aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/authentication/components/oauth2-proxy/values.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/authentication/components/oauth2-proxy/values.yaml')
-rw-r--r--kubernetes/authentication/components/oauth2-proxy/values.yaml478
1 files changed, 478 insertions, 0 deletions
diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml
new file mode 100644
index 0000000000..f49cb638fa
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml
@@ -0,0 +1,478 @@
+global:
+ quayRepository: quay.io
+ dockerHubRepository: docker.io
+ # Additions for Redis ****************************
+ # If dockerHubRepository is changes the following entry needs
+ # to be changed as well
+ imageRegistry: docker.io
+ imagePullSecrets:
+ - '{{ include "common.names.namespace" . }}-docker-registry-key'
+ # *************************************************
+
+## Override the deployment namespace
+##
+namespaceOverride: ""
+
+# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).
+# This is especially useful for `helm template` as capabilities are always empty
+# due to the fact that it doesn't query an actual cluster
+kubeVersion:
+
+# Oauth client configuration specifics
+config:
+ # Add config annotations
+ annotations: {}
+ # OAuth client ID
+ clientID: "XXXXXXX"
+ # OAuth client secret
+ clientSecret: "XXXXXXXX"
+ # Create a new secret with the following command
+ # openssl rand -base64 32 | head -c 32 | base64
+ # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
+ # Example:
+ # existingSecret: secret
+ cookieSecret: "XXXXXXXXXXXXXXXX"
+ # The name of the cookie that oauth2-proxy will create
+ # If left empty, it will default to the release name
+ cookieName: ""
+ google: {}
+ # adminEmail: xxxx
+ # useApplicationDefaultCredentials: true
+ # targetPrincipal: xxxx
+ # serviceAccountJson: xxxx
+ # Alternatively, use an existing secret (see google-secret.yaml for required fields)
+ # Example:
+ # existingSecret: google-secret
+ # groups: []
+ # Example:
+ # - group1@example.com
+ # - group2@example.com
+ # Default configuration, to be overridden
+ configFile: |-
+ email_domains = [ "*" ]
+ upstreams = [ "file:///dev/null" ]
+ # Custom configuration file: oauth2_proxy.cfg
+ # configFile: |-
+ # pass_basic_auth = false
+ # pass_access_token = true
+ # Use an existing config map (see configmap.yaml for required fields)
+ # Example:
+ # existingConfig: config
+
+alphaConfig:
+ enabled: false
+ # Add config annotations
+ annotations: {}
+ # Arbitrary configuration data to append to the server section
+ serverConfigData: {}
+ # Arbitrary configuration data to append to the metrics section
+ metricsConfigData: {}
+ # Arbitrary configuration data to append
+ configData: {}
+ # Arbitrary configuration to append
+ # This is treated as a Go template and rendered with the root context
+ configFile: ""
+ # Use an existing config map (see secret-alpha.yaml for required fields)
+ existingConfig: ~
+ # Use an existing secret
+ existingSecret: ~
+
+image:
+ #repository: "quay.io/oauth2-proxy/oauth2-proxy"
+ repository: "oauth2-proxy/oauth2-proxy"
+ # appVersion is used by default
+ tag: ""
+ pullPolicy: "IfNotPresent"
+
+# Optionally specify an array of imagePullSecrets.
+# Secrets must be manually created in the namespace.
+# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+# imagePullSecrets:
+ # - name: myRegistryKeySecretName
+
+# Set a custom containerPort if required.
+# This will default to 4180 if this value is not set and the httpScheme set to http
+# This will default to 4443 if this value is not set and the httpScheme set to https
+# containerPort: 4180
+
+extraArgs: {}
+extraEnv: []
+
+envFrom: []
+# Load environment variables from a ConfigMap(s) and/or Secret(s)
+# that already exists (created and managed by you).
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
+#
+# PS: Changes in these ConfigMaps or Secrets will not be automatically
+# detected and you must manually restart the relevant Pods after changes.
+#
+# - configMapRef:
+# name: special-config
+# - secretRef:
+# name: special-config-secret
+
+# -- Custom labels to add into metadata
+customLabels: {}
+
+# To authorize individual email addresses
+# That is part of extraArgs but since this needs special treatment we need to do a separate section
+authenticatedEmailsFile:
+ enabled: false
+ # Defines how the email addresses file will be projected, via a configmap or secret
+ persistence: configmap
+ # template is the name of the configmap what contains the email user list but has been configured without this chart.
+ # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
+ # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the
+ # provided value in restrictedUserAccessKey field.
+ template: ""
+ # The configmap/secret key under which the list of email access is stored
+ # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
+ restrictedUserAccessKey: ""
+ # One email per line
+ # example:
+ # restricted_access: |-
+ # name1@domain
+ # name2@domain
+ # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
+ # config map resource.
+ restricted_access: ""
+ annotations: {}
+ # helm.sh/resource-policy: keep
+
+service:
+ type: ClusterIP
+ # when service.type is ClusterIP ...
+ # clusterIP: 192.0.2.20
+ # when service.type is LoadBalancer ...
+ # loadBalancerIP: 198.51.100.40
+ # loadBalancerSourceRanges: 203.0.113.0/24
+ # when service.type is NodePort ...
+ # nodePort: 80
+ portNumber: 80
+ # Protocol set on the service
+ appProtocol: http
+ annotations: {}
+ # foo.io/bar: "true"
+
+## Create or use ServiceAccount
+serviceAccount:
+ ## Specifies whether a ServiceAccount should be created
+ enabled: true
+ ## The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the fullname template
+ name:
+ automountServiceAccountToken: true
+ annotations: {}
+
+ingress:
+ enabled: false
+ # className: nginx
+ path: /
+ # Only used if API capabilities (networking.k8s.io/v1) allow it
+ pathType: ImplementationSpecific
+ # Used to create an Ingress record.
+ # hosts:
+ # - chart-example.local
+ # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
+ # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
+ # extraPaths:
+ # - path: /*
+ # pathType: ImplementationSpecific
+ # backend:
+ # service:
+ # name: ssl-redirect
+ # port:
+ # name: use-annotation
+ labels: {}
+ # annotations:
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ # tls:
+ # Secrets must be manually created in the namespace.
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 300Mi
+ # requests:
+ # cpu: 100m
+ # memory: 300Mi
+
+extraVolumes: []
+ # - name: ca-bundle-cert
+ # secret:
+ # secretName: <secret-name>
+
+extraVolumeMounts: []
+ # - mountPath: /etc/ssl/certs/
+ # name: ca-bundle-cert
+
+# Additional containers to be added to the pod.
+extraContainers: []
+ # - name: my-sidecar
+ # image: nginx:latest
+
+priorityClassName: ""
+
+# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution
+hostAliases: []
+# - ip: "10.xxx.xxx.xxx"
+# hostnames:
+# - "auth.example.com"
+# - ip: 127.0.0.1
+# hostnames:
+# - chart-example.local
+# - example.local
+
+# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
+# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+# topologySpreadConstraints: []
+
+# Affinity for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+# affinity: {}
+
+# Tolerations for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Node labels for pod assignment
+# Ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
+proxyVarsAsSecrets: true
+
+# Configure Kubernetes liveness and readiness probes.
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ timeoutSeconds: 1
+
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 0
+ timeoutSeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+
+# Configure Kubernetes security context for container
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 2000
+ runAsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+
+deploymentAnnotations: {}
+podAnnotations: {}
+podLabels: {}
+replicaCount: 1
+revisionHistoryLimit: 10
+strategy: {}
+
+## PodDisruptionBudget settings
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+
+# Configure Kubernetes security context for pod
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext: {}
+
+# whether to use http or https
+httpScheme: http
+
+initContainers:
+ # if the redis sub-chart is enabled, wait for it to be ready
+ # before starting the proxy
+ # creates a role binding to get, list, watch, the redis master pod
+ # if service account is enabled
+ waitForRedis:
+ enabled: true
+ image:
+ repository: "alpine"
+ tag: "latest"
+ pullPolicy: "IfNotPresent"
+ # uses the kubernetes version of the cluster
+ # the chart is deployed on, if not set
+ kubectlVersion: ""
+ securityContext:
+ enabled: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
+ timeout: 180
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 300Mi
+ # requests:
+ # cpu: 100m
+ # memory: 300Mi
+
+# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
+# Alternatively supply an existing secret which contains the required information.
+htpasswdFile:
+ enabled: false
+ existingSecret: ""
+ entries: []
+ # One row for each user
+ # example:
+ # entries:
+ # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy
+
+# Configure the session storage type, between cookie and redis
+sessionStorage:
+ # Can be one of the supported session storage cookie|redis
+ type: cookie
+ redis:
+ # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
+ existingSecret: ""
+ # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
+ password: ""
+ # Key of the Kubernetes secret data containing the redis password value
+ passwordKey: "redis-password"
+ # Can be one of standalone|cluster|sentinel
+ clientType: "standalone"
+ standalone:
+ # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
+ connectionUrl: ""
+ cluster:
+ # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
+ connectionUrls: []
+ sentinel:
+ # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
+ existingSecret: ""
+ # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
+ password: ""
+ # Key of the Kubernetes secret data containing the redis sentinel password value
+ passwordKey: "redis-sentinel-password"
+ # Redis sentinel master name
+ masterName: ""
+ # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
+ connectionUrls: []
+
+# Enables and configure the automatic deployment of the redis subchart
+redis:
+ # provision an instance of the redis sub-chart
+ enabled: false
+ # Redis specific helm chart settings, please see:
+ # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
+ # redisPort: 6379
+ # architecture: standalone
+
+# Enables apiVersion deprecation checks
+checkDeprecation: true
+
+# Allows graceful shutdown
+# terminationGracePeriodSeconds: 65
+# lifecycle:
+# preStop:
+# exec:
+# command: [ "sh", "-c", "sleep 60" ]
+
+metrics:
+ # Enable Prometheus metrics endpoint
+ enabled: true
+ # Serve Prometheus metrics on this port
+ port: 44180
+ # when service.type is NodePort ...
+ # nodePort: 44180
+ # Protocol set on the service for the metrics port
+ service:
+ appProtocol: http
+ serviceMonitor:
+ # Enable Prometheus Operator ServiceMonitor
+ enabled: false
+ # Define the namespace where to deploy the ServiceMonitor resource
+ namespace: ""
+ # Prometheus Instance definition
+ prometheusInstance: default
+ # Prometheus scrape interval
+ interval: 60s
+ # Prometheus scrape timeout
+ scrapeTimeout: 30s
+ # Add custom labels to the ServiceMonitor resource
+ labels: {}
+
+ ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
+ scheme: ""
+
+ ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.
+ ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
+ tlsConfig: {}
+
+ ## bearerTokenFile: Path to bearer token file.
+ bearerTokenFile: ""
+
+ ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ annotations: {}
+
+ ## Metric relabel configs to apply to samples before ingestion.
+ ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
+ metricRelabelings: []
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ ## Relabel configs to apply to samples before ingestion.
+ ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^(.*)$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+# Extra K8s manifests to deploy
+extraObjects: []
+ # - apiVersion: secrets-store.csi.x-k8s.io/v1
+ # kind: SecretProviderClass
+ # metadata:
+ # name: oauth2-proxy-secrets-store
+ # spec:
+ # provider: aws
+ # parameters:
+ # objects: |
+ # - objectName: "oauth2-proxy"
+ # objectType: "secretsmanager"
+ # jmesPath:
+ # - path: "client_id"
+ # objectAlias: "client-id"
+ # - path: "client_secret"
+ # objectAlias: "client-secret"
+ # - path: "cookie_secret"
+ # objectAlias: "cookie-secret"
+ # secretObjects:
+ # - data:
+ # - key: client-id
+ # objectName: client-id
+ # - key: client-secret
+ # objectName: client-secret
+ # - key: cookie-secret
+ # objectName: cookie-secret
+ # secretName: oauth2-proxy-secrets-store
+ # type: Opaque