2 quayRepository: quay.io
4 # Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).
5 # This is especially useful for `helm template` as capabilities are always empty
6 # due to the fact that it doesn't query an actual cluster
9 # Oauth client configuration specifics
11 # Add config annotations
16 clientSecret: "XXXXXXXX"
17 # Create a new secret with the following command
18 # openssl rand -base64 32 | head -c 32 | base64
19 # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
21 # existingSecret: secret
22 cookieSecret: "XXXXXXXXXXXXXXXX"
23 # The name of the cookie that oauth2-proxy will create
24 # If left empty, it will default to the release name
28 # useApplicationDefaultCredentials: true
29 # targetPrincipal: xxxx
30 # serviceAccountJson: xxxx
31 # Alternatively, use an existing secret (see google-secret.yaml for required fields)
33 # existingSecret: google-secret
36 # - group1@example.com
37 # - group2@example.com
38 # Default configuration, to be overridden
40 email_domains = [ "*" ]
41 upstreams = [ "file:///dev/null" ]
42 # Custom configuration file: oauth2_proxy.cfg
44 # pass_basic_auth = false
45 # pass_access_token = true
46 # Use an existing config map (see configmap.yaml for required fields)
48 # existingConfig: config
52 # Add config annotations
54 # Arbitrary configuration data to append to the server section
56 # Arbitrary configuration data to append to the metrics section
58 # Arbitrary configuration data to append
60 # Use an existing config map (see configmap-alpha.yaml for required fields)
64 #repository: "quay.io/oauth2-proxy/oauth2-proxy"
65 repository: "oauth2-proxy/oauth2-proxy"
66 # appVersion is used by default
68 pullPolicy: "IfNotPresent"
70 # Optionally specify an array of imagePullSecrets.
71 # Secrets must be manually created in the namespace.
72 # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
74 # - name: myRegistryKeySecretName
76 # Set a custom containerPort if required.
77 # This will default to 4180 if this value is not set and the httpScheme set to http
78 # This will default to 4443 if this value is not set and the httpScheme set to https
84 # -- Custom labels to add into metadata
87 # To authorize individual email addresses
88 # That is part of extraArgs but since this needs special treatment we need to do a separate section
89 authenticatedEmailsFile:
91 # Defines how the email addresses file will be projected, via a configmap or secret
92 persistence: configmap
93 # template is the name of the configmap what contains the email user list but has been configured without this chart.
94 # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
95 # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the
96 # provided value in restrictedUserAccessKey field.
98 # The configmap/secret key under which the list of email access is stored
99 # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
100 restrictedUserAccessKey: ""
103 # restricted_access: |-
106 # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
107 # config map resource.
108 restricted_access: ""
110 # helm.sh/resource-policy: keep
114 # when service.type is ClusterIP ...
115 # clusterIP: 192.0.2.20
116 # when service.type is LoadBalancer ...
117 # loadBalancerIP: 198.51.100.40
118 # loadBalancerSourceRanges: 203.0.113.0/24
119 # when service.type is NodePort ...
122 # Protocol set on the service
127 ## Create or use ServiceAccount
129 ## Specifies whether a ServiceAccount should be created
131 ## The name of the ServiceAccount to use.
132 ## If not set and create is true, a name is generated using the fullname template
134 automountServiceAccountToken: true
141 # Only used if API capabilities (networking.k8s.io/v1) allow it
142 pathType: ImplementationSpecific
143 # Used to create an Ingress record.
145 # - chart-example.local
146 # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
147 # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
150 # pathType: ImplementationSpecific
155 # name: use-annotation
157 # kubernetes.io/ingress.class: nginx
158 # kubernetes.io/tls-acme: "true"
160 # Secrets must be manually created in the namespace.
161 # - secretName: chart-example-tls
163 # - chart-example.local
174 # - name: ca-bundle-cert
176 # secretName: <secret-name>
178 extraVolumeMounts: []
179 # - mountPath: /etc/ssl/certs/
180 # name: ca-bundle-cert
182 # Additional containers to be added to the pod.
185 # image: nginx:latest
187 priorityClassName: ""
189 # Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts.
192 # ip: "10.xxx.xxx.xxx"
193 # hostname: "auth.example.com"
195 # [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
196 # Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
197 # topologySpreadConstraints: []
199 # Affinity for pod assignment
200 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
203 # Tolerations for pod assignment
204 # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
207 # Node labels for pod assignment
208 # Ref: https://kubernetes.io/docs/user-guide/node-selection/
211 # Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
212 proxyVarsAsSecrets: true
214 # Configure Kubernetes liveness and readiness probes.
215 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
216 # Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
219 initialDelaySeconds: 0
224 initialDelaySeconds: 0
229 # Configure Kubernetes security context for container
230 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
234 # allowPrivilegeEscalation: false
237 deploymentAnnotations: {}
241 revisionHistoryLimit: 10
243 ## PodDisruptionBudget settings
244 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
249 # Configure Kubernetes security context for pod
250 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
251 podSecurityContext: {}
253 # whether to use http or https
256 # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
257 # Alternatively supply an existing secret which contains the required information.
262 # One row for each user
265 # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy
267 # Configure the session storage type, between cookie and redis
269 # Can be one of the supported session storage cookie|redis
272 # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
274 # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
276 # Key of the Kubernetes secret data containing the redis password value
277 passwordKey: "redis-password"
278 # Can be one of standalone|cluster|sentinel
279 clientType: "standalone"
281 # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
284 # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
287 # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
289 # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
291 # Key of the Kubernetes secret data containing the redis sentinel password value
292 passwordKey: "redis-sentinel-password"
293 # Redis sentinel master name
295 # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
298 # Enables and configure the automatic deployment of the redis subchart
300 # provision an instance of the redis sub-chart
302 # Redis specific helm chart settings, please see:
303 # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
309 # Enables apiVersion deprecation checks
310 checkDeprecation: true
313 # Enable Prometheus metrics endpoint
315 # Serve Prometheus metrics on this port
317 # when service.type is NodePort ...
319 # Protocol set on the service for the metrics port
323 # Enable Prometheus Operator ServiceMonitor
325 # Define the namespace where to deploy the ServiceMonitor resource
327 # Prometheus Instance definition
328 prometheusInstance: default
329 # Prometheus scrape interval
331 # Prometheus scrape timeout
333 # Add custom labels to the ServiceMonitor resource
336 # Extra K8s manifests to deploy
338 # - apiVersion: secrets-store.csi.x-k8s.io/v1
339 # kind: SecretProviderClass
341 # name: oauth2-proxy-secrets-store
346 # - objectName: "oauth2-proxy"
347 # objectType: "secretsmanager"
349 # - path: "client_id"
350 # objectAlias: "client-id"
351 # - path: "client_secret"
352 # objectAlias: "client-secret"
353 # - path: "cookie_secret"
354 # objectAlias: "cookie-secret"
358 # objectName: client-id
359 # - key: client-secret
360 # objectName: client-secret
361 # - key: cookie-secret
362 # objectName: cookie-secret
363 # secretName: oauth2-proxy-secrets-store