feat: remove oauth2-proxy helm chart

Devin Buhl 2021-08-23 07:42:55 -04:00
parent 18d106d278
commit 4e258501c8
No known key found for this signature in database
GPG Key ID: 77149AC618D714D6
25 changed files with 0 additions and 1287 deletions

View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
OWNERS

View File

@ -1,19 +0,0 @@
name: oauth2-proxy
version: 5.0.7
apiVersion: v1
appVersion: 7.1.3
home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/oauth2-proxy
description: A reverse proxy that provides authentication with Google, Github or other providers
icon: https://avatars.githubusercontent.com/u/62798169?s=200&v=4
keywords:
- kubernetes
- oauth
- oauth2
- authentication
- google
- github
sources:
- https://github.com/oauth2-proxy/oauth2-proxy
engine: gotpl
kubeVersion: ">=1.9.0-0"
deprecated: true
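Review bot: `deprecated: true` is already set in Chart.yaml, so deleting the chart is consistent with its own metadata, but nothing in this file points users of 5.0.7 at a replacement; a last README revision or the commit message should say where to migrate. The `feat:` prefix on the commit message is also a mismatch for a pure deletion (`0 additions and 1287 deletions`); `chore:` or `refactor:` would describe it better.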

View File

@ -1,256 +0,0 @@
# oauth2-proxy
![Version: 5.0.7](https://img.shields.io/badge/Version-5.0.7-informational?style=flat-square) ![AppVersion: 7.1.3](https://img.shields.io/badge/AppVersion-7.1.3-informational?style=flat-square)
A reverse proxy that provides authentication with Google, Github or other providers
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
## Source Code
* <https://github.com/oauth2-proxy/oauth2-proxy>
## Requirements
Kubernetes: `>=1.9.0-0`
## Dependencies
| Repository | Name | Version |
|------------|------|---------|
## TL;DR
```console
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
helm install oauth2-proxy k8s-at-home/oauth2-proxy
```
## Installing the Chart
To install the chart with the release name `oauth2-proxy`
```console
helm install oauth2-proxy k8s-at-home/oauth2-proxy
```
## Uninstalling the Chart
To uninstall the `oauth2-proxy` deployment
```console
helm uninstall oauth2-proxy
```
The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
## Configuration
Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```console
helm install oauth2-proxy \
--set env.TZ="America/New York" \
k8s-at-home/oauth2-proxy
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```console
helm install oauth2-proxy k8s-at-home/oauth2-proxy -f values.yaml
```
## Custom configuration
### SSL Configuration
See: [SSL Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
Use ```values.yaml``` like:
```yaml
...
extraArgs:
tls-cert: /path/to/cert.pem
tls-key: /path/to/cert.key
extraVolumes:
- name: ssl-cert
secret:
secretName: my-ssl-secret
extraVolumeMounts:
- mountPath: /path/to/
name: ssl-cert
...
```
With a secret called `my-ssl-secret`:
```yaml
...
data:
cert.pem: AB..==
cert.key: CD..==
```
## Values
**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | node/pod affinities Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| authenticatedEmailsFile.enabled | bool | `false` | Enables authorize individual email addresses |
| authenticatedEmailsFile.restricted_access | string | `""` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config |
| authenticatedEmailsFile.template | string | `""` | Name of the configmap that is handled outside of that chart It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. Be aware the value name in the extern config map in data needs to be named to "restricted_user_access". One email per line example: restricted_access: |- name1@domain name2@domain If you override the config with restricted_access it will configure a user list within this chart what takes care of the config map resource. |
| config.clientID | string | `"XXXXXXX"` | OAuth client ID |
| config.clientSecret | string | `"XXXXXXXX"` | OAuth client secret |
| config.configFile | string | `"email_domains = [ \"*\" ]\nupstreams = [ \"file:///dev/null\" ]"` | google service account json contents serviceAccountJson: xxxx -- Alternatively, use an existing secret (see google-secret.yaml for required fields) existingSecret: google-secret -- custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line |
| config.cookieSecret | string | `"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64` |
| config.existingConfig | string | `nil` | xisting Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values |
| config.google | object | `{}` | |
| extraArgs | object | `{}` | key:value list of extra arguments to give the binary |
| extraEnv | list | `[]` | key:value list of extra environment variables to give the binary |
| extraVolumeMounts | list | `[]` | list of extra volumeMounts |
| extraVolumes | list | `[]` | list of extra volumes |
| htpasswdFile.enabled | bool | `false` | enable htpasswd-file option |
| htpasswdFile.entries | object | `{}` | list of [SHA encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration#command-line-options) |
| htpasswdFile.existingSecret | string | `""` | existing Kubernetes secret to use for OAuth2 htpasswd file |
| httpScheme | string | `"http"` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.repository | string | `"quay.io/oauth2-proxy/oauth2-proxy"` | Image repository |
| image.tag | string | `"v7.1.3"` | Image tag |
| imagePullSecrets | list | `nil` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod |
| ingress.annotations | object | `{}` | Ingress annotations |
| ingress.enabled | bool | `false` | Enable Ingress |
| ingress.extraPaths | list | `[]` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). |
| ingress.hosts | list | `[]` | Ingress accepted hostnames |
| ingress.ingressClassName | string | `nil` | Set ingressClassName |
| ingress.path | string | `"/"` | Ingress accepted path |
| ingress.tls | list | `nil` | Ingress TLS configuration |
| initContainers | list | `[]` | Configure init containers for pod Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
| livenessProbe | object | `{"enabled":true,"initialDelaySeconds":0,"timeoutSeconds":1}` | Configure Kubernetes liveness probes. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks |
| nodeSelector | object | `{}` | Node labels for pod assignment Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
| podAnnotations | object | `{}` | annotations to add to each pod |
| podDisruptionBudget | object | `{"enabled":true,"minAvailable":1}` | PodDisruptionBudget settings Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | `{}` | labels to add to each pod |
| podSecurityContext | object | `{}` | |
| priorityClassName | string | `""` | |
| proxyVarsAsSecrets | bool | `true` | |
| readinessProbe | object | `{"enabled":true,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Configure Kubernetes readiness probes. |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| securityContext | object | `{"enabled":false,"runAsNonRoot":true}` | Configure Kubernetes security context for container Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| service.annotations | object | `{}` | Service annotations for the GUI |
| service.loadBalancerIP | string | `nil` | Loadbalance IP for the GUI |
| service.loadBalancerSourceRanges | list | `nil` | List of IP CIDRs allowed access to load balancer (if supported) |
| service.port | int | `80` | Kubernetes port where the GUI is exposed |
| service.type | string | `"ClusterIP"` | Kubernetes service type for the GUI |
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.enabled | bool | `true` | |
| serviceAccount.name | string | `nil` | |
| tolerations | list | `[]` | Tolerations for pod assignment Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
| topologySpreadConstraints | object | `{"enabled":false,"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}` | Configure Pod Topology Spread Constraints See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Requires Kubernetes >= v1.16 |
## Changelog
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [1.0.0]
#### Changed
- This version upgrade oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
### [2.0.0]
#### Changed
- support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade`of this chart from versions earlier than 2.0.0.
### [3.0.0]
#### Changed
- support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`
### [4.0.0]
#### Changed
- This is a breaking change as the chart was moved to k8s-at-home. No other change on top of the 3.x.x branch.
### [5.0.0]
#### Changed
- Not many breaking changes. See the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0) for oauth2-proxy, specifically the section "Breaking Changes" for a few configuration changes, particularly to do with the Azure provider.
### [5.0.1]
#### Added
- N/A
#### Changed
- Use helm-docs
#### Removed
- N/A
### [5.0.4]
#### Added
- Added icon url.
#### Changed
- N/A
#### Removed
- N/A
### [5.0.5]
#### Fixed
- Update oauth2-proxy website URLs.
### [5.0.6]
#### Added
- N/A
#### Changed
- This version upgrade oauth2-proxy to 7.1.3. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v7.1.3/CHANGELOG.md) in order to upgrade.
#### Removed
- N/A
[5.0.4]: #5.0.4
[5.0.1]: #5.0.1
## Support
- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
- Join our [Discord](https://discord.gg/sTMX7Vh) community
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
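Review bot: the version badge reads 5.0.7 while the last Changelog section is `[5.0.6]`, and the README carries no deprecation or removal notice even though Chart.yaml marks the chart deprecated; the TL;DR still tells users to `helm install oauth2-proxy k8s-at-home/oauth2-proxy`, which will stop resolving once this commit lands. Before removal, consider a final 5.0.7 changelog entry stating the chart is removed and naming the replacement.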

View File

@ -1,146 +0,0 @@
{{- define "custom.repository.organization" -}}
k8s-at-home
{{- end -}}
{{- define "custom.repository.url" -}}
https://github.com/k8s-at-home/charts
{{- end -}}
{{- define "custom.helm.url" -}}
https://k8s-at-home.com/charts/
{{- end -}}
{{- define "custom.helm.path" -}}
{{ template "custom.repository.organization" . }}/{{ template "chart.name" . }}
{{- end -}}
{{- define "custom.notes" -}}
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
{{- end -}}
{{- define "custom.requirements" -}}
## Requirements
{{ template "chart.kubeVersionLine" . }}
{{- end -}}
{{- define "custom.dependencies" -}}
## Dependencies
{{ template "chart.requirementsTable" . }}
{{- end -}}
{{- define "custom.install.tldr" -}}
## TL;DR
```console
helm repo add {{ template "custom.repository.organization" . }} {{ template "custom.helm.url" . }}
helm repo update
helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }}
```
{{- end -}}
{{- define "custom.install" -}}
## Installing the Chart
To install the chart with the release name `{{ template "chart.name" . }}`
```console
helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }}
```
{{- end -}}
{{- define "custom.uninstall" -}}
## Uninstalling the Chart
To uninstall the `{{ template "chart.name" . }}` deployment
```console
helm uninstall {{ template "chart.name" . }}
```
The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
{{- end -}}
{{- define "custom.configuration.header" -}}
## Configuration
{{- end -}}
{{- define "custom.configuration.readValues" -}}
Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common).
{{- end -}}
{{- define "custom.configuration.example.set" -}}
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```console
helm install {{ template "chart.name" . }} \
--set env.TZ="America/New York" \
{{ template "custom.helm.path" . }}
```
{{- end -}}
{{- define "custom.configuration.example.file" -}}
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```console
helm install {{ template "chart.name" . }} {{ template "custom.helm.path" . }} -f values.yaml
```
{{- end -}}
{{- define "custom.valuesSection" -}}
## Values
**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common)
{{ template "chart.valuesTable" . }}
{{- end -}}
{{- define "custom.support" -}}
## Support
- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
- Join our [Discord](https://discord.gg/sTMX7Vh) community
{{- end -}}
{{ template "chart.header" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "custom.notes" . }}
{{ template "chart.sourcesSection" . }}
{{ template "custom.requirements" . }}
{{ template "custom.dependencies" . }}
{{ template "custom.install.tldr" . }}
{{ template "custom.install" . }}
{{ template "custom.uninstall" . }}
{{ template "custom.configuration.header" . }}
{{ template "custom.configuration.readValues" . }}
{{ template "custom.configuration.example.set" . }}
{{ template "custom.configuration.example.file" . }}
{{ template "custom.custom.configuration" . }}
{{ template "custom.valuesSection" . }}
{{ template "custom.changelog" . }}
{{ template "custom.support" . }}
{{ template "helm-docs.versionFooter" . }}
{{ "" }}

View File

@ -1,94 +0,0 @@
{{- define "custom.changelog.header" -}}
## Changelog
{{- end -}}
{{- define "custom.changelog" -}}
{{ template "custom.changelog.header" . }}
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [1.0.0]
#### Changed
- This version upgrade oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
### [2.0.0]
#### Changed
- support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade`of this chart from versions earlier than 2.0.0.
### [3.0.0]
#### Changed
- support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`
### [4.0.0]
#### Changed
- This is a breaking change as the chart was moved to k8s-at-home. No other change on top of the 3.x.x branch.
### [5.0.0]
#### Changed
- Not many breaking changes. See the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.0.0) for oauth2-proxy, specifically the section "Breaking Changes" for a few configuration changes, particularly to do with the Azure provider.
### [5.0.1]
#### Added
- N/A
#### Changed
- Use helm-docs
#### Removed
- N/A
### [5.0.4]
#### Added
- Added icon url.
#### Changed
- N/A
#### Removed
- N/A
### [5.0.5]
#### Fixed
- Update oauth2-proxy website URLs.
### [5.0.6]
#### Added
- N/A
#### Changed
- This version upgrade oauth2-proxy to 7.1.3. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v7.1.3/CHANGELOG.md) in order to upgrade.
#### Removed
- N/A
[5.0.4]: #5.0.4
[5.0.1]: #5.0.1
{{- end -}}

View File

@ -1,38 +0,0 @@
{{- define "custom.custom.configuration.header" -}}
## Custom configuration
{{- end -}}
{{- define "custom.custom.configuration" -}}
{{ template "custom.custom.configuration.header" . }}
### SSL Configuration
See: [SSL Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
Use ```values.yaml``` like:
```yaml
...
extraArgs:
tls-cert: /path/to/cert.pem
tls-key: /path/to/cert.key
extraVolumes:
- name: ssl-cert
secret:
secretName: my-ssl-secret
extraVolumeMounts:
- mountPath: /path/to/
name: ssl-cert
...
```
With a secret called `my-ssl-secret`:
```yaml
...
data:
cert.pem: AB..==
cert.key: CD..==
```
{{- end -}}

View File

@ -1 +0,0 @@
# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.

View File

@ -1,6 +0,0 @@
ingress:
extraPaths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation

View File

@ -1 +0,0 @@
replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1

View File

@ -1,4 +0,0 @@
# Allocate a FSGroup that owns the pods volumes via podSecurityContext
---
podSecurityContext:
fsGroup: 2000

View File

@ -1 +0,0 @@
# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.

View File

@ -1,2 +0,0 @@
# Will trigger creation of pdb
replicaCount: 2

View File

@ -1,3 +0,0 @@
To verify that oauth2-proxy has started, run:
kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.fullname" . }}"

View File

@ -1,54 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "oauth2-proxy.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "oauth2-proxy.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "oauth2-proxy.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Get the secret name.
*/}}
{{- define "oauth2-proxy.secretName" -}}
{{- if .Values.config.existingSecret -}}
{{- printf "%s" .Values.config.existingSecret -}}
{{- else -}}
{{- printf "%s" (include "oauth2-proxy.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "oauth2-proxy.serviceAccountName" -}}
{{- if .Values.serviceAccount.enabled -}}
{{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

View File

@ -1,15 +0,0 @@
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if .Values.authenticatedEmailsFile.restricted_access }}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}-accesslist
data:
restricted_user_access: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
{{- end }}
{{- end }}

View File

@ -1,17 +0,0 @@
{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
type: Opaque
stringData:
users.txt: |-
{{- range $entries := .Values.htpasswdFile.entries }}
{{ $entries }}
{{- end -}}
{{- end }}

View File

@ -1,15 +0,0 @@
{{- if not .Values.config.existingConfig }}
{{- if .Values.config.configFile }}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
data:
oauth2_proxy.cfg: {{ .Values.config.configFile | quote }}
{{- end }}
{{- end }}

View File

@ -1,222 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "oauth2-proxy.name" . }}
release: {{ .Release.Name }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
{{- if .Values.htpasswdFile.enabled }}
checksum/htpasswd: {{ include (print $.Template.BasePath "/configmap-htpasswd-file.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "oauth2-proxy.name" . }}
release: "{{ .Release.Name }}"
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
{{- if ne (len .Values.initContainers) 0 }}
initContainers:
{{ toYaml .Values.initContainers | indent 6 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --http-address=0.0.0.0:4180
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- --config=/etc/oauth2_proxy/oauth2_proxy.cfg
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if .Values.authenticatedEmailsFile.template }}
- --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
{{- else }}
- --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
{{- end }}
{{- end }}
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- --google-admin-email={{ .adminEmail }}
- --google-service-account-json=/google/service-account.json
{{- end }}
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
{{- end }}
env:
{{- if .Values.proxyVarsAsSecrets }}
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.secretName" . }}
key: client-id
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.secretName" . }}
key: client-secret
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.secretName" . }}
key: cookie-secret
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8 }}
{{- end }}
ports:
- containerPort: 4180
name: {{ .Values.httpScheme }}
protocol: TCP
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /ping
port: {{ .Values.httpScheme }}
scheme: {{ .Values.httpScheme | upper }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /ping
port: {{ .Values.httpScheme }}
scheme: {{ .Values.httpScheme | upper }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- name: google-secret
mountPath: /google
readOnly: true
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- mountPath: /etc/oauth2_proxy
name: configmain
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
- mountPath: /etc/oauth2-proxy
name: configaccesslist
readOnly: true
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- mountPath: /etc/oauth2_proxy/htpasswd
name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
readOnly: true
{{- end }}
{{- if ne (len .Values.extraVolumeMounts) 0 }}
{{ toYaml .Values.extraVolumeMounts | indent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
{{- end}}
volumes:
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- name: google-secret
secret:
secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}{{ end }}
{{- end }}
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
secret:
secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- configMap:
defaultMode: 420
name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
name: configmain
{{- end }}
{{- if ne (len .Values.extraVolumes) 0 }}
{{ toYaml .Values.extraVolumes | indent 6 }}
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
- configMap:
{{- if .Values.authenticatedEmailsFile.template }}
name: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
name: {{ template "oauth2-proxy.fullname" . }}-accesslist
{{- end }}
items:
- key: restricted_user_access
{{- if .Values.authenticatedEmailsFile.template }}
path: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
path: authenticated-emails-list
{{- end }}
name: configaccesslist
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.GitVersion -}}
{{- if .Values.topologySpreadConstraints.enabled }}
topologySpreadConstraints:
- labelSelector:
matchLabels:
app: {{ template "oauth2-proxy.name" . }}
release: "{{ .Release.Name }}"
maxSkew: {{ .Values.topologySpreadConstraints.maxSkew }}
topologyKey: {{ .Values.topologySpreadConstraints.topologyKey }}
whenUnsatisfiable: {{ .Values.topologySpreadConstraints.whenUnsatisfiable }}
{{- end }}
{{- end }}
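Review bot: the container `securityContext` (`runAsNonRoot`) is only emitted when `.Values.securityContext.enabled` is true, which the README values table defaults to `false`, so the default render has no container-level security context at all; if the chart is resurrected elsewhere, default that block on. The `checksum/htpasswd` annotation also names `/configmap-htpasswd-file.yaml` although that template renders a `kind: Secret`, which is harmless but misleading.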

View File

@ -1,14 +0,0 @@
{{- if and .Values.config.google (not .Values.config.google.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}-google
type: Opaque
data:
service-account.json: {{ .serviceAccountJson }}
{{- end -}}
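Review bot: `service-account.json: {{ .serviceAccountJson }}` reads the field from the root context instead of `.Values.config.google.serviceAccountJson`, so it always renders empty, and the value is not base64-encoded even though it sits under `data:`, which the API server rejects for a `v1/Secret`. The working form is `service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }}`. Worth recording since this template was effectively never functional for the inline-JSON path.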

@ -1,46 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "oauth2-proxy.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $ingressPath := .Values.ingress.path -}}
{{- $extraPaths := .Values.ingress.extraPaths -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
{{- end }}
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host | quote }}
http:
paths:
{{ if $extraPaths }}
{{ toYaml $extraPaths | indent 10 }}
{{- end }}
- path: {{ $ingressPath }}
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
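Review bot: The apiVersion guard only checks for `networking.k8s.io/v1beta1` and otherwise falls back to `extensions/v1beta1`, while the backend is always written as `serviceName`/`servicePort`; on clusters that serve only `networking.k8s.io/v1` (both beta Ingress APIs were removed in Kubernetes 1.22) the rendered object is rejected. The `ingressClassName` block checks for v1 separately, so the two guards disagree with each other. A v1 Ingress needs `backend.service.name`, `backend.service.port.number` and a `pathType` on every path.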

@ -1,17 +0,0 @@
{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
spec:
selector:
matchLabels:
app: {{ template "oauth2-proxy.name" . }}
release: {{ .Release.Name }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
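Review bot: `policy/v1beta1` for PodDisruptionBudget is deprecated since Kubernetes 1.21 and removed in 1.25; `policy/v1` is the replacement. The `gt (.Values.replicaCount | int) 1` guard is correct as written: with the default `replicaCount: 1` no PDB is rendered even though `podDisruptionBudget.enabled` defaults to true, which avoids a `minAvailable: 1` budget on a single replica that would block node drains.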

@ -1,16 +0,0 @@
{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }}
apiVersion: v1
kind: Secret
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "oauth2-proxy.fullname" . }}
type: Opaque
data:
cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }}
client-secret: {{ .Values.config.clientSecret | b64enc | quote }}
client-id: {{ .Values.config.clientID | b64enc | quote }}
{{- end -}}
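Review bot: The three `data:` entries take `config.clientID`, `config.clientSecret` and `config.cookieSecret` straight from values with no `required` check, so an install with the shipped placeholder values renders a Secret holding `XXXXXXX` credentials instead of failing at template time. Wrapping each value, e.g. `cookie-secret: {{ required "config.cookieSecret must be set" .Values.config.cookieSecret | b64enc | quote }}`, surfaces the mistake before anything is deployed.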

@ -1,39 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: {{ template "oauth2-proxy.fullname" . }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
type: ClusterIP
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{end}}
{{- else if eq .Values.service.type "LoadBalancer" }}
type: {{ .Values.service.type }}
{{- if .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
{{- end -}}
{{- else }}
type: {{ .Values.service.type }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.httpScheme }}
protocol: TCP
name: {{ .Values.httpScheme }}
selector:
app: {{ template "oauth2-proxy.name" . }}
release: {{ .Release.Name }}
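Review bot: `{{end}}` after the `clusterIP` block lacks the `-` whitespace trim that every other directive in this template uses, so it leaves a stray blank line in the rendered manifest whenever `service.type` is `ClusterIP`; `{{- end }}` matches the surrounding style.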

@ -1,15 +0,0 @@
{{- if or .Values.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
app: {{ template "oauth2-proxy.name" . }}
chart: {{ template "oauth2-proxy.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
name: {{ template "oauth2-proxy.fullname" . }}
{{- end -}}
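Review bot: `{{- if or .Values.serviceAccount.enabled -}}` applies `or` to a single operand, which is a no-op; `{{- if .Values.serviceAccount.enabled -}}` says what is meant. Separately, `serviceAccount.name` is exposed in values.yaml but never consulted here: the ServiceAccount is always named by the fullname template, so the documented name override does nothing.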

@ -1,223 +0,0 @@
# Oauth client configuration specifics
config:
# -- OAuth client ID
clientID: "XXXXXXX"
# -- OAuth client secret
clientSecret: "XXXXXXXX"
# -- server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64`
cookieSecret: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
google: {}
# -- user impersonated by the google service account
# adminEmail: xxxx
# -- google service account json contents
# serviceAccountJson: xxxx
# -- Alternatively, use an existing secret (see google-secret.yaml for required fields)
# existingSecret: google-secret
# -- custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line
configFile: |-
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
# Custom configuration file: oauth2_proxy.cfg
# configFile: |-
# pass_basic_auth = false
# pass_access_token = true
# -- (string)existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values
existingConfig:
image:
# -- Image repository
repository: "quay.io/oauth2-proxy/oauth2-proxy"
# -- Image tag
tag: "v7.1.3"
# -- Image pull policy
pullPolicy: "IfNotPresent"
# -- (list) Optionally specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
imagePullSecrets:
# - name: myRegistryKeySecretName
# -- key:value list of extra arguments to give the binary
extraArgs: {}
# -- key:value list of extra environment variables to give the binary
extraEnv: []
# To authorize individual email addresses
# That is part of extraArgs but since this needs special treatment we need to do a separate section
authenticatedEmailsFile:
# -- Enables authorize individual email addresses
enabled: false
# -- Name of the configmap that is handled outside of that chart
# It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
# Be aware the value name in the extern config map in data needs to be named to "restricted_user_access".
# One email per line
# example:
# restricted_access: |-
# name1@domain
# name2@domain
# If you override the config with restricted_access it will configure a user list within this chart what takes care of the
# config map resource.
template: ""
# -- [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config
restricted_access: ""
service:
# -- Kubernetes service type for the GUI
type: ClusterIP
# -- Kubernetes port where the GUI is exposed
port: 80
# -- Service annotations for the GUI
annotations: {}
# -- (string) Loadbalance IP for the GUI
loadBalancerIP:
# -- (list) List of IP CIDRs allowed access to load balancer (if supported)
loadBalancerSourceRanges:
## Create or use ServiceAccount
serviceAccount:
## Specifies whether a ServiceAccount should be created
enabled: true
## The name of the ServiceAccount to use.
## If not set and create is true, a name is generated using the fullname template
name:
annotations: {}
ingress:
# -- Enable Ingress
enabled: false
# -- Ingress accepted path
path: /
# -- Ingress accepted hostnames
hosts: []
# -- Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
extraPaths: []
# - path: /*
# backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
# -- Ingress annotations
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- (list) Ingress TLS configuration
tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# -- (string) Set ingressClassName
ingressClassName:
resources: {}
# limits:
# cpu: 100m
# memory: 300Mi
# requests:
# cpu: 100m
# memory: 300Mi
# -- list of extra volumes
extraVolumes: []
# - name: ca-bundle-cert
# secret:
# secretName: <secret-name>
# -- list of extra volumeMounts
extraVolumeMounts: []
# - mountPath: /etc/ssl/certs/
# name: ca-bundle-cert
priorityClassName: ""
# -- node/pod affinities
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# -- Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# -- Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
proxyVarsAsSecrets: true
# -- Configure Kubernetes liveness probes.
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
livenessProbe:
enabled: true
initialDelaySeconds: 0
timeoutSeconds: 1
# -- Configure Kubernetes readiness probes.
readinessProbe:
enabled: true
initialDelaySeconds: 0
timeoutSeconds: 1
periodSeconds: 10
successThreshold: 1
# -- Configure Kubernetes security context for container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
enabled: false
runAsNonRoot: true
# -- annotations to add to each pod
podAnnotations: {}
# -- labels to add to each pod
podLabels: {}
replicaCount: 1
# -- PodDisruptionBudget settings
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: true
minAvailable: 1
# Configure Kubernetes security context for pod
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
# -- Configure init containers for pod
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# -- `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service.
httpScheme: http
# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
# Alternatively supply an existing secret which contains the required information.
htpasswdFile:
# -- enable htpasswd-file option
enabled: false
# -- existing Kubernetes secret to use for OAuth2 htpasswd file
existingSecret: ""
# -- list of [SHA encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration#command-line-options)
entries: {}
# One row for each user
# example:
# entries:
# - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
# -- Configure Pod Topology Spread Constraints
# See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# Requires Kubernetes >= v1.16
topologySpreadConstraints:
enabled: false
maxSkew: 1
# See https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: DoNotSchedule
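Review bot: `securityContext.enabled: false` means the `runAsNonRoot: true` beneath it is never applied by default, so the proxy container runs as whatever user the image defaults to; a chart that fronts authentication should default this to `enabled: true`. Two documentation points in the same hunk: the `authenticatedEmailsFile` comment says the external ConfigMap key must be `restricted_user_access` but the example directly below shows `restricted_access`, and the htpasswd comment recommends `htpasswd -s`, which produces unsalted SHA-1 entries; oauth2-proxy also accepts bcrypt entries (`htpasswd -B`), which is the form to document for passwords that matter.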