diff --git a/Chart.yaml b/Chart.yaml
index 3c4db64e..3a0c159f 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 4.1.3
+version: 4.1.4
 appVersion: 0.5.2
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo.svg
diff --git a/README.md b/README.md
index 0c331620..b46cdd68 100644
--- a/README.md
+++ b/README.md
@@ -88,62 +88,64 @@ All services can share the secret if appropriate. A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/reference/reference.html). -| Parameter | Description | Default | -| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | -| `nameOverride` | Name of the chart. | `pomerium` | -| `fullnameOverride` | Full name of the chart. | `pomerium` | -| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | -| `config.existingSecret` | Name of the existing Kubernetes Secret. | | -| `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | | -| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` | -| `config.existingCASecret` | Name of the existing CA Secret. | | -| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | -| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | -| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | -| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. 
| 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | -| `config.policy` | Base64 encoded string containing the routes, and their access policies. | | -| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/reference/reference.html#policy) in values | -| `authenticate.nameOverride` | Name of the authenticate service. | `authenticate` | -| `authenticate.fullnameOverride` | Full name of the authenticate service. | `authenticate` | -| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | -| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` | -| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required | -| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | -| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). | Optional | -| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional | -| `authenticate.replicaCount` | Number of Authenticate pods to run | `1` | -| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | | -| `proxy.nameOverride` | Name of the proxy service. | `proxy` | -| `proxy.fullnameOverride` | Full name of the proxy service. 
| `proxy` | -| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` | -| `proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` | -| `proxy.replicaCount` | Number of Proxy pods to run | `1` | -| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | -| `authorize.nameOverride` | Name of the authorize service. | `authorize` | -| `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` | -| `authorize.replicaCount` | Number of Authorize pods to run | `1` | -| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | | -| `images.server.repository` | Pomerium image | `pomerium/pomerium` | -| `images.server.tag` | Pomerium image tag | `v0.5.2` | -| `images.server.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | -| `service.annotations` | Service annotations | `{}` | -| `service.externalPort` | Pomerium's port | `443` | -| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | -| `service.authorize.headless` | Run Authorize service in Headless mode. Turn off if you **require** NodePort or LoadBalancer access to Authorize | `true` | -| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | -| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | -| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | -| `tracing.enabled` | Enable distributed tracing | `false` | -| `tracing.debug` | Set trace sampling to 100%. Use with caution! 
| `false` | -| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | -| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | -| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | -| `ingress.enabled` | Enables Ingress for pomerium | `false` | -| `ingress.annotations` | Ingress annotations | `{}` | -| `ingress.hosts` | Ingress accepted hostnames | `[]` | -| `ingress.tls` | Ingress TLS configuration | `[]` | -| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | -| `metrics.port` | Prometheus metrics endpoint port | `9090` | +| Parameter | Description | Default | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | +| `nameOverride` | Name of the chart. | `pomerium` | +| `fullnameOverride` | Full name of the chart. | `pomerium` | +| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | +| `config.existingSecret` | Name of the existing Kubernetes Secret. | | +| `config.existingConfig` | Name of the existing Config Map deployed on Kubernetes. | | +| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` | +| `config.existingCASecret` | Name of the existing CA Secret. | | +| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. 
| `true` | +| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | +| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.policy` | Base64 encoded string containing the routes, and their access policies. | | +| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/reference/reference.html#policy) in values | +| `authenticate.nameOverride` | Name of the authenticate service. | `authenticate` | +| `authenticate.fullnameOverride` | Full name of the authenticate service. | `authenticate` | +| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | +| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` | +| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required | +| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | +| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). 
| Optional | +| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional | +| `authenticate.replicaCount` | Number of Authenticate pods to run | `1` | +| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | | +| `proxy.nameOverride` | Name of the proxy service. | `proxy` | +| `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` | +| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` | +| `proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` | +| `proxy.replicaCount` | Number of Proxy pods to run | `1` | +| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | +| `authorize.nameOverride` | Name of the authorize service. | `authorize` | +| `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` | +| `authorize.replicaCount` | Number of Authorize pods to run | `1` | +| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | | +| `forwardAuth.nameOverride` | External name of the forward-auth endpoint | `forwardauth.${rootDomain}` | +| `forwardAuth.enabled` | Enable forward-auth endpoint for third party ingress controllers to use for auth checks. Setting this disables automatic enumeration of `from` hostnames in the Pomerium Ingress object to prevent conflicts. 
Use `ingress.hosts` to mix forward-auth and proxy mode on a single Pomerium instance | `false` | +| `images.server.repository` | Pomerium image | `pomerium/pomerium` | +| `images.server.tag` | Pomerium image tag | `v0.5.2` | +| `images.server.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | +| `service.annotations` | Service annotations | `{}` | +| `service.externalPort` | Pomerium's port | `443` | +| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | +| `service.authorize.headless` | Run Authorize service in Headless mode. Turn off if you **require** NodePort or LoadBalancer access to Authorize | `true` | +| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | +| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | +| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | +| `tracing.enabled` | Enable distributed tracing | `false` | +| `tracing.debug` | Set trace sampling to 100%. Use with caution! | `false` | +| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | +| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | +| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | +| `ingress.enabled` | Enables Ingress for pomerium | `false` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `[]` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | +| `metrics.port` | Prometheus metrics endpoint port | `9090` | ## Changelog diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 51a0e24a..cbe01cc0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -215,3 +215,7 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- end -}}
+{{/*Expand the FQDN of the forward-auth endpoint.*/}}
+{{- define "pomerium.forwardAuth.name" -}}
+{{- default (printf "forwardauth.%s" .Values.config.rootDomain ) .Values.forwardAuth.nameOverride -}}
+{{- end -}}
\ No newline at end of file
diff --git a/templates/configmap.yaml b/templates/configmap.yaml
index 77f71b12..db3531d4 100644
--- a/templates/configmap.yaml
+++ b/templates/configmap.yaml
@@ -31,6 +31,9 @@ data:
 tracing_jaeger_agent_endpoint: {{ required "agent_endpoint is required for jaeger tracing" .Values.tracing.jaeger.agent_endpoint }}
 {{- end -}}
+{{- end -}}
+{{- if .Values.forwardAuth.enabled }}
+ forward_auth_url: https://{{ template "pomerium.forwardAuth.name" . }}
 {{- end -}}
 {{- if .Values.config.policy }}
 policy:
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
index 763fcfe2..3921c4e3 100644
--- a/templates/ingress.yaml
+++ b/templates/ingress.yaml
@@ -18,6 +18,7 @@ spec:
 hosts:
 - {{ printf "authorize.%s" .Values.config.rootDomain | quote }}
 - {{ printf "authenticate.%s" .Values.config.rootDomain | quote }}
+ - {{ template "pomerium.forwardAuth.name" . }}
 {{- if not .Values.ingress.hosts }}
 {{- range .Values.config.policy }}
 - {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
@@ -36,7 +37,7 @@ spec:
 serviceName: {{ template "pomerium.proxy.fullname" $ }}
 servicePort: https
 {{- end }}
- {{- if not .Values.ingress.hosts }}
+ {{- if not (or .Values.ingress.hosts .Values.forwardAuth.enabled) }}
 {{- range .Values.config.policy }}
 - host: {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
 http:
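Review bot: In the `@@ -18,6 +18,7 @@` hunk of templates/ingress.yaml the forward-auth hostname is appended to `spec.tls[].hosts` unconditionally, while the matching rule and the `forward_auth_url` config key are both gated on `.Values.forwardAuth.enabled`; with forward-auth disabled the Ingress still requests a certificate SAN for a host that has no route, and an ingress-shim/cert-manager style issuer would attempt validation for it. Wrap the entry to match the rule: `{{- if .Values.forwardAuth.enabled }}` / `- {{ template "pomerium.forwardAuth.name" . | quote }}` / `{{- end }}`. The `| quote` also brings it in line with the two sibling entries above it. The enclosing `tls:` block begins and ends outside the hunk.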
@@ -47,6 +48,15 @@ spec:
 servicePort: https
 {{- end }}
 {{- end }}
+ {{- if .Values.forwardAuth.enabled }}
+ - host: {{ template "pomerium.forwardAuth.name" . }}
+ http:
+ paths:
+ - paths:
+ backend:
+ serviceName: {{ template "pomerium.proxy.fullname" . }}
+ servicePort: https
+ {{- end }}
 {{- if not .Values.service.authorize.headless }}
 - host: {{ printf "authorize.%s" .Values.config.rootDomain }}
 http:
diff --git a/values.yaml b/values.yaml
index 92703785..c4f199e1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -66,6 +66,10 @@ proxy:
 authorizeServiceUrl: ""
 authorizeInternalUrl: ""
+forwardAuth:
+ nameOverride: ""
+ enabled: false
+
 service:
 # Service type can be set to ClusterIP, NodePort or LoadBalancer.
 authorize:
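Review bot: The new forward-auth rule has `- paths:` as the HTTPIngressPath list item where the sibling rules (see the `serviceName`/`servicePort` context in the previous hunk) place the backend directly under the item; as written the item is a mapping with an unknown `paths` key and a `backend` beside it, and it presumably only routes because the API server drops the unknown field and a path-less item matches everything — strict validation would reject it. Change `- paths:` to `- backend:` and indent `serviceName: {{ template "pomerium.proxy.fullname" . }}` and `servicePort: https` under it, so the rendered item is `- backend: { serviceName, servicePort }`. The `host:` value is also unquoted here while the policy-derived hosts use `| quote`; `- host: {{ template "pomerium.forwardAuth.name" . | quote }}` keeps the user-controllable `nameOverride` from ever being parsed as anything but a string. The `rules:` list this hunk sits in starts outside the hunk.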
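Review bot: The `forwardAuth` stanza added to values.yaml carries no comment, unlike the neighbouring `service:` block, and the README is the only place that records that enabling it changes the Ingress (policy `from` hosts are no longer enumerated). A short comment above `forwardAuth:` would save operators a surprise: `# Forward-auth endpoint for third-party ingress controllers; served at https://forwardauth.<config.rootDomain> unless nameOverride is set.` and `# Enabling it stops policy 'from' hosts being added to the Ingress automatically; list them in ingress.hosts instead.`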