apiVersion: apps/v1 kind: Deployment metadata: name: oauth2-proxy labels: app: oauth2-proxy spec: replicas: 2 selector: matchLabels: app.kubernetes.io/name: oauth2-proxy template: metadata: labels: app.kubernetes.io/name: oauth2-proxy spec: volumes: - name: oauth2-proxy-config configMap: name: oauth2-proxy - name: oauth2-proxy-theme configMap: name: oauth2-proxy-theme containers: - name: oauth2-proxy image: quay.io/oauth2-proxy/oauth2-proxy:latest args: - --http-address=0.0.0.0:4180 - --config=/etc/oauth2_proxy/oauth2_proxy.cfg ports: - name: http containerPort: 4180 protocol: TCP - name: metrics containerPort: 44180 protocol: TCP env: - name: OAUTH2_PROXY_CLIENT_ID valueFrom: secretKeyRef: name: oauth2-proxy key: client-id - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: name: oauth2-proxy key: client-secret - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: name: oauth2-proxy key: cookie-secret - name: OAUTH2_PROXY_COOKIE_SECURE valueFrom: configMapKeyRef: name: oauth2-proxy-parameters key: FORCE_HTTPS - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY valueFrom: configMapKeyRef: name: oauth2-proxy-parameters key: ALLOW_SELF_SIGNED_ISSUER - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS valueFrom: configMapKeyRef: name: oauth2-proxy-parameters key: ENABLE_M2M_TOKENS - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS valueFrom: configMapKeyRef: name: oauth2-proxy-parameters key: EXTRA_JWT_ISSUERS securityContext: allowPrivilegeEscalation: false seccompProfile: type: RuntimeDefault runAsNonRoot: true capabilities: drop: - ALL volumeMounts: - name: oauth2-proxy-config mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg subPath: oauth2_proxy.cfg readOnly: true - name: oauth2-proxy-theme mountPath: /custom-theme/kubeflow-logo.svg subPath: kubeflow-logo.svg readOnly: true livenessProbe: httpGet: path: /ping port: http scheme: HTTP readinessProbe: httpGet: path: /ready port: http scheme: HTTP resources: {}