Merge pull request #44 from stakater-charts/add-openshift-oauth

add openshift oauth proxy option

README.md

@@ -56,6 +56,9 @@ To uninstall the chart:
 | deployment.probes.livenessProbes.httpGet.path | The path of the application where liveness probe will send request | `8080` |
 | deployment.probes.livenessProbes.httpGet.port | The port number that the liveness probe will listen on | `8080` |
 | deployment.resources | Application pod resource requests & limits |     limits:<br>&nbsp;&nbsp;memory: 256Mi<br>&nbsp;&nbsp;cpu: 1<br>requests:<br>&nbsp;&nbsp;memory: 128Mi<br>&nbsp;&nbsp;cpu: 0.5 |
+| deployment.openshiftOAuthProxy.enabled | Add Openshift OAuth Proxy as SideCar Container | `false` |
+| deployment.openshiftOAuthProxy.port | Application port so proxy should forward to this port | `8080` |
+| deployment.openshiftOAuthProxy.secretName | Secret name containing the TLS cert | `openshift-oauth-proxy-tls` |
 | deployment.additionalContainers | Add additional containers besides init and app containers | `[]` |
 | deployment.securityContext | Security Context for the pod | `{}` |
 | persistence.enabled | Enable persistence | `false` |

application/templates/deployment.yaml

@@ -87,6 +87,25 @@ spec:
       - name: {{ .Values.deployment.imagePullSecrets }}
       {{- end }}
       containers:
+        {{- if .Values.deployment.openshiftOAuthProxy.enabled }}
+      - args:
+        - --https-address=:8443
+        - --provider=openshift
+        - --upstream=http://localhost:{{ .Values.deployment.openshiftOAuthProxy.port }}
+        - --openshift-service-account={{ template "application.name" . }}
+        - --tls-cert=/etc/tls/private/tls.crt
+        - --tls-key=/etc/tls/private/tls.key
+        - --cookie-secret=SECRET
+        image: openshift/oauth-proxy:latest
+        imagePullPolicy: IfNotPresent
+        name: oauth-proxy
+        ports:
+        - containerPort: 8443
+          name: proxy
+        volumeMounts:
+        - mountPath: /etc/tls/private
+          name: proxy-tls 
+        {{- end }}
       - name: {{ template "application.name" . }}
         image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
         imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
@@ -136,8 +155,13 @@ spec:
       securityContext:      
 {{ toYaml .Values.deployment.securityContext | indent 8 }}
           {{- end }}
-      {{- if or (.Values.deployment.volumes) (and (eq .Values.persistence.enabled true) (eq .Values.persistence.mountPVC true) )}} 
+      {{- if or (.Values.deployment.openshiftOAuthProxy.enabled) (.Values.deployment.volumes) (and (eq .Values.persistence.enabled true) (eq .Values.persistence.mountPVC true) )}} 
       volumes:
+        {{- if .Values.deployment.openshiftOAuthProxy.enabled }}
+      - name: proxy-tls
+        secret:
+          secretName: {{ .Values.deployment.openshiftOAuthProxy.secretName }}
+        {{- end }}
         {{- if (eq .Values.persistence.mountPVC true) }}
       - name: {{ template "application.name" . }}-data
         persistentVolumeClaim:

application/templates/route.yaml

@@ -19,7 +19,12 @@ spec:
   host: {{ .Values.route.host }}
 {{- end }}
   port:
+    {{- if .Values.deployment.openshiftOAuthProxy.enabled }}
+    targetPort: proxy
+    {{- else }}
 {{ toYaml .Values.route.port | indent 4 }}
+    {{- end }}
+
   to:
     kind: Service
     name: {{ template "application.name" . }}

application/templates/service.yaml

@@ -8,9 +8,14 @@ metadata:
 {{- if .Values.service.additionalLabels }}
 {{ toYaml .Values.service.additionalLabels | indent 4 }}
 {{- end }}
-{{- if .Values.service.annotations }}
+{{- if or .Values.service.annotations .Values.deployment.openshiftOAuthProxy.enabled }}
   annotations:
+  {{- if .Values.service.annotations }}
 {{ toYaml .Values.service.annotations | indent 4 }}
+  {{- end }}
+  {{- if .Values.deployment.openshiftOAuthProxy.enabled }}
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.deployment.openshiftOAuthProxy.secretName }}
+  {{- end }}
 {{- end }}
   name: {{ template "application.name" . }}
 spec:
@@ -20,5 +25,12 @@ spec:
 {{ toYaml .Values.deployment.podLabels | indent 4 }}
 {{- end }}
   ports:
+  {{- if .Values.deployment.openshiftOAuthProxy.enabled }}
+  - name: proxy
+    port: 443
+    protocol: TCP
+    targetPort: 8443
+  {{- else }}
 {{ toYaml .Values.service.ports | indent 4 }}
+  {{- end }}
 {{- end }}

application/templates/serviceaccount.yaml

@@ -8,10 +8,16 @@ metadata:
 {{- if .Values.rbac.serviceAccount.additionalLabels }}
 {{ toYaml .Values.rbac.serviceAccount.additionalLabels | indent 4 }}
 {{- end }}
-{{- if .Values.rbac.serviceAccount.annotations }}
+{{- if or .Values.rbac.serviceAccount.annotations .Values.deployment.openshiftOAuthProxy.enabled }}
   annotations:
+  {{- if .Values.rbac.serviceAccount.annotations }}
 {{ toYaml .Values.rbac.serviceAccount.annotations | indent 4 }}
+  {{- end }}
+  {{- if .Values.deployment.openshiftOAuthProxy.enabled }}
+    serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"{{ template "application.name" . }}"}}'
+  {{- end }}
 {{- end }}
+
 {{- if .Values.rbac.serviceAccount.name }}
   name: {{ .Values.rbac.serviceAccount.name }}
 {{- else }}

application/values.yaml

@@ -135,6 +135,11 @@ deployment:
       memory: 128Mi
       cpu: 0.1
 
+  openshiftOAuthProxy: 
+    enabled: false
+    port: 8080
+    secretName: "openshift-oauth-proxy-tls"
+
   # Add additional containers besides init and app containers
   additionalContainers:
   # - name: sidecar-contaner