Moved pomerium from ingress module

Author: Simone Bruzzese

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2022, SIGHUP
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,99 @@
+<h1>
+    <img src="https://github.com/sighupio/fury-distribution/blob/master/docs/assets/fury-epta-white.png?raw=true" align="left" width="90" style="margin-right: 15px"/>
+    Kubernetes Fury Auth
+</h1>
+
+![Release](https://img.shields.io/github/v/release/sighupio/fury-kubernetes-auth?label=Latest%20Release)
+![License](https://img.shields.io/github/license/sighupio/fury-kubernetes-auth?label=License)
+![Slack](https://img.shields.io/badge/slack-@kubernetes/fury-yellow.svg?logo=slack&label=Slack)
+
+<!-- <KFD-DOCS> -->
+**Kubernetes Fury Auth** provides Authentication Management for [Kubernetes Fury Distribution (KFD)][kfd-repo].
+
+If you are new to KFD please refer to the [official documentation][kfd-docs] on how to get started with KFD.
+
+## Overview
+
+**Kubernetes Fury Auth** use CNCF recommended, Cloud Native projects, such as [Pomerium][pomerium-repo], an identity-aware proxy that enables secure access to internal applications.
+
+## Packages
+
+Kubernetes Fury Auth provides the following packages:
+
+| Package                                    | Version   | Description                                                                                                                   |
+|--------------------------------------------|-----------|-------------------------------------------------------------------------------------------------------------------------------|
+| [pomerium](katalog/pomerium)                     | `v0.15.8`  | Identity-aware proxy that enables secure access to internal applications.                         |
+
+## Compatibility
+
+| Kubernetes Version |   Compatibility    |                        Notes                        |
+| ------------------ | :----------------: | --------------------------------------------------- |
+| `1.20.x`           | :white_check_mark: | No known issues                                     |
+| `1.21.x`           | :white_check_mark: | No known issues                                     |
+| `1.22.x`           | :white_check_mark: | No known issues                                     |
+| `1.23.x`           |     :warning:      | Conformance tests passed. Not officially supported. |
+
+Check the [compatibility matrix][compatibility-matrix] for additional informations about previous releases of the modules.
+
+## Usage
+
+### Prerequisites
+
+| Tool                                    | Version    | Description                                                                                                                                                    |
+|-----------------------------------------|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [furyctl][furyctl-repo]                 | `>=0.6.0`  | The recommended tool to download and manage KFD modules and their packages. To learn more about `furyctl` read the [official documentation][furyctl-repo].     |
+| [kustomize][kustomize-repo]             | `>=3.5.0`  | Packages are customized using `kustomize`. To learn how to create your customization layer with `kustomize`, please refer to the [repository][kustomize-repo]. |
+
+### Deployment
+
+1. List the packages you want to deploy and their version in a `Furyfile.yml`:
+
+```yaml
+bases:
+  - name: auth/pomerium
+    version: "v0.15.8"
+```
+
+
+> See `furyctl` [documentation][furyctl-repo] for additional details about `Furyfile.yml` format.
+
+2. Execute `furyctl vendor -H` to download the packages
+
+3. Inspect the download packages under `./vendor/katalog/auth/`.
+
+4. Define a `kustomization.yaml` that includes the `./vendor/katalog/auth` directory as resource.
+
+```yaml
+resources:
+- ./vendor/katalog/auth
+```
+
+5. To deploy the packages to your cluster, execute:
+
+```bash
+kustomize build . | kubectl apply -f -
+```
+
+<!-- Links -->
+[furyctl-repo]: https://github.com/sighupio/furyctl
+[sighup-page]: https://sighup.io
+[kfd-repo]: https://github.com/sighupio/fury-distribution
+[kustomize-repo]: https://github.com/kubernetes-sigs/kustomize
+[kfd-docs]: https://docs.kubernetesfury.com/docs/distribution/
+[compatibility-matrix]: https://github.com/sighupio/fury-kubernetes-auth/blob/master/docs/COMPATIBILITY_MATRIX.md
+[pomerium-repo]: https://github.com/pomerium/pomerium
+<!-- </KFD-DOCS> -->
+
+<!-- <FOOTER> -->
+## Contributing
+
+Before contributing, please read first the [Contributing Guidelines](docs/CONTRIBUTING.md).
+
+### Reporting Issues
+
+In case you experience any problem with the module, please [open a new issue](https://github.com/sighupio/fury-kubernetes-auth/issues/new/choose).
+
+## License
+
+This module is open-source and it's released under the following [LICENSE](LICENSE)
+<!-- </FOOTER> -->

katalog/pomerium/README.md

@@ -0,0 +1,97 @@
+# Pomerium
+
+<!-- <KFD-DOCS> -->
+
+Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked-in
+
+## Pomerium Setup
+
+This document is intended to give a brief overview on how Pomerium can be implemented, for further details, please look at the [official documentation][pomerium-docs].
+
+## Deploy
+
+The base kustomization file present [here](./kustomization.yaml) allows to quickly integrate this service with an existing Dex service, that could, for example, be connected to LDAP.
+
+> See [Dex official documentation][dex-docs] for more details.
+
+In order to do so, you will need to edit your Dex configuration, adding a static client to be used by Pomerium, like in the example below:
+
+```yaml
+>>staticClients:
+    - id: "pomerium-auth-client"
+      secret: "your-super-secret"
+      name: "Pomerium"
+      redirectURIs:
+       - "https://pomerium.example.com/oauth2/callback"
+```
+
+Configure the `redirectURIs` section accordingly to the hosts used for the pomerium ingress.
+
+Once dex is configured correctly, you will need to ovverride the configuration example ([policy](./config/policy.example.yaml) and environment variables via a [configmap](./config/config.example.env) and [secret](secrets/pomerium.example.env)) like in the example below:
+
+```yaml
+configMapGenerator:
+  - name: pomerium-policy
+    behavior: replace
+    files:
+      - policy.yml=config/pomerium-policy.yml
+  - name: pomerium
+    behavior: replace
+    envs:
+      - config/pomerium-config.env
+
+secretGenerator:
+  - name: pomerium-env
+    behavior: replace
+    envs:
+      - secrets/pomerium.env
+```
+
+Just copy the examples in the module and override them according to your settings.
+
+**⚠ WARNING: in the policy file, you'll need to set up a policy for each ingress you want to protect with Pomerium authorization service.**
+
+## Ingresses
+
+Once Pomerium and Dex are correctly configured, the last step is to add annotations to the ingresses you've added previously in the policy yaml file:
+
+```yaml
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    forecastle.stakater.com/expose: "true"
+    forecastle.stakater.com/appName: "Prometheus"
+    forecastle.stakater.com/icon: "https://github.com/stakater/ForecastleIcons/raw/master/prometheus.png"
+    kubernetes.io/ingress.class: "internal"
+    kubernetes.io/tls-acme: "true"
+    # authentication annotations
+    nginx.ingress.kubernetes.io/auth-url: "https://pomerium.example.com/verify?uri=$scheme://$host$request_uri"
+    nginx.ingress.kubernetes.io/auth-signin: "https://pomerium.example.com/?uri=$scheme://$host$request_uri"
+  name: prometheus
+  namespace: monitoring
+spec:
+  rules:
+    - host: prometheus.example.com
+      http:
+        paths:
+          - path: /
+            backend:
+              service:
+                name: prometheus-k8s
+                port:
+                  name: web
+  tls:
+    - hosts:
+        - prometheus.example.com
+      secretName: prometheus-tls
+```
+
+Now if you'll try to reach the `prometheus.example.com` you'll be forwarded to the dex login page accordingly with the rules set in your policy. Enjoy!
+
+<!-- Links -->
+[pomerium-docs]: https://www.pomerium.io/docs/
+[dex-docs]: https://dexidp.io/docs/kubernetes/
+
+<!-- </KFD-DOCS> -->

katalog/pomerium/config/config.example.env

@@ -0,0 +1,12 @@
+AUTHENTICATE_SERVICE_HOST=pomerium.example.com
+AUTHENTICATE_SERVICE_URL=https://$(AUTHENTICATE_SERVICE_HOST)
+FORWARD_AUTH_HOST=pomerium.example.com
+FORWARD_AUTH_URL=https://$(FORWARD_AUTH_HOST)
+# IDP_CLIENT_ID is the name of the staticClient in Dex
+IDP_CLIENT_ID=pomerium-auth-client
+# See https://docs.pomerium.io/configuration/#identity-provider-name
+IDP_PROVIDER=oidc
+# IDP_PROVIDER_URL is the url of dex ingress
+IDP_PROVIDER_URL=https://dex.example.com/
+IDP_SCOPES=openid profile email offline_access groups
+# used by `ingress.yaml` by default.

katalog/pomerium/config/policy.example.yaml

@@ -0,0 +1,21 @@
+# Copyright (c) 2021 SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+address: ":8080"
+metrics_address: ":9090"
+grcp_address: ":8080"
+
+# this is set because the service is behind an ssl ingress
+insecure_server: true
+autocert: false
+
+policy:
+  # from and to should be set to the prometheus ingress
+  - from: https://prometheus.example.com
+    to: https://prometheus.example.com
+    allowed_idp_claims:
+      groups:
+        # ldap groups configured in dex
+        - group1
+        - group2

katalog/pomerium/deploy.yml

@@ -0,0 +1,69 @@
+# Copyright (c) 2021 SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium
+
+spec:
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: pomerium
+          image: pomerium/pomerium
+          ports:
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+          args:
+            - -config
+            - /etc/pomerium/policy.yml
+          envFrom:
+            - secretRef:
+                name: pomerium-env
+            - configMapRef:
+                name: pomerium
+          env:
+            - name: SERVICES
+              value: all
+            - name: INSECURE_SERVER
+              value: "TRUE"
+            - name: JWT_CLAIMS_HEADERS
+              value: "email"
+            - name: LOG_LEVEL
+              value: "debug"
+            - name: PROXY_LOG_LEVEL
+              value: "debug"
+            - name: POMERIUM_DEBUG
+              value: "true"
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /ping
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+              scheme: HTTP
+          resources:
+            limits:
+              cpu: 500m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: pomerium-policy
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: pomerium-policy
+          name: pomerium-policy

katalog/pomerium/ingress.yml

@@ -0,0 +1,32 @@
+# Copyright (c) 2021 SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pomerium
+  annotations:
+    forecastle.stakater.com/expose: "true"
+    forecastle.stakater.com/appName: "Pomerium"
+    forecastle.stakater.com/icon: "https://pbs.twimg.com/profile_images/1161448498849390592/fJZaKEGR.png"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+    kubernetes.io/tls-acme: "true"
+spec:
+  ingressClassName: internal
+  rules:
+    - host: $(AUTHENTICATE_SERVICE_HOST)
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: pomerium
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - $(AUTHENTICATE_SERVICE_HOST)
+      secretName: pomerium-tls