Merge pull request #92 from bluebrown/feature/wait-for-redis

add init container to block until redis is ready

Author: pierluigilenoci

helm/oauth2-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 6.14.0
+version: 6.15.0
 apiVersion: v2
 appVersion: 7.4.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -32,3 +32,12 @@ maintainers:
   - name: pierluigilenoci
     email: [email protected]
 kubeVersion: ">=1.9.0-0"
+annotations:
+  artifacthub.io/changes: |
+    - kind: added
+      description: optional init container to wait for redis subchart's master pod to be ready
+      links:
+        - name: Github Issue
+          url: https://github.com/oauth2-proxy/manifests/issues/91
+        - name: Github PR
+          url: https://github.com/oauth2-proxy/manifests/pull/92

helm/oauth2-proxy/README.md

@@ -143,6 +143,8 @@ Parameter | Description | Default
 `ingress.annotations` | Ingress annotations | `nil`
 `ingress.hosts` | Ingress accepted hostnames | `nil`
 `ingress.tls` | Ingress TLS configuration | `nil`
+`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true`
+`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor`
 `livenessProbe.enabled`  | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
 `livenessProbe.initialDelaySeconds` | number of seconds | 0
 `livenessProbe.timeoutSeconds` | number of seconds | 1

helm/oauth2-proxy/templates/deployment.yaml

@@ -57,6 +57,21 @@ spec:
           hostnames:
           - {{ .Values.hostAlias.hostname }}
       {{- end }}
+      initContainers:
+      {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+      - name: wait-for-redis
+        image: "docker.io/bitnami/kubectl:{{ default (printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor) .Values.initContainers.waitForRedis.kubectlVersion }}"
+        args:
+          - wait
+          - pod/{{ include "oauth2-proxy.redis.fullname" . }}-master-0
+          - --for=condition=ready
+          - --timeout=180s
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65534
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"

helm/oauth2-proxy/templates/serviceaccount.yaml

@@ -1,4 +1,10 @@
 {{- if or .Values.serviceAccount.enabled -}}
+{{- $fullName := include "oauth2-proxy.fullname" .  -}}
+{{- $saName := include "oauth2-proxy.serviceAccountName" . -}}
+{{- $name := include "oauth2-proxy.name" . -}}
+{{- $namespace := include "oauth2-proxy.namespace" $ -}}
+{{- $labels := include "oauth2-proxy.labels" . -}}
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,9 +13,46 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   labels:
-    app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
-  name: {{ template "oauth2-proxy.serviceAccountName" . }}
-  namespace: {{ template "oauth2-proxy.namespace" $ }}
+    app: {{ $name }}
+{{- $labels | indent 4 }}
+  name: {{ $saName }}
+  namespace: {{ $namespace }}
 automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $fullName }}-watch-redis
+  labels:
+    app: {{ $name }}
+    {{- $labels | nindent 4 }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  resourceNames:
+    - "{{ include "oauth2-proxy.redis.fullname" . }}-master-0"
+  verbs:
+    - get
+    - list
+    - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $saName }}-watch-redis
+  labels:
+    app: {{ $name }}
+    {{- $labels | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $saName }}
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: {{ $fullName }}-watch-redis
+  apiGroup: ""
+{{- end -}}
 {{- end -}}

helm/oauth2-proxy/values.yaml

@@ -266,6 +266,17 @@ podSecurityContext: {}
 # whether to use http or https
 httpScheme: http
 
+initContainers:
+  # if the redis sub-chart is enabled, wait for it to be ready
+  # before starting the proxy
+  # creates a role binding to get, list, watch, the redis master pod
+  # if service account is enabled
+  waitForRedis:
+    enabled: true
+    # uses the kubernetes version of the cluster
+    # the chart is deployed on, if not set
+    kubectlVersion: ""
+
 # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
 # Alternatively supply an existing secret which contains the required information.
 htpasswdFile: