diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index de8ff3a..0729b25 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 8.5.1 +version: 9.0.0 apiVersion: v2 appVersion: 7.13.0 home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -31,8 +31,8 @@ maintainers: kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: added - description: Add HTTPRoutes for Gateway API support + - kind: changed + description: Breaking change: Separate image.repository into (image.registry / image.repository) and support .global.imageRegistry links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/pull/369 + url: https://github.com/oauth2-proxy/manifests/pull/367 diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md index 7181bed..e698e49 100644 --- a/helm/oauth2-proxy/README.md +++ b/helm/oauth2-proxy/README.md @@ -85,13 +85,13 @@ For users who don't want downtime, you can perform these actions: ### To 6.0.0 Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0. -You probably need to adjust your Redis configuration. +You probably need to adjust your Redis configuration. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. ### To 7.0.0 -Version 7.0.0 introduces a new implementation to support multiple hostAliases. -You probably need to adjust your hostAliases config. +Version 7.0.0 introduces a new implementation to support multiple hostAliases. +You probably need to adjust your hostAliases config. See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information. ### To 8.0.0 - Bitnami 💀 
@@ -100,6 +100,12 @@ Version 8.0.0 removes the dependency on the Bitnami Redis subchart and replaces Furthermore, you can read up on why this change was necessary in [Breaking changes in Bitnami Catalog #323](https://github.com/oauth2-proxy/manifests/issues/323) +### To 9.0.0 + +Version 9.0.0 introduces a breaking change by splitting the `image.repository` value into `image.registry` and `image.repository` to support +custom registries. Furthermore, it introduces the `global.imageRegistry` value to allow for centrally overriding the image registry that is used to pull images. + +This means if you were using an override for `image.repository` (to pull from a different artifact repository), you will likely have to adjust it for the new `image.registry` value. See [#367](https://github.com/oauth2-proxy/manifests/pull/367) for detailed information. ## Configuration 
@@ -108,162 +114,165 @@ The following table lists the configurable parameters of the oauth2-proxy chart | Parameter | Description | Default | | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- | | `affinity` | node/pod affinities | None | +| `alphaConfig.annotations` | Configmap annotations | `{}` | +| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | +| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | +| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | +| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. 
See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | +| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | +| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | | `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` | | `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` | -| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | | `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` | | `authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` | -| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | -| `config.clientID` | oauth client ID | `""` | -| `config.clientSecret` | oauth client secret | `""` | -| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` | -| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. 
See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | -| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | -| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | -| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | +| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | +| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | +| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | | `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` | -| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | | `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` | +| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | | `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | | `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | -| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | -| `autoscaling.behavior` | Configure HPA behavior policies for scaling. 
See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | -| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | -| `alphaConfig.annotations` | Configmap annotations | `{}` | -| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | -| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | -| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | -| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | -| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | -| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | -| `customLabels` | Custom labels to add into metadata | `{}` | +| `checkDeprecation` | Enable deprecation checks | `true` | +| `config.clientID` | oauth client ID | `""` | +| `config.clientSecret` | oauth client secret | `""` | +| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | +| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | +| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` | +| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. 
See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | +| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | | `config.google.adminEmail` | user impersonated by the Google service account | `""` | -| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | -| `config.google.targetPrincipal` | service account to use/impersonate | `""` | -| `config.google.serviceAccountJson` | Google service account JSON contents | `""` | | `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` | | `config.google.groups` | restrict logins to members of these Google groups | `[]` | +| `config.google.serviceAccountJson` | Google service account JSON contents | `""` | +| `config.google.targetPrincipal` | service account to use/impersonate | `""` | +| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | | `containerPort` | used to customize port on the deployment | `""` | +| `customLabels` | Custom labels to add into metadata | `{}` | +| `deploymentAnnotations` | annotations to add to the deployment | `{}` | | `enableServiceLinks` | configure deployment enableServiceLinks | `true` | | `extraArgs` | Extra arguments to give the binary. 
Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` | | `extraContainers` | List of extra containers to be added to the pod | `[]` | -| `extraInitContainers` | List of extra initContainers to be added to the pod | `[]` | | `extraEnv` | key:value list of extra environment variables to give the binary | `[]` | -| `extraVolumes` | list of extra volumes | `[]` | +| `extraInitContainers` | List of extra initContainers to be added to the pod | `[]` | +| `extraObjects` | Extra K8s manifests to deploy | `[]` | | `extraVolumeMounts` | list of extra volumeMounts | `[]` | +| `extraVolumes` | list of extra volumes | `[]` | +| `gatewayApi.annotations` | Additional annotations to add to the HTTPRoute | `{}` | +| `gatewayApi.enabled` | Enable Gateway API HTTPRoute | `false` | +| `gatewayApi.gatewayRef.name` | Name of the Gateway resource to attach the HTTPRoute to | `""` | +| `gatewayApi.gatewayRef.namespace` | Namespace of the Gateway resource | `""` | +| `gatewayApi.hostnames` | Hostnames to match in the HTTPRoute | `[]` | +| `gatewayApi.labels` | Additional labels to add to the HTTPRoute | `{}` | +| `gatewayApi.rules` | HTTPRoute rule configuration. If not specified, a default rule with PathPrefix `/` will be created | `[]` | +| `global.imageRegistry` | For globally overriding the image registry otherwise defaulting to `image.registry` | | +| `global.imagePullSecrets` | For globally overriding the image pull secrets otherwise defaulting to `imagePullSecrets` | `[]` | | `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. 
| | | `htpasswdFile.enabled` | enable htpasswd-file option | `false` | | `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` | | `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` | | `httpScheme` | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | | `image.command` | Define command to be executed by container at startup | `[]` | -| `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.registry` | Image registry | `quay.io` | +| `image.repository` | Image repository | `oauth2-proxy/oauth2-proxy` | | `image.tag` | Image tag | `""` (defaults to appVersion) | | `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | -| `ingress.enabled` | Enable Ingress | `false` | +| `ingress.annotations` | Ingress annotations | `nil` | | `ingress.className` | name referencing IngressClass | `nil` | -| `ingress.path` | Ingress accepted path | `/` | -| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | +| `ingress.enabled` | Enable Ingress | `false` | | `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). 
| `[]` | -| `ingress.labels` | Ingress extra labels | `{}` | -| `ingress.annotations` | Ingress annotations | `nil` | | `ingress.hosts` | Ingress accepted hostnames | `nil` | +| `ingress.labels` | Ingress extra labels | `{}` | +| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | +| `ingress.path` | Ingress accepted path | `/` | | `ingress.tls` | Ingress TLS configuration | `nil` | -| `gatewayApi.enabled` | Enable Gateway API HTTPRoute | `false` | -| `gatewayApi.gatewayRef.name` | Name of the Gateway resource to attach the HTTPRoute to | `""` | -| `gatewayApi.gatewayRef.namespace` | Namespace of the Gateway resource | `""` | -| `gatewayApi.hostnames` | Hostnames to match in the HTTPRoute | `[]` | -| `gatewayApi.rules` | HTTPRoute rule configuration. If not specified, a default rule with PathPrefix `/` will be created | `[]` | -| `gatewayApi.labels` | Additional labels to add to the HTTPRoute | `{}` | -| `gatewayApi.annotations` | Additional annotations to add to the HTTPRoute | `{}` | | `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. 
If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | | `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | | `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` | | `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor \| replace "+" "")` | +| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | | `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | | `initContainers.waitForRedis.timeout` | number of seconds | 180 | -| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | | `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | | `livenessProbe.initialDelaySeconds` | number of seconds | 0 | | `livenessProbe.timeoutSeconds` | number of seconds | 1 | +| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | +| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | +| `metrics.port` | Serve Prometheus metrics on this port | `44180` | +| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | +| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | +| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. 
| `""` | +| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | +| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | +| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | +| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | +| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | +| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. 
| `{}` | | `namespaceOverride` | Override the deployment namespace | `""` | | `networkPolicy.create` | Create a NetworkPolicy resource | `false` | -| `networkPolicy.ingress` | List of ingress configuration objects | `[]` | | `networkPolicy.egress` | List of egress configuration objects | `[]` | +| `networkPolicy.ingress` | List of ingress configuration objects | `[]` | | `nodeSelector` | node labels for pod assignment | `{}` | -| `deploymentAnnotations` | annotations to add to the deployment | `{}` | | `podAnnotations` | annotations to add to each pod | `{}` | -| `podLabels` | additional labels to add to each pod | `{}` | | `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | | `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null | | `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 | | `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` | +| `podLabels` | additional labels to add to each pod | `{}` | | `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | | `priorityClassName` | priorityClassName | `nil` | +| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | | `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | | `readinessProbe.initialDelaySeconds` | number of seconds | 0 | -| `readinessProbe.timeoutSeconds` | number of seconds | 5 | | `readinessProbe.periodSeconds` | number of seconds | 10 | | `readinessProbe.successThreshold` | number of successes | 1 | +| `readinessProbe.timeoutSeconds` | number of seconds | 5 | +| `redis.enabled` | Enable the Redis subchart deployment | `false` | | `replicaCount` | desired number of pods | `1` | -| `resources` | pod resource requests & limits | `{}` | | `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` | +| `resources` | pod resource requests & limits | `{}` | | `revisionHistoryLimit` | maximum number of revisions maintained | 10 | -| `service.portNumber` | port number for the service | `80` | +| `securityContext.enabled` | enable Kubernetes security context on container | `true` | | `service.appProtocol` | application protocol on the port of the service | `http` | +| `service.clusterIP` | cluster ip address | `nil` | | `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` | | `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` | -| `service.type` | type of service | `ClusterIP` | -| `service.clusterIP` | cluster ip address | `nil` | +| `service.ipDualStack.enabled` | enable IPv4/IPv6 dual-stack for the service | `false` | +| `service.ipDualStack.ipFamilies` | ip families for the service if IPv4/IPv6 dual-stack is enabled | `["IPv6", "IPv4"]` | +| `service.ipDualStack.ipFamilyPolicy` | ip family policy for the service if IPv4/IPv6 dual-stack is enabled | `"PreferDualStack"` | | `service.loadBalancerIP` | ip of load balancer | `nil` | | 
`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | | `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | +| `service.portNumber` | port number for the service | `80` | | `service.targetPort` | (optional) a numeric port number (e.g., 80) or a port name defined in the pod's container(s) (e.g., http) | `""` | -| `service.ipDualStack.enabled` | enable IPv4/IPv6 dual-stack for the service | `false` | -| `service.ipDualStack.ipFamilies` | ip families for the service if IPv4/IPv6 dual-stack is enabled | `["IPv6", "IPv4"]` | -| `service.ipDualStack.ipFamilyPolicy` | ip family policy for the service if IPv4/IPv6 dual-stack is enabled | `"PreferDualStack"` | | `service.trafficDistribution` | traffic distribution policy for the service. See [Kubernetes docs](https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution) | `""` | -| `serviceAccount.enabled` | create a service account | `true` | -| `serviceAccount.name` | the service account name | `` | +| `service.type` | type of service | `ClusterIP` | | `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | +| `serviceAccount.enabled` | create a service account | `true` | | `serviceAccount.imagePullSecrets` | imagePullSecrets for the service account | `[]` | -| `strategy` | configure deployment strategy | `{}` | -| `tolerations` | list of node taints to tolerate | `[]` | -| `securityContext.enabled` | enable Kubernetes security context on container | `true` | -| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. 
When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | -| `sessionStorage.type` | Session storage type which can be one of the following: `cookie` or `redis` | `cookie` | -| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | -| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` | -| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | +| `serviceAccount.name` | the service account name | `` | | `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` | -| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. | `""` | | `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | +| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | +| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. 
`sessionStorage.redis.existingSecret` takes precedence | `nil` | +| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | | `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` | -| `sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | -| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | | `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` | -| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | +| `sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | +| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. 
| `""` | +| `sessionStorage.type` | Session storage type which can be one of the following: `cookie` or `redis` | `cookie` | +| `strategy` | configure deployment strategy | `{}` | +| `tolerations` | list of node taints to tolerate | `[]` | | `topologySpreadConstraints` | List of pod topology spread constraints | `[]` | -| `redis.enabled` | Enable the Redis subchart deployment | `false` | -| `checkDeprecation` | Enable deprecation checks | `true` | -| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | -| `metrics.port` | Serve Prometheus metrics on this port | `44180` | -| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | -| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | -| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | -| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | -| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | -| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | -| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | -| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | -| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | -| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. | `{}` | -| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. | `""` | -| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | -| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. 
| `[]` | -| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | -| `extraObjects` | Extra K8s manifests to deploy | `[]` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index aae00df..4c8fcdc 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -108,7 +108,7 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" + image: "{{ .Values.global.imageRegistry | default .Values.image.registry }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if .Values.image.command }} command: diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index 33361cc..416e9e3 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml @@ -1,9 +1,10 @@ -global: {} -# To help compatibility with other charts which use global.imagePullSecrets. -# global: -# imagePullSecrets: -# - name: pullSecret1 -# - name: pullSecret2 +global: + # Global registry to pull the images from + imageRegistry: "" + # To help compatibility with other charts which use global.imagePullSecrets. + imagePullSecrets: [] + # - name: pullSecret1 + # - name: pullSecret2 ## Override the deployment namespace ## @@ -74,7 +75,8 @@ alphaConfig: existingSecret: ~ image: - repository: "quay.io/oauth2-proxy/oauth2-proxy" + registry: "quay.io" + repository: "oauth2-proxy/oauth2-proxy" # appVersion is used by default tag: "" pullPolicy: "IfNotPresent"
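Review bot: The new image line joins `global.imageRegistry | default image.registry`, a slash and `image.repository` without validating the parts, so a pre-9.0.0 override such as `image.repository: registry.example.com/oauth2-proxy/oauth2-proxy` now renders as `quay.io/registry.example.com/oauth2-proxy/oauth2-proxy:<tag>` and an empty `image.registry` renders a leading slash; both surface only as a pull failure at deploy time, and the first sends a pull that was meant for a private mirror to quay.io instead. Since the chart already has a `checkDeprecation` switch, a guard ahead of the container spec would fail at template time: `{{- if and .Values.checkDeprecation (regexMatch "^[^/]*[.:][^/]*/" .Values.image.repository) }}` / `{{- fail "image.repository must not contain a registry host since chart 9.0.0; set image.registry or global.imageRegistry instead" }}` / `{{- end }}`. Applying `trimSuffix "/"` to the chosen registry would also avoid a double slash when a user sets `image.registry: "quay.io/"`. While the reference is being restructured, consider accepting an optional `image.digest` so deployments can pin by `@sha256:` rather than a mutable tag. The `oauth2-proxy.version` helper that supplies the tag is defined outside this hunk.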
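Review bot: The comment on `imageRegistry: ""` does not say that an empty value is the fall-through and that a non-empty value takes precedence over `image.registry`, which is what the `default` in the deployment template gives it; a parent chart or shared values file that sets `global.imageRegistry` therefore redirects this chart's image source, and operators auditing where images come from need that spelled out. Suggest `# Registry host that overrides image.registry when non-empty; leave empty to use image.registry`. The diff only rewires the main container's image, so if the waitForRedis init container image (listed in the README under `initContainers.waitForRedis.image.repository`, defaulting to `alpine`) is not also composed from this value, the comment should say it does not cover that image, so mirrored or air-gapped clusters are not surprised by a Docker Hub pull.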
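Review bot: Nothing in the `image:` block tells someone editing values.yaml that `repository` must no longer carry the registry host, although that is the breaking change this release exists for; an 8.x override carried over unchanged is rendered by the deployment template as `quay.io/<their host>/...`. Suggest `# Registry host only (e.g. quay.io); overridden by global.imageRegistry when that is set` above `registry:` and `# Image path without the registry host; since chart 9.0.0 the host lives in image.registry` above `repository:`. If the `oauth2-proxy.version` helper does not accept a digest, the `tag:` comment should also say that appVersion is a mutable tag and that digest pinning is not supported, so users know to mirror and verify the image themselves.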