METAL-2771 v3 with forked gitlab actions (#2)

Signed-off-by: Denis Dabischa <[email protected]>

Co-authored-by: Damian Peckett <[email protected]>

README.md

@@ -1,7 +1,5 @@
 # Buzzfeed SSO
 
-[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/minddocdev)](https://artifacthub.io/packages/search?repo=minddocdev)
-
 Single sign-on for your Kubernetes services using Google OAuth (more providers are welcomed)
 
 - [Blogpost](https://tech.buzzfeed.com/unleashing-the-a6a1a5da39d6?gi=e6db395406ae)
@@ -13,8 +11,6 @@ This helm chart is heavily inspired in [Buzzfeed's example](https://github.com/b
 
 Many of the Kubernetes OAuth solutions require to run an extra container within the pod using [oauth2_proxy](https://github.com/bitly/oauth2_proxy), but the project seems to not be maintained anymore. The approach presented on this chart allows to have a global OAuth2 Proxy that can protect services even in different namespaces, thanks to [Kube DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/).
 
-We use this chart in production at [MindDoc](https://minddoc.de) for protecting endpoints that have no built-in authentication (or that would require to run inner containers), like `Kibana`, `Prometheus`, etc...
-
 ## Introduction
 
 This chart creates a SSO deployment on a [Kubernetes](http://kubernetes.io)
@@ -30,8 +26,8 @@ cluster using the [Helm](https://helm.sh) package manager.
 To install the chart with the release name `my-release`:
 
 ```bash
-helm repo add minddoc https://minddocdev.github.io/charts
-helm install --name my-release minddoc/buzzfeed-sso
+helm repo add kci-buzzfeed-sso https://kloeckner-i.github.io/buzzfeed-sso/
+helm install --name my-release kci-buzzfeed-sso/buzzfeed-sso
 ```
 
 The command deploys SSO on the Kubernetes cluster using the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -199,7 +195,7 @@ helm upgrade -f values.yaml my-release minddoc/buzzfeed-sso
 
 ## Contributors
 
-This is the list of contributors to the original [incubator/buzfeed-sso](https://github.com/helm/charts/tree/master/incubator/buzzfeed-sso) chart:
+This is the list of contributors to the original [incubator/buzfeed-sso](https://github.com/helm/charts/tree/master/incubator/buzzfeed-sso) chart and the first fork [minddocdev/buzzfeed-sso](https://github.com/minddocdev/buzzfeed-sso):
 
 - @anas-aso
 - @cameronattard
@@ -213,4 +209,5 @@ This is the list of contributors to the original [incubator/buzfeed-sso](https:/
 - @tuanahnguyen-ct
 - @willejs
 
+
 New contributors are always welcomed!

charts/buzzfeed-sso/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 description: Single sign-on for your Kubernetes services using Google OAuth
 name: buzzfeed-sso
-version: 0.3.1-testing
-appVersion: 2.1.0
+version: 0.3.2
+appVersion: 3.0.0
 home: https://github.com/buzzfeed/sso
 sources:
   - https://hub.docker.com/r/buzzfeed/sso/

charts/buzzfeed-sso/templates/auth-deployment.yaml

@@ -87,14 +87,12 @@ spec:
                   key: auth-cookie-secret
             - name: SESSION_COOKIE_SECURE
               value: "true"
-            - name: CLUSTER
-              value: {{ .Values.cluster | quote }}
             # Provider variables
           {{- with .Values.provider.google }}
             - name: PROVIDER_GOOGLE_TYPE
               value: google
             - name: PROVIDER_GOOGLE_SLUG
-              value: {{ .slug | default "oauth2" | quote }}
+              value: {{ .slug | default "google" | quote }}
           {{- if .adminEmail }}
             - name: PROVIDER_GOOGLE_GOOGLE_IMPERSONATE
               value: {{ .adminEmail | quote }}

charts/buzzfeed-sso/templates/proxy-deployment.yaml

@@ -56,34 +56,34 @@ spec:
                 secretKeyRef:
                   name: {{ $proxySecret }}
                   key: proxy-client-secret
-            - name: COOKIE_SECRET
+            - name: SESSION_COOKIE_SECRET
               valueFrom:
                 secretKeyRef:
                   name: {{ $proxySecret }}
                   key: proxy-cookie-secret
             {{- if .Values.proxy.defaultAllowedEmailDomains }}
             {{- if (eq "-" .Values.proxy.defaultAllowedEmailDomains) }}
-            - name: DEFAULT_ALLOWED_EMAIL_DOMAINS
+            - name: UPSTREAM_DEFAULT_EMAIL_DOMAINS
               value: ""
             {{- else }}
-            - name: DEFAULT_ALLOWED_EMAIL_DOMAINS
+            - name: UPSTREAM_DEFAULT_EMAIL_DOMAINS
               value: {{ .Values.proxy.defaultAllowedEmailDomains | quote }}
             {{- end }}
             {{- else }}
-            - name: DEFAULT_ALLOWED_EMAIL_DOMAINS
+            - name: UPSTREAM_DEFAULT_EMAIL_DOMAINS
               value: {{ .Values.emailDomain | quote }}
             {{- end }}
             {{- if .Values.whitelistedEmails }}
-            - name: DEFAULT_ALLOWED_EMAIL_ADDRESSES
+            - name: UPSTREAM_DEFAULT_EMAIL_ADDRESSES
               value: {{ .Values.whitelistedEmails }}
             {{- end }}
-            - name: UPSTREAM_CONFIGS
+            - name: UPSTREAM_CONFIGFILE
               value: /sso/upstream_configs.yml
-            - name: PROVIDER_URL
+            - name: PROVIDER_URL_EXTERNAL
               value: https://{{ .Values.auth.domain }}
-            - name: COOKIE_SECURE
+            - name: SESSION_COOKIE_SECURE
               value: "true"
-            - name: CLUSTER
+            - name: UPSTREAM_CLUSTER
               value: {{ .Values.cluster | quote }}
             - name: DEFAULT_PROVIDER_SLUG
               value: {{ .Values.provider.google.slug | default "oauth2" | quote }}

charts/buzzfeed-sso/values.yaml

@@ -67,7 +67,7 @@ proxy:
   # # Or if you do not want to create the secret via helm
   # customSecret: my-sso-proxy-secret
 
-  # If you are using_allowed groups in upstreams, DEFAULT_ALLOWED_EMAIL_DOMAINS needs to be an empty string
+  # If you are using_allowed groups in upstreams, UPSTREAM_DEFAULT_EMAIL_DOMAINS needs to be an empty string
   # this is explained in this pr https://github.com/buzzfeed/sso/pull/280#issuecomment-584088825
   # to get an empty value, set the string below to -, as per this issue https://github.com/helm/helm/issues/2600#issuecomment-310108850
   # otherwise populate it with your default allowed email domains
@@ -89,7 +89,7 @@ provider:
 
 image:
   repository: buzzfeed/sso
-  tag: v2.1.0
+  tag: v3.0.0
   pullPolicy: IfNotPresent
 
 ingress: