diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml index b3818a60..c0b8d004 100644 --- a/charts/pomerium/Chart.yaml +++ b/charts/pomerium/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: pomerium -version: 6.0.3 +version: 6.0.4 appVersion: 0.6.2 home: http://www.pomerium.io/ icon: https://www.pomerium.io/logo-long.svg diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md index e61a058c..dd7b5c21 100644 --- a/charts/pomerium/README.md +++ b/charts/pomerium/README.md @@ -61,7 +61,7 @@ The command removes nearly all the Kubernetes components associated with the cha ## Pomerium Operator (EXPERIMENTAL) -To provide dynamic pomerium configuration, an [operator](https://github.com/pomerium/pomerium-operator) is being introduced to this chart. +To provide dynamic pomerium configuration, an [operator](https://github.com/pomerium/pomerium-operator) is being introduced to this chart. To enable pomerium-operator, set `operator.enabled` to `true`. Your existing values should continue to work as-is. Enabling it will allow you to take advantage of `Service` and `Ingress` annotations to dynamically configure pomerium policies. @@ -105,6 +105,7 @@ A full listing of Pomerium's configuration variables can be found on the [config | `nameOverride` | Name of the chart. | `pomerium` | | `fullnameOverride` | Full name of the chart. | `pomerium` | | `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | +| `config.administrators` | Comma seperated list of email addresses of administrative users [See more](https://www.pomerium.io/configuration/#administrators). | Optional | | `config.existingSecret` | Name of the existing Kubernetes Secret. | | | `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | | | `config.existingCASecret` | Name of the existing CA Secret. | | 
diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
index 1e21a56d..15b63b5a 100644
--- a/charts/pomerium/templates/authenticate-deployment.yaml
+++ b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 annotations:
 {{- /* policy is already covered by hot-reloading */}}
 {{- if not .Values.operator.enabled }}
- checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+ checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
 {{- end }}
 checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml
index a04002b0..9843ec04 100644
--- a/charts/pomerium/templates/authorize-deployment.yaml
+++ b/charts/pomerium/templates/authorize-deployment.yaml
@@ -33,7 +33,7 @@ spec:
 annotations:
 {{- /* policy is already covered by hot-reloading */}}
 {{- if not .Values.operator.enabled }}
- checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+ checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
 {{- end }}
 checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
diff --git a/charts/pomerium/templates/cache-deployment.yaml b/charts/pomerium/templates/cache-deployment.yaml
index 69f64759..a2f5a2f4 100644
--- a/charts/pomerium/templates/cache-deployment.yaml
+++ b/charts/pomerium/templates/cache-deployment.yaml
@@ -31,7 +31,7 @@ spec:
 annotations:
 {{- /* policy is already covered by hot-reloading */}}
 {{- if not .Values.operator.enabled }}
- checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+ checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
 {{- end }}
 checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
diff --git a/charts/pomerium/templates/configmap.yaml b/charts/pomerium/templates/configmap.yaml index ce1d4624..320c8be2 100644 --- a/charts/pomerium/templates/configmap.yaml +++ b/charts/pomerium/templates/configmap.yaml @@ -35,6 +35,9 @@ data: {{- if and .Values.config.existingPolicy .Values.config.policy }} {{ fail "Cannot use config.policy with config.existingPolicy" }} {{- end }} +{{- if .Values.config.administrators }} + administrators: {{ .Values.config.administrators | quote }} +{{- end -}} {{- if .Values.config.extraOpts }} {{ toYaml .Values.config.extraOpts | indent 4 -}} {{- end -}} @@ -55,7 +58,7 @@ data: forward_auth_url: https://{{ template "pomerium.forwardAuth.name" . }} {{- end -}} {{- if .Values.config.policy }} - policy: + policy: {{ toYaml .Values.config.policy | indent 6 }} {{- end -}} {{- end }} @@ -73,4 +76,4 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/pomerium/templates/proxy-deployment.yaml b/charts/pomerium/templates/proxy-deployment.yaml index 1c8cf3d0..fa2ea08e 100644 --- a/charts/pomerium/templates/proxy-deployment.yaml +++ b/charts/pomerium/templates/proxy-deployment.yaml @@ -25,7 +25,7 @@ metadata: spec: replicas: {{ default .Values.replicaCount .Values.proxy.replicaCount }} selector: - matchLabels: + matchLabels: app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} template: @@ -33,7 +33,7 @@ spec: annotations: {{- /* policy is already covered by hot-reloading */}} {{- if not .Values.operator.enabled }} - checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} {{- end }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} 
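Review bot: In the first configmap.yaml hunk the new `administrators` key is rendered into the ConfigMap, but the `checksum/config` annotation in the four deployment templates this commit touches still hashes only `.Values.config.extraOpts`, so with `operator.enabled` false a change to the administrator list leaves the pod template unchanged and does not roll the pods by itself. Whether Pomerium hot-reloads this option is not visible here; if it does not, removing an address from the list would leave that user with administrative access until the next restart. Consider hashing both values, e.g. `checksum/config: {{ print .Values.config.extraOpts .Values.config.administrators | sha256sum }}`. A short template comment above the new block would also help, such as `{{- /* comma-separated e-mail addresses granted administrative access; key is omitted when the value is empty */}}`.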
diff --git a/charts/pomerium/templates/secret.yaml b/charts/pomerium/templates/secret.yaml index 0800f172..251e84b2 100644 --- a/charts/pomerium/templates/secret.yaml +++ b/charts/pomerium/templates/secret.yaml @@ -19,4 +19,3 @@ data: idp-service-account: {{ .Values.authenticate.idp.serviceAccount | b64enc }} {{- end }} {{- end }} - diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml index 7daa5ed6..80f7d946 100644 --- a/charts/pomerium/values.yaml +++ b/charts/pomerium/values.yaml @@ -20,6 +20,7 @@ config: forceGenerateTLS: false extraOpts: {} existingPolicy: "" + administrators: "" policy: [] authenticate: