From 562317dbf67713a31af5cdba27d115e940f8f627 Mon Sep 17 00:00:00 2001 
From: Bobby DeSimone
Date: Thu, 16 May 2019 21:35:02 -0700
Subject: [PATCH 1/2] deployment: remove helm from main repo - docs: add helm deployment script for aws

---
 helm/.helmignore | 21 ---
 helm/Chart.yaml | 26 ---
 helm/OWNERS | 5 -
 helm/README.md | 71 --------
 helm/templates/NOTES.txt | 67 --------
 helm/templates/_helpers.tpl | 58 -------
 helm/templates/all-in-one-deployment.yaml | 167 --------------------
 helm/templates/all-in-one-service.yaml | 31 ----
 helm/templates/authenticate-deployment.yaml | 141 -----------------
 helm/templates/authenticate-service.yaml | 30 ----
 helm/templates/authorize-deployment.yaml | 131 ---------------
 helm/templates/authorize-service.yaml | 30 ----
 helm/templates/configmap.yaml | 13 --
 helm/templates/ingress.yaml | 44 ------
 helm/templates/proxy-deployment.yaml | 144 -----------------
 helm/templates/proxy-service.yaml | 30 ----
 helm/templates/secret.yaml | 44 ------
 helm/templates/tls-secrets.yaml | 18 ---
 helm/values.yaml | 133 ----------------
 scripts/helm_aws.sh | 64 ++++++++
 20 files changed, 64 insertions(+), 1204 deletions(-)
 delete mode 100644 helm/.helmignore
 delete mode 100644 helm/Chart.yaml
 delete mode 100644 helm/OWNERS
 delete mode 100644 helm/README.md
 delete mode 100644 helm/templates/NOTES.txt
 delete mode 100644 helm/templates/_helpers.tpl
 delete mode 100644 helm/templates/all-in-one-deployment.yaml
 delete mode 100644 helm/templates/all-in-one-service.yaml
 delete mode 100644 helm/templates/authenticate-deployment.yaml
 delete mode 100644 helm/templates/authenticate-service.yaml
 delete mode 100644 helm/templates/authorize-deployment.yaml
 delete mode 100644 helm/templates/authorize-service.yaml
 delete mode 100644 helm/templates/configmap.yaml
 delete mode 100644 helm/templates/ingress.yaml
 delete mode 100644 helm/templates/proxy-deployment.yaml
 delete mode 100644 helm/templates/proxy-service.yaml
 delete mode 100644 helm/templates/secret.yaml
 delete mode 100644 helm/templates/tls-secrets.yaml
 delete mode 100644 helm/values.yaml
 create mode 100644 scripts/helm_aws.sh

diff --git a/helm/.helmignore b/helm/.helmignore
deleted file mode 100644
index f0c131944..000000000
--- a/helm/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
deleted file mode 100644
index 7206738c3..000000000
--- a/helm/Chart.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-apiVersion: v1
-name: pomerium
-version: 1.0.0
-appVersion: 0.0.3
-home: http://www.pomerium.io/
-icon: https://www.pomerium.io/logo.svg
-description: Pomerium is an identity-aware access proxy.
-keywords:
-- proxy
-- access-proxy
-- reverse-proxy
-- sso
-- openid connect
-- oauth2
-- authorization
-- authentication
-- google
-- okta
-- azure
-sources:
-- https://github.com/pomerium/pomerium
-engine: gotpl
-
-maintainers:
-- name: desimone
- email: bobby.desimone@gmail.com
diff --git a/helm/OWNERS b/helm/OWNERS
deleted file mode 100644
index 5f53cd62f..000000000
--- a/helm/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-approvers:
-- desimone
-reviewers:
-- desimone
-- victornoel
\ No newline at end of file
diff --git a/helm/README.md b/helm/README.md
deleted file mode 100644
index 049b336c3..000000000
--- a/helm/README.md
+++ /dev/null
@@ -1,71 +0,0 @@ -# Pomerium - -[Pomerium](https://pomerium.io) is an [open-source](https://github.com/pomerium/pomerium) tool for managing secure access to internal applications and resources. - -## TL;DR; - -```console -helm install --name my-release stable/pomerium -``` - -> Note: Pomerium depends on being configured with a third party identity providers to function properly. If you run pomerium without specifiying default values, you will need to change those configuration variables following setup. - -## Install the chart - -An example of a minimal, but complete installation of pomerium with identity provider settings, random secrets, certificates, and external URLs is as follows: - -```sh -helm install --name my-release \ - --set config.rootDomain="corp.example.com" \ - --set ingress.tls.certificate=$(base64 -i "*.corp.example.com.cer") \ - --set ingress.tls.key=$(base64 -i "*.corp.example.com.key") \ - --set config.policy=$(base64 -i "policy.yaml") \ - --set authenticate.idp.provider="google" \ - --set authenticate.idp.clientID="REPLACE_ME" \ - --set authenticate.idp.clientSecret="REPLACE_ME" - stable/pomerium -``` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -helm delete --purge my-release -``` - -The command removes nearly all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/config-reference.html). - -Parameter | Description | Default ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- -`config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. 
[See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). | `corp.pomerium.io` -`config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` -`config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/config-reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) -`config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) -`config.policy` | Base64 encoded string containing the routes, and their access policies. | -`config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/config-reference.html#policy) in values -`authenticate.name` | Name of the authenticate service. | `authenticate` -`authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/config-reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` -`authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/config-reference.html#identity-provider-name). | `google` -`authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-id). | Required -`authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-secret). | Required -`authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/config-reference.html#identity-provider-url). 
| Optional -`authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/config-reference.html#identity-provider-service-account). | Optional -`proxy.name` | Name of the proxy service. | `proxy` -`proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` -`proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` -`authorize.name` | Name of the authorize service. | `authorize` -`images.server.repository` | Pomerium image | `pomerium/pomerium` -`images.server.tag` | Pomerium image tag | `latest` -`images.server.pullPolicy` | Pomerium image pull policy | `Always` -`service.annotations` | Service annotations | `{}` -`service.externalPort` | Pomerium's port | `443` -`service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` -`ingress.enabled` | Enables Ingress for pomerium | `false` -`ingress.annotations` | Ingress annotations | `{}` -`ingress.hosts` | Ingress accepted hostnames | `nil` -`ingress.tls` | Ingress TLS configuration | `[]` diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt deleted file mode 100644 index 80ac288d7..000000000 --- a/helm/templates/NOTES.txt +++ /dev/null 
@@ -1,67 +0,0 @@ -{{- if eq (include "pomerium.providerOK" .) "true" }} -{{- if .Values.ingress.enabled }} -From outside the cluster, the server URL(s) are: -{{- range .Values.ingress.hosts }} - {{ $.Values.server.protocol }}://{{ . }} -{{- end }} - -{{- else if contains "NodePort" .Values.service.type }} - -Get the Pomerium URL by running: - export NODE_PORT=$(kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "pomerium.fullname" . }}) - export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT/ - -{{- else if contains "LoadBalancer" .Values.service.type }} - - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc -w {{ template "pomerium.fullname" . }}' - -Get the Pomerium URL by running: - export SERVICE_IP=$(kubectl get svc {{ template "pomerium.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP/ -{{- else if contains "ClusterIP" .Values.service.type }} - -Get the Pomerium URL by running: - export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "component=server,app={{ template "pomerium.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo http://127.0.0.1:8000/ - kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8000:8000 -{{- end }} -{{- else -}} -############################################################################## -#### ERROR: You did not set a valid identity provider #### -############################################################################## - -This deployment will be incomplete until you configure a valid version -control provider: - - helm upgrade {{ .Release.Name }} \ - --reuse-values \ - --set config.sharedSecret=$(head -c32 /dev/urandom | base64) \ - --set config.cookieSecret=$(head -c32 /dev/urandom | base64) \ - --set config.cert=$(base64 -i cert.pem) \ - --set config.key=$(base64 -i privkey.pem) \ - --set config.policy="$(cat policy.example.yaml | base64)" \ - --set authenticate.idp.provider="google" \ - --set config.rootDomain="corp.pomerium.io" \ - --set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \ - --set authenticate.idp.clientID="REPLACE_ME" \ - --set authenticate.idp.clientSecret="REPLACE_ME" \ - --set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \ - --set proxy.authorizeServiceUrl="https://access.corp.pomerium.io" - stable/pomerium - -Currently supported providers: - - - Okta - - Google - - Azure Active Directory - - OneLogin - -See the values.yaml file to see what values are required for each provider. - -If you are having trouble with the configuration of a provider please visit -the official documentation: - - https://www.pomerium.io/docs/identity-providers.html -{{- end }} diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl deleted file mode 100644 index acf5a6051..000000000 --- a/helm/templates/_helpers.tpl +++ /dev/null 
@@ -1,58 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*Expand the name of the chart.*/}}
-{{- define "pomerium.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "pomerium.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-
-{{/*Create chart name and version as used by the chart label.*/}}
-{{- define "pomerium.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "pomerium.routestring" -}}
-{{- $routes := dict "routes" (list) -}}
-{{- range $key, $val := .Values.proxy.routes -}}
-{{- $noop := printf "%s=%s" $key $val | append $routes.routes | set $routes "routes" -}}
-{{- end -}}
-{{- join "," $routes.routes | default "none=none" | quote -}}
-{{- end -}}
-
-
-{{/*
-Check if a valid source control provider has been set
-Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates/_provider-envs.yaml
-*/}}
-{{- define "pomerium.providerOK" -}}
-{{- if .Values.authenticate.idp -}}
- {{- if eq .Values.authenticate.idp.clientID "" -}}
- false
- {{- else if eq .Values.authenticate.idp.clientSecret "" -}}
- false
- {{- else if eq .Values.authenticate.idp.clientID "REPLACE_ME" -}}
- false
- {{- else if eq .Values.authenticate.idp.clientSecret "REPLACE_ME" -}}
- false
- {{- else -}}
- true
- {{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/helm/templates/all-in-one-deployment.yaml b/helm/templates/all-in-one-deployment.yaml
deleted file mode 100644
index f14e828e1..000000000
--- a/helm/templates/all-in-one-deployment.yaml
+++ /dev/null
@@ -1,167 +0,0 @@ -{{- if .Values.omnibusMode -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: {{ template "pomerium.name" . }} - chart: {{ template "pomerium.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "pomerium.fullname" . }} -{{- if .Values.annotations }} - annotations: -{{ toYaml .Values.annotations | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "pomerium.name" . }} - release: {{ .Release.Name }} - template: - metadata: -{{- if .Values.podAnnotations }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} - labels: - app: {{ template "pomerium.name" . }} - chart: {{ template "pomerium.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} -{{- end }} - spec: -{{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} -{{- end }} - containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: -{{- range $key, $value := .Values.extraArgs }} -{{- if $value }} - - --{{ $key }}={{ $value }} -{{- else }} - - --{{ $key }} -{{- end }} -{{- end }} - env: - - name: SERVICES - value: all - - name: COOKIE_SECRET - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: cookie-secret - - name: SHARED_SECRET - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . 
}} - key: shared-secret - - name: AUTHENTICATE_SERVICE_URL - value: {{ .Values.proxy.authenticateServiceUrl }} - - name: AUTHORIZE_SERVICE_URL - value: {{ .Values.proxy.authorizeServiceUrl }} - - name: REDIRECT_URL - value: {{ .Values.authenticate.redirectUrl }} - - name: PROXY_ROOT_DOMAIN - value: {{ .Values.authenticate.proxyRootDomains }} - - name: IDP_PROVIDER - value: {{ .Values.authenticate.idp.provider }} - - name: IDP_CLIENT_ID - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: idp-client-id - - name: IDP_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: idp-client-secret -{{- if .Values.authenticate.idp.url }} - - name: IDP_PROVIDER_URL - value: {{ .Values.authenticate.idp.url }} -{{- end }} -{{- if .Values.config.policyFile }} - - name: POLICY_FILE - value: /etc/pomerium/policy.yaml -{{- end }} -{{- if .Values.config.policy}} - - name: POLICY - value: {{ .Values.config.policy }} -{{- end }} -{{- if .Values.config.cert }} - - name: CERTIFICATE - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: certificate -{{- end }} -{{- if .Values.config.key }} - - name: CERTIFICATE_KEY - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: certificate-key -{{- end }} -{{- if .Values.config.ca }} - - name: CERTIFICATE_AUTHORITY - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: certificate-authority -{{- end }} -{{- range $name, $value := .Values.extraEnv }} - - name: {{ $name }} - value: {{ quote $value }} -{{- end }} - ports: - - containerPort: 443 - name: https - protocol: TCP - livenessProbe: - httpGet: - path: /ping - port: https - scheme: HTTPS - readinessProbe: - httpGet: - path: /ping - port: https - scheme: HTTPS - - volumeMounts: - - mountPath: /etc/pomerium/ - name: {{ template "pomerium.fullname" . }}-policy - - volumes: - - name: {{ template "pomerium.fullname" . 
}}-policy - configMap: - name: {{ template "pomerium.fullname" . }} - - resources: -{{ toYaml .Values.resources | indent 10 }} -{{- if .Values.extraVolumes }} - volumes: -{{- toYaml .Values.extraVolumes | indent 8 }} -{{- end }} -{{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} -{{- end }} -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end }} -{{- end -}} \ No newline at end of file diff --git a/helm/templates/all-in-one-service.yaml b/helm/templates/all-in-one-service.yaml deleted file mode 100644 index 1292e0670..000000000 --- a/helm/templates/all-in-one-service.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.omnibusMode -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "pomerium.fullname" . }} - labels: - app: {{ template "pomerium.name" . }} - chart: {{ template "pomerium.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.labels }} -{{ toYaml .Values.service.labels | indent 4 }} -{{- end }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: https - protocol: TCP - name: http -{{- if hasKey .Values.service "nodePort" }} - nodePort: {{ .Values.service.nodePort }} -{{- end }} - selector: - app: {{ template "pomerium.name" . }} - release: {{ .Release.Name }} -{{- end -}} diff --git a/helm/templates/authenticate-deployment.yaml b/helm/templates/authenticate-deployment.yaml deleted file mode 100644 index df85ca2ad..000000000 --- a/helm/templates/authenticate-deployment.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }} - chart: {{ template "pomerium.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "pomerium.fullname" . }}-{{ .Values.authenticate.name }} -{{- if .Values.annotations }} - annotations: -{{ toYaml .Values.annotations | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }} - release: {{ .Release.Name }} - template: - metadata: -{{- if .Values.podAnnotations }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} - labels: - app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }} - chart: {{ template "pomerium.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} -{{- end }} - spec: -{{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} -{{- end }} - containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: -{{- range $key, $value := .Values.extraArgs }} -{{- if $value }} - - --{{ $key }}={{ $value }} -{{- else }} - - --{{ $key }} -{{- end }} -{{- end }} - env: - - name: SERVICES - value: authenticate - - name: COOKIE_SECRET - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: cookie-secret - - name: SHARED_SECRET - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: shared-secret - - name: REDIRECT_URL - value: {{ default (printf "https://%s.%s/oauth2/callback" .Values.authenticate.name .Values.config.rootDomain ) .Values.authenticate.redirectUrl }} - - name: PROXY_ROOT_DOMAIN - value: 
{{ .Values.config.rootDomain }} - - name: IDP_PROVIDER - value: {{ .Values.authenticate.idp.provider }} - - name: IDP_CLIENT_ID - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: idp-client-id - - name: IDP_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: idp-client-secret - - name: IDP_PROVIDER_URL - value: {{ .Values.authenticate.idp.url }} - - name: IDP_SERVICE_ACCOUNT - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: idp-service-account - - name: CERTIFICATE - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: authenticate-cert - - name: CERTIFICATE_KEY - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: authenticate-key - - name: CERTIFICATE_AUTHORITY - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: ca-cert -{{- range $name, $value := .Values.extraEnv }} - - name: {{ $name }} - value: {{ quote $value }} -{{- end }} - ports: - - containerPort: 443 - name: https - protocol: TCP - livenessProbe: - httpGet: - path: /ping - port: https - scheme: HTTPS - readinessProbe: - httpGet: - path: /ping - port: https - scheme: HTTPS - resources: -{{ toYaml .Values.resources | indent 10 }} -{{- if .Values.extraVolumes }} - volumes: -{{- toYaml .Values.extraVolumes | indent 8 }} -{{- end }} -{{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} -{{- end }} -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end }} \ No newline at end of file diff --git a/helm/templates/authenticate-service.yaml b/helm/templates/authenticate-service.yaml deleted file mode 100644 index 5670b55ab..000000000 --- a/helm/templates/authenticate-service.yaml +++ /dev/null 
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "pomerium.fullname" . }}-{{ .Values.authenticate.name }}
- labels:
- app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
- chart: {{ template "pomerium.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- if .Values.service.labels }}
-{{ toYaml .Values.service.labels | indent 4 }}
-{{- end }}
-{{- if .Values.service.annotations }}
- annotations:
-{{ toYaml .Values.service.annotations | indent 4 }}
-{{- end }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: https
- protocol: TCP
- name: https
-
-{{- if hasKey .Values.service "nodePort" }}
- nodePort: {{ .Values.service.nodePort }}
-{{- end }}
- selector:
- app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
- release: {{ .Release.Name }}
diff --git a/helm/templates/authorize-deployment.yaml b/helm/templates/authorize-deployment.yaml
deleted file mode 100644
index 086394bfb..000000000
--- a/helm/templates/authorize-deployment.yaml
+++ /dev/null
@@ -1,131 +0,0 @@ -{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }} -{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }} -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }} - chart: {{ template "pomerium.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - name: {{ template "pomerium.fullname" . }}-{{ .Values.authorize.name }} -{{- if .Values.annotations }} - annotations: -{{ toYaml .Values.annotations | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }} - release: {{ .Release.Name }} - template: - metadata: -{{- if .Values.podAnnotations }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} - labels: - app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }} - chart: {{ template "pomerium.chart" . 
}} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -{{- if .Values.podLabels }} -{{ toYaml .Values.podLabels | indent 8 }} -{{- end }} - spec: -{{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} -{{- end }} - containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: -{{- range $key, $value := .Values.extraArgs }} -{{- if $value }} - - --{{ $key }}={{ $value }} -{{- else }} - - --{{ $key }} -{{- end }} -{{- end }} - env: - - name: SERVICES - value: authorize - - name: SHARED_SECRET - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: shared-secret -{{- if or .Values.config.existingConfig .Values.config.policyFile}} - - name: POLICY_FILE - value: /etc/pomerium/policy.yaml -{{- end }} -{{- if .Values.config.policy}} - - name: POLICY - value: {{ .Values.config.policy }} -{{- end }} - - name: CERTIFICATE - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: authorize-cert - - name: CERTIFICATE_KEY - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: authorize-key - - name: CERTIFICATE_AUTHORITY - valueFrom: - secretKeyRef: - name: {{ $secretName }} - key: ca-cert -{{- range $name, $value := .Values.extraEnv }} - - name: {{ $name }} - value: {{ quote $value }} -{{- end }} - ports: - - containerPort: 443 - name: https - protocol: TCP - livenessProbe: - httpGet: - path: /ping - port: https - scheme: HTTPS - readinessProbe: - httpGet: - path: /ping - port: https - scheme: HTTPS -{{- if or .Values.config.existingConfig .Values.config.policyFile}} - volumeMounts: - - mountPath: /etc/pomerium/ - name: policy - volumes: - - name: policy - configMap: - name: {{ $configName }} -{{- end }} - resources: -{{ toYaml .Values.resources | indent 10 }} -{{- if .Values.extraVolumes }} - volumes: -{{- toYaml .Values.extraVolumes | indent 8 }} -{{- end }} -{{- if .Values.imagePullSecrets }} - 
imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} -{{- end }} -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end }} diff --git a/helm/templates/authorize-service.yaml b/helm/templates/authorize-service.yaml deleted file mode 100644 index c92075b96..000000000 --- a/helm/templates/authorize-service.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "pomerium.fullname" . }}-{{ .Values.authorize.name }} - labels: - app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }} - chart: {{ template "pomerium.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.labels }} -{{ toYaml .Values.service.labels | indent 4 }} -{{- end }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: https - protocol: TCP - name: https - -{{- if hasKey .Values.service "nodePort" }} - nodePort: {{ .Values.service.nodePort }} -{{- end }} - selector: - app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }} - release: {{ .Release.Name }} diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml deleted file mode 100644 index 75e6dacd7..000000000 --- a/helm/templates/configmap.yaml +++ /dev/null 
@@ -1,13 +0,0 @@
-{{- if not .Values.config.existingConfig }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "pomerium.fullname" . }}
- labels:
- app: {{ template "pomerium.name" . }}
- chart: {{ template "pomerium.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-data:
- policy.yaml: {{toYaml .Values.config.policyFile | indent 4}}
-{{- end }}
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
deleted file mode 100644
index 4a5787002..000000000
--- a/helm/templates/ingress.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: {{ include "pomerium.fullname" . }}
- labels:
- app.kubernetes.io/name: {{ include "pomerium.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "pomerium.chart" . }}
-{{- with .Values.ingress.annotations }}
- annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
- tls:
- - secretName: {{ default .Values.ingress.secretName .Values.ingress.secret.name}}
- hosts:
- - '*.{{ .Values.config.rootDomain }}'
- - {{ .Values.authorize.name }}.{{ .Values.config.rootDomain }}
- - {{ .Values.authenticate.name }}.{{ .Values.config.rootDomain }}
- rules:
- - host: '*.{{ .Values.config.rootDomain }}'
- http:
- paths:
- - paths:
- backend:
- serviceName: {{ include "pomerium.fullname" .}}-{{ .Values.proxy.name }}
- servicePort: https
- - host: {{ .Values.authorize.name }}.{{ .Values.config.rootDomain }}
- http:
- paths:
- - paths:
- backend:
- serviceName: {{ include "pomerium.fullname" .}}-{{ .Values.authorize.name }}
- servicePort: https
- - host: {{ .Values.authenticate.name }}.{{ .Values.config.rootDomain }}
- http:
- paths:
- - paths:
- backend:
- serviceName: {{ include "pomerium.fullname" .}}-{{ .Values.authenticate.name }}
- servicePort: https
-{{- end }}
\ No newline at end of file
diff --git a/helm/templates/proxy-deployment.yaml b/helm/templates/proxy-deployment.yaml
deleted file mode 100644
index 3b8f38a26..000000000
--- a/helm/templates/proxy-deployment.yaml
+++ /dev/null
@@ -1,144 +0,0 @@
-{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }}
-{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
- chart: {{ template "pomerium.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- name: {{ template "pomerium.fullname" . }}-{{ .Values.proxy.name }}
-{{- if .Values.annotations }}
- annotations:
-{{ toYaml .Values.annotations | indent 4 }}
-{{- end }}
-spec:
- replicas: {{ .Values.replicaCount }}
- selector:
- matchLabels:
- app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
- release: {{ .Release.Name }}
- template:
- metadata:
-{{- if .Values.podAnnotations }}
- annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
-{{- end }}
- labels:
- app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
- chart: {{ template "pomerium.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-{{- if .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
-{{- end }}
- spec:
-{{- if .Values.priorityClassName }}
- priorityClassName: {{ .Values.priorityClassName }}
-{{- end }}
- containers:
- - name: {{ .Chart.Name }}
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
-{{- range $key, $value := .Values.extraArgs }}
-{{- if $value }}
- - --{{ $key }}={{ $value }}
-{{- else }}
- - --{{ $key }}
-{{- end }}
-{{- end }}
- env:
- - name: SERVICES
- value: proxy
- - name: COOKIE_SECRET
- valueFrom:
- secretKeyRef:
- name: {{ $secretName }}
- key: cookie-secret
- - name: SHARED_SECRET
- valueFrom:
- secretKeyRef:
- name: {{ $secretName }}
- key: shared-secret
- - name: AUTHENTICATE_SERVICE_URL
- value: {{ default (printf "https://%s.%s" .Values.authenticate.name .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }}
- - name: AUTHORIZE_SERVICE_URL
- value: {{ default (printf "https://%s.%s" .Values.authorize.name .Values.config.rootDomain ) .Values.proxy.authorizeServiceUrl }}
- - name: AUTHENTICATE_INTERNAL_URL
- value: {{ default (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authenticate.name .Release.Namespace ) .Values.proxy.authenticateInternalUrl}}
- - name: AUTHORIZE_INTERNAL_URL
- value: {{ default (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authorize.name .Release.Namespace ) .Values.proxy.authorizeInternalUrl}}
-{{- if or .Values.config.existingConfig .Values.config.policyFile}}
- - name: POLICY_FILE
- value: /etc/pomerium/policy.yaml
-{{- end }}
-{{- if .Values.config.policy}}
- - name: POLICY
- value: {{ .Values.config.policy }}
-{{- end }}
- - name: CERTIFICATE
- valueFrom:
- secretKeyRef:
- name: {{ $secretName }}
- key: proxy-cert
- - name: CERTIFICATE_KEY
- valueFrom:
- secretKeyRef:
- name: {{ $secretName }}
- key: proxy-key
- - name: CERTIFICATE_AUTHORITY
- valueFrom:
- secretKeyRef:
- name: {{ $secretName }}
- key: ca-cert
-{{- range $name, $value := .Values.extraEnv }}
- - name: {{ $name }}
- value: {{ quote $value }}
-{{- end }}
- ports:
- - containerPort: 443
- name: https
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /ping
- port: https
- scheme: HTTPS
- readinessProbe:
- httpGet:
- path: /ping
- port: https
- scheme: HTTPS
-{{- if or .Values.config.existingConfig .Values.config.policyFile}}
- volumeMounts:
- - mountPath: /etc/pomerium/
- name: policy
- volumes:
- - name: policy
- configMap:
- name: {{ $configName }}
-{{- end }}
- resources:
-{{ toYaml .Values.resources | indent 10 }}
-{{- if .Values.extraVolumes }}
- volumes:
-{{- toYaml .Values.extraVolumes | indent 8 }}
-{{- end }}
-{{- if .Values.imagePullSecrets }}
- imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
-{{- end }}
-{{- if .Values.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
-{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
\ No newline at end of file
diff --git a/helm/templates/proxy-service.yaml b/helm/templates/proxy-service.yaml
deleted file mode 100644
index 5fbcaef30..000000000
--- a/helm/templates/proxy-service.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "pomerium.fullname" . }}-{{ .Values.proxy.name }}
- labels:
- app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
- chart: {{ template "pomerium.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- if .Values.service.labels }}
-{{ toYaml .Values.service.labels | indent 4 }}
-{{- end }}
-{{- if .Values.service.annotations }}
- annotations:
-{{ toYaml .Values.service.annotations | indent 4 }}
-{{- end }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: https
- protocol: TCP
- name: https
-
-{{- if hasKey .Values.service "nodePort" }}
- nodePort: {{ .Values.service.nodePort }}
-{{- end }}
- selector:
- app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
- release: {{ .Release.Name }}
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
deleted file mode 100644
index a6e276615..000000000
--- a/helm/templates/secret.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-{{- if not .Values.config.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
- labels:
- app: {{ template "pomerium.name" . }}
- chart: {{ template "pomerium.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
- name: {{ template "pomerium.fullname" . }}
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
- cookie-secret: {{ default (randAscii 32 | b64enc | b64enc) (.Values.config.cookieSecret | b64enc )}}
- shared-secret: {{ default (randAscii 32 | b64enc | b64enc) (.Values.config.sharedSecret | b64enc )}}
- idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc }}
- idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc }}
- idp-service-account: {{ .Values.authenticate.idp.serviceAccount | b64enc }}
-{{- if .Values.config.generateTLS }}
-{{- $ca := genCA "default-ca" 3650 }}
-{{$authenticateSN:= list (printf "%s.%s" .Values.authenticate.name .Values.config.rootDomain) (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authenticate.name .Release.Namespace )}}
-{{$authorizeSN:= list (printf "%s.%s" .Values.authorize.name .Values.config.rootDomain) (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authorize.name .Release.Namespace )}}
-{{- $cn := default "example.com" .Values.config.rootDomain }}
- ca-cert: {{ $ca.Cert | b64enc | b64enc }}
- ca-key: {{ $ca.Key | b64enc | b64enc }}
-{{- $kp := genSignedCert $cn ( default nil .Values.authenticate.tls.defaultIPList ) ( default $authenticateSN .Values.authenticate.tls.defaultSANList ) 3650 $ca }}
- authenticate-cert: {{ $kp.Cert | b64enc | b64enc }}
- authenticate-key: {{ $kp.Key | b64enc | b64enc }}
-{{- $kp := genSignedCert $cn ( default nil .Values.authorize.tls.defaultIPList ) ( default $authorizeSN .Values.authorize.tls.defaultSANList ) 3650 $ca }}
- authorize-cert: {{ $kp.Cert | b64enc | b64enc }}
- authorize-key: {{ $kp.Key | b64enc | b64enc }}
-{{- $kp := genSignedCert $cn ( default nil .Values.proxy.tls.defaultIPList ) ( default nil .Values.proxy.tls.defaultSANList ) 3650 $ca }}
- proxy-cert: {{ $kp.Cert | b64enc | b64enc }}
- proxy-key: {{ $kp.Key | b64enc | b64enc }}
-{{- else -}}
- ca-cert: {{ .Values.config.ca | b64enc }}
- proxy-cert: {{ .Values.proxy.tls.cert | b64enc }}
- proxy-key: {{ .Values.proxy.tls.key | b64enc }}
- authenticate-cert: {{ .Values.authenticate.tls.cert | b64enc }}
- authenticate-key: {{ .Values.authenticate.tls.key | b64enc }}
- authorize-cert: {{ .Values.authorize.tls.cert | b64enc }}
- authorize-key: {{ .Values.authorize.tls.key | b64enc }}
-{{- end }}
-{{- end }}
diff --git a/helm/templates/tls-secrets.yaml b/helm/templates/tls-secrets.yaml
deleted file mode 100644
index 4df9c8b1c..000000000
--- a/helm/templates/tls-secrets.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.ingress.enabled }}
-{{- if not .Values.ingress.secretName }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ default "pomerium-tls" .Values.ingress.secret.name }}
- labels:
- app: {{ template "pomerium.name" . }}
- chart: {{ template "pomerium.chart" . }}
- release: {{ .Release.Name | quote }}
- heritage: {{ .Release.Service | quote }}
-type: kubernetes.io/tls
-data:
- tls.crt: {{ .Values.ingress.secret.cert }}
- tls.key: {{ .Values.ingress.secret.key }}
----
-{{- end }}
-{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
deleted file mode 100644
index d06bb9bb2..000000000
--- a/helm/values.yaml
+++ /dev/null
@@ -1,133 +0,0 @@
-# For detailed explanation of each of the configuration settings see
-# https://www.pomerium.io/docs/config-reference.htmls
-
-# settings that are shared by all services
-config:
- # routes under this wildcard domain are handled by pomerium
- rootDomain: corp.pomerium.io
- # existingSecret:
- # existingConfig:
- sharedSecret: ""
- cookieSecret: ""
- generateTLS: true
- policyFile: |-
- - from: httpbin.corp.pomerium.io
- to: http://httpbin
- allowed_domains:
- - pomerium.io
- - from: external-httpbin.corp.pomerium.io
- to: httpbin.org
- allowed_domains:
- - gmail.com
- - from: weirdlyssl.corp.pomerium.io
- to: http://neverssl.com
- allowed_users:
- - bdd@pomerium.io
- allowed_groups:
- - admins
- - developers
- - from: hello.corp.pomerium.io
- to: http://hello:8080
- allowed_groups:
- - admins
-
-authenticate:
- name: authenticate
- redirectUrl: ""
- # see https://www.pomerium.io/docs/identity-providers.html
- idp:
- provider: google
- clientID: "REPLACE_ME"
- clientSecret: "REPLACE_ME"
- url: ""
- serviceAccount: ""
- tls:
- cert: ""
- key: ""
- defaultSANList: []
- defaultIPList: []
-
-authorize:
- name: authorize
- tls:
- cert: ""
- key: ""
- defaultSANList: []
- defaultIPList: []
-
-proxy:
- name: proxy
- tls:
- cert: ""
- key: ""
- defaultSANList: []
- defaultIPList: []
- authenticateServiceUrl: ""
- authorizeServiceUrl: ""
- authorizeInternalUrl: ""
- authenticateInternalUrl: ""
-
-service:
- # Service type can be set to ClusterIP, NodePort or LoadBalancer.
- type: ClusterIP
- externalPort: 443
- annotations:
- {}
- # === GKE load balancer tweaks
- # cloud.google.com/app-protocols: '{"https":"HTTPS"}'
- # kubernetes.io/ingress.allow-http: "false"
- labels: {}
-
-ingress:
- secretName: ""
- secret:
- name: ""
- cert: ""
- key: ""
- enabled: true
- annotations:
- {}
- # === nginx tweaks
- # kubernetes.io/ingress.class: nginx
- # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
- # === GKE load balancer tweaks ==
- # cloud.google.com/app-protocols: '{"https":"HTTPS"}'
- # kubernetes.io/ingress.allow-http: "false"
-resources:
- {}
- # limits:
- # cpu: 100m
- # memory: 300Mi
- # requests:
- # cpu: 100m
- # memory: 300Mi
-
-priorityClassName: ""
-
-# Affinity for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-# affinity: {}
-
-# Tolerations for pod assignment
-# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-# tolerations: []
-
-# Node labels for pod assignment
-# Ref: https://kubernetes.io/docs/user-guide/node-selection/
-# nodeSelector: {}
-
-podAnnotations: {}
-podLabels: {}
-replicaCount: 1
-
-# For any other settings that are optional. for a complete listing see:
-# https://www.pomerium.io/docs/config-reference.html
-extraEnv: {}
-extraArgs: {}
-extraVolumes: {}
-
-image:
- repository: "pomerium/pomerium"
- tag: "latest"
- pullPolicy: "Always"
diff --git a/scripts/helm_aws.sh b/scripts/helm_aws.sh
new file mode 100644
index 000000000..ad7312742
--- /dev/null
+++ b/scripts/helm_aws.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+# PRE-REQ:
+# 1) Install Helm : You should verify the content of this script before running.
+# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
+# 2) Install https://eksctl.io/
+# For more information see:
+# - https://eksworkshop.com/helm_root/helm_intro/install/
+
+echo "=> [AWS] creating cluster"
+eksctl create cluster --name=pomerium --nodes=1 --region=us-west-2
+
+echo "=> [AWS] get cluster credentials so we can use kubctl locally"
+eksctl utils write-kubeconfig --name=pomerium
+
+echo "=> [AWS] configure Helm access with RBAC"
+cat <.helm-rbac.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tiller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+EOF
+
+kubectl apply -f .helm-rbac.yaml
+# cleanup
+rm .helm-rbac.yaml
+
+echo "=> initialize Helm to install Tiller in your cluster"
+helm init --service-account=tiller
+helm repo update
+
+echo "=> install pomerium with helm substituting configuration values as required; be sure to change these"
+helm install $HOME/charts/stable/pomerium/ \
+ --name pomerium \
+ --set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
+ --set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
+ --set config.cert=$(base64 -i cert.pem) \
+ --set config.key=$(base64 -i privkey.pem) \
+ --set config.policy="$(cat policy.example.yaml | base64)" \
+ --set authenticate.idp.provider="google" \
+ --set authenticate.proxyRootDomains="pomerium.io" \
+ --set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
+ --set authenticate.idp.clientID="REPLACE_ME" \
+ --set authenticate.idp.clientSecret="REPLACE_ME" \
+ --set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
+ --set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
+
+# When done, clean up by deleting the cluster!
+#
+# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES!
\ No newline at end of file
From 950f7206604dd8c60bb5b4db700693b2ae84a064 Mon Sep 17 00:00:00 2001
From: Bobby DeSimone
Date: Thu, 16 May 2019 21:44:33 -0700
Subject: [PATCH 2/2] docs: add amazon helm script to examples
---
docs/docs/examples.md | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/docs/docs/examples.md b/docs/docs/examples.md
index f6a1de4ce..b7a92cd6c 100644
--- a/docs/docs/examples.md
+++ b/docs/docs/examples.md
@@ -58,7 +58,6 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp ## Helm -- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing] - HTTPS (TLS) between client, load balancer, and services - gRPC requests are routed behind the load balancer - Routes default to hosted version of httpbin.org
@@ -66,8 +65,16 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp #### helm_gke.sh +- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing] + <<< @/scripts/helm_gke.sh +#### helm_aws.sh + +- Uses Amazon Elastic Container Service + +<<< @/scripts/helm_aws.sh + ## Kubernetes - Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
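Review bot: The script has no `set -euo pipefail`, so when `eksctl create cluster` or `helm init` fails the later `kubectl apply` and `helm install` still run against whatever kubeconfig happens to be current; add `set -euo pipefail` directly under the shebang. The ClusterRoleBinding hands Tiller `cluster-admin` and `helm init` is run without Tiller TLS (Helm 2's `--tiller-tls-verify`), which makes any workload that can reach Tiller's port effectively cluster-admin; that trade-off belongs in the PRE-REQ comment, e.g. `# NOTE: Tiller runs as cluster-admin with no TLS; acceptable for a throwaway test cluster only`. The generated shared/cookie secrets, the PEM file contents and the IdP client secret are all passed via `--set`, which leaves them in shell history and `ps` output; reading them from a values file passed with `-f` avoids that. The keys `config.cert`, `config.key` and `authenticate.proxyRootDomains` do not exist in the `values.yaml` this commit deletes (it has `proxy.tls.cert`, `proxy.tls.key` and `config.rootDomain`), so if the chart under `$HOME/charts/stable/pomerium/` shares that schema these values are silently dropped. As rendered here the heredoc line reads `cat <.helm-rbac.yaml`, which looks like an extraction artifact of `cat <<EOF >.helm-rbac.yaml`; worth confirming in the committed file.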