feat: Add forceLegacyConfig flag for alphaConfig compatibility#385
Open
pierluigilenoci wants to merge 20 commits intooauth2-proxy:mainfrom
Open
feat: Add forceLegacyConfig flag for alphaConfig compatibility#385pierluigilenoci wants to merge 20 commits intooauth2-proxy:mainfrom
pierluigilenoci wants to merge 20 commits intooauth2-proxy:mainfrom
Conversation
When a GitHub release already exists, the chart-releaser-action fails with a "422 Validation Failed" error, preventing the subsequent "Push Charts to GHCR and Sign" step from executing. This causes OCI artifacts to not be published to GHCR. This fix adds `skip_existing: true` to the chart-releaser-action configuration, which allows the workflow to skip the GitHub release creation if it already exists and continue to the GHCR push step. Fixes oauth2-proxy#380 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
…sting-releases fix: add skip_existing to chart-releaser to prevent workflow failures
pierluigilenoci
force-pushed
the
fix/alphaconfig-unified-improvements
branch
6 times, most recently
from
2226bf0 to
ed7aef1
Compare
pierluigilenoci
changed the title
pierluigilenoci
force-pushed
the
fix/alphaconfig-unified-improvements
branch
from
1314875 to
9f00757
Compare
pierluigilenoci
changed the title
tuunit
reviewed
Jan 7, 2026
Comment on lines
+78
to
+95
| # IMPORTANT: If you have a custom configFile with 'upstreams', | ||
| # you MUST: | ||
| # 1. Remove 'upstreams' from your custom configFile | ||
| # 2. Define upstreams in alphaConfig.configData.upstreamConfig | ||
| # (see examples below) | ||
| # 3. Set forceLegacyConfig: false | ||
| forceLegacyConfig: true |
Member
Author
There was a problem hiding this comment.
No, it is not a breaking change. Here's why:
The Scenario Didn't Work Before
When alphaConfig.enabled=true without a custom configFile, the old chart:
- Did not generate a ConfigMap (required
configFileto exist) - Did not mount the config or add
--configflag - Failed with error:
missing setting for email validation
This scenario was broken before this PR.
This PR Fixes That Bug
Now with this PR, the same scenario:
- Automatically generates a minimal ConfigMap with
email_domains - Always mounts it and adds
--configflag - Works correctly - fixes issue failed to load alpha options: unable to load config file: read /etc/oauth2_proxy/oauth2_proxy.yml: is a directory #226
What forceLegacyConfig: true Does
The default forceLegacyConfig: true preserves behavior for users who DO have a custom configFile:
Before PR (with custom configFile):
config:
configFile: |
email_domains = ["*"]
upstreams = ["http://backend"]
alphaConfig:
enabled: true→ Uses the custom configFile
After PR (with custom configFile + default):
config:
forceLegacyConfig: true # DEFAULT
configFile: |
email_domains = ["*"]
upstreams = ["http://backend"]
alphaConfig:
enabled: true→ Still uses the custom configFile (identical behavior)
Not Breaking Because
- The scenario without custom configFile didn't work before → now it works (bug fix)
- The scenario with custom configFile works the same with the default (backward compatible)
- All CI tests pass, confirming no regressions
The tests validate both scenarios work correctly.
A previous template error still mentioned the old "redis.enabled" value even though that has been renamed to redis-ha.enabled in v10.0.0. Signed-off-by: Lilly Sell <sell@b1-systems.de>
…t-in-fail-msg doc: Fix mention of old `redis.enabled` value in failure message
pierluigilenoci
force-pushed
the
fix/alphaconfig-unified-improvements
branch
from
81e4ac9 to
2b757e4
Compare
* fix: correct image registry priority order Local image.registry setting should take precedence over global.imageRegistry to allow proper configuration when oauth2-proxy is used as a subchart. Previous behavior: 1. global.imageRegistry (highest priority) 2. image.registry 3. quay.io (default in values.yaml) New behavior: 1. image.registry (highest priority) 2. global.imageRegistry 3. quay.io (default in template) This aligns with standard Helm chart behavior where local settings override global settings. Changes: - Updated deployment.yaml template to prioritize local over global registry - Removed default registry value from values.yaml (now defaults in template) - Bumped chart version to 10.1.0 (minor version for behavior change) Fixes oauth2-proxy#379 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> * Downgrade oauth2-proxy version to 10.0.1 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> * Bump oauth2-proxy version to 10.0.3 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> --------- Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Added config.secretKeys option to provide granular control over which
secrets are included in the Kubernetes secret and exposed as environment
variables. This addresses scenarios where certain authentication methods
don't require all secrets (e.g., Azure Entra ID federated token authentication
doesn't need client-secret).
Implementation:
- Added config.secretKeys list in values.yaml (defaults to empty list)
- When empty, defaults to all three secrets: [client-id, client-secret, cookie-secret]
- Modified _helpers.tpl to conditionally include secrets based on allowlist
- Modified deployment.yaml to conditionally set environment variables
Example usage to exclude client-secret:
config:
requiredSecretKeys:
- client-id
- cookie-secret
This provides explicit control and future extensibility for additional
secrets while maintaining full backward compatibility.
Fixes oauth2-proxy#376
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Address maintainer feedback from PR review: - Renamed config.secretKeys to config.requiredSecretKeys for clarity - Moved default values from template to values.yaml as suggested - Removed the '| default' logic from templates Changes: - values.yaml: Define requiredSecretKeys with explicit defaults: [client-id, client-secret, cookie-secret] - _helpers.tpl: Use requiredSecretKeys directly without fallback - deployment.yaml: Use requiredSecretKeys directly without fallback This makes the configuration more explicit and easier to understand, following Helm best practices of defining defaults in values.yaml rather than in templates. Addresses: oauth2-proxy#384 (review comments) Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Update changelog annotation to use the correct field name 'requiredSecretKeys' instead of 'secretKeys' to match the implemented changes. Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
…client-secret-federated-auth feat: add config.secretKeys to selectively include secrets
…uth2-proxy#382) * docs: add explicit warning for redis single replica configuration When using redis-ha with a single replica (replicas: 1), Redis requires min-replicas-to-write to be set to 0, otherwise write operations fail with 'NOREPLICAS Not enough good replicas to write' error. This change adds an explicit IMPORTANT note in the values.yaml documentation, positioned immediately after the replicas setting to make the requirement clear to users. This configuration is already used in the CI tests (helm/oauth2-proxy/ci/redis-standalone-values.yaml:29) and is documented in the Redis documentation. Supersedes oauth2-proxy#359 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> * Bump oauth2-proxy version to 10.0.2 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> * docs: remove release for a pure documentation change Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
tuunit
force-pushed
the
fix/alphaconfig-unified-improvements
branch
from
1692125 to
a7ae6d4
Compare
Introduces structured configuration to resolve conflicts between legacy config and alphaConfig modes when upstreams option is used. Fixes: oauth2-proxy#226 Closes: oauth2-proxy#302 Closes: oauth2-proxy#311 Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Add comprehensive test cases covering: - Custom configFile with alphaConfig disabled - alphaConfig with forceLegacyConfig=true (backward compatible) - alphaConfig with forceLegacyConfig=false (fix for oauth2-proxy#226) - alphaConfig + custom configFile + forceLegacyConfig=true - alphaConfig + custom configFile + forceLegacyConfig=false - Existing external ConfigMap via extraObjects These tests ensure all configuration scenarios work correctly and prevent regressions in the forceLegacyConfig feature. Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
When alphaConfig.enabled=true and forceLegacyConfig=false, the deployment was not mounting the ConfigMap or adding the --config flag because the condition checked for existingConfig OR configFile. Since configFile defaults to empty string, the condition was false and oauth2-proxy failed with 'missing setting for email validation'. Fixed by removing the conditions entirely: - ConfigMap volume is always created (using existingConfig if specified) - ConfigMap is always mounted - --config flag is always added This ensures email_domains is always provided to oauth2-proxy, whether using the generated ConfigMap or an existingConfig. This is NOT a breaking change - it fixes a bug where the app didn't work with default values when using alphaConfig. Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
When alphaConfig is enabled, oauth2-proxy loads BOTH config files (--alpha-config and --config) but the legacy config CANNOT contain options that were removed by alphaConfig like 'upstreams'. This is true ALWAYS when alphaConfig is enabled, regardless of forceLegacyConfig value. Changed logic: - When alphaConfig DISABLED → full legacy config (email_domains + upstreams) - When alphaConfig ENABLED → minimal legacy config (only email_domains) The forceLegacyConfig flag now only controls whether to use a custom configFile when alphaConfig is enabled (not whether to include upstreams in auto-generated config). Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
tuunit
force-pushed
the
fix/alphaconfig-unified-improvements
branch
from
a7ae6d4 to
9468636
Compare
…tch-updates chore(deps): update helm release redis-ha to v4.35.6
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
pierluigilenoci
force-pushed
the
fix/alphaconfig-unified-improvements
branch
2 times, most recently
from
e9822cd to
9683e02
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes critical bugs in alphaConfig integration and introduces the
forceLegacyConfigflag to provide backward compatibility for users with custom configuration files.Problem Statement
Issue #226: alphaConfig fails with "invalid keys: upstreams"
When
alphaConfig.enabled = true, oauth2-proxy loads BOTH configuration files:oauth2_proxy.cfg) via--configflagoauth2_proxy.yml) via--alpha-configflagHowever, alphaConfig removed support for the
upstreamsoption. If the legacy config containsupstreams, oauth2-proxy fails with:Critical Bug: Missing email_domains validation
When
alphaConfig.enabled=truewith default values, the deployment was not mounting the ConfigMap or adding the--configflag, causing oauth2-proxy to fail with:Issue #302: Difficulty using external secrets with alphaConfig
Users wanting to load secrets from external sources (e.g., Azure Key Vault CSI Driver) lacked clear documentation on how to inject secrets via environment variables.
Issue #311: Missing alphaConfig documentation
Users needed examples showing how to configure
upstreamConfigin alphaConfig mode, particularly for multi-upstream scenarios with path-based routing.Solution
1. Fixed Critical Bug: Always mount ConfigMap
Commit: 7e6bd35
Fixed deployment template to ALWAYS mount the ConfigMap and add
--configflag, regardless of alphaConfig settings. This ensuresemail_domainsis always provided to oauth2-proxy.2. Fixed alphaConfig Incompatibility
Commit: 9f00757
Changed the auto-generated legacy config logic:
email_domains+upstreamsemail_domainsONLY (no upstreams)This is because when alphaConfig is enabled, oauth2-proxy loads BOTH config files, and the legacy config CANNOT contain options removed by alphaConfig.
3. Introduced forceLegacyConfig Flag
Commit: 4a7c93a
Added
config.forceLegacyConfig(default:true) to control whether customconfigFileshould be used when alphaConfig is enabled:forceLegacyConfig = true(default): Use custom configFile as-is (backward compatible)forceLegacyConfig = false: Ignore custom configFile and auto-generate minimal configIMPORTANT: This flag ONLY affects custom configFile behavior. It does NOT control whether upstreams are included in auto-generated configs.
4. Structured Configuration
Changed from hardcoded
config.configFileto structured fields:config.emailDomains: Email domains allowed to authenticate (default:[ "*" ])config.upstreams: Legacy upstream configuration (default:[ "file:///dev/null" ])config.configFile: Custom config template (empty by default)5. Configuration Generation Logic
The
configmap.yamltemplate now implements this logic:email_domains+upstreamsemail_domainsONLY (no upstreams)email_domainsONLY (ignores custom)Key Points:
upstreams(regardless of forceLegacyConfig)forceLegacyConfigonly controls whether to use or ignore custom configFile when alphaConfig is enabled--configflag is ALWAYS added6. Comprehensive Documentation
Added examples for:
extraEnvto load secrets from Azure Key Vault CSI DriverMigration Guide
For most users (NOT experiencing issue #226)
No action required. The chart now works correctly with alphaConfig enabled using default values.
For users experiencing "invalid keys: upstreams" error
If you're getting this error with alphaConfig enabled, you have two options:
Option A: Use alphaConfig upstreams (RECOMMENDED)
Option B: Use custom configFile with forceLegacyConfig
If you have a custom
config.configFilethat includesupstreams:For users with custom configFile (backward compatibility)
If you have a custom
config.configFilethat does NOT contain removed alphaConfig options:Testing
Commit: 88ae305
Created comprehensive CI test suite covering all configuration scenarios:
All test cases pass successfully.
Breaking Changes
None. This is a non-breaking change.
forceLegacyConfigdefaults totruefor backward compatibility with custom configFilesChecklist
Related Issues