From 9827a7c2f47b35c55cde1206b8f17ce1dbb4fb23 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Tue, 18 Feb 2020 20:38:53 -0500 Subject: [PATCH] v6.0.0 - Add experimental pomerium-operator support, deprecate legacy TLS Secret support (#61) --- charts/pomerium/Chart.yaml | 2 +- charts/pomerium/README.md | 28 ++++- charts/pomerium/templates/_helpers.tpl | 76 +++++------- .../templates/authenticate-deployment.yaml | 20 ++-- .../templates/authorize-deployment.yaml | 45 ++----- .../pomerium/templates/cache-deployment.yaml | 16 +-- charts/pomerium/templates/clusterrole.yaml | 40 +++++++ .../templates/clusterrolebinding.yaml | 20 ++++ charts/pomerium/templates/configmap.yaml | 34 ++++++ .../templates/operator-deployment.yaml | 113 ++++++++++++++++++ .../pomerium/templates/proxy-deployment.yaml | 45 ++----- charts/pomerium/templates/role.yaml | 52 ++++++++ charts/pomerium/templates/rolebinding.yaml | 20 ++++ charts/pomerium/templates/serviceaccount.yaml | 23 ++++ charts/pomerium/templates/tls-secrets.yaml | 22 ++-- charts/pomerium/values.yaml | 19 ++- 16 files changed, 425 insertions(+), 150 deletions(-) create mode 100644 charts/pomerium/templates/clusterrole.yaml create mode 100644 charts/pomerium/templates/clusterrolebinding.yaml create mode 100644 charts/pomerium/templates/operator-deployment.yaml create mode 100644 charts/pomerium/templates/role.yaml create mode 100644 charts/pomerium/templates/rolebinding.yaml create mode 100644 charts/pomerium/templates/serviceaccount.yaml diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml index c607f294..2f3dd5f4 100644 --- a/charts/pomerium/Chart.yaml +++ b/charts/pomerium/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: pomerium -version: 5.0.6 +version: 6.0.0 appVersion: 0.6.2 home: http://www.pomerium.io/ icon: https://www.pomerium.io/logo-long.svg diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md index 3b4655dc..b2545da4 100644 --- a/charts/pomerium/README.md +++ b/charts/pomerium/README.md 
@@ -6,12 +6,14 @@ - [TL;DR;](#tldr) - [Install the chart](#install-the-chart) - [Uninstalling the Chart](#uninstalling-the-chart) + - [Pomerium Operator (EXPERIMENTAL)](#pomerium-operator-experimental) - [TLS Certificates](#tls-certificates) - [Ingress Controller Annotations](#ingress-controller-annotations) - [Auto Generation](#auto-generation) - [Self Provisioned](#self-provisioned) - [Configuration](#configuration) - [Changelog](#changelog) + - [6.0.0](#600) - [5.0.0](#500) - [4.0.0](#400) - [3.0.0](#300) @@ -57,6 +59,16 @@ helm delete --purge my-release The command removes nearly all the Kubernetes components associated with the chart and deletes the release. +## Pomerium Operator (EXPERIMENTAL) + +To provide dynamic pomerium configuration, an [operator](https://github.com/pomerium/pomerium-operator) is being introduced to this chart. + +To enable pomerium-operator, set `operator.enabled` to `true`. Your existing values should continue to work as-is. Enabling it will allow you to take advantage of `Service` and `Ingress` annotations to dynamically configure pomerium policies. + +See https://github.com/pomerium/pomerium-operator#using for information on how to use these annotations. + +Operator based deplyoment is experimental. Please report any issues! + ## TLS Certificates ### Ingress Controller Annotations 
@@ -95,7 +107,6 @@ A full listing of Pomerium's configuration variables can be found on the [config | `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | | `config.existingSecret` | Name of the existing Kubernetes Secret. | | | `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | | -| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` | | `config.existingCASecret` | Name of the existing CA Secret. | | | `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | | `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | 
@@ -157,9 +168,24 @@ A full listing of Pomerium's configuration variables can be found on the [config | `cache.fullnameOverride` | Full name of the cache service. | `cache` | | `cache.replicaCount` | Number of cache pods to run | `1` | | `cache.existingTLSSecret` | Name of existing TLS Secret for authorize service | +| `operator.enabled` | Enable experimental pomerium operator support | false | +| `operator.nameOverride` | Name of the operator | `operator` | +| `operator.fullnameOverride` | Full name of the operator | `operator` | +| `operator.replicaCount` | Number of operator pods to run | `1` | +| `operator.image.repository` | Pomerium Operator image | `pomerium/pomerium-operator` | +| `operator.image.tag` | Pomerium Operator image tag | `v0.0.1-rc1` | +| `operator.config.ingressClass` | `kubernetes.io/ingress.class` for the operator to monitor | `pomerium` | +| `operator.config.serviceClass` | `kubernetes.io/service.class` for the operator to monitor | `pomerium` | +| `operator.config.debug` | Enable Pomerium Operator debug logging | `false` | +| `operator.deployment.annotations` | Annotations for the operator deployment. | `{}` | ## Changelog +### 6.0.0 + +- Integrate pomerium operator +- Remove legacy TLS config support. See [v3.0.0 Upgrade Notes](#300-1) to migrate + ### 5.0.0 - Upgrade to Pomerium v0.6.0 diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl index c587ddb3..ffc0c07a 100644 --- a/charts/pomerium/templates/_helpers.tpl +++ b/charts/pomerium/templates/_helpers.tpl 
@@ -25,6 +25,11 @@ {{- default (printf "%s-cache" .Chart.Name) .Values.cache.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/*Expand the name of the operator .*/}} +{{- define "pomerium.operator.name" -}} +{{- default (printf "%s-operator" .Chart.Name) .Values.operator.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). @@ -99,6 +104,20 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} +{{/* operator fully qualified name. Truncated at 63 chars. */}} +{{- define "pomerium.operator.fullname" -}} +{{- if .Values.operator.fullnameOverride -}} +{{- .Values.operator.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-operator" .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-operator" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + {{/*Create chart name and version as used by the chart label.*/}} {{- define "pomerium.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} @@ -137,9 +156,6 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates {{- define "pomerium.authenticate.tlsSecret.name" -}} {{- if .Values.authenticate.existingTLSSecret -}} {{- .Values.authenticate.existingTLSSecret | trunc 63 | trimSuffix "-" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- else if .Values.config.existingLegacyTLSSecret -}} -{{ template "pomerium.fullname" . }} {{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- if contains $name .Release.Name -}} 
@@ -154,9 +170,6 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates {{- define "pomerium.authorize.tlsSecret.name" -}} {{- if .Values.authorize.existingTLSSecret -}} {{- .Values.authorize.existingTLSSecret | trunc 63 | trimSuffix "-" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- else if .Values.config.existingLegacyTLSSecret -}} -{{ template "pomerium.fullname" . }} {{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- if contains $name .Release.Name -}} @@ -185,9 +198,6 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates {{- define "pomerium.proxy.tlsSecret.name" -}} {{- if .Values.proxy.existingTLSSecret -}} {{- .Values.proxy.existingTLSSecret | trunc 63 | trimSuffix "-" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- else if .Values.config.existingLegacyTLSSecret -}} -{{ template "pomerium.fullname" . }} {{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- if contains $name .Release.Name -}} 
@@ -198,41 +208,9 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates {{- end -}} {{- end -}} -{{/* Set up secret data field names for each service */}} -{{- define "pomerium.proxy.tlsSecret.certName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "tls.crt" "proxy-cert" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} -{{- define "pomerium.proxy.tlsSecret.keyName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "tls.key" "proxy-key" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} - -{{- define "pomerium.authenticate.tlsSecret.certName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "tls.crt" "authenticate-cert" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} -{{- define "pomerium.authenticate.tlsSecret.keyName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "tls.key" "authenticate-key" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} - -{{- define "pomerium.authorize.tlsSecret.certName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "tls.crt" "authorize-cert" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} -{{- define "pomerium.authorize.tlsSecret.keyName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "tls.key" "authorize-key" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} - - {{- define "pomerium.caSecret.name" -}} {{if .Values.config.existingCASecret }} {{- .Values.config.existingCASecret | trunc 63 | trimSuffix "-" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- else if .Values.config.existingLegacyTLSSecret -}} -{{- template "pomerium.fullname" . -}} {{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} {{- if contains $name .Release.Name -}} 
@@ -243,13 +221,17 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates {{- end -}} {{- end -}} -{{- define "pomerium.caSecret.certName" -}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- printf "%s" (ternary "ca.crt" "ca-cert" (empty .Values.config.existingLegacyTLSSecret)) -}} -{{- end -}} - - {{/*Expand the FQDN of the forward-auth endpoint.*/}} {{- define "pomerium.forwardAuth.name" -}} {{- default (printf "forwardauth.%s" .Values.config.rootDomain ) .Values.forwardAuth.nameOverride -}} +{{- end -}} + +{{/*Expand the serviceAccountName for the operator */}} +{{- define "pomerium.operator.serviceAccountName" -}} +{{- default (printf "%s-operator" ( include "pomerium.fullname" .) ) .Values.forwardAuth.nameOverride -}} +{{- end -}} + +{{/*Expand the configMap for operator election */}} +{{- define "pomerium.operator.electionConfigMap" -}} +{{- printf "%s-election" ( include "pomerium.operator.name" .) -}} {{- end -}} \ No newline at end of file diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml index 925df0d8..1e21a56d 100644 --- a/charts/pomerium/templates/authenticate-deployment.yaml +++ b/charts/pomerium/templates/authenticate-deployment.yaml @@ -30,7 +30,9 @@ spec: metadata: annotations: {{- /* policy is already covered by hot-reloading */}} - checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- if not .Values.operator.enabled }} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- end }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} 
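Review bot: `pomerium.operator.serviceAccountName` takes its override from `.Values.forwardAuth.nameOverride`, which reads as a copy-paste from the `pomerium.forwardAuth.name` helper directly above it: anyone who sets a forward-auth hostname will have the operator's ServiceAccount and the subject of its RoleBinding and ClusterRoleBinding renamed to that FQDN. No `operator.serviceAccountName` value is documented in this commit's README table, so either drop the override or add a dedicated value, e.g. `{{- default (printf "%s-operator" (include "pomerium.fullname" .)) .Values.operator.serviceAccountName -}}`. The `pomerium.operator.electionConfigMap` helper below it builds the name from `pomerium.operator.name` (chart name plus `nameOverride`) rather than the release-scoped `pomerium.operator.fullname`, so two releases of the chart in one namespace would share a single leader-election ConfigMap; `printf "%s-election" (include "pomerium.operator.fullname" .)` keeps the lock per release.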
@@ -52,9 +54,9 @@ spec: image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - --config=/etc/pomerium/config.yaml -{{- end }} + {{- end }} {{- range $key, $value := .Values.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} @@ -132,25 +134,23 @@ spec: resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - mountPath: /etc/pomerium/ name: config -{{- end }} + {{- end }} - mountPath: /pomerium/cert.pem name: service-tls - subPath: {{ template "pomerium.authenticate.tlsSecret.certName" . }} + subPath: tls.crt - mountPath: /pomerium/privkey.pem name: service-tls - subPath: {{ template "pomerium.authenticate.tlsSecret.keyName" . }} + subPath: tls.key - mountPath: /pomerium/ca.pem name: ca-tls - subPath: {{ template "pomerium.caSecret.certName" . }} + subPath: ca.crt volumes: -{{- if or .Values.config.existingConfig .Values.config.policy }} - name: config configMap: name: {{ $configName }} -{{- end }} - name: service-tls secret: secretName: {{ template "pomerium.authenticate.tlsSecret.name" . }} diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml index 4528e68e..a04002b0 100644 --- a/charts/pomerium/templates/authorize-deployment.yaml +++ b/charts/pomerium/templates/authorize-deployment.yaml 
@@ -32,7 +32,9 @@ spec: metadata: annotations: {{- /* policy is already covered by hot-reloading */}} - checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- if not .Values.operator.enabled }} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- end }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} @@ -54,9 +56,9 @@ spec: image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - --config=/etc/pomerium/config.yaml -{{- end }} + {{- end }} {{- range $key, $value := .Values.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} @@ -72,31 +74,12 @@ spec: secretKeyRef: name: {{ $secretName }} key: shared-secret -{{- /* TODO in future: Remove legacy logic */ -}} -{{- if .Values.config.existingLegacyTLSSecret }} - - name: CERTIFICATE - valueFrom: - secretKeyRef: - name: {{ template "pomerium.authorize.tlsSecret.name" . }} - key: {{ template "pomerium.authorize.tlsSecret.certName" . }} - - name: CERTIFICATE_KEY - valueFrom: - secretKeyRef: - name: {{ template "pomerium.authorize.tlsSecret.name" . }} - key: {{ template "pomerium.authorize.tlsSecret.keyName" . }} - - name: CERTIFICATE_AUTHORITY - valueFrom: - secretKeyRef: - name: {{ template "pomerium.caSecret.name" . }} - key: {{ template "pomerium.caSecret.certName" . }} -{{- else }} - name: CERTIFICATE_FILE value: "/pomerium/cert.pem" - name: CERTIFICATE_KEY_FILE value: "/pomerium/privkey.pem" - name: CERTIFICATE_AUTHORITY_FILE value: "/pomerium/ca.pem" -{{- end }} {{- range $name, $value := .Values.extraEnv }} - name: {{ $name }} value: {{ quote $value }} 
@@ -118,37 +101,29 @@ spec: resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - mountPath: /etc/pomerium/ name: config -{{- end }} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- if not .Values.config.existingLegacyTLSSecret }} + {{- end }} - mountPath: /pomerium/cert.pem name: service-tls - subPath: {{ template "pomerium.authorize.tlsSecret.certName" . }} + subPath: tls.crt - mountPath: /pomerium/privkey.pem name: service-tls - subPath: {{ template "pomerium.authorize.tlsSecret.keyName" . }} + subPath: tls.key - mountPath: /pomerium/ca.pem name: ca-tls - subPath: {{ template "pomerium.caSecret.certName" . }} -{{- end }} + subPath: ca.crt volumes: -{{- if or .Values.config.existingConfig .Values.config.policy }} - name: config configMap: name: {{ $configName }} -{{- end }} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- if not .Values.config.existingLegacyTLSSecret }} - name: service-tls secret: secretName: {{ template "pomerium.authorize.tlsSecret.name" . }} - name: ca-tls secret: secretName: {{ template "pomerium.caSecret.name" . }} -{{- end }} {{- if .Values.extraVolumes }} volumes: {{- toYaml .Values.extraVolumes | indent 8 }} diff --git a/charts/pomerium/templates/cache-deployment.yaml b/charts/pomerium/templates/cache-deployment.yaml index 5bb36690..69f64759 100644 --- a/charts/pomerium/templates/cache-deployment.yaml +++ b/charts/pomerium/templates/cache-deployment.yaml 
@@ -30,7 +30,9 @@ spec: metadata: annotations: {{- /* policy is already covered by hot-reloading */}} - checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- if not .Values.operator.enabled }} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- end }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} @@ -52,9 +54,9 @@ spec: image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - --config=/etc/pomerium/config.yaml -{{- end }} + {{- end }} {{- range $key, $value := .Values.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} @@ -99,10 +101,10 @@ spec: resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - mountPath: /etc/pomerium/ name: config -{{- end }} + {{- end }} - mountPath: /pomerium/cert.pem name: service-tls subPath: tls.crt @@ -111,13 +113,11 @@ spec: subPath: tls.key - mountPath: /pomerium/ca.pem name: ca-tls - subPath: {{ template "pomerium.caSecret.certName" . }} + subPath: ca.crt volumes: -{{- if or .Values.config.existingConfig .Values.config.policy }} - name: config configMap: name: {{ $configName }} -{{- end }} - name: service-tls secret: secretName: {{ template "pomerium.cache.tlsSecret.name" . }} diff --git a/charts/pomerium/templates/clusterrole.yaml b/charts/pomerium/templates/clusterrole.yaml new file mode 100644 index 00000000..39665273 --- /dev/null +++ b/charts/pomerium/templates/clusterrole.yaml 
@@ -0,0 +1,40 @@ +{{- if and .Values.rbac.create .Values.operator.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "pomerium.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator + annotations: + {{- if .Values.operator.deployment.annotations }} + {{- range $key, $value := .Values.operator.deployment.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- else if .Values.annotations }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} +rules: + - apiGroups: + - extensions + - "networking.k8s.io" # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +{{- end -}} \ No newline at end of file diff --git a/charts/pomerium/templates/clusterrolebinding.yaml b/charts/pomerium/templates/clusterrolebinding.yaml new file mode 100644 index 00000000..8bdb8d87 --- /dev/null +++ b/charts/pomerium/templates/clusterrolebinding.yaml 
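Review bot: The ClusterRole is named with `pomerium.fullname`, which scopes the name by release but not by namespace, so installing the chart under the same release name in a second namespace collides with this cluster-scoped object and with the ClusterRoleBinding that shares the name; depending on the Helm version the second install fails on the pre-existing object or silently adopts it. Folding the namespace in, e.g. `name: {{ template "pomerium.fullname" . }}-{{ .Release.Namespace }}`, and mirroring that in clusterrolebinding.yaml avoids the clash. The grants themselves are read-only (`get`/`list`/`watch` on ingresses and services), which is the right scope for a controller that only reads annotations. Minor: `annotations:` is emitted even when both annotation maps are empty, leaving a null value that the API server accepts but that clutters `helm template` output; wrap the key in `{{- if or .Values.operator.deployment.annotations .Values.annotations }}`.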
@@ -0,0 +1,20 @@ +{{- if and .Values.rbac.create .Values.operator.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator + name: {{ template "pomerium.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "pomerium.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "pomerium.operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} \ No newline at end of file diff --git a/charts/pomerium/templates/configmap.yaml b/charts/pomerium/templates/configmap.yaml index db3531d4..ce1d4624 100644 --- a/charts/pomerium/templates/configmap.yaml +++ b/charts/pomerium/templates/configmap.yaml @@ -1,4 +1,5 @@ {{- if not .Values.config.existingConfig }} +{{- if .Values.operator.enabled }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,6 +9,24 @@ metadata: helm.sh/chart: {{ template "pomerium.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} +data: + config.yaml: "" + +--- +{{- end }} +apiVersion: v1 +kind: ConfigMap +metadata: + {{- if .Values.operator.enabled }} + name: {{ template "pomerium.fullname" . }}-base + {{- else }} + name: {{ template "pomerium.fullname" . }} + {{- end }} + labels: + app.kubernetes.io/name: {{ template "pomerium.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} data: config.yaml: | {{- if and .Values.config.existingPolicy .Values.config.extraOpts }} 
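Review bot: When `config.existingConfig` is set together with `operator.enabled`, this template renders nothing, while `$configName` in operator-deployment.yaml and both `$configName` and `$baseConfigName` in role.yaml default to that same existing ConfigMap, so the operator reads the user-managed ConfigMap as its base config and is granted `update` on it; if the operator writes its generated config back under that name, the user's config is overwritten. Unless that combination is intended, reject it at the top of this template, e.g. `{{- if and .Values.operator.enabled .Values.config.existingConfig }}{{ fail "config.existingConfig cannot be combined with operator.enabled" }}{{- end }}`. Note also that the operator-managed ConfigMap is rendered with `config.yaml: ""`, so on a fresh install the pomerium services start with an empty config (the `--config` flag is now always passed when the operator is enabled) until the operator's first reconcile populates it; the README's operator section should say so.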
@@ -40,3 +59,18 @@ data: {{ toYaml .Values.config.policy | indent 6 }} {{- end -}} {{- end }} + +{{- if .Values.operator.enabled }} +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "pomerium.operator.electionConfigMap" . }} + labels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + +{{- end }} \ No newline at end of file diff --git a/charts/pomerium/templates/operator-deployment.yaml b/charts/pomerium/templates/operator-deployment.yaml new file mode 100644 index 00000000..07ba3e2b --- /dev/null +++ b/charts/pomerium/templates/operator-deployment.yaml 
@@ -0,0 +1,113 @@ +{{- $configName := default (printf "%s-base" (include "pomerium.fullname" .)) .Values.config.existingConfig }} +{{- if .Values.operator.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator + name: {{ template "pomerium.operator.fullname" . }} + annotations: + {{- if .Values.operator.deployment.annotations }} + {{- range $key, $value := .Values.operator.deployment.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- else if .Values.annotations }} + {{- range $key, $value := .Values.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} +spec: + replicas: {{ default .Values.replicaCount .Values.operator.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + annotations: + checksum/values: {{ print .Values | sha256sum }} +{{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} +{{- end }} + labels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . 
}} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }} + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + args: + - --base-config-file=/etc/pomerium/config.yaml + - --ingress-class={{ .Values.operator.config.ingressClass }} + - --service-class={{ .Values.operator.config.serviceClass }} + - --metrics-address=:8080 + - --health-address=:8081 + - --pomerium-namespace={{ .Release.Namespace }} + - --pomerium-deployments={{ template "pomerium.authenticate.fullname" . }} + - --pomerium-deployments={{ template "pomerium.authorize.fullname" . }} + - --pomerium-deployments={{ template "pomerium.proxy.fullname" . }} + - --pomerium-deployments={{ template "pomerium.cache.fullname" . }} + - --debug={{ .Values.operator.config.debug }} + - --election-configmap={{ template "pomerium.operator.electionConfigMap" . }} + - --election-namespace={{ .Release.Namespace }} + - --election=true + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 8081 + name: health + protocol: TCP + livenessProbe: + httpGet: + path: /healthz + port: health + scheme: HTTP + readinessProbe: + httpGet: + path: /readyz + port: health + scheme: HTTP + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: + - mountPath: /etc/pomerium/ + name: config + volumes: + - name: config + configMap: + name: {{ $configName }} + serviceAccountName: {{ template "pomerium.operator.serviceAccountName" . 
}} +{{- if .Values.extraVolumes }} +{{- toYaml .Values.extraVolumes | indent 8 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- end }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/pomerium/templates/proxy-deployment.yaml b/charts/pomerium/templates/proxy-deployment.yaml index ea1a8f9a..1c8cf3d0 100644 --- a/charts/pomerium/templates/proxy-deployment.yaml +++ b/charts/pomerium/templates/proxy-deployment.yaml @@ -32,7 +32,9 @@ spec: metadata: annotations: {{- /* policy is already covered by hot-reloading */}} - checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- if not .Values.operator.enabled }} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + {{- end }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} @@ -54,9 +56,9 @@ spec: image: {{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} args: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - --config=/etc/pomerium/config.yaml -{{- end }} + {{- end }} {{- range $key, $value := .Values.extraArgs }} {{- if $value }} - --{{ $key }}={{ $value }} 
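Review bot: `extraVolumes` is spliced in after `serviceAccountName:` rather than inside the `volumes:` list, so setting it renders a sequence directly below a scalar mapping value and the operator Deployment fails to parse; move `{{- if .Values.extraVolumes }}{{- toYaml .Values.extraVolumes | indent 8 }}{{- end }}` to immediately after the `- name: config` volume entry. The pod annotation `checksum/values: {{ print .Values | sha256sum }}` hashes the entire values map, including any secret material the chart takes from values (the secret.yaml template referenced by the other deployments' `checksum/secret` suggests there is some), and publishes that digest to anyone who can read pods; hashing the rendered config instead, `checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`, matches the chart's existing pattern and still restarts the operator when its base config changes. `imagePullPolicy` reads `.Values.operator.image.pullPolicy`, which is not in this commit's README table; confirm values.yaml defines it, otherwise the field renders empty.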
@@ -81,31 +83,12 @@ spec: value: {{ default (printf "https://authenticate.%s" .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }} - name: AUTHORIZE_SERVICE_URL value: {{ default (printf "https://%s.%s.svc.cluster.local" (include "pomerium.authorize.fullname" .) .Release.Namespace ) .Values.proxy.authorizeInternalUrl}} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- if .Values.config.existingLegacyTLSSecret }} - - name: CERTIFICATE - valueFrom: - secretKeyRef: - name: {{ template "pomerium.proxy.tlsSecret.name" . }} - key: {{ template "pomerium.proxy.tlsSecret.certName" . }} - - name: CERTIFICATE_KEY - valueFrom: - secretKeyRef: - name: {{ template "pomerium.proxy.tlsSecret.name" . }} - key: {{ template "pomerium.proxy.tlsSecret.keyName" . }} - - name: CERTIFICATE_AUTHORITY - valueFrom: - secretKeyRef: - name: {{ template "pomerium.caSecret.name" . }} - key: {{ template "pomerium.caSecret.certName" . }} -{{- else }} - name: CERTIFICATE_FILE value: "/pomerium/cert.pem" - name: CERTIFICATE_KEY_FILE value: "/pomerium/privkey.pem" - name: CERTIFICATE_AUTHORITY_FILE value: "/pomerium/ca.pem" -{{- end }} {{- range $name, $value := .Values.extraEnv }} - name: {{ $name }} value: {{ quote $value }} 
@@ -130,37 +113,29 @@ spec: resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: -{{- if or .Values.config.existingConfig .Values.config.policy }} + {{- if or (or .Values.config.existingConfig .Values.config.policy) .Values.operator.enabled }} - mountPath: /etc/pomerium/ name: config -{{- end }} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- if not .Values.config.existingLegacyTLSSecret }} + {{- end }} - mountPath: /pomerium/cert.pem name: service-tls - subPath: {{ template "pomerium.proxy.tlsSecret.certName" . }} + subPath: tls.crt - mountPath: /pomerium/privkey.pem name: service-tls - subPath: {{ template "pomerium.proxy.tlsSecret.keyName" . }} + subPath: tls.key - mountPath: /pomerium/ca.pem name: ca-tls - subPath: {{ template "pomerium.caSecret.certName" . }} -{{- end }} + subPath: ca.crt volumes: -{{- if or .Values.config.existingConfig .Values.config.policy }} - name: config configMap: name: {{ $configName }} -{{- end }} -{{- /* TODO in future: Remove legacy logic */ -}} -{{- if not .Values.config.existingLegacyTLSSecret }} - name: service-tls secret: secretName: {{ template "pomerium.proxy.tlsSecret.name" . }} - name: ca-tls secret: secretName: {{ template "pomerium.caSecret.name" . }} -{{- end }} {{- if .Values.extraVolumes }} volumes: {{- toYaml .Values.extraVolumes | indent 8 }} diff --git a/charts/pomerium/templates/role.yaml b/charts/pomerium/templates/role.yaml new file mode 100644 index 00000000..e56cdbe5 --- /dev/null +++ b/charts/pomerium/templates/role.yaml 
@@ -0,0 +1,52 @@ +{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }} +{{- $baseConfigName := default (printf "%s-base" (include "pomerium.fullname" .)) .Values.config.existingConfig }} + +{{- if and .Values.rbac.create .Values.operator.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "pomerium.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "pomerium.operator.name" . }} + helm.sh/chart: {{ template "pomerium.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: operator +rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + - "apps" + resources: + - configmaps + - deployments + resourceNames: + - {{ $configName | quote }} + - {{ template "pomerium.authenticate.fullname" . }} + - {{ template "pomerium.authorize.fullname" . }} + - {{ template "pomerium.proxy.fullname" . }} + - {{ template "pomerium.operator.electionConfigMap" . }} + - {{ template "pomerium.cache.fullname" . }} + verbs: + - get + - list + - watch + - update + - create + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - {{ $baseConfigName | quote }} + verbs: + - get + - list + - watch +{{- end -}} \ No newline at end of file diff --git a/charts/pomerium/templates/rolebinding.yaml b/charts/pomerium/templates/rolebinding.yaml new file mode 100644 index 00000000..3bb0de12 --- /dev/null +++ b/charts/pomerium/templates/rolebinding.yaml 
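Review bot: The second rule combines `resourceNames` with `list`, `watch` and `create`, which Kubernetes RBAC does not honour the way the template intends: `resourceNames` is matched against the name carried by the request, list requests (and watch requests without a `metadata.name` field selector) carry none and are therefore denied by this rule, and `create` cannot be restricted by name because the name is not known at authorization time. An operator that lists and watches ConfigMaps and Deployments through informers will be forbidden by this Role, and the third rule's `list`/`watch` on the base ConfigMap has the same problem. Split the grants into an unrestricted read rule and a `resourceNames`-scoped write rule; keep `create` only if the operator really creates the election ConfigMap itself, since configmap.yaml already renders it. Independently, `$configName` and `$baseConfigName` both fall back to `config.existingConfig` when it is set, which hands the operator `update` on a user-managed ConfigMap.
```yaml
# … unchanged: header, events rule …
  - apiGroups:
      - ""
      - "apps"
    resources:
      - configmaps
      - deployments
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
      - "apps"
    resources:
      - configmaps
      - deployments
    resourceNames:
      - {{ $configName | quote }}
      - {{ template "pomerium.authenticate.fullname" . }}
      - {{ template "pomerium.authorize.fullname" . }}
      - {{ template "pomerium.proxy.fullname" . }}
      - {{ template "pomerium.operator.electionConfigMap" . }}
      - {{ template "pomerium.cache.fullname" . }}
    verbs:
      - get
      - update
      - patch
# … removed: the separate base-config read rule, now covered by the unrestricted read rule …
```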
@@ -0,0 +1,20 @@
+{{- if and .Values.rbac.create .Values.operator.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.operator.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: operator
+ name: {{ template "pomerium.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "pomerium.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "pomerium.operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/pomerium/templates/serviceaccount.yaml b/charts/pomerium/templates/serviceaccount.yaml
new file mode 100644
index 00000000..8813f14f
--- /dev/null
+++ b/charts/pomerium/templates/serviceaccount.yaml
@@ -0,0 +1,23 @@
+{{- if and .Values.rbac.create .Values.operator.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "pomerium.operator.serviceAccountName" . }}
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.operator.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: operator
+ annotations:
+ {{- if .Values.operator.deployment.annotations }}
+ {{- range $key, $value := .Values.operator.deployment.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- else if .Values.annotations }}
+ {{- range $key, $value := .Values.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
diff --git a/charts/pomerium/templates/tls-secrets.yaml b/charts/pomerium/templates/tls-secrets.yaml
index e23996d9..ea534b10 100644
--- a/charts/pomerium/templates/tls-secrets.yaml
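Review bot: In serviceaccount.yaml, `annotations:` is emitted unconditionally, so when neither `operator.deployment.annotations` nor `.Values.annotations` is set it renders as a bare key with a null value; move `annotations:` inside the conditional (or wrap the block in `{{- with }}`) so the key only appears when it has content. Reusing the operator Deployment's annotations on its ServiceAccount is also questionable — Deployment annotations rarely mean anything on a ServiceAccount, whereas ServiceAccount annotations are commonly how cloud IAM identities get bound — so a dedicated `operator.serviceAccount.annotations` value is the safer shape. This ServiceAccount and the RoleBinding in the preceding hunk are both gated on `rbac.create`, so with `rbac.create: false` the operator Deployment would presumably reference a ServiceAccount this chart never creates unless the user supplies one; a comment above the outer `{{- if }}` stating that expectation would help.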
+++ b/charts/pomerium/templates/tls-secrets.yaml
@@ -127,9 +127,8 @@ type: Opaque
 data:
 {{- end -}}
-{{- /* TODO in future: Remove legacy logic */ -}}
-{{- if not .Values.config.existingLegacyTLSSecret }}
-{{- if and .Values.config.generateTLS (or .Release.IsInstall .Values.config.forceGenerateTLS) }}
+
+{{- if and .Values.config.generateTLS (or .Release.IsInstall .Values.config.forceGenerateTLS) }}
 {{- $ca := genCA "default-ca" 3650 }}
 {{- $authenticateSN:= list (printf "authenticate.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authenticate.fullname" .) .Release.Namespace )}}
 {{- $authorizeSN:= list (printf "authorize.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authorize.fullname" .) .Release.Namespace )}}
@@ -137,18 +136,18 @@ data:
 {{- $cn := default "example.com" .Values.config.rootDomain }}
 {{ template "pomerium.ca.tlsSecretObject" . }}
- {{ template "pomerium.caSecret.certName" . }}: {{ $ca.Cert | b64enc }}
+ ca.crt: {{ $ca.Cert | b64enc }}
 ca.key: {{ $ca.Key | b64enc }}
 ---
 {{- $kp := genSignedCert $cn ( default nil .Values.authenticate.tls.defaultIPList ) ( default $authenticateSN .Values.authenticate.tls.defaultSANList ) 3650 $ca }}
 {{ template "pomerium.authenticate.tlsSecretObject" . }}
- {{ template "pomerium.authenticate.tlsSecret.certName" . }}: {{ $kp.Cert | b64enc }}
- {{ template "pomerium.authenticate.tlsSecret.keyName" . }}: {{ $kp.Key | b64enc }}
+ tls.crt: {{ $kp.Cert | b64enc }}
+ tls.key: {{ $kp.Key | b64enc }}
 ---
 {{- $kp := genSignedCert $cn ( default nil .Values.authorize.tls.defaultIPList ) ( default $authorizeSN .Values.authorize.tls.defaultSANList ) 3650 $ca }}
 {{ template "pomerium.authorize.tlsSecretObject" . }}
- {{ template "pomerium.authorize.tlsSecret.certName" . }}: {{ $kp.Cert | b64enc }}
- {{ template "pomerium.authorize.tlsSecret.keyName" . }}: {{ $kp.Key | b64enc }}
+ tls.crt: {{ $kp.Cert | b64enc }}
+ tls.key: {{ $kp.Key | b64enc }}
 ---
 {{- $kp := genSignedCert $cn ( default nil .Values.cache.tls.defaultIPList ) ( default $cacheSN .Values.cache.tls.defaultSANList ) 3650 $ca }}
 {{ template "pomerium.cache.tlsSecretObject" . }}
@@ -157,8 +156,8 @@ data:
 ---
 {{- $kp := genSignedCert $cn ( default nil .Values.proxy.tls.defaultIPList ) ( default nil .Values.proxy.tls.defaultSANList ) 3650 $ca }}
 {{ template "pomerium.proxy.tlsSecretObject" . }}
- {{ template "pomerium.proxy.tlsSecret.certName" . }}: {{ $kp.Cert | b64enc }}
- {{ template "pomerium.proxy.tlsSecret.keyName" . }}: {{ $kp.Key | b64enc }}
+ tls.crt: {{ $kp.Cert | b64enc }}
+ tls.key: {{ $kp.Key | b64enc }}
 {{- else if not .Values.config.generateTLS }}
 {{- if and (not .Values.config.existingCASecret) .Values.config.ca }}
 {{ template "pomerium.ca.tlsSecretObject" . }}
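Review bot: The generated Secrets now write literal `tls.crt`/`tls.key`/`ca.crt` keys, but the self-provisioned branch that starts at `{{- else if not .Values.config.generateTLS }}` (and continues into the -188 hunk) still writes `{{ template "pomerium.proxy.tlsSecret.certName" . }}` / `keyName`, and the cache Secret's key lines appear untouched in the gap between these two hunks; unless those helpers now resolve to exactly `tls.crt`/`tls.key`, the two branches produce differently keyed Secrets and the Deployments' fixed `subPath` mounts will fail for self-provisioned certificates. Writing the literal key names in every branch (and retiring the `certName`/`keyName` helpers) removes the ambiguity. With the kubernetes.io/tls key names in place, consider emitting these Secrets with `type: kubernetes.io/tls` rather than `type: Opaque`, so the API server validates that both keys are present; the object headers come from the `*.tlsSecretObject` helpers, which are outside this hunk. The CA private key (`ca.key`) is still stored in the same Secret as the CA cert, so anyone with read access to Secrets in the namespace can mint trusted certificates — pre-existing, but worth a comment now that the key layout is being standardized.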
@@ -188,5 +187,4 @@ data:
 {{ template "pomerium.proxy.tlsSecret.certName" . }}: {{ .Values.proxy.tls.cert | b64enc }}
 {{ template "pomerium.proxy.tlsSecret.keyName" . }}: {{ .Values.proxy.tls.key | b64enc }}
 {{- end }}
-{{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index 5deafa28..ae626354 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -10,7 +10,6 @@ config:
 rootDomain: corp.beyondperimeter.com
 existingSecret: ""
 existingConfig: ""
- existingLegacyTLSSecret: false
 existingCASecret: ""
 sharedSecret: ""
 cookieSecret: ""
@@ -94,6 +93,21 @@ proxy:
 deployment:
 annotations: {}
+operator:
+ enabled: false
+ fullnameOverride: ""
+ nameOverride: ""
+ replicaCount: 1
+ image:
+ repository: "pomerium/pomerium-operator"
+ tag: "v0.0.1-rc1"
+ config:
+ ingressClass: pomerium
+ serviceClass: pomerium
+ debug: false
+ deployment:
+ annotations: {}
+
 forwardAuth:
 nameOverride: ""
 enabled: false
@@ -188,3 +202,6 @@ serviceMonitor:
 namespace: ""
 labels:
 release: prometheus
+
+rbac:
+ create: true
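Review bot: In the values.yaml hunks, the new `operator:` stanza and `rbac.create: true` carry no comments, although flipping `operator.enabled` makes the chart create a ServiceAccount plus RBAC rules that let the operator update the chart's own Deployments and ConfigMaps; a comment above `enabled:` such as `# Creates a ServiceAccount and RBAC rules allowing the operator to update this chart's Deployments and ConfigMaps (see templates/role.yaml)` lets users see the privilege they opt into. `tag: "v0.0.1-rc1"` pins a pre-release image, which deserves a comment saying the operator is experimental and that the tag is expected to change between chart releases. `existingLegacyTLSSecret` is removed from values with no replacement, so a user who still sets it gets no warning; a `{{ fail }}` guard in the templates or at least a changelog entry would make the breaking change explicit. The `-188` tls-secrets hunk above only drops the two legacy `{{- end }}` lines and needs nothing further.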