Skip to content

feat: add config.secretKeys to selectively include secrets #384

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pierluigilenoci wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add config.secretKeys to selectively include secrets #384

pierluigilenoci wants to merge 3 commits into from
+29 −4

Conversation

@pierluigilenoci
Copy link
Contributor

@pierluigilenoci pierluigilenoci commented Jan 6, 2026
edited
Loading

Summary

This PR implements the config.requiredSecretKeys option to provide granular control over which secrets are included in the Kubernetes secret and exposed as environment variables.

Problem

When using authentication methods like Azure Entra ID federated token authentication, the client-secret is not required. However, the chart currently always includes and requires all three secrets (client-id, client-secret, cookie-secret), causing issues when using proxyVarsAsSecrets: true with existingSecret.

Solution

Added a config.requiredSecretKeys list that allows users to explicitly specify which secrets to include:

config:
  requiredSecretKeys:
    - client-id
    - cookie-secret
    # client-secret excluded

Implementation Details

Following maintainer feedback, the implementation now uses:

  1. values.yaml: config.requiredSecretKeys list with explicit defaults: 
    requiredSecretKeys:
  - client-id
  - client-secret
  - cookie-secret
  2. _helpers.tpl: Modified oauth2-proxy.secrets template to conditionally include secrets based on the list
  3. deployment.yaml: Modified environment variable section to conditionally set vars based on the list

Default Behavior (Backward Compatible)

The defaults are now explicitly defined in values.yaml:

requiredSecretKeys:
  - client-id
  - client-secret
  - cookie-secret

This ensures full backward compatibility with existing deployments while making the configuration more explicit and easier to understand.

Usage Examples

Scenario 1: Default (all secrets)

config:
  requiredSecretKeys:
    - client-id
    - client-secret
    - cookie-secret

→ Includes all three secrets (default behavior)

Scenario 2: Exclude client-secret (federated auth)

config:
  requiredSecretKeys:
    - client-id
    - cookie-secret

→ Includes only client-id and cookie-secret

Scenario 3: Custom subset

config:
  requiredSecretKeys:
    - cookie-secret

→ Includes only cookie-secret

Benefits

  • User-requested approach: Implements the exact solution proposed by the issue author
  • Backward compatible: Explicit defaults maintain current behavior
  • Future-proof: Extensible for additional secrets
  • Explicit control: Clear which secrets are being used
  • Flexible: Works with both chart-managed and existing secrets
  • Follows Helm best practices: Defaults defined in values.yaml rather than templates

Changes Based on Maintainer Feedback

  • Renamed secretKeys to requiredSecretKeys for clarity
  • Moved default values from template (| default) to explicit defaults in values.yaml
  • Simplified template logic by removing fallback conditions

Testing

Tested with helm template to verify:

  • ✅ Secrets are created with all three keys by default
  • ✅ Secrets can be selectively excluded
  • ✅ Environment variables are only created for included secrets
  • ✅ Backward compatibility is maintained

Checklist

  • Chart version bumped to 10.1.0 (minor version for new feature)
  • Changelog updated in Chart.yaml
  • Template logic simplified following maintainer feedback
  • Defaults moved to values.yaml
  • DCO sign-off included in all commits
  • Zero breaking changes confirmed via testing

Fixes #376

@pierluigilenoci
feat: add config.secretKeys to selectively include secrets
74f34ba 
Added config.secretKeys option to provide granular control over which
secrets are included in the Kubernetes secret and exposed as environment
variables. This addresses scenarios where certain authentication methods
don't require all secrets (e.g., Azure Entra ID federated token authentication
doesn't need client-secret).

Implementation:
- Added config.secretKeys list in values.yaml (defaults to empty list)
- When empty, defaults to all three secrets: [client-id, client-secret, cookie-secret]
- Modified _helpers.tpl to conditionally include secrets based on allowlist
- Modified deployment.yaml to conditionally set environment variables

Example usage to exclude client-secret:
config:
  secretKeys:
    - client-id
    - cookie-secret

This provides explicit control and future extensibility for additional
secrets while maintaining full backward compatibility.

Fixes oauth2-proxy#376

Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
@pierluigilenoci pierluigilenoci mentioned this pull request Jan 6, 2026
Open
@pierluigilenoci pierluigilenoci requested a review from tuunit January 6, 2026 15:45
tuunit
tuunit requested changes Jan 7, 2026
View reviewed changes
@pierluigilenoci
refactor: rename secretKeys to requiredSecretKeys with explicit defaults
8ec5439 
Address maintainer feedback from PR review:
- Renamed config.secretKeys to config.requiredSecretKeys for clarity
- Moved default values from template to values.yaml as suggested
- Removed the '| default' logic from templates

Changes:
- values.yaml: Define requiredSecretKeys with explicit defaults:
  [client-id, client-secret, cookie-secret]
- _helpers.tpl: Use requiredSecretKeys directly without fallback
- deployment.yaml: Use requiredSecretKeys directly without fallback

This makes the configuration more explicit and easier to understand,
following Helm best practices of defining defaults in values.yaml
rather than in templates.

Addresses: oauth2-proxy#384 (review comments)
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
@pierluigilenoci
docs: update Chart.yaml to reflect requiredSecretKeys rename
b510494 
Update changelog annotation to use the correct field name
'requiredSecretKeys' instead of 'secretKeys' to match the
implemented changes.

Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
@pierluigilenoci pierluigilenoci requested a review from tuunit January 7, 2026 11:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tuunit tuunit Awaiting requested review from tuunit

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Issue: Unable to exclude client-secret from secrets when using entra-id-federated-token-auth with proxyVarsAsSecrets: true

2 participants

@pierluigilenoci @tuunit