From 2533a13ff49eed6718c7020cbce5d44981dbfec3 Mon Sep 17 00:00:00 2001 From: Matt Pryor Date: Wed, 7 Jun 2023 08:59:37 +0100 Subject: [PATCH 1/3] Use a secret for alpha config --- helm/oauth2-proxy/README.md | 3 ++- helm/oauth2-proxy/templates/deployment.yaml | 9 ++++++++- .../{configmap-alpha.yaml => secret-alpha.yaml} | 13 ++++++++----- helm/oauth2-proxy/values.yaml | 4 +++- 4 files changed, 21 insertions(+), 8 deletions(-) rename helm/oauth2-proxy/templates/{configmap-alpha.yaml => secret-alpha.yaml} (86%) diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md index ce07e0ec..91c288a3 100644 --- a/helm/oauth2-proxy/README.md +++ b/helm/oauth2-proxy/README.md @@ -108,7 +108,8 @@ Parameter | Description | Default `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` `alphaConfig.configData` | Arbitrary configuration data to append | `{}` `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` -`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil` +`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` +`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` `customLabels` | Custom labels to add into metadata | `{}` | `config.google.adminEmail` | user impersonated by the google service account | `""` `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false` diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 384adfa5..498202e7 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -300,10 +300,17 @@ spec: name: configmain {{- end }} {{- if .Values.alphaConfig.enabled }} +{{- if .Values.alphaConfig.existingConfig }} - configMap: defaultMode: 420 - name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: {{ .Values.alphaConfig.existingConfig }} name: configalpha +{{- else }} + - secret: + defaultMode: 420 + secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: configalpha +{{- end }} {{- end }} {{- if ne (len .Values.extraVolumes) 0 }} {{ toYaml .Values.extraVolumes | indent 6 }} diff --git a/helm/oauth2-proxy/templates/configmap-alpha.yaml b/helm/oauth2-proxy/templates/secret-alpha.yaml similarity index 86% rename from helm/oauth2-proxy/templates/configmap-alpha.yaml rename to helm/oauth2-proxy/templates/secret-alpha.yaml index 6a2cec26..4de5c800 100644 --- a/helm/oauth2-proxy/templates/configmap-alpha.yaml +++ b/helm/oauth2-proxy/templates/secret-alpha.yaml @@ -1,7 +1,11 @@ -{{- if .Values.alphaConfig.enabled }} -{{- if not .Values.alphaConfig.existingConfig }} +{{- + if and + .Values.alphaConfig.enabled + (not .Values.alphaConfig.existingConfig) + (not .Values.alphaConfig.existingSecret) +}} apiVersion: v1 -kind: ConfigMap +kind: Secret metadata: {{- if .Values.alphaConfig.annotations }} annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }} @@ -11,7 +15,7 @@ metadata: {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }}-alpha namespace: {{ template "oauth2-proxy.namespace" $ }} -data: +stringData: oauth2_proxy.yml: | --- server: @@ -33,4 +37,3 @@ data: {{- tpl .Values.alphaConfig.configFile $ | nindent 4 }} {{- end }} {{- end }} -{{- end }} diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index 2c9049a7..d2e5f8b4 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml @@ -61,8 +61,10 @@ alphaConfig: # Arbitrary configuration to append # This is treated as a Go template and rendered with the root context configFile: "" - # Use an existing config map (see configmap-alpha.yaml for required fields) + # Use an existing config map (see secret-alpha.yaml for required fields) existingConfig: ~ + # Use an existing secret + existingSecret: ~ image: repository: "quay.io/oauth2-proxy/oauth2-proxy" From 040029aeffd555b7da7b6519d38f46dde0ebdd8b Mon Sep 17 00:00:00 2001 From: Matt Pryor Date: Wed, 7 Jun 2023 12:31:26 +0100 Subject: [PATCH 2/3] Correct path in alpha-config annotation --- helm/oauth2-proxy/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 498202e7..46451f89 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -23,7 +23,7 @@ spec: annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{- if .Values.alphaConfig.enabled }} - checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }} + checksum/alpha-config: {{ include (print $.Template.BasePath "/secret-alpha.yaml") . | sha256sum }} {{- end }} checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} From 7810d4d116b2cd0160ee10c6c69a18538e935f05 Mon Sep 17 00:00:00 2001 From: Matt Pryor Date: Wed, 7 Jun 2023 17:10:59 +0100 Subject: [PATCH 3/3] Bump patch version of chart --- helm/oauth2-proxy/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index 9e7d7487..8112b577 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 6.13.1 +version: 6.13.2 apiVersion: v2 appVersion: 7.4.0 home: https://oauth2-proxy.github.io/oauth2-proxy/