Adding insecure server boolean to chart. (#83)
Signed-off-by: Bjoern Weidlich <[email protected]>
bjoernw authored Apr 21, 2020
1 parent 70137bd commit ef518d5
Showing 7 changed files with 55 additions and 1 deletion.
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 8.3.0
version: 8.4.0
appVersion: 0.7.5
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo-long.svg
6 changes: 6 additions & 0 deletions charts/pomerium/README.md
Expand Up @@ -16,6 +16,7 @@
- [Self Provisioned](#self-provisioned-1)
- [Configuration](#configuration)
- [Changelog](#changelog)
- [8.4.0](#840)
- [8.0.0](#800)
- [7.0.0](#700)
- [6.0.0](#600)
Expand Down Expand Up @@ -144,6 +145,7 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |
| `config.insecure` | DANGER, this disables tls between services. Only do this if you know what you are doing. One reason might be that you want to offload tls to a reverse proxy (i.e. istio, traefik) | `false` | | `false` |
| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.policy` | Base64 encoded string containing the routes, and their access policies. | |
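Review bot: the new `config.insecure` row ends with two surplus cells (`| | `false` |` after the default), so it has five columns where the neighbouring rows have three; drop the trailing cells. While here, "i.e. istio, traefik" introduces examples, so "e.g." is meant, and the description could name what the flag sets (`INSECURE_SERVER` and `GRPC_INSECURE` on the authenticate, authorize, cache and proxy deployments) so readers know both HTTP and gRPC go plaintext.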
Expand Down Expand Up @@ -240,6 +242,10 @@ A full listing of Pomerium's configuration variables can be found on the [config

## Changelog

### 8.4.0

- Add `config.insecure` flag in order to support running Pomerium in non-tls mode to play well with reverse proxy's like Istio's envoy

### 8.0.0

- Pomerium `ConfigMap` and `Secret` were combined into a single `Secret`. See [v8.0.0 Upgrade Nodes](#800-1) to migrate
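Review bot: the 8.4.0 entry says "non-tls mode" without stating the consequence given in the configuration table, that TLS between the Pomerium services is disabled; suggest saying so and referring to the DANGER wording on `config.insecure`. Minor: "reverse proxy's" should be "reverse proxies".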
8 changes: 8 additions & 0 deletions charts/pomerium/templates/NOTES.txt
Expand Up @@ -48,3 +48,11 @@ the official documentation:

https://www.pomerium.io/docs/identity-providers.html
{{- end }}

{{- if .Values.config.insecure }}
##############################################################################
#### DANGER: You have disabled TLS!
####
#### Please only do this if you absolutely know what you are doing.
##############################################################################
{{- end }}
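Review bot: the banner does not tell the operator what was turned off or how to undo it; name the value (`config.insecure`) and its effect (plain HTTP and gRPC between the services) in the text, and state the expectation that a reverse proxy terminates TLS, as the README row does. Also, `{{- if` trims the blank line before it, so when the preceding block renders, the banner starts directly under the identity-provider URL; use `{{ if` or put a blank line inside the block.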
14 changes: 14 additions & 0 deletions charts/pomerium/templates/authenticate-deployment.yaml
Expand Up @@ -82,6 +82,12 @@ spec:
value: "/pomerium/privkey.pem"
- name: CERTIFICATE_AUTHORITY_FILE
value: "/pomerium/ca.pem"
{{- if .Values.config.insecure }}
- name: INSECURE_SERVER
value: "true"
- name: GRPC_INSECURE
value: "true"
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
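Review bot: the new block is rendered directly before the `extraEnv` range, so a deployment that already passes `INSECURE_SERVER` or `GRPC_INSECURE` through `extraEnv` ends up with the name listed twice in the container env; either document that `config.insecure` replaces those `extraEnv` entries or skip those keys in the range. It is also worth deciding whether `CERTIFICATE_AUTHORITY_FILE` and the certificate and key paths above should still be set when TLS is off.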
Expand All @@ -97,12 +103,20 @@ spec:
httpGet:
path: /ping
port: https
{{- if .Values.config.insecure }}
scheme: HTTP
{{- else }}
scheme: HTTPS
{{- end }}
readinessProbe:
httpGet:
path: /ping
port: https
{{- if .Values.config.insecure }}
scheme: HTTP
{{- else }}
scheme: HTTPS
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
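Review bot: the four-line if/else around `scheme:` is repeated for both probes in this hunk and again in the proxy deployment; a single line such as `scheme: {{ if .Values.config.insecure }}HTTP{{ else }}HTTPS{{ end }}` keeps the probe blocks readable and makes it harder for the two probes to drift apart.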
6 changes: 6 additions & 0 deletions charts/pomerium/templates/authorize-deployment.yaml
Expand Up @@ -74,6 +74,12 @@ spec:
value: "/pomerium/privkey.pem"
- name: CERTIFICATE_AUTHORITY_FILE
value: "/pomerium/ca.pem"
{{- if .Values.config.insecure }}
- name: INSECURE_SERVER
value: "true"
- name: GRPC_INSECURE
value: "true"
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
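Review bot: this file gets the env change only (6 additions), while authenticate and proxy (14 each) also switch their probe `scheme`; if the authorize and cache deployments probe over `httpGet` with `scheme: HTTPS`, their pods will fail the probes once `config.insecure` is set. Please confirm the probes there do not depend on TLS, or add the same conditional.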
6 changes: 6 additions & 0 deletions charts/pomerium/templates/cache-deployment.yaml
Expand Up @@ -72,6 +72,12 @@ spec:
value: "/pomerium/privkey.pem"
- name: CERTIFICATE_AUTHORITY_FILE
value: "/pomerium/ca.pem"
{{- if .Values.config.insecure }}
- name: INSECURE_SERVER
value: "true"
- name: GRPC_INSECURE
value: "true"
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
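Review bot: the same six lines are pasted identically into all four deployments (authenticate, authorize, cache, proxy); move them into a named template and `include` it from each deployment, so a later change to the insecure settings cannot miss one service.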
14 changes: 14 additions & 0 deletions charts/pomerium/templates/proxy-deployment.yaml
Expand Up @@ -83,6 +83,12 @@ spec:
value: "/pomerium/privkey.pem"
- name: CERTIFICATE_AUTHORITY_FILE
value: "/pomerium/ca.pem"
{{- if .Values.config.insecure }}
- name: INSECURE_SERVER
value: "true"
- name: GRPC_INSECURE
value: "true"
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
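Review bot: with `INSECURE_SERVER` set here the proxy answers over plain HTTP, but none of the seven changed files is a Service or Ingress template; if those assume an HTTPS backend, traffic to the proxy will fail when `config.insecure` is on. Please check them and either cover the flag there or list the required manual settings in the README.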
Expand All @@ -98,12 +104,20 @@ spec:
httpGet:
path: /ping
port: https
{{- if .Values.config.insecure }}
scheme: HTTP
{{- else }}
scheme: HTTPS
{{- end }}
readinessProbe:
httpGet:
path: /ping
port: https
{{- if .Values.config.insecure }}
scheme: HTTP
{{- else }}
scheme: HTTPS
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
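Review bot: both probes keep `port: https` while switching to `scheme: HTTP`, so the named port carries plaintext when `config.insecure` is set; that is easy to misread in the rendered manifest and by anything that infers the protocol from the port name. Consider a template comment here or a sentence in the README row saying the port name is unchanged.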