From 84447283fcc1574a807044cab6a9acc5e7e1c2f3 Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp
Date: Wed, 12 Nov 2025 09:50:30 +0100
Subject: [PATCH] [oauth2-proxy] Use remote chart dependency

- use remote chart dependency instead of versioning a copy of the whole chart in the OOM repo
- the copy was slightly modified to use repositoryGenerator.dockerHubRepository but that was the only change that was made [0]
- the huge benefit of not maintaining a copy in OOM is that we avoid having to do a diff when upgrading the chart
- even the knowledge that the chart is "custom" is a large mental barrier to upgrading, because it is unknown beforehand how big the diff may be

[0] there is nothing in this change to replace it right now, which means that an override for .Values.initContainers.waitForRedis.image.repository needs to be defined for this chart explicitly

Issue-ID: INT-2334
Change-Id: Ia7a2b9bc5db60f2a81be6b7bf9b93b005bf6cc6a
Signed-off-by: Fiete Ostkamp
---
 kubernetes/authentication/Chart.yaml | 4 +-
 .../components/oauth2-proxy/.helmignore | 23 -
 .../components/oauth2-proxy/Chart.yaml | 48 --
 .../components/oauth2-proxy/README.md | 359 ---------------
 .../components/oauth2-proxy/ci/default-values.yaml | 1 -
 .../oauth2-proxy/ci/extra-args-as-dict-values.yaml | 4 -
 .../oauth2-proxy/ci/extra-args-as-list-values.yaml | 5 -
 .../oauth2-proxy/ci/extra-env-tpl-values.yaml | 6 -
 .../ci/horizontal-pod-autoscaling-values.yaml | 5 -
 .../ci/ingress-extra-paths-values.yaml | 14 -
 .../components/oauth2-proxy/ci/pdb-values.yaml | 1 -
 .../ci/pod-security-context-values.yaml | 4 -
 .../oauth2-proxy/ci/redis-standalone-values.yaml | 15 -
 .../oauth2-proxy/ci/servicemonitor-values.yaml | 18 -
 .../components/oauth2-proxy/ci/tpl-values.yaml | 62 ---
 .../components/oauth2-proxy/scripts/check-redis.sh | 61 ---
 .../components/oauth2-proxy/templates/NOTES.txt | 3 -
 .../oauth2-proxy/templates/_capabilities.tpl | 23 -
 .../components/oauth2-proxy/templates/_helpers.tpl | 161 -------
 .../components/oauth2-proxy/templates/_ingress.tpl | 46 --
 .../configmap-authenticated-emails-file.yaml | 18 -
 .../templates/configmap-wait-for-redis.yaml | 13 -
 .../oauth2-proxy/templates/configmap.yaml | 18 -
 .../oauth2-proxy/templates/deployment.yaml | 418 -----------------
 .../oauth2-proxy/templates/deprecation.yaml | 12 -
 .../oauth2-proxy/templates/extra-manifests.yaml | 4 -
 .../oauth2-proxy/templates/google-secret.yaml | 13 -
 .../components/oauth2-proxy/templates/hpa.yaml | 38 --
 .../components/oauth2-proxy/templates/ingress.yaml | 44 --
 .../templates/poddisruptionbudget.yaml | 15 -
 .../oauth2-proxy/templates/redis-secret.yaml | 23 -
 .../oauth2-proxy/templates/secret-alpha.yaml | 21 -
 .../secret-authenticated-emails-file.yaml | 19 -
 .../templates/secret-htpasswd-file.yaml | 16 -
 .../components/oauth2-proxy/templates/secret.yaml | 17 -
 .../components/oauth2-proxy/templates/service.yaml | 61 ---
 .../oauth2-proxy/templates/serviceaccount.yaml | 60 ---
 .../oauth2-proxy/templates/servicemonitor.yaml | 57 ---
 .../components/oauth2-proxy/values.yaml | 497 ---------------------
 .../authentication/resources/oauth2_proxy.cfg | 6 +-
 kubernetes/authentication/values.yaml | 12 +-
 41 files changed, 14 insertions(+), 2231 deletions(-)
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/.helmignore
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/Chart.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/README.md
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml
 delete mode 100755 kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/service.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml
 delete mode 100644 kubernetes/authentication/components/oauth2-proxy/values.yaml

diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml
index 6430743bf7..9eeb0e4e61 100644
--- a/kubernetes/authentication/Chart.yaml
+++ b/kubernetes/authentication/Chart.yaml
@@ -32,6 +32,6 @@ dependencies:
   - name: onap-keycloak-config-cli
     version: 6.2.1
     repository: 'file://components/keycloak-config-cli'
-  - name: onap-oauth2-proxy
+  - name: oauth2-proxy
     version: 7.8.0
-    repository: 'file://components/oauth2-proxy'
+    repository: https://oauth2-proxy.github.io/manifests
diff --git a/kubernetes/authentication/components/oauth2-proxy/.helmignore b/kubernetes/authentication/components/oauth2-proxy/.helmignore
deleted file mode 100644
index 825c007791..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-
-OWNERS
diff --git a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
deleted file mode 100644
index 300ed0964b..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: onap-oauth2-proxy
-version: 7.8.0
-apiVersion: v2
-appVersion: 7.7.1
-home: https://oauth2-proxy.github.io/oauth2-proxy/
-description: A reverse proxy that provides authentication with Google, Github or other providers
-keywords:
-  - kubernetes
-  - oauth
-  - oauth2
-  - authentication
-  - google
-  - github
-  - redis
-dependencies:
-  - name: redis
-    version: 20.3.0
-    repository: https://charts.bitnami.com/bitnami
-    alias: redis
-    condition: redis.enabled
-  - name: common
-    version: ~13.x-0
-    repository: '@local'
-  - name: repositoryGenerator
-    version: ~13.x-0
-    repository: '@local'
-
-sources:
-  - https://github.com/oauth2-proxy/oauth2-proxy
-  - https://github.com/oauth2-proxy/manifests
-maintainers:
-  - name: desaintmartin
-    email: cedric@desaintmartin.fr
-  - name: tlawrie
-  - name: NickMeves
-    email: nicholas.meves@gmail.com
-  - name: JoelSpeed
-    email: joel.speed@hotmail.co.uk
-  - name: pierluigilenoci
-    email: pierluigi.lenoci@gmail.com
-kubeVersion: ">=1.16.0-0"
-annotations:
-  artifacthub.io/changes: |
-    - kind: added
-      description: allow templates in annotations
-      links:
-        - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/256
diff --git a/kubernetes/authentication/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md
deleted file mode 100644
index 0dc6c13962..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/README.md
+++ /dev/null
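Review bot: The new `repository: https://oauth2-proxy.github.io/manifests` entry pins the chart version (7.8.0) but not its content, so `helm dependency update` will accept whatever that index serves for 7.8.0; commit the regenerated `Chart.lock` (it records the resolved chart digest) and have CI run `helm dependency build` rather than `update` so the digest is actually verified. The vendored copy this replaces (the deleted `components/oauth2-proxy/Chart.yaml`) declared `common` and `repositoryGenerator` dependencies, and the commit message says the only local modification was routing the kubectl init-container image through `repositoryGenerator.dockerHubRepository`; with the upstream chart that image presumably defaults to `docker.io/bitnami/kubectl` (the deleted README documents that default), so unless `oauth2-proxy.initContainers.waitForRedis.image.repository` is overridden in the parent values.yaml the wait-for-redis init container will pull directly from Docker Hub instead of the ONAP-configured registry. The values.yaml hunk that should carry that override is outside this chunk; please confirm it is present. Renaming the dependency from `onap-oauth2-proxy` to `oauth2-proxy` also changes the values key under which the subchart is configured, so every existing `onap-oauth2-proxy:` override block in the parent chart must be renamed in the same change.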
@@ -1,359 +0,0 @@ -# oauth2-proxy - -[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group. - -## TL;DR; - -```console -$ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests -$ helm install my-release oauth2-proxy/oauth2-proxy -``` - -## Introduction - -This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -$ helm install my-release oauth2-proxy/oauth2-proxy -``` - -The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. -The [configuration](#configuration) section lists the parameters that can be configured during installation. - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm uninstall my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Upgrading an existing Release to a new major version - -A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions. - -### To 1.0.0 - -This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400). - -### To 2.0.0 - -Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation. -See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. - -Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0. 
- -### To 3.0.0 - -Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. -This is a breaking change since the service account is enabled by default. -To disable this behaviour set `serviceAccount.enabled` to `false` - -### To 4.0.0 - -Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. -Therefore, the `ingress.extraPaths` parameter must be updated to the new format. -See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. - -For the same reason `service.port` was renamed to `service.portNumber`. - -### To 5.0.0 - -Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). -This is a breaking change because many labels of all resources need to be updated to stay consistent. - -In order to upgrade, delete the Deployment before upgrading: - -```bash -kubectl delete deployment my-release-oauth2-proxy -``` - -This will introduce a slight downtime. - -For users who don't want downtime, you can perform these actions: - -- Perform a non-cascading removal of the deployment that keeps the pods running -- Add new labels to pods -- Perform `helm upgrade` - -### To 6.0.0 - -Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0. -You probably need to adjust your Redis configuration. -See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. - -### To 7.0.0 - -Version 7.0.0 introduces a new implementation to support multiple hostAliases. -You probably need to adjust your hostAliases config. -See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information. 
- -## Configuration - -The following table lists the configurable parameters of the oauth2-proxy chart and their default values. - -| Parameter | Description | Default | -|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------| -| `affinity` | node/pod affinities | None | -| `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` | -| `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` | -| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | -| `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` | -| `authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` | -| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | -| `config.clientID` | oauth client ID | `""` | -| `config.clientSecret` | oauth client secret | `""` | -| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` | -| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. 
See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | -| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | -| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | -| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | -| `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` | -| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | -| `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` | -| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | -| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | -| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | -| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | -| `alphaConfig.annotations` | Configmap annotations | `{}` | -| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | -| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | -| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | -| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | -| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. 
See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | -| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | -| `customLabels` | Custom labels to add into metadata | `{}` | -| `config.google.adminEmail` | user impersonated by the Google service account | `""` | -| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | -| `config.google.targetPrincipal` | service account to use/impersonate | `""` | -| `config.google.serviceAccountJson` | Google service account JSON contents | `""` | -| `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` | -| `config.google.groups` | restrict logins to members of these Google groups | `[]` | -| `containerPort` | used to customize port on the deployment | `""` | -| `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). 
| `{}` or `[]` | -| `extraContainers` | List of extra containers to be added to the pod | `[]` | -| `extraEnv` | key:value list of extra environment variables to give the binary | `[]` | -| `extraVolumes` | list of extra volumes | `[]` | -| `extraVolumeMounts` | list of extra volumeMounts | `[]` | -| `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. | | -| `htpasswdFile.enabled` | enable htpasswd-file option | `false` | -| `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` | -| `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` | -| `httpScheme` | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.command` | Define command to be executed by container at startup | `[]` | -| `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` | -| `image.tag` | Image tag | `""` (defaults to appVersion) | -| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `ingress.enabled` | Enable Ingress | `false` | -| `ingress.className` | name referencing IngressClass | `nil` | -| `ingress.path` | Ingress accepted path | `/` | -| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | -| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). 
| `[]` | -| `ingress.labels` | Ingress extra labels | `{}` | -| `ingress.annotations` | Ingress annotations | `nil` | -| `ingress.hosts` | Ingress accepted hostnames | `nil` | -| `ingress.tls` | Ingress TLS configuration | `nil` | -| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | -| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | -| `initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` | -| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` -| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | -| `initContainers.waitForRedis.timeout` | number of seconds | 180 | -| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | -| `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | -| `livenessProbe.initialDelaySeconds` | number of seconds | 0 | -| `livenessProbe.timeoutSeconds` | number of seconds | 1 | -| `namespaceOverride` | Override the deployment namespace | `""` | -| `nodeSelector` | node labels for pod assignment | `{}` | -| `deploymentAnnotations` | annotations to add to the deployment | `{}` | -| `podAnnotations` | annotations to add to each pod | `{}` | -| `podLabels` | additional labels to add to each pod | `{}` | -| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | -| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | -| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | -| `priorityClassName` | priorityClassName | `nil` | -| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | -| `readinessProbe.initialDelaySeconds` | number of seconds | 0 | -| `readinessProbe.timeoutSeconds` | number of seconds | 5 | -| `readinessProbe.periodSeconds` | number of seconds | 10 | -| `readinessProbe.successThreshold` | number of successes | 1 | -| `replicaCount` | desired number of pods | `1` | -| `resources` | pod resource requests & limits | `{}` | -| `revisionHistoryLimit` | maximum number of revisions maintained | 10 | -| `service.portNumber` | port number for the service | `80` | -| `service.appProtocol` | application protocol on the port of the service | `http` | -| `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` | -| `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` | -| `service.type` | type of service | `ClusterIP` | -| 
`service.clusterIP` | cluster ip address | `nil` | -| `service.loadBalancerIP` | ip of load balancer | `nil` | -| `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | -| `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | -| `serviceAccount.enabled` | create a service account | `true` | -| `serviceAccount.name` | the service account name | `` | -| `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | -| `strategy` | configure deployment strategy | `{}` | -| `tolerations` | list of node taints to tolerate | `[]` | -| `securityContext.enabled` | enable Kubernetes security context on container | `true` | -| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | -| `sessionStorage.type` | Session storage type which can be one of the following: cookie or Redis | `cookie` | -| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | -| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` | -| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | -| `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` | -| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. 
| `""` | -| `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | -| `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` | -| `sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | -| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | -| `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` | -| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | -| `topologySpreadConstraints` | List of pod topology spread constraints | `[]` | -| `redis.enabled` | Enable the Redis subchart deployment | `false` | -| `checkDeprecation` | Enable deprecation checks | `true` | -| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | -| `metrics.port` | Serve Prometheus metrics on this port | `44180` | -| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | -| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | -| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | -| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | -| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | -| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | -| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | 
`30s` | -| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | -| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | -| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. | `{}` | -| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. | `""` | -| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | -| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` | -| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | -| `extraObjects` | Extra K8s manifests to deploy | `[]` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install my-release oauth2-proxy/oauth2-proxy \ - --set=image.tag=v0.0.2,resources.limits.cpu=200m -``` - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, - -```console -$ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -## TLS Configuration - -See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). -Use ```values.yaml``` like: - -```yaml -... -extraArgs: - tls-cert-file: /path/to/cert.pem - tls-key-file: /path/to/cert.key - -extraVolumes: - - name: ssl-cert - secret: - secretName: my-ssl-secret - -extraVolumeMounts: - - mountPath: /path/to/ - name: ssl-cert -... -``` - -With a secret called `my-ssl-secret`: - -```yaml -... 
-data: - cert.pem: AB..== - cert.key: CD..== -``` - -## Extra environment variable templating -The extraEnv value supports the tpl function, which evaluates strings as templates inside the deployment template. -This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values. - -```yaml -... -tplValue: "This is a test value for the tpl function" -extraEnv: - - name: TEST_ENV_VAR_1 - value: test_value_1 - - name: TEST_ENV_VAR_2 - value: '{{ .Values.tplValue }}' -``` - -## Custom templates configuration -You can replace the default template files using a Kubernetes `configMap` volume. The default templates are the two files [sign_in.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/sign_in.html) and [error.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/error.html). - -```yaml -config: - configFile: | - ... - custom_templates_dir = "/data/custom-templates" - -extraVolumes: - - name: custom-templates - configMap: - name: oauth2-proxy-custom-templates - -extraVolumeMounts: - - name: custom-templates - mountPath: "/data/custom-templates" - readOnly: true - -extraObjects: - - apiVersion: v1 - kind: ConfigMap - metadata: - name: oauth2-proxy-custom-templates - data: - sign_in.html: | - - - sign_in - - error.html: | - - - -

error

-

{{.StatusCode}}

- - -``` - -## Multi whitelist-domain configuration -You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance. - -It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). -In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). - -``` -config: - ... - clientID="$YOUR_GOOGLE_CLIENT_ID" - clientSecret="$YOUR_GOOGLE_CLIENT_SECRET" - cookieSecret="$YOUR_COOKIE_SECRET" - configFile: | - ... - email_domains = [ "*" ] - upstreams = [ "file:///dev/null" ] - cookie_secure = "false" - cookie_domains = [ ".domain.com", ".example.io" ] - whitelist_domains = [ ".domain.com", ".example.io"] - provider = "google" -``` diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml deleted file mode 100644 index fc2ba605ad..0000000000 --- a/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml +++ /dev/null @@ -1 +0,0 @@ -# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml deleted file mode 100644 index 92dc451807..0000000000 --- a/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -extraArgs: - pass-authorization-header: "true" - request-logging: "true" - allowed-role: client_id:client_role 
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml deleted file mode 100644 index 5f47a5f479..0000000000 --- a/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -extraArgs: - - "--pass-authorization-header=true" - - "--request-logging=true" - - --allowed-role=client_id:client_role_A - - --allowed-role=client_id_B:client_role_C diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml deleted file mode 100644 index 357dba9153..0000000000 --- a/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -tplValue: "This is a test value for the template function" -extraEnv: - - name: TEST_ENV_VAR_1 - value: test_value_1 - - name: TEST_ENV_VAR_2 - value: '{{ .Values.tplValue }}' diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml deleted file mode 100644 index fd1a0060fe..0000000000 --- a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# Enables Horizontal Pod Autoscaler and removes replica count in deployment -autoscaling: - enabled: true - annotations: - test-annotations/test: "true" diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml deleted file mode 100644 index e74a393db0..0000000000 --- a/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml +++ /dev/null 
@@ -1,14 +0,0 @@
-ingress: - enabled: true - path: / - pathType: ImplementationSpecific - hosts: - - chart-example.local - extraPaths: - - path: /* - pathType: ImplementationSpecific - backend: - service: - name: ssl-redirect - port: - name: use-annotation
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml
deleted file mode 100644
index 25b16272a7..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml
deleted file mode 100644
index b7c8cea546..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext ---- -podSecurityContext: - fsGroup: 2000
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml
deleted file mode 100644
index e58c32cf0c..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-sessionStorage: - type: redis - redis: - clientType: "standalone" - password: "foo" -redis: - # provision an instance of the redis sub-chart - enabled: true - architecture: standalone - global: - redis: - password: "foo" -initContainers: - waitForRedis: - enabled: true
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml
deleted file mode 100644
index 0c232bf5c1..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-metrics: - enabled: true - serviceMonitor: - enabled: true - annotations: - key: value - metricRelabelings: - - action: keep - regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' - sourceLabels: [__name__] - - relabelings: - - sourceLabels: [__meta_kubernetes_pod_node_name] - separator: ; - regex: ^(.*)$ - targetLabel: nodename - replacement: $1 - action: replace
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml
deleted file mode 100644
index d217653086..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-extraEnv: - - name: TEST_ENV_VAR_2 - value: '{{ $.Release.Name }}' -ingress: - enabled: true - hosts: - - "{{ $.Release.Name }}.local" - tls: - - hosts: - - "{{ $.Release.Name }}.local" - annotations: - test-annotations/test: "{{ $.Release.Name }}" -oauth2-proxy: - checkDeprecation: false - config: - clientSecret: '{{ $.Release.Name }}' - configFile: | - oidc_issuer_url = "https://{{ $.Release.Name }}/dex" - -pass_authorization_header: "true" - -extraArgs: - pass-authorization-header: "{{ $.Values.pass_authorization_header }}" - -extraVolumes: - - name: "{{ $.Release.Name }}-secret" - secret: - secretName: "{{ .Release.Name }}-secret" - items: - - key: secret - path: secret - -authenticatedEmailsFile: - annotations: - test-annotations/test: "{{ $.Release.Name }}" - -config: - annotations: - test-annotations/test: "{{ $.Release.Name }}" - -deploymentAnnotations: - test-annotations/test: "{{ $.Release.Name }}" - -autoscaling: - annotations: - test-annotations/test: "{{ $.Release.Name }}" - -alphaConfig: - annotations: - test-annotations/test: "{{ $.Release.Name }}" - -service: - annotations: - test-annotations/test: "{{ $.Release.Name }}" - -serviceAccount: - annotations: - test-annotations/test: "{{ $.Release.Name }}" - -serviceMonitor: - annotations: - test-annotations/test: "{{ $.Release.Name }}"
diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh
deleted file mode 100755
index 62dd9b684f..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh
+++ /dev/null
@@ -1,61 +0,0 @@ -#!/bin/sh - -RETRY_INTERVAL=5 # Interval between retries in seconds -elapsed=0 # Elapsed time - -check_redis() { - host=$1 - port=$2 - while [ $elapsed -lt $TOTAL_RETRY_TIME ]; do - echo "Checking Redis at $host:$port... Elapsed time: ${elapsed}s" - if nc -z -w1 $TIMEOUT $host $port > /dev/null 2>&1; then - echo "Redis is up at $host:$port!" - return 0 - else - echo "Redis is down at $host:$port. Retrying in $RETRY_INTERVAL seconds." - sleep $RETRY_INTERVAL - elapsed=$((elapsed + RETRY_INTERVAL)) - fi - done - echo "Failed to connect to Redis at $host:$port after $TOTAL_RETRY_TIME seconds." - return 1 -} - -# For parsing and checking connections -parse_and_check() { - url=$1 - - # Strip either redis:// or rediss:// - if [ $url = "rediss://*" ]; then - clean_url=${url#rediss://} - echo "Using secure Rediss connection..." - else - clean_url=${url#redis://} - echo "Using standard Redis connection..." - fi - - host=$(echo $clean_url | cut -d':' -f1) - port=$(echo $clean_url | cut -d':' -f2) - check_redis $host $port -} - -# Main -if [ -n "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" ]; then - echo "Checking Redis in cluster mode..." - echo "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do - parse_and_check $addr || exit 1 - done -elif [ -n "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" ]; then - echo "Checking Redis in sentinel mode..." - echo "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do - parse_and_check $addr || exit 1 - done -elif [ -n "$OAUTH2_PROXY_REDIS_CONNECTION_URL" ]; then - echo "Checking standalone Redis..." - parse_and_check "$OAUTH2_PROXY_REDIS_CONNECTION_URL" || exit 1 -else - echo "Redis configuration not specified." - exit 1 -fi - -echo "Redis check completed." 
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt
deleted file mode 100644
index 36ded35867..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-To verify that oauth2-proxy has started, run: - - kubectl --namespace={{ template "oauth2-proxy.namespace" $ }} get pods -l "app={{ template "oauth2-proxy.name" . }}"
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl
deleted file mode 100644
index f959f10e49..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl
+++ /dev/null
@@ -1,23 +0,0 @@
-{{/* -Returns the appropriate apiVersion for podDisruptionBudget object. -*/}} -{{- define "capabilities.podDisruptionBudget.apiVersion" -}} -{{- if semverCompare ">=1.21-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} -{{- print "policy/v1" -}} -{{- else -}} -{{- print "policy/v1beta1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for ingress object. -*/}} -{{- define "capabilities.ingress.apiVersion" -}} -{{- if semverCompare "<1.14-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "<1.19-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} -{{- print "networking.k8s.io/v1beta1" -}} -{{- else -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl
deleted file mode 100644
index 6a9bbb320d..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl
+++ /dev/null
@@ -1,161 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "oauth2-proxy.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "oauth2-proxy.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "oauth2-proxy.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Generate basic labels -*/}} -{{- define "oauth2-proxy.labels" }} -helm.sh/chart: {{ include "oauth2-proxy.chart" . }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/component: authentication-proxy -app.kubernetes.io/part-of: {{ template "oauth2-proxy.name" . }} -{{- include "oauth2-proxy.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels }} -{{- end }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "oauth2-proxy.selectorLabels" }} -app.kubernetes.io/name: {{ include "oauth2-proxy.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Get the secret name. 
-*/}} -{{- define "oauth2-proxy.secretName" -}} -{{- if .Values.config.existingSecret -}} -{{- printf "%s" .Values.config.existingSecret -}} -{{- else -}} -{{- printf "%s" (include "oauth2-proxy.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "oauth2-proxy.serviceAccountName" -}} -{{- if .Values.serviceAccount.enabled -}} - {{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Allow the release namespace to be overridden for multi-namespace deployments in combined charts -*/}} -{{- define "oauth2-proxy.namespace" -}} - {{- if .Values.namespaceOverride -}} - {{- .Values.namespaceOverride -}} - {{- else -}} - {{- .Release.Namespace -}} - {{- end -}} -{{- end -}} - -{{/* -Redis subcharts fullname -*/}} -{{- define "oauth2-proxy.redis.fullname" -}} -{{- if .Values.redis.enabled -}} -{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}} -{{- else -}} -{{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }} -{{- end -}} -{{- end -}} - -{{/* -Compute the redis url if not set explicitly. -*/}} -{{- define "oauth2-proxy.redis.StandaloneUrl" -}} -{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}} -{{ .Values.sessionStorage.redis.standalone.connectionUrl }} -{{- else if .Values.redis.enabled -}} -{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) 
.Values.redis.master.service.ports.redis -}} -{{- else -}} -{{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }} -{{- end -}} -{{- end -}} - -{{/* -Returns the version -*/}} -{{- define "oauth2-proxy.version" -}} -{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }} -{{- end -}} - -{{/* -Returns the kubectl version -Workaround for EKS https://github.com/aws/eks-distro/issues/1128 -*/}} -{{- define "kubectl.version" -}} -{{- if .Values.initContainers.waitForRedis.kubectlVersion -}} -{{ .Values.initContainers.waitForRedis.kubectlVersion }} -{{- else -}} -{{- printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "") -}} -{{- end -}} -{{- end -}} - -{{- define "oauth2-proxy.alpha-config" -}} ---- -server: - BindAddress: '0.0.0.0:4180' -{{- if .Values.alphaConfig.serverConfigData }} -{{- toYaml .Values.alphaConfig.serverConfigData | nindent 2 }} -{{- end }} -{{- if .Values.metrics.enabled }} -metricsServer: - BindAddress: '0.0.0.0:44180' -{{- if .Values.alphaConfig.metricsConfigData }} -{{- toYaml .Values.alphaConfig.metricsConfigData | nindent 2 }} -{{- end }} -{{- end }} -{{- if .Values.alphaConfig.configData }} -{{- toYaml .Values.alphaConfig.configData | nindent 0 }} -{{- end }} -{{- if .Values.alphaConfig.configFile }} -{{- tpl .Values.alphaConfig.configFile $ | nindent 0 }} -{{- end }} -{{- end -}} - -{{- define "oauth2-proxy.secrets" -}} -cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }} -client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }} -client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }} -{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl
deleted file mode 100644
index f4a3cad0e4..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl
+++ /dev/null
@@ -1,46 +0,0 @@
-{{/* -Returns `true` if the API `ingressClassName` field is supported and `false` otherwise -*/}} -{{- define "ingress.supportsIngressClassName" -}} -{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns `true` if the API `pathType` field is supported and `false` otherwise -*/}} -{{- define "ingress.supportsPathType" -}} -{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}} -{{- print "false" -}} -{{- else -}} -{{- print "true" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns the appropriate ingress `backend` fields depending on the Kubernetes API version. -e.g.: `{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}` -Where the dict must contain the following entries: -- `serviceName` {String} - Name of an existing service backend -- `servicePort` {String|Number} - Port name or port number of the service. -- `context` {Dict} - (Parent) Context for the template evaluation required for the API version detection. -*/}} -{{- define "ingress.backend" -}} -{{- $apiVersion := ( include "capabilities.ingress.apiVersion" .context ) -}} -{{- if or ( eq $apiVersion "extensions/v1beta1" ) ( eq $apiVersion "networking.k8s.io/v1beta1" ) -}} -serviceName: {{ .serviceName }} -servicePort: {{ .servicePort }} -{{- else -}} -service: - name: {{ .serviceName }} - port: - {{- if typeIs "string" .servicePort }} - name: {{ .servicePort }} - {{- else if or ( typeIs "int" .servicePort ) ( typeIs "float64" .servicePort ) }} - number: {{ .servicePort }} - {{- end }} -{{- end -}} -{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
deleted file mode 100644
index 68c9d76629..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.authenticatedEmailsFile.enabled }} -{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ template "oauth2-proxy.name" . }} -{{- include "oauth2-proxy.labels" . | indent 4 }} -{{- with .Values.authenticatedEmailsFile.annotations }} - annotations: -{{ tpl ( toYaml . ) $ | indent 4 }} -{{- end }} - name: {{ template "oauth2-proxy.fullname" . }}-accesslist - namespace: {{ template "oauth2-proxy.namespace" $ }} -data: - {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }} -{{- end }} -{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml
deleted file mode 100644
index 721048d786..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app: {{ template "oauth2-proxy.name" . }} -{{- include "oauth2-proxy.labels" . | indent 4 }} - name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis - namespace: {{ template "oauth2-proxy.namespace" $ }} -data: - check-redis.sh: | -{{ .Files.Get "scripts/check-redis.sh" | indent 4 }} -{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
deleted file mode 100644
index 0f164d230c..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if not .Values.config.existingConfig }} -{{- if .Values.config.configFile }} -apiVersion: v1 -kind: ConfigMap -metadata: -{{- with .Values.config.annotations }} - annotations: -{{ tpl ( toYaml . ) $ | indent 4 }} -{{- end }} - labels: - app: {{ template "oauth2-proxy.name" . }} -{{- include "oauth2-proxy.labels" . | indent 4 }} - name: {{ template "oauth2-proxy.fullname" . }} - namespace: {{ template "oauth2-proxy.namespace" $ }} -data: - oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }} -{{- end }} -{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
deleted file mode 100644
index bd5c2c923d..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
+++ /dev/null
@@ -1,418 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: {{ template "oauth2-proxy.name" . }} -{{- include "oauth2-proxy.labels" . | indent 4 }} - {{- with .Values.deploymentAnnotations }} - annotations: -{{ tpl ( toYaml . ) $ | indent 4 }} - {{- end }} - name: {{ template "oauth2-proxy.fullname" . }} - namespace: {{ template "oauth2-proxy.namespace" $ }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - {{- with .Values.strategy }} - strategy: - {{ toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} - template: - metadata: - annotations: - {{- if .Values.config.configFile }} - checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} - {{- end }} - {{- if .Values.alphaConfig.enabled }} - checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} - {{- end }} - {{- if .Values.authenticatedEmailsFile.enabled }} - checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} - {{- end }} - checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }} - checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }} - checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} -{{- if .Values.htpasswdFile.enabled }} - checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }} -{{- end }} - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - labels: - app: {{ template "oauth2-proxy.name" . }} - {{- include "oauth2-proxy.labels" . 
| indent 8 }} - {{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} - {{- end }} - spec: - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - {{- with .Values.podSecurityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} - {{- if .Values.hostAliases }} - hostAliases: - {{ toYaml .Values.hostAliases | nindent 8}} - {{- end }} - {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} - initContainers: - - name: wait-for-redis - #image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" - image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" - imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }} - command: ["/bin/sh", "-c", "/scripts/check-redis.sh"] - env: - - name: TOTAL_RETRY_TIME - value: "{{ .Values.initContainers.waitForRedis.timeout }}" - {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} - - name: OAUTH2_PROXY_REDIS_CONNECTION_URL - value: {{ include "oauth2-proxy.redis.StandaloneUrl" . 
}} - {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} - - name: OAUTH2_PROXY_REDIS_USE_CLUSTER - value: "true" - - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS - value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} - {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} - - name: OAUTH2_PROXY_REDIS_USE_SENTINEL - value: "true" - - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS - value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} - {{- end }} - {{- if .Values.initContainers.waitForRedis.securityContext.enabled }} - {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }} - securityContext: - {{- toYaml $securityContext | nindent 10 }} - {{- end }} - resources: - {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }} - volumeMounts: - - name: redis-script - mountPath: /scripts - {{- end }} - {{- if .Values.terminationGracePeriodSeconds }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" - #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.image.command }} - command: - {{- range .Values.image.command }} - - {{ . 
| quote }} - {{- end }} - {{- end }} - args: - {{- if .Values.alphaConfig.enabled }} - - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml - {{- else }} - - --http-address=0.0.0.0:4180 - - --https-address=0.0.0.0:4443 - {{- if .Values.metrics.enabled }} - - --metrics-address=0.0.0.0:44180 - {{- end }} - {{- end }} - {{- if .Values.config.cookieName }} - - --cookie-name={{ .Values.config.cookieName }} - {{- end }} - {{- if kindIs "map" .Values.extraArgs }} - {{- range $key, $value := .Values.extraArgs }} - {{- if not (kindIs "invalid" $value) }} - - --{{ $key }}={{ tpl ($value | toString) $ }} - {{- else }} - - --{{ $key }} - {{- end }} - {{- end }} - {{- end }} - {{- if kindIs "slice" .Values.extraArgs }} - {{- with .Values.extraArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- end }} - {{- if or .Values.config.existingConfig .Values.config.configFile }} - - --config=/etc/oauth2_proxy/oauth2_proxy.cfg - {{- end }} - {{- if .Values.authenticatedEmailsFile.enabled }} - {{- if .Values.authenticatedEmailsFile.template }} - - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} - {{- else }} - - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . 
}}-accesslist - {{- end }} - {{- end }} - {{- with .Values.config.google }} - {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }} - - --google-admin-email={{ .adminEmail }} - {{- if .useApplicationDefaultCredentials }} - - --google-use-application-default-credentials=true - {{- else }} - - --google-service-account-json=/google/service-account.json - {{- end }} - {{- if .targetPrincipal }} - - --google-target-principal={{ .targetPrincipal }} - {{- end }} - {{- end }} - {{- if .groups }} - {{- range $group := .groups }} - - --google-group={{ $group }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.htpasswdFile.enabled }} - - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt - {{- end }} -{{- if .Values.lifecycle }} - lifecycle: -{{ toYaml .Values.lifecycle | indent 10 }} -{{- end }} - env: - {{- if .Values.proxyVarsAsSecrets }} - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: {{ template "oauth2-proxy.secretName" . }} - key: client-id - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "oauth2-proxy.secretName" . }} - key: client-secret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "oauth2-proxy.secretName" . }} - key: cookie-secret - {{- end }} - {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }} - - name: OAUTH2_PROXY_SESSION_STORE_TYPE - value: "redis" - {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}} - - name: OAUTH2_PROXY_REDIS_PASSWORD - valueFrom: - secretKeyRef: - {{- if .Values.sessionStorage.redis.existingSecret }} - name: {{ .Values.sessionStorage.redis.existingSecret }} - {{- else if .Values.sessionStorage.redis.password }} - name: {{ template "oauth2-proxy.fullname" . }}-redis-access - {{- else }} - name: {{ include "oauth2-proxy.redis.fullname" . 
}} - {{- end }} - key: {{ .Values.sessionStorage.redis.passwordKey }} - {{- end }} - {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} - - name: OAUTH2_PROXY_REDIS_CONNECTION_URL - value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }} - {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} - - name: OAUTH2_PROXY_REDIS_USE_CLUSTER - value: "true" - - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS - value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} - {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} - - name: OAUTH2_PROXY_REDIS_USE_SENTINEL - value: "true" - - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME - value: {{ .Values.sessionStorage.redis.sentinel.masterName }} - - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS - value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} - {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }} - - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD - valueFrom: - secretKeyRef: - {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }} - name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }} - {{- else }} - name: {{ template "oauth2-proxy.fullname" . }}-redis-access - {{- end }} - key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }} - {{- end }} - {{- end }} - {{- end }} - {{- if .Values.extraEnv }} -{{ tpl (toYaml .Values.extraEnv) . | indent 8 }} - {{- end }} - {{- if .Values.envFrom }} - envFrom: -{{ tpl (toYaml .Values.envFrom) . 
| indent 8 }} - {{- end }} - ports: - {{- if .Values.containerPort }} - - containerPort: {{ .Values.containerPort }} - {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }} - - containerPort: 4180 - {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }} - - containerPort: 4443 - {{- else }} - {{- end}} - name: {{ .Values.httpScheme }} - protocol: TCP -{{- if .Values.metrics.enabled }} - - containerPort: 44180 - protocol: TCP - name: metrics -{{- end }} -{{- if .Values.livenessProbe.enabled }} - livenessProbe: - httpGet: - path: /ping - port: {{ .Values.httpScheme }} - scheme: {{ .Values.httpScheme | upper }} - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} -{{- end }} -{{- if .Values.readinessProbe.enabled }} - readinessProbe: - httpGet: - path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }} - port: {{ .Values.httpScheme }} - scheme: {{ .Values.httpScheme | upper }} - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - successThreshold: {{ .Values.readinessProbe.successThreshold }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} -{{- end }} - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: -{{- with .Values.config.google }} -{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} - - name: google-secret - mountPath: /google - readOnly: true -{{- end }} -{{- end }} -{{- if or .Values.config.existingConfig .Values.config.configFile }} - - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg - name: configmain - subPath: oauth2_proxy.cfg -{{- end }} -{{- if .Values.alphaConfig.enabled }} - - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml - name: configalpha - subPath: oauth2_proxy.yml -{{- end }} -{{- if .Values.authenticatedEmailsFile.enabled }} - - mountPath: 
/etc/oauth2-proxy - name: configaccesslist - readOnly: true -{{- end }} -{{- if .Values.htpasswdFile.enabled }} - - mountPath: /etc/oauth2_proxy/htpasswd - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file - readOnly: true -{{- end }} -{{- if ne (len .Values.extraVolumeMounts) 0 }} -{{ toYaml .Values.extraVolumeMounts | indent 8 }} -{{- end }} -{{- if .Values.securityContext.enabled }} -{{- $securityContext := unset .Values.securityContext "enabled" }} - securityContext: - {{- toYaml $securityContext | nindent 10 }} -{{- end }} -{{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 6 }} -{{- end }} - volumes: -{{- with .Values.config.google }} -{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} - - name: google-secret - secret: - secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }} -{{- end }} -{{- end }} - -{{- if .Values.htpasswdFile.enabled }} - - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file - secret: - secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }} -{{- end }} - -{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }} - - name: configaccesslist - secret: - items: - - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} -{{- if .Values.authenticatedEmailsFile.template }} - path: {{ .Values.authenticatedEmailsFile.template }} -{{- else }} - path: {{ template "oauth2-proxy.fullname" . }}-accesslist -{{- end }} -{{- if .Values.authenticatedEmailsFile.template }} - secretName: {{ .Values.authenticatedEmailsFile.template }} -{{- else }} - secretName: {{ template "oauth2-proxy.fullname" . 
}}-accesslist -{{- end }} -{{- end }} -{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} - - name: redis-script - configMap: - name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis - defaultMode: 0775 -{{- end }} -{{- if or .Values.config.existingConfig .Values.config.configFile }} - - configMap: - defaultMode: 420 - name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }} - name: configmain -{{- end }} -{{- if .Values.alphaConfig.enabled }} -{{- if .Values.alphaConfig.existingConfig }} - - configMap: - defaultMode: 420 - name: {{ .Values.alphaConfig.existingConfig }} - name: configalpha -{{- else }} - - secret: - defaultMode: 420 - secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} - name: configalpha -{{- end }} -{{- end }} -{{- if ne (len .Values.extraVolumes) 0 }} -{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} -{{- end }} -{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} - - configMap: -{{- if .Values.authenticatedEmailsFile.template }} - name: {{ .Values.authenticatedEmailsFile.template }} -{{- else }} - name: {{ template "oauth2-proxy.fullname" . }}-accesslist -{{- end }} - items: - - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} -{{- if .Values.authenticatedEmailsFile.template }} - path: {{ .Values.authenticatedEmailsFile.template }} -{{- else }} - path: {{ template "oauth2-proxy.fullname" . }}-accesslist -{{- end }} - name: configaccesslist -{{- end }} - - {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . 
| nindent 8 }}
- {{- end }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{ toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.topologySpreadConstraints }}
- topologySpreadConstraints:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml
deleted file mode 100644
index 126d3e7a18..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-{{- if .Values.checkDeprecation }}
- {{- if .Values.service.port }}
- {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }}
- {{- end }}
- {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}}
- {{- range .Values.ingress.extraPaths }}
- {{- if or (.backend.serviceName) (.backend.servicePort) }}
- {{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }}
- {{- end }}
- {{- end }}
- {{- end }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml
deleted file mode 100644
index a9bb3b6ba8..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-{{ range .Values.extraObjects }}
----
-{{ tpl (toYaml .) $ }}
-{{ end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml
deleted file mode 100644
index 30a9ae1bb6..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }}
-apiVersion: v1
-kind: Secret
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}-google
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-type: Opaque
-data:
- service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }}
-{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml
deleted file mode 100644
index a6d7461797..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- {{- with .Values.autoscaling.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 8 }}
- {{- end }}
- name: {{ template "oauth2-proxy.fullname" . }}
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ template "oauth2-proxy.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- target:
- type: Utilization
- averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
- {{- end }}
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- target:
- type: Utilization
- averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- {{- end }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
deleted file mode 100644
index 8cc7953ee9..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $serviceName := include "oauth2-proxy.fullname" . -}}
-{{- $servicePort := .Values.service.portNumber -}}
-{{- $ingressPath := .Values.ingress.path -}}
-{{- $ingressPathType := .Values.ingress.pathType -}}
-{{- $extraPaths := .Values.ingress.extraPaths -}}
-apiVersion: {{ include "capabilities.ingress.apiVersion" . }}
-kind: Ingress
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
- {{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.ingress.labels }}
-{{ toYaml .Values.ingress.labels | indent 4 }}
-{{- end }}
- name: {{ template "oauth2-proxy.fullname" . }}
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-{{- with .Values.ingress.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
-{{- end }}
-spec:
- {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }}
- ingressClassName: {{ .Values.ingress.className | quote }}
- {{- end }}
- rules:
- {{- range $host := .Values.ingress.hosts }}
- - host: {{ tpl $host $ | quote }}
- http:
- paths:
-{{- if $extraPaths }}
-{{ toYaml $extraPaths | indent 10 }}
-{{- end }}
- - path: {{ $ingressPath }}
- {{- if eq "true" ( include "ingress.supportsPathType" $ ) }}
- pathType: {{ $ingressPathType }}
- {{- end }}
- backend: {{- include "ingress.backend" ( dict "serviceName" $serviceName "servicePort" $servicePort "context" $ ) | nindent 14 }}
- {{- end -}}
- {{- if .Values.ingress.tls }}
- tls:
-{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }}
- {{- end -}}
-{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 1fc8ecc005..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }}
-apiVersion: {{ include "capabilities.podDisruptionBudget.apiVersion" . }}
-kind: PodDisruptionBudget
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-spec:
- selector:
- matchLabels:
- {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
- minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml
deleted file mode 100644
index 202e9243e3..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- $name := include "oauth2-proxy.name" . -}}
-{{- $fullName := include "oauth2-proxy.fullname" . -}}
-{{- $labels := include "oauth2-proxy.labels" . -}}
-{{- with .Values.sessionStorage }}
-{{- if and (eq .type "redis") (not .redis.existingSecret) (or .redis.password .redis.sentinel.password) }}
-apiVersion: v1
-kind: Secret
-metadata:
- labels:
- app: {{ $name }}
- {{- $labels | indent 4 }}
- name: {{ $fullName }}-redis-access
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-type: Opaque
-data:
- {{- if and .redis.password (not .redis.existingSecret) }}
- {{ .redis.passwordKey }}: {{ .redis.password | b64enc | quote }}
- {{- end }}
- {{- if and .redis.sentinel.password (not .redis.sentinel.existingSecret) (ne .redis.sentinel.passwordKey .redis.passwordKey) }}
- {{ .redis.sentinel.passwordKey }}: {{ .redis.sentinel.password | b64enc | quote }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml
deleted file mode 100644
index ba2c02d5aa..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{-
- if and
- .Values.alphaConfig.enabled
- (not .Values.alphaConfig.existingConfig)
- (not .Values.alphaConfig.existingSecret)
-}}
-apiVersion: v1
-kind: Secret
-metadata:
-{{- with .Values.alphaConfig.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
-{{- end }}
- labels:
- app: {{ template "oauth2-proxy.name" . }}
- {{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}-alpha
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-data:
- oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
deleted file mode 100644
index 9b607dd34a..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.authenticatedEmailsFile.enabled }}
-{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- with .Values.authenticatedEmailsFile.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
-{{- end }}
- name: {{ template "oauth2-proxy.fullname" . }}-accesslist
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-data:
- {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }}
-{{- end }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
deleted file mode 100644
index c5ea330ff7..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }}
-apiVersion: v1
-kind: Secret
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-type: Opaque
-stringData:
- users.txt: |-
- {{- range $entries := .Values.htpasswdFile.entries }}
- {{ $entries }}
- {{- end -}}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml
deleted file mode 100644
index a041843484..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }}
-apiVersion: v1
-kind: Secret
-metadata:
-{{- with .Values.config.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
-{{- end }}
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-type: Opaque
-data:
-{{- include "oauth2-proxy.secrets" . | nindent 2 }}
-{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml
deleted file mode 100644
index e8d02aeba8..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
- name: {{ template "oauth2-proxy.fullname" . }}
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-{{- with .Values.service.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
-{{- end }}
-spec:
-{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
- type: ClusterIP
- {{- if .Values.service.clusterIP }}
- clusterIP: {{ .Values.service.clusterIP }}
- {{end}}
-{{- else if eq .Values.service.type "LoadBalancer" }}
- type: {{ .Values.service.type }}
- {{- if .Values.service.loadBalancerIP }}
- loadBalancerIP: {{ .Values.service.loadBalancerIP }}
- {{- end }}
- {{- if .Values.service.loadBalancerSourceRanges }}
- loadBalancerSourceRanges:
-{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
- {{- end -}}
-{{- else }}
- type: {{ .Values.service.type }}
-{{- end }}
-{{- if .Values.service.externalTrafficPolicy }}
- externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
-{{- end }}
-{{- if .Values.service.internalTrafficPolicy }}
- internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }}
-{{- end }}
- ports:
- - port: {{ .Values.service.portNumber }}
- targetPort: {{ .Values.httpScheme }}
- {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
- nodePort: {{ .Values.service.nodePort }}
- {{- end }}
- protocol: TCP
- {{- with .Values.service.appProtocol }}
- appProtocol: {{ . }}
- {{- end }}
- name: {{ .Values.httpScheme }}
- {{- if and .Values.metrics.enabled .Values.metrics.port }}
- - port: {{ .Values.metrics.port }}
- protocol: TCP
- {{- with .Values.metrics.service.appProtocol }}
- appProtocol: {{ . 
}}
- {{- end }}
- targetPort: metrics
- {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.metrics.nodePort))) }}
- nodePort: {{ .Values.metrics.nodePort }}
- {{- end }}
- name: metrics
- {{- end }}
- selector:
- {{- include "oauth2-proxy.selectorLabels" . | indent 4 }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
deleted file mode 100644
index e38cd7a7a6..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if or .Values.serviceAccount.enabled -}}
-{{- $fullName := include "oauth2-proxy.fullname" . -}}
-{{- $saName := include "oauth2-proxy.serviceAccountName" . -}}
-{{- $name := include "oauth2-proxy.name" . -}}
-{{- $namespace := include "oauth2-proxy.namespace" $ -}}
-{{- $labels := include "oauth2-proxy.labels" . -}}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- {{- with .Values.serviceAccount.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
- {{- end }}
- labels:
- app: {{ $name }}
-{{- $labels | indent 4 }}
- name: {{ $saName }}
- namespace: {{ $namespace }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ $fullName }}-watch-redis
- namespace: {{ $namespace }}
- labels:
- app: {{ $name }}
- {{- $labels | nindent 4 }}
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- resourceNames:
- - "{{ include "oauth2-proxy.redis.fullname" . }}-master-0"
- verbs:
- - get
- - list
- - watch
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ $saName }}-watch-redis
- namespace: {{ $namespace }}
- labels:
- app: {{ $name }}
- {{- $labels | nindent 4 }}
-subjects:
-- kind: ServiceAccount
- name: {{ $saName }}
- apiGroup: ""
-roleRef:
- kind: Role
- name: {{ $fullName }}-watch-redis
- apiGroup: ""
-{{- end -}}
-{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml
deleted file mode 100644
index 99d62fd4ad..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- {{- with .Values.metrics.serviceMonitor.annotations }}
- annotations:
-{{ tpl ( toYaml . ) $ | indent 4 }}
- {{- end }}
- name: {{ template "oauth2-proxy.fullname" . }}
-{{- if .Values.metrics.serviceMonitor.namespace }}
- namespace: {{ .Values.metrics.serviceMonitor.namespace }}
-{{- else }}
- namespace: {{ template "oauth2-proxy.namespace" $ }}
-{{- end }}
- labels:
- prometheus: {{ .Values.metrics.serviceMonitor.prometheusInstance }}
- app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.metrics.serviceMonitor.labels }}
-{{ toYaml .Values.metrics.serviceMonitor.labels | indent 4}}
-{{- end }}
-spec:
- jobLabel: {{ template "oauth2-proxy.fullname" . }}
- selector:
- matchLabels:
- {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
- namespaceSelector:
- matchNames:
- - {{ template "oauth2-proxy.namespace" $ }}
- endpoints:
- - port: metrics
- path: "/metrics"
- {{- with .Values.metrics.serviceMonitor.interval }}
- interval: {{ . }}
- {{- end }}
- {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
- scrapeTimeout: {{ . }}
- {{- end }}
- {{- with .Values.metrics.serviceMonitor.scheme }}
- scheme: {{ . }}
- {{- end }}
- {{- with .Values.metrics.serviceMonitor.bearerTokenFile }}
- bearerTokenFile: {{ . }}
- {{- end }}
- {{- with .Values.metrics.serviceMonitor.tlsConfig }}
- tlsConfig:
- {{- toYaml .| nindent 6 }}
- {{- end }}
- {{- with .Values.metrics.serviceMonitor.metricRelabelings }}
- metricRelabelings:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- with .Values.metrics.serviceMonitor.relabelings }}
- relabelings:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml
deleted file mode 100644
index 7157aa0c72..0000000000
--- a/kubernetes/authentication/components/oauth2-proxy/values.yaml
+++ /dev/null
@@ -1,497 +0,0 @@ -global: - quayRepository: quay.io - dockerHubRepository: docker.io - # Additions for Redis **************************** - # If dockerHubRepository is changes the following entry needs - # to be changed as well - imageRegistry: docker.io - imagePullSecrets: - - '{{ include "common.names.namespace" . }}-docker-registry-key' - - # Workaround to avoid redis restarts with ArgoCD - redis: - password: "32ugd3783rhfjdhow" - # ************************************************* - -## Override the deployment namespace -## -namespaceOverride: "" - -# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). -# This is especially useful for `helm template` as capabilities are always empty -# due to the fact that it doesn't query an actual cluster -kubeVersion: - -# Oauth client configuration specifics -config: - # Add config annotations - annotations: {} - # OAuth client ID - clientID: "XXXXXXX" - # OAuth client secret - clientSecret: "XXXXXXXX" - # Create a new secret with the following command - # openssl rand -base64 32 | head -c 32 | base64 - # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) - # Example: - # existingSecret: secret - cookieSecret: "XXXXXXXXXXXXXXXX" - # The name of the cookie that oauth2-proxy will create - # If left empty, it will default to the release name - cookieName: "" - google: {} - # adminEmail: xxxx - # useApplicationDefaultCredentials: true - # targetPrincipal: xxxx - # serviceAccountJson: xxxx - # Alternatively, use an existing secret (see google-secret.yaml for required fields) - # Example: - # existingSecret: google-secret - # groups: [] - # Example: - # - group1@example.com - # - group2@example.com - # Default configuration, to be overridden - configFile: |- - email_domains = [ "*" ] - upstreams = [ "file:///dev/null" ] - # Custom configuration file: oauth2_proxy.cfg - # configFile: |- - # pass_basic_auth = false - # pass_access_token = true - # Use an existing config 
map (see configmap.yaml for required fields) - # Example: - # existingConfig: config - -alphaConfig: - enabled: false - # Add config annotations - annotations: {} - # Arbitrary configuration data to append to the server section - serverConfigData: {} - # Arbitrary configuration data to append to the metrics section - metricsConfigData: {} - # Arbitrary configuration data to append - configData: {} - # Arbitrary configuration to append - # This is treated as a Go template and rendered with the root context - configFile: "" - # Use an existing config map (see secret-alpha.yaml for required fields) - existingConfig: ~ - # Use an existing secret - existingSecret: ~ - -image: - #repository: "quay.io/oauth2-proxy/oauth2-proxy" - repository: "oauth2-proxy/oauth2-proxy" - # appVersion is used by default - tag: "" - pullPolicy: "IfNotPresent" - command: [] - -# Optionally specify an array of imagePullSecrets. -# Secrets must be manually created in the namespace. -# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod -# imagePullSecrets: - # - name: myRegistryKeySecretName - -# Set a custom containerPort if required. -# This will default to 4180 if this value is not set and the httpScheme set to http -# This will default to 4443 if this value is not set and the httpScheme set to https -# containerPort: 4180 - -extraArgs: {} -extraEnv: [] - -envFrom: [] -# Load environment variables from a ConfigMap(s) and/or Secret(s) -# that already exists (created and managed by you). -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables -# -# PS: Changes in these ConfigMaps or Secrets will not be automatically -# detected and you must manually restart the relevant Pods after changes. 
-# -# - configMapRef: -# name: special-config -# - secretRef: -# name: special-config-secret - -# -- Custom labels to add into metadata -customLabels: {} - -# To authorize individual email addresses -# That is part of extraArgs but since this needs special treatment we need to do a separate section -authenticatedEmailsFile: - enabled: false - # Defines how the email addresses file will be projected, via a configmap or secret - persistence: configmap - # template is the name of the configmap what contains the email user list but has been configured without this chart. - # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. - # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the - # provided value in restrictedUserAccessKey field. - template: "" - # The configmap/secret key under which the list of email access is stored - # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility - restrictedUserAccessKey: "" - # One email per line - # example: - # restricted_access: |- - # name1@domain - # name2@domain - # If you override the config with restricted_access it will configure a user list within this chart what takes care of the - # config map resource. - restricted_access: "" - annotations: {} - # helm.sh/resource-policy: keep - -service: - type: ClusterIP - # when service.type is ClusterIP ... - # clusterIP: 192.0.2.20 - # when service.type is LoadBalancer ... - # loadBalancerIP: 198.51.100.40 - # loadBalancerSourceRanges: 203.0.113.0/24 - # when service.type is NodePort ... 
- # nodePort: 80 - portNumber: 80 - # Protocol set on the service - appProtocol: http - annotations: {} - # foo.io/bar: "true" - # configure externalTrafficPolicy - externalTrafficPolicy: "" - # configure internalTrafficPolicy - internalTrafficPolicy: "" - -## Create or use ServiceAccount -serviceAccount: - ## Specifies whether a ServiceAccount should be created - enabled: true - ## The name of the ServiceAccount to use. - ## If not set and create is true, a name is generated using the fullname template - name: - automountServiceAccountToken: true - annotations: {} - -ingress: - enabled: false - # className: nginx - path: / - # Only used if API capabilities (networking.k8s.io/v1) allow it - pathType: ImplementationSpecific - # Used to create an Ingress record. - # hosts: - # - chart-example.local - # Extra paths to prepend to every host configuration. This is useful when working with annotation based services. - # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) - # extraPaths: - # - path: /* - # pathType: ImplementationSpecific - # backend: - # service: - # name: ssl-redirect - # port: - # name: use-annotation - labels: {} - # annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - # tls: - # Secrets must be manually created in the namespace. - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # limits: - # cpu: 100m - # memory: 300Mi - # requests: - # cpu: 100m - # memory: 300Mi - -extraVolumes: [] - # - name: ca-bundle-cert - # secret: - # secretName: - -extraVolumeMounts: [] - # - mountPath: /etc/ssl/certs/ - # name: ca-bundle-cert - -# Additional containers to be added to the pod. 
-extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - -priorityClassName: "" - -# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution -hostAliases: [] -# - ip: "10.xxx.xxx.xxx" -# hostnames: -# - "auth.example.com" -# - ip: 127.0.0.1 -# hostnames: -# - chart-example.local -# - example.local - -# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. -# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling -# topologySpreadConstraints: [] - -# Affinity for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -# affinity: {} - -# Tolerations for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] - -# Node labels for pod assignment -# Ref: https://kubernetes.io/docs/user-guide/node-selection/ -nodeSelector: {} - -# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables -proxyVarsAsSecrets: true - -# Configure Kubernetes liveness and readiness probes. -# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# Disable both when deploying with Istio 1.0 mTLS. 
https://istio.io/help/faq/security/#k8s-health-checks -livenessProbe: - enabled: true - initialDelaySeconds: 0 - timeoutSeconds: 1 - -readinessProbe: - enabled: true - initialDelaySeconds: 0 - timeoutSeconds: 5 - periodSeconds: 10 - successThreshold: 1 - -# Configure Kubernetes security context for container -# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -securityContext: - enabled: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 2000 - runAsGroup: 2000 - seccompProfile: - type: RuntimeDefault - -deploymentAnnotations: {} -podAnnotations: {} -podLabels: {} -replicaCount: 1 -revisionHistoryLimit: 10 -strategy: {} - -## PodDisruptionBudget settings -## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ -podDisruptionBudget: - enabled: true - minAvailable: 1 - -## Horizontal Pod Autoscaling -## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 10 - targetCPUUtilizationPercentage: 80 -# targetMemoryUtilizationPercentage: 80 - annotations: {} - -# Configure Kubernetes security context for pod -# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -podSecurityContext: {} - -# whether to use http or https -httpScheme: http - -initContainers: - # if the redis sub-chart is enabled, wait for it to be ready - # before starting the proxy - # creates a role binding to get, list, watch, the redis master pod - # if service account is enabled - waitForRedis: - enabled: true - image: - repository: "alpine" - tag: "latest" - pullPolicy: "IfNotPresent" - # uses the kubernetes version of the cluster - # the chart is deployed on, if not set - kubectlVersion: "" - securityContext: - enabled: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 
65534 - runAsGroup: 65534 - seccompProfile: - type: RuntimeDefault - timeout: 180 - resources: {} - # limits: - # cpu: 100m - # memory: 300Mi - # requests: - # cpu: 100m - # memory: 300Mi - -# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. -# Alternatively supply an existing secret which contains the required information. -htpasswdFile: - enabled: false - existingSecret: "" - entries: [] - # One row for each user - # example: - # entries: - # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy - -# Configure the session storage type, between cookie and redis -sessionStorage: - # Can be one of the supported session storage cookie|redis - type: cookie - redis: - # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) - existingSecret: "" - # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence - password: "" - # Key of the Kubernetes secret data containing the redis password value - passwordKey: "redis-password" - # Can be one of standalone|cluster|sentinel - clientType: "standalone" - standalone: - # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set - connectionUrl: "" - cluster: - # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) - connectionUrls: [] - sentinel: - # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` - existingSecret: "" - # Redis sentinel password. 
Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` - password: "" - # Key of the Kubernetes secret data containing the redis sentinel password value - passwordKey: "redis-sentinel-password" - # Redis sentinel master name - masterName: "" - # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) - connectionUrls: [] - -# Enables and configure the automatic deployment of the redis subchart -redis: - # provision an instance of the redis sub-chart - enabled: false - # Redis specific helm chart settings, please see: - # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters - # redisPort: 6379 - # architecture: standalone - -# Enables apiVersion deprecation checks -checkDeprecation: true - -# Allows graceful shutdown -# terminationGracePeriodSeconds: 65 -# lifecycle: -# preStop: -# exec: -# command: [ "sh", "-c", "sleep 60" ] - -metrics: - # Enable Prometheus metrics endpoint - enabled: true - # Serve Prometheus metrics on this port - port: 44180 - # when service.type is NodePort ... - # nodePort: 44180 - # Protocol set on the service for the metrics port - service: - appProtocol: http - serviceMonitor: - # Enable Prometheus Operator ServiceMonitor - enabled: false - # Define the namespace where to deploy the ServiceMonitor resource - namespace: "" - # Prometheus Instance definition - prometheusInstance: default - # Prometheus scrape interval - interval: 60s - # Prometheus scrape timeout - scrapeTimeout: 30s - # Add custom labels to the ServiceMonitor resource - labels: {} - - ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. - scheme: "" - - ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. 
- ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig - tlsConfig: {} - - ## bearerTokenFile: Path to bearer token file. - bearerTokenFile: "" - - ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec - annotations: {} - - ## Metric relabel configs to apply to samples before ingestion. - ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) - metricRelabelings: [] - # - action: keep - # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' - # sourceLabels: [__name__] - - ## Relabel configs to apply to samples before ingestion. - ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) - relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - -# Extra K8s manifests to deploy -extraObjects: [] - # - apiVersion: secrets-store.csi.x-k8s.io/v1 - # kind: SecretProviderClass - # metadata: - # name: oauth2-proxy-secrets-store - # spec: - # provider: aws - # parameters: - # objects: | - # - objectName: "oauth2-proxy" - # objectType: "secretsmanager" - # jmesPath: - # - path: "client_id" - # objectAlias: "client-id" - # - path: "client_secret" - # objectAlias: "client-secret" - # - path: "cookie_secret" - # objectAlias: "cookie-secret" - # secretObjects: - # - data: - # - key: client-id - # objectName: client-id - # - key: client-secret - # objectName: client-secret - # - key: cookie-secret - # objectName: cookie-secret - # secretName: oauth2-proxy-secrets-store - # type: Opaque 
diff --git a/kubernetes/authentication/resources/oauth2_proxy.cfg b/kubernetes/authentication/resources/oauth2_proxy.cfg
index 60aaad4b52..cdcbce187b 100644
--- a/kubernetes/authentication/resources/oauth2_proxy.cfg
+++ b/kubernetes/authentication/resources/oauth2_proxy.cfg
@@ -1,7 +1,7 @@
 provider = "oidc"
 provider_display_name = "ONAPKeycloakID"
-client_id = "{{ index .Values "onap-oauth2-proxy" "config" "clientId" }}"
-client_secret = "{{ index .Values "onap-oauth2-proxy" "config" "clientSecret" }}"
+client_id = "{{ index .Values "oauth2-proxy" "config" "clientId" }}"
+client_secret = "{{ index .Values "oauth2-proxy" "config" "clientSecret" }}"
 oidc_issuer_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap'
 oidc_jwks_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/certs'
 profile_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo'
@@ -10,7 +10,7 @@ redeem_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx
 scope = "openid email profile groups onap_roles"
 skip_oidc_discovery = true
 cookie_secure = false
-cookie_secret = "{{ index .Values "onap-oauth2-proxy" "config" "cookieSecret" }}"
+cookie_secret = "{{ index .Values "oauth2-proxy" "config" "cookieSecret" }}"
 email_domains = [ "*" ]
 auth_logging = true
 request_logging = true
diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml
index bc04f6a7cd..70ec9b4ecc 100644
--- a/kubernetes/authentication/values.yaml
+++ b/kubernetes/authentication/values.yaml
@@ -24,6 +24,14 @@ global: # postfix for baseaddr # can be overwritten in component by setting ingress.postaddrOverride postaddr: "" + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + + # Workaround to avoid redis restarts with ArgoCD + redis: + password: "32ugd3783rhfjdhow" + # ************************************************* + keycloak: intURL: "http://keycloak-http.keycloak.svc.cluster.local/" @@ -40,7 +48,6 @@ onap-keycloak-config-cli: image: # "edge" is the latest build release and need to be replaced with a new version # compatible with keycloak 26.x.y - tag: edge tag: "6.2.1-26.0.5" pullSecrets: - name: onap-docker-registry-key @@ -84,8 +91,7 @@ onap-keycloak-config-cli: cpu: 100m memory: 10Mi -onap-oauth2-proxy: - +oauth2-proxy: # Addition for oauth2-proxy deployment imagePullSecrets: - name: '{{ include "common.namespace" . }}-docker-registry-key' -- 2.16.6
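Review bot: `global.redis.password: "32ugd3783rhfjdhow"` in the first hunk commits a literal Redis credential to the repository, and because it sits under `global:` it is inherited by every subchart that reads that key. The comment above it records only the ArgoCD-restart motivation, not that this is a shared plaintext secret; the deleted chart's values show the proxy can take the Redis password from a pre-existing Kubernetes Secret (`sessionStorage.redis.existingSecret`), and the upstream chart presumably still offers that knob, so pointing both the redis subchart and the proxy at one Secret created outside this file would avoid versioning the value. At minimum replace the comment with one that states the contract, e.g. `# Placeholder shared with the redis subchart to keep ArgoCD from restarting it; must be overridden per environment`. Separately, the new `global.imagePullSecrets` entry calls `common.names.namespace` while the existing `oauth2-proxy.imagePullSecrets` entry in the third hunk calls `common.namespace`; if both are meant to resolve to the same registry-key Secret, verify that both helper names exist in the charts that render them, since a mismatch yields a pull-secret name that does not exist.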
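Review bot: The renamed `oauth2-proxy:` stanza in the third hunk sets no `initContainers.waitForRedis.image`, so the defaults the deleted values carried (`repository: "alpine"`, `tag: "latest"`, `pullPolicy: "IfNotPresent"`) now apply unchanged from upstream and the wait-for-redis init container pulls an unpinned tag directly from Docker Hub whenever the redis subchart is enabled. The commit message acknowledges that the `repositoryGenerator.dockerHubRepository` override is gone and must be defined explicitly for this chart, but this values file does not add it, so the image is neither pinned nor sourced from the project registry. The stanza continues past the end of the hunk; the override belongs under it as below, with the placeholders filled from the project's image repository and a fixed tag.
```yaml
oauth2-proxy:
  # … unchanged: imagePullSecrets …
  initContainers:
    waitForRedis:
      image:
        repository: '<PROJECT_REGISTRY>/alpine'  # placeholder: project registry path
        tag: '<PINNED_TAG>'                      # placeholder: pinned version, not latest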