Skip to content

Commit 002ddbb

Browse files
pierluigilenocipierluigilenoci
authored
Merge pull request #369 from oauth2-proxy/feat/gateway-api-support
feat: add gateway api support
2 parents be3bc00 + 16dca48 commit 002ddbb

File tree

6 files changed

+190
-27
lines changed

6 files changed

+190
-27
lines changed

helm/oauth2-proxy/Chart.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: oauth2-proxy
2-
version: 8.4.0
2+
version: 8.5.0
33
apiVersion: v2
44
appVersion: 7.13.0
55
home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -32,7 +32,7 @@ kubeVersion: ">=1.16.0-0"
3232
annotations:
3333
artifacthub.io/changes: |
3434
- kind: added
35-
description: Add imagePullSecrets support to ServiceAccount
35+
description: Add HTTPRoutes for Gateway API support
3636
links:
3737
- name: Github PR
38-
url: https://github.com/oauth2-proxy/manifests/pull/368
38+
url: https://github.com/oauth2-proxy/manifests/pull/369

helm/oauth2-proxy/README.md

Lines changed: 60 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -127,7 +127,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart
127127
| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` |
128128
| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` |
129129
| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` |
130-
| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` |
130+
| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` |
131131
| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` |
132132
| `alphaConfig.annotations` | Configmap annotations | `{}` |
133133
| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` |
@@ -170,9 +170,16 @@ The following table lists the configurable parameters of the oauth2-proxy chart
170170
| `ingress.annotations` | Ingress annotations | `nil` |
171171
| `ingress.hosts` | Ingress accepted hostnames | `nil` |
172172
| `ingress.tls` | Ingress TLS configuration | `nil` |
173+
| `gatewayApi.enabled` | Enable Gateway API HTTPRoute | `false` |
174+
| `gatewayApi.gatewayRef.name` | Name of the Gateway resource to attach the HTTPRoute to | `""` |
175+
| `gatewayApi.gatewayRef.namespace` | Namespace of the Gateway resource | `""` |
176+
| `gatewayApi.hostnames` | Hostnames to match in the HTTPRoute | `[]` |
177+
| `gatewayApi.rules` | HTTPRoute rule configuration. If not specified, a default rule with PathPrefix `/` will be created | `[]` |
178+
| `gatewayApi.labels` | Additional labels to add to the HTTPRoute | `{}` |
179+
| `gatewayApi.annotations` | Additional annotations to add to the HTTPRoute | `{}` |
173180
| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` |
174181
| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` |
175-
| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` |
182+
| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` |
176183
| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor \| replace "+" "")` |
177184
| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` |
178185
| `initContainers.waitForRedis.timeout` | number of seconds | 180 |
@@ -191,7 +198,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart
191198
| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true |
192199
| `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null |
193200
| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 |
194-
| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` |
201+
| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` |
195202
| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` |
196203
| `priorityClassName` | priorityClassName | `nil` |
197204
| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` |
@@ -201,7 +208,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart
201208
| `readinessProbe.successThreshold` | number of successes | 1 |
202209
| `replicaCount` | desired number of pods | `1` |
203210
| `resources` | pod resource requests & limits | `{}` |
204-
| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` |
211+
| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` |
205212
| `revisionHistoryLimit` | maximum number of revisions maintained | 10 |
206213
| `service.portNumber` | port number for the service | `80` |
207214
| `service.appProtocol` | application protocol on the port of the service | `http` |
@@ -273,6 +280,55 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml
273280

274281
> **Tip**: You can use the default [values.yaml](values.yaml)
275282
283+
## Gateway API HTTPRoute Configuration
284+
285+
This chart supports using [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resources as an alternative to traditional Ingress resources. To use Gateway API:
286+
287+
1. Ensure the Gateway API CRDs are installed in your cluster
288+
2. Create a Gateway resource (or use an existing one)
289+
3. Configure the chart to create an HTTPRoute
290+
291+
### Basic Gateway API Configuration
292+
293+
```yaml
294+
gatewayApi:
295+
enabled: true
296+
gatewayRef:
297+
name: my-gateway
298+
namespace: gateway-system
299+
hostnames:
300+
- oauth.example.com
301+
```
302+
303+
### Advanced Gateway API Configuration with Custom Rules
304+
305+
```yaml
306+
gatewayApi:
307+
enabled: true
308+
gatewayRef:
309+
name: my-gateway
310+
namespace: gateway-system
311+
hostnames:
312+
- oauth.example.com
313+
rules:
314+
- matches:
315+
- path:
316+
type: PathPrefix
317+
value: /oauth2
318+
filters:
319+
- type: RequestHeaderModifier
320+
requestHeaderModifier:
321+
add:
322+
- name: X-Auth-Request
323+
value: "true"
324+
labels:
325+
app: oauth2-proxy
326+
annotations:
327+
example.com/annotation: "value"
328+
```
329+
330+
If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.
331+
276332
## TLS Configuration
277333

278334
See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/).

helm/oauth2-proxy/ci/gateway-api-minimal.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
# Minimal Gateway API configuration with default rule
2+
gatewayApi:
3+
enabled: true
4+
gatewayRef:
5+
name: minimal-gateway
6+
hostnames:
7+
- minimal.example.com

helm/oauth2-proxy/ci/gateway-api.yaml

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
# Test values for Gateway API HTTPRoute configuration
2+
gatewayApi:
3+
enabled: true
4+
gatewayRef:
5+
name: example-gateway
6+
namespace: gateway-system
7+
hostnames:
8+
- oauth.example.com
9+
rules:
10+
- matches:
11+
- path:
12+
type: PathPrefix
13+
value: /oauth2
14+
annotations:
15+
example.com/annotation: "value"
16+
labels:
17+
example.com/label: "value"

0 commit comments

Comments
 (0)