v6.0.0 - Add experimental pomerium-operator support, deprecate legacy TLS Secret support (#61)
travisgroth authored Feb 19, 2020
1 parent 193e94a commit 9827a7c
Showing 16 changed files with 425 additions and 150 deletions.
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 5.0.6
version: 6.0.0
appVersion: 0.6.2
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo-long.svg
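Review bot: the jump from 5.0.6 to 6.0.0 is justified because `config.existingLegacyTLSSecret` is removed outright elsewhere in this commit, but `appVersion` stays at 0.6.2, so the 6.0.0 changelog entry should say explicitly that the Pomerium application version is unchanged and that the major bump is for the chart-level breaking change only.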
28 changes: 27 additions & 1 deletion charts/pomerium/README.md
@@ -6,12 +6,14 @@
- [TL;DR;](#tldr)
- [Install the chart](#install-the-chart)
- [Uninstalling the Chart](#uninstalling-the-chart)
- [Pomerium Operator (EXPERIMENTAL)](#pomerium-operator-experimental)
- [TLS Certificates](#tls-certificates)
- [Ingress Controller Annotations](#ingress-controller-annotations)
- [Auto Generation](#auto-generation)
- [Self Provisioned](#self-provisioned)
- [Configuration](#configuration)
- [Changelog](#changelog)
- [6.0.0](#600)
- [5.0.0](#500)
- [4.0.0](#400)
- [3.0.0](#300)
@@ -57,6 +59,16 @@ helm delete --purge my-release

The command removes nearly all the Kubernetes components associated with the chart and deletes the release.

## Pomerium Operator (EXPERIMENTAL)

To provide dynamic pomerium configuration, an [operator](https://github.com/pomerium/pomerium-operator) is being introduced to this chart.

To enable pomerium-operator, set `operator.enabled` to `true`. Your existing values should continue to work as-is. Enabling it will allow you to take advantage of `Service` and `Ingress` annotations to dynamically configure pomerium policies.

See https://github.com/pomerium/pomerium-operator#using for information on how to use these annotations.

Operator based deplyoment is experimental. Please report any issues!

## TLS Certificates

### Ingress Controller Annotations
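Review bot: the statement that existing values "continue to work as-is" with `operator.enabled` set to `true` needs a caveat, because the authenticate deployment template in this same commit stops emitting the `checksum/config` pod annotation when the operator is enabled, so a change to `config.extraOpts` will no longer roll the pods. This section should also spell out the trust boundary it introduces: once policies are driven by `Service` and `Ingress` annotations, anyone who can write a `Service` or `Ingress` carrying the watched `kubernetes.io/ingress.class` / `kubernetes.io/service.class` value (default `pomerium`) can change Pomerium's access policy, so RBAC on those objects becomes part of the security model. Minor: "deplyoment" in the last paragraph is misspelled.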
@@ -95,7 +107,6 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` |
| `config.existingSecret` | Name of the existing Kubernetes Secret. | |
| `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | |
| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` |
| `config.existingCASecret` | Name of the existing CA Secret. | |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |
@@ -157,9 +168,24 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `cache.fullnameOverride` | Full name of the cache service. | `cache` |
| `cache.replicaCount` | Number of cache pods to run | `1` |
| `cache.existingTLSSecret` | Name of existing TLS Secret for authorize service |
| `operator.enabled` | Enable experimental pomerium operator support | false |
| `operator.nameOverride` | Name of the operator | `operator` |
| `operator.fullnameOverride` | Full name of the operator | `operator` |
| `operator.replicaCount` | Number of operator pods to run | `1` |
| `operator.image.repository` | Pomerium Operator image | `pomerium/pomerium-operator` |
| `operator.image.tag` | Pomerium Operator image tag | `v0.0.1-rc1` |
| `operator.config.ingressClass` | `kubernetes.io/ingress.class` for the operator to monitor | `pomerium` |
| `operator.config.serviceClass` | `kubernetes.io/service.class` for the operator to monitor | `pomerium` |
| `operator.config.debug` | Enable Pomerium Operator debug logging | `false` |
| `operator.deployment.annotations` | Annotations for the operator deployment. | `{}` |

## Changelog

### 6.0.0

- Integrate pomerium operator
- Remove legacy TLS config support. See [v3.0.0 Upgrade Notes](#300-1) to migrate

### 5.0.0

- Upgrade to Pomerium v0.6.0
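Review bot: `operator.enabled` lists its default as bare `false` while every other row wraps the default in backticks; make it `` `false` `` for consistency. The pinned `operator.image.tag` of `v0.0.1-rc1` is a release candidate, which fits the EXPERIMENTAL label but should be called out in the 6.0.0 changelog so users know they are pulling a pre-release image. The changelog bullet says "Remove legacy TLS config support" while the commit title says "deprecate"; the helper changes in this commit delete the code path, so "remove" is accurate and the title should match. Unrelated but adjacent: the unchanged `cache.existingTLSSecret` row describes the Secret as being "for authorize service"; it should say cache.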
76 changes: 29 additions & 47 deletions charts/pomerium/templates/_helpers.tpl
@@ -25,6 +25,11 @@
{{- default (printf "%s-cache" .Chart.Name) .Values.cache.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*Expand the name of the operator .*/}}
{{- define "pomerium.operator.name" -}}
{{- default (printf "%s-operator" .Chart.Name) .Values.operator.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -99,6 +104,20 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}

{{/* operator fully qualified name. Truncated at 63 chars. */}}
{{- define "pomerium.operator.fullname" -}}
{{- if .Values.operator.fullnameOverride -}}
{{- .Values.operator.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-operator" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-operator" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*Create chart name and version as used by the chart label.*/}}
{{- define "pomerium.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
@@ -137,9 +156,6 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- define "pomerium.authenticate.tlsSecret.name" -}}
{{- if .Values.authenticate.existingTLSSecret -}}
{{- .Values.authenticate.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{ template "pomerium.fullname" . }}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
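Review bot: dropping the `existingLegacyTLSSecret` branch here (and in the authorize, proxy and CA helpers below) is a silent behaviour change: a user who upgrades with `config.existingLegacyTLSSecret` still set gets no error, and the template falls through to the chart's generated Secret name instead of the `pomerium.fullname` Secret they were relying on, so the service is quietly pointed at a different certificate. Since this is a major-version removal, fail the render when the removed value is present, e.g. `{{- if .Values.config.existingLegacyTLSSecret }}{{ fail "config.existingLegacyTLSSecret was removed in chart 6.0.0; see the README upgrade notes" }}{{- end }}` in one shared helper, rather than letting stale values degrade to a different Secret.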
@@ -154,9 +170,6 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- define "pomerium.authorize.tlsSecret.name" -}}
{{- if .Values.authorize.existingTLSSecret -}}
{{- .Values.authorize.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{ template "pomerium.fullname" . }}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
@@ -185,9 +198,6 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- define "pomerium.proxy.tlsSecret.name" -}}
{{- if .Values.proxy.existingTLSSecret -}}
{{- .Values.proxy.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{ template "pomerium.fullname" . }}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
@@ -198,41 +208,9 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- end -}}
{{- end -}}

{{/* Set up secret data field names for each service */}}
{{- define "pomerium.proxy.tlsSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.crt" "proxy-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
{{- define "pomerium.proxy.tlsSecret.keyName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.key" "proxy-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}

{{- define "pomerium.authenticate.tlsSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.crt" "authenticate-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
{{- define "pomerium.authenticate.tlsSecret.keyName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.key" "authenticate-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}

{{- define "pomerium.authorize.tlsSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.crt" "authorize-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
{{- define "pomerium.authorize.tlsSecret.keyName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.key" "authorize-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}


{{- define "pomerium.caSecret.name" -}}
{{if .Values.config.existingCASecret }}
{{- .Values.config.existingCASecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{- template "pomerium.fullname" . -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
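Review bot: with the `*.tlsSecret.certName` / `*.tlsSecret.keyName` helpers gone, every consumer now hardcodes the `tls.crt` / `tls.key` key names (the standard `kubernetes.io/tls` layout), and the old `proxy-cert` / `authenticate-key` style keys are no longer looked up. The README rows for `authenticate.existingTLSSecret`, `authorize.existingTLSSecret`, `proxy.existingTLSSecret` and `cache.existingTLSSecret` should state that the referenced Secret must use `tls.crt` and `tls.key`, and `config.existingCASecret` must use `ca.crt`, so users bringing their own Secrets know what the mounts expect.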
@@ -243,13 +221,17 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- end -}}
{{- end -}}

{{- define "pomerium.caSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "ca.crt" "ca-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}


{{/*Expand the FQDN of the forward-auth endpoint.*/}}
{{- define "pomerium.forwardAuth.name" -}}
{{- default (printf "forwardauth.%s" .Values.config.rootDomain ) .Values.forwardAuth.nameOverride -}}
{{- end -}}

{{/*Expand the serviceAccountName for the operator */}}
{{- define "pomerium.operator.serviceAccountName" -}}
{{- default (printf "%s-operator" ( include "pomerium.fullname" .) ) .Values.forwardAuth.nameOverride -}}
{{- end -}}

{{/*Expand the configMap for operator election */}}
{{- define "pomerium.operator.electionConfigMap" -}}
{{- printf "%s-election" ( include "pomerium.operator.name" .) -}}
{{- end -}}
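Review bot: `pomerium.operator.serviceAccountName` uses `.Values.forwardAuth.nameOverride` as its override, which looks copied from the `pomerium.forwardAuth.name` helper directly above it. That value is the FQDN of the forward-auth endpoint, so anyone who sets it would also rename the operator's ServiceAccount to that FQDN and detach the operator from whatever RoleBinding targets the intended account. Use an operator-specific value instead (e.g. a new `operator.serviceAccountName`), and build the default from `pomerium.operator.fullname` rather than `pomerium.fullname` + `-operator` so it matches the other operator helpers in this file. Likewise `pomerium.operator.electionConfigMap` derives from `pomerium.operator.name`, which does not include the release name, so two releases in the same namespace would contend for one leader-election ConfigMap; derive it from `pomerium.operator.fullname`.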
20 changes: 10 additions & 10 deletions charts/pomerium/templates/authenticate-deployment.yaml
@@ -30,7 +30,9 @@ spec:
metadata:
annotations:
{{- /* policy is already covered by hot-reloading */}}
checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
{{- if not .Values.operator.enabled }}
checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
{{- end }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
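Review bot: gating `checksum/config` on `not .Values.operator.enabled` means that with the operator on, a change to `config.extraOpts` no longer triggers a rollout of the authenticate pods. The checksum is computed over `.Values.config.extraOpts` only, not over the rendered ConfigMap, so it cannot interfere with a ConfigMap the operator manages; unless `extraOpts` is ignored entirely when the operator is enabled, keep the annotation unconditional, and if `extraOpts` is in fact ignored in that mode, say so in the comment above it and in the README.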
@@ -52,9 +54,9 @@ spec:
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if or .Values.config.existingConfig .Values.config.policy }}
{{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }}
- --config=/etc/pomerium/config.yaml
{{- end }}
{{- end }}
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
@@ -132,25 +134,23 @@ spec:
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
{{- if or .Values.config.existingConfig .Values.config.policy }}
{{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }}
- mountPath: /etc/pomerium/
name: config
{{- end }}
{{- end }}
- mountPath: /pomerium/cert.pem
name: service-tls
subPath: {{ template "pomerium.authenticate.tlsSecret.certName" . }}
subPath: tls.crt
- mountPath: /pomerium/privkey.pem
name: service-tls
subPath: {{ template "pomerium.authenticate.tlsSecret.keyName" . }}
subPath: tls.key
- mountPath: /pomerium/ca.pem
name: ca-tls
subPath: {{ template "pomerium.caSecret.certName" . }}
subPath: ca.crt
volumes:
{{- if or .Values.config.existingConfig .Values.config.policy }}
- name: config
configMap:
name: {{ $configName }}
{{- end }}
- name: service-tls
secret:
secretName: {{ template "pomerium.authenticate.tlsSecret.name" . }}
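Review bot: the `volumeMounts` condition now includes `.Values.operator.enabled`, but the matching `volumes:` entry for `config` (the unchanged `{{- if or .Values.config.existingConfig .Values.config.policy }}` block at the bottom of this hunk) was not updated. With `operator.enabled: true` and neither `existingConfig` nor `policy` set, the container mounts a `config` volume that is never declared, and the API server rejects the Pod template. Apply the same `or (...) .Values.operator.enabled` condition to the volume, confirm that `$configName` resolves to the ConfigMap the operator writes in that mode, and check the other deployment templates in this commit for the same mismatch.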
