Merge branch 'main' into hspitzley/generate_values_schema
hspitzley-czi authored Oct 25, 2024
2 parents 15f7417 + d897a21 commit 33bb463
Showing 9 changed files with 234 additions and 145 deletions.
2 changes: 1 addition & 1 deletion .release-please-manifest.json
@@ -1,4 +1,4 @@
"stack": "2.1.3",
"stack": "2.2.1",
"argus-config": "1.2.2"
19 changes: 19 additions & 0 deletions stack/
@@ -1,5 +1,24 @@
# Changelog

## [2.2.1]( (2024-10-25)

### Bug Fixes

* trailing slash on upstreams ([#159]( ([ed0ef29](

## [2.2.0]( (2024-10-25)

### Features

* allow for overwritting the cookie-domain flag on the oidc proxy ([#157]( ([23a7471](

### Bug Fixes

* broken oauth2_proxy flags; change the behavior of oauth2_proxy to be used as proxy ([#149]( ([271aabe](

## [2.1.3]( (2024-10-24)

2 changes: 1 addition & 1 deletion stack/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (
version: 2.1.3
version: 2.2.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
63 changes: 17 additions & 46 deletions stack/templates/_helpers.tpl
Expand Up @@ -3,11 +3,24 @@ Expand the name of the chart.
{{- define "" -}}
{{- default .Chart.Name .nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end -}}

{{- define "" -}}
{{- | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end -}}

{{- define "service.backend" -}}
{{- if .Values.ingress.oidcProtected -}}
name: {{ include "" . }}
number: {{ include "oidcProxy.port" .}}
{{- else }}
name: {{ include "service.fullname" . }}
number: {{ .Values.service.port | int}}
{{- end -}}
{{- end -}}

Create a default fully qualified app name.
Expand Down Expand Up @@ -147,7 +160,7 @@ Container probes cannot have both httpGet and tcpSocket fields, so we use omit t

{{- define "" -}}
{{ include "stack.fullname" . | lower }}-oidc-proxy
{{- end }}
{{- end -}}

{{- define "oidcProxy.port" -}}
{{ .Values.oidcProxy.port | default 4180 | int }}
Expand Down Expand Up @@ -180,46 +193,4 @@ {{ .Release.Name }}

{{- define "oidcProxy.authDomain" -}}
{{ }}
{{- end -}}

{{- define "oidcProxy.skipAuthConfig" -}}
{{- $letsEncryptVerifySkip := (dict "path" "/.well-known/*" "method" "GET") -}}
{{- range $k, $v := append .Values.oidcProxy.skipAuth $letsEncryptVerifySkip -}}
{{- $id := printf "%s_%s" ($v.method |lower) ($v.path | replace "/" "")}}
{{- $id := regexReplaceAll "\\W+" $id "_" -}}
{{- $var_name := printf "%s_%s" "skip_auth" $id }}
set ${{ $var_name }} 1;

if ( $request_uri !~ "{{$v.path}}" ) {
set ${{ $var_name }} 0;

if ( $request_method !~ "{{$v.method}}" ) {
set ${{ $var_name }} 0;

if ( ${{ $var_name }} ) {
return 200;
{{- end -}}
{{- end -}}

{{- define "oidcProxy.nginxAuthAnnotations" -}} "http://{{ include "" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth" "https://$host/oauth2/sign_in?rd=https://$host$escaped_request_uri" {{join "," (concat (list "Authorization" "X-Auth-Request-User" "X-Auth-Request-Groups" "X-Auth-Request-Email" "X-Auth-Request-Preferred-Username") .Values.oidcProxy.additionalHeaders) }} |
{{- include "oidcProxy.skipAuthConfig" . | nindent 4 }} |
auth_request_set $email $upstream_http_x_auth_request_email;
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $groups $upstream_http_x_auth_request_groups;
auth_request_set $preferred_username $upstream_http_x_auth_request_preferred_username;

proxy_set_header X-Forwarded-Email $email;
proxy_set_header X-Forwarded-User $user;
proxy_set_header X-Forwarded-Groups $groups;
proxy_set_header X-Forwarded-Preferred-Username $preferred_username;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
{{- end -}}
{{- end -}}
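Review bot: The new `service.backend` helper has no description line, although the other helpers in this file open with one (`Expand the name of the chart.`, `Create a default fully qualified app name.`), and this one silently redirects an Ingress backend from the workload Service to the OIDC proxy. Suggested header text: `Render the Ingress backend (name/port) for a service: the OIDC proxy when ingress.oidcProtected is set, otherwise the service itself. Expects the per-service scope built in ingress.yaml, not the chart root.` The scope remark matters because `.Values.oidcProxy.port` and `.Values.ingress.oidcProtected` are both read from `.`, which presumably only resolves once the global values have been merged into the service values the way ingress.yaml does. Pointing the Ingress at the proxy does not make the Service itself unreachable inside the cluster (the proxy reaches it via its cluster DNS name), so any in-cluster access restriction has to come from elsewhere, e.g. NetworkPolicy, which is worth stating in the chart documentation.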
36 changes: 12 additions & 24 deletions stack/templates/ingress.yaml
@@ -1,4 +1,4 @@
{{ $global := . }}
{{- $global := . -}}
{{ range $serviceName, $serviceValues := }}
{{- $globalValuesDict := $ | toYaml -}}
{{- $values := fromYaml $globalValuesDict -}}
Expand All @@ -7,25 +7,18 @@
{{- $service := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" $values -}}
{{- with $service }}

{{- if .Values.ingress.enabled -}}
{{ if .Values.ingress.enabled }}
{{- $fullName := include "service.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
kind: Ingress
name: {{ $fullName }}
name: {{ include "service.fullname" . }}
{{- include "service.labels" . | nindent 4 }}
{{- $nginxAuthAnnotations := dict}}
{{- if .Values.ingress.oidcProtected }}
{{- $nginxAuthAnnotations = (fromYaml (include "oidcProxy.nginxAuthAnnotations" . )) -}}
{{- end}}
{{- $certManagerAnnotations := (fromYaml (include "certManagerAnnotations" . )) }}
{{- with (mergeOverwrite
Expand All @@ -45,15 +38,13 @@ spec:
{{- end }}
name: {{ $fullName }}
number: {{ $svcPort }}
{{- include "service.backend" $service | nindent 16}}
{{- end }}
{{ $customHosts := list}}
{{ range $i, $rule := .Values.ingress.rules }}
{{- $customHosts := list -}}
{{- range $i, $rule := .Values.ingress.rules -}}
{{- $ruleValues := mergeOverwrite (dict "host" $ "paths" $service.Values.ingress.paths) $rule -}}
{{ $customHosts = append $customHosts $ }}
- host: {{ $ | quote }}
- host: {{ $ }}
{{- range $ruleValues.paths }}
Expand All @@ -63,11 +54,9 @@ spec:
{{- end }}
name: {{ $fullName }}
number: {{ $svcPort }}
{{- end }}
{{ end }}
{{- (include "service.backend" $service) | nindent 16 -}}
{{ end -}}
{{- end }}
- hosts:
- {{ $ }}
Expand All @@ -83,8 +72,7 @@ spec:
{{- toYaml $customHosts | nindent 6 }}
{{- $secretName := printf "%s-%s-%s" "custom-hosts" (include "stack.fullname" .) "tls-secret" }}
secretName: {{ regexReplaceAll "[^a-zA-Z0-9-]" $secretName "-" }}
{{- end -}}
{{- end }}
{{ end }}
{{ end }}
{{- end }}
{{- end }}
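Review bot: Dropping `| quote` from the rule host (`- host: {{ $ }}`, if that is the new side of the quoted/unquoted pair) lets the YAML parser type the host instead of treating it as a string: a wildcard host such as `*.example.com`, which is valid for an Ingress, begins with `*` and is read as a YAML alias, and an empty value renders as null rather than an empty string. Restore the `| quote` on that line; the TLS host list is emitted through `toYaml $customHosts` and is therefore already serialized safely, so quoting the `rules` entry keeps the two paths consistent. The bare `{{ if .Values.ingress.enabled }}` that replaces `{{- if .Values.ingress.enabled -}}` no longer trims surrounding whitespace, which only adds blank lines to the rendered manifest but is a style inconsistency with the trimmed tags around it.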
45 changes: 44 additions & 1 deletion stack/templates/oidc_proxy.yaml
@@ -1,16 +1,33 @@
{{ $global := . }}
{{- $allHosts := list -}}
{{- $allOIDCProtectedServces := list -}}
{{ range $serviceName, $serviceValues := }}
{{- $globalValuesDict := $ | toYaml -}}
{{- $values := fromYaml $globalValuesDict -}}
{{- $values = set $values "name" $serviceName -}}
{{- $values := mergeOverwrite $values $serviceValues -}}

{{- with $values -}}
{{ $serviceScope := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" .}}
{{- if .ingress.oidcProtected -}}
{{ range $i, $path := .ingress.paths }}
{{- if (eq $path.pathType "Exact") -}}
{{- $allOIDCProtectedServces = append
(printf "http://%s.%s.svc.cluster.local:%d%s" (include "service.fullname" $serviceScope) $global.Release.Namespace ($values.service.port | int) ($path.path))
{{- else -}}
{{- $allOIDCProtectedServces = append
(printf "http://%s.%s.svc.cluster.local:%d%s/" (include "service.fullname" $serviceScope) $global.Release.Namespace ($values.service.port | int) ($path.path))
{{- end -}}
{{- end -}}

{{ range $i, $rule := .ingress.rules }}
{{- $allHosts = append $allHosts $ }}
{{- end -}}

{{- end -}}
{{- end -}}
{{- end -}}
Expand Down Expand Up @@ -51,17 +68,42 @@ spec:
- --provider=oidc
- --email-domain=*
- --cookie-secure=true
- --set-authorization-header
- --set-xauthrequest
- --cookie-domain={{- include "baseDomain" . }}
- --whitelist-domain=.{{- include "baseDomain" . }}
- --skip-provider-button=true
- --pass-authorization-header=true
- --reverse-proxy
- --skip-jwt-bearer-tokens

{{- range $allOIDCProtectedServces }}
- --upstream={{ . }}
{{- end -}}

{{- range .Values.oidcProxy.skipAuth }}
{{ if contains "*" .method }}
# for backwards compatibility, could also just be provided using extraArgs
- --skip-auth-route={{ .path }}
{{- else -}}
- --skip-auth-route={{ .method }}={{ .path }}
{{- end -}}
{{- end -}}

{{ $cookiePrefix := list }}
{{ range .Values.oidcProxy.extraArgs }}
{{ if (hasPrefix "--cookie-domain" . ) }}
{{ $cookiePrefix = append $cookiePrefix . }}
{{ end }}
{{ end }}
{{- range $allHosts -}}
{{- printf "- --whitelist-domain=%s" . | nindent 12 -}}

{{ if eq (len $cookiePrefix) 0 }}
# if a user provides a cookie-domain flag, we want to use that instead of the
# default cookie-domain
{{- printf "- --cookie-domain=%s" . | nindent 12 -}}
{{ end }}

{{- end -}}
{{- if gt (len .Values.oidcProxy.extraArgs) 0 }}
{{- toYaml .Values.oidcProxy.extraArgs | nindent 12}}
Expand Down Expand Up @@ -108,6 +150,7 @@ spec:
{{- include "oidcProxy.selectorLabels" . | nindent 4 }}


{{- if .Values.ingress.enabled }}
kind: Ingress
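Review bot: The upstream list only walks the service-level `.ingress.paths` (`{{ range $i, $path := .ingress.paths }}`), but ingress.yaml lets a rule carry its own `paths` via `mergeOverwrite (dict "host" ... "paths" $service.Values.ingress.paths) $rule`, so an OIDC-protected service whose rule overrides `paths` is sent to the proxy by the Ingress while the proxy has no matching `--upstream` for those paths; either collect the rule-level paths here as well or document that rule-level `paths` are not supported together with `oidcProtected`. The `extraArgs` cookie-domain override only suppresses the per-host `- --cookie-domain=%s` lines, while `- --cookie-domain={{- include "baseDomain" . }}` is still emitted unconditionally, so oauth2-proxy still receives the base domain alongside the user-supplied value; if that is intended, a comment on that line saying so would prevent the next reader from "fixing" it. For the `--skip-auth-route` loop, oauth2-proxy treats the path part as a regular expression and, as far as I recall, does not anchor it, so a glob-looking value such as `/foo/*` or a bare `/` exempts far more than it appears to; a comment such as `# .path is a regex: anchor it (e.g. ^/healthz$) — unanchored patterns widen the bypass` on the loop would help chart users. The local `$allOIDCProtectedServces` is misspelled; `$allOIDCProtectedServices` reads better and is purely a rename.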
