Add tpl support for ingress.labels, ingress.extraPaths and nodeSelector

[treydock]

Description

Add deploymentLabels

Allow templated ingress labels, ingress extraPaths and nodeSelector

If you had previously used literal {{ or }} in ingress.labels, ingress.extraPaths, or nodeSelector then those literals must now be escaped. Example:

Before:

ingress:
  enabled: true
  labels:
    test-literal: '{{ not-a-function }}'

After:

ingress:
  enabled: true
  labels:
    test-literal: '{{ "{{" }} not-a-function {{ "}}" }}'

Checklist:

• I have bumped the version in the Chart.yaml according to Semantic Versioning.
• I have updated the documentation/CHANGELOG at the bottom of the Chart.yaml
• I have signed off all my commits.
• (Optional) I have updated the Chart.lock for dependency updates
• (Optional) I have implemented helm tests for new feature flags

[Copilot]

Pull request overview

This PR extends the helm/oauth2-proxy chart’s Ingress templating capabilities by allowing Helm tpl evaluation within ingress.labels and ingress.extraPaths, and updates CI values and chart metadata accordingly.

Changes:

• Add tpl rendering for ingress.labels and ingress.extraPaths in the Ingress template.
• Extend the CI tpl-values.yaml to cover templated ingress.labels and ingress.extraPaths.
• Bump chart version and update the ArtifactHub changelog entry/link.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
helm/oauth2-proxy/templates/ingress.yaml	Wraps ingress.labels and ingress.extraPaths YAML rendering with tpl to support templated values.
helm/oauth2-proxy/ci/tpl-values.yaml	Adds CI coverage values for the new templated Ingress fields.
helm/oauth2-proxy/Chart.yaml	Version bump and ArtifactHub changelog update referencing this PR.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pierluigilenoci]

@treydock, can you check the Copilot conversation?

[treydock]

@pierluigilenoci I think some of the Copilot suggestions were incorrect but one suggestion was made to use nindent and strip leading spaces so made that change to both places I modified.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[treydock]

@pierluigilenoci Let me know if any additional changes are required

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[tuunit]

Could we stop opening a single PRs for each next element we want to add tpl to? Could we please just open one large PR for this?

[treydock]

There was one large PR, but I missed a few things as I had intended to only open 1 PR. I can expand this PR to use tpl in more places but that becomes a challenge if every tpl usage requires some kind of testing values change as likely not all things can be tested with simple chart testing deployments on Github Actions.

[treydock]

@tuunit Let me know if you'd like me to update this PR to template most/all values with tpl.

[treydock]

@pierluigilenoci @tuunit Let me know if you'd like me to expand more values to use tpl or if this can be merged as-is.

[pierluigilenoci]

Hi @treydock, thanks for this PR! The idea of adding tpl support to these fields is solid and aligns with how ingress.annotations and deploymentAnnotations already work.

However, after testing locally, this is a breaking change for existing users. Wrapping toYaml with tpl() means that any existing values containing literal {{ }} sequences (which previously rendered verbatim) will now be evaluated as Go template expressions and fail with a parse error if they are not valid template functions.

Reproduction:

nodeSelector:
  custom-label: "value-with-{{ literal }}-braces"

• Before (main): renders as custom-label: value-with-{{ literal }}-braces ✅
• After (this PR): fails with error calling tpl: cannot parse template [...]: function "literal" not defined ❌

Same behavior confirmed for ingress.labels and ingress.extraPaths.

Required changes

1. Version bump must be a major version (11.0.0 instead of 10.5.0) — this is a behavioral breaking change per SemVer. Users with literal {{ }} in these fields will get errors on upgrade.

2. Changelog must reflect the breaking change:

   - kind: changed
     description: |
       BREAKING: ingress.labels, ingress.extraPaths, and nodeSelector are now
       evaluated as Go templates via tpl(). Values containing literal {{ }}
       sequences must be escaped (e.g., use {{ "{{" }} or quote the value).

3. Add migration docs in the PR description explaining how users should escape literal {{ }} (using {{ "{{" }} and {{ "}}" }}).

4. Add a CI test value file that explicitly tests the escaping pattern to prevent regressions — something like:

   # ci/tpl-escape-values.yaml
   nodeSelector:
     test-literal: '{{ "{{" }} not-a-function {{ "}}" }}'
   ingress:
     enabled: true
     labels:
       test-literal: '{{ "{{" }} not-a-function {{ "}}" }}'
     hosts:
       - example.local
     paths:
       - /

5. The deploymentLabels addition is fine (new field, non-breaking). But since it's bundled with a breaking change, the major version bump covers both.

Let me know if you need help with any of these changes!

[treydock]

@pierluigilenoci I made the requested changes. However this test I don't believe will work:

nodeSelector:
  test-literal: '{{ "{{" }} not-a-function {{ "}}" }}'

During the automated Helm testing, the nodeSelector would not be a valid node label and prevent the pod from starting during the Helm tests. I did the other tests but left off the nodeSelector part.

[treydock]

@pierluigilenoci The Helm testing failed because { and } are not valid characters for labels. Maybe the breaking change really isn't breaking since Kubernetes doesn't allow those characters.

	* Ingress.networking.k8s.io "oauth2-proxy-kln9lw335p" is invalid: metadata.labels: Invalid value: "{{ not-a-function }}": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

https://github.com/oauth2-proxy/manifests/actions/runs/25811007946/job/75826967750?pr=400

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[pierluigilenoci]

@treydock You're absolutely right — I verified this against a live cluster and the Kubernetes API server rejects {{ }} in all the fields this PR touches:

• nodeSelector values → label values, regex (([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?
• ingress.labels values → same label value regex
• ingress.extraPaths fields → path (URL), service name (DNS label), port name (IANA)

None of these accept { or } as valid characters, so nobody could have had literal {{ }} in these fields and had a working deployment. The "breaking change" is theoretical, not practical.

My apologies for the noise — the major version bump to 11.0.0 is not needed. A minor bump (10.5.0) is the correct choice here since this adds new functionality without actually breaking any real-world configuration.

CI is green, the changes look good. 👍

[treydock]

@pierluigilenoci I put the change back to 10.5.0.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.