mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-29 22:48:15 +02:00
authenticate: support kubernetes (#62)
- cmd/pomerium: made ping a toplevel route for all services. - docs: updated kubernetes script and corresponding configuration yaml's
This commit is contained in:
Bobby DeSimone
GitHub
parent
c13459bb88
commit
0a501b61ed
11 changed files with 115 additions and 202 deletions
|
|
@ -1,64 +1,47 @@
|
|||
#!/bin/bash
|
||||
# NOTE! This will create real resources on Google's cloud. Make sure you clean up any unused
|
||||
# resources to avoid being billed. For reference, this tutorial cost me <10 cents for a couple of hours.
|
||||
# NOTE! You must change the identity provider client secret setting, and service account setting!
|
||||
|
||||
# create a cluster
|
||||
echo "=> creating cluster"
|
||||
gcloud container clusters create pomerium --num-nodes 1
|
||||
# get cluster credentials os we can use kubctl locally
|
||||
|
||||
echo "=> get cluster credentials os we can use kubctl locally"
|
||||
gcloud container clusters get-credentials pomerium
|
||||
# create `pomerium` namespace
|
||||
|
||||
echo "=> create pomerium namespace"
|
||||
kubectl create ns pomerium
|
||||
|
||||
######################################################################
|
||||
#### UNCOMMENT to use helm to install cert-manager & nginx-ingress####
|
||||
######################################################################
|
||||
# setup service account for tiller used by helm
|
||||
# kubectl create serviceaccount --namespace kube-system tiller
|
||||
# kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
|
||||
# helm init --service-account tiller
|
||||
# # update helm
|
||||
# helm repo update
|
||||
# kubectl get deployments -n kube-system
|
||||
# # create nginx-ingress
|
||||
# helm install --name nginx-ingress stable/nginx-ingress --set rbac.create=true
|
||||
# # install cert-manager to auto grab lets encrypt certificates
|
||||
# kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/00-crds.yaml
|
||||
# helm repo update
|
||||
# helm install --name cert-manager --namespace cert-manager stable/cert-manager
|
||||
# configure Let’s Encrypt Issuer
|
||||
# kubectl apply -f docs/docs/examples/kubernetes/issuer.le.prod.yml
|
||||
# kubectl apply -f docs/docs/examples/kubernetes/issuer.le.stage.yml
|
||||
# kubectl get certificate
|
||||
|
||||
# add our policy
|
||||
kubectl create configmap -n pomerium policy --from-literal=POLICY=$(cat policy.example.yaml | base64)
|
||||
|
||||
# create our cryptographically random keys
|
||||
echo "=> create our cryptographically random keys for $(shared-secret) and $(cookie-secret) from urandom"
|
||||
kubectl create secret generic -n pomerium shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
|
||||
kubectl create secret generic -n pomerium cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
|
||||
|
||||
# load TLS for pomerium services
|
||||
echo "=> initiliaze secrets for TLS wild card certificates $(certificate) and $(certificate-key)"
|
||||
kubectl create secret generic -n pomerium certificate --from-literal=certificate=$(base64 -i cert.pem)
|
||||
kubectl create secret generic -n pomerium certificate-key --from-literal=certificate-key=$(base64 -i privkey.pem)
|
||||
|
||||
# load TLS to ingress
|
||||
echo "=> load TLS to ingress"
|
||||
kubectl create secret tls -n pomerium pomerium-tls --key privkey.pem --cert cert.pem
|
||||
|
||||
# !!! IMPORTANT !!!
|
||||
# YOU MUST CHANGE THE Identity Provider Client Secret
|
||||
# !!! IMPORTANT !!!
|
||||
# kubectl create secret generic -n pomerium idp-client-secret --from-literal=REPLACE_ME
|
||||
echo "=> initiliaze a configmap setting for POLICY from $(policy.example.yaml)"
|
||||
kubectl create configmap -n pomerium policy --from-literal=policy=$(cat policy.example.yaml | base64)
|
||||
|
||||
# Create the proxy & authenticate deployment
|
||||
echo "=> setting $(idp-client-secret), you changed this right? :)"
|
||||
exit 1 # comment out or delete this line once you change the following two settings
|
||||
# kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACEME
|
||||
# kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json)
|
||||
|
||||
echo "=> apply the proxy, authorize, and authenticate deployment configs"
|
||||
kubectl apply -f docs/docs/examples/kubernetes/authorize.deploy.yml
|
||||
kubectl apply -f docs/docs/examples/kubernetes/authenticate.deploy.yml
|
||||
kubectl apply -f docs/docs/examples/kubernetes/proxy.deploy.yml
|
||||
# Create the proxy & authenticate services
|
||||
|
||||
echo "=> apply the proxy, authorize, and authenticate service configs"
|
||||
kubectl apply -f docs/docs/examples/kubernetes/proxy.service.yml
|
||||
kubectl apply -f docs/docs/examples/kubernetes/authenticate.service.yml
|
||||
kubectl apply -f docs/docs/examples/kubernetes/authorize.service.yml
|
||||
|
||||
# Create and apply the Ingress; this is GKE specific
|
||||
echo "=> create and apply the Ingress; this is GKE specific"
|
||||
kubectl apply -f docs/docs/examples/kubernetes/ingress.yml
|
||||
|
||||
# Alternatively, nginx-ingress can be used
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue