2cde36472e
* [oauth2-proxy] Update oauth2-proxy website urls

  oauth2-proxy was moved under the oauth2-proxy organization.

  Signed-off-by: Yusuke Nakamura <yusuke1994525@gmail.com>

* [oauth2-proxy] Update changelog

  Run ./hack/gen-helm-docs.sh stable oauth2-proxy
oauth2-proxy
A reverse proxy that provides authentication with Google, GitHub or other providers
This chart is not maintained by the upstream project and any issues with the chart should be raised here
Source Code
Requirements
Kubernetes: >=1.9.0-0
Dependencies
Repository | Name | Version |
---|---|---|
TL;DR

```shell
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
helm install oauth2-proxy k8s-at-home/oauth2-proxy
```
Installing the Chart
To install the chart with the release name `oauth2-proxy`:

```shell
helm install oauth2-proxy k8s-at-home/oauth2-proxy
```
Uninstalling the Chart
To uninstall the `oauth2-proxy` deployment:

```shell
helm uninstall oauth2-proxy
```
The command removes all the Kubernetes components associated with the chart including persistent volumes and deletes the release.
Configuration
Read through the values.yaml file. It has several commented out suggested values. Other values may be used from the values.yaml from the common library.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

```shell
helm install oauth2-proxy \
  --set env.TZ="America/New_York" \
  k8s-at-home/oauth2-proxy
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```shell
helm install oauth2-proxy k8s-at-home/oauth2-proxy -f values.yaml
```
Custom configuration
SSL Configuration
See: SSL Configuration.
Use values.yaml like:

```yaml
...
extraArgs:
  tls-cert: /path/to/cert.pem
  tls-key: /path/to/cert.key
extraVolumes:
  - name: ssl-cert
    secret:
      secretName: my-ssl-secret
extraVolumeMounts:
  - mountPath: /path/to/
    name: ssl-cert
...
```

With a secret called `my-ssl-secret`:

```yaml
...
data:
  cert.pem: AB..==
  cert.key: CD..==
```
Values
Important: When deploying an application Helm chart you can add more values from our common library chart here
Key | Type | Default | Description |
---|---|---|---|
affinity | object | `{}` | Node/pod affinities. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
authenticatedEmailsFile.enabled | bool | `false` | Enables authorizing individual email addresses |
authenticatedEmailsFile.restricted_access | string | `""` | Email address list config |
authenticatedEmailsFile.template | string | `""` | Name of a ConfigMap that is managed outside of this chart. A simpler way to maintain a single ConfigMap (user list) instead of changing it for each oauth2-proxy service. Be aware that the key in the external ConfigMap's data must be named "restricted_user_access". One email per line, for example: restricted_access: \| |
config.clientID | string | `"XXXXXXX"` | OAuth client ID |
config.clientSecret | string | `"XXXXXXXX"` | OAuth client secret |
config.configFile | string | `"email_domains = [ \"*\" ]\nupstreams = [ \"file:///dev/null\" ]"` | Custom oauth2_proxy.cfg contents for settings not overridable via environment or command line |
config.cookieSecret | string | `"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"` | Server-specific cookie secret; create a new one with `openssl rand -base64 32` |
config.existingConfig | string | `nil` | Existing Kubernetes ConfigMap to use for the configuration file. See the config template for the required values |
config.google | object | `{}` | Google service account JSON contents (serviceAccountJson: xxxx). Alternatively, use an existing secret (see google-secret.yaml for required fields): existingSecret: google-secret |
extraArgs | object | `{}` | key:value list of extra arguments to give the binary |
extraEnv | list | `[]` | key:value list of extra environment variables to give the binary |
extraVolumeMounts | list | `[]` | List of extra volumeMounts |
extraVolumes | list | `[]` | List of extra volumes |
htpasswdFile.enabled | bool | `false` | Enable the htpasswd-file option |
htpasswdFile.entries | object | `{}` | List of SHA-encrypted user:password entries |
htpasswdFile.existingSecret | string | `""` | Existing Kubernetes secret to use for the OAuth2 htpasswd file |
httpScheme | string | `"http"` | http or https. Used as the port name on the deployment, as the httpGet port name and scheme for the liveness and readiness probes, and as the port name and targetPort for the service |
image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
image.repository | string | `"quay.io/oauth2-proxy/oauth2-proxy"` | Image repository |
image.tag | string | `"v7.0.1"` | Image tag |
imagePullSecrets | list | `nil` | Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. Ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod |
ingress.annotations | object | `{}` | Ingress annotations |
ingress.enabled | bool | `false` | Enable Ingress |
ingress.extraPaths | list | `[]` | Ingress extra paths to prepend to every host configuration. Useful when configuring custom actions with the AWS ALB Ingress Controller |
ingress.hosts | list | `[]` | Ingress accepted hostnames |
ingress.ingressClassName | string | `nil` | Set ingressClassName |
ingress.path | string | `"/"` | Ingress accepted path |
ingress.tls | list | `nil` | Ingress TLS configuration |
initContainers | list | `[]` | Configure init containers for the pod. Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
livenessProbe | object | `{"enabled":true,"initialDelaySeconds":0,"timeoutSeconds":1}` | Configure Kubernetes liveness probes. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ Disable both probes when deploying with Istio 1.0 mTLS: https://istio.io/help/faq/security/#k8s-health-checks |
nodeSelector | object | `{}` | Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
podAnnotations | object | `{}` | Annotations to add to each pod |
podDisruptionBudget | object | `{"enabled":true,"minAvailable":1}` | PodDisruptionBudget settings. Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
podLabels | object | `{}` | Labels to add to each pod |
podSecurityContext | object | `{}` | |
priorityClassName | string | `""` | |
proxyVarsAsSecrets | bool | `true` | |
readinessProbe | object | `{"enabled":true,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Configure Kubernetes readiness probes |
replicaCount | int | `1` | |
resources | object | `{}` | |
securityContext | object | `{"enabled":false,"runAsNonRoot":true}` | Configure the Kubernetes security context for the container. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
service.annotations | object | `{}` | Service annotations for the GUI |
service.loadBalancerIP | string | `nil` | Load balancer IP for the GUI |
service.loadBalancerSourceRanges | list | `nil` | List of IP CIDRs allowed access to the load balancer (if supported) |
service.port | int | `80` | Kubernetes port where the GUI is exposed |
service.type | string | `"ClusterIP"` | Kubernetes service type for the GUI |
serviceAccount.annotations | object | `{}` | |
serviceAccount.enabled | bool | `true` | |
serviceAccount.name | string | `nil` | |
tolerations | list | `[]` | Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
topologySpreadConstraints | object | `{"enabled":false,"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"DoNotSchedule"}` | Configure Pod Topology Spread Constraints. See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Requires Kubernetes >= v1.16 |
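A pre-deploy check that covers the SSL Configuration section above and the secret-related keys in this table, added here as an example (it is not part of the chart or of oauth2-proxy). It works on values already loaded from values.yaml into a dict, flags `config.clientSecret` and `config.cookieSecret` that still carry the chart's X placeholders, checks that the cookie secret yields 16, 24 or 32 bytes the way oauth2-proxy resolves it (URL-safe base64 decode, falling back to the raw string, so a standard-alphabet value containing `+` or `/` counts at its raw length), and verifies that each `extraArgs` tls-cert/tls-key path lies under an `extraVolumeMounts` entry backed by a declared `extraVolumes` volume. `SAMPLE_VALUES`, `AES_KEY_LENGTHS` and the function names are constructed for this example.

```python
import base64
import posixpath
import re

# Constructed sample, shaped like a YAML loader's output for values.yaml; the secret placeholders mirror the chart defaults.
SAMPLE_VALUES = {
    "config": {"clientID": "my-client-id", "clientSecret": "XXXXXXXX",
               "cookieSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"},
    "extraArgs": {"tls-cert": "/path/to/cert.pem", "tls-key": "/path/to/cert.key"},
    "extraVolumes": [{"name": "ssl-cert", "secret": {"secretName": "my-ssl-secret"}}],
    "extraVolumeMounts": [{"mountPath": "/path/to/", "name": "ssl-cert"}],
}
AES_KEY_LENGTHS = (16, 24, 32)  # cookie secret sizes oauth2-proxy accepts

def is_placeholder(value):
    """Chart defaults for secrets are runs of 'X'; missing, empty or all-X means never replaced."""
    return not isinstance(value, str) or value.strip("Xx") == ""

def cookie_secret_bytes(secret):
    """Mirror oauth2-proxy: URL-safe base64 if it yields an AES key length, else the raw bytes."""
    padded = secret + "=" * (-len(secret) % 4)
    if re.fullmatch(r"[A-Za-z0-9_-]+={0,2}", padded):
        decoded = base64.urlsafe_b64decode(padded)
        if len(decoded) in AES_KEY_LENGTHS:
            return decoded
    return secret.encode()

def under_mount(path, mount_path):
    """True when an absolute container path lies below mount_path ('/' covers everything)."""
    mount_path = mount_path.rstrip("/") or "/"
    return posixpath.commonpath([path, mount_path]) == mount_path

def check_values(values):
    """Return a list of findings for a values dict; an empty list means every check passed."""
    findings = []
    cfg = values.get("config", {})
    for key in ("clientSecret", "cookieSecret"):
        if is_placeholder(cfg.get(key)):
            findings.append(f"config.{key} is empty or still the chart placeholder")
    if len(cookie_secret_bytes(str(cfg.get("cookieSecret", "")))) not in AES_KEY_LENGTHS:
        findings.append("config.cookieSecret must decode to 16, 24 or 32 bytes")
    mounts = {m["name"]: m["mountPath"] for m in values.get("extraVolumeMounts", [])}
    volumes = {v["name"] for v in values.get("extraVolumes", [])}
    for arg in ("tls-cert", "tls-key"):
        path = values.get("extraArgs", {}).get(arg)
        # Each TLS file must sit below a mount whose backing volume is actually declared.
        if path and not any(n in volumes and under_mount(path, mp) for n, mp in mounts.items()):
            findings.append(f"extraArgs.{arg}={path} is not under a declared extraVolumeMount")
    return findings
```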
Changelog
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click here.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[1.0.0]
Changed
- This version upgrades oauth2-proxy to v4.0.0. Please see the changelog in order to upgrade.
[2.0.0]
Changed
- Support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`. See the v1.16 API deprecations page for more information. Due to this issue there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
[3.0.0]
Changed
- Support for EKS IAM roles for service accounts by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set `serviceAccount.enabled` to `false`.
[4.0.0]
Changed
- This is a breaking change as the chart was moved to k8s-at-home. No other change on top of the 3.x.x branch.
[5.0.0]
Changed
- Not many breaking changes. See the changelog for oauth2-proxy, specifically the section "Breaking Changes" for a few configuration changes, particularly to do with the Azure provider.
[5.0.1]
Added
- N/A
Changed
- Use helm-docs
Removed
- N/A
[5.0.4]
Added
- Added icon url.
Changed
- N/A
Removed
- N/A
[5.0.5]
Fixed
- Update oauth2-proxy website URLs.
Support
Autogenerated from chart metadata using helm-docs v1.5.0