├── .github ├── renovate.json5 └── workflows │ ├── lint-test.yaml │ └── release.yaml ├── .gitignore ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── artifacthub-repo.yml ├── ct.yaml └── helm └── oauth2-proxy ├── .helmignore ├── Chart.lock ├── Chart.yaml ├── README.md ├── ci ├── default-values.yaml ├── extra-args-as-dict-values.yaml ├── extra-args-as-list-values.yaml ├── extra-env-tpl-values.yaml ├── extra-init-container.yaml ├── horizontal-pod-autoscaling-values.yaml ├── ingress-extra-paths-values.yaml ├── pdb-values.yaml ├── pod-security-context-values.yaml ├── redis-sentinel-array-values.yaml ├── redis-sentinel-comma-values.yaml ├── redis-standalone-values.yaml ├── servicemonitor-values.yaml └── tpl-values.yaml ├── scripts └── check-redis.sh ├── templates ├── NOTES.txt ├── _capabilities.tpl ├── _helpers.tpl ├── _ingress.tpl ├── configmap-authenticated-emails-file.yaml ├── configmap-wait-for-redis.yaml ├── configmap.yaml ├── deployment.yaml ├── deprecation.yaml ├── extra-manifests.yaml ├── google-secret.yaml ├── hpa.yaml ├── ingress.yaml ├── poddisruptionbudget.yaml ├── redis-secret.yaml ├── secret-alpha.yaml ├── secret-authenticated-emails-file.yaml ├── secret-htpasswd-file.yaml ├── secret.yaml ├── service.yaml ├── serviceaccount.yaml └── servicemonitor.yaml └── values.yaml /.github/renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | extends: [ 3 | 'config:recommended', 4 | ':disableDependencyDashboard', 5 | ], 6 | automerge: false, 7 | assignees: [ 8 | 'pierluigilenoci', 9 | 'tuunit', 10 | ], 11 | schedule: [ 12 | 'before 5am', 13 | ], 14 | packageRules: [ 15 | { 16 | description: 'Group all patch updates per package', 17 | matchUpdateTypes: [ 18 | 'patch', 19 | ], 20 | groupName: 'all-patch-updates', 21 | bumpVersion: 'patch', 22 | }, 23 | { 24 | description: 'Group all minor updates per package', 25 | matchUpdateTypes: [ 26 | 'minor', 27 | ], 28 | groupName: 'all-minor-updates', 29 | bumpVersion: 'patch', 
30 | }, 31 | { 32 | description: 'Group all major updates per package', 33 | matchUpdateTypes: [ 34 | 'major', 35 | ], 36 | groupName: 'all-major-updates', 37 | bumpVersion: 'patch', 38 | }, 39 | ], 40 | platformAutomerge: true, 41 | lockFileMaintenance: { 42 | enabled: true, 43 | }, 44 | baseBranches: [ 45 | 'main', 46 | ], 47 | } 48 | -------------------------------------------------------------------------------- /.github/workflows/lint-test.yaml: -------------------------------------------------------------------------------- 1 | name: Lint and Test Charts 2 | 3 | on: pull_request 4 | 5 | jobs: 6 | lint-test: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - name: Checkout 10 | uses: actions/checkout@v4 11 | with: 12 | fetch-depth: 0 13 | 14 | # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and 15 | # yamllint (https://github.com/adrienverge/yamllint) which requires Python 16 | - name: Set up Python 17 | uses: actions/setup-python@v5 18 | with: 19 | python-version: '3.13' 20 | check-latest: true 21 | 22 | - name: Set up chart-testing 23 | uses: helm/chart-testing-action@v2 24 | 25 | - name: Run chart-testing (list-changed) 26 | id: list-changed 27 | run: | 28 | changed=$(ct list-changed --config ct.yaml) 29 | if [[ -n "$changed" ]]; then 30 | echo "::set-output name=changed::true" 31 | fi 32 | 33 | - name: Run chart-testing (lint) 34 | run: ct lint --config ct.yaml 35 | 36 | - name: Create kind cluster 37 | uses: helm/kind-action@v1 38 | if: steps.list-changed.outputs.changed == 'true' 39 | 40 | - name: Install Prometheus Operator CRDs 41 | id: prom 42 | run: kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.80.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml 43 | if: steps.list-changed.outputs.changed == 'true' 44 | 45 | - name: Run chart-testing (install) 46 | run: ct install --config ct.yaml 47 | if: steps.list-changed.outputs.changed == 
'true' 48 | -------------------------------------------------------------------------------- /.github/workflows/release.yaml: -------------------------------------------------------------------------------- 1 | name: Release Charts 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | 8 | jobs: 9 | release: 10 | permissions: 11 | contents: write 12 | packages: write 13 | runs-on: ubuntu-latest 14 | steps: 15 | - name: Checkout 16 | uses: actions/checkout@v4 17 | with: 18 | fetch-depth: 0 19 | 20 | - name: Configure Git 21 | run: | 22 | git config user.name "$GITHUB_ACTOR" 23 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 24 | 25 | - name: Add Helm repositories 26 | run: | 27 | helm repo add bitnami https://charts.bitnami.com/bitnami 28 | 29 | - name: Run chart-releaser 30 | uses: helm/chart-releaser-action@v1.7.0 31 | with: 32 | charts_dir: helm 33 | env: 34 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 35 | CR_GENERATE_RELEASE_NOTES: true 36 | 37 | # See https://github.com/helm/chart-releaser/issues/183 38 | - name: Login to GitHub Container Registry 39 | uses: docker/login-action@v3 40 | with: 41 | registry: ghcr.io 42 | username: ${{ github.actor }} 43 | password: ${{ secrets.GITHUB_TOKEN }} 44 | 45 | - name: Push Charts to GHCR 46 | run: | 47 | shopt -s nullglob 48 | for pkg in .cr-release-packages/*; do 49 | if [ -z "${pkg:-}" ]; then 50 | break 51 | fi 52 | helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts 53 | done 54 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # From https://raw.githubusercontent.com/helm/charts/master/.gitignore 2 | 3 | # General files for the project 4 | pkg/* 5 | *.pyc 6 | bin/* 7 | .project 8 | /.bin 9 | /_test/secrets/*.json 10 | 11 | # OSX leaves these everywhere on SMB shares 12 | ._* 13 | 14 | # OSX trash 15 | .DS_Store 16 | 17 | # Files generated by JetBrains IDEs, e.g. 
IntelliJ IDEA 18 | .idea/ 19 | *.iml 20 | 21 | # Vscode files 22 | .vscode 23 | 24 | # Emacs save files 25 | *~ 26 | \#*\# 27 | .\#* 28 | 29 | # Vim-related files 30 | [._]*.s[a-w][a-z] 31 | [._]s[a-w][a-z] 32 | *.un~ 33 | Session.vim 34 | .netrwhist 35 | 36 | # Chart dependencies 37 | **/charts/*.tgz 38 | 39 | .history 40 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | This repository is the official **community maintained** helm chart for oauth2-proxy and is not to be confused with the helm chart published by bitnami. We rely on you to test your changes sufficiently. 4 | 5 | ## Pull Requests 6 | 7 | All submissions, including submissions by project members, require review. We use GitHub pull requests for this purpose. 8 | 9 | ### Pull Request Title 10 | 11 | We do not enforce the title of your pull request to follow guidelines but we do appreciate [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). 12 | 13 | ## Documentation 14 | 15 | The documentation in the chart [README.md](charts/oauth2-proxy) and the `values.yaml` should always be kept up to date if you make changes to existing parameters or introduce new ones. 16 | 17 | ### Artifact Hub Annotation 18 | 19 | Since we release the chart on Artifact Hub we require you to update the `artifacthub.io/changes` annotation in the `Chart.yaml`. 20 | 21 | * [https://artifacthub.io/docs/topics/annotations/helm/](https://artifacthub.io/docs/topics/annotations/helm/) 22 | 23 | 24 | ## Versioning 25 | 26 | We follow the [semver standard](https://semver.org/) for the chart version and application version. 27 | 28 | Always consider your changes and try to avoid breaking changes where possible. 
29 | 30 | ### New Application Versions 31 | 32 | The application version is only to be updated if a new release of the oauth2-proxy application repo was published. 33 | 34 | ### Immutability 35 | 36 | Each release must be immutable. Any change to a chart (even just documentation) requires a version bump. Trying to release the same version twice will result in an error. 37 | 38 | 39 | ## Testing 40 | 41 | When making changes to the logic or resources of the chart please make sure you have tested those changes in two ways: 42 | 43 | * Existing helm release with the chart version before your changes: `helm upgrade` 44 | * Fresh helm release with your changes: `helm install` 45 | 46 | 47 | ### Testing Charts 48 | 49 | As part of the Continuous Integration system we run Helm's [Chart Testing](https://github.com/helm/chart-testing) tool. 50 | 51 | The checks for Chart Testing are stricter than the standard Helm requirements. 52 | 53 | The configuration can be found in [ct.yaml](ct.yaml). 54 | 55 | If you have `ct` installed you can manually invoke the linting with the following command: 56 | 57 | ```shell 58 | ct lint --config ct.yaml 59 | ``` 60 | 61 | If you want to run the tests locally we recommend using [kind](https://kind.sigs.k8s.io). 62 | 63 | Prerequisites: 64 | 65 | ```shell 66 | # Add monitoring CRD 67 | kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/release-0.78/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml 68 | ``` 69 | 70 | Run the tests: 71 | 72 | ```shell 73 | ct --config ct.yaml install 74 | ``` 75 | 76 | ## Publishing Changes 77 | 78 | Changes are automatically published whenever a commit is merged to the `main` branch by the CI job (see `./.github/workflows/release.yaml`). 
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 
40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright The Helm Authors. 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # manifests 2 | 3 | For hosting manifests to allow for the deployment of OAuth2-Proxy/OAuth2-Proxy 4 | 5 | ## Helm Chart 6 | 7 | [](https://artifacthub.io/packages/helm/oauth2-proxy/oauth2-proxy) 8 | 9 | __repository:__ https://oauth2-proxy.github.io/manifests 10 | __name:__ oauth2-proxy 11 | 12 | 13 | The helm chart in this repo is based on the community chart from the deprecated [helm/stable repo](https://github.com/helm/charts/tree/master/stable/oauth2-proxy) 14 | 15 | Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/chart-testing). To run it locally you need to place [two schema files](https://github.com/helm/chart-testing/blob/master/etc/lintconf.yaml) in `~/.ct` or `/etc/ct`. 
16 | 17 | ```bash 18 | ct lint --all --config ct.yaml 19 | ct install --all --config ct.yaml 20 | ``` 21 | -------------------------------------------------------------------------------- /artifacthub-repo.yml: -------------------------------------------------------------------------------- 1 | # Artifact Hub repository metadata file 2 | repositoryID: 84a61f0d-c836-4a44-91ab-9c60748748df 3 | owners: 4 | - name: pierluigilenoci 5 | email: pierluigi.lenoci@gmail.com 6 | - name: tuunit 7 | email: jan@larwig.com 8 | - name: JoelSpeed 9 | email: joel.speed@hotmail.co.uk 10 | 11 | -------------------------------------------------------------------------------- /ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing#configuration 2 | remote: origin 3 | chart-dirs: 4 | - helm 5 | target-branch: main 6 | # helm-extra-args: --timeout 600s 7 | chart-repos: 8 | - bitnami=https://charts.bitnami.com/bitnami 9 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | 23 | OWNERS 24 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: redis 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 21.1.7 5 | digest: sha256:9ea083569d8d723cb22d762beb856acdb0f32a71d7f2ef7111744a18f6c04abf 6 | generated: "2025-05-27T10:03:38.057840831Z" 7 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/Chart.yaml: -------------------------------------------------------------------------------- 1 | name: oauth2-proxy 2 | version: 7.12.17 3 | apiVersion: v2 4 | appVersion: 7.9.0 5 | home: https://oauth2-proxy.github.io/oauth2-proxy/ 6 | description: A reverse proxy that provides authentication with Google, Github or other providers 7 | keywords: 8 | - kubernetes 9 | - oauth 10 | - oauth2 11 | - authentication 12 | - google 13 | - github 14 | - redis 15 | dependencies: 16 | - name: redis 17 | version: 21.1.7 18 | repository: https://charts.bitnami.com/bitnami 19 | alias: redis 20 | condition: redis.enabled 21 | sources: 22 | - https://github.com/oauth2-proxy/oauth2-proxy 23 | - https://github.com/oauth2-proxy/manifests 24 | maintainers: 25 | - name: pierluigilenoci 26 | email: pierluigi.lenoci@gmail.com 27 | - name: tuunit 28 | email: jan@larwig.com 29 | - name: JoelSpeed 30 | email: joel.speed@hotmail.co.uk 31 | kubeVersion: ">=1.16.0-0" 32 | annotations: 33 | artifacthub.io/changes: | 34 | - kind: changed 35 | description: Updated the Redis chart to the latest version 36 | links: 37 | - name: Github PR 38 | url: https://github.com/oauth2-proxy/manifests/pull/313 39 | 
-------------------------------------------------------------------------------- /helm/oauth2-proxy/README.md: -------------------------------------------------------------------------------- 1 | # oauth2-proxy 2 | 3 | [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group. 4 | 5 | ## TL;DR; 6 | 7 | ```console 8 | $ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests 9 | $ helm install my-release oauth2-proxy/oauth2-proxy 10 | ``` 11 | 12 | ## Introduction 13 | 14 | This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. 15 | 16 | ## Installing the Chart 17 | 18 | To install the chart with the release name `my-release`: 19 | 20 | ```console 21 | $ helm install my-release oauth2-proxy/oauth2-proxy 22 | ``` 23 | 24 | The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. 25 | The [configuration](#configuration) section lists the parameters that can be configured during installation. 26 | 27 | ## Uninstalling the Chart 28 | 29 | To uninstall/delete the `my-release` deployment: 30 | 31 | ```console 32 | $ helm uninstall my-release 33 | ``` 34 | 35 | The command removes all the Kubernetes components associated with the chart and deletes the release. 36 | 37 | ## Upgrading an existing Release to a new major version 38 | 39 | A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions. 40 | 41 | ### To 1.0.0 42 | 43 | This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400). 
44 | 45 | ### To 2.0.0 46 | 47 | Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation. 48 | See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. 49 | 50 | Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0. 51 | 52 | ### To 3.0.0 53 | 54 | Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. 55 | This is a breaking change since the service account is enabled by default. 56 | To disable this behaviour, set `serviceAccount.enabled` to `false`. 57 | 58 | ### To 4.0.0 59 | 60 | Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. 61 | Therefore, the `ingress.extraPaths` parameter must be updated to the new format. 62 | See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. 63 | 64 | For the same reason `service.port` was renamed to `service.portNumber`. 65 | 66 | ### To 5.0.0 67 | 68 | Version 5.0.0 introduces support for custom labels and refactors the [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). 69 | This is a breaking change because many labels of all resources need to be updated to stay consistent. 70 | 71 | In order to upgrade, delete the Deployment before upgrading: 72 | 73 | ```bash 74 | kubectl delete deployment my-release-oauth2-proxy 75 | ``` 76 | 77 | This will introduce a short period of downtime. 
78 | 79 | For users who don't want downtime, you can perform these actions: 80 | 81 | - Perform a non-cascading removal of the deployment that keeps the pods running 82 | - Add new labels to pods 83 | - Perform `helm upgrade` 84 | 85 | ### To 6.0.0 86 | 87 | Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0. 88 | You probably need to adjust your Redis configuration. 89 | See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. 90 | 91 | ### To 7.0.0 92 | 93 | Version 7.0.0 introduces a new implementation to support multiple hostAliases. 94 | You probably need to adjust your hostAliases config. 95 | See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information. 96 | 97 | ## Configuration 98 | 99 | The following table lists the configurable parameters of the oauth2-proxy chart and their default values. 100 | 101 | | Parameter | Description | Default | 102 | | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | 103 | | `affinity` | node/pod affinities | None | 104 | | `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` | 105 | | `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` | 106 | | `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | 107 | | `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` | 108 | | 
`authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` | 109 | | `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | 110 | | `config.clientID` | oauth client ID | `""` | 111 | | `config.clientSecret` | oauth client secret | `""` | 112 | | `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` | 113 | | `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | 114 | | `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | 115 | | `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | 116 | | `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | 117 | | `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` | 118 | | `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | 119 | | `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` | 120 | | `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | 121 | | `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | 122 | | `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. 
| `{}` | 123 | | `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | 124 | | `alphaConfig.annotations` | Configmap annotations | `{}` | 125 | | `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | 126 | | `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | 127 | | `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | 128 | | `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | 129 | | `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | 130 | | `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | 131 | | `customLabels` | Custom labels to add into metadata | `{}` | 132 | | `config.google.adminEmail` | user impersonated by the Google service account | `""` | 133 | | `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | 134 | | `config.google.targetPrincipal` | service account to use/impersonate | `""` | 135 | | `config.google.serviceAccountJson` | Google service account JSON contents | `""` | 136 | | `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. 
See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` | 137 | | `config.google.groups` | restrict logins to members of these Google groups | `[]` | 138 | | `containerPort` | used to customize the port on the deployment | `""` | 139 | | `enableServiceLinks` | configure deployment enableServiceLinks | `true` | 140 | | `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` | 141 | | `extraContainers` | List of extra containers to be added to the pod | `[]` | 142 | | `extraInitContainers` | List of extra initContainers to be added to the pod | `[]` | 143 | | `extraEnv` | key:value list of extra environment variables to give the binary | `[]` | 144 | | `extraVolumes` | list of extra volumes | `[]` | 145 | | `extraVolumeMounts` | list of extra volumeMounts | `[]` | 146 | | `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. | | 147 | | `htpasswdFile.enabled` | enable htpasswd-file option | `false` | 148 | | `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` | 149 | | `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` | 150 | | `httpScheme` | `http` or `https`. Used as the port `name` on the deployment, as the `httpGet` port `name` and `scheme` of the liveness and readiness probes, and as the port `name` and `targetPort` of the service. 
| `http` | 151 | | `image.pullPolicy` | Image pull policy | `IfNotPresent` | 152 | | `image.command` | Define command to be executed by container at startup | `[]` | 153 | | `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` | 154 | | `image.tag` | Image tag | `""` (defaults to appVersion) | 155 | | `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | 156 | | `ingress.enabled` | Enable Ingress | `false` | 157 | | `ingress.className` | name referencing IngressClass | `nil` | 158 | | `ingress.path` | Ingress accepted path | `/` | 159 | | `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | 160 | | `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). | `[]` | 161 | | `ingress.labels` | Ingress extra labels | `{}` | 162 | | `ingress.annotations` | Ingress annotations | `nil` | 163 | | `ingress.hosts` | Ingress accepted hostnames | `nil` | 164 | | `ingress.tls` | Ingress TLS configuration | `nil` | 165 | | `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. 
If `serviceAccount.enabled` is true, additionally create a role/binding to get, list, and watch the Redis master pod | `true` | 166 | | `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | 167 | | `initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` | 168 | | `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor \| replace "+" "")` | 169 | | `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | 170 | | `initContainers.waitForRedis.timeout` | number of seconds | 180 | 171 | | `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | 172 | | `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | 173 | | `livenessProbe.initialDelaySeconds` | number of seconds | 0 | 174 | | `livenessProbe.timeoutSeconds` | number of seconds | 1 | 175 | | `namespaceOverride` | Override the deployment namespace | `""` | 176 | | `nodeSelector` | node labels for pod assignment | `{}` | 177 | | `deploymentAnnotations` | annotations to add to the deployment | `{}` | 178 | | `podAnnotations` | annotations to add to each pod | `{}` | 179 | | `podLabels` | additional labels to add to each pod | `{}` | 180 | | `podDisruptionBudget.enabled` | Enable creation of a PodDisruptionBudget (only if replicaCount > 1) | true | 181 | | `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | 182 | | `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | 183 | | `priorityClassName` | priorityClassName | `nil` | 184 | | `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | 185 | | `readinessProbe.initialDelaySeconds` | number of seconds | 0 | 186 | | `readinessProbe.timeoutSeconds` | number of seconds | 5 | 187 | | `readinessProbe.periodSeconds` | number of seconds | 10 | 188 | | `readinessProbe.successThreshold` | number of successes | 1 | 189 | | `replicaCount` | desired number of pods | `1` | 190 | | `resources` | pod resource requests & limits | `{}` | 191 | | `revisionHistoryLimit` | maximum number of revisions maintained | 10 | 192 | | `service.portNumber` | port number for the service | `80` | 193 | | `service.appProtocol` | application protocol on the port of the service | `http` | 194 | | `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` | 195 | | `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` | 196 | | `service.type` | type of service | `ClusterIP` | 197 | | `service.clusterIP` | cluster ip address | `nil` | 198 | | `service.loadBalancerIP` | ip of load balancer | `nil` | 199 | | `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | 200 | | `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | 201 | | `service.targetPort` | (optional) a numeric port number (e.g., 80) or a port name defined in the pod's container(s) (e.g., http) | `""` | 202 | | `serviceAccount.enabled` | create a service account | `true` | 203 | | `serviceAccount.name` | the service account name | `` | 204 | | `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | 205 | | `strategy` | configure deployment strategy | `{}` | 206 | | `tolerations` | list of node taints to tolerate | `[]` | 207 | | `securityContext.enabled` | enable Kubernetes security context on container | `true` | 208 
| | `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | 209 | | `sessionStorage.type` | Session storage type which can be one of the following: `cookie` or `redis` | `cookie` | 210 | | `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | 211 | | `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` | 212 | | `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | 213 | | `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` | 214 | | `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. | `""` | 215 | | `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | 216 | | `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` | 217 | | `sessionStorage.redis.sentinel.password` | Redis sentinel password. 
Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | 218 | | `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | 219 | | `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` | 220 | | `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | 221 | | `topologySpreadConstraints` | List of pod topology spread constraints | `[]` | 222 | | `redis.enabled` | Enable the Redis subchart deployment | `false` | 223 | | `checkDeprecation` | Enable deprecation checks | `true` | 224 | | `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | 225 | | `metrics.port` | Serve Prometheus metrics on this port | `44180` | 226 | | `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | 227 | | `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | 228 | | `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | 229 | | `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | 230 | | `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | 231 | | `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | 232 | | `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | 233 | | `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | 234 | | `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | 235 | | `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. 
| `{}` | 236 | | `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. | `""` | 237 | | `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | 238 | | `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` | 239 | | `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | 240 | | `extraObjects` | Extra K8s manifests to deploy | `[]` | 241 | 242 | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 243 | 244 | ```console 245 | $ helm install my-release oauth2-proxy/oauth2-proxy \ 246 | --set=image.tag=v0.0.2,resources.limits.cpu=200m 247 | ``` 248 | 249 | Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, 250 | 251 | ```console 252 | $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml 253 | ``` 254 | 255 | > **Tip**: You can use the default [values.yaml](values.yaml) 256 | 257 | ## TLS Configuration 258 | 259 | See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). 260 | Use `values.yaml` like: 261 | 262 | ```yaml 263 | ... 264 | extraArgs: 265 | tls-cert-file: /path/to/cert.pem 266 | tls-key-file: /path/to/cert.key 267 | 268 | extraVolumes: 269 | - name: ssl-cert 270 | secret: 271 | secretName: my-ssl-secret 272 | 273 | extraVolumeMounts: 274 | - mountPath: /path/to/ 275 | name: ssl-cert 276 | ... 277 | ``` 278 | 279 | With a secret called `my-ssl-secret`: 280 | 281 | ```yaml 282 | ... 283 | data: 284 | cert.pem: AB..== 285 | cert.key: CD..== 286 | ``` 287 | 288 | ## Extra environment variable templating 289 | The `extraEnv` value supports the `tpl` function, which evaluates strings as templates inside the deployment template. 
290 | This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values. 291 | 292 | ```yaml 293 | ... 294 | tplValue: "This is a test value for the tpl function" 295 | extraEnv: 296 | - name: TEST_ENV_VAR_1 297 | value: test_value_1 298 | - name: TEST_ENV_VAR_2 299 | value: '{{ .Values.tplValue }}' 300 | ``` 301 | 302 | ## Custom templates configuration 303 | You can replace the default template files using a Kubernetes `configMap` volume. The default templates are the two files [sign_in.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/sign_in.html) and [error.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/error.html). 304 | 305 | ```yaml 306 | config: 307 | configFile: | 308 | ... 309 | custom_templates_dir = "/data/custom-templates" 310 | 311 | extraVolumes: 312 | - name: custom-templates 313 | configMap: 314 | name: oauth2-proxy-custom-templates 315 | 316 | extraVolumeMounts: 317 | - name: custom-templates 318 | mountPath: "/data/custom-templates" 319 | readOnly: true 320 | 321 | extraObjects: 322 | - apiVersion: v1 323 | kind: ConfigMap 324 | metadata: 325 | name: oauth2-proxy-custom-templates 326 | data: 327 | sign_in.html: | 328 | 329 | 330 |
sign_in 331 | 332 | error.html: | 333 | 334 | 335 | 336 |{{`{{ .StatusCode }}`}}
338 | 339 | 340 | ``` 341 | 342 | ## Multi whitelist-domain configuration 343 | You must use the `config.configFile` section for a multi-whitelist-domain configuration for one Oauth2-proxy instance. 344 | 345 | This overwrites the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). 346 | In this example the Google provider is used; the configuration for all other providers is documented in [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). 347 | 348 | ``` 349 | config: 350 | ... 351 | clientID="$YOUR_GOOGLE_CLIENT_ID" 352 | clientSecret="$YOUR_GOOGLE_CLIENT_SECRET" 353 | cookieSecret="$YOUR_COOKIE_SECRET" 354 | configFile: | 355 | ... 356 | email_domains = [ "*" ] 357 | upstreams = [ "file:///dev/null" ] 358 | cookie_secure = "false" 359 | cookie_domains = [ ".domain.com", ".example.io" ] 360 | whitelist_domains = [ ".domain.com", ".example.io"] 361 | provider = "google" 362 | ``` 363 | 364 | ## Route requests to sidecar container 365 | You can route requests to a sidecar container first by setting the `service.targetPort` variable. The possible values for the `targetPort` field of a Kubernetes Service are either a port number or the name of a port defined in the pod. By default, the service's `targetPort` value equals the value of `httpScheme`. 366 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/default-values.yaml: -------------------------------------------------------------------------------- 1 | # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 
2 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/extra-args-as-dict-values.yaml: -------------------------------------------------------------------------------- 1 | extraArgs: 2 | pass-authorization-header: "true" 3 | request-logging: "true" 4 | allowed-role: client_id:client_role 5 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/extra-args-as-list-values.yaml: -------------------------------------------------------------------------------- 1 | extraArgs: 2 | - "--pass-authorization-header=true" 3 | - "--request-logging=true" 4 | - --allowed-role=client_id:client_role_A 5 | - --allowed-role=client_id_B:client_role_C 6 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/extra-env-tpl-values.yaml: -------------------------------------------------------------------------------- 1 | tplValue: "This is a test value for the template function" 2 | extraEnv: 3 | - name: TEST_ENV_VAR_1 4 | value: test_value_1 5 | - name: TEST_ENV_VAR_2 6 | value: '{{ .Values.tplValue }}' 7 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/extra-init-container.yaml: -------------------------------------------------------------------------------- 1 | extraInitContainers: 2 | - name: extra-init-container 3 | image: busybox 4 | command: 5 | - sh 6 | - -c 7 | - echo "Hello World!" 
8 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml: -------------------------------------------------------------------------------- 1 | # Enables Horizontal Pod Autoscaler and removes replica count in deployment 2 | autoscaling: 3 | enabled: true 4 | annotations: 5 | test-annotations/test: "true" 6 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/ingress-extra-paths-values.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | path: / 4 | pathType: ImplementationSpecific 5 | hosts: 6 | - chart-example.local 7 | extraPaths: 8 | - path: /* 9 | pathType: ImplementationSpecific 10 | backend: 11 | service: 12 | name: ssl-redirect 13 | port: 14 | name: use-annotation 15 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/pdb-values.yaml: -------------------------------------------------------------------------------- 1 | replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1 2 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/pod-security-context-values.yaml: -------------------------------------------------------------------------------- 1 | # Allocate a FSGroup that owns the pod’s volumes via podSecurityContext 2 | --- 3 | podSecurityContext: 4 | fsGroup: 2000 5 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/redis-sentinel-array-values.yaml: -------------------------------------------------------------------------------- 1 | sessionStorage: 2 | type: redis 3 | redis: 4 | clientType: sentinel 5 | sentinel: 6 | password: "foo" 7 | masterName: "mymaster" 8 | connectionUrls: 9 | - "redis://oauth2-proxy-redis:26379" 10 | - "redis://oauth2-proxy-redis:26379" 11 | 
redis: 12 | # provision an instance of the redis sub-chart 13 | enabled: true 14 | fullnameOverride: oauth2-proxy-redis 15 | architecture: replication 16 | sentinel: 17 | enabled: true 18 | masterSet: mymaster 19 | global: 20 | redis: 21 | password: "foo" 22 | initContainers: 23 | waitForRedis: 24 | enabled: true 25 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/redis-sentinel-comma-values.yaml: -------------------------------------------------------------------------------- 1 | sessionStorage: 2 | type: redis 3 | redis: 4 | clientType: sentinel 5 | sentinel: 6 | password: "foo" 7 | masterName: "mymaster" 8 | connectionUrls: "redis://oauth2-proxy-redis:26379,redis://oauth2-proxy-redis:26379" 9 | redis: 10 | # provision an instance of the redis sub-chart 11 | enabled: true 12 | fullnameOverride: oauth2-proxy-redis 13 | architecture: replication 14 | sentinel: 15 | enabled: true 16 | masterSet: mymaster 17 | global: 18 | redis: 19 | password: "foo" 20 | initContainers: 21 | waitForRedis: 22 | enabled: true 23 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/redis-standalone-values.yaml: -------------------------------------------------------------------------------- 1 | sessionStorage: 2 | type: redis 3 | redis: 4 | clientType: "standalone" 5 | password: "foo" 6 | redis: 7 | # provision an instance of the redis sub-chart 8 | enabled: true 9 | architecture: standalone 10 | global: 11 | redis: 12 | password: "foo" 13 | initContainers: 14 | waitForRedis: 15 | enabled: true 16 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/servicemonitor-values.yaml: -------------------------------------------------------------------------------- 1 | metrics: 2 | enabled: true 3 | serviceMonitor: 4 | enabled: true 5 | annotations: 6 | key: value 7 | metricRelabelings: 8 | - action: keep 9 | regex: 
'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' 10 | sourceLabels: [__name__] 11 | 12 | relabelings: 13 | - sourceLabels: [__meta_kubernetes_pod_node_name] 14 | separator: ; 15 | regex: ^(.*)$ 16 | targetLabel: nodename 17 | replacement: $1 18 | action: replace 19 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/ci/tpl-values.yaml: -------------------------------------------------------------------------------- 1 | extraEnv: 2 | - name: TEST_ENV_VAR_2 3 | value: '{{ $.Release.Name }}' 4 | ingress: 5 | enabled: true 6 | hosts: 7 | - "{{ $.Release.Name }}.local" 8 | tls: 9 | - hosts: 10 | - "{{ $.Release.Name }}.local" 11 | annotations: 12 | test-annotations/test: "{{ $.Release.Name }}" 13 | oauth2-proxy: 14 | checkDeprecation: false 15 | config: 16 | clientSecret: '{{ $.Release.Name }}' 17 | configFile: | 18 | oidc_issuer_url = "https://{{ $.Release.Name }}/dex" 19 | 20 | pass_authorization_header: "true" 21 | 22 | extraArgs: 23 | pass-authorization-header: "{{ $.Values.pass_authorization_header }}" 24 | 25 | extraVolumes: 26 | - name: "{{ $.Release.Name }}-secret" 27 | secret: 28 | secretName: "{{ .Release.Name }}-secret" 29 | items: 30 | - key: secret 31 | path: secret 32 | 33 | authenticatedEmailsFile: 34 | annotations: 35 | test-annotations/test: "{{ $.Release.Name }}" 36 | 37 | config: 38 | annotations: 39 | test-annotations/test: "{{ $.Release.Name }}" 40 | 41 | deploymentAnnotations: 42 | test-annotations/test: "{{ $.Release.Name }}" 43 | 44 | autoscaling: 45 | annotations: 46 | test-annotations/test: "{{ $.Release.Name }}" 47 | 48 | alphaConfig: 49 | annotations: 50 | test-annotations/test: "{{ $.Release.Name }}" 51 | 52 | service: 53 | annotations: 54 | test-annotations/test: "{{ $.Release.Name }}" 55 | 56 | serviceAccount: 57 | annotations: 58 | test-annotations/test: "{{ $.Release.Name }}" 59 | 60 | serviceMonitor: 61 | annotations: 62 | test-annotations/test: "{{ $.Release.Name }}" 63 | 
-------------------------------------------------------------------------------- /helm/oauth2-proxy/scripts/check-redis.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh
# Waits until the Redis endpoint(s) named by the OAUTH2_PROXY_REDIS_* environment
# variables accept a TCP connection, retrying every RETRY_INTERVAL seconds for at
# most TOTAL_RETRY_TIME seconds; presumably run from the wait-for-redis init
# container. TOTAL_RETRY_TIME and TIMEOUT are not set here and must come from the
# environment. Only a TCP connect is tested (nc -z): no AUTH and no TLS handshake
# is performed, even for rediss:// URLs.
2 | 3 | RETRY_INTERVAL=5 # Interval between retries in seconds 4 | elapsed=0 # Elapsed time 5 |
# check_redis HOST PORT: poll HOST:PORT with nc until it connects or the
# script-level `elapsed` counter reaches TOTAL_RETRY_TIME. Returns 0 when the port
# is reachable, 1 on timeout. `elapsed` is shared across calls, so with several
# addresses (cluster/sentinel mode) TOTAL_RETRY_TIME bounds the combined wait,
# not the wait per address.
6 | check_redis() { 7 | host=$1 8 | port=$2 9 | while [ $elapsed -lt $TOTAL_RETRY_TIME ]; do 10 | echo "Checking Redis at $host:$port... Elapsed time: ${elapsed}s"
# NOTE(review): "-w1" pins the nc timeout to 1 second, and $TIMEOUT (when set) is
# passed as an extra positional argument rather than as the timeout value;
# `-w "$TIMEOUT"` is presumably what was intended — confirm against the template
# that sets TIMEOUT.
11 | if nc -z -w1 $TIMEOUT $host $port > /dev/null 2>&1; then 12 | echo "Redis is up at $host:$port!" 13 | return 0 14 | else 15 | echo "Redis is down at $host:$port. Retrying in $RETRY_INTERVAL seconds." 16 | sleep $RETRY_INTERVAL 17 | elapsed=$((elapsed + RETRY_INTERVAL)) 18 | fi 19 | done 20 | echo "Failed to connect to Redis at $host:$port after $TOTAL_RETRY_TIME seconds." 21 | return 1 22 | } 23 | 24 | # For parsing and checking connections
# parse_and_check URL: strip the redis:// or rediss:// scheme, split the remainder
# on ':' into host and port, and delegate to check_redis. Userinfo or a path in
# the URL is not handled by the split below.
25 | parse_and_check() { 26 | url=$1 27 | 28 | # Strip either redis:// or rediss://
# NOTE(review): `[[ ... ]]` is not POSIX sh; under a shell such as dash the test
# fails ("[[: not found") and the else branch runs, so a rediss:// URL keeps its
# scheme and the host/port split below yields the wrong values. A portable form
# is `case $url in rediss://*) ... ;; *) ... ;; esac`.
29 | if [[ $url == rediss://* ]]; then 30 | clean_url=${url#rediss://} 31 | echo "Using secure Rediss connection..." 32 | else 33 | clean_url=${url#redis://} 34 | echo "Using standard Redis connection..." 35 | fi 36 | 37 | host=$(echo $clean_url | cut -d':' -f1) 38 | port=$(echo $clean_url | cut -d':' -f2) 39 | check_redis $host $port 40 | } 41 | 42 | # Main
# Pick the mode from whichever connection variable is set (cluster, sentinel,
# standalone, in that order) and check every comma-separated address.
43 | if [ -n "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" ]; then 44 | echo "Checking Redis in cluster mode..."
# NOTE(review): the while loop is a pipeline stage, so in shells that run pipeline
# stages in a subshell (dash, bash by default) the `exit 1` below only ends that
# subshell; the script then falls through to the final "Redis check completed."
# echo and exits 0, and an unreachable node does not fail the init container.
# Appending `|| exit 1` after the loop's `done` propagates the failure. The
# sentinel branch below has the same issue.
45 | echo "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do 46 | parse_and_check $addr || exit 1 47 | done 48 | elif [ -n "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" ]; then 49 | echo "Checking Redis in sentinel mode..." 50 | echo "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do 51 | parse_and_check $addr || exit 1 52 | done 53 | elif [ -n "$OAUTH2_PROXY_REDIS_CONNECTION_URL" ]; then 54 | echo "Checking standalone Redis..." 
55 | parse_and_check "$OAUTH2_PROXY_REDIS_CONNECTION_URL" || exit 1 56 | else 57 | echo "Redis configuration not specified." 58 | exit 1 59 | fi 60 | 61 | echo "Redis check completed." 62 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | To verify that oauth2-proxy has started, run: 2 | 3 | kubectl --namespace={{ template "oauth2-proxy.namespace" $ }} get pods -l "app={{ template "oauth2-proxy.name" . }}" 4 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/templates/_capabilities.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Returns the appropriate apiVersion for podDisruptionBudget object. 3 | */}} 4 | {{- define "capabilities.podDisruptionBudget.apiVersion" -}} 5 | {{- if semverCompare ">=1.21-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} 6 | {{- print "policy/v1" -}} 7 | {{- else -}} 8 | {{- print "policy/v1beta1" -}} 9 | {{- end -}} 10 | {{- end -}} 11 | 12 | {{/* 13 | Return the appropriate apiVersion for ingress object. 14 | */}} 15 | {{- define "capabilities.ingress.apiVersion" -}} 16 | {{- if semverCompare "<1.14-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} 17 | {{- print "extensions/v1beta1" -}} 18 | {{- else if semverCompare "<1.19-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} 19 | {{- print "networking.k8s.io/v1beta1" -}} 20 | {{- else -}} 21 | {{- print "networking.k8s.io/v1" -}} 22 | {{- end -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 
4 | */}} 5 | {{- define "oauth2-proxy.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "oauth2-proxy.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "oauth2-proxy.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Generate basic labels 36 | */}} 37 | {{- define "oauth2-proxy.labels" }} 38 | helm.sh/chart: {{ include "oauth2-proxy.chart" . }} 39 | app.kubernetes.io/managed-by: {{ .Release.Service }} 40 | app.kubernetes.io/component: authentication-proxy 41 | app.kubernetes.io/part-of: {{ template "oauth2-proxy.name" . }} 42 | {{- include "oauth2-proxy.selectorLabels" . }} 43 | {{- if .Chart.AppVersion }} 44 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 45 | {{- end }} 46 | {{- if .Values.customLabels }} 47 | {{ toYaml .Values.customLabels }} 48 | {{- end }} 49 | {{- end }} 50 | 51 | {{/* 52 | Selector labels 53 | */}} 54 | {{- define "oauth2-proxy.selectorLabels" }} 55 | app.kubernetes.io/name: {{ include "oauth2-proxy.name" . }} 56 | app.kubernetes.io/instance: {{ .Release.Name }} 57 | {{- end }} 58 | 59 | {{/* 60 | Get the secret name. 
*/}}
{{- define "oauth2-proxy.secretName" -}}
{{- if .Values.config.existingSecret -}}
{{- printf "%s" .Values.config.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "oauth2-proxy.fullname" .) -}}
{{- end -}}
{{- end -}}

{{/*
Create the name of the service account to use.
With serviceAccount.enabled the name defaults to the chart fullname; when the
chart does not manage a ServiceAccount the pod falls back to the namespace's
"default" account unless serviceAccount.name names an existing one.
*/}}
{{- define "oauth2-proxy.serviceAccountName" -}}
{{- if .Values.serviceAccount.enabled -}}
{{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
Returns .Values.namespaceOverride when set, otherwise .Release.Namespace.
*/}}
{{- define "oauth2-proxy.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}

{{/*
Redis subchart fullname.
Calls the subchart's "common.names.fullname" helper with a synthesized context
(chart name "redis", this release, the redis sub-values) so that the result
matches the names the subchart itself renders. Fails the render when the
subchart is disabled, because there is no such resource to point at.
*/}}
{{- define "oauth2-proxy.redis.fullname" -}}
{{- if .Values.redis.enabled -}}
{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}}
{{- else -}}
{{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }}
{{- end -}}
{{- end -}}

{{/*
Compute the redis url if not set explicitly.
Precedence: sessionStorage.redis.standalone.connectionUrl > the subchart's
"<redis-fullname>-master" service on redis.master.service.ports.redis
(formatted with %.0f because the port value arrives as a float) > fail.
*/}}
{{- define "oauth2-proxy.redis.StandaloneUrl" -}}
{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}}
{{ .Values.sessionStorage.redis.standalone.connectionUrl }}
{{- else if .Values.redis.enabled -}}
{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) .Values.redis.master.service.ports.redis -}}
{{- else -}}
{{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }}
{{- end -}}
{{- end -}}

{{/*
Returns the image version: .Values.image.tag when set, otherwise "v<appVersion>".
Used for the container image reference and, in deployment.yaml, to pick the
readiness probe path, so a non-semver tag affects both.
*/}}
{{- define "oauth2-proxy.version" -}}
{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}
{{- end -}}

{{/*
Returns the kubectl version.
Workaround for EKS https://github.com/aws/eks-distro/issues/1128
Derived from the cluster's reported major.minor (EKS reports minor as e.g.
"27+", hence the "+" is stripped) unless initContainers.waitForRedis.kubectlVersion
pins it explicitly.
*/}}
{{- define "kubectl.version" -}}
{{- if .Values.initContainers.waitForRedis.kubectlVersion -}}
{{ .Values.initContainers.waitForRedis.kubectlVersion }}
{{- else -}}
{{- printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
{{- end -}}
{{- end -}}

{{/*
Render the oauth2-proxy alpha configuration document.
The server (and, when metrics.enabled, metricsServer) bind addresses are
hard-coded to match the container ports and --*-address flags in
deployment.yaml; alphaConfig.serverConfigData / metricsConfigData are merged
under those keys, alphaConfig.configData is appended at top level and
alphaConfig.configFile is passed through tpl and appended as-is. The rendered
document is stored in the "-alpha" Secret and its sha256 is used for the
checksum/alpha-config pod annotation.
*/}}
{{- define "oauth2-proxy.alpha-config" -}}
---
server:
  BindAddress: '0.0.0.0:4180'
{{- if .Values.alphaConfig.serverConfigData }}
{{- toYaml .Values.alphaConfig.serverConfigData | nindent 2 }}
{{- end }}
{{- if .Values.metrics.enabled }}
metricsServer:
  BindAddress: '0.0.0.0:44180'
{{- if .Values.alphaConfig.metricsConfigData }}
{{- toYaml .Values.alphaConfig.metricsConfigData | nindent 2 }}
{{- end }}
{{- end }}
{{- if .Values.alphaConfig.configData }}
{{- toYaml .Values.alphaConfig.configData | nindent 0 }}
{{- end }}
{{- if .Values.alphaConfig.configFile }}
{{- tpl .Values.alphaConfig.configFile $ | nindent 0 }}
{{- end }}
{{- end -}}

{{/*
Data block of the chart-managed Secret (secret.yaml). Each value is evaluated
with tpl against the root context, then base64-encoded. The sha256 of this
rendered block is also published as the checksum/secret pod annotation in
deployment.yaml, so it is readable by anyone who can read pods; keep
cookieSecret and clientSecret high-entropy.
*/}}
{{- define "oauth2-proxy.secrets" -}}
cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }}
client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }}
{{- end -}}

--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/_ingress.tpl:
--------------------------------------------------------------------------------
{{/*
Returns "true" if the Ingress `ingressClassName` field is supported and "false" otherwise.
The field exists from Kubernetes 1.18; the version checked is .Values.kubeVersion
when set (for templating against a cluster other than the one helm talks to),
otherwise the server version reported via .Capabilities.
*/}}
{{- define "ingress.supportsIngressClassName" -}}
{{- $kubeVersion := .Values.kubeVersion | default .Capabilities.KubeVersion.Version -}}
{{- ternary "false" "true" (semverCompare "<1.18-0" $kubeVersion) -}}
{{- end -}}

{{/*
Returns "true" if the Ingress `pathType` field is supported and "false" otherwise.
Same version threshold and version source as "ingress.supportsIngressClassName".
*/}}
{{- define "ingress.supportsPathType" -}}
{{- $kubeVersion := .Values.kubeVersion | default .Capabilities.KubeVersion.Version -}}
{{- ternary "false" "true" (semverCompare "<1.18-0" $kubeVersion) -}}
{{- end -}}

{{/*
Returns the appropriate ingress `backend` fields depending on the Kubernetes API version.
e.g.: `{{ include "ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}`
Where the dict must contain the following entries:
- `serviceName` {String} - Name of an existing service backend
- `servicePort` {String|Number} - Port name or port number of the service.
- `context` {Dict} - (Parent) Context for the template evaluation required for the API version detection.
*/}}
{{- define "ingress.backend" -}}
{{- $apiVersion := ( include "capabilities.ingress.apiVersion" .context ) -}}
{{- if or ( eq $apiVersion "extensions/v1beta1" ) ( eq $apiVersion "networking.k8s.io/v1beta1" ) -}}
serviceName: {{ .serviceName }}
servicePort: {{ .servicePort }}
{{- else -}}
service:
  name: {{ .serviceName }}
  port:
    {{- /* networking.k8s.io/v1 distinguishes a named port from a numeric one;
           YAML numbers may arrive as int or float64, both map to `number`. */}}
    {{- if typeIs "string" .servicePort }}
    name: {{ .servicePort }}
    {{- else if or ( typeIs "int" .servicePort ) ( typeIs "float64" .servicePort ) }}
    number: {{ .servicePort }}
    {{- end }}
{{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml:
--------------------------------------------------------------------------------
{{- /* Allow-list of authenticated e-mails, stored as a ConfigMap when
       authenticatedEmailsFile.persistence is "configmap" (the "secret"
       variant lives in secret-authenticated-emails-file.yaml). The key name
       defaults to "restricted_user_access" and is what deployment.yaml
       mounts under /etc/oauth2-proxy. */ -}}
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
{{- with .Values.authenticatedEmailsFile.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
  name: {{ template "oauth2-proxy.fullname" . }}-accesslist
  namespace: {{ template "oauth2-proxy.namespace" $ }}
data:
  {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/configmap-wait-for-redis.yaml:
--------------------------------------------------------------------------------
{{- /* Ships scripts/check-redis.sh from the chart package as a ConfigMap; the
       wait-for-redis init container in deployment.yaml mounts it at /scripts.
       Only rendered when both the redis subchart and the init container are
       enabled. */ -}}
{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
  namespace: {{ template "oauth2-proxy.namespace" $ }}
data:
  check-redis.sh: |
{{ .Files.Get "scripts/check-redis.sh" | indent 4 }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/configmap.yaml:
--------------------------------------------------------------------------------
{{- /* Main oauth2_proxy.cfg, rendered with tpl from config.configFile. Skipped
       when the user points the chart at config.existingConfig instead; note
       the file is only produced when configFile is non-empty, so neither
       setting yields an empty ConfigMap. */ -}}
{{- if not .Values.config.existingConfig }}
{{- if .Values.config.configFile }}
apiVersion: v1
kind: ConfigMap
metadata:
{{- with .Values.config.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" .
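}}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
data:
  oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/deployment.yaml:
--------------------------------------------------------------------------------
{{- /* oauth2-proxy Deployment.
       Pod template annotations carry sha256 checksums of the rendered config
       and secrets so that a change in any of them rolls the pods. Anything in
       these annotations is readable by anyone who can read pods, so only
       hashes are published and the chart-managed Secret is hashed only when
       the chart actually renders it (same condition as secret.yaml). */ -}}
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
{{- with .Values.deploymentAnnotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
  name: {{ template "oauth2-proxy.fullname" . }}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
spec:
{{- /* With autoscaling the HPA owns the replica count; setting it here as well
       would fight the autoscaler on every upgrade. */}}
{{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
{{- end }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- with .Values.strategy }}
  strategy:
{{ toYaml . | nindent 4 }}
{{- end }}
  selector:
    matchLabels:
{{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
  template:
    metadata:
      annotations:
      {{- if .Values.config.configFile }}
        checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }}
      {{- end }}
      {{- if .Values.alphaConfig.enabled }}
        checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }}
      {{- end }}
      {{- if .Values.authenticatedEmailsFile.enabled }}
        checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
      {{- end }}
      {{- /* secret.yaml only exists under this same condition; hashing the
             values when an existingSecret is used would track data that is
             never deployed. */}}
      {{- if and .Values.proxyVarsAsSecrets (not .Values.config.existingSecret) }}
        checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }}
      {{- end }}
        checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
        checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
      {{- if .Values.htpasswdFile.enabled }}
        checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }}
      {{- end }}
      {{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
      {{- end }}
      labels:
        app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 8 }}
      {{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
      {{- end }}
    spec:
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
      {{- with .Values.podSecurityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
      enableServiceLinks: {{ .Values.enableServiceLinks }}
      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      {{- if .Values.hostAliases }}
      hostAliases:
{{ toYaml .Values.hostAliases | nindent 8}}
      {{- end }}
      {{- if or (and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled) .Values.extraInitContainers }}
      initContainers:
      {{- if .Values.extraInitContainers }}
      {{- toYaml .Values.extraInitContainers | nindent 6 }}
      {{- end }}
      {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
      {{- /* Blocks pod start until the redis subchart answers; the script comes
             from the -wait-for-redis ConfigMap and receives the same connection
             settings the main container gets below. */}}
      - name: wait-for-redis
        image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}"
        imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }}
        command: ["/bin/sh", "-c", "/scripts/check-redis.sh"]
        env:
        - name: TOTAL_RETRY_TIME
          value: "{{ .Values.initContainers.waitForRedis.timeout }}"
        {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
        - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
          value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
        - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
          value: "true"
        - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
          value: {{ join "," .Values.sessionStorage.redis.cluster.connectionUrls }}
        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
        - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
          value: "true"
        - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
          value: {{ join "," .Values.sessionStorage.redis.sentinel.connectionUrls }}
        {{- end }}
        {{- if .Values.initContainers.waitForRedis.securityContext.enabled }}
        {{- /* omit returns a copy; unset would mutate .Values in place and
               drop the "enabled" key for any later template that reads it. */}}
        {{- $securityContext := omit .Values.initContainers.waitForRedis.securityContext "enabled" }}
        securityContext:
          {{- toYaml $securityContext | nindent 10 }}
        {{- end }}
        resources:
          {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }}
        volumeMounts:
        - name: redis-script
          mountPath: /scripts
      {{- end }}
      {{- end }}
      {{- if .Values.terminationGracePeriodSeconds }}
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
      {{- end }}
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        {{- if .Values.image.command }}
        command:
        {{- range .Values.image.command }}
          - {{ . | quote }}
        {{- end }}
        {{- end }}
        {{- /* Listen addresses are fixed to match the container ports below and,
               in alpha mode, the bind addresses in "oauth2-proxy.alpha-config". */}}
        args:
        {{- if .Values.alphaConfig.enabled }}
          - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml
        {{- else }}
          - --http-address=0.0.0.0:4180
          - --https-address=0.0.0.0:4443
        {{- if .Values.metrics.enabled }}
          - --metrics-address=0.0.0.0:44180
        {{- end }}
        {{- end }}
        {{- if .Values.config.cookieName }}
          - --cookie-name={{ .Values.config.cookieName }}
        {{- end }}
        {{- /* extraArgs accepts either a map (key: value, or key: null for a
               bare flag; values are tpl-evaluated) or a ready-made list. */}}
        {{- if kindIs "map" .Values.extraArgs }}
        {{- range $key, $value := .Values.extraArgs }}
        {{- if not (kindIs "invalid" $value) }}
          - --{{ $key }}={{ tpl ($value | toString) $ }}
        {{- else }}
          - --{{ $key }}
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if kindIs "slice" .Values.extraArgs }}
        {{- with .Values.extraArgs }}
        {{- toYaml . | nindent 10 }}
        {{- end }}
        {{- end }}
        {{- if or .Values.config.existingConfig .Values.config.configFile }}
          - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
        {{- end }}
        {{- if .Values.authenticatedEmailsFile.enabled }}
        {{- if .Values.authenticatedEmailsFile.template }}
          - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
        {{- else }}
          - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . }}-accesslist
        {{- end }}
        {{- end }}
        {{- with .Values.config.google }}
        {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
          - --google-admin-email={{ .adminEmail }}
        {{- if .useApplicationDefaultCredentials }}
          - --google-use-application-default-credentials=true
        {{- else }}
          - --google-service-account-json=/google/service-account.json
        {{- end }}
        {{- if .targetPrincipal }}
          - --google-target-principal={{ .targetPrincipal }}
        {{- end }}
        {{- end }}
        {{- if .groups }}
        {{- range $group := .groups }}
          - --google-group={{ $group }}
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if .Values.htpasswdFile.enabled }}
          - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
        {{- end }}
        {{- if .Values.lifecycle }}
        lifecycle:
{{ toYaml .Values.lifecycle | indent 10 }}
        {{- end }}
        env:
        {{- /* Credentials are injected from the Secret named by
               "oauth2-proxy.secretName" rather than placed on the command line. */}}
        {{- if .Values.proxyVarsAsSecrets }}
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: {{ template "oauth2-proxy.secretName" . }}
              key: client-id
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ template "oauth2-proxy.secretName" . }}
              key: client-secret
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: {{ template "oauth2-proxy.secretName" . }}
              key: cookie-secret
        {{- end }}
        {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
        - name: OAUTH2_PROXY_SESSION_STORE_TYPE
          value: "redis"
        {{- /* Password source precedence: user-provided existingSecret >
               chart-managed "-redis-access" Secret (redis-secret.yaml) >
               the subchart's own Secret when redis.auth is enabled. */}}
        {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}}
        - name: OAUTH2_PROXY_REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
            {{- if .Values.sessionStorage.redis.existingSecret }}
              name: {{ .Values.sessionStorage.redis.existingSecret }}
            {{- else if .Values.sessionStorage.redis.password }}
              name: {{ template "oauth2-proxy.fullname" . }}-redis-access
            {{- else }}
              name: {{ include "oauth2-proxy.redis.fullname" . }}
            {{- end }}
              key: {{ .Values.sessionStorage.redis.passwordKey }}
        {{- end }}
        {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
        - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
          value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
        - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
          value: "true"
        - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
          value: {{ join "," .Values.sessionStorage.redis.cluster.connectionUrls }}
        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
        - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
          value: "true"
        - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
          value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
        - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
          value: {{ join "," .Values.sessionStorage.redis.sentinel.connectionUrls }}
        {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }}
        - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
          valueFrom:
            secretKeyRef:
            {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }}
              name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }}
            {{- else }}
              name: {{ template "oauth2-proxy.fullname" . }}-redis-access
            {{- end }}
              key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }}
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if .Values.extraEnv }}
{{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
        {{- end }}
        {{- if .Values.envFrom }}
        envFrom:
{{ tpl (toYaml .Values.envFrom) . | indent 8 }}
        {{- end }}
        ports:
        {{- /* Default port follows httpScheme (4180 http / 4443 https). Any other
               scheme without an explicit containerPort used to render a list
               with no item, i.e. an invalid manifest; fail early instead. */}}
        {{- if .Values.containerPort }}
        - containerPort: {{ .Values.containerPort }}
        {{- else if eq .Values.httpScheme "http" }}
        - containerPort: 4180
        {{- else if eq .Values.httpScheme "https" }}
        - containerPort: 4443
        {{- else }}
        {{- fail (printf "unsupported httpScheme %q: set containerPort explicitly or use \"http\" or \"https\"" .Values.httpScheme) }}
        {{- end }}
          name: {{ .Values.httpScheme }}
          protocol: TCP
        {{- if .Values.metrics.enabled }}
        - containerPort: 44180
          protocol: TCP
          name: metrics
        {{- end }}
        {{- if .Values.livenessProbe.enabled }}
        livenessProbe:
          httpGet:
            path: /ping
            port: {{ .Values.httpScheme }}
            scheme: {{ .Values.httpScheme | upper }}
          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
        {{- end }}
        {{- if .Values.readinessProbe.enabled }}
        {{- /* /ready exists from oauth2-proxy 7.4.0. Compare as semver: a plain
               string comparison orders "7.10.0" before "7.4.0" and puts every
               "v"-prefixed tag above it. Tags that are not semver (e.g.
               "latest", digests) are assumed to be current and get /ready. */}}
        {{- $imageVersion := include "oauth2-proxy.version" . }}
        {{- $readyPath := "/ready" }}
        {{- if regexMatch "^v?[0-9]+\\.[0-9]+\\.[0-9]+" $imageVersion }}
        {{- if semverCompare "<7.4.0-0" $imageVersion }}
        {{- $readyPath = "/ping" }}
        {{- end }}
        {{- end }}
        readinessProbe:
          httpGet:
            path: {{ $readyPath }}
            port: {{ .Values.httpScheme }}
            scheme: {{ .Values.httpScheme | upper }}
          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
          successThreshold: {{ .Values.readinessProbe.successThreshold }}
          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
        {{- end }}
        resources:
{{ toYaml .Values.resources | indent 10 }}
        volumeMounts:
        {{- with .Values.config.google }}
        {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
        - name: google-secret
          mountPath: /google
          readOnly: true
        {{- end }}
        {{- end }}
        {{- if or .Values.config.existingConfig .Values.config.configFile }}
        - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
          name: configmain
          subPath: oauth2_proxy.cfg
        {{- end }}
        {{- if .Values.alphaConfig.enabled }}
        - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
          name: configalpha
          subPath: oauth2_proxy.yml
        {{- end }}
        {{- if .Values.authenticatedEmailsFile.enabled }}
        - mountPath: /etc/oauth2-proxy
          name: configaccesslist
          readOnly: true
        {{- end }}
        {{- if .Values.htpasswdFile.enabled }}
        - mountPath: /etc/oauth2_proxy/htpasswd
          name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
          readOnly: true
        {{- end }}
        {{- if ne (len .Values.extraVolumeMounts) 0 }}
{{ toYaml .Values.extraVolumeMounts | indent 8 }}
        {{- end }}
        {{- if .Values.securityContext.enabled }}
        {{- /* omit returns a copy; unset would mutate .Values in place. */}}
        {{- $securityContext := omit .Values.securityContext "enabled" }}
        securityContext:
          {{- toYaml $securityContext | nindent 10 }}
        {{- end }}
      {{- if .Values.extraContainers }}
      {{- toYaml .Values.extraContainers | nindent 6 }}
      {{- end }}
      volumes:
      {{- with .Values.config.google }}
      {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
      - name: google-secret
        secret:
          {{- /* Must match google-secret.yaml, which names the Secret
                 "<fullname>-google" regardless of config.existingSecret;
                 deriving it from "oauth2-proxy.secretName" pointed at a
                 non-existent "<existingSecret>-google" when an existing
                 credentials Secret was configured. */}}
          secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" $ }}-google{{ end }}
      {{- end }}
      {{- end }}
      {{- if .Values.htpasswdFile.enabled }}
      - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
        secret:
          secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-htpasswd-file{{ end }}
      {{- end }}
      {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
      - name: configaccesslist
        secret:
          items:
          - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
          {{- if .Values.authenticatedEmailsFile.template }}
            path: {{ .Values.authenticatedEmailsFile.template }}
          {{- else }}
            path: {{ template "oauth2-proxy.fullname" . }}-accesslist
          {{- end }}
          {{- if .Values.authenticatedEmailsFile.template }}
          secretName: {{ .Values.authenticatedEmailsFile.template }}
          {{- else }}
          secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
          {{- end }}
      {{- end }}
      {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
      - name: redis-script
        configMap:
          name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
          defaultMode: 0775
      {{- end }}
      {{- if or .Values.config.existingConfig .Values.config.configFile }}
      - configMap:
          defaultMode: 420
          name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
        name: configmain
      {{- end }}
      {{- if .Values.alphaConfig.enabled }}
      {{- if .Values.alphaConfig.existingConfig }}
      - configMap:
          defaultMode: 420
          name: {{ .Values.alphaConfig.existingConfig }}
        name: configalpha
      {{- else }}
      - secret:
          defaultMode: 420
          secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
        name: configalpha
      {{- end }}
      {{- end }}
      {{- if ne (len .Values.extraVolumes) 0 }}
{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }}
      {{- end }}
      {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
      - configMap:
        {{- if .Values.authenticatedEmailsFile.template }}
          name: {{ .Values.authenticatedEmailsFile.template }}
        {{- else }}
          name: {{ template "oauth2-proxy.fullname" . }}-accesslist
        {{- end }}
          items:
          - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
          {{- if .Values.authenticatedEmailsFile.template }}
            path: {{ .Values.authenticatedEmailsFile.template }}
          {{- else }}
            path: {{ template "oauth2-proxy.fullname" . }}-accesslist
          {{- end }}
        name: configaccesslist
      {{- end }}
      {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/deprecation.yaml:
--------------------------------------------------------------------------------
{{- /* Renders nothing; exists only to abort the render with a readable message
       when values in a removed format are still present. Can be switched off
       with checkDeprecation=false. */ -}}
{{- if .Values.checkDeprecation }}
{{- if .Values.service.port }}
{{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }}
{{- end }}
{{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}}
{{- range .Values.ingress.extraPaths }}
{{- /* An extraPath without a backend key is left to the API server to reject;
       `with` keeps the check from dereferencing a missing map. */}}
{{- with .backend }}
{{- if or .serviceName .servicePort }}
{{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/extra-manifests.yaml:
--------------------------------------------------------------------------------
{{- /* Arbitrary extra objects from .Values.extraObjects, each tpl-evaluated
       against the root context and emitted as its own document. */}}
{{ range .Values.extraObjects }}
---
{{ tpl (toYaml .)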
$ }}
{{ end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/google-secret.yaml:
--------------------------------------------------------------------------------
{{- /* Google service-account JSON for the Google provider, mounted at /google by
       deployment.yaml. Skipped when the user supplies config.google.existingSecret
       or uses application default credentials.
       NOTE(review): this renders whenever config.google is non-empty, even if
       serviceAccountJson is unset (deployment.yaml additionally requires
       adminEmail and serviceAccountJson/existingSecret before mounting it) —
       confirm how b64enc behaves on a missing value. */ -}}
{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }}
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}-google
  namespace: {{ template "oauth2-proxy.namespace" $ }}
type: Opaque
data:
  service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }}
{{- end -}}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/hpa.yaml:
--------------------------------------------------------------------------------
{{- /* HorizontalPodAutoscaler targeting the chart Deployment. A metric entry is
       emitted only for the utilization targets that are set; with neither set
       the HPA has an empty metrics list. deployment.yaml omits spec.replicas
       while autoscaling.enabled is true. */ -}}
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
{{- with .Values.autoscaling.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 8 }}
{{- end }}
  name: {{ template "oauth2-proxy.fullname" . }}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: {{ template "oauth2-proxy.fullname" . }}
  minReplicas: {{ .Values.autoscaling.minReplicas }}
  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
  metrics:
  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
  {{- end }}
  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
  {{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/ingress.yaml:
--------------------------------------------------------------------------------
{{- /* Ingress routing every host in ingress.hosts to the chart Service on
       service.portNumber. ingressClassName and pathType are only emitted when
       the (possibly overridden) Kubernetes version supports them; the backend
       block is produced by "ingress.backend" in the API version's format.
       ingress.extraPaths are inserted verbatim (toYaml, no tpl) ahead of the
       main path; hosts and tls are tpl-evaluated. */ -}}
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "oauth2-proxy.fullname" . -}}
{{- $servicePort := .Values.service.portNumber -}}
{{- $ingressPath := .Values.ingress.path -}}
{{- $ingressPathType := .Values.ingress.pathType -}}
{{- $extraPaths := .Values.ingress.extraPaths -}}
apiVersion: {{ include "capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
  name: {{ template "oauth2-proxy.fullname" . }}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
{{- with .Values.ingress.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }}
  ingressClassName: {{ .Values.ingress.className | quote }}
{{- end }}
  rules:
  {{- range $host := .Values.ingress.hosts }}
  - host: {{ tpl $host $ | quote }}
    http:
      paths:
      {{- if $extraPaths }}
{{ toYaml $extraPaths | indent 10 }}
      {{- end }}
          - path: {{ $ingressPath }}
            {{- if eq "true" ( include "ingress.supportsPathType" $ ) }}
            pathType: {{ $ingressPathType }}
            {{- end }}
            backend: {{- include "ingress.backend" ( dict "serviceName" $serviceName "servicePort" $servicePort "context" $ ) | nindent 14 }}
  {{- end -}}
{{- if .Values.ingress.tls }}
  tls:
{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }}
{{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/poddisruptionbudget.yaml:
--------------------------------------------------------------------------------
{{- /* PodDisruptionBudget over the selector labels.
       NOTE(review): the replicaCount > 1 guard ignores autoscaling; with
       autoscaling.enabled and the default replicaCount, no PDB is rendered even
       though the HPA may run several replicas — confirm whether that is
       intended. */ -}}
{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }}
apiVersion: {{ include "capabilities.podDisruptionBudget.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
spec:
  selector:
    matchLabels:
{{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/redis-secret.yaml:
--------------------------------------------------------------------------------
{{- /* Chart-managed "<fullname>-redis-access" Secret holding the redis and/or
       sentinel password under the configured key names. Not rendered when the
       user supplies sessionStorage.redis.existingSecret; deployment.yaml reads
       the same key names back via secretKeyRef.
       The helpers are captured before `with` rebinds the dot. */ -}}
{{- $name := include "oauth2-proxy.name" . -}}
{{- $fullName := include "oauth2-proxy.fullname" . -}}
{{- $labels := include "oauth2-proxy.labels" . -}}
{{- with .Values.sessionStorage }}
{{- if and (eq .type "redis") (not .redis.existingSecret) (or .redis.password .redis.sentinel.password) }}
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: {{ $name }}
{{- $labels | indent 4 }}
  name: {{ $fullName }}-redis-access
  namespace: {{ template "oauth2-proxy.namespace" $ }}
type: Opaque
data:
{{- if and .redis.password (not .redis.existingSecret) }}
  {{ .redis.passwordKey }}: {{ .redis.password | b64enc | quote }}
{{- end }}
{{- /* NOTE(review): when sentinel.passwordKey equals passwordKey the sentinel
       password is dropped and the redis password is served under that key;
       presumably intended for the "same password for both" case — verify. */}}
{{- if and .redis.sentinel.password (not .redis.sentinel.existingSecret) (ne .redis.sentinel.passwordKey .redis.passwordKey) }}
  {{ .redis.sentinel.passwordKey }}: {{ .redis.sentinel.password | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/secret-alpha.yaml:
--------------------------------------------------------------------------------
{{- /* Alpha configuration rendered by "oauth2-proxy.alpha-config", stored as a
       Secret (it may embed provider credentials) and mounted by deployment.yaml
       as /etc/oauth2_proxy/oauth2_proxy.yml. Skipped when the user points the
       chart at alphaConfig.existingConfig or alphaConfig.existingSecret. */ -}}
{{-
if and
.Values.alphaConfig.enabled
(not .Values.alphaConfig.existingConfig)
(not .Values.alphaConfig.existingSecret)
}}
apiVersion: v1
kind: Secret
metadata:
{{- with .Values.alphaConfig.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}-alpha
  namespace: {{ template "oauth2-proxy.namespace" $ }}
data:
  oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/secret-authenticated-emails-file.yaml:
--------------------------------------------------------------------------------
{{- /* Secret variant of the authenticated e-mail allow-list
       (authenticatedEmailsFile.persistence "secret"); the ConfigMap variant
       is configmap-authenticated-emails-file.yaml. Same name and key so
       deployment.yaml mounts either one identically. */ -}}
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
{{- with .Values.authenticatedEmailsFile.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
  name: {{ template "oauth2-proxy.fullname" . }}-accesslist
  namespace: {{ template "oauth2-proxy.namespace" $ }}
data:
  {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/secret-htpasswd-file.yaml:
--------------------------------------------------------------------------------
{{- /* htpasswd users file built from htpasswdFile.entries, one entry per line,
       mounted read-only by deployment.yaml at /etc/oauth2_proxy/htpasswd. Not
       rendered when htpasswdFile.existingSecret is used. */ -}}
{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
  namespace: {{ template "oauth2-proxy.namespace" $ }}
type: Opaque
stringData:
  users.txt: |-
  {{- range $entries := .Values.htpasswdFile.entries }}
    {{ $entries }}
  {{- end -}}
{{- end }}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/secret.yaml:
--------------------------------------------------------------------------------
{{- /* Chart-managed Secret with client-id, client-secret and cookie-secret
       (data from "oauth2-proxy.secrets"). Rendered only when the chart injects
       credentials as env vars (proxyVarsAsSecrets) and no config.existingSecret
       is supplied; its name is what "oauth2-proxy.secretName" resolves to in
       that case. */ -}}
{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }}
apiVersion: v1
kind: Secret
metadata:
{{- with .Values.config.annotations }}
  annotations:
{{ tpl ( toYaml . ) $ | indent 4 }}
{{- end }}
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
type: Opaque
data:
  {{- include "oauth2-proxy.secrets" . | nindent 2 }}
{{- end -}}
--------------------------------------------------------------------------------
/helm/oauth2-proxy/templates/service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  labels:
    app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
  name: {{ template "oauth2-proxy.fullname" . }}
  namespace: {{ template "oauth2-proxy.namespace" $ }}
{{- with .Values.service.annotations }}
  annotations:
{{ tpl ( toYaml .
) $ | indent 4 }} 12 | {{- end }} 13 | spec: 14 | {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} 15 | type: ClusterIP 16 | {{- if .Values.service.clusterIP }} 17 | clusterIP: {{ .Values.service.clusterIP }} 18 | {{end}} 19 | {{- else if eq .Values.service.type "LoadBalancer" }} 20 | type: {{ .Values.service.type }} 21 | {{- if .Values.service.loadBalancerIP }} 22 | loadBalancerIP: {{ .Values.service.loadBalancerIP }} 23 | {{- end }} 24 | {{- if .Values.service.loadBalancerSourceRanges }} 25 | loadBalancerSourceRanges: 26 | {{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} 27 | {{- end -}} 28 | {{- else }} 29 | type: {{ .Values.service.type }} 30 | {{- end }} 31 | {{- if .Values.service.externalTrafficPolicy }} 32 | externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} 33 | {{- end }} 34 | {{- if .Values.service.internalTrafficPolicy }} 35 | internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }} 36 | {{- end }} 37 | ports: 38 | - port: {{ .Values.service.portNumber }} 39 | targetPort: {{ .Values.service.targetPort | default .Values.httpScheme }} 40 | {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} 41 | nodePort: {{ .Values.service.nodePort }} 42 | {{- end }} 43 | protocol: TCP 44 | {{- with .Values.service.appProtocol }} 45 | appProtocol: {{ . }} 46 | {{- end }} 47 | name: {{ .Values.httpScheme }} 48 | {{- if and .Values.metrics.enabled .Values.metrics.port }} 49 | - port: {{ .Values.metrics.port }} 50 | protocol: TCP 51 | {{- with .Values.metrics.service.appProtocol }} 52 | appProtocol: {{ . }} 53 | {{- end }} 54 | targetPort: metrics 55 | {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.metrics.nodePort))) }} 56 | nodePort: {{ .Values.metrics.nodePort }} 57 | {{- end }} 58 | name: metrics 59 | {{- end }} 60 | selector: 61 | {{- include "oauth2-proxy.selectorLabels" . 
| indent 4 }} 62 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if or .Values.serviceAccount.enabled -}} 2 | {{- $fullName := include "oauth2-proxy.fullname" . -}} 3 | {{- $saName := include "oauth2-proxy.serviceAccountName" . -}} 4 | {{- $name := include "oauth2-proxy.name" . -}} 5 | {{- $namespace := include "oauth2-proxy.namespace" $ -}} 6 | {{- $labels := include "oauth2-proxy.labels" . -}} 7 | --- 8 | apiVersion: v1 9 | kind: ServiceAccount 10 | metadata: 11 | {{- with .Values.serviceAccount.annotations }} 12 | annotations: 13 | {{ tpl ( toYaml . ) $ | indent 4 }} 14 | {{- end }} 15 | labels: 16 | app: {{ $name }} 17 | {{- $labels | indent 4 }} 18 | name: {{ $saName }} 19 | namespace: {{ $namespace }} 20 | automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} 21 | {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} 22 | --- 23 | kind: Role 24 | apiVersion: rbac.authorization.k8s.io/v1 25 | metadata: 26 | name: {{ $fullName }}-watch-redis 27 | namespace: {{ $namespace }} 28 | labels: 29 | app: {{ $name }} 30 | {{- $labels | nindent 4 }} 31 | rules: 32 | - apiGroups: 33 | - "" 34 | resources: 35 | - pods 36 | resourceNames: 37 | - "{{ include "oauth2-proxy.redis.fullname" . 
}}-master-0" 38 | verbs: 39 | - get 40 | - list 41 | - watch 42 | --- 43 | kind: RoleBinding 44 | apiVersion: rbac.authorization.k8s.io/v1 45 | metadata: 46 | name: {{ $saName }}-watch-redis 47 | namespace: {{ $namespace }} 48 | labels: 49 | app: {{ $name }} 50 | {{- $labels | nindent 4 }} 51 | subjects: 52 | - kind: ServiceAccount 53 | name: {{ $saName }} 54 | apiGroup: "" 55 | roleRef: 56 | kind: Role 57 | name: {{ $fullName }}-watch-redis 58 | apiGroup: "" 59 | {{- end -}} 60 | {{- end -}} 61 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | {{- with .Values.metrics.serviceMonitor.annotations }} 6 | annotations: 7 | {{ tpl ( toYaml . ) $ | indent 4 }} 8 | {{- end }} 9 | name: {{ template "oauth2-proxy.fullname" . }} 10 | {{- if .Values.metrics.serviceMonitor.namespace }} 11 | namespace: {{ .Values.metrics.serviceMonitor.namespace }} 12 | {{- else }} 13 | namespace: {{ template "oauth2-proxy.namespace" $ }} 14 | {{- end }} 15 | labels: 16 | prometheus: {{ .Values.metrics.serviceMonitor.prometheusInstance }} 17 | app: {{ template "oauth2-proxy.name" . }} 18 | {{- include "oauth2-proxy.labels" . | indent 4 }} 19 | {{- if .Values.metrics.serviceMonitor.labels }} 20 | {{ toYaml .Values.metrics.serviceMonitor.labels | indent 4}} 21 | {{- end }} 22 | spec: 23 | jobLabel: {{ template "oauth2-proxy.fullname" . }} 24 | selector: 25 | matchLabels: 26 | {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} 27 | namespaceSelector: 28 | matchNames: 29 | - {{ template "oauth2-proxy.namespace" $ }} 30 | endpoints: 31 | - port: metrics 32 | path: "/metrics" 33 | {{- with .Values.metrics.serviceMonitor.interval }} 34 | interval: {{ . 
}} 35 | {{- end }} 36 | {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} 37 | scrapeTimeout: {{ . }} 38 | {{- end }} 39 | {{- with .Values.metrics.serviceMonitor.scheme }} 40 | scheme: {{ . }} 41 | {{- end }} 42 | {{- with .Values.metrics.serviceMonitor.bearerTokenFile }} 43 | bearerTokenFile: {{ . }} 44 | {{- end }} 45 | {{- with .Values.metrics.serviceMonitor.tlsConfig }} 46 | tlsConfig: 47 | {{- toYaml .| nindent 6 }} 48 | {{- end }} 49 | {{- with .Values.metrics.serviceMonitor.metricRelabelings }} 50 | metricRelabelings: 51 | {{- toYaml . | nindent 4 }} 52 | {{- end }} 53 | {{- with .Values.metrics.serviceMonitor.relabelings }} 54 | relabelings: 55 | {{- toYaml . | nindent 4 }} 56 | {{- end }} 57 | {{- end }} 58 | -------------------------------------------------------------------------------- /helm/oauth2-proxy/values.yaml: -------------------------------------------------------------------------------- 1 | global: {} 2 | # To help compatibility with other charts which use global.imagePullSecrets. 3 | # global: 4 | # imagePullSecrets: 5 | # - name: pullSecret1 6 | # - name: pullSecret2 7 | 8 | ## Override the deployment namespace 9 | ## 10 | namespaceOverride: "" 11 | 12 | # Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). 
13 | # This is especially useful for `helm template` because capabilities are always empty 14 | # there, since it doesn't query an actual cluster 15 | kubeVersion: 16 | 17 | # OAuth client configuration specifics 18 | config: 19 | # Add config annotations 20 | annotations: {} 21 | # OAuth client ID 22 | clientID: "XXXXXXX" 23 | # OAuth client secret 24 | clientSecret: "XXXXXXXX" 25 | # Generate a new cookie secret with the following command 26 | # openssl rand -base64 32 | head -c 32 | base64 27 | # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) 28 | # Example: 29 | # existingSecret: secret 30 | cookieSecret: "XXXXXXXXXXXXXXXX" 31 | # The name of the cookie that oauth2-proxy will create 32 | # If left empty, it will default to the release name 33 | cookieName: "" 34 | google: {} 35 | # adminEmail: xxxx 36 | # useApplicationDefaultCredentials: true 37 | # targetPrincipal: xxxx 38 | # serviceAccountJson: xxxx 39 | # Alternatively, use an existing secret (see google-secret.yaml for required fields) 40 | # Example: 41 | # existingSecret: google-secret 42 | # groups: [] 43 | # Example: 44 | # - group1@example.com 45 | # - group2@example.com 46 | # Default configuration, to be overridden 47 | configFile: |- 48 | email_domains = [ "*" ] 49 | upstreams = [ "file:///dev/null" ] 50 | # Custom configuration file: oauth2_proxy.cfg 51 | # configFile: |- 52 | # pass_basic_auth = false 53 | # pass_access_token = true 54 | # Use an existing config map (see configmap.yaml for required fields) 55 | # Example: 56 | # existingConfig: config 57 | 58 | alphaConfig: 59 | enabled: false 60 | # Add config annotations 61 | annotations: {} 62 | # Arbitrary configuration data to append to the server section 63 | serverConfigData: {} 64 | # Arbitrary configuration data to append to the metrics section 65 | metricsConfigData: {} 66 | # Arbitrary configuration data to append 67 | configData: {} 68 | # Arbitrary configuration to append 69 | # This is treated as a Go 
template and rendered with the root context 70 | configFile: "" 71 | # Use an existing config map (see secret-alpha.yaml for required fields) 72 | existingConfig: ~ 73 | # Use an existing secret 74 | existingSecret: ~ 75 | 76 | image: 77 | repository: "quay.io/oauth2-proxy/oauth2-proxy" 78 | # appVersion is used by default 79 | tag: "" 80 | pullPolicy: "IfNotPresent" 81 | command: [] 82 | 83 | # Optionally specify an array of imagePullSecrets. 84 | # Secrets must be manually created in the namespace. 85 | # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod 86 | imagePullSecrets: [] 87 | # - name: myRegistryKeySecretName 88 | 89 | # Set a custom containerPort if required. 90 | # This will default to 4180 if this value is not set and httpScheme is set to http 91 | # This will default to 4443 if this value is not set and httpScheme is set to https 92 | # containerPort: 4180 93 | 94 | extraArgs: {} 95 | extraEnv: [] 96 | 97 | envFrom: [] 98 | # Load environment variables from one or more ConfigMaps and/or Secrets 99 | # that already exist (created and managed by you). 100 | # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables 101 | # 102 | # PS: Changes in these ConfigMaps or Secrets will not be automatically 103 | # detected and you must manually restart the relevant Pods after changes. 
104 | # 105 | # - configMapRef: 106 | # name: special-config 107 | # - secretRef: 108 | # name: special-config-secret 109 | 110 | # -- Custom labels to add into metadata 111 | customLabels: {} 112 | 113 | # To authorize individual email addresses 114 | # This would normally belong to extraArgs, but since it needs special treatment it has its own section 115 | authenticatedEmailsFile: 116 | enabled: false 117 | # Defines how the email addresses file will be projected, via a configmap or secret 118 | persistence: configmap 119 | # template is the name of the configmap that contains the email user list but was created outside this chart. 120 | # It's a simpler way to maintain only one configmap (user list) instead of changing it for each oauth2-proxy service. 121 | # Be aware that the data key in the external config map must be named "restricted_user_access" or match the 122 | # value provided in the restrictedUserAccessKey field. 123 | template: "" 124 | # The configmap/secret key under which the email access list is stored 125 | # Defaults to "restricted_user_access" if not filled in, but can be overridden to allow flexibility 126 | restrictedUserAccessKey: "" 127 | # One email per line 128 | # example: 129 | # restricted_access: |- 130 | # name1@domain 131 | # name2@domain 132 | # If you override the config with restricted_access it will configure a user list within this chart, which takes care of the 133 | # config map resource. 134 | restricted_access: "" 135 | annotations: {} 136 | # helm.sh/resource-policy: keep 137 | 138 | service: 139 | type: ClusterIP 140 | # when service.type is ClusterIP ... 141 | # clusterIP: 192.0.2.20 142 | # when service.type is LoadBalancer ... 143 | # loadBalancerIP: 198.51.100.40 144 | # loadBalancerSourceRanges: [203.0.113.0/24] 145 | # when service.type is NodePort ... 
146 | # nodePort: 80 147 | portNumber: 80 148 | # Protocol set on the service 149 | appProtocol: http 150 | annotations: {} 151 | # foo.io/bar: "true" 152 | # configure externalTrafficPolicy 153 | externalTrafficPolicy: "" 154 | # configure internalTrafficPolicy 155 | internalTrafficPolicy: "" 156 | # configure service target port 157 | targetPort: "" 158 | 159 | ## Create or use ServiceAccount 160 | serviceAccount: 161 | ## Specifies whether a ServiceAccount should be created 162 | enabled: true 163 | ## The name of the ServiceAccount to use. 164 | ## If not set and enabled is true, a name is generated using the fullname template 165 | name: 166 | automountServiceAccountToken: true 167 | annotations: {} 168 | 169 | ingress: 170 | enabled: false 171 | # className: nginx 172 | path: / 173 | # Only used if API capabilities (networking.k8s.io/v1) allow it 174 | pathType: ImplementationSpecific 175 | # Used to create an Ingress record. 176 | # hosts: 177 | # - chart-example.local 178 | # Extra paths to prepend to every host configuration. This is useful when working with annotation-based services. 179 | # Warning! The configuration is dependent on your current k8s API version capabilities (networking.k8s.io/v1) 180 | # extraPaths: 181 | # - path: /* 182 | # pathType: ImplementationSpecific 183 | # backend: 184 | # service: 185 | # name: ssl-redirect 186 | # port: 187 | # name: use-annotation 188 | labels: {} 189 | # annotations: 190 | # kubernetes.io/ingress.class: nginx 191 | # kubernetes.io/tls-acme: "true" 192 | # tls: 193 | # Secrets must be manually created in the namespace. 194 | # - secretName: chart-example-tls 195 | # hosts: 196 | # - chart-example.local 197 | 198 | resources: {} 199 | # limits: 200 | # cpu: 100m 201 | # memory: 300Mi 202 | # requests: 203 | # cpu: 100m 204 | # memory: 300Mi 205 | 206 | extraVolumes: [] 207 | # - name: ca-bundle-cert 208 | # secret: 209 | # secretName: