aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml')
-rw-r--r--kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml406
1 files changed, 406 insertions, 0 deletions
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000000..1a626d1ab8
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
@@ -0,0 +1,406 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+ {{- if .Values.deploymentAnnotations }}
+ annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 8 }}
+ {{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+ namespace: {{ template "oauth2-proxy.namespace" $ }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ {{- with .Values.strategy }}
+ strategy:
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
+ template:
+ metadata:
+ annotations:
+ checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }}
+ {{- if .Values.alphaConfig.enabled }}
+ checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }}
+ {{- end }}
+ {{- if .Values.authenticatedEmailsFile.enabled }}
+ checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }}
+ checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
+ checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
+{{- if .Values.htpasswdFile.enabled }}
+ checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }}
+{{- end }}
+ {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ {{- include "oauth2-proxy.labels" . | indent 8 }}
+ {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+ {{- if .Values.hostAliases }}
+ hostAliases:
+ {{ toYaml .Values.hostAliases | nindent 8}}
+ {{- end }}
+ {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+ initContainers:
+ - name: wait-for-redis
+ #image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}"
+ image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}"
+ imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }}
+ command: ["/bin/sh", "-c", "/scripts/check-redis.sh"]
+ env:
+ - name: TOTAL_RETRY_TIME
+ value: "{{ .Values.initContainers.waitForRedis.timeout }}"
+ {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
+ - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
+ value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
+ {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
+ - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
+ value: "true"
+ - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
+ value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
+ {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
+ - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
+ value: "true"
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
+ value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
+ {{- end }}
+ {{- if .Values.initContainers.waitForRedis.securityContext.enabled }}
+ {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }}
+ securityContext:
+ {{- toYaml $securityContext | nindent 10 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }}
+ volumeMounts:
+ - name: redis-script
+ mountPath: /scripts
+ {{- end }}
+ {{- if .Values.terminationGracePeriodSeconds }}
+ terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
+ #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ {{- if .Values.alphaConfig.enabled }}
+ - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml
+ {{- else }}
+ - --http-address=0.0.0.0:4180
+ - --https-address=0.0.0.0:4443
+ {{- if .Values.metrics.enabled }}
+ - --metrics-address=0.0.0.0:44180
+ {{- end }}
+ {{- end }}
+ {{- if .Values.config.cookieName }}
+ - --cookie-name={{ .Values.config.cookieName }}
+ {{- end }}
+ {{- if kindIs "map" .Values.extraArgs }}
+ {{- range $key, $value := .Values.extraArgs }}
+ {{- if not (kindIs "invalid" $value) }}
+ - --{{ $key }}={{ tpl ($value | toString) $ }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if kindIs "slice" .Values.extraArgs }}
+ {{- with .Values.extraArgs }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.config.existingConfig .Values.config.configFile }}
+ - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+ {{- end }}
+ {{- if .Values.authenticatedEmailsFile.enabled }}
+ {{- if .Values.authenticatedEmailsFile.template }}
+ - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
+ {{- else }}
+ - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
+ {{- end }}
+ {{- end }}
+ {{- with .Values.config.google }}
+ {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
+ - --google-admin-email={{ .adminEmail }}
+ {{- if .useApplicationDefaultCredentials }}
+ - --google-use-application-default-credentials=true
+ {{- else }}
+ - --google-service-account-json=/google/service-account.json
+ {{- end }}
+ {{- if .targetPrincipal }}
+ - --google-target-principal={{ .targetPrincipal }}
+ {{- end }}
+ {{- end }}
+ {{- if .groups }}
+ {{- range $group := .groups }}
+ - --google-group={{ $group }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.htpasswdFile.enabled }}
+ - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
+ {{- end }}
+{{- if .Values.lifecycle }}
+ lifecycle:
+{{ toYaml .Values.lifecycle | indent 10 }}
+{{- end }}
+ env:
+ {{- if .Values.proxyVarsAsSecrets }}
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "oauth2-proxy.secretName" . }}
+ key: client-id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "oauth2-proxy.secretName" . }}
+ key: client-secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "oauth2-proxy.secretName" . }}
+ key: cookie-secret
+ {{- end }}
+ {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
+ - name: OAUTH2_PROXY_SESSION_STORE_TYPE
+ value: "redis"
+ {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}}
+ - name: OAUTH2_PROXY_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ {{- if .Values.sessionStorage.redis.existingSecret }}
+ name: {{ .Values.sessionStorage.redis.existingSecret }}
+ {{- else if .Values.sessionStorage.redis.password }}
+ name: {{ template "oauth2-proxy.fullname" . }}-redis-access
+ {{- else }}
+ name: {{ include "oauth2-proxy.redis.fullname" . }}
+ {{- end }}
+ key: {{ .Values.sessionStorage.redis.passwordKey }}
+ {{- end }}
+ {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
+ - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
+ value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
+ {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
+ - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
+ value: "true"
+ - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
+ value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
+ {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
+ - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
+ value: "true"
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
+ value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
+ value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
+ {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }}
+ - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }}
+ name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }}
+ {{- else }}
+ name: {{ template "oauth2-proxy.fullname" . }}-redis-access
+ {{- end }}
+ key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.extraEnv }}
+{{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
+ {{- end }}
+ {{- if .Values.envFrom }}
+ envFrom:
+{{ tpl (toYaml .Values.envFrom) . | indent 8 }}
+ {{- end }}
+ ports:
+ {{- if .Values.containerPort }}
+ - containerPort: {{ .Values.containerPort }}
+ {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }}
+ - containerPort: 4180
+ {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }}
+ - containerPort: 4443
+ {{- else }}
+ {{- end}}
+ name: {{ .Values.httpScheme }}
+ protocol: TCP
+{{- if .Values.metrics.enabled }}
+ - containerPort: 44180
+ protocol: TCP
+ name: metrics
+{{- end }}
+{{- if .Values.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: {{ .Values.httpScheme }}
+ scheme: {{ .Values.httpScheme | upper }}
+ initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }}
+ port: {{ .Values.httpScheme }}
+ scheme: {{ .Values.httpScheme | upper }}
+ initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.readinessProbe.successThreshold }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+{{- end }}
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ volumeMounts:
+{{- with .Values.config.google }}
+{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+ - name: google-secret
+ mountPath: /google
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- if or .Values.config.existingConfig .Values.config.configFile }}
+ - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
+ name: configmain
+ subPath: oauth2_proxy.cfg
+{{- end }}
+{{- if .Values.alphaConfig.enabled }}
+ - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
+ name: configalpha
+ subPath: oauth2_proxy.yml
+{{- end }}
+{{- if .Values.authenticatedEmailsFile.enabled }}
+ - mountPath: /etc/oauth2-proxy
+ name: configaccesslist
+ readOnly: true
+{{- end }}
+{{- if .Values.htpasswdFile.enabled }}
+ - mountPath: /etc/oauth2_proxy/htpasswd
+ name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+ readOnly: true
+{{- end }}
+{{- if ne (len .Values.extraVolumeMounts) 0 }}
+{{ toYaml .Values.extraVolumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.securityContext.enabled }}
+{{- $securityContext := unset .Values.securityContext "enabled" }}
+ securityContext:
+ {{- toYaml $securityContext | nindent 10 }}
+{{- end }}
+{{- if .Values.extraContainers }}
+ {{- toYaml .Values.extraContainers | nindent 6 }}
+{{- end }}
+ volumes:
+{{- with .Values.config.google }}
+{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+ - name: google-secret
+ secret:
+ secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.htpasswdFile.enabled }}
+ - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+ secret:
+ secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
+{{- end }}
+
+{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
+ - name: configaccesslist
+ secret:
+ items:
+ - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
+{{- if .Values.authenticatedEmailsFile.template }}
+ path: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ path: authenticated-emails-list
+{{- end }}
+{{- if .Values.authenticatedEmailsFile.template }}
+ secretName: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
+{{- end }}
+{{- end }}
+{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+ - name: redis-script
+ configMap:
+ name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
+ defaultMode: 0775
+{{- end }}
+{{- if or .Values.config.existingConfig .Values.config.configFile }}
+ - configMap:
+ defaultMode: 420
+ name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
+ name: configmain
+{{- end }}
+{{- if .Values.alphaConfig.enabled }}
+{{- if .Values.alphaConfig.existingConfig }}
+ - configMap:
+ defaultMode: 420
+ name: {{ .Values.alphaConfig.existingConfig }}
+ name: configalpha
+{{- else }}
+ - secret:
+ defaultMode: 420
+ secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
+ name: configalpha
+{{- end }}
+{{- end }}
+{{- if ne (len .Values.extraVolumes) 0 }}
+{{ toYaml .Values.extraVolumes | indent 6 }}
+{{- end }}
+{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
+ - configMap:
+{{- if .Values.authenticatedEmailsFile.template }}
+ name: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+{{- end }}
+ items:
+ - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
+{{- if .Values.authenticatedEmailsFile.template }}
+ path: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+ path: authenticated-emails-list
+{{- end }}
+ name: configaccesslist
+{{- end }}
+
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
+ {{- if .Values.affinity }}
+ affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+ {{- with .Values.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}