randomk/values-oauth2-proxy.yaml Secret

## values-oauth2-proxy.yaml
# Oauth client configuration specifics
# XXX is your company dns or name
config:
  # -- OAuth client ID
  clientID: "14qahrp3eskkob6qu0n146m56p"
  # -- OAuth client secret
  clientSecret: "1if7352942oiv6k8rel5v8gkvva4rc4fbgngmda33obls6aakr03"
  # -- server specific cookie for the secret; create a new one with `openssl rand -base64 32 | head -c 32 | base64`
  cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RY01WcHJWQ28="
  google: {}
    # -- user impersonated by the google service account
    # adminEmail: xxxx

    # -- google service account json contents
    # serviceAccountJson: xxxx

    # -- Alternatively, use an existing secret (see google-secret.yaml for required fields)
    # existingSecret: google-secret

  # -- custom [oauth2_proxy.cfg](https://github.com/pusher/oauth2_proxy/blob/master/contrib/oauth2_proxy.cfg.example) contents for settings not overridable via environment nor command line
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
  # Custom configuration file: oauth2_proxy.cfg
  # configFile: |-
  #   pass_basic_auth = false
  #   pass_access_token = true

  # -- (string)existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values
  existingConfig:

image:
  # -- Image repository
  repository: "quay.io/oauth2-proxy/oauth2-proxy"
  # -- Image tag
  tag: "v7.0.1"
  # -- Image pull policy
  pullPolicy: "IfNotPresent"

# -- (list) Optionally specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
imagePullSecrets:
  # - name: myRegistryKeySecretName

# -- key:value list of extra arguments to give the binary
extraArgs:
  provider: oidc
  provider-display-name: "IUPP SSO"
  oidc-jwks-url: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xxxx/.well-known/jwks.json
  oidc-issuer-url: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xxxx
  cookie-secure: false
  whitelist-domain: .dev.iupp.io
  cookie-name: "_oauth2_proxy"
  cookie-domain: .dev.iupp.io
  skip-provider-button: true
  scope: openid
# -- key:value list of extra environment variables to give the binary
extraEnv: []

# To authorize individual email addresses
# That is part of extraArgs but since this needs special treatment we need to do a separate section
authenticatedEmailsFile:
  # -- Enables authorize individual email addresses
  enabled: false
  # -- Name of the configmap that is handled outside of that chart
  # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
  # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access".
  # One email per line
  # example:
  # restricted_access: |-
  #   name1@domain
  #   name2@domain
  # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
  # config map resource.
  template: ""

  # -- [email addresses](https://github.com/pusher/oauth2_proxy#email-authentication) list config
  restricted_access: ""

service:
  # -- Kubernetes service type for the GUI
  type: ClusterIP
  # -- Kubernetes port where the GUI is exposed
  port: 80
  # -- Service annotations for the GUI
  annotations: {}
  # -- (string) Loadbalance IP for the GUI
  loadBalancerIP:
  # -- (list) List of IP CIDRs allowed access to load balancer (if supported)
  loadBalancerSourceRanges:

## Create or use ServiceAccount
serviceAccount:
  ## Specifies whether a ServiceAccount should be created
  enabled: true
  ## The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the fullname template
  name:
  annotations: {}

ingress:
  # -- Enable Ingress
  enabled: true
  # -- Ingress accepted path
  path: /
  # -- Ingress accepted hostnames
  hosts: [ oauth2-proxy.dev.iupp.io ]
  # -- Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
  extraPaths: []
  # - path: /*
  #   backend:
  #     serviceName: ssl-redirect
  #     servicePort: use-annotation

  # -- Ingress annotations
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
  #   kubernetes.io/ingress.class: nginx
  #   kubernetes.io/tls-acme: "true"

  # -- (list) Ingress TLS configuration
  tls:
    # Secrets must be manually created in the namespace.
    # - secretName: chart-example-tls
    #   hosts:
    #     - chart-example.local

  # -- (string) Set ingressClassName
  ingressClassName: nginx

resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 300Mi
  # requests:
  #   cpu: 100m
  #   memory: 300Mi

# -- list of extra volumes
extraVolumes: []
  # - name: ca-bundle-cert
  #   secret:
  #     secretName: <secret-name>

# -- list of extra volumeMounts
extraVolumeMounts: []
  # - mountPath: /etc/ssl/certs/
  #   name: ca-bundle-cert

priorityClassName: ""

# -- node/pod affinities
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

# -- Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

# -- Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}

# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
proxyVarsAsSecrets: true

# -- Configure Kubernetes liveness probes.
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
livenessProbe:
  enabled: true
  initialDelaySeconds: 0
  timeoutSeconds: 1

# -- Configure Kubernetes readiness probes.
readinessProbe:
  enabled: true
  initialDelaySeconds: 0
  timeoutSeconds: 1
  periodSeconds: 10
  successThreshold: 1

# -- Configure Kubernetes security context for container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  enabled: false
  runAsNonRoot: true

# -- annotations to add to each pod
podAnnotations: {}
# -- labels to add to each pod
podLabels: {}
replicaCount: 1

# -- PodDisruptionBudget settings
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
  enabled: true
  minAvailable: 1

# Configure Kubernetes security context for pod
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}

# -- Configure init containers for pod
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []

# -- `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service.
httpScheme: http

# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
# Alternatively supply an existing secret which contains the required information.
htpasswdFile:
  # -- enable htpasswd-file option
  enabled: false
  # -- existing Kubernetes secret to use for OAuth2 htpasswd file
  existingSecret: ""
  # -- list of [SHA encrypted user:passwords](https://pusher.github.io/oauth2_proxy/configuration#command-line-options)
  entries: {}
  # One row for each user
  # example:
  # entries:
  #  - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv

# -- Configure Pod Topology Spread Constraints
# See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# Requires Kubernetes >= v1.16
topologySpreadConstraints:
  enabled: false
  maxSkew: 1
  # See https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: DoNotSchedule
	# Oauth client configuration specifics
	# XXX is your company dns or name
	config:
	# -- OAuth client ID
	clientID: "14qahrp3eskkob6qu0n146m56p"
	# -- OAuth client secret
	clientSecret: "1if7352942oiv6k8rel5v8gkvva4rc4fbgngmda33obls6aakr03"
	# -- server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64`
	cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RY01WcHJWQ28="
	google: {}
	# -- user impersonated by the google service account
	# adminEmail: xxxx

	# -- google service account json contents
	# serviceAccountJson: xxxx

	# -- Alternatively, use an existing secret (see google-secret.yaml for required fields)
	# existingSecret: google-secret

	# -- custom [oauth2_proxy.cfg](https://github.com/pusher/oauth2_proxy/blob/master/contrib/oauth2_proxy.cfg.example) contents for settings not overridable via environment nor command line
	configFile: \|-
	email_domains = [ "*" ]
	upstreams = [ "file:///dev/null" ]
	# Custom configuration file: oauth2_proxy.cfg
	# configFile: \|-
	# pass_basic_auth = false
	# pass_access_token = true

	# -- (string)existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/helm/charts/blob/master/stable/oauth2-proxy/templates/configmap.yaml) for the required values
	existingConfig:

	image:
	# -- Image repository
	repository: "quay.io/oauth2-proxy/oauth2-proxy"
	# -- Image tag
	tag: "v7.0.1"
	# -- Image pull policy
	pullPolicy: "IfNotPresent"

	# -- (list) Optionally specify an array of imagePullSecrets.
	# Secrets must be manually created in the namespace.
	# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
	imagePullSecrets:
	# - name: myRegistryKeySecretName

	# -- key:value list of extra arguments to give the binary
	extraArgs:
	provider: oidc
	provider-display-name: "IUPP SSO"
	oidc-jwks-url: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xxxx/.well-known/jwks.json
	oidc-issuer-url: https://cognito-idp.sa-east-1.amazonaws.com/sa-east-1_xxxx
	cookie-secure: false
	whitelist-domain: .dev.iupp.io
	cookie-name: "_oauth2_proxy"
	cookie-domain: .dev.iupp.io
	skip-provider-button: true
	scope: openid
	# -- key:value list of extra environment variables to give the binary
	extraEnv: []

	# To authorize individual email addresses
	# That is part of extraArgs but since this needs special treatment we need to do a separate section
	authenticatedEmailsFile:
	# -- Enables authorize individual email addresses
	enabled: false
	# -- Name of the configmap that is handled outside of that chart
	# It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
	# Be aware the value name in the extern config map in data needs to be named to "restricted_user_access".
	# One email per line
	# example:
	# restricted_access: \|-
	# name1@domain
	# name2@domain
	# If you override the config with restricted_access it will configure a user list within this chart what takes care of the
	# config map resource.
	template: ""

	# -- [email addresses](https://github.com/pusher/oauth2_proxy#email-authentication) list config
	restricted_access: ""

	service:
	# -- Kubernetes service type for the GUI
	type: ClusterIP
	# -- Kubernetes port where the GUI is exposed
	port: 80
	# -- Service annotations for the GUI
	annotations: {}
	# -- (string) Loadbalance IP for the GUI
	loadBalancerIP:
	# -- (list) List of IP CIDRs allowed access to load balancer (if supported)
	loadBalancerSourceRanges:

	## Create or use ServiceAccount
	serviceAccount:
	## Specifies whether a ServiceAccount should be created
	enabled: true
	## The name of the ServiceAccount to use.
	## If not set and create is true, a name is generated using the fullname template
	name:
	annotations: {}

	ingress:
	# -- Enable Ingress
	enabled: true
	# -- Ingress accepted path
	path: /
	# -- Ingress accepted hostnames
	hosts: [ oauth2-proxy.dev.iupp.io ]
	# -- Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
	extraPaths: []
	# - path: /*
	# backend:
	# serviceName: ssl-redirect
	# servicePort: use-annotation

	# -- Ingress annotations
	annotations:
	nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
	nginx.ingress.kubernetes.io/proxy-buffering: "on"
	# kubernetes.io/ingress.class: nginx
	# kubernetes.io/tls-acme: "true"

	# -- (list) Ingress TLS configuration
	tls:
	# Secrets must be manually created in the namespace.
	# - secretName: chart-example-tls
	# hosts:
	# - chart-example.local

	# -- (string) Set ingressClassName
	ingressClassName: nginx

	resources: {}
	# limits:
	# cpu: 100m
	# memory: 300Mi
	# requests:
	# cpu: 100m
	# memory: 300Mi

	# -- list of extra volumes
	extraVolumes: []
	# - name: ca-bundle-cert
	# secret:
	# secretName: <secret-name>

	# -- list of extra volumeMounts
	extraVolumeMounts: []
	# - mountPath: /etc/ssl/certs/
	# name: ca-bundle-cert

	priorityClassName: ""

	# -- node/pod affinities
	# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
	affinity: {}

	# -- Tolerations for pod assignment
	# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
	tolerations: []

	# -- Node labels for pod assignment
	# Ref: https://kubernetes.io/docs/user-guide/node-selection/
	nodeSelector: {}

	# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
	proxyVarsAsSecrets: true

	# -- Configure Kubernetes liveness probes.
	# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
	# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
	livenessProbe:
	enabled: true
	initialDelaySeconds: 0
	timeoutSeconds: 1

	# -- Configure Kubernetes readiness probes.
	readinessProbe:
	enabled: true
	initialDelaySeconds: 0
	timeoutSeconds: 1
	periodSeconds: 10
	successThreshold: 1

	# -- Configure Kubernetes security context for container
	# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
	securityContext:
	enabled: false
	runAsNonRoot: true

	# -- annotations to add to each pod
	podAnnotations: {}
	# -- labels to add to each pod
	podLabels: {}
	replicaCount: 1

	# -- PodDisruptionBudget settings
	# Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
	podDisruptionBudget:
	enabled: true
	minAvailable: 1

	# Configure Kubernetes security context for pod
	# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
	podSecurityContext: {}

	# -- Configure init containers for pod
	# Ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
	initContainers: []

	# -- `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service.
	httpScheme: http

	# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption.
	# Alternatively supply an existing secret which contains the required information.
	htpasswdFile:
	# -- enable htpasswd-file option
	enabled: false
	# -- existing Kubernetes secret to use for OAuth2 htpasswd file
	existingSecret: ""
	# -- list of [SHA encrypted user:passwords](https://pusher.github.io/oauth2_proxy/configuration#command-line-options)
	entries: {}
	# One row for each user
	# example:
	# entries:
	# - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv

	# -- Configure Pod Topology Spread Constraints
	# See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
	# Requires Kubernetes >= v1.16
	topologySpreadConstraints:
	enabled: false
	maxSkew: 1
	# See https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/
	topologyKey: topology.kubernetes.io/zone
	whenUnsatisfiable: DoNotSchedule