Merged
23 changes: 19 additions & 4 deletions helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
name: oauth2-proxy
version: 10.3.0
version: 10.4.0
apiVersion: v2
appVersion: 7.15.0
home: https://oauth2-proxy.github.io/oauth2-proxy/
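Review bot: the bump from 10.3.0 to 10.4.0 is a minor increment for a change that restructures how `oauth2_proxy.cfg` is generated; it is defensible only because `config.forceLegacyConfig` defaults to `true`, so existing users with a custom `config.configFile` or `config.existingConfig` see no change, and that reasoning belongs in the PR description or changelog so the next maintainer does not treat the flag's default as free to flip. `appVersion` staying at 7.15.0 is correct since no image change is involved.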
@@ -30,8 +30,23 @@ maintainers:
kubeVersion: ">=1.16.0-0"
annotations:
artifacthub.io/changes: |
- kind: fixed
description: Restructured config.configFile generation to support alphaConfig without conflicts
links:
- name: GitHub Issue
url: https://github.com/oauth2-proxy/manifests/issues/226
- kind: added
description: Added structured configuration with config.emailDomains and config.upstreams for better flexibility
links:
- name: GitHub Issue
url: https://github.com/oauth2-proxy/manifests/issues/226
- kind: added
description: Added config.forceLegacyConfig flag for users with custom configFile when using alphaConfig
links:
- name: GitHub Issue
url: https://github.com/oauth2-proxy/manifests/issues/226
- kind: added
description: Add tpl support for config.cookieName, config.existingSecret, customLabels, image.registry, imagePullSecrets, and networkPolicy.ingress/egress
description: Added comprehensive alphaConfig examples with upstreamConfig configuration
links:
- name: GitHub PR
url: https://github.com/oauth2-proxy/manifests/pull/398
- name: GitHub Issue
url: https://github.com/oauth2-proxy/manifests/issues/311
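Review bot: the third entry's description (`Added config.forceLegacyConfig flag for users with custom configFile when using alphaConfig`) undersells the flag: the README rows added in this same PR say it also governs `config.existingConfig`, so it should read `... for users with a custom configFile or existingConfig ...`. Three separate entries that all link issue #226 could be collapsed into one entry listing the three points; and since the previous release's `Add tpl support ...` entry together with its PR #398 link is dropped here, confirm that is intended rather than an accidental deletion.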
34 changes: 29 additions & 5 deletions helm/oauth2-proxy/README.md
@@ -148,7 +148,7 @@ With above new chart version won't add extra `-ha` suffix to all redis resources
The following table lists the configurable parameters of the oauth2-proxy chart and their default values.

| Parameter | Description | Default |
|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|
|-------------------------------------------------------| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| `affinity` | node/pod affinities | None |
| `alphaConfig.annotations` | Configmap annotations | `{}` |
| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` |
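Review bot: the only change in this hunk is whitespace inside the markdown table separator row (the old row is replaced by one with spaces around the pipes); it renders identically and only inflates the diff, so either drop it or keep cosmetic changes in a separate commit.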
@@ -174,11 +174,14 @@ The following table lists the configurable parameters of the oauth2-proxy chart
| `checkDeprecation` | Enable deprecation checks | `true` |
| `config.clientID` | oauth client ID | `""` |
| `config.clientSecret` | oauth client secret | `""` |
| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` |
| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line. Ignored when `alphaConfig.enabled=true` and `config.forceLegacyConfig=false` | `""` |
| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` |
| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` |
| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` |
| `config.upstreams` | Legacy upstreams used only when the chart generates `oauth2_proxy.cfg` and `alphaConfig` is disabled. Under `alphaConfig`, define upstreams in `alphaConfig.configData.upstreamConfig` | `['file:///dev/null']` |
| `config.emailDomains` | Email domains used when the chart generates `oauth2_proxy.cfg`. This remains the only generated legacy setting when `alphaConfig.enabled=true` | `['*']` |
| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. Ignored when `alphaConfig.enabled=true` and `config.forceLegacyConfig=false`. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` |
| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` |
| `config.forceLegacyConfig` | When `alphaConfig.enabled=true`, keep using custom legacy `config.configFile` or `config.existingConfig` when `true`; when `false`, ignore both and generate only `email_domains` in `oauth2_proxy.cfg` | `true` |
| `config.google.adminEmail` | user impersonated by the Google service account | `""` |
| `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` |
| `config.google.groups` | restrict logins to members of these Google groups | `[]` |
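Review bot: the new `config.emailDomains` row says it "remains the only generated legacy setting when `alphaConfig.enabled=true`", but the `config.forceLegacyConfig` row two lines below says a custom `config.configFile` or `config.existingConfig` is still honoured when the flag is `true` (the default), so the emailDomains description is only accurate for `forceLegacyConfig=false`; qualify it. The table is alphabetical and `config.upstreams` is inserted between `config.cookieSecret` and `config.emailDomains`; move it after the `config.google.*` rows. Worth spelling out in the `forceLegacyConfig` row that with `false` the effective `email_domains` comes solely from `config.emailDomains`, whose default `['*']` admits every domain, so anyone relying on a restriction inside a custom legacy file must move it to `config.emailDomains` before flipping the flag.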
@@ -373,7 +376,7 @@ gatewayApi:
example.com/annotation: "value"
```

If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.
If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.
If you don't specify a sectionName, the rules will be applied to all listeners of the referenced Gateway.

## TLS Configuration
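Review bot: this hunk only strips trailing whitespace from the "If you don't specify custom rules" sentence; harmless, but cosmetic-only hunks are easier to review in a separate commit.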
@@ -462,7 +465,11 @@ extraObjects:
```

## Multi whitelist-domain configuration
You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance.
Use the structured `config.emailDomains` and `config.upstreams` values when they cover your case.

Use `config.configFile` only when you need legacy `oauth2_proxy.cfg` settings that are not exposed as structured chart values, such as `whitelist_domains`.

When `alphaConfig.enabled=true`, upstreams belong in `alphaConfig.configData.upstreamConfig`. If you also set `config.forceLegacyConfig=false`, the chart ignores both `config.configFile` and `config.existingConfig` and generates a minimal legacy config with only `email_domains`.

It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file).
In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/).
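Review bot: after the rewrite, the sentence "It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file" is separated from `config.configFile` by two new paragraphs, so "It" no longer has a clear referent; start that sentence with `config.configFile` and use "overwrites" rather than "will be overwriting". The new guidance also sits oddly under the heading `Multi whitelist-domain configuration`, which now opens with general advice about structured values; consider renaming the section to cover legacy `config.configFile` usage with whitelist domains as the example. The third new paragraph restates the `forceLegacyConfig=false` behaviour that the `Alpha config migration` section documents; link to it rather than duplicate, so the two descriptions cannot drift apart.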
@@ -483,5 +490,22 @@ config:
provider = "google"
```

## Alpha config migration
When moving to `alphaConfig`, keep one main config source in mind. The Alpha Config will take precedence and all options
that are already supported by the Alpha Config will need to be removed from the legacy toml config. Have a look at the
[Alpha Config documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config/).

Keep the following in mind:

- The chart always mounts `/etc/oauth2_proxy/oauth2_proxy.cfg`. (Legacy toml config)
- Per default `config.forceLegacyConfig` is `true`

The evaluation happens in the following order:

1. If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config.
2. If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is used as the mounted file.
3. If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file.
4. Reminder: Put your upstream definitions into `alphaConfig.configData.upstreamConfig`, not in the legacy `config.upstreams` or a legacy config file which will cause an error with the alpha config.

## Route requests to sidecar container
You can route requests to a sidecar container first by setting the `service.targetPort` variable. The possible values for the targetPort field of a Kubernetes Service can be either a port number or the name of a port defined in the pod. By default, the service's `targetPort` value equals to `httpSchema`'s.
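Review bot: item 4 of the numbered "evaluation order" list is a reminder, not an evaluation step, so it should move into the bullet list above it; while there, change "Per default" to "By default", move the "(Legacy toml config)" parenthetical before the full stop, and replace the vague "only generates a minimal necessary legacy config" in step 1 with the concrete "generates a file containing only `email_domains`". Steps 2 and 3 should state which source wins when both `config.existingConfig` and `config.configFile` are set with `forceLegacyConfig=true`; the ordering implies `existingConfig` takes precedence, but say so. The security-relevant omission: with `forceLegacyConfig=false` the generated `email_domains` comes from `config.emailDomains` (default `['*']`), so an `email_domains` restriction living in the discarded custom file is silently replaced by the permit-all default and settings such as `whitelist_domains` are dropped entirely; tell operators to set `config.emailDomains` explicitly and move other legacy settings before setting the flag to `false`.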
20 changes: 20 additions & 0 deletions helm/oauth2-proxy/ci/alphaconfig-1-legacy-true-values.yaml
@@ -0,0 +1,20 @@
# Test Case 1: alphaConfig enabled with no custom legacy config
# Expected: Default behavior still generates the minimal legacy config with only email_domains.

alphaConfig:
enabled: true
configData:
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
upstreamConfig:
upstreams:
- id: alpha-service
path: /
uri: http://alpha-backend:8080

# Implicit through default values, but explicitly set here for clarity in the test case
config:
forceLegacyConfig: true
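Review bot: the `# Expected:` comment here is not checked by anything in this file; a ci values file only proves the chart still renders and installs with these inputs. If the repository has a template-render check, add an assertion that the generated ConfigMap's `oauth2_proxy.cfg` contains an `email_domains` line and no `upstreams` line, otherwise the conflict this PR fixes (#226) can silently return. Note also that with `forceLegacyConfig: true` and no `configFile`/`existingConfig`, this case and test case 2 expect identical output.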
19 changes: 19 additions & 0 deletions helm/oauth2-proxy/ci/alphaconfig-2-legacy-false-values.yaml
@@ -0,0 +1,19 @@
# Test Case 2: alphaConfig enabled with forceLegacyConfig=false and no custom legacy config
# Expected: Chart generates the minimal legacy config with only email_domains.

alphaConfig:
enabled: true
configData:
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
upstreamConfig:
upstreams:
- id: alpha-service
path: /
uri: http://alpha-backend:8080

config:
forceLegacyConfig: false
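Review bot: this case differs from test case 1 only in `forceLegacyConfig: false`, and its expected-output comment is word for word the same, so it exercises the branch but cannot distinguish the two. Set `config.emailDomains` to a non-default value here (for example `["example.com"]`, a constructed value) so the rendered `email_domains` line proves which value source was used.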
@@ -0,0 +1,22 @@
# Test Case 3: alphaConfig enabled + custom configFile + forceLegacyConfig=true
# Expected: Chart keeps the custom legacy config file content unchanged.

alphaConfig:
enabled: true
configData:
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
upstreamConfig:
upstreams:
- id: alpha-service
path: /
uri: http://alpha-backend:8080

config:
configFile: |-
email_domains = [ "example.com" ]
encode_state = true
forceLegacyConfig: true
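Review bot: good that the honoured custom file carries only `email_domains` and `encode_state` and no `upstreams` line, which per the README would conflict with `alphaConfig.configData.upstreamConfig`; a comment saying that omission is deliberate would stop someone "completing" the fixture later. The `# Expected: ... content unchanged` comment should also name the check that proves it (the mounted file equals the `configFile` block exactly), since a values file alone asserts nothing.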
@@ -0,0 +1,22 @@
# Test Case 4: alphaConfig enabled + custom configFile + forceLegacyConfig=false
# Expected: Chart ignores the custom legacy config and generates only email_domains.

alphaConfig:
enabled: true
configData:
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
upstreamConfig:
upstreams:
- id: alpha-service
path: /
uri: http://alpha-backend:8080

config:
configFile: |-
email_domains = [ "example.com" ]
upstreams = [ "http://ignored-backend:8080" ]
forceLegacyConfig: false
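Review bot: the comment "generates only email_domains" should say which value: the `email_domains = [ "example.com" ]` from the ignored `configFile` is replaced by `config.emailDomains`, whose default is `['*']`, so this fixture is the concrete example of a restriction being silently widened when the flag is flipped. Either add `emailDomains: ["example.com"]` under `config:` or state explicitly in the comment that the rendered result is `*`, so the expectation is unambiguous; keep the `upstreams = [ "http://ignored-backend:8080" ]` line, since it proves conflicting legacy upstreams are dropped rather than mounted.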
@@ -0,0 +1,30 @@
# Test Case 5: alphaConfig enabled + existingConfig + forceLegacyConfig=false
# Expected: Chart ignores the external legacy ConfigMap and generates only email_domains.

alphaConfig:
enabled: true
configData:
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
upstreamConfig:
upstreams:
- id: alpha-service
path: /
uri: http://alpha-backend:8080

config:
existingConfig: my-external-configmap
forceLegacyConfig: false

extraObjects:
- apiVersion: v1
kind: ConfigMap
metadata:
name: my-external-configmap
data:
oauth2_proxy.cfg: |
email_domains = [ "ignored.example.com" ]
upstreams = [ "http://ignored-backend:8080" ]
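Review bot: with `forceLegacyConfig: false` the `my-external-configmap` created under `extraObjects` is deployed but never mounted; the comment should say so, since an operator reading this fixture may otherwise assume an unmounted ConfigMap full of `ignored.example.com` settings is a bug. The same name `my-external-configmap` is reused by test case 6 and `existing-configmap-values.yaml`, which is fine only if each ci case is installed into its own release or namespace; that assumption is worth one line in the comment.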
@@ -0,0 +1,30 @@
# Test Case 6: alphaConfig enabled + existingConfig + forceLegacyConfig=true
# Expected: Chart mounts the external legacy ConfigMap as the main config.

alphaConfig:
enabled: true
configData:
providers:
- id: google
provider: google
clientID: fake-client-id
clientSecret: fake-client-secret
upstreamConfig:
upstreams:
- id: alpha-service
path: /
uri: http://alpha-backend:8080

config:
existingConfig: my-external-configmap
forceLegacyConfig: true

extraObjects:
- apiVersion: v1
kind: ConfigMap
metadata:
name: my-external-configmap
data:
oauth2_proxy.cfg: |
email_domains = [ "legacy.example.com" ]
encode_state = true
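Review bot: this is the positive path for `existingConfig` under `alphaConfig`, and it correctly keeps `upstreams` out of the external file. The data key `oauth2_proxy.cfg` is what the chart expects per the README's config template link; a comment pointing at that requirement would help, because a differently named key is not something `helm template` would flag.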
13 changes: 13 additions & 0 deletions helm/oauth2-proxy/ci/existing-configmap-values.yaml
@@ -0,0 +1,13 @@
config:
existingConfig: "my-external-configmap"

# Create the external ConfigMap that the chart expects
extraObjects:
- apiVersion: v1
kind: ConfigMap
metadata:
name: my-external-configmap
data:
oauth2_proxy.cfg: |
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
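Review bot: this fixture covers `config.existingConfig` without `alphaConfig`, which none of the other new cases do, so it closes a real gap. Its content duplicates the chart defaults (`email_domains = [ "*" ]`, `upstreams = [ "file:///dev/null" ]`), which means a bug that ignored `existingConfig` and fell back to the generated file would produce the same output; use a distinguishable value such as `email_domains = [ "external.example.com" ]` (a constructed value) so the external ConfigMap is provably the one mounted. Minor: `existingConfig` is quoted here and unquoted in the alphaConfig cases; pick one style.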