3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-02 02:42:57 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #124 from desimone/docs/update-helm-and-aws-script

Browse source 
deployment: remove helm from main repo
This commit is contained in:
Bobby DeSimone 2019-05-26 14:59:32 -07:00 committed by GitHub
commit 2dc88d44ee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 72 additions and 1205 deletions
Download patch file Download diff file Expand all files Collapse all files

9
docs/docs/examples.md
View file

@ -58,7 +58,6 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
## Helm ## Helm
- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
- HTTPS (TLS) between client, load balancer, and services - HTTPS (TLS) between client, load balancer, and services
- gRPC requests are routed behind the load balancer - gRPC requests are routed behind the load balancer
- Routes default to hosted version of httpbin.org - Routes default to hosted version of httpbin.org
@ -66,8 +65,16 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
#### helm_gke.sh #### helm_gke.sh
- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
<<< @/scripts/helm_gke.sh <<< @/scripts/helm_gke.sh
#### helm_aws.sh
- Uses Amazon Elastic Container Service
<<< @/scripts/helm_aws.sh
## Kubernetes ## Kubernetes
- Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing] - Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]

21
helm/.helmignore
View file

@ -1,21 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

26
helm/Chart.yaml
View file

@ -1,26 +0,0 @@
apiVersion: v1
name: pomerium
version: 1.0.0
appVersion: 0.0.3
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo.svg
description: Pomerium is an identity-aware access proxy.
keywords:
- proxy
- access-proxy
- reverse-proxy
- sso
- openid connect
- oauth2
- authorization
- authentication
- google
- okta
- azure
sources:
- https://github.com/pomerium/pomerium
engine: gotpl
maintainers:
- name: desimone
email: bobby.desimone@gmail.com

5
helm/OWNERS
View file

@ -1,5 +0,0 @@
approvers:
- desimone
reviewers:
- desimone
- victornoel

71
helm/README.md
View file

@ -1,71 +0,0 @@
# Pomerium
[Pomerium](https://pomerium.io) is an [open-source](https://github.com/pomerium/pomerium) tool for managing secure access to internal applications and resources.
## TL;DR;
```console
helm install --name my-release stable/pomerium
```
> Note: Pomerium depends on being configured with a third party identity providers to function properly. If you run pomerium without specifiying default values, you will need to change those configuration variables following setup.
## Install the chart
An example of a minimal, but complete installation of pomerium with identity provider settings, random secrets, certificates, and external URLs is as follows:
```sh
helm install --name my-release \
--set config.rootDomain="corp.example.com" \
--set ingress.tls.certificate=$(base64 -i "*.corp.example.com.cer") \
--set ingress.tls.key=$(base64 -i "*.corp.example.com.key") \
--set config.policy=$(base64 -i "policy.yaml") \
--set authenticate.idp.provider="google" \
--set authenticate.idp.clientID="REPLACE_ME" \
--set authenticate.idp.clientSecret="REPLACE_ME"
stable/pomerium
```
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
helm delete --purge my-release
```
The command removes nearly all the Kubernetes components associated with the chart and deletes the release.
## Configuration
A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/config-reference.html).
Parameter | Description | Default
--------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------
`config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). | `corp.pomerium.io`
`config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true`
`config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/config-reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html)
`config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html)
`config.policy` | Base64 encoded string containing the routes, and their access policies. |
`config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/config-reference.html#policy) in values
`authenticate.name` | Name of the authenticate service. | `authenticate`
`authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/config-reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback`
`authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/config-reference.html#identity-provider-name). | `google`
`authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-id). | Required
`authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-secret). | Required
`authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/config-reference.html#identity-provider-url). | Optional
`authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/config-reference.html#identity-provider-service-account). | Optional
`proxy.name` | Name of the proxy service. | `proxy`
`proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}`
`proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}`
`authorize.name` | Name of the authorize service. | `authorize`
`images.server.repository` | Pomerium image | `pomerium/pomerium`
`images.server.tag` | Pomerium image tag | `latest`
`images.server.pullPolicy` | Pomerium image pull policy | `Always`
`service.annotations` | Service annotations | `{}`
`service.externalPort` | Pomerium's port | `443`
`service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP`
`ingress.enabled` | Enables Ingress for pomerium | `false`
`ingress.annotations` | Ingress annotations | `{}`
`ingress.hosts` | Ingress accepted hostnames | `nil`
`ingress.tls` | Ingress TLS configuration | `[]`

67
helm/templates/NOTES.txt
View file

@ -1,67 +0,0 @@
{{- if eq (include "pomerium.providerOK" .) "true" }}
{{- if .Values.ingress.enabled }}
From outside the cluster, the server URL(s) are:
{{- range .Values.ingress.hosts }}
{{ $.Values.server.protocol }}://{{ . }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
Get the Pomerium URL by running:
export NODE_PORT=$(kubectl get -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "pomerium.fullname" . }})
export NODE_IP=$(kubectl get nodes -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT/
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc -w {{ template "pomerium.fullname" . }}'
Get the Pomerium URL by running:
export SERVICE_IP=$(kubectl get svc {{ template "pomerium.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo http://$SERVICE_IP/
{{- else if contains "ClusterIP" .Values.service.type }}
Get the Pomerium URL by running:
export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "component=server,app={{ template "pomerium.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo http://127.0.0.1:8000/
kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8000:8000
{{- end }}
{{- else -}}
##############################################################################
#### ERROR: You did not set a valid identity provider ####
##############################################################################
This deployment will be incomplete until you configure a valid version
control provider:
helm upgrade {{ .Release.Name }} \
--reuse-values \
--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
--set config.cert=$(base64 -i cert.pem) \
--set config.key=$(base64 -i privkey.pem) \
--set config.policy="$(cat policy.example.yaml | base64)" \
--set authenticate.idp.provider="google" \
--set config.rootDomain="corp.pomerium.io" \
--set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
--set authenticate.idp.clientID="REPLACE_ME" \
--set authenticate.idp.clientSecret="REPLACE_ME" \
--set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
--set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
stable/pomerium
Currently supported providers:
- Okta
- Google
- Azure Active Directory
- OneLogin
See the values.yaml file to see what values are required for each provider.
If you are having trouble with the configuration of a provider please visit
the official documentation:
https://www.pomerium.io/docs/identity-providers.html
{{- end }}

58
helm/templates/_helpers.tpl
View file

@ -1,58 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*Expand the name of the chart.*/}}
{{- define "pomerium.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "pomerium.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*Create chart name and version as used by the chart label.*/}}
{{- define "pomerium.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "pomerium.routestring" -}}
{{- $routes := dict "routes" (list) -}}
{{- range $key, $val := .Values.proxy.routes -}}
{{- $noop := printf "%s=%s" $key $val | append $routes.routes | set $routes "routes" -}}
{{- end -}}
{{- join "," $routes.routes | default "none=none" | quote -}}
{{- end -}}
{{/*
Check if a valid source control provider has been set
Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates/_provider-envs.yaml
*/}}
{{- define "pomerium.providerOK" -}}
{{- if .Values.authenticate.idp -}}
{{- if eq .Values.authenticate.idp.clientID "" -}}
false
{{- else if eq .Values.authenticate.idp.clientSecret "" -}}
false
{{- else if eq .Values.authenticate.idp.clientID "REPLACE_ME" -}}
false
{{- else if eq .Values.authenticate.idp.clientSecret "REPLACE_ME" -}}
false
{{- else -}}
true
{{- end -}}
{{- end -}}
{{- end -}}

167
helm/templates/all-in-one-deployment.yaml
View file

@ -1,167 +0,0 @@
{{- if .Values.omnibusMode -}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: all
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: cookie-secret
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: shared-secret
- name: AUTHENTICATE_SERVICE_URL
value: {{ .Values.proxy.authenticateServiceUrl }}
- name: AUTHORIZE_SERVICE_URL
value: {{ .Values.proxy.authorizeServiceUrl }}
- name: REDIRECT_URL
value: {{ .Values.authenticate.redirectUrl }}
- name: PROXY_ROOT_DOMAIN
value: {{ .Values.authenticate.proxyRootDomains }}
- name: IDP_PROVIDER
value: {{ .Values.authenticate.idp.provider }}
- name: IDP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-id
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-secret
{{- if .Values.authenticate.idp.url }}
- name: IDP_PROVIDER_URL
value: {{ .Values.authenticate.idp.url }}
{{- end }}
{{- if .Values.config.policyFile }}
- name: POLICY_FILE
value: /etc/pomerium/policy.yaml
{{- end }}
{{- if .Values.config.policy}}
- name: POLICY
value: {{ .Values.config.policy }}
{{- end }}
{{- if .Values.config.cert }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate
{{- end }}
{{- if .Values.config.key }}
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-key
{{- end }}
{{- if .Values.config.ca }}
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-authority
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
volumeMounts:
- mountPath: /etc/pomerium/
name: {{ template "pomerium.fullname" . }}-policy
volumes:
- name: {{ template "pomerium.fullname" . }}-policy
configMap:
name: {{ template "pomerium.fullname" . }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- end -}}

31
helm/templates/all-in-one-service.yaml
View file

@ -1,31 +0,0 @@
{{- if .Values.omnibusMode -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: http
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
{{- end -}}

141
helm/templates/authenticate-deployment.yaml
View file

@ -1,141 +0,0 @@
{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}-{{ .Values.authenticate.name }}
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: authenticate
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: cookie-secret
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: shared-secret
- name: REDIRECT_URL
value: {{ default (printf "https://%s.%s/oauth2/callback" .Values.authenticate.name .Values.config.rootDomain ) .Values.authenticate.redirectUrl }}
- name: PROXY_ROOT_DOMAIN
value: {{ .Values.config.rootDomain }}
- name: IDP_PROVIDER
value: {{ .Values.authenticate.idp.provider }}
- name: IDP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: idp-client-id
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: idp-client-secret
- name: IDP_PROVIDER_URL
value: {{ .Values.authenticate.idp.url }}
- name: IDP_SERVICE_ACCOUNT
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: idp-service-account
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: authenticate-cert
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: authenticate-key
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: ca-cert
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}

30
helm/templates/authenticate-service.yaml
View file

@ -1,30 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}-{{ .Values.authenticate.name }}
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: https
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}-{{ .Values.authenticate.name }}
release: {{ .Release.Name }}

131
helm/templates/authorize-deployment.yaml
View file

@ -1,131 +0,0 @@
{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }}
{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}-{{ .Values.authorize.name }}
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: authorize
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: shared-secret
{{- if or .Values.config.existingConfig .Values.config.policyFile}}
- name: POLICY_FILE
value: /etc/pomerium/policy.yaml
{{- end }}
{{- if .Values.config.policy}}
- name: POLICY
value: {{ .Values.config.policy }}
{{- end }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: authorize-cert
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: authorize-key
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: ca-cert
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
{{- if or .Values.config.existingConfig .Values.config.policyFile}}
volumeMounts:
- mountPath: /etc/pomerium/
name: policy
volumes:
- name: policy
configMap:
name: {{ $configName }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}

30
helm/templates/authorize-service.yaml
View file

@ -1,30 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}-{{ .Values.authorize.name }}
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: https
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}-{{ .Values.authorize.name }}
release: {{ .Release.Name }}

13
helm/templates/configmap.yaml
View file

@ -1,13 +0,0 @@
{{- if not .Values.config.existingConfig }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "pomerium.fullname" . }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
policy.yaml: {{toYaml .Values.config.policyFile | indent 4}}
{{- end }}

44
helm/templates/ingress.yaml
View file

@ -1,44 +0,0 @@
{{- if .Values.ingress.enabled -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ include "pomerium.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "pomerium.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "pomerium.chart" . }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
tls:
- secretName: {{ default .Values.ingress.secretName .Values.ingress.secret.name}}
hosts:
- '*.{{ .Values.config.rootDomain }}'
- {{ .Values.authorize.name }}.{{ .Values.config.rootDomain }}
- {{ .Values.authenticate.name }}.{{ .Values.config.rootDomain }}
rules:
- host: '*.{{ .Values.config.rootDomain }}'
http:
paths:
- paths:
backend:
serviceName: {{ include "pomerium.fullname" .}}-{{ .Values.proxy.name }}
servicePort: https
- host: {{ .Values.authorize.name }}.{{ .Values.config.rootDomain }}
http:
paths:
- paths:
backend:
serviceName: {{ include "pomerium.fullname" .}}-{{ .Values.authorize.name }}
servicePort: https
- host: {{ .Values.authenticate.name }}.{{ .Values.config.rootDomain }}
http:
paths:
- paths:
backend:
serviceName: {{ include "pomerium.fullname" .}}-{{ .Values.authenticate.name }}
servicePort: https
{{- end }}

144
helm/templates/proxy-deployment.yaml
View file

@ -1,144 +0,0 @@
{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }}
{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}-{{ .Values.proxy.name }}
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: proxy
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: cookie-secret
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: shared-secret
- name: AUTHENTICATE_SERVICE_URL
value: {{ default (printf "https://%s.%s" .Values.authenticate.name .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }}
- name: AUTHORIZE_SERVICE_URL
value: {{ default (printf "https://%s.%s" .Values.authorize.name .Values.config.rootDomain ) .Values.proxy.authorizeServiceUrl }}
- name: AUTHENTICATE_INTERNAL_URL
value: {{ default (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authenticate.name .Release.Namespace ) .Values.proxy.authenticateInternalUrl}}
- name: AUTHORIZE_INTERNAL_URL
value: {{ default (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authorize.name .Release.Namespace ) .Values.proxy.authorizeInternalUrl}}
{{- if or .Values.config.existingConfig .Values.config.policyFile}}
- name: POLICY_FILE
value: /etc/pomerium/policy.yaml
{{- end }}
{{- if .Values.config.policy}}
- name: POLICY
value: {{ .Values.config.policy }}
{{- end }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: proxy-cert
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: proxy-key
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: ca-cert
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
{{- if or .Values.config.existingConfig .Values.config.policyFile}}
volumeMounts:
- mountPath: /etc/pomerium/
name: policy
volumes:
- name: policy
configMap:
name: {{ $configName }}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}

30
helm/templates/proxy-service.yaml
View file

@ -1,30 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}-{{ .Values.proxy.name }}
labels:
app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: https
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}-{{ .Values.proxy.name }}
release: {{ .Release.Name }}

44
helm/templates/secret.yaml
View file

@ -1,44 +0,0 @@
{{- if not .Values.config.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
cookie-secret: {{ default (randAscii 32 | b64enc | b64enc) (.Values.config.cookieSecret | b64enc )}}
shared-secret: {{ default (randAscii 32 | b64enc | b64enc) (.Values.config.sharedSecret | b64enc )}}
idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc }}
idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc }}
idp-service-account: {{ .Values.authenticate.idp.serviceAccount | b64enc }}
{{- if .Values.config.generateTLS }}
{{- $ca := genCA "default-ca" 3650 }}
{{$authenticateSN:= list (printf "%s.%s" .Values.authenticate.name .Values.config.rootDomain) (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authenticate.name .Release.Namespace )}}
{{$authorizeSN:= list (printf "%s.%s" .Values.authorize.name .Values.config.rootDomain) (printf "%s-%s.%s.svc.cluster.local" (include "pomerium.fullname" .) .Values.authorize.name .Release.Namespace )}}
{{- $cn := default "example.com" .Values.config.rootDomain }}
ca-cert: {{ $ca.Cert | b64enc | b64enc }}
ca-key: {{ $ca.Key | b64enc | b64enc }}
{{- $kp := genSignedCert $cn ( default nil .Values.authenticate.tls.defaultIPList ) ( default $authenticateSN .Values.authenticate.tls.defaultSANList ) 3650 $ca }}
authenticate-cert: {{ $kp.Cert | b64enc | b64enc }}
authenticate-key: {{ $kp.Key | b64enc | b64enc }}
{{- $kp := genSignedCert $cn ( default nil .Values.authorize.tls.defaultIPList ) ( default $authorizeSN .Values.authorize.tls.defaultSANList ) 3650 $ca }}
authorize-cert: {{ $kp.Cert | b64enc | b64enc }}
authorize-key: {{ $kp.Key | b64enc | b64enc }}
{{- $kp := genSignedCert $cn ( default nil .Values.proxy.tls.defaultIPList ) ( default nil .Values.proxy.tls.defaultSANList ) 3650 $ca }}
proxy-cert: {{ $kp.Cert | b64enc | b64enc }}
proxy-key: {{ $kp.Key | b64enc | b64enc }}
{{- else -}}
ca-cert: {{ .Values.config.ca | b64enc }}
proxy-cert: {{ .Values.proxy.tls.cert | b64enc }}
proxy-key: {{ .Values.proxy.tls.key | b64enc }}
authenticate-cert: {{ .Values.authenticate.tls.cert | b64enc }}
authenticate-key: {{ .Values.authenticate.tls.key | b64enc }}
authorize-cert: {{ .Values.authorize.tls.cert | b64enc }}
authorize-key: {{ .Values.authorize.tls.key | b64enc }}
{{- end }}
{{- end }}

18
helm/templates/tls-secrets.yaml
View file

@ -1,18 +0,0 @@
{{- if .Values.ingress.enabled }}
{{- if not .Values.ingress.secretName }}
apiVersion: v1
kind: Secret
metadata:
name: {{ default "pomerium-tls" .Values.ingress.secret.name }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.ingress.secret.cert }}
tls.key: {{ .Values.ingress.secret.key }}
---
{{- end }}
{{- end }}

133
helm/values.yaml
View file

@ -1,133 +0,0 @@
# For detailed explanation of each of the configuration settings see
# https://www.pomerium.io/docs/config-reference.htmls
# settings that are shared by all services
config:
# routes under this wildcard domain are handled by pomerium
rootDomain: corp.pomerium.io
# existingSecret:
# existingConfig:
sharedSecret: ""
cookieSecret: ""
generateTLS: true
policyFile: |-
- from: httpbin.corp.pomerium.io
to: http://httpbin
allowed_domains:
- pomerium.io
- from: external-httpbin.corp.pomerium.io
to: httpbin.org
allowed_domains:
- gmail.com
- from: weirdlyssl.corp.pomerium.io
to: http://neverssl.com
allowed_users:
- bdd@pomerium.io
allowed_groups:
- admins
- developers
- from: hello.corp.pomerium.io
to: http://hello:8080
allowed_groups:
- admins
authenticate:
name: authenticate
redirectUrl: ""
# see https://www.pomerium.io/docs/identity-providers.html
idp:
provider: google
clientID: "REPLACE_ME"
clientSecret: "REPLACE_ME"
url: ""
serviceAccount: ""
tls:
cert: ""
key: ""
defaultSANList: []
defaultIPList: []
authorize:
name: authorize
tls:
cert: ""
key: ""
defaultSANList: []
defaultIPList: []
proxy:
name: proxy
tls:
cert: ""
key: ""
defaultSANList: []
defaultIPList: []
authenticateServiceUrl: ""
authorizeServiceUrl: ""
authorizeInternalUrl: ""
authenticateInternalUrl: ""
service:
# Service type can be set to ClusterIP, NodePort or LoadBalancer.
type: ClusterIP
externalPort: 443
annotations:
{}
# === GKE load balancer tweaks
# cloud.google.com/app-protocols: '{"https":"HTTPS"}'
# kubernetes.io/ingress.allow-http: "false"
labels: {}
ingress:
secretName: ""
secret:
name: ""
cert: ""
key: ""
enabled: true
annotations:
{}
# === nginx tweaks
# kubernetes.io/ingress.class: nginx
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
# === GKE load balancer tweaks ==
# cloud.google.com/app-protocols: '{"https":"HTTPS"}'
# kubernetes.io/ingress.allow-http: "false"
resources:
{}
# limits:
# cpu: 100m
# memory: 300Mi
# requests:
# cpu: 100m
# memory: 300Mi
priorityClassName: ""
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
# nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicaCount: 1
# For any other settings that are optional. for a complete listing see:
# https://www.pomerium.io/docs/config-reference.html
extraEnv: {}
extraArgs: {}
extraVolumes: {}
image:
repository: "pomerium/pomerium"
tag: "latest"
pullPolicy: "Always"

64
scripts/helm_aws.sh Normal file
View file

@ -0,0 +1,64 @@
#!/bin/bash
# PRE-REQ:
# 1) Install Helm : You should verify the content of this script before running.
# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
# 2) Install https://eksctl.io/
# For more information see:
# - https://eksworkshop.com/helm_root/helm_intro/install/
echo "=> [AWS] creating cluster"
eksctl create cluster --name=pomerium --nodes=1 --region=us-west-2
echo "=> [AWS] get cluster credentials so we can use kubctl locally"
eksctl utils write-kubeconfig --name=pomerium
echo "=> [AWS] configure Helm access with RBAC"
cat <<EOF >.helm-rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
EOF
kubectl apply -f .helm-rbac.yaml
# cleanup
rm .helm-rbac.yaml
echo "=> initialize Helm to install Tiller in your cluster"
helm init --service-account=tiller
helm repo update
echo "=> install pomerium with helm substituting configuration values as required; be sure to change these"
helm install $HOME/charts/stable/pomerium/ \
--name pomerium \
--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
--set config.cert=$(base64 -i cert.pem) \
--set config.key=$(base64 -i privkey.pem) \
--set config.policy="$(cat policy.example.yaml | base64)" \
--set authenticate.idp.provider="google" \
--set authenticate.proxyRootDomains="pomerium.io" \
--set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
--set authenticate.idp.clientID="REPLACE_ME" \
--set authenticate.idp.clientSecret="REPLACE_ME" \
--set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
--set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
# When done, clean up by deleting the cluster!
#
# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES!