-
-
Save randomk/9e8a1145820428f201ab277caf397790 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Oauth client configuration specifics | |
# XXX is your company dns or name | |
config: | |
# -- OAuth client ID | |
clientID: "14qahrp3eskkob6qu0n146m56p" | |
# -- OAuth client secret | |
clientSecret: "1if7352942oiv6k8rel5v8gkvva4rc4fbgngmda33obls6aakr03" | |
# -- server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64` | |
cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RY01WcHJWQ28=" | |
google: {} | |
# -- user impersonated by the google service account | |
# adminEmail: xxxx | |
# -- google service account json contents | |
# serviceAccountJson: xxxx | |
# -- Alternatively, use an existing secret (see google-secret.yaml for required fields) | |
# existingSecret: google-secret | |
# -- custom [oauth2_proxy.cfg](https://github.com/pusher/oauth2_proxy/blob/master/contrib/oauth2_proxy.cfg.example) contents for settings not overridable via environment nor command line | |
configFile: |- | |
email_domains = [ "*" ] | |
upstreams = [ "file:///dev/null" ] | |
# Custom configuration file: oauth2_proxy.cfg | |
# configFile: |- | |
# pass_basic_auth = false | |
# pass_access_token = true | |
# -- (string)existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values | |
existingConfig: | |
image: | |
# -- Image repository | |
repository: "quay.io/oauth2-proxy/oauth2-proxy" | |
# -- Image tag | |
tag: "v7.0.1" | |
# -- Image pull policy | |
pullPolicy: "IfNotPresent" | |
# -- (list) Optionally specify an array of imagePullSecrets. | |
# Secrets must be manually created in the namespace. | |
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod | |
imagePullSecrets: | |
# - name: myRegistryKeySecretName | |
# -- key:value list of extra arguments to give the binary | |
extraArgs: | |
provider: oidc | |
provider-display-name: "IUPP SSO" | |
oidc-jwks-url: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xxxx/.well-known/jwks.json | |
oidc-issuer-url: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xxxx | |
cookie-secure: false | |
whitelist-domain: .dev.iupp.io | |
cookie-name: "_oauth2_proxy" | |
cookie-domain: .dev.iupp.io | |
skip-provider-button: true | |
scope: openid | |
# -- key:value list of extra environment variables to give the binary | |
extraEnv: [] | |
# To authorize individual email addresses | |
# That is part of extraArgs but since this needs special treatment we need to do a separate section | |
authenticatedEmailsFile: | |
# -- Enables authorize individual email addresses | |
enabled: false | |
# -- Name of the configmap that is handled outside of that chart | |
# It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. | |
# Be aware the value name in the extern config map in data needs to be named to "restricted_user_access". | |
# One email per line | |
# example: | |
# restricted_access: |- | |
# name1@domain | |
# name2@domain | |
# If you override the config with restricted_access it will configure a user list within this chart what takes care of the | |
# config map resource. | |
template: "" | |
# -- [email addresses](https://github.com/pusher/oauth2_proxy#email-authentication) list config | |
restricted_access: "" | |
service: | |
# -- Kubernetes service type for the GUI | |
type: ClusterIP | |
# -- Kubernetes port where the GUI is exposed | |
port: 80 | |
# -- Service annotations for the GUI | |
annotations: {} | |
# -- (string) Loadbalance IP for the GUI | |
loadBalancerIP: | |
# -- (list) List of IP CIDRs allowed access to load balancer (if supported) | |
loadBalancerSourceRanges: | |
## Create or use ServiceAccount | |
serviceAccount: | |
## Specifies whether a ServiceAccount should be created | |
enabled: true | |
## The name of the ServiceAccount to use. | |
## If not set and create is true, a name is generated using the fullname template | |
name: | |
annotations: {} | |
ingress: | |
# -- Enable Ingress | |
enabled: true | |
# -- Ingress accepted path | |
path: / | |
# -- Ingress accepted hostnames | |
hosts: [ oauth2-proxy.dev.iupp.io ] | |
# -- Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | |
extraPaths: [] | |
# - path: /* | |
# backend: | |
# serviceName: ssl-redirect | |
# servicePort: use-annotation | |
# -- Ingress annotations | |
annotations: | |
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" | |
nginx.ingress.kubernetes.io/proxy-buffering: "on" | |
# kubernetes.io/ingress.class: nginx | |
# kubernetes.io/tls-acme: "true" | |
# -- (list) Ingress TLS configuration | |
tls: | |
# Secrets must be manually created in the namespace. | |
# - secretName: chart-example-tls | |
# hosts: | |
# - chart-example.local | |
# -- (string) Set ingressClassName | |
ingressClassName: nginx | |
resources: {} | |
# limits: | |
# cpu: 100m | |
# memory: 300Mi | |
# requests: | |
# cpu: 100m | |
# memory: 300Mi | |
# -- list of extra volumes | |
extraVolumes: [] | |
# - name: ca-bundle-cert | |
# secret: | |
# secretName: <secret-name> | |
# -- list of extra volumeMounts | |
extraVolumeMounts: [] | |
# - mountPath: /etc/ssl/certs/ | |
# name: ca-bundle-cert | |
priorityClassName: "" | |
# -- node/pod affinities | |
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | |
affinity: {} | |
# -- Tolerations for pod assignment | |
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | |
tolerations: [] | |
# -- Node labels for pod assignment | |
# Ref: https://kubernetes.io/docs/user-guide/node-selection/ | |
nodeSelector: {} | |
# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables | |
proxyVarsAsSecrets: true | |
# -- Configure Kubernetes liveness probes. | |
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | |
# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks | |
livenessProbe: | |
enabled: true | |
initialDelaySeconds: 0 | |
timeoutSeconds: 1 | |
# -- Configure Kubernetes readiness probes. | |
readinessProbe: | |
enabled: true | |
initialDelaySeconds: 0 | |
timeoutSeconds: 1 | |
periodSeconds: 10 | |
successThreshold: 1 | |
# -- Configure Kubernetes security context for container | |
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | |
securityContext: | |
enabled: false | |
runAsNonRoot: true | |
# -- annotations to add to each pod | |
podAnnotations: {} | |
# -- labels to add to each pod | |
podLabels: {} | |
replicaCount: 1 | |
# -- PodDisruptionBudget settings | |
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | |
podDisruptionBudget: | |
enabled: true | |
minAvailable: 1 | |
# Configure Kubernetes security context for pod | |
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | |
podSecurityContext: {} | |
# -- Configure init containers for pod | |
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | |
initContainers: [] | |
# -- `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | |
httpScheme: http | |
# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption. | |
# Alternatively supply an existing secret which contains the required information. | |
htpasswdFile: | |
# -- enable htpasswd-file option | |
enabled: false | |
# -- existing Kubernetes secret to use for OAuth2 htpasswd file | |
existingSecret: "" | |
# -- list of [SHA encrypted user:passwords](https://pusher.github.io/oauth2_proxy/configuration#command-line-options) | |
entries: {} | |
# One row for each user | |
# example: | |
# entries: | |
# - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv | |
# -- Configure Pod Topology Spread Constraints | |
# See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | |
# Requires Kubernetes >= v1.16 | |
topologySpreadConstraints: | |
enabled: false | |
maxSkew: 1 | |
# See https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/ | |
topologyKey: topology.kubernetes.io/zone | |
whenUnsatisfiable: DoNotSchedule |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment