From 5475a5ffffbe33a91967069b543f2b6ecef1cae0 Mon Sep 17 00:00:00 2001
From: Markus Reiter
Date: Wed, 9 Feb 2022 19:56:18 +0100
Subject: [PATCH] [traefik-forward-auth] Reuse existing secret. (#1404)

---
 charts/stable/traefik-forward-auth/Chart.yaml | 20 +-
 .../traefik-forward-auth/ci/ct-values.yaml | 11 +-
 .../traefik-forward-auth/templates/NOTES.txt | 22 +-
 .../templates/_helpers.tpl | 63 -----
 .../templates/common.yaml | 29 +++
 .../templates/deployment.yaml | 222 ----------------
 .../traefik-forward-auth/templates/hpa.yaml | 28 --
 .../templates/ingress.yaml | 58 -----
 .../templates/middleware.yaml | 6 +-
 .../templates/secret.yaml | 15 +-
 .../templates/service.yaml | 22 --
 .../templates/serviceaccount.yaml | 12 -
 .../stable/traefik-forward-auth/values.yaml | 241 +++++-------------
 13 files changed, 120 insertions(+), 629 deletions(-)
 delete mode 100644 charts/stable/traefik-forward-auth/templates/_helpers.tpl
 create mode 100644 charts/stable/traefik-forward-auth/templates/common.yaml
 delete mode 100644 charts/stable/traefik-forward-auth/templates/deployment.yaml
 delete mode 100644 charts/stable/traefik-forward-auth/templates/hpa.yaml
 delete mode 100644 charts/stable/traefik-forward-auth/templates/ingress.yaml
 delete mode 100644 charts/stable/traefik-forward-auth/templates/service.yaml
 delete mode 100644 charts/stable/traefik-forward-auth/templates/serviceaccount.yaml
diff --git a/charts/stable/traefik-forward-auth/Chart.yaml b/charts/stable/traefik-forward-auth/Chart.yaml
index 6a40d6e4..10db4772 100644
--- a/charts/stable/traefik-forward-auth/Chart.yaml
+++ b/charts/stable/traefik-forward-auth/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
-name: traefik-forward-auth
-description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer
-type: application
-version: 1.0.10
 appVersion: 2.2.0
+description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer
+name: traefik-forward-auth
+version: 2.0.0
+kubeVersion: ">=1.16.0-0"
 keywords:
 - traefik
 - traefik-forward-auth
@@ -17,3 +17,15 @@ sources:
 maintainers:
 - name: DirtyCajunRice
 email: nick@cajun.pro
+dependencies:
+ - name: common
+ repository: https://library-charts.k8s-at-home.com
+ version: 4.3.0
+annotations:
+ artifacthub.io/changes: |
+ - kind: added
+ description: >
+ **BREAKING** Added `common` chart dependency.
+ This will likely require you to update your chart values.
+ - kind: changed
+ description: Reuse existing secret if present.
diff --git a/charts/stable/traefik-forward-auth/ci/ct-values.yaml b/charts/stable/traefik-forward-auth/ci/ct-values.yaml
index f5f9f2c6..ca728b3f 100644
--- a/charts/stable/traefik-forward-auth/ci/ct-values.yaml
+++ b/charts/stable/traefik-forward-auth/ci/ct-values.yaml
@@ -1,5 +1,6 @@
-providers:
- google:
- enabled: true
- clientId: "fakeclientid"
- clientSecret: "fakeclientsecret"
+env:
+ PROVIDERS_GOOGLE_CLIENT_ID: fakeclientid
+ PROVIDERS_GOOGLE_CLIENT_SECRET: fakeclientsecret
+
+middleware:
+ enabled: false
diff --git a/charts/stable/traefik-forward-auth/templates/NOTES.txt b/charts/stable/traefik-forward-auth/templates/NOTES.txt
index 327f1f71..90f7b653 100644
--- a/charts/stable/traefik-forward-auth/templates/NOTES.txt
+++ b/charts/stable/traefik-forward-auth/templates/NOTES.txt
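Review bot: The artifacthub changelog added in this hunk lists only the `common` dependency as breaking, but the same commit changes the Middleware default name in templates/middleware.yaml from the fixed `traefik-forward-auth` to `common.names.fullname` (with `middleware.name` renamed to `middleware.nameOverride`) and flips `middleware.enabled` from `false` to `true` in values.yaml. Ingress annotations that reference `<namespace>-traefik-forward-auth@kubernetescrd` will stop matching after an upgrade, and installs on clusters without the Traefik CRD will now fail unless the middleware is disabled, which is what ci/ct-values.yaml does. I would add a third entry, e.g. `- kind: changed` / `description: "**BREAKING** Middleware is enabled by default and named after the release fullname; middleware.name is now middleware.nameOverride."`, and mention that the removed `cookie.secret`, `providers.*` and `secret: "-"` values must now be expressed under `env`.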
@@ -1,21 +1 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "traefik-forward-auth.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "traefik-forward-auth.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "traefik-forward-auth.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "traefik-forward-auth.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 -{{- end }} +{{- include "common.notes.defaultNotes" . -}} diff --git a/charts/stable/traefik-forward-auth/templates/_helpers.tpl b/charts/stable/traefik-forward-auth/templates/_helpers.tpl deleted file mode 100644 index ee69d8a8..00000000 --- a/charts/stable/traefik-forward-auth/templates/_helpers.tpl +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "traefik-forward-auth.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "traefik-forward-auth.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "traefik-forward-auth.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "traefik-forward-auth.labels" -}} -helm.sh/chart: {{ include "traefik-forward-auth.chart" . }} -{{ include "traefik-forward-auth.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "traefik-forward-auth.selectorLabels" -}} -app.kubernetes.io/name: {{ include "traefik-forward-auth.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "traefik-forward-auth.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "traefik-forward-auth.fullname" .) 
.Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/charts/stable/traefik-forward-auth/templates/common.yaml b/charts/stable/traefik-forward-auth/templates/common.yaml
new file mode 100644
index 00000000..6821b0ce
--- /dev/null
+++ b/charts/stable/traefik-forward-auth/templates/common.yaml
@@ -0,0 +1,29 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "common.values.setup" . }}
+
+{{/*
+If there's an existing secret, reuse it, otherwise generate a new one.
+*/}}
+{{- define "traefik-forward-auth.secret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "common.names.fullname" .) ) -}}
+ {{- if $secret -}}
+ {{- index $secret "data" "secret" -}}
+ {{- else -}}
+ {{- randAlphaNum 16 | b64enc | quote -}}
+ {{- end -}}
+{{- end -}}
+
+{{/* Append the hardcoded settings */}}
+{{- define "traefik-forward-auth.harcodedValues" -}}
+{{- if not .Values.env.SECRET }}
+env:
+ SECRET:
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.names.fullname" . }}
+ key: secret
+{{- end }}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values (include "traefik-forward-auth.harcodedValues" . | fromYaml) -}}
+
+{{ include "common.all" . }}
diff --git a/charts/stable/traefik-forward-auth/templates/deployment.yaml b/charts/stable/traefik-forward-auth/templates/deployment.yaml
deleted file mode 100644
index 99635418..00000000
--- a/charts/stable/traefik-forward-auth/templates/deployment.yaml
+++ /dev/null
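Review bot: `lookup` in the new `traefik-forward-auth.secret` helper returns an empty result whenever Helm renders without a cluster connection (`helm template`, `--dry-run`, and GitOps tooling that renders offline), so the `randAlphaNum` branch runs on every such render and the signing secret changes on each sync, invalidating all existing sessions; values.yaml or NOTES should state that reuse only works with a connected `helm install`/`upgrade`. A Secret of that name that exists but has no `secret` key (for example one pre-created by the user under a different key) takes the first branch and `index $secret "data" "secret"` renders an empty value instead of a generated one, so the guard should be `{{- if and $secret (hasKey (index $secret "data") "secret") -}}` (assuming `data` is always present on the returned object; confirm). The existing-secret branch also emits the base64 value unquoted while the generated branch quotes it; `{{- index $secret "data" "secret" | quote -}}` keeps the two consistent. Finally, `harcodedValues` is misspelled (`hardcodedValues`) in both the define and the `mergeOverwrite` call.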
@@ -1,222 +0,0 @@ -{{- $fullName := include "traefik-forward-auth.fullname" . -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ $fullName }} - labels: - {{- include "traefik-forward-auth.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "traefik-forward-auth.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "traefik-forward-auth.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "traefik-forward-auth.serviceAccountName" . }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - {{- with .Values.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- with .Values.envFrom }} - envFrom: - {{- toYaml . 
| nindent 12 }} - {{- end }} - env: - {{- if .Values.logging.level }} - - name: LOG_LEVEL - value: {{ .Values.logging.level | quote }} - {{- end }} - {{- if .Values.logging.format }} - - name: LOG_FORMAT - value: {{ .Values.logging.format | quote }} - {{- end }} - {{- if .Values.authHost }} - - name: AUTH_HOST - value: {{ .Values.authHost | quote }} - {{- end }} - {{- if .Values.cookie.domain }} - - name: COOKIE_DOMAIN - value: {{ .Values.cookie.domain | quote }} - {{- end }} - {{- if .Values.cookie.insecure }} - - name: INSECURE_COOKIE - value: {{ .Values.cookie.insecure | quote }} - {{- end }} - {{- if .Values.cookie.name }} - - name: COOKIE_NAME - value: {{ .Values.cookie.name | quote }} - {{- end }} - {{- if .Values.cookie.csrfName }} - - name: CSRF_COOKIE_NAME - value: {{ .Values.cookie.csrfName | quote }} - {{- end }} - {{- if .Values.default.action }} - - name: DEFAULT_ACTION - value: {{ .Values.default.action | quote }} - {{- end }} - {{- if .Values.default.provider }} - - name: DEFAULT_PROVIDER - value: {{ .Values.default.provider | quote }} - {{- end }} - {{- if .Values.restrictions.domain }} - - name: DOMAIN - value: {{ .Values.restrictions.domain | quote }} - {{- end }} - {{- if .Values.restrictions.whitelist }} - - name: WHITELIST - value: {{ .Values.restrictions.whitelist | quote }} - {{- end }} - {{- if .Values.lifetime }} - - name: LIFETIME - value: {{ .Values.lifetime | quote }} - {{- end }} - {{- if .Values.logoutRedirect }} - - name: LOGOUT_REDIRECT - value: {{ .Values.logoutRedirect | quote }} - {{- end }} - {{- if .Values.urlPath }} - - name: URL_PATH - value: {{ .Values.urlPath | quote }} - {{- end }} - {{- if .Values.cookie.secret }} - - name: COOKIE_SECRET - valueFrom: - secretKeyRef: - name: {{ $fullName }} - key: cookie-secret - {{- end }} - {{- if ne .Values.secret "-" }} - - name: SECRET - {{- if .Values.secret }} - value: {{ .Values.secret | quote }} - {{- else }} - valueFrom: - secretKeyRef: - name: {{ $fullName }} - key: secret - {{- 
end }} - {{- with .Values.providers}} - {{- if .google.enabled }} - {{- if .google.clientId }} - - name: PROVIDERS_GOOGLE_CLIENT_ID - value: {{ .google.clientId | quote }} - {{- end }} - {{- if .google.clientSecret }} - - name: PROVIDERS_GOOGLE_CLIENT_SECRET - value: {{ .google.clientSecret | quote }} - {{- end }} - {{- if .google.prompt }} - - name: PROVIDERS_GOOGLE_PROMPT - value: {{ .google.prompt | quote }} - {{- end }} - {{- end }} - {{- if .oidc.enabled }} - {{- if .oidc.clientId }} - - name: PROVIDERS_OIDC_CLIENT_ID - value: {{ .oidc.clientId | quote }} - {{- end }} - {{- if .oidc.clientSecret }} - - name: PROVIDERS_OIDC_CLIENT_SECRET - value: {{ .oidc.clientSecret | quote }} - {{- end }} - {{- if .oidc.issuerUrl }} - - name: PROVIDERS_OIDC_ISSUER_URL - value: {{ .oidc.issuerUrl | quote }} - {{- end }} - {{- if .oidc.resource }} - - name: PROVIDERS_OIDC_RESOURCE - value: {{ .oidc.resource | quote }} - {{- end }} - {{- end }} - {{- if .genericOauth.enabled }} - {{- if .genericOauth.clientId }} - - name: PROVIDERS_GENERIC_OAUTH_CLIENT_ID - value: {{ .genericOauth.clientId | quote }} - {{- end }} - {{- if .genericOauth.clientSecret }} - - name: PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET - value: {{ .genericOauth.clientSecret | quote }} - {{- end }} - {{- if .genericOauth.authUrl }} - - name: PROVIDERS_GENERIC_OAUTH_AUTH_URL - value: {{ .genericOauth.authUrl | quote }} - {{- end }} - {{- if .genericOauth.tokenUrl }} - - name: PROVIDERS_GENERIC_OAUTH_TOKEN_URL - value: {{ .genericOauth.tokenUrl | quote }} - {{- end }} - {{- if .genericOauth.userUrl }} - - name: PROVIDERS_GENERIC_OAUTH_USER_URL - value: {{ .genericOauth.userUrl | quote }} - {{- end }} - {{- if .genericOauth.resource }} - - name: PROVIDERS_GENERIC_OAUTH_RESOURCE - value: {{ .genericOauth.resource | quote }} - {{- end }} - {{- if .genericOauth.scope }} - - name: PROVIDERS_GENERIC_OAUTH_SCOPE - value: {{ .genericOauth.scope | quote }} - {{- end }} - {{- if .genericOauth.tokenStyle }} - - name: 
PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE - value: {{ .genericOauth.tokenStyle | quote }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.env }} - {{- toYaml .Values.env | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: 4181 - protocol: TCP - {{- $livenessProbe := .Values.livenessProbe }} - {{- if $livenessProbe.enabled }} - livenessProbe: - {{- $livenessProbe := unset $livenessProbe "enabled" }} - {{- toYaml $livenessProbe | nindent 12 }} - {{- end }} - {{- $readinessProbe := .Values.readinessProbe }} - {{- if $readinessProbe.enabled }} - readinessProbe: - {{- $readinessProbe := unset $readinessProbe "enabled" }} - {{- toYaml $readinessProbe | nindent 12 }} - {{- end }} - {{- with .Values.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/stable/traefik-forward-auth/templates/hpa.yaml b/charts/stable/traefik-forward-auth/templates/hpa.yaml deleted file mode 100644 index ab633a75..00000000 --- a/charts/stable/traefik-forward-auth/templates/hpa.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "traefik-forward-auth.fullname" . }} - labels: - {{- include "traefik-forward-auth.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "traefik-forward-auth.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/charts/stable/traefik-forward-auth/templates/ingress.yaml b/charts/stable/traefik-forward-auth/templates/ingress.yaml deleted file mode 100644 index 007d7bee..00000000 --- a/charts/stable/traefik-forward-auth/templates/ingress.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{- if .Values.ingress.enabled -}} - {{- $fullName := include "traefik-forward-auth.fullname" . -}} - {{- $svcPort := .Values.service.port -}} - {{- $apiVersion := .Capabilities.KubeVersion.GitVersion -}} - {{- if semverCompare "<1.14-0" $apiVersion -}} -apiVersion: extensions/v1beta1 - {{- else if semverCompare "<1.19-0" $apiVersion -}} -apiVersion: networking.k8s.io/v1beta1 - {{- else -}} -apiVersion: networking.k8s.io/v1 - {{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "traefik-forward-auth.labels" . | nindent 4 }} - {{- if or .Values.ingress.annotations (and .Values.middleware.enabled .Values.authHost) }} - annotations: - {{- with .Values.ingress.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- if and .Values.middleware.enabled .Values.authHost }} - traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-{{ .Values.middleware.name | default "traefik-forward-auth" }}@kubernetescrd - {{- end }} - {{- end }} -spec: - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ . }} - {{- if semverCompare ">=1.19-0" $apiVersion }} - pathType: Prefix - backend: - service: - name: {{ $fullName }} - port: - name: http - {{- else }} - backend: - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} diff --git a/charts/stable/traefik-forward-auth/templates/middleware.yaml b/charts/stable/traefik-forward-auth/templates/middleware.yaml index c7cb3f40..95e34eb9 100644 --- a/charts/stable/traefik-forward-auth/templates/middleware.yaml +++ b/charts/stable/traefik-forward-auth/templates/middleware.yaml 
@@ -2,10 +2,10 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
- name: {{ .Values.middleware.name | default "traefik-forward-auth" }}
+ name: {{ default (include "common.names.fullname" .) .Values.middleware.nameOverride }}
 spec:
 forwardAuth:
- address: "http://{{ include "traefik-forward-auth.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}"
+ address: "http://{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.main.ports.http.port }}"
 authResponseHeaders:
 - X-Forwarded-User
- {{- end }}
+{{- end }}
diff --git a/charts/stable/traefik-forward-auth/templates/secret.yaml b/charts/stable/traefik-forward-auth/templates/secret.yaml
index 72e7998f..ea9ede97 100644
--- a/charts/stable/traefik-forward-auth/templates/secret.yaml
+++ b/charts/stable/traefik-forward-auth/templates/secret.yaml
@@ -1,16 +1,11 @@
-{{- if or (and (ne .Values.secret "-") (not .Values.secret)) .Values.cookie.secret }}
+{{- if not .Values.env.SECRET }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ template "traefik-forward-auth.fullname" . }}
+ name: {{ template "common.names.fullname" . }}
 labels:
- {{- include "traefik-forward-auth.labels" . | nindent 4 }}
+ {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
- {{- if not .Values.secret }}
- secret: {{ randAlphaNum 16 | b64enc | quote }}
- {{- end }}
- {{- if .Values.cookie.secret }}
- cookie-secret: {{ .Values.cookie.secret | b64enc | quote }}
- {{- end }}
- {{- end }}
+ secret: {{ template "traefik-forward-auth.secret" . }}
+{{- end }}
diff --git a/charts/stable/traefik-forward-auth/templates/service.yaml b/charts/stable/traefik-forward-auth/templates/service.yaml
deleted file mode 100644
index 9694610a..00000000
--- a/charts/stable/traefik-forward-auth/templates/service.yaml
+++ /dev/null
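Review bot: The new condition `{{- if not .Values.env.SECRET }}` in secret.yaml only recognises a SECRET supplied directly under `env`; the removed condition also honoured `secret: "-"` as an explicit opt-out for users who inject the variable another way. If SECRET is now supplied via `envFrom` (presumably supported by the common chart; confirm), this template still creates the chart's own Secret and `traefik-forward-auth.harcodedValues` still merges an `env.SECRET` reference to it, and because container `env` entries take precedence over `envFrom`, the user's value would be silently overridden. Consider a dedicated toggle such as `secret.create: true` guarding both this template and the merged-in env entry, and document it in values.yaml.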
@@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "traefik-forward-auth.fullname" . }} - labels: - {{- include "traefik-forward-auth.labels" . | nindent 4 }} - {{- with .Values.service.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - {{- with .Values.service.additionalSpec }} - {{- toYaml . | nindent 2 }} - {{- end }} - selector: - {{- include "traefik-forward-auth.selectorLabels" . | nindent 4 }} diff --git a/charts/stable/traefik-forward-auth/templates/serviceaccount.yaml b/charts/stable/traefik-forward-auth/templates/serviceaccount.yaml deleted file mode 100644 index 295bff53..00000000 --- a/charts/stable/traefik-forward-auth/templates/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "traefik-forward-auth.serviceAccountName" . }} - labels: - {{- include "traefik-forward-auth.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/stable/traefik-forward-auth/values.yaml b/charts/stable/traefik-forward-auth/values.yaml index 476e5f4d..27449aaf 100644 --- a/charts/stable/traefik-forward-auth/values.yaml +++ b/charts/stable/traefik-forward-auth/values.yaml 
@@ -1,190 +1,69 @@ -# Default values for traefik-forward-auth. - - -replicaCount: 1 +# +# IMPORTANT NOTE +# +# This chart inherits from our common library chart. You can check the default values/options here: +# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml +# image: + # -- image repository repository: thomseddon/traefik-forward-auth - pullPolicy: IfNotPresent + # -- image tag + # @default -- chart.appVersion tag: "" + # -- image pull policy + pullPolicy: IfNotPresent -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" +# -- environment variables. See more environment variables in the [traefik-forward-auth documentation](https://github.com/thomseddon/traefik-forward-auth#configuration) +# @default -- See below +env: + TZ: UTC + # LOG_LEVEL: warn # [trace|debug|info|warn|error|fatal|panic] + # LOG_FORMAT: text # [text|json|pretty] + # AUTH_HOST: oauth.example.org + # DOMAIN: example.org # Only allow given email domains. (Comma delimited) + # WHITELIST: auth@example.org # Only allow given email addresses. (Comma delimited) + # LIFETIME: '43200' # Lifetime in seconds + # COOKIE_DOMAIN: example.org # Domain(s) to set auth cookie on. (Comma delimited) + # INSECURE_COOKIE: 'false' # Use insecure cookies + # COOKIE_NAME: _forward_auth # Cookie name + # CSRF_COOKIE_NAME: _forward_auth_csrf # CSRF cookie name + # SECRET: # Secret used for signing. If unset, one will be generated. 
+ # valueFrom: + # secretKeyRef: traefik-forward-auth + # URL_PATH: /_oauth # Callback URL path + # LOGOUT_REDIRECT: '' # URL to redirect to following logout + # DEFAULT_ACTION: auth # [auth|allow] + # DEFAULT_PROVIDER: google # [google|oidc|generic-oauth] + # + # PROVIDERS_GOOGLE_CLIENT_ID: '' # Client ID + # PROVIDERS_GOOGLE_CLIENT_SECRET: '' # Client Secret + # PROVIDERS_GOOGLE_PROMPT: '' # Space separated list of OpenID prompt options + # + # PROVIDERS_OIDC_ISSUER_URL: '' # Issuer URL + # PROVIDERS_OIDC_CLIENT_ID: '' # Client ID + # PROVIDERS_OIDC_CLIENT_SECRET: '' # Client Secret + # PROVIDERS_OIDC_RESOURCE: '' # Optional resource indicator + # + # PROVIDERS_GENERIC_OAUTH_AUTH_URL: '' # Auth/Login URL + # PROVIDERS_GENERIC_OAUTH_TOKEN_URL: '' # Token URL + # PROVIDERS_GENERIC_OAUTH_USER_URL: '' # URL used to retrieve user info + # PROVIDERS_GENERIC_OAUTH_CLIENT_ID: '' # Client ID + # PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: '' # Client Secret + # PROVIDERS_GENERIC_OAUTH_RESOURCE: '' # Optional resource indicator + # PROVIDERS_GENERIC_OAUTH_SCOPE: '' # Scopes (default: profile, email) + # PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: '' # How token is presented when querying the User URL -logging: - # logging.level -- [trace|debug|info|warn|error|fatal|panic] Log level (default: warn) - level: "" - # logging.format -- [text|json|pretty] Log format (default: text) - format: "" -# authHost -- Single host to use when returning from 3rd party auth -authHost: "" -restrictions: - # restrictions.domain -- Only allow given email domains. (Comma delimited) - domain: "" - # restrictions.whitelist -- Only allow given email addresses. (Comma delimited) - whitelist: "" -# lifetime -- Lifetime in seconds (default: 43200) -lifetime: "" -cookie: - # cookie.domain -- Domain(s) to set auth cookie on. 
(Comma delimited) - domain: "" - # cookie.insecure -- Use insecure cookies - insecure: "" - # cookie.name -- Cookie Name (default: _forward_auth) - name: "" - # cookie.csrfName -- CSRF Cookie Name (default: _forward_auth_csrf) - csrfName: "" - # cookie.secret -- Cookie Secret used for authentication across multiple instances / clusters (default: randomly generated) - secret: "" -default: - # default.action -- [auth|allow] Default action (default: auth) - action: "" - # default.provider -- [google|oidc|generic-oauth] Default provider (default: google) - provider: "" -# logoutRedirect -- URL to redirect to following logout -logoutRedirect: "" -# urlPath -- Callback URL Path (default: /_oauth) -urlPath: "" -# secret -- Secret used for signing. If empty, one will be generated. If specifying your own in env use "-" -secret: "" +# -- Configures service settings for the chart. +# @default -- See values.yaml +service: + main: + ports: + http: + port: 4181 middleware: - # middleware.enabled -- Enable to deploy a preconfigured middleware - enabled: false - # middleware.name -- Name for the middleware - name: "" -providers: - google: - # providers.google.enabled -- Enable the google provider - enabled: false - # providers.google.clientId -- Client ID - clientId: "" - # providers.google.clientSecret -- Client Secret - clientSecret: "" - # providers.google.prompt -- Space separated list of OpenID prompt options - prompt: "" - oidc: - # providers.oidc.enabled -- Enable the generic OIDC provider - enabled: false - # providers.oidc.issuerUrl -- Issuer URL - issuerUrl: "" - # providers.oidc.clientId -- Client ID - clientId: "" - # providers.oidc.clientSecret -- Client Secret - clientSecret: "" - # providers.oidc.resource -- Optional resource indicator - resource: "" - genericOauth: - # providers.genericOauth.enabled -- Enable the generic OAUTH2 provider - enabled: false - # providers.genericOauth.authUrl -- Auth/Login URL - authUrl: "" - # providers.genericOauth.tokenUrl -- Token 
URL - tokenUrl: "" - # providers.genericOauth.userUrl -- URL used to retrieve user info - userUrl: "" - # providers.genericOauth.clientId -- Client ID - clientId: "" - # providers.genericOauth.clientSecret -- Client Secret - clientSecret: "" - # providers.genericOauth.scope -- Scopes (default: profile, email) - scope: "" - # providers.genericOauth.tokenStyle -- How token is presented when querying the User URL - tokenStyle: "" - # providers.genericOauth.resource -- Optional resource indicator - resource: "" - -env: [] -envFrom: -# - secretRef: -# name: - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -# livenessProbe -- Liveness probe configuration -# @default -- {"periodSeconds":20,"tcpSocket":{"port":"http"}} -livenessProbe: - # livenessProbe.enabled -- Enable liveness probe + # -- Enable a preconfigured middleware. enabled: true - tcpSocket: - port: http - periodSeconds: 20 - -# readinessProbe -- Readiness probe configuration -# @default -- {"periodSeconds":10,"tcpSocket":{"port":"http"}} -readinessProbe: - # readinessProbe.enabled -- Enable readiness probe - enabled: true - tcpSocket: - port: http - periodSeconds: 10 - -service: - type: ClusterIP - port: 4181 - ## Provide any additional annotations which may be required. This can be used to - ## set the LoadBalancer service type to internal only. 
- ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer - ## - annotations: {} - labels: {} - additionalSpec: {} - -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: [] - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} + # -- Override the middleware name. + nameOverride: ""
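Review bot: The commented `SECRET` example in the new `env` block renders `secretKeyRef: traefik-forward-auth` as a scalar, but a `secretKeyRef` is a mapping with `name` and `key`; anyone uncommenting it gets an invalid env var spec. I would change the example to `#   valueFrom:` / `#     secretKeyRef:` followed by `#       name: <existing-secret>` and `#       key: secret`, matching what templates/common.yaml injects. The `COOKIE_SECRET` variable that the removed `cookie.secret` value used to set is absent from the list; add `# COOKIE_SECRET: '' # Cookie secret, must match across instances` so migrating users know where it went. It is also worth noting on the `PROVIDERS_*_CLIENT_SECRET` entries that the same `valueFrom` form works for them, so client secrets need not be committed in values files.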