update k8s install for ingress conrtoller

2025-06-14 00:33:09 +02:00 · 2021-09-30 16:16:28 -05:00 · 2021-09-30 16:16:28 -05:00 · 2e0cbccc15
commit 2e0cbccc15
parent 84f79d8639
4 changed files with 45 additions and 9 deletions
--- a/examples/kubernetes/example-ingress.yaml
+++ b/examples/kubernetes/example-ingress.yaml
@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello
+  annotations:
+    cert-manager.io/issuer: pomerium-issuer
+    ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}}]}}]'
+spec:
+  ingressClassName: pomerium
+  rules:
+  - host: hello.localhost.pomerium.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: nginx
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - hello.localhost.pomerium.io
+    secretName: hello.localhost.pomerium.io-tls
--- a/examples/kubernetes/pomerium-certificates.yaml
+++ b/examples/kubernetes/pomerium-certificates.yaml
@ -16,8 +16,9 @@ spec:
    - pomerium-authorize.pomerium.svc.cluster.local
    - pomerium-databroker.pomerium.svc.cluster.local
    - pomerium-authenticate.pomerium.svc.cluster.local
-    # TODO - Replace the following entry with your domain space.
-    - "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
+    - authenticate.localhost.pomerium.io
+    # TODO - If you're noy using the Pomerium Ingress controller, you may want a wildcard entry as well.
+    #- "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
--- a/examples/kubernetes/pomerium-values.yaml
+++ b/examples/kubernetes/pomerium-values.yaml
@ -36,6 +36,9 @@ redis:
 ingress:
  enabled: false

+ingressController:
+  enabled: true
+
 config:
  sharedSecret: YOURSHAREDSECRET # You can use "head -c32 /dev/urandom | base64" to generate.
  cookieSecret: YOURCOOKIESECRET # You can use "head -c32 /dev/urandom | base64" to generate.
@ -44,10 +47,6 @@ config:
  generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
  policy:
      # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
-    - from: https://hello.localhost.pomerium.io
-      to: http://nginx.pomerium.svc.cluster.local:80
-      allowed_domains:
-        - companydomain.com # Use the domain your company email address uses.
    - from: https://authenticate.localhost.pomerium.io
      to: https://pomerium-authenticate.pomerium.svc.cluster.local
      preserve_host_header: true