# Labels, annotations, name and replica settings of the workload object.
# NOTE(review): the numbers at the start of each line jump, so this listing omits
# lines; parent keys and the end actions that close each if/with are not visible.
# Nesting is inferred from the indent/nindent arguments only.
5 app: {{ template "oauth2-proxy.name" . }}
6 {{- include "oauth2-proxy.labels" . | indent 4 }}
# Optional annotations copied verbatim from values; emitted only when the value is set.
7 {{- if .Values.deploymentAnnotations }}
9 {{ toYaml .Values.deploymentAnnotations | indent 8 }}
11 name: {{ template "oauth2-proxy.fullname" . }}
13 replicas: {{ .Values.replicaCount }}
# A template if treats the number 0 as false, so revisionHistoryLimit: 0 in values
# is not rendered and the cluster default applies instead.
14 {{- if .Values.revisionHistoryLimit }}
15 revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
# The selector uses its own helper, separate from the full label set above.
19 {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
# Checksum annotations: each one renders another template of this chart and hashes
# the rendered text with sha256sum, so the value changes whenever that output changes
# (presumably to restart pods on a config or secret change; the parent key is not
# visible in this listing).
# NOTE(review): judging by the file names, four of these hash rendered Secret
# manifests (secret.yaml, google-secret.yaml, redis-secret.yaml,
# secret-htpasswd-file.yaml). The digests are stored as annotations, which anyone with
# read access to this object can see, so a digest of a short or guessable secret can
# be compared against guesses offline. Use high-entropy secret values, or reference
# pre-existing Secrets so the secret material is not part of the rendered template.
23 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
24 {{- if .Values.alphaConfig.enabled }}
25 checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }}
27 checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
28 checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
29 checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
30 checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
31 {{- if .Values.htpasswdFile.enabled }}
32 checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }}
# User-supplied annotations are appended as-is after the checksums.
34 {{- if .Values.podAnnotations }}
35 {{ toYaml .Values.podAnnotations | indent 8 }}
# Labels, priority class, security context, service account and host aliases.
# Parent keys are not visible in this listing.
38 app: {{ template "oauth2-proxy.name" . }}
39 {{- include "oauth2-proxy.labels" . | indent 8 }}
40 {{- if .Values.podLabels }}
41 {{ toYaml .Values.podLabels | indent 8 }}
44 {{- if .Values.priorityClassName }}
45 priorityClassName: "{{ .Values.priorityClassName }}"
# The security context is rendered only when the value is non-empty; with an empty
# value nothing is emitted here.
# NOTE(review): confirm values.yaml ships a restrictive default (not visible here).
47 {{- with .Values.podSecurityContext }}
49 {{- toYaml . | nindent 8 }}
51 serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
# Taken straight from values with no default applied in this line.
# NOTE(review): if the value is unset this presumably renders an empty (null) field
# and the cluster default applies - confirm. If the workload does not call the
# Kubernetes API, false keeps the token out of the container.
# The space before the colon parses as YAML but is flagged by yamllint (colons rule).
52 automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
# One host alias: a single ip with a single hostname, both unquoted.
53 {{- if .Values.hostAlias.enabled }}
55 - ip: {{ .Values.hostAlias.ip }}
57 - {{ .Values.hostAlias.hostname }}
# Main container: name and image reference.
60 - name: {{ .Chart.Name }}
# Image = output of the repositoryGenerator.quayRepository helper (defined outside
# this listing), a slash, the repository from values, then the literal v followed by
# the oauth2-proxy.version helper output.
# NOTE(review): the reference ends in a tag, which is mutable; no digest is part of
# it. Where the registry supports it, pin by digest or enforce signature verification
# at admission, and pair a mutable tag with a pull policy that matches that choice.
61 image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
# NOTE(review): the next line is a YAML comment, not a template comment, so Helm
# still evaluates the actions in it and writes the result into the rendered manifest
# as a comment. Delete it or use a template comment if it is meant to be inert.
62 #image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
63 imagePullPolicy: {{ .Values.image.pullPolicy }}
# Command-line arguments of the proxy container (the parent key is not visible here).
# NOTE(review): arguments are part of the pod spec and readable by anyone who can
# read the pod, so secret material belongs in Secret-backed env vars or files, not in
# these flags or in extraArgs.
65 {{- if .Values.alphaConfig.enabled }}
66 - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml
# Listeners bind every interface inside the pod. The metrics listener is added only
# when metrics are enabled.
# NOTE(review): nothing in this template limits who can reach these ports; restrict
# the metrics port with a NetworkPolicy if it should only be scraped internally.
68 - --http-address=0.0.0.0:4180
69 - --https-address=0.0.0.0:4443
70 {{- if .Values.metrics.enabled }}
71 - --metrics-address=0.0.0.0:44180
# The cookie name is inserted unquoted.
74 {{- if .Values.config.cookieName }}
75 - --cookie-name={{ .Values.config.cookieName }}
# extraArgs as a map: each entry becomes --key=value. The value is converted to a
# string and passed through tpl with the root context, so template actions inside a
# value are evaluated at render time.
77 {{- if kindIs "map" .Values.extraArgs }}
78 {{- range $key, $value := .Values.extraArgs }}
80 - --{{ $key }}={{ tpl ($value | toString) $ }}
# extraArgs as a list: entries are emitted verbatim via toYaml, without tpl.
86 {{- if kindIs "slice" .Values.extraArgs }}
87 {{- with .Values.extraArgs }}
88 {{- toYaml . | nindent 10 }}
# The config file flag is passed when either an existing config is referenced or an
# inline config file is provided.
91 {{- if or .Values.config.existingConfig .Values.config.configFile }}
92 - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
# Allow-list of authenticated e-mail addresses. The file name under /etc/oauth2-proxy
# (hyphen, unlike the /etc/oauth2_proxy paths above) is the template value when set,
# otherwise authenticated-emails-list (the else line is not visible in this listing).
94 {{- if .Values.authenticatedEmailsFile.enabled }}
95 {{- if .Values.authenticatedEmailsFile.template }}
96 - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
98 - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
# Google group checks: flags are emitted only when an admin e-mail is set together
# with one credential source (inline JSON, existing Secret, or application default
# credentials).
101 {{- with .Values.config.google }}
102 {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
103 - --google-admin-email={{ .adminEmail }}
104 {{- if .useApplicationDefaultCredentials }}
105 - --google-use-application-default-credentials=true
# Presumably the else branch of the check above (line not visible): the key file is
# read from the mounted path instead.
107 - --google-service-account-json=/google/service-account.json
109 {{- if .targetPrincipal }}
110 - --google-target-principal={{ .targetPrincipal }}
# One flag per configured group.
114 {{- range $group := .groups }}
115 - --google-group={{ $group }}
119 {{- if .Values.htpasswdFile.enabled }}
120 - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
# Environment variables of the proxy container.
# With proxyVarsAsSecrets set, client id, client secret and cookie secret are declared
# with a reference named by the oauth2-proxy.secretName helper. The valueFrom and key
# lines are not visible in this listing - presumably secretKeyRef; confirm.
123 {{- if .Values.proxyVarsAsSecrets }}
124 - name: OAUTH2_PROXY_CLIENT_ID
127 name: {{ template "oauth2-proxy.secretName" . }}
129 - name: OAUTH2_PROXY_CLIENT_SECRET
132 name: {{ template "oauth2-proxy.secretName" . }}
134 - name: OAUTH2_PROXY_COOKIE_SECRET
137 name: {{ template "oauth2-proxy.secretName" . }}
# Redis session store: this section applies only when the session storage type,
# defaulting to cookie, equals redis.
140 {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
141 - name: OAUTH2_PROXY_SESSION_STORE_TYPE
# The password variable is declared when an existing Secret is named, a password is
# given in values, or the bundled redis has auth enabled.
143 {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}}
144 - name: OAUTH2_PROXY_REDIS_PASSWORD
# Source object name: the existing Secret if named, else the chart-managed
# <fullname>-redis-access when a password is set, else (presumably the else branch,
# line not visible) the name from the oauth2-proxy.redis.fullname helper.
147 {{- if .Values.sessionStorage.redis.existingSecret }}
148 name: {{ .Values.sessionStorage.redis.existingSecret }}
149 {{- else if .Values.sessionStorage.redis.password }}
150 name: {{ template "oauth2-proxy.fullname" . }}-redis-access
152 name: {{ include "oauth2-proxy.redis.fullname" . }}
154 key: {{ .Values.sessionStorage.redis.passwordKey }}
# Connection settings depend on clientType: standalone, cluster or sentinel.
156 {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
157 - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
158 value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
159 {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
160 - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
162 - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
# NOTE(review): the value is printed directly and unquoted. If connectionUrls is a
# list in values.yaml, it is printed in Go's bracketed form rather than as a
# comma-separated string, and an env value must be a string - confirm the type and
# consider join "," followed by quote. The same applies to the sentinel URLs below.
# Keep credentials out of these URLs: plain env values are visible in the pod spec.
163 value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
164 {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
165 - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
167 - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
168 value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
169 - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
170 value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
# Sentinel password: declared when a sentinel Secret, the general redis Secret, or a
# sentinel password in values is present.
171 {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }}
172 - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
# The sentinel-specific Secret wins; the general redis Secret is the fallback.
# Otherwise the chart-managed <fullname>-redis-access object is used.
175 {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }}
176 name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }}
178 name: {{ template "oauth2-proxy.fullname" . }}-redis-access
180 key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }}
# extraEnv is serialised to YAML first and then passed through tpl, so template
# actions inside any entry are evaluated with the root context.
184 {{- if .Values.extraEnv }}
185 {{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
# Container ports, probes and resources.
# Port selection: an explicit containerPort wins; otherwise 4180 for http and 4443
# for https. The empty checks in the else-if branches are redundant, because those
# branches are reached only when containerPort is already falsy.
188 {{- if .Values.containerPort }}
189 - containerPort: {{ .Values.containerPort }}
190 {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }}
191 - containerPort: 4180
192 {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }}
193 - containerPort: 4443
# The port is named after the scheme; the probes below address it by that name.
196 name: {{ .Values.httpScheme }}
# Metrics port, matching the --metrics-address listener.
198 {{- if .Values.metrics.enabled }}
199 - containerPort: 44180
# Liveness probe (its path line is not visible in this listing).
203 {{- if .Values.livenessProbe.enabled }}
207 port: {{ .Values.httpScheme }}
208 scheme: {{ .Values.httpScheme | upper }}
209 initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
210 timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
212 {{- if .Values.readinessProbe.enabled }}
# Readiness path: /ready when the version helper output compares greater than 7.4.0,
# else /ping.
# NOTE(review): include returns a string, so gt compares text, not versions. A
# version such as 7.10.0 sorts below 7.4.0 as text and would select /ping. Sprig's
# semverCompare does a real version comparison, but it fails to render on input that
# is not valid semver - check what the version helper can return before switching.
215 path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }}
216 port: {{ .Values.httpScheme }}
217 scheme: {{ .Values.httpScheme | upper }}
218 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
219 timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
220 successThreshold: {{ .Values.readinessProbe.successThreshold }}
221 periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
# Resource requests and limits are copied verbatim from values.
224 {{ toYaml .Values.resources | indent 10 }}
# Volume mounts, container security context and extra containers.
# The google-secret mount is added only for inline JSON or an existing Secret. Unlike
# the matching argument check, application default credentials are not in this
# condition, so no key file is mounted in that mode.
226 {{- with .Values.config.google }}
227 {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
228 - name: google-secret
# Config files are mounted as single files via subPath.
233 {{- if or .Values.config.existingConfig .Values.config.configFile }}
234 - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
236 subPath: oauth2_proxy.cfg
238 {{- if .Values.alphaConfig.enabled }}
239 - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
241 subPath: oauth2_proxy.yml
# The e-mail allow-list lives in /etc/oauth2-proxy (hyphen), a different directory
# from /etc/oauth2_proxy (underscore) used by the other mounts.
243 {{- if .Values.authenticatedEmailsFile.enabled }}
244 - mountPath: /etc/oauth2-proxy
245 name: configaccesslist
248 {{- if .Values.htpasswdFile.enabled }}
249 - mountPath: /etc/oauth2_proxy/htpasswd
250 name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
253 {{- if ne (len .Values.extraVolumeMounts) 0 }}
254 {{ toYaml .Values.extraVolumeMounts | indent 8 }}
# The container security context is rendered only when enabled is true; the enabled
# key is removed before the remaining keys are emitted.
# NOTE(review): with enabled false no container-level security context is rendered
# here at all - confirm the default in values.yaml keeps it on. Also, unset edits the
# values map in place, so later reads of securityContext.enabled in the same render
# would see it missing; omit returns a copy instead.
256 {{- if .Values.securityContext.enabled }}
257 {{- $securityContext := unset .Values.securityContext "enabled" }}
259 {{- toYaml $securityContext | nindent 10 }}
# Extra containers are copied verbatim from values. Nothing visible in this listing
# applies the security context above to them; each entry has to carry its own.
261 {{- if .Values.extraContainers }}
262 {{- toYaml .Values.extraContainers | nindent 6 }}
# Volume definitions backing the mounts of the main container.
# Google key volume: an existing Secret if named, otherwise <secretName>-google.
# Inside the with block the root context is reached through $.
265 {{- with .Values.config.google }}
266 {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
267 - name: google-secret
# The space after the else action is part of the rendered text, but a plain YAML
# scalar is trimmed, so the resulting name has no leading space.
269 secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }}
273 {{- if .Values.htpasswdFile.enabled }}
274 - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
276 secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
# E-mail allow-list stored in a Secret (persistence equals secret). The template
# value serves both as the object name and as the projected file name; without it
# the object is <fullname>-accesslist and the file is authenticated-emails-list
# (the else lines are not visible in this listing).
279 {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
280 - name: configaccesslist
283 - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
284 {{- if .Values.authenticatedEmailsFile.template }}
285 path: {{ .Values.authenticatedEmailsFile.template }}
287 path: authenticated-emails-list
289 {{- if .Values.authenticatedEmailsFile.template }}
290 secretName: {{ .Values.authenticatedEmailsFile.template }}
292 secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
# Main config: an existing object if named, otherwise the chart's own.
296 {{- if or .Values.config.existingConfig .Values.config.configFile }}
299 name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
302 {{- if .Values.alphaConfig.enabled }}
305 name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
# Extra volumes are copied verbatim from values.
308 {{- if ne (len .Values.extraVolumes) 0 }}
309 {{ toYaml .Values.extraVolumes | indent 6 }}
# E-mail allow-list stored in a ConfigMap (persistence equals configmap); same naming
# rules as the Secret variant above.
# NOTE(review): a ConfigMap is readable by anyone with read access to ConfigMaps in
# the namespace; the secret persistence mode is the tighter choice if the list of
# addresses is sensitive.
311 {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
313 {{- if .Values.authenticatedEmailsFile.template }}
314 name: {{ .Values.authenticatedEmailsFile.template }}
316 name: {{ template "oauth2-proxy.fullname" . }}-accesslist
319 - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
320 {{- if .Values.authenticatedEmailsFile.template }}
321 path: {{ .Values.authenticatedEmailsFile.template }}
323 path: authenticated-emails-list
325 name: configaccesslist
# Pull secrets and scheduling constraints, each copied verbatim from values and
# emitted only when set. Parent keys are not visible in this listing.
328 {{- if .Values.imagePullSecrets }}
330 {{ toYaml .Values.imagePullSecrets | indent 8 }}
332 {{- if .Values.affinity }}
334 {{ toYaml .Values.affinity | indent 8 }}
336 {{- if .Values.nodeSelector }}
338 {{ toYaml .Values.nodeSelector | indent 8 }}
# NOTE(review): no guard for tolerations is visible in this listing; the line that
# would hold it is among those omitted - confirm one exists.
341 {{ toYaml .Values.tolerations | indent 8 }}
# with both guards the block and rebinds the dot to the constraint list.
342 {{- with .Values.topologySpreadConstraints }}
343 topologySpreadConstraints:
344 {{- toYaml . | nindent 8 }}