oauth2-proxy

Helm chart
Default values
global:
  # Global registry to pull the images from
  imageRegistry: ""
  # To help compatibility with other charts which use global.imagePullSecrets.
  imagePullSecrets: []
  # - name: pullSecret1
  # - name: pullSecret2
## Override the deployment namespace
##
namespaceOverride: ""
# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).
# This is especially useful for `helm template` as capabilities are always empty
# due to the fact that it doesn't query an actual cluster
kubeVersion:
# OAuth client configuration specifics
config:
  # Add config annotations
  annotations: {}
  # OAuth client ID
  clientID: "XXXXXXX"
  # OAuth client secret
  clientSecret: "XXXXXXXX"
  # List of secret keys to include in the secret and expose as environment variables.
  # By default, all three secrets are required. To exclude certain secrets
  # (e.g., when using federated token authentication), remove them from this list.
  # Example to exclude client-secret:
  # requiredSecretKeys:
  #   - client-id
  #   - cookie-secret
  requiredSecretKeys:
    - client-id
    - client-secret
    - cookie-secret
  # Create a new secret with the following command
  # openssl rand -base64 32 | head -c 32 | base64
  # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
  # Example:
  # existingSecret: secret
  cookieSecret: "XXXXXXXXXXXXXXXX"
  # The name of the cookie that oauth2-proxy will create
  # If left empty, it will default to the release name
  cookieName: ""
  google: {}
    # adminEmail: xxxx
    # useApplicationDefaultCredentials: true
    # targetPrincipal: xxxx
    # serviceAccountJson: xxxx
    # Alternatively, use an existing secret (see google-secret.yaml for required fields)
    # Example:
    # existingSecret: google-secret
    # groups: []
    # Example:
    #  - group1@example.com
    #  - group2@example.com
  #
  # Configuration file generation precedence
  #   1. If configFile is set, it takes precedence over the structured
  #      config below.
  #   2. When alphaConfig.enabled=true and forceLegacyConfig=false,
  #      both configFile and existingConfig are ignored and the chart
  #      generates a minimal legacy config from emailDomains only.
  #   3. If configFile is empty/not set, the config is auto-generated
  #      from emailDomains and, when alphaConfig is disabled, upstreams.
  #   4. When alphaConfig.enabled=false and forceLegacyConfig=false,
  #      and neither config.configFile nor config.existingConfig are set,
  #      no ConfigMap is generated or mounted. Use this when you manage
  #      oauth2-proxy configuration entirely via external means (e.g.,
  #      CSI SecretStore Driver, extraVolumes, etc.).
  configFile: ""
  # Email domains allowed to authenticate when the chart generates
  # the main oauth2_proxy.cfg.
  # This is always included in generated config, including the
  # minimal alphaConfig-compatible legacy config.
  emailDomains: ["*"]
  # Legacy upstream configuration used only when the chart generates
  # oauth2_proxy.cfg and alphaConfig is disabled.
  # When alphaConfig.enabled is true, define upstreams in
  # alphaConfig.configData.upstreamConfig instead.
  upstreams: ["file:///dev/null"]
  # Behavior when using alphaConfig together with a custom config file
  #
  # This flag has an effect when:
  #   - alphaConfig.enabled is true AND you provide a custom
  #     config.configFile or config.existingConfig, OR
  #   - alphaConfig.enabled is false AND no configFile/existingConfig
  #     is provided (setting forceLegacyConfig=false disables config
  #     generation entirely — see "no-config mode" below).
  #
  # Auto-generated config when alphaConfig.enabled=true is always a
  # minimal legacy config (no upstreams), regardless of this flag.
  #
  # When true (default): Honor a custom configFile/existingConfig
  #   even when alphaConfig.enabled=true. If your custom config still
  #   contains deprecated options (for example 'upstreams'),
  #   oauth2-proxy may fail with:
  #     "failed to load core options: '' has invalid keys: upstreams"
  #
  # When false: Ignore any custom configFile/existingConfig when
  #   alphaConfig.enabled=true and instead generate the minimal
  #   legacy config. This preserves compatibility and avoids
  #   invalid legacy options such as 'upstreams'.
  #
  # If you are using alphaConfig and see the error:
  #   "failed to load core options: '' has invalid keys: upstreams"
  # you have two options:
  #   1) Keep forceLegacyConfig: true (default):
  #      - Continue using your custom legacy config, but ensure it
  #        is alpha-compatible (remove 'upstreams' and any other
  #        keys no longer supported).
  #   2) Set forceLegacyConfig: false:
  #      - The chart will ignore config.configFile and
  #        config.existingConfig for alphaConfig.
  #      - Define upstreams in alphaConfig.configData.upstreamConfig
  #        instead (see examples below).
  #      - Move any other relevant settings into alphaConfig and/or
  #        flags rather than relying on a custom legacy configFile.
  #
  # no-config mode:
  #   If forceLegacyConfig and alphaConfig.enabled are both false,
  #   and no configFile or existingConfig is provided, no ConfigMap
  #   is generated or mounted. This is useful when managing config
  #   externally (e.g., CSI SecretStore Driver).
  forceLegacyConfig: true
  #
  # Custom configuration file: oauth2_proxy.cfg (overrides
  # emailDomains and upstreams when it is honored)
  # Example:
  # configFile: |-
  #   email_domains = [ "*" ]
  #   pass_basic_auth = false
  #   pass_access_token = true
  # Use an existing config map (see configmap.yaml for required fields)
  # This is ignored when alphaConfig.enabled=true and
  # forceLegacyConfig=false.
  # Example:
  # existingConfig: config
  existingConfig: ~
alphaConfig:
  enabled: false
  # Add config annotations
  annotations: {}
  # Arbitrary configuration data to append to the server section
  serverConfigData: {}
  # Arbitrary configuration data to append to the metrics section
  metricsConfigData: {}
  # Arbitrary configuration data to append
  configData: {}
  #
  # Example: Multiple upstreams with path-based routing
  # configData:
  #   upstreamConfig:
  #     upstreams:
  #       - id: service1
  #         path: /
  #         uri: http://service1:8080
  #         flushInterval: 1s
  #         passHostHeader: true
  #         proxyWebSockets: true
  #       - id: service2
  #         path: /api/
  #         uri: http://service2:8081
  #         rewriteTarget: /v1/
  #         injectResponseHeaders:
  #           - name: X-Custom-Header
  #             values:
  #               - value: custom-value
  #   injectResponseHeaders:
  #     - name: X-Auth-Request-Email
  #       values:
  #         - claim: email
  #
  # For more information on alpha config options, see:
  # https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config
  #
  # Arbitrary configuration to append
  # This is treated as a Go template and rendered with the root context
  configFile: ""
  # Use an existing config map (see secret-alpha.yaml for required fields).
  # Mutually exclusive with existingSecret and all generated alpha config
  # content options (serverConfigData, metricsConfigData, configData, configFile).
  existingConfig: ~
  # Use an existing secret.
  # Mutually exclusive with existingConfig and all generated alpha config
  # content options (serverConfigData, metricsConfigData, configData, configFile).
  existingSecret: ~
  #
  # NOTE: When using alphaConfig with external secrets (e.g., Azure
  # Key Vault CSI Driver), you can inject secrets via the top-level
  # extraEnv (see the extraEnv section below) instead of embedding
  # them in the config:
  #
  # extraEnv:
  #   - name: OAUTH2_PROXY_CLIENT_ID
  #     valueFrom:
  #       secretKeyRef:
  #         name: external-secret
  #         key: client-id
  #   - name: OAUTH2_PROXY_CLIENT_SECRET
  #     valueFrom:
  #       secretKeyRef:
  #         name: external-secret
  #         key: client-secret
image:
  registry: cgr.dev
  repository: chainguard-private/oauth2-proxy
  # appVersion is used by default
  tag: latest@sha256:715c6df020f8bbea096e18c31d3633a9baa4f4068011648e3612c5cd32867973
  pullPolicy: "IfNotPresent"
  command: []
# Optionally specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
imagePullSecrets: []
# - name: myRegistryKeySecretName

# Set a custom containerPort if required.
# This will default to 4180 if this value is not set and the httpScheme set to http
# This will default to 4443 if this value is not set and the httpScheme set to https
# containerPort: 4180
extraArgs: {}
extraEnv: []
# Example: Load secrets from an external secret (e.g., Azure Key
# Vault via CSI Driver)
# extraEnv:
#   - name: OAUTH2_PROXY_CLIENT_ID
#     valueFrom:
#       secretKeyRef:
#         name: azure-keyvault-secret
#         key: client-id
#   - name: OAUTH2_PROXY_CLIENT_SECRET
#     valueFrom:
#       secretKeyRef:
#         name: azure-keyvault-secret
#         key: client-secret
#   - name: OAUTH2_PROXY_COOKIE_SECRET
#     valueFrom:
#       secretKeyRef:
#         name: azure-keyvault-secret
#         key: cookie-secret

envFrom: []
# Load environment variables from a ConfigMap(s) and/or Secret(s)
# that already exists (created and managed by you).
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
#
# PS: Changes in these ConfigMaps or Secrets will not be automatically
#     detected and you must manually restart the relevant Pods after changes.
#
# - configMapRef:
#     name: special-config
# - secretRef:
#     name: special-config-secret

# -- Custom labels to add into metadata
customLabels: {}
# To authorize individual email addresses
# That is part of extraArgs but since this needs special treatment we need to do a separate section
authenticatedEmailsFile:
  enabled: false
  # Defines how the email addresses file will be projected, via a configmap or secret
  persistence: configmap
  # template is the name of the configmap that contains the email user list but has been configured without this chart.
  # It's a simpler way to maintain only one configmap (user list) instead of changing it for each oauth2-proxy service.
  # Be aware the value name in the external config map in data needs to be named to "restricted_user_access" or to the
  # provided value in restrictedUserAccessKey field.
  template: ""
  # The configmap/secret key under which the list of email access is stored
  # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
  restrictedUserAccessKey: ""
  # One email per line
  # example:
  # restricted_access: |-
  #   name1@domain
  #   name2@domain
  # If you override the config with restricted_access it will configure a user list within this chart that takes care of the
  # config map resource.
  restricted_access: ""
  annotations: {}
  # helm.sh/resource-policy: keep
service:
  type: ClusterIP
  # when service.type is ClusterIP ...
  # clusterIP: 192.0.2.20
  # when service.type is LoadBalancer ...
  # loadBalancerIP: 198.51.100.40
  # loadBalancerSourceRanges: 203.0.113.0/24
  # when service.type is NodePort ...
  # nodePort: 80
  portNumber: 80
  # Protocol set on the service
  appProtocol: http
  annotations: {}
  # foo.io/bar: "true"
  # configure externalTrafficPolicy
  externalTrafficPolicy: ""
  # configure internalTrafficPolicy
  internalTrafficPolicy: ""
  # configure service target port
  targetPort: ""
  # Configures the service to use IPv4/IPv6 dual-stack.
  # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
  ipDualStack:
    enabled: false
    ipFamilies: ["IPv6", "IPv4"]
    ipFamilyPolicy: "PreferDualStack"
  # Configure traffic distribution for the service
  # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
  trafficDistribution: ""
## Create or use ServiceAccount
serviceAccount:
  ## Specifies whether a ServiceAccount should be created
  enabled: true
  ## The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the fullname template
  name:
  automountServiceAccountToken: true
  annotations: {}
  ## imagePullSecrets for the service account
  imagePullSecrets: []
  # - name: myRegistryKeySecretName
# Network policy settings.
networkPolicy:
  create: false
  ingress: []
  egress: []
ingress:
  enabled: false
  # className: nginx
  path: /
  # Only used if API capabilities (networking.k8s.io/v1) allow it
  pathType: ImplementationSpecific
  # Used to create an Ingress record.
  # hosts:
  # - chart-example.local
  # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
  # Warning! The configuration is dependent on your current k8s API version capabilities (networking.k8s.io/v1)
  # extraPaths:
  # - path: /*
  #   pathType: ImplementationSpecific
  #   backend:
  #     service:
  #       name: ssl-redirect
  #       port:
  #         name: use-annotation
  labels: {}
  # annotations:
  #   kubernetes.io/ingress.class: nginx
  #   kubernetes.io/tls-acme: "true"
  # tls:
  # Secrets must be manually created in the namespace.
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local
# Gateway API HTTPRoute configuration
# Ref: https://gateway-api.sigs.k8s.io/api-types/httproute/
gatewayApi:
  enabled: false
  # The name of the Gateway resource to attach the HTTPRoute to
  # Example:
  # gatewayRef:
  #   name: gateway
  #   namespace: gateway-system
  #   sectionName: my-gateway-https-listener-name
  #
  # https://gateway-api.sigs.k8s.io/reference/spec/#parentreference
  gatewayRef: {}
  # HTTPRoute rule configuration
  # rules:
  # - name: service # optional: enables targeting by sectionName in policies
  #   matches:
  #   - path:
  #       type: PathPrefix
  #       value: /
  rules: []
  # Hostnames to match in the HTTPRoute
  # hostnames:
  # - chart-example.local
  hostnames: []
  # Additional labels to add to the HTTPRoute
  labels: {}
  # Additional annotations to add to the HTTPRoute
  annotations: {}
resources: {}
# limits:
#   cpu: 100m
#   memory: 300Mi
# requests:
#   cpu: 100m
#   memory: 300Mi

# Container resize policy for runtime resource updates
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/
resizePolicy: []
# - resourceName: cpu
#   restartPolicy: NotRequired
# - resourceName: memory
#   restartPolicy: RestartContainer

extraVolumes: []
# - name: ca-bundle-cert
#   secret:
#     secretName: <secret-name>

extraVolumeMounts: []
# - mountPath: /etc/ssl/certs/
#   name: ca-bundle-cert

# Additional containers to be added to the pod.
extraContainers: []
# - name: my-sidecar
#   image: nginx:latest

# Additional Init containers to be added to the pod.
extraInitContainers: []
# - name: wait-for-idp
#   image: my-idp-wait:latest
#   command:
#   - sh
#   - -c
#   - wait-for-idp.sh

priorityClassName: ""
# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution
hostAliases: []
# - ip: "10.xxx.xxx.xxx"
#   hostnames:
#     - "auth.example.com"
# - ip: 127.0.0.1
#   hostnames:
#     - chart-example.local
#     - example.local

# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
# topologySpreadConstraints: []

# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}

# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
proxyVarsAsSecrets: true
# Configure Kubernetes liveness and readiness probes.
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
livenessProbe:
  enabled: true
  initialDelaySeconds: 0
  timeoutSeconds: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 0
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
# Configure Kubernetes security context for container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  enabled: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 2000
  runAsGroup: 2000
  seccompProfile:
    type: RuntimeDefault
deploymentLabels: {}
deploymentAnnotations: {}
podAnnotations: {}
podLabels: {}
replicaCount: 1
revisionHistoryLimit: 10
strategy: {}
enableServiceLinks: true
## PodDisruptionBudget settings
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
## One of maxUnavailable and minAvailable must be set to null.
podDisruptionBudget:
  enabled: true
  maxUnavailable: null
  minAvailable: 1
  # Policy for when unhealthy pods should be considered for eviction.
  # Valid values are "IfHealthyBudget" and "AlwaysAllow".
  # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy
  unhealthyPodEvictionPolicy: ""
## Horizontal Pod Autoscaling
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
  annotations: {}
  # Configure HPA behavior policies for scaling if needed
  # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior
  behavior: {}
  # scaleDown:
  #   stabilizationWindowSeconds: 300
  #   policies:
  #   - type: Percent
  #     value: 100
  #     periodSeconds: 15
  #   selectPolicy: Min
  # scaleUp:
  #   stabilizationWindowSeconds: 0
  #   policies:
  #   - type: Percent
  #     value: 100
  #     periodSeconds: 15
  #   - type: Pods
  #     value: 4
  #     periodSeconds: 15
  #   selectPolicy: Max
# Configure Kubernetes security context for pod
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
# whether to use http or https
httpScheme: http
initContainers:
  # if the redis sub-chart is enabled, wait for it to be ready
  # before starting the proxy
  # creates a role binding to get, list, watch, the redis master pod
  # if service account is enabled
  waitForRedis:
    enabled: true
    image:
      repository: cgr.dev/chainguard-private/chainguard-base
      tag: latest@sha256:1e3516fab5d8e4995b8efc648a5b09943a180b0d9caf77c7b29f7df662c91ab3
      pullPolicy: "IfNotPresent"
    # uses the kubernetes version of the cluster
    # the chart is deployed on, if not set
    kubectlVersion: ""
    securityContext:
      enabled: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 65534
      runAsGroup: 65534
      seccompProfile:
        type: RuntimeDefault
    timeout: 180
    resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 300Mi
    # requests:
    #   cpu: 100m
    #   memory: 300Mi
# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
# Alternatively supply an existing secret which contains the required information.
htpasswdFile:
  enabled: false
  existingSecret: ""
  entries: []
  # One row for each user
  # example:
  # entries:
  #  - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy
# Configure the session storage type, between cookie and redis
sessionStorage:
  # Can be one of the supported session storage cookie|redis
  type: cookie
  redis:
    # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
    existingSecret: ""
    # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
    password: ""
    # Key of the Kubernetes secret data containing the redis password value. If you use the redis sub chart, make sure
    # this password matches the one used in redis-ha.redisPassword (see below).
    passwordKey: "redis-password"
    # Can be one of standalone|cluster|sentinel
    clientType: "standalone"
    standalone:
      # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
      connectionUrl: ""
    cluster:
      # List of Redis cluster connection URLs. Array or single string allowed.
      connectionUrls: []
      # - "redis://127.0.0.1:8000"
      # - "redis://127.0.0.1:8001"
    sentinel:
      # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
      existingSecret: ""
      # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
      password: ""
      # Key of the Kubernetes secret data containing the redis sentinel password value
      passwordKey: "redis-sentinel-password"
      # Redis sentinel master name
      masterName: ""
      # List of Redis cluster connection URLs. Array or single string allowed.
      connectionUrls: []
      # - "redis://127.0.0.1:8000"
      # - "redis://127.0.0.1:8001"
# Enables and configures the automatic deployment of the redis-ha subchart
redis-ha:
  # provision an instance of the redis-ha sub-chart
  enabled: false
  # Redis specific helm chart settings, please see:
  # https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#general-parameters
  #
  # Recommended:
  #
  # redisPassword: xxxxx
  # replicas: 1
  #
  # IMPORTANT: When using a single replica (replicas: 1), you MUST also configure
  # min-replicas-to-write to 0 to avoid "NOREPLICAS Not enough good replicas to write" errors.
  # See: https://stackoverflow.com/a/59737862
  # redis:
  #   config:
  #     min-replicas-to-write: 0
  #
  # persistentVolume:
  #   enabled: false
  #
  # If you install Redis using this sub chart, make sure that the password of the sub chart matches the password
  # you set in sessionStorage.redis.password (see above).
  #
  # If you want to use redis in sentinel mode see:
  # https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#redis-sentinel-parameters
# Enables apiVersion deprecation checks
checkDeprecation: true
# Allows graceful shutdown
# terminationGracePeriodSeconds: 65
# lifecycle:
#   preStop:
#     exec:
#       command: [ "sh", "-c", "sleep 60" ]
metrics:
  # Enable Prometheus metrics endpoint
  enabled: true
  # Serve Prometheus metrics on this port
  port: 44180
  # when service.type is NodePort ...
  # nodePort: 44180
  # Protocol set on the service for the metrics port
  service:
    appProtocol: http
  serviceMonitor:
    # Enable Prometheus Operator ServiceMonitor
    enabled: false
    # Define the namespace where to deploy the ServiceMonitor resource
    namespace: ""
    # Prometheus Instance definition
    prometheusInstance: default
    # Prometheus scrape interval
    interval: 60s
    # Prometheus scrape timeout
    scrapeTimeout: 30s
    # Add custom labels to the ServiceMonitor resource
    labels: {}
    ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
    scheme: ""
    ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.
    ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
    tlsConfig: {}
    ## bearerTokenFile: Path to bearer token file.
    bearerTokenFile: ""
    ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
    annotations: {}
    ## Metric relabel configs to apply to samples before ingestion.
    ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
    metricRelabelings: []
    # - action: keep
    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
    #   sourceLabels: [__name__]

    ## Relabel configs to apply to samples before ingestion.
    ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
    relabelings: []
    # - sourceLabels: [__meta_kubernetes_pod_node_name]
    #   separator: ;
    #   regex: ^(.*)$
    #   targetLabel: nodename
    #   replacement: $1
    #   action: replace
# Extra K8s manifests to deploy
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
#   kind: SecretProviderClass
#   metadata:
#     name: oauth2-proxy-secrets-store
#   spec:
#     provider: aws
#     parameters:
#       objects: |
#         - objectName: "oauth2-proxy"
#           objectType: "secretsmanager"
#           jmesPath:
#             - path: "client_id"
#               objectAlias: "client-id"
#             - path: "client_secret"
#               objectAlias: "client-secret"
#             - path: "cookie_secret"
#               objectAlias: "cookie-secret"
#     secretObjects:
#       - data:
#           - key: client-id
#             objectName: client-id
#           - key: client-secret
#             objectName: client-secret
#           - key: cookie-secret
#             objectName: cookie-secret
#         secretName: oauth2-proxy-secrets-store
#         type: Opaque
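
Added example, not part of the chart or of the original page: the configuration-file precedence described in the `config:` comments, written as a Python check to run over overrides before `helm upgrade`. It follows only what those comments state; the function name `resolve_config`, the mode labels and the sample overrides are made up for this example.

```python
import re

# Defaults of the `config:` block as shown in the values on this page.
DEFAULTS = {
    "configFile": "",
    "existingConfig": None,
    "emailDomains": ["*"],
    "forceLegacyConfig": True,
}

# A legacy `upstreams = ...` assignment that is not commented out.
UPSTREAMS_KEY = re.compile(r"^[ \t]*upstreams[ \t]*=", re.MULTILINE)


def resolve_config(config, alpha_enabled=False):
    """Return (mode, warnings) for a `config:` override.

    mode: "custom" (your file/ConfigMap is mounted), "generated-minimal"
    (emailDomains only), "generated-full" (emailDomains + upstreams) or
    "none" (no ConfigMap). The mode names are this example's own labels.
    """
    cfg = {**DEFAULTS, **config}
    custom = [k for k in ("configFile", "existingConfig") if cfg[k]]
    warnings = []

    if alpha_enabled and not cfg["forceLegacyConfig"]:
        mode = "generated-minimal"
        if custom:
            warnings.append(
                " and ".join(custom) + " ignored (alphaConfig.enabled=true, "
                "forceLegacyConfig=false); settings made there do not apply"
            )
    elif custom:
        mode = "custom"
        if len(custom) == 2:
            warnings.append("configFile and existingConfig are both set; "
                            "the values comments do not say which one wins")
        if alpha_enabled and UPSTREAMS_KEY.search(cfg["configFile"] or ""):
            warnings.append("configFile sets 'upstreams' while alphaConfig is "
                            "enabled; oauth2-proxy may fail with "
                            "\"has invalid keys: upstreams\"")
        if alpha_enabled and cfg["existingConfig"]:
            warnings.append("existingConfig is not inspected here; check that "
                            "it has no 'upstreams' key")
    elif alpha_enabled:
        mode = "generated-minimal"
    elif cfg["forceLegacyConfig"]:
        mode = "generated-full"
    else:
        mode = "none"

    if mode.startswith("generated") and "*" in cfg["emailDomains"]:
        warnings.append('generated config admits any email domain '
                        '(emailDomains contains "*")')
    return mode, warnings


# Constructed override sets, not taken from a real deployment.
SAMPLES = {
    "chart defaults": ({}, False),
    "alpha, custom file dropped": (
        {"forceLegacyConfig": False,
         "configFile": 'email_domains = [ "example.com" ]\n'}, True),
    "alpha, legacy upstreams kept": (
        {"configFile": 'upstreams = [ "http://app:8080" ]\n'}, True),
    "no-config mode": ({"forceLegacyConfig": False}, False),
}

if __name__ == "__main__":
    for name, (config, alpha) in SAMPLES.items():
        mode, warnings = resolve_config(config, alpha)
        print(f"{name}: {mode}")
        for w in warnings:
            print(f"  - {w}")
```

The second sample is the case worth checking for: a custom file that narrowed `email_domains` is dropped, and the generated config falls back to `config.emailDomains`, which defaults to `["*"]`.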

© 2026 Chainguard, Inc. All Rights Reserved.