Setting the Hosts explicitly (pomerium#32)
* Setting the Hosts explicitly

The `kubernetes-sigs/external-dns` creates DNS records based on the Hostnames in Ingress objects.
Setting the hostnames explicitly in the Ingress object and not using a wildcard can help to take advantage of this functionality

* Making .policy mutually exclusive with the ingress.hosts

Signed-off-by: Mohsen <[email protected]>
mohsen0 authored and travisgroth committed Nov 11, 2019
1 parent 5cfb162 commit 6f4c7cd
Showing 6 changed files with 51 additions and 29 deletions.
3 changes: 2 additions & 1 deletion Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 4.0.1
version: 4.1.0
appVersion: 0.4.2
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo.svg
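Review bot: the minor bump to 4.1.0 is the right call for a behaviour change (the commit message says `config.policy` and `ingress.hosts` are now mutually exclusive), but nothing in the README's Upgrading section describes it; add a `### 4.1.0` entry beside the existing `### 4.0.0` and `### 3.0.0` ones stating that the two values are mutually exclusive, so users who currently set both know which one to remove before upgrading.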
Expand All @@ -24,3 +24,4 @@ engine: gotpl
maintainers:
- name: desimone
email: [email protected]
- name: travisgroth
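Review bot: the new `travisgroth` maintainer entry has no `email` field while the `desimone` entry directly above it has one; add the address (or drop it from both) so the maintainer list is consistent and every maintainer is contactable.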
40 changes: 20 additions & 20 deletions README.md
Expand Up @@ -80,32 +80,32 @@ You may force recreation of your TLS certificates by setting `config.forceGenera
### Self Provisioned
If you wish to provide your own TLS certificates in secrets, you should:
1) turn `generateTLS` to `false`
2) specify `authenticate.existingTLSSecret`, `authorize.existingTLSSecret`, and `proxy.existingTLSSecret`, pointing at the appropriate TLS certificate for each service.
2) specify `authenticate.existingTLSSecret`, `authorize.existingTLSSecret`, and `proxy.existingTLSSecret`, pointing at the appropriate TLS certificate for each service.

All services can share the secret if appropriate.

## Configuration

A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/config-reference.html).
A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/reference/reference.html).

| Parameter | Description | Default |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). | `corp.pomerium.io` |
| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` |
| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |
| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/config-reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.policy` | Base64 encoded string containing the routes, and their access policies. |
| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/config-reference.html#policy) in values |
| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/reference/reference.html#policy) in values |
| `authenticate.nameOverride` | Name of the authenticate service. |
| `authenticate.fullnameOverride` | Full name of the authenticate service. |
| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/config-reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` |
| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/config-reference.html#identity-provider-name). | `google` |
| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-id). | Required |
| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-secret). | Required |
| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/config-reference.html#identity-provider-url). | Optional |
| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/config-reference.html#identity-provider-service-account). | Optional |
| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` |
| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` |
| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required |
| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required |
| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). | Optional |
| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional |
| `authenticate.replicaCount` | Number of Authenticate pods to run | | `1` |
| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | |
| `proxy.nameOverride` | Name of the proxy service. |
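Review bot: while the links are being moved to `reference/reference.html`, the table's column counts should be fixed in the same pass: the `config.policy`, `authenticate.nameOverride`, `authenticate.fullnameOverride` and `authenticate.existingTLSSecret` rows have no Default cell, and `authenticate.replicaCount` has an extra empty cell (`| | \`1\` |`), which shifts the Default column when the table renders.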
Expand All @@ -119,8 +119,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `authorize.replicaCount` | Number of Authorize pods to run | | `1` |
| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | |
| `images.server.repository` | Pomerium image | `pomerium/pomerium` |
| `images.server.tag` | Pomerium image tag | `latest` |
| `images.server.pullPolicy` | Pomerium image pull policy | `Always` |
| `images.server.tag` | Pomerium image tag | `v0.4.2` |
| `images.server.pullPolicy` | Pomerium image pull policy | `IfNotPresent` |
| `service.annotations` | Service annotations | `{}` |
| `service.externalPort` | Pomerium's port | `443` |
| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` |
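Review bot: pinning `images.server.tag` to `v0.4.2` instead of `latest` is a good change (it matches `appVersion: 0.4.2` in Chart.yaml and makes rollouts reproducible), and `IfNotPresent` is only safe because the tag is now immutable; a short README note that overriding the tag back to `latest` with `IfNotPresent` will leave nodes on whatever image they already cached would keep users from silently decoupling the two values. The `authorize.replicaCount` row here also carries the same extra empty cell (`| | \`1\` |`) as `authenticate.replicaCount`.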
Expand All @@ -135,7 +135,7 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required |
| `ingress.enabled` | Enables Ingress for pomerium | `false` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hosts` | Ingress accepted hostnames | `nil` |
| `ingress.hosts` | Ingress accepted hostnames | `[]` |
| `ingress.tls` | Ingress TLS configuration | `[]` |
| `metrics.enabled` | Enable prometheus metrics endpoint | `false` |
| `metrics.port` | Prometheus metrics endpoint port | `9090` |
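Review bot: changing the default from `nil` to `[]` is fine, but the description "Ingress accepted hostnames" no longer tells the reader that, per the commit message, this value is mutually exclusive with `config.policy`; state here which one wins and what happens when both are set (fail the render or ignore one), so the explicit-hosts intent of this change is documented rather than left implicit in the templates.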
Expand All @@ -156,7 +156,7 @@ A full listing of Pomerium's configuration variables can be found on the [config
- Expose replica count for individual services
- Switch Authorize service to CluserIP for client side load balancing
- You must run pomerium v0.3.0+ to support this feature correctly

## Upgrading

### 4.0.0
Expand All @@ -165,22 +165,22 @@ A full listing of Pomerium's configuration variables can be found on the [config

### 3.0.0

- This version moves all certificates to TLS secrets.
- This version moves all certificates to TLS secrets.
- If you have existing generated certificates:
- Let pomerium regenerate your certificates during upgrade
- set `config.forceGenerateTLS` to `true`
- upgrade
- set `config.forceGenerateTLS` to `false`
- **OR:** To retain your certificates
- save your existing pomerium secret
- set `config.existingLegacyTLSSecret` to `true`
- set `config.existingLegacyTLSSecret` to `true`
- set `config.existingConfig` to point to your configuration secret
- upgrade
- re-create pomerium secret from saved yaml
- If you have externally sourced certificates in your pomerium secret:
- [Move and convert your certificates](scripts/upgrade-v3.0.0.sh) to type TLS Secrets and configure `[service].existingTLSSecret` to point to your secrets
- **OR:** To continue using your certificates from the existing config, set `config.existingLegacyTLSSecret` to `true`

****
### 2.0.0

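Review bot: these are trailing-whitespace-only changes, which is fine, but the stray `****` line just before `### 2.0.0` renders as a horizontal rule that no other version heading in this section has; remove it while this region is being touched.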
Expand All @@ -190,7 +190,7 @@ A full listing of Pomerium's configuration variables can be found on the [config

This chart provices two ways to surface metrics for discovery. Under normal circumstances, you will only set up one method.

### Prometheus Operator
### Prometheus Operator

This chart assumes you have already installed the Prometheus Operator CRDs.

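Review bot: the context line two lines above the changed heading still reads "This chart provices two ways"; fix the typo to "provides" since the hunk already touches the line directly below it.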
Expand Down Expand Up @@ -255,4 +255,4 @@ relabel_configs:
regex: ([^:]+)(?::\d+)?;(\d+)
replacement: $1:$2
target_label: __address__
```
```
4 changes: 2 additions & 2 deletions templates/NOTES.txt
@@ -1,8 +1,8 @@
{{- if eq (include "pomerium.providerOK" .) "true" }}
{{- if .Values.ingress.enabled }}
From outside the cluster, the server URL(s) are:
{{- range .Values.ingress.hosts }}
{{ $.Values.server.protocol }}://{{ . }}
{{- range .Values.config.policy }}
{{ .from | quote}}
{{- end }}

{{- else if contains "NodePort" .Values.service.type }}
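Review bot: this hunk ranges over `.Values.config.policy` and reads `.from` from each element, but the README in this same commit documents `config.policy` as a "Base64 encoded string"; `range` over a string fails at render time, so either the README should say that `config.policy` is a list of route objects when used this way, or the loop should be guarded with `{{- if kindIs "slice" .Values.config.policy }}`. Two smaller points: `{{ .from | quote}}` is missing the space before `}}` that every other action in this file has, and dropping the old `{{ $.Values.server.protocol }}://` prefix only gives equivalent output if every `from` value already carries its scheme.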
2 changes: 1 addition & 1 deletion templates/authorize-deployment.yaml
Expand Up @@ -103,7 +103,7 @@ spec:
livenessProbe:
tcpSocket:
port: https
initialDelaySeconds: 15
initialDelaySeconds: 15
readinessProbe:
tcpSocket:
port: https