Merge pull request #127 from kvanzuijlen/workload-identity-support

Added support for using Workload Identity to the Helm chart
oauth2-proxy · Jan 16, 2023 · 3500132 · 3500132
2 parents 2f2f385 + c09d01b
commit 3500132
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 3 deletions.
diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 6.7.3
+version: 6.8.0
 apiVersion: v2
 appVersion: 7.4.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/

diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md
@@ -110,6 +110,8 @@ Parameter | Description | Default
 `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil`
 `customLabels` | Custom labels to add into metadata | `{}` |
 `config.google.adminEmail` | user impersonated by the google service account | `""`
+`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false`
+`config.google.targetPrincipal` | service account to use/impersonate | `""`
 `config.google.serviceAccountJson` | google service account json contents | `""`
 `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil`
 `config.google.groups` | restrict logins to members of these google groups | `[]`

diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml
@@ -95,10 +95,17 @@ spec:
         {{- end }}
         {{- end }}
         {{- with .Values.config.google }}
-        {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+        {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
           - --google-admin-email={{ .adminEmail }}
+        {{- if .useApplicationDefaultCredentials }}
+          - --google-use-application-default-credentials=true
+        {{- else }}
           - --google-service-account-json=/google/service-account.json
         {{- end }}
+        {{- if .targetPrincipal }}
+          - --google-target-principal={{ .targetPrincipal }}
+        {{- end }}
+        {{- end }}
         {{- if .groups }}
         {{- range $group := .groups }}
           - --google-group={{ $group }}

diff --git a/helm/oauth2-proxy/templates/google-secret.yaml b/helm/oauth2-proxy/templates/google-secret.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.config.google (not .Values.config.google.existingSecret) }}
+{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
@@ -22,6 +22,8 @@ config:
   cookieName: ""
   google: {}
     # adminEmail: xxxx
+    # useApplicationDefaultCredentials: true
+    # targetPrincipal: xxxx
     # serviceAccountJson: xxxx
     # Alternatively, use an existing secret (see google-secret.yaml for required fields)
     # Example: