From 4b568bacb24b49a368431058bb914078021eacc4 Mon Sep 17 00:00:00 2001
From: Janne Mareike Koschinski <janne@kuschku.de>
Date: Wed, 11 May 2022 17:11:31 +0200
Subject: [PATCH] feat: add oauth2-proxy chart

---
 .gitlab-ci.yml                         |  1 +
 oauth2-proxy/Chart.yaml                |  6 ++
 oauth2-proxy/pipeline.yml              | 13 ++++
 oauth2-proxy/templates/_helpers.tpl    | 56 +++++++++++++++
 oauth2-proxy/templates/deployment.yaml | 94 ++++++++++++++++++++++++++
 oauth2-proxy/templates/ingress.yaml    | 20 ++++++
 oauth2-proxy/templates/secret.yaml     | 10 +++
 oauth2-proxy/templates/service.yaml    | 15 ++++
 oauth2-proxy/values.yaml               | 51 ++++++++++++++
 9 files changed, 266 insertions(+)
 create mode 100644 oauth2-proxy/Chart.yaml
 create mode 100644 oauth2-proxy/pipeline.yml
 create mode 100644 oauth2-proxy/templates/_helpers.tpl
 create mode 100644 oauth2-proxy/templates/deployment.yaml
 create mode 100644 oauth2-proxy/templates/ingress.yaml
 create mode 100644 oauth2-proxy/templates/secret.yaml
 create mode 100644 oauth2-proxy/templates/service.yaml
 create mode 100644 oauth2-proxy/values.yaml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b02b529..9d11548 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,4 +9,5 @@ stages:
 include:
 - jellyfin/pipeline.yml
 - mailu/pipeline.yml
+- oauth2-proxy/pipeline.yml
 - quassel/pipeline.yml
diff --git a/oauth2-proxy/Chart.yaml b/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000..79672c7
--- /dev/null
+++ b/oauth2-proxy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: oauth2-proxy
+description: Helm Chart for oauth2-proxy
+type: application
+version: 1.0.0
+appVersion: "v7.2.1"
diff --git a/oauth2-proxy/pipeline.yml b/oauth2-proxy/pipeline.yml
new file mode 100644
index 0000000..d953e10
--- /dev/null
+++ b/oauth2-proxy/pipeline.yml
@@ -0,0 +1,13 @@
+lint-oauth2-proxy:
+  stage: lint
+  script:
+    - helm lint oauth2-proxy
+
+release-oauth2-proxy:
+  stage: release
+  script:
+    - apk add --no-cache git
+    - helm plugin install https://github.com/chartmuseum/helm-push.git
+    - helm repo add --username gitlab-ci-token --password $CI_JOB_TOKEN repo ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
+    - helm cm-push oauth2-proxy repo
+
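Review bot: `helm plugin install https://github.com/chartmuseum/helm-push.git` on the release job installs whatever the plugin repository's default branch holds at the moment the job runs, so the code that pushes this chart to the package registry is unpinned supply-chain input re-fetched on every release. Pin it, `helm plugin install https://github.com/chartmuseum/helm-push.git --version <pinned release>`, and bump it deliberately; a git tag is still mutable, so a checksum-verified tarball would be stricter if the pipeline ever needs it. The lint job above runs `helm lint` only; it will not catch the template problems a `helm template --set oidc.clientSecret=x` render would, so consider adding that render to the lint stage.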
diff --git a/oauth2-proxy/templates/_helpers.tpl b/oauth2-proxy/templates/_helpers.tpl
new file mode 100644
index 0000000..20e21b3
--- /dev/null
+++ b/oauth2-proxy/templates/_helpers.tpl
@@ -0,0 +1,56 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oauth2-proxy-helm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oauth2-proxy-helm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oauth2-proxy-helm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "oauth2-proxy-helm.labels" -}}
+helm.sh/chart: {{ include "oauth2-proxy-helm.chart" . }}
+{{ include "oauth2-proxy-helm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "oauth2-proxy-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "oauth2-proxy-helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+{{- define "oauth2-proxy-helm.sslPath" -}}
+/certs
+{{- end }}
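Review bot: `oauth2-proxy-helm.sslPath` at the bottom of the file is not referenced by any template in this commit (deployment, ingress, secret, service), and nothing mounts a volume at `/certs`, so it reads as a leftover from another chart; drop it, or add a comment stating what is meant to consume it. Also the helper namespace `oauth2-proxy-helm.` differs from the chart name `oauth2-proxy`; harmless, but a one-line note at the top of the file would show it is deliberate rather than a copy-paste remnant.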
diff --git a/oauth2-proxy/templates/deployment.yaml b/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000..45e90b6
--- /dev/null
+++ b/oauth2-proxy/templates/deployment.yaml
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "oauth2-proxy-helm.fullname" . }}
+  labels:
+    {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "oauth2-proxy-helm.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "oauth2-proxy-helm.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: client-id
+                  name: {{ include "oauth2-proxy-helm.fullname" . }}
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client-secret
+                  name: {{ include "oauth2-proxy-helm.fullname" . }}
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: cookie-secret
+                  name: {{ include "oauth2-proxy-helm.fullname" . }}
+          args:
+            {{ range .Values.roles }}
+            - "--allowed-role={{ . }}"
+            {{ end }}
+            - "--redirect-url=https://{{ .Values.ingress.host }}{{ .Values.ingress.path }}oauth2/callback"
+            - "--oidc-issuer-url={{ .Values.oidc.discoveryUrl }}"
+            - "--upstream=file:///dev/null"
+            - "--http-address=0.0.0.0:4180"
+            - "--provider=oidc"
+            - "--upstream-timeout=120s"
+            - "--upstream-response-header-timeout=120s"
+            - "--upstream-expect-continue-timeout=120s"
+            - "--server-read-timeout=120s"
+            - "--server-write-timeout=120s"
+            - "--server-idle-timeout=120s"
+            - "--enable-default-deny=false"
+          ports:
+            - name: http
+              containerPort: 4180
+              protocol: TCP
+          startupProbe:
+            httpGet:
+              path: /ping
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/oauth2-proxy/templates/ingress.yaml b/oauth2-proxy/templates/ingress.yaml
new file mode 100644
index 0000000..dbad3e8
--- /dev/null
+++ b/oauth2-proxy/templates/ingress.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "oauth2-proxy-helm.fullname" . }}
+  labels:
+    {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+  annotations:
+    {{- .Values.ingress.annotations | toYaml | nindent 4 }}
+spec:
+  rules:
+    - host: "{{ .Values.ingress.host }}"
+      http:
+        paths:
+          - path: "{{ .Values.ingress.path }}oauth2"
+            backend:
+              service:
+                name: {{ include "oauth2-proxy-helm.fullname" . }}
+                port:
+                  name: http
+            pathType: Prefix
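Review bot: The Ingress has no `tls:` stanza, while `--redirect-url` in the deployment is hard-coded to `https://` and oauth2-proxy's session cookie is, as far as I recall, marked `Secure` by default, so an install that does not add TLS through `ingress.annotations` ends with the browser never returning the cookie or the IdP rejecting the callback. Either document that the controller must terminate TLS for `ingress.host`, or expose it from values; with an `ingress.tls: []` default the stanza below renders nothing and the chart's behaviour is unchanged.
```yaml
spec:
  {{- with .Values.ingress.tls }}
  tls:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  rules:
  # … unchanged: host/path rule …
```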
diff --git a/oauth2-proxy/templates/secret.yaml b/oauth2-proxy/templates/secret.yaml
new file mode 100644
index 0000000..4f836d0
--- /dev/null
+++ b/oauth2-proxy/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "oauth2-proxy-helm.fullname" . }}
+  labels:
+    {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+data:
+  client-id: "{{ .Values.oidc.clientId }}"
+  client-secret: "{{ .Values.oidc.clientSecret }}"
+  cookie-secret: "{{ .Values.cookieSecret }}"
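Review bot: The three values are written under `data:`, which the API server requires to be base64-encoded, so any plaintext `oidc.clientSecret` or `cookieSecret` supplied via `--set` is rejected with an illegal-base64 error; only the empty defaults render (an empty string is valid base64), and nothing documents that values must be pre-encoded. Switch to `stringData:` or encode in the template, e.g. `client-id: {{ .Values.oidc.clientId | b64enc | quote }}`, `client-secret: {{ .Values.oidc.clientSecret | b64enc | quote }}`, `cookie-secret: {{ .Values.cookieSecret | b64enc | quote }}`, and add `type: Opaque` for clarity. Since this also stores the IdP client secret in the Helm release history, consider an `existingSecret` value that the deployment's `secretKeyRef` can point at instead of rendering the Secret from values.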
diff --git a/oauth2-proxy/templates/service.yaml b/oauth2-proxy/templates/service.yaml
new file mode 100644
index 0000000..3c6056a
--- /dev/null
+++ b/oauth2-proxy/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "oauth2-proxy-helm.fullname" . }}
+  labels:
+    {{- include "oauth2-proxy-helm.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "oauth2-proxy-helm.selectorLabels" . | nindent 4 }}
diff --git a/oauth2-proxy/values.yaml b/oauth2-proxy/values.yaml
new file mode 100644
index 0000000..275d82c
--- /dev/null
+++ b/oauth2-proxy/values.yaml
@@ -0,0 +1,51 @@
+replicaCount: 1
+
+image:
+  repository: quay.io/oauth2-proxy/oauth2-proxy
+  pullPolicy: IfNotPresent
+  tag: ""
+
+imagePullSecrets: [ ]
+nameOverride: ""
+fullnameOverride: ""
+
+oidc:
+  discoveryUrl: "https://example.com/auth/realms/master"
+  clientId: ""
+  clientSecret: ""
+
+cookieSecret: ""
+
+service:
+  type: ClusterIP
+
+ingress:
+  host: "example.com"
+  path: "/"
+  annotations: {}
+
+podAnnotations: { }
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  runAsNonRoot: true
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: "2"
+    memory: 2Gi
+  requests:
+    cpu: 400m
+    memory: 512Mi
+
+nodeSelector: { }
+
+tolerations: [ ]
+
+affinity: { }
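Review bot: The container `securityContext` drops all capabilities and runs as non-root but leaves out `allowPrivilegeEscalation: false` and a `seccompProfile`, both required by the restricted Pod Security Standard and free for a static Go binary; `readOnlyRootFilesystem: true` is also worth enabling, though I have not confirmed that oauth2-proxy v7.2.1 writes nothing to disk. The deployment template ranges over `.Values.roles`, which is not declared here, so it should be listed with a comment making clear the default grants no role restriction. A comment that `cookieSecret` must be a 16, 24 or 32-byte value (as I recall oauth2-proxy requires) would also save a failed first deploy.
```yaml
# Roles (rendered as --allowed-role) a user must hold; empty means no role restriction
roles: []

# … unchanged: service, ingress, podAnnotations, podSecurityContext …

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true  # verify oauth2-proxy needs no writable root
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1000
  seccompProfile:
    type: RuntimeDefault
```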
-- 
GitLab