[traefik-forward-auth] Reuse existing secret. (#1404)

charts/stable/traefik-forward-auth/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-name: traefik-forward-auth
-description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer
-type: application
-version: 1.0.10
 appVersion: 2.2.0
+description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer
+name: traefik-forward-auth
+version: 2.0.0
+kubeVersion: ">=1.16.0-0"
 keywords:
   - traefik
   - traefik-forward-auth
@@ -17,3 +17,15 @@ sources:
 maintainers:
   - name: DirtyCajunRice
     email: nick@cajun.pro
+dependencies:
+  - name: common
+    repository: https://library-charts.k8s-at-home.com
+    version: 4.3.0
+annotations:
+  artifacthub.io/changes: |
+    - kind: added
+      description: >
+        **BREAKING** Added `common` chart dependency.
+        This will likely require you to update your chart values.
+    - kind: changed
+      description: Reuse existing secret if present.

charts/stable/traefik-forward-auth/ci/ct-values.yaml

@@ -1,5 +1,6 @@
-providers:
+env:
-  google:
+  PROVIDERS_GOOGLE_CLIENT_ID: fakeclientid
-    enabled: true
+  PROVIDERS_GOOGLE_CLIENT_SECRET: fakeclientsecret
-    clientId: "fakeclientid"
+
-    clientSecret: "fakeclientsecret"
+middleware:
+  enabled: false

charts/stable/traefik-forward-auth/templates/NOTES.txt

@@ -1,21 +1 @@
-1. Get the application URL by running these commands:
+{{- include "common.notes.defaultNotes" . -}}
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
-  {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "traefik-forward-auth.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "traefik-forward-auth.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "traefik-forward-auth.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "traefik-forward-auth.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
-{{- end }}

charts/stable/traefik-forward-auth/templates/_helpers.tpl

@@ -1,63 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "traefik-forward-auth.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "traefik-forward-auth.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "traefik-forward-auth.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "traefik-forward-auth.labels" -}}
-helm.sh/chart: {{ include "traefik-forward-auth.chart" . }}
-{{ include "traefik-forward-auth.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "traefik-forward-auth.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "traefik-forward-auth.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "traefik-forward-auth.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "traefik-forward-auth.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}

charts/stable/traefik-forward-auth/templates/common.yaml

@@ -0,0 +1,29 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "common.values.setup" . }}
+
+{{/*
+If there's an existing secret, reuse it, otherwise generate a new one.
+*/}}
+{{- define "traefik-forward-auth.secret" -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "common.names.fullname" .) ) -}}
+  {{- if $secret -}}
+    {{-  index $secret "data" "secret" -}}
+  {{- else -}}
+    {{- randAlphaNum 16 | b64enc | quote -}}
+  {{- end -}}
+{{- end -}}
+
+{{/* Append the hardcoded settings */}}
+{{- define "traefik-forward-auth.harcodedValues" -}}
+{{- if not .Values.env.SECRET }}
+env:
+  SECRET:
+    valueFrom:
+      secretKeyRef:
+        name: {{ include "common.names.fullname" . }}
+        key: secret
+{{- end }}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values (include "traefik-forward-auth.harcodedValues" . | fromYaml) -}}
+
+{{ include "common.all" . }}

charts/stable/traefik-forward-auth/templates/deployment.yaml

@@ -1,222 +0,0 @@
-{{- $fullName := include "traefik-forward-auth.fullname" . -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ $fullName }}
-  labels:
-  {{- include "traefik-forward-auth.labels" . | nindent 4 }}
-spec:
-  {{- if not .Values.autoscaling.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
-  selector:
-    matchLabels:
-  {{- include "traefik-forward-auth.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-    {{- include "traefik-forward-auth.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "traefik-forward-auth.serviceAccountName" . }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      containers:
-        - name: {{ .Chart.Name }}
-          {{- with .Values.securityContext }}
-          securityContext:
-          {{- toYaml . | nindent 12 }}
-          {{- end }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- with .Values.envFrom }}
-          envFrom:
-          {{- toYaml . | nindent 12 }}
-          {{- end }}
-          env:
-            {{- if .Values.logging.level }}
-            - name: LOG_LEVEL
-              value: {{ .Values.logging.level | quote }}
-            {{- end }}
-            {{- if .Values.logging.format }}
-            - name: LOG_FORMAT
-              value: {{ .Values.logging.format | quote }}
-            {{- end }}
-            {{- if .Values.authHost }}
-            - name: AUTH_HOST
-              value: {{ .Values.authHost | quote }}
-            {{- end }}
-            {{- if .Values.cookie.domain }}
-            - name: COOKIE_DOMAIN
-              value: {{ .Values.cookie.domain | quote }}
-            {{- end }}
-            {{- if .Values.cookie.insecure }}
-            - name: INSECURE_COOKIE
-              value: {{ .Values.cookie.insecure | quote }}
-            {{- end }}
-            {{- if .Values.cookie.name }}
-            - name: COOKIE_NAME
-              value: {{ .Values.cookie.name | quote }}
-            {{- end }}
-            {{- if .Values.cookie.csrfName }}
-            - name: CSRF_COOKIE_NAME
-              value: {{ .Values.cookie.csrfName | quote }}
-            {{- end }}
-            {{- if .Values.default.action }}
-            - name: DEFAULT_ACTION
-              value: {{ .Values.default.action | quote }}
-            {{- end }}
-            {{- if .Values.default.provider }}
-            - name: DEFAULT_PROVIDER
-              value: {{ .Values.default.provider | quote }}
-            {{- end }}
-            {{- if .Values.restrictions.domain }}
-            - name: DOMAIN
-              value: {{ .Values.restrictions.domain | quote }}
-            {{- end }}
-            {{- if .Values.restrictions.whitelist }}
-            - name: WHITELIST
-              value: {{ .Values.restrictions.whitelist | quote }}
-            {{- end }}
-            {{- if .Values.lifetime }}
-            - name: LIFETIME
-              value: {{ .Values.lifetime | quote }}
-            {{- end }}
-            {{- if .Values.logoutRedirect }}
-            - name: LOGOUT_REDIRECT
-              value: {{ .Values.logoutRedirect | quote }}
-            {{- end }}
-            {{- if .Values.urlPath }}
-            - name: URL_PATH
-              value: {{ .Values.urlPath | quote }}
-            {{- end }}
-            {{- if .Values.cookie.secret }}
-            - name: COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $fullName }}
-                  key: cookie-secret
-            {{- end }}
-            {{- if ne .Values.secret "-" }}
-            - name: SECRET
-              {{- if .Values.secret }}
-              value: {{ .Values.secret | quote }}
-              {{- else }}
-              valueFrom:
-                secretKeyRef:
-                  name: {{ $fullName }}
-                  key: secret
-              {{- end }}
-            {{- with .Values.providers}}
-            {{- if .google.enabled }}
-            {{- if .google.clientId }}
-            - name: PROVIDERS_GOOGLE_CLIENT_ID
-              value: {{ .google.clientId | quote }}
-            {{- end }}
-            {{- if .google.clientSecret }}
-            - name: PROVIDERS_GOOGLE_CLIENT_SECRET
-              value: {{ .google.clientSecret | quote }}
-            {{- end }}
-            {{- if .google.prompt }}
-            - name: PROVIDERS_GOOGLE_PROMPT
-              value: {{ .google.prompt | quote }}
-              {{- end }}
-            {{- end }}
-            {{- if .oidc.enabled }}
-            {{- if .oidc.clientId }}
-            - name: PROVIDERS_OIDC_CLIENT_ID
-              value: {{ .oidc.clientId | quote }}
-            {{- end }}
-            {{- if .oidc.clientSecret }}
-            - name: PROVIDERS_OIDC_CLIENT_SECRET
-              value: {{ .oidc.clientSecret | quote }}
-            {{- end }}
-            {{- if .oidc.issuerUrl }}
-            - name: PROVIDERS_OIDC_ISSUER_URL
-              value: {{ .oidc.issuerUrl | quote }}
-            {{- end }}
-            {{- if .oidc.resource }}
-            - name: PROVIDERS_OIDC_RESOURCE
-              value: {{ .oidc.resource | quote }}
-              {{- end }}
-            {{- end }}
-            {{- if .genericOauth.enabled }}
-            {{- if .genericOauth.clientId }}
-            - name: PROVIDERS_GENERIC_OAUTH_CLIENT_ID
-              value: {{ .genericOauth.clientId | quote }}
-            {{- end }}
-            {{- if .genericOauth.clientSecret }}
-            - name: PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET
-              value: {{ .genericOauth.clientSecret | quote }}
-            {{- end }}
-            {{- if .genericOauth.authUrl }}
-            - name: PROVIDERS_GENERIC_OAUTH_AUTH_URL
-              value: {{ .genericOauth.authUrl | quote }}
-            {{- end }}
-            {{- if .genericOauth.tokenUrl }}
-            - name: PROVIDERS_GENERIC_OAUTH_TOKEN_URL
-              value: {{ .genericOauth.tokenUrl | quote }}
-            {{- end }}
-            {{- if .genericOauth.userUrl }}
-            - name: PROVIDERS_GENERIC_OAUTH_USER_URL
-              value: {{ .genericOauth.userUrl | quote }}
-            {{- end }}
-            {{- if .genericOauth.resource }}
-            - name: PROVIDERS_GENERIC_OAUTH_RESOURCE
-              value: {{ .genericOauth.resource | quote }}
-            {{- end }}
-            {{- if .genericOauth.scope }}
-            - name: PROVIDERS_GENERIC_OAUTH_SCOPE
-              value: {{ .genericOauth.scope | quote }}
-            {{- end }}
-            {{- if .genericOauth.tokenStyle }}
-            - name: PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE
-              value: {{ .genericOauth.tokenStyle | quote }}
-          {{- end }}
-          {{- end }}
-          {{- end }}
-          {{- end }}
-          {{- if .Values.env }}
-          {{- toYaml .Values.env | nindent 12 }}
-          {{- end }}
-          ports:
-            - name: http
-              containerPort: 4181
-              protocol: TCP
-        {{- $livenessProbe := .Values.livenessProbe }}
-        {{- if $livenessProbe.enabled }}
-          livenessProbe:
-          {{- $livenessProbe := unset $livenessProbe "enabled" }}
-          {{- toYaml $livenessProbe | nindent 12 }}
-        {{- end }}
-        {{- $readinessProbe := .Values.readinessProbe }}
-        {{- if $readinessProbe.enabled }}
-          readinessProbe:
-            {{- $readinessProbe := unset $readinessProbe "enabled" }}
-            {{- toYaml $readinessProbe | nindent 12 }}
-        {{- end }}
-          {{- with .Values.resources }}
-          resources:
-      {{- toYaml . | nindent 12 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-  {{- toYaml . | nindent 8 }}
-  {{- end }}

charts/stable/traefik-forward-auth/templates/hpa.yaml

@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "traefik-forward-auth.fullname" . }}
-  labels:
-    {{- include "traefik-forward-auth.labels" . | nindent 4 }}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{ include "traefik-forward-auth.fullname" . }}
-  minReplicas: {{ .Values.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
-  metrics:
-  {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
-  {{- end }}
-  {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
-  {{- end }}
-{{- end }}

charts/stable/traefik-forward-auth/templates/ingress.yaml

@@ -1,58 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-  {{- $fullName := include "traefik-forward-auth.fullname" . -}}
-  {{- $svcPort := .Values.service.port -}}
-  {{- $apiVersion := .Capabilities.KubeVersion.GitVersion -}}
-  {{- if semverCompare "<1.14-0" $apiVersion -}}
-apiVersion: extensions/v1beta1
-  {{- else if semverCompare "<1.19-0" $apiVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-  {{- else -}}
-apiVersion: networking.k8s.io/v1
-  {{- end }}
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-  {{- include "traefik-forward-auth.labels" . | nindent 4 }}
-  {{- if or .Values.ingress.annotations (and .Values.middleware.enabled .Values.authHost) }}
-  annotations:
-    {{- with .Values.ingress.annotations }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-    {{- if and .Values.middleware.enabled .Values.authHost }}
-    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-{{ .Values.middleware.name | default "traefik-forward-auth" }}@kubernetescrd
-  {{- end }}
-  {{- end }}
-spec:
-  {{- if .Values.ingress.tls }}
-  tls:
-    {{- range .Values.ingress.tls }}
-    - hosts:
-        {{- range .hosts }}
-        - {{ . | quote }}
-      {{- end }}
-      secretName: {{ .secretName }}
-  {{- end }}
-  {{- end }}
-  rules:
-    {{- range .Values.ingress.hosts }}
-    - host: {{ .host | quote }}
-      http:
-        paths:
-          {{- range .paths }}
-          - path: {{ . }}
-            {{- if semverCompare ">=1.19-0" $apiVersion }}
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ $fullName }}
-                port:
-                  name: http
-            {{- else }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
-            {{- end }}
-  {{- end }}
-  {{- end }}
-  {{- end }}

charts/stable/traefik-forward-auth/templates/middleware.yaml

@@ -2,10 +2,10 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
-  name: {{ .Values.middleware.name | default "traefik-forward-auth" }}
+  name: {{ default (include "common.names.fullname" .) .Values.middleware.nameOverride }}
 spec:
   forwardAuth:
-    address: "http://{{ include "traefik-forward-auth.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}"
+    address: "http://{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.main.ports.http.port }}"
     authResponseHeaders:
       - X-Forwarded-User
-  {{- end }}
+{{- end }}

charts/stable/traefik-forward-auth/templates/secret.yaml

@@ -1,16 +1,11 @@
-{{- if or (and (ne .Values.secret "-") (not .Values.secret)) .Values.cookie.secret }}
+{{- if not .Values.env.SECRET }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ template "traefik-forward-auth.fullname" . }}
+  name: {{ template "common.names.fullname" . }}
   labels:
-  {{- include "traefik-forward-auth.labels" . | nindent 4 }}
+    {{- include "common.labels" . | nindent 4 }}
 type: Opaque
 data:
-  {{- if not .Values.secret }}
+  secret: {{ template "traefik-forward-auth.secret" . }}
-  secret: {{ randAlphaNum 16 | b64enc | quote }}
+{{- end }}
-  {{- end }}
-  {{- if .Values.cookie.secret }}
-  cookie-secret: {{ .Values.cookie.secret | b64enc | quote }}
-  {{- end }}
-  {{- end }}

charts/stable/traefik-forward-auth/templates/service.yaml

@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "traefik-forward-auth.fullname" . }}
-  labels:
-    {{- include "traefik-forward-auth.labels" . | nindent 4 }}
-  {{- with .Values.service.annotations }}
-  annotations:
-  {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-    - port: {{ .Values.service.port }}
-      targetPort: http
-      protocol: TCP
-      name: http
-  {{- with .Values.service.additionalSpec }}
-  {{- toYaml . | nindent 2 }}
-  {{- end }}
-  selector:
-    {{- include "traefik-forward-auth.selectorLabels" . | nindent 4 }}

charts/stable/traefik-forward-auth/templates/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "traefik-forward-auth.serviceAccountName" . }}
-  labels:
-    {{- include "traefik-forward-auth.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

charts/stable/traefik-forward-auth/values.yaml

@@ -1,190 +1,69 @@
-# Default values for traefik-forward-auth.
+#
-
+# IMPORTANT NOTE
-
+#
-replicaCount: 1
+# This chart inherits from our common library chart. You can check the default values/options here:
+# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
+#
 
 image:
+  # -- image repository
   repository: thomseddon/traefik-forward-auth
-  pullPolicy: IfNotPresent
+  # -- image tag
+  # @default -- chart.appVersion
   tag: ""
+  # -- image pull policy
+  pullPolicy: IfNotPresent
 
-imagePullSecrets: []
+# -- environment variables. See more environment variables in the [traefik-forward-auth documentation](https://github.com/thomseddon/traefik-forward-auth#configuration)
-nameOverride: ""
+# @default -- See below
-fullnameOverride: ""
+env:
+  TZ: UTC
+  # LOG_LEVEL: warn # [trace|debug|info|warn|error|fatal|panic]
+  # LOG_FORMAT: text # [text|json|pretty]
+  # AUTH_HOST: oauth.example.org
+  # DOMAIN: example.org # Only allow given email domains. (Comma delimited)
+  # WHITELIST: auth@example.org # Only allow given email addresses. (Comma delimited)
+  # LIFETIME: '43200' # Lifetime in seconds
+  # COOKIE_DOMAIN: example.org # Domain(s) to set auth cookie on. (Comma delimited)
+  # INSECURE_COOKIE: 'false' # Use insecure cookies
+  # COOKIE_NAME: _forward_auth # Cookie name
+  # CSRF_COOKIE_NAME: _forward_auth_csrf # CSRF cookie name
+  # SECRET: # Secret used for signing. If unset, one will be generated.
+  #   valueFrom:
+  #     secretKeyRef: traefik-forward-auth
+  # URL_PATH: /_oauth # Callback URL path
+  # LOGOUT_REDIRECT: '' # URL to redirect to following logout
+  # DEFAULT_ACTION: auth # [auth|allow]
+  # DEFAULT_PROVIDER: google # [google|oidc|generic-oauth]
+  #
+  # PROVIDERS_GOOGLE_CLIENT_ID: '' # Client ID
+  # PROVIDERS_GOOGLE_CLIENT_SECRET: '' # Client Secret
+  # PROVIDERS_GOOGLE_PROMPT: '' # Space separated list of OpenID prompt options
+  #
+  # PROVIDERS_OIDC_ISSUER_URL: '' # Issuer URL
+  # PROVIDERS_OIDC_CLIENT_ID: '' # Client ID
+  # PROVIDERS_OIDC_CLIENT_SECRET: '' # Client Secret
+  # PROVIDERS_OIDC_RESOURCE: '' # Optional resource indicator
+  #
+  # PROVIDERS_GENERIC_OAUTH_AUTH_URL: '' # Auth/Login URL
+  # PROVIDERS_GENERIC_OAUTH_TOKEN_URL: '' # Token URL
+  # PROVIDERS_GENERIC_OAUTH_USER_URL: '' # URL used to retrieve user info
+  # PROVIDERS_GENERIC_OAUTH_CLIENT_ID: '' # Client ID
+  # PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET: '' # Client Secret
+  # PROVIDERS_GENERIC_OAUTH_RESOURCE: '' # Optional resource indicator
+  # PROVIDERS_GENERIC_OAUTH_SCOPE: '' # Scopes (default: profile, email)
+  # PROVIDERS_GENERIC_OAUTH_TOKEN_STYLE: '' # How token is presented when querying the User URL
 
-logging:
+# -- Configures service settings for the chart.
-  # logging.level -- [trace|debug|info|warn|error|fatal|panic] Log level (default: warn)
+# @default -- See values.yaml
-  level: ""
+service:
-  # logging.format -- [text|json|pretty] Log format (default: text)
+  main:
-  format: ""
+    ports:
-# authHost -- Single host to use when returning from 3rd party auth
+      http:
-authHost: ""
+        port: 4181
-restrictions:
-  # restrictions.domain -- Only allow given email domains. (Comma delimited)
-  domain: ""
-  # restrictions.whitelist -- Only allow given email addresses. (Comma delimited)
-  whitelist: ""
-# lifetime -- Lifetime in seconds (default: 43200)
-lifetime: ""
-cookie:
-  # cookie.domain -- Domain(s) to set auth cookie on. (Comma delimited)
-  domain: ""
-  # cookie.insecure -- Use insecure cookies
-  insecure: ""
-  # cookie.name -- Cookie Name (default: _forward_auth)
-  name: ""
-  # cookie.csrfName -- CSRF Cookie Name (default: _forward_auth_csrf)
-  csrfName: ""
-  # cookie.secret -- Cookie Secret used for authentication across multiple instances / clusters (default: randomly generated)
-  secret: ""
-default:
-  # default.action -- [auth|allow] Default action (default: auth)
-  action: ""
-  # default.provider -- [google|oidc|generic-oauth] Default provider (default: google)
-  provider: ""
-# logoutRedirect -- URL to redirect to following logout
-logoutRedirect: ""
-# urlPath -- Callback URL Path (default: /_oauth)
-urlPath: ""
-# secret -- Secret used for signing. If empty, one will be generated. If specifying your own in env use "-"
-secret: ""
 
 middleware:
-  # middleware.enabled -- Enable to deploy a preconfigured middleware
+  # -- Enable a preconfigured middleware.
-  enabled: false
-  # middleware.name -- Name for the middleware
-  name: ""
-providers:
-  google:
-    # providers.google.enabled -- Enable the google provider
-    enabled: false
-    # providers.google.clientId -- Client ID
-    clientId: ""
-    # providers.google.clientSecret -- Client Secret
-    clientSecret: ""
-    # providers.google.prompt -- Space separated list of OpenID prompt options
-    prompt: ""
-  oidc:
-    # providers.oidc.enabled -- Enable the generic OIDC provider
-    enabled: false
-    # providers.oidc.issuerUrl -- Issuer URL
-    issuerUrl: ""
-    # providers.oidc.clientId -- Client ID
-    clientId: ""
-    # providers.oidc.clientSecret -- Client Secret
-    clientSecret: ""
-    # providers.oidc.resource -- Optional resource indicator
-    resource: ""
-  genericOauth:
-    # providers.genericOauth.enabled -- Enable the generic OAUTH2 provider
-    enabled: false
-    # providers.genericOauth.authUrl -- Auth/Login URL
-    authUrl: ""
-    # providers.genericOauth.tokenUrl -- Token URL
-    tokenUrl: ""
-    # providers.genericOauth.userUrl -- URL used to retrieve user info
-    userUrl: ""
-    # providers.genericOauth.clientId -- Client ID
-    clientId: ""
-    # providers.genericOauth.clientSecret -- Client Secret
-    clientSecret: ""
-    # providers.genericOauth.scope -- Scopes (default: profile, email)
-    scope: ""
-    # providers.genericOauth.tokenStyle -- How token is presented when querying the User URL
-    tokenStyle: ""
-    # providers.genericOauth.resource -- Optional resource indicator
-    resource: ""
-
-env: []
-envFrom:
-# - secretRef:
-#     name:
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
-# livenessProbe -- Liveness probe configuration
-# @default -- {"periodSeconds":20,"tcpSocket":{"port":"http"}}
-livenessProbe:
-  # livenessProbe.enabled -- Enable liveness probe
   enabled: true
-  tcpSocket:
+  # -- Override the middleware name.
-    port: http
+  nameOverride: ""
-  periodSeconds: 20
-
-# readinessProbe -- Readiness probe configuration
-# @default -- {"periodSeconds":10,"tcpSocket":{"port":"http"}}
-readinessProbe:
-  # readinessProbe.enabled -- Enable readiness probe
-  enabled: true
-  tcpSocket:
-    port: http
-  periodSeconds: 10
-
-service:
-  type: ClusterIP
-  port: 4181
-  ## Provide any additional annotations which may be required. This can be used to
-  ## set the LoadBalancer service type to internal only.
-  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
-  ##
-  annotations: {}
-  labels: {}
-  additionalSpec: {}
-
-ingress:
-  enabled: false
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  hosts:
-    - host: chart-example.local
-      paths: []
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - chart-example.local
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-autoscaling:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 100
-  targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}