Pomerium v0.20.0 (#336)

pomerium · Nov 16, 2022 · f0aed04 · f0aed04
1 parent eaf166e
commit f0aed04
Show file tree

Hide file tree

Showing 11 changed files with 193 additions and 136 deletions.
diff --git a/charts/pomerium-console/Chart.yaml b/charts/pomerium-console/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 10.0.0
+version: 11.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.19.0
+appVersion: 0.20.0
 
 maintainers:
   - name: Pomerium Developers

diff --git a/charts/pomerium-console/README.md b/charts/pomerium-console/README.md
diff --git a/charts/pomerium-console/templates/_helpers.tpl b/charts/pomerium-console/templates/_helpers.tpl
@@ -199,3 +199,15 @@ imagePullSecrets:
 {{- define "pomerium-console.pullSecret.data" -}}
 {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" "docker.cloudsmith.io" .Values.image.pullUsername .Values.image.pullPassword (printf "%s:%s" .Values.image.pullUsername .Values.image.pullPassword | b64enc) | b64enc }}
 {{- end }}
+
+{{/* Return metrics env var block */}}
+{{- define "pomerium-console.metrics.envVars" }}
+{{- if .Values.metrics.enabled }}
+- name: POD_IP
+  valueFrom:
+    fieldRef:
+      fieldPath: status.podIP
+- name: METRICS_ADDR
+  value: "$(POD_IP):{{.Values.metrics.port}}"
+{{- end }}
+{{- end }}
diff --git a/charts/pomerium-console/templates/deployment.yaml b/charts/pomerium-console/templates/deployment.yaml
@@ -41,6 +41,9 @@ spec:
             - name: {{ include "pomerium-console.grpc.name" . }}
               containerPort: 8702
               protocol: TCP
+            - name: metrics
+              containerPort: 9092
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /
@@ -63,6 +66,7 @@ spec:
           envFrom:
 {{-          toYaml .Values.extraEnvFrom | nindent 12 }}
 {{-       end }}
+{{- include "pomerium-console.metrics.envVars" . | indent 10 }}
           volumeMounts:
             - mountPath: /etc/pomerium/
               name: config

diff --git a/charts/pomerium-console/templates/service.yaml b/charts/pomerium-console/templates/service.yaml
@@ -15,5 +15,11 @@ spec:
       targetPort: {{ include "pomerium-console.grpc.name" . }}
       protocol: TCP
       name: {{ include "pomerium-console.grpc.name" . }}
+{{- if .Values.metrics.enabled }}
+    - name: metrics
+      port: {{ .Values.metrics.port }}
+      protocol: TCP
+      targetPort: metrics
+{{- end }}
   selector:
     {{- include "pomerium-console.selectorLabels" . | nindent 4 }}
diff --git a/charts/pomerium-console/templates/servicemonitor.yaml b/charts/pomerium-console/templates/servicemonitor.yaml
@@ -0,0 +1,24 @@
+{{ if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "pomerium-console.fullname" . }}
+{{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+{{- end }}
+  labels:
+    helm.sh/chart: {{ template "pomerium-console.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/name: {{ template "pomerium-console.name" . }}
+{{- if .Values.serviceMonitor.labels }}
+{{ toYaml .Values.serviceMonitor.labels | indent 4 }}
+{{- end }}
+spec:
+  selector:
+    matchLabels:
+      helm.sh/chart: {{ template "pomerium-console.chart" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  endpoints:
+  - port: metrics
+{{ end }}
diff --git a/charts/pomerium-console/values.yaml b/charts/pomerium-console/values.yaml
@@ -7,15 +7,15 @@ replicaCount: 1
 
 image:
   # -- Set to automatically generate an image pull secret
-  pullUsername: ""
+  pullUsername: ''
   # -- Set to automatically generate an image pull secret
-  pullPassword: ""
+  pullPassword: ''
   # -- The image repository source
   repository: docker.cloudsmith.io/pomerium/enterprise/pomerium-console
   # -- The iamge pull policy
   pullPolicy: IfNotPresent
   # -- Override the image tag from the chart appVersion
-  tag: ""
+  tag: ''
 
 serviceAccount:
   # -- Specifies whether a service account should be created
@@ -24,14 +24,14 @@ serviceAccount:
   annotations: {}
   # -- The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: ""
+  name: ''
 
 # -- Reference a list secrets containing image pull credentials for the deployment
 imagePullSecrets: []
 # -- Override the name of the chart
-nameOverride: ""
+nameOverride: ''
 # -- Override full release name
-fullnameOverride: ""
+fullnameOverride: ''
 
 # -- Set annotations on all pods
 podAnnotations: {}
@@ -113,17 +113,17 @@ tls:
   # want to enable `tls.generate` after the chart has already been installed.
   forceGenerate: false
   # -- Use an existing secret for TLS certificates
-  existingSecret: ""
+  existingSecret: ''
   # -- Use an existing secret for a CA certificate when communicating with Pomerium Core
-  existingCASecret: ""
+  existingCASecret: ''
   # -- Set the key name containing the CA certificate in the existingCASecret
   caSecretKey: tls.crt
   # -- A custom CA certificate when communicating with Pomerium Core
-  ca: ""
+  ca: ''
   # -- TLS server key
-  key: ""
+  key: ''
   # -- TLS server cert
-  cert: ""
+  cert: ''
 
 # -- FOR TESTING ONLY.  There is no migration path from embedded (sqlite) to an external RDBMS.
 persistence:
@@ -140,67 +140,77 @@ persistence:
 
 database:
   # -- **Required** Set database driver type.  This can be `pg`, `my` or sqlite for postgres, mysql or sqlite respectively
-  type: ""
+  type: ''
   # -- Set the database username
-  username: ""
+  username: ''
   # -- Set the database password
-  password: ""
+  password: ''
   # -- Set the database hostname
-  host: ""
+  host: ''
   # -- Set the name of the database or schema
-  name: ""
+  name: ''
   # -- Set appropriately for your database driver
-  sslmode: ""
+  sslmode: ''
   # -- Set custom DSN connection options
-  additionalDSNOptions: ""
+  additionalDSNOptions: ''
   tls:
     # -- Use an existing secret containing the client TLS keypair for the database connection
-    existingSecret: ""
+    existingSecret: ''
     # -- Use an existing secret containing the CA certificate for the database connection
-    existingCASecret: ""
+    existingCASecret: ''
     # -- Set the key name containing the CA certificate in the existingCASecret
     caSecretKey: tls.crt
     # -- A custom CA certificate when communicating with the database
-    ca: ""
+    ca: ''
     # -- Set a TLS client key for the database connection
-    key: ""
+    key: ''
     # -- Set a TLS client certificate for the database connection
-    cert: ""
+    cert: ''
 
 config:
   # -- Set to boostrap permissions to the console or recover from a misconfiguration.  Overrides permissions
   # in the database.
-  administrators: ""
+  administrators: ''
   # -- Override default customerId
-  customerId: ""
+  customerId: ''
   # -- Override the URL default to the Pomerium Cache service
   # @default -- `https://pomerium-databroker.[release namespace].svc.cluster.local`
-  databrokerServiceUrl: ""
+  databrokerServiceUrl: ''
   # -- **Required** Secures communication with the databroker.  Must match Pomerium `shared_secret` parameter.
-  sharedSecret: ""
+  sharedSecret: ''
   # -- **Required** if `config.authenticateServiceUrl` is unset.  Set the public key for verifying the Pomerium attestation JWT header
-  signingKey: ""
+  signingKey: ''
   # -- **Required** encryption key for protecting sensitive data in the database
-  databaseEncryptionKey: ""
+  databaseEncryptionKey: ''
   # -- Set URL for external prometheus server.  An embedded server is used if left unset.
-  prometheusUrl: ""
+  prometheusUrl: ''
   # -- **Required** console's external URL.  This should match the `from` in Pomerium Core's config.
-  audience: ""
+  audience: ''
   # -- **Required** for device identity enrollment.  If set, you do not need to set signingKey.
-  authenticateServiceUrl: ""
+  authenticateServiceUrl: ''
   # -- **Required** license key for your Pomerium Enterprise install.
-  licenseKey: ""
+  licenseKey: ''
 prometheus:
   # -- Enable using an embedded prometheus service if no external URL is provided
   enabled: true
   persistence:
     # -- Enable storage persistence for embedded prometheus
     enabled: false
-    storageClassName: ""
+    storageClassName: ''
     accessModes:
       - ReadWriteOnce
     size: 10Gi
     annotations: {}
     finalizers:
       - kubernetes.io/pvc-protection
-    existingClaim: ""
+    existingClaim: ''
+
+serviceMonitor:
+  enabled: false
+  namespace: ''
+  labels:
+    release: prometheus-console
+
+metrics:
+  enabled: true
+  port: 9092
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: pomerium
-version: 32.1.0
-appVersion: v0.18.0
+version: 33.0.0
+appVersion: v0.20.0
 home: http://www.pomerium.com/
 icon: https://www.pomerium.com/img/icon.svg
 description: Pomerium is an identity-aware access proxy.

diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
@@ -3,11 +3,12 @@
 [Pomerium](https://pomerium.io) is an [open-source](https://github.com/pomerium/pomerium) tool for managing secure access to internal applications and resources.
 
 - [Pomerium](#pomerium)
+  - [DEPRECATION](#deprecation)
   - [TL;DR;](#tldr)
   - [Install the chart](#install-the-chart)
   - [Uninstalling the Chart](#uninstalling-the-chart)
   - [Pomerium Operator (DEPRECATED)](#pomerium-operator-deprecated)
-    - [Pomerium operator has been replaced by Pomerium Ingress Controller. See `ingressController.config.operatorMode` for similar functionality.](#pomerium-operator-has-been-replaced-by-pomerium-ingress-controller--see-ingresscontrollerconfigoperatormode-for-similar-functionality)
+    - [Pomerium operator has been replaced by Pomerium Ingress Controller. See `ingressController.config.operatorMode` for similar functionality.](#pomerium-operator-has-been-replaced-by-pomerium-ingress-controller-see-ingresscontrollerconfigoperatormode-for-similar-functionality)
   - [Pomerium Ingress Controller](#pomerium-ingress-controller)
   - [TLS Certificates](#tls-certificates)
     - [Ingress Controller Annotations](#ingress-controller-annotations)
@@ -20,7 +21,9 @@
   - [Redis Subchart](#redis-subchart)
   - [Configuration](#configuration)
   - [Changelog](#changelog)
+    - [33.0.0](#3300)
     - [32.0.0](#3200)
+    - [31.2.0](#3120)
     - [31.0.0](#3100)
     - [30.0.0](#3000)
     - [29.0.0](#2900)
@@ -88,9 +91,11 @@
     - [Prometheus Operator](#prometheus-operator)
     - [Prometheus kubernetes_sd_configs](#prometheus-kubernetes_sd_configs)
 
-## TL;DR;
+## DEPRECATION
+
+Helm installation is no longer recommended for new deployments, please use [Manifests based deployment instead](https://www.pomerium.com/docs/k8s/quickstart).
 
-Helm installation is no longer recommended for new deployments, please see https://github.com/pomerium/ingress-controller
+## TL;DR;
 
 ```console
 helm install my-release pomerium/pomerium
@@ -295,8 +300,6 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `authenticate.idp.clientSecret`                              | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret).                                                                                                                                                                                                                                     | Required                                                                   |
 | `authenticate.idp.url`                                       | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url).                                                                                                                                                                                                                                                               | Optional                                                                   |
 | `authenticate.idp.scopes`                                    | Identity [Provider Scopes](https://www.pomerium.io/configuration/#identity-provider-scopes).                                                                                                                                                                                                                                                                        | Optional                                                                   |
-| `authenticate.idp.serviceAccount`                            | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account) base64 encoded.                                                                                                                                                                                                                        | Optional                                                                   |
-| `authenticate.idp.serviceAccountYAML`                        | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account) as inline YAML or JSON. <br><br>`authenticate.idp.serviceAccount` takes precedence.                                                                                                                                                    | Optional                                                                   |
 | `authenticate.ingress.tls.secretName`                        | When using Pomerium Ingress Controller, the name of the TLS secret for the `authenticate` Ingress resource. If left unset, you may receive a non-deterministic certificate for requests to `authenticate.${rootDomain}`. This may become [pinned](https://www.ssl2buy.com/wiki/how-to-clear-hsts-settings-on-chrome-firefox-and-ie-browsers) if you are using HSTS. | `{}`                                                                       |
 | `authenticate.ingress.annotations`                           | When using Pomerium Ingress Controller, set the annotations on the `authenticate` Ingress resource. Example: `cert-manager.io/cluster-issuer: letsencrypt-prod-http`                                                                                                                                                                                                | `{}`                                                                       |
 | `authenticate.replicaCount`                                  | Number of Authenticate pods to run                                                                                                                                                                                                                                                                                                                                  | `1`                                                                        |
@@ -459,6 +462,12 @@ A full listing of Pomerium's configuration variables can be found on the [config
 
 ## Changelog
 
+### 33.0.0
+
+- `idp.serviceAccount` is removed. Please see the [Upgrade Guide](https://www.pomerium.com/docs/overview/upgrading#since-0200)
+- Update to v0.20.0 of Pomerium
+
+
 ### 32.0.0
 
 - Update to v0.18 of Pomerium

diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
@@ -470,9 +470,6 @@ forward_auth_url: {{ printf "https://%s" ( include "pomerium.forwardAuth.name" .
 {{- end }}
 idp_client_id: {{ .Values.authenticate.idp.clientID }}
 idp_client_secret: {{ .Values.authenticate.idp.clientSecret }}
-{{- if or .Values.authenticate.idp.serviceAccount .Values.authenticate.idp.serviceAccountYAML }}
-idp_service_account: {{ include "pomerium.idp.serviceAccount" . }}
-{{- end }}
 {{- if ne (include "pomerium.databroker.storage.type" . ) "memory" }}
 databroker_storage_tls_skip_verify: {{ .Values.databroker.storage.tlsSkipVerify }}
 {{- end  }}
@@ -558,15 +555,6 @@ routes:
 {{- end -}}
 {{- end -}}
 
-{{/* Render idp_service_account */}}
-{{- define "pomerium.idp.serviceAccount" -}}
-{{- if .Values.authenticate.idp.serviceAccount -}}
-{{- .Values.authenticate.idp.serviceAccount -}}
-{{- else -}}
-{{- .Values.authenticate.idp.serviceAccountYAML | toJson | b64enc -}}
-{{- end -}}
-{{- end -}}
-
 {{/* Expand databroker storage type */}}
 {{- define "pomerium.databroker.storage.type" -}}
 {{- if .Values.redis.enabled -}}

diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
@@ -203,7 +203,7 @@ ingressController:
   nameOverride: ''
   image:
     repository: 'pomerium/ingress-controller'
-    tag: 'sha-5294279'
+    tag: 'sha-5623bd8'
     pullPolicy: IfNotPresent
   deployment:
     annotations: {}