diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index 48d20356..593bd4c5 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 8.3.0
+version: 8.4.0
 appVersion: 0.7.5
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo-long.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index d3dda521..7fec9668 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -16,6 +16,7 @@
 - [Self Provisioned](#self-provisioned-1)
 - [Configuration](#configuration)
 - [Changelog](#changelog)
+ - [8.4.0](#840)
 - [8.0.0](#800)
 - [7.0.0](#700)
 - [6.0.0](#600)
@@ -144,6 +145,7 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` |
 | `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
 | `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |
+| `config.insecure` | DANGER, this disables tls between services. Only do this if you know what you are doing. One reason might be that you want to offload tls to a reverse proxy (i.e. istio, traefik) | `false` | | `false` |
 | `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
 | `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
 | `config.policy` | Base64 encoded string containing the routes, and their access policies. | |
@@ -240,6 +242,10 @@ A full listing of Pomerium's configuration variables can be found on the [config
 ## Changelog
+### 8.4.0
+
+- Add `config.insecure` flag in order to support running Pomerium in non-tls mode to play well with reverse proxy's like Istio's envoy
+
 ### 8.0.0
 - Pomerium `ConfigMap` and `Secret` were combined into a single `Secret`. See [v8.0.0 Upgrade Nodes](#800-1) to migrate
diff --git a/charts/pomerium/templates/NOTES.txt b/charts/pomerium/templates/NOTES.txt
index 126ab7c2..8717c355 100644
--- a/charts/pomerium/templates/NOTES.txt
+++ b/charts/pomerium/templates/NOTES.txt
@@ -48,3 +48,11 @@ the official documentation: https://www.pomerium.io/docs/identity-providers.html
 {{- end }}
+
+{{- if .Values.config.insecure }}
+##############################################################################
+#### DANGER: You have disabled TLS!
+####
+#### Please only do this if you absolutely know what you are doing.
+##############################################################################
+{{- end }}
diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
index 28907704..36f079d3 100644
--- a/charts/pomerium/templates/authenticate-deployment.yaml
+++ b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -82,6 +82,12 @@ spec:
 value: "/pomerium/privkey.pem"
 - name: CERTIFICATE_AUTHORITY_FILE
 value: "/pomerium/ca.pem"
+{{- if .Values.config.insecure }}
+ - name: INSECURE_SERVER
+ value: "true"
+ - name: GRPC_INSECURE
+ value: "true"
+{{- end }}
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
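Review bot: `GRPC_INSECURE=true` in the added env block strips TLS from the authenticate service's gRPC hops as well, not only from the HTTP listener that an ingress reverse proxy would front, so the README's "offload tls to a reverse proxy (i.e. istio, traefik)" use case only keeps service-to-service traffic encrypted when a mesh sidecar does mTLS on every Pomerium pod; a plain edge proxy such as Traefik leaves those hops in cleartext on the cluster network. Consider gating the two variables separately (e.g. `config.insecure` for `INSECURE_SERVER` and a distinct `config.grpcInsecure` for `GRPC_INSECURE`, both defaulting to TLS), or at least spell this out in the README row and the NOTES banner, which currently say only that TLS is disabled. The hunk also leaves `CERTIFICATE_AUTHORITY_FILE` and the key path pointing at the mounted cert files while insecure, which is harmless but means the generated TLS material is presumably still created; if `values.yaml` is not updated elsewhere in this change, add `insecure: false` under `config` so the documented default is visible in `helm show values`. The container's env list and the enclosing container spec continue outside the hunk.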
@@ -97,12 +103,20 @@ spec:
 httpGet:
 path: /ping
 port: https
+{{- if .Values.config.insecure }}
+ scheme: HTTP
+{{- else }}
 scheme: HTTPS
+{{- end }}
 readinessProbe:
 httpGet:
 path: /ping
 port: https
+{{- if .Values.config.insecure }}
+ scheme: HTTP
+{{- else }}
 scheme: HTTPS
+{{- end }}
 resources:
 {{ toYaml .Values.resources | indent 10 }}
 volumeMounts:
diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml
index 7e6381d8..2b008326 100644
--- a/charts/pomerium/templates/authorize-deployment.yaml
+++ b/charts/pomerium/templates/authorize-deployment.yaml
@@ -74,6 +74,12 @@ spec:
 value: "/pomerium/privkey.pem"
 - name: CERTIFICATE_AUTHORITY_FILE
 value: "/pomerium/ca.pem"
+{{- if .Values.config.insecure }}
+ - name: INSECURE_SERVER
+ value: "true"
+ - name: GRPC_INSECURE
+ value: "true"
+{{- end }}
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
diff --git a/charts/pomerium/templates/cache-deployment.yaml b/charts/pomerium/templates/cache-deployment.yaml
index 65581214..beda42c5 100644
--- a/charts/pomerium/templates/cache-deployment.yaml
+++ b/charts/pomerium/templates/cache-deployment.yaml
@@ -72,6 +72,12 @@ spec:
 value: "/pomerium/privkey.pem"
 - name: CERTIFICATE_AUTHORITY_FILE
 value: "/pomerium/ca.pem"
+{{- if .Values.config.insecure }}
+ - name: INSECURE_SERVER
+ value: "true"
+ - name: GRPC_INSECURE
+ value: "true"
+{{- end }}
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
diff --git a/charts/pomerium/templates/proxy-deployment.yaml b/charts/pomerium/templates/proxy-deployment.yaml
index 01787dfb..c39cf25d 100644
--- a/charts/pomerium/templates/proxy-deployment.yaml
+++ b/charts/pomerium/templates/proxy-deployment.yaml
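Review bot: The added `{{- if }}`/`{{- else }}` blocks around the liveness and readiness `scheme:` lines repeat the same four-line switch twice in this hunk, and the two probes can now drift apart if only one is edited later; sprig's `ternary` expresses each in a single line, `scheme: {{ ternary "HTTP" "HTTPS" .Values.config.insecure }}`, which keeps both probes on the same scheme by construction. Either way the probes stay correct, since a probe's `scheme` must match what the listener speaks and `INSECURE_SERVER` is set from the same value. The container spec enclosing these probes starts and ends outside the hunk.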
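Review bot: The `INSECURE_SERVER`/`GRPC_INSECURE` block added to cache-deployment.yaml is the third verbatim copy of the six lines already added to the authenticate and authorize deployments, so a later fix to one of them will silently diverge from the others. A named template, e.g. `pomerium.insecureEnv` in the chart's helpers file if it has one, included from each deployment with `{{- include "pomerium.insecureEnv" . | nindent <env indent> }}`, keeps all four deployments in step. The container's env list and enclosing container spec continue outside the hunk.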
@@ -83,6 +83,12 @@ spec:
 value: "/pomerium/privkey.pem"
 - name: CERTIFICATE_AUTHORITY_FILE
 value: "/pomerium/ca.pem"
+{{- if .Values.config.insecure }}
+ - name: INSECURE_SERVER
+ value: "true"
+ - name: GRPC_INSECURE
+ value: "true"
+{{- end }}
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
@@ -98,12 +104,20 @@ spec:
 httpGet:
 path: /ping
 port: https
+{{- if .Values.config.insecure }}
+ scheme: HTTP
+{{- else }}
 scheme: HTTPS
+{{- end }}
 readinessProbe:
 httpGet:
 path: /ping
 port: https
+{{- if .Values.config.insecure }}
+ scheme: HTTP
+{{- else }}
 scheme: HTTPS
+{{- end }}
 resources:
 {{ toYaml .Values.resources | indent 10 }}
 volumeMounts:
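Review bot: Both proxy probes still reference `port: https` while the added branch switches them to plain `scheme: HTTP`, so under `config.insecure` the port name no longer describes what the listener speaks. A probe port name is only a label, so the probes themselves work, but the proxy is the component an Istio or Traefik front end connects to, and if the corresponding Service port is also named `https` then Istio's port-name protocol selection will treat that port as TLS passthrough and the plaintext offload the README describes will not behave as intended. Consider naming the port `http` when `config.insecure` is set (container port, Service port and both probes together), or at least document in the README row which port and protocol the external proxy must target. The container spec enclosing these probes starts and ends outside the hunk.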