Since there was a desire for some kind of authentication in front of wink,
here is a barebones config using oauth2-proxy. It is as yet untested, since
I didn't want to deploy things right now / fiddle with the keycloak settings.
See the comments in the documentation for what must still be done to make
this work.
I acknowledge that I said I wouldn't do this, but no one else seems to care.