Add option to configure forward-auth automatically (#41)

pomerium · Jan 9, 2020 · c7206d2 · c7206d2
1 parent 47fd130
commit c7206d2
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 58 deletions.
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 4.1.3
+version: 4.1.4
 appVersion: 0.5.2
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo.svg

diff --git a/README.md b/README.md
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -215,3 +215,7 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- end -}}
 
 
+{{/*Expand the FQDN of the forward-auth endpoint.*/}}
+{{- define "pomerium.forwardAuth.name" -}}
+{{- default (printf "forwardauth.%s" .Values.config.rootDomain ) .Values.forwardAuth.nameOverride -}}
+{{- end -}}
diff --git a/templates/configmap.yaml b/templates/configmap.yaml
@@ -31,6 +31,9 @@ data:
     tracing_jaeger_agent_endpoint: {{ required "agent_endpoint is required for jaeger tracing" .Values.tracing.jaeger.agent_endpoint }}
 {{- end -}}
 
+{{- end -}}
+{{- if .Values.forwardAuth.enabled }}
+    forward_auth_url: https://{{ template "pomerium.forwardAuth.name" . }}
 {{- end -}}
 {{- if .Values.config.policy }}
     policy: 

diff --git a/templates/ingress.yaml b/templates/ingress.yaml
@@ -18,6 +18,7 @@ spec:
       hosts:
         - {{ printf "authorize.%s" .Values.config.rootDomain | quote }}
         - {{ printf "authenticate.%s" .Values.config.rootDomain | quote }}
+        - {{ template "pomerium.forwardAuth.name" . }}
       {{- if not .Values.ingress.hosts }}
       {{- range .Values.config.policy }}
         - {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
@@ -36,7 +37,7 @@ spec:
               serviceName: {{ template "pomerium.proxy.fullname" $ }}
               servicePort: https
     {{- end }}
-    {{- if not .Values.ingress.hosts }}
+    {{- if not (or .Values.ingress.hosts .Values.forwardAuth.enabled) }}
     {{- range .Values.config.policy }}
     - host: {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
       http:
@@ -47,6 +48,15 @@ spec:
               servicePort: https
     {{- end }}
     {{- end }}
+    {{- if .Values.forwardAuth.enabled }}
+    - host: {{ template "pomerium.forwardAuth.name" . }}
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: {{ template "pomerium.proxy.fullname" . }}
+              servicePort: https
+    {{- end }}
     {{- if not .Values.service.authorize.headless }}
     - host:  {{ printf "authorize.%s" .Values.config.rootDomain }}
       http:

diff --git a/values.yaml b/values.yaml
@@ -66,6 +66,10 @@ proxy:
   authorizeServiceUrl: ""
   authorizeInternalUrl: ""
 
+forwardAuth:
+  nameOverride: ""
+  enabled: false
+
 service:
   # Service type can be set to ClusterIP, NodePort or LoadBalancer.
   authorize: