jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
8153a1984a
charts/oauth2-proxy/templates/deployment.yaml

368 lines
15 KiB
YAML
Raw Blame History

apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 4 }}
{{- if .Values.deploymentAnnotations }}
annotations:
{{ toYaml .Values.deploymentAnnotations | indent 8 }}
{{- end }}
name: {{ template "oauth2-proxy.fullname" . }}
namespace: {{ template "oauth2-proxy.namespace" $ }}
spec:
replicas: {{ .Values.replicaCount }}
{{- if .Values.revisionHistoryLimit }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
{{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if .Values.alphaConfig.enabled }}
checksum/alpha-config: {{ include (print $.Template.BasePath "/secret-alpha.yaml") . | sha256sum }}
{{- end }}
checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
{{- if .Values.htpasswdFile.enabled }}
checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "oauth2-proxy.name" . }}
{{- include "oauth2-proxy.labels" . | indent 8 }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- if .Values.hostAlias.enabled }}
hostAliases:
- ip: {{ .Values.hostAlias.ip }}
hostnames:
- {{ .Values.hostAlias.hostname }}
{{- end }}
{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
initContainers:
- name: wait-for-redis
image: "docker.io/bitnami/kubectl:{{ include "kubectl.version" . }}"
args:
- wait
- pod/{{ include "oauth2-proxy.redis.fullname" . }}-master-0
- --for=condition=ready
- --timeout={{ .Values.initContainers.waitForRedis.timeout }}s
{{- if .Values.initContainers.waitForRedis.securityContext.enabled }}
{{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }}
securityContext:
{{- toYaml $securityContext | nindent 10 }}
{{- end }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if .Values.alphaConfig.enabled }}
- --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml
{{- else }}
- --http-address=0.0.0.0:4180
- --https-address=0.0.0.0:4443
{{- if .Values.metrics.enabled }}
- --metrics-address=0.0.0.0:44180
{{- end }}
{{- end }}
{{- if .Values.config.cookieName }}
- --cookie-name={{ .Values.config.cookieName }}
{{- end }}
{{- if kindIs "map" .Values.extraArgs }}
{{- range $key, $value := .Values.extraArgs }}
{{- if not (kindIs "invalid" $value) }}
- --{{ $key }}={{ tpl ($value | toString) $ }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
{{- if kindIs "slice" .Values.extraArgs }}
{{- with .Values.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- --config=/etc/oauth2_proxy/oauth2_proxy.cfg
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
{{- if .Values.authenticatedEmailsFile.template }}
- --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
{{- else }}
- --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
{{- end }}
{{- end }}
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
- --google-admin-email={{ .adminEmail }}
{{- if .useApplicationDefaultCredentials }}
- --google-use-application-default-credentials=true
{{- else }}
- --google-service-account-json=/google/service-account.json
{{- end }}
{{- if .targetPrincipal }}
- --google-target-principal={{ .targetPrincipal }}
{{- end }}
{{- end }}
{{- if .groups }}
{{- range $group := .groups }}
- --google-group={{ $group }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
{{- end }}
env:
{{- if .Values.proxyVarsAsSecrets }}
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.secretName" . }}
key: client-id
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.secretName" . }}
key: client-secret
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.secretName" . }}
key: cookie-secret
{{- end }}
{{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
- name: OAUTH2_PROXY_SESSION_STORE_TYPE
value: "redis"
{{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}}
- name: OAUTH2_PROXY_REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.sessionStorage.redis.existingSecret }}
name: {{ .Values.sessionStorage.redis.existingSecret }}
{{- else if .Values.sessionStorage.redis.password }}
name: {{ template "oauth2-proxy.fullname" . }}-redis-access
{{- else }}
name: {{ include "oauth2-proxy.redis.fullname" . }}
{{- end }}
key: {{ .Values.sessionStorage.redis.passwordKey }}
{{- end }}
{{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
- name: OAUTH2_PROXY_REDIS_CONNECTION_URL
value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
{{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
- name: OAUTH2_PROXY_REDIS_USE_CLUSTER
value: "true"
- name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
{{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
- name: OAUTH2_PROXY_REDIS_USE_SENTINEL
value: "true"
- name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
- name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
{{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }}
- name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
{{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }}
name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }}
{{- else }}
name: {{ template "oauth2-proxy.fullname" . }}-redis-access
{{- end }}
key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraEnv }}
{{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
{{- end }}
ports:
{{- if .Values.containerPort }}
- containerPort: {{ .Values.containerPort }}
{{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }}
- containerPort: 4180
{{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }}
- containerPort: 4443
{{- else }}
{{- end}}
name: {{ .Values.httpScheme }}
protocol: TCP
{{- if .Values.metrics.enabled }}
- containerPort: 44180
protocol: TCP
name: metrics
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /ping
port: {{ .Values.httpScheme }}
scheme: {{ .Values.httpScheme | upper }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }}
port: {{ .Values.httpScheme }}
scheme: {{ .Values.httpScheme | upper }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- name: google-secret
mountPath: /google
readOnly: true
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
name: configmain
subPath: oauth2_proxy.cfg
{{- end }}
{{- if .Values.alphaConfig.enabled }}
- mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
name: configalpha
subPath: oauth2_proxy.yml
{{- end }}
{{- if .Values.authenticatedEmailsFile.enabled }}
- mountPath: /etc/oauth2-proxy
name: configaccesslist
readOnly: true
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- mountPath: /etc/oauth2_proxy/htpasswd
name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
readOnly: true
{{- end }}
{{- if ne (len .Values.extraVolumeMounts) 0 }}
{{ toYaml .Values.extraVolumeMounts | indent 8 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
{{- $securityContext := unset .Values.securityContext "enabled" }}
securityContext:
{{- toYaml $securityContext | nindent 10 }}
{{- end }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 6 }}
{{- end }}
volumes:
{{- with .Values.config.google }}
{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
- name: google-secret
secret:
secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }}
{{- end }}
{{- end }}
{{- if .Values.htpasswdFile.enabled }}
- name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
secret:
secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
{{- end }}
{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
- name: configaccesslist
secret:
items:
- key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
{{- if .Values.authenticatedEmailsFile.template }}
path: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
path: authenticated-emails-list
{{- end }}
{{- if .Values.authenticatedEmailsFile.template }}
secretName: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
{{- end }}
{{- end }}
{{- if or .Values.config.existingConfig .Values.config.configFile }}
- configMap:
defaultMode: 420
name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
name: configmain
{{- end }}
{{- if .Values.alphaConfig.enabled }}
{{- if .Values.alphaConfig.existingConfig }}
- configMap:
defaultMode: 420
name: {{ .Values.alphaConfig.existingConfig }}
name: configalpha
{{- else }}
- secret:
defaultMode: 420
secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
name: configalpha
{{- end }}
{{- end }}
{{- if ne (len .Values.extraVolumes) 0 }}
{{ toYaml .Values.extraVolumes | indent 6 }}
{{- end }}
{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
- configMap:
{{- if .Values.authenticatedEmailsFile.template }}
name: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
name: {{ template "oauth2-proxy.fullname" . }}-accesslist
{{- end }}
items:
- key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
{{- if .Values.authenticatedEmailsFile.template }}
path: {{ .Values.authenticatedEmailsFile.template }}
{{- else }}
path: authenticated-emails-list
{{- end }}
name: configaccesslist
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink