diff --git a/Chart.yaml b/Chart.yaml
index 151cb620..3af4c696 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 4.1.1
+version: 4.1.2
 appVersion: 0.5.1
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo.svg
diff --git a/README.md b/README.md
index 3b824543..b1c6840b 100644
--- a/README.md
+++ b/README.md
@@ -88,57 +88,62 @@ All services can share the secret if appropriate. A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/reference/reference.html). -| Parameter | Description | Default | -| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | -| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | -| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` | -| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | -| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | -| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | -| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | -| `config.policy` | Base64 encoded string containing the routes, and their access policies. | -| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/reference/reference.html#policy) in values | -| `authenticate.nameOverride` | Name of the authenticate service. 
| -| `authenticate.fullnameOverride` | Full name of the authenticate service. | -| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | -| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` | -| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required | -| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | -| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). | Optional | -| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional | -| `authenticate.replicaCount` | Number of Authenticate pods to run | | `1` | -| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | | -| `proxy.nameOverride` | Name of the proxy service. | -| `proxy.fullnameOverride` | Full name of the proxy service. | -| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` | -| `proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. 
| `https://{{authorize.name}}.{{config.rootDomain}}` | -| `proxy.replicaCount` | Number of Proxy pods to run | | `1` | -| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | -| `authorize.nameOverride` | Name of the authorize service. | -| `authorize.fullnameOverride` | Full name of the authorize service. | -| `authorize.replicaCount` | Number of Authorize pods to run | | `1` | -| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | | -| `images.server.repository` | Pomerium image | `pomerium/pomerium` | -| `images.server.tag` | Pomerium image tag | `v0.4.2` | -| `images.server.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | -| `service.annotations` | Service annotations | `{}` | -| `service.externalPort` | Pomerium's port | `443` | -| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | -| `service.authorize.headless` | Run Authorize service in Headless mode. Turn off if you **require** NodePort or LoadBalancer access to Authorize | `true` | -| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | -| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | -| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | -| `tracing.enabled` | Enable distributed tracing | `false` | -| `tracing.debug` | Set trace sampling to 100%. Use with caution! 
| `false` | -| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | -| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | -| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | -| `ingress.enabled` | Enables Ingress for pomerium | `false` | -| `ingress.annotations` | Ingress annotations | `{}` | -| `ingress.hosts` | Ingress accepted hostnames | `[]` | -| `ingress.tls` | Ingress TLS configuration | `[]` | -| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | -| `metrics.port` | Prometheus metrics endpoint port | `9090` | +| Parameter | Description | Default | +|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------| +| `nameOverride` | Name of the chart. | `pomerium` | +| `fullnameOverride` | Full name of the chart. | `pomerium` | +| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | +| `config.existingSecret` | Name of the existing Kubernetes Secret. | | +| `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | | +| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` | +| `config.existingCASecret` | Name of the existing CA Secret. | | +| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | +| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. 
You will need to restart your deployments after running | `false` | +| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.policy` | Base64 encoded string containing the routes, and their access policies. | | +| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/reference/reference.html#policy) in values | +| `authenticate.nameOverride` | Name of the authenticate service. | `authenticate` | +| `authenticate.fullnameOverride` | Full name of the authenticate service. | `authenticate` | +| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | +| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` | +| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required | +| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | +| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). 
| Optional | +| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional | +| `authenticate.replicaCount` | Number of Authenticate pods to run | `1` | +| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | | +| `proxy.nameOverride` | Name of the proxy service. | `proxy` | +| `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` | +| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` | +| `proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` | +| `proxy.replicaCount` | Number of Proxy pods to run | `1` | +| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | +| `authorize.nameOverride` | Name of the authorize service. | `authorize` | +| `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` | +| `authorize.replicaCount` | Number of Authorize pods to run | `1` | +| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | | +| `images.server.repository` | Pomerium image | `pomerium/pomerium` | +| `images.server.tag` | Pomerium image tag | `v0.4.2` | +| `images.server.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | +| `service.annotations` | Service annotations | `{}` | +| `service.externalPort` | Pomerium's port | `443` | +| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | +| `service.authorize.headless` | Run Authorize service in Headless mode. 
Turn off if you **require** NodePort or LoadBalancer access to Authorize | `true` | +| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | +| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | +| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | +| `tracing.enabled` | Enable distributed tracing | `false` | +| `tracing.debug` | Set trace sampling to 100%. Use with caution! | `false` | +| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | +| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | +| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | +| `ingress.enabled` | Enables Ingress for pomerium | `false` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `[]` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | +| `metrics.port` | Prometheus metrics endpoint port | `9090` | ## Changelog diff --git a/values.yaml b/values.yaml index fafb13f3..75f62039 100644 --- a/values.yaml +++ b/values.yaml @@ -1,13 +1,17 @@ # For detailed explanation of each of the configuration settings see # https://www.pomerium.io/reference/ +nameOverride: "" +fullnameOverride: "" + # settings that are shared by all services config: # routes under this wildcard domain are handled by pomerium rootDomain: corp.beyondperimeter.com - # existingSecret: - # existingConfig: + existingSecret: "" + existingConfig: "" existingLegacyTLSSecret: false + existingCASecret: "" sharedSecret: "" cookieSecret: "" generateTLS: true 
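Review bot: `existingSecret: ""`, `existingConfig: ""` and the new `existingCASecret: ""` are now real keys with empty defaults, but nothing in the hunk says what an empty value means or what the referenced Secret/ConfigMap must contain, while the neighbouring `rootDomain` does carry an explanatory comment. Presumably an empty value makes the chart render its own Secret (the README's "32 random ascii chars" defaults for `sharedSecret`/`cookieSecret` point that way), but that is inferred from the table, not from this hunk. A comment in the file's existing style would settle it, e.g. `# existingSecret: name of a pre-existing Secret; leave empty to have the chart create one from sharedSecret/cookieSecret` (key names to be confirmed against the template), and `existingCASecret` deserves a line on how it interacts with `generateTLS` when both are set. Keeping these values out of values.yaml via an existing Secret is the safer path, so it is worth spelling out.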
@@ -17,8 +21,8 @@ config: policy: {} authenticate: - # fullnameOverride: authenticate - # nameOverride: authenticate + fullnameOverride: "" + nameOverride: "" existingTLSSecret: "" redirectUrl: "" # see https://www.pomerium.io/docs/identity-providers.html @@ -33,31 +37,31 @@ authenticate: key: "" defaultSANList: [] defaultIPList: [] - # replicaCount: 1 + replicaCount: 1 authorize: - # fullnameOverride: authorize - # nameOverride: authorize + fullnameOverride: "" + nameOverride: "" existingTLSSecret: "" tls: cert: "" key: "" defaultSANList: [] defaultIPList: [] - # replicaCount: 1 + replicaCount: 1 proxy: - # fullnameOverride: proxy - # nameOverride: proxy + fullnameOverride: "" + nameOverride: "" existingTLSSecret: "" tls: cert: "" key: "" defaultSANList: [] defaultIPList: [] - # replicaCount: 1 + replicaCount: 1 authenticateServiceUrl: "" authorizeServiceUrl: "" authorizeInternalUrl: "" @@ -105,15 +109,15 @@ priorityClassName: "" # Affinity for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -# affinity: {} +affinity: {} # Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -# tolerations: [] +tolerations: [] # Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ -# nodeSelector: {} +nodeSelector: {} podAnnotations: {} podLabels: {} @@ -125,6 +129,9 @@ extraEnv: {} extraArgs: {} extraVolumes: {} +annotations: {} +imagePullSecrets: "" + image: repository: "pomerium/pomerium" tag: "v0.5.1"
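Review bot: `fullnameOverride: ""` and `nameOverride: ""` under `authenticate` (and the identical lines under `authorize` and `proxy` in the next hunk) replace commented examples that showed the effective fallback (`# nameOverride: authenticate`); with the empty-string defaults that information is gone from the file, while the README in this same commit lists `authenticate` / `authorize` / `proxy` as the defaults. A reader of values.yaml alone cannot tell that `""` resolves to the service name, assuming the template falls back that way. A short inline comment such as `nameOverride: ""  # empty → service name, e.g. "authenticate"` on each of the three stanzas would keep values.yaml and the README consistent.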
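Review bot: `imagePullSecrets: ""` uses an empty string where every other newly exposed pod-scheduling default in this change (`affinity: {}`, `tolerations: []`, `nodeSelector: {}` in the preceding hunk) uses an empty collection; Kubernetes expresses imagePullSecrets as a list of `{name: …}` entries, so `imagePullSecrets: []` would match both the API shape and the file's convention, assuming the template renders the value with toYaml or ranges over it (the template is not in this diff, so a string default may or may not render cleanly). Neither `annotations` nor `imagePullSecrets` has a row in the README parameter table rewritten in this same commit, so both are undocumented at the place users look. The `image:` mapping closing the hunk likely continues past the end of the diff.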