feat(oauth2-proxy): add sidecar oauth2-proxy

charts/atlantis/README.md

@@ -164,6 +164,21 @@ extraManifests:
 | netrc | string | `""` | When referencing Terraform modules in private repositories or registries (such as Artfactory) configuing a .netrc file for authentication may be required. Check values.yaml for examples. |
 | netrcSecretName | string | `""` | If managing secrets outside the chart for the netrc file, use this variable to reference the secret name |
 | nodeSelector | object | `{}` |  |
+| oAuthSidecar.args | list | `["--show-debug-on-error=true"]` | Additional arguments for OAuth-Proxy Check values.yaml for example with config |
+| oAuthSidecar.containerPort | int | `4180` | Container port for OAuth-Proxy |
+| oAuthSidecar.enableConfig | bool | `false` | Enable CM Config for OAuth-Proxy Check values.yaml for example. |
+| oAuthSidecar.enabled | bool | `false` | Enable Oauth-proxy sidecar for Atlantis |
+| oAuthSidecar.env | list | `[]` | Env for OAuth-Proxy Check values.yaml for example with config |
+| oAuthSidecar.envFrom | list | `[]` | EnvFrom for OAuth-Proxy |
+| oAuthSidecar.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| oAuthSidecar.image.pullSecrets | list | `[]` | Image pull secrets |
+| oAuthSidecar.image.repository | string | `"quay.io/oauth2-proxy/oauth2-proxy"` | Docker registry for OAuth-Proxy image |
+| oAuthSidecar.image.tag | string | `"v7.7.1"` | Tag for OAuth-Proxy image |
+| oAuthSidecar.livenessProbe | object | `{"initialDelaySeconds":0,"timeoutSeconds":1}` | Liveness probe configuration for OAuth-Proxy |
+| oAuthSidecar.readinessProbe | object | `{"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | Readiness probe configuration for OAuth-Proxy |
+| oAuthSidecar.resources | object | `{}` | Resources for OAuth-Proxy Check values.yaml for examples. |
+| oAuthSidecar.securityContext | object | `{}` | Container security context for OAuth-Proxy |
+| oAuthSidecar.volumeMounts | list | `[]` | Volume mounts for OAuth-Proxy |
 | orgAllowlist | string | `"<replace-me>"` | Replace this with your own repo allowlist. |
 | orgWhitelist | string | `"<deprecated>"` | Deprecated in favor of orgAllowlist. |
 | podMonitor | object | `{"enabled":false,"interval":"30s"}` | Enable this if you're using Google Managed Prometheus. |

charts/atlantis/templates/oauth-sidecar-configmap.yaml

@@ -0,0 +1,12 @@
+{{- if and .Values.oAuthSidecar.enabled .Values.oAuthSidecar.enableConfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: oauth-configuration
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "atlantis.labels" . | nindent 4 }}
+data:
+  oauth2-proxy.cfg: |-
+{{ tpl .Values.oAuthSidecar.config . | indent 4 }}
+{{- end }}

charts/atlantis/templates/service.yaml

@@ -28,7 +28,11 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
+      {{- if .Values.oAuthSidecar.enabled }}
+      targetPort: "oauth-proxy"
+      {{- else }}
       targetPort: {{ .Values.service.targetPort }}
+      {{- end }}
     {{- if .Values.service.nodePort }}
       nodePort: {{ .Values.service.nodePort }}
     {{- end }}

charts/atlantis/templates/statefulset.yaml

@@ -83,6 +83,11 @@ spec:
       priorityClassName: {{ .Values.statefulSet.priorityClassName }}
       {{- end }}
       volumes:
+      {{- if and .Values.oAuthSidecar.enabled .Values.oAuthSidecar.enableConfig }}
+      - name: oauth-configuration
+        configMap:
+          name: oauth-configuration
+      {{- end }}
       {{- if and .Values.volumeClaim.enabled ( not .Values.dataStorage ) }}
       - name : atlantis-data
         persistentVolumeClaim:
@@ -201,7 +206,7 @@ spec:
           workingDir: {{ .Values.initConfig.workDir }}
           env:
             - name: PATH
-              value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:{{ .Values.initConfig.sharedDir }}
+              value: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:{{ .Values.initConfig.sharedDir }}"
             - name: INIT_SHARED_DIR
               value: {{ .Values.initConfig.sharedDir }}
           volumeMounts:
@@ -216,6 +221,48 @@ spec:
         {{- end }}
       {{- end }}
       containers:
+      {{- if .Values.oAuthSidecar.enabled }}
+        - name: "{{ .Release.Name }}-oauth2-sidecar"
+          {{- with .Values.oAuthSidecar.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.oAuthSidecar.image.repository }}:{{ .Values.oAuthSidecar.image.tag }}"
+          imagePullPolicy: "{{ .Values.oAuthSidecar.image.pullPolicy }}"
+          args:
+          {{- range .Values.oAuthSidecar.args }}
+            - {{ . }}
+          {{- end }}
+          {{- with .Values.oAuthSidecar.env }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.oAuthSidecar.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          {{- with .Values.oAuthSidecar.volumeMounts }}
+            {{ toYaml . | nindent 12 }}
+          {{- end }}
+          {{- if or .Values.oAuthSidecar.enableConfig }}
+            - name: oauth-configuration
+              mountPath: /etc/oauth2-proxy
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.oAuthSidecar.containerPort }}
+              name: oauth-proxy
+          resources:
+            {{- toYaml .Values.oAuthSidecar.resources | nindent 12 }}
+          {{- if .Values.oAuthSidecar.livenessProbe }}
+          livenessProbe:
+            {{- toYaml .Values.oAuthSidecar.livenessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.oAuthSidecar.readinessProbe }}
+          readinessProbe:
+            {{- toYaml .Values.oAuthSidecar.readinessProbe | nindent 12 }}
+          {{- end }}
+      {{- end }}
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}

charts/atlantis/tests/misc_test.yaml

@@ -35,11 +35,15 @@ tests:
       webhook_ingress:
         enabled: true
       extraManifests:
-      - apiVersion: v1
-        kind: Pod
-        metadata:
-          name: dummy
-          namespace: "my-namespace"
+        - apiVersion: v1
+          kind: Pod
+          metadata:
+            name: dummy
+            namespace: "my-namespace"
+      oAuthSidecar:
+        enabled: true
+        enableConfig: true
+        config: dummy
 
     asserts:
       - equal:

charts/atlantis/tests/oauth-sidecar_test.yaml

@@ -0,0 +1,157 @@
+suite: test statefulset with sidecar
+templates:
+  - oauth-sidecar-configmap.yaml
+  - statefulset.yaml
+  - service.yaml
+  - configmap-config.yaml
+  - configmap-repo-config.yaml
+release:
+  name: my-release
+tests:
+  - it: default values
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].name
+          value: my-release-oauth2-sidecar
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
+      - equal:
+          path: spec.template.spec.containers[0].ports[0]
+          value:
+            containerPort: 4180
+            name: oauth-proxy
+      - equal:
+          path: spec.template.spec.containers[0].args
+          value: ["--show-debug-on-error=true"]
+      - equal:
+          path: spec.template.spec.containers[0].livenessProbe
+          value:
+            initialDelaySeconds: 0
+            timeoutSeconds: 1
+      - equal:
+          path: spec.template.spec.containers[0].readinessProbe
+          value:
+            initialDelaySeconds: 0
+            timeoutSeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+      - notExists:
+          path: spec.template.spec.containers[0].securityContext
+  - it: default service with oauth
+    template: service.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: oauth-proxy
+  - it: env
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        env:
+          - name: client-secret
+            valueFrom:
+              secretKeyRef:
+                name: client-secret
+                key: client-secret-key
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env
+          value:
+            - name: client-secret
+              valueFrom:
+                secretKeyRef:
+                  name: client-secret
+                  key: client-secret-key
+  - it: envFrom
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        envFrom:
+          - secretRef:
+              name: dummy-oidc
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].envFrom
+          value:
+            - secretRef:
+                name: dummy-oidc
+  - it: volumeMount
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        volumeMounts:
+          - mountPath: dummyPath
+            name: dummyName
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            - mountPath: dummyPath
+              name: dummyName
+  - it: imagePullPolicy
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        image:
+          pullPolicy: Always
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+  - it: securityContext
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        securityContext:
+          runAsUser: 1000
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            runAsUser: 1000
+  - it: configMap oauth2 cfg
+    template: oauth-sidecar-configmap.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        enableConfig: true
+        config: |-
+          dummy: config
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: oauth-configuration
+      - equal:
+          path: data
+          value:
+            oauth2-proxy.cfg: |-
+              dummy: config
+  - it: configmap mounted to sidecar
+    template: statefulset.yaml
+    set:
+      oAuthSidecar:
+        enabled: true
+        enableConfig: true
+        config: |-
+          dummy: config
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            - name: oauth-configuration
+              mountPath: /etc/oauth2-proxy

charts/atlantis/tests/statefulset_test.yaml

@@ -170,6 +170,8 @@ tests:
           path: spec.template.spec.updateStrategy
       - notExists:
           path: spec.volumeClaimTemplates
+      - notExists:
+          path: spec.containers[1]
   - it: custom port values
     template: statefulset.yaml
     set: