diff --git a/.github/workflows/generate-chart-readme.yml b/.github/workflows/generate-chart-readme.yml index 1279929d59..068ac31e15 100644 --- a/.github/workflows/generate-chart-readme.yml +++ b/.github/workflows/generate-chart-readme.yml @@ -1,8 +1,8 @@ name: Generate Chart Readme -on: +on: pull_request: - branches: + branches: - master paths: - 'bitnami/airflow/values.yaml' @@ -30,6 +30,7 @@ on: - 'bitnami/metrics-server/values.yaml' - 'bitnami/minio/values.yaml' - 'bitnami/mongodb/values.yaml' + - "bitnami/oauth2-proxy/values.yaml" - 'bitnami/nginx-ingress-controller/values.yaml' - 'bitnami/node/values.yaml' - 'bitnami/node-exporter/values.yaml' @@ -45,11 +46,10 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout bitnami-labs/readme-generator-for-helm uses: actions/checkout@v2 with: - repository: 'bitnami-labs/readme-generator-for-helm' + repository: "bitnami-labs/readme-generator-for-helm" path: readme-generator-for-helm - name: Cache node modules @@ -75,7 +75,7 @@ jobs: id: pr-file-changes uses: trilom/file-changes-action@v1.2.3 with: - fileOutput: ' ' + fileOutput: " " - name: Prepare readme-generator-for-helm inputs run: | diff --git a/bitnami/oauth2-proxy/.helmignore b/bitnami/oauth2-proxy/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/bitnami/oauth2-proxy/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/bitnami/oauth2-proxy/Chart.lock b/bitnami/oauth2-proxy/Chart.lock new file mode 100644 index 0000000000..880bd420e6 --- /dev/null +++ b/bitnami/oauth2-proxy/Chart.lock 
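Review bot: In the `@@ -30,6 +30,7 @@` hunk the added `- "bitnami/oauth2-proxy/values.yaml"` is double-quoted while every neighbouring path in the `paths:` list is single-quoted, and it is slotted between the mongodb and nginx-ingress-controller entries although the surrounding list appears to be kept in alphabetical order. `- 'bitnami/oauth2-proxy/values.yaml'` placed after the node-exporter entry (the exact alphabetical slot falls outside this hunk) would keep the list uniform and easy to grep. The remaining three hunks in this file only change quote style and whitespace.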
@@ -0,0 +1,9 @@
+dependencies:
+- name: common
+ repository: https://charts.bitnami.com/bitnami
+ version: 1.7.0
+- name: redis
+ repository: https://charts.bitnami.com/bitnami
+ version: 14.6.6
+digest: sha256:f7cb382986699af743e03d00cfcda3772ea4209b56edd62c1d50445b7ae11070
+generated: "2021-07-13T11:25:41.300914+02:00"
diff --git a/bitnami/oauth2-proxy/Chart.yaml b/bitnami/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000000..055ea39c59
--- /dev/null
+++ b/bitnami/oauth2-proxy/Chart.yaml
@@ -0,0 +1,33 @@
+annotations:
+ category: Infrastructure
+apiVersion: v2
+appVersion: 7.1.3
+dependencies:
+ - name: common
+ repository: https://charts.bitnami.com/bitnami
+ tags:
+ - bitnami-common
+ version: 1.x.x
+ - name: redis
+ repository: https://charts.bitnami.com/bitnami
+ condition: redis.enabled
+ version: 14.x.x
+description: A reverse proxy and static file server that provides authentication using different providers
+engine: gotpl
+home: https://github.com/bitnami/charts/tree/master/bitnami/oauth2-proxy
+icon: https://bitnami.com/assets/stacks/oauth2-proxy/img/oauth2-proxy-stack-220x234.png
+keywords:
+ - kubernetes
+ - oauth
+ - oauth2
+ - authentication
+ - google
+ - github
+maintainers:
+ - email: containers@bitnami.com
+ name: Bitnami
+name: oauth2-proxy
+sources:
+ - https://github.com/bitnami/bitnami-docker-oauth2-proxy
+ - https://github.com/oauth2-proxy/oauth2-proxy
+version: 0.1.0
diff --git a/bitnami/oauth2-proxy/README.md b/bitnami/oauth2-proxy/README.md
new file mode 100644
index 0000000000..176cab9ba2
--- /dev/null
+++ b/bitnami/oauth2-proxy/README.md
@@ -0,0 +1,287 @@ +# OAuth2 Proxy + +[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. + +## TL;DR + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/oauth2-proxy +``` + +## Introduction + +Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads. + +This chart bootstraps a [OAuth2 Proxy](https://github.com/oauth2-proxy/oauth2-proxy) Deployment in a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 +- PV provisioner support in the underlying infrastructure +- ReadWriteMany volumes for deployment scaling + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release bitnami/oauth2-proxys +``` + +The command deploys OAuth2 Proxy on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Parameters + +### Global parameters + +| Name | Description | Value | +| ------------------------- | ----------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `nil` | + + +### Common parameters + +| Name | Description | Value | +| ------------------- | -------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `nil` | +| `nameOverride` | String to partially override common.names.fullname | `nil` | +| `fullnameOverride` | String to fully override common.names.fullname | `nil` | +| `commonLabels` | Labels to add to all deployed objects | `{}` | +| `commonAnnotations` | Annotations to add to all deployed objects | `{}` | +| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | + + +### Traffic Exposure Parameters + +| Name | Description | Value | +| ---------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | OAuth2 Proxy service type | `ClusterIP` | +| `service.port` | OAuth2 Proxy service HTTP port | `80` | +| `service.nodePorts.http` | Node port for HTTP | `nil` | +| `service.clusterIP` | OAuth2 Proxy service Cluster IP | `nil` | +| `service.loadBalancerIP` | OAuth2 Proxy service Load Balancer IP | `nil` | +| `service.loadBalancerSourceRanges` | OAuth2 Proxy service Load Balancer sources | `[]` | +| `service.externalTrafficPolicy` | OAuth2 Proxy service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for OAuth2 Proxy service | `{}` | +| `ingress.enabled` | Enable ingress record generation for WordPress | `false` 
| +| `ingress.certManager` | Add the corresponding annotations for cert-manager integration | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `nil` | +| `ingress.hostname` | Default host for the ingress record | `oaut2-proxy.local` | +| `ingress.path` | Default path for the ingress record | `ImplementationSpecific` | +| `ingress.annotations` | Additional custom annotations for the ingress record | `{}` | +| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` | +| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` | + + +### OAuth2 Proxy Image parameters + +| Name | Description | Value | +| ------------------- | ------------------------------------------------------- | ---------------------- | +| `image.registry` | OAuth2 Proxy image registry | `docker.io` | +| `image.repository` | OAuth2 Proxy image repository | `bitnami/oauth2-proxy` | +| `image.tag` | OAuth2 Proxy image tag (immutable tags are recommended) | `7.1.3-debian-10-r25` | +| `image.pullPolicy` | OAuth2 Proxy image pull policy | `IfNotPresent` | +| `image.pullSecrets` | OAuth2 Proxy image pull secrets | `[]` | + + +### OAuth2 Proxy configuration parameters + +| Name | Description | Value | +| ------------------------------------------------------ | --------------------------------------------------- | ------------------------------------------------------------ | +| `configuration.clientID` | OAuth client ID | `XXXXXXX` | +| `configuration.clientSecret` | OAuth client secret | `XXXXXXXX` | +| `configuration.cookieSecret` | OAuth 
cookie secret | `XXXXXXXXXXXXXXXX` | +| `configuration.existingSecret` | Secret with the client ID, secret and cookie secret | `nil` | +| `configuration.google.enabled` | Enable Google service account | `false` | +| `configuration.google.adminEmail` | Google admin email | `nil` | +| `configuration.google.serviceAccountJson` | Google Service account JSON | `nil` | +| `configuration.google.existingSecret` | Existing secret containing Google Service Account | `nil` | +| `configuration.content` | Default configuration | `email_domains = [ "*" ] +upstreams = [ "file:///dev/null" ]` | +| `configuration.existingConfigmap` | Configmap with the OAuth2 Proxy configuration | `nil` | +| `configuration.authenticatedEmailsFile.enabled` | Enable authenticated emails file | `false` | +| `configuration.authenticatedEmailsFile.content` | Restricted access list (one email per line) | `nil` | +| `configuration.authenticatedEmailsFile.existingSecret` | Secret with the authenticated emails file | `nil` | +| `configuration.htpasswdFile.enabled` | Enable htpasswd file | `false` | +| `configuration.htpasswdFile.existingSecret` | Existing secret for htpasswd file | `""` | +| `configuration.htpasswdFile.content` | htpasswd file entries (one row per user) | `nil` | + + +### OAuth2 Proxy deployment parameters + +| Name | Description | Value | +| ------------------------------------ | ------------------------------------------------------------------------------------------ | --------------- | +| `containerPort` | OAuth2 Proxy port number | `4180` | +| `replicaCount` | Number of OAuth2 Proxy replicas to deploy | `1` | +| `extraArgs` | add extra args to the default command | `nil` | +| `livenessProbe.enabled` | Enable livenessProbe on OAuth2 Proxy nodes | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe 
| `1` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe on OAuth2 Proxy nodes | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `5` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `resources.limits` | The resources limits for the OAuth2 Proxy containers | `{}` | +| `resources.requests` | The requested resources for the OAuth2 Proxy containers | `{}` | +| `pdb.create` | Enable a Pod Disruption Budget creation | `false` | +| `pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `1` | +| `pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable | `1` | +| `podSecurityContext.enabled` | Enabled OAuth2 Proxy pods' Security Context | `true` | +| `podSecurityContext.fsGroup` | Set OAuth2 Proxy pod's Security Context fsGroup | `1001` | +| `containerSecurityContext.enabled` | Enabled OAuth2 Proxy containers' Security Context | `true` | +| `containerSecurityContext.runAsUser` | Set OAuth2 Proxy containers' Security Context runAsUser | `1001` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `hostAliases` | OAuth2 Proxy pods host aliases | `[]` | +| `podLabels` | Extra labels for OAuth2 Proxy pods | `{}` | +| 
`podAnnotations` | Annotations for OAuth2 Proxy pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match. Ignored if `affinity` is set | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set | `[]` | +| `affinity` | Affinity for OAuth2 Proxy pods assignment | `{}` | +| `nodeSelector` | Node labels for OAuth2 Proxy pods assignment | `{}` | +| `tolerations` | Tolerations for OAuth2 Proxy pods assignment | `[]` | +| `updateStrategy.type` | OAuth2 Proxy statefulset strategy type | `RollingUpdate` | +| `priorityClassName` | OAuth2 Proxy pods' priorityClassName | `""` | +| `lifecycleHooks` | for the OAuth2 Proxy container(s) to automate configuration before or after startup | `{}` | +| `extraEnvVars` | Array with extra environment variables to add to OAuth2 Proxy nodes | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for OAuth2 Proxy nodes | `nil` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for OAuth2 Proxy nodes | `nil` | +| `extraVolumes` | Optionally specify extra list of additional volumes for the OAuth2 Proxy pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the OAuth2 Proxy container(s) | `[]` | +| `sidecars` | Add additional sidecar containers to the OAuth2 Proxy pod(s) | `{}` | +| `initContainers` | Add additional init containers to the OAuth2 Proxy pod(s) | `{}` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use | 
`""` | + + +### External Redis(TM) parameters + +| Name | Description | Value | +| ------------------------------ | --------------------------------------------------------- | ------ | +| `externalRedis.host` | External Redis(TM) server host | `nil` | +| `externalRedis.password` | External Redis(TM) user password | `nil` | +| `externalRedis.port` | External Redis(TM) server port | `6379` | +| `externalRedis.existingSecret` | The name of an existing secret with Redis(TM) credentials | `nil` | + + +### Redis(TM) sub-chart parameters + +| Name | Description | Value | +| -------------------------------------- | --------------------------------------------------------- | ------------ | +| `redis.enabled` | Deploy Redis(TM) sub-chart | `true` | +| `redis.architecture` | Redis(TM) architecture | `standalone` | +| `redis.master.service.port` | Redis(TM) (without Sentinel) service port | `6379` | +| `redis.replica.replicaCount` | Number of Redis(TM) replicas | `3` | +| `redis.auth.enabled` | Enable Redis(TM) authentication | `true` | +| `redis.auth.existingSecret` | Secret with Redis(TM) credentials | `nil` | +| `redis.auth.existingSecretPasswordKey` | Key inside the existing secret with Redis(TM) credentials | `nil` | +| `redis.auth.sentinel` | Enable authentication in the Sentinel nodes | `true` | +| `redis.sentinel.enabled` | Enable Redis(TM) sentinel in the deployment | `false` | +| `redis.sentinel.masterSet` | Name of the Redis(TM) Sentinel master set | `mymaster` | +| `redis.sentinel.service.port` | Redis(TM) (with Sentinel) service port | `6379` | +| `redis.sentinel.service.sentinelPort` | Redis(TM) (with Sentinel) sentinel service port | `26379` | + + +See https://github.com/bitnami-labs/readmenator to create the table + +The above parameters map to the env variables defined in [bitnami/oauth2-proxy](http://github.com/bitnami/bitnami-docker-oauth2-proxy). 
For more information please refer to the [bitnami/oauth2-proxy](http://github.com/bitnami/bitnami-docker-oauth2-proxy) image documentation. + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set replicaCount=2 \ + bitnami/oauth2-proxy +``` + +The above command increase the default number of replicas. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml bitnami/oauth2-proxy +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Ingress + +This chart provides support for Ingress resources. If an Ingress controller, such as [nginx-ingress](https://kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://kubeapps.com/charts/stable/traefik), that Ingress controller can be used to serve OAuth2 Proxy. + +To enable Ingress integration, set `ingress.enabled` to `true`. The `ingress.hostname` property can be used to set the host name. 
The `ingress.tls` parameter can be used to add the TLS configuration for this host. It is also possible to have more than one host, with a separate TLS configuration for each host. [Learn more about configuring and using Ingress](https://docs.bitnami.com/kubernetes/apps/oauth2-proxy/configuration/configure-use-ingress/). + +### TLS secrets + +The chart also facilitates the creation of TLS secrets for use with the Ingress controller, with different options for certificate management. [Learn more about TLS secrets](https://docs.bitnami.com/kubernetes/apps/oauth2-proxy/administration/enable-tls/). + +## Persistence + +The [Bitnami OAuth2 Proxy](https://github.com/bitnami/bitnami-docker-oauth2-proxy) image stores the OAuth2 Proxy data and configurations at the `/bitnami` path of the container. Persistent Volume Claims are used to keep the data across deployments. [Learn more about persistence in the chart documentation](https://docs.bitnami.com/kubernetes/apps/oauth2-proxy/configuration/chart-persistence/). + +### Additional environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Sidecars + +If additional containers are needed in the same pod as OAuth2 Proxy (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter. [Learn more about configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/apps/oauth2-proxy/administration/configure-use-sidecars/). 
+ +### Pod affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, use one of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/master/bitnami/common#affinities) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). diff --git a/bitnami/oauth2-proxy/templates/NOTES.txt b/bitnami/oauth2-proxy/templates/NOTES.txt new file mode 100644 index 0000000000..f0fb7cd0ac --- /dev/null +++ b/bitnami/oauth2-proxy/templates/NOTES.txt 
@@ -0,0 +1,25 @@
+** Please be patient while the chart is being deployed **
+
+To verify that oauth2-proxy has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} get pods
+
+Get the application URL by running these commands:
+
+{{- if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ template "common.names.fullname" . }}
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ echo "The renconciler is available at http://127.0.0.1:{{ .Values.service.port }}"
+ kubectl port-forward svc/{{ template "common.names.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }} &
+{{- end }}
+
+{{- include "common.warnings.rollingTag" .Values.image }}
+
+{{- include "oauth2-proxy.validateValues" . }}
diff --git a/bitnami/oauth2-proxy/templates/_helpers.tpl b/bitnami/oauth2-proxy/templates/_helpers.tpl
new file mode 100644
index 0000000000..8b39f1744d
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/_helpers.tpl
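Review bot: The ClusterIP branch echoes `The renconciler is available at ...`, which is text carried over from another chart and misnames this application; `echo "oauth2-proxy is available at http://127.0.0.1:{{ .Values.service.port }}"` would match the rest of the notes. In the LoadBalancer branch the quoted command `'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ template "common.names.fullname" . }}` is never closed with a second `'`, so the rendered line ends in an unterminated quote. Both are one-line fixes that only change the printed notes.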
@@ -0,0 +1,141 @@
+{{/*
+Return the proper OAuth2 Proxy image name
+*/}}
+{{- define "oauth2-proxy.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "oauth2-proxy.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "oauth2-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.redis.fullname" -}}
+{{- printf "%s-redis" .Release.Name -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.configmapName" -}}
+{{- if .Values.configuration.existingConfigmap -}}
+{{- .Values.configuration.existingConfigmap -}}
+{{- else -}}
+{{- include "common.names.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.secretName" -}}
+{{- if .Values.configuration.existingSecret -}}
+{{- .Values.configuration.existingSecret -}}
+{{- else -}}
+{{- include "common.names.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.authenticatedEmailsSecret" -}}
+{{- if .Values.configuration.authenticatedEmailsFile.existingSecret -}}
+{{- .Values.configuration.authenticatedEmailsFile.existingSecret -}}
+{{- else -}}
+{{- printf "%s-external-redis" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.httpasswdSecret" -}}
+{{- if .Values.configuration.htpasswdFile.existingSecret -}}
+{{- .Values.configuration.htpasswdFile.existingSecret -}}
+{{- else -}}
+{{- include "common.names.fullname" . 
-}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.googleSecret" -}}
+{{- if .Values.configuration.google.existingSecret -}}
+{{- .Values.configuration.google.existingSecret -}}
+{{- else -}}
+{{- include "common.names.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.redis.url" -}}
+{{- if .Values.redis.enabled -}}
+{{- if .Values.redis.sentinel.enabled -}}
+{{- $port := printf "%v" .Values.redis.sentinel.service.port -}}
+{{- printf "redis://%s:%s" (include "oauth2-proxy.redis.fullname" .) $port -}}
+{{- else -}}
+{{- $port := printf "%v" .Values.redis.master.service.port -}}
+{{- printf "redis://%s-master:%s" (include "oauth2-proxy.redis.fullname" .) $port -}}
+{{- end -}}
+{{- else if .Values.externalRedis.host -}}
+{{- $port := printf "%v" .Values.externalRedis.port -}}
+{{- printf "redis://%s:%s" .Values.externalRedis.host $port -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.redis.sentinelUrl" -}}
+{{- $port := printf "%v" .Values.redis.sentinel.service.sentinelPort -}}
+{{- printf "redis://%s:%s" (include "oauth2-proxy.redis.fullname" .) $port -}}
+{{- end -}}
+
+{{/*
+Get the password secret.
+*/}}
+{{- define "oauth2-proxy.redis.secretName" -}}
+{{- if .Values.redis.enabled }}
+{{- if .Values.redis.auth.existingSecret -}}
+{{- .Values.redis.auth.existingSecret -}}
+{{- else -}}
+{{- include "oauth2-proxy.redis.fullname" . -}}
+{{- end -}}
+{{- else if .Values.externalRedis.existingSecret }}
+{{- .Values.externalRedis.existingSecret -}}
+{{- else -}}
+{{- printf "%s-external-redis" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the password key to be retrieved from Redis(TM) secret. 
+*/}}
+{{- define "oauth2-proxy.redis.secretPasswordKey" -}}
+{{- if and .Values.redis.auth.existingSecret .Values.redis.auth.existingSecretPasswordKey -}}
+{{- printf "%s" .Values.redis.auth.existingSecretPasswordKey -}}
+{{- else -}}
+{{- printf "redis-password" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message.
+*/}}
+{{- define "oauth2-proxy.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages := append $messages (include "oauth2-proxy.validateValues.redis" .) -}}
+{{- $messages := without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Validate values of Wavefront - clusterName */}}
+{{- define "oauth2-proxy.validateValues.redis" -}}
+{{- if and .Values.redis.enabled .Values.externalRedis.host -}}
+oauth2-proxy: BothRedis
+ The redis sub-chart was enabled and an external Redis host was set at the same time. Please set only one of the following:
+
+ a) Enable the redis sub-chart with redis.enabled
+ b) Set redis.enabled=false and set the externalRedis section
+{{- end -}}
+{{- end -}}
diff --git a/bitnami/oauth2-proxy/templates/configmap.yaml b/bitnami/oauth2-proxy/templates/configmap.yaml
new file mode 100644
index 0000000000..e845900384
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/configmap.yaml
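Review bot: `oauth2-proxy.authenticatedEmailsSecret` falls back to `printf "%s-external-redis" (include "common.names.fullname" .)`, which is the very name `oauth2-proxy.redis.secretName` produces when the Redis sub-chart is disabled and no external Redis secret is supplied, so with default values the authenticated-emails file and the external Redis credentials would presumably resolve to one Secret name and whichever template renders last wins. Every sibling helper in this file (`oauth2-proxy.secretName`, `oauth2-proxy.httpasswdSecret`, `oauth2-proxy.googleSecret`) falls back to `include "common.names.fullname" .`; the default branch here should follow that pattern or use a suffix specific to the emails file, matched against the Secret template that creates it (not in this chunk). Separately, the header comment above `oauth2-proxy.validateValues.redis` still reads `Validate values of Wavefront - clusterName`; `{{/* Validate values of OAuth2 Proxy - redis.enabled and externalRedis.host are mutually exclusive */}}` describes what the helper actually checks.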
@@ -0,0 +1,18 @@
+{{- if and (.Values.configuration.content) (not .Values.configuration.existingConfigmap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ oauth2_proxy.cfg: |
+ {{- include "common.tplvalues.render" ( dict "value" .Values.configuration.content "context" $ ) | nindent 4 }}
+{{- end }}
diff --git a/bitnami/oauth2-proxy/templates/deployment.yaml b/bitnami/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000000..6860a62537
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/deployment.yaml
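Review bot: `configuration.content` is rendered verbatim into a ConfigMap under `oauth2_proxy.cfg`, so any credential an operator places in it (oauth2-proxy's `client_secret`, `cookie_secret` or `redis_password` settings) ends up in a non-secret object readable by anyone with ConfigMap access in the namespace. The chart already routes those values through a Secret (`configuration.clientSecret`, `configuration.cookieSecret`, `configuration.existingSecret`), so a comment above `data:` such as `# Non-sensitive oauth2-proxy settings only; credentials are injected from the Secret, never from configuration.content` makes the split explicit, and the same sentence belongs in the `configuration.content` description in values.yaml (not in this chunk). The guard on the first line also renders nothing when `configuration.content` is empty and no `existingConfigmap` is given, while `oauth2-proxy.configmapName` still returns the release fullname in that case; whether the Deployment then mounts a ConfigMap that does not exist depends on its volume section, which is cut off in this chunk and worth checking.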
@@ -0,0 +1,242 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: oauth2-proxy + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: oauth2-proxy + template: + metadata: + {{- if .Values.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: oauth2-proxy + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} + {{- include "oauth2-proxy.imagePullSecrets" . 
| nindent 6 }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "oauth2-proxy" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "oauth2-proxy" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.initContainers }} + initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: oauth2-proxy + image: {{ template "oauth2-proxy.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- else }} + args: + - --http-address=0.0.0.0:{{ .Values.containerPort }} + {{- if or .Values.configuration.existingConfigmap .Values.configuration.content }} + - --config=/bitnami/oauth2-proxy/conf/oauth2_proxy.cfg + {{- end }} + {{- if .Values.configuration.authenticatedEmailsFile.enabled }} + - --authenticated-emails-file=/bitnami/oauth2-proxy/conf/authenticated-emails/authenticated-emails-list + {{- end }} + {{- if .Values.configuration.google.enabled }} + - --google-admin-email={{ .Values.configuration.google.adminEmail }} + - --google-service-account-json=/bitnami/oauth2-proxy/conf/google/service-account.json + {{- end }} + {{- if .Values.configuration.htpasswdFile.enabled }} + - --htpasswd-file=/bitnami/oauth2-proxy/conf/htpasswd/users.txt + {{- end }} + {{- if .Values.extraArgs }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraArgs "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . 
}} + key: cookie-secret + {{- if or .Values.redis.enabled .Values.externalRedis.host }} + - name: OAUTH2_PROXY_SESSION_STORE_TYPE + value: "redis" + {{- if or .Values.redis.auth.enabled .Values.externalRedis.password }} + - name: OAUTH2_PROXY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "oauth2-proxy.redis.secretName" . }} + key: {{ include "oauth2-proxy.redis.secretPasswordKey" . }} + {{- end }} + - name: OAUTH2_PROXY_REDIS_CONNECTION_URL + value: {{ include "oauth2-proxy.redis.url" . }} + {{- if and .Values.redis.sentinel.enabled .Values.redis.enabled }} + - name: OAUTH2_PROXY_REDIS_USE_SENTINEL + value: "true" + - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME + value: {{ .Values.redis.sentinel.masterSet }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS + value: {{ include "oauth2-proxy.redis.sentinelUrl" . }} + {{- if .Values.redis.auth.sentinel }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "oauth2-proxy.redis.secretName" . }} + key: {{ include "oauth2-proxy.redis.secretPasswordKey" . 
}} + {{- end }} + {{- end }} + {{- else }} + - name: OAUTH2_PROXY_SESSION_STORE_TYPE + value: "cookie" + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + ports: + - containerPort: {{ .Values.containerPort }} + name: http + protocol: TCP + {{- if .Values.resources }} + resources: {{ include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /ping + port: http + scheme: HTTP + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /ping + port: http + scheme: HTTP + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include 
"common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.configuration.google.enabled }} + - name: google-secret + mountPath: /bitnami/oauth2-proxy/conf/google + readOnly: true + {{- end }} + {{- if or .Values.configuration.existingConfigmap .Values.configuration.content }} + - name: main-configuration + mountPath: /bitnami/oauth2-proxy/conf + {{- end }} + {{- if .Values.configuration.authenticatedEmailsFile.enabled }} + - name: authenticated-emails + mountPath: /bitnami/oauth2-proxy/conf/authenticated-emails + readOnly: true + {{- end }} + {{- if .Values.configuration.htpasswdFile.enabled }} + - name: htpasswd-file + mountPath: /bitnami/oauth2-proxy/conf/htpasswd + readOnly: true + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.configuration.google.enabled }} + - name: google-secret + secret: + secretName: {{ include "oauth2-proxy.googleSecret" . }} + {{- end }} + {{- if .Values.configuration.htpasswdFile.enabled }} + - name: htpasswd-file + secret: + secretName: {{ include "oauth2-proxy.httpasswdSecret" . }} + {{- end }} + {{- if .Values.configuration.authenticatedEmailsFile.enabled }} + - name: authenticated-emails + secret: + items: + - key: authenticated-emails-list + secretName: {{ include "oauth2-proxy.authenticatedEmailsSecret" . }} + {{- end }} + {{- if or .Values.configuration.existingConfigmap .Values.configuration.content }} + - name: main-configuration + configMap: + defaultMode: 420 + name: {{ include "oauth2-proxy.configmapName" . 
}} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/bitnami/oauth2-proxy/templates/extra-list.yaml b/bitnami/oauth2-proxy/templates/extra-list.yaml new file mode 100644 index 0000000000..9ac65f9e16 --- /dev/null +++ b/bitnami/oauth2-proxy/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/bitnami/oauth2-proxy/templates/ingress.yaml b/bitnami/oauth2-proxy/templates/ingress.yaml new file mode 100644 index 0000000000..f73faaf83a --- /dev/null +++ b/bitnami/oauth2-proxy/templates/ingress.yaml 
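Review bot: The `authenticated-emails` volume near the end of the hunk lists `items: - key: authenticated-emails-list` without the mandatory `path`, and that key does not match the Secret this commit creates in secret-authenticated-emails-file.yaml, whose only data key is `authenticated-emails`; the API server rejects a `KeyToPath` without `path`, and with an existing secret the item may select a key that does not exist. The item should read `- key: authenticated-emails` / `path: authenticated-emails-list` so the file lands where `--authenticated-emails-file` expects it. The `main-configuration` mount also lacks the `readOnly: true` its sibling mounts carry, and the env `value:` lines for the Redis URL and `redis.sentinel.masterSet` are unquoted, so a value that looks like a number or contains `: ` breaks the manifest; pipe them through `| quote`.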
@@ -0,0 +1,58 @@ +{{- if .Values.ingress.enabled -}} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: oauth2-proxy + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.ingress.certManager }} + kubernetes.io/tls-acme: "true" + {{- end }} + {{- if .Values.ingress.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + rules: + {{- if .Values.ingress.hostname }} + - host: {{ .Values.ingress.hostname }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if or .Values.ingress.tls .Values.ingress.extraTls }} + tls: + {{- if .Values.ingress.tls }} + - hosts: + - {{ .Values.ingress.hostname }} + secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/bitnami/oauth2-proxy/templates/pdb.yaml b/bitnami/oauth2-proxy/templates/pdb.yaml new file mode 100644 index 0000000000..a238588ae5 --- /dev/null +++ b/bitnami/oauth2-proxy/templates/pdb.yaml 
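Review bot: With `ingress.tls=true` and `ingress.certManager=false` the `tls:` block points at a Secret named `<hostname>-tls`, but no template in this commit creates it, while the values.yaml comment added here says Helm can provide self-signed certificates; either add a TLS secret template (Sprig's `genSelfSignedCert` is enough for that) or correct the comment, otherwise the Ingress typically falls back to the controller's default certificate without any error. The `host:` and `secretName:` scalars built from `ingress.hostname` are also unquoted; pipe them through `| quote` as the `extraHosts` branch already does for `.name`.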
@@ -0,0 +1,25 @@
+{{- if .Values.pdb.create }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.pdb.minAvailable }}
+ minAvailable: {{ .Values.pdb.minAvailable }}
+ {{- end }}
+ {{- if .Values.pdb.maxUnavailable }}
+ maxUnavailable: {{ .Values.pdb.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: oauth2-proxy
+{{- end }}
diff --git a/bitnami/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/bitnami/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
new file mode 100644
index 0000000000..1ce8455e83
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
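Review bot: Both `minAvailable` and `maxUnavailable` are emitted whenever their values are truthy, and the values.yaml in this commit defaults both to `1`, so enabling `pdb.create` produces a PodDisruptionBudget the API server rejects because the two fields are mutually exclusive. Make the second branch `{{- else if .Values.pdb.maxUnavailable }}`, or default `maxUnavailable` to empty. The hard-coded `apiVersion: policy/v1beta1` also deserves a capabilities lookup like the ones used for the Deployment and Ingress, since `policy/v1` is the served version on current clusters.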
@@ -0,0 +1,18 @@
+{{- if and (.Values.configuration.authenticatedEmailsFile.enabled) (not .Values.configuration.authenticatedEmailsFile.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "common.names.fullname" . }}-access-list
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ authenticated-emails: {{ include "common.tplvalues.render" ( dict "value" .Values.configuration.authenticatedEmailsFile.content "context" $ ) | b64enc | quote }}
+{{- end -}}
diff --git a/bitnami/oauth2-proxy/templates/secret-google.yaml b/bitnami/oauth2-proxy/templates/secret-google.yaml
new file mode 100644
index 0000000000..08dd73236f
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/secret-google.yaml
@@ -0,0 +1,18 @@
+{{- if and .Values.configuration.google (not .Values.configuration.google.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "common.names.fullname" . }}-google
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ service-account.json: {{ include "common.tplvalues.render" ( dict "value" .Values.configuration.google.serviceAccountJson "context" $ ) | b64enc | quote }}
+{{- end -}}
diff --git a/bitnami/oauth2-proxy/templates/secret-htpasswd-file.yaml b/bitnami/oauth2-proxy/templates/secret-htpasswd-file.yaml
new file mode 100644
index 0000000000..90f43097c7
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/secret-htpasswd-file.yaml
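Review bot: The guard on the first line tests the `google` map itself rather than `google.enabled`, so the map merely being present in values.yaml makes the condition true on every install, and the chart renders a `-google` Secret from an empty `serviceAccountJson` even when the Google provider is disabled. It should read `{{- if and .Values.configuration.google.enabled (not .Values.configuration.google.existingSecret) }}`, matching the `.enabled` checks in the sibling secret templates and the `google-secret` volume in deployment.yaml.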
@@ -0,0 +1,18 @@
+{{- if and .Values.configuration.htpasswdFile.enabled (not .Values.configuration.htpasswdFile.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "common.names.fullname" . }}-htpasswd-file
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ users.txt: {{- include "common.tplvalues.render" ( dict "value" .Values.configuration.htpasswdFile.content "context" $ ) | b64enc | quote }}
+{{- end }}
diff --git a/bitnami/oauth2-proxy/templates/secret.yaml b/bitnami/oauth2-proxy/templates/secret.yaml
new file mode 100644
index 0000000000..cb5b88d099
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/secret.yaml
@@ -0,0 +1,20 @@
+{{- if not .Values.configuration.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ cookie-secret: {{ .Values.configuration.cookieSecret | b64enc | quote }}
+ client-secret: {{ .Values.configuration.clientSecret | b64enc | quote }}
+ client-id: {{ .Values.configuration.clientID | b64enc | quote }}
+{{- end -}}
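Review bot: `users.txt: {{- include ... | b64enc | quote }}` is broken twice: the `{{-` trims the space after the colon, so the rendered line is `users.txt:"..."` rather than a key/value pair, and the value is base64-encoded under `stringData:`, which the API server encodes again, so the mounted `users.txt` would hold base64 text instead of htpasswd entries and every basic-auth login would fail. Use `data:` with `users.txt: {{ include "common.tplvalues.render" ( dict "value" .Values.configuration.htpasswdFile.content "context" $ ) | b64enc | quote }}`, as secret-google.yaml in this commit does.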
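Review bot: `cookie-secret` is written straight from `configuration.cookieSecret`, whose default in this commit's values.yaml is the fixed placeholder `"XXXXXXXXXXXXXXXX"`, so an install that leaves it unset gets a cookie-signing key shared with every other default install of this chart, and the `"XXXXXXX"` client defaults are accepted the same way. Change those defaults to empty and then either fail fast with `required "configuration.cookieSecret is required" .Values.configuration.cookieSecret` or generate a value at install time, e.g. `{{ default (randAlphaNum 32) .Values.configuration.cookieSecret | b64enc | quote }}`, bearing in mind that a random default changes on every `helm upgrade` unless the existing Secret is looked up first. The `oauth2-proxy.validateValues` helper added in this commit is the natural place to reject the placeholders as well.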
diff --git a/bitnami/oauth2-proxy/templates/service-account.yaml b/bitnami/oauth2-proxy/templates/service-account.yaml
new file mode 100644
index 0000000000..50d3ad23ca
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/service-account.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "oauth2-proxy.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: oauth2-proxy
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/bitnami/oauth2-proxy/templates/service.yaml b/bitnami/oauth2-proxy/templates/service.yaml
new file mode 100644
index 0000000000..331c1e8188
--- /dev/null
+++ b/bitnami/oauth2-proxy/templates/service.yaml
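Review bot: Nothing in this ServiceAccount (or in the pod spec in deployment.yaml) sets `automountServiceAccountToken`, so every proxy pod receives a Kubernetes API token that oauth2-proxy itself never uses. Adding `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` with a `false` default, or at least documenting the trade-off, keeps that credential out of the container unless an operator's sidecar genuinely needs API access; the `serviceAccount` values block is outside this chunk, so I cannot tell whether such a knob already exists.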
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: oauth2-proxy + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.commonAnnotations .Values.service.annotations }} + annotations: + {{- if .Values.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }} + clusterIP: {{ .Values.service.clusterIP }} + {{end}} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{ if eq .Values.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }} + {{ end }} + {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.port }} + protocol: TCP + targetPort: http + {{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }} + nodePort: {{ .Values.service.nodePorts.http }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + selector: {{- include "common.labels.matchLabels" . 
| nindent 4 }} + app.kubernetes.io/component: oauth2-proxy diff --git a/bitnami/oauth2-proxy/values.yaml b/bitnami/oauth2-proxy/values.yaml new file mode 100644 index 0000000000..defb29981b --- /dev/null +++ b/bitnami/oauth2-proxy/values.yaml 
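Review bot: `loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}` prints the Go slice with fmt, which for more than one CIDR yields `[10.0.0.0/8 10.1.0.0/16]` without commas; YAML reads that as a single scalar, so the allowlist that restricts who may reach the proxy is rejected by the API server as an invalid CIDR instead of being applied. Render it with `loadBalancerSourceRanges: {{- include "common.tplvalues.render" (dict "value" .Values.service.loadBalancerSourceRanges "context" $) | nindent 4 }}` or `toYaml | nindent 4`, as the annotations above already do. The surrounding `{{ if eq ... }}` / `{{ end }}` pair and the `{{end}}` after `clusterIP` also lack the `-` trim used everywhere else in the template, leaving whitespace-only lines in the output.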
@@ -0,0 +1,537 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param clusterDomain Kubernetes cluster domain name +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] + +## @section Traffic Exposure Parameters +## + +## OAuth2 Proxy service parameters +## +service: + ## @param service.type OAuth2 Proxy service type + ## + type: ClusterIP + ## @param service.port OAuth2 Proxy service HTTP port + ## + port: 80 + ## Node ports to expose + ## @param service.nodePorts.http Node port for HTTP + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + http: + ## @param service.clusterIP OAuth2 Proxy service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: + ## @param service.loadBalancerIP OAuth2 Proxy service Load Balancer IP + ## ref: 
https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerIP: + ## @param service.loadBalancerSourceRanges OAuth2 Proxy service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.externalTrafficPolicy OAuth2 Proxy service external traffic policy + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param service.annotations Additional custom annotations for OAuth2 Proxy service + ## + annotations: {} + +## Configure the ingress resource that allows you to access the WordPress installation +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Enable ingress record generation for WordPress + ## + enabled: false + ## @param ingress.certManager Add the corresponding annotations for cert-manager integration + ## + certManager: false + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: + ## @param ingress.hostname Default host for the ingress record + ## + hostname: oaut2-proxy.local + ## @param ingress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param ingress.annotations Additional custom annotations for the ingress record + ## NOTE: If `ingress.certManager=true`, annotation `kubernetes.io/tls-acme: "true"` will automatically be added + ## + annotations: {} + ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter + ## 
TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}` + ## You can: + ## - Relay on cert-manager to create it by setting `ingress.certManager=true` + ## - Relay on Helm to create self-signed certificates by setting `ingress.tls=true` and `ingress.certManager=false` + ## + tls: false + ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: oaut2-proxy.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## e.g: + ## extraTls: + ## - hosts: + ## - oaut2-proxy.local + ## secretName: oaut2-proxy.local-tls + ## + extraTls: [] + +## @section OAuth2 Proxy Image parameters +## + +## Bitnami OAuth2 Proxy image +## ref: https://hub.docker.com/r/bitnami/redis/tags/ +## @param image.registry OAuth2 Proxy image registry +## @param image.repository OAuth2 Proxy image repository +## @param image.tag OAuth2 Proxy image tag (immutable tags are recommended) +## @param image.pullPolicy OAuth2 Proxy image pull policy +## @param image.pullSecrets OAuth2 Proxy image pull secrets +## +image: + registry: docker.io + repository: bitnami/oauth2-proxy + tag: 7.1.3-debian-10-r25 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets + ## Secrets must be manually created in the namespace 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+
+## @section OAuth2 Proxy configuration parameters
+##
+
+## Configuration section
+##
+configuration:
+ ## @param configuration.clientID OAuth client ID
+ ##
+ clientID: "XXXXXXX"
+ ## @param configuration.clientSecret OAuth client secret
+ ##
+ clientSecret: "XXXXXXXX"
+ ## Create a new secret with the following command openssl rand -base64 32 | head -c 32 | base64
+ ## Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
+ ##
+ ## @param configuration.cookieSecret OAuth cookie secret
+ ##
+ cookieSecret: "XXXXXXXXXXXXXXXX"
+ ## @param configuration.existingSecret Secret with the client ID, secret and cookie secret
+ ##
+ existingSecret:
+ ## e.g:
+ ## google:
+ ## adminEmail: xxxx
+ ## serviceAccountJson: xxxx
+ ## existingSecret: google-secret
+ ## Alternatively, use an existing secret (see secret-google.yaml for required fields)
+ ##
+ ## @param configuration.google.enabled Enable Google service account
+ ## @param configuration.google.adminEmail Google admin email
+ ## @param configuration.google.serviceAccountJson Google Service account JSON
+ ## @param configuration.google.existingSecret Existing secret containing Google Service Account
+ ##
+ google:
+ enabled: false
+ adminEmail:
+ serviceAccountJson:
+ existingSecret:
+ ## Custom configuration file: oauth2_proxy.cfg
+ ## content: |
+ ## pass_basic_auth = false
+ ## pass_access_token = true
+ ##
+ ## @param configuration.content Default configuration
+ ##
+ content: |
+ email_domains = [ "*" ]
+ upstreams = [ "file:///dev/null" ]
+
+ ## @param configuration.existingConfigmap Configmap with the OAuth2 Proxy configuration
+ ##
+ existingConfigmap:
+ ## Authorize individual email addresses
+ ## @param configuration.authenticatedEmailsFile.enabled Enable authenticated emails file
+ ## @param configuration.authenticatedEmailsFile.content Restricted access list (one email per line)
+ ## @param configuration.authenticatedEmailsFile.existingSecret Secret with the authenticated emails file
+ ##
+ authenticatedEmailsFile:
+ enabled: false
+ ## One email per line
+ ## e.g:
+ ## content: |-
+ ## name1@domain
+ ## name2@domain
+ ## If you override the config with restricted_access it will configure a user list within this chart what takes care of the configmap
+ ##
+ content:
+ existingSecret:
+
+ ## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
+ ## @param configuration.htpasswdFile.enabled Enable htpasswd file
+ ## @param configuration.htpasswdFile.existingSecret Existing secret for htpasswd file
+ ## @param configuration.htpasswdFile.content htpasswd file entries (one row per user)
+ ##
+ htpasswdFile:
+ enabled: false
+ ## Alternatively supply an existing secret which contains the required information
+ ##
+ existingSecret: ""
+ ## One row for each user
+ ## e.g:
+ ## entries: |
+ ## testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv
+ ##
+ content:
+
+## @section OAuth2 Proxy deployment parameters
+##
+
+## @param containerPort OAuth2 Proxy port number
+##
+containerPort: 4180
+
+## @param replicaCount Number of OAuth2 Proxy replicas to deploy
+##
+replicaCount: 1
+
+## @param extraArgs add extra args to the default command
+##
+extraArgs:
+## Configure extra options for OAuth2 Proxy containers' liveness and readiness probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+## @param livenessProbe.enabled Enable livenessProbe on OAuth2 Proxy nodes
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 5
+ successThreshold: 1
+## @param readinessProbe.enabled Enable readinessProbe on OAuth2 Proxy nodes
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 5
+ successThreshold: 1
+## @param customLivenessProbe Custom livenessProbe that overrides the default one
+##
+customLivenessProbe: {}
+## @param customReadinessProbe Custom readinessProbe that overrides the default one
+##
+customReadinessProbe: {}
+## OAuth2 Proxy resource requests and limits
+## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+## @param resources.limits The resources limits for the OAuth2 Proxy containers
+## @param resources.requests The requested resources for the OAuth2 Proxy containers
+##
+resources:
+ limits: {}
+ requests: {}
+
+## Limits the number of pods of the replicated application that are down simultaneously from voluntary disruptions
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions
+## e.g:
+## podDisruptionBudget:
+## minAvailable: 1
+## maxUnavailable: 1
+## @param pdb.create Enable a Pod Disruption Budget creation
+## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
+##
+pdb:
+ create: false
+ minAvailable: 1
+ maxUnavailable: 1
+
+## Configure Pods Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enabled OAuth2 Proxy pods' Security Context
+## @param podSecurityContext.fsGroup Set OAuth2 Proxy pod's Security Context fsGroup
+##
+podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+## Configure Container Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param containerSecurityContext.enabled Enabled OAuth2 Proxy containers' Security Context
+## @param containerSecurityContext.runAsUser Set OAuth2 Proxy containers' Security Context runAsUser
+##
+containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+
+## @param command Override default container command (useful when using custom images)
+##
+command: []
+## @param args Override default container args (useful when using custom images)
+##
+args: []
+## @param hostAliases OAuth2 Proxy pods host aliases
+## ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: []
+## @param podLabels Extra labels for OAuth2 Proxy pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: {}
+## @param podAnnotations Annotations for OAuth2 Proxy pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+## @param affinity Affinity for OAuth2 Proxy pods assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
+##
+affinity: {}
+## @param nodeSelector Node labels for OAuth2 Proxy pods assignment
+## ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+## @param tolerations Tolerations for OAuth2 Proxy pods assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: []
+## @param updateStrategy.type OAuth2 Proxy statefulset strategy type
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+##
+updateStrategy:
+ ## StrategyType
+ ## Can be set to RollingUpdate or OnDelete
+ ##
+ type: RollingUpdate
+## @param priorityClassName OAuth2 Proxy pods' priorityClassName
+##
+priorityClassName: ""
+## @param lifecycleHooks for the OAuth2 Proxy container(s) to automate configuration before or after startup
+##
+lifecycleHooks: {}
+## @param extraEnvVars Array with extra environment variables to add to OAuth2 Proxy nodes
+## e.g:
+## extraEnvVars:
+## - name: FOO
+## value: "bar"
+##
+extraEnvVars: []
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for OAuth2 Proxy nodes
+##
+extraEnvVarsCM:
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for OAuth2 Proxy nodes
+##
+extraEnvVarsSecret:
+## @param extraVolumes Optionally specify extra list of additional volumes for the OAuth2 Proxy pod(s)
+##
+extraVolumes: []
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the OAuth2 Proxy container(s)
+##
+extraVolumeMounts: []
+## @param sidecars Add additional sidecar containers to the OAuth2 Proxy pod(s)
+## e.g:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: {}
+## @param initContainers Add additional init containers to the OAuth2 Proxy pod(s)
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+## e.g:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## command: ['sh', '-c', 'echo "hello world"']
+##
+initContainers: {}
+
+## ServiceAccount configuration
+##
+serviceAccount:
+ ## @param serviceAccount.create Specifies whether a ServiceAccount should be created
+ ##
+ create: true
+ ## @param serviceAccount.name The name of the ServiceAccount to use
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+
+## @section External Redis(TM) parameters
+##
+externalRedis:
+ ## @param externalRedis.host External Redis(TM) server host
+ ##
+ host:
+ ## @param externalRedis.password External Redis(TM) user password
+ ##
+ password:
+ ## @param externalRedis.port External Redis(TM) server port
+ ##
+ port: 6379
+ ## @param externalRedis.existingSecret The name of an existing secret with Redis(TM) credentials
+ ## NOTE: Must contain key `redis-password`
+ ## NOTE: When it's set, the `externalRedis.password` parameter is ignored
+ ##
+ existingSecret:
+
+## @section Redis(TM) sub-chart parameters
+##
+redis:
+ ## @param redis.enabled Deploy Redis(TM) sub-chart
+ ##
+ enabled: true
+ ## @param redis.architecture Redis(TM) architecture
+ ##
+ architecture: "standalone"
+ master:
+ ## @param redis.master.service.port Redis(TM) (without Sentinel) service port
+ ##
+ service:
+ port: 6379
+ replica:
+ ## @param redis.replica.replicaCount Number of Redis(TM) replicas
+ ##
+ replicaCount: 3
+ auth:
+ ## @param redis.auth.enabled Enable Redis(TM) authentication
+ ##
+ enabled: true
+ ## @param redis.auth.existingSecret Secret with Redis(TM) credentials
+ ##
+ existingSecret:
+ ## @param redis.auth.existingSecretPasswordKey Key inside the existing secret with Redis(TM) credentials
+ ##
+ existingSecretPasswordKey:
+ ## @param redis.auth.sentinel Enable authentication in the Sentinel nodes
+ ##
+ sentinel: true
+ sentinel:
+ ## @param redis.sentinel.enabled Enable Redis(TM) sentinel in the deployment
+ ##
+ enabled: false
+ ## @param redis.sentinel.masterSet Name of the Redis(TM) Sentinel master set
+ ##
+ masterSet: mymaster
+ service:
+ ## @param redis.sentinel.service.port Redis(TM) (with Sentinel) service port
+ ##
+ port: 6379
+ ## @param redis.sentinel.service.sentinelPort Redis(TM) (with Sentinel) sentinel service port
+ ##
+ sentinelPort: 26379