update k8s install for ingress conrtoller

docs/docs/install/helm.md

@@ -116,7 +116,7 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
    <<< @/examples/kubernetes/pomerium-certificates.yaml
 
    ::: tip
-   If you already have a domain space for Pomerium with a certificate solution, use it in place of `*.localhost.pomerium.io`.
+   If you already have a domain space for Pomerium with a certificate solution, use it in place of `.localhost.pomerium.io`.
    :::
 
 1. Apply the certificate configuration, and confirm:
@@ -148,6 +148,14 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
    helm repo add pomerium https://helm.pomerium.io
    ```
 
+1. Install Pomerium to the cluster:
+
+   ```bash
+   helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml
+   ```
+
+## Define a Test Service
+
 1. So that we can create a valid test route, add Bitnami's Helm repo to pull nginx from:
 
    ```bash
@@ -166,10 +174,14 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
    helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP
    ```
 
-1. Install Pomerium to the cluster:
+1. Create a new ingress manifest (`example-ingress.yaml`) for our test service:
+
+   <<< @/examples/kubernetes/example-ingress.yaml
+
+1. Apply the nginx ingress manifest to the cluster:
 
    ```bash
-   helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml
+   kubectl apply -f ingress.yaml
    ```
 
 ## Navigate

examples/kubernetes/example-ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello
+  annotations:
+    cert-manager.io/issuer: pomerium-issuer
+    ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}}]}}]'
+spec:
+  ingressClassName: pomerium
+  rules:
+  - host: hello.localhost.pomerium.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: nginx
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - hello.localhost.pomerium.io
+    secretName: hello.localhost.pomerium.io-tls

examples/kubernetes/pomerium-certificates.yaml

@@ -16,8 +16,9 @@ spec:
     - pomerium-authorize.pomerium.svc.cluster.local
     - pomerium-databroker.pomerium.svc.cluster.local
     - pomerium-authenticate.pomerium.svc.cluster.local
-    # TODO - Replace the following entry with your domain space.
+    - authenticate.localhost.pomerium.io
-    - "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
+    # TODO - If you're noy using the Pomerium Ingress controller, you may want a wildcard entry as well.
+    #- "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate

examples/kubernetes/pomerium-values.yaml

@@ -36,6 +36,9 @@ redis:
 ingress:
   enabled: false
 
+ingressController:
+  enabled: true
+
 config:
   sharedSecret: YOURSHAREDSECRET # You can use "head -c32 /dev/urandom | base64" to generate.
   cookieSecret: YOURCOOKIESECRET # You can use "head -c32 /dev/urandom | base64" to generate.
@@ -44,10 +47,6 @@ config:
   generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
   policy:
       # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
-    - from: https://hello.localhost.pomerium.io
-      to: http://nginx.pomerium.svc.cluster.local:80
-      allowed_domains:
-        - companydomain.com # Use the domain your company email address uses.
     - from: https://authenticate.localhost.pomerium.io
       to: https://pomerium-authenticate.pomerium.svc.cluster.local
       preserve_host_header: true