Merge pull request #127 from kvanzuijlen/workload-identity-support

Added support for using Workload Identity to the Helm chart

Merge pull request #127 from kvanzuijlen/workload-identity-support
Added support for using Workload Identity to the Helm chart
3500132e · Pierluigi Lenoci · GitHub · 2f2f3854 · c09d01b5 · 3500132e
Unverified Commit 3500132e authored 2 years ago by Pierluigi Lenoci Committed by GitHub 2 years ago
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
 name: oauth2-proxy
-version: 6.7.3
+version: 6.8.0
 apiVersion: v2
 appVersion: 7.4.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/

--- a/helm/oauth2-proxy/README.md
+++ b/helm/oauth2-proxy/README.md
@@ -110,6 +110,8 @@ Parameter | Description | Default
 `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil`
 `customLabels` | Custom labels to add into metadata | `{}` |
 `config.google.adminEmail` | user impersonated by the google service account | `""`
+`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false`
+`config.google.targetPrincipal` | service account to use/impersonate | `""`
 `config.google.serviceAccountJson` | google service account json contents | `""`
 `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil`
 `config.google.groups` | restrict logins to members of these google groups | `[]`

--- a/helm/oauth2-proxy/templates/deployment.yaml
+++ b/helm/oauth2-proxy/templates/deployment.yaml
@@ -95,10 +95,17 @@ spec:
        {{- end }}
        {{- end }}
        {{- with .Values.config.google }}
-        {{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+        {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
          - --google-admin-email={{ .adminEmail }}
+        {{- if .useApplicationDefaultCredentials }}
+          - --google-use-application-default-credentials=true
+        {{- else }}
          - --google-service-account-json=/google/service-account.json
        {{- end }}
+        {{- if .targetPrincipal }}
+          - --google-target-principal={{ .targetPrincipal }}
+        {{- end }}
+        {{- end }}
        {{- if .groups }}
        {{- range $group := .groups }}
          - --google-group={{ $group }}

--- a/helm/oauth2-proxy/templates/google-secret.yaml
+++ b/helm/oauth2-proxy/templates/google-secret.yaml
-{{- if and .Values.config.google (not .Values.config.google.existingSecret) }}
+{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }}
 apiVersion: v1
 kind: Secret
 metadata:

--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -22,6 +22,8 @@ config:
  cookieName: ""
  google: {}
    # adminEmail: xxxx
+    # useApplicationDefaultCredentials: true
+    # targetPrincipal: xxxx
    # serviceAccountJson: xxxx
    # Alternatively, use an existing secret (see google-secret.yaml for required fields)
    # Example: