From 48b70e9ac21efdbf69ce25f462b9e6defb12349e Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Fri, 10 Nov 2023 10:53:37 +0000
Subject: [PATCH] do not do hairpin for oauth2 proxy redirects [ci skip]

---
 modules/kubernetes/reverse_proxy/factory/main.tf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf
index 36cfa241..e63a491c 100644
--- a/modules/kubernetes/reverse_proxy/factory/main.tf
+++ b/modules/kubernetes/reverse_proxy/factory/main.tf
@@ -49,8 +49,11 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
     annotations = {
       "nginx.ingress.kubernetes.io/backend-protocol" = "${var.backend_protocol}"
       "kubernetes.io/ingress.class"                  = "nginx"
-      "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/auth" : null
-      "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" : null
+      # "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/auth" : null
+      # "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" : null
+      # Do not do hairpinning
+      "nginx.ingress.kubernetes.io/auth-url" : var.protected ? "http://oauth2.oauth2.svc.cluster.local/oauth2/auth" : null
+      "nginx.ingress.kubernetes.io/auth-signin" : var.protected ? "http://oauth2.oauth2.svc.cluster.local/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" : null
     }
   }