diff --git a/docs/docs/install/helm.md b/docs/docs/install/helm.md index abd0faace..566b7a800 100644 --- a/docs/docs/install/helm.md +++ b/docs/docs/install/helm.md @@ -116,7 +116,7 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol <<< @/examples/kubernetes/pomerium-certificates.yaml ::: tip - If you already have a domain space for Pomerium with a certificate solution, use it in place of `*.localhost.pomerium.io`. + If you already have a domain space for Pomerium with a certificate solution, use it in place of `.localhost.pomerium.io`. ::: 1. Apply the certificate configuration, and confirm: @@ -148,6 +148,14 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol helm repo add pomerium https://helm.pomerium.io ``` +1. Install Pomerium to the cluster: + + ```bash + helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml + ``` + +## Define a Test Service + 1. So that we can create a valid test route, add Bitnami's Helm repo to pull nginx from: ```bash @@ -166,10 +174,14 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP ``` -1. Install Pomerium to the cluster: +1. Create a new ingress manifest (`example-ingress.yaml`) for our test service: + + <<< @/examples/kubernetes/example-ingress.yaml + +1. Apply the nginx ingress manifest to the cluster: ```bash - helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml + kubectl apply -f ingress.yaml ``` ## Navigate diff --git a/examples/kubernetes/example-ingress.yaml b/examples/kubernetes/example-ingress.yaml new file mode 100644 index 000000000..221160949 --- /dev/null +++ b/examples/kubernetes/example-ingress.yaml 
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: hello
+ annotations:
+ cert-manager.io/issuer: pomerium-issuer
+ ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}}]}}]'
+spec:
+ ingressClassName: pomerium
+ rules:
+ - host: hello.localhost.pomerium.io
+ http:
+ paths:
+ - backend:
+ service:
+ name: nginx
+ port:
+ name: http
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - hello.localhost.pomerium.io
+ secretName: hello.localhost.pomerium.io-tls
\ No newline at end of file
diff --git a/examples/kubernetes/pomerium-certificates.yaml b/examples/kubernetes/pomerium-certificates.yaml
index 7201753bf..638c8a29c 100644
--- a/examples/kubernetes/pomerium-certificates.yaml
+++ b/examples/kubernetes/pomerium-certificates.yaml
@@ -16,8 +16,9 @@ spec:
 - pomerium-authorize.pomerium.svc.cluster.local
 - pomerium-databroker.pomerium.svc.cluster.local
 - pomerium-authenticate.pomerium.svc.cluster.local
- # TODO - Replace the following entry with your domain space.
- - "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
+ - authenticate.localhost.pomerium.io
+ # TODO - If you're noy using the Pomerium Ingress controller, you may want a wildcard entry as well.
+ #- "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
diff --git a/examples/kubernetes/pomerium-values.yaml b/examples/kubernetes/pomerium-values.yaml
index b8e565097..a25aa0145 100644
--- a/examples/kubernetes/pomerium-values.yaml
+++ b/examples/kubernetes/pomerium-values.yaml
@@ -36,6 +36,9 @@ redis:
 ingress:
 enabled: false
 
+ingressController:
+ enabled: true
+
 config:
 sharedSecret: YOURSHAREDSECRET # You can use "head -c32 /dev/urandom | base64" to generate.
 cookieSecret: YOURCOOKIESECRET # You can use "head -c32 /dev/urandom | base64" to generate. 
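Review bot: The `ingress.pomerium.io/policy` annotation hardcodes `example.com` as the only allowed identity domain with nothing marking it as a placeholder, while the `allowed_domains` block this route replaces (removed from pomerium-values.yaml later in this diff) carried the comment `# Use the domain your company email address uses.`; that guidance should follow the policy here, e.g. a comment above the annotation: `# Replace example.com with the email domain of your identity provider; this annotation is the only access gate on the route.` With the placeholder left as-is the route presumably fails closed for everyone outside example.com, which is the safe direction, but readers should be told why they get denied rather than debugging it. The helm.md hunk in this commit names this file `example-ingress.yaml` yet applies it with `kubectl apply -f ingress.yaml`; one of the two should change. The file also has no trailing newline.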
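Review bot: The comment added above the commented-out wildcard has a typo, `# TODO - If you're noy using the Pomerium Ingress controller, ...` should read `not`. Dropping `*.localhost.pomerium.io` from the shared certificate in favour of the single `authenticate.localhost.pomerium.io` SAN is a good narrowing, since the example Ingress in this commit requests its own certificate through the `cert-manager.io/issuer` annotation; the comment would be more useful if it said so, e.g. `# Per-route certificates are requested by the cert-manager.io/issuer annotation on each Ingress; only restore the wildcard if you define routes in config.policy instead of as Ingress objects.`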
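Review bot: `ingressController.enabled: true` is added without a comment, while every neighbouring key in this file carries one, and this flag is the change that moves route authorization out of `config.policy` (the `hello` route is deleted from it later in this diff) into the `ingress.pomerium.io/policy` annotation on each Ingress with `ingressClassName: pomerium`; a one-line note would help, e.g. `# Routes are now Ingress objects with ingressClassName: pomerium; access policy lives in their ingress.pomerium.io/policy annotation.` It is not visible here what the controller does with an Ingress of that class that carries no policy annotation at all (deny by default or pass-through) — worth confirming and stating in the same comment, since that is the failure mode an operator cares about.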
@@ -44,10 +47,6 @@ config:
 generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
 policy:
 # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
- - from: https://hello.localhost.pomerium.io
- to: http://nginx.pomerium.svc.cluster.local:80
- allowed_domains:
- - companydomain.com # Use the domain your company email address uses.
 - from: https://authenticate.localhost.pomerium.io
 to: https://pomerium-authenticate.pomerium.svc.cluster.local
 preserve_host_header: true