diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 48badfaefb..0bf2ee51f1 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -81,7 +81,7 @@ dependencies: version: 5.4.0 repository: https://charts.min.io/ - name: oauth2-proxy - version: 8.3.3 + version: 8.5.0 repository: https://oauth2-proxy.github.io/manifests - name: opentelemetry-operator alias: otel-operator diff --git a/charts/oauth2-proxy/Chart.yaml b/charts/oauth2-proxy/Chart.yaml index 3e5f12068d..b72f66a831 100644 --- a/charts/oauth2-proxy/Chart.yaml +++ b/charts/oauth2-proxy/Chart.yaml @@ -1,10 +1,10 @@ annotations: artifacthub.io/changes: | - - kind: changed - description: Updated OAuth2-Proxy image to v7.13.0 + - kind: added + description: Add HTTPRoutes for Gateway API support links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/pull/366 + url: https://github.com/oauth2-proxy/manifests/pull/369 apiVersion: v2 appVersion: 7.13.0 dependencies: @@ -36,4 +36,4 @@ name: oauth2-proxy sources: - https://github.com/oauth2-proxy/oauth2-proxy - https://github.com/oauth2-proxy/manifests -version: 8.3.3 +version: 8.5.0 diff --git a/charts/oauth2-proxy/README.md b/charts/oauth2-proxy/README.md index 9d7de12c60..7181beda4b 100644 --- a/charts/oauth2-proxy/README.md +++ b/charts/oauth2-proxy/README.md 
@@ -127,7 +127,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | | `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | | `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | -| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | +| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | | `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | | `alphaConfig.annotations` | Configmap annotations | `{}` | | `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | 
@@ -170,9 +170,16 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `ingress.annotations` | Ingress annotations | `nil` | | `ingress.hosts` | Ingress accepted hostnames | `nil` | | `ingress.tls` | Ingress TLS configuration | `nil` | +| `gatewayApi.enabled` | Enable Gateway API HTTPRoute | `false` | +| `gatewayApi.gatewayRef.name` | Name of the Gateway resource to attach the HTTPRoute to | `""` | +| `gatewayApi.gatewayRef.namespace` | Namespace of the Gateway resource | `""` | +| `gatewayApi.hostnames` | Hostnames to match in the HTTPRoute | `[]` | +| `gatewayApi.rules` | HTTPRoute rule configuration. If not specified, a default rule with PathPrefix `/` will be created | `[]` | +| `gatewayApi.labels` | Additional labels to add to the HTTPRoute | `{}` | +| `gatewayApi.annotations` | Additional annotations to add to the HTTPRoute | `{}` | | `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | | `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | -| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` | +| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` | | `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor \| replace "+" "")` | | `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | | `initContainers.waitForRedis.timeout` | number of seconds | 180 | 
@@ -191,7 +198,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | | `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null | | `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 | -| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` | +| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` | | `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | | `priorityClassName` | priorityClassName | `nil` | | `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | 
@@ -201,7 +208,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `readinessProbe.successThreshold` | number of successes | 1 | | `replicaCount` | desired number of pods | `1` | | `resources` | pod resource requests & limits | `{}` | -| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` | +| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` | | `revisionHistoryLimit` | maximum number of revisions maintained | 10 | | `service.portNumber` | port number for the service | `80` | | `service.appProtocol` | application protocol on the port of the service | `http` | @@ -220,6 +227,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `serviceAccount.enabled` | create a service account | `true` | | `serviceAccount.name` | the service account name | `` | | `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | +| `serviceAccount.imagePullSecrets` | imagePullSecrets for the service account | `[]` | | `strategy` | configure deployment strategy | `{}` | | `tolerations` | list of node taints to tolerate | `[]` | | `securityContext.enabled` | enable Kubernetes security context on container | `true` | 
@@ -272,6 +280,55 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml > **Tip**: You can use the default [values.yaml](values.yaml) +## Gateway API HTTPRoute Configuration + +This chart supports using [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resources as an alternative to traditional Ingress resources. To use Gateway API: + +1. Ensure the Gateway API CRDs are installed in your cluster +2. Create a Gateway resource (or use an existing one) +3. Configure the chart to create an HTTPRoute + +### Basic Gateway API Configuration + +```yaml +gatewayApi: + enabled: true + gatewayRef: + name: my-gateway + namespace: gateway-system + hostnames: + - oauth.example.com +``` + +### Advanced Gateway API Configuration with Custom Rules + +```yaml +gatewayApi: + enabled: true + gatewayRef: + name: my-gateway + namespace: gateway-system + hostnames: + - oauth.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /oauth2 + filters: + - type: RequestHeaderModifier + requestHeaderModifier: + add: + - name: X-Auth-Request + value: "true" + labels: + app: oauth2-proxy + annotations: + example.com/annotation: "value" +``` + +If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service. + ## TLS Configuration See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). diff --git a/charts/oauth2-proxy/ci/gateway-api-minimal.yaml b/charts/oauth2-proxy/ci/gateway-api-minimal.yaml new file mode 100644 index 0000000000..e5a6a4fa05 --- /dev/null +++ b/charts/oauth2-proxy/ci/gateway-api-minimal.yaml @@ -0,0 +1,7 @@ +# Minimal Gateway API configuration with default rule +gatewayApi: + enabled: true + gatewayRef: + name: minimal-gateway + hostnames: + - minimal.example.com 
diff --git a/charts/oauth2-proxy/ci/gateway-api.yaml b/charts/oauth2-proxy/ci/gateway-api.yaml new file mode 100644 index 0000000000..51c8142555 --- /dev/null +++ b/charts/oauth2-proxy/ci/gateway-api.yaml @@ -0,0 +1,17 @@ +# Test values for Gateway API HTTPRoute configuration +gatewayApi: + enabled: true + gatewayRef: + name: example-gateway + namespace: gateway-system + hostnames: + - oauth.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /oauth2 + annotations: + example.com/annotation: "value" + labels: + example.com/label: "value" diff --git a/charts/oauth2-proxy/templates/httproute.yaml b/charts/oauth2-proxy/templates/httproute.yaml new file mode 100644 index 0000000000..ab9eada443 --- /dev/null +++ b/charts/oauth2-proxy/templates/httproute.yaml 
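Review bot: The custom-rules fixture sets only `matches` on its single rule, so the `{{- if .backendRefs }}` and `{{- if .filters }}` branches of the new `templates/httproute.yaml` never render in CI and only the default `backendRefs` path is exercised. Adding a `filters:` entry to this rule (the `RequestHeaderModifier` example from the README would do) and a second rule with an explicit `backendRefs:` would cover the remaining branches with the same lint/install run. The `gatewayRef.namespace` value here also differs from the release namespace, so whether the route is actually Accepted depends on the test Gateway's `allowedRoutes`; worth noting in the fixture header comment.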
@@ -0,0 +1,65 @@
+{{- if .Values.gatewayApi.enabled -}}
+{{- $serviceName := include "oauth2-proxy.fullname" . -}}
+{{- $servicePort := .Values.service.portNumber -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ {{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.gatewayApi.labels }}
+{{ toYaml .Values.gatewayApi.labels | indent 4 }}
+{{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+ namespace: {{ template "oauth2-proxy.namespace" $ }}
+{{- with .Values.gatewayApi.annotations }}
+ annotations:
+{{ tpl ( toYaml . ) $ | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.gatewayApi.gatewayRef.name }}
+ parentRefs:
+ - name: {{ .Values.gatewayApi.gatewayRef.name }}
+ {{- if .Values.gatewayApi.gatewayRef.namespace }}
+ namespace: {{ .Values.gatewayApi.gatewayRef.namespace }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.gatewayApi.hostnames }}
+ hostnames:
+ {{- range .Values.gatewayApi.hostnames }}
+ - {{ tpl . $ | quote }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- if .Values.gatewayApi.rules }}
+ {{- range .Values.gatewayApi.rules }}
+ - matches:
+ {{- if .matches }}
+ {{- toYaml .matches | nindent 4 }}
+ {{- else }}
+ - path:
+ type: PathPrefix
+ value: /
+ {{- end }}
+ backendRefs:
+ {{- if .backendRefs }}
+ {{- toYaml .backendRefs | nindent 4 }}
+ {{- else }}
+ - name: {{ $serviceName }}
+ port: {{ $servicePort }}
+ {{- end }}
+ {{- if .filters }}
+ filters:
+ {{- toYaml .filters | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ $serviceName }}
+ port: {{ $servicePort }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/oauth2-proxy/templates/serviceaccount.yaml b/charts/oauth2-proxy/templates/serviceaccount.yaml
index e38cd7a7a6..97aeffebad 100644
--- a/charts/oauth2-proxy/templates/serviceaccount.yaml
+++ b/charts/oauth2-proxy/templates/serviceaccount.yaml
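Review bot: When `gatewayApi.enabled` is true but `gatewayRef.name` is left at its `""` default, the `{{- if .Values.gatewayApi.gatewayRef.name }}` guard around `parentRefs` silently renders an HTTPRoute with no parent, which attaches to nothing and gives no install-time signal. Since this chart offers no other way to reach a Gateway, fail fast instead: `- name: {{ required "gatewayApi.gatewayRef.name must be set when gatewayApi.enabled is true" .Values.gatewayApi.gatewayRef.name | quote }}`, dropping the outer `if` (the inner `namespace` guard stays); `| quote` also keeps names such as `on` or `true` from being retyped by the YAML parser, as is already done for `hostnames`. Separately, in the `range .Values.gatewayApi.rules` branch only `matches`, `backendRefs` and `filters` are copied out of each rule, so any other HTTPRoute rule field a user supplies (for example `timeouts`) is dropped without warning; either pass the whole rule through `toYaml` after defaulting the missing keys, or document in values.yaml that exactly those three fields are honoured.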
@@ -17,6 +17,10 @@ metadata: {{- $labels | indent 4 }} name: {{ $saName }} namespace: {{ $namespace }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} --- diff --git a/charts/oauth2-proxy/values.yaml b/charts/oauth2-proxy/values.yaml index 8516e9c4a8..33361cc72e 100644 --- a/charts/oauth2-proxy/values.yaml +++ b/charts/oauth2-proxy/values.yaml @@ -31,8 +31,7 @@ config: # The name of the cookie that oauth2-proxy will create # If left empty, it will default to the release name cookieName: "" - google: - {} + google: {} # adminEmail: xxxx # useApplicationDefaultCredentials: true # targetPrincipal: xxxx @@ -84,8 +83,7 @@ image: # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod -imagePullSecrets: - [] +imagePullSecrets: [] # - name: myRegistryKeySecretName # Set a custom containerPort if required. @@ -176,6 +174,9 @@ serviceAccount: name: automountServiceAccountToken: true annotations: {} + ## imagePullSecrets for the service account + imagePullSecrets: [] + # - name: myRegistryKeySecretName # Network policy settings. networkPolicy: 
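Review bot: The new `imagePullSecrets` block on the ServiceAccount carries no comment, and the matching values.yaml entry in this commit only says `## imagePullSecrets for the service account`, so a reader cannot tell how it relates to the existing top-level `imagePullSecrets` pod setting documented a few lines earlier in values.yaml. Suggest replacing that values.yaml comment with: `## imagePullSecrets attached to the ServiceAccount. Pods that run under this account inherit them in addition to the top-level imagePullSecrets; the secrets must already exist in the release namespace.` When `serviceAccount.enabled` is false the pods presumably run under the default account and these secrets have no effect, which the comment should also state; the start of the manifest is outside the hunk, so I cannot see whether the file is guarded by that flag.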
@@ -212,8 +213,35 @@ ingress: # hosts: # - chart-example.local -resources: - {} +# Gateway API HTTPRoute configuration +# Ref: https://gateway-api.sigs.k8s.io/api-types/httproute/ +gatewayApi: + enabled: false + # The name of the Gateway resource to attach the HTTPRoute to + # Example: + # gatewayRef: + # name: gateway + # namespace: gateway-system + gatewayRef: + name: "" + namespace: "" + # HTTPRoute rule configuration + # rules: + # - matches: + # - path: + # type: PathPrefix + # value: / + rules: [] + # Hostnames to match in the HTTPRoute + # hostnames: + # - chart-example.local + hostnames: [] + # Additional labels to add to the HTTPRoute + labels: {} + # Additional annotations to add to the HTTPRoute + annotations: {} + +resources: {} # limits: # cpu: 100m # memory: 300Mi @@ -229,26 +257,22 @@ resizePolicy: [] # - resourceName: memory # restartPolicy: RestartContainer -extraVolumes: - [] +extraVolumes: [] # - name: ca-bundle-cert # secret: # secretName: -extraVolumeMounts: - [] +extraVolumeMounts: [] # - mountPath: /etc/ssl/certs/ # name: ca-bundle-cert # Additional containers to be added to the pod. -extraContainers: - [] +extraContainers: [] # - name: my-sidecar # image: nginx:latest # Additional Init containers to be added to the pod. -extraInitContainers: - [] +extraInitContainers: [] # - name: wait-for-idp # image: my-idp-wait:latest # command: @@ -348,8 +372,7 @@ autoscaling: annotations: {} # Configure HPA behavior policies for scaling if needed # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior - behavior: - {} + behavior: {} # scaleDown: # stabilizationWindowSeconds: 300 # policies: @@ -402,8 +425,7 @@ initContainers: seccompProfile: type: RuntimeDefault timeout: 180 - resources: - {} + resources: {} # limits: # cpu: 100m # memory: 300Mi 
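Review bot: The comment above `gatewayRef` describes only `name`, while the `namespace` key beneath it is undocumented; because `templates/httproute.yaml` omits `namespace` from `parentRefs` when it is empty, the Gateway API default applies and the route looks for the Gateway in its own (release) namespace. Suggest replacing the comment with: `# Gateway to attach the HTTPRoute to. namespace is optional and defaults to the release namespace; a Gateway in another namespace must admit routes from this namespace via its listener allowedRoutes, otherwise the route is not Accepted.` A one-line note that `gatewayApi.enabled` does not turn off `ingress.enabled`, so both resources are rendered when both are set, would also help, assuming the ingress template (not in this diff) has no such check.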
@@ -544,8 +566,7 @@ metrics: # action: replace # Extra K8s manifests to deploy -extraObjects: - [] +extraObjects: [] # - apiVersion: secrets-store.csi.x-k8s.io/v1 # kind: SecretProviderClass # metadata: