apiVersion: apps/v1 kind: Deployment metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} {{- if .Values.deploymentAnnotations }} annotations: {{ toYaml .Values.deploymentAnnotations | indent 8 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} spec: replicas: {{ .Values.replicaCount }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- with .Values.strategy }} strategy: {{ toYaml . | nindent 4 }} {{- end }} selector: matchLabels: {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} template: metadata: annotations: checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} {{- if .Values.alphaConfig.enabled }} checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} {{- end }} checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }} checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }} checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} {{- if .Values.htpasswdFile.enabled }} checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }} {{- end }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} {{- end }} labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 8 }} {{- if .Values.podLabels }} {{ toYaml .Values.podLabels | indent 8 }} {{- end }} spec: {{- if .Values.priorityClassName }} priorityClassName: "{{ .Values.priorityClassName }}" {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- if .Values.hostAliases }} hostAliases: {{ toYaml .Values.hostAliases | nindent 8}} {{- end }} {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} initContainers: - name: wait-for-redis #image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }} command: ["/bin/sh", "-c", "/scripts/check-redis.sh"] env: - name: TOTAL_RETRY_TIME value: "{{ .Values.initContainers.waitForRedis.timeout }}" {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} - name: OAUTH2_PROXY_REDIS_CONNECTION_URL value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }} {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} - name: OAUTH2_PROXY_REDIS_USE_CLUSTER value: "true" - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} - name: OAUTH2_PROXY_REDIS_USE_SENTINEL value: "true" - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} {{- end }} {{- if .Values.initContainers.waitForRedis.securityContext.enabled }} {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }} securityContext: {{- toYaml $securityContext | nindent 10 }} {{- end }} resources: {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }} volumeMounts: - name: redis-script mountPath: /scripts {{- end }} {{- if .Values.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: {{- if .Values.alphaConfig.enabled }} - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml {{- else }} - --http-address=0.0.0.0:4180 - --https-address=0.0.0.0:4443 {{- if .Values.metrics.enabled }} - --metrics-address=0.0.0.0:44180 {{- end }} {{- end }} {{- if .Values.config.cookieName }} - --cookie-name={{ .Values.config.cookieName }} {{- end }} {{- if kindIs "map" .Values.extraArgs }} {{- range $key, $value := .Values.extraArgs }} {{- if not (kindIs "invalid" $value) }} - --{{ $key }}={{ tpl ($value | toString) $ }} {{- else }} - --{{ $key }} {{- end }} {{- end }} {{- end }} {{- if kindIs "slice" .Values.extraArgs }} {{- with .Values.extraArgs }} {{- toYaml . | nindent 10 }} {{- end }} {{- end }} {{- if or .Values.config.existingConfig .Values.config.configFile }} - --config=/etc/oauth2_proxy/oauth2_proxy.cfg {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} {{- if .Values.authenticatedEmailsFile.template }} - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} {{- else }} - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list {{- end }} {{- end }} {{- with .Values.config.google }} {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }} - --google-admin-email={{ .adminEmail }} {{- if .useApplicationDefaultCredentials }} - --google-use-application-default-credentials=true {{- else }} - --google-service-account-json=/google/service-account.json {{- end }} {{- if .targetPrincipal }} - --google-target-principal={{ .targetPrincipal }} {{- end }} {{- end }} {{- if .groups }} {{- range $group := .groups }} - --google-group={{ $group }} {{- end }} {{- end }} {{- end }} {{- if .Values.htpasswdFile.enabled }} - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt {{- end }} {{- if .Values.lifecycle }} lifecycle: {{ toYaml .Values.lifecycle | indent 10 }} {{- end }} env: {{- if .Values.proxyVarsAsSecrets }} - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: name: {{ template "oauth2-proxy.secretName" . }} key: client-id - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: name: {{ template "oauth2-proxy.secretName" . }} key: client-secret - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: name: {{ template "oauth2-proxy.secretName" . }} key: cookie-secret {{- end }} {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }} - name: OAUTH2_PROXY_SESSION_STORE_TYPE value: "redis" {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}} - name: OAUTH2_PROXY_REDIS_PASSWORD valueFrom: secretKeyRef: {{- if .Values.sessionStorage.redis.existingSecret }} name: {{ .Values.sessionStorage.redis.existingSecret }} {{- else if .Values.sessionStorage.redis.password }} name: {{ template "oauth2-proxy.fullname" . }}-redis-access {{- else }} name: {{ include "oauth2-proxy.redis.fullname" . }} {{- end }} key: {{ .Values.sessionStorage.redis.passwordKey }} {{- end }} {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} - name: OAUTH2_PROXY_REDIS_CONNECTION_URL value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }} {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} - name: OAUTH2_PROXY_REDIS_USE_CLUSTER value: "true" - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} - name: OAUTH2_PROXY_REDIS_USE_SENTINEL value: "true" - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME value: {{ .Values.sessionStorage.redis.sentinel.masterName }} - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }} - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD valueFrom: secretKeyRef: {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }} name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }} {{- else }} name: {{ template "oauth2-proxy.fullname" . }}-redis-access {{- end }} key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }} {{- end }} {{- end }} {{- end }} {{- if .Values.extraEnv }} {{ tpl (toYaml .Values.extraEnv) . | indent 8 }} {{- end }} {{- if .Values.envFrom }} envFrom: {{ tpl (toYaml .Values.envFrom) . | indent 8 }} {{- end }} ports: {{- if .Values.containerPort }} - containerPort: {{ .Values.containerPort }} {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }} - containerPort: 4180 {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }} - containerPort: 4443 {{- else }} {{- end}} name: {{ .Values.httpScheme }} protocol: TCP {{- if .Values.metrics.enabled }} - containerPort: 44180 protocol: TCP name: metrics {{- end }} {{- if .Values.livenessProbe.enabled }} livenessProbe: httpGet: path: /ping port: {{ .Values.httpScheme }} scheme: {{ .Values.httpScheme | upper }} initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} {{- end }} {{- if .Values.readinessProbe.enabled }} readinessProbe: httpGet: path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }} port: {{ .Values.httpScheme }} scheme: {{ .Values.httpScheme | upper }} initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.readinessProbe.successThreshold }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} {{- end }} resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: {{- with .Values.config.google }} {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} - name: google-secret mountPath: /google readOnly: true {{- end }} {{- end }} {{- if or .Values.config.existingConfig .Values.config.configFile }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg name: configmain subPath: oauth2_proxy.cfg {{- end }} {{- if .Values.alphaConfig.enabled }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml name: configalpha subPath: oauth2_proxy.yml {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} - mountPath: /etc/oauth2-proxy name: configaccesslist readOnly: true {{- end }} {{- if .Values.htpasswdFile.enabled }} - mountPath: /etc/oauth2_proxy/htpasswd name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file readOnly: true {{- end }} {{- if ne (len .Values.extraVolumeMounts) 0 }} {{ toYaml .Values.extraVolumeMounts | indent 8 }} {{- end }} {{- if .Values.securityContext.enabled }} {{- $securityContext := unset .Values.securityContext "enabled" }} securityContext: {{- toYaml $securityContext | nindent 10 }} {{- end }} {{- if .Values.extraContainers }} {{- toYaml .Values.extraContainers | nindent 6 }} {{- end }} volumes: {{- with .Values.config.google }} {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} - name: google-secret secret: secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }} {{- end }} {{- end }} {{- if .Values.htpasswdFile.enabled }} - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file secret: secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }} {{- end }} {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }} - name: configaccesslist secret: items: - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} path: authenticated-emails-list {{- end }} {{- if .Values.authenticatedEmailsFile.template }} secretName: {{ .Values.authenticatedEmailsFile.template }} {{- else }} secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} {{- end }} {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} - name: redis-script configMap: name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis defaultMode: 0775 {{- end }} {{- if or .Values.config.existingConfig .Values.config.configFile }} - configMap: defaultMode: 420 name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }} name: configmain {{- end }} {{- if .Values.alphaConfig.enabled }} {{- if .Values.alphaConfig.existingConfig }} - configMap: defaultMode: 420 name: {{ .Values.alphaConfig.existingConfig }} name: configalpha {{- else }} - secret: defaultMode: 420 secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} name: configalpha {{- end }} {{- end }} {{- if ne (len .Values.extraVolumes) 0 }} {{ toYaml .Values.extraVolumes | indent 6 }} {{- end }} {{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} - configMap: {{- if .Values.authenticatedEmailsFile.template }} name: {{ .Values.authenticatedEmailsFile.template }} {{- else }} name: {{ template "oauth2-proxy.fullname" . }}-accesslist {{- end }} items: - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} {{- if .Values.authenticatedEmailsFile.template }} path: {{ .Values.authenticatedEmailsFile.template }} {{- else }} path: authenticated-emails-list {{- end }} name: configaccesslist {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 8 }} {{- end }} {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: {{- toYaml . | nindent 8 }} {{- end }}