refactor: rename secretKeys to requiredSecretKeys with explicit defaults

Address maintainer feedback from PR review:
- Renamed config.secretKeys to config.requiredSecretKeys for clarity
- Moved default values from template to values.yaml as suggested
- Removed the '| default' logic from templates

Changes:
- values.yaml: Define requiredSecretKeys with explicit defaults:
  [client-id, client-secret, cookie-secret]
- _helpers.tpl: Use requiredSecretKeys directly without fallback
- deployment.yaml: Use requiredSecretKeys directly without fallback

This makes the configuration more explicit and easier to understand,
following Helm best practices of defining defaults in values.yaml
rather than in templates.

Addresses: #384 (review comments)
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>

Author: pierluigilenoci

helm/oauth2-proxy/templates/_helpers.tpl

@@ -164,14 +164,13 @@ metricsServer:
 {{- end -}}
 
 {{- define "oauth2-proxy.secrets" -}}
-{{- $secretKeys := .Values.config.secretKeys | default (list "client-id" "client-secret" "cookie-secret") -}}
-{{- if has "cookie-secret" $secretKeys }}
+{{- if has "cookie-secret" .Values.config.requiredSecretKeys }}
 cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
 {{- end }}
-{{- if has "client-secret" $secretKeys }}
+{{- if has "client-secret" .Values.config.requiredSecretKeys }}
 client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }}
 {{- end }}
-{{- if has "client-id" $secretKeys }}
+{{- if has "client-id" .Values.config.requiredSecretKeys }}
 client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }}
 {{- end }}
 {{- end -}}

helm/oauth2-proxy/templates/deployment.yaml

@@ -182,22 +182,21 @@ spec:
 {{- end }}
         env:
         {{- if .Values.proxyVarsAsSecrets }}
-        {{- $secretKeys := .Values.config.secretKeys | default (list "client-id" "client-secret" "cookie-secret") }}
-        {{- if has "client-id" $secretKeys }}
+        {{- if has "client-id" .Values.config.requiredSecretKeys }}
         - name: OAUTH2_PROXY_CLIENT_ID
           valueFrom:
             secretKeyRef:
               name:  {{ template "oauth2-proxy.secretName" . }}
               key: client-id
         {{- end }}
-        {{- if has "client-secret" $secretKeys }}
+        {{- if has "client-secret" .Values.config.requiredSecretKeys }}
         - name: OAUTH2_PROXY_CLIENT_SECRET
           valueFrom:
             secretKeyRef:
               name:  {{ template "oauth2-proxy.secretName" . }}
               key: client-secret
         {{- end }}
-        {{- if has "cookie-secret" $secretKeys }}
+        {{- if has "cookie-secret" .Values.config.requiredSecretKeys }}
         - name: OAUTH2_PROXY_COOKIE_SECRET
           valueFrom:
             secretKeyRef:

helm/oauth2-proxy/values.yaml

@@ -23,15 +23,17 @@ config:
   clientID: "XXXXXXX"
   # OAuth client secret
   clientSecret: "XXXXXXXX"
-  # List of secret keys to include in the secret and expose as environment variables
-  # If not set, defaults to all three secrets: ["client-id", "client-secret", "cookie-secret"]
-  # Useful for authentication methods that don't require a client secret
-  # (e.g., Azure Entra ID federated token authentication)
+  # List of secret keys to include in the secret and expose as environment variables.
+  # By default, all three secrets are required. To exclude certain secrets
+  # (e.g., when using federated token authentication), remove them from this list.
   # Example to exclude client-secret:
-  # secretKeys:
+  # requiredSecretKeys:
   #   - client-id
   #   - cookie-secret
-  secretKeys: []
+  requiredSecretKeys:
+    - client-id
+    - client-secret
+    - cookie-secret
   # Create a new secret with the following command
   # openssl rand -base64 32 | head -c 32 | base64
   # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)