Signing key in secret (#66)
* Add proxy.signingKey parameter

Signed-off-by: Thomas Sontheimer <[email protected]>

* Remove namespace from secrets templates

Signed-off-by: Thomas Sontheimer <[email protected]>
tgomas authored Mar 28, 2020
1 parent 75541b6 commit 80ae533
Showing 8 changed files with 85 additions and 9 deletions.
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 6.0.4
version: 6.0.5
appVersion: 0.6.2
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo-long.svg
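Review bot: a patch bump to `version: 6.0.5` understates this change. The chart now renders an additional Secret, wires a new `SIGNING_KEY` environment variable into the proxy Deployment, and existing releases need an operator action on upgrade (the new secret is only created by a `pre-install` hook unless `config.forceGenerateSigningKey` is set); a minor bump with an upgrade note in the README would signal that.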
33 changes: 31 additions & 2 deletions charts/pomerium/README.md
@@ -82,7 +82,11 @@ In default configuration, this chart will automatically generate TLS certificate
Upon delete, you will need to manually delete the generated secrets. Example:

```console
kubectl delete secret -l app.kubernetes.io/name=pomerium
kubectl delete secret pomerium-authenticate-tls
kubectl delete secret pomerium-authorize-tls
kubectl delete secret pomerium-ca-tls
kubectl delete secret pomerium-cache-tls
kubectl delete secret pomerium-proxy-tls
```

You may force recreation of your TLS certificates by setting `config.forceGenerateTLS` to `true`. Delete any existing TLS secrets first to prevent errors, and make sure you set back to `false` for your next helm upgrade command or your deployment will fail due to existing Secrets.
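Review bot: the five explicit `kubectl delete secret` names replacing the label selector hardcode a release named `pomerium`; the helpers in `_helpers.tpl` derive every secret name from `.Release.Name`, so for any other release name this list deletes nothing. Either keep the label-based form or say that the names assume the release is called `pomerium`. The generated signing-key secret documented further down belongs in the same cleanup list rather than in a second one.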
@@ -91,11 +95,32 @@ You may force recreation of your TLS certificates by setting `config.forceGenera

If you wish to provide your own TLS certificates in secrets, you should:

1. turn `generateTLS` to `false`
1. turn `config.generateTLS` to `false`
2. specify `authenticate.existingTLSSecret`, `authorize.existingTLSSecret`, and `proxy.existingTLSSecret`, pointing at the appropriate TLS certificate for each service.

All services can share the secret if appropriate.

## Signing Key

### Auto Generation

In default configuration, this chart will automatically generate a signing key in a helm `pre-install` hook for the Pomerium proxy to sign jwt sent in responses.

Upon delete, you will need to manually delete the generated secret. Example:

```console
kubectl delete secret pomerium-proxy-signing-key
```

You may force recreation of your signing key by setting `config.forceGenerateSigningKey` to `true`. Delete already existing signing key secret first to prevent errors, and make sure you set back to `false` for your next helm upgrade command or your deployment will fail due to existing Secret.

### Self Provisioned

If you wish to provide your own signing key in secret, you should:

1. turn `config.generateSigningKey` to `false`
2. specify `proxy.existingSigningKeySecret` with secret's name

## Configuration

A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/reference/reference.html).
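Review bot: the "Self Provisioned" steps at the end of this hunk document only `proxy.existingSigningKeySecret`, yet the commit's subject is the new `proxy.signingKey` value, which `signing-key-secret.yaml` turns into a Secret only when `config.generateSigningKey` is `false` and no existing secret is named; add a step for it and state the contract an existing secret must meet: key `signing-key`, value the base64-encoded PEM private key, which is what `proxy-deployment.yaml` reads via `secretKeyRef`. Two wording points: "jwt" should be "JWT", and "Delete already existing signing key secret first" reads better as "Delete any existing signing key secret first", matching the TLS paragraph above.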
@@ -109,6 +134,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `config.existingSecret` | Name of the existing Kubernetes Secret. | |
| `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | |
| `config.existingCASecret` | Name of the existing CA Secret. | |
| `config.generateSigningKey` | Generate a signing key to sign jwt in proxy responses. Manual signing key can be set in values. | `true` |
| `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |
| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
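Review bot: the `config.generateSigningKey` row says a key is generated but not of which type; `signing-key-secret.yaml` calls `genPrivateKey "ecdsa"`, and an operator who later switches to a self-provisioned key needs to know which algorithm the generated default uses. State it here, e.g. "Generate an ECDSA signing key ...".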
@@ -136,6 +163,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | |
| `proxy.deployment.annotations` | Annotations for the proxy deployment. If none given, then use value of `annotations` | `{}` |
| `proxy.service.annotations` | Annotations for the proxy service. If none given, then use value of `service.annotations` | `{}` |
| `proxy.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | |
| `proxy.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | |
| `authorize.nameOverride` | Name of the authorize service. | `authorize` |
| `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` |
| `authorize.replicaCount` | Number of Authorize pods to run | `1` |
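Review bot: the `proxy.signingKey` row describes the key as used "to sign outbound requests", while the Signing Key section and the `config.generateSigningKey` row describe it as signing the JWT in proxy responses; pick one description and use it in all three places. The "base64 encoded key" wording is correct and matters: the template applies `b64enc` once to this value, so a raw PEM key pasted here would produce a Secret whose decoded content is PEM rather than base64 PEM, unlike the generated key. The `proxy.existingSigningKeySecret` row should name the required key `signing-key`, and both rows read more naturally next to `proxy.existingTLSSecret` than after the annotation rows.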
14 changes: 14 additions & 0 deletions charts/pomerium/templates/_helpers.tpl
@@ -210,6 +210,20 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- end -}}
{{- end -}}

{{/* Determine secret name for Proxy signing key */}}
{{- define "pomerium.proxy.signingKeySecret.name" -}}
{{- if .Values.proxy.existingSigningKeySecret -}}
{{- .Values.proxy.existingSigningKeySecret | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-proxy-signing-key" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-proxy-signing-key" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- define "pomerium.caSecret.name" -}}
{{if .Values.config.existingCASecret }}
{{- .Values.config.existingCASecret | trunc 63 | trimSuffix "-" -}}
5 changes: 5 additions & 0 deletions charts/pomerium/templates/proxy-deployment.yaml
@@ -79,6 +79,11 @@ spec:
secretKeyRef:
name: {{ $secretName }}
key: shared-secret
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.proxy.signingKeySecret.name" . }}
key: signing-key
- name: AUTHENTICATE_SERVICE_URL
value: {{ default (printf "https://authenticate.%s" .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }}
- name: AUTHORIZE_SERVICE_URL
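Review bot: the `SIGNING_KEY` entry is unconditional, but `signing-key-secret.yaml` renders no Secret when `config.generateSigningKey` is `false` and neither `proxy.existingSigningKeySecret` nor `proxy.signingKey` is set, so in that configuration the proxy pod fails to start on a missing secret instead of running without a signing key. Either guard the entry with the same condition as the template, or add `optional: true` to the `secretKeyRef`, and document in `values.yaml` which behaviour is intended. Referencing the secret through `{{ template "pomerium.proxy.signingKeySecret.name" . }}` rather than a captured variable is fine, but it differs from the `{{ $secretName }}` style used for `shared-secret` just above.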
1 change: 0 additions & 1 deletion charts/pomerium/templates/secret.yaml
@@ -8,7 +8,6 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
cookie-secret: {{ default (randAscii 32 | b64enc | b64enc) (.Values.config.cookieSecret | b64enc )}}
30 changes: 30 additions & 0 deletions charts/pomerium/templates/signing-key-secret.yaml
@@ -0,0 +1,30 @@
{{- define "pomerium.proxy.signingKeySecretObject" -}}
apiVersion: v1
kind: Secret
metadata:
labels:
app.kubernetes.io/name: {{ template "pomerium.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations:
helm.sh/hook-delete-policy: before-hook-creation
{{- if .Values.config.forceGenerateSigningKey }}
helm.sh/hook: pre-upgrade
{{- else if .Values.config.generateSigningKey }}
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.proxy.signingKeySecret.name" . }}
type: Opaque
data:
{{- end -}}

{{- if and .Values.config.generateSigningKey (or .Release.IsInstall .Values.config.forceGenerateSigningKey) }}
{{ template "pomerium.proxy.signingKeySecretObject" . }}
signing-key: {{ genPrivateKey "ecdsa" | b64enc | b64enc }}
{{- else if not .Values.config.generateSigningKey }}
{{- if and (not .Values.proxy.existingSigningKeySecret) .Values.proxy.signingKey }}
{{ template "pomerium.proxy.signingKeySecretObject" . }}
signing-key: {{ .Values.proxy.signingKey | b64enc }}
{{- end }}
{{- end }}
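Review bot: the condition `and .Values.config.generateSigningKey (or .Release.IsInstall .Values.config.forceGenerateSigningKey)` means an existing release upgraded to this chart version with default values never gets a signing-key Secret, while `proxy-deployment.yaml` now requires one; upgraders must set `config.forceGenerateSigningKey: true` once, which the README does not say. A second gap is a fresh install with `forceGenerateSigningKey: true`: the first annotation branch wins and emits `helm.sh/hook: pre-upgrade`, which does not fire on install, so the Secret is never created. Test `.Release.IsInstall` before the force flag, or emit `pre-install,pre-upgrade`. Minor: in the self-provisioned branch the object still carries `helm.sh/hook-delete-policy: before-hook-creation` without any `helm.sh/hook`; move the delete-policy annotation under the hook conditionals. The double `b64enc` on `genPrivateKey "ecdsa"` is correct (base64 PEM for Pomerium, base64 again for Secret `data`) and matches the single `b64enc` applied to the user-supplied base64 `proxy.signingKey`.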
5 changes: 0 additions & 5 deletions charts/pomerium/templates/tls-secrets.yaml
@@ -34,7 +34,6 @@ metadata:
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.authenticate.tlsSecret.name" . }}
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- end -}}
@@ -56,7 +55,6 @@ metadata:
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.authorize.tlsSecret.name" . }}
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- end -}}
@@ -78,7 +76,6 @@ metadata:
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.cache.tlsSecret.name" . }}
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- end -}}
@@ -100,7 +97,6 @@ metadata:
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.proxy.tlsSecret.name" . }}
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- end -}}
@@ -122,7 +118,6 @@ metadata:
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.caSecret.name" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
{{- end -}}
4 changes: 4 additions & 0 deletions charts/pomerium/values.yaml
@@ -18,6 +18,8 @@ config:
cookieSecret: ""
generateTLS: true
forceGenerateTLS: false
generateSigningKey: true
forceGenerateSigningKey: false
extraOpts: {}
existingPolicy: ""
administrators: ""
@@ -89,6 +91,8 @@ proxy:
key: ""
defaultSANList: []
defaultIPList: []
existingSigningKeySecret: ""
signingKey: ""
replicaCount: 1
authenticateServiceUrl: ""
authorizeInternalUrl: ""
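Review bot: `signingKey: ""` invites operators to paste a private key into a values file, which ends up both in version-controlled values and in the release record Helm keeps in the cluster. Add a comment above it stating that `existingSigningKeySecret` is the preferred route, that the secret must expose the key under `signing-key`, and that `signingKey` expects the base64-encoded PEM key (the template base64-encodes it only once more for the Secret).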

0 comments on commit 80ae533