diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index efdda9e9..0bbfafad 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 10.4.2 +version: 10.5.0 apiVersion: v2 appVersion: 7.15.1 home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -30,8 +30,8 @@ maintainers: kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: changed - description: Bump OAuth2 Proxy image to v7.15.1 + - kind: added + description: Add no-config legacy mode for external config management links: - name: GitHub PR - url: https://github.com/oauth2-proxy/manifests/pull/403 + url: https://github.com/oauth2-proxy/manifests/pull/404 diff --git a/helm/oauth2-proxy/ci/no-config-values.yaml b/helm/oauth2-proxy/ci/no-config-values.yaml new file mode 100644 index 00000000..1cbe2202 --- /dev/null +++ b/helm/oauth2-proxy/ci/no-config-values.yaml @@ -0,0 +1,13 @@ +# Test: no legacy config generation (external config management) +# Expected: No ConfigMap generated, no --config flag, no config volume mount. +# Use case: config managed externally via CSI SecretStore Driver or similar. +# +# Since no config file is mounted, the minimum required settings +# (email-domain, upstream) must be provided via extraArgs. + +config: + forceLegacyConfig: false + +extraArgs: + email-domain: "*" + upstream: "file:///dev/null" diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl index dfe0ff27..1ac0d120 100644 --- a/helm/oauth2-proxy/templates/_helpers.tpl +++ b/helm/oauth2-proxy/templates/_helpers.tpl @@ -164,9 +164,19 @@ metricsServer: {{- end -}} {{/* -If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config. -If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file. -If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file. +Legacy config mode resolution: +- alphaConfig.enabled=true + forceLegacyConfig=false + → generated-alpha-compatible (minimal legacy config; config.existingConfig and config.configFile are ignored) +- config.existingConfig is set (only when NOT in alphaConfig.enabled + !forceLegacyConfig path) + → existing-configmap (external ConfigMap) +- config.configFile is set (only when NOT in alphaConfig.enabled + !forceLegacyConfig path) + → inline-custom (user-provided content) +- alphaConfig.enabled=true + forceLegacyConfig=true (no existingConfig/configFile) + → generated-alpha-compatible +- alphaConfig.enabled=false + forceLegacyConfig=false + no configFile/existingConfig + → no-config (nothing generated/mounted) +- Default + → generated-legacy (full legacy config with emailDomains + upstreams) */}} {{- define "oauth2-proxy.legacy-config.mode" -}} {{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}} @@ -177,6 +187,8 @@ existing-configmap inline-custom {{- else if .Values.alphaConfig.enabled -}} generated-alpha-compatible +{{- else if not .Values.config.forceLegacyConfig -}} +no-config {{- else -}} generated-legacy {{- end -}} diff --git a/helm/oauth2-proxy/templates/configmap.yaml b/helm/oauth2-proxy/templates/configmap.yaml index 30e25c55..6fe37e90 100644 --- a/helm/oauth2-proxy/templates/configmap.yaml +++ b/helm/oauth2-proxy/templates/configmap.yaml @@ -1,4 +1,4 @@ -{{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }} +{{- if not (has (include "oauth2-proxy.legacy-config.mode" .) (list "existing-configmap" "no-config")) }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 4ce265cd..78d8d437 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $legacyConfigMode := include "oauth2-proxy.legacy-config.mode" . -}} {{- $redisEnabled := eq (include "oauth2-proxy.redis.enabled" .) "true" -}} {{- $redisValues := index .Values "redis-ha" | default dict -}} apiVersion: apps/v1 @@ -27,7 +28,7 @@ spec: template: metadata: annotations: - {{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }} + {{- if not (has $legacyConfigMode (list "existing-configmap" "no-config")) }} checksum/config: {{ include "oauth2-proxy.legacy-config.content" . | sha256sum }} {{- end }} {{- if .Values.alphaConfig.enabled }} @@ -145,7 +146,9 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} + {{- if ne $legacyConfigMode "no-config" }} - --config=/etc/oauth2_proxy/oauth2_proxy.cfg + {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} {{- if .Values.authenticatedEmailsFile.template }} - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} @@ -302,9 +305,11 @@ spec: readOnly: true {{- end }} {{- end }} +{{- if ne $legacyConfigMode "no-config" }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg name: configmain subPath: oauth2_proxy.cfg +{{- end }} {{- if .Values.alphaConfig.enabled }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml name: configalpha @@ -368,10 +373,12 @@ spec: name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis defaultMode: 0775 {{- end }} +{{- if ne $legacyConfigMode "no-config" }} - configMap: defaultMode: 420 name: {{ include "oauth2-proxy.legacy-config.name" . | trim }} name: configmain +{{- end }} {{- if .Values.alphaConfig.enabled }} {{- if .Values.alphaConfig.existingConfig }} - configMap: diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index dd2f6592..9847892a 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml @@ -64,6 +64,11 @@ config: # generates a minimal legacy config from emailDomains only. # 3. If configFile is empty/not set, the config is auto-generated # from emailDomains and, when alphaConfig is disabled, upstreams. + # 4. When alphaConfig.enabled=false and forceLegacyConfig=false, + # and neither config.configFile nor config.existingConfig are set, + # no ConfigMap is generated or mounted. Use this when you manage + # oauth2-proxy configuration entirely via external means (e.g., + # CSI SecretStore Driver, extraVolumes, etc.). configFile: "" # Email domains allowed to authenticate when the chart generates # the main oauth2_proxy.cfg. @@ -77,9 +82,12 @@ config: upstreams: ["file:///dev/null"] # Behavior when using alphaConfig together with a custom config file # - # This flag only has an effect when: - # - alphaConfig.enabled is true, AND - # - you provide a custom config.configFile or config.existingConfig. + # This flag has an effect when: + # - alphaConfig.enabled is true AND you provide a custom + # config.configFile or config.existingConfig, OR + # - alphaConfig.enabled is false AND no configFile/existingConfig + # is provided (setting forceLegacyConfig=false disables config + # generation entirely — see "no-config mode" below). # # Auto-generated config when alphaConfig.enabled=true is always a # minimal legacy config (no upstreams), regardless of this flag. @@ -109,6 +117,12 @@ config: # instead (see examples below). # - Move any other relevant settings into alphaConfig and/or # flags rather than relying on a custom legacy configFile. + # + # no-config mode: + # If forceLegacyConfig and alphaConfig.enabled are both false, + # and no configFile or existingConfig is provided, no ConfigMap + # is generated or mounted. This is useful when managing config + # externally (e.g., CSI SecretStore Driver). forceLegacyConfig: true # # Custom configuration file: oauth2_proxy.cfg (overrides