From cbb8ca3ff81d66babfe70595f7b3ca31e8082706 Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Fri, 14 Nov 2025 19:31:35 +0100 Subject: [PATCH] feat: add gateway api support Signed-off-by: Jan Larwig --- helm/oauth2-proxy/Chart.yaml | 6 +- helm/oauth2-proxy/README.md | 64 ++++++++++++++++-- helm/oauth2-proxy/ci/gateway-api-minimal.yaml | 7 ++ helm/oauth2-proxy/ci/gateway-api.yaml | 17 +++++ helm/oauth2-proxy/templates/httproute.yaml | 65 +++++++++++++++++++ helm/oauth2-proxy/values.yaml | 58 +++++++++++------ 6 files changed, 190 insertions(+), 27 deletions(-) create mode 100644 helm/oauth2-proxy/ci/gateway-api-minimal.yaml create mode 100644 helm/oauth2-proxy/ci/gateway-api.yaml create mode 100644 helm/oauth2-proxy/templates/httproute.yaml diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index b633186..24125a9 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 8.4.0 +version: 8.5.0 apiVersion: v2 appVersion: 7.13.0 home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -32,7 +32,7 @@ kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - kind: added - description: Add imagePullSecrets support to ServiceAccount + description: Add HTTPRoutes for Gateway API support links: - name: Github PR - url: https://github.com/oauth2-proxy/manifests/pull/368 + url: https://github.com/oauth2-proxy/manifests/pull/369 diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md index 9928cd4..7181bed 100644 --- a/helm/oauth2-proxy/README.md +++ b/helm/oauth2-proxy/README.md 
@@ -127,7 +127,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | | `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | | `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | -| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | +| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` | | `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | | `alphaConfig.annotations` | Configmap annotations | `{}` | | `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | 
@@ -170,9 +170,16 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `ingress.annotations` | Ingress annotations | `nil` | | `ingress.hosts` | Ingress accepted hostnames | `nil` | | `ingress.tls` | Ingress TLS configuration | `nil` | +| `gatewayApi.enabled` | Enable Gateway API HTTPRoute | `false` | +| `gatewayApi.gatewayRef.name` | Name of the Gateway resource to attach the HTTPRoute to | `""` | +| `gatewayApi.gatewayRef.namespace` | Namespace of the Gateway resource | `""` | +| `gatewayApi.hostnames` | Hostnames to match in the HTTPRoute | `[]` | +| `gatewayApi.rules` | HTTPRoute rule configuration. If not specified, a default rule with PathPrefix `/` will be created | `[]` | +| `gatewayApi.labels` | Additional labels to add to the HTTPRoute | `{}` | +| `gatewayApi.annotations` | Additional annotations to add to the HTTPRoute | `{}` | | `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | | `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | -| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` | +| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` | | `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor \| replace "+" "")` | | `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | | `initContainers.waitForRedis.timeout` | number of seconds | 180 | 
@@ -191,7 +198,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | | `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null | | `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 | -| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` | +| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` | | `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | | `priorityClassName` | priorityClassName | `nil` | | `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | 
@@ -201,7 +208,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `readinessProbe.successThreshold` | number of successes | 1 | | `replicaCount` | desired number of pods | `1` | | `resources` | pod resource requests & limits | `{}` | -| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` | +| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` | | `revisionHistoryLimit` | maximum number of revisions maintained | 10 | | `service.portNumber` | port number for the service | `80` | | `service.appProtocol` | application protocol on the port of the service | `http` | 
@@ -273,6 +280,55 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml > **Tip**: You can use the default [values.yaml](values.yaml) +## Gateway API HTTPRoute Configuration + +This chart supports using [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resources as an alternative to traditional Ingress resources. To use Gateway API: + +1. Ensure the Gateway API CRDs are installed in your cluster +2. Create a Gateway resource (or use an existing one) +3. Configure the chart to create an HTTPRoute + +### Basic Gateway API Configuration + +```yaml +gatewayApi: + enabled: true + gatewayRef: + name: my-gateway + namespace: gateway-system + hostnames: + - oauth.example.com +``` + +### Advanced Gateway API Configuration with Custom Rules + +```yaml +gatewayApi: + enabled: true + gatewayRef: + name: my-gateway + namespace: gateway-system + hostnames: + - oauth.example.com + rules: + - matches: + - path: + type: PathPrefix + value: /oauth2 + filters: + - type: RequestHeaderModifier + requestHeaderModifier: + add: + - name: X-Auth-Request + value: "true" + labels: + app: oauth2-proxy + annotations: + example.com/annotation: "value" +``` + +If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service. + ## TLS Configuration See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). diff --git a/helm/oauth2-proxy/ci/gateway-api-minimal.yaml b/helm/oauth2-proxy/ci/gateway-api-minimal.yaml new file mode 100644 index 0000000..e5a6a4f --- /dev/null +++ b/helm/oauth2-proxy/ci/gateway-api-minimal.yaml @@ -0,0 +1,7 @@ +# Minimal Gateway API configuration with default rule +gatewayApi: + enabled: true + gatewayRef: + name: minimal-gateway + hostnames: + - minimal.example.com diff --git a/helm/oauth2-proxy/ci/gateway-api.yaml b/helm/oauth2-proxy/ci/gateway-api.yaml new file mode 100644 index 0000000..51c8142 --- /dev/null 
+++ b/helm/oauth2-proxy/ci/gateway-api.yaml
@@ -0,0 +1,17 @@
+# Test values for Gateway API HTTPRoute configuration
+gatewayApi:
+ enabled: true
+ gatewayRef:
+ name: example-gateway
+ namespace: gateway-system
+ hostnames:
+ - oauth.example.com
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /oauth2
+ annotations:
+ example.com/annotation: "value"
+ labels:
+ example.com/label: "value"
diff --git a/helm/oauth2-proxy/templates/httproute.yaml b/helm/oauth2-proxy/templates/httproute.yaml
new file mode 100644
index 0000000..ab9eada
--- /dev/null
+++ b/helm/oauth2-proxy/templates/httproute.yaml
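Review bot: Neither ci values file exercises the `backendRefs` override or the `filters` branch of templates/httproute.yaml; the rule in this file stops at a `matches` entry, and gateway-api-minimal.yaml only covers the default-rule path. The README's advanced example relies on `filters` rendering at the correct indent under a rule, so adding a `filters:` entry with a `RequestHeaderModifier` (as in that example) to this file's rule would let the chart-testing run catch an indentation slip in that branch. A second rule carrying an explicit `backendRefs` entry would cover the remaining untested branch.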
@@ -0,0 +1,65 @@
+{{- if .Values.gatewayApi.enabled -}}
+{{- $serviceName := include "oauth2-proxy.fullname" . -}}
+{{- $servicePort := .Values.service.portNumber -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ app: {{ template "oauth2-proxy.name" . }}
+ {{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.gatewayApi.labels }}
+{{ toYaml .Values.gatewayApi.labels | indent 4 }}
+{{- end }}
+ name: {{ template "oauth2-proxy.fullname" . }}
+ namespace: {{ template "oauth2-proxy.namespace" $ }}
+{{- with .Values.gatewayApi.annotations }}
+ annotations:
+{{ tpl ( toYaml . ) $ | indent 4 }}
+{{- end }}
+spec:
+ {{- if .Values.gatewayApi.gatewayRef.name }}
+ parentRefs:
+ - name: {{ .Values.gatewayApi.gatewayRef.name }}
+ {{- if .Values.gatewayApi.gatewayRef.namespace }}
+ namespace: {{ .Values.gatewayApi.gatewayRef.namespace }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.gatewayApi.hostnames }}
+ hostnames:
+ {{- range .Values.gatewayApi.hostnames }}
+ - {{ tpl . $ | quote }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- if .Values.gatewayApi.rules }}
+ {{- range .Values.gatewayApi.rules }}
+ - matches:
+ {{- if .matches }}
+ {{- toYaml .matches | nindent 4 }}
+ {{- else }}
+ - path:
+ type: PathPrefix
+ value: /
+ {{- end }}
+ backendRefs:
+ {{- if .backendRefs }}
+ {{- toYaml .backendRefs | nindent 4 }}
+ {{- else }}
+ - name: {{ $serviceName }}
+ port: {{ $servicePort }}
+ {{- end }}
+ {{- if .filters }}
+ filters:
+ {{- toYaml .filters | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ $serviceName }}
+ port: {{ $servicePort }}
+ {{- end }}
+{{- end -}}
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index 728fbaa..33361cc 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
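Review bot: With gatewayApi.enabled set and gatewayRef.name left at its default `""`, the `{{- if .Values.gatewayApi.gatewayRef.name }}` guard drops `parentRefs` entirely and the chart renders an HTTPRoute that is attached to no Gateway, so the misconfiguration shows up only as a route that never serves traffic. Failing at render time is clearer: `- name: {{ required "gatewayApi.gatewayRef.name must be set when gatewayApi.enabled is true" .Values.gatewayApi.gatewayRef.name }}`, keeping the inner namespace guard as it is and dropping the outer `if`. Separately, the extra labels are emitted with plain `toYaml` while the annotations go through `tpl`; if that asymmetry is intended, a values.yaml comment stating that annotations are templated and labels are not would save a surprise later.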
@@ -31,8 +31,7 @@ config: # The name of the cookie that oauth2-proxy will create # If left empty, it will default to the release name cookieName: "" - google: - {} + google: {} # adminEmail: xxxx # useApplicationDefaultCredentials: true # targetPrincipal: xxxx @@ -84,8 +83,7 @@ image: # Optionally specify an array of imagePullSecrets. # Secrets must be manually created in the namespace. # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod -imagePullSecrets: - [] +imagePullSecrets: [] # - name: myRegistryKeySecretName # Set a custom containerPort if required. @@ -215,8 +213,35 @@ ingress: # hosts: # - chart-example.local -resources: - {} +# Gateway API HTTPRoute configuration +# Ref: https://gateway-api.sigs.k8s.io/api-types/httproute/ +gatewayApi: + enabled: false + # The name of the Gateway resource to attach the HTTPRoute to + # Example: + # gatewayRef: + # name: gateway + # namespace: gateway-system + gatewayRef: + name: "" + namespace: "" + # HTTPRoute rule configuration + # rules: + # - matches: + # - path: + # type: PathPrefix + # value: / + rules: [] + # Hostnames to match in the HTTPRoute + # hostnames: + # - chart-example.local + hostnames: [] + # Additional labels to add to the HTTPRoute + labels: {} + # Additional annotations to add to the HTTPRoute + annotations: {} + +resources: {} # limits: # cpu: 100m # memory: 300Mi @@ -232,26 +257,22 @@ resizePolicy: [] # - resourceName: memory # restartPolicy: RestartContainer -extraVolumes: - [] +extraVolumes: [] # - name: ca-bundle-cert # secret: # secretName: -extraVolumeMounts: - [] +extraVolumeMounts: [] # - mountPath: /etc/ssl/certs/ # name: ca-bundle-cert # Additional containers to be added to the pod. -extraContainers: - [] +extraContainers: [] # - name: my-sidecar # image: nginx:latest # Additional Init containers to be added to the pod. -extraInitContainers: - [] +extraInitContainers: [] # - name: wait-for-idp # image: my-idp-wait:latest # command: 
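Review bot: The `gatewayRef` example in the new gatewayApi block points at a Gateway in another namespace (`gateway-system`) but does not say that a cross-namespace attachment is only honoured when that Gateway's listener `allowedRoutes.namespaces` admits the release namespace; otherwise the HTTPRoute is created but is not accepted by the Gateway, with no error from Helm. A comment beside `namespace: ""` such as `# Attaching across namespaces also requires the Gateway listener's allowedRoutes.namespaces to allow this release's namespace` would save that debugging round. The `hostnames: []` comment could likewise state that an empty list leaves hostname matching to the referenced listeners, so the route answers for every hostname they accept rather than only the oauth2-proxy one.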
@@ -351,8 +372,7 @@ autoscaling: annotations: {} # Configure HPA behavior policies for scaling if needed # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior - behavior: - {} + behavior: {} # scaleDown: # stabilizationWindowSeconds: 300 # policies: @@ -405,8 +425,7 @@ initContainers: seccompProfile: type: RuntimeDefault timeout: 180 - resources: - {} + resources: {} # limits: # cpu: 100m # memory: 300Mi @@ -547,8 +566,7 @@ metrics: # action: replace # Extra K8s manifests to deploy -extraObjects: - [] +extraObjects: [] # - apiVersion: secrets-store.csi.x-k8s.io/v1 # kind: SecretProviderClass # metadata: