helm: fix oauth2-proxy namespace names

danish9039 · danish9039 · commit c45c03bb04fd · 2026-06-09T17:00:21.000+05:30
Signed-off-by: danish9039 &lt;danishsiddiqui040@gmail.com&gt;
diff --git a/experimental/helm/charts/oauth2-proxy/README.md b/experimental/helm/charts/oauth2-proxy/README.md
@@ -10,6 +10,10 @@ Install foundation, cert-manager, and Istio first. The `kubeflow-namespaces`
 foundation chart creates `Namespace/oauth2-proxy`; this chart stores Helm
 release metadata in that same workload namespace.
 
+## Namespace names
+
+Namespace names are fixed to match the Kustomize baseline and `kubeflow-namespaces` foundation chart. oauth2-proxy workloads use `oauth2-proxy`, Istio auth resources use `istio-system`, and gateway references use `kubeflow`. These names are not configurable.
+
 ```bash
 helm install oauth2-proxy ./experimental/helm/charts/oauth2-proxy \
   --namespace oauth2-proxy \
diff --git a/experimental/helm/charts/oauth2-proxy/templates/_helpers.tpl b/experimental/helm/charts/oauth2-proxy/templates/_helpers.tpl
@@ -1,24 +1,3 @@
-{{/*
-oauth2-proxy workload namespace.
-*/}}
-{{- define "oauth2-proxy.namespace" -}}
-{{- .Values.global.oauth2ProxyNamespace -}}
-{{- end -}}
-
-{{/*
-Istio namespace.
-*/}}
-{{- define "oauth2-proxy.istioNamespace" -}}
-{{- .Values.global.istioNamespace -}}
-{{- end -}}
-
-{{/*
-Kubeflow namespace.
-*/}}
-{{- define "oauth2-proxy.kubeflowNamespace" -}}
-{{- .Values.global.kubeflowNamespace -}}
-{{- end -}}
-
 {{/*
 Render a JWT rule for Istio RequestAuthentication.
 */}}
diff --git a/experimental/helm/charts/oauth2-proxy/templates/cluster-jwks-proxy.yaml b/experimental/helm/charts/oauth2-proxy/templates/cluster-jwks-proxy.yaml
@@ -5,15 +5,15 @@ metadata:
   labels:
     app.kubernetes.io/name: cluster-jwks-proxy
   name: cluster-jwks-proxy
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app.kubernetes.io/name: cluster-jwks-proxy
   name: cluster-jwks-proxy
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 spec:
   ports:
   - name: http
@@ -28,7 +28,7 @@ metadata:
   labels:
     app.kubernetes.io/name: cluster-jwks-proxy
   name: cluster-jwks-proxy
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 spec:
   replicas: 1
   selector:
diff --git a/experimental/helm/charts/oauth2-proxy/templates/istio-external-auth.yaml b/experimental/helm/charts/oauth2-proxy/templates/istio-external-auth.yaml
@@ -3,7 +3,7 @@ apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: istio-ingressgateway-oauth2-proxy
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 spec:
   action: CUSTOM
   provider:
@@ -27,7 +27,7 @@ apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: istio-ingressgateway-require-jwt
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 spec:
   action: DENY
   rules:
@@ -49,7 +49,7 @@ apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: dex-jwt
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 spec:
   jwtRules:
   - forwardOriginalToken: true
diff --git a/experimental/helm/charts/oauth2-proxy/templates/m2m.yaml b/experimental/helm/charts/oauth2-proxy/templates/m2m.yaml
@@ -3,7 +3,7 @@ apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: m2m-token-issuer
-  namespace: {{ include "oauth2-proxy.istioNamespace" . }}
+  namespace: istio-system
 spec:
   jwtRules:
 {{ include "oauth2-proxy.m2mJwtRule" (dict "issuer" .Values.m2m.issuer "jwksUri" .Values.m2m.jwksUri) | nindent 2 }}
diff --git a/experimental/helm/charts/oauth2-proxy/templates/networkpolicies.yaml b/experimental/helm/charts/oauth2-proxy/templates/networkpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: allow-istio-ingressgateway
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 spec:
   ingress:
   - from:
@@ -12,7 +12,7 @@ spec:
         - key: kubernetes.io/metadata.name
           operator: In
           values:
-          - {{ include "oauth2-proxy.istioNamespace" . }}
+          - istio-system
       podSelector:
         matchLabels:
           app: istio-ingressgateway
@@ -29,7 +29,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: default-allow-same-namespace-oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 spec:
   ingress:
   - from:
diff --git a/experimental/helm/charts/oauth2-proxy/templates/oauth2-proxy.yaml b/experimental/helm/charts/oauth2-proxy/templates/oauth2-proxy.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 ---
 apiVersion: v1
 data:
@@ -12,7 +12,7 @@ data:
 kind: ConfigMap
 metadata:
   name: oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 ---
 apiVersion: v1
 data:
@@ -23,7 +23,7 @@ data:
 kind: ConfigMap
 metadata:
   name: oauth2-proxy-parameters
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 ---
 apiVersion: v1
 data:
@@ -32,7 +32,7 @@ data:
 kind: ConfigMap
 metadata:
   name: oauth2-proxy-theme
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 ---
 apiVersion: v1
 data:
@@ -42,14 +42,14 @@ data:
 kind: Secret
 metadata:
   name: oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 type: Opaque
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 spec:
   ports:
   - name: http
@@ -66,7 +66,7 @@ metadata:
   labels:
     app: oauth2-proxy
   name: oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 spec:
   replicas: 2
   selector:
@@ -166,10 +166,10 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: oauth2-proxy
-  namespace: {{ include "oauth2-proxy.namespace" . }}
+  namespace: oauth2-proxy
 spec:
   gateways:
-  - {{ include "oauth2-proxy.kubeflowNamespace" . }}/kubeflow-gateway
+  - kubeflow/kubeflow-gateway
   hosts:
   - '*'
   http:
@@ -178,7 +178,7 @@ spec:
         prefix: /oauth2/
     route:
     - destination:
-        host: oauth2-proxy.{{ include "oauth2-proxy.namespace" . }}.svc.cluster.local
+        host: oauth2-proxy.oauth2-proxy.svc.cluster.local
         port:
           number: 80
 {{- end }}
diff --git a/experimental/helm/charts/oauth2-proxy/values.yaml b/experimental/helm/charts/oauth2-proxy/values.yaml
@@ -1,13 +1,5 @@
 # Default values for the Kubeflow oauth2-proxy chart.
 
-global:
-  # -- Namespace for oauth2-proxy workloads.
-  oauth2ProxyNamespace: oauth2-proxy
-  # -- Namespace for Istio ingress gateway and auth resources.
-  istioNamespace: istio-system
-  # -- Namespace containing the Kubeflow gateway.
-  kubeflowNamespace: kubeflow
-
 credentials:
   # -- OAuth client ID used by oauth2-proxy.
   clientID: kubeflow-oidc-authservice
