[AUTHENTICATION] New Oslo version 90/139590/7
authorAndreas Geissler <andreas-geissler@telekom.de>
Thu, 28 Nov 2024 13:09:55 +0000 (14:09 +0100)
committerAndreas Geissler <andreas-geissler@telekom.de>
Mon, 9 Dec 2024 13:01:59 +0000 (14:01 +0100)
Update for the latest Keycloak version (26.0.x)
Additional support for REALM options.
Add Authorization support
Update keycloak-config-cli and oauth2-proxy charts

Issue-ID: OOM-3306

Change-Id: I1e1d4b7afbaf52bc33904a1589efc25cf578d7a6
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
24 files changed:
kubernetes/authentication/Chart.yaml
kubernetes/authentication/README.md
kubernetes/authentication/components/keycloak-config-cli/Chart.yaml
kubernetes/authentication/components/keycloak-config-cli/values.yaml
kubernetes/authentication/components/oauth2-proxy/Chart.yaml
kubernetes/authentication/components/oauth2-proxy/README.md
kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml [new file with mode: 0644]
kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml
kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh [changed mode: 0644->0755]
kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml [new file with mode: 0644]
kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml
kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml
kubernetes/authentication/components/oauth2-proxy/templates/service.yaml
kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml
kubernetes/authentication/components/oauth2-proxy/values.yaml
kubernetes/authentication/templates/_utils.tpl
kubernetes/authentication/values.yaml
kubernetes/onap/Chart.yaml

index e8400ae..d178f38 100644 (file)
@@ -16,7 +16,7 @@
 # limitations under the License.
 # ============LICENSE_END=========================================================
 apiVersion: v2
-version: 14.0.1
+version: 15.0.0
 description: ONAP Realm creation, Oauth2Proxy installation and configuration
 name: authentication
 sources:
@@ -31,8 +31,8 @@ dependencies:
     version: ~13.x-0
     repository: '@local'
   - name: onap-keycloak-config-cli
-    version: 5.12.0
+    version: 6.1.6
     repository: 'file://components/keycloak-config-cli'
   - name: onap-oauth2-proxy
-    version: 7.5.4
+    version: 7.8.0
     repository: 'file://components/oauth2-proxy'
index 306e2f9..c2332b4 100644 (file)
@@ -27,20 +27,24 @@ This sections sets the realm general attributes shown in Keycloak
 realmSettings:
   - name: <Realm ID>                - unique ID for a realm (e.g. "ONAP")
     displayName: <Display Name>     - (optional) Keycloak Display Name (e.g. "ONAP Realm")
+    accessTokenLifespan:            - (optional) Access Tolek Lifespan (default: 1900)
+    registrationAllowed:            - (optional) Enable/disable the registration page (default: false)
+    resetPasswordAllowed:           - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true)
+    sslRequired:                    - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external")
     themes:                         - (optional) Keycloak Theme settings
       login: <login theme>          - (optional) Keycloak Theme for Login UI (e.g. "base")
       admin: <admin theme>          - (optional) Keycloak Theme for Admin UI (e.g. "base")
       account: <account theme>      - (optional) Keycloak Theme for Account UI (e.g. "base")
       email: <email theme>          - (optional) Keycloak Theme for Email UI (e.g. "base")
-    attributes:
-      frontendUrl: "<Keycloak URL>" - External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/")
+    attributes:                     - (optional)
+      frontendUrl: "<Keycloak URL>" - (optional) External Url for Keycloak access (e.g. "https://keycloak-$PARAM_BASE_URL/")
 ```
 
 ### CLIENT definitions
 
 In this section each realm authentication client is defined e.g. portal-bff, oauth2-proxy, grafana
 
-possible "attribute" settings (maybe more):
+- possible "attributes" settings (maybe more):
   - id.token.as.detached.signature: "false"
   - exclude.session.state.from.auth.response: "false"
   - tls.client.certificate.bound.access.tokens: "false"
@@ -89,6 +93,7 @@ possible "attribute" settings (maybe more):
         serviceAccountsEnabled: "<false|true>"    - (optional) serviceAccountsEnabled (default: false)
         frontchannelLogout: "<false|true>"        - (optional) frontend channel logout (default: true)
         surrogateAuthRequired: "<false|true>"     - (optional) surrogate Auth Required (default: false)
+        authorizationServicesEnabled: "<false|true>" - (optional) enable Authorization Services (RBAC) (default: false)
         publicClient: "<false|true>"              - (optional) public Client (default: false)
         attributes:                               - (optional) attributes settings (see code)
           post.logout.redirect.uris: '<url>'      - example
@@ -117,32 +122,79 @@ possible "attribute" settings (maybe more):
           - "http://localhost/*"
         webOrigins:
           - "https://argocd-$PARAM_BASE_URL"
-        defaultClientScopes:
-          - "web-origins"
+        defaultClientScopes:                      - (optional) definition of default client scopes
+          - "web-origins"                         -            if used, has to contain the full scope list
           - "profile"
           - "acr"
           - "email"
           - "roles"
           - "groups"
+        optionalClientScopes:                      - (optional) definition of optional client scopes
+          - ...                                    -            if used, has to contain the full scope list
 ```
 
-### CLIENT SCOPE definitions
+#### Authorization settings within Client section (optional)
 
-Here additional scopes besides the default scopes can be defined and set as default client scope
+Information about the Keycloak Authorization Services can be found under: <https://www.keycloak.org/docs/latest/authorization_services/index.html>
 
-default scopes:
+To enable Authorization the setting shown above needs to be:
+  - authorizationServicesEnabled: true
 
-  - roles
-  - groups
-  - acr
-  - profile
-  - address
-  - web-origin
-  - phone
-  - email
-  - offline_access
-  - role_list
-  - microprofile-jwt
+```yaml
+        authorizationSettings:
+          allowRemoteResourceManagement: "<false|true>"           - (optional) managed remotely by the resource server? (default: true)
+          policyEnforcementMode: "<ENFORCING|PERMISSIVE|DISABLED>"- (optional) dictates how policies are enforced (default: ENFORCING)
+          decisionStrategy: "<UNANIMOUS|AFFIRMATIVE>"             - (optional) dictates how permissions are evaluated (default: UNANIMOUS)
+          resources:                                              - resources definitions
+            - name: "<resource name>"                             - unique name for this resource
+              displayName: "<display name>"                       - (optional) user-friendly name for the resource
+              type: "<type>"                                      - Type can be used to group different resource instances with the same type
+              ownerManagedAccess: <true|false>                    - (optional) access can be managed by the resource owner? (default: false)
+              attributes: {}                                      - (optional) The attributes associated wth the resource
+              uris:                                               - Set of URIs which are protected by resource
+                - "/*"
+                - ...
+              scopes:                                             - The scopes associated with this resource
+                - name: "<scope name1>"
+                - ...
+              icon_uri: "<uri>"                                   - (optional) A URI pointing to an icon.
+            - ...
+          policies:                                               - policy definitions
+            - name: "<policy name>"                               - unique name for this policy
+              description: "<description>"                        - (optional) A description for this policy
+              type: "<role|client|...>"                           - Choose the policy type
+              logic: "<POSITIVE|NEGATIVE>"                        - dictates how the policy decision should be made
+              roles:                                              - Specifies the client roles allowed by this policy
+                - id: "<role name>"                               - points to an existing role
+                  required: <true|false>                          - decide, whether role is required
+                ...
+            - ...
+          permissions:                                            - policy definitions
+            - name: "<permission name>"                           - unique name for this permission
+              description: "<description>"                        - (optional) A description for this permission
+              type: "<scope|resource>"                            - Choose the permission type
+              decisionStrategy: "<UNANIMOUS|AFFIRMATIVE|CONSENSUS>" - dictates how the policies associated with a given permission are evaluated
+              resources:                                          - Specifies that this permission must be applied to a specific resource instance
+                - "<resource name>"                               - points to an existing resource
+                - ...
+              scopes:                                             - Specifies that this permission must be applied to one or more scopes
+                - "<scope name>"                                  - points to an existing scope
+                - ...
+              applyPolicies:                                      - Specifies all the policies that must be applied to the scopes defined by this permission
+                - "<policy-name>"                                 - points to an existing policy
+                - ...
+            - ...
+          scopes:                                                 - scope definitions
+            - name: "<scope name>"                                - unique name for this scope
+              iconUri: "<uri>"                                    - (optional) A URI pointing to an icon.
+              displayName: "<display name>"                       - (optional) user-friendly name for the resource
+            - ...
+```
+
+### CLIENT SCOPE definitions
+
+Here additional scopes besides the default scopes can be defined and set as defaul client scope
+default scopes: roles, groups, acr, profile, address, web-origin, phone, email, offline_access, role_list, microprofile-jwt
 
 ```yaml
     defaultClientScopes:
@@ -176,13 +228,7 @@ default scopes:
 ### Access control definitions
 
 In this section additional roles (assignableRoles) besides the default roles can be set.
-
-default roles:
-  - user
-  - admin
-  - offline_access
-  - uma_authorization
-  - default-roles-<realm>
+default roles: user, admin, offline_access, uma_authorization, default-roles-<realm>
 
 (optional) accessRoles can be defined.
 These access roles are used in the Ingress "Auhorization Policy" to restrict the access to certain services
@@ -223,6 +269,8 @@ The access role is assigned to a realm client (e.g. oauth2_proxy)
           - type: password          - (optional) initial password (<pwd>: encrypted password, <salt>: used salt)
             secretData: "{\"value\":\"<pwd>\",\"salt\":\"<salt>\"}"
             credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}"
+        requiredActions:            - (optional) action, the user has to execute
+          - <action>                - e.g. "UPDATE_PASSWORD", "UPDATE_PROFILE",...
         attributes:                 - (optional) additional attributes
           sdc_user:                 - example attribute
             - "cs0008"
@@ -290,16 +338,9 @@ The access role is assigned to a realm client (e.g. oauth2_proxy)
       user: "onapsupport"
 ```
 
-## Ingress Authentication settings
+## Requirements
 
-Activating the Ingress Authentication (enabled: true) will create AuthorizationPolicy resources for each defined "accessControl.accessRoles" in a REALM definition.
+authentication needs the following ONAP projects to work:
 
-```
-ingressAuthentication:
-  enabled: false
-  exceptions:
-    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}'
-    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}'
-    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}'
-    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}'
-```
+- common
+- serviceAccount
index 80e5d27..c196bcc 100644 (file)
@@ -20,8 +20,8 @@ apiVersion: v2
 name: onap-keycloak-config-cli
 description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
 home: https://github.com/adorsys/keycloak-config-cli
-version: 5.12.0
-appVersion: 5.12.0
+version: 6.1.6
+appVersion: 6.1.6
 maintainers:
   - name: jkroepke
     email: joe@adorsys.de
index 46c67dd..9574d14 100644 (file)
@@ -23,7 +23,7 @@ nameOverride: ""
 
 image:
   repository: adorsys/keycloak-config-cli
-  tag: "{{ .Chart.AppVersion }}-22.0.4"
+  tag: "{{ .Chart.AppVersion }}-25.0.6"
   pullPolicy: IfNotPresent
   ## Optionally specify an array of imagePullSecrets.
   ## Secrets must be manually created in the namespace.
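Review bot: The new image tag on the changed line, `tag: "{{ .Chart.AppVersion }}-25.0.6"`, selects the keycloak-config-cli build suffixed for Keycloak 25.0.6, whereas the commit message says this update targets Keycloak 26.0.x; the tag pattern in this hunk (cli version plus a Keycloak version suffix) suggests the image is built per Keycloak server version, so a mismatch with the deployed server (not visible here) may only show up as import failures at runtime. If the server is on 26.0.x, the suffix should follow the published tag for that series, e.g. `tag: "{{ .Chart.AppVersion }}-<KEYCLOAK_SERVER_VERSION>"` (placeholder); if 25.0.6 is intentional, a comment above the line such as `# suffix = Keycloak server version this config-cli build targets; keep in sync with the keycloak chart` would record that. The `image:` mapping continues past the end of the hunk.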
index 3bcf687..300ed09 100644 (file)
@@ -1,7 +1,7 @@
 name: onap-oauth2-proxy
-version: 7.5.4
+version: 7.8.0
 apiVersion: v2
-appVersion: 7.6.0
+appVersion: 7.7.1
 home: https://oauth2-proxy.github.io/oauth2-proxy/
 description: A reverse proxy that provides authentication with Google, Github or other providers
 keywords:
@@ -14,7 +14,7 @@ keywords:
   - redis
 dependencies:
   - name: redis
-    version: 19.1.0
+    version: 20.3.0
     repository: https://charts.bitnami.com/bitnami
     alias: redis
     condition: redis.enabled
@@ -38,11 +38,11 @@ maintainers:
     email: joel.speed@hotmail.co.uk
   - name: pierluigilenoci
     email: pierluigi.lenoci@gmail.com
-kubeVersion: ">=1.9.0-0"
+kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: Wait for redis script fixes for cluster and sentinel
+    - kind: added
+      description: allow templates in annotations
       links:
         - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/issues/205
+          url: https://github.com/oauth2-proxy/manifests/pull/256
index 55a5e44..0dc6c13 100644 (file)
@@ -1,6 +1,6 @@
 # oauth2-proxy
 
-[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
+[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group.
 
 ## TL;DR;
 
@@ -21,7 +21,8 @@ To install the chart with the release name `my-release`:
 $ helm install my-release oauth2-proxy/oauth2-proxy
 ```
 
-The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration.
+The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
 ## Uninstalling the Chart
 
@@ -35,34 +36,37 @@ The command removes all the Kubernetes components associated with the chart and
 
 ## Upgrading an existing Release to a new major version
 
-A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
-incompatible breaking change needing manual actions.
+A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions.
 
 ### To 1.0.0
 
-This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
+This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400).
 
 ### To 2.0.0
 
-Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`.  See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
+Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation.
+See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
 
-Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
+Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
 
 ### To 3.0.0
 
-Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart.  This is a breaking change since the service account is enabled by default.  To disable this behaviour set `serviceAccount.enabled` to `false`
+Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart.
+This is a breaking change since the service account is enabled by default.
+To disable this behaviour set `serviceAccount.enabled` to `false`
 
 ### To 4.0.0
 
 Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**.
-Therefore the `ingress.extraPaths` parameter needs to be updated to the new format.
+Therefore, the `ingress.extraPaths` parameter must be updated to the new format.
 See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information.
 
 For the same reason `service.port` was renamed to `service.portNumber`.
 
 ### To 5.0.0
 
-Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent.
+Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/).
+This is a breaking change because many labels of all resources need to be updated to stay consistent.
 
 In order to upgrade, delete the Deployment before upgrading:
 
@@ -80,140 +84,157 @@ For users who don't want downtime, you can perform these actions:
 
 ### To 6.0.0
 
-Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions.
+Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0.
+You probably need to adjust your Redis configuration.
+See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions.
+
+### To 7.0.0
+
+Version 7.0.0 introduces a new implementation to support multiple hostAliases.
+You probably need to adjust your hostAliases config.
+See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information.
 
 ## Configuration
 
 The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
 
-Parameter | Description | Default
---- | --- | ---
-`affinity` | node/pod affinities | None
-`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false`
-`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap`
-`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""`
-`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""`
-`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""`
-`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil`
-`config.clientID` | oauth client ID | `""`
-`config.clientSecret` | oauth client secret | `""`
-`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""`
-`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil`
-`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""`
-`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil`
-`config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""`
-`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false`
-`alphaConfig.annotations` | Configmap annotations | `{}`
-`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}`
-`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}`
-`alphaConfig.configData` | Arbitrary configuration data to append | `{}`
-`alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""`
-`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil`
-`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil`
-`customLabels` | Custom labels to add into metadata | `{}` |
-`config.google.adminEmail` | user impersonated by the google service account | `""`
-`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false`
-`config.google.targetPrincipal` | service account to use/impersonate | `""`
-`config.google.serviceAccountJson` | google service account json contents | `""`
-`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil`
-`config.google.groups` | restrict logins to members of these google groups | `[]`
-`containerPort` | used to customise port on the deployment | `""`
-`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]`
-`extraContainers` | List of extra containers to be added to the pod | `[]`
-`extraEnv` | key:value list of extra environment variables to give the binary | `[]`
-`extraVolumes` | list of extra volumes | `[]`
-`extraVolumeMounts` | list of extra volumeMounts | `[]`
-`hostAliases`  | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution.
-`htpasswdFile.enabled` | enable htpasswd-file option | `false`
-`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}`
-`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""`
-`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http`
-`image.pullPolicy` | Image pull policy | `IfNotPresent`
-`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy`
-`image.tag` | Image tag | `""` (defaults to appVersion)
-`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods)
-`ingress.enabled` | Enable Ingress | `false`
-`ingress.className` | name referencing IngressClass | `nil`
-`ingress.path` | Ingress accepted path | `/`
-`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific`
-`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]`
-`ingress.labels` | Ingress extra labels | `{}`
-`ingress.annotations` | Ingress annotations | `nil`
-`ingress.hosts` | Ingress accepted hostnames | `nil`
-`ingress.tls` | Ingress TLS configuration | `nil`
-`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true`
-`initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent`
-`initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl`
-`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
-`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true`
-`initContainers.waitForRedis.timeout` | number of seconds | 180
-`initContainers.waitForRedis.resources` | pod resource requests & limits | `{}`
-`livenessProbe.enabled`  | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
-`livenessProbe.initialDelaySeconds` | number of seconds | 0
-`livenessProbe.timeoutSeconds` | number of seconds | 1
-`namespaceOverride` | Override the deployment namespace | `""`
-`nodeSelector` | node labels for pod assignment | `{}`
-`deploymentAnnotations` | annotations to add to the deployment | `{}`
-`podAnnotations` | annotations to add to each pod | `{}`
-`podLabels` | additional labesl to add to each pod | `{}`
-`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true
-`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1
-`podSecurityContext` | Kubernetes security context to apply to pod | `{}`
-`priorityClassName` | priorityClassName | `nil`
-`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
-`readinessProbe.initialDelaySeconds` | number of seconds | 0
-`readinessProbe.timeoutSeconds` | number of seconds | 5
-`readinessProbe.periodSeconds` | number of seconds | 10
-`readinessProbe.successThreshold` | number of successes | 1
-`replicaCount` | desired number of pods | `1`
-`resources` | pod resource requests & limits | `{}`
-`revisionHistoryLimit` | maximum number of revisions maintained | 10
-`service.portNumber` | port number for the service | `80`
-`service.appProtocol` | application protocol on the port of the service | `http`
-`service.type` | type of service | `ClusterIP`
-`service.clusterIP` | cluster ip address | `nil`
-`service.loadBalancerIP` | ip of load balancer | `nil`
-`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil`
-`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil`
-`serviceAccount.enabled` | create a service account | `true`
-`serviceAccount.name` | the service account name | ``
-`serviceAccount.annotations` | (optional) annotations for the service account | `{}`
-`strategy` | configure deployment strategy | `{}`
-`tolerations` | list of node taints to tolerate | `[]`
-`securityContext.enabled` | enable Kubernetes security context on container | `true`
-`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
-`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
-`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""`
-`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil`
-`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password`
-`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone`
-`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""`
-`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]`
-`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""`
-`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil`
-`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password`
-`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil`
-`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]`
-`topologySpreadConstraints` | List of pod topology spread constraints | `[]`
-`redis.enabled` | Enable the redis subchart deployment | `false`
-`checkDeprecation` | Enable deprecation checks | `true`
-`metrics.enabled` | Enable Prometheus metrics endpoint | `true`
-`metrics.port` | Serve Prometheus metrics on this port | `44180`
-`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil`
-`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http`
-`metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false`
-`metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""`
-`metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default`
-`metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s`
-`metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s`
-`metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}`
-`metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.| `""`
-`metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the endpoint. For example if using istio mTLS.| `{}`
-`metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file.| `""`
-`metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster| `{}`
-`metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion.| `[]`
-`metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion.| `[]`
-`extraObjects` | Extra K8s manifests to deploy | `[]`
+| Parameter                                             | Description                                                                                                                                                                                                                                                      | Default                                                                          |
+|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
+| `affinity`                                            | node/pod affinities                                                                                                                                                                                                                                              | None                                                                             |
+| `authenticatedEmailsFile.enabled`                     | Enables authorize individual e-mail addresses                                                                                                                                                                                                                    | `false`                                                                          |
+| `authenticatedEmailsFile.persistence`                 | Defines how the e-mail addresses file will be projected, via a configmap or secret                                                                                                                                                                               | `configmap`                                                                      |
+| `authenticatedEmailsFile.template`                    | Name of the configmap or secret that is handled outside of that chart                                                                                                                                                                                            | `""`                                                                             |
+| `authenticatedEmailsFile.restrictedUserAccessKey`     | The key of the configmap or secret that holds the e-mail addresses list                                                                                                                                                                                          | `""`                                                                             |
+| `authenticatedEmailsFile.restricted_access`           | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config                                                                                                                                        | `""`                                                                             |
+| `authenticatedEmailsFile.annotations`                 | configmap or secret annotations                                                                                                                                                                                                                                  | `nil`                                                                            |
+| `config.clientID`                                     | oauth client ID                                                                                                                                                                                                                                                  | `""`                                                                             |
+| `config.clientSecret`                                 | oauth client secret                                                                                                                                                                                                                                              | `""`                                                                             |
+| `config.cookieSecret`                                 | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64`                                                                                                                                                   | `""`                                                                             |
+| `config.existingSecret`                               | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values                                | `nil`                                                                            |
+| `config.configFile`                                   | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line                                                                      | `""`                                                                             |
+| `config.existingConfig`                               | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values                                                 | `nil`                                                                            |
+| `config.cookieName`                                   | The name of the cookie that oauth2-proxy will create.                                                                                                                                                                                                            | `""`                                                                             |
+| `autoscaling.enabled`                                 | Deploy a Horizontal Pod Autoscaler.                                                                                                                                                                                                                              | `false`                                                                          |
+| `autoscaling.minReplicas`                             | Minimum replicas for the Horizontal Pod Autoscaler.                                                                                                                                                                                                              | `1`                                                                              |
+| `autoscaling.maxReplicas`                             | Maximum replicas for the Horizontal Pod Autoscaler.                                                                                                                                                                                                              | `10`                                                                             |
+| `autoscaling.targetCPUUtilizationPercentage`          | Horizontal Pod Autoscaler setting.                                                                                                                                                                                                                               | `80`                                                                             |
+| `autoscaling.targetMemoryUtilizationPercentage`       | Horizontal Pod Autoscaler setting.                                                                                                                                                                                                                               | ``                                                                               |
+| `autoscaling.annotations`                             | Horizontal Pod Autoscaler annotations.                                                                                                                                                                                                                           | `{}`                                                                             |
+| `alphaConfig.enabled`                                 | Flag to toggle any alpha config-related logic                                                                                                                                                                                                                    | `false`                                                                          |
+| `alphaConfig.annotations`                             | Configmap annotations                                                                                                                                                                                                                                            | `{}`                                                                             |
+| `alphaConfig.serverConfigData`                        | Arbitrary configuration data to append to the server section                                                                                                                                                                                                     | `{}`                                                                             |
+| `alphaConfig.metricsConfigData`                       | Arbitrary configuration data to append to the metrics section                                                                                                                                                                                                    | `{}`                                                                             |
+| `alphaConfig.configData`                              | Arbitrary configuration data to append                                                                                                                                                                                                                           | `{}`                                                                             |
+| `alphaConfig.configFile`                              | Arbitrary configuration to append, treated as a Go template and rendered with the root context                                                                                                                                                                   | `""`                                                                             |
+| `alphaConfig.existingConfig`                          | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values                                        | `nil`                                                                            |
+| `alphaConfig.existingSecret`                          | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values                                           | `nil`                                                                            |
+| `customLabels`                                        | Custom labels to add into metadata                                                                                                                                                                                                                               | `{}`                                                                             |
+| `config.google.adminEmail`                            | user impersonated by the Google service account                                                                                                                                                                                                                  | `""`                                                                             |
+| `config.google.useApplicationDefaultCredentials`      | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON                                                                                                                                              | `false`                                                                          |
+| `config.google.targetPrincipal`                       | service account to use/impersonate                                                                                                                                                                                                                               | `""`                                                                             |
+| `config.google.serviceAccountJson`                    | Google service account JSON contents                                                                                                                                                                                                                             | `""`                                                                             |
+| `config.google.existingConfig`                        | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values                                    | `nil`                                                                            |
+| `config.google.groups`                                | restrict logins to members of these Google groups                                                                                                                                                                                                                | `[]`                                                                             |
+| `containerPort`                                       | used to customize port on the deployment                                                                                                                                                                                                                         | `""`                                                                             |
+| `extraArgs`                                           | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]`                                                                     |
+| `extraContainers`                                     | List of extra containers to be added to the pod                                                                                                                                                                                                                  | `[]`                                                                             |
+| `extraEnv`                                            | key:value list of extra environment variables to give the binary                                                                                                                                                                                                 | `[]`                                                                             |
+| `extraVolumes`                                        | list of extra volumes                                                                                                                                                                                                                                            | `[]`                                                                             |
+| `extraVolumeMounts`                                   | list of extra volumeMounts                                                                                                                                                                                                                                       | `[]`                                                                             |
+| `hostAliases`                                         | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution.                                                                                                                                                                          |                                                                                  |
+| `htpasswdFile.enabled`                                | enable htpasswd-file option                                                                                                                                                                                                                                      | `false`                                                                          |
+| `htpasswdFile.entries`                                | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options)                                                                                                                                      | `{}`                                                                             |
+| `htpasswdFile.existingSecret`                         | existing Kubernetes secret to use for OAuth2 htpasswd file                                                                                                                                                                                                       | `""`                                                                             |
+| `httpScheme`                                          | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service.                                                                      | `http`                                                                           |
+| `image.pullPolicy`                                    | Image pull policy                                                                                                                                                                                                                                                | `IfNotPresent`                                                                   |
+| `image.command`                                       | Define command to be executed by container at startup                                                                                                                                                                                                            | `[]`                                                                             |
+| `image.repository`                                    | Image repository                                                                                                                                                                                                                                                 | `quay.io/oauth2-proxy/oauth2-proxy`                                              |
+| `image.tag`                                           | Image tag                                                                                                                                                                                                                                                        | `""` (defaults to appVersion)                                                    |
+| `imagePullSecrets`                                    | Specify image pull secrets                                                                                                                                                                                                                                       | `nil` (does not add image pull secrets to deployed pods)                         |
+| `ingress.enabled`                                     | Enable Ingress                                                                                                                                                                                                                                                   | `false`                                                                          |
+| `ingress.className`                                   | name referencing IngressClass                                                                                                                                                                                                                                    | `nil`                                                                            |
+| `ingress.path`                                        | Ingress accepted path                                                                                                                                                                                                                                            | `/`                                                                              |
+| `ingress.pathType`                                    | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types)                                                                                                                                                                 | `ImplementationSpecific`                                                         |
+| `ingress.extraPaths`                                  | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/).                            | `[]`                                                                             |
+| `ingress.labels`                                      | Ingress extra labels                                                                                                                                                                                                                                             | `{}`                                                                             |
+| `ingress.annotations`                                 | Ingress annotations                                                                                                                                                                                                                                              | `nil`                                                                            |
+| `ingress.hosts`                                       | Ingress accepted hostnames                                                                                                                                                                                                                                       | `nil`                                                                            |
+| `ingress.tls`                                         | Ingress TLS configuration                                                                                                                                                                                                                                        | `nil`                                                                            |
+| `initContainers.waitForRedis.enabled`                 | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod                                             | `true`                                                                           |
+| `initContainers.waitForRedis.image.pullPolicy`        | kubectl image pull policy                                                                                                                                                                                                                                        | `IfNotPresent`                                                                   |
+| `initContainers.waitForRedis.image.repository`        | kubectl image repository                                                                                                                                                                                                                                         | `docker.io/bitnami/kubectl`                                                      |
+| `initContainers.waitForRedis.kubectlVersion`          | kubectl version to use for the init container                                                                                                                                                                                                                    | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
+| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container                                                                                                                                                                                                                  | `true`                                                                           |
+| `initContainers.waitForRedis.timeout`                 | number of seconds                                                                                                                                                                                                                                                | 180                                                                              |
+| `initContainers.waitForRedis.resources`               | pod resource requests & limits                                                                                                                                                                                                                                   | `{}`                                                                             |
+| `livenessProbe.enabled`                               | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks)                                                                                                             | `true`                                                                           |
+| `livenessProbe.initialDelaySeconds`                   | number of seconds                                                                                                                                                                                                                                                | 0                                                                                |
+| `livenessProbe.timeoutSeconds`                        | number of seconds                                                                                                                                                                                                                                                | 1                                                                                |
+| `namespaceOverride`                                   | Override the deployment namespace                                                                                                                                                                                                                                | `""`                                                                             |
+| `nodeSelector`                                        | node labels for pod assignment                                                                                                                                                                                                                                   | `{}`                                                                             |
+| `deploymentAnnotations`                               | annotations to add to the deployment                                                                                                                                                                                                                             | `{}`                                                                             |
+| `podAnnotations`                                      | annotations to add to each pod                                                                                                                                                                                                                                   | `{}`                                                                             |
+| `podLabels`                                           | additional labels to add to each pod                                                                                                                                                                                                                             | `{}`                                                                             |
+| `podDisruptionBudget.enabled`                         | Enabled creation of PodDisruptionBudget (only if replicaCount > 1)                                                                                                                                                                                               | true                                                                             |
+| `podDisruptionBudget.minAvailable`                    | minAvailable parameter for PodDisruptionBudget                                                                                                                                                                                                                   | 1                                                                                |
+| `podSecurityContext`                                  | Kubernetes security context to apply to pod                                                                                                                                                                                                                      | `{}`                                                                             |
+| `priorityClassName`                                   | priorityClassName                                                                                                                                                                                                                                                | `nil`                                                                            |
+| `readinessProbe.enabled`                              | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks)                                                                                                            | `true`                                                                           |
+| `readinessProbe.initialDelaySeconds`                  | number of seconds                                                                                                                                                                                                                                                | 0                                                                                |
+| `readinessProbe.timeoutSeconds`                       | number of seconds                                                                                                                                                                                                                                                | 5                                                                                |
+| `readinessProbe.periodSeconds`                        | number of seconds                                                                                                                                                                                                                                                | 10                                                                               |
+| `readinessProbe.successThreshold`                     | number of successes                                                                                                                                                                                                                                              | 1                                                                                |
+| `replicaCount`                                        | desired number of pods                                                                                                                                                                                                                                           | `1`                                                                              |
+| `resources`                                           | pod resource requests & limits                                                                                                                                                                                                                                   | `{}`                                                                             |
+| `revisionHistoryLimit`                                | maximum number of revisions maintained                                                                                                                                                                                                                           | 10                                                                               |
+| `service.portNumber`                                  | port number for the service                                                                                                                                                                                                                                      | `80`                                                                             |
+| `service.appProtocol`                                 | application protocol on the port of the service                                                                                                                                                                                                                  | `http`                                                                           |
+| `service.externalTrafficPolicy`                       | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints                                                                                                                                                                 | `Cluster`                                                                        |
+| `service.internalTrafficPolicy`                       | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints                                                                                                                                                                 | `Cluster`                                                                        |
+| `service.type`                                        | type of service                                                                                                                                                                                                                                                  | `ClusterIP`                                                                      |
+| `service.clusterIP`                                   | cluster ip address                                                                                                                                                                                                                                               | `nil`                                                                            |
+| `service.loadBalancerIP`                              | ip of load balancer                                                                                                                                                                                                                                              | `nil`                                                                            |
+| `service.loadBalancerSourceRanges`                    | allowed source ranges in load balancer                                                                                                                                                                                                                           | `nil`                                                                            |
+| `service.nodePort`                                    | external port number for the service when service.type is `NodePort`                                                                                                                                                                                             | `nil`                                                                            |
+| `serviceAccount.enabled`                              | create a service account                                                                                                                                                                                                                                         | `true`                                                                           |
+| `serviceAccount.name`                                 | the service account name                                                                                                                                                                                                                                         | ``                                                                               |
+| `serviceAccount.annotations`                          | (optional) annotations for the service account                                                                                                                                                                                                                   | `{}`                                                                             |
+| `strategy`                                            | configure deployment strategy                                                                                                                                                                                                                                    | `{}`                                                                             |
+| `tolerations`                                         | list of node taints to tolerate                                                                                                                                                                                                                                  | `[]`                                                                             |
+| `securityContext.enabled`                             | enable Kubernetes security context on container                                                                                                                                                                                                                  | `true`                                                                           |
+| `proxyVarsAsSecrets`                                  | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv                                  | `true`                                                                           |
+| `sessionStorage.type`                                 | Session storage type which can be one of the following: cookie or Redis                                                                                                                                                                                          | `cookie`                                                                         |
+| `sessionStorage.redis.existingSecret`                 | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`)                                                                                                                                | `""`                                                                             |
+| `sessionStorage.redis.password`                       | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence                                                                                                     | `nil`                                                                            |
+| `sessionStorage.redis.passwordKey`                    | Key of the Kubernetes secret data containing the Redis password value                                                                                                                                                                                            | `redis-password`                                                                 |
+| `sessionStorage.redis.clientType`                     | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone`                                                                                                                  | `standalone`                                                                     |
+| `sessionStorage.redis.standalone.connectionUrl`       | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set.                                                                                                                                      | `""`                                                                             |
+| `sessionStorage.redis.cluster.connectionUrls`         | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)                                                                                                                                                             | `[]`                                                                             |
+| `sessionStorage.redis.sentinel.existingSecret`        | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`                                                                                | `""`                                                                             |
+| `sessionStorage.redis.sentinel.password`              | Redis sentinel password. Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password`                                                                                                                                 | `nil`                                                                            |
+| `sessionStorage.redis.sentinel.passwordKey`           | Key of the Kubernetes secret data containing the Redis sentinel password value                                                                                                                                                                                   | `redis-sentinel-password`                                                        |
+| `sessionStorage.redis.sentinel.masterName`            | Redis sentinel master name                                                                                                                                                                                                                                       | `nil`                                                                            |
+| `sessionStorage.redis.sentinel.connectionUrls`        | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)                                                                                                                                                             | `[]`                                                                             |
+| `topologySpreadConstraints`                           | List of pod topology spread constraints                                                                                                                                                                                                                          | `[]`                                                                             |
+| `redis.enabled`                                       | Enable the Redis subchart deployment                                                                                                                                                                                                                             | `false`                                                                          |
+| `checkDeprecation`                                    | Enable deprecation checks                                                                                                                                                                                                                                        | `true`                                                                           |
+| `metrics.enabled`                                     | Enable Prometheus metrics endpoint                                                                                                                                                                                                                               | `true`                                                                           |
+| `metrics.port`                                        | Serve Prometheus metrics on this port                                                                                                                                                                                                                            | `44180`                                                                          |
+| `metrics.nodePort`                                    | External port for the metrics when service.type is `NodePort`                                                                                                                                                                                                    | `nil`                                                                            |
+| `metrics.service.appProtocol`                         | application protocol of the metrics port in the service                                                                                                                                                                                                          | `http`                                                                           |
+| `metrics.serviceMonitor.enabled`                      | Enable Prometheus Operator ServiceMonitor                                                                                                                                                                                                                        | `false`                                                                          |
+| `metrics.serviceMonitor.namespace`                    | Define the namespace where to deploy the ServiceMonitor resource                                                                                                                                                                                                 | `""`                                                                             |
+| `metrics.serviceMonitor.prometheusInstance`           | Prometheus Instance definition                                                                                                                                                                                                                                   | `default`                                                                        |
+| `metrics.serviceMonitor.interval`                     | Prometheus scrape interval                                                                                                                                                                                                                                       | `60s`                                                                            |
+| `metrics.serviceMonitor.scrapeTimeout`                | Prometheus scrape timeout                                                                                                                                                                                                                                        | `30s`                                                                            |
+| `metrics.serviceMonitor.labels`                       | Add custom labels to the ServiceMonitor resource                                                                                                                                                                                                                 | `{}`                                                                             |
+| `metrics.serviceMonitor.scheme`                       | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS.                                                                                                                                                                      | `""`                                                                             |
+| `metrics.serviceMonitor.tlsConfig`                    | TLS configuration when scraping the endpoint. For example, if using Istio mTLS.                                                                                                                                                                                  | `{}`                                                                             |
+| `metrics.serviceMonitor.bearerTokenFile`              | Path to bearer token file.                                                                                                                                                                                                                                       | `""`                                                                             |
+| `metrics.serviceMonitor.annotations`                  | Used to pass annotations that are used by the Prometheus installed in your cluster                                                                                                                                                                               | `{}`                                                                             |
+| `metrics.serviceMonitor.metricRelabelings`            | Metric relabel configs to apply to samples before ingestion.                                                                                                                                                                                                     | `[]`                                                                             |
+| `metrics.serviceMonitor.relabelings`                  | Relabel configs to apply to samples before ingestion.                                                                                                                                                                                                            | `[]`                                                                             |
+| `extraObjects`                                        | Extra K8s manifests to deploy                                                                                                                                                                                                                                    | `[]`                                                                             |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -232,7 +253,7 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml
 
 ## TLS Configuration
 
-See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
+See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/).
 Use ```values.yaml``` like:
 
 ```yaml
@@ -262,9 +283,8 @@ data:
 ```
 
 ## Extra environment variable templating
-The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template.
-This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values
-
+The extraEnv value supports the tpl function, which evaluates strings as templates inside the deployment template.
+This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values.
 
 ```yaml
 ...
@@ -315,13 +335,14 @@ extraObjects:
         </body>
         </html>
 ```
+
 ## Multi whitelist-domain configuration
-For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section.
+You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance.
 
-It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file.
-In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/)
+It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file).
+In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/).
 
-```yaml
+```
 config:
   ...
   clientID="$YOUR_GOOGLE_CLIENT_ID"
@@ -332,7 +353,7 @@ config:
     email_domains = [ "*" ]
     upstreams = [ "file:///dev/null" ]
     cookie_secure = "false"
-    cookie_domains = [ ".domain.com", ".otherdomain.io" ]
-    whitelist_domains = [ ".domain.com", ".otherdomain.io"]
+    cookie_domains = [ ".domain.com", ".example.io" ]
+    whitelist_domains = [ ".domain.com", ".example.io"]
     provider = "google"
 ```
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml
new file mode 100644 (file)
index 0000000..fd1a006
--- /dev/null
@@ -0,0 +1,5 @@
+# Enables Horizontal Pod Autoscaler and removes replica count in deployment
+autoscaling:
+  enabled: true
+  annotations:
+    test-annotations/test: "true"
index 65977d9..d217653 100644 (file)
@@ -8,6 +8,8 @@ ingress:
   tls:
     - hosts:
         - "{{ $.Release.Name }}.local"
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
 oauth2-proxy:
   checkDeprecation: false
   config:
@@ -19,3 +21,42 @@ pass_authorization_header: "true"
 
 extraArgs:
   pass-authorization-header: "{{ $.Values.pass_authorization_header }}"
+
+extraVolumes:
+  - name: "{{ $.Release.Name }}-secret"
+    secret:
+      secretName: "{{ .Release.Name }}-secret"
+      items:
+        - key: secret
+          path: secret
+
+authenticatedEmailsFile:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
+
+config:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
+
+deploymentAnnotations:
+  test-annotations/test: "{{ $.Release.Name }}"
+
+autoscaling:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
+
+alphaConfig:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
+
+service:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
+
+serviceAccount:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
+
+serviceMonitor:
+  annotations:
+    test-annotations/test: "{{ $.Release.Name }}"
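Review bot: The `extraVolumes` entry mixes two context forms: `name` uses `"{{ $.Release.Name }}"` while `secretName` on the next line uses `"{{ .Release.Name }}"`. Both render the same when `extraVolumes` is passed through `tpl` with the root context, as the deployment hunk does, but the rest of this file consistently uses `$.`, so `secretName: "{{ $.Release.Name }}-secret"` keeps the two references to the same secret visibly identical and survives if the call site ever moves inside a `range` or `with`. The top-level `serviceMonitor:` stanza at the end also looks out of place next to the README's `metrics.serviceMonitor.*` parameters; unless the chart reads a top-level `serviceMonitor` key, that annotation is never rendered and the test exercises nothing — worth confirming against the ServiceMonitor template, which is not in this chunk.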
old mode 100644 (file)
new mode 100755 (executable)
index 24e628f..62dd9b6
@@ -24,7 +24,16 @@ check_redis() {
 # For parsing and checking connections
 parse_and_check() {
     url=$1
-    clean_url=${url#redis://}
+
+    # Strip either redis:// or rediss://
+    if [ $url = "rediss://*" ]; then
+        clean_url=${url#rediss://}
+        echo "Using secure Rediss connection..."
+    else
+        clean_url=${url#redis://}
+        echo "Using standard Redis connection..."
+    fi
+
     host=$(echo $clean_url | cut -d':' -f1)
     port=$(echo $clean_url | cut -d':' -f2)
     check_redis $host $port
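Review bot: The new scheme check `if [ $url = "rediss://*" ]` never matches a real URL, because `[ a = b ]` is a literal string comparison and the quoted `*` is not a glob; the TLS branch is taken only when the URL is exactly `rediss://*`, and every `rediss://` URL falls through to the `redis://` branch, where `${url#redis://}` leaves the prefix in place and the `host` field becomes `rediss`. The unquoted `$url` is also split on whitespace before the test. A `case` statement does the prefix match portably in POSIX sh and quotes the variable; the body of `parse_and_check` continues past the end of the hunk.
```shell
    # Strip either redis:// or rediss://
    case "$url" in
        rediss://*)
            clean_url=${url#rediss://}
            echo "Using secure Rediss connection..."
            ;;
        *)
            clean_url=${url#redis://}
            echo "Using standard Redis connection..."
            ;;
    esac
    # … unchanged: host/port split and check_redis call …
```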
index d9f9cff..68c9d76 100644 (file)
@@ -6,9 +6,9 @@ metadata:
   labels:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.authenticatedEmailsFile.annotations }}
+{{- with .Values.authenticatedEmailsFile.annotations }}
   annotations:
-{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}-accesslist
   namespace: {{ template "oauth2-proxy.namespace" $ }}
index 94d7806..0f164d2 100644 (file)
@@ -3,9 +3,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-{{- if .Values.config.annotations }}
+{{- with .Values.config.annotations }}
   annotations:
-{{ toYaml .Values.config.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
   labels:
     app: {{ template "oauth2-proxy.name" . }}
index 1a626d1..bd5c2c9 100644 (file)
@@ -4,14 +4,16 @@ metadata:
   labels:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
-  {{- if .Values.deploymentAnnotations }}
+  {{- with .Values.deploymentAnnotations }}
   annotations:
-{{ toYaml .Values.deploymentAnnotations | indent 8 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
   {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}
   namespace: {{ template "oauth2-proxy.namespace" $ }}
 spec:
+  {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   {{- with .Values.strategy }}
   strategy:
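Review bot: The new `{{- if not .Values.autoscaling.enabled }}` guard dereferences `autoscaling.enabled` unconditionally, so a values file that omits the `autoscaling` stanza makes Helm fail the render with a nil-pointer error rather than fall back to `replicaCount`; the chart's values.yaml is not in this chunk, so I cannot confirm a default is declared there. Either document the requirement above the guard, `# autoscaling.enabled must be defined in values.yaml; HPA owns replicas when true`, or make the lookup tolerant with `{{- if not (.Values.autoscaling | default dict).enabled }}`. The `indent 4` correction for `deploymentAnnotations` a few lines up is the right fix; it now matches the `annotations:` key it sits under.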
@@ -23,7 +25,9 @@ spec:
   template:
     metadata:
       annotations:
+        {{- if .Values.config.configFile }}
         checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }}
+        {{- end }}
         {{- if .Values.alphaConfig.enabled }}
         checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }}
         {{- end }}
@@ -102,6 +106,12 @@ spec:
         image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
         #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        {{- if .Values.image.command }}
+        command:
+          {{- range .Values.image.command }}
+          - {{ . | quote }}
+          {{- end }}
+        {{- end }}
         args:
         {{- if .Values.alphaConfig.enabled }}
           - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml
@@ -136,7 +146,7 @@ spec:
         {{- if .Values.authenticatedEmailsFile.template }}
           - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
         {{- else }}
-          - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
+          - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . }}-accesslist
         {{- end }}
         {{- end }}
         {{- with .Values.config.google }}
@@ -333,7 +343,7 @@ spec:
 {{- if .Values.authenticatedEmailsFile.template }}
             path: {{ .Values.authenticatedEmailsFile.template }}
 {{- else }}
-            path: authenticated-emails-list
+            path: {{ template "oauth2-proxy.fullname" . }}-accesslist
 {{- end }}
 {{- if .Values.authenticatedEmailsFile.template }}
           secretName: {{ .Values.authenticatedEmailsFile.template }}
@@ -367,7 +377,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- if ne (len .Values.extraVolumes) 0 }}
-{{ toYaml .Values.extraVolumes | indent 6 }}
+{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }}
 {{- end }}
 {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
       - configMap:
@@ -381,26 +391,28 @@ spec:
 {{- if .Values.authenticatedEmailsFile.template }}
             path: {{ .Values.authenticatedEmailsFile.template }}
 {{- else }}
-            path: authenticated-emails-list
+            path: {{ template "oauth2-proxy.fullname" . }}-accesslist
 {{- end }}
         name: configaccesslist
 {{- end }}
 
-      {{- if .Values.imagePullSecrets }}
+    {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }}
       imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
-      {{- end }}
-    {{- if .Values.affinity }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.affinity }}
       affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+        {{- toYaml . | nindent 8 }}
     {{- end }}
-    {{- if .Values.nodeSelector }}
+    {{- with .Values.nodeSelector }}
       nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
+        {{ toYaml . | nindent 8 }}
     {{- end }}
+    {{- with .Values.tolerations }}
       tolerations:
-{{ toYaml .Values.tolerations | indent 8 }}
-      {{- with .Values.topologySpreadConstraints }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.topologySpreadConstraints }}
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+    {{- end }}
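Review bot: The new `imagePullSecrets` block renders `{{- toYaml . | nindent 8 }}` without `tpl`, while the parent values hunk further down (the `onap-oauth2-proxy:` section) sets `name: '{{ include "common.namespace" . }}-docker-registry-key'`, so that template string would reach the Deployment as a literal secret name unless it is expanded somewhere outside this diff; `{{- tpl (toYaml .) $ | nindent 8 }}` would match the pattern already used for `extraVolumes` in the hunk above. Separately, the `nodeSelector` line uses `{{ toYaml . | nindent 8 }}` without the leading dash, unlike its `imagePullSecrets`, `affinity` and `tolerations` siblings, which leaves a whitespace-only line in the rendered manifest; `{{- toYaml . | nindent 8 }}` makes it consistent. The pod spec this belongs to starts outside the hunk.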
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml
new file mode 100644 (file)
index 0000000..a6d7461
--- /dev/null
@@ -0,0 +1,38 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  {{- with .Values.autoscaling.annotations }}
+  annotations:
+{{ tpl ( toYaml . ) $ | indent 8 }}
+  {{- end }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "oauth2-proxy.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+{{- end }}
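Review bot: The annotations block indents with `indent 8` although `annotations:` sits at two spaces, so the rendered keys land at column 8; that is still valid YAML but differs from the same construct in deployment.yaml in this commit, which was corrected to `indent 4`. Use `{{ tpl ( toYaml . ) $ | indent 4 }}` here for a consistent manifest. Also worth a short comment above `metrics:` that when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set the list renders empty and the cluster's HPA default applies, since nothing in the template guards that case.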
index 5323820..8cc7953 100644 (file)
@@ -17,7 +17,7 @@ metadata:
   namespace: {{ template "oauth2-proxy.namespace" $ }}
 {{- with .Values.ingress.annotations }}
   annotations:
-{{ toYaml . | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
 spec:
   {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }}
index 15bb893..ba2c02d 100644 (file)
@@ -7,8 +7,9 @@
 apiVersion: v1
 kind: Secret
 metadata:
-{{- if .Values.alphaConfig.annotations }}
-  annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }}
+{{- with .Values.alphaConfig.annotations }}
+  annotations:
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
   labels:
     app: {{ template "oauth2-proxy.name" . }}
index 95f85a8..9b607dd 100644 (file)
@@ -7,9 +7,9 @@ metadata:
   labels:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.authenticatedEmailsFile.annotations }}
+{{- with .Values.authenticatedEmailsFile.annotations }}
   annotations:
-{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}-accesslist
   namespace: {{ template "oauth2-proxy.namespace" $ }}
index f3364e9..a041843 100644 (file)
@@ -2,9 +2,9 @@
 apiVersion: v1
 kind: Secret
 metadata:
-{{- if .Values.config.annotations }}
+{{- with .Values.config.annotations }}
   annotations:
-{{ toYaml .Values.config.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
   labels:
     app: {{ template "oauth2-proxy.name" . }}
index d16120e..e8d02ae 100644 (file)
@@ -6,9 +6,9 @@ metadata:
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}
   namespace: {{ template "oauth2-proxy.namespace" $ }}
-{{- if .Values.service.annotations }}
+{{- with .Values.service.annotations }}
   annotations:
-{{ toYaml .Values.service.annotations | indent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
 {{- end }}
 spec:
 {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
@@ -27,6 +27,12 @@ spec:
   {{- end -}}
 {{- else }}
   type: {{ .Values.service.type }}
+{{- end }}
+{{- if .Values.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+{{- end }}
+{{- if .Values.service.internalTrafficPolicy }}
+  internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }}
 {{- end }}
   ports:
     - port: {{ .Values.service.portNumber }}
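Review bot: `externalTrafficPolicy` is emitted whenever the value is non-empty, independent of `service.type`, but the API server only accepts that field on NodePort and LoadBalancer services, so setting it together with the default ClusterIP type (the `or (eq ... "ClusterIP") (empty ...)` branch just above) should fail at apply time rather than being silently dropped. Tie the guard to the type, e.g. `{{- if and .Values.service.externalTrafficPolicy (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) }}`, or document the restriction next to the new `externalTrafficPolicy: ""` default in values.yaml. The `ports:` mapping continues outside the hunk.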
index 2a89c4b..e38cd7a 100644 (file)
@@ -10,7 +10,7 @@ kind: ServiceAccount
 metadata:
   {{- with .Values.serviceAccount.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
   {{- end }}
   labels:
     app: {{ $name }}
index 3802666..99d62fd 100644 (file)
@@ -4,7 +4,7 @@ kind: ServiceMonitor
 metadata:
   {{- with .Values.metrics.serviceMonitor.annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+{{ tpl ( toYaml . ) $ | indent 4 }}
   {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}
 {{- if .Values.metrics.serviceMonitor.namespace }}
index f49cb63..14ea469 100644 (file)
@@ -83,6 +83,7 @@ image:
   # appVersion is used by default
   tag: ""
   pullPolicy: "IfNotPresent"
+  command: []
 
 # Optionally specify an array of imagePullSecrets.
 # Secrets must be manually created in the namespace.
@@ -153,6 +154,10 @@ service:
   appProtocol: http
   annotations: {}
   # foo.io/bar: "true"
+  # configure externalTrafficPolicy
+  externalTrafficPolicy: ""
+  # configure internalTrafficPolicy
+  internalTrafficPolicy: ""
 
 ## Create or use ServiceAccount
 serviceAccount:
@@ -289,6 +294,16 @@ podDisruptionBudget:
   enabled: true
   minAvailable: 1
 
+## Horizontal Pod Autoscaling
+## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+#  targetMemoryUtilizationPercentage: 80
+  annotations: {}
+
 # Configure Kubernetes security context for pod
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 podSecurityContext: {}
index 806f961..4606611 100644 (file)
@@ -25,9 +25,10 @@ Usage:
 realm: {{ $realm.name }}
 {{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }}
 id: {{ $realm.name }}
-accessTokenLifespan: 1900
-registrationAllowed: false
-resetPasswordAllowed: true
+accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }}
+registrationAllowed: {{ default false $realm.registrationAllowed }}
+resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }}
+sslRequired: {{ default "external" $realm.sslRequired }}
 enabled: true
 {{ if $realm.themes }}
 {{   if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }}
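Review bot: `resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }}` cannot be turned off from values: Sprig's `default` treats `false` as empty, so a realm that sets `resetPasswordAllowed: false` still renders `true`, and password reset stays enabled for that realm. Test for the key instead, e.g. `resetPasswordAllowed: {{ if hasKey $realm "resetPasswordAllowed" }}{{ $realm.resetPasswordAllowed }}{{ else }}true{{ end }}`. The same `default true` pattern appears on `allowRemoteResourceManagement` in the new `auth._authorizationSettings` helper later in this diff; `default false` on `registrationAllowed` is unaffected.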
@@ -159,6 +160,7 @@ clients:
     baseUrl: {{ tpl $client.baseUrl $dot }}
     {{- end }}
     surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }}
+    authorizationServicesEnabled: {{ default false $client.authorizationServicesEnabled }}
     enabled: true
     alwaysDisplayInConsole: false
     clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }}
@@ -211,33 +213,136 @@ clients:
           {{ toYaml $mapper.config | nindent 10 }}
       {{- end }}
       {{- end }}
+    {{- if $client.defaultClientScopes }}
     defaultClientScopes:
-      {{- if $client.defaultClientScopes }}
-      {{-   range $index2, $scope := $client.defaultClientScopes }}
+      {{- range $index2, $scope := $client.defaultClientScopes }}
       - {{ $scope }}
-      {{-   end }}
-      {{- else }}
-      - web-origins
-      - profile
-      - acr
-      - email
       {{- end }}
+    {{- end }}
+    {{- if $client.optionalClientScopes }}
     optionalClientScopes:
-      {{- if $client.optionalClientScopes }}
-      {{-   range $index2, $scope := $client.optionalClientScopes }}
+      {{- range $index2, $scope := $client.optionalClientScopes }}
       - {{ $scope }}
+      {{- end }}
+    {{- end }}
+    {{- if $client.authorizationSettings }}
+    authorizationSettings: {{ include "auth._authorizationSettings" (dict "dot" $client.authorizationSettings ) | nindent 6 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Renders the authorizationSettings in the client section in a realm.
+Usage:
+{{ include "auth._authorizationSettings" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._authorizationSettings" -}}
+{{- $dot := default . .dot -}}
+allowRemoteResourceManagement: "{{ default true $dot.allowRemoteResourceManagement }}"
+policyEnforcementMode: "{{ default "ENFORCING" $dot.policyEnforcementMode }}"
+decisionStrategy: "{{ default "UNANIMOUS" $dot.decisionStrategy }}"
+resources:
+  {{- range $index, $resource := $dot.resources }}
+  - name: {{ $resource.name }}
+    type: {{ (default "" $resource.type) | quote }}
+    displayName: {{ (default "" $resource.displayName) | quote }}
+    ownerManagedAccess: {{ default false $resource.ownerManagedAccess }}
+    {{- if $resource.attributes }}
+    attributes:
+      {{-   range $key,$value := $resource.attributes }}
+      {{ $key }}: {{ $value }}
       {{-   end }}
-      {{- else }}
-      - address
-      - phone
-      - offline_access
-      - microprofile-jwt
+    {{- end }}
+    {{- if $resource.uris }}
+    uris:
+      {{- range $index2, $url := $resource.uris }}
+      - {{ $url }}
+      {{- end }}
+    {{- end }}
+    {{- if $resource.scopes }}
+    scopes:
+      {{- range $index3, $scope := $resource.scopes }}
+      - {{ $scope | toYaml }}
+      {{- end }}
+    {{- end }}
+    icon_uri: {{ (default "" $resource.icon_uri) | quote }}
+  {{- end }}
+policies:
+  {{- range $index4, $policy := $dot.policies }}
+  - name: {{ $policy.name }}
+    type: {{ (default "" $policy.type) | quote }}
+    description: {{ (default "" $policy.description) | quote }}
+    logic: {{ default "POSITIVE" $policy.logic }}
+    decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }}
+    config:
+      roles: {{ include "auth._policyRoles" (dict "dot" $policy.roles) | toJson }}
+  {{- end }}
+  {{- range $index6, $permission := $dot.permissions }}
+  - name: {{ $permission.name }}
+    type: {{ (default "" $permission.type) | quote }}
+    description: {{ (default "" $permission.description) | quote }}
+    logic: {{ default "POSITIVE" $permission.logic }}
+    decisionStrategy: {{ default "UNANIMOUS" $permission.decisionStrategy }}
+    config:
+      {{- if $permission.resources }}
+      resources: {{ include "auth._permissionResources" (dict "dot" $permission.resources) | toJson }}
+      {{- end }}
+      {{- if $permission.scopes }}
+      scopes: {{ include "auth._permissionScopes" (dict "dot" $permission.scopes) | toJson }}
+      {{- end }}
+      {{- if $permission.applyPolicies }}
+      applyPolicies: {{ include "auth._permissionApplyPolicies" (dict "dot" $permission.applyPolicies) | toJson }}
       {{- end }}
   {{- end }}
+scopes:
+  {{- range $index, $scope := $dot.scopes }}
+  - name: {{ $scope.name }}
+    iconUri: {{ (default "" $scope.icon_uri) | quote }}
+    displayName: {{ (default "" $scope.displayName) | quote }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Renders the roles in a policy.
+Usage:
+{{ include "auth._policyRoles" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._policyRoles" -}}
+{{- $dot := default . .dot -}}
+[{{- range $index,$role := $dot }}{"id":"{{ $role.id }}","required":{{ $role.required }}}{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}]
 {{- end }}
 
 {{/*
-Renders the defaulDefaultClientScopes section in a realm.
+Renders the resources in a permission.
+Usage:
+{{ include "auth._permissionResources" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._permissionResources" -}}
+{{- $dot := default . .dot -}}
+[{{- range $index,$resource := $dot }}"{{ $resource }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}]
+{{- end }}
+
+{{/*
+Renders the scopes in a permission.
+Usage:
+{{ include "auth._permissionScopes" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._permissionScopes" -}}
+{{- $dot := default . .dot -}}
+[{{- range $index,$scope := $dot }}"{{ $scope }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}]
+{{- end }}
+
+{{/*
+Renders the applyPolicies in a permission.
+Usage:
+{{ include "auth._permissionApplyPolicies" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._permissionApplyPolicies" -}}
+{{- $dot := default . .dot -}}
+[{{- range $index,$policy := $dot }}"{{ $policy }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}]
+{{- end }}
+{{/*
+Renders the defaultDefaultClientScopes section in a realm.
 Usage:
 {{ include "auth._defaultClientScopes" ( dict "dot" .Values) }}
 */}}
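Review bot: Inside the `policies` loop, `decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }}` reads the settings-level value rather than the policy's own, so a per-policy strategy in values is silently ignored, while the permissions loop right below correctly reads `$permission.decisionStrategy`; it should be `decisionStrategy: {{ default "UNANIMOUS" $policy.decisionStrategy }}`. In `auth._policyRoles`, `"required":{{ $role.required }}` renders nothing when a role omits `required` (Helm strips the missing-value marker), producing `"required":}` and invalid JSON for the `roles` config; `{{ default false $role.required }}` closes that gap. `allowRemoteResourceManagement` is emitted as the quoted string `"true"` even though it is a boolean in the realm representation, unlike `ownerManagedAccess` in the same helper — worth confirming keycloak-config-cli coerces it, or dropping the quotes; its `default true` also cannot express an explicit `false`, since `default` treats false as empty.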
@@ -262,15 +367,15 @@ clientScopes:
 {{- if $dot.additionalClientScopes }}
 {{-   range $index, $scope := $dot.additionalClientScopes }}
 - name: {{ $scope.name }}
-  description: "{{ default "" $scope.description }}"
+  description: {{ (default "" $scope.description) | quote }}
   protocol: openid-connect
   attributes:
     include.in.token.scope: 'false'
     display.on.consent.screen: 'true'
     gui.order: ''
     consent.screen.text: "${rolesScopeConsentText}"
+  {{- if $scope.protocolMappers }}
   protocolMappers:
-    {{- if $scope.protocolMappers }}
     {{- range $index2, $mapper := $scope.protocolMappers }}
     - name: {{ $mapper.name }}
       protocol: "openid-connect"
@@ -279,8 +384,7 @@ clientScopes:
       config:
         {{ toYaml $mapper.config | nindent 8 }}
     {{- end }}
-    {{- end }}
-
+  {{- end }}
 {{-   end }}
 {{- end }}
 - name: roles
@@ -719,7 +823,14 @@ users:
       {{ toYaml $user.credentials | nindent 6 }}
     {{- end }}
     disableableCredentialTypes: []
+    {{- if $user.requiredActions }}
+    requiredActions:
+      {{- range $index2, $action := $user.requiredActions }}
+      - "{{ $action }}"
+      {{- end }}
+    {{- else }}
     requiredActions: []
+    {{- end }}
     {{- if $user.realmRoles }}
     realmRoles:
       {{- range $index2, $realmRole := $user.realmRoles }}
@@ -805,7 +916,11 @@ Usage:
 {{- define "auth._attributes" -}}
 {{- $dot := default . .dot -}}
 {{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
+{{- if $realm.attributes }}
 attributes:
+{{-   if $realm.attributes.frontendUrl }}
   frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }}
+{{-   end }}
   acr.loa.map: "{\"ABC\":\"5\"}"
 {{- end }}
+{{- end }}
index ba99879..124bc18 100644 (file)
@@ -26,7 +26,7 @@ global:
       postaddr: ""
 
 keycloak:
-  intURL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/"
+  intURL: "http://keycloak-http.keycloak.svc.cluster.local/"
   relativePath: "auth/"
 ingressAuthentication:
   enabled: false
@@ -38,12 +38,16 @@ ingressAuthentication:
 
 onap-keycloak-config-cli:
   image:
+    # "edge" is the latest build release and need to be replaced with a new version
+    # compatible with keycloak 26.x.y
+    tag: edge
+    #tag: "6.1.6-25.0.1"
     pullSecrets:
       - name: onap-docker-registry-key
   #existingSecret: "keycloak-keycloakx-admin-creds"
   env:
     # internal KC URL plus relative path
-    KEYCLOAK_URL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/"
+    KEYCLOAK_URL: "http://keycloak-http.keycloak.svc.cluster.local/auth/"
     KEYCLOAK_SSLVERIFY: "false"
     KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
   secrets:
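Review bot: `tag: edge` pins the config-cli — the component that writes the Keycloak realm, client and authorization configuration — to a floating tag, so the image actually deployed changes underneath the chart and cannot be reproduced or audited from the chart revision. The comment already marks it as temporary; until a released tag supports Keycloak 26 an immutable digest would keep deployments reproducible, e.g. replacing the line with `tag: "<pinned-release-tag-or-digest>"` (placeholder) and keeping the note about the required Keycloak compatibility.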
@@ -71,6 +75,11 @@ onap-keycloak-config-cli:
       memory: 10Mi
 
 onap-oauth2-proxy:
+
+  # Addition for oauth2-proxy deployment
+  imagePullSecrets:
+    - name: '{{ include "common.namespace" . }}-docker-registry-key'
+
   securityContext:
     capabilities:
       drop:
@@ -309,24 +318,24 @@ realmSettings:
           - name: "Client Host"
             protocolMapper: "oidc-usersessionmodel-note-mapper"
             config:
-              user.session.note : "clientHost"
-              id.token.claim : "true"
-              access.token.claim : "true"
-              claim.name : "clientHost"
-              jsonType.label : "String"
+              user.session.note: "clientHost"
+              id.token.claim: "true"
+              access.token.claim: "true"
+              claim.name: "clientHost"
+              jsonType.label: "String"
           - name: "Client IP Address"
             protocolMapper: "oidc-usersessionmodel-note-mapper"
             config:
-              user.session.note : "clientAddress"
-              id.token.claim : "true"
-              access.token.claim : "true"
-              claim.name : "clientAddress"
-              jsonType.label : "String"
+              user.session.note: "clientAddress"
+              id.token.claim: "true"
+              access.token.claim: "true"
+              claim.name: "clientAddress"
+              jsonType.label: "String"
     defaultClientScopes:
       - "onap_roles"
     additionalClientScopes:
       - name: onap_roles
-        description: OpenID Connect scope for add user onap roles to the access token
+        description: "OpenID Connect scope for add user onap roles to the access token"
         protocolMappers:
         - name: aud
           protocol: openid-connect
index b050b3e..cd989ad 100644 (file)
@@ -26,7 +26,7 @@ kubeVersion: ">=1.19.11-0"
 
 dependencies:
   - name: authentication
-    version: ~14.x-0
+    version: ~15.x-0
     repository: '@local'
     condition: authentication:enabled
   - name: aai