Merge pull request #384 from pierluigilenoci/fix/exclude-client-secret-federated-auth

feat: add config.secretKeys to selectively include secrets

Author: pierluigilenoci

helm/oauth2-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 10.0.3
+version: 10.1.0
 apiVersion: v2
 appVersion: 7.13.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -30,15 +30,10 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: Fix error msg which mentioned the old redis.… subchart values
+    - kind: added
+      description: Added config.requiredSecretKeys option to selectively include secrets (allows excluding client-secret for federated auth scenarios)
       links:
         - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/386
-    - kind: fixed
-      description: Fix image registry priority order - local image.registry now takes precedence over global.imageRegistry
-      links:
-        - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/383
+          url: https://github.com/oauth2-proxy/manifests/pull/384
         - name: Github Issue
-          url: https://github.com/oauth2-proxy/manifests/issues/379
+          url: https://github.com/oauth2-proxy/manifests/issues/376

helm/oauth2-proxy/templates/_helpers.tpl

@@ -164,7 +164,13 @@ metricsServer:
 {{- end -}}
 
 {{- define "oauth2-proxy.secrets" -}}
+{{- if has "cookie-secret" .Values.config.requiredSecretKeys }}
 cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
+{{- end }}
+{{- if has "client-secret" .Values.config.requiredSecretKeys }}
 client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }}
+{{- end }}
+{{- if has "client-id" .Values.config.requiredSecretKeys }}
 client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }}
+{{- end }}
 {{- end -}}

helm/oauth2-proxy/templates/deployment.yaml

@@ -182,22 +182,28 @@ spec:
 {{- end }}
         env:
         {{- if .Values.proxyVarsAsSecrets }}
+        {{- if has "client-id" .Values.config.requiredSecretKeys }}
         - name: OAUTH2_PROXY_CLIENT_ID
           valueFrom:
             secretKeyRef:
               name:  {{ template "oauth2-proxy.secretName" . }}
               key: client-id
+        {{- end }}
+        {{- if has "client-secret" .Values.config.requiredSecretKeys }}
         - name: OAUTH2_PROXY_CLIENT_SECRET
           valueFrom:
             secretKeyRef:
               name:  {{ template "oauth2-proxy.secretName" . }}
               key: client-secret
+        {{- end }}
+        {{- if has "cookie-secret" .Values.config.requiredSecretKeys }}
         - name: OAUTH2_PROXY_COOKIE_SECRET
           valueFrom:
             secretKeyRef:
               name:  {{ template "oauth2-proxy.secretName" . }}
               key: cookie-secret
         {{- end }}
+        {{- end }}
         {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
         - name: OAUTH2_PROXY_SESSION_STORE_TYPE
           value: "redis"

helm/oauth2-proxy/values.yaml

@@ -23,6 +23,17 @@ config:
   clientID: "XXXXXXX"
   # OAuth client secret
   clientSecret: "XXXXXXXX"
+  # List of secret keys to include in the secret and expose as environment variables.
+  # By default, all three secrets are required. To exclude certain secrets
+  # (e.g., when using federated token authentication), remove them from this list.
+  # Example to exclude client-secret:
+  # requiredSecretKeys:
+  #   - client-id
+  #   - cookie-secret
+  requiredSecretKeys:
+    - client-id
+    - client-secret
+    - cookie-secret
   # Create a new secret with the following command
   # openssl rand -base64 32 | head -c 32 | base64
   # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)