synced 2025-02-03 07:49:03 +00:00
feat: remove oauth2-proxy helm chart
@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
# Common VCS dirs
# Common backup files
# Various IDEs
@ -1,19 +0,0 @@
name: oauth2-proxy
version: 5.0.7
apiVersion: v1
appVersion: 7.1.3
home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/oauth2-proxy
description: A reverse proxy that provides authentication with Google, Github or other providers
icon: https://avatars.githubusercontent.com/u/62798169?s=200&v=4
- kubernetes
- oauth
- oauth2
- authentication
- google
- github
- https://github.com/oauth2-proxy/oauth2-proxy
engine: gotpl
kubeVersion: ">=1.9.0-0"
deprecated: true
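Review bot: `deprecated: true` on the last line of this hunk is the only signal users of the published 5.0.7 package get that the chart is going away, and the hunk also drops `home:`, the one URL that told them where the source lived; since this removes a deprecated chart rather than adding a feature, the `feat:` type in the commit message does not describe what the hunk does (`chore:` or `refactor:` is the usual Conventional Commits type for a removal). Consider adding a pointer to the replacement chart in the final published README or the repository's deprecation list before the source disappears.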
@ -1,256 +0,0 @@
# oauth2-proxy
![Version: 5.0.7](https://img.shields.io/badge/Version-5.0.7-informational?style=flat-square) ![AppVersion: 7.1.3](https://img.shields.io/badge/AppVersion-7.1.3-informational?style=flat-square)
A reverse proxy that provides authentication with Google, Github or other providers
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
## Source Code
* <https://github.com/oauth2-proxy/oauth2-proxy>
## Requirements
Kubernetes: `>=1.9.0-0`
## Dependencies
| Repository | Name | Version |
## TL;DR
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
helm install oauth2-proxy k8s-at-home/oauth2-proxy
## Installing the Chart
To install the chart with the release name `oauth2-proxy`
helm install oauth2-proxy k8s-at-home/oauth2-proxy
## Uninstalling the Chart
To uninstall the `oauth2-proxy` deployment
helm uninstall oauth2-proxy
The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
## Configuration
Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
helm install oauth2-proxy \
--set env.TZ="America/New York" \
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
helm install oauth2-proxy k8s-at-home/oauth2-proxy -f values.yaml
## Custom configuration
### SSL Configuration
See: [SSL Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
Use ```values.yaml``` like:
tls-cert: /path/to/cert.pem
tls-key: /path/to/cert.key
- name: ssl-cert
secretName: my-ssl-secret
- mountPath: /path/to/
name: ssl-cert
With a secret called `my-ssl-secret`:
cert.pem: AB..==
cert.key: CD..==
## Values
**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common)
| Key | Type | Default | Description |
| affinity | object | `{}` | node/pod affinities Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| authenticatedEmailsFile.enabled | bool | `false` | Enables authorize individual email addresses |
| authenticatedEmailsFile.restricted_access | string | `""` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config |
| authenticatedEmailsFile.template | string | `""` | Name of the configmap that is handled outside of that chart It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. Be aware the value name in the extern config map in data needs to be named to "restricted_user_access". One email per line example: restricted_access: |- name1@domain name2@domain If you override the config with restricted_access it will configure a user list within this chart what takes care of the config map resource. |
| config.clientID | string | `"XXXXXXX"` | OAuth client ID |
| config.clientSecret | string | `"XXXXXXXX"` | OAuth client secret |
| config.configFile | string | `"email_domains = [ \"*\" ]\nupstreams = [ \"file:///dev/null\" ]"` | google service account json contents serviceAccountJson: xxxx -- Alternatively, use an existing secret (see google-secret.yaml for required fields) existingSecret: google-secret -- custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line |
| config.cookieSecret | string | `"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64` |
| config.existingConfig | string | `nil` | xisting Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values |
| config.google | object | `{}` | |
| extraArgs | object | `{}` | key:value list of extra arguments to give the binary |
| extraEnv | list | `[]` | key:value list of extra environment variables to give the binary |
| extraVolumeMounts | list | `[]` | list of extra volumeMounts |
| extraVolumes | list | `[]` | list of extra volumes |
| htpasswdFile.enabled | bool | `false` | enable htpasswd-file option |
| htpasswdFile.entries | object | `{}` | list of [SHA encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration#command-line-options) |
| htpasswdFile.existingSecret | string | `""` | existing Kubernetes secret to use for OAuth2 htpasswd file |
| httpScheme | string | `"http"` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"quay.io/oauth2-proxy/oauth2-proxy"` | Image repository |
| image.tag | string | `"v7.1.3"` | Image tag |
| imagePullSecrets | list | `nil` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod |
| ingress.annotations | object | `{}` | Ingress annotations |
| ingress.enabled | bool | `false` | Enable Ingress |
| ingress.extraPaths | list | `[]` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). |
| ingress.hosts | list | `[]` | Ingress accepted hostnames |
| ingress.ingressClassName | string | `nil` | Set ingressClassName |
| ingress.path | string | `"/"` | Ingress accepted path |
| ingress.tls | list | `nil` | Ingress TLS configuration |
| initContainers | list | `[]` | Configure init containers for pod Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
| livenessProbe | object | `{"enabled":true,"initialDelaySeconds":0,"timeoutSeconds":1}` | Configure Kubernetes liveness probes. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks |
| nodeSelector | object | `{}` | Node labels for pod assignment Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
| podAnnotations | object | `{}` | annotations to add to each pod |
| podDisruptionBudget | object | `{"enabled":true,"minAvailable":1}` | PodDisruptionBudget settings Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | `{}` | labels to add to each pod |
| podSecurityContext | object | `{}` | |
| priorityClassName | string | `""` | |
| proxyVarsAsSecrets | bool | `true` | |
| readinessProbe | object | `{"enabled":true,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Configure Kubernetes readiness probes. |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| securityContext | object | `{"enabled":false,"runAsNonRoot":true}` | Configure Kubernetes security context for container Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| service.annotations | object | `{}` | Service annotations for the GUI |
| service.loadBalancerIP | string | `nil` | Loadbalance IP for the GUI |
| service.loadBalancerSourceRanges | list | `nil` | List of IP CIDRs allowed access to load balancer (if supported) |
| service.port | int | `80` | Kubernetes port where the GUI is exposed |
| service.type | string | `"ClusterIP"` | Kubernetes service type for the GUI |
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.enabled | bool | `true` | |
| serviceAccount.name | string | `nil` | |
| tolerations | list | `[]` | Tolerations for pod assignment Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
| topologySpreadConstraints | object | `{"enabled":false,"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}` | Configure Pod Topology Spread Constraints See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Requires Kubernetes >= v1.16 |
## Changelog
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [1.0.0]
#### Changed
- This version upgrade oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
### [2.0.0]
#### Changed
- support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade`of this chart from versions earlier than 2.0.0.
### [3.0.0]
#### Changed
- support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`
### [4.0.0]
#### Changed
- This is a breaking change as the chart was moved to k8s-at-home. No other change on top of the 3.x.x branch.
### [5.0.0]
#### Changed
- Not many breaking changes. See the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0) for oauth2-proxy, specifically the section "Breaking Changes" for a few configuration changes, particularly to do with the Azure provider.
### [5.0.1]
#### Added
- N/A
#### Changed
- Use helm-docs
#### Removed
- N/A
### [5.0.4]
#### Added
- Added icon url.
#### Changed
- N/A
#### Removed
- N/A
### [5.0.5]
#### Fixed
- Update oauth2-proxy website URLs.
### [5.0.6]
#### Added
- N/A
#### Changed
- This version upgrade oauth2-proxy to 7.1.3. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v7.1.3/CHANGELOG.md) in order to upgrade.
#### Removed
- N/A
[5.0.4]: #5.0.4
[5.0.1]: #5.0.1
## Support
- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
- Join our [Discord](https://discord.gg/sTMX7Vh) community
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
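Review bot: the changelog in this hunk stops at `### [5.0.6]` while the version badge at the top of the file says 5.0.7, so the deprecation that justifies this deletion was never recorded in the chart's own changelog; the last published README should carry a 5.0.7 entry saying the chart is deprecated and where to migrate. Two rows of the values table are worth a line in that entry because they are security-relevant: `config.clientID`, `config.clientSecret` and `config.cookieSecret` default to placeholder strings, so a stock install renders a Secret with a fixed, publicly known cookie secret, and `securityContext` defaults to `{"enabled":false,"runAsNonRoot":true}`, meaning `runAsNonRoot` is not applied unless the user flips `enabled`. There is also a typo in the `config.existingConfig` row (`xisting`), moot once the file is deleted.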
@ -1,146 +0,0 @@
{{- define "custom.repository.organization" -}}
{{- end -}}
{{- define "custom.repository.url" -}}
{{- end -}}
{{- define "custom.helm.url" -}}
{{- end -}}
{{- define "custom.helm.path" -}}
{{ template "custom.repository.organization" . }}/{{ template "chart.name" . }}
{{- end -}}
{{- define "custom.notes" -}}
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
{{- end -}}
{{- define "custom.requirements" -}}
## Requirements
{{ template "chart.kubeVersionLine" . }}
{{- end -}}
{{- define "custom.dependencies" -}}
## Dependencies
{{ template "chart.requirementsTable" . }}
{{- end -}}
{{- define "custom.install.tldr" -}}
## TL;DR
helm repo add {{ template "custom.repository.organization" . }} {{ template "custom.helm.url" . }}
helm repo update
helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }}
{{- end -}}
{{- define "custom.install" -}}
## Installing the Chart
To install the chart with the release name `{{ template "chart.name" . }}`
helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }}
{{- end -}}
{{- define "custom.uninstall" -}}
## Uninstalling the Chart
To uninstall the `{{ template "chart.name" . }}` deployment
helm uninstall {{ template "chart.name" . }}
The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
{{- end -}}
{{- define "custom.configuration.header" -}}
## Configuration
{{- end -}}
{{- define "custom.configuration.readValues" -}}
Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common).
{{- end -}}
{{- define "custom.configuration.example.set" -}}
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
helm install {{ template "chart.name" . }} \
--set env.TZ="America/New York" \
{{ template "custom.helm.path" . }}
{{- end -}}
{{- define "custom.configuration.example.file" -}}
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }} -f values.yaml
{{- end -}}
{{- define "custom.valuesSection" -}}
## Values
**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common)
{{ template "chart.valuesTable" . }}
{{- end -}}
{{- define "custom.support" -}}
## Support
- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
- Join our [Discord](https://discord.gg/sTMX7Vh) community
{{- end -}}
{{ template "chart.header" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "custom.notes" . }}
{{ template "chart.sourcesSection" . }}
{{ template "custom.requirements" . }}
{{ template "custom.dependencies" . }}
{{ template "custom.install.tldr" . }}
{{ template "custom.install" . }}
{{ template "custom.uninstall" . }}
{{ template "custom.configuration.header" . }}
{{ template "custom.configuration.readValues" . }}
{{ template "custom.configuration.example.set" . }}
{{ template "custom.configuration.example.file" . }}
{{ template "custom.custom.configuration" . }}
{{ template "custom.valuesSection" . }}
{{ template "custom.changelog" . }}
{{ template "custom.support" . }}
{{ template "helm-docs.versionFooter" . }}
{{ "" }}
@ -1,94 +0,0 @@
{{- define "custom.changelog.header" -}}
## Changelog
{{- end -}}
{{- define "custom.changelog" -}}
{{ template "custom.changelog.header" . }}
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [1.0.0]
#### Changed
- This version upgrade oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
### [2.0.0]
#### Changed
- support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade`of this chart from versions earlier than 2.0.0.
### [3.0.0]
#### Changed
- support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`
### [4.0.0]
#### Changed
- This is a breaking change as the chart was moved to k8s-at-home. No other change on top of the 3.x.x branch.
### [5.0.0]
#### Changed
- Not many breaking changes. See the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0) for oauth2-proxy, specifically the section "Breaking Changes" for a few configuration changes, particularly to do with the Azure provider.
### [5.0.1]
#### Added
- N/A
#### Changed
- Use helm-docs
#### Removed
- N/A
### [5.0.4]
#### Added
- Added icon url.
#### Changed
- N/A
#### Removed
- N/A
### [5.0.5]
#### Fixed
- Update oauth2-proxy website URLs.
### [5.0.6]
#### Added
- N/A
#### Changed
- This version upgrade oauth2-proxy to 7.1.3. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v7.1.3/CHANGELOG.md) in order to upgrade.
#### Removed
- N/A
[5.0.4]: #5.0.4
[5.0.1]: #5.0.1
{{- end -}}
@ -1,38 +0,0 @@
{{- define "custom.custom.configuration.header" -}}
## Custom configuration
{{- end -}}
{{- define "custom.custom.configuration" -}}
{{ template "custom.custom.configuration.header" . }}
### SSL Configuration
See: [SSL Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
Use ```values.yaml``` like:
tls-cert: /path/to/cert.pem
tls-key: /path/to/cert.key
- name: ssl-cert
secretName: my-ssl-secret
- mountPath: /path/to/
name: ssl-cert
With a secret called `my-ssl-secret`:
cert.pem: AB..==
cert.key: CD..==
{{- end -}}
@ -1 +0,0 @@
# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
@ -1,6 +0,0 @@
- path: /*
serviceName: ssl-redirect
servicePort: use-annotation
@ -1 +0,0 @@
replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1
@ -1,4 +0,0 @@
# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext
fsGroup: 2000
@ -1 +0,0 @@
# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
@ -1,2 +0,0 @@
# Will trigger creation of pdb
replicaCount: 2
@ -1,3 +0,0 @@
To verify that oauth2-proxy has started, run:
kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.fullname" . }}"
@ -1,54 +0,0 @@
{{/* vim: set filetype=mustache: */}}
Expand the name of the chart.
{{- define "oauth2-proxy.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
{{- define "oauth2-proxy.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
Create chart name and version as used by the chart label.
{{- define "oauth2-proxy.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
Get the secret name.
{{- define "oauth2-proxy.secretName" -}}
{{- if .Values.config.existingSecret -}}
{{- printf "%s" .Values.config.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "oauth2-proxy.fullname" .) -}}
{{- end -}}
{{- end -}}
Create the name of the service account to use
{{- define "oauth2-proxy.serviceAccountName" -}}
{{- if .Values.serviceAccount.enabled -}}
{{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
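Review bot: `oauth2-proxy.secretName` switches on `.Values.config.existingSecret`, but the README values table in this same commit has no `config.existingSecret` row (only `config.existingConfig`), so the supported way to keep the client secret and cookie secret out of `values.yaml` was undocumented; if any of this is salvaged into another chart, document that key next to `htpasswdFile.existingSecret`, which is documented.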
@ -1,15 +0,0 @@
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if .Values.authenticatedEmailsFile.restricted_access }}
apiVersion: v1
kind: ConfigMap
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}-accesslist
restricted_user_access: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
{{- end }}
{{- end }}
@ -1,17 +0,0 @@
{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }}
apiVersion: v1
kind: Secret
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
type: Opaque
users.txt: |-
{{- range $entries := .Values.htpasswdFile.entries }}
{{ $entries }}
{{- end -}}
{{- end }}
@ -1,15 +0,0 @@
{{- if not .Values.config.existingConfig }}
{{- if .Values.config.configFile }}
apiVersion: v1
kind: ConfigMap
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
oauth2_proxy.cfg: {{ .Values.config.configFile | quote }}
{{- end }}
{{- end }}
@ -1,222 +0,0 @@
apiVersion: apps/v1
kind: Deployment
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
replicas: {{ .Values.replicaCount }}
app: {{ template "oauth2-proxy.name" . }}
release: {{ .Release.Name }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
{{- if .Values.htpasswdFile.enabled }}
checksum/htpasswd: {{ include (print $.Template.BasePath "/configmap-htpasswd-file.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
app: {{ template "oauth2-proxy.name" . }}
release: "{{ .Release.Name }}"
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- with .Values.podSecurityContext }}
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
{{- if ne (len .Values.initContainers) 0 }}
{{ toYaml .Values.initContainers | indent 6 }}
{{- end }}
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
- --http-address=
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- --config=/etc/oauth2_proxy/oauth2_proxy.cfg
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if .Values.authenticatedEmailsFile.template }}
- --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
{{- else }}
- --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
{{- end }}
{{- end }}
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- --google-admin-email={{ .adminEmail }}
- --google-service-account-json=/google/service-account.json
{{- end }}
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
{{- end }}
{{- if .Values.proxyVarsAsSecrets }}
name: {{ template "oauth2-proxy.secretName" . }}
key: client-id
name: {{ template "oauth2-proxy.secretName" . }}
key: client-secret
name: {{ template "oauth2-proxy.secretName" . }}
key: cookie-secret
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8 }}
{{- end }}
- containerPort: 4180
name: {{ .Values.httpScheme }}
protocol: TCP
{{- if .Values.livenessProbe.enabled }}
path: /ping
port: {{ .Values.httpScheme }}
scheme: {{ .Values.httpScheme | upper }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
path: /ping
port: {{ .Values.httpScheme }}
scheme: {{ .Values.httpScheme | upper }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
{{- end }}
{{ toYaml .Values.resources | indent 10 }}
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- name: google-secret
mountPath: /google
readOnly: true
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- mountPath: /etc/oauth2_proxy
name: configmain
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
- mountPath: /etc/oauth2-proxy
name: configaccesslist
readOnly: true
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- mountPath: /etc/oauth2_proxy/htpasswd
name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
readOnly: true
{{- end }}
{{- if ne (len .Values.extraVolumeMounts) 0 }}
{{ toYaml .Values.extraVolumeMounts | indent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
{{- end}}
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- name: google-secret
secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}{{ end }}
{{- end }}
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- configMap:
defaultMode: 420
name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
name: configmain
{{- end }}
{{- if ne (len .Values.extraVolumes) 0 }}
{{ toYaml .Values.extraVolumes | indent 6 }}
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
- configMap:
{{- if .Values.authenticatedEmailsFile.template }}
name: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
name: {{ template "oauth2-proxy.fullname" . }}-accesslist
{{- end }}
- key: restricted_user_access
{{- if .Values.authenticatedEmailsFile.template }}
path: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
path: authenticated-emails-list
{{- end }}
name: configaccesslist
{{- end }}
{{- if .Values.imagePullSecrets }}
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion -}}
{{- if .Values.topologySpreadConstraints.enabled }}
- labelSelector:
app: {{ template "oauth2-proxy.name" . }}
release: "{{ .Release.Name }}"
maxSkew: {{ .Values.topologySpreadConstraints.maxSkew }}
topologyKey: {{ .Values.topologySpreadConstraints.topologyKey }}
whenUnsatisfiable: {{ .Values.topologySpreadConstraints.whenUnsatisfiable }}
{{- end }}
{{- end }}
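Review bot: the container securityContext is gated on `.Values.securityContext.enabled` (`{{- if .Values.securityContext.enabled }}` / `runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}`), which the README defaults to `false`, so a stock install runs the proxy with no container-level securityContext at all; the `readOnly: true` present on the access-list and htpasswd mounts is also missing from the config mount (`- mountPath: /etc/oauth2_proxy` / `name: configmain`). Both are fine to drop with the chart, but anyone carrying this Deployment template forward should make `runAsNonRoot: true` unconditional and mark the config mount read-only. Separately, `- --http-address=` shows an empty value as rendered here; please confirm whether the bind address was lost in the diff view or the template really relied on the binary's default.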
@ -1,14 +0,0 @@
{{- if and .Values.config.google (not .Values.config.google.existingSecret) }}
apiVersion: v1
kind: Secret
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}-google
type: Opaque
service-account.json: {{ .serviceAccountJson }}
{{- end -}}
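Review bot: the Secret created here is named `{{ template "oauth2-proxy.fullname" . }}-google`, but the deployment hunk's `google-secret` volume falls back to `{{ template "oauth2-proxy.secretName" $ }}` when `existingSecret` is unset, which resolves to the plain fullname, so the default path mounts the main client-id/cookie Secret at `/google` and `service-account.json` is never present; the two templates need to agree on the `-google` suffix. In the same hunk, `service-account.json: {{ .serviceAccountJson }}` is evaluated against the root context rather than `.Values.config.google`, and unlike `secret.yaml` it is not piped through `b64enc`, so the value must already be base64 for the manifest to be valid; neither point is stated in the README.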
@ -1,46 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "oauth2-proxy.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $ingressPath := .Values.ingress.path -}}
{{- $extraPaths := .Values.ingress.extraPaths -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
{{- with .Values.ingress.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
{{- end }}
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host | quote }}
{{ if $extraPaths }}
{{ toYaml $extraPaths | indent 10 }}
{{- end }}
- path: {{ $ingressPath }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
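Review bot: the apiVersion selection only ever emits `networking.k8s.io/v1beta1` or `extensions/v1beta1`, yet `ingressClassName` is gated on `.Capabilities.APIVersions.Has "networking.k8s.io/v1"`; on a cluster that serves only the v1 API the first branch is false, the fallback is `extensions/v1beta1`, and the API server rejects the render. That inconsistency alone makes `ingress.enabled=true` unusable on current clusters, so removing the chart rather than patching it is reasonable, but say so in the deprecation message so users understand why it stopped working.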
@ -1,17 +0,0 @@
{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
app: {{ template "oauth2-proxy.name" . }}
release: {{ .Release.Name }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
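Review bot: `apiVersion: policy/v1beta1` is hard-coded with no `Capabilities` check, the same generation of API that the ingress template at least tries to avoid; with `podDisruptionBudget.enabled` defaulting to `true`, any install with `replicaCount` above 1 fails on a cluster without that beta API. Another concrete reason to cite in the deprecation notice.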
@ -1,16 +0,0 @@
{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }}
apiVersion: v1
kind: Secret
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
type: Opaque
cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }}
client-secret: {{ .Values.config.clientSecret | b64enc | quote }}
client-id: {{ .Values.config.clientID | b64enc | quote }}
{{- end -}}
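Review bot: the Secret is rendered from `.Values.config.clientID`, `.Values.config.clientSecret` and `.Values.config.cookieSecret` with no `required` guard, so the `"XXXXXXX"`/`"XXXXXXXX"` placeholders from values.yaml are silently base64-encoded into a live Secret when a user forgets to override them; a `required "config.clientSecret must be set" .Values.config.clientSecret` pipeline would have turned that into a render-time failure. `b64enc` is encoding, not encryption: these keys remain readable by anyone with `get secrets` in the namespace, which is the usual reason to prefer the `existingSecret` path that the outer condition already supports.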
@ -1,39 +0,0 @@
apiVersion: v1
kind: Service
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: {{ template "oauth2-proxy.fullname" . }}
{{- if .Values.service.annotations }}
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
type: ClusterIP
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{- else if eq .Values.service.type "LoadBalancer" }}
type: {{ .Values.service.type }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if .Values.service.loadBalancerSourceRanges }}
{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- else }}
type: {{ .Values.service.type }}
{{- end }}
- port: {{ .Values.service.port }}
targetPort: {{ .Values.httpScheme }}
protocol: TCP
name: {{ .Values.httpScheme }}
app: {{ template "oauth2-proxy.name" . }}
release: {{ .Release.Name }}
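Review bot: as the hunk reads, the inner `{{- if .Values.service.clusterIP }}` is never closed before `{{- else if eq .Values.service.type "LoadBalancer" }}`, so the `else if` chains onto the clusterIP test rather than the service-type test and the outer `if` at the top of `spec` has no matching `{{- end }}`; if a `{{ end }}` line was lost when this page was rendered this is a non-issue, otherwise the template would not parse. Separately, `loadBalancerSourceRanges` is the only network restriction this Service offers and it applies only in the LoadBalancer branch; the generic `{{- else }}` branch (for example `NodePort`) exposes the proxy's login endpoint with no source restriction at all.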
@ -1,15 +0,0 @@
{{- if or .Values.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
{{- with .Values.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: {{ template "oauth2-proxy.fullname" . }}
{{- end -}}
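Review bot: `{{- if or .Values.serviceAccount.enabled -}}` applies `or` to a single argument, which is a no-op; `{{- if .Values.serviceAccount.enabled -}}` says the same thing. The values.yaml comment for this block talks about a `name` value and `create is true`, but the template exposes neither a `name` key nor a `create` flag, so the documentation and the template had already drifted apart before this removal.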
@ -1,223 +0,0 @@
# Oauth client configuration specifics
# -- OAuth client ID
clientID: "XXXXXXX"
# -- OAuth client secret
clientSecret: "XXXXXXXX"
# -- server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64`
google: {}
# -- user impersonated by the google service account
# adminEmail: xxxx
# -- google service account json contents
# serviceAccountJson: xxxx
# -- Alternatively, use an existing secret (see google-secret.yaml for required fields)
# existingSecret: google-secret
# -- custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line
configFile: |-
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
# Custom configuration file: oauth2_proxy.cfg
# configFile: |-
# pass_basic_auth = false
# pass_access_token = true
# -- (string)existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values
# -- Image repository
repository: "quay.io/oauth2-proxy/oauth2-proxy"
# -- Image tag
tag: "v7.1.3"
# -- Image pull policy
pullPolicy: "IfNotPresent"
# -- (list) Optionally specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
# - name: myRegistryKeySecretName
# -- key:value list of extra arguments to give the binary
extraArgs: {}
# -- key:value list of extra environment variables to give the binary
extraEnv: []
# To authorize individual email addresses
# That is part of extraArgs but since this needs special treatment we need to do a separate section
# -- Enables authorize individual email addresses
enabled: false
# -- Name of the configmap that is handled outside of that chart
# It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
# Be aware the value name in the extern config map in data needs to be named to "restricted_user_access".
# One email per line
# example:
# restricted_access: |-
# name1@domain
# name2@domain
# If you override the config with restricted_access it will configure a user list within this chart what takes care of the
# config map resource.
template: ""
# -- [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config
restricted_access: ""
# -- Kubernetes service type for the GUI
type: ClusterIP
# -- Kubernetes port where the GUI is exposed
port: 80
# -- Service annotations for the GUI
annotations: {}
# -- (string) Loadbalance IP for the GUI
# -- (list) List of IP CIDRs allowed access to load balancer (if supported)
## Create or use ServiceAccount
## Specifies whether a ServiceAccount should be created
enabled: true
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the fullname template
annotations: {}
# -- Enable Ingress
enabled: false
# -- Ingress accepted path
path: /
# -- Ingress accepted hostnames
hosts: []
# -- Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
extraPaths: []
# - path: /*
# backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
# -- Ingress annotations
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- (list) Ingress TLS configuration
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# -- (string) Set ingressClassName
resources: {}
# limits:
# cpu: 100m
# memory: 300Mi
# requests:
# cpu: 100m
# memory: 300Mi
# -- list of extra volumes
extraVolumes: []
# - name: ca-bundle-cert
# secret:
# secretName: <secret-name>
# -- list of extra volumeMounts
extraVolumeMounts: []
# - mountPath: /etc/ssl/certs/
# name: ca-bundle-cert
priorityClassName: ""
# -- node/pod affinities
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# -- Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# -- Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
proxyVarsAsSecrets: true
# -- Configure Kubernetes liveness probes.
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
enabled: true
initialDelaySeconds: 0
timeoutSeconds: 1
# -- Configure Kubernetes readiness probes.
enabled: true
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
# -- Configure Kubernetes security context for container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
enabled: false
runAsNonRoot: true
# -- annotations to add to each pod
podAnnotations: {}
# -- labels to add to each pod
podLabels: {}
replicaCount: 1
# -- PodDisruptionBudget settings
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
enabled: true
minAvailable: 1
# Configure Kubernetes security context for pod
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
# -- Configure init containers for pod
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# -- `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service.
httpScheme: http
# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
# Alternatively supply an existing secret which contains the required information.
# -- enable htpasswd-file option
enabled: false
# -- existing Kubernetes secret to use for OAuth2 htpasswd file
existingSecret: ""
# -- list of [SHA encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration#command-line-options)
entries: {}
# One row for each user
# example:
# entries:
# - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
# -- Configure Pod Topology Spread Constraints
# See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# Requires Kubernetes >= v1.16
enabled: false
maxSkew: 1
# See https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
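Review bot: two defaults in this values file are worth flagging for anyone who forked the chart before it was removed. `configFile` ships `email_domains = [ "*" ]`, which accepts any account the identity provider will authenticate rather than a specific domain, and the container `securityContext` block is `enabled: false` by default, so `runAsNonRoot: true` is never actually applied. The `clientID`/`clientSecret` placeholders (`"XXXXXXX"`) have no `required` guard behind them, and the htpasswd comment's "SHA encryption" (`htpasswd -s`) is unsalted SHA-1 hashing, not encryption, so a leaked entries list is cheap to crack; the `existingSecret` keys are the safer route for both.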