Merged
6 changes: 3 additions & 3 deletions helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
name: oauth2-proxy
version: 8.4.0
version: 8.5.0
apiVersion: v2
appVersion: 7.13.0
home: https://oauth2-proxy.github.io/oauth2-proxy/
Expand Down Expand Up @@ -32,7 +32,7 @@ kubeVersion: ">=1.16.0-0"
annotations:
artifacthub.io/changes: |
- kind: added
description: Add imagePullSecrets support to ServiceAccount
description: Add HTTPRoutes for Gateway API support
links:
- name: Github PR
url: https://github.com/oauth2-proxy/manifests/pull/368
url: https://github.com/oauth2-proxy/manifests/pull/369
64 changes: 60 additions & 4 deletions helm/oauth2-proxy/README.md
Expand Up @@ -127,7 +127,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart
| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` |
| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` |
| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` |
| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` |
| `autoscaling.behavior` | Configure HPA behavior policies for scaling. See [docs](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior) | `{}` |
| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` |
| `alphaConfig.annotations` | Configmap annotations | `{}` |
| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` |
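Review bot: The `autoscaling.behavior` row is removed and re-added with text that reads identically here, so this looks like a whitespace-only realignment of the table; the same applies to the `initContainers.waitForRedis.image.repository`, `podDisruptionBudget.unhealthyPodEvictionPolicy` and `resizePolicy` rows further down. Consider moving these to a formatting-only commit so the Gateway API change is easier to audit on its own.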
Expand Down Expand Up @@ -170,9 +170,16 @@ The following table lists the configurable parameters of the oauth2-proxy chart
| `ingress.annotations` | Ingress annotations | `nil` |
| `ingress.hosts` | Ingress accepted hostnames | `nil` |
| `ingress.tls` | Ingress TLS configuration | `nil` |
| `gatewayApi.enabled` | Enable Gateway API HTTPRoute | `false` |
| `gatewayApi.gatewayRef.name` | Name of the Gateway resource to attach the HTTPRoute to | `""` |
| `gatewayApi.gatewayRef.namespace` | Namespace of the Gateway resource | `""` |
| `gatewayApi.hostnames` | Hostnames to match in the HTTPRoute | `[]` |
| `gatewayApi.rules` | HTTPRoute rule configuration. If not specified, a default rule with PathPrefix `/` will be created | `[]` |
| `gatewayApi.labels` | Additional labels to add to the HTTPRoute | `{}` |
| `gatewayApi.annotations` | Additional annotations to add to the HTTPRoute | `{}` |
| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` |
| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` |
| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` |
| `initContainers.waitForRedis.image.repository` | kubectl image repository | `alpine` |
| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor \| replace "+" "")` |
| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` |
| `initContainers.waitForRedis.timeout` | number of seconds | 180 |
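Review bot: The new `gatewayApi.gatewayRef.name` and `gatewayApi.gatewayRef.namespace` rows both default to `""`, but the descriptions do not say what happens when `gatewayApi.enabled` is true and they are left empty. Please document that `name` is required once the feature is enabled (ideally enforced with a template failure rather than an HTTPRoute with an empty parent), and say whether an empty `namespace` is omitted from the parent reference, in which case Gateway API resolves it to the HTTPRoute's own namespace. A sentence on cross-namespace use would help too: attaching to a Gateway in another namespace only works if that Gateway's listeners permit routes from the release namespace via `allowedRoutes`, and that is the control that decides who may bind hostnames to a shared Gateway.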
Expand All @@ -191,7 +198,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart
| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true |
| `podDisruptionBudget.maxUnavailable` | maxUnavailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | null |
| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget, one of maxUnavailable and minAvailable must be null | 1 |
| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` |
| `podDisruptionBudget.unhealthyPodEvictionPolicy` | Policy for when unhealthy pods should be considered for eviction. Valid values are "IfHealthyBudget" and "AlwaysAllow". See [Kubernetes docs](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy) | `""` |
| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` |
| `priorityClassName` | priorityClassName | `nil` |
| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` |
Expand All @@ -201,7 +208,7 @@ The following table lists the configurable parameters of the oauth2-proxy chart
| `readinessProbe.successThreshold` | number of successes | 1 |
| `replicaCount` | desired number of pods | `1` |
| `resources` | pod resource requests & limits | `{}` |
| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` |
| `resizePolicy` | Container resize policy for runtime resource updates. See [Kubernetes docs](https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/) | `[]` |
| `revisionHistoryLimit` | maximum number of revisions maintained | 10 |
| `service.portNumber` | port number for the service | `80` |
| `service.appProtocol` | application protocol on the port of the service | `http` |
Expand Down Expand Up @@ -273,6 +280,55 @@ $ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml

> **Tip**: You can use the default [values.yaml](values.yaml)

## Gateway API HTTPRoute Configuration

This chart supports using [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) HTTPRoute resources as an alternative to traditional Ingress resources. To use Gateway API:

1. Ensure the Gateway API CRDs are installed in your cluster
2. Create a Gateway resource (or use an existing one)
3. Configure the chart to create an HTTPRoute

### Basic Gateway API Configuration

```yaml
gatewayApi:
enabled: true
gatewayRef:
name: my-gateway
namespace: gateway-system
hostnames:
- oauth.example.com
```

### Advanced Gateway API Configuration with Custom Rules

```yaml
gatewayApi:
enabled: true
gatewayRef:
name: my-gateway
namespace: gateway-system
hostnames:
- oauth.example.com
rules:
- matches:
- path:
type: PathPrefix
value: /oauth2
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
add:
- name: X-Auth-Request
value: "true"
labels:
app: oauth2-proxy
annotations:
example.com/annotation: "value"
```

If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.

## TLS Configuration

See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/).
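Review bot: In the advanced example, the `RequestHeaderModifier` uses `add` with `X-Auth-Request: "true"`, a name that closely resembles the `X-Auth-Request-*` headers oauth2-proxy itself emits, and `add` appends to whatever value the client already sent instead of replacing it. README examples get copied verbatim, so I would switch the filter to `set` and use a neutral, clearly illustrative header name, so that nobody ends up treating a client-influenced header as an authentication signal. Separately, the custom rule has `matches` and `filters` but no `backendRefs`, while the closing paragraph only says the default rule routes to the oauth2-proxy service; please state whether the chart injects the backend into custom rules or whether the user must supply it.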
7 changes: 7 additions & 0 deletions helm/oauth2-proxy/ci/gateway-api-minimal.yaml
@@ -0,0 +1,7 @@
# Minimal Gateway API configuration with default rule
gatewayApi:
enabled: true
gatewayRef:
name: minimal-gateway
hostnames:
- minimal.example.com
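Review bot: This file is named `gateway-api-minimal.yaml`; if the chart's CI relies on chart-testing, that tool only picks up values files in `ci/` matching `*-values.yaml`, so this case and `gateway-api.yaml` would never be linted or installed. Rename to `gateway-api-minimal-values.yaml` if that is the runner in use. The header comment could also say that `gatewayRef.namespace` is omitted on purpose, since this is the only one of the two new cases that covers the empty-namespace path.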
17 changes: 17 additions & 0 deletions helm/oauth2-proxy/ci/gateway-api.yaml
@@ -0,0 +1,17 @@
# Test values for Gateway API HTTPRoute configuration
gatewayApi:
enabled: true
gatewayRef:
name: example-gateway
namespace: gateway-system
hostnames:
- oauth.example.com
rules:
- matches:
- path:
type: PathPrefix
value: /oauth2
annotations:
example.com/annotation: "value"
labels:
example.com/label: "value"
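Review bot: The `rules` entry here has `matches` only, so the `filters` path that the README's advanced example documents is not rendered by either test values file. Add a `filters` block (a single `RequestHeaderModifier` is enough) so a templating error in that branch is caught. Note also that an install test with these values needs the Gateway API CRDs in the test cluster, and nothing in this change creates `example-gateway` in `gateway-system`, so the route can be checked for rendering but not for acceptance by a Gateway.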