diff --git a/docs/configuration/examples.md b/docs/configuration/examples.md index 44528e4cd..83f8119fa 100644 --- a/docs/configuration/examples.md +++ b/docs/configuration/examples.md @@ -80,6 +80,8 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp - gRPC requests are routed behind the load balancer - Routes default to hosted version of httpbin.org - Includes installer script +- Pomerium serves on HTTPS and your ingress controller may need an annotation to + connect properly ### GKE @@ -87,12 +89,6 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp <<< @/docs/configuration/examples/helm/helm_gke.sh -### AWS ECS - -- Uses Amazon Elastic Container Service - -<<< @/docs/configuration/examples/helm/helm_aws.sh - ### Kubernetes - Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing] @@ -121,6 +117,11 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp <<< @/docs/configuration/examples/kubernetes/pomerium-proxy.yml +#### pomerium-cache.yml + +<<< @/docs/configuration/examples/kubernetes/pomerium-cache.yml + + #### ingress.yml <<< @/docs/configuration/examples/kubernetes/ingress.yml diff --git a/docs/configuration/examples/helm/helm_aws.sh b/docs/configuration/examples/helm/helm_aws.sh deleted file mode 100644 index ad7312742..000000000 --- a/docs/configuration/examples/helm/helm_aws.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash -# PRE-REQ: -# 1) Install Helm : You should verify the content of this script before running. -# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash -# 2) Install https://eksctl.io/ -# For more information see: -# - https://eksworkshop.com/helm_root/helm_intro/install/ - -echo "=> [AWS] creating cluster" -eksctl create cluster --name=pomerium --nodes=1 --region=us-west-2 - -echo "=> [AWS] get cluster credentials so we can use kubctl locally" -eksctl utils write-kubeconfig --name=pomerium - -echo "=> [AWS] configure Helm access with RBAC" -cat <.helm-rbac.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tiller - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: tiller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: tiller - namespace: kube-system -EOF - -kubectl apply -f .helm-rbac.yaml -# cleanup -rm .helm-rbac.yaml - -echo "=> initialize Helm to install Tiller in your cluster" -helm init --service-account=tiller -helm repo update - -echo "=> install pomerium with helm substituting configuration values as required; be sure to change these" -helm install $HOME/charts/stable/pomerium/ \ - --name pomerium \ - --set config.sharedSecret=$(head -c32 /dev/urandom | base64) \ - --set config.cookieSecret=$(head -c32 /dev/urandom | base64) \ - --set config.cert=$(base64 -i cert.pem) \ - --set config.key=$(base64 -i privkey.pem) \ - --set config.policy="$(cat policy.example.yaml | base64)" \ - --set authenticate.idp.provider="google" \ - --set authenticate.proxyRootDomains="pomerium.io" \ - --set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \ - --set authenticate.idp.clientID="REPLACE_ME" \ - --set authenticate.idp.clientSecret="REPLACE_ME" \ - --set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \ - --set 
proxy.authorizeServiceUrl="https://access.corp.pomerium.io" - -# When done, clean up by deleting the cluster! -# -# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES! \ No newline at end of file diff --git a/docs/configuration/examples/helm/helm_gke.sh b/docs/configuration/examples/helm/helm_gke.sh index 489d54c01..f97a0a96f 100755 --- a/docs/configuration/examples/helm/helm_gke.sh +++ b/docs/configuration/examples/helm/helm_gke.sh @@ -15,15 +15,15 @@ gcloud container clusters get-credentials pomerium --region us-west2 echo "=> add pomerium's helm repo" helm repo add pomerium https://helm.pomerium.io +echo "=> update helm" +helm repo update + echo "=> add bitnami's helm repo" helm repo add bitnami https://charts.bitnami.com/bitnami echo "=> install nginx as a sample hello world app" helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP -echo "=> update helm" -helm repo update - echo "=> install pomerium with helm" helm install \ pomerium \ diff --git a/docs/configuration/examples/kubernetes/ingress.yml b/docs/configuration/examples/kubernetes/ingress.yml index 961823fba..f6898dd40 100644 --- a/docs/configuration/examples/kubernetes/ingress.yml +++ b/docs/configuration/examples/kubernetes/ingress.yml @@ -20,11 +20,11 @@ spec: - paths: backend: serviceName: pomerium-proxy-service - servicePort: https + servicePort: http - host: "authenticate.corp.beyondperimeter.com" http: paths: - paths: backend: serviceName: pomerium-authenticate-service - servicePort: https + servicePort: http diff --git a/docs/configuration/examples/kubernetes/kubernetes-config.yaml b/docs/configuration/examples/kubernetes/kubernetes-config.yaml index c6a66f7a1..3baddc06a 100644 --- a/docs/configuration/examples/kubernetes/kubernetes-config.yaml +++ b/docs/configuration/examples/kubernetes/kubernetes-config.yaml 
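Review bot: Now that `helm repo update` runs before both installs, every run of this script resolves `bitnami/nginx` and the pomerium chart to whatever latest version the repositories currently publish, so the deployment is neither reproducible nor reviewable before it lands. Pin the chart versions on the install lines, e.g. `helm upgrade --install nginx bitnami/nginx --version <pinned> --set service.type=ClusterIP`, and add the same `--version` flag to the `helm install pomerium` invocation that continues past the end of this hunk. The reordering itself looks harmless since `helm repo add` fetches the bitnami index on its own.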
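Review bot: Switching both backends to `servicePort: http` means the load balancer forwards decrypted traffic to the NodePort services, so TLS now ends at the GKE ingress and the hop to the pods is plaintext; that matches `insecure_server: true` in the shared config but should be stated in the manifest, e.g. `# TLS terminates at the GKE load balancer; backend hop is plaintext (insecure_server in config.yaml)` above `rules:`. The Ingress metadata is outside this hunk; if it does not carry `kubernetes.io/ingress.allow-http: "false"`, the load balancer will presumably also accept plaintext client connections on port 80 — worth verifying, since this commit sets that annotation only in the Helm values file, not in this raw manifest.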
@@ -1,10 +1,12 @@ # Main configuration flags : https://www.pomerium.io/docs/reference/reference/ insecure_server: true grpc_insecure: true +address: ":80" +grpc_address: ":80" authenticate_service_url: https://authenticate.corp.beyondperimeter.com -authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local -cache_service_url: https://pomerium-cache-service.default.svc.cluster.local +authorize_service_url: http://pomerium-authorize-service.default.svc.cluster.local +cache_service_url: http://pomerium-cache-service.default.svc.cluster.local override_certificate_name: "*.corp.beyondperimeter.com" diff --git a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml index 82b168e0e..fe24d2207 100644 --- a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml +++ b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml @@ -4,8 +4,8 @@ metadata: name: pomerium-authenticate-service spec: ports: - - port: 443 - name: https + - port: 80 + name: http selector: app: pomerium-authenticate type: NodePort @@ -32,8 +32,8 @@ spec: args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 443 - name: https + - containerPort: 80 + name: http protocol: TCP env: - name: SERVICES @@ -51,12 +51,12 @@ spec: readinessProbe: httpGet: path: /ping - port: 443 + port: 80 scheme: HTTP livenessProbe: httpGet: path: /ping - port: 443 + port: 80 scheme: HTTP initialDelaySeconds: 5 timeoutSeconds: 1 diff --git a/docs/configuration/examples/kubernetes/pomerium-authorize.yml b/docs/configuration/examples/kubernetes/pomerium-authorize.yml index f64f89725..0bde513de 100644 --- a/docs/configuration/examples/kubernetes/pomerium-authorize.yml +++ b/docs/configuration/examples/kubernetes/pomerium-authorize.yml @@ -4,7 +4,7 @@ metadata: name: pomerium-authorize-service spec: ports: - - port: 443 + - port: 80 name: grpc selector: app: pomerium-authorize 
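Review bot: With the authorize and cache URLs changed to `http://` and `grpc_insecure: true` already set, authorization decisions and whatever state the cache service holds now cross the cluster network unencrypted, and nothing in the file says this is deliberate or what compensates for it. Add a comment above the two URLs, e.g. `# Plaintext gRPC inside the cluster: relies on network isolation (NetworkPolicy/mesh); use https:// and drop grpc_insecure for production`. `override_certificate_name` is kept even though the proxy no longer connects to authorize/cache over TLS, so it presumably no longer affects those two connections — either remove it or note what it still applies to. `address` and `grpc_address` are both `":80"`, which presumably only works because each Deployment runs a single service; a one-line comment saying so would also remind editors that the `containerPort` and probe ports in the other manifests must track these values.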
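Review bot: The authenticate Service keeps `type: NodePort` while its port becomes plain HTTP `80`, so the IdP callback endpoint and the cookies it handles are reachable in the clear on every node's NodePort by anyone with node-network access, bypassing the TLS-terminating ingress entirely. Call that out on the Service, e.g. `# plaintext; reachable on every node's NodePort — restrict with a NetworkPolicy/firewall to the load balancer ranges`, and consider shipping a NetworkPolicy alongside the example. The probes now target the same port the container listens on, which is consistent. A comment on `containerPort: 80` noting it must match `address: ":80"` in kubernetes-config.yaml would prevent the two drifting apart.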
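Review bot: The authorize Service now serves gRPC on `80`, but nothing in the manifest records that this is plaintext gRPC tied to `grpc_insecure: true` and `grpc_address: ":80"` in the shared config, so a later change on either side silently breaks the proxy→authorize path or leaves TLS off by accident. Add `# plaintext gRPC (grpc_insecure: true); port must match grpc_address in kubernetes-config.yaml` next to `- port: 80`. The Service's `type` is outside this hunk; if it is anything other than ClusterIP, the plaintext policy-decision traffic becomes reachable from outside the cluster, which is worth checking.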
@@ -32,7 +32,7 @@ spec: args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 443 + - containerPort: 80 name: grpc protocol: TCP env: @@ -45,12 +45,12 @@ spec: key: shared-secret readinessProbe: tcpSocket: - port: 443 + port: 80 initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: tcpSocket: - port: 443 + port: 80 initialDelaySeconds: 15 periodSeconds: 20 diff --git a/docs/configuration/examples/kubernetes/pomerium-cache.yml b/docs/configuration/examples/kubernetes/pomerium-cache.yml index 0ad0e8317..2841b47b8 100644 --- a/docs/configuration/examples/kubernetes/pomerium-cache.yml +++ b/docs/configuration/examples/kubernetes/pomerium-cache.yml @@ -5,7 +5,7 @@ metadata: spec: clusterIP: None # cache is a headless service! ports: - - port: 443 + - port: 80 name: grpc selector: app: pomerium-cache @@ -33,7 +33,7 @@ spec: args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 443 + - containerPort: 80 name: grpc protocol: TCP env: @@ -46,12 +46,12 @@ spec: key: shared-secret readinessProbe: tcpSocket: - port: 443 + port: 80 initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: tcpSocket: - port: 443 + port: 80 initialDelaySeconds: 15 periodSeconds: 20 diff --git a/docs/configuration/examples/kubernetes/pomerium-proxy.yml b/docs/configuration/examples/kubernetes/pomerium-proxy.yml index 67345ef84..b97a4e55a 100644 --- a/docs/configuration/examples/kubernetes/pomerium-proxy.yml +++ b/docs/configuration/examples/kubernetes/pomerium-proxy.yml @@ -4,10 +4,10 @@ metadata: name: pomerium-proxy-service spec: ports: - - port: 443 + - port: 80 protocol: TCP - name: https - targetPort: https + name: http + targetPort: http selector: app: pomerium-proxy type: NodePort @@ -34,8 +34,8 @@ spec: args: - --config=/etc/pomerium/config.yaml ports: - - containerPort: 443 - name: https + - containerPort: 80 + name: http protocol: TCP env: - name: SERVICES 
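Review bot: The cache is a headless Service (`clusterIP: None`) now speaking plaintext gRPC on `80`, so whatever state it holds for the other services crosses the pod network unencrypted and any pod in the cluster can resolve and dial its pods directly; the manifest should say so and point to the compensating control. Suggested comment on the port: `# plaintext gRPC; isolate with a NetworkPolicy that only admits the proxy/authenticate/authorize pods`. The probe changes are consistent with the new port. Whether the `shared-secret` env var visible in this hunk authenticates callers on this port is not established here — confirm before relying on it as the only control.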
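Review bot: The proxy Service is `type: NodePort` and now exposes plain HTTP `80`, so the proxied upstreams are reachable unencrypted on every node's NodePort for anyone with node-network access, bypassing the TLS-terminating ingress; document that on the Service, e.g. `# plaintext NodePort — lock down with a NetworkPolicy/firewall to the load balancer's source ranges`. The port rename `https`→`http` is referenced by `servicePort: http` in ingress.yml and by `targetPort: http` here, so all three must move together; a comment `# port name is referenced by ingress.yml` on `name: http` would stop a future rename from silently detaching the ingress backend. The `containerPort` must likewise track `address: ":80"` in kubernetes-config.yaml.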
@@ -53,12 +53,12 @@ spec: readinessProbe: httpGet: path: /ping - port: 443 + port: 80 scheme: HTTP livenessProbe: httpGet: path: /ping - port: 443 + port: 80 scheme: HTTP initialDelaySeconds: 10 timeoutSeconds: 1 diff --git a/docs/configuration/examples/kubernetes/values.yaml b/docs/configuration/examples/kubernetes/values.yaml index d781e521e..ba96072dd 100644 --- a/docs/configuration/examples/kubernetes/values.yaml +++ b/docs/configuration/examples/kubernetes/values.yaml @@ -25,4 +25,4 @@ config: ingress: annotations: - kubernetes.io/ingress.allow-http: false \ No newline at end of file + kubernetes.io/ingress.allow-http: "false" \ No newline at end of file
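Review bot: Quoting `"false"` is the right fix — annotation values must be strings and an unquoted `false` is parsed as a YAML boolean, which may not survive templating as the string the annotation expects — but the reason is invisible to the next editor, so add `# annotation values must be strings; an unquoted false becomes a YAML boolean` above the key. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching the line. If this annotation is also meant to apply to the raw ingress.yml example, note that the two examples are not kept in sync by this commit.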