2 changes: 2 additions & 0 deletions .github/trusted_registries.yaml
Expand Up @@ -40,6 +40,8 @@ quay.io:
jetstack: ALL_IMAGES
kiwigrid:
k8s-sidecar: ALL_TAGS
oauth2-proxy:
oauth2-proxy: ALL_TAGS
prometheus: ALL_IMAGES
prometheus-operator: ALL_IMAGES
reg.kyverno.io:
Expand Up @@ -21,41 +21,58 @@ metadata:
app.kubernetes.io/part-of: {{ $host }}
spec:
chart:
spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "bitnami" "chart" "oauth2-proxy" "context" $) | nindent 6 }}
spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "oauth2-proxy" "chart" "oauth2-proxy" "context" $) | nindent 6 }}
interval: 1h
driftDetection:
mode: enabled
{{- if $.Values.monitoring.prometheus.enabled }}
dependsOn:
- name: kube-prometheus-stack
namespace: monitoring
{{- end }}
values:
fullnameOverride: {{ printf "cluster-%s-oauth-proxy" $host }}
nameOverride: {{ printf "cluster-%s-oauth-proxy" $host }}
Comment thread
cwrau marked this conversation as resolved.
redis:
enabled: false
{{- if $.Values.global.imageRegistry }}
global:
imageRegistry: {{ $.Values.global.imageRegistry }}
{{- end }}
image:
repository: {{ printf "%s/oauth2-proxy/oauth2-proxy" ($.Values.global.imageRegistry | default "quay.io") }}
ingress:
Comment thread
cwrau marked this conversation as resolved.
enabled: true
hostname: {{ include (printf "base-cluster.%s.host" $host) $ }}
tls: true
{{- if $.Values.dns.provider }}
selfSigned: true # `certManager: true` leads to overwritten wildcard certificates
{{- else }}
certManager: true
{{- if not $.Values.dns.provider }}
annotations:
kubernetes.io/tls-acme: "true"
{{- end }}
existingSecretName: {{ include "base-cluster.certificate" (dict "name" $host "customDomain" $ingress.customDomain "context" $) | quote }}
hosts:
- &host {{ include (printf "base-cluster.%s.host" $host) $ }}
tls:
- hosts:
- *host
secretName: {{ include "base-cluster.certificate" (dict "name" $host "customDomain" $ingress.customDomain "context" $) | quote }}
replicaCount: 2
pdb:
create: true
podDisruptionBudget:
enabled: true
minAvailable: 1
maxUnavailable: ""
podSecurityContext:
enabled: true
containerSecurityContext:
enabled: true
fsGroup: 1001
fsGroupChangePolicy: Always
supplementalGroups: []
sysctls: []
securityContext:
privileged: false
seLinuxOptions: {}
resources: {{- include "common.resources" $.Values.global.authentication.oauthProxy | nindent 6 }}
configuration:
enableServiceLinks: false
serviceAccount:
enabled: false
automountServiceAccountToken: false
Comment thread
cwrau marked this conversation as resolved.
metrics:
serviceMonitor:
enabled: {{ $.Values.monitoring.prometheus.enabled }}
additionalLabels: {{- include "common.tplvalues.render" (dict "value" $.Values.monitoring.labels "context" .) | nindent 10 }}
config:
existingSecret: {{ include "common.secrets.name" (dict "defaultNameSuffix" "oauth-proxy" "context" $) }}
content: |-
configFile: |-
provider = "oidc"
reverse_proxy = true
oidc_issuer_url = {{ printf "https://%s%s" $.Values.global.authentication.config.issuerHost $.Values.global.authentication.config.issuerPath | quote }}
Expand All @@ -69,7 +86,7 @@ spec:
upstreams = [ {{ printf "http://%s:%d" $targetServiceName $port | quote }} ]
podAnnotations:
# This might change on every `template` call, this can be ignored
checksum/secret: {{ include "common.utils.checksumTemplate" (dict "path" "/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml" "context" $) }}
checksum/oidc-secret: {{ include "common.utils.checksumTemplate" (dict "path" "/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml" "context" $) }}
{{- if eq (include "common.networkPolicy.type" $) "cilium" }}
---
apiVersion: cilium.io/v2
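Review bot: The `securityContext:` block in the first hunk appears to set only `privileged: false` and `seLinuxOptions: {}`, so container hardening for this ingress-exposed auth proxy now rests on whatever defaults the upstream chart ships. The old side got its hardening from Bitnami's `containerSecurityContext.enabled: true`; the rendered page has lost its +/- markers, so this old/new reading is inferred from the key names. I would state the intended posture in the values so a later chart bump cannot silently relax it: `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, `readOnlyRootFilesystem: true`, plus dropping all capabilities. It is also worth confirming that `fsGroup: 1001` under `podSecurityContext` matches the UID/GID the upstream image runs as, since the value looks carried over from the Bitnami layout. The positive changes here (`serviceAccount.enabled: false`, `automountServiceAccountToken: false`, `enableServiceLinks: false`) deserve a short comment saying they are deliberate least-privilege settings.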
7 changes: 6 additions & 1 deletion charts/base-cluster/values.yaml
Expand Up @@ -114,9 +114,14 @@ global:
bitnami:
url: oci://docker.io/bitnamicharts
charts:
oauth2-proxy: 6.2.13
metrics-server: 7.4.10
external-dns: 8.9.2
grafana-tempo: 4.0.13
oauth2-proxy:
url: https://oauth2-proxy.github.io/manifests
charts:
oauth2-proxy: 7.14.1
Comment thread
cwrau marked this conversation as resolved.
condition: '{{ and .Values.global.authentication.config .Values.monitoring.prometheus.enabled }}'
descheduler:
url: https://kubernetes-sigs.github.io/descheduler
charts: