[pomerium] clean up pomerium-cache and shared secret location (#254)

pomerium · Jan 28, 2022 · e9433c3 · e9433c3
1 parent dea4240
commit e9433c3
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 82 deletions.
diff --git a/charts/pomerium-console/Chart.yaml b/charts/pomerium-console/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 7.0.1
+version: 7.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/pomerium-console/README.md b/charts/pomerium-console/README.md
@@ -1,6 +1,6 @@
 # pomerium-console
 
-![Version: 7.0.0](https://img.shields.io/badge/Version-7.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 7.0.2](https://img.shields.io/badge/Version-7.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.3](https://img.shields.io/badge/AppVersion-0.15.3-informational?style=flat-square)
 
 Pomerium Enterprise Console
 
@@ -43,7 +43,7 @@ helm install pomerium-enterprise/pomerium-console \
 | config.audience | string | `""` | **Required** console's external URL.  This should match the `from` in Pomerium Core's config. |
 | config.customerId | string | `""` | Override default customerId |
 | config.databaseEncryptionKey | string | `""` | **Required** encryption key for protecting sensitive data in the database |
-| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Cache service |
+| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Databroker service |
 | config.prometheusUrl | string | `""` | Set URL for external prometheus server.  An embedded server is used if left unset. |
 | config.sharedSecret | string | `""` | **Required** Secures communication with the databroker.  Must match Pomerium `shared_secret` parameter. |
 | config.signingKey | string | `""` | **Required** Set the public key for verifying the Pomerium attestation JWT header |

diff --git a/charts/pomerium-console/values.yaml b/charts/pomerium-console/values.yaml
@@ -177,7 +177,7 @@ config:
   administrators: ""
   # config.customerId -- Override default customerId
   customerId: ""
-  # config.databrokerServiceUrl -- Override the URL default to the Pomerium Cache service
+  # config.databrokerServiceUrl -- Override the URL default to the Pomerium Databroker service
   # @default -- `https://pomerium-databroker.[release namespace].svc.cluster.local`
   databrokerServiceUrl: ""
   # config.sharedSecret -- **Required** Secures communication with the databroker.  Must match Pomerium `shared_secret` parameter.

diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pomerium
-version: 27.0.2
+version: 28.0.0
 appVersion: 0.16.1
 home: http://www.pomerium.com/
 icon: https://www.pomerium.com/img/icon.svg

diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
@@ -20,6 +20,7 @@
   - [Redis Subchart](#redis-subchart)
   - [Configuration](#configuration)
   - [Changelog](#changelog)
+    - [28.0.0](#2800)
     - [27.0.0](#2700)
     - [26.0.0](#2600)
     - [25.0.1](#2501)
@@ -56,6 +57,7 @@
     - [3.0.0](#300)
     - [2.0.0](#200)
   - [Upgrading](#upgrading)
+    - [28.0.0](#2800-1)
     - [27.0.0](#2700-1)
     - [25.0.0](#2500-1)
     - [23.0.0](#2300-1)
@@ -440,6 +442,11 @@ A full listing of Pomerium's configuration variables can be found on the [config
 
 ## Changelog
 
+### 28.0.0
+
+- A previous breaking change from 25.0.0 was fully completed.
+- The deprecated `cache` service has been completely removed.
+
 ### 27.0.0
 
 - Add better support for terminating TLS at the edge of a service mesh via `config.insecureProxy` and additional logic when `config.insecure` is set.
@@ -594,6 +601,15 @@ A full listing of Pomerium's configuration variables can be found on the [config
 
 ## Upgrading
 
+### 28.0.0
+
+- Users should ensure they no longer depend on the `pomerium-cache` service name for telemetry or other operations.  Migrate any configuration referencing the `pomerium-cache` service to consume the `pomerium-databroker` service.  `pomerium-cache` has been deprecated since (#2000-1)
+- Ensure the upgrade steps for (#2500-1) were fully completed.  This chart version includes breaking changes that were unintentionally omitted from 25.0.0.
+
+  Specifically:
+
+  Users of `config.existingSecret` should move `cookie_secret` and `shared_secret` to be explicitly set in your helm values OR put into a secondary secret as `COOKIE_SECRET` and `SHARED_SECRET` and referenced by `config.existingSharedSecret`.  As a third option, you may remove the values from your current secret and let new ones be generated and persisted for you.
+
 ### 27.0.0
 
 - Users of `config.insecure=true` in a service mesh:

diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
@@ -25,11 +25,6 @@
 {{- default (printf "%s-databroker" .Chart.Name) .Values.databroker.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*DEPRECATED Expand the name of the cache-service.*/}}
-{{- define "pomerium.cache.name" -}}
-{{- default (printf "%s-cache" .Chart.Name) .Values.cache.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*Expand the name of the ingressController .*/}}
 {{- define "pomerium.ingressController.name" -}}
 {{- default (printf "%s-ingress-controller" .Chart.Name) .Values.ingressController.nameOverride | trunc 63 | trimSuffix "-" -}}
@@ -100,20 +95,6 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
-{{/* DEPRECATED cache services fully qualified name. Truncated at 63 chars. */}}
-{{- define "pomerium.cache.fullname" -}}
-{{- if .Values.cache.fullnameOverride -}}
-{{- .Values.cache.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- printf "%s-cache" .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s-cache" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
 {{/* authenticate services fully qualified name. Truncated at 63 chars. */}}
 {{- define "pomerium.authenticate.fullname" -}}
 {{- if .Values.authenticate.fullnameOverride -}}
@@ -487,8 +468,6 @@ forward_auth_url: {{ printf "%s://%s" ( include "pomerium.httpTrafficPort.name"
 {{- else if .Values.forwardAuth.enabled }}
 forward_auth_url: {{ printf "https://%s" ( include "pomerium.forwardAuth.name" . ) }}
 {{- end }}
-cookie_secret: {{ default (randAscii 32 | b64enc) .Values.config.cookieSecret }}
-shared_secret: {{ default (randAscii 32 | b64enc) .Values.config.sharedSecret }}
 idp_client_id: {{ .Values.authenticate.idp.clientID }}
 idp_client_secret: {{ .Values.authenticate.idp.clientSecret }}
 {{- if or .Values.authenticate.idp.serviceAccount .Values.authenticate.idp.serviceAccountYAML }}

diff --git a/charts/pomerium/templates/cache-service.yaml b/charts/pomerium/templates/cache-service.yaml
diff --git a/charts/pomerium/templates/servicemonitor.yaml b/charts/pomerium/templates/servicemonitor.yaml
@@ -16,12 +16,6 @@ metadata:
 {{- end }}
 spec:
   selector:
-    # TODO remove when pomerium-cache service is removed
-    matchExpressions:
-      - key: app.kubernetes.io/name
-        operator: NotIn
-        values:
-          - pomerium-cache
     matchLabels:
       helm.sh/chart: {{ template "pomerium.chart" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}

diff --git a/charts/pomerium/templates/tls-secrets.yaml b/charts/pomerium/templates/tls-secrets.yaml
@@ -152,7 +152,7 @@ data:
 {{- $ca := genCA "default-ca" 3650 }}
 {{- $authenticateSN:= list (printf "authenticate.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authenticate.fullname" .) .Release.Namespace )}}
 {{- $authorizeSN:= list (printf "authorize.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authorize.fullname" .) .Release.Namespace )}}
-{{- $databrokerSN:= list (printf "databroker.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.databroker.fullname" .) .Release.Namespace ) (printf "cache.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.cache.fullname" .) .Release.Namespace )}}
+{{- $databrokerSN:= list (printf "databroker.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.databroker.fullname" .) .Release.Namespace ) }}
 {{- $proxySN:= list (printf "authenticate.%s" .Values.config.rootDomain) }}
 
 {{- $cn := default "example.com" .Values.config.rootDomain }}

diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
@@ -114,10 +114,6 @@ authorize:
     annotations: {}
     nameOverride: ""
 
-cache:
-  fullnameOverride: ""
-  nameOverride: ""
-
 databroker:
   fullnameOverride: ""
   nameOverride: ""