -}}
 {{- $authAnnotations := include "vibe-kanban-team.frontend.authAnnotations" . -}}
-{{- if and .Values.frontend.auth.enabled (eq (trim $authAnnotations) "") -}}
+{{- if and .Values.frontend.auth.enabled (not $useTraefikProxy) (eq (trim $authAnnotations) "") -}}
 {{- fail "frontend.auth.enabled=true but no protected ingress annotations could be derived. Set global.ingressClassName to nginx, or set frontend.auth.createTraefikMiddleware=true with a traefik ingress class, or provide frontend.auth.protectedIngressAnnotations." -}}
 {{- end -}}
 {{- $className := include "vibe-kanban-team.ingress.className" (dict "root" . "className" .Values.frontend.codeServerIngress.className) -}}
@@ -16,12 +20,12 @@ metadata:
   labels:
     {{- include "vibe-kanban-team.labels" . | nindent 4 }}
     app.kubernetes.io/component: frontend
-  {{- if or (ne (trim $annotations) "") (ne (trim $authAnnotations) "") }}
+  {{- if or (ne (trim $annotations) "") (and (not $useTraefikProxy) (ne (trim $authAnnotations) "")) }}
   annotations:
     {{- if ne (trim $annotations) "" }}
     {{- $annotations | nindent 4 }}
     {{- end }}
-    {{- if ne (trim $authAnnotations) "" }}
+    {{- if and (not $useTraefikProxy) (ne (trim $authAnnotations) "") }}
     {{- $authAnnotations | nindent 4 }}
     {{- end }}
   {{- end }}
@@ -57,9 +61,9 @@ spec:
             pathType: {{ .pathType }}
             backend:
               service:
-                name: {{ $frontendName }}
+                name: {{ $backendName }}
                 port:
-                  number: {{ $codeServerPort }}
+                  number: {{ $backendPort }}
           {{- end }}
     {{- end }}
     {{- else if $derivedHost }}
@@ -70,18 +74,18 @@ spec:
             pathType: Prefix
             backend:
               service:
-                name: {{ $frontendName }}
+                name: {{ $backendName }}
                 port:
-                  number: {{ $codeServerPort }}
+                  number: {{ $backendPort }}
     - host: {{ $derivedProxyHost | quote }}
       http:
         paths:
           - path: /
             pathType: Prefix
             backend:
               service:
-                name: {{ $frontendName }}
+                name: {{ $backendName }}
                 port:
-                  number: {{ $codeServerPort }}
+                  number: {{ $backendPort }}
     {{- end }}
 {{- end }}
diff --git a/helm/vibe-kanban-team/templates/frontend-oauth2-proxy-code-server.yaml b/helm/vibe-kanban-team/templates/frontend-oauth2-proxy-code-server.yaml
@@ -0,0 +1,136 @@
+{{- if and .Values.frontend.enabled .Values.frontend.auth.enabled .Values.frontend.codeServer.enabled (contains "traefik" (.Values.global.ingressClassName | default "")) }}
+{{- $frontendName := include "vibe-kanban-team.frontend.fullname" . -}}
+{{- $proxyName := printf "%s-oauth2-proxy-code" $frontendName -}}
+{{- $codeServerHost := include "vibe-kanban-team.codeServer.host" . -}}
+---
+# oauth2-proxy for code-server (Traefik only) — proxies to code-server port.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $proxyName }}
+  labels:
+    {{- include "vibe-kanban-team.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oauth2-proxy-code
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "vibe-kanban-team.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: oauth2-proxy-code
+  template:
+    metadata:
+      labels:
+        {{- include "vibe-kanban-team.labels" . | nindent 8 }}
+        app.kubernetes.io/component: oauth2-proxy-code
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+      containers:
+        - name: oauth2-proxy
+          image: "{{ .Values.frontend.auth.image.repository }}:{{ .Values.frontend.auth.image.tag }}"
+          imagePullPolicy: {{ .Values.frontend.auth.image.pullPolicy }}
+          args:
+            - --provider={{ .Values.frontend.auth.provider | default "google" }}
+            {{- if .Values.frontend.auth.oidcIssuerUrl }}
+            - --oidc-issuer-url={{ .Values.frontend.auth.oidcIssuerUrl }}
+            {{- end }}
+            {{- range .Values.frontend.auth.emailDomains }}
+            - --email-domain={{ . }}
+            {{- end }}
+            {{- if gt (len .Values.frontend.auth.allowedEmails) 0 }}
+            - --authenticated-emails-file=/etc/oauth2-proxy/emails
+            {{- end }}
+            {{- if .Values.frontend.auth.githubOrg }}
+            - --github-org={{ .Values.frontend.auth.githubOrg }}
+            {{- end }}
+            {{- if .Values.frontend.auth.githubTeam }}
+            - --github-team={{ .Values.frontend.auth.githubTeam }}
+            {{- end }}
+            {{- range .Values.frontend.auth.extraArgs }}
+            - {{ . }}
+            {{- end }}
+            - --upstream=http://{{ $frontendName }}:{{ .Values.frontend.codeServer.port }}/
+            - --http-address=0.0.0.0:4180
+            - --reverse-proxy=true
+            - --set-xauthrequest=true
+            - --set-authorization-header=true
+            - --cookie-domain={{ .Values.frontend.auth.cookieDomain | default (include "vibe-kanban-team.frontend.cookieDomain" .) }}
+            - --cookie-samesite=lax
+            - --cookie-secure=true
+            - --whitelist-domain={{ .Values.frontend.auth.cookieDomain | default (include "vibe-kanban-team.frontend.cookieDomain" .) }}
+            - --redirect-url=https://{{ $codeServerHost }}/oauth2/callback
+            - --skip-provider-button=true
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.frontend.auth.secretName }}
+                  key: client-id
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.frontend.auth.secretName }}
+                  key: client-secret
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.frontend.auth.secretName }}
+                  key: cookie-secret
+          ports:
+            - name: http
+              containerPort: 4180
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 5
+          resources:
+            {{- toYaml .Values.frontend.auth.resources | nindent 12 }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+          {{- if gt (len .Values.frontend.auth.allowedEmails) 0 }}
+          volumeMounts:
+            - name: emails
+              mountPath: /etc/oauth2-proxy
+              readOnly: true
+          {{- end }}
+      {{- if gt (len .Values.frontend.auth.allowedEmails) 0 }}
+      volumes:
+        - name: emails
+          configMap:
+            name: {{ $frontendName }}-oauth2-proxy-emails
+      {{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $proxyName }}
+  labels:
+    {{- include "vibe-kanban-team.labels" . | nindent 4 }}
+    app.kubernetes.io/component: oauth2-proxy-code
+spec:
+  type: ClusterIP
+  ports:
+    - port: 4180
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "vibe-kanban-team.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: oauth2-proxy-code
+{{- end }}
diff --git a/helm/vibe-kanban-team/templates/frontend-oauth2-proxy-deployment.yaml b/helm/vibe-kanban-team/templates/frontend-oauth2-proxy-deployment.yaml
@@ -71,7 +71,11 @@ spec:
             - --cookie-samesite=lax
             - --cookie-secure=true
             - --whitelist-domain={{ .Values.frontend.auth.cookieDomain | default (include "vibe-kanban-team.frontend.cookieDomain" .) }}
+            {{- if contains "traefik" $ingressClassName }}
+            - --redirect-url=https://{{ include "vibe-kanban-team.frontend.host" . }}/oauth2/callback
+            {{- else }}
             - --redirect-url=https://{{ .Values.frontend.auth.host | default (include "vibe-kanban-team.auth.host" .) }}/oauth2/callback
+            {{- end }}
             - --skip-provider-button=true
           env:
             - name: OAUTH2_PROXY_CLIENT_ID
