oauth2-proxy

Helm chart
Default values

global:
  # Global registry to pull the images from
  imageRegistry: ""
  # To help compatibility with other charts which use global.imagePullSecrets.
  imagePullSecrets: []
  # - name: pullSecret1
  # - name: pullSecret2
## Override the deployment namespace
##
namespaceOverride: ""
# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).
# This is especially useful for `helm template` as capabilities are always empty
# due to the fact that it doesn't query an actual cluster
kubeVersion:
# OAuth client configuration specifics
config:
  # Add config annotations
  annotations: {}
  # OAuth client ID
  clientID: "XXXXXXX"
  # OAuth client secret
  clientSecret: "XXXXXXXX"
  # List of secret keys to include in the secret and expose as environment variables.
  # By default, all three secrets are required. To exclude certain secrets
  # (e.g., when using federated token authentication), remove them from this list.
  # Example to exclude client-secret:
  # requiredSecretKeys:
  #   - client-id
  #   - cookie-secret
  requiredSecretKeys:
    - client-id
    - client-secret
    - cookie-secret
  # Create a new secret with the following command
  # openssl rand -base64 32 | head -c 32 | base64
  # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
  # Example:
  # existingSecret: secret
  cookieSecret: "XXXXXXXXXXXXXXXX"
  # The name of the cookie that oauth2-proxy will create
  # If left empty, it will default to the release name
  cookieName: ""
  google: {}
  # adminEmail: xxxx
  # useApplicationDefaultCredentials: true
  # targetPrincipal: xxxx
  # serviceAccountJson: xxxx
  # Alternatively, use an existing secret (see google-secret.yaml for required fields)
  # Example:
  # existingSecret: google-secret
  # groups: []
  # Example:
  # - group1@example.com
  # - group2@example.com
  #
  # Configuration file generation precedence
  # 1. If configFile is set, it takes precedence over the structured
  #    config below.
  # 2. When alphaConfig.enabled=true and forceLegacyConfig=false,
  #    both configFile and existingConfig are ignored and the chart
  #    generates a minimal legacy config from emailDomains only.
  # 3. If configFile is empty/not set, the config is auto-generated
  #    from emailDomains and, when alphaConfig is disabled, upstreams.
  configFile: ""
  # Email domains allowed to authenticate when the chart generates
  # the main oauth2_proxy.cfg.
  # This is always included in generated config, including the
  # minimal alphaConfig-compatible legacy config.
  emailDomains: ["*"]
  # Legacy upstream configuration used only when the chart generates
  # oauth2_proxy.cfg and alphaConfig is disabled.
  # When alphaConfig.enabled is true, define upstreams in
  # alphaConfig.configData.upstreamConfig instead.
  upstreams: ["file:///dev/null"]
  # Behavior when using alphaConfig together with a custom config file
  #
  # This flag only has an effect when:
  # - alphaConfig.enabled is true, AND
  # - you provide a custom config.configFile or config.existingConfig.
  #
  # Auto-generated config when alphaConfig.enabled=true is always a
  # minimal legacy config (no upstreams), regardless of this flag.
  #
  # When true (default): Honor a custom configFile/existingConfig
  # even when alphaConfig.enabled=true. If your custom config still
  # contains deprecated options (for example 'upstreams'),
  # oauth2-proxy may fail with:
  #   "failed to load core options: '' has invalid keys: upstreams"
  #
  # When false: Ignore any custom configFile/existingConfig when
  # alphaConfig.enabled=true and instead generate the minimal
  # legacy config. This preserves compatibility and avoids
  # invalid legacy options such as 'upstreams'.
  #
  # If you are using alphaConfig and see the error:
  #   "failed to load core options: '' has invalid keys: upstreams"
  # you have two options:
  # 1) Keep forceLegacyConfig: true (default):
  #    - Continue using your custom legacy config, but ensure it
  #      is alpha-compatible (remove 'upstreams' and any other
  #      keys no longer supported).
  # 2) Set forceLegacyConfig: false:
  #    - The chart will ignore config.configFile and
  #      config.existingConfig for alphaConfig.
  #    - Define upstreams in alphaConfig.configData.upstreamConfig
  #      instead (see examples below).
  #    - Move any other relevant settings into alphaConfig and/or
  #      flags rather than relying on a custom legacy configFile.
  forceLegacyConfig: true
  #
  # Custom configuration file: oauth2_proxy.cfg (overrides
  # emailDomains and upstreams when it is honored)
  # Example:
  # configFile: |-
  #   email_domains = [ "*" ]
  #   pass_basic_auth = false
  #   pass_access_token = true
  # Use an existing config map (see configmap.yaml for required fields)
  # This is ignored when alphaConfig.enabled=true and
  # forceLegacyConfig=false.
  # Example:
  # existingConfig: config
  existingConfig: ~
alphaConfig:
  enabled: false
  # Add config annotations
  annotations: {}
  # Arbitrary configuration data to append to the server section
  serverConfigData: {}
  # Arbitrary configuration data to append to the metrics section
  metricsConfigData: {}
  # Arbitrary configuration data to append
  configData: {}
  #
  # Example: Multiple upstreams with path-based routing
  # configData:
  #   upstreamConfig:
  #     upstreams:
  #       - id: service1
  #         path: /
  #         uri: http://service1:8080
  #         flushInterval: 1s
  #         passHostHeader: true
  #         proxyWebSockets: true
  #       - id: service2
  #         path: /api/
  #         uri: http://service2:8081
  #         rewriteTarget: /v1/
  #   injectResponseHeaders:
  #     - name: X-Custom-Header
  #       values:
  #         - value: custom-value
  #   injectResponseHeaders:
  #     - name: X-Auth-Request-Email
  #       values:
  #         - claim: email
  #
  # For more information on alpha config options, see:
  # https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config
  #
  # Arbitrary configuration to append
  # This is treated as a Go template and rendered with the root context
  configFile: ""
  # Use an existing config map (see secret-alpha.yaml for required fields)
  existingConfig: ~
  # Use an existing secret
  existingSecret: ~
  #
  # NOTE: When using alphaConfig with external secrets (e.g., Azure
  # Key Vault CSI Driver), you can inject secrets via the top-level
  # extraEnv (see the extraEnv section below) instead of embedding
  # them in the config:
  #
  # extraEnv:
  #   - name: OAUTH2_PROXY_CLIENT_ID
  #     valueFrom:
  #       secretKeyRef:
  #         name: external-secret
  #         key: client-id
  #   - name: OAUTH2_PROXY_CLIENT_SECRET
  #     valueFrom:
  #       secretKeyRef:
  #         name: external-secret
  #         key: client-secret
image:
  registry: cgr.dev
  repository: chainguard-private/oauth2-proxy
  # appVersion is used by default
  tag: latest@sha256:5e4c3a009184e84a1709e551ab483c2dd5b0e939f96e3dfd99557b5c7d6bb96e
  pullPolicy: "IfNotPresent"
  command: []
# Optionally specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
imagePullSecrets: []
# - name: myRegistryKeySecretName

# Set a custom containerPort if required.
# This will default to 4180 if this value is not set and the httpScheme set to http
# This will default to 4443 if this value is not set and the httpScheme set to https
# containerPort: 4180
extraArgs: {}
extraEnv: []
# Example: Load secrets from an external secret (e.g., Azure Key
# Vault via CSI Driver)
# extraEnv:
#   - name: OAUTH2_PROXY_CLIENT_ID
#     valueFrom:
#       secretKeyRef:
#         name: azure-keyvault-secret
#         key: client-id
#   - name: OAUTH2_PROXY_CLIENT_SECRET
#     valueFrom:
#       secretKeyRef:
#         name: azure-keyvault-secret
#         key: client-secret
#   - name: OAUTH2_PROXY_COOKIE_SECRET
#     valueFrom:
#       secretKeyRef:
#         name: azure-keyvault-secret
#         key: cookie-secret

envFrom: []
# Load environment variables from a ConfigMap(s) and/or Secret(s)
# that already exists (created and managed by you).
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
#
# PS: Changes in these ConfigMaps or Secrets will not be automatically
# detected and you must manually restart the relevant Pods after changes.
#
# - configMapRef:
#     name: special-config
# - secretRef:
#     name: special-config-secret

# -- Custom labels to add into metadata
customLabels: {}
# To authorize individual email addresses
# This is part of extraArgs, but since it needs special treatment it gets a separate section
authenticatedEmailsFile:
  enabled: false
  # Defines how the email addresses file will be projected, via a configmap or secret
  persistence: configmap
  # template is the name of a configmap that contains the email user list but has been configured without this chart.
  # It's a simpler way to maintain only one configmap (user list) instead of changing it for each oauth2-proxy service.
  # Be aware that the key in the external config map's data needs to be named "restricted_user_access" or match the
  # value provided in the restrictedUserAccessKey field.
  template: ""
  # The configmap/secret key under which the list of email access is stored
  # Defaults to "restricted_user_access" if not filled in, but can be overridden to allow flexibility
  restrictedUserAccessKey: ""
  # One email per line
  # example:
  # restricted_access: |-
  #   name1@domain
  #   name2@domain
  # If you override the config with restricted_access, the chart will configure the user list and take care of the
  # config map resource.
  restricted_access: ""
  annotations: {}
  # helm.sh/resource-policy: keep
service:
  type: ClusterIP
  # when service.type is ClusterIP ...
  # clusterIP: 192.0.2.20
  # when service.type is LoadBalancer ...
  # loadBalancerIP: 198.51.100.40
  # loadBalancerSourceRanges: 203.0.113.0/24
  # when service.type is NodePort ...
  # nodePort: 80
  portNumber: 80
  # Protocol set on the service
  appProtocol: http
  annotations: {}
  # foo.io/bar: "true"
  # configure externalTrafficPolicy
  externalTrafficPolicy: ""
  # configure internalTrafficPolicy
  internalTrafficPolicy: ""
  # configure service target port
  targetPort: ""
  # Configures the service to use IPv4/IPv6 dual-stack.
  # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
  ipDualStack:
    enabled: false
    ipFamilies: ["IPv6", "IPv4"]
    ipFamilyPolicy: "PreferDualStack"
  # Configure traffic distribution for the service
  # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
  trafficDistribution: ""
## Create or use ServiceAccount
serviceAccount:
  ## Specifies whether a ServiceAccount should be created
  enabled: true
  ## The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the fullname template
  name:
  automountServiceAccountToken: true
  annotations: {}
  ## imagePullSecrets for the service account
  imagePullSecrets: []
  # - name: myRegistryKeySecretName
# Network policy settings.
networkPolicy:
  create: false
  ingress: []
  egress: []
ingress:
  enabled: false
  # className: nginx
  path: /
  # Only used if API capabilities (networking.k8s.io/v1) allow it
  pathType: ImplementationSpecific
  # Used to create an Ingress record.
  # hosts:
  #   - chart-example.local
  # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
  # Warning! The configuration is dependent on your current k8s API version capabilities (networking.k8s.io/v1)
  # extraPaths:
  #   - path: /*
  #     pathType: ImplementationSpecific
  #     backend:
  #       service:
  #         name: ssl-redirect
  #         port:
  #           name: use-annotation
  labels: {}
  # annotations:
  #   kubernetes.io/ingress.class: nginx
  #   kubernetes.io/tls-acme: "true"
  # tls:
  # Secrets must be manually created in the namespace.
  #   - secretName: chart-example-tls
  #     hosts:
  #       - chart-example.local
# Gateway API HTTPRoute configuration
# Ref: https://gateway-api.sigs.k8s.io/api-types/httproute/
gatewayApi:
  enabled: false
  # The name of the Gateway resource to attach the HTTPRoute to
  # Example:
  # gatewayRef:
  #   name: gateway
  #   namespace: gateway-system
  #   sectionName: my-gateway-https-listener-name
  #
  # https://gateway-api.sigs.k8s.io/reference/spec/#parentreference
  gatewayRef: {}
  # HTTPRoute rule configuration
  # rules:
  #   - name: service # optional: enables targeting by sectionName in policies
  #     matches:
  #       - path:
  #           type: PathPrefix
  #           value: /
  rules: []
  # Hostnames to match in the HTTPRoute
  # hostnames:
  #   - chart-example.local
  hostnames: []
  # Additional labels to add to the HTTPRoute
  labels: {}
  # Additional annotations to add to the HTTPRoute
  annotations: {}
resources: {}
# limits:
#   cpu: 100m
#   memory: 300Mi
# requests:
#   cpu: 100m
#   memory: 300Mi

# Container resize policy for runtime resource updates
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/
resizePolicy: []
# - resourceName: cpu
#   restartPolicy: NotRequired
# - resourceName: memory
#   restartPolicy: RestartContainer

extraVolumes: []
# - name: ca-bundle-cert
#   secret:
#     secretName: <secret-name>

extraVolumeMounts: []
# - mountPath: /etc/ssl/certs/
#   name: ca-bundle-cert

# Additional containers to be added to the pod.
extraContainers: []
# - name: my-sidecar
#   image: nginx:latest

# Additional Init containers to be added to the pod.
extraInitContainers: []
# - name: wait-for-idp
#   image: my-idp-wait:latest
#   command:
#     - sh
#     - -c
#     - wait-for-idp.sh

priorityClassName: ""
# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution
hostAliases: []
# - ip: "10.xxx.xxx.xxx"
#   hostnames:
#     - "auth.example.com"
# - ip: 127.0.0.1
#   hostnames:
#     - chart-example.local
#     - example.local

# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
# topologySpreadConstraints: []

# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}

# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
proxyVarsAsSecrets: true
# Configure Kubernetes liveness and readiness probes.
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
livenessProbe:
  enabled: true
  initialDelaySeconds: 0
  timeoutSeconds: 1
readinessProbe:
  enabled: true
  initialDelaySeconds: 0
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
# Configure Kubernetes security context for container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  enabled: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 2000
  runAsGroup: 2000
  seccompProfile:
    type: RuntimeDefault
deploymentLabels: {}
deploymentAnnotations: {}
podAnnotations: {}
podLabels: {}
replicaCount: 1
revisionHistoryLimit: 10
strategy: {}
enableServiceLinks: true
## PodDisruptionBudget settings
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
## One of maxUnavailable and minAvailable must be set to null.
podDisruptionBudget:
  enabled: true
  maxUnavailable: null
  minAvailable: 1
  # Policy for when unhealthy pods should be considered for eviction.
  # Valid values are "IfHealthyBudget" and "AlwaysAllow".
  # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy
  unhealthyPodEvictionPolicy: ""
## Horizontal Pod Autoscaling
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
  annotations: {}
  # Configure HPA behavior policies for scaling if needed
  # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior
  behavior: {}
  # scaleDown:
  #   stabilizationWindowSeconds: 300
  #   policies:
  #     - type: Percent
  #       value: 100
  #       periodSeconds: 15
  #   selectPolicy: Min
  # scaleUp:
  #   stabilizationWindowSeconds: 0
  #   policies:
  #     - type: Percent
  #       value: 100
  #       periodSeconds: 15
  #     - type: Pods
  #       value: 4
  #       periodSeconds: 15
  #   selectPolicy: Max
# Configure Kubernetes security context for pod
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
# whether to use http or https
httpScheme: http
initContainers:
512
# if the redis sub-chart is enabled, wait for it to be ready
513
# before starting the proxy
514
# creates a role binding to get, list, watch, the redis master pod
515
# if service account is enabled
516
waitForRedis:
517
enabled: true
518
image:
519
repository: cgr.dev/chainguard-private/chainguard-base
520
tag: latest@sha256:909fa8e918c1c05cbc6cf617723270b5eae2ee40718daf4cc5ea751297f0f232
521
pullPolicy: "IfNotPresent"
522
# uses the kubernetes version of the cluster
523
# the chart is deployed on, if not set
524
kubectlVersion: ""
525
securityContext:
526
enabled: true
527
allowPrivilegeEscalation: false
528
capabilities:
529
drop:
530
- ALL
531
readOnlyRootFilesystem: true
532
runAsNonRoot: true
533
runAsUser: 65534
534
runAsGroup: 65534
535
seccompProfile:
536
type: RuntimeDefault
537
timeout: 180
538
resources: {}
539
# limits:
540
# cpu: 100m
541
# memory: 300Mi
542
# requests:
543
# cpu: 100m
544
# memory: 300Mi
545
# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
546
# Alternatively supply an existing secret which contains the required information.
547
htpasswdFile:
548
enabled: false
549
existingSecret: ""
550
entries: []
551
# One row for each user
552
# example:
553
# entries:
554
# - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy
555
# Configure the session storage type, between cookie and redis
556
sessionStorage:
557
# Can be one of the supported session storage cookie|redis
558
type: cookie
559
redis:
560
# Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
561
existingSecret: ""
562
# Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
563
password: ""
564
# Key of the Kubernetes secret data containing the redis password value. If you use the redis sub chart, make sure
565
# this password matches the one used in redis-ha.redisPassword (see below).
566
passwordKey: "redis-password"
567
# Can be one of standalone|cluster|sentinel
568
clientType: "standalone"
569
standalone:
570
# URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
571
connectionUrl: ""
572
cluster:
573
# List of Redis cluster connection URLs. Array or single string allowed.
574
connectionUrls: []
575
# - "redis://127.0.0.1:8000"
576
# - "redis://127.0.0.1:8001"
577
sentinel:
578
# Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
579
existingSecret: ""
580
# Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
581
password: ""
582
# Key of the Kubernetes secret data containing the redis sentinel password value
583
passwordKey: "redis-sentinel-password"
584
# Redis sentinel master name
585
masterName: ""
586
# List of Redis cluster connection URLs. Array or single string allowed.
587
connectionUrls: []
588
# - "redis://127.0.0.1:8000"
589
# - "redis://127.0.0.1:8001"
590
# Enables and configure the automatic deployment of the redis-ha subchart
591
redis-ha:
592
# provision an instance of the redis-ha sub-chart
593
enabled: false
594
# Redis specific helm chart settings, please see:
595
# https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#general-parameters
596
#
597
# Recommended:
598
#
599
# redisPassword: xxxxx
600
# replicas: 1
601
#
602
# IMPORTANT: When using a single replica (replicas: 1), you MUST also configure
603
# min-replicas-to-write to 0 to avoid "NOREPLICAS Not enough good replicas to write" errors.
604
# See: https://stackoverflow.com/a/59737862
605
# redis:
606
# config:
607
# min-replicas-to-write: 0
608
#
609
# persistentVolume:
610
# enabled: false
611
#
612
# If you install Redis using this sub chart, make sure that the password of the sub chart matches the password
613
# you set in sessionStorage.redis.password (see above).
614
#
615
# If you want to use redis in sentinel mode see:
616
# https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#redis-sentinel-parameters
617
# Enables apiVersion deprecation checks
618
checkDeprecation: true
619
# Allows graceful shutdown
620
# terminationGracePeriodSeconds: 65
621
# lifecycle:
622
# preStop:
623
# exec:
624
# command: [ "sh", "-c", "sleep 60" ]
625
metrics:
626
# Enable Prometheus metrics endpoint
627
enabled: true
628
# Serve Prometheus metrics on this port
629
port: 44180
630
# when service.type is NodePort ...
631
# nodePort: 44180
632
# Protocol set on the service for the metrics port
633
service:
634
appProtocol: http
635
serviceMonitor:
636
# Enable Prometheus Operator ServiceMonitor
637
enabled: false
638
# Define the namespace where to deploy the ServiceMonitor resource
639
namespace: ""
640
# Prometheus Instance definition
641
prometheusInstance: default
642
# Prometheus scrape interval
643
interval: 60s
644
# Prometheus scrape timeout
645
scrapeTimeout: 30s
646
# Add custom labels to the ServiceMonitor resource
647
labels: {}
648
## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
649
scheme: ""
650
## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.
651
## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
652
tlsConfig: {}
653
## bearerTokenFile: Path to bearer token file.
654
bearerTokenFile: ""
655
## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with
656
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
657
annotations: {}
658
## Metric relabel configs to apply to samples before ingestion.
659
## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
660
metricRelabelings: []
661
# - action: keep
662
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
663
# sourceLabels: [__name__]
664
665
## Relabel configs to apply to samples before ingestion.
666
## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
667
relabelings: []
668
# - sourceLabels: [__meta_kubernetes_pod_node_name]
669
# separator: ;
670
# regex: ^(.*)$
671
# targetLabel: nodename
672
# replacement: $1
673
# action: replace
674
# Extra K8s manifests to deploy
675
extraObjects: []
676
# - apiVersion: secrets-store.csi.x-k8s.io/v1
677
# kind: SecretProviderClass
678
# metadata:
679
# name: oauth2-proxy-secrets-store
680
# spec:
681
# provider: aws
682
# parameters:
683
# objects: |
684
# - objectName: "oauth2-proxy"
685
# objectType: "secretsmanager"
686
# jmesPath:
687
# - path: "client_id"
688
# objectAlias: "client-id"
689
# - path: "client_secret"
690
# objectAlias: "client-secret"
691
# - path: "cookie_secret"
692
# objectAlias: "cookie-secret"
693
# secretObjects:
694
# - data:
695
# - key: client-id
696
# objectName: client-id
697
# - key: client-secret
698
# objectName: client-secret
699
# - key: cookie-secret
700
# objectName: cookie-secret
701
# secretName: oauth2-proxy-secrets-store
702
# type: Opaque
703
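Two parts of the config section above are easy to get wrong in practice: building the Secret that config.existingSecret points to (with the keys listed under requiredSecretKeys and a cookie secret of a valid length), and predicting which oauth2_proxy.cfg the chart will actually use once alphaConfig and forceLegacyConfig come into play. The following helper is an added example written against the comments in this values file; it is not code from the chart or from the oauth2-proxy project. It assumes the 16/24/32-byte cookie secret requirement of oauth2-proxy's AES cookie cipher, approximates the raw-versus-base64 handling of that secret, and assumes that a non-empty configFile wins over existingConfig (the comments only state that configFile beats the structured settings). The secret names, namespace and config text in the main block are constructed placeholders, and the generated-config layout follows the configFile example above rather than the chart's own template, which this page does not show.

```python
"""Helpers for the oauth2-proxy chart: build the external credentials Secret
and predict which oauth2_proxy.cfg the chart renders.  Example code written
against the values.yaml comments; not part of the chart or of oauth2-proxy."""
import base64
import binascii
import json
import re
import secrets

# Keys the chart lists under config.requiredSecretKeys (read from existingSecret).
ALL_SECRET_KEYS = ("client-id", "client-secret", "cookie-secret")
# oauth2-proxy's cookie cipher is AES, so the secret must be 16, 24 or 32 bytes.
VALID_COOKIE_SECRET_LENGTHS = (16, 24, 32)
# Legacy keys that alphaConfig rejects; the values file names only 'upstreams'.
ALPHA_INCOMPATIBLE_KEYS = ("upstreams",)


def new_cookie_secret(nbytes: int = 32) -> str:
    """CSPRNG cookie secret, URL-safe base64 so it is safe in env vars and YAML."""
    if nbytes not in VALID_COOKIE_SECRET_LENGTHS:
        raise ValueError(f"cookie secret must be one of {VALID_COOKIE_SECRET_LENGTHS} bytes")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def cookie_secret_length(secret: str) -> int:
    """Byte length of the key derived from `secret`.

    A base64 form (standard or URL-safe) is preferred when it decodes to a valid
    AES length; otherwise the raw characters are the key.  Assumption: this
    approximates oauth2-proxy's decoding, which the values file does not show.
    """
    candidate = secret.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        decoded = base64.b64decode(candidate, validate=True)
        if len(decoded) in VALID_COOKIE_SECRET_LENGTHS:
            return len(decoded)
    except binascii.Error:
        pass
    return len(secret.encode("utf-8"))


def is_valid_cookie_secret(secret: str) -> bool:
    return cookie_secret_length(secret) in VALID_COOKIE_SECRET_LENGTHS


def secret_manifest(name, namespace, values, required_keys=ALL_SECRET_KEYS):
    """Build the Secret that config.existingSecret should point to.

    Only keys in required_keys are emitted, mirroring requiredSecretKeys
    (e.g. omit client-secret when using federated token authentication).
    """
    missing = [k for k in required_keys if k not in values]
    if missing:
        raise KeyError(f"missing secret keys: {missing}")
    if "cookie-secret" in required_keys and not is_valid_cookie_secret(values["cookie-secret"]):
        raise ValueError("cookie-secret must be, or decode to, 16, 24 or 32 bytes")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        # Kubernetes Secret .data values are base64 of the raw bytes.
        "data": {k: base64.b64encode(values[k].encode()).decode() for k in required_keys},
    }


def config_source(config_file, existing_config, alpha_enabled, force_legacy):
    """Which oauth2_proxy.cfg the chart uses, per the precedence comments.

    Returns "generated-minimal", "configFile", "existingConfig" or "generated".
    Assumption: a non-empty configFile wins over existingConfig.
    """
    if alpha_enabled and not force_legacy:
        return "generated-minimal"  # custom configFile/existingConfig are ignored
    if config_file:
        return "configFile"
    if existing_config:
        return "existingConfig"
    return "generated"


def generated_config(email_domains, upstreams, alpha_enabled):
    """Render the auto-generated legacy config; upstreams only while alpha is off.
    Layout follows the configFile example in the values file (assumption)."""
    def toml_list(items):
        return "[ " + ", ".join(json.dumps(i) for i in items) + " ]"
    lines = [f"email_domains = {toml_list(email_domains)}"]
    if not alpha_enabled:
        lines.append(f"upstreams = {toml_list(upstreams)}")
    return "\n".join(lines) + "\n"


def alpha_incompatible_keys(config_text, keys=ALPHA_INCOMPATIBLE_KEYS):
    """Legacy keys in a custom config that make oauth2-proxy fail under alphaConfig
    ("failed to load core options: '' has invalid keys: ...")."""
    present = {m.group(1) for m in re.finditer(r"^\s*(\w+)\s*=", config_text, re.MULTILINE)}
    return [k for k in keys if k in present]


if __name__ == "__main__":
    # Constructed sample values; names are placeholders, not chart defaults.
    creds = {"client-id": "my-oidc-client", "client-secret": "replace-me",
             "cookie-secret": new_cookie_secret()}
    print(json.dumps(secret_manifest("oauth2-proxy-creds", "auth", creds), indent=2))
    custom = 'email_domains = [ "example.com" ]\nupstreams = [ "http://app:8080" ]\n'
    print(config_source(custom, None, True, True), alpha_incompatible_keys(custom))
```

Pipe the printed manifest into kubectl apply and set config.existingSecret to its name instead of filling clientSecret and cookieSecret in values; the last line shows the case the forceLegacyConfig comment warns about, a custom configFile honoured under alphaConfig that still carries 'upstreams', which the checker flags before the proxy does.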
