From d1bd78da51cae0c9f34d1c0a02f4e2ab4afcd7d5 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau <cwr@teuto.net>
Date: Tue, 3 Jun 2025 12:46:13 +0200
Subject: [PATCH] feat(base-cluster/monitoring): set code_challenge_method for
 oauth2-proxy

This prevents token interceptions
---
 .../templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml
index ab0aa3b5f2..dfa369d986 100644
--- a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml
+++ b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml
@@ -65,6 +65,7 @@ spec:
         {{- else }}
         email_domains = "*"
         {{- end }}
+        code_challenge_method = "S256"
         upstreams = [ {{ printf "http://%s:%d" $targetServiceName $port | quote }} ]
     podAnnotations:
       # This might change on every `template` call, this can be ignored