feat: add host to access log fields

Merge pull request 'Utilisation d'une clé privée partagée via un Secret sur Kubernetes' (#19 ) from kubernetes-private-key into develop
Reviewed-on: #19
2024-03-28 19:47:32 +01:00 · 2024-03-28 15:57:17 +01:00 · 2024-03-28 15:54:59 +01:00 · 2024-03-28 15:53:40 +01:00 · 2024-03-28 09:10:16 +01:00 · 2024-03-27 17:57:07 +01:00
71 changed files with 2384 additions and 326 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -6,4 +6,7 @@
 /data
 /bin
 /.bouncer-token
-/.env
+/.env
+/misc/k8s
+/misc/k6s
+/misc/grafterm
--- a/.gitignore
+++ b/.gitignore
@ -7,4 +7,5 @@
 /admin-key.json
 /.bouncer-token
 /data
-/out
+/out
+.dockerconfigjson
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -11,7 +11,7 @@ builds:
      - -s
      - -w
      - -X 'main.GitRef={{ .Commit }}'
-      - -X 'main.ProjectVersion={{ .Version }}' 
+      - -X 'main.ProjectVersion={{ .Version }}'
      - -X 'main.BuildDate={{ .Date }}'
      - -X 'main.DefaultConfigPath=/etc/bouncer/config.yml'
    gcflags:
@ -33,15 +33,15 @@ archives:
      - README.md
      - misc/packaging/common/config.yml
 checksum:
-  name_template: 'checksums.txt'
+  name_template: "checksums.txt"
 snapshot:
  name_template: "{{ .Version }}"
 changelog:
  sort: asc
  filters:
    exclude:
-      - '^docs:'
-      - '^test:'
+      - "^docs:"
+      - "^test:"
 nfpms:
  - id: bouncer-bin
    builds:
@ -63,6 +63,10 @@ nfpms:
      - src: layers
        dst: /etc/bouncer/layers
        type: config
+      - dst: /etc/bouncer/bootstrap.d
+        type: dir
+        file_info:
+          mode: 0700
  - id: bouncer-admin
    meta: true
    package_name: bouncer-admin
--- a/32
+++ b/32
@ -1,4 +1,4 @@
-FROM golang:1.20 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.21.6 AS BUILD

 RUN apt-get update \
    && apt-get install -y make
@ -9,29 +9,31 @@ RUN mkdir -p /usr/local/bin \
    && wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 \
    && chmod +x /usr/local/bin/yq

-COPY . /src
-
 WORKDIR /src

+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+COPY . /src
+
 RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser

 # Patch config
 RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
-    && yq -i '.redis.adresses = ["redis:6379"]' /src/dist/bouncer_linux_amd64_v1/config.yml
+    && yq -i '.redis.adresses = ["redis:6379"]' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.redis.writeTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.redis.readTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.redis.dialTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml

-FROM alpine:3.18 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.19.1 AS RUNTIME

-ARG DUMB_INIT_VERSION=1.2.5
+RUN apk add --no-cache ca-certificates dumb-init

-RUN apk add --no-cache ca-certificates
-
-RUN mkdir -p /usr/local/bin \
-    && wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_x86_64 \
-    && chmod +x /usr/local/bin/dumb-init
-
-ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]

 RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer

@ -44,6 +46,10 @@ RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
 EXPOSE 8080
 EXPOSE 8081

+RUN adduser -D -H bouncer
+
 ENV BOUNCER_CONFIG=/etc/bouncer/config.yml

+USER bouncer
+
 CMD ["bouncer"]
--- a/8
+++ b/8
@ -16,6 +16,9 @@ GOTEST_ARGS ?= -short

 OPENWRT_DEVICE ?= 192.168.1.1

+SIEGE_URLS_FILE ?= misc/siege/urls.txt
+SIEGE_CONCURRENCY ?= 100
+
 watch: tools/modd/bin/modd deps ## Watching updated files - live reload
 	( set -o allexport && source .env && set +o allexport && tools/modd/bin/modd )

@ -105,7 +108,10 @@ grafterm: tools/grafterm/bin/grafterm
 	tools/grafterm/bin/grafterm -c ./misc/grafterm/dashboard.json -v job=bouncer-proxy -r 5s

 siege:
-	siege -i -c 100 -f ./misc/siege/urls.txt
+	$(eval TMP := $(shell mktemp))
+	cat $(SIEGE_URLS_FILE) | envsubst > $(TMP)
+	siege -i -b -c $(SIEGE_CONCURRENCY) -f $(TMP)
+	rm -rf $(TMP)

 tools/gitea-release/bin/gitea-release.sh:
 	mkdir -p tools/gitea-release/bin
--- a/doc/README.md
+++ b/doc/README.md
@ -6,9 +6,11 @@
 ## Exemples

 - [(FR) - Exemple de déploiement multi-noeuds](../misc/docker-compose/README.md)
+
 ## Référence

 - [(FR) - Layers](./fr/references/layers/README.md)
+- [(FR) - Métriques](./fr/references/metrics.md)
 - [(FR) - Fichier de configuration](../misc/packaging/common/config.yml)
 - [(FR) - API d'administration](./fr/references/admin_api.md)

@ -17,8 +19,10 @@
 ### Utilisation

 - [(FR) - Ajouter un layer de type "file d'attente"](./fr/tutorials/add-queue-layer.md)
+- [(FR) - Amorçage d'un serveur Bouncer via la configuration](./fr/tutorials/bootstrapping.md)
+- [(FR) - Intégration avec Kubernetes](./fr/tutorials/kubernetes-integration.md)

 ### Développement

 - [(FR) - Démarrer avec les sources](./fr/tutorials/getting-started-with-sources.md)
- [(FR) - Créer son propre layer](./fr/tutorials/create-custom-layer.md)
+- [(FR) - Créer son propre layer](./fr/tutorials/create-custom-layer.md)
--- a/doc/fr/getting-started.md
+++ b/doc/fr/getting-started.md
@ -41,7 +41,7 @@
 5. Tester que le CLI est en capacité d'interroger l'API d'administration

    ```bash
-    bouncer admin query proxy
+    bouncer admin proxy query
    ```

    Un message équivalent à celui ci devrait s'afficher:
@ -92,4 +92,4 @@

 3. Ouvrir la page `https://<ip_serveur>:8080/` dans un navigateur. Le site Cadoles s'affiche !

-**Bravo, vous avez créé votre premier proxy avec Bouncer !**
+**Bravo, vous avez créé votre premier proxy avec Bouncer !**
--- a/doc/fr/references/layers/circuitbreaker.md
+++ b/doc/fr/references/layers/circuitbreaker.md
@ -32,6 +32,10 @@ Ce layer permet de bloquer l'accès à un site (ou une section de celui ci) cibl

    Voir le [fichier de configuration de référence](../../../../misc/packaging/common/config.yml), section `layers.circuitbreaker` pour voir les options permettant de personnaliser le chemin du répertoire contenant les templates.

-### Schéma
+## Schéma

-Voir le [schéma JSON](../../../../internal/proxy/director/layer/circuitbreaker/layer-options.json).
+Voir le [schéma JSON](../../../../internal/proxy/director/layer/circuitbreaker/layer-options.json).
+
+## Métriques
+
+_Aucune [métrique Prometheus](../metrics.md) n'est exportée par ce layer._
--- a/doc/fr/references/layers/queue.md
+++ b/doc/fr/references/layers/queue.md
@ -30,6 +30,34 @@ Ce layer permet d'ajouter un mécanisme de file d'attente dynamique au proxy ass

    Par exemple, si vous souhaitez limiter votre file à l'ensemble d'une section "`/blog`" d'un site, vous pouvez déclarer la valeur `["*/blog*"]`. Les autres URLs du site ne seront pas affectées par cette file d'attente.

-### Schéma
+## Schéma

-Voir le [schéma JSON](../../../../internal/proxy/director/layer/queue/schema/layer-options.json).
+Voir le [schéma JSON](../../../../internal/proxy/director/layer/queue/schema/layer-options.json).
+
+## Métriques
+
+Les [métriques Prometheus](../metrics.md) suivantes sont exposées par ce layer.
+
+### `bouncer_layer_queue_capacity{layer=<layerName>,proxy=<proxyName>}`
+
+- **Type:** `gauge`
+- **Description**: Capacité maximale de la queue
+- **Exemple**
+
+    ```
+    # HELP bouncer_layer_queue_capacity Bouncer's queue layer capacity
+    # TYPE bouncer_layer_queue_capacity gauge
+    bouncer_layer_queue_capacity{layer="queue",proxy="cadoles"} 2
+    ```
+
+### `bouncer_layer_queue_sessions{layer=<layerName>,proxy=<proxyName>}`
+
+- **Type:** `gauge`
+- **Description**: Nombre courant de sessions ouvertes
+- **Exemple**
+
+    ```
+    # HELP bouncer_layer_queue_sessions Bouncer's queue layer current sessions
+    # TYPE bouncer_layer_queue_sessions gauge
+    bouncer_layer_queue_sessions{layer="queue",proxy="cadoles"} 3
+    ```
--- a/doc/fr/references/metrics.md
+++ b/doc/fr/references/metrics.md
@ -0,0 +1,29 @@
+# Métriques
+
+Bouncer expose un certain nombre de métriques Prometheus sur le serveur proxy ainsi que sur le serveur d'administration. Ces métriques sont par défaut accessibles sur `/.bouncer/metrics`. 
+
+Il est possible de configurer le point d'entrée de ces métriques ainsi que d'ajouter une authentification de type `Basic Auth` [via la configuration](../../../misc/packaging/common/config.yml) (voir les clés `admin.metrics` et `proxy.metrics`).
+
+Outre les métriques par défaut fournies par la librairie [Prometheus](https://prometheus.io/docs/guides/go-application/#instrumenting-a-go-application-for-prometheus), les serveurs Bouncer exposent également des métriques propres.
+
+Chaque layer associé à un proxy peut également ses propres métriques spécifiques. [Voir la page de documentation](./layers/README.md) de chaque layer pour plus d'informations.
+
+## Métriques spécifiques
+
+### Serveur proxy
+
+#### `bouncer_proxy_director_proxy_requests_total{proxy=<proxyName>}`
+
+- **Type:** `counter`
+- **Description**: Nombre total de requêtes ayant transité par le proxy 
+- **Exemple**
+
+    ```
+    # HELP bouncer_proxy_director_proxy_requests_total Bouncer proxy total requests
+    # TYPE bouncer_proxy_director_proxy_requests_total counter
+    bouncer_proxy_director_proxy_requests_total{proxy="cadoles"} 64
+    ```
+
+### Serveur d'administration
+
+_Pas de métrique supplémentaire._
--- a/doc/fr/tutorials/bootstrapping.md
+++ b/doc/fr/tutorials/bootstrapping.md
@ -0,0 +1,47 @@
+# Amorçage d'un serveur Bouncer via la configuration
+
+Il est possible d'amorcer des données par défaut (i.e. des "proxies" et "layers" associés) via la configuration du serveur d'administration.
+
+> **Attention** Ce mécanisme de modifiera pas des proxies déjà existants dans la base de données du serveur Bouncer. Autrement dit, si un proxy est déjà pré-existant lors du démarrage du serveur Bouncer, il ne sera pas modifié.
+
+La définition des proxies et layers par défaut s'effectue dans la section `bootstrap` du fichier de configuration. Deux possibilités pour définir les proxys à charger par défaut:
+
+- Utiliser un répertoire contenant des fichiers YAML (un par proxy) en définissant le chemin du répertoire via l'attribut `bootstrap.dir`;
+- Définir directement la liste des proxies via l'attribut `bootstrap.proxies`.
+
+```yaml
+# Configuration d'une série de proxy/layers
+# à créer par défaut par le serveur d'administration
+bootstrap:
+  # Répertoire contenant les définitions de proxy à créer
+  # par défaut. Les fichiers seront récupérés si ils
+  # correspondent au patron de nommage suivant:
+  #
+  # <bootstrap_dir>/<proxy_name>.yml
+  #
+  # Voir ci-dessous pour les attributs possibles dans les fichiers.
+  #
+  # Si l'attribut est vide ou absent le chargement des fichiers
+  # est désactivé.
+  dir: /etc/bouncer/bootstrap.d
+
+  # Tableau associatif de définition de proxies à créer par
+  # défaut par le serveur d'administration.
+  # Si `proxies` et `dir` sont tous les deux définis, les fichiers
+  # présents dans le répertoire `dir` surchargeront les valeurs définies
+  # dans `proxies`.
+  #
+  # Par défaut vide.
+  proxies:
+  #     my-proxy:
+  #         enabled: true                       # Activer/désactiver le proxy
+  #         from: ["*"]                         # Filtre d'origine d'activation du proxy
+  #         to: "https://example.net"           # Destination du proxy
+  #         weight: 0                           # Priorité du proxy
+  #         layers:                             # Layers associés au proxy
+  #             my-layer:
+  #                 type: queue                 # Type du proxy
+  #                 enabled: false              # Activer/désactiver le layer
+  #                 weight: 0                   # Priorité du layer
+  #                 options: {"capacity": 100}  # Options associées au layer
+```
--- a/doc/fr/tutorials/kubernetes-integration.md
+++ b/doc/fr/tutorials/kubernetes-integration.md
@ -0,0 +1,61 @@
+# Intégration avec Kubernetes
+
+Dans le cadre du déploiement de Bouncer dans un environnement Kubernetes, il est possible d'activer un mode d'intégration permettant à Bouncer d'exposer des jetons d'authentification directement sous forme de [`Secret`](https://kubernetes.io/fr/docs/concepts/configuration/secret/).
+
+L'activation et configuration de l'intégration Kubernetes s'effectue dans le fichier de configuration du serveur d'administration via la section `integrations.kubernetes`:
+
+```yaml
+# Section de configuration des intégrations
+# avec des produits externes
+integrations:
+  # Intégration avec Kubernetes
+  kubernetes:
+    # Activer/désactiver l'intégration Kubernetes
+    enabled: true
+    # Créer/mettre à jour un Secret automatiquement avec un jeton d'authentification
+    # avec le rôle "writer".
+    # Désactivé si l'attribut est vide ou absent.
+    writerTokenSecret: my-bouncer-admin-writer-token
+    # Namespace de destination du Secret pour le jeton d'authentification
+    # avec le rôle "reader".
+    # Utilise par défaut le namespace courant si absent ou vide.
+    writerTokenSecretNamespace: "my-namespace"
+    # Créer/mettre à jour un Secret automatiquement avec un jeton d'authentification
+    # avec le rôle "reader".
+    # Désactivé si l'attribut est vide ou absent.
+    readerTokenSecret: my-bouncer-admin-reader-token
+    # Namespace de destination du Secret pour le jeton d'authentification
+    # avec le rôle "reader".
+    # Utilise par défaut le namespace courant si absent ou vide.
+    readerTokenSecretNamespace: "my-namespace"
+    # Délai maximum alloué au verrou distribué pour la mise à jour
+    # des secrets.
+    lockTimeout: 30s
+```
+
+Vous devrez également définir un `ServiceAccount` pour votre `Pod` avec un `Role` équivalent au suivant (dans le cas nominal où le `Pod` créait les `Secrets` dans son même namespace):
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: bouncer-admin
+rules:
+  - apiGroups:
+      - ""
+      - v1
+    resources:
+      - secrets
+    verbs:
+      - create
+      - get
+      - update
+```
+
+> **Note**
+>
+> La génération des jetons d'authentification s'effectue à chaque démarrage du serveur d'administration. Un verrou partagé permet d'éviter que plusieurs instances fonctionnant en parallèle essayent de mettre à jour les ressources Kubernetes au même moment.
+>
+> De plus, les jetons seront laissés en l'état si la clé de génération n'a pas été modifiée pour éviter de changer les jetons à chaque redémarrage d'un `Pod` (voir l'annotation `bouncer.cadoles.com/public-key` sur les `Secrets` créés.).
+
+Un exemple fonctionnel de déploiement Kubernetes est disponible dans le répertoire `misc/k8s` du projet.
--- a/go.mod
+++ b/go.mod
@ -1,19 +1,27 @@
 module forge.cadoles.com/cadoles/bouncer

-go 1.20
+go 1.21
+
+toolchain go1.22.0

 require (
 	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20230701194111-c6b3d482cca6
 	github.com/Masterminds/sprig/v3 v3.2.3
+	github.com/bsm/redislock v0.9.4
 	github.com/btcsuite/btcd/btcutil v1.1.3
+	github.com/drone/envsubst v1.0.3
 	github.com/getsentry/sentry-go v0.22.0
 	github.com/go-chi/chi/v5 v5.0.8
 	github.com/jedib0t/go-pretty/v6 v6.4.6
 	github.com/mitchellh/mapstructure v1.4.1
+	github.com/oklog/ulid/v2 v2.1.0
 	github.com/ory/dockertest/v3 v3.10.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/qri-io/jsonschema v0.2.1
 	github.com/redis/go-redis/v9 v9.0.4
+	k8s.io/api v0.29.3
+	k8s.io/apimachinery v0.29.3
+	k8s.io/client-go v0.29.3
 )

 require (
@ -27,22 +35,35 @@ require (
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/docker/cli v20.10.17+incompatible // indirect
 	github.com/docker/docker v20.10.13+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/kr/text v0.2.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.0 // indirect
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opencontainers/runc v1.1.5 // indirect
@ -51,7 +72,6 @@ require (
 	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/qri-io/jsonpointer v0.1.1 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
@ -59,10 +79,21 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/oauth2 v0.10.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220314164441-57ef72a4c106 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.110.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
 )

 require (
@ -79,11 +110,11 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/uuid v1.3.0
 	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc v1.0.4 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.0.11
+	github.com/lestrrat-go/jwx/v2 v2.0.19
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.0 // indirect
 	github.com/lithammer/shortuuid/v4 v4.0.0
@ -95,11 +126,11 @@ require (
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20230419082146-a94d9ed7202b
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/crypto v0.9.0 // indirect
-	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/tools v0.7.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1
--- a/go.sum
+++ b/go.sum
@ -83,7 +83,11 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.7.0 h1:ItPMPH90RbmZJt5GtkcNvIRuGEdwlBItdNVoyzaNQao=
+github.com/bsm/ginkgo/v2 v2.7.0/go.mod h1:AiKlXPm7ItEHNc/2+OkrNG4E0ITzojb9/xWzvQ9XZ9w=
 github.com/bsm/gomega v1.26.0 h1:LhQm+AFcgV2M0WyKroMASzAzCAJVpAxQXv4SaI9a69Y=
+github.com/bsm/gomega v1.26.0/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
+github.com/bsm/redislock v0.9.4 h1:X/Wse1DPpiQgHbVYRE9zv6m070UcKoOGekgvpNhiSvw=
+github.com/bsm/redislock v0.9.4/go.mod h1:Epf7AJLiSFwLCiZcfi6pWFO/8eAYrYpQXFxEDPoDeAk=
 github.com/btcsuite/btcd v0.20.1-beta/go.mod h1:wVuoA8VJLEcwgqHBwHmzLRazpKxTv13Px/pDuV7OomQ=
 github.com/btcsuite/btcd v0.22.0-beta.0.20220111032746-97732e52810c/go.mod h1:tjmYdS6MLJ5/s0Fj4DbLgSbDHbEqLJrtnHecBFkdz5M=
 github.com/btcsuite/btcd v0.23.0/go.mod h1:0QJIIN1wwIXF/3G/m87gIwGniDMDQqjVn4SZgnFpsYY=
@ -143,7 +147,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
-github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
@ -163,6 +166,10 @@ github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKoh
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/drone/envsubst v1.0.3 h1:PCIBwNDYjs50AsLZPYdfhSATKaRg/FJmDc2D6+C2x8g=
+github.com/drone/envsubst v1.0.3/go.mod h1:N2jZmlMufstn1KEqvbHjw40h1KyTmnVzHcSc9bFiJ2g=
+github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
+github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@ -188,9 +195,18 @@ github.com/go-chi/chi/v5 v5.0.8/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITL
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/locales v0.14.0 h1:u50s323jtVGugKlcYeyzC0etD1HifMjqmJqb8WugfUU=
 github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
@ -198,6 +214,9 @@ github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEK
 github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/jYrnRPArHwAcmLoJZxyho=
 github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
+github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@ -237,12 +256,14 @@ github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@ -256,7 +277,12 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@ -274,6 +300,7 @@ github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
@ -307,7 +334,11 @@ github.com/jedib0t/go-pretty/v6 v6.4.6 h1:v6aG9h6Uby3IusSSEjHaZNXpHFhzqMmjXcPq1R
 github.com/jedib0t/go-pretty/v6 v6.4.6/go.mod h1:Ndk3ase2CkQbXLLNf5QDHoYb6J9WtVfmHZu9n8rk2xs=
 github.com/jessevdk/go-flags v0.0.0-20141203071132-1679536dcc89/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jrick/logrotate v1.0.0/go.mod h1:LNinyqDIJnpAur+b8yyulnQw/wDuN1+BYKlTRt3OuAQ=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@ -316,6 +347,7 @@ github.com/kkdai/bstream v0.0.0-20161212061736-f391b8402d23/go.mod h1:J+Gs4SYgM6
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@ -323,23 +355,24 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
 github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w=
 github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
-github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
-github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
+github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
 github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.0.11 h1:ViHMnaMeaO0qV16RZWBHM7GTrAnX2aFLVKofc7FuKLQ=
-github.com/lestrrat-go/jwx/v2 v2.0.11/go.mod h1:ZtPtMFlrfDrH2Y0iwfa3dRFn8VzwBrB+cyrm3IBWdDg=
-github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
+github.com/lestrrat-go/jwx/v2 v2.0.19 h1:ekv1qEZE6BVct89QA+pRF6+4pCpfVrOnEJnTnT4RXoY=
+github.com/lestrrat-go/jwx/v2 v2.0.19/go.mod h1:l3im3coce1lL2cDeAjqmaR+Awx+X8Ih+2k8BuHNJ4CU=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
 github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lithammer/shortuuid/v4 v4.0.0 h1:QRbbVkfgNippHOS8PXDkti4NaWeyYfcBTHtw7k08o4c=
 github.com/lithammer/shortuuid/v4 v4.0.0/go.mod h1:Zs8puNcrvf2rV9rTH51ZLLcj7ZXqQI3lv67aw4KiB1Y=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@ -367,17 +400,31 @@ github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc=
 github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/nkovacs/streamquote v0.0.0-20170412213628-49af9bddb229/go.mod h1:0aYXnNPJ8l7uZxf45rWW1a/uME32OF0rhiYGNQ2oF2E=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU=
+github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA=
 github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
+github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
+github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
+github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM=
@ -389,7 +436,9 @@ github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuh
 github.com/ory/dockertest/v3 v3.10.0 h1:4K3z2VMe8Woe++invjaTB7VRyQXQy5UY+loujO4aNE4=
 github.com/ory/dockertest/v3 v3.10.0/go.mod h1:nr57ZbRWMqfsdGdFNLHz5jjNdDb7VVFnzAeW1n5N1Lg=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
+github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
+github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@ -436,6 +485,8 @@ github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasO
 github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@ -496,8 +547,8 @@ golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -534,9 +585,8 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
-golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -579,9 +629,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -598,6 +647,8 @@ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8=
+golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -610,8 +661,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181128092732-4ed8d59d0b35/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -676,24 +727,20 @@ golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -704,12 +751,13 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@ -765,9 +813,8 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
-golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -810,6 +857,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@ -912,22 +960,26 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
 gopkg.in/go-playground/validator.v9 v9.29.1 h1:SvGtYmN60a5CVKTOzMSyfzWDeZRxRuGvRQyEAKbw1xc=
 gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
@ -936,6 +988,7 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.3.0 h1:MfDY1b1/0xN1CyMlQDac0ziEy9zJQd9CXBRRDHw2jJo=
+gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@ -943,6 +996,24 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
+k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
+k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
+k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
+k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
+k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
+k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
+k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
+k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
+k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
--- a/internal/admin/bootstrap.go
+++ b/internal/admin/bootstrap.go
@ -0,0 +1,112 @@
+package admin
+
+import (
+	"context"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock/redis"
+	"forge.cadoles.com/cadoles/bouncer/internal/schema"
+	"forge.cadoles.com/cadoles/bouncer/internal/setup"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+func (s *Server) bootstrapProxies(ctx context.Context) error {
+	if err := s.validateBootstrap(ctx); err != nil {
+		return errors.Wrap(err, "could not validate bootstrapped proxies")
+	}
+
+	proxyRepo := s.proxyRepository
+	layerRepo := s.layerRepository
+
+	lockTimeout := time.Duration(s.bootstrapConfig.LockTimeout)
+	locker := redis.NewLocker(s.redisClient)
+
+	err := locker.WithLock(ctx, "bouncer-admin-bootstrap", lockTimeout, func(ctx context.Context) error {
+		logger.Info(ctx, "bootstrapping proxies")
+
+		for proxyName, proxyConfig := range s.bootstrapConfig.Proxies {
+			_, err := s.proxyRepository.GetProxy(ctx, proxyName)
+			if !errors.Is(err, store.ErrNotFound) {
+				if err != nil {
+					return errors.WithStack(err)
+				}
+
+				logger.Info(ctx, "ignoring existing proxy", logger.F("proxyName", proxyName))
+				continue
+			}
+
+			logger.Info(ctx, "creating proxy", logger.F("proxyName", proxyName))
+
+			if _, err := proxyRepo.CreateProxy(ctx, proxyName, string(proxyConfig.To), proxyConfig.From...); err != nil {
+				return errors.WithStack(err)
+			}
+
+			_, err = proxyRepo.UpdateProxy(
+				ctx, proxyName,
+				store.WithProxyUpdateEnabled(bool(proxyConfig.Enabled)),
+				store.WithProxyUpdateWeight(int(proxyConfig.Weight)),
+			)
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			for layerName, layerConfig := range proxyConfig.Layers {
+				layerType := store.LayerType(layerConfig.Type)
+				layerOptions := store.LayerOptions(layerConfig.Options)
+
+				if _, err := layerRepo.CreateLayer(ctx, proxyName, layerName, layerType, layerOptions); err != nil {
+					return errors.WithStack(err)
+				}
+
+				_, err := layerRepo.UpdateLayer(
+					ctx,
+					proxyName, layerName,
+					store.WithLayerUpdateEnabled(bool(layerConfig.Enabled)),
+					store.WithLayerUpdateOptions(layerOptions),
+					store.WithLayerUpdateWeight(int(layerConfig.Weight)),
+				)
+				if err != nil {
+					return errors.WithStack(err)
+				}
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+const validateErrMessage = "could not validate proxy '%s': could not validate layer '%s'"
+
+func (s *Server) validateBootstrap(ctx context.Context) error {
+	for proxyName, proxyConf := range s.bootstrapConfig.Proxies {
+		for layerName, layerConf := range proxyConf.Layers {
+			layerType := store.LayerType(layerConf.Type)
+			if !setup.LayerTypeExists(layerType) {
+				return errors.Errorf(validateErrMessage+": could not find layer type '%s'", proxyName, layerName, layerType)
+			}
+
+			layerOptionsSchema, err := setup.GetLayerOptionsSchema(layerType)
+			if err != nil {
+				return errors.Wrapf(err, validateErrMessage, proxyName, layerName)
+			}
+
+			rawOptions := func(opts config.InterpolatedMap) map[string]any {
+				return opts
+			}(layerConf.Options)
+
+			if err := schema.Validate(ctx, layerOptionsSchema, rawOptions); err != nil {
+				return errors.Wrapf(err, validateErrMessage, proxyName, layerName)
+			}
+		}
+	}
+
+	return nil
+}
--- a/internal/admin/init.go
+++ b/internal/admin/init.go
@ -3,11 +3,18 @@ package admin
 import (
 	"context"

+	"forge.cadoles.com/cadoles/bouncer/internal/integration"
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )

 func (s *Server) initRepositories(ctx context.Context) error {
+	if err := s.initRedisClient(ctx); err != nil {
+		return errors.WithStack(err)
+	}
+
 	if err := s.initLayerRepository(ctx); err != nil {
 		return errors.WithStack(err)
 	}
@ -19,8 +26,16 @@ func (s *Server) initRepositories(ctx context.Context) error {
 	return nil
 }

+func (s *Server) initRedisClient(ctx context.Context) error {
+	client := setup.NewRedisClient(ctx, s.redisConfig)
+
+	s.redisClient = client
+
+	return nil
+}
+
 func (s *Server) initLayerRepository(ctx context.Context) error {
-	layerRepository, err := setup.NewLayerRepository(ctx, s.redisConfig)
+	layerRepository, err := setup.NewLayerRepository(ctx, s.redisClient)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -31,7 +46,7 @@ func (s *Server) initLayerRepository(ctx context.Context) error {
 }

 func (s *Server) initProxyRepository(ctx context.Context) error {
-	proxyRepository, err := setup.NewProxyRepository(ctx, s.redisConfig)
+	proxyRepository, err := setup.NewProxyRepository(ctx, s.redisClient)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -40,3 +55,34 @@ func (s *Server) initProxyRepository(ctx context.Context) error {

 	return nil
 }
+
+func (s *Server) initPrivateKey(ctx context.Context) error {
+	localKey, err := jwk.LoadOrGenerate(string(s.serverConfig.Auth.PrivateKey), jwk.DefaultKeySize)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	ctx = integration.WithPrivateKey(ctx, localKey)
+
+	key, err := integration.RunOnKeyLoad(ctx, s.integrations)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if key != nil {
+		s.privateKey = key
+	} else {
+		s.privateKey = localKey
+	}
+
+	logger.Info(ctx, "using private key", logger.F("keyID", s.privateKey.KeyID()))
+
+	publicKeys, err := jwk.PublicKeySet(s.privateKey)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	s.publicKeys = publicKeys
+
+	return nil
+}
--- a/internal/admin/layer_route.go
+++ b/internal/admin/layer_route.go
@ -51,15 +51,6 @@ func (s *Server) queryLayer(w http.ResponseWriter, r *http.Request) {
 	})
 }

-func validateLayerName(v string) (store.LayerName, error) {
-	name, err := store.ValidateName(v)
-	if err != nil {
-		return "", errors.WithStack(err)
-	}
-
-	return store.LayerName(name), nil
-}
-
 type GetLayerResponse struct {
 	Layer *store.Layer `json:"layer"`
 }
--- a/internal/admin/option.go
+++ b/internal/admin/option.go
@ -2,11 +2,14 @@ package admin

 import (
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/integration"
 )

 type Option struct {
-	ServerConfig config.AdminServerConfig
-	RedisConfig  config.RedisConfig
+	BootstrapConfig config.BootstrapConfig
+	ServerConfig    config.AdminServerConfig
+	RedisConfig     config.RedisConfig
+	Integrations    []integration.Integration
 }

 type OptionFunc func(*Option)
@ -15,6 +18,7 @@ func defaultOption() *Option {
 	return &Option{
 		ServerConfig: config.NewDefaultAdminServerConfig(),
 		RedisConfig:  config.NewDefaultRedisConfig(),
+		Integrations: make([]integration.Integration, 0),
 	}
 }

@ -29,3 +33,15 @@ func WithRedisConfig(conf config.RedisConfig) OptionFunc {
 		opt.RedisConfig = conf
 	}
 }
+
+func WithBootstrapConfig(conf config.BootstrapConfig) OptionFunc {
+	return func(opt *Option) {
+		opt.BootstrapConfig = conf
+	}
+}
+
+func WithIntegrations(integrations ...integration.Integration) OptionFunc {
+	return func(opt *Option) {
+		opt.Integrations = integrations
+	}
+}
--- a/internal/admin/proxy_route.go
+++ b/internal/admin/proxy_route.go
@ -114,6 +114,23 @@ func (s *Server) deleteProxy(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	layers, err := s.layerRepository.QueryLayers(ctx, proxyName)
+	if err != nil {
+		logAndCaptureError(ctx, "could not query proxy's layers", errors.WithStack(err))
+		api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil)
+
+		return
+	}
+
+	for _, layer := range layers {
+		if err := s.layerRepository.DeleteLayer(ctx, proxyName, layer.Name); err != nil {
+			logAndCaptureError(ctx, "could not delete layer", errors.WithStack(err))
+			api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil)
+
+			return
+		}
+	}
+
 	api.DataResponse(w, http.StatusOK, DeleteProxyResponse{
 		ProxyName: proxyName,
 	})
--- a/internal/admin/server.go
+++ b/internal/admin/server.go
@ -11,6 +11,7 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
 	bouncerChi "forge.cadoles.com/cadoles/bouncer/internal/chi"
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/integration"
 	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	sentryhttp "github.com/getsentry/sentry-go/http"
@ -19,14 +20,24 @@ import (
 	"github.com/go-chi/cors"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/redis/go-redis/v9"
 	"gitlab.com/wpetit/goweb/logger"
 )

 type Server struct {
-	serverConfig    config.AdminServerConfig
-	redisConfig     config.RedisConfig
+	serverConfig config.AdminServerConfig
+	redisConfig  config.RedisConfig
+
+	redisClient redis.UniversalClient
+
+	integrations []integration.Integration
+
+	bootstrapConfig config.BootstrapConfig
 	proxyRepository store.ProxyRepository
 	layerRepository store.LayerRepository
+
+	privateKey jwk.Key
+	publicKeys jwk.Set
 }

 func (s *Server) Start(ctx context.Context) (<-chan net.Addr, <-chan error) {
@ -53,6 +64,27 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		return
 	}

+	if err := s.bootstrapProxies(ctx); err != nil {
+		errs <- errors.WithStack(err)
+
+		return
+	}
+
+	if err := s.initPrivateKey(ctx); err != nil {
+		errs <- errors.WithStack(err)
+
+		return
+	}
+
+	ctx = integration.WithPrivateKey(ctx, s.privateKey)
+	ctx = integration.WithPublicKeySet(ctx, s.publicKeys)
+
+	if err := integration.RunOnStartup(ctx, s.integrations); err != nil {
+		errs <- errors.WithStack(err)
+
+		return
+	}
+
 	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", s.serverConfig.HTTP.Host, s.serverConfig.HTTP.Port))
 	if err != nil {
 		errs <- errors.WithStack(err)
@ -76,20 +108,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		}
 	}()

-	key, err := jwk.LoadOrGenerate(string(s.serverConfig.Auth.PrivateKey), jwk.DefaultKeySize)
-	if err != nil {
-		errs <- errors.WithStack(err)
-
-		return
-	}
-
-	keys, err := jwk.PublicKeySet(key)
-	if err != nil {
-		errs <- errors.WithStack(err)
-
-		return
-	}
-
 	router := chi.NewRouter()

 	if s.serverConfig.HTTP.UseRealIP {
@ -140,7 +158,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	router.Route("/api/v1", func(r chi.Router) {
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(
-				jwt.NewAuthenticator(keys, string(s.serverConfig.Auth.Issuer), jwt.DefaultAcceptableSkew),
+				jwt.NewAuthenticator(s.publicKeys, string(s.serverConfig.Auth.Issuer), jwt.DefaultAcceptableSkew),
 			))

 			r.Route("/proxies", func(r chi.Router) {
@ -175,7 +193,9 @@ func NewServer(funcs ...OptionFunc) *Server {
 	}

 	return &Server{
-		serverConfig: opt.ServerConfig,
-		redisConfig:  opt.RedisConfig,
+		serverConfig:    opt.ServerConfig,
+		redisConfig:     opt.RedisConfig,
+		bootstrapConfig: opt.BootstrapConfig,
+		integrations:    opt.Integrations,
 	}
 }
--- a/internal/auth/jwt/jwt.go
+++ b/internal/auth/jwt/jwt.go
@ -16,6 +16,7 @@ const keyRole = "role"
 func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
 	token, err := jwt.Parse(
 		[]byte(rawToken),
+		jwt.WithContext(ctx),
 		jwt.WithKeySet(keys, jws.WithRequireKid(false)),
 		jwt.WithIssuer(issuer),
 		jwt.WithValidate(true),
@ -60,3 +61,17 @@ func GenerateToken(ctx context.Context, key jwk.Key, issuer, subject string, rol

 	return string(rawToken), nil
 }
+
+func GenerateTokenWithPrivateKey(ctx context.Context, privateKeyFile string, issuer string, subject string, role Role) (string, jwk.Key, error) {
+	key, err := jwk.LoadOrGenerate(privateKeyFile, jwk.DefaultKeySize)
+	if err != nil {
+		return "", nil, errors.WithStack(err)
+	}
+
+	token, err := GenerateToken(ctx, key, issuer, subject, role)
+	if err != nil {
+		return "", nil, errors.WithStack(err)
+	}
+
+	return token, key, nil
+}
--- a/internal/chi/log_formatter.go
+++ b/internal/chi/log_formatter.go
@ -16,6 +16,7 @@ type LogFormatter struct{}
 func (*LogFormatter) NewLogEntry(r *http.Request) middleware.LogEntry {
 	return &LogEntry{
 		method: r.Method,
+		host:   r.Host,
 		path:   r.URL.Path,
 		ctx:    r.Context(),
 	}
@ -29,6 +30,7 @@ var _ middleware.LogFormatter = &LogFormatter{}

 type LogEntry struct {
 	method string
+	host   string
 	path   string
 	ctx    context.Context
 }
@ -41,6 +43,7 @@ func (e *LogEntry) Panic(v interface{}, stack []byte) {
 // Write implements middleware.LogEntry
 func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
 	logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
+		logger.F("host", e.host),
 		logger.F("status", status),
 		logger.F("bytes", bytes),
 		logger.F("elapsed", elapsed),
--- a/internal/command/auth/create_token.go
+++ b/internal/command/auth/create_token.go
@ -5,7 +5,6 @@ import (

 	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/common"
-	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
 	"github.com/lithammer/shortuuid/v4"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
@ -30,20 +29,15 @@ func CreateTokenCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			conf, err := common.LoadConfig(ctx)
 			if err != nil {
-				return errors.Wrap(err, "Could not load configuration")
+				return errors.Wrap(err, "could not load configuration")
 			}

 			subject := ctx.String("subject")
 			role := ctx.String("role")

-			key, err := jwk.LoadOrGenerate(string(conf.Admin.Auth.PrivateKey), jwk.DefaultKeySize)
+			token, _, err := jwt.GenerateTokenWithPrivateKey(ctx.Context, string(conf.Admin.Auth.PrivateKey), string(conf.Admin.Auth.Issuer), subject, jwt.Role(role))
 			if err != nil {
-				return errors.WithStack(err)
-			}
-
-			token, err := jwt.GenerateToken(ctx.Context, key, string(conf.Admin.Auth.Issuer), subject, jwt.Role(role))
-			if err != nil {
-				return errors.WithStack(err)
+				return errors.Wrap(err, "could not generate token")
 			}

 			fmt.Println(token)
--- a/internal/command/server/admin/run.go
+++ b/internal/command/server/admin/run.go
@ -12,8 +12,14 @@ import (
 	"gitlab.com/wpetit/goweb/logger"
 )

+const (
+	flagPrintDefaultToken = "print-default-token"
+)
+
 func RunCommand() *cli.Command {
-	flags := common.Flags()
+	flags := append(
+		common.Flags(),
+	)

 	return &cli.Command{
 		Name:  "run",
@ -36,9 +42,16 @@ func RunCommand() *cli.Command {

 			defer flushSentry()

+			integrations, err := setup.SetupIntegrations(ctx.Context, conf)
+			if err != nil {
+				return errors.Wrap(err, "could not setup integrations")
+			}
+
 			srv := admin.NewServer(
 				admin.WithServerConfig(conf.Admin),
 				admin.WithRedisConfig(conf.Redis),
+				admin.WithBootstrapConfig(conf.Bootstrap),
+				admin.WithIntegrations(integrations...),
 			)

 			addrs, srvErrs := srv.Start(ctx.Context)
--- a/internal/config/bootstrap.go
+++ b/internal/config/bootstrap.go
@ -0,0 +1,104 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v3"
+)
+
+type BootstrapConfig struct {
+	Proxies     map[store.ProxyName]BootstrapProxyConfig `yaml:"proxies"`
+	Dir         InterpolatedString                       `yaml:"dir"`
+	LockTimeout InterpolatedDuration                     `yaml:"lockTimeout"`
+}
+
+func (c *BootstrapConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	src := struct {
+		Proxies map[store.ProxyName]BootstrapProxyConfig `yaml:"proxies"`
+		Dir     InterpolatedString                       `yaml:"dir"`
+	}{
+		Proxies: make(map[store.ProxyName]BootstrapProxyConfig),
+		Dir:     "",
+	}
+
+	if err := unmarshal(&src); err != nil {
+		return errors.WithStack(err)
+	}
+
+	c.Proxies = src.Proxies
+	c.Dir = src.Dir
+
+	if src.Dir != "" {
+		proxies, err := loadBootstrapDir(string(src.Dir))
+		if err != nil {
+			return errors.Wrapf(err, "could not load bootstrap dir '%s'", src.Dir)
+		}
+
+		c.Proxies = overrideProxies(c.Proxies, proxies)
+	}
+
+	return nil
+}
+
+type BootstrapProxyConfig struct {
+	Enabled InterpolatedBool                         `yaml:"enabled"`
+	Weight  InterpolatedInt                          `yaml:"weight"`
+	To      InterpolatedString                       `yaml:"to"`
+	From    InterpolatedStringSlice                  `yaml:"from"`
+	Layers  map[store.LayerName]BootstrapLayerConfig `yaml:"layers"`
+}
+
+type BootstrapLayerConfig struct {
+	Enabled InterpolatedBool   `yaml:"enabled"`
+	Type    InterpolatedString `yaml:"type"`
+	Weight  InterpolatedInt    `yaml:"weight"`
+	Options InterpolatedMap    `yaml:"options"`
+}
+
+func NewDefaultBootstrapConfig() BootstrapConfig {
+	return BootstrapConfig{
+		Dir:         "",
+		LockTimeout: *NewInterpolatedDuration(30 * time.Second),
+	}
+}
+
+func loadBootstrapDir(dir string) (map[store.ProxyName]BootstrapProxyConfig, error) {
+	pattern := filepath.Join(dir, "*.yml")
+
+	files, err := filepath.Glob(pattern)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	proxies := make(map[store.ProxyName]BootstrapProxyConfig)
+	for _, f := range files {
+		data, err := os.ReadFile(f)
+		if err != nil {
+			return nil, errors.Wrapf(err, "could not read file '%s'", f)
+		}
+
+		proxy := BootstrapProxyConfig{}
+
+		if err := yaml.Unmarshal(data, &proxy); err != nil {
+			return nil, errors.Wrapf(err, "could not unmarshal proxy")
+		}
+
+		name := store.ProxyName(strings.TrimSuffix(filepath.Base(f), filepath.Ext(f)))
+		proxies[name] = proxy
+	}
+
+	return proxies, nil
+}
+
+func overrideProxies(base map[store.ProxyName]BootstrapProxyConfig, proxies map[store.ProxyName]BootstrapProxyConfig) map[store.ProxyName]BootstrapProxyConfig {
+	for name, proxy := range proxies {
+		base[name] = proxy
+	}
+
+	return base
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -2,7 +2,7 @@ package config

 import (
 	"io"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v3"
@ -10,18 +10,20 @@ import (

 // Config definition
 type Config struct {
-	Admin  AdminServerConfig `yaml:"admin"`
-	Proxy  ProxyServerConfig `yaml:"proxy"`
-	Redis  RedisConfig       `yaml:"redis"`
-	Logger LoggerConfig      `yaml:"logger"`
-	Layers LayersConfig      `yaml:"layers"`
+	Admin        AdminServerConfig  `yaml:"admin"`
+	Proxy        ProxyServerConfig  `yaml:"proxy"`
+	Redis        RedisConfig        `yaml:"redis"`
+	Logger       LoggerConfig       `yaml:"logger"`
+	Layers       LayersConfig       `yaml:"layers"`
+	Bootstrap    BootstrapConfig    `yaml:"bootstrap"`
+	Integrations IntegrationsConfig `yaml:"integrations"`
 }

 // NewFromFile retrieves the configuration from the given file
 func NewFromFile(path string) (*Config, error) {
 	config := NewDefault()

-	data, err := ioutil.ReadFile(path)
+	data, err := os.ReadFile(path)
 	if err != nil {
 		return nil, errors.Wrapf(err, "could not read file '%s'", path)
 	}
@ -43,11 +45,13 @@ func NewDumpDefault() *Config {
 // NewDefault return new default configuration
 func NewDefault() *Config {
 	return &Config{
-		Admin:  NewDefaultAdminServerConfig(),
-		Proxy:  NewDefaultProxyServerConfig(),
-		Logger: NewDefaultLoggerConfig(),
-		Redis:  NewDefaultRedisConfig(),
-		Layers: NewDefaultLayersConfig(),
+		Admin:        NewDefaultAdminServerConfig(),
+		Proxy:        NewDefaultProxyServerConfig(),
+		Logger:       NewDefaultLoggerConfig(),
+		Redis:        NewDefaultRedisConfig(),
+		Layers:       NewDefaultLayersConfig(),
+		Bootstrap:    NewDefaultBootstrapConfig(),
+		Integrations: NewDefaultIntegrationsConfig(),
 	}
 }

--- a/internal/config/environment.go
+++ b/internal/config/environment.go
@ -6,11 +6,13 @@ import (
 	"strconv"
 	"time"

+	"github.com/drone/envsubst"
 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v3"
 )

-var reVar = regexp.MustCompile(`^\${(\w+)}$`)
+// var reVar = regexp.MustCompile(`^\${(\w+)}$`)
+var reVar = regexp.MustCompile(`\${(.*?)}`)

 type InterpolatedString string

@ -130,14 +132,22 @@ type InterpolatedStringSlice []string

 func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
 	var data []string
+	var evErr error

 	if err := value.Decode(&data); err != nil {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}

 	for index, value := range data {
-		if match := reVar.FindStringSubmatch(value); len(match) > 0 {
-			value = os.Getenv(match[1])
+		//match := reVar.FindStringSubmatch(value)
+		re := regexp.MustCompile(`\${(.*?)}`)
+
+		res := re.FindAllStringSubmatch(value, 10)
+		if len(res) > 0 {
+			value, evErr = envsubst.EvalEnv(value)
+			if evErr != nil {
+				return evErr
+			}
 		}

 		data[index] = value
--- a/internal/config/integrations.go
+++ b/internal/config/integrations.go
@ -0,0 +1,33 @@
+package config
+
+import "time"
+
+type IntegrationsConfig struct {
+	Kubernetes KubernetesConfig `yaml:"kubernetes"`
+}
+
+func NewDefaultIntegrationsConfig() IntegrationsConfig {
+	return IntegrationsConfig{
+		Kubernetes: KubernetesConfig{
+			Enabled:                    false,
+			WriterTokenSecret:          "",
+			WriterTokenSecretNamespace: "",
+			ReaderTokenSecretNamespace: "",
+			PrivateKeySecret:           "",
+			PrivateKeySecretNamespace:  "",
+			ReaderTokenSecret:          "",
+			LockTimeout:                *NewInterpolatedDuration(30 * time.Second),
+		},
+	}
+}
+
+type KubernetesConfig struct {
+	Enabled                    InterpolatedBool     `yaml:"enabled"`
+	WriterTokenSecret          InterpolatedString   `yaml:"writerTokenSecret"`
+	WriterTokenSecretNamespace InterpolatedString   `yaml:"writerTokenSecretNamespace"`
+	ReaderTokenSecret          InterpolatedString   `yaml:"readerTokenSecret"`
+	ReaderTokenSecretNamespace InterpolatedString   `yaml:"readerTokenSecretNamespace"`
+	PrivateKeySecret           InterpolatedString   `yaml:"privateKeySecret"`
+	PrivateKeySecretNamespace  InterpolatedString   `yaml:"privateKeySecretNamespace"`
+	LockTimeout                InterpolatedDuration `yaml:"lockTimeout"`
+}
--- a/internal/config/redis.go
+++ b/internal/config/redis.go
@ -1,5 +1,7 @@
 package config

+import "time"
+
 const (
 	RedisModeSimple   = "simple"
 	RedisModeSentinel = "sentinel"
@ -7,13 +9,19 @@ const (
 )

 type RedisConfig struct {
-	Adresses InterpolatedStringSlice `yaml:"addresses"`
-	Master   InterpolatedString      `yaml:"master"`
+	Adresses     InterpolatedStringSlice `yaml:"addresses"`
+	Master       InterpolatedString      `yaml:"master"`
+	ReadTimeout  InterpolatedDuration    `yaml:"readTimeout"`
+	WriteTimeout InterpolatedDuration    `yaml:"writeTimeout"`
+	DialTimeout  InterpolatedDuration    `yaml:"dialTimeout"`
 }

 func NewDefaultRedisConfig() RedisConfig {
 	return RedisConfig{
-		Adresses: InterpolatedStringSlice{"localhost:6379"},
-		Master:   "",
+		Adresses:     InterpolatedStringSlice{"localhost:6379"},
+		Master:       "",
+		ReadTimeout:  InterpolatedDuration(30 * time.Second),
+		WriteTimeout: InterpolatedDuration(30 * time.Second),
+		DialTimeout:  InterpolatedDuration(30 * time.Second),
 	}
 }
--- a/internal/config/testdata/config.yml
+++ b/internal/config/testdata/config.yml
@ -2,5 +2,5 @@ logger:
  level: 0
  format: human
 http:
-  host: "0.0.0.0"
-  port: 3000
+  host: "${LISTEN_ADDR}"
+  port: 3000
--- a/internal/integration/context.go
+++ b/internal/integration/context.go
@ -0,0 +1,49 @@
+package integration
+
+import (
+	"context"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"github.com/pkg/errors"
+)
+
+var (
+	ErrNotFound = errors.New("not found")
+)
+
+type contextKey string
+
+const (
+	ctxPublicKeySet contextKey = "public-key-set"
+	ctxPrivateKey   contextKey = "private-key"
+)
+
+func CtxPublicKeySet(ctx context.Context) (jwk.Set, error) {
+	return ctxValue[jwk.Set](ctx, ctxPublicKeySet)
+}
+
+func WithPublicKeySet(ctx context.Context, set jwk.Set) context.Context {
+	return context.WithValue(ctx, ctxPublicKeySet, set)
+}
+
+func CtxPrivateKey(ctx context.Context) (jwk.Key, error) {
+	return ctxValue[jwk.Key](ctx, ctxPrivateKey)
+}
+
+func WithPrivateKey(ctx context.Context, key jwk.Key) context.Context {
+	return context.WithValue(ctx, ctxPrivateKey, key)
+}
+
+func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {
+	raw := ctx.Value(key)
+	if raw == nil {
+		return *new(T), errors.WithStack(ErrNotFound)
+	}
+
+	value, ok := raw.(T)
+	if !ok {
+		return *new(T), errors.Errorf("unexpected value type '%T'", raw)
+	}
+
+	return value, nil
+}
--- a/internal/integration/integration.go
+++ b/internal/integration/integration.go
@ -0,0 +1,57 @@
+package integration
+
+import (
+	"context"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"github.com/pkg/errors"
+)
+
+type Integration interface {
+	Integration()
+}
+
+type OnStartup interface {
+	Integration
+	OnStartup(ctx context.Context) error
+}
+
+type OnKeyLoad interface {
+	Integration
+	OnKeyLoad(ctx context.Context) (jwk.Key, error)
+}
+
+func RunOnStartup(ctx context.Context, integrations []Integration) error {
+	for _, it := range integrations {
+		onStartup, ok := it.(OnStartup)
+		if !ok {
+			continue
+		}
+
+		if err := onStartup.OnStartup(ctx); err != nil {
+			return errors.WithStack(err)
+		}
+	}
+
+	return nil
+}
+
+func RunOnKeyLoad(ctx context.Context, integrations []Integration) (jwk.Key, error) {
+	for _, it := range integrations {
+		onKeyLoad, ok := it.(OnKeyLoad)
+		if !ok {
+			continue
+		}
+
+		key, err := onKeyLoad.OnKeyLoad(ctx)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		if key != nil {
+			return key, nil
+		}
+	}
+
+	return nil, nil
+}
--- a/internal/integration/kubernetes/integration.go
+++ b/internal/integration/kubernetes/integration.go
@ -0,0 +1,293 @@
+package kubernetes
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
+	"forge.cadoles.com/cadoles/bouncer/internal/integration"
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+	v1 "k8s.io/api/core/v1"
+	k8serr "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+const (
+	namespaceFile      = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
+	writerTokenSubject = "bouncer-admin-kubernetes-writer"
+	readerTokenSubject = "bouncer-admin-kubernetes-reader"
+)
+
+type Integration struct {
+	Options *Options
+}
+
+// OnKeyLoad implements integration.OnKeyLoad.
+func (i *Integration) OnKeyLoad(ctx context.Context) (jwk.Key, error) {
+	locker := i.Options.Locker
+	timeout := i.Options.LockTimeout
+
+	var key jwk.Key
+	err := locker.WithLock(ctx, "bouncer-kubernetes-onkeyload", timeout, func(ctx context.Context) error {
+		client, err := i.getClient()
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		if i.Options.PrivateKeySecret != "" {
+			sharedPrivateKey, err := i.getSharedPrivateKey(ctx, client, i.Options.PrivateKeySecretNamespace, i.Options.PrivateKeySecret)
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			if sharedPrivateKey != nil {
+				key = sharedPrivateKey
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return key, nil
+}
+
+// Integration implements integration.OnStartup.
+func (i *Integration) Integration() {}
+
+// OnStartup implements integration.OnStartup.
+func (i *Integration) OnStartup(ctx context.Context) error {
+	locker := i.Options.Locker
+	timeout := i.Options.LockTimeout
+	err := locker.WithLock(ctx, "bouncer-kubernetes-onstartup", timeout, func(ctx context.Context) error {
+		client, err := i.getClient()
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		if i.Options.WriterTokenSecret != "" {
+			if err := i.upsertTokenSecret(ctx, client, i.Options.WriterTokenSecretNamespace, i.Options.WriterTokenSecret, writerTokenSubject, jwt.RoleWriter); err != nil {
+				return errors.Wrap(err, "could not upsert writer token secret")
+			}
+		}
+
+		if i.Options.ReaderTokenSecret != "" {
+			if err := i.upsertTokenSecret(ctx, client, i.Options.ReaderTokenSecretNamespace, i.Options.ReaderTokenSecret, readerTokenSubject, jwt.RoleReader); err != nil {
+				return errors.Wrap(err, "could not upsert reader token secret")
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+func (i *Integration) getClient() (*kubernetes.Clientset, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return client, nil
+}
+
+const (
+	annotationPublicKey = "bouncer.cadoles.com/public-key"
+)
+
+func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.Clientset, namespace string, name string, subject string, role jwt.Role) error {
+	if namespace == "" {
+		defaultNamespace, err := i.getCurrentNamespace()
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		namespace = defaultNamespace
+	}
+
+	ctx = logger.With(ctx,
+		logger.F("secretNamespace", namespace),
+		logger.F("secretName", name),
+		logger.F("tokenRole", role),
+		logger.F("tokenSubject", subject),
+	)
+
+	logger.Debug(ctx, "generating new token")
+
+	alreadyExists := true
+	secret, err := client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil {
+		if k8serr.IsNotFound(err) {
+			alreadyExists = false
+		} else {
+			return errors.WithStack(err)
+		}
+	}
+
+	privateKey, err := integration.CtxPrivateKey(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	keySet, err := integration.CtxPublicKeySet(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	publicKeyThumbprint, err := getKeySetThumbprint(keySet)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if !alreadyExists {
+		token, err := jwt.GenerateToken(ctx, privateKey, i.Options.Issuer, subject, role)
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		secret := &v1.Secret{
+			Type: v1.SecretTypeOpaque,
+			ObjectMeta: metav1.ObjectMeta{
+				Name: name,
+				Annotations: map[string]string{
+					annotationPublicKey: publicKeyThumbprint,
+				},
+			},
+			StringData: map[string]string{
+				"token": token,
+			},
+		}
+
+		logger.Info(ctx, "creating token secret")
+
+		if _, err := client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
+			return errors.WithStack(err)
+		}
+	} else {
+		existingPublicKeyHash, exists := secret.Annotations[annotationPublicKey]
+		if !exists || publicKeyThumbprint != existingPublicKeyHash {
+			token, err := jwt.GenerateToken(ctx, privateKey, i.Options.Issuer, subject, role)
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			secret.StringData = map[string]string{
+				"token": token,
+			}
+
+			if secret.Annotations == nil {
+				secret.Annotations = make(map[string]string)
+			}
+
+			secret.Annotations[annotationPublicKey] = publicKeyThumbprint
+
+			logger.Info(ctx, "updating token secret")
+
+			if _, err := client.CoreV1().Secrets(namespace).Update(ctx, secret, metav1.UpdateOptions{}); err != nil {
+				return errors.WithStack(err)
+			}
+		} else {
+			logger.Info(ctx, "key did not changed, doing nothing")
+		}
+	}
+
+	return nil
+}
+
+func (i *Integration) getSharedPrivateKey(ctx context.Context, client *kubernetes.Clientset, namespace string, name string) (jwk.Key, error) {
+	if namespace == "" {
+		defaultNamespace, err := i.getCurrentNamespace()
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		namespace = defaultNamespace
+	}
+
+	ctx = logger.With(ctx,
+		logger.F("secretNamespace", namespace),
+		logger.F("secretName", name),
+	)
+
+	logger.Debug(ctx, "searching shared private key from secret")
+
+	secret, err := client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil && !k8serr.IsNotFound(err) {
+		return nil, errors.WithStack(err)
+	}
+
+	rawPrivateKey, exists := secret.Data["key"]
+
+	if exists && len(rawPrivateKey) != 0 {
+		key, err := jwk.ParseKey(rawPrivateKey)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		return key, nil
+	}
+
+	localKey, err := integration.CtxPrivateKey(ctx)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	rawLocalKey, err := json.Marshal(localKey)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	secret = &v1.Secret{
+		Type: v1.SecretTypeOpaque,
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Data: map[string][]byte{
+			"key": rawLocalKey,
+		},
+	}
+
+	if _, err := client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return localKey, nil
+}
+
+func (i *Integration) getCurrentNamespace() (string, error) {
+	namespace, err := os.ReadFile(namespaceFile)
+	if err != nil {
+		return "", errors.Wrap(err, "could not retrieve current namespace")
+	}
+
+	return string(namespace), nil
+}
+
+func NewIntegration(funcs ...OptionFunc) *Integration {
+	opts := NewOptions(funcs...)
+
+	return &Integration{
+		Options: opts,
+	}
+}
+
+var (
+	_ integration.OnStartup = &Integration{}
+	_ integration.OnKeyLoad = &Integration{}
+)
--- a/internal/integration/kubernetes/keyset.go
+++ b/internal/integration/kubernetes/keyset.go
@ -0,0 +1,41 @@
+package kubernetes
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/sha256"
+	"fmt"
+	"slices"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"github.com/pkg/errors"
+)
+
+func getKeySetThumbprint(set jwk.Set) (string, error) {
+	data := make([][]byte, 0, set.Len())
+
+	for i := 0; i < set.Len(); i++ {
+		key, exists := set.Key(i)
+		if !exists {
+			continue
+		}
+
+		thumbprint, err := key.Thumbprint(crypto.SHA256)
+		if err != nil {
+			return "", errors.WithStack(err)
+		}
+
+		data = append(data, thumbprint)
+	}
+
+	slices.SortFunc(data, bytes.Compare)
+
+	hash := sha256.New()
+	for _, d := range data {
+		if _, err := hash.Write(d); err != nil {
+			return "", errors.WithStack(err)
+		}
+	}
+
+	return fmt.Sprintf("%x", hash.Sum(nil)), nil
+}
--- a/internal/integration/kubernetes/options.go
+++ b/internal/integration/kubernetes/options.go
@ -0,0 +1,95 @@
+package kubernetes
+
+import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/lock"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock/memory"
+)
+
+type Options struct {
+	WriterTokenSecret          string
+	WriterTokenSecretNamespace string
+	ReaderTokenSecret          string
+	ReaderTokenSecretNamespace string
+	PrivateKeySecret           string
+	PrivateKeySecretNamespace  string
+	Issuer                     string
+	Locker                     lock.Locker
+	LockTimeout                time.Duration
+}
+
+type OptionFunc func(opts *Options)
+
+func NewOptions(funcs ...OptionFunc) *Options {
+	opts := &Options{
+		WriterTokenSecret:          "",
+		WriterTokenSecretNamespace: "",
+		ReaderTokenSecret:          "",
+		ReaderTokenSecretNamespace: "",
+		PrivateKeySecret:           "",
+		PrivateKeySecretNamespace:  "",
+		Issuer:                     "",
+		Locker:                     memory.NewLocker(),
+		LockTimeout:                30 * time.Second,
+	}
+	for _, fn := range funcs {
+		fn(opts)
+	}
+
+	return opts
+}
+
+func WithWriterTokenSecret(secretName string) OptionFunc {
+	return func(opts *Options) {
+		opts.WriterTokenSecret = secretName
+	}
+}
+
+func WithWriterTokenSecretNamespace(namespace string) OptionFunc {
+	return func(opts *Options) {
+		opts.WriterTokenSecretNamespace = namespace
+	}
+}
+
+func WithReaderTokenSecret(secretName string) OptionFunc {
+	return func(opts *Options) {
+		opts.ReaderTokenSecret = secretName
+	}
+}
+
+func WithReaderTokenSecretNamespace(namespace string) OptionFunc {
+	return func(opts *Options) {
+		opts.ReaderTokenSecretNamespace = namespace
+	}
+}
+
+func WithPrivateKeySecret(secretName string) OptionFunc {
+	return func(opts *Options) {
+		opts.PrivateKeySecret = secretName
+	}
+}
+
+func WithPrivateKeySecretNamespace(namespace string) OptionFunc {
+	return func(opts *Options) {
+		opts.PrivateKeySecretNamespace = namespace
+	}
+}
+
+func WithIssuer(issuer string) OptionFunc {
+	return func(opts *Options) {
+		opts.Issuer = issuer
+	}
+}
+
+func WithLocker(locker lock.Locker) OptionFunc {
+	return func(opts *Options) {
+		opts.Locker = locker
+	}
+}
+
+func WithLockTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.LockTimeout = timeout
+	}
+}
--- a/internal/jwk/jwk.go
+++ b/internal/jwk/jwk.go
@ -4,13 +4,13 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/json"
-	"io/ioutil"
 	"os"

 	"github.com/btcsuite/btcd/btcutil/base58"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/oklog/ulid/v2"

 	"github.com/pkg/errors"
 )
@ -24,8 +24,9 @@ type (
 )

 var (
-	FromRaw = jwk.FromRaw
-	NewSet  = jwk.NewSet
+	FromRaw  = jwk.FromRaw
+	NewSet   = jwk.NewSet
+	ParseKey = jwk.ParseKey
 )

 const AlgorithmKey = jwk.AlgorithmKey
@ -56,7 +57,7 @@ func PublicKeySet(keys ...jwk.Key) (jwk.Set, error) {
 }

 func LoadOrGenerate(path string, size int) (jwk.Key, error) {
-	data, err := ioutil.ReadFile(path)
+	data, err := os.ReadFile(path)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return nil, errors.WithStack(err)
 	}
@ -72,7 +73,7 @@ func LoadOrGenerate(path string, size int) (jwk.Key, error) {
 			return nil, errors.WithStack(err)
 		}

-		if err := ioutil.WriteFile(path, data, 0o640); err != nil {
+		if err := os.WriteFile(path, data, 0o640); err != nil {
 			return nil, errors.WithStack(err)
 		}
 	}
@ -96,6 +97,12 @@ func Generate(size int) (jwk.Key, error) {
 		return nil, errors.WithStack(err)
 	}

+	keyID := ulid.Make().String()
+
+	if err := key.Set(jwk.KeyIDKey, keyID); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
 	return key, nil
 }

--- a/internal/lock/locker.go
+++ b/internal/lock/locker.go
@ -0,0 +1,10 @@
+package lock
+
+import (
+	"context"
+	"time"
+)
+
+type Locker interface {
+	WithLock(ctx context.Context, key string, timeout time.Duration, fn func(ctx context.Context) error) error
+}
--- a/internal/lock/memory/locker.go
+++ b/internal/lock/memory/locker.go
@ -0,0 +1,45 @@
+package memory
+
+import (
+	"context"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/lock"
+	"github.com/pkg/errors"
+)
+
+var (
+	ErrTimeout = errors.New("timeout")
+)
+
+type Locker struct {
+	lock chan struct{}
+}
+
+// WithLock implements lock.Locker.
+func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration, fn func(ctx context.Context) error) error {
+	select {
+	case l.lock <- struct{}{}:
+		defer func() {
+			<-l.lock
+		}()
+		if err := fn(ctx); err != nil {
+			return errors.WithStack(err)
+		}
+	case <-ctx.Done():
+		return errors.WithStack(ctx.Err())
+
+	case <-time.After(timeout):
+		return errors.WithStack(ErrTimeout)
+	}
+
+	return nil
+}
+
+func NewLocker() *Locker {
+	return &Locker{
+		lock: make(chan struct{}, 1),
+	}
+}
+
+var _ lock.Locker = &Locker{}
--- a/internal/lock/redis/locker.go
+++ b/internal/lock/redis/locker.go
@ -0,0 +1,59 @@
+package redis
+
+import (
+	"context"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/lock"
+	"github.com/bsm/redislock"
+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+type Locker struct {
+	client  redis.UniversalClient
+	timeout time.Duration
+}
+
+// WithLock implements lock.Locker.
+func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration, fn func(ctx context.Context) error) error {
+	locker := redislock.New(l.client)
+
+	backoff := redislock.ExponentialBackoff(time.Second, timeout*2)
+
+	ctx = logger.With(ctx, logger.F("lockTimeout", timeout), logger.F("lockKey", key))
+
+	logger.Debug(ctx, "acquiring lock")
+
+	lock, err := locker.Obtain(ctx, key, timeout, &redislock.Options{
+		RetryStrategy: backoff,
+	})
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	logger.Debug(ctx, "lock obtained")
+
+	defer func() {
+		if err := lock.Release(ctx); err != nil {
+			logger.Error(ctx, "could not release lock", logger.E(errors.WithStack(err)))
+		}
+
+		logger.Debug(ctx, "lock released")
+	}()
+
+	if err := fn(ctx); err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
+}
+
+func NewLocker(client redis.UniversalClient) *Locker {
+	return &Locker{
+		client: client,
+	}
+}
+
+var _ lock.Locker = &Locker{}
--- a/internal/proxy/init.go
+++ b/internal/proxy/init.go
@ -5,22 +5,25 @@ import (

 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
 )

 func (s *Server) initRepositories(ctx context.Context) error {
-	if err := s.initProxyRepository(ctx); err != nil {
+	client := setup.NewRedisClient(ctx, s.redisConfig)
+
+	if err := s.initProxyRepository(ctx, client); err != nil {
 		return errors.WithStack(err)
 	}

-	if err := s.initLayerRepository(ctx); err != nil {
+	if err := s.initLayerRepository(ctx, client); err != nil {
 		return errors.WithStack(err)
 	}

 	return nil
 }

-func (s *Server) initProxyRepository(ctx context.Context) error {
-	proxyRepository, err := setup.NewProxyRepository(ctx, s.redisConfig)
+func (s *Server) initProxyRepository(ctx context.Context, client redis.UniversalClient) error {
+	proxyRepository, err := setup.NewProxyRepository(ctx, client)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@ -30,8 +33,8 @@ func (s *Server) initProxyRepository(ctx context.Context) error {
 	return nil
 }

-func (s *Server) initLayerRepository(ctx context.Context) error {
-	layerRepository, err := setup.NewLayerRepository(ctx, s.redisConfig)
+func (s *Server) initLayerRepository(ctx context.Context, client redis.UniversalClient) error {
+	layerRepository, err := setup.NewLayerRepository(ctx, client)
 	if err != nil {
 		return errors.WithStack(err)
 	}
--- a/internal/setup/integrations.go
+++ b/internal/setup/integrations.go
@ -0,0 +1,46 @@
+package setup
+
+import (
+	"context"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/integration"
+	"forge.cadoles.com/cadoles/bouncer/internal/integration/kubernetes"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock/redis"
+	"github.com/pkg/errors"
+)
+
+func SetupIntegrations(ctx context.Context, conf *config.Config) ([]integration.Integration, error) {
+	integrations := make([]integration.Integration, 0)
+
+	if conf.Integrations.Kubernetes.Enabled {
+		kubernetes, err := setupKubernetesIntegration(ctx, conf)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not setup kubernetes integration")
+		}
+
+		integrations = append(integrations, kubernetes)
+	}
+
+	return integrations, nil
+}
+
+func setupKubernetesIntegration(ctx context.Context, conf *config.Config) (*kubernetes.Integration, error) {
+	client := newRedisClient(conf.Redis)
+	locker := redis.NewLocker(client)
+
+	integration := kubernetes.NewIntegration(
+		kubernetes.WithReaderTokenSecret(string(conf.Integrations.Kubernetes.ReaderTokenSecret)),
+		kubernetes.WithReaderTokenSecretNamespace(string(conf.Integrations.Kubernetes.ReaderTokenSecretNamespace)),
+		kubernetes.WithWriterTokenSecret(string(conf.Integrations.Kubernetes.WriterTokenSecret)),
+		kubernetes.WithWriterTokenSecretNamespace(string(conf.Integrations.Kubernetes.WriterTokenSecretNamespace)),
+		kubernetes.WithPrivateKeySecret(string(conf.Integrations.Kubernetes.PrivateKeySecret)),
+		kubernetes.WithPrivateKeySecretNamespace(string(conf.Integrations.Kubernetes.PrivateKeySecretNamespace)),
+		kubernetes.WithIssuer(string(conf.Admin.Auth.Issuer)),
+		kubernetes.WithLocker(locker),
+		kubernetes.WithLockTimeout(time.Duration(conf.Integrations.Kubernetes.LockTimeout)),
+	)
+
+	return integration, nil
+}
--- a/internal/setup/lock.go
+++ b/internal/setup/lock.go
@ -0,0 +1,15 @@
+package setup
+
+import (
+	"context"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock/redis"
+)
+
+func SetupLocker(ctx context.Context, conf *config.Config) (lock.Locker, error) {
+	client := newRedisClient(conf.Redis)
+	locker := redis.NewLocker(client)
+	return locker, nil
+}
--- a/internal/setup/proxy_repository.go
+++ b/internal/setup/proxy_repository.go
@ -9,20 +9,17 @@ import (
 	"github.com/redis/go-redis/v9"
 )

-func NewProxyRepository(ctx context.Context, conf config.RedisConfig) (store.ProxyRepository, error) {
-	rdb := redis.NewUniversalClient(&redis.UniversalOptions{
+func NewRedisClient(ctx context.Context, conf config.RedisConfig) redis.UniversalClient {
+	return redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs:      conf.Adresses,
 		MasterName: string(conf.Master),
 	})
-
-	return redisStore.NewProxyRepository(rdb), nil
 }

-func NewLayerRepository(ctx context.Context, conf config.RedisConfig) (store.LayerRepository, error) {
-	rdb := redis.NewUniversalClient(&redis.UniversalOptions{
-		Addrs:      conf.Adresses,
-		MasterName: string(conf.Master),
-	})
-
-	return redisStore.NewLayerRepository(rdb), nil
+func NewProxyRepository(ctx context.Context, client redis.UniversalClient) (store.ProxyRepository, error) {
+	return redisStore.NewProxyRepository(client), nil
+}
+
+func NewLayerRepository(ctx context.Context, client redis.UniversalClient) (store.LayerRepository, error) {
+	return redisStore.NewLayerRepository(client), nil
 }
--- a/internal/setup/queue_layer.go
+++ b/internal/setup/queue_layer.go
@ -8,7 +8,6 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/queue"
 	queueRedis "forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/queue/redis"
 	"github.com/pkg/errors"
-	"github.com/redis/go-redis/v9"
 )

 func init() {
@ -36,10 +35,6 @@ func setupQueueLayer(conf *config.Config) (director.Layer, error) {
 }

 func newQueueAdapter(redisConf config.RedisConfig) (queue.Adapter, error) {
-	rdb := redis.NewUniversalClient(&redis.UniversalOptions{
-		Addrs:      redisConf.Adresses,
-		MasterName: string(redisConf.Master),
-	})
-
+	rdb := newRedisClient(redisConf)
 	return queueRedis.NewAdapter(rdb, 2), nil
 }
--- a/internal/setup/redis.go
+++ b/internal/setup/redis.go
@ -0,0 +1,20 @@
+package setup
+
+import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/config"
+	"github.com/redis/go-redis/v9"
+)
+
+func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
+	return redis.NewUniversalClient(&redis.UniversalOptions{
+		Addrs:                 conf.Adresses,
+		MasterName:            string(conf.Master),
+		ReadTimeout:           time.Duration(conf.ReadTimeout),
+		WriteTimeout:          time.Duration(conf.WriteTimeout),
+		DialTimeout:           time.Duration(conf.DialTimeout),
+		RouteByLatency:        true,
+		ContextTimeoutEnabled: true,
+	})
+}
--- a/misc/images/bouncer/Dockerfile
+++ b/misc/images/bouncer/Dockerfile
@ -0,0 +1,49 @@
+FROM golang:1.20 AS BUILD
+
+RUN apt-get update \
+    && apt-get install -y make
+
+ARG YQ_VERSION=4.34.1
+
+RUN mkdir -p /usr/local/bin \
+    && wget -O /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64 \
+    && chmod +x /usr/local/bin/yq
+
+COPY . /src
+
+WORKDIR /src
+
+RUN make GORELEASER_ARGS='build --rm-dist --single-target --snapshot' goreleaser
+
+# Patch config
+RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.layers.queue.templateDir = "/usr/share/bouncer/layers/queue/templates"' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.admin.auth.privateKey = "/etc/bouncer/admin-key.json"' /src/dist/bouncer_linux_amd64_v1/config.yml \
+    && yq -i '.redis.adresses = ["redis:6379"]' /src/dist/bouncer_linux_amd64_v1/config.yml
+
+FROM alpine:3.18 AS RUNTIME
+
+ARG DUMB_INIT_VERSION=1.2.5
+
+RUN apk add --no-cache ca-certificates
+
+RUN mkdir -p /usr/local/bin \
+    && wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v${DUMB_INIT_VERSION}/dumb-init_${DUMB_INIT_VERSION}_x86_64 \
+    && chmod +x /usr/local/bin/dumb-init
+
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"]
+
+RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer
+
+COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
+COPY --from=BUILD /src/layers /usr/share/bouncer/layers
+COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
+
+RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
+
+EXPOSE 8080
+EXPOSE 8081
+
+ENV BOUNCER_CONFIG=/etc/bouncer/config.yml
+
+CMD ["bouncer"]
--- a/misc/jenkins/Dockerfile
+++ b/misc/jenkins/Dockerfile
@ -23,7 +23,7 @@ RUN install -m 0755 -d /etc/apt/keyrings \
    && apt-get update \
    && apt-get install -y docker-ce-cli

-ARG GO_VERSION=1.20.4
+ARG GO_VERSION=1.22.0

 # Install Go
 RUN mkdir -p /tmp \
--- a/misc/k6/README.md
+++ b/misc/k6/README.md
@ -0,0 +1,9 @@
+# K6 - Load Test
+
+Very basic load testing script for [k6](https://k6.io/).
+
+## How to run
+
+```shell
+k6 run cadoles-loadtest.js
+```
--- a/misc/k6/cadoles-loadtest.js
+++ b/misc/k6/cadoles-loadtest.js
@ -0,0 +1,29 @@
+import { check } from 'k6';
+import { browser } from 'k6/experimental/browser';
+
+export const options = {
+  scenarios: {
+    browser: {
+      vus: 10,
+      iterations: 100,
+      executor: 'shared-iterations',
+      options: {
+        browser: {
+          type: 'chromium',
+        },
+      },
+    },
+  }
+};
+
+export default async function () {
+  const page = browser.newPage();
+  try {
+    await page.goto('https://www.cadoles.com');
+    check(page, {
+      'Homepage loaded': p => p.locator('h1').textContent().trim() == 'La liberté est un choix',
+    });
+  } finally {
+    page.close();
+  }
+}
--- a/misc/k8s/README.md
+++ b/misc/k8s/README.md
@ -0,0 +1,84 @@
+# Kubernetes
+
+## Initialize your project
+
+1. Generate the Docker configuration to enable image builds with Kaniko and communicate with reg.cadoles.com
+
+   ```shell
+   docker login reg.cadoles.com
+   mkdir -p misc/k8s/kustomization/base/secrets/dockerconfig
+   docker --config misc/k8s/kustomization/base/secrets/dockerconfig login reg.cadoles.com
+   mv misc/k8s/kustomization/base/secrets/dockerconfig/config.json misc/k8s/kustomization/base/secrets/dockerconfig/.dockerconfigjson
+   mkdir -p misc/k8s/kustomization/overlays/dev/secrets/dockerconfig
+   cp misc/k8s/kustomization/base/secrets/dockerconfig/.dockerconfigjson misc/k8s/kustomization/overlays/dev/secrets/dockerconfig/.dockerconfigjson
+   ```
+
+## Getting started with Kind
+
+1. Create your [Kind](https://kind.sigs.k8s.io/) cluster
+
+   ```shell
+   kind create cluster --config misc/k8s/kind/bouncer-cluster.yaml
+   ```
+
+2. Deploy required operators
+
+   ```shell
+   kubectl apply -k misc/k8s/kind/cluster --server-side
+   ```
+
+3. Deploy your Bouncer development environment
+
+   ```shell
+   skaffold dev -p dev --cleanup=false --default-repo reg.cadoles.com/<YOUR_PERSONNAL_USER_NAME>
+   ```
+
+## Testing
+
+Bouncer will automatically create proxies based on the files present in the `misc/k8s/kustomization/overlays/dev/files/bouncer/bootstrap.d` folder.
+
+By default, with you host web browser, open http://localhost:9000, you should see the Cadoles website.
+
+### Using the admin API
+
+#### From inside the cluster
+
+1. Open shell in bouncer-admin pod
+
+   ```shell
+   kubectl exec -it -n bouncer-dev bouncer-admin-<suffix> -- /bin/sh
+   ```
+
+2. Create an authentication token
+
+   ```shell
+   bouncer --config /etc/bouncer/config.yml auth create-token --role writer --subject $(whoami) > .bouncer-token
+   ```
+
+3. Create a proxy and enable it
+
+   ```shell
+   bouncer admin proxy query
+   ```
+
+#### From outside the cluster
+
+1. Retrieve the authentication token from the generated secret
+
+   ```shell
+   TOKEN=$(kubectl get secret -n bouncer-dev -o jsonpath="{.data.token}" bouncer-admin-writer-token | base64 -d)
+   ```
+
+2. Use the `bouncer` admin client to query the admin API
+
+   ```shell
+   ./bouncer admin proxy query -t "${TOKEN}" --server http://127.0.0.1:9999
+   ```
+
+## Benchmarking
+
+You can use [`siege`](https://github.com/JoeDog/siege) to benchmark your instance with the Cadoles proxy.
+
+```shell
+BASE_URL=http://localhost:9000 make siege
+```
--- a/misc/k8s/kind/bouncer-cluster.yaml
+++ b/misc/k8s/kind/bouncer-cluster.yaml
@ -0,0 +1,3 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: bouncer-dev
--- a/misc/k8s/kind/cluster/kustomization.yaml
+++ b/misc/k8s/kind/cluster/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop
--- a/misc/k8s/kustomization/base/kustomization.yaml
+++ b/misc/k8s/kustomization/base/kustomization.yaml
@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: bouncer
+
+resources:
+- ./resources/namespace.yaml
+- ./resources/bouncer-server
+- ./resources/bouncer-admin
+- ./resources/redis
+
--- a/misc/k8s/kustomization/base/resources/bouncer-admin/files/config.yml
+++ b/misc/k8s/kustomization/base/resources/bouncer-admin/files/config.yml
@ -0,0 +1,47 @@
+admin:
+  http:
+    host: 127.0.0.1
+    port: 8081
+  cors:
+    allowedOrigins:
+      - http://localhost:3001
+    allowCredentials: true
+    allowMethods:
+      - POST
+      - GET
+      - PUT
+      - DELETE
+    allowedHeaders:
+      - Origin
+      - Accept
+      - Content-Type
+      - Authorization
+      - Sentry-Trace
+    debug: false
+  auth:
+    issuer: http://127.0.0.1:8081
+    privateKey: /var/lib/bouncer/admin-key.json
+  metrics:
+    enabled: true
+    endpoint: /.bouncer/metrics
+    basicAuth: null
+
+redis:
+  addresses:
+    - rfs-bouncer-redis:${RFS_BOUNCER_REDIS_SERVICE_PORT}
+  master: mymaster
+
+logger:
+  level: ${BOUNCER_LOG_LEVEL}
+  format: human
+
+bootstrap:
+  dir: /etc/bouncer/bootstrap.d
+  lockTimeout: 30s
+
+integrations:
+  kubernetes:
+    enabled: true
+    writerTokenSecret: ${BOUNCER_WRITER_TOKEN_SECRET}
+    readerTokenSecret: ${BOUNCER_READER_TOKEN_SECRET}
+    privateKeySecret: ${BOUNCER_PRIVATE_KEY_SECRET}
--- a/misc/k8s/kustomization/base/resources/bouncer-admin/kustomization.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-admin/kustomization.yaml
@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/service.yaml
+  - ./resources/deployment.yaml
+  - ./resources/serviceaccount.yaml
+
+configMapGenerator:
+  - name: bouncer-admin-config
+    files:
+      - ./files/config.yml
+  - name: bouncer-admin-bootstrap
+  - name: bouncer-admin-env
+    literals:
+      - BOUNCER_LOG_LEVEL=2
+      - BOUNCER_WRITER_TOKEN_SECRET=bouncer-admin-writer-token
+      - BOUNCER_READER_TOKEN_SECRET=bouncer-admin-reader-token
+      - BOUNCER_PRIVATE_KEY_SECRET=bouncer-admin-private-key
--- a/misc/k8s/kustomization/base/resources/bouncer-admin/resources/deployment.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-admin/resources/deployment.yaml
@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bouncer-admin
+  labels:
+    app: bouncer-admin
+    app.kubernetes.io/name: bouncer-admin
+    app.kubernetes.io/part-of: bouncer
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bouncer-admin
+  template:
+    metadata:
+      labels:
+        app: bouncer-admin
+        app.kubernetes.io/name: bouncer-admin
+        app.kubernetes.io/part-of: bouncer
+    spec:
+      restartPolicy: Always
+      serviceAccountName: bouncer-admin
+      containers:
+        - name: bouncer-admin
+          image: bouncer
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          command:
+            [
+              "bouncer",
+              "--debug",
+              "-c",
+              "/etc/bouncer/config.yml",
+              "server",
+              "admin",
+              "run",
+            ]
+          imagePullPolicy: Always
+          resources: {}
+          ports:
+            - name: bouncer-admin
+              containerPort: 8081
+          envFrom:
+            - configMapRef:
+                name: bouncer-admin-env
+          volumeMounts:
+            - mountPath: /etc/bouncer/
+              name: bouncer-admin-config
+            - mountPath: /etc/bouncer/bootstrap.d
+              name: bouncer-admin-bootstrap
+            - mountPath: /var/lib/bouncer
+              name: bouncer-admin-var
+      volumes:
+        - name: bouncer-admin-config
+          configMap:
+            name: bouncer-admin-config
+        - name: bouncer-admin-bootstrap
+          configMap:
+            name: bouncer-admin-bootstrap
+        - name: bouncer-admin-var
+          emptyDir:
+            sizeLimit: 10Mi
+            medium: Memory
--- a/misc/k8s/kustomization/base/resources/bouncer-admin/resources/service.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-admin/resources/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: bouncer-admin
+    app.kubernetes.io/part-of: bouncer
+  name: bouncer-admin
+spec:
+  type: ClusterIP
+  ports:
+    - name: bouncer-admin
+      port: 8081
+      targetPort: bouncer-admin
+  selector:
+    app.kubernetes.io/name: bouncer-admin
--- a/misc/k8s/kustomization/base/resources/bouncer-admin/resources/serviceaccount.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-admin/resources/serviceaccount.yaml
@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bouncer-admin
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bouncer-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: bouncer-admin
+subjects:
+  - kind: ServiceAccount
+    name: bouncer-admin
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: bouncer-admin
+rules:
+  - apiGroups:
+      - ""
+      - v1
+    resources:
+      - secrets
+    verbs:
+      - create
+      - get
+      - update
--- a/misc/k8s/kustomization/base/resources/bouncer-server/files/config.yml
+++ b/misc/k8s/kustomization/base/resources/bouncer-server/files/config.yml
@ -0,0 +1,22 @@
+proxy:
+  http:
+    host: 0.0.0.0
+    port: 8080
+  metrics:
+    enabled: true
+    endpoint: /.bouncer/metrics
+    basicAuth: null
+
+layers:
+  queue:
+    templateDir: /usr/share/bouncer/layers/queue/templates
+    defaultKeepAlive: 1m0s
+
+redis:
+  addresses:
+    - rfs-bouncer-redis:${RFS_BOUNCER_REDIS_SERVICE_PORT}
+  master: mymaster
+
+logger:
+  level: ${BOUNCER_LOG_LEVEL}
+  format: human
--- a/misc/k8s/kustomization/base/resources/bouncer-server/kustomization.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-server/kustomization.yaml
@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/service.yaml
+  - ./resources/deployment.yaml
+
+configMapGenerator:
+  - name: bouncer-server-config
+    files:
+      - ./files/config.yml
+  - name: bouncer-server-env
+    literals:
+      - BOUNCER_LOG_LEVEL=2
--- a/misc/k8s/kustomization/base/resources/bouncer-server/resources/deployment.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-server/resources/deployment.yaml
@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bouncer-server
+  labels:
+    app: bouncer-server
+    app.kubernetes.io/name: bouncer-server
+    app.kubernetes.io/part-of: bouncer
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: bouncer-server
+  template:
+    metadata:
+      labels:
+        app: bouncer-server
+        app.kubernetes.io/name: bouncer-server
+        app.kubernetes.io/part-of: bouncer
+    spec:
+      containers:
+        - name: bouncer-server
+          image: bouncer
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          command:
+            [
+              "bouncer",
+              "-c",
+              "/etc/bouncer/config.yml",
+              "server",
+              "proxy",
+              "run",
+            ]
+          imagePullPolicy: Always
+          envFrom:
+            - configMapRef:
+                name: bouncer-server-env
+          resources: {}
+          ports:
+            - name: bouncer-server
+              containerPort: 8080
+          volumeMounts:
+            - mountPath: /etc/bouncer/
+              name: bouncer-server-config
+      volumes:
+        - name: bouncer-server-config
+          configMap:
+            name: bouncer-server-config
--- a/misc/k8s/kustomization/base/resources/bouncer-server/resources/service.yaml
+++ b/misc/k8s/kustomization/base/resources/bouncer-server/resources/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: bouncer-server
+    app.kubernetes.io/part-of: bouncer
+  name: bouncer-server
+spec:
+  type: ClusterIP
+  ports:
+    - name: bouncer-server
+      port: 8080
+      targetPort: bouncer-server
+  selector:
+    app.kubernetes.io/name: bouncer-server
--- a/misc/k8s/kustomization/base/resources/namespace.yaml
+++ b/misc/k8s/kustomization/base/resources/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bouncer
--- a/misc/k8s/kustomization/base/resources/redis/kustomization.yaml
+++ b/misc/k8s/kustomization/base/resources/redis/kustomization.yaml
@ -0,0 +1,15 @@
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./resources/redis-cluster.yaml
+
+vars:
+- name: REDIS_SERVICE_NAME
+  objref:
+    name: bouncer-redis
+    apiVersion: databases.spotahome.com/v1
+    kind: RedisFailover
+  fieldref:
+    fieldpath: metadata.name
--- a/misc/k8s/kustomization/base/resources/redis/resources/redis-cluster.yaml
+++ b/misc/k8s/kustomization/base/resources/redis/resources/redis-cluster.yaml
@ -0,0 +1,21 @@
+apiVersion: databases.spotahome.com/v1
+kind: RedisFailover
+metadata:
+  name: bouncer-redis
+spec:
+  sentinel:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 100m
+      limits:
+        memory: 100Mi
+  redis:
+    replicas: 3
+    resources:
+      requests:
+        cpu: 100m
+        memory: 100Mi
+      limits:
+        cpu: 400m
+        memory: 500Mi
--- a/misc/k8s/kustomization/overlays/dev/files/bouncer/bootstrap.d/cadoles.yml
+++ b/misc/k8s/kustomization/overlays/dev/files/bouncer/bootstrap.d/cadoles.yml
@ -0,0 +1,11 @@
+from: ["*"]
+to: https://www.cadoles.com
+enabled: true
+weight: 0
+layers:
+  my-queue:
+    type: queue
+    enabled: true
+    weight: 0
+    options:
+      capacity: 10
--- a/misc/k8s/kustomization/overlays/dev/kustomization.yaml
+++ b/misc/k8s/kustomization/overlays/dev/kustomization.yaml
@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: bouncer-dev
+
+resources:
+  - ../../base
+
+secretGenerator:
+  - files:
+      - secrets/dockerconfig/.dockerconfigjson
+    name: regcred-dev
+    type: kubernetes.io/dockerconfigjson
+
+patches:
+  - path: patches/add-registry-pull-secret.patch.yaml
+    target:
+      kind: Deployment
+      version: v1
+
+configMapGenerator:
+  - name: bouncer-admin-bootstrap
+    behavior: merge
+    files:
+      - ./files/bouncer/bootstrap.d/cadoles.yml
+  - name: bouncer-admin-env
+    behavior: merge
+    literals:
+      - BOUNCER_LOG_LEVEL=0
+  - name: bouncer-server-env
+    behavior: merge
+    literals:
+      - BOUNCER_LOG_LEVEL=0
--- a/misc/k8s/kustomization/overlays/dev/patches/add-registry-pull-secret.patch.yaml
+++ b/misc/k8s/kustomization/overlays/dev/patches/add-registry-pull-secret.patch.yaml
@ -0,0 +1,4 @@
+- op: add
+  path: "/spec/template/spec/imagePullSecrets"
+  value:
+  - name: regcred-dev
--- a/misc/packaging/common/config.yml
+++ b/misc/packaging/common/config.yml
@ -1,176 +1,212 @@
 # Configuration du service "admin"
 admin:
-    http:
-        # Hôte d'écoute du service, 
-        # 0.0.0.0 pour écouter sur toutes les interfaces
-        host: 127.0.0.1
-        # Port d'écoute du service
-        port: 8081
-        # Utiliser les entêtes HTTP True-Client-IP, X-Real-IP ou X-Forwarded-For
-        # pour le calcul de l'adresse distante à l'origine des requêtes
-        useRealIP: true
+  http:
+    # Hôte d'écoute du service,
+    # 0.0.0.0 pour écouter sur toutes les interfaces
+    host: 127.0.0.1
+    # Port d'écoute du service
+    port: 8081
+    # Utiliser les entêtes HTTP True-Client-IP, X-Real-IP ou X-Forwarded-For
+    # pour le calcul de l'adresse distante à l'origine des requêtes
+    useRealIP: true

-    # Configuration CORS du service
-    # Uniquement nécessaire si un frontend web
-    # est branché sur l'API d'administration.
-    cors:
-        allowedOrigins:
-            - http://localhost:8081
-        allowCredentials: true
-        allowMethods:
-            - POST
-            - GET
-            - PUT
-            - DELETE
-        allowedHeaders:
-            - Origin
-            - Accept
-            - Content-Type
-            - Authorization
-            - Sentry-Trace
-        debug: false
-    
-    # Authentification JWT
-    auth:
-        # Origine du jeton JWT
-        issuer: http://127.0.0.1:8081
-        # Clé privée permettant de signer les jetons
-        # JWT générés pour l'usage de l'API d'administration.
-        privateKey: /etc/bouncer/admin-key.json
+  # Configuration CORS du service
+  # Uniquement nécessaire si un frontend web
+  # est branché sur l'API d'administration.
+  cors:
+    allowedOrigins:
+      - http://localhost:8081
+    allowCredentials: true
+    allowMethods:
+      - POST
+      - GET
+      - PUT
+      - DELETE
+    allowedHeaders:
+      - Origin
+      - Accept
+      - Content-Type
+      - Authorization
+      - Sentry-Trace
+    debug: false

-    # Métriques Prometheus
-    metrics:
-        # Activer ou désactiver la publication des métriques
-        enabled: true
-        # Route de publication des métriques
-        endpoint: /.bouncer/metrics
-        # Authentification "basic auth" sur la page
-        # de publication
-        # Mettre à null pour désactiver l'authentification
-        basicAuth: null
-    
-    # Configuration de l'intégration Sentry
-    # Voir https://pkg.go.dev/github.com/getsentry/sentry-go?utm_source=godoc#ClientOptions
-    sentry:
-        dsn: ""
-        debug: false
-        flushTimeout: 2s
-        attachStacktrace: true
-        sampleRate: 1
-        enableTracing: true
-        tracesSampleRate: 0.2
-        profilesSampleRate: 1
-        ignoreErrors: []
-        sendDefaultPII: false
-        serverName: ""
-        environment: ""
-        maxBreadcrumbs: 0
-        maxSpans: 1000
-        maxErrorDepth: 10
+  # Authentification JWT
+  auth:
+    # Origine du jeton JWT
+    issuer: http://127.0.0.1:8081
+    # Clé privée permettant de signer les jetons
+    # JWT générés pour l'usage de l'API d'administration.
+    privateKey: /etc/bouncer/admin-key.json
+
+  # Métriques Prometheus
+  metrics:
+    # Activer ou désactiver la publication des métriques
+    enabled: true
+    # Route de publication des métriques
+    endpoint: /.bouncer/metrics
+    # Authentification "basic auth" sur la page
+    # de publication
+    # Mettre à null pour désactiver l'authentification
+    basicAuth: null
+
+  # Configuration de l'intégration Sentry
+  # Voir https://pkg.go.dev/github.com/getsentry/sentry-go?utm_source=godoc#ClientOptions
+  sentry:
+    dsn: ""
+    debug: false
+    flushTimeout: 2s
+    attachStacktrace: true
+    sampleRate: 1
+    enableTracing: true
+    tracesSampleRate: 0.2
+    profilesSampleRate: 1
+    ignoreErrors: []
+    sendDefaultPII: false
+    serverName: ""
+    environment: ""
+    maxBreadcrumbs: 0
+    maxSpans: 1000
+    maxErrorDepth: 10

 # Configuration du service "proxy"
 proxy:
-    http:
-        # Hôte d'écoute du service, 
-        # 0.0.0.0 pour écouter sur toutes les interfaces
-        host: 0.0.0.0
-        # Port d'écoute du service
-        port: 8080
-        # Utiliser les entêtes HTTP True-Client-IP, X-Real-IP ou X-Forwarded-For
-        # pour le calcul de l'adresse distante à l'origine des requêtes
-        useRealIP: true
-    
-    # Métriques Prometheus
-    metrics:
-        # Activer ou désactiver la publication des métriques
-        enabled: true
-        # Route de publication des métriques
-        endpoint: /.bouncer/metrics
-        # Authentification "basic auth" sur la page
-        # de publication
-        # Mettre à null pour désactiver l'authentification
-        basicAuth:
-            credentials:
-                prom: etheus
+  http:
+    # Hôte d'écoute du service,
+    # 0.0.0.0 pour écouter sur toutes les interfaces
+    host: 0.0.0.0
+    # Port d'écoute du service
+    port: 8080
+    # Utiliser les entêtes HTTP True-Client-IP, X-Real-IP ou X-Forwarded-For
+    # pour le calcul de l'adresse distante à l'origine des requêtes
+    useRealIP: true

-    # Configuration du transport HTTP(S)
-    # Voir https://pkg.go.dev/net/http#Transport
-    transport:
-        forceAttemptHTTP2: true
-        maxIdleConns: 100
-        maxIdleConnsPerHost: 100
-        maxConnsPerHost: 100
-        idleConnTimeout: 1m30s
-        tlsHandshakeTimeout: 10s
-        expectContinueTimeout: 1s
-        disableKeepAlives: false
-        disableCompression: false
-        responseHeaderTimeout: 10s
-        writeBufferSize: 4096
-        readBufferSize: 4096
-        maxResponseHeaderBytes: 0
+  # Métriques Prometheus
+  metrics:
+    # Activer ou désactiver la publication des métriques
+    enabled: true
+    # Route de publication des métriques
+    endpoint: /.bouncer/metrics
+    # Authentification "basic auth" sur la page
+    # de publication
+    # Mettre à null pour désactiver l'authentification
+    basicAuth:
+      credentials:
+        prom: etheus

-    # Configuration de l'intégration Sentry
-    # Voir https://pkg.go.dev/github.com/getsentry/sentry-go?utm_source=godoc#ClientOptions
-    sentry:
-        dsn: ""
-        debug: false
-        flushTimeout: 2s
-        attachStacktrace: true
-        sampleRate: 1
-        enableTracing: true
-        tracesSampleRate: 0.2
-        profilesSampleRate: 1
-        ignoreErrors: []
-        sendDefaultPII: false
-        serverName: ""
-        environment: ""
-        maxBreadcrumbs: 0
-        maxSpans: 1000
-        maxErrorDepth: 10
+  # Configuration du transport HTTP(S)
+  # Voir https://pkg.go.dev/net/http#Transport
+  transport:
+    forceAttemptHTTP2: true
+    maxIdleConns: 100
+    maxIdleConnsPerHost: 100
+    maxConnsPerHost: 100
+    idleConnTimeout: 1m30s
+    tlsHandshakeTimeout: 10s
+    expectContinueTimeout: 1s
+    disableKeepAlives: false
+    disableCompression: false
+    responseHeaderTimeout: 10s
+    writeBufferSize: 4096
+    readBufferSize: 4096
+    maxResponseHeaderBytes: 0

-    # Configuration des connexions TCP
-    # Voir https://pkg.go.dev/net#Dialer
-    dial:
-        timeout: 30s
-        keepAlive: 30s
-        fallbackDelay: 300ms
-        dualStack: true
+  # Configuration de l'intégration Sentry
+  # Voir https://pkg.go.dev/github.com/getsentry/sentry-go?utm_source=godoc#ClientOptions
+  sentry:
+    dsn: ""
+    debug: false
+    flushTimeout: 2s
+    attachStacktrace: true
+    sampleRate: 1
+    enableTracing: true
+    tracesSampleRate: 0.2
+    profilesSampleRate: 1
+    ignoreErrors: []
+    sendDefaultPII: false
+    serverName: ""
+    environment: ""
+    maxBreadcrumbs: 0
+    maxSpans: 1000
+    maxErrorDepth: 10
+
+  # Configuration des connexions TCP
+  # Voir https://pkg.go.dev/net#Dialer
+  dial:
+    timeout: 30s
+    keepAlive: 30s
+    fallbackDelay: 300ms
+    dualStack: true

 # Configuration du client Redis
 #
 # Les modes "standalone", "sentinel" et "cluster" de Redis sont supportés:
 # - Mode "standalone": renseigner une seule entrée dans redis.addresses;
-# - Mode "sentinel": renseigner une adresse dans redis.master et une ou plusieurs adresses dans redis.addresses;
+# - Mode "sentinel": renseigner le nom du master sentinel dans redis.master et une ou plusieurs adresses dans redis.addresses;
 # - Mode "cluster": renseigner plusieurs adresses dans redis.addresses et laisser redis.master vide.
 redis:
-    addresses:
-        - localhost:6379
-    master: ""
+  addresses:
+    - localhost:6379
+  master: ""
+  writeTimeout: 30s
+  readTimeout: 30s
+  dialTimeout: 30s

 # Configuration des logs
 logger:
-    # Niveau de verbosité
-    # 0 - DEBUG
-    # 1 - INFO
-    # 2 - WARNING
-    # 3 - ERROR
-    # 4 - FATAL
-    level: 1
-    # Format des logs, "human" ou "json"
-    format: human
+  # Niveau de verbosité
+  # 0 - DEBUG
+  # 1 - INFO
+  # 2 - WARNING
+  # 3 - ERROR
+  # 4 - FATAL
+  level: 2
+  # Format des logs, "human" ou "json"
+  format: human

 # Configuration des différents layers
 layers:
-    # Configuration du layer "queue"
-    queue:
-        # Répertoire contenant les templates
-        templateDir: "/etc/bouncer/layers/queue/templates"
-        # Temps de vie par défaut d'une session
-        defaultKeepAlive: 1m
-    
-    # Configuration du layer "circuitbreaker"
-    circuitbreaker:
-        # Répertoire contenant les templates
-        templateDir: "/etc/bouncer/layers/circuitbreaker/templates"
-    
+  # Configuration du layer "queue"
+  queue:
+    # Répertoire contenant les templates
+    templateDir: "/etc/bouncer/layers/queue/templates"
+    # Temps de vie par défaut d'une session
+    defaultKeepAlive: 1m
+
+  # Configuration du layer "circuitbreaker"
+  circuitbreaker:
+    # Répertoire contenant les templates
+    templateDir: "/etc/bouncer/layers/circuitbreaker/templates"
+
+# Configuration d'une série de proxy/layers
+# à créer par défaut par le serveur d'administration
+bootstrap:
+  # Répertoire contenant les définitions de proxy à créer
+  # par défaut. Les fichiers seront récupérés si ils
+  # correspondent au patron de nommage suivant:
+  #
+  # <bootstrap_dir>/<proxy_name>.yml
+  #
+  # Si l'attribut est vide ou absent le chargement des fichiers
+  # est désactivé.
+  dir: /etc/bouncer/bootstrap.d
+  # Délai d'expiration du verrou distribué utilisé lors du chargement
+  # des définitions de proxy par défaut.
+  lockTimeout: 30s
+  # Tableau associatif de définition de proxies à créer par
+  # défaut par le serveur d'administration.
+  # Si `proxies` et `dir` sont tous les deux définis, les fichiers
+  # présents dans le répertoire `dir` surchargeront les valeurs définies
+  # dans `proxies`.
+  # Par défault non défini
+  proxies:
+  #     my-proxy:
+  #         enabled: true
+  #         from: ["*"]
+  #         to: "https://example.net"
+  #         weight: 0
+  #         layers:
+  #             my-layer:
+  #                 type: queue
+  #                 enabled: false
+  #                 weight: 0
+  #                 options: {"capacity": 100}
--- a/misc/siege/urls.txt
+++ b/misc/siege/urls.txt
@ -1,6 +1,6 @@
-http://localhost:8080/blog/
-http://localhost:8080/services/
-http://localhost:8080/
-http://localhost:8080/recrutement/
-http://localhost:8080/faq/
-http://localhost:8080/societe/histoire/
+${BASE_URL}/blog/
+${BASE_URL}/services/
+${BASE_URL}
+${BASE_URL}/recrutement/
+${BASE_URL}/faq/
+${BASE_URL}/societe/histoire/
--- a/skaffold.yaml
+++ b/skaffold.yaml
@ -0,0 +1,53 @@
+apiVersion: skaffold/v3
+kind: Config
+
+metadata:
+  name: bouncer
+
+manifests:
+  kustomize:
+    paths:
+      - misc/k8s/kustomization/base
+
+profiles:
+  - name: dev
+    manifests:
+      kustomize:
+        paths:
+          - misc/k8s/kustomization/overlays/dev
+    activation:
+      - command: dev
+
+build:
+  local:
+    push: true
+
+  tagPolicy:
+    inputDigest: {}
+
+  artifacts:
+    - image: bouncer
+      context: .
+      sync:
+        infer:
+          - cmd/**
+          - internal/**
+          - layers/**
+          - misc/**
+      docker:
+        dockerfile: Dockerfile
+
+deploy:
+  statusCheckDeadlineSeconds: 600
+
+portForward:
+  - resourceType: service
+    resourceName: bouncer-admin
+    namespace: bouncer-dev
+    port: 8081
+    localPort: 9999
+  - resourceType: service
+    resourceName: bouncer-server
+    namespace: bouncer-dev
+    port: 8080
+    localPort: 9000 # *Optional*
Author	SHA1	Message	Date
William Petit	f548c8c8e7	feat: add host to access log fields All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-03-28 19:47:32 +01:00
wpetit	a82fe46fa3	Merge pull request 'Utilisation d'une clé privée partagée via un `Secret` sur Kubernetes' (#19 ) from kubernetes-private-key into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #19	2024-03-28 15:57:17 +01:00
William Petit	cc20bdd289	feat: remove printing of default token Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details Cadoles/bouncer/pipeline/head This commit looks good Details	2024-03-28 15:54:59 +01:00
William Petit	7de166765b	feat(k8s): use secret as shared source for admin private key All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-03-28 15:53:40 +01:00
William Petit	35717429a2	doc(k8s): add in/out cluster api querying procedure All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-03-28 09:10:16 +01:00
wpetit	16305469c5	Merge pull request 'Intégration basique avec Kubernetes' (#18 ) from kubernetes-integration into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #18	2024-03-27 17:57:07 +01:00
William Petit	7515be9583	chore: update go version in ci All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-03-27 17:51:01 +01:00
William Petit	e76a82668d	feat: kubernetes basic integration Some checks failed Cadoles/bouncer/pipeline/head There was a failure building this commit Details Cadoles/bouncer/pipeline/pr-develop There was a failure building this commit Details	2024-03-27 17:47:39 +01:00
William Petit	d8b78ad277	feat(docker): run as non-root user All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-03-27 09:19:08 +01:00
wpetit	61012b07cd	Merge pull request 'feat: bootstrap default proxy and layers from configuration' (#17 ) from proxy-bootstrap into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #17	2024-03-26 17:30:20 +01:00
William Petit	d12ebfc642	feat: proxy bootstrapping from configuration All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-03-26 17:28:38 +01:00
wpetit	441d3a623e	Merge pull request 'feat(k8s): adding kubernetes support' (#12 ) from feat/issue-10/add-k8s-kustomize into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #12	2024-03-26 14:49:24 +01:00
vfebvre	e1d9acb980	fix[README]: Added --role writer in token authentication creation Some checks are pending Cadoles/bouncer/pipeline/pr-develop Build started... Details	2024-03-26 14:04:07 +01:00
vfebvre	f8be2c08d6	fix[README]: add identifier generation step	2024-03-26 14:04:07 +01:00
William Petit	bc7422a50c	feat: add configurable redis timeouts	2024-03-26 14:04:07 +01:00
William Petit	9d32551ec5	feat: generalize siege task	2024-03-26 14:04:07 +01:00
William Petit	ded6d179c1	fix(k8s): redis configuration	2024-03-26 14:04:07 +01:00
Philippe Caseiro	6f4ee0ebd1	fix(skaffold): adding port-forward for testing	2024-03-26 14:04:07 +01:00
Philippe Caseiro	1375c9b317	fup	2024-03-26 14:04:05 +01:00
Philippe Caseiro	53a0d26a47	feat(pkg): adding archlinux package to gorelease	2024-03-26 13:49:58 +01:00
Philippe Caseiro	87354ef0d4	fix(doc): test command was incorrect	2024-03-26 13:49:58 +01:00
Philippe Caseiro	8560041598	fix(kustomization): adding correct labels to deployments	2024-03-26 13:49:58 +01:00
Philippe Caseiro	0611cc9f70	feat(k8s): adding kubernetes support Now we can use skaffold and deploy bouncer in a kubernetes cluster ref #10	2024-03-26 13:49:58 +01:00
William Petit	734ed64e8e	feat: add basic k6 load testing script All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-03-25 15:40:25 +01:00
William Petit	c8fc143efa	doc: add prometheus metrics documentation All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-02-21 12:29:03 +01:00
William Petit	f91c14e5d4	feat(admin): print default writer token to logs by default All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-02-21 11:09:34 +01:00
pcaseiro	1602626e8c	Merge pull request 'fix(depends): update go.mod library versions' (#15 ) from fix/go-lib-versions into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #15	2024-02-05 11:24:02 +01:00
Philippe Caseiro	e2e38841f4	fix(depends): update go.mod library versions All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-02-05 11:21:27 +01:00
vfebvre	c23d8e3adb	Merge pull request 'fix(config): supporting multiple env variables in a value.' (#11 ) from fix/issue-9/multiple-env-variables into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #11	2024-02-05 11:13:47 +01:00
Philippe Caseiro	a3f44cf123	fix(config): supporting multiple env variables in a value. ref #9	2024-02-05 11:13:47 +01:00
vfebvre	5453988419	Merge pull request 'fix(dockerfile): updating base images versions.' (#14 ) from fix/dockerfile into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #14	2024-02-05 11:08:50 +01:00
Philippe Caseiro	1e392f94a7	fix(dockerfile): updating base images versions. All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details Keep things up to date and security alerts away from trivi. Using apk package for dumb-init	2024-02-05 11:04:28 +01:00