just updating some docs :)

CONTRIBUTING.md

@@ -0,0 +1,12 @@
+# To get started helping out
+Please install [pre-commit] and [helm-docs] locally and then install our pre-commit hooks.
+
+```bash
+pre-commit install
+pre-commit install-hooks
+```
+
+Right now, these just keep the docs up to date, but in the future, will provide other useful tools :)
+
+[pre-commit]: https://pre-commit.com/#install
+[helm-docs]: https://github.com/norwoodj/helm-docs#installation

README.md

@@ -16,8 +16,61 @@ helm install vouch/vouch vouch --values.yaml
 
 Docs for the [`values.yaml`](./charts/vouch/values.yaml) can be found in in the chart [README](./charts/vouch/README.md).
 
+### Using an external secret
+
+You can configure your values.yml for vouch to use an existing Kubernetes Secret for it's config file. Example `values.yaml`:
+
+```yaml
+config:
+  # -- Allow overriding the config value with an existing secret, like a sealed secret
+  existingSecretName: "vouch-existing-secret"
+```
+
+Example of setting an existing Secret via the helm cli:
+
+```console
+helm install vouch/vouch vouch --set existingSecretName=vouch-existing-secret
+```
+
+Here's a Kubernetes Secret containing a Vouch config that uses keycloak as the OIDC provider:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vouch-existing-secret
+stringData:
+  config.yaml: |
+    vouch:
+      logLevel: debug
+      testing: false
+      domains:
+      - example.com
+      whiteList:
+      - myuser@myemaildomain.com
+      allowAllUsers: false
+      cookie:
+        maxAge: 900
+        secure: true
+        domain: example.com
+    oauth:
+      provider: oidc
+      client_id: vouch
+      client_secret: 8943hncds9aavy89hn39ncdsa89y79vh79as 
+      auth_url: https://iam.example.com/realms/master/protocol/openid-connect/auth
+      token_url: https://iam.example.com/realms/master/protocol/openid-connect/token
+      user_info_url: https://iam.example.com/realms/master/protocol/openid-connect/userinfo
+      scopes:
+        - openid
+        - email
+        - profile
+      callback_urls:
+        - https://vouch.example.com/auth
+      preferredDomain:
+```
+
 ## License
 Chart documentation is available in [helm-charts licencse](./LICENSE). We've kept it the same as the upstream chart.
 
-### Contributing
+## Contributing
 We'd love to have you contribute! Please refer to our [contribution guidelines](./CONTRIBUTING.md) for details.

charts/vouch/Chart.yaml

@@ -17,7 +17,7 @@ keywords:
   - sso
   - sso-login
 
-version: 3.3.0
+version: 3.3.1
 
 # renovate: image=quay.io/vouch/vouch-proxy
 appVersion: "0.39"

charts/vouch/README.md

@@ -1,6 +1,6 @@
 # vouch
 
-![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.39](https://img.shields.io/badge/AppVersion-0.39-informational?style=flat-square)
+![Version: 3.3.1](https://img.shields.io/badge/Version-3.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.39](https://img.shields.io/badge/AppVersion-0.39-informational?style=flat-square)
 
 An SSO and OAuth login solution for nginx using the auth_request module.
 
@@ -23,24 +23,24 @@ An SSO and OAuth login solution for nginx using the auth_request module.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| args | list | `[]` |  |
-| command | list | `[]` | Allow to specify an alternate command before launching vouch ex: command: ["/bin/sh", "-c", "source /vault/secrets/config && /vouch-proxy"] |
+| args | list | `[]` | arguments to command for container |
+| command | list | `[]` | Allow to specify an alternate command before launching vouch example: command: ["/bin/sh", "-c", "source /vault/secrets/config && /vouch-proxy"] |
 | config.existingSecretName | string | `""` | Allow overriding the config value with an existing secret, like a sealed secret |
-| config.oauth.callback_urls | list | `[]` |  |
+| config.oauth.callback_urls | list | `[]` | valid callback urls to use, example https://vouch.example.com/auth |
 | config.oauth.client_id | string | `""` | clientID from  your provider |
 | config.oauth.client_secret | string | `""` | clientSecret from your provider |
-| config.oauth.preferredDomain | string | `""` |  |
+| config.oauth.preferredDomain | string | `""` | preferred domain |
 | config.oauth.provider | string | `""` | oauth2 provider, such as keycloak |
-| config.vouch.allowAllUsers | bool | `false` |  |
-| config.vouch.domains | list | `[]` |  |
-| config.vouch.jwt.secret | string | `""` |  |
-| config.vouch.port | int | `9090` |  |
-| config.vouch.testing | bool | `false` |  |
-| config.vouch.whiteList | list | `[]` |  |
+| config.vouch.allowAllUsers | bool | `false` | wheather or not to allow ALL users to login |
+| config.vouch.domains | list | `[]` | specific domains you'd like to allow access from |
+| config.vouch.jwt.secret | string | `""` | pass in a secret to used for cookies |
+| config.vouch.port | int | `9090` | the container port for vouch |
+| config.vouch.testing | bool | `false` | set to true to enable a testing mode, see more: https://github.com/vouch/vouch-proxy#im-getting-an-infinite-redirect-loop-which-returns-me-to-my-idp-googleoktagithub |
+| config.vouch.whiteList | list | `[]` | list of emails for users that allowed to use SSO via vouch |
 | deploymentAnnotations | object | `{}` |  |
 | extraEnvVars | list | `[]` | An array to add extra environment variables |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy, set to always if using an image with the latest tag |
 | image.repository | string | `"quay.io/vouch/vouch-proxy"` |  |
 | image.tag | string | `""` | change the tag we use for the vouch docker image |
 | imagePullSecrets | list | `[]` |  |
@@ -52,7 +52,7 @@ An SSO and OAuth login solution for nginx using the auth_request module.
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
+| podSecurityContext | object | `{}` | securityContext for the pod. see more: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | probes.liveness.enabled | bool | `true` |  |
 | probes.liveness.failureThreshold | int | `5` |  |
 | probes.liveness.initialDelaySeconds | int | `0` |  |
@@ -71,7 +71,7 @@ An SSO and OAuth login solution for nginx using the auth_request module.
 | probes.startup.periodSeconds | int | `10` |  |
 | replicaCount | int | `1` | how many pod replicas to deploy |
 | resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
+| securityContext | object | `{}` | securityContext for the container. see more: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
 | service.externalTrafficPolicy | string | `nil` |  |
 | service.port | int | `9090` |  |
 | service.type | string | `"ClusterIP"` |  |

charts/vouch/values.yaml

@@ -9,11 +9,13 @@ image:
   repository: quay.io/vouch/vouch-proxy
   # -- change the tag we use for the vouch docker image
   tag: ""
+  # -- image pullPolicy, set to always if using an image with the latest tag
   pullPolicy: IfNotPresent
 
 # -- Allow to specify an alternate command before launching vouch
-# ex: command: ["/bin/sh", "-c", "source /vault/secrets/config && /vouch-proxy"]
+# example: command: ["/bin/sh", "-c", "source /vault/secrets/config && /vouch-proxy"]
 command: []
+# -- arguments to command for container
 args: []
 
 imagePullSecrets: []
@@ -29,9 +31,11 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name:
 
+# -- securityContext for the pod. see more: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 podSecurityContext: {}
   # fsGroup: 2000
 
+# -- securityContext for the container. see more: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 securityContext: {}
   # privileged: true
   # capabilities:
@@ -111,12 +115,18 @@ config:
   existingSecretName: ""
 
   vouch:
+    # -- the container port for vouch
     port: 9090
+    # -- specific domains you'd like to allow access from
     domains: []
+    # -- wheather or not to allow ALL users to login
     allowAllUsers: false
+    # -- list of emails for users that allowed to use SSO via vouch
     whiteList: []
     jwt:
+      # -- pass in a secret to used for cookies
       secret: ''
+    # -- set to true to enable a testing mode, see more: https://github.com/vouch/vouch-proxy#im-getting-an-infinite-redirect-loop-which-returns-me-to-my-idp-googleoktagithub
     testing: false
 
   # https://console.developers.google.com/apis/credentials
@@ -127,7 +137,9 @@ config:
     client_id: ""
     # -- clientSecret from your provider
     client_secret: ""
+    # -- valid callback urls to use, example https://vouch.example.com/auth
     callback_urls: []
+    # -- preferred domain
     preferredDomain: ""
 
 # -- An array to add extra environment variables