open-engineering/vouch-helm
2
0
Fork
You've already forked vouch-helm
0
No description
  • Go Template 100%
2026年06月16日 21:20:09 +02:00
.forgejo allow manual run of releases 2026年06月16日 21:20:09 +02:00
charts/vouch Update to version 5.2.1 and regenerate docs. 2026年06月16日 19:17:05 +00:00
.gitignore Update deployment.yaml - fix wrong values.yaml parameter name for overrideConfigExistingSecret ( #45 ) 2025年01月19日 21:10:57 +01:00
.pre-commit-config.yaml generate some docs, add renovatebot to keep everything up to date, add some more comments in the readme ( #1 ) 2023年08月09日 11:43:45 +02:00
CONTRIBUTING.md Update CONTRIBUTING.md 2026年05月14日 10:32:03 +00:00
LICENSE Housekeeping related to taking ownership 2022年02月25日 14:13:41 +00:00
README.md clean up installation 2026年06月16日 21:15:48 +02:00
renovate.json update release process to use PR labels 2026年06月16日 21:14:06 +02:00

Vouch Helm Charts

This is a fork of the official Vouch helm chart with some quality of life updates to match standard helm chart style. It's actively maintained and kept up to date by @jessebot and renovateBot, so if a new version of the Vouch docker image comes out, we'll automatically get a PR to update it :)

Usage

Make sure you have helm installed. To get started with helm, read their documentation. Here's the basics of running this chart, however you'll want to update your values.yaml.

helm repo add codeberg.org https://codeberg.org/api/packages/open-engineering/helm
helm repo update
helm install codeberg.org/vouch vouch --values.yaml

Docs for the values.yaml can be found in in the chart README.

Using Existing Kubernetes Secrets for Private Info

Existing Secret for the Oauth config

In your values.yaml specify the name of the of the secret and then the names of the keys that will store the sensitive info:

config:# https://console.developers.google.com/apis/credentialsoauth:# -- existingSecret for clientId, clientSecret, authUrl, tokenUrl,userInfoUrl, callbackUrls, and preferredDomain.# If this value is not empty, we will ignore all of those plain text values and only use your secret keysexistingSecret:'my-vouch-oauth-secret'# keys in oauth.existingSecret to use for Oauth2 configsecretKeys:# -- key in existingSecret for the clientID from your providerclientId:'clientId'# -- key in existingSecret for clientSecret from your providerclientSecret:'clientSecret'# -- key in existingSecret for authentication url from your oidc providerauthUrl:'authUrl'# -- key in existingSecret for token url from your oidc providertokenUrl:'tokenUrl'# -- key in existingSecret for userInfoUrl from your oidc provideruserInfoUrl:'userInfoUrl'# -- key in oauth.existingSecret for comma seperated list of valid# callback urls to use, example value for your key in your existing secert:# 'https://vouch.example.com/auth,https://vouch.example.com/login'callbackUrls:'callbackUrls'# -- secret key in oauth.existingSecret for your preferred domainpreferredDomain:'preferredDomain'

Example secret:

apiVersion:v1kind:Secretmetadata:name:my-vouch-oauth-secret# "stringData" doesn't have to be used, but if you use "data", you have to base64 encode the string values belowstringData:clientId:'vouch'clientSecret:'6f7dag78dagr4bcfydsuoivh9a8fh89'authUrl:'https://iam.example.com/realms/demo-realm/protocol/openid-connect/auth'tokenUrl:'https://iam.example.com/realms/master/protocol/openid-connect/token'userInfoUrl:'https://iam.example.com/realms/master/protocol/openid-connect/userinfo'callbackUrls:'https://vouch.example.com/auth'

Existing Secret for vouch allowed domains and allowed emails

In your values.yaml specify the name of the of the secret and then the names of the keys that will store the sensitive info:

config:vouch:# -- existingSecret for domains, whiteList, and jwtSecret. If this value is# not empty, we ignore vouch.domains, vouch.whiteList, and vouch.jwt.secretexistingSecret:'my-vouch-config-secret'# keys in vouch.existingSecret to use for vouch configsecretKeys:# -- secret key in vouch.existingSecret with comma seperated list of# domains you'd like to allow access from.domains:'domains'# -- secret key in vouch.existingSecret with comma seperated list of emails# for users that allowed to use SSO via vouch.whiteList:'whiteList'# -- secret key in vouch.existingSecret to pass in a secret to used for cookiesjwtSecret:'jwtSecret'

Make sure that config.vouch.secretKeys.domains and config.vouch.secretKeys.whiteList are both comma seperated lists.

Example secret:

apiVersion:v1kind:Secretmetadata:name:my-vouch-config-secret# "stringData" doesn't have to be used, but if you use "data", you have to base64 encode the string values belowstringData:domains:"coolcats.com,cooldogs.com"whiteList:"not-a-dog@gmail.com,cat@coolcats.com"

Overriding the entire config.yaml for vouch-proxy

You can configure your values.yml for vouch to use an existing Kubernetes Secret for it's ENTIRE config file.

Example values.yaml:

config:# -- Allow overriding the config value with an existing secret, like a sealed secretoverrideConfigExistingSecret:"vouch-existing-secret"

Example of setting an existing Secret via the helm cli:

helm install codeberg.org/vouch vouch --set existingSecretName=vouch-existing-secret

Here's a Kubernetes Secret containing a Vouch config that uses keycloak as the OIDC provider:

apiVersion:v1kind:Secretmetadata:name:vouch-existing-secretstringData:config.yaml:| vouch:
 logLevel: debug
 testing: false
 domains:
 - example.com
 whiteList:
 - myuser@myemaildomain.com
 allowAllUsers: false
 cookie:
 maxAge: 900
 secure: true
 domain: example.com
 oauth:
 provider: oidc
 client_id: vouch
 client_secret: 8943hncds9aavy89hn39ncdsa89y79vh79as
 auth_url: https://iam.example.com/realms/master/protocol/openid-connect/auth
 token_url: https://iam.example.com/realms/master/protocol/openid-connect/token
 user_info_url: https://iam.example.com/realms/master/protocol/openid-connect/userinfo
 scopes:
 - openid
 - email
 - profile
 callback_urls:
 - https://vouch.example.com/auth
 preferredDomain:

License

This uses the MIT licencse. We've kept it the same as the upstream chart. All credit for the vouch-proxy goes to the Vouch project :)

Contributing

We'd love to have you contribute! Please refer to our contribution guidelines for details.