Documentation around Pomerium/Istio/Grafana (#675)

* Added an example of how to protect Grafana with Pomerium inside of an Istio mesh
* Added relevant documentation links

docs/configuration/examples/kubernetes/istio/gateway.yml

@@ -0,0 +1,41 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: internal-gateway
+  namespace: istio-system
+spec:
+  selector:
+    istio: ingressgateway
+  servers:
+  - port:
+      number: 443
+      protocol: HTTPS
+      name: https-default
+    tls:
+      mode: SIMPLE
+      serverCertificate: "sds"
+      privateKey: "sds"
+      credentialName: internal-cert
+    hosts:
+    - *.yourcompany.com
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: internal-cert
+  namespace: istio-system
+spec:
+  secretName: internal-cert
+  issuerRef:
+    name: self-signed-issuer
+    kind: ClusterIssuer
+  commonName: *.yourcompany.com
+  dnsNames:
+    - *.yourcompany.com
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: self-signed-issuer
+spec:
+  selfSigned: {}

docs/configuration/examples/kubernetes/istio/grafana.ini.yml

@@ -0,0 +1,12 @@
+grafana.ini:
+  users:
+    allow_sign_up: false
+    auto_assign_org: true
+    auto_assign_org_role: Editor
+  auth.proxy:
+    enabled: true
+    header_name: X-Pomerium-Claim-Email
+    header_property: username
+    auto_sign_up: true
+    sync_ttl: 60
+    enable_login_token: false

docs/configuration/examples/kubernetes/istio/pomerium-helm-values.yml

@@ -0,0 +1,13 @@
+config:
+  insecure: true
+  policy:
+    - from: https://grafana.yourcompany.com
+      to: "http://prometheus-grafana.monitoring.svc.cluster.local"
+      timeout: 30s
+      allowed_domains:
+        - yourcompany.com
+ingress:
+  enabled: false
+
+extraEnv:
+  JWT_CLAIMS_HEADERS: email

docs/configuration/examples/kubernetes/istio/service-entry.yml

@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: external-idp
+  namespace: pomerium
+spec:
+  hosts:
+    - yourcompany.okta.com
+  location: MESH_EXTERNAL
+  ports:
+    - number: 443
+      name: https
+      protocol: TLS
+  resolution: DNS

docs/configuration/examples/kubernetes/istio/virtual-services.yml

@@ -0,0 +1,30 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: grafana-virtual-service
+  namespace: pomerium
+spec:
+  gateways:
+    - istio-system/internal-gateway
+  hosts:
+    - grafana.yourcompany.com
+  http:
+    - route:
+        - destination:
+            host: pomerium-proxy
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: authenticate-virtual-service
+  namespace: pomerium
+spec:
+  gateways:
+    - istio-system/internal-gateway
+  hosts:
+    - authenticate.yourcompany.com
+  http:
+    - route:
+        - destination:
+            host: pomerium-authenticate
+---