From 6bd6bd827846576234619bcc44856ad49f8044a6 Mon Sep 17 00:00:00 2001 From: Pierluigi Lenoci Date: Sun, 29 Mar 2026 18:08:20 +0200 Subject: [PATCH 1/3] feat: add alpha-config helpers and deprecation guards - Add alpha-config.source and alpha-config.name template helpers to centralize alpha config type detection and name resolution - Add deprecation guards: fail fast when existingConfig and existingSecret are both set, or when external sources are combined with generated alpha content - Simplify secret-alpha.yaml and deployment.yaml volume definitions using the new helpers - Only compute checksum/alpha-config for generated alpha configs - Document mutual exclusivity of existingConfig/existingSecret - Add CI test for alphaConfig.existingSecret scenario Signed-off-by: Pierluigi Lenoci --- helm/oauth2-proxy/Chart.yaml | 13 +++++--- .../alphaconfig-7-existing-secret-values.yaml | 23 ++++++++++++++ helm/oauth2-proxy/templates/_helpers.tpl | 30 +++++++++++++++++++ helm/oauth2-proxy/templates/deployment.yaml | 15 +++++----- helm/oauth2-proxy/templates/deprecation.yaml | 6 ++++ helm/oauth2-proxy/templates/secret-alpha.yaml | 9 ++---- helm/oauth2-proxy/values.yaml | 8 +++-- 7 files changed, 83 insertions(+), 21 deletions(-) create mode 100644 helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index efdda9e9..205bbf0a 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 10.4.2 +version: 10.5.0 apiVersion: v2 appVersion: 7.15.1 home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -30,8 +30,13 @@ maintainers: kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: changed - description: Bump OAuth2 Proxy image to v7.15.1 + - kind: added + description: Add alpha-config.source and alpha-config.name helpers for centralized alpha config resolution links: - name: GitHub PR - url: https://github.com/oauth2-proxy/manifests/pull/403 + url: https://github.com/oauth2-proxy/manifests/pull/405 + - kind: added + description: Add deprecation guards for invalid alphaConfig combinations + links: + - name: GitHub PR + url: https://github.com/oauth2-proxy/manifests/pull/405 diff --git a/helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml new file mode 100644 index 00000000..a6b7df10 --- /dev/null +++ b/helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml @@ -0,0 +1,23 @@ +# Test Case 7: alphaConfig enabled + existingSecret +# Expected: Chart mounts the external alpha Secret instead of generating one. + +alphaConfig: + enabled: true + existingSecret: my-external-alpha-secret + +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: my-external-alpha-secret + type: Opaque + stringData: + oauth2_proxy.yml: | + --- + server: + BindAddress: 0.0.0.0:4180 + providers: + - id: google + provider: google + clientID: fake-client-id + clientSecret: fake-client-secret diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl index dfe0ff27..f7a69fc1 100644 --- a/helm/oauth2-proxy/templates/_helpers.tpl +++ b/helm/oauth2-proxy/templates/_helpers.tpl @@ -163,6 +163,36 @@ metricsServer: {{- end }} {{- end -}} +{{/* +Alpha config source resolution: +- disabled: alphaConfig.enabled=false +- existing-configmap: alphaConfig.existingConfig is set +- existing-secret: alphaConfig.existingSecret is set +- generated: alphaConfig enabled with no external source +*/}} +{{- define "oauth2-proxy.alpha-config.source" -}} +{{- if not .Values.alphaConfig.enabled -}} +disabled +{{- else if .Values.alphaConfig.existingConfig -}} +existing-configmap +{{- else if .Values.alphaConfig.existingSecret -}} +existing-secret +{{- else -}} +generated +{{- end -}} +{{- end -}} + +{{- define "oauth2-proxy.alpha-config.name" -}} +{{- $source := include "oauth2-proxy.alpha-config.source" . -}} +{{- if eq $source "existing-configmap" -}} +{{- .Values.alphaConfig.existingConfig -}} +{{- else if eq $source "existing-secret" -}} +{{- .Values.alphaConfig.existingSecret -}} +{{- else if eq $source "generated" -}} +{{- printf "%s-alpha" (include "oauth2-proxy.fullname" .) -}} +{{- end -}} +{{- end -}} + {{/* If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config. If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file. diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 4ce265cd..c29f512a 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $alphaSource := include "oauth2-proxy.alpha-config.source" . -}} {{- $redisEnabled := eq (include "oauth2-proxy.redis.enabled" .) "true" -}} {{- $redisValues := index .Values "redis-ha" | default dict -}} apiVersion: apps/v1 @@ -30,7 +31,7 @@ spec: {{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }} checksum/config: {{ include "oauth2-proxy.legacy-config.content" . | sha256sum }} {{- end }} - {{- if .Values.alphaConfig.enabled }} + {{- if eq $alphaSource "generated" }} checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} @@ -305,7 +306,7 @@ spec: - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg name: configmain subPath: oauth2_proxy.cfg -{{- if .Values.alphaConfig.enabled }} +{{- if ne $alphaSource "disabled" }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml name: configalpha subPath: oauth2_proxy.yml @@ -372,19 +373,17 @@ spec: defaultMode: 420 name: {{ include "oauth2-proxy.legacy-config.name" . | trim }} name: configmain -{{- if .Values.alphaConfig.enabled }} -{{- if .Values.alphaConfig.existingConfig }} +{{- if eq $alphaSource "existing-configmap" }} - configMap: defaultMode: 420 - name: {{ .Values.alphaConfig.existingConfig }} + name: {{ include "oauth2-proxy.alpha-config.name" . }} name: configalpha -{{- else }} +{{- else if or (eq $alphaSource "existing-secret") (eq $alphaSource "generated") }} - secret: defaultMode: 420 - secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + secretName: {{ include "oauth2-proxy.alpha-config.name" . }} name: configalpha {{- end }} -{{- end }} {{- if ne (len .Values.extraVolumes) 0 }} {{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} {{- end }} diff --git a/helm/oauth2-proxy/templates/deprecation.yaml b/helm/oauth2-proxy/templates/deprecation.yaml index 126d3e7a..65f89f0d 100644 --- a/helm/oauth2-proxy/templates/deprecation.yaml +++ b/helm/oauth2-proxy/templates/deprecation.yaml @@ -2,6 +2,12 @@ {{- if .Values.service.port }} {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }} {{- end }} + {{- if and .Values.alphaConfig.enabled .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret }} + {{ fail "`alphaConfig.existingConfig` and `alphaConfig.existingSecret` are mutually exclusive. Configure exactly one external alpha config source." }} + {{- end }} + {{- if and .Values.alphaConfig.enabled (or .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret) (or .Values.alphaConfig.serverConfigData .Values.alphaConfig.metricsConfigData .Values.alphaConfig.configData .Values.alphaConfig.configFile) }} + {{ fail "External alpha config sources (`alphaConfig.existingConfig` or `alphaConfig.existingSecret`) cannot be combined with generated alpha config content (`serverConfigData`, `metricsConfigData`, `configData`, or `configFile`). Choose one alpha config source." }} + {{- end }} {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}} {{- range .Values.ingress.extraPaths }} {{- if or (.backend.serviceName) (.backend.servicePort) }} diff --git a/helm/oauth2-proxy/templates/secret-alpha.yaml b/helm/oauth2-proxy/templates/secret-alpha.yaml index ba2c02d5..6edfad12 100644 --- a/helm/oauth2-proxy/templates/secret-alpha.yaml +++ b/helm/oauth2-proxy/templates/secret-alpha.yaml @@ -1,9 +1,4 @@ -{{- - if and - .Values.alphaConfig.enabled - (not .Values.alphaConfig.existingConfig) - (not .Values.alphaConfig.existingSecret) -}} +{{- if eq (include "oauth2-proxy.alpha-config.source" .) "generated" }} apiVersion: v1 kind: Secret metadata: @@ -14,7 +9,7 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} - name: {{ template "oauth2-proxy.fullname" . }}-alpha + name: {{ include "oauth2-proxy.alpha-config.name" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} data: oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }} diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index dd2f6592..5c93507f 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml @@ -165,9 +165,13 @@ alphaConfig: # Arbitrary configuration to append # This is treated as a Go template and rendered with the root context configFile: "" - # Use an existing config map (see secret-alpha.yaml for required fields) + # Use an existing config map (see secret-alpha.yaml for required fields). + # Mutually exclusive with existingSecret and all generated alpha config + # content options (serverConfigData, metricsConfigData, configData, configFile). existingConfig: ~ - # Use an existing secret + # Use an existing secret. + # Mutually exclusive with existingConfig and all generated alpha config + # content options (serverConfigData, metricsConfigData, configData, configFile). existingSecret: ~ # # NOTE: When using alphaConfig with external secrets (e.g., Azure From 1ebc363b05e1508b502df7bbd99f3466c1af34a3 Mon Sep 17 00:00:00 2001 From: Pierluigi Lenoci Date: Sun, 29 Mar 2026 19:28:55 +0200 Subject: [PATCH 2/3] fix: prefix alphaConfig fields in deprecation error message Use fully qualified field names (alphaConfig.serverConfigData, etc.) in the error message for clarity. Signed-off-by: Pierluigi Lenoci --- helm/oauth2-proxy/templates/deprecation.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/oauth2-proxy/templates/deprecation.yaml b/helm/oauth2-proxy/templates/deprecation.yaml index 65f89f0d..c0643f1f 100644 --- a/helm/oauth2-proxy/templates/deprecation.yaml +++ b/helm/oauth2-proxy/templates/deprecation.yaml @@ -6,7 +6,7 @@ {{ fail "`alphaConfig.existingConfig` and `alphaConfig.existingSecret` are mutually exclusive. Configure exactly one external alpha config source." }} {{- end }} {{- if and .Values.alphaConfig.enabled (or .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret) (or .Values.alphaConfig.serverConfigData .Values.alphaConfig.metricsConfigData .Values.alphaConfig.configData .Values.alphaConfig.configFile) }} - {{ fail "External alpha config sources (`alphaConfig.existingConfig` or `alphaConfig.existingSecret`) cannot be combined with generated alpha config content (`serverConfigData`, `metricsConfigData`, `configData`, or `configFile`). Choose one alpha config source." }} + {{ fail "External alpha config sources (`alphaConfig.existingConfig` or `alphaConfig.existingSecret`) cannot be combined with generated alpha config content (`alphaConfig.serverConfigData`, `alphaConfig.metricsConfigData`, `alphaConfig.configData`, or `alphaConfig.configFile`). Choose one alpha config source." }} {{- end }} {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}} {{- range .Values.ingress.extraPaths }} From 09668b1d5366a2c00b0a829b7857d56a881b779c Mon Sep 17 00:00:00 2001 From: Pierluigi Lenoci Date: Sun, 29 Mar 2026 21:13:25 +0200 Subject: [PATCH 3/3] fix: truncate alpha-config.name to 63 chars for DNS compliance fullname is already 63 chars max; appending '-alpha' could exceed the Kubernetes name limit. Signed-off-by: Pierluigi Lenoci --- helm/oauth2-proxy/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl index f7a69fc1..9e8d3441 100644 --- a/helm/oauth2-proxy/templates/_helpers.tpl +++ b/helm/oauth2-proxy/templates/_helpers.tpl @@ -189,7 +189,7 @@ generated {{- else if eq $source "existing-secret" -}} {{- .Values.alphaConfig.existingSecret -}} {{- else if eq $source "generated" -}} -{{- printf "%s-alpha" (include "oauth2-proxy.fullname" .) -}} +{{- printf "%s-alpha" (include "oauth2-proxy.fullname" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} {{- end -}}