mirror of
https://github.com/bitnami/charts.git
synced 2026-03-10 15:07:49 +08:00
5cd28bb208
* Added new configuration values that will be added to the args passed to the oauth2-proxy container: 1. redirectUrl 2. oidcIssuerUrl 3. whiteList Signed-off-by: Chadwick Baatz <cbaatz@gosecure.net> * Requested changes Signed-off-by: Chadwick Baatz <cbaatz@gosecure.net> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Chadwick Baatz <cbaatz@gosecure.net> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Carlos Rodríguez Hernández <carlosrh@vmware.com> Signed-off-by: Chadwick Baatz <40895835+cmbaatz@users.noreply.github.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
293 lines
14 KiB
YAML
293 lines
14 KiB
YAML
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
|
|
kind: Deployment
|
|
metadata:
|
|
name: {{ template "common.names.fullname" . }}
|
|
namespace: {{ .Release.Namespace | quote }}
|
|
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
|
app.kubernetes.io/component: oauth2-proxy
|
|
{{- if .Values.commonLabels }}
|
|
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
|
{{- end }}
|
|
{{- if .Values.commonAnnotations }}
|
|
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
replicas: {{ .Values.replicaCount }}
|
|
{{- if .Values.updateStrategy }}
|
|
strategy: {{- toYaml .Values.updateStrategy | nindent 4 }}
|
|
{{- end }}
|
|
selector:
|
|
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
|
app.kubernetes.io/component: oauth2-proxy
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
|
{{- if .Values.podAnnotations }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
labels: {{- include "common.labels.standard" . | nindent 8 }}
|
|
app.kubernetes.io/component: oauth2-proxy
|
|
{{- if .Values.podLabels }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
spec:
|
|
serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
|
|
{{- include "oauth2-proxy.imagePullSecrets" . | nindent 6 }}
|
|
{{- if .Values.hostAliases }}
|
|
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.affinity }}
|
|
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
|
|
{{- else }}
|
|
affinity:
|
|
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "oauth2-proxy" "context" $) | nindent 10 }}
|
|
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "oauth2-proxy" "context" $) | nindent 10 }}
|
|
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
|
|
{{- end }}
|
|
{{- if .Values.nodeSelector }}
|
|
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.tolerations }}
|
|
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.priorityClassName }}
|
|
priorityClassName: {{ .Values.priorityClassName | quote }}
|
|
{{- end }}
|
|
{{- if .Values.schedulerName }}
|
|
schedulerName: {{ .Values.schedulerName }}
|
|
{{- end }}
|
|
{{- if .Values.topologySpreadConstraints }}
|
|
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.podSecurityContext.enabled }}
|
|
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.initContainers }}
|
|
initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
containers:
|
|
- name: oauth2-proxy
|
|
image: {{ template "oauth2-proxy.image" . }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
{{- if not .Values.diagnosticMode.enabled }}
|
|
{{- if .Values.lifecycleHooks }}
|
|
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.containerSecurityContext.enabled }}
|
|
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.diagnosticMode.enabled }}
|
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
|
{{- else if .Values.command }}
|
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.diagnosticMode.enabled }}
|
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
|
{{- else if .Values.args }}
|
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
|
|
{{- else }}
|
|
args:
|
|
- --http-address=0.0.0.0:{{ .Values.containerPort }}
|
|
{{- if or .Values.configuration.existingConfigmap .Values.configuration.content }}
|
|
- --config=/bitnami/oauth2-proxy/conf/oauth2_proxy.cfg
|
|
{{- end }}
|
|
{{- if .Values.configuration.authenticatedEmailsFile.enabled }}
|
|
- --authenticated-emails-file=/bitnami/oauth2-proxy/conf/authenticated-emails/authenticated-emails-list
|
|
{{- end }}
|
|
{{- if .Values.configuration.google.enabled }}
|
|
- --google-admin-email={{ .Values.configuration.google.adminEmail }}
|
|
- --google-service-account-json=/bitnami/oauth2-proxy/conf/google/service-account.json
|
|
- --google-group={{ .Values.configuration.google.googleGroup }}
|
|
{{- end }}
|
|
{{- if .Values.configuration.htpasswdFile.enabled }}
|
|
- --htpasswd-file=/bitnami/oauth2-proxy/conf/htpasswd/users.txt
|
|
{{- end }}
|
|
{{- if .Values.configuration.redirectUrl }}
|
|
- --redirect-url={{.Values.configuration.redirectUrl}}
|
|
{{- end }}
|
|
{{- if .Values.configuration.oidcIssuerUrl }}
|
|
- --oidc-issuer-url={{.Values.configuration.oidcIssuerUrl}}
|
|
{{- end }}
|
|
{{- if .Values.configuration.whiteList }}
|
|
- --whitelist-domain={{.Values.configuration.whiteList | quote}}
|
|
{{- end }}
|
|
{{- if .Values.extraArgs }}
|
|
{{- include "common.tplvalues.render" ( dict "value" .Values.extraArgs "context" $ ) | nindent 12 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
env:
|
|
- name: OAUTH2_PROXY_CLIENT_ID
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "oauth2-proxy.secretName" . }}
|
|
key: client-id
|
|
- name: OAUTH2_PROXY_CLIENT_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "oauth2-proxy.secretName" . }}
|
|
key: client-secret
|
|
- name: OAUTH2_PROXY_COOKIE_SECRET
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ template "oauth2-proxy.secretName" . }}
|
|
key: cookie-secret
|
|
{{- if or .Values.redis.enabled .Values.externalRedis.host }}
|
|
- name: OAUTH2_PROXY_SESSION_STORE_TYPE
|
|
value: "redis"
|
|
{{- if or .Values.redis.auth.enabled .Values.externalRedis.password }}
|
|
- name: OAUTH2_PROXY_REDIS_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "oauth2-proxy.redis.secretName" . }}
|
|
key: {{ include "oauth2-proxy.redis.secretPasswordKey" . }}
|
|
{{- end }}
|
|
- name: OAUTH2_PROXY_REDIS_CONNECTION_URL
|
|
value: {{ include "oauth2-proxy.redis.url" . }}
|
|
{{- if and .Values.redis.sentinel.enabled .Values.redis.enabled }}
|
|
- name: OAUTH2_PROXY_REDIS_USE_SENTINEL
|
|
value: "true"
|
|
- name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
|
|
value: {{ .Values.redis.sentinel.masterSet }}
|
|
- name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
|
|
value: {{ include "oauth2-proxy.redis.sentinelUrl" . }}
|
|
{{- if .Values.redis.auth.sentinel }}
|
|
- name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "oauth2-proxy.redis.secretName" . }}
|
|
key: {{ include "oauth2-proxy.redis.secretPasswordKey" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- else }}
|
|
- name: OAUTH2_PROXY_SESSION_STORE_TYPE
|
|
value: "cookie"
|
|
{{- end }}
|
|
{{- if .Values.extraEnvVars }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
envFrom:
|
|
{{- if .Values.extraEnvVarsCM }}
|
|
- configMapRef:
|
|
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
|
|
{{- end }}
|
|
{{- if .Values.extraEnvVarsSecret }}
|
|
- secretRef:
|
|
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
|
|
{{- end }}
|
|
ports:
|
|
- containerPort: {{ .Values.containerPort }}
|
|
name: http
|
|
protocol: TCP
|
|
{{- if .Values.extraContainerPorts }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.resources }}
|
|
resources: {{ include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if not .Values.diagnosticMode.enabled }}
|
|
{{- if .Values.customStartupProbe }}
|
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
|
|
{{- else if .Values.startupProbe.enabled }}
|
|
startupProbe:
|
|
httpGet:
|
|
path: /ping
|
|
port: http
|
|
scheme: HTTP
|
|
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.startupProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
|
|
{{- end }}
|
|
{{- if .Values.customLivenessProbe }}
|
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
|
|
{{- else if .Values.livenessProbe.enabled }}
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /ping
|
|
port: http
|
|
scheme: HTTP
|
|
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.livenessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
|
|
{{- end }}
|
|
{{- if .Values.customReadinessProbe }}
|
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
|
|
{{- else if .Values.readinessProbe.enabled }}
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /ping
|
|
port: http
|
|
scheme: HTTP
|
|
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
|
{{- end }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
{{- if .Values.configuration.google.enabled }}
|
|
- name: google-secret
|
|
mountPath: /bitnami/oauth2-proxy/conf/google
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if or .Values.configuration.existingConfigmap .Values.configuration.content }}
|
|
- name: main-configuration
|
|
mountPath: /bitnami/oauth2-proxy/conf
|
|
{{- end }}
|
|
{{- if .Values.configuration.authenticatedEmailsFile.enabled }}
|
|
- name: authenticated-emails
|
|
mountPath: /bitnami/oauth2-proxy/conf/authenticated-emails
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if .Values.configuration.htpasswdFile.enabled }}
|
|
- name: htpasswd-file
|
|
mountPath: /bitnami/oauth2-proxy/conf/htpasswd
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if .Values.extraVolumeMounts }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.sidecars }}
|
|
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
{{- if .Values.configuration.google.enabled }}
|
|
- name: google-secret
|
|
secret:
|
|
secretName: {{ include "oauth2-proxy.googleSecret" . }}
|
|
{{- end }}
|
|
{{- if .Values.configuration.htpasswdFile.enabled }}
|
|
- name: htpasswd-file
|
|
secret:
|
|
secretName: {{ include "oauth2-proxy.httpasswdSecret" . }}
|
|
{{- end }}
|
|
{{- if .Values.configuration.authenticatedEmailsFile.enabled }}
|
|
- name: authenticated-emails
|
|
secret:
|
|
items:
|
|
- key: authenticated-emails-list
|
|
path: authenticated-emails-list
|
|
secretName: {{ include "oauth2-proxy.authenticatedEmailsSecret" . }}
|
|
{{- end }}
|
|
{{- if or .Values.configuration.existingConfigmap .Values.configuration.content }}
|
|
- name: main-configuration
|
|
configMap:
|
|
defaultMode: 420
|
|
name: {{ include "oauth2-proxy.configmapName" . }}
|
|
{{- end }}
|
|
{{- if .Values.extraVolumes }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.dnsPolicy }}
|
|
dnsPolicy: {{ .Values.dnsPolicy | quote }}
|
|
{{- end }}
|
|
{{- if .Values.dnsConfig }}
|
|
dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }}
|
|
{{- end }}
|