stable/oauth2-proxy/README.md
As of Nov 13, 2020, charts in this repo will no longer be updated. For more information, see the Helm Charts Deprecation and Archive Notice, and Update.
oauth2-proxy is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
This chart is deprecated and no longer supported.
$ helm install stable/oauth2-proxy
This chart bootstraps an oauth2-proxy deployment on a Kubernetes cluster using the Helm package manager.
To install the chart with the release name my-release:
$ helm install stable/oauth2-proxy --name my-release
The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
To uninstall/delete the my-release deployment:
$ helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions.
This version upgrade oauth2-proxy to v4.0.0. Please see the changelog in order to upgrade.
Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion apps/v1beta2. See the v1.16 API deprecations page for more information.
Due to this issue there may be errors performing a helm upgradeof this chart from versions earlier than 2.0.0.
Version 3.0.0 introduces support for EKS IAM roles for service accounts by adding a managed service account to the chart. This is a breaking change since the service account is enabled by default. To disable this behaviour set serviceAccount.enabled to false
The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
| Parameter | Description | Default |
|---|---|---|
affinity | node/pod affinities | None |
authenticatedEmailsFile.enabled | Enables authorize individual email addresses | false |
authenticatedEmailsFile.template | Name of the configmap that is handled outside of that chart | "" |
authenticatedEmailsFile.restricted_access | email addresses list config | "" |
config.clientID | oauth client ID | "" |
config.clientSecret | oauth client secret | "" |
config.cookieSecret | server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 |
config.existingSecret | existing Kubernetes secret to use for OAuth2 credentials. See secret template for the required values | nil |
config.configFile | custom oauth2_proxy.cfg contents for settings not overridable via environment nor command line | "" |
config.existingConfig | existing Kubernetes configmap to use for the configuration file. See config template for the required values | nil |
config.google.adminEmail | user impersonated by the google service account | "" |
config.google.serviceAccountJson | google service account json contents | "" |
config.google.existingConfig | existing Kubernetes configmap to use for the service account file. See google secret template for the required values | nil |
extraArgs | key:value list of extra arguments to give the binary | {} |
extraEnv | key:value list of extra environment variables to give the binary | [] |
extraVolumes | list of extra volumes | [] |
extraVolumeMounts | list of extra volumeMounts | [] |
htpasswdFile.enabled | enable htpasswd-file option | false |
htpasswdFile.entries | list of SHA encrypted user:passwords | {} |
htpasswdFile.existingSecret | existing Kubernetes secret to use for OAuth2 htpasswd file | "" |
httpScheme | http or https. name used for port on the deployment. httpGet port name and scheme used for liveness- and readinessProbes. name and targetPort used for the service. | http |
image.pullPolicy | Image pull policy | IfNotPresent |
image.repository | Image repository | quay.io/pusher/oauth2_proxy |
image.tag | Image tag | v5.1.0 |
imagePullSecrets | Specify image pull secrets | nil (does not add image pull secrets to deployed pods) |
ingress.enabled | Enable Ingress | false |
ingress.path | Ingress accepted path | / |
ingress.extraPaths | Ingress extra paths to prepend to every host configuration. Useful when configuring custom actions with AWS ALB Ingress Controller. | [] |
ingress.annotations | Ingress annotations | nil |
ingress.hosts | Ingress accepted hostnames | nil |
ingress.tls | Ingress TLS configuration | nil |
livenessProbe.enabled | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See Istio FAQ | true |
livenessProbe.initialDelaySeconds | number of seconds | 0 |
livenessProbe.timeoutSeconds | number of seconds | 1 |
nodeSelector | node labels for pod assignment | {} |
podAnnotations | annotations to add to each pod | {} |
podLabels | additional labesl to add to each pod | {} |
podDisruptionBudget.enabled | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true |
podDisruptionBudget.minAvailable | minAvailable parameter for PodDisruptionBudget | 1 |
podSecurityContext | Kubernetes security context to apply to pod | {} |
priorityClassName | priorityClassName | nil |
readinessProbe.enabled | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See Istio FAQ | true |
readinessProbe.initialDelaySeconds | number of seconds | 0 |
readinessProbe.timeoutSeconds | number of seconds | 1 |
readinessProbe.periodSeconds | number of seconds | 10 |
readinessProbe.successThreshold | number of successes | 1 |
replicaCount | desired number of pods | 1 |
resources | pod resource requests & limits | {} |
service.port | port for the service | 80 |
service.type | type of service | ClusterIP |
service.clusterIP | cluster ip address | nil |
service.loadBalancerIP | ip of load balancer | nil |
service.loadBalancerSourceRanges | allowed source ranges in load balancer | nil |
serviceAccount.enabled | create a service account | true |
serviceAccount.name | the service account name | `` |
serviceAccount.annotations | (optional) annotations for the service account | {} |
tolerations | list of node taints to tolerate | [] |
securityContext.enabled | enable Kubernetes security context on container | false |
securityContext.runAsNonRoot | make sure that the container runs as a non-root user | true |
proxyVarsAsSecrets | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | true |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm install stable/oauth2-proxy --name my-release \
--set=image.tag=v0.0.2,resources.limits.cpu=200m
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
$ helm install stable/oauth2-proxy --name my-release -f values.yaml
Tip: You can use the default values.yaml
See: SSL Configuration.
Use values.yaml like:
...
extraArgs:
tls-cert: /path/to/cert.pem
tls-key: /path/to/cert.key
extraVolumes:
- name: ssl-cert
secret:
secretName: my-ssl-secret
extraVolumeMounts:
- mountPath: /path/to/
name: ssl-cert
...
With a secret called my-ssl-secret:
...
data:
cert.pem: AB..==
cert.key: CD..==