From 679ebea39a20515c7ef5bba3ceea337cfa3639ec Mon Sep 17 00:00:00 2001 From: Trey Dockendorf Date: Wed, 25 Mar 2026 10:19:44 -0400 Subject: [PATCH 1/6] Add tpl support for ingress.labels and ingress.extraPaths Signed-off-by: Trey Dockendorf --- helm/oauth2-proxy/Chart.yaml | 23 ++++------------------- helm/oauth2-proxy/ci/tpl-values.yaml | 10 ++++++++++ helm/oauth2-proxy/templates/ingress.yaml | 4 ++-- 3 files changed, 16 insertions(+), 21 deletions(-) diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index 558a07ad..ffce8f6f 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 10.4.0 +version: 10.5.0 apiVersion: v2 appVersion: 7.15.0 home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -30,23 +30,8 @@ maintainers: kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: fixed - description: Restructured config.configFile generation to support alphaConfig without conflicts - links: - - name: GitHub Issue - url: https://github.com/oauth2-proxy/manifests/issues/226 - - kind: added - description: Added structured configuration with config.emailDomains and config.upstreams for better flexibility - links: - - name: GitHub Issue - url: https://github.com/oauth2-proxy/manifests/issues/226 - - kind: added - description: Added config.forceLegacyConfig flag for users with custom configFile when using alphaConfig - links: - - name: GitHub Issue - url: https://github.com/oauth2-proxy/manifests/issues/226 - kind: added - description: Added comprehensive alphaConfig examples with upstreamConfig configuration + description: Add tpl support for ingress.labels and ingress.extraPaths links: - - name: GitHub Issue - url: https://github.com/oauth2-proxy/manifests/issues/311 + - name: GitHub PR + url: https://github.com/oauth2-proxy/manifests/pull/400 diff --git a/helm/oauth2-proxy/ci/tpl-values.yaml b/helm/oauth2-proxy/ci/tpl-values.yaml index 0e98ad60..9d9abbd9 100644 --- a/helm/oauth2-proxy/ci/tpl-values.yaml +++ b/helm/oauth2-proxy/ci/tpl-values.yaml @@ -13,6 +13,16 @@ ingress: - "{{ $.Release.Name }}.local" annotations: test-annotations/test: "{{ $.Release.Name }}" + labels: + test-annotations/test: "{{ $.Release.Name }}" + extraPaths: + - path: /ping + pathType: Prefix + backend: + service: + name: '{{ include "oauth2-proxy.fullname" $ }}' + port: + name: '{{ $.Values.httpScheme }}' oauth2-proxy: checkDeprecation: false config: diff --git a/helm/oauth2-proxy/templates/ingress.yaml b/helm/oauth2-proxy/templates/ingress.yaml index 8cc7953e..560e75d3 100644 --- a/helm/oauth2-proxy/templates/ingress.yaml +++ b/helm/oauth2-proxy/templates/ingress.yaml @@ -11,7 +11,7 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} {{- if .Values.ingress.labels }} -{{ toYaml .Values.ingress.labels | indent 4 }} +{{ tpl (toYaml .Values.ingress.labels) $ | indent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} @@ -29,7 +29,7 @@ spec: http: paths: {{- if $extraPaths }} -{{ toYaml $extraPaths | indent 10 }} +{{ tpl (toYaml $extraPaths) $ | indent 10 }} {{- end }} - path: {{ $ingressPath }} {{- if eq "true" ( include "ingress.supportsPathType" $ ) }} From 959a98574b7926223a6e2578bca4e161a8b14c98 Mon Sep 17 00:00:00 2001 From: Trey Dockendorf Date: Wed, 25 Mar 2026 12:36:52 -0400 Subject: [PATCH 2/6] Edits based on copilot review Signed-off-by: Trey Dockendorf --- helm/oauth2-proxy/templates/ingress.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helm/oauth2-proxy/templates/ingress.yaml b/helm/oauth2-proxy/templates/ingress.yaml index 560e75d3..b31e1e78 100644 --- a/helm/oauth2-proxy/templates/ingress.yaml +++ b/helm/oauth2-proxy/templates/ingress.yaml @@ -11,7 +11,7 @@ metadata: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} {{- if .Values.ingress.labels }} -{{ tpl (toYaml .Values.ingress.labels) $ | indent 4 }} +{{- tpl (toYaml .Values.ingress.labels) $ | nindent 4 }} {{- end }} name: {{ template "oauth2-proxy.fullname" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} @@ -29,7 +29,7 @@ spec: http: paths: {{- if $extraPaths }} -{{ tpl (toYaml $extraPaths) $ | indent 10 }} +{{- tpl (toYaml $extraPaths) $ | nindent 10 }} {{- end }} - path: {{ $ingressPath }} {{- if eq "true" ( include "ingress.supportsPathType" $ ) }} From 04b31ec34cead8a9aa231359359aece08ac2442b Mon Sep 17 00:00:00 2001 From: Trey Dockendorf Date: Thu, 26 Mar 2026 09:26:01 -0400 Subject: [PATCH 3/6] Fix spacing Signed-off-by: Trey Dockendorf --- helm/oauth2-proxy/ci/tpl-values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/helm/oauth2-proxy/ci/tpl-values.yaml b/helm/oauth2-proxy/ci/tpl-values.yaml index 9d9abbd9..74f3627d 100644 --- a/helm/oauth2-proxy/ci/tpl-values.yaml +++ b/helm/oauth2-proxy/ci/tpl-values.yaml @@ -16,13 +16,13 @@ ingress: labels: test-annotations/test: "{{ $.Release.Name }}" extraPaths: - - path: /ping - pathType: Prefix - backend: - service: - name: '{{ include "oauth2-proxy.fullname" $ }}' - port: - name: '{{ $.Values.httpScheme }}' + - path: /ping + pathType: Prefix + backend: + service: + name: '{{ include "oauth2-proxy.fullname" $ }}' + port: + name: '{{ $.Values.httpScheme }}' oauth2-proxy: checkDeprecation: false config: From b2c8416c009e93df6659c883f6f54e9123b1bf0c Mon Sep 17 00:00:00 2001 From: Trey Dockendorf Date: Thu, 26 Mar 2026 14:18:07 -0400 Subject: [PATCH 4/6] Also allow nodeSelector tpl Signed-off-by: Trey Dockendorf --- helm/oauth2-proxy/Chart.yaml | 2 +- helm/oauth2-proxy/ci/tpl-values.yaml | 4 ++++ helm/oauth2-proxy/templates/deployment.yaml | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index ffce8f6f..379bb8bc 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -31,7 +31,7 @@ kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - kind: added - description: Add tpl support for ingress.labels and ingress.extraPaths + description: Add tpl support for ingress.labels, ingress.extraPaths and nodeSelector links: - name: GitHub PR url: https://github.com/oauth2-proxy/manifests/pull/400 diff --git a/helm/oauth2-proxy/ci/tpl-values.yaml b/helm/oauth2-proxy/ci/tpl-values.yaml index 74f3627d..a09ea175 100644 --- a/helm/oauth2-proxy/ci/tpl-values.yaml +++ b/helm/oauth2-proxy/ci/tpl-values.yaml @@ -82,3 +82,7 @@ serviceMonitor: customLabels: test-labels/test: "{{ $.Release.Name }}" + +nodeOS: linux +nodeSelector: + kubernetes.io/os: "{{ .Values.nodeOS }}" diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 4ce265cd..65bba91a 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -415,7 +415,7 @@ spec: {{- end }} {{- with .Values.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.tolerations }} tolerations: From dd11ffe7f769dd46f0f3ad6c78360f9b9a2ebffc Mon Sep 17 00:00:00 2001 From: treydock Date: Thu, 26 Mar 2026 18:22:25 -0400 Subject: [PATCH 5/6] Update helm/oauth2-proxy/Chart.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Trey Dockendorf --- helm/oauth2-proxy/Chart.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index 379bb8bc..be64c2ce 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -31,7 +31,10 @@ kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - kind: added - description: Add tpl support for ingress.labels, ingress.extraPaths and nodeSelector + description: > + Add tpl support for ingress.labels, ingress.extraPaths and nodeSelector. This is a + behavior change: any values containing `{{ ... }}` will now be evaluated as templates. + To keep literal `{{` sequences, escape them (for example, use `{{"{{"}}`). links: - name: GitHub PR url: https://github.com/oauth2-proxy/manifests/pull/400 From b52ac9edb6d0e9f0f32057c3852569e29e429d30 Mon Sep 17 00:00:00 2001 From: Trey Dockendorf Date: Mon, 6 Apr 2026 18:04:20 -0400 Subject: [PATCH 6/6] Support deploymentLabels Signed-off-by: Trey Dockendorf --- helm/oauth2-proxy/Chart.yaml | 1 + helm/oauth2-proxy/README.md | 1 + helm/oauth2-proxy/ci/tpl-values.yaml | 3 +++ helm/oauth2-proxy/templates/deployment.yaml | 3 +++ helm/oauth2-proxy/values.yaml | 1 + 5 files changed, 9 insertions(+) diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index 44ea41ae..6e4889f7 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -32,6 +32,7 @@ annotations: artifacthub.io/changes: | - kind: added description: > + Add deploymentLabels to allow setting deployment specific labels. Add tpl support for ingress.labels, ingress.extraPaths and nodeSelector. This is a behavior change: any values containing `{{ ... }}` will now be evaluated as templates. To keep literal `{{` sequences, escape them (for example, use `{{"{{"}}`). diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md index 06238471..d983f8ef 100644 --- a/helm/oauth2-proxy/README.md +++ b/helm/oauth2-proxy/README.md @@ -190,6 +190,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | | `containerPort` | used to customize port on the deployment | `""` | | `customLabels` | Custom labels to add into metadata | `{}` | +| `deploymentLabels` | labels to add to the deployment | `{}` | | `deploymentAnnotations` | annotations to add to the deployment | `{}` | | `enableServiceLinks` | configure deployment enableServiceLinks | `true` | | `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]` | diff --git a/helm/oauth2-proxy/ci/tpl-values.yaml b/helm/oauth2-proxy/ci/tpl-values.yaml index a09ea175..18e654a8 100644 --- a/helm/oauth2-proxy/ci/tpl-values.yaml +++ b/helm/oauth2-proxy/ci/tpl-values.yaml @@ -57,6 +57,9 @@ config: test-annotations/test: "{{ $.Release.Name }}" cookieName: '{{ $.Release.Name }}' +deploymentLabels: + test-deployment-label/test: "{{ $.Release.Name }}" + deploymentAnnotations: test-annotations/test: "{{ $.Release.Name }}" diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 65bba91a..6d12c5af 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -6,6 +6,9 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} + {{- with .Values.deploymentLabels }} +{{ tpl ( toYaml . ) $ | indent 4 }} + {{- end }} {{- with .Values.deploymentAnnotations }} annotations: {{ tpl ( toYaml . ) $ | indent 4 }} diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index dd2f6592..d6ac241c 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml @@ -475,6 +475,7 @@ securityContext: seccompProfile: type: RuntimeDefault +deploymentLabels: {} deploymentAnnotations: {} podAnnotations: {} podLabels: {}