[bitnami/oauth2-proxy] feat: 🔒 Add resource preset support (#23500)

* [bitnami/oauth2-proxy] feat: 🔒 Add resource preset support

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Add missing if-else statement

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
This commit is contained in:
Javier J. Salmerón-García
2024-02-19 11:37:04 +01:00
committed by GitHub
parent f3003ea412
commit 24e7ec360d
6 changed files with 106 additions and 110 deletions

View File

@@ -1,9 +1,9 @@
dependencies:
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 18.12.1
version: 18.13.0
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.14.1
digest: sha256:8ae85b6bb6ddbc9fedf8e5b2b1368115e04ed9ba305f7ca5fb0c285ad29528a3
generated: "2024-02-07T10:56:46.461344801Z"
version: 2.15.3
digest: sha256:ef15fdb7c834d0d363330ffc2e2893ae2d4064425cdbf1a7a9ebd39c041aefdb
generated: "2024-02-14T15:43:49.824597424+01:00"
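Review bot: the `common` bump from 2.14.1 to 2.15.3 is the one that matters for this change, because the `common.resources.preset` and `common.warnings.resources` helpers included elsewhere in this commit come from that chart; the `Chart.yaml` hunk below only shows the chart `version` line, so please confirm the `dependencies` constraint for `common` in `Chart.yaml` was raised to a range that admits 2.15.x, otherwise a later `helm dependency update` will regenerate a lock that disagrees with this one. The `redis` bump to 18.13.0 rides along and is unrelated to the feature.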

View File

@@ -35,4 +35,4 @@ maintainers:
name: oauth2-proxy
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/oauth2-proxy
version: 4.6.3
version: 4.7.0
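Review bot: a minor bump (4.6.3 to 4.7.0) is the right level for this change: values previously set under `resources.limits` and `resources.requests` still land in the new `resources` map unchanged, and `resourcesPreset` defaults to `none`, so upgraders see no rendered difference unless they opt in to a preset.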

View File

@@ -156,84 +156,84 @@ The command removes all the Kubernetes components associated with the chart and
### OAuth2 Proxy deployment parameters
| Name | Description | Value |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------ | ---------------- |
| `containerPort` | OAuth2 Proxy port number | `4180` |
| `extraContainerPorts` | Array of additional container ports for the OAuth2 Proxy container | `[]` |
| `replicaCount` | Number of OAuth2 Proxy replicas to deploy | `1` |
| `extraArgs` | add extra args to the default command | `[]` |
| `startupProbe.enabled` | Enable startupProbe on OAuth2 Proxy nodes | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe on OAuth2 Proxy nodes | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe on OAuth2 Proxy nodes | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `resources.limits` | The resources limits for the OAuth2 Proxy containers | `{}` |
| `resources.requests` | The requested resources for the OAuth2 Proxy containers | `{}` |
| `pdb.create` | Enable a Pod Disruption Budget creation | `false` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `1` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` |
| `podSecurityContext.enabled` | Enabled OAuth2 Proxy pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set OAuth2 Proxy pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | OAuth2 Proxy pods host aliases | `[]` |
| `podLabels` | Extra labels for OAuth2 Proxy pods | `{}` |
| `podAnnotations` | Annotations for OAuth2 Proxy pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
| `affinity` | Affinity for OAuth2 Proxy pods assignment | `{}` |
| `nodeSelector` | Node labels for OAuth2 Proxy pods assignment | `{}` |
| `tolerations` | Tolerations for OAuth2 Proxy pods assignment | `[]` |
| `updateStrategy.type` | OAuth2 Proxy statefulset strategy type | `RollingUpdate` |
| `priorityClassName` | OAuth2 Proxy pods' priorityClassName | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `lifecycleHooks` | for the OAuth2 Proxy container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to OAuth2 Proxy nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for OAuth2 Proxy nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for OAuth2 Proxy nodes | `""` |
| `extraVolumes` | Optionally specify extra list of additional volumes for the OAuth2 Proxy pod(s) | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the OAuth2 Proxy container(s) | `[]` |
| `sidecars` | Add additional sidecar containers to the OAuth2 Proxy pod(s) | `[]` |
| `initContainers` | Add additional init containers to the OAuth2 Proxy pod(s) | `[]` |
| `dnsPolicy` | Pod DNS policy. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. | `""` |
| `dnsConfig` | Pod DNS configuration. | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use | `""` |
| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
| Name | Description | Value |
| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| `containerPort` | OAuth2 Proxy port number | `4180` |
| `extraContainerPorts` | Array of additional container ports for the OAuth2 Proxy container | `[]` |
| `replicaCount` | Number of OAuth2 Proxy replicas to deploy | `1` |
| `extraArgs` | add extra args to the default command | `[]` |
| `startupProbe.enabled` | Enable startupProbe on OAuth2 Proxy nodes | `false` |
| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` |
| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `livenessProbe.enabled` | Enable livenessProbe on OAuth2 Proxy nodes | `true` |
| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` |
| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `readinessProbe.enabled` | Enable readinessProbe on OAuth2 Proxy nodes | `true` |
| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` |
| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` |
| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `pdb.create` | Enable a Pod Disruption Budget creation | `false` |
| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `1` |
| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `""` |
| `podSecurityContext.enabled` | Enabled OAuth2 Proxy pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set OAuth2 Proxy pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `automountServiceAccountToken` | Mount Service Account token in pod | `false` |
| `hostAliases` | OAuth2 Proxy pods host aliases | `[]` |
| `podLabels` | Extra labels for OAuth2 Proxy pods | `{}` |
| `podAnnotations` | Annotations for OAuth2 Proxy pods | `{}` |
| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` |
| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` |
| `affinity` | Affinity for OAuth2 Proxy pods assignment | `{}` |
| `nodeSelector` | Node labels for OAuth2 Proxy pods assignment | `{}` |
| `tolerations` | Tolerations for OAuth2 Proxy pods assignment | `[]` |
| `updateStrategy.type` | OAuth2 Proxy statefulset strategy type | `RollingUpdate` |
| `priorityClassName` | OAuth2 Proxy pods' priorityClassName | `""` |
| `schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `lifecycleHooks` | for the OAuth2 Proxy container(s) to automate configuration before or after startup | `{}` |
| `extraEnvVars` | Array with extra environment variables to add to OAuth2 Proxy nodes | `[]` |
| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for OAuth2 Proxy nodes | `""` |
| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for OAuth2 Proxy nodes | `""` |
| `extraVolumes` | Optionally specify extra list of additional volumes for the OAuth2 Proxy pod(s) | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the OAuth2 Proxy container(s) | `[]` |
| `sidecars` | Add additional sidecar containers to the OAuth2 Proxy pod(s) | `[]` |
| `initContainers` | Add additional init containers to the OAuth2 Proxy pod(s) | `[]` |
| `dnsPolicy` | Pod DNS policy. Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. | `""` |
| `dnsConfig` | Pod DNS configuration. | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use | `""` |
| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. Only used if `create` is `true`. | `{}` |
### External Redis&reg; parameters
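Review bot: the `resourcesPreset` row lists `none` among the allowed values without saying what it does; since the deployment template in this commit renders no `resources` block at all when the preset is `none` and `resources` is empty, a short clause such as "`none` renders no requests or limits" would make the consequence of the default explicit to operators, which matters because a container with no limits can be driven to exhaust node memory. The rest of the regenerated table matches the `@param` annotations in values.yaml.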
@@ -291,6 +291,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/oauth
## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
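Review bot: the new "Resource requests and limits" section spells the parameter two ways: `resourcesPreset` in the second sentence and `resourcePreset` in "using `resourcePreset` is discouraged"; the value is `resourcesPreset`, so fix the second occurrence. In the same paragraph "the chart contains the `resourcesPreset` values, which automatically sets" should read "the `resourcesPreset` value, which automatically sets". The link to `_resources.tpl#L15` anchors a line number that will drift as the common chart changes; link to the file or to a commit permalink instead.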

View File

@@ -43,3 +43,4 @@ Get the application URL by running these commands:
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "oauth2-proxy.validateValues" . }}
{{- include "common.warnings.resources" (dict "sections" (list "") "context" $) }}
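Review bot: the empty string in `(list "")` is not self-explanatory; add a one-line comment saying it names the chart's root-level `resources`/`resourcesPreset` values rather than a named sub-section, so the next maintainer does not read it as a bug. This NOTES.txt line is the only install-time signal an operator gets that the proxy is being deployed on a preset (or on nothing) instead of explicit requests and limits, so it is worth keeping it and keeping it accurate.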

View File

@@ -190,6 +190,8 @@ spec:
{{- end }}
{{- if .Values.resources }}
resources: {{ include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.customStartupProbe }}
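Review bot: the two branches trim whitespace differently: the `.Values.resources` branch uses `{{ include ... }}` and leaves a trailing space after `resources:` before `nindent` breaks the line, while the preset branch uses `{{- include ... }}`; both render valid YAML because `nindent` begins with a newline, but using `{{-` in both keeps the output free of trailing whitespace and makes the branches read as the pair they are. The `if .Values.resources` test relies on the `{}` default being falsy in Go templates, which is correct, and the `else if ne .Values.resourcesPreset "none"` guard is what keeps the `none` preset from calling the helper; that guard is the "missing if-else" the second item of the commit message refers to.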

View File

@@ -19,7 +19,6 @@ global:
##
imagePullSecrets: []
storageClass: ""
## @section Common parameters
##
@@ -44,7 +43,6 @@ clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
@@ -59,7 +57,6 @@ diagnosticMode:
##
args:
- infinity
## @section Traffic Exposure Parameters
##
@@ -115,7 +112,6 @@ service:
## timeoutSeconds: 300
##
sessionAffinityConfig: {}
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
@@ -171,7 +167,6 @@ networkPolicy:
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## Configure the ingress resource that allows you to access the OAuth2 Proxy installation
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
@@ -288,7 +283,6 @@ ingress:
## name: http
##
extraRules: []
## @section OAuth2 Proxy Image parameters
##
@@ -319,7 +313,6 @@ image:
## - myRegistryKeySecretName
##
pullSecrets: []
## @section OAuth2 Proxy configuration parameters
##
@@ -370,7 +363,6 @@ configuration:
content: |
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
## @param configuration.existingConfigmap Configmap with the OAuth2 Proxy configuration
##
existingConfigmap: ""
@@ -390,7 +382,6 @@ configuration:
##
content: ""
existingSecret: ""
## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
## @param configuration.htpasswdFile.enabled Enable htpasswd file
## @param configuration.htpasswdFile.existingSecret Existing secret for htpasswd file
@@ -407,23 +398,18 @@ configuration:
## testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
##
content: ""
## @param configuration.oidcIssuerUrl OpenID Connect issuer URL
oidcIssuerUrl: ""
## @param configuration.redirectUrl OAuth Redirect URL
redirectUrl: ""
## @param configuration.whiteList Allowed domains for redirection after authentication. Prefix domain with a . or a *. to allow subdomains
whiteList: ""
## @section OAuth2 Proxy deployment parameters
##
## @param containerPort OAuth2 Proxy port number
##
containerPort: 4180
## @param extraContainerPorts Array of additional container ports for the OAuth2 Proxy container
## e.g:
## extraContainerPorts:
@@ -431,11 +417,9 @@ containerPort: 4180
## containerPort: 9100
##
extraContainerPorts: []
## @param replicaCount Number of OAuth2 Proxy replicas to deploy
##
replicaCount: 1
## @param extraArgs add extra args to the default command
##
extraArgs: []
@@ -494,13 +478,21 @@ customLivenessProbe: {}
customReadinessProbe: {}
## OAuth2 Proxy resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resources.limits The resources limits for the OAuth2 Proxy containers
## @param resources.requests The requested resources for the OAuth2 Proxy containers
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resources:
limits: {}
requests: {}
resourcesPreset: "none"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## Limits the number of pods of the replicated application that are down simultaneously from voluntary disruptions
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions
## e.g:
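Review bot: the "More information" link anchors to `_resources.tpl#L15`, a line number in another chart that will drift with any edit to that file; link to the file, or to a permalink at a fixed commit, instead. Replacing the separate `@param resources.limits` / `@param resources.requests` annotations with a single `@param resources` whose example shows the nested `requests`/`limits` shape is fine, since the generated README table no longer documents those keys individually; the example could also carry a one-line reminder that the values shown (`cpu: 2`, `memory: 512Mi`) are placeholders to be sized for the deployment, not recommendations.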
@@ -515,7 +507,6 @@ pdb:
create: false
minAvailable: 1
maxUnavailable: ""
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled OAuth2 Proxy pods' Security Context
@@ -554,7 +545,6 @@ containerSecurityContext:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## @param command Override default container command (useful when using custom images)
##
command: []
@@ -695,7 +685,6 @@ dnsPolicy: ""
## - example.com
##
dnsConfig: {}
## ServiceAccount configuration
##
serviceAccount:
@@ -712,7 +701,6 @@ serviceAccount:
## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
##
annotations: {}
## @section External Redis&reg; parameters
##
externalRedis:
@@ -733,7 +721,6 @@ externalRedis:
## @param externalRedis.existingSecretPasswordKey Key inside the existing secret with Redis&reg; credentials
##
existingSecretPasswordKey: ""
## @section Redis&reg; sub-chart parameters
##
redis: