Verified Commit 4b568bac authored by Janne Mareike Koschinski's avatar Janne Mareike Koschinski

feat: add oauth2-proxy chart

parent e0a5f551
Pipeline #2786 passed
......@@ -9,4 +9,5 @@ stages:
include:
- jellyfin/pipeline.yml
- mailu/pipeline.yml
- oauth2-proxy/pipeline.yml
- quassel/pipeline.yml
apiVersion: v2
name: oauth2-proxy
description: Helm Chart for oauth2-proxy
type: application
version: 1.0.0
appVersion: "v7.2.1"
lint-oauth2-proxy:
stage: lint
script:
- helm lint oauth2-proxy
release-oauth2-proxy:
stage: release
script:
- apk add --no-cache git
- helm plugin install https://github.com/chartmuseum/helm-push.git
- helm repo add --username gitlab-ci-token --password $CI_JOB_TOKEN repo ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
- helm cm-push oauth2-proxy repo
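Review bot: The release job installs the push plugin unpinned (`helm plugin install https://github.com/chartmuseum/helm-push.git`), so every release run fetches whatever the upstream default branch currently contains and executes it with access to `$CI_JOB_TOKEN` and the package registry. Pinning it removes that moving part: `helm plugin install https://github.com/chartmuseum/helm-push.git --version <PINNED_PLUGIN_VERSION>` (placeholder, pick the tag the pipeline was tested with). The same applies to `apk add --no-cache git`, though the base image already constrains that more tightly. A short comment above the job noting why the version is pinned would keep the next bump deliberate.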
{{/*
Expand the name of the chart.
*/}}
{{- define "oauth2-proxy-helm.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "oauth2-proxy-helm.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "oauth2-proxy-helm.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "oauth2-proxy-helm.labels" -}}
helm.sh/chart: {{ include "oauth2-proxy-helm.chart" . }}
{{ include "oauth2-proxy-helm.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "oauth2-proxy-helm.selectorLabels" -}}
app.kubernetes.io/name: {{ include "oauth2-proxy-helm.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "oauth2-proxy-helm.sslPath" -}}
/certs
{{- end }}
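Review bot: `oauth2-proxy-helm.sslPath` is the only define without a `{{/* ... */}}` header, and none of the templates in this commit appear to reference it, so as it stands it reads as a leftover from a certificate-mounting feature that was dropped. Either remove it or give it a header like the others, e.g. `{{/* Mount path for TLS material; currently unused by the templates */}}`, so a later reader knows it is intentional. If it is meant to be wired into the deployment later, a values key and a volume mount would have to accompany it.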
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "oauth2-proxy-helm.fullname" . }}
labels:
{{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "oauth2-proxy-helm.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "oauth2-proxy-helm.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: {{ include "oauth2-proxy-helm.fullname" . }}
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client-secret
name: {{ include "oauth2-proxy-helm.fullname" . }}
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
key: cookie-secret
name: {{ include "oauth2-proxy-helm.fullname" . }}
args:
{{ range .Values.roles }}
- "--allowed-role={{ . }}"
{{ end }}
- "--redirect-url=https://{{ .Values.ingress.host }}{{ .Values.ingress.path }}oauth2/callback"
- "--oidc-issuer-url={{ .Values.oidc.discoveryUrl }}"
- "--upstream=file:///dev/null"
- "--http-address=0.0.0.0:4180"
- "--provider=oidc"
- "--upstream-timeout=120s"
- "--upstream-response-header-timeout=120s"
- "--upstream-expect-continue-timeout=120s"
- "--server-read-timeout=120s"
- "--server-write-timeout=120s"
- "--server-idle-timeout=120s"
- "--enable-default-deny=false"
ports:
- name: http
containerPort: 4180
protocol: TCP
startupProbe:
httpGet:
path: /ping
port: http
livenessProbe:
httpGet:
path: /ping
port: http
readinessProbe:
httpGet:
path: /ping
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
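Review bot: The `--allowed-role` arguments rendered from `.Values.roles` are combined with `--provider=oidc`, and as far as I recall oauth2-proxy evaluates allowed roles only in the keycloak-oidc provider, so with the generic oidc provider any user who can authenticate at the issuer would be let through and the role list would silently do nothing; please confirm against the pinned appVersion and, if roles are meant to gate access, either switch the provider or add a `{{ fail "roles require provider keycloak-oidc" }}` guard when roles are set. No `--email-domain` (or authenticated-emails file) is passed either, and oauth2-proxy refuses to start without one, so the args most likely need `- "--email-domain=*"` or a values-driven equivalent. The pod does not need the Kubernetes API, so `automountServiceAccountToken: false` in the pod spec would remove an unnecessary token from the container. `.Values.roles` is also not declared in values.yaml, which makes the `range` easy to miss when configuring the chart.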
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "oauth2-proxy-helm.fullname" . }}
labels:
{{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
annotations:
{{- .Values.ingress.annotations | toYaml | nindent 4 }}
spec:
rules:
- host: "{{ .Values.ingress.host }}"
http:
paths:
- path: "{{ .Values.ingress.path }}oauth2"
backend:
service:
name: {{ include "oauth2-proxy-helm.fullname" . }}
port:
name: http
pathType: Prefix
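Review bot: The Ingress has no `tls:` stanza, while the deployment hard-codes `--redirect-url=https://...` and oauth2-proxy sets Secure cookies by default, so a plain-HTTP ingress would produce a working login redirect and then a browser that never stores the session cookie. If TLS terminates at an upstream load balancer that is fine, but it should be stated in values.yaml; otherwise a values-driven `tls:` block (e.g. an `ingress.tls` list rendered with `toYaml`) belongs here. Either way a one-line comment above `spec:` explaining where TLS is terminated would save the next operator the debugging.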
apiVersion: v1
kind: Secret
metadata:
name: {{ include "oauth2-proxy-helm.fullname" . }}
labels:
{{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
data:
client-id: "{{ .Values.oidc.clientId }}"
client-secret: "{{ .Values.oidc.clientSecret }}"
cookie-secret: "{{ .Values.cookieSecret }}"
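Review bot: The values under `data:` are rendered as raw strings, but Kubernetes requires `data` entries to be base64-encoded, so any real client secret or cookie secret will be rejected by the API server as illegal base64, and a value that happens to be valid base64 would be silently decoded into something else. The smallest fix is to change `data:` to `stringData:`; the alternative is `client-id: {{ .Values.oidc.clientId | b64enc | quote }}` for each key. Since every default in values.yaml is `""`, a default install also produces an empty cookie secret, which oauth2-proxy will refuse; wrapping each value in `required "oidc.clientSecret must be set" .Values.oidc.clientSecret` turns that into a clear render-time error. Supporting an existing Secret name in values would additionally keep credentials out of values files committed to git.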
apiVersion: v1
kind: Service
metadata:
name: {{ include "oauth2-proxy-helm.fullname" . }}
labels:
{{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
{{- include "oauth2-proxy-helm.selectorLabels" . | nindent 4 }}
replicaCount: 1
image:
repository: quay.io/oauth2-proxy/oauth2-proxy
pullPolicy: IfNotPresent
tag: ""
imagePullSecrets: [ ]
nameOverride: ""
fullnameOverride: ""
oidc:
discoveryUrl: "https://example.com/auth/realms/master"
clientId: ""
clientSecret: ""
cookieSecret: ""
service:
type: ClusterIP
ingress:
host: "example.com"
path: "/"
annotations: {}
podAnnotations: { }
podSecurityContext:
fsGroup: 2000
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsUser: 1000
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 400m
memory: 512Mi
nodeSelector: { }
tolerations: [ ]
affinity: { }
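Review bot: `securityContext` already drops all capabilities and runs as non-root, but it omits `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, both of which oauth2-proxy tolerates and which are required by the restricted Pod Security Standard; adding them here hardens every install of the chart at no cost. The deployment template iterates `.Values.roles`, yet the key is not declared here, so `roles: []` with a short comment on its effect should be added for discoverability. The empty-collection literals are inconsistent (`annotations: {}` versus `podAnnotations: { }`, `imagePullSecrets: [ ]`); pick `{}`/`[]` throughout. The three secret defaults of `""` would be better replaced by comments stating they are required, since an empty cookie secret cannot start the proxy.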