From 37b40adf08f56a72fcb85f54d0aaa62159af5c0e Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 17:10:54 +0200
Subject: [PATCH 1/7] fix: add no-config legacy mode for external config management When alphaConfig.enabled=false and forceLegacyConfig=false, the chart now skips ConfigMap generation, volume mount, and --config flag entirely. This restores support for users managing oauth2-proxy configuration via external means (e.g., CSI SecretStore Driver) that was broken by #385. Closes #385 (discussion_r3001082837)
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/ci/no-config-values.yaml | 6 ++++++
 helm/oauth2-proxy/templates/_helpers.tpl | 2 ++
 helm/oauth2-proxy/templates/configmap.yaml | 2 +-
 helm/oauth2-proxy/templates/deployment.yaml | 9 ++++++++-
 helm/oauth2-proxy/values.yaml | 7 +++++++
 5 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 helm/oauth2-proxy/ci/no-config-values.yaml
diff --git a/helm/oauth2-proxy/ci/no-config-values.yaml b/helm/oauth2-proxy/ci/no-config-values.yaml
new file mode 100644
index 00000000..7aaa6b43
--- /dev/null
+++ b/helm/oauth2-proxy/ci/no-config-values.yaml
@@ -0,0 +1,6 @@
+# Test: no legacy config generation (external config management)
+# Expected: No ConfigMap generated, no --config flag, no config volume mount.
+# Use case: config managed externally via CSI SecretStore Driver or similar.
+
+config:
+ forceLegacyConfig: false
diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl
index dfe0ff27..c70f8658 100644
--- a/helm/oauth2-proxy/templates/_helpers.tpl
+++ b/helm/oauth2-proxy/templates/_helpers.tpl
@@ -177,6 +177,8 @@ existing-configmap
 inline-custom
 {{- else if .Values.alphaConfig.enabled -}}
 generated-alpha-compatible
+{{- else if not .Values.config.forceLegacyConfig -}}
+no-config
 {{- else -}}
 generated-legacy
 {{- end -}}
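Review bot: The new `no-config` branch in `oauth2-proxy.legacy-config.mode` changes what an already-installed release renders: with `alphaConfig.enabled=false`, no `configFile`/`existingConfig` and `forceLegacyConfig: false`, the old side of this hunk fell through to `generated-legacy`, while the new side yields no ConfigMap, no mount and no `--config`. Anyone who had set the flag to false while it had no effect in that combination loses the generated file on upgrade, including the `emailDomains` restriction it was built from, so the access policy then rests entirely on what is supplied externally. I would state this as an upgrade note in the changelog entry and next to the values.yaml description, e.g. `# NOTE: in no-config mode config.emailDomains and upstreams are not rendered; set them in the external config or via extraArgs.` The `define` block starts and ends outside this hunk, so the earlier branches are read from the context lines only.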
diff --git a/helm/oauth2-proxy/templates/configmap.yaml b/helm/oauth2-proxy/templates/configmap.yaml
index 30e25c55..6fe37e90 100644
--- a/helm/oauth2-proxy/templates/configmap.yaml
+++ b/helm/oauth2-proxy/templates/configmap.yaml
@@ -1,4 +1,4 @@
-{{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }}
+{{- if not (has (include "oauth2-proxy.legacy-config.mode" .) (list "existing-configmap" "no-config")) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml
index 4ce265cd..78d8d437 100644
--- a/helm/oauth2-proxy/templates/deployment.yaml
+++ b/helm/oauth2-proxy/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- $legacyConfigMode := include "oauth2-proxy.legacy-config.mode" . -}}
 {{- $redisEnabled := eq (include "oauth2-proxy.redis.enabled" .) "true" -}}
 {{- $redisValues := index .Values "redis-ha" | default dict -}}
 apiVersion: apps/v1
@@ -27,7 +28,7 @@ spec:
 template:
 metadata:
 annotations:
- {{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }}
+ {{- if not (has $legacyConfigMode (list "existing-configmap" "no-config")) }}
 checksum/config: {{ include "oauth2-proxy.legacy-config.content" . | sha256sum }}
 {{- end }}
 {{- if .Values.alphaConfig.enabled }}
@@ -145,7 +146,9 @@ spec:
 {{- toYaml . | nindent 10 }}
 {{- end }}
 {{- end }}
+ {{- if ne $legacyConfigMode "no-config" }}
 - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+ {{- end }}
 {{- if .Values.authenticatedEmailsFile.enabled }}
 {{- if .Values.authenticatedEmailsFile.template }}
 - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
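Review bot: In no-config mode the pod template in the `@@ -27,7 +28,7 @@` hunk no longer renders `checksum/config`, so a change to the externally managed configuration does not alter the pod spec and will not roll the Deployment. If oauth2-proxy reads that configuration only at start-up (worth confirming), a tightened allow-list or a rotated secret stays unapplied until the pods are restarted by some other means. A short template comment beside the condition would make this explicit, e.g. `{{- /* no-config: external config changes do not roll the pods; restart them out of band */ -}}`. The old condition shows the same gap already exists for `existing-configmap`; the Deployment template continues outside these hunks.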
@@ -302,9 +305,11 @@ spec:
 readOnly: true
 {{- end }}
 {{- end }}
+{{- if ne $legacyConfigMode "no-config" }}
 - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
 name: configmain
 subPath: oauth2_proxy.cfg
+{{- end }}
 {{- if .Values.alphaConfig.enabled }}
 - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
 name: configalpha
@@ -368,10 +373,12 @@ spec:
 name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
 defaultMode: 0775
 {{- end }}
+{{- if ne $legacyConfigMode "no-config" }}
 - configMap:
 defaultMode: 420
 name: {{ include "oauth2-proxy.legacy-config.name" . | trim }}
 name: configmain
+{{- end }}
 {{- if .Values.alphaConfig.enabled }}
 {{- if .Values.alphaConfig.existingConfig }}
 - configMap:
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index dd2f6592..e7a50bed 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -64,6 +64,10 @@ config:
 # generates a minimal legacy config from emailDomains only.
 # 3. If configFile is empty/not set, the config is auto-generated
 # from emailDomains and, when alphaConfig is disabled, upstreams.
+ # 4. When alphaConfig.enabled=false and forceLegacyConfig=false,
+ # no ConfigMap is generated or mounted. Use this when you manage
+ # oauth2-proxy configuration entirely via external means (e.g.,
+ # CSI SecretStore Driver, extraVolumes, etc.).
 configFile: ""
 # Email domains allowed to authenticate when the chart generates
 # the main oauth2_proxy.cfg.
@@ -109,6 +113,9 @@ config:
 # instead (see examples below).
 # - Move any other relevant settings into alphaConfig and/or
 # flags rather than relying on a custom legacy configFile.
+ # 3) If forceLegacyConfig and alphaConfig.enabled are both false,
+ # no ConfigMap is generated or mounted. This is useful when
+ # managing config externally (e.g., CSI SecretStore Driver).
 forceLegacyConfig: true
 #
 # Custom configuration file: oauth2_proxy.cfg (overrides
From 0b8ceb381e794d611bb790fd4b5fc2aa14f046e9 Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 17:23:20 +0200
Subject: [PATCH 2/7] fix: bump chart version and fix documentation per Copilot review - Bump chart version to 10.4.3 with changelog entry - Fix helper doc comment to accurately describe all legacy-config modes - Clarify that no-config mode only applies when neither configFile nor existingConfig are set (those always take precedence)
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/Chart.yaml | 8 ++++----
 helm/oauth2-proxy/templates/_helpers.tpl | 10 +++++++---
 helm/oauth2-proxy/values.yaml | 2 ++
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index efdda9e9..36252451 100644
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 10.4.2
+version: 10.4.3
 apiVersion: v2
 appVersion: 7.15.1
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -30,8 +30,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/changes: |
- - kind: changed
- description: Bump OAuth2 Proxy image to v7.15.1
+ - kind: fixed
+ description: Add no-config legacy mode for external config management
 links:
 - name: GitHub PR
- url: https://github.com/oauth2-proxy/manifests/pull/403
+ url: https://github.com/oauth2-proxy/manifests/pull/404
diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl
index c70f8658..9fcc9484 100644
--- a/helm/oauth2-proxy/templates/_helpers.tpl
+++ b/helm/oauth2-proxy/templates/_helpers.tpl
@@ -164,9 +164,13 @@ metricsServer:
 {{- end -}}
 {{/*
-If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config.
-If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file.
-If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file.
+Legacy config mode resolution:
+- alphaConfig.enabled=true + forceLegacyConfig=false → generated-alpha-compatible (minimal legacy config)
+- config.existingConfig is set → existing-configmap (external ConfigMap, regardless of forceLegacyConfig)
+- config.configFile is set → inline-custom (user-provided content, regardless of forceLegacyConfig)
+- alphaConfig.enabled=true (with forceLegacyConfig=true) → generated-alpha-compatible
+- alphaConfig.enabled=false + forceLegacyConfig=false + no configFile/existingConfig → no-config (nothing generated/mounted)
+- Default → generated-legacy (full legacy config with emailDomains + upstreams)
 */}}
 {{- define "oauth2-proxy.legacy-config.mode" -}}
 {{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}}
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index e7a50bed..c2409966 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -65,6 +65,7 @@ config:
 # 3. If configFile is empty/not set, the config is auto-generated
 # from emailDomains and, when alphaConfig is disabled, upstreams.
 # 4. When alphaConfig.enabled=false and forceLegacyConfig=false,
+ # and neither config.configFile nor config.existingConfig are set,
 # no ConfigMap is generated or mounted. Use this when you manage
 # oauth2-proxy configuration entirely via external means (e.g.,
 # CSI SecretStore Driver, extraVolumes, etc.).
@@ -114,6 +115,7 @@ config:
 # - Move any other relevant settings into alphaConfig and/or
 # flags rather than relying on a custom legacy configFile.
 # 3) If forceLegacyConfig and alphaConfig.enabled are both false,
+ # and no configFile or existingConfig is provided,
 # no ConfigMap is generated or mounted. This is useful when
 # managing config externally (e.g., CSI SecretStore Driver).
 forceLegacyConfig: true
From 77b50d6e929d170b3f493b898d0fb042a3368675 Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 17:55:02 +0200
Subject: [PATCH 3/7] docs: clarify legacy-config mode resolution for alphaConfig override The doc comment now accurately reflects that config.existingConfig and config.configFile are ignored when alphaConfig.enabled=true and forceLegacyConfig=false (first branch takes precedence).
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/templates/_helpers.tpl | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl
index 9fcc9484..1ac0d120 100644
--- a/helm/oauth2-proxy/templates/_helpers.tpl
+++ b/helm/oauth2-proxy/templates/_helpers.tpl
@@ -165,12 +165,18 @@ metricsServer:
 {{/*
 Legacy config mode resolution:
-- alphaConfig.enabled=true + forceLegacyConfig=false → generated-alpha-compatible (minimal legacy config)
-- config.existingConfig is set → existing-configmap (external ConfigMap, regardless of forceLegacyConfig)
-- config.configFile is set → inline-custom (user-provided content, regardless of forceLegacyConfig)
-- alphaConfig.enabled=true (with forceLegacyConfig=true) → generated-alpha-compatible
-- alphaConfig.enabled=false + forceLegacyConfig=false + no configFile/existingConfig → no-config (nothing generated/mounted)
-- Default → generated-legacy (full legacy config with emailDomains + upstreams)
+- alphaConfig.enabled=true + forceLegacyConfig=false
+ → generated-alpha-compatible (minimal legacy config; config.existingConfig and config.configFile are ignored)
+- config.existingConfig is set (only when NOT in alphaConfig.enabled + !forceLegacyConfig path)
+ → existing-configmap (external ConfigMap)
+- config.configFile is set (only when NOT in alphaConfig.enabled + !forceLegacyConfig path)
+ → inline-custom (user-provided content)
+- alphaConfig.enabled=true + forceLegacyConfig=true (no existingConfig/configFile)
+ → generated-alpha-compatible
+- alphaConfig.enabled=false + forceLegacyConfig=false + no configFile/existingConfig
+ → no-config (nothing generated/mounted)
+- Default
+ → generated-legacy (full legacy config with emailDomains + upstreams)
 */}}
 {{- define "oauth2-proxy.legacy-config.mode" -}}
 {{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}}
From 739cefd09d22890a2841d08f2f6d8a72f3541d09 Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 17:56:34 +0200
Subject: [PATCH 4/7] chore: bump chart version to 10.5.0 (minor, new feature) This is a new feature (no-config mode), not a bug fix, so it warrants a minor version bump per semver.
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index 36252451..0bbfafad 100644
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 10.4.3
+version: 10.5.0
 apiVersion: v2
 appVersion: 7.15.1
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -30,7 +30,7 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/changes: |
- - kind: fixed
+ - kind: added
 description: Add no-config legacy mode for external config management
 links:
 - name: GitHub PR
From b6017639c830a761e566ea3a0f978f605f2753dd Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 19:36:10 +0200
Subject: [PATCH 5/7] fix(ci): add minimum required args to no-config CI test Without a config file, oauth2-proxy needs email-domain and upstream passed via extraArgs to start successfully.
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/ci/no-config-values.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/helm/oauth2-proxy/ci/no-config-values.yaml b/helm/oauth2-proxy/ci/no-config-values.yaml
index 7aaa6b43..1cbe2202 100644
--- a/helm/oauth2-proxy/ci/no-config-values.yaml
+++ b/helm/oauth2-proxy/ci/no-config-values.yaml
@@ -1,6 +1,13 @@
 # Test: no legacy config generation (external config management)
 # Expected: No ConfigMap generated, no --config flag, no config volume mount.
 # Use case: config managed externally via CSI SecretStore Driver or similar.
+#
+# Since no config file is mounted, the minimum required settings
+# (email-domain, upstream) must be provided via extraArgs.
 config:
 forceLegacyConfig: false
+
+extraArgs:
+ email-domain: "*"
+ upstream: "file:///dev/null"
From ca0992a6232cff1b49f4b2d6a878fd5d9b303278 Mon Sep 17 00:00:00 2001
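Review bot: `email-domain: "*"` in the added `extraArgs` of ci/no-config-values.yaml accepts every address the identity provider authenticates, which is acceptable for the chart-testing install but is also the snippet a reader is most likely to copy when first trying no-config mode. I would mark it in the file itself, e.g. `# CI only: "*" allows any authenticated account; restrict to your own domain(s) outside tests.` This matters more in this mode than elsewhere because, with no ConfigMap rendered, these flags are the only place the chart supplies an access restriction.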
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 21:12:51 +0200
Subject: [PATCH 6/7] docs: update forceLegacyConfig description to cover no-config mode The flag now also has an effect when alphaConfig.enabled=false: setting forceLegacyConfig=false disables config generation entirely.
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/values.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index c2409966..147f8e08 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -82,9 +82,12 @@ config:
 upstreams: ["file:///dev/null"]
 # Behavior when using alphaConfig together with a custom config file
 #
- # This flag only has an effect when:
- # - alphaConfig.enabled is true, AND
- # - you provide a custom config.configFile or config.existingConfig.
+ # This flag has an effect when:
+ # - alphaConfig.enabled is true AND you provide a custom
+ # config.configFile or config.existingConfig, OR
+ # - alphaConfig.enabled is false AND no configFile/existingConfig
+ # is provided (setting forceLegacyConfig=false disables config
+ # generation entirely — see option 3 below).
 #
 # Auto-generated config when alphaConfig.enabled=true is always a
 # minimal legacy config (no upstreams), regardless of this flag.
From 4294558b4c2e7bd32ae96c21bdb95ff182cfbdd0 Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Sun, 29 Mar 2026 22:09:24 +0200
Subject: [PATCH 7/7] docs: replace ambiguous 'option 3' reference with 'no-config mode'
Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/values.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index 147f8e08..9847892a 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -87,7 +87,7 @@ config:
 # config.configFile or config.existingConfig, OR
 # - alphaConfig.enabled is false AND no configFile/existingConfig
 # is provided (setting forceLegacyConfig=false disables config
- # generation entirely — see option 3 below).
+ # generation entirely — see "no-config mode" below).
 #
 # Auto-generated config when alphaConfig.enabled=true is always a
 # minimal legacy config (no upstreams), regardless of this flag.
@@ -117,10 +117,12 @@ config:
 # instead (see examples below).
 # - Move any other relevant settings into alphaConfig and/or
 # flags rather than relying on a custom legacy configFile.
- # 3) If forceLegacyConfig and alphaConfig.enabled are both false,
- # and no configFile or existingConfig is provided,
- # no ConfigMap is generated or mounted. This is useful when
- # managing config externally (e.g., CSI SecretStore Driver).
+ #
+ # no-config mode:
+ # If forceLegacyConfig and alphaConfig.enabled are both false,
+ # and no configFile or existingConfig is provided, no ConfigMap
+ # is generated or mounted. This is useful when managing config
+ # externally (e.g., CSI SecretStore Driver).
 forceLegacyConfig: true
 #
 # Custom configuration file: oauth2_proxy.cfg (overrides