3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 02:16:28 +02:00
Code Issues Projects Releases Packages Wiki Activity

docs: update changelog, documentaiton, and helm configurations. (#63)

Browse source 
- Update changelog.
- Update docs to cover authorization support.
- Updates helm to support authorization, and policy file.
This commit is contained in:
Bobby DeSimone 2019-03-19 10:55:41 -07:00 committed by GitHub
parent eb9dff0c48
commit 45e6a8dc57
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
41 changed files with 901 additions and 254 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
CHANGELOG.md
View file

@ -1,33 +1,36 @@
# Pomerium Changelog
## Unreleased
## vUNRELEASED
**FEATURES:**
* **Authorization** : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
* **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows:
- Google requires the [Admin SDK](https://developers.google.com/admin-sdk/directory/) to enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file.
- Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made.
- Microsoft Azure Active Directory requires the application be given an [additional API permission](https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0), `Directory.Read.All`.
- Onelogin requires the [groups](https://developers.onelogin.com/openid-connect/scopes) was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the [user-info api endpoint](https://developers.onelogin.com/openid-connect/api/user-info).
* **WebSocket Support** : With [Go 1.12](https://golang.org/doc/go1.12#net/http/httputil) pomerium automatically proxies WebSocket requests.
- **Authorization** : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
- **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows:
- Google requires the [Admin SDK](https://developers.google.com/admin-sdk/directory/) to enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file.
- Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made.
- Microsoft Azure Active Directory requires the application be given an [additional API permission](https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0), `Directory.Read.All`.
- Onelogin requires the [groups](https://developers.onelogin.com/openid-connect/scopes) was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the [user-info api endpoint](https://developers.onelogin.com/openid-connect/api/user-info).
- **WebSocket Support** : With [Go 1.12](https://golang.org/doc/go1.12#net/http/httputil) pomerium automatically proxies WebSocket requests.
**CHANGED**:
* Updated `env.example` to include a `POLICY` setting example.
* Added `IDP_SERVICE_ACCOUNT` to `env.example` .
* Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`.
* Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
* Removed `ROUTES` settings which has been replaced by `POLICY`.
* Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result.
* Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`).
* Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours ~ roughly one business day.
* Moved identity (`authenticate/providers`) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
* Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
* Session expiration times are truncated at the second.
* **Removed gitlab provider**. We can't support groups until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed.
* Request context is now maintained throughout request-flow via the [context package](https://golang.org/pkg/context/) enabling timeouts, request tracing, and cancellation.
- Updated `generate_wildcard_cert.sh` to generate a elliptic curve 256 cert by default.
- Updated `env.example` to include a `POLICY` setting example.
- Added `IDP_SERVICE_ACCOUNT` to `env.example` .
- Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`.
- Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
- Removed `ROUTES` settings which has been replaced by `POLICY`.
- Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result.
- Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`).
- Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours ~ roughly one business day.
- Moved identity (`authenticate/providers`) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
- Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
- Session expiration times are truncated at the second.
- **Removed gitlab provider**. We can't support groups until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed.
- Request context is now maintained throughout request-flow via the [context package](https://golang.org/pkg/context/) enabling timeouts, request tracing, and cancellation.
**FIXED:**
* `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. [GH-58]
- `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. [GH-58]

2
authenticate/authenticate.go
View file

@ -44,7 +44,7 @@ type Options struct {
CookieExpire time.Duration `envconfig:"COOKIE_EXPIRE"`
CookieRefresh time.Duration `envconfig:"COOKIE_REFRESH"`
// IdentityProvider provider configuration variables as specified by RFC6749
// Identity provider configuration variables as specified by RFC6749
// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
ClientID string `envconfig:"IDP_CLIENT_ID"`
ClientSecret string `envconfig:"IDP_CLIENT_SECRET"`

4
authenticate/handlers.go
View file

@ -118,11 +118,11 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request) (*se
func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
session, err := a.authenticate(w, r)
if err != nil {
log.FromRequest(r).Info().Err(err).Msg("authenticate: authenticate error")
log.FromRequest(r).Warn().Err(err).Msg("authenticate: authenticate error")
a.sessionStore.ClearSession(w, r)
a.OAuthStart(w, r)
}
log.FromRequest(r).Info().Msg("authenticate: user authenticated")
log.FromRequest(r).Debug().Msg("authenticate: user authenticated")
a.ProxyCallback(w, r, session)
}

2
cmd/pomerium/options.go
View file

@ -42,7 +42,7 @@ var defaultOptions = &Options{
Services: "all",
}
// optionsFromEnvConfig builds the IdentityProvider service's configuration
// optionsFromEnvConfig builds the main binary's configuration
// options from provided environmental variables
func optionsFromEnvConfig() (*Options, error) {
o := defaultOptions

4
docs/docs/config-reference.md
View file

@ -62,7 +62,7 @@ Policy contains the routes, and their access policies. For example,
By default, JSON encoded logs are produced. Debug enables colored, human-readable, and more verbose logs to be streamed to [standard out](https://en.wikipedia.org/wiki/Standard_streams#Standard_output_(stdout)). In production, it's recommended to be set to `false`.
For example, if `true`.
For example, if `true`
```
10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
@ -71,7 +71,7 @@ For example, if `true`.
10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.corp.beyondperimeter.com:443
```
If `false`:
If `false`
```
{"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}

10
docs/docs/examples.md
View file

@ -61,7 +61,7 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
### Google Kubernetes Engine
- Uses GKE's built-in ingress to do [HTTPS load balancing]
- HTTPS (TLS) between client and load balancer
- HTTPS (TLS) between client, load balancer, and services
- Routes default to hosted version of httpbin.org
- Includes all-in-one script
@ -77,6 +77,14 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
<<< @/docs/docs/examples/kubernetes/authenticate.service.yml
#### authorize.deploy.yml
<<< @/docs/docs/examples/kubernetes/authorize.deploy.yml
#### authorize.service.yml
<<< @/docs/docs/examples/kubernetes/authorize.service.yml
#### proxy.deploy.yml
<<< @/docs/docs/examples/kubernetes/proxy.deploy.yml

1
docs/docs/examples/docker/nginx.docker-compose.yml
View file

@ -1,5 +1,4 @@
version: "3"
services:
nginx:
image: pomerium/nginx-proxy:latest

2
docs/docs/examples/kubernetes/authenticate.deploy.yml
View file

@ -32,7 +32,7 @@ spec:
- name: IDP_PROVIDER_URL
value: https://accounts.google.com
- name: IDP_CLIENT_ID
value: 851877082059-bfgkpj09noog7as3gpc3t7r6n9sjbgs6.apps.googleusercontent.com
value: 851877082059-bfgkpj09noog7as3gpc3t7r6n9sjbgs6.apps.googleusercontent.com
- name: PROXY_ROOT_DOMAIN
value: beyondperimeter.com
- name: SHARED_SECRET

15
env.example
View file

@ -14,8 +14,6 @@ export CERTIFICATE_KEY_FILE="./privkey.pem" # optional, defaults to `./certprivk
# The URL that the identity provider will call back after authenticating the user
export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback"
# Allow users with emails from the following domain post-fix (e.g. example.com)
export ALLOWED_DOMAINS=*
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
export SHARED_SECRET=9wiTZq4qvmS/plYQyvzGKWPlH/UBy0DMYMA2x/zngrM=
export COOKIE_SECRET=uPGHo1ujND/k3B9V6yr52Gweq3RRYfFho98jxDG5Br8=
@ -43,9 +41,8 @@ export IDP_CLIENT_ID="REPLACE-ME.googleusercontent.com"
export IDP_CLIENT_SECRET="REPLACEME"
# IF GSUITE and you want to get user groups you will need to set a service account
# see identity provider docs for gooogle for more info :
# GSUITE_JSON_SERVICE_ACCOUNT='{"impersonate_user": "bdd@pomerium.io"}'
# export IDP_SERVICE_ACCOUNT=$(echo $GSUITE_JSON_SERVICE_ACCOUNT | base64)
# see identity provider docs for gooogle for more info :
# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
# OKTA
# export IDP_PROVIDER="okta"
@ -61,7 +58,7 @@ export IDP_CLIENT_SECRET="REPLACEME"
# export SCOPE="openid email" # generally, you want the default OIDC scopes
# Proxied routes and per-route policies are defined in a policy provided either
# directly as a base64 encoded yaml/json file, or as a path pointing to a
# policy file (`POLICY_FILE`)
export POLICY_FILE="./policy.example.yml"
# Proxied routes and per-route policies are defined in a policy provided either
# directly as a base64 encoded yaml/json file, or as a path pointing to a
# policy file (`POLICY_FILE`)
export POLICY_FILE="./policy.example.yml"

4
go.mod
View file

@ -3,16 +3,14 @@ module github.com/pomerium/pomerium
go 1.12
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/golang/mock v1.2.0
github.com/golang/protobuf v1.3.0
github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c // indirect
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 // indirect
github.com/pomerium/envconfig v1.4.0
github.com/pomerium/go-oidc v2.0.0+incompatible
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
github.com/rs/zerolog v1.12.0
github.com/stretchr/testify v1.3.0 // indirect
golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8 // indirect
golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25
golang.org/x/net v0.0.0-20190228165749-92fc7df08ae7
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421

12
go.sum
View file

@ -7,6 +7,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@ -18,20 +20,12 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
github.com/golang/protobuf v1.3.0 h1:kbxbvI4Un1LUWKxufD+BiE6AEExYYgkQLQmLFqA1LFk=
github.com/golang/protobuf v1.3.0/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c h1:hqIMb/MbwYamune8FA5YtFAVzfTE8OXRtg9Nf0rzmqo=
github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pomerium/envconfig v1.3.0 h1:/qJ+JOrWKkd/MgSrBDQ6xYJ7sxzqxiIAB/3qgHwdrHY=
github.com/pomerium/envconfig v1.3.0/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc=
github.com/pomerium/envconfig v1.3.1-0.20190112072701-14cbcf832d31 h1:bNqUesLWa+RUxQvSaV3//dEFviXdCSvMF9GKDOopFLU=
github.com/pomerium/envconfig v1.3.1-0.20190112072701-14cbcf832d31/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc=
github.com/pomerium/envconfig v1.4.0 h1:o+WY/E/9M4fh0nDX7oJodU7N9p1hcHPsTnNLYjlbQA8=
github.com/pomerium/envconfig v1.4.0/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc=
github.com/pomerium/go-oidc v2.0.0+incompatible h1:gVvG/ExWsHQqatV+uceROnGmbVYF44mDNx5nayBhC0o=
@ -48,8 +42,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8 h1:G3kY3WDPiChidkYzLqbniw7jg23paUtzceZorG6YAJw=
golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8/go.mod h1:cYlCBUl1MsqxdiKgmc4uh7TxZfWSFLOGSRR090WDxt8=
golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25 h1:jsG6UpNLt9iAsb0S2AGW28DveNzzgmbXR+ENoPjUeIU=
golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

23
helm/Chart.yaml
View file

@ -1,17 +1,26 @@
name: pomerium
version: 0.0.1
apiVersion: v1
appVersion: 0.0.1
name: pomerium
version: 0.0.3
appVersion: 0.0.3
home: http://www.pomerium.io/
description: A reverse proxy that provides IdentityProvider with Google, Okta, Azure or other providers
icon: https://www.pomerium.io/logo.svg
description: Pomerium is an identity-aware access proxy.
keywords:
- kubernetes
- oauth
- proxy
- access-proxy
- reverse-proxy
- sso
- openid connect
- oauth2
- IdentityProvider
- authorization
- authentication
- google
- okta
- azure
sources:
- https://github.com/pomerium/pomerium
engine: gotpl
maintainers:
- name: bobby desimone
email: bobby.desimone@gmail.com

9
helm/templates/_helpers.tpl
View file

@ -1,7 +1,5 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{/*Expand the name of the chart.*/}}
{{- define "pomerium.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
@ -24,9 +22,8 @@ If release name contains chart name it will be used as a full name.
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{/*Create chart name and version as used by the chart label.*/}}
{{- define "pomerium.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

167
helm/templates/all-in-one-deployment.yaml Normal file
View file

@ -0,0 +1,167 @@
{{- if .Values.omnibusMode -}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: all
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: cookie-secret
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: shared-secret
- name: AUTHENTICATE_SERVICE_URL
value: {{ .Values.proxy.authenticateServiceUrl }}
- name: AUTHORIZE_SERVICE_URL
value: {{ .Values.proxy.authorizeServiceUrl }}
- name: REDIRECT_URL
value: {{ .Values.authenticate.redirectUrl }}
- name: PROXY_ROOT_DOMAIN
value: {{ .Values.authenticate.proxyRootDomains }}
- name: IDP_PROVIDER
value: {{ .Values.authenticate.idp.provider }}
- name: IDP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-id
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-secret
{{- if .Values.authenticate.idp.url }}
- name: IDP_PROVIDER_URL
value: {{ .Values.authenticate.idp.url }}
{{- end }}
{{- if .Values.config.policyFile }}
- name: POLICY_FILE
value: /etc/pomerium/policy.yaml
{{- end }}
{{- if .Values.config.policy}}
- name: POLICY
value: {{ .Values.config.policy }}
{{- end }}
{{- if .Values.config.cert }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate
{{- end }}
{{- if .Values.config.key }}
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-key
{{- end }}
{{- if .Values.config.ca }}
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-authority
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
volumeMounts:
- mountPath: /etc/pomerium/
name: {{ template "pomerium.fullname" . }}-policy
volumes:
- name: {{ template "pomerium.fullname" . }}-policy
configMap:
name: {{ template "pomerium.fullname" . }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- end -}}

4
helm/templates/service.yaml → helm/templates/all-in-one-service.yaml
View file

@ -1,6 +1,8 @@
{{- if .Values.omnibusMode -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
@ -9,7 +11,6 @@ metadata:
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
@ -27,3 +28,4 @@ spec:
selector:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
{{- end -}}

68
helm/templates/deployment.yaml → helm/templates/authenticate-deployment.yaml
View file

@ -1,3 +1,4 @@
{{- if not .Values.omnibusMode -}}
apiVersion: apps/v1
kind: Deployment
metadata:
@ -6,7 +7,7 @@ metadata:
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
name: {{ template "pomerium.fullname" . }}-authenticate
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
@ -49,7 +50,7 @@ spec:
{{- end }}
env:
- name: SERVICES
value: {{ .Values.config.services }}
value: authenticate
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
@ -60,6 +61,27 @@ spec:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: shared-secret
- name: REDIRECT_URL
value: {{ .Values.authenticate.redirectUrl }}
- name: PROXY_ROOT_DOMAIN
value: {{ .Values.authenticate.proxyRootDomains }}
- name: IDP_PROVIDER
value: {{ .Values.authenticate.idp.provider }}
- name: IDP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-id
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-secret
{{- if .Values.authenticate.idp.url }}
- name: IDP_PROVIDER_URL
value: {{ .Values.authenticate.idp.url }}
{{- end }}
{{- if .Values.config.cert }}
- name: CERTIFICATE
valueFrom:
@ -81,34 +103,6 @@ spec:
name: {{ template "pomerium.fullname" . }}
key: certificate-authority
{{- end }}
{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
- name: REDIRECT_URL
value: {{ .Values.authenticate.redirectUrl }}
- name: ALLOWED_DOMAINS
value: {{ .Values.authenticate.allowedDomains }}
- name: PROXY_ROOT_DOMAIN
value: {{ .Values.authenticate.proxyRootDomains }}
- name: IDP_PROVIDER
value: {{ .Values.authenticate.idp.provider }}
- name: IDP_PROVIDER_URL
value: {{ .Values.authenticate.idp.url }}
- name: IDP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-id
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-secret
{{- end }}
{{- if or (eq .Values.config.services "proxy") (eq .Values.config.services "all") }}
- name: AUTHENTICATE_SERVICE_URL
value: {{ .Values.proxy.authenticateServiceUrl }}
- name: ROUTES
value: {{ template "pomerium.routestring" . }}
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
@ -127,7 +121,18 @@ spec:
path: /ping
port: https
scheme: HTTPS
resources:
volumeMounts:
- mountPath: /etc/pomerium/
name: {{ template "pomerium.fullname" . }}-policy
volumes:
- name: {{ template "pomerium.fullname" . }}-policy
configMap:
name: {{ template "pomerium.fullname" . }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
@ -149,3 +154,4 @@ spec:
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- end -}}

31
helm/templates/authenticate-service.yaml Normal file
View file

@ -0,0 +1,31 @@
{{- if not .Values.omnibusMode -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}-authenticate
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: http
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
{{- end -}}

140
helm/templates/authorize-deployment.yaml Normal file
View file

@ -0,0 +1,140 @@
{{- if not .Values.omnibusMode -}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}-authorize
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: authorize
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: shared-secret
{{- if .Values.config.policyFile }}
- name: POLICY_FILE
value: /etc/pomerium/policy.yaml
{{- end }}
{{- if .Values.config.policy}}
- name: POLICY
value: {{ .Values.config.policy }}
{{- end }}
{{- if .Values.config.cert }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate
{{- end }}
{{- if .Values.config.key }}
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-key
{{- end }}
{{- if .Values.config.ca }}
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-authority
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
volumeMounts:
- mountPath: /etc/pomerium/
name: {{ template "pomerium.fullname" . }}-policy
volumes:
- name: {{ template "pomerium.fullname" . }}-policy
configMap:
name: {{ template "pomerium.fullname" . }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- end }}

31
helm/templates/authorize-service.yaml Normal file
View file

@ -0,0 +1,31 @@
{{- if not .Values.omnibusMode -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}-authorize
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: http
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
{{- end }}

11
helm/templates/configmap.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "pomerium.fullname" . }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
data:
policy.yaml: {{toYaml .Values.config.policyFile | indent 4}}

11
helm/templates/ingress.yaml
View file

@ -5,24 +5,21 @@
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ template "pomerium.fullname" . }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.ingress.labels }} {{ toYaml .Values.ingress.labels | indent 4 }} {{- end }}
{{- if .Values.ingress.annotations }}
annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }}
{{- end }}
spec:
rules:
{{- if .Values.ingress.extraRules }}
{{ toYaml .Values.ingress.extraRules | indent 4 }}
{{- end }}
{{- if .Values.ingress.extraRules }}{{ toYaml .Values.ingress.extraRules | indent 4 }}{{- end }}
{{- if .Values.ingress.hosts }}
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}

148
helm/templates/proxy-deployment.yaml Normal file
View file

@ -0,0 +1,148 @@
{{- if not .Values.omnibusMode -}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}-proxy
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: authorize
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: cookie-secret
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: shared-secret
- name: AUTHENTICATE_SERVICE_URL
value: {{ .Values.proxy.authenticateServiceUrl }}
- name: AUTHORIZE_SERVICE_URL
value: {{ .Values.proxy.authorizeServiceUrl }}
{{- if .Values.config.policyFile }}
- name: POLICY_FILE
value: /etc/pomerium/policy.yaml
{{- end }}
{{- if .Values.config.policy}}
- name: POLICY
value: {{ .Values.config.policy }}
{{- end }}
{{- if .Values.config.cert }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate
{{- end }}
{{- if .Values.config.key }}
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-key
{{- end }}
{{- if .Values.config.ca }}
- name: CERTIFICATE_AUTHORITY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-authority
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
volumeMounts:
- mountPath: /etc/pomerium/
name: {{ template "pomerium.fullname" . }}-policy
volumes:
- name: {{ template "pomerium.fullname" . }}-policy
configMap:
name: {{ template "pomerium.fullname" . }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- end }}

31
helm/templates/proxy-service.yaml Normal file
View file

@ -0,0 +1,31 @@
{{- if not .Values.omnibusMode }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "pomerium.fullname" . }}-proxy
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: http
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
{{- end }}

18
helm/templates/secret.yaml
View file

@ -10,18 +10,10 @@ metadata:
namespace: {{ .Release.Namespace }}
type: Opaque
data:
{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }}
idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }}
{{- end }}
cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }}
shared-secret: {{ .Values.config.sharedSecret | b64enc | quote }}
{{- if .Values.config.cert }}
certificate: {{ .Values.config.cert | b64enc | quote }}
{{- end }}
{{- if .Values.config.key }}
certificate-key: {{ .Values.config.key | b64enc | quote }}
{{- end }}
{{- if .Values.config.ca }}
certificate-authority: {{ .Values.config.ca | b64enc | quote }}
{{- end }}
idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }}
idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }}
certificate: {{- if .Values.config.cert }} {{ .Values.config.cert | b64enc | quote }} {{- end }}
certificate-key: {{- if .Values.config.key }} {{ .Values.config.key | b64enc | quote }} {{- end }}
certificate-authority: {{- if .Values.config.ca }} {{ .Values.config.ca | b64enc | quote }} {{- end }}

18
helm/templates/tls-secrets.yaml Normal file
View file

@ -0,0 +1,18 @@
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}

101
helm/values.yaml
View file

@ -1,40 +1,63 @@
# All config settings are required. sharedSecret must match between the authenticate
# and proxy deployments.
config:
sharedSecret: "XXXXXXXX"
cookieSecret: "XXXXXXXX"
services: all
cert:
key:
# All below required if config.services is "authenticate" or "all"
authenticate:
redirectUrl: http://example.com/oauth2/callback
allowedDomains: example.com
proxyRootDomains: example.com
idp:
# For detailed explanation of each of the configuration settings see
# https://www.pomerium.io/docs/config-reference.htmls
# run pomerium in "all-in-one" mode where all services are run from a single node
omnibusMode: false
config: # settings that are shared by all services
sharedSecret: "LL3g/NoKkao7mTec2/wYSOZAki1VbR89q+kqbdFj0c4=" # head -c32 /dev/urandom | base64
cookieSecret: "tAhd5A5Y8R/H/msFhkNdt8dCym2SatVbh4UrcDk3+Ms=" # head -c32 /dev/urandom | base64
cert: # base64 -i cert.pem or using a volume
key: # base64 -i privkey.pem or using a volume
policyFile: |-
- from: httpbin.corp.pomerium.io
to: http://httpbin
allowed_domains:
- pomerium.io
- from: external-httpbin.corp.pomerium.io
to: httpbin.org
allowed_domains:
- gmail.com
- from: weirdlyssl.corp.pomerium.io
to: http://neverssl.com
allowed_users:
- bdd@pomerium.io
allowed_groups:
- admins
- developers
- from: hello.corp.pomerium.io
to: http://hello:8080
allowed_groups:
- admins
authenticate: # values specific to the authenticate service
name: authenticate # container name
redirectUrl: https://auth.corp.pomerium.io/oauth2/callback
proxyRootDomains: pomerium.io
idp: # see https://www.pomerium.io/docs/identity-providers.html
provider: okta
url: https://example.oktapreview.com/oauth2/default
clientID: "XXXXXXXX"
clientSecret: "XXXXXXXX"
# All below required if config.serviceModes is "proxy" or "all"
proxy:
authenticateServiceUrl: https://example.com/oauth2/callback
routes: {}
# routes:
# "http.corp.example.com": "httpbin.org"
# For any other settings that are optional
# ADDRESS, POMERIUM_DEBUG, CERTIFICATE_FILE, CERTIFICATE_KEY_FILE, CERTIFICATE_AUTHORITY_FILE,
# PROXY_ROOT_DOMAIN, COOKIE_DOMAIN, COOKIE_EXPIRE, COOKIE_REFRESH, COOKIE_SECURE, COOKIE_HTTP_ONLY, IDP_SCOPES
# AUTHENTICATE_INTERNAL_URL, AUTHENTICATE_SERVICE_PORT, OVERRIDE_CERTIFICATE_NAME, DEFAULT_UPSTREAM_TIMEOUT, COOKIE_LIFETIME,
authorize: # values specific to the authorize service
name: authorize # container name
proxy: # values specific to the proxy service
name: proxy # container name
authenticateServiceUrl: https://auth.corp.pomerium.io
authorizeServiceUrl: https://access.corp.pomerium.io
# For any other settings that are optional. for a complete listing see:
# https://www.pomerium.io/docs/config-reference.html
extraEnv: {}
extraArgs: {}
extraVolumes: {}
image:
repository: "pomerium/pomerium"
tag: "0.0.1"
tag: "latest"
pullPolicy: "IfNotPresent"
service:
@ -46,20 +69,32 @@ service:
ingress:
enabled: false
path: /
# path: /
# Used to create an Ingress record.
# hosts:
# - chart-example.local
# - "*.corp.example.com"
# - "auth.corp.example.com"
# - "access.corp.example.com"
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# Secrets must be manually created in the namespace.
# - secretName: pomerium-tls
# hosts:
# - chart-example.local
# secrets:
## If you're providing your own certificates, please use this to add the certificates as secrets
## key and certificate should start with -----BEGIN CERTIFICATE----- or
## -----BEGIN RSA PRIVATE KEY-----
##
# - name: pomerium-tls
# key:
# certificate:
resources: {}
resources:
{}
# limits:
# cpu: 100m
# memory: 300Mi

9
internal/identity/google.go
View file

@ -194,14 +194,7 @@ func (p *GoogleProvider) Refresh(ctx context.Context, s *sessions.SessionState)
if err != nil {
return nil, fmt.Errorf("identity/google: could not retrieve groups %v", err)
}
log.Info().
Str("refresh-token", s.RefreshToken).
Str("new-access-token", newToken.AccessToken).
Str("new-expiry", time.Until(newToken.Expiry).String()).
Strs("Groups", groups).
Msg("identity: refresh")
s.Groups = groups
return s, nil
}

2
internal/identity/microsoft.go
View file

@ -181,7 +181,7 @@ func (p *AzureProvider) UserGroups(ctx context.Context, accessToken string) ([]s
}
var groups []string
for _, group := range response.Groups {
log.Info().Str("DisplayName", group.DisplayName).Str("ID", group.ID).Msg("identity/microsoft: group")
log.Debug().Str("DisplayName", group.DisplayName).Str("ID", group.ID).Msg("identity/microsoft: group")
groups = append(groups, group.DisplayName)
}
return groups, nil

2
internal/identity/onelogin.go
View file

@ -135,7 +135,7 @@ func (p *OneLoginProvider) UserGroups(ctx context.Context, accessToken string) (
}
var groups []string
for _, group := range response.Groups {
log.Info().Str("ID", group).Msg("identity/onelogin: group")
log.Debug().Str("ID", group).Msg("identity/onelogin: group")
groups = append(groups, group)
}
return groups, nil

2
internal/log/log.go
View file

@ -15,7 +15,7 @@ var Logger = zerolog.New(os.Stdout).With().Timestamp().Logger()
// SetDebugMode tells the logger to use standard out and pretty print output.
func SetDebugMode() {
Logger = Logger.Output(zerolog.ConsoleWriter{Out: os.Stdout})
zerolog.SetGlobalLevel(zerolog.InfoLevel)
// zerolog.SetGlobalLevel(zerolog.InfoLevel)
}
// With creates a child logger with the field added to its context.

3
internal/policy/policy.go
View file

@ -7,8 +7,6 @@ import (
"strings"
"time"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/fileutil"
yaml "gopkg.in/yaml.v2"
)
@ -55,7 +53,6 @@ func FromConfig(confBytes []byte) ([]Policy, error) {
return nil, err
}
}
log.Info().Msgf("from config %+v", f)
return f, nil
}

57
proto/authorize/mock_authorize/mock_authorize.go Normal file
View file

@ -0,0 +1,57 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/pomerium/pomerium/proto/authorize (interfaces: AuthorizerClient)
// Package mock_authorize is a generated GoMock package.
package mock_authorize
import (
context "context"
reflect "reflect"
gomock "github.com/golang/mock/gomock"
authorize "github.com/pomerium/pomerium/proto/authorize"
grpc "google.golang.org/grpc"
)
// MockAuthorizerClient is a mock of AuthorizerClient interface
type MockAuthorizerClient struct {
ctrl *gomock.Controller
recorder *MockAuthorizerClientMockRecorder
}
// MockAuthorizerClientMockRecorder is the mock recorder for MockAuthorizerClient
type MockAuthorizerClientMockRecorder struct {
mock *MockAuthorizerClient
}
// NewMockAuthorizerClient creates a new mock instance
func NewMockAuthorizerClient(ctrl *gomock.Controller) *MockAuthorizerClient {
mock := &MockAuthorizerClient{ctrl: ctrl}
mock.recorder = &MockAuthorizerClientMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockAuthorizerClient) EXPECT() *MockAuthorizerClientMockRecorder {
return m.recorder
}
// Authorize mocks base method
func (m *MockAuthorizerClient) Authorize(arg0 context.Context, arg1 *authorize.AuthorizeRequest, arg2 ...grpc.CallOption) (*authorize.AuthorizeReply, error) {
m.ctrl.T.Helper()
varargs := []interface{}{arg0, arg1}
for _, a := range arg2 {
varargs = append(varargs, a)
}
ret := m.ctrl.Call(m, "Authorize", varargs...)
ret0, _ := ret[0].(*authorize.AuthorizeReply)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// Authorize indicates an expected call of Authorize
func (mr *MockAuthorizerClientMockRecorder) Authorize(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
varargs := append([]interface{}{arg0, arg1}, arg2...)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Authorize", reflect.TypeOf((*MockAuthorizerClient)(nil).Authorize), varargs...)
}

6
proxy/clients/authenticate_client.go
View file

@ -23,9 +23,9 @@ type Authenticator interface {
Close() error
}
// NewAuthenticateClient returns a new authenticate service client.
// NewAuthenticateClient returns a new authenticate service client. Presently,
// only gRPC is supported and is always returned so name is ignored.
func NewAuthenticateClient(name string, opts *Options) (a Authenticator, err error) {
// Only gRPC is supported and is always returned so name is ignored
return NewGRPCAuthenticateClient(opts)
}
@ -112,8 +112,6 @@ func (a *AuthenticateGRPC) Validate(ctx context.Context, idToken string) (bool,
// }
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel()
// todo(bdd): add grpc specific timeouts to main options
// todo(bdd): handle request id (metadata!?) in grpc receiver and add to ctx logger
r, err := a.client.Validate(ctx, &pb.ValidateRequest{IdToken: idToken})
if err != nil {
return false, err

36
proxy/clients/authorize_client_test.go
View file

@ -4,37 +4,35 @@ import (
"context"
"testing"
"github.com/golang/mock/gomock"
"github.com/pomerium/pomerium/internal/sessions"
pb "github.com/pomerium/pomerium/proto/authorize"
"google.golang.org/grpc"
"github.com/pomerium/pomerium/proto/authorize"
mock "github.com/pomerium/pomerium/proto/authorize/mock_authorize"
)
func TestAuthorizeGRPC_Authorize(t *testing.T) {
type fields struct {
Conn *grpc.ClientConn
client pb.AuthorizerClient
}
type args struct {
ctx context.Context
route string
s *sessions.SessionState
}
ctrl := gomock.NewController(t)
defer ctrl.Finish()
client := mock.NewMockAuthorizerClient(ctrl)
client.EXPECT().Authorize(
gomock.Any(),
gomock.Any(),
).Return(&authorize.AuthorizeReply{IsValid: true}, nil).AnyTimes()
tests := []struct {
name string
fields fields
args args
route string
s *sessions.SessionState
want bool
wantErr bool
}{
// TODO: Add test cases.
{"good", "hello.pomerium.io", &sessions.SessionState{User: "admin@pomerium.io", Email: "admin@pomerium.io"}, true, false},
{"session cannot be nil", "hello.pomerium.io", nil, false, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a := &AuthorizeGRPC{
Conn: tt.fields.Conn,
client: tt.fields.client,
}
got, err := a.Authorize(tt.args.ctx, tt.args.route, tt.args.s)
a := &AuthorizeGRPC{client: client}
got, err := a.Authorize(context.Background(), tt.route, tt.s)
if (err != nil) != tt.wantErr {
t.Errorf("AuthorizeGRPC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
return

4
proxy/clients/clients.go
View file

@ -86,9 +86,7 @@ func NewGRPCClientConn(opts *Options) (*grpc.ClientConn, error) {
cp = newCp
}
log.Info().
Str("OverrideCertificateName", opts.OverrideCertificateName).
Str("addr", connAddr).Msgf("proxy/clients: grpc connection")
log.Debug().Str("cert-override-name", opts.OverrideCertificateName).Str("addr", connAddr).Msgf("proxy/clients: grpc connection")
cert := credentials.NewTLS(&tls.Config{RootCAs: cp})
// override allowed certificate name string, typically used when doing behind ingress connection

2
proxy/handlers.go
View file

@ -212,7 +212,7 @@ func (p *Proxy) OAuthCallback(w http.ResponseWriter, r *http.Request) {
return
}
log.FromRequest(r).Info().
log.FromRequest(r).Debug().
Str("code", r.Form.Get("code")).
Str("state", r.Form.Get("state")).
Str("RefreshToken", session.RefreshToken).

2
proxy/proxy.go
View file

@ -79,7 +79,7 @@ var defaultOptions = &Options{
DefaultUpstreamTimeout: time.Duration(30) * time.Second,
}
// OptionsFromEnvConfig builds the IdentityProvider service's configuration
// OptionsFromEnvConfig builds the identity provider service's configuration
// options from provided environmental variables
func OptionsFromEnvConfig() (*Options, error) {
o := defaultOptions

16
scripts/generate_wildcard_cert.sh
View file

@ -1,16 +1,10 @@
#!/bin/bash
# requires acme.sh
# see : https://github.com/Neilpang/acme.sh
# uncomment below to install
# requires acme.sh see : https://github.com/Neilpang/acme.sh
# curl https://get.acme.sh | sh
# assumes cloudflare, but many DNS providers are supported
export CF_Key="x"
export CF_Email="x@x.com"
echo "=> manually issue a wildcard certificate, renewal is up to you!"
$HOME/.acme.sh/acme.sh \
--issue \
-k ec-256 \
-d '*.corp.beyondperimeter.com' \
--dns dns_cf
--dns \
--yes-I-know-dns-manual-mode-enough-go-ahead-please

47
scripts/helm_gke.sh Executable file
View file

@ -0,0 +1,47 @@
#!/bin/bash
# PRE-REQ:
# 1) Install Helm : You should verify the content of this script before running.
# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
echo "=> [GCE] creating cluster"
gcloud container clusters create pomerium
echo "=> [GCE] get cluster credentials so we can use kubctl locally"
gcloud container clusters get-credentials pomerium
echo "=> [GCE] ensure your user account has the cluster-admin role in your cluster"
kubectl create \
clusterrolebinding \
user-admin-binding \
--clusterrole=cluster-admin \
--user=$(gcloud config get-value account)
echo "=> Create a service account that Tiller, the server side of Helm, can use for deploying your charts."
kubectl create serviceaccount tiller --namespace kube-system
echo "=> Grant the Tiller service account the cluster-admin role in your cluster"
kubectl create clusterrolebinding tiller-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
echo "=> initialize Helm to install Tiller in your cluster"
helm init --service-account=tiller
helm repo update
echo "=> install pomerium with helm substituting configuration values as required; be sure to change these"
helm install helm/. \
--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
--set config.cert=$(base64 -i cert.pem) \
--set config.key=$(base64 -i privkey.pem) \
--set config.policy=$(cat policy.example.yaml) \
--set authentiate.idp.provider="google" \
--set authentiate.proxyRootDomains="pomerium.io" \
--set authentiate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
--set authentiate.idp.clientID="REPLACE_ME" \
--set authentiate.idp.clientSecret="REPLACE_ME" \
--set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
--set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
# When done, clean up by deleting the cluster!
#
# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES!
# gcloud container clusters delete pomerium

6
scripts/kubernetes_gke.sh
View file

@ -28,8 +28,8 @@ kubectl create configmap -n pomerium policy --from-literal=policy=$(cat policy.e
echo "=> settingidp-client-secret, you changed this right? :)"
exit 1 # comment out or delete this line once you change the following two settings
# kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACEME
# kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json)
kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACE_ME
kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json)
echo "=> apply the proxy, authorize, and authenticate deployment configs"
kubectl apply -f docs/docs/examples/kubernetes/authorize.deploy.yml
@ -48,4 +48,4 @@ kubectl apply -f docs/docs/examples/kubernetes/ingress.yml
# kubectl apply -f docs/docs/examples/kubernetes/ingress.nginx.yml
# When done, clean up by deleting the cluster!
# gcloud container clusters delete pomerium
# gcloud container clusters delete pomerium

47
scripts/self-signed-sign-key.sh
View file

@ -1,47 +0,0 @@
#!/bin/bash
# Thank you @ https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe
# See also:
# https://cloud.google.com/iot/docs/how-tos/credentials/keys#generating_an_es256_key_with_a_self-signed_x509_certificate
# https://community.letsencrypt.org/t/ecc-certificates/46729
#
# Lets Encrypt currently generates RSA certificates, but not yet ECDSA certificates.
# Support for generating ECDSA certificates is on the horizon, but is not here yet.
# However, Lets Encrypt does support *signing* ECDSA certificates when presented with a
# Certificate Signing Request. So we can generate the appropriate CSR on the client,
# and send it to Lets Encrypt using the --csr option of the certbot client for Lets Encrypt to sign.
# The following generates a NIST P-256 (aka secp256r1 aka prime256v1) EC Key Pair
openssl ecparam \
-genkey \
-name prime256v1 \
-noout \
-out ec_private.pem
openssl req -x509 -new \
-key ec_private.pem \
-days 365 \
-out ec_public.pem \
-subj "/CN=unused"
openssl req -new \
-sha512 \
-key privkey.pem \
-nodes \
-subj "/CN=beyondperimeter.com" \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.corp.beyondperimeter.com')) \
-out csr.pem \
-outform pem
openssl req -in csr.pem -noout -text
certbot certonly \
--preferred-challenges dns-01 \
--work-dir le/work \
--config-dir le/config \
--logs-dir le/logs \
--agree-tos \
--email bobbydesimone@gmail.com \
-d *.corp.beyondperimeter.com \
--csr csr.pem