master-group/charts
2
0
Fork 0
mirror of https://github.com/k8s-at-home/charts.git synced 2025-01-24 07:59:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #48 from k8s-at-home/new/traefik-forward-auth

Browse Source 
[traefik-forward-auth] New Chart
This commit is contained in:
Ryan Holt 2020-09-13 20:39:15 -04:00 committed by GitHub
commit 00f3ce5523
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 860 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -3,7 +3,7 @@
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![](https://github.com/k8s-at-home/charts/workflows/Release%20Charts/badge.svg?branch=master)](https://github.com/k8s-at-home/charts/actions)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/k8s-at-home)](https://artifacthub.io/packages/search?repo=k8s-at-home)
## Usage
[Helm](https://helm.sh) must be installed to use the charts.

72
charts/README.templates.md.gotmpl Normal file
View File

@ -0,0 +1,72 @@
{{- define "repository.organization" -}}
k8s-at-home
{{- end -}}
{{- define "repository.url" -}}
https://github.com/k8s-at-home/charts
{{- end -}}
{{- define "helm.url" -}}
https://k8s-at-home.com/charts/
{{- end -}}
{{- define "helm.path" -}}
{{ template "repository.organization" . }}/{{ template "chart.name" . }}
{{- end -}}
{{- define "badge.artifactHub" -}}
[![ArtifactHub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/{{ template "chart.name" . }})](https://artifacthub.io/packages/helm/{{ template "chart.name" . }})
{{- end -}}
{{- define "description.multiarch" -}}
The default values and container images used in this chart will allow for running in a multi-arch cluster (amd64, arm, arm64)
{{- end -}}
{{- define "install.tldr" -}}
## TL;DR
```console
$ helm repo add {{ template "repository.organization" . }} {{ template "helm.url" . }}
$ helm install {{ template "helm.path" . }}
```
{{- end -}}
{{- define "install" -}}
## Installing the Chart
To install the chart with the release name `{{ template "chart.name" . }}`:
```console
helm install {{ template "chart.name" . }} {{ template "helm.path" . }}
```
{{- end -}}
{{- define "uninstall" -}}
## Uninstalling the Chart
To uninstall the `{{ template "chart.name" . }}` deployment:
```console
helm uninstall {{ template "chart.name" . }}
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
{{- end -}}
{{- define "configuration.header" -}}
## Configuration
{{- end -}}
{{- define "configuration.readValues" -}}
Read through the [values.yaml]({{ template "repository.url" . }}/blob/master/charts/{{ template "chart.name" . }}/values.yaml)
file. It has several commented out suggested values.
{{- end -}}
{{- define "configuration.example.set" -}}
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install {{ template "chart.name" . }} \
--set env.TZ="America/New York" \
{{ template "helm.path" . }}
```
{{- end -}}
{{- define "configuration.example.file" -}}
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
For example,
```console
helm install {{ template "chart.name" . }} {{ template "helm.path" . }} --values values.yaml
```
{{- end -}}

25
charts/traefik-forward-auth/.helmignore Normal file
View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl

19
charts/traefik-forward-auth/Chart.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: v2
name: traefik-forward-auth
description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer
type: application
version: 1.0.0
appVersion: 2.2.0
keywords:
- traefik
- traefik-forward-auth
- oauth
- oauth2
- oidc
home: https://github.com/k8s-at-home/charts/tree/master/charts/traefik-forward-auth
sources:
- https://github.com/thomseddon/traefik-forward-auth
- https://hub.docker.com/r/thomseddon/traefik-forward-auth
maintainers:
- name: DirtyCajunRice
email: nick@cajun.pro

4
charts/traefik-forward-auth/OWNERS Normal file
View File

@ -0,0 +1,4 @@
approvers:
- DirtyCajunRice
reviewers:
- DirtyCajunRice

120
charts/traefik-forward-auth/README.md Normal file
View File

@ -0,0 +1,120 @@
# traefik-forward-auth
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 2.2.0](https://img.shields.io/badge/AppVersion-2.2.0-informational?style=flat-square) [![ArtifactHub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/traefik-forward-auth)](https://artifacthub.io/packages/helm/traefik-forward-auth)
A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer
The default values and container images used in this chart will allow for running in a multi-arch cluster (amd64, arm, arm64)
Chart that
* Adds docker image information leveraging the [official image](https://github.com/thomseddon/traefik-forward-auth)
* Deploys [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth)
## TL;DR
```console
$ helm repo add k8s-at-home https://k8s-at-home.com/charts/
$ helm install k8s-at-home/traefik-forward-auth
```
## Installing the Chart
To install the chart with the release name `traefik-forward-auth`:
```console
helm install traefik-forward-auth k8s-at-home/traefik-forward-auth
```
## Uninstalling the Chart
To uninstall the `traefik-forward-auth` deployment:
```console
helm uninstall traefik-forward-auth
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
Read through the [values.yaml](https://github.com/k8s-at-home/charts/blob/master/charts/traefik-forward-auth/values.yaml)
file. It has several commented out suggested values.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
helm install traefik-forward-auth \
--set env.TZ="America/New York" \
k8s-at-home/traefik-forward-auth
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
For example,
```console
helm install traefik-forward-auth k8s-at-home/traefik-forward-auth --values values.yaml
```
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| authHost | string | `""` | Single host to use when returning from 3rd party auth |
| autoscaling.enabled | bool | `false` | |
| autoscaling.maxReplicas | int | `100` | |
| autoscaling.minReplicas | int | `1` | |
| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| cookie.csrfName | string | `""` | CSRF Cookie Name (default: _forward_auth_csrf) |
| cookie.domain | string | `""` | Domain(s) to set auth cookie on. (Comma delimited) |
| cookie.insecure | string | `""` | Use insecure cookies |
| cookie.name | string | `""` | Cookie Name (default: _forward_auth) |
| default.action | string | `""` | [auth|allow] Default action (default: auth) |
| default.provider | string | `""` | [google|oidc|generic-oauth] Default provider (default: google) |
| env | list | `[]` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"thomseddon/traefik-forward-auth"` | |
| image.tag | string | `""` | |
| imagePullSecrets | list | `[]` | |
| ingress.annotations | object | `{}` | |
| ingress.enabled | bool | `false` | |
| ingress.hosts[0].host | string | `"chart-example.local"` | |
| ingress.hosts[0].paths | list | `[]` | |
| ingress.tls | list | `[]` | |
| lifetime | string | `""` | Lifetime in seconds (default: 43200) |
| logging.format | string | `""` | [text|json|pretty] Log format (default: text) |
| logging.level | string | `""` | [trace|debug|info|warn|error|fatal|panic] Log level (default: warn) |
| logoutRedirect | string | `""` | URL to redirect to following logout |
| middleware.enabled | bool | `false` | Enable to deploy a preconfigured middleware |
| middleware.name | string | `""` | Name for the middleware |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | |
| podSecurityContext | object | `{}` | |
| providers.genericOauth.authUrl | string | `""` | Auth/Login URL |
| providers.genericOauth.clientId | string | `""` | Client ID |
| providers.genericOauth.clientSecret | string | `""` | Client Secret |
| providers.genericOauth.enabled | bool | `false` | Enable the generic OAUTH2 provider |
| providers.genericOauth.resource | string | `""` | Optional resource indicator |
| providers.genericOauth.scope | string | `""` | Scopes (default: profile, email) |
| providers.genericOauth.tokenStyle | string | `""` | How token is presented when querying the User URL |
| providers.genericOauth.tokenUrl | string | `""` | Token URL |
| providers.genericOauth.userUrl | string | `""` | URL used to retrieve user info |
| providers.google.clientId | string | `""` | Client ID |
| providers.google.clientSecret | string | `""` | Client Secret |
| providers.google.enabled | bool | `false` | Enable the google provider |
| providers.google.prompt | string | `""` | Space separated list of OpenID prompt options |
| providers.oidc.clientId | string | `""` | Client ID |
| providers.oidc.clientSecret | string | `""` | Client Secret |
| providers.oidc.enabled | bool | `false` | Enable the generic OIDC provider |
| providers.oidc.issuerUrl | string | `""` | Issuer URL |
| providers.oidc.resource | string | `""` | Optional resource indicator |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| restrictions.domain | string | `""` | Only allow given email domains. (Comma delimited) |
| restrictions.whitelist | string | `""` | Only allow given email addresses. (Comma delimited) |
| secret | string | `""` | Secret used for signing. If empty, one will be generated. If specifying your own in env use "-" |
| securityContext | object | `{}` | |
| service.additionalSpec | object | `{}` | |
| service.annotations | object | `{}` | |
| service.labels | object | `{}` | |
| service.port | int | `4181` | |
| service.type | string | `"ClusterIP"` | |
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| tolerations | list | `[]` | |
| urlPath | string | `""` | Callback URL Path (default: /_oauth) |

26
charts/traefik-forward-auth/README.md.gotmpl Normal file
View File

@ -0,0 +1,26 @@
{{ template "chart.header" . }}
{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}{{ template "badge.artifactHub" . }}
{{ template "chart.description" . }}
{{ template "description.multiarch" . }}
Chart that
* Adds docker image information leveraging the [official image](https://github.com/thomseddon/traefik-forward-auth)
* Deploys [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth)
{{ template "install.tldr" . }}
{{ template "install" . }}
{{ template "uninstall" . }}
{{ template "configuration.header" . }}
{{ template "configuration.readValues" . }}
{{ template "configuration.example.set" .}}
{{ template "configuration.example.file" . }}
{{ template "chart.valuesSection" . }}

5
charts/traefik-forward-auth/ci/ct-values.yaml Normal file
View File

@ -0,0 +1,5 @@
providers:
google:
enabled: true
clientId: "fakeclientid"
clientSecret: "fakeclientsecret"

21
charts/traefik-forward-auth/templates/NOTES.txt Normal file
View File

@ -0,0 +1,21 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "traefik-forward-auth.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "traefik-forward-auth.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "traefik-forward-auth.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "traefik-forward-auth.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
{{- end }}

63
charts/traefik-forward-auth/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,63 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "traefik-forward-auth.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "traefik-forward-auth.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "traefik-forward-auth.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "traefik-forward-auth.labels" -}}
helm.sh/chart: {{ include "traefik-forward-auth.chart" . }}
{{ include "traefik-forward-auth.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "traefik-forward-auth.selectorLabels" -}}
app.kubernetes.io/name: {{ include "traefik-forward-auth.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "traefik-forward-auth.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "traefik-forward-auth.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

207
charts/traefik-forward-auth/templates/deployment.yaml Normal file
View File

@ -0,0 +1,207 @@
{{- $fullName := include "traefik-forward-auth.fullname" . -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ $fullName }}
labels:
{{- include "traefik-forward-auth.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "traefik-forward-auth.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "traefik-forward-auth.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "traefik-forward-auth.serviceAccountName" . }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
{{- if .Values.logging.level }}
- name: LOG_LEVEL
value: {{ .Values.logging.level | quote }}
{{- end }}
{{- if .Values.logging.format }}
- name: LOG_FORMAT
value: {{ .Values.logging.format | quote }}
{{- end }}
{{- if .Values.authHost }}
- name: AUTH_HOST
value: {{ .Values.authHost | quote }}
{{- end }}
{{- if .Values.cookie.domain }}
- name: COOKIE_DOMAIN
value: {{ .Values.cookie.domain | quote }}
{{- end }}
{{- if .Values.cookie.insecure }}
- name: INSECURE_COOKIE
value: {{ .Values.cookie.insecure | quote }}
{{- end }}
{{- if .Values.cookie.name }}
- name: COOKIE_NAME
value: {{ .Values.cookie.name | quote }}
{{- end }}
{{- if .Values.cookie.csrfName }}
- name: CSRF_COOKIE_NAME
value: {{ .Values.cookie.csrfName | quote }}
{{- end }}
{{- if .Values.default.action }}
- name: DEFAULT_ACTION
value: {{ .Values.default.action | quote }}
{{- end }}
{{- if .Values.default.provider }}
- name: DEFAULT_PROVIDER
value: {{ .Values.default.provider | quote }}
{{- end }}
{{- if .Values.restrictions.domain }}
- name: DOMAIN
value: {{ .Values.restrictions.domain | quote }}
{{- end }}
{{- if .Values.restrictions.whitelist }}
- name: WHITELIST
value: {{ .Values.restrictions.whitelist | quote }}
{{- end }}
{{- if .Values.lifetime }}
- name: LIFETIME
value: {{ .Values.lifetime | quote }}
{{- end }}
{{- if .Values.logoutRedirect }}
- name: LOGOUT_REDIRECT
value: {{ .Values.logoutRedirect | quote }}
{{- end }}
{{- if .Values.urlPath }}
- name: URL_PATH
value: {{ .Values.urlPath | quote }}
{{- end }}
{{- if ne .Values.secret "-" }}
- name: SECRET
{{- if .Values.secret }}
value: {{ .Values.secret | quote }}
{{- else }}
valueFrom:
secretKeyRef:
name: {{ $fullName }}
key: secret
{{- end }}
{{- with .Values.providers}}
{{- if .google.enabled }}
{{- if .google.clientId }}
- name: PROVIDERS_GOOGLE_CLIENT_ID
value: {{ .google.clientId | quote }}
{{- end }}
{{- if .google.clientSecret }}
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
value: {{ .google.clientSecret | quote }}
{{- end }}
{{- if .google.prompt }}
- name: PROVIDERS_GOOGLE_PROMPT
value: {{ .google.prompt | quote }}
{{- end }}
{{- end }}
{{- if .oidc.enabled }}
{{- if .oidc.clientId }}
- name: PROVIDERS_OIDC_CLIENT_ID
value: {{ .oidc.clientId | quote }}
{{- end }}
{{- if .oidc.clientSecret }}
- name: PROVIDERS_OIDC_CLIENT_SECRET
value: {{ .oidc.clientSecret | quote }}
{{- end }}
{{- if .oidc.issuerUrl }}
- name: PROVIDERS_OIDC_ISSUER_URL
value: {{ .oidc.issuerUrl | quote }}
{{- end }}
{{- if .oidc.resource }}
- name: PROVIDERS_OIDC_RESOURCE
value: {{ .oidc.resource | quote }}
{{- end }}
{{- end }}
{{- if .genericOauth.enabled }}
{{- if .genericOauth.clientId }}
- name: PROVIDERS_GENERIC_OAUTH_CLIENT_ID
value: {{ .genericOauth.clientId | quote }}
{{- end }}
{{- if .genericOauth.clientSecret }}
- name: PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET
value: {{ .genericOauth.clientSecret | quote }}
{{- end }}
{{- if .genericOauth.authUrl }}
- name: PROVIDERS_GENERIC_OAUTH_AUTH_URL
value: {{ .genericOauth.authUrl | quote }}
{{- end }}
{{- if .genericOauth.tokenUrl }}
- name: PROVIDERS_GENERIC_OAUTH_TOKEN_URL
value: {{ .genericOauth.tokenUrl | quote }}
{{- end }}
{{- if .genericOauth.userUrl }}
- name: PROVIDERS_GENERIC_OAUTH_USER_URL
value: {{ .genericOauth.userUrl | quote }}
{{- end }}
{{- if .genericOauth.resource }}
- name: PROVIDERS_GENERIC_OAUTH_RESOURCE
value: {{ .genericOauth.resource | quote }}
{{- end }}
{{- if .genericOauth.scope }}
- name: PROVIDERS_GENERIC_OAUTH_SCOPE
value: {{ .genericOauth.scope | quote }}
{{- end }}
{{- if .genericOauth.tokenStyle }}
- name: PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE
value: {{ .genericOauth.tokenStyle | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: 4181
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

28
charts/traefik-forward-auth/templates/hpa.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "traefik-forward-auth.fullname" . }}
labels:
{{- include "traefik-forward-auth.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "traefik-forward-auth.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

46
charts/traefik-forward-auth/templates/ingress.yaml Normal file
View File

@ -0,0 +1,46 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "traefik-forward-auth.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "traefik-forward-auth.labels" . | nindent 4 }}
{{- if or .Values.ingress.annotations (and .Values.middleware.enabled .Values.authHost) }}
annotations:
{{- with .Values.ingress.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if and .Values.middleware.enabled .Values.authHost }}
traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-{{ .Values.middleware.name | default "traefik-forward-auth" }}@kubernetescrd
{{- end }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}

11
charts/traefik-forward-auth/templates/middleware.yaml Normal file
View File

@ -0,0 +1,11 @@
{{- if .Values.middleware.enabled -}}
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: {{ .Values.middleware.name | default "traefik-forward-auth" }}
spec:
forwardAuth:
address: "http://{{ include "traefik-forward-auth.fullname" . }}:{{ .Values.service.port }}"
authResponseHeaders:
- X-Forwarded-User
{{- end }}

11
charts/traefik-forward-auth/templates/secret.yaml Normal file
View File

@ -0,0 +1,11 @@
{{- if and (ne .Values.secret "-") (not .Values.secret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "traefik-forward-auth.fullname" . }}
labels:
{{- include "traefik-forward-auth.labels" . | nindent 4 }}
type: Opaque
data:
secret: {{ randAlphaNum 16 | b64enc | quote }}
{{- end }}

22
charts/traefik-forward-auth/templates/service.yaml Normal file
View File

@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "traefik-forward-auth.fullname" . }}
labels:
{{- include "traefik-forward-auth.labels" . | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- with .Values.service.additionalSpec }}
{{- toYaml . | nindent 2 }}
{{- end }}
selector:
{{- include "traefik-forward-auth.selectorLabels" . | nindent 4 }}

12
charts/traefik-forward-auth/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "traefik-forward-auth.serviceAccountName" . }}
labels:
{{- include "traefik-forward-auth.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

167
charts/traefik-forward-auth/values.yaml Normal file
View File

@ -0,0 +1,167 @@
# Default values for traefik-forward-auth.
replicaCount: 1
image:
repository: thomseddon/traefik-forward-auth
pullPolicy: IfNotPresent
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
logging:
# logging.level -- [trace|debug|info|warn|error|fatal|panic] Log level (default: warn)
level: ""
# logging.format -- [text|json|pretty] Log format (default: text)
format: ""
# authHost -- Single host to use when returning from 3rd party auth
authHost: ""
restrictions:
# restrictions.domain -- Only allow given email domains. (Comma delimited)
domain: ""
# restrictions.whitelist -- Only allow given email addresses. (Comma delimited)
whitelist: ""
# lifetime -- Lifetime in seconds (default: 43200)
lifetime: ""
cookie:
# cookie.domain -- Domain(s) to set auth cookie on. (Comma delimited)
domain: ""
# cookie.insecure -- Use insecure cookies
insecure: ""
# cookie.name -- Cookie Name (default: _forward_auth)
name: ""
# cookie.csrfName -- CSRF Cookie Name (default: _forward_auth_csrf)
csrfName: ""
default:
# default.action -- [auth|allow] Default action (default: auth)
action: ""
# default.provider -- [google|oidc|generic-oauth] Default provider (default: google)
provider: ""
# logoutRedirect -- URL to redirect to following logout
logoutRedirect: ""
# urlPath -- Callback URL Path (default: /_oauth)
urlPath: ""
# secret -- Secret used for signing. If empty, one will be generated. If specifying your own in env use "-"
secret: ""
middleware:
# middleware.enabled -- Enable to deploy a preconfigured middleware
enabled: false
# middleware.name -- Name for the middleware
name: ""
providers:
google:
# providers.google.enabled -- Enable the google provider
enabled: false
# providers.google.clientId -- Client ID
clientId: ""
# providers.google.clientSecret -- Client Secret
clientSecret: ""
# providers.google.prompt -- Space separated list of OpenID prompt options
prompt: ""
oidc:
# providers.oidc.enabled -- Enable the generic OIDC provider
enabled: false
# providers.oidc.issuerUrl -- Issuer URL
issuerUrl: ""
# providers.oidc.clientId -- Client ID
clientId: ""
# providers.oidc.clientSecret -- Client Secret
clientSecret: ""
# providers.oidc.resource -- Optional resource indicator
resource: ""
genericOauth:
# providers.genericOauth.enabled -- Enable the generic OAUTH2 provider
enabled: false
# providers.genericOauth.authUrl -- Auth/Login URL
authUrl: ""
# providers.genericOauth.tokenUrl -- Token URL
tokenUrl: ""
# providers.genericOauth.userUrl -- URL used to retrieve user info
userUrl: ""
# providers.genericOauth.clientId -- Client ID
clientId: ""
# providers.genericOauth.clientSecret -- Client Secret
clientSecret: ""
# providers.genericOauth.scope -- Scopes (default: profile, email)
scope: ""
# providers.genericOauth.tokenStyle -- How token is presented when querying the User URL
tokenStyle: ""
# providers.genericOauth.resource -- Optional resource indicator
resource: ""
env: []
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 4181
## Provide any additional annotations which may be required. This can be used to
## set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
annotations: {}
labels: {}
additionalSpec: {}
ingress:
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}