diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b02b52964fe54dc9588da9453c2561ea5e302d9e..9d115484812f8abb40bdcdf3d7dfbfc3932c9c79 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,4 +9,5 @@ stages:
 include:
 - jellyfin/pipeline.yml
 - mailu/pipeline.yml
+- oauth2-proxy/pipeline.yml
 - quassel/pipeline.yml
diff --git a/oauth2-proxy/Chart.yaml b/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..79672c7774c4d4498e5d7a359b1dd3fdb103d5ee
--- /dev/null
+++ b/oauth2-proxy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: oauth2-proxy
+description: Helm Chart for oauth2-proxy
+type: application
+version: 1.0.0
+appVersion: "v7.2.1"
diff --git a/oauth2-proxy/pipeline.yml b/oauth2-proxy/pipeline.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d953e105bd95c18cca2d720de82885381933e886
--- /dev/null
+++ b/oauth2-proxy/pipeline.yml
@@ -0,0 +1,13 @@
+lint-oauth2-proxy:
+ stage: lint
+ script:
+ - helm lint oauth2-proxy
+
+release-oauth2-proxy:
+ stage: release
+ script:
+ - apk add --no-cache git
+ - helm plugin install https://github.com/chartmuseum/helm-push.git
+ - helm repo add --username gitlab-ci-token --password $CI_JOB_TOKEN repo ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
+ - helm cm-push oauth2-proxy repo
+
diff --git a/oauth2-proxy/templates/_helpers.tpl b/oauth2-proxy/templates/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..20e21b31d704c06e73dab3ba4a561023d2725276
--- /dev/null
+++ b/oauth2-proxy/templates/_helpers.tpl
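Review bot: The release job installs the helm-push plugin from the repository's default branch with nothing pinned (`helm plugin install https://github.com/chartmuseum/helm-push.git`), so every release run executes whatever that third-party repository currently serves, with `$CI_JOB_TOKEN` in scope. Pin it to a reviewed release, e.g. `helm plugin install https://github.com/chartmuseum/helm-push.git --version <PINNED_VERSION>`, so a change upstream cannot alter what runs in this job. The `--password $CI_JOB_TOKEN` argument is also visible in the job container's process list; if the Helm version in use supports `--password-stdin` on `helm repo add`, prefer feeding the token that way.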
@@ -0,0 +1,56 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oauth2-proxy-helm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oauth2-proxy-helm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oauth2-proxy-helm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "oauth2-proxy-helm.labels" -}}
+helm.sh/chart: {{ include "oauth2-proxy-helm.chart" . }}
+{{ include "oauth2-proxy-helm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "oauth2-proxy-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "oauth2-proxy-helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+{{- define "oauth2-proxy-helm.sslPath" -}}
+/certs
+{{- end }}
diff --git a/oauth2-proxy/templates/deployment.yaml b/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..45e90b65b19a87b0b4521945285a89508c3c8636
--- /dev/null
+++ b/oauth2-proxy/templates/deployment.yaml
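Review bot: The `oauth2-proxy-helm.sslPath` helper at the end of the hunk hard-codes `/certs`, but none of the templates added in this commit include it, and it is the only define without a descriptive comment block. Either remove it or document its intent above the define, e.g. `{{/* Mount path for TLS material; not referenced by any template yet */}}`, so the next reader does not hunt for a consumer. Separately, the helpers are namespaced `oauth2-proxy-helm.*` while Chart.yaml names the chart `oauth2-proxy`; using the chart name as the prefix would make the `include` lines consistent with the other charts in this repository, assuming they follow the usual `<chart>.<helper>` convention.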
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ labels:
+ {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "oauth2-proxy-helm.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "oauth2-proxy-helm.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: client-id
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: client-secret
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: cookie-secret
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ args:
+ {{ range .Values.roles }}
+ - "--allowed-role={{ . }}"
+ {{ end }}
+ - "--redirect-url=https://{{ .Values.ingress.host }}{{ .Values.ingress.path }}oauth2/callback"
+ - "--oidc-issuer-url={{ .Values.oidc.discoveryUrl }}"
+ - "--upstream=file:///dev/null"
+ - "--http-address=0.0.0.0:4180"
+ - "--provider=oidc"
+ - "--upstream-timeout=120s"
+ - "--upstream-response-header-timeout=120s"
+ - "--upstream-expect-continue-timeout=120s"
+ - "--server-read-timeout=120s"
+ - "--server-write-timeout=120s"
+ - "--server-idle-timeout=120s"
+ - "--enable-default-deny=false"
+ ports:
+ - name: http
+ containerPort: 4180
+ protocol: TCP
+ startupProbe:
+ httpGet:
+ path: /ping
+ port: http
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/oauth2-proxy/templates/ingress.yaml b/oauth2-proxy/templates/ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..dbad3e80ffe7c9eb87dd10d6141639d445ddd925
--- /dev/null
+++ b/oauth2-proxy/templates/ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ labels:
+ {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+ annotations:
+ {{- .Values.ingress.annotations | toYaml | nindent 4 }}
+spec:
+ rules:
+ - host: "{{ .Values.ingress.host }}"
+ http:
+ paths:
+ - path: "{{ .Values.ingress.path }}oauth2"
+ backend:
+ service:
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ port:
+ name: http
+ pathType: Prefix
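Review bot: The `--allowed-role={{ . }}` flags generated from `.Values.roles` are, as far as I recall from the oauth2-proxy documentation, only evaluated by the `keycloak-oidc` provider, so combined with `--provider=oidc` a few lines below the role restriction would not be enforced and any identity the issuer authenticates would be let through; please confirm against the v7.2.1 flag reference and, if that holds, either switch the provider or express the restriction with a flag the generic OIDC provider honours. `.Values.roles` is also not declared in values.yaml in this commit, so the `range` silently emits nothing; add `roles: []` there with a comment explaining what the entries mean. Finally, the `{{ range .Values.roles }}` and `{{ end }}` lines lack the `{{-` whitespace trimming used on every other action in this file and leave blank lines inside the `args` list; `{{- range .Values.roles }}` and `{{- end }}` keep the rendered manifest consistent.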
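Review bot: The redirect URL that deployment.yaml passes to the proxy is hard-coded to `https://`, yet this Ingress carries no `tls:` section, so certificate termination depends entirely on whatever the ingress controller does by default, and a host served over plain HTTP would break the login flow because oauth2-proxy marks its session cookie Secure by default. Consider an optional values-driven block under `spec:`, quoted here compressed onto three lines: `{{- with .Values.ingress.tls }}`, `tls: {{- toYaml . | nindent 4 }}`, `{{- end }}`, together with `tls: []` in values.yaml so the default render is unchanged.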
diff --git a/oauth2-proxy/templates/secret.yaml b/oauth2-proxy/templates/secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4f836d0f41fd36e9c9e3139eefa70261ae09ecd5
--- /dev/null
+++ b/oauth2-proxy/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ labels:
+ {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+data:
+ client-id: "{{ .Values.oidc.clientId }}"
+ client-secret: "{{ .Values.oidc.clientSecret }}"
+ cookie-secret: "{{ .Values.cookieSecret }}"
diff --git a/oauth2-proxy/templates/service.yaml b/oauth2-proxy/templates/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3c6056ac8107c6075cb41e4e7547316da1a0c2da
--- /dev/null
+++ b/oauth2-proxy/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "oauth2-proxy-helm.fullname" . }}
+ labels:
+ {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "oauth2-proxy-helm.selectorLabels" . | nindent 4 }}
diff --git a/oauth2-proxy/values.yaml b/oauth2-proxy/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..275d82c3a7b81593f8934cadd99c68ad819acdce
--- /dev/null
+++ b/oauth2-proxy/values.yaml
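Review bot: The `data:` block writes the raw values of `.Values.oidc.clientId`, `.Values.oidc.clientSecret` and `.Values.cookieSecret` into the Secret, but `data` entries must be base64-encoded: a plain value is rejected by the API server at apply time, and a value that happens to be valid base64 (an alphanumeric client id whose length is a multiple of four) is silently decoded into garbage before the proxy ever sees it, which `helm lint` in pipeline.yml will not catch. Use `stringData:` instead, e.g. `stringData:` followed by `client-id: {{ .Values.oidc.clientId | quote }}` and the same form for the other two keys, or keep `data:` and pipe each value through `b64enc`. Since all three default to empty strings in values.yaml, wrapping the secret and cookie-secret lookups in `required` would also turn a forgotten override into a clear template error instead of a proxy that fails at startup.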
@@ -0,0 +1,51 @@
+replicaCount: 1
+
+image:
+ repository: quay.io/oauth2-proxy/oauth2-proxy
+ pullPolicy: IfNotPresent
+ tag: ""
+
+imagePullSecrets: [ ]
+nameOverride: ""
+fullnameOverride: ""
+
+oidc:
+ discoveryUrl: "https://example.com/auth/realms/master"
+ clientId: ""
+ clientSecret: ""
+
+cookieSecret: ""
+
+service:
+ type: ClusterIP
+
+ingress:
+ host: "example.com"
+ path: "/"
+ annotations: {}
+
+podAnnotations: { }
+
+podSecurityContext:
+ fsGroup: 2000
+
+securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ runAsUser: 1000
+
+resources:
+ limits:
+ cpu: "2"
+ memory: 2Gi
+ requests:
+ cpu: 400m
+ memory: 512Mi
+
+nodeSelector: { }
+
+tolerations: [ ]
+
+affinity: { }
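Review bot: The container `securityContext` drops all capabilities and runs as non-root but omits `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`; with the args used in deployment.yaml the proxy should not need a writable root filesystem, so adding both lines under `securityContext:` costs nothing and brings the pod closer to the restricted Pod Security Standard (verify with a test deploy, since I cannot see the image's runtime behaviour here). Empty collections are spelled three ways in this file (`[ ]`, `{ }`, `{}`); settle on `[]` and `{}` throughout. `oidc.clientSecret` and `cookieSecret` are plain values consumed by secret.yaml, so a short comment such as `# supply via --set or an untracked values file; never commit real values` above them would make the intended handling explicit.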