
Include the redis sub-chart dependency (#7)
* Design of including the redis sub-chart dependency

* Changing sessionStorage.type to a string-based input

* Adding redis deployment dep

* Moving redis passwords to secret

* Adding the redis secret resource

* Adding new existingSecret documentation in README

* Removing lint error

* Update Chart.yaml

Bumping up the chart version.

* add ci test for redis standalone case

* Changing the redis secret name due to ci clash
morarucostel authored Mar 25, 2021
1 parent 3a98e77 commit 9c0ad1c
Showing 6 changed files with 110 additions and 2 deletions.
11 changes: 9 additions & 2 deletions helm/oauth2-proxy/Chart.yaml
@@ -1,6 +1,6 @@
name: oauth2-proxy
version: 3.2.7
apiVersion: v1
version: 3.2.8
apiVersion: v2
appVersion: 5.1.0
home: https://oauth2-proxy.github.io/oauth2-proxy/
description: A reverse proxy that provides authentication with Google, Github or other providers
Expand All @@ -11,6 +11,13 @@ keywords:
- authentication
- google
- github
- redis
dependencies:
- name: redis
version: ~10.6.0
repository: https://charts.bitnami.com/bitnami
alias: redis
condition: redis.enabled
sources:
- https://github.com/oauth2-proxy/oauth2-proxy
- https://github.com/oauth2-proxy/manifests
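Review bot: The new `dependencies` entry uses the floating range `version: ~10.6.0`, and the diffstat lists no `Chart.lock` among the six changed files, so every `helm dependency update` may resolve a different bitnami/redis 10.6.x release and nothing records which one CI actually installed. Pin the sub-chart to the exact patch release that was tested and commit the generated `Chart.lock` so the resolved version and digest are reviewable; a third-party chart repository is part of the supply chain of this deployment. `alias: redis` merely repeats `name: redis` and can be dropped, though it is harmless. The `apiVersion: v1` to `v2` bump is what makes `dependencies:` in Chart.yaml valid, but it also drops Helm 2 compatibility, which the commit message does not mention.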
10 changes: 10 additions & 0 deletions helm/oauth2-proxy/README.md
Expand Up @@ -120,6 +120,16 @@ Parameter | Description | Default
`securityContext.enabled` | enable Kubernetes security context on container | `false`
`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true`
`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
`sessionStorage.redis.existingSecret` | existing Kubernetes secret to use for redis-password and redis-sentinel-password | `""`
`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations | `nil`
`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone`
`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. redis://HOST[:PORT]) | `nil`
`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. redis://HOST[:PORT]) | `[]`
`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil`
`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil`
`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. redis://HOST[:PORT]) | `[]`
`redis.enabled` | Enable the redis subchart deployment | `false`


Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
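--- /dev/null
+++ b/helm/oauth2-proxy/ci/redis-standalone-values.yaml
@@ -0,0 +1,9 @@
+sessionStorage:
+  type: redis
+  redis:
+    clientType: "standalone"
+    standalone:
+      connectionUrl: "redis://oauth2-proxy-redis-master:6379"
+redis:
+  # provision an instance of the redis sub-chart
+  enabled: true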
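Review bot: This fixture exercises the redis path without any password, so the new `redis-secret.yaml` and the `OAUTH2_PROXY_REDIS_PASSWORD` wiring in deployment.yaml are not covered by CI at all; a second fixture that sets `sessionStorage.redis.password` together with the sub-chart's own `redis.password` would catch a mismatch between the two. The host `oauth2-proxy-redis-master` also appears to assume the release is installed under the name `oauth2-proxy`, since the sub-chart derives its service name from the release (as far as I can tell from the bitnami chart — confirm against the pinned version and the CI runner's release naming).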
35 changes: 35 additions & 0 deletions helm/oauth2-proxy/templates/deployment.yaml
Expand Up @@ -20,6 +20,7 @@ spec:
checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
{{- if .Values.htpasswdFile.enabled }}
checksum/htpasswd: {{ include (print $.Template.BasePath "/configmap-htpasswd-file.yaml") . | sha256sum }}
{{- end }}
Expand Down Expand Up @@ -91,6 +92,40 @@ spec:
name: {{ template "oauth2-proxy.secretName" . }}
key: cookie-secret
{{- end }}
{{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
- name: OAUTH2_PROXY_SESSION_STORE_TYPE
value: "redis"
{{- if .Values.sessionStorage.redis.password }}
- name: OAUTH2_PROXY_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "oauth2-proxy.fullname" . }}-redis-access
key: redis-password
{{- end }}
{{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
- name: OAUTH2_PROXY_REDIS_CONNECTION_URL
value: {{ .Values.sessionStorage.redis.standalone.connectionUrl }}
{{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
- name: OAUTH2_PROXY_REDIS_USE_CLUSTER
value: "true"
- name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
{{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
- name: OAUTH2_PROXY_REDIS_USE_SENTINEL
value: "true"
- name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
- name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
{{- if .Values.sessionStorage.redis.sentinel.password }}
- name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ if .Values.sessionStorage.redis.existingSecret }} {{ .Values.sessionStorage.redis.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-redis-access{{ end }}
key: redis-sentinel-password
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8 }}
{{- end }}
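Review bot: The `OAUTH2_PROXY_REDIS_PASSWORD` block under the first `if .Values.sessionStorage.redis.password` always points its `secretKeyRef` at `{{ template "oauth2-proxy.fullname" . }}-redis-access`, but redis-secret.yaml is not rendered when `existingSecret` is set, so an `existingSecret` deployment gets a dangling reference — and only gets the env var at all if the plaintext `password` is also present in values, which defeats the point of the external secret — whereas the sentinel block further down already resolves the name from `existingSecret`. Gate the env var on `or .Values.sessionStorage.redis.password .Values.sessionStorage.redis.existingSecret` and resolve the secret name the same way the sentinel branch does. Separately, `value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}` and the sentinel `connectionUrls` line interpolate a list, which the template engine renders as `[url1 url2]` rather than a string the env value accepts; join and quote them (oauth2-proxy takes these as comma-separated lists as far as I recall — confirm against the 5.1.0 docs), and quote the remaining `value: {{ ... }}` scalars so an empty value renders as `""` instead of null. The container spec this env list belongs to starts outside the hunk.
```yaml
        {{- if or .Values.sessionStorage.redis.password .Values.sessionStorage.redis.existingSecret }}
        - name: OAUTH2_PROXY_REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Values.sessionStorage.redis.existingSecret | default (printf "%s-redis-access" (include "oauth2-proxy.fullname" .)) }}
              key: redis-password
        {{- end }}
        # … unchanged: clientType dispatch and standalone branch …
        - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
          value: {{ join "," .Values.sessionStorage.redis.cluster.connectionUrls | quote }}
        # … unchanged: sentinel flag and master name …
        - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
          value: {{ join "," .Values.sessionStorage.redis.sentinel.connectionUrls | quote }}
```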
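--- /dev/null
+++ b/helm/oauth2-proxy/templates/redis-secret.yaml
@@ -0,0 +1,15 @@
+{{- if and (eq .Values.sessionStorage.type "redis") (not .Values.sessionStorage.redis.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+    chart: {{ template "oauth2-proxy.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "oauth2-proxy.fullname" . }}-redis-access
+type: Opaque
+data:
+  redis-password: {{ .Values.sessionStorage.redis.password | b64enc | quote }}
+  redis-sentinel-password: {{ .Values.sessionStorage.redis.sentinel.password | b64enc | quote }}
+{{- end -}}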
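Review bot: The guard on the first line reads `.Values.sessionStorage.type` without the `default "cookie"` that deployment.yaml applies to the same key, and it emits the Secret whenever the type is redis and no `existingSecret` is given, even when `password` and `sentinel.password` are both empty — in which case a Secret holding two empty strings is created and never referenced. Align it with the deployment and skip the empty case: `{{- if and (eq (default "cookie" .Values.sessionStorage.type) "redis") (not .Values.sessionStorage.redis.existingSecret) (or .Values.sessionStorage.redis.password .Values.sessionStorage.redis.sentinel.password) }}`. A header comment should also state that an `existingSecret` must carry the same two keys, `redis-password` and `redis-sentinel-password`, because deployment.yaml reads them by those names. Note that `checksum/redis-secret` in deployment.yaml hashes this rendered manifest, so a SHA-256 over the base64 password ends up in a pod-template annotation; that is the usual chart pattern, but it is worth knowing when the password is low-entropy.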
32 changes: 32 additions & 0 deletions helm/oauth2-proxy/values.yaml
Expand Up @@ -186,3 +186,35 @@ htpasswdFile:
# example:
# entries:
# - testuser:{SHA}EWhzdhgoYJWy0z2gyzhRYlN9DSiv

# Configure the session storage type, between cookie and redis
sessionStorage:
# Can be one of the supported session storage cookie/redis
type: cookie
redis:
# Secret name that holds the redis-password and redis-sentinel-password values
existingSecret: ""
password: ""
# Can be one of sentinel/cluster/standalone
clientType: "standalone"
standalone:
connectionUrl: ""
cluster:
# connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
connectionUrls: []
sentinel:
password: ""
masterName: ""
# connectionUrls: ["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]
connectionUrls: []

# Enables and configure the automatic deployment of the redis subchart
redis:
# provision an instance of the redis sub-chart
enabled: false
# Redis specific helm chart settings, please see:
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
# redisPort: 6379
# cluster:
# enabled: false
# slaveCount: 1
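Review bot: Nothing ties `sessionStorage.redis.password` to the sub-chart's own credentials under the new `redis:` block, so with `redis.enabled: true` the proxy authenticates with whatever is set here while the bitnami chart uses its own `redis.password` (and, if I recall 10.6.x correctly, generates a random one when no password is supplied — confirm against the pinned version); the CI fixture sets neither. Document the coupling above `password: ""`, e.g. `# Must match the password the Redis server was deployed with; with redis.enabled set redis.password (or redis.existingSecret) to the same value.`, and add `# Prefer existingSecret: a value set here is stored in plaintext in the release values (helm get values).` The README row for this key lists the default as `nil` while the file says `""`; one of the two should change.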
