diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index 8d4d0fe7..558a07ad 100644
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 10.3.0
+version: 10.4.0
 apiVersion: v2
 appVersion: 7.15.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -30,8 +30,23 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/changes: |
+ - kind: fixed
+ description: Restructured config.configFile generation to support alphaConfig without conflicts
+ links:
+ - name: GitHub Issue
+ url: https://github.com/oauth2-proxy/manifests/issues/226
+ - kind: added
+ description: Added structured configuration with config.emailDomains and config.upstreams for better flexibility
+ links:
+ - name: GitHub Issue
+ url: https://github.com/oauth2-proxy/manifests/issues/226
+ - kind: added
+ description: Added config.forceLegacyConfig flag for users with custom configFile when using alphaConfig
+ links:
+ - name: GitHub Issue
+ url: https://github.com/oauth2-proxy/manifests/issues/226
 - kind: added
- description: Add tpl support for config.cookieName, config.existingSecret, customLabels, image.registry, imagePullSecrets, and networkPolicy.ingress/egress
+ description: Added comprehensive alphaConfig examples with upstreamConfig configuration
 links:
- - name: GitHub PR
- url: https://github.com/oauth2-proxy/manifests/pull/398
+ - name: GitHub Issue
+ url: https://github.com/oauth2-proxy/manifests/issues/311
diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md
index ec875f9b..06238471 100644
--- a/helm/oauth2-proxy/README.md
+++ b/helm/oauth2-proxy/README.md
@@ -148,7 +148,7 @@ With above new chart version won't add extra `-ha` suffix to all redis resources
 The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
 | Parameter | Description | Default |
-|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|
+|-------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
 | `affinity` | node/pod affinities | None |
 | `alphaConfig.annotations` | Configmap annotations | `{}` |
 | `alphaConfig.configData` | Arbitrary configuration data to append | `{}` |
@@ -174,11 +174,14 @@ The following table lists the configurable parameters of the oauth2-proxy chart
 | `checkDeprecation` | Enable deprecation checks | `true` |
 | `config.clientID` | oauth client ID | `""` |
 | `config.clientSecret` | oauth client secret | `""` |
-| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` |
+| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line. Ignored when `alphaConfig.enabled=true` and `config.forceLegacyConfig=false` | `""` |
 | `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` |
 | `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` |
-| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` |
+| `config.upstreams` | Legacy upstreams used only when the chart generates `oauth2_proxy.cfg` and `alphaConfig` is disabled. Under `alphaConfig`, define upstreams in `alphaConfig.configData.upstreamConfig` | `['file:///dev/null']` |
+| `config.emailDomains` | Email domains used when the chart generates `oauth2_proxy.cfg`. This remains the only generated legacy setting when `alphaConfig.enabled=true` | `['*']` |
+| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. Ignored when `alphaConfig.enabled=true` and `config.forceLegacyConfig=false`. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` |
 | `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` |
+| `config.forceLegacyConfig` | When `alphaConfig.enabled=true`, keep using custom legacy `config.configFile` or `config.existingConfig` when `true`; when `false`, ignore both and generate only `email_domains` in `oauth2_proxy.cfg` | `true` |
 | `config.google.adminEmail` | user impersonated by the Google service account | `""` |
 | `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` |
 | `config.google.groups` | restrict logins to members of these Google groups | `[]` |
@@ -373,7 +376,7 @@ gatewayApi:
 example.com/annotation: "value"
 ```
-If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.
+If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service. If you don't specify a sectionName, the rules will be applied to all listeners of the referenced Gateway.
 ## TLS Configuration
@@ -462,7 +465,11 @@ extraObjects:
 ```
 ## Multi whitelist-domain configuration
-You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance.
+Use the structured `config.emailDomains` and `config.upstreams` values when they cover your case.
+
+Use `config.configFile` only when you need legacy `oauth2_proxy.cfg` settings that are not exposed as structured chart values, such as `whitelist_domains`.
+
+When `alphaConfig.enabled=true`, upstreams belong in `alphaConfig.configData.upstreamConfig`. If you also set `config.forceLegacyConfig=false`, the chart ignores both `config.configFile` and `config.existingConfig` and generates a minimal legacy config with only `email_domains`.
 It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/).
@@ -483,5 +490,22 @@ config:
 provider = "google"
 ```
+## Alpha config migration
+When moving to `alphaConfig`, keep one main config source in mind. The Alpha Config will take precedence and all options
+that are already supported by the Alpha Config will need to be removed from the legacy toml config. Have a look at the
+[Alpha Config documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config/).
+
+Keep the following in mind:
+
+- The chart always mounts `/etc/oauth2_proxy/oauth2_proxy.cfg`. (Legacy toml config)
+- Per default `config.forceLegacyConfig` is `true`
+
+The evaluation happens in the following order:
+
+1. If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config.
+2. If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is used as the mounted file.
+3. If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file.
+4. Reminder: Put your upstream definitions into `alphaConfig.configData.upstreamConfig`, not in the legacy `config.upstreams` or a legacy config file which will cause an error with the alpha config.
+
 ## Route requests to sidecar container
 You can route requests to a sidecar container first by setting the `service.targetPort` variable. The possible values for the targetPort field of a Kubernetes Service can be either a port number or the name of a port defined in the pod. By default, the service's `targetPort` value equals to `httpSchema`'s.
diff --git a/helm/oauth2-proxy/ci/alphaconfig-1-legacy-true-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-1-legacy-true-values.yaml
new file mode 100644
index 00000000..469f9a5b
--- /dev/null
+++ b/helm/oauth2-proxy/ci/alphaconfig-1-legacy-true-values.yaml
@@ -0,0 +1,20 @@
+# Test Case 1: alphaConfig enabled with no custom legacy config
+# Expected: Default behavior still generates the minimal legacy config with only email_domains.
+
+alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - id: google
+ provider: google
+ clientID: fake-client-id
+ clientSecret: fake-client-secret
+ upstreamConfig:
+ upstreams:
+ - id: alpha-service
+ path: /
+ uri: http://alpha-backend:8080
+
+# Implicit through default values, but explicitly set here for clarity in the test case
+config:
+ forceLegacyConfig: true
diff --git a/helm/oauth2-proxy/ci/alphaconfig-2-legacy-false-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-2-legacy-false-values.yaml
new file mode 100644
index 00000000..405a72c0
--- /dev/null
+++ b/helm/oauth2-proxy/ci/alphaconfig-2-legacy-false-values.yaml
@@ -0,0 +1,19 @@
+# Test Case 2: alphaConfig enabled with forceLegacyConfig=false and no custom legacy config
+# Expected: Chart generates the minimal legacy config with only email_domains.
+
+alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - id: google
+ provider: google
+ clientID: fake-client-id
+ clientSecret: fake-client-secret
+ upstreamConfig:
+ upstreams:
+ - id: alpha-service
+ path: /
+ uri: http://alpha-backend:8080
+
+config:
+ forceLegacyConfig: false
diff --git a/helm/oauth2-proxy/ci/alphaconfig-3-custom-configfile-legacy-true-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-3-custom-configfile-legacy-true-values.yaml
new file mode 100644
index 00000000..64dd5204
--- /dev/null
+++ b/helm/oauth2-proxy/ci/alphaconfig-3-custom-configfile-legacy-true-values.yaml
@@ -0,0 +1,22 @@
+# Test Case 3: alphaConfig enabled + custom configFile + forceLegacyConfig=true
+# Expected: Chart keeps the custom legacy config file content unchanged.
+
+alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - id: google
+ provider: google
+ clientID: fake-client-id
+ clientSecret: fake-client-secret
+ upstreamConfig:
+ upstreams:
+ - id: alpha-service
+ path: /
+ uri: http://alpha-backend:8080
+
+config:
+ configFile: |-
+ email_domains = [ "example.com" ]
+ encode_state = true
+ forceLegacyConfig: true
diff --git a/helm/oauth2-proxy/ci/alphaconfig-4-custom-configfile-legacy-false-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-4-custom-configfile-legacy-false-values.yaml
new file mode 100644
index 00000000..55475297
--- /dev/null
+++ b/helm/oauth2-proxy/ci/alphaconfig-4-custom-configfile-legacy-false-values.yaml
@@ -0,0 +1,22 @@
+# Test Case 4: alphaConfig enabled + custom configFile + forceLegacyConfig=false
+# Expected: Chart ignores the custom legacy config and generates only email_domains.
+
+alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - id: google
+ provider: google
+ clientID: fake-client-id
+ clientSecret: fake-client-secret
+ upstreamConfig:
+ upstreams:
+ - id: alpha-service
+ path: /
+ uri: http://alpha-backend:8080
+
+config:
+ configFile: |-
+ email_domains = [ "example.com" ]
+ upstreams = [ "http://ignored-backend:8080" ]
+ forceLegacyConfig: false
diff --git a/helm/oauth2-proxy/ci/alphaconfig-5-existing-configmap-legacy-false-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-5-existing-configmap-legacy-false-values.yaml
new file mode 100644
index 00000000..370eb62e
--- /dev/null
+++ b/helm/oauth2-proxy/ci/alphaconfig-5-existing-configmap-legacy-false-values.yaml
@@ -0,0 +1,30 @@
+# Test Case 5: alphaConfig enabled + existingConfig + forceLegacyConfig=false
+# Expected: Chart ignores the external legacy ConfigMap and generates only email_domains.
+
+alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - id: google
+ provider: google
+ clientID: fake-client-id
+ clientSecret: fake-client-secret
+ upstreamConfig:
+ upstreams:
+ - id: alpha-service
+ path: /
+ uri: http://alpha-backend:8080
+
+config:
+ existingConfig: my-external-configmap
+ forceLegacyConfig: false
+
+extraObjects:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: my-external-configmap
+ data:
+ oauth2_proxy.cfg: |
+ email_domains = [ "ignored.example.com" ]
+ upstreams = [ "http://ignored-backend:8080" ]
diff --git a/helm/oauth2-proxy/ci/alphaconfig-6-existing-configmap-legacy-true-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-6-existing-configmap-legacy-true-values.yaml
new file mode 100644
index 00000000..d56e2d85
--- /dev/null
+++ b/helm/oauth2-proxy/ci/alphaconfig-6-existing-configmap-legacy-true-values.yaml
@@ -0,0 +1,30 @@
+# Test Case 6: alphaConfig enabled + existingConfig + forceLegacyConfig=true
+# Expected: Chart mounts the external legacy ConfigMap as the main config.
+
+alphaConfig:
+ enabled: true
+ configData:
+ providers:
+ - id: google
+ provider: google
+ clientID: fake-client-id
+ clientSecret: fake-client-secret
+ upstreamConfig:
+ upstreams:
+ - id: alpha-service
+ path: /
+ uri: http://alpha-backend:8080
+
+config:
+ existingConfig: my-external-configmap
+ forceLegacyConfig: true
+
+extraObjects:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: my-external-configmap
+ data:
+ oauth2_proxy.cfg: |
+ email_domains = [ "legacy.example.com" ]
+ encode_state = true
diff --git a/helm/oauth2-proxy/ci/existing-configmap-values.yaml b/helm/oauth2-proxy/ci/existing-configmap-values.yaml
new file mode 100644
index 00000000..ba219a46
--- /dev/null
+++ b/helm/oauth2-proxy/ci/existing-configmap-values.yaml
@@ -0,0 +1,13 @@
+config:
+ existingConfig: "my-external-configmap"
+
+# Create the external ConfigMap that the chart expects
+extraObjects:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: my-external-configmap
+ data:
+ oauth2_proxy.cfg: |
+ email_domains = [ "*" ]
+ upstreams = [ "file:///dev/null" ]
diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl
index f0b5321e..dfe0ff27 100644
--- a/helm/oauth2-proxy/templates/_helpers.tpl
+++ b/helm/oauth2-proxy/templates/_helpers.tpl
@@ -163,6 +163,44 @@ metricsServer:
 {{- end }}
 {{- end -}}
+{{/*
+If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config.
+If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file.
+If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file.
+*/}}
+{{- define "oauth2-proxy.legacy-config.mode" -}}
+{{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}}
+generated-alpha-compatible
+{{- else if .Values.config.existingConfig -}}
+existing-configmap
+{{- else if .Values.config.configFile -}}
+inline-custom
+{{- else if .Values.alphaConfig.enabled -}}
+generated-alpha-compatible
+{{- else -}}
+generated-legacy
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.legacy-config.name" -}}
+{{- if eq (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" -}}
+{{- .Values.config.existingConfig -}}
+{{- else -}}
+{{- template "oauth2-proxy.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.legacy-config.content" -}}
+{{- if eq (include "oauth2-proxy.legacy-config.mode" .) "inline-custom" -}}
+{{- tpl .Values.config.configFile $ -}}
+{{- else if eq (include "oauth2-proxy.legacy-config.mode" .) "generated-alpha-compatible" -}}
+email_domains = {{ .Values.config.emailDomains | toJson }}
+{{- else -}}
+email_domains = {{ .Values.config.emailDomains | toJson }}
+upstreams = {{ .Values.config.upstreams | toJson }}
+{{- end -}}
+{{- end -}}
+
 {{- define "oauth2-proxy.secrets" -}}
 {{- if has "cookie-secret" .Values.config.requiredSecretKeys }}
 cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
diff --git a/helm/oauth2-proxy/templates/configmap.yaml b/helm/oauth2-proxy/templates/configmap.yaml
index 0f164d23..30e25c55 100644
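Review bot: `oauth2-proxy.legacy-config.content` pipes `.Values.config.emailDomains` and `.Values.config.upstreams` through `toJson` with no check that they are lists, so a scalar or null value (Helm's `--set config.emailDomains=example.com` yields a string) renders `email_domains = "example.com"` or `email_domains = null`, which is accepted at template time and only fails when oauth2-proxy parses the file at pod start. A render-time guard at the top of the define fails fast instead: `{{- if not (kindIs "slice" .Values.config.emailDomains) }}{{ fail "config.emailDomains must be a list" }}{{ end }}`, with the same line for `config.upstreams` in the `generated-legacy` branch. In the header comment, `the external ConfigMap is mounted into the mounted file` would read better as `the external ConfigMap is mounted as the config file`.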
--- a/helm/oauth2-proxy/templates/configmap.yaml
+++ b/helm/oauth2-proxy/templates/configmap.yaml
@@ -1,5 +1,4 @@
-{{- if not .Values.config.existingConfig }}
-{{- if .Values.config.configFile }}
+{{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -13,6 +12,6 @@ metadata:
 name: {{ template "oauth2-proxy.fullname" . }}
 namespace: {{ template "oauth2-proxy.namespace" $ }}
 data:
- oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }}
-{{- end }}
+ oauth2_proxy.cfg: |
+{{ include "oauth2-proxy.legacy-config.content" . | nindent 4 }}
 {{- end }}
diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml
index df638acc..4ce265cd 100644
--- a/helm/oauth2-proxy/templates/deployment.yaml
+++ b/helm/oauth2-proxy/templates/deployment.yaml
@@ -27,8 +27,8 @@ spec:
 template:
 metadata:
 annotations:
- {{- if .Values.config.configFile }}
- checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }}
+ {{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }}
+ checksum/config: {{ include "oauth2-proxy.legacy-config.content" . | sha256sum }}
 {{- end }}
 {{- if .Values.alphaConfig.enabled }}
 checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }}
@@ -145,9 +145,7 @@ spec:
 {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- end }}
- {{- if or .Values.config.existingConfig .Values.config.configFile }}
- - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
- {{- end }}
 {{- if .Values.authenticatedEmailsFile.enabled }}
 {{- if .Values.authenticatedEmailsFile.template }}
 - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
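Review bot: The ConfigMap is now rendered for every mode except `existing-configmap`, and with the `--config` guard removed in deployment.yaml the pod always reads `/etc/oauth2_proxy/oauth2_proxy.cfg`; installs that set `config.configFile: ""` under the previous chart to run without a legacy config file now get a generated one whose default content is `email_domains = ["*"]`. If oauth2-proxy gives command-line flags and `OAUTH2_PROXY_*` environment variables precedence over the file, which I have not verified here, this is a behaviour change rather than a policy change, but an operator who restricts domains only via `extraArgs` should check the rendered output after upgrading. The changelog files this under `kind: fixed`/`kind: added`; an explicit `kind: changed` entry stating that `oauth2_proxy.cfg` is now always generated and mounted would make the upgrade impact visible.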
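Review bot: `oauth2_proxy.cfg: |` followed by `{{ include ... | nindent 4 }}` on its own line emits a blank line between the block indicator and the first config line, so the mounted file starts with an empty line (harmless for TOML, but untidy in the rendered manifest and easy to misread as an empty value). Keeping the action on the key line avoids it: `oauth2_proxy.cfg: |{{ include "oauth2-proxy.legacy-config.content" . | nindent 4 }}`, or use `indent 4` if the action stays on the following line. The `checksum/config` annotation hashes the un-indented `include` output, so the checksum is unaffected either way.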
@@ -304,11 +302,9 @@ spec:
 readOnly: true
 {{- end }}
 {{- end }}
-{{- if or .Values.config.existingConfig .Values.config.configFile }}
 - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
 name: configmain
 subPath: oauth2_proxy.cfg
-{{- end }}
 {{- if .Values.alphaConfig.enabled }}
 - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
 name: configalpha
@@ -372,12 +368,10 @@ spec:
 name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
 defaultMode: 0775
 {{- end }}
-{{- if or .Values.config.existingConfig .Values.config.configFile }}
 - configMap:
 defaultMode: 420
- name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
+ name: {{ include "oauth2-proxy.legacy-config.name" . | trim }}
 name: configmain
-{{- end }}
 {{- if .Values.alphaConfig.enabled }}
 {{- if .Values.alphaConfig.existingConfig }}
 - configMap:
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index e2538b0e..dd2f6592 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -55,17 +55,75 @@ config:
 # Example:
 # - group1@example.com
 # - group2@example.com
- # Default configuration, to be overridden
- configFile: |-
- email_domains = [ "*" ]
- upstreams = [ "file:///dev/null" ]
- # Custom configuration file: oauth2_proxy.cfg
+ #
+ # Configuration file generation precedence
+ # 1. If configFile is set, it takes precedence over the structured
+ # config below.
+ # 2. When alphaConfig.enabled=true and forceLegacyConfig=false,
+ # both configFile and existingConfig are ignored and the chart
+ # generates a minimal legacy config from emailDomains only.
+ # 3. If configFile is empty/not set, the config is auto-generated
+ # from emailDomains and, when alphaConfig is disabled, upstreams.
+ configFile: ""
+ # Email domains allowed to authenticate when the chart generates
+ # the main oauth2_proxy.cfg.
+ # This is always included in generated config, including the
+ # minimal alphaConfig-compatible legacy config.
+ emailDomains: ["*"]
+ # Legacy upstream configuration used only when the chart generates
+ # oauth2_proxy.cfg and alphaConfig is disabled.
+ # When alphaConfig.enabled is true, define upstreams in
+ # alphaConfig.configData.upstreamConfig instead.
+ upstreams: ["file:///dev/null"]
+ # Behavior when using alphaConfig together with a custom config file
+ #
+ # This flag only has an effect when:
+ # - alphaConfig.enabled is true, AND
+ # - you provide a custom config.configFile or config.existingConfig.
+ #
+ # Auto-generated config when alphaConfig.enabled=true is always a
+ # minimal legacy config (no upstreams), regardless of this flag.
+ #
+ # When true (default): Honor a custom configFile/existingConfig
+ # even when alphaConfig.enabled=true. If your custom config still
+ # contains deprecated options (for example 'upstreams'),
+ # oauth2-proxy may fail with:
+ # "failed to load core options: '' has invalid keys: upstreams"
+ #
+ # When false: Ignore any custom configFile/existingConfig when
+ # alphaConfig.enabled=true and instead generate the minimal
+ # legacy config. This preserves compatibility and avoids
+ # invalid legacy options such as 'upstreams'.
+ #
+ # If you are using alphaConfig and see the error:
+ # "failed to load core options: '' has invalid keys: upstreams"
+ # you have two options:
+ # 1) Keep forceLegacyConfig: true (default):
+ # - Continue using your custom legacy config, but ensure it
+ # is alpha-compatible (remove 'upstreams' and any other
+ # keys no longer supported).
+ # 2) Set forceLegacyConfig: false:
+ # - The chart will ignore config.configFile and
+ # config.existingConfig for alphaConfig.
+ # - Define upstreams in alphaConfig.configData.upstreamConfig
+ # instead (see examples below).
+ # - Move any other relevant settings into alphaConfig and/or
+ # flags rather than relying on a custom legacy configFile.
+ forceLegacyConfig: true
+ #
+ # Custom configuration file: oauth2_proxy.cfg (overrides
+ # emailDomains and upstreams when it is honored)
+ # Example:
 # configFile: |-
+ # email_domains = [ "*" ]
 # pass_basic_auth = false
 # pass_access_token = true
 # Use an existing config map (see configmap.yaml for required fields)
+ # This is ignored when alphaConfig.enabled=true and
+ # forceLegacyConfig=false.
 # Example:
 # existingConfig: config
+ existingConfig: ~
 alphaConfig:
 enabled: false
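Review bot: Item 1 of the precedence comment says `configFile` takes precedence over the structured config but does not mention `existingConfig`, which the `oauth2-proxy.legacy-config.mode` helper checks before `configFile`, so an existing ConfigMap silently wins when both are set; I would reword it to `# 1. If existingConfig is set, that ConfigMap is mounted unchanged; otherwise, if configFile is set, it takes precedence over the structured config below.` `emailDomains` is now a first-class value whose default `["*"]` admits any authenticated e-mail address, so a line above it such as `# "*" allows every domain; restrict this to your own domains in production.` would help operators who never saw that default inside the old `configFile` block. The error text `failed to load core options: '' has invalid keys: upstreams` and the two-option guidance appear twice in the `forceLegacyConfig` comment; stating them once keeps the block readable.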
@@ -77,6 +135,33 @@ alphaConfig:
 metricsConfigData: {}
 # Arbitrary configuration data to append
 configData: {}
+ #
+ # Example: Multiple upstreams with path-based routing
+ # configData:
+ # upstreamConfig:
+ # upstreams:
+ # - id: service1
+ # path: /
+ # uri: http://service1:8080
+ # flushInterval: 1s
+ # passHostHeader: true
+ # proxyWebSockets: true
+ # - id: service2
+ # path: /api/
+ # uri: http://service2:8081
+ # rewriteTarget: /v1/
+ # injectResponseHeaders:
+ # - name: X-Custom-Header
+ # values:
+ # - value: custom-value
+ # injectResponseHeaders:
+ # - name: X-Auth-Request-Email
+ # values:
+ # - claim: email
+ #
+ # For more information on alpha config options, see:
+ # https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config
+ #
 # Arbitrary configuration to append
 # This is treated as a Go template and rendered with the root context
 configFile: ""
@@ -84,6 +169,23 @@ alphaConfig:
 existingConfig: ~
 # Use an existing secret
 existingSecret: ~
+ #
+ # NOTE: When using alphaConfig with external secrets (e.g., Azure
+ # Key Vault CSI Driver), you can inject secrets via the top-level
+ # extraEnv (see the extraEnv section below) instead of embedding
+ # them in the config:
+ #
+ # extraEnv:
+ # - name: OAUTH2_PROXY_CLIENT_ID
+ # valueFrom:
+ # secretKeyRef:
+ # name: external-secret
+ # key: client-id
+ # - name: OAUTH2_PROXY_CLIENT_SECRET
+ # valueFrom:
+ # secretKeyRef:
+ # name: external-secret
+ # key: client-secret
 image:
 registry: ""
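Review bot: The `configData` example lists `injectResponseHeaders` twice, and the indentation is not recoverable from this view: if the first one sits under the `service2` upstream entry it is not a field of an alpha-config upstream (response-header injection is configured at the top level of the alpha config, next to `upstreamConfig`), and if both sit at the same level they are duplicate keys, of which most YAML parsers keep only the last. Either way a copy-pasted example misleads; keep a single top-level `injectResponseHeaders` holding both the `X-Custom-Header` and `X-Auth-Request-Email` entries.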
@@ -106,6 +208,24 @@ imagePullSecrets: []
 extraArgs: {}
 extraEnv: []
+# Example: Load secrets from an external secret (e.g., Azure Key
+# Vault via CSI Driver)
+# extraEnv:
+# - name: OAUTH2_PROXY_CLIENT_ID
+# valueFrom:
+# secretKeyRef:
+# name: azure-keyvault-secret
+# key: client-id
+# - name: OAUTH2_PROXY_CLIENT_SECRET
+# valueFrom:
+# secretKeyRef:
+# name: azure-keyvault-secret
+# key: client-secret
+# - name: OAUTH2_PROXY_COOKIE_SECRET
+# valueFrom:
+# secretKeyRef:
+# name: azure-keyvault-secret
+# key: cookie-secret
 envFrom: []
 # Load environment variables from a ConfigMap(s) and/or Secret(s)