docs: Update examples (#796)

This commit is contained in:
Travis Groth 2020-05-28 10:29:10 -04:00 committed by GitHub
parent c77b2c6876
commit 14432daf26
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 38 additions and 99 deletions


@ -80,6 +80,8 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
- gRPC requests are routed behind the load balancer
- Routes default to hosted version of httpbin.org
- Includes installer script
- Pomerium serves on HTTPS and your ingress controller may need an annotation to
connect properly
### GKE
@ -87,12 +89,6 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
<<< @/docs/configuration/examples/helm/helm_gke.sh
### AWS ECS
- Uses Amazon Elastic Container Service
<<< @/docs/configuration/examples/helm/helm_aws.sh
### Kubernetes
- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
@ -121,6 +117,11 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
<<< @/docs/configuration/examples/kubernetes/pomerium-proxy.yml
#### pomerium-cache.yml
<<< @/docs/configuration/examples/kubernetes/pomerium-cache.yml
#### ingress.yml
<<< @/docs/configuration/examples/kubernetes/ingress.yml


@ -1,64 +0,0 @@
#!/bin/bash
# PRE-REQ:
# 1) Install Helm : You should verify the content of this script before running.
# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
# 2) Install https://eksctl.io/
# For more information see:
# - https://eksworkshop.com/helm_root/helm_intro/install/
echo "=> [AWS] creating cluster"
eksctl create cluster --name=pomerium --nodes=1 --region=us-west-2
echo "=> [AWS] get cluster credentials so we can use kubctl locally"
eksctl utils write-kubeconfig --name=pomerium
echo "=> [AWS] configure Helm access with RBAC"
cat <<EOF >.helm-rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
EOF
kubectl apply -f .helm-rbac.yaml
# cleanup
rm .helm-rbac.yaml
echo "=> initialize Helm to install Tiller in your cluster"
helm init --service-account=tiller
helm repo update
echo "=> install pomerium with helm substituting configuration values as required; be sure to change these"
helm install $HOME/charts/stable/pomerium/ \
--name pomerium \
--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
--set config.cert=$(base64 -i cert.pem) \
--set config.key=$(base64 -i privkey.pem) \
--set config.policy="$(cat policy.example.yaml | base64)" \
--set authenticate.idp.provider="google" \
--set authenticate.proxyRootDomains="pomerium.io" \
--set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
--set authenticate.idp.clientID="REPLACE_ME" \
--set authenticate.idp.clientSecret="REPLACE_ME" \
--set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
--set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
# When done, clean up by deleting the cluster!
#
# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES!


@ -15,15 +15,15 @@ gcloud container clusters get-credentials pomerium --region us-west2
echo "=> add pomerium's helm repo"
helm repo add pomerium https://helm.pomerium.io
echo "=> update helm"
helm repo update
echo "=> add bitnami's helm repo"
helm repo add bitnami https://charts.bitnami.com/bitnami
echo "=> install nginx as a sample hello world app"
helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP
echo "=> update helm"
helm repo update
echo "=> install pomerium with helm"
helm install \
pomerium \
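Review bot: The `helm upgrade --install nginx bitnami/nginx` line and the `helm install pomerium` that starts on the last line of the hunk both pull whatever chart version the repositories serve at run time, so the example's behavior and its supply chain change under the reader without any signal. Pin the charts, e.g. `helm upgrade --install nginx bitnami/nginx --version <chart-version> --set service.type=ClusterIP`, and add the same `--version` flag to the pomerium install. Presumably the commit moves `helm repo update` to run after the bitnami `helm repo add`, which is the right order for a freshly added repo. The `helm install pomerium` command continues outside the hunk.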


@ -20,11 +20,11 @@ spec:
- paths:
backend:
serviceName: pomerium-proxy-service
servicePort: https
servicePort: http
- host: "authenticate.corp.beyondperimeter.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-authenticate-service
servicePort: https
servicePort: http
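Review bot: Switching both backends to `servicePort: http` means TLS now ends at the ingress load balancer and the hop to the two NodePort services is plaintext, and nothing in the manifest says so. Add a comment on the first backend, e.g. `# TLS terminates at the GKE ingress; traffic to the Pomerium backends is plain HTTP (insecure_server: true in config.yaml)`. The top of the file is outside the hunk, so confirm the Ingress metadata carries `kubernetes.io/ingress.allow-http: "false"` as the Helm values in this commit do; otherwise the load balancer also serves a plaintext port 80 frontend for these hosts.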


@ -1,10 +1,12 @@
# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
insecure_server: true
grpc_insecure: true
address: ":80"
grpc_address: ":80"
authenticate_service_url: https://authenticate.corp.beyondperimeter.com
authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
authorize_service_url: http://pomerium-authorize-service.default.svc.cluster.local
cache_service_url: http://pomerium-cache-service.default.svc.cluster.local
override_certificate_name: "*.corp.beyondperimeter.com"
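Review bot: Nothing in the new config marks that `insecure_server: true`, `grpc_insecure: true` and the `http://` authorize/cache URLs turn off TLS on every Pomerium listener and every internal hop, so a reader copying this example gets plaintext proxy-to-authorize and proxy-to-cache traffic across the cluster network with only the ingress terminating TLS. Add a header comment above `insecure_server`, e.g. `# Demo only: TLS is terminated at the ingress; all internal Pomerium traffic is plaintext. Restrict with NetworkPolicy or re-enable TLS before production.`. `override_certificate_name: "*.corp.beyondperimeter.com"` is kept although the services no longer present a certificate; if that option only affects TLS listeners it is now dead config and should be removed or commented as a leftover. The file past line 12 is outside the hunk.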


@ -4,8 +4,8 @@ metadata:
name: pomerium-authenticate-service
spec:
ports:
- port: 443
name: https
- port: 80
name: http
selector:
app: pomerium-authenticate
type: NodePort
@ -32,8 +32,8 @@ spec:
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
name: https
- containerPort: 80
name: http
protocol: TCP
env:
- name: SERVICES
@ -51,12 +51,12 @@ spec:
readinessProbe:
httpGet:
path: /ping
port: 443
port: 80
scheme: HTTP
livenessProbe:
httpGet:
path: /ping
port: 443
port: 80
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 1
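Review bot: The authenticate Service stays `type: NodePort`, so after this change its plaintext port 80 listener is reachable on every node's IP, not only through the TLS-terminating ingress in front of it. NodePort is what the GKE ingress backend needs, but the example should say so and flag the side effect, e.g. `# NodePort is required by the GKE ingress backend; it also exposes this plaintext listener on every node - restrict with VPC firewall rules or NetworkPolicy.` next to `type: NodePort`. The identity-provider redirects and session cookies this service presumably handles now rely on the ingress alone for confidentiality, which is worth confirming against Pomerium's cookie settings before publishing the example.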


@ -4,7 +4,7 @@ metadata:
name: pomerium-authorize-service
spec:
ports:
- port: 443
- port: 80
name: grpc
selector:
app: pomerium-authorize
@ -32,7 +32,7 @@ spec:
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
- containerPort: 80
name: grpc
protocol: TCP
env:
@ -45,12 +45,12 @@ spec:
key: shared-secret
readinessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 15
periodSeconds: 20
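Review bot: The authorize Service now accepts plaintext gRPC on port 80 from anything inside the cluster, and nothing in the manifest limits its callers to the proxy pods that reach it via `authorize_service_url`. Since `grpc_insecure: true` removes TLS on this hop, this is the connection to document and fence: add `# Plaintext gRPC (grpc_insecure: true); restrict ingress to the pomerium-proxy pods with a NetworkPolicy.` above `- port: 80`, and consider shipping that NetworkPolicy alongside the example. The tcpSocket probes only verify the port is open, which is acceptable for a gRPC listener but says nothing about the service being ready to serve decisions.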


@ -5,7 +5,7 @@ metadata:
spec:
clusterIP: None # cache is a headless service!
ports:
- port: 443
- port: 80
name: grpc
selector:
app: pomerium-cache
@ -33,7 +33,7 @@ spec:
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
- containerPort: 80
name: grpc
protocol: TCP
env:
@ -46,12 +46,12 @@ spec:
key: shared-secret
readinessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 443
port: 80
initialDelaySeconds: 15
periodSeconds: 20
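Review bot: The cache is a headless Service (`clusterIP: None`), so clients resolve pod IPs directly and now speak plaintext gRPC to them on port 80; whatever state the cache holds crosses the pod network without transport encryption or authentication. A one-line warning mirroring the authorize manifest belongs above `- port: 80`, e.g. `# Plaintext gRPC (grpc_insecure: true) - limit callers with a NetworkPolicy.`. Which Pomerium services need to reach the cache is not visible here, so scope that policy from the consumers of `cache_service_url` in config.yaml rather than opening the port cluster-wide.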


@ -4,10 +4,10 @@ metadata:
name: pomerium-proxy-service
spec:
ports:
- port: 443
- port: 80
protocol: TCP
name: https
targetPort: https
name: http
targetPort: http
selector:
app: pomerium-proxy
type: NodePort
@ -34,8 +34,8 @@ spec:
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
name: https
- containerPort: 80
name: http
protocol: TCP
env:
- name: SERVICES
@ -53,12 +53,12 @@ spec:
readinessProbe:
httpGet:
path: /ping
port: 443
port: 80
scheme: HTTP
livenessProbe:
httpGet:
path: /ping
port: 443
port: 80
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 1
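Review bot: With the proxy now listening on plain HTTP behind the ingress, it can no longer learn the client's scheme from its own listener, so redirects to `authenticate_service_url` and any secure-cookie handling presumably depend on the ingress forwarding `X-Forwarded-Proto: https`; the example does not state that requirement and should, e.g. `# Listener is plain HTTP; the ingress must terminate TLS and forward X-Forwarded-Proto.` next to `containerPort: 80`. As with the authenticate Service, `type: NodePort` exposes this plaintext listener on every node IP and deserves the same firewall/NetworkPolicy caveat. The probes' `scheme: HTTP` now matches the listener, which the old port 443 probes did not, so no change is needed there.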


@ -25,4 +25,4 @@ config:
ingress:
annotations:
kubernetes.io/ingress.allow-http: false
kubernetes.io/ingress.allow-http: "false"