From 45e6a8dc574e6f528dfb32795e725ea1c4fa88fa Mon Sep 17 00:00:00 2001 
From: Bobby DeSimone Date: Tue, 19 Mar 2019 10:55:41 -0700 Subject: [PATCH] docs: update changelog, documentaiton, and helm configurations. (#63) - Update changelog. - Update docs to cover authorization support. - Updates helm to support authorization, and policy file. --- CHANGELOG.md | 47 ++--- authenticate/authenticate.go | 2 +- authenticate/handlers.go | 4 +- cmd/pomerium/options.go | 2 +- docs/docs/config-reference.md | 4 +- docs/docs/examples.md | 10 +- .../examples/docker/nginx.docker-compose.yml | 1 - .../kubernetes/authenticate.deploy.yml | 2 +- env.example | 15 +- go.mod | 4 +- go.sum | 12 +- helm/Chart.yaml | 23 ++- helm/templates/_helpers.tpl | 9 +- helm/templates/all-in-one-deployment.yaml | 167 ++++++++++++++++++ .../{service.yaml => all-in-one-service.yaml} | 4 +- ...ment.yaml => authenticate-deployment.yaml} | 68 +++---- helm/templates/authenticate-service.yaml | 31 ++++ helm/templates/authorize-deployment.yaml | 140 +++++++++++++++ helm/templates/authorize-service.yaml | 31 ++++ helm/templates/configmap.yaml | 11 ++ helm/templates/ingress.yaml | 11 +- helm/templates/proxy-deployment.yaml | 148 ++++++++++++++++ helm/templates/proxy-service.yaml | 31 ++++ helm/templates/secret.yaml | 18 +- helm/templates/tls-secrets.yaml | 18 ++ helm/values.yaml | 101 +++++++---- internal/identity/google.go | 9 +- internal/identity/microsoft.go | 2 +- internal/identity/onelogin.go | 2 +- internal/log/log.go | 2 +- internal/policy/policy.go | 3 - .../mock_authorize/mock_authorize.go | 57 ++++++ proxy/clients/authenticate_client.go | 6 +- proxy/clients/authorize_client_test.go | 36 ++-- proxy/clients/clients.go | 4 +- proxy/handlers.go | 2 +- proxy/proxy.go | 2 +- scripts/generate_wildcard_cert.sh | 16 +- scripts/helm_gke.sh | 47 +++++ scripts/kubernetes_gke.sh | 6 +- scripts/self-signed-sign-key.sh | 47 ----- 41 files changed, 901 insertions(+), 254 deletions(-) create mode 100644 helm/templates/all-in-one-deployment.yaml rename helm/templates/{service.yaml => 
all-in-one-service.yaml} (94%) rename helm/templates/{deployment.yaml => authenticate-deployment.yaml} (87%) create mode 100644 helm/templates/authenticate-service.yaml create mode 100644 helm/templates/authorize-deployment.yaml create mode 100644 helm/templates/authorize-service.yaml create mode 100644 helm/templates/configmap.yaml create mode 100644 helm/templates/proxy-deployment.yaml create mode 100644 helm/templates/proxy-service.yaml create mode 100644 helm/templates/tls-secrets.yaml create mode 100644 proto/authorize/mock_authorize/mock_authorize.go create mode 100755 scripts/helm_gke.sh delete mode 100755 scripts/self-signed-sign-key.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 774356d81..2099fb8fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,33 +1,36 @@ # Pomerium Changelog -## Unreleased +## vUNRELEASED **FEATURES:** - * **Authorization** : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. - * **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows: - - Google requires the [Admin SDK](https://developers.google.com/admin-sdk/directory/) to enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file. - - Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made. - - Microsoft Azure Active Directory requires the application be given an [additional API permission](https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0), `Directory.Read.All`. - - Onelogin requires the [groups](https://developers.onelogin.com/openid-connect/scopes) was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the [user-info api endpoint](https://developers.onelogin.com/openid-connect/api/user-info). - * **WebSocket Support** : With [Go 1.12](https://golang.org/doc/go1.12#net/http/httputil) pomerium automatically proxies WebSocket requests. +- **Authorization** : The authorization module adds support for per-route access policy. 
In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. +- **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows: + + - Google requires the [Admin SDK](https://developers.google.com/admin-sdk/directory/) to enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file. + - Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made. + - Microsoft Azure Active Directory requires the application be given an [additional API permission](https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0), `Directory.Read.All`. + - Onelogin requires the [groups](https://developers.onelogin.com/openid-connect/scopes) was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the [user-info api endpoint](https://developers.onelogin.com/openid-connect/api/user-info). + +- **WebSocket Support** : With [Go 1.12](https://golang.org/doc/go1.12#net/http/httputil) pomerium automatically proxies WebSocket requests. **CHANGED**: - * Updated `env.example` to include a `POLICY` setting example. - * Added `IDP_SERVICE_ACCOUNT` to `env.example` . - * Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. - * Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. 
Authorization is now handled by the authorization service and is defined in the policy configuration files. - * Removed `ROUTES` settings which has been replaced by `POLICY`. - * Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result. - * Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`). - * Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours ~ roughly one business day. - * Moved identity (`authenticate/providers`) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes. - * Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts. - * Session expiration times are truncated at the second. - * **Removed gitlab provider**. We can't support groups until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed. - * Request context is now maintained throughout request-flow via the [context package](https://golang.org/pkg/context/) enabling timeouts, request tracing, and cancellation. +- Updated `generate_wildcard_cert.sh` to generate a elliptic curve 256 cert by default. +- Updated `env.example` to include a `POLICY` setting example. +- Added `IDP_SERVICE_ACCOUNT` to `env.example` . +- Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. +- Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. +- Removed `ROUTES` settings which has been replaced by `POLICY`. +- Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result. 
+- Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`). +- Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours ~ roughly one business day. +- Moved identity (`authenticate/providers`) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes. +- Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts. +- Session expiration times are truncated at the second. +- **Removed gitlab provider**. We can't support groups until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed. +- Request context is now maintained throughout request-flow via the [context package](https://golang.org/pkg/context/) enabling timeouts, request tracing, and cancellation. **FIXED:** -* `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. [GH-58] +- `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. [GH-58] diff --git a/authenticate/authenticate.go b/authenticate/authenticate.go index 7717ebfa2..d10a8465b 100644 --- a/authenticate/authenticate.go +++ b/authenticate/authenticate.go @@ -44,7 +44,7 @@ type Options struct { CookieExpire time.Duration `envconfig:"COOKIE_EXPIRE"` CookieRefresh time.Duration `envconfig:"COOKIE_REFRESH"` - // IdentityProvider provider configuration variables as specified by RFC6749 + // Identity provider configuration variables as specified by RFC6749 // https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749 ClientID string `envconfig:"IDP_CLIENT_ID"` ClientSecret string `envconfig:"IDP_CLIENT_SECRET"` 
diff --git a/authenticate/handlers.go b/authenticate/handlers.go index 70b41ef7a..dc0372468 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -118,11 +118,11 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request) (*se func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) { session, err := a.authenticate(w, r) if err != nil { - log.FromRequest(r).Info().Err(err).Msg("authenticate: authenticate error") + log.FromRequest(r).Warn().Err(err).Msg("authenticate: authenticate error") a.sessionStore.ClearSession(w, r) a.OAuthStart(w, r) } - log.FromRequest(r).Info().Msg("authenticate: user authenticated") + log.FromRequest(r).Debug().Msg("authenticate: user authenticated") a.ProxyCallback(w, r, session) } diff --git a/cmd/pomerium/options.go b/cmd/pomerium/options.go index d3fdb27a0..867ce124b 100644 --- a/cmd/pomerium/options.go +++ b/cmd/pomerium/options.go @@ -42,7 +42,7 @@ var defaultOptions = &Options{ Services: "all", } -// optionsFromEnvConfig builds the IdentityProvider service's configuration +// optionsFromEnvConfig builds the main binary's configuration // options from provided environmental variables func optionsFromEnvConfig() (*Options, error) { o := defaultOptions diff --git a/docs/docs/config-reference.md b/docs/docs/config-reference.md index ccffd04fa..d5c565269 100644 --- a/docs/docs/config-reference.md +++ b/docs/docs/config-reference.md @@ -62,7 +62,7 @@ Policy contains the routes, and their access policies. For example, By default, JSON encoded logs are produced. Debug enables colored, human-readable, and more verbose logs to be streamed to [standard out](https://en.wikipedia.org/wiki/Standard_streams#Standard_output_(stdout)). In production, it's recommended to be set to `false`. -For example, if `true`. +For example, if `true` ``` 10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124 
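Review bot: The error branch of `SignIn` has no `return` after `a.OAuthStart(w, r)`, so when `a.authenticate` fails the handler still falls through to the `authenticate: user authenticated` debug line and to `a.ProxyCallback(w, r, session)` with whatever `session` holds on the error path (presumably nil); this commit only changes the two log levels and leaves that fall-through in place. The consequence is a second response being written after OAuthStart has already started its redirect, on top of the likely nil dereference, and from a security standpoint it lets a failed authentication continue into the success path. Add `return` directly after `a.OAuthStart(w, r)`.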
@@ -71,7 +71,7 @@ For example, if `true`. 10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.corp.beyondperimeter.com:443 ``` -If `false`: +If `false` ``` {"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"} diff --git a/docs/docs/examples.md b/docs/docs/examples.md index 91eb0dfce..778fd3eb3 100644 --- a/docs/docs/examples.md +++ b/docs/docs/examples.md @@ -61,7 +61,7 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp ### Google Kubernetes Engine - Uses GKE's built-in ingress to do [HTTPS load balancing] -- HTTPS (TLS) between client and load balancer +- HTTPS (TLS) between client, load balancer, and services - Routes default to hosted version of httpbin.org - Includes all-in-one script @@ -77,6 +77,14 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp <<< @/docs/docs/examples/kubernetes/authenticate.service.yml +#### authorize.deploy.yml + +<<< @/docs/docs/examples/kubernetes/authorize.deploy.yml + +#### authorize.service.yml + +<<< @/docs/docs/examples/kubernetes/authorize.service.yml + #### proxy.deploy.yml <<< @/docs/docs/examples/kubernetes/proxy.deploy.yml diff --git a/docs/docs/examples/docker/nginx.docker-compose.yml b/docs/docs/examples/docker/nginx.docker-compose.yml index f00df1057..8a116275e 100644 --- a/docs/docs/examples/docker/nginx.docker-compose.yml +++ b/docs/docs/examples/docker/nginx.docker-compose.yml @@ -1,5 +1,4 @@ version: "3" - services: nginx: image: pomerium/nginx-proxy:latest diff --git a/docs/docs/examples/kubernetes/authenticate.deploy.yml b/docs/docs/examples/kubernetes/authenticate.deploy.yml index 135a39e32..d6b4f4acc 100644 --- a/docs/docs/examples/kubernetes/authenticate.deploy.yml +++ b/docs/docs/examples/kubernetes/authenticate.deploy.yml 
@@ -32,7 +32,7 @@ spec: - name: IDP_PROVIDER_URL value: https://accounts.google.com - name: IDP_CLIENT_ID - value: 851877082059-bfgkpj09noog7as3gpc3t7r6n9sjbgs6.apps.googleusercontent.com + value: 851877082059-bfgkpj09noog7as3gpc3t7r6n9sjbgs6.apps.googleusercontent.com - name: PROXY_ROOT_DOMAIN value: beyondperimeter.com - name: SHARED_SECRET diff --git a/env.example b/env.example index 0c320ec88..cd56cbd6b 100644 --- a/env.example +++ b/env.example @@ -14,8 +14,6 @@ export CERTIFICATE_KEY_FILE="./privkey.pem" # optional, defaults to `./certprivk # The URL that the identity provider will call back after authenticating the user export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback" -# Allow users with emails from the following domain post-fix (e.g. example.com) -export ALLOWED_DOMAINS=* # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64` export SHARED_SECRET=9wiTZq4qvmS/plYQyvzGKWPlH/UBy0DMYMA2x/zngrM= export COOKIE_SECRET=uPGHo1ujND/k3B9V6yr52Gweq3RRYfFho98jxDG5Br8= @@ -43,9 +41,8 @@ export IDP_CLIENT_ID="REPLACE-ME.googleusercontent.com" export IDP_CLIENT_SECRET="REPLACEME" # IF GSUITE and you want to get user groups you will need to set a service account -# see identity provider docs for gooogle for more info : -# GSUITE_JSON_SERVICE_ACCOUNT='{"impersonate_user": "bdd@pomerium.io"}' -# export IDP_SERVICE_ACCOUNT=$(echo $GSUITE_JSON_SERVICE_ACCOUNT | base64) +# see identity provider docs for gooogle for more info : +# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64) # OKTA # export IDP_PROVIDER="okta" 
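Review bot: The new one-liner `export IDP_SERVICE_ACCOUNT=$(echo '{...}' | base64)` encodes the trailing newline that `echo` emits, and with a real key file (this commit's CHANGELOG says the value is the base64 of the service account's key file, which is far longer than the placeholder) GNU `base64` wraps its output at 76 columns, so the `export` is split across lines. A portable form that avoids both is `export IDP_SERVICE_ACCOUNT=$(base64 < "$KEY_FILE" | tr -d '\n')` with `$KEY_FILE` as a placeholder for the downloaded key; whether the decoder on the Go side tolerates an embedded newline I cannot tell from here.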
@@ -61,7 +58,7 @@ export IDP_CLIENT_SECRET="REPLACEME" # export SCOPE="openid email" # generally, you want the default OIDC scopes -# Proxied routes and per-route policies are defined in a policy provided either -# directly as a base64 encoded yaml/json file, or as a path pointing to a -# policy file (`POLICY_FILE`) - export POLICY_FILE="./policy.example.yml" +# Proxied routes and per-route policies are defined in a policy provided either +# directly as a base64 encoded yaml/json file, or as a path pointing to a +# policy file (`POLICY_FILE`) +export POLICY_FILE="./policy.example.yml" diff --git a/go.mod b/go.mod index 15dec5ba0..a2459c461 100644 --- a/go.mod +++ b/go.mod @@ -3,16 +3,14 @@ module github.com/pomerium/pomerium go 1.12 require ( + github.com/davecgh/go-spew v1.1.1 // indirect github.com/golang/mock v1.2.0 github.com/golang/protobuf v1.3.0 - github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c // indirect - github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 // indirect github.com/pomerium/envconfig v1.4.0 github.com/pomerium/go-oidc v2.0.0+incompatible github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect github.com/rs/zerolog v1.12.0 github.com/stretchr/testify v1.3.0 // indirect - golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8 // indirect golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25 golang.org/x/net v0.0.0-20190228165749-92fc7df08ae7 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 diff --git a/go.sum b/go.sum index 414616a68..dbabb219c 100644 --- a/go.sum +++ b/go.sum 
@@ -7,6 +7,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -18,20 +20,12 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y github.com/golang/protobuf v1.3.0 h1:kbxbvI4Un1LUWKxufD+BiE6AEExYYgkQLQmLFqA1LFk= github.com/golang/protobuf v1.3.0/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c h1:hqIMb/MbwYamune8FA5YtFAVzfTE8OXRtg9Nf0rzmqo= -github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pomerium/envconfig v1.3.0 h1:/qJ+JOrWKkd/MgSrBDQ6xYJ7sxzqxiIAB/3qgHwdrHY= -github.com/pomerium/envconfig v1.3.0/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc= -github.com/pomerium/envconfig v1.3.1-0.20190112072701-14cbcf832d31 h1:bNqUesLWa+RUxQvSaV3//dEFviXdCSvMF9GKDOopFLU= -github.com/pomerium/envconfig v1.3.1-0.20190112072701-14cbcf832d31/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc= github.com/pomerium/envconfig v1.4.0 h1:o+WY/E/9M4fh0nDX7oJodU7N9p1hcHPsTnNLYjlbQA8= github.com/pomerium/envconfig v1.4.0/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc= 
github.com/pomerium/go-oidc v2.0.0+incompatible h1:gVvG/ExWsHQqatV+uceROnGmbVYF44mDNx5nayBhC0o= @@ -48,8 +42,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= -golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8 h1:G3kY3WDPiChidkYzLqbniw7jg23paUtzceZorG6YAJw= -golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8/go.mod h1:cYlCBUl1MsqxdiKgmc4uh7TxZfWSFLOGSRR090WDxt8= golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25 h1:jsG6UpNLt9iAsb0S2AGW28DveNzzgmbXR+ENoPjUeIU= golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= diff --git a/helm/Chart.yaml b/helm/Chart.yaml index f03ba2654..d07d22f94 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -1,17 +1,26 @@ -name: pomerium -version: 0.0.1 apiVersion: v1 -appVersion: 0.0.1 +name: pomerium +version: 0.0.3 +appVersion: 0.0.3 home: http://www.pomerium.io/ -description: A reverse proxy that provides IdentityProvider with Google, Okta, Azure or other providers +icon: https://www.pomerium.io/logo.svg +description: Pomerium is an identity-aware access proxy. keywords: -- kubernetes -- oauth +- proxy +- access-proxy +- reverse-proxy +- sso +- openid connect - oauth2 -- IdentityProvider +- authorization +- authentication - google - okta - azure sources: - https://github.com/pomerium/pomerium engine: gotpl + +maintainers: +- name: bobby desimone + email: bobby.desimone@gmail.com diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl index 00b69501e..527f08e9a 100644 --- a/helm/templates/_helpers.tpl +++ b/helm/templates/_helpers.tpl 
@@ -1,7 +1,5 @@ {{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} +{{/*Expand the name of the chart.*/}} {{- define "pomerium.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -24,9 +22,8 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{/* -Create chart name and version as used by the chart label. -*/}} + +{{/*Create chart name and version as used by the chart label.*/}} {{- define "pomerium.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/helm/templates/all-in-one-deployment.yaml b/helm/templates/all-in-one-deployment.yaml new file mode 100644 index 000000000..f14e828e1 --- /dev/null +++ b/helm/templates/all-in-one-deployment.yaml 
@@ -0,0 +1,167 @@ +{{- if .Values.omnibusMode -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "pomerium.fullname" . }} +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ template "pomerium.name" . }} + release: {{ .Release.Name }} + template: + metadata: +{{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: +{{- range $key, $value := .Values.extraArgs }} +{{- if $value }} + - --{{ $key }}={{ $value }} +{{- else }} + - --{{ $key }} +{{- end }} +{{- end }} + env: + - name: SERVICES + value: all + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: cookie-secret + - name: SHARED_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . 
}} + key: shared-secret + - name: AUTHENTICATE_SERVICE_URL + value: {{ .Values.proxy.authenticateServiceUrl }} + - name: AUTHORIZE_SERVICE_URL + value: {{ .Values.proxy.authorizeServiceUrl }} + - name: REDIRECT_URL + value: {{ .Values.authenticate.redirectUrl }} + - name: PROXY_ROOT_DOMAIN + value: {{ .Values.authenticate.proxyRootDomains }} + - name: IDP_PROVIDER + value: {{ .Values.authenticate.idp.provider }} + - name: IDP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: idp-client-id + - name: IDP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: idp-client-secret +{{- if .Values.authenticate.idp.url }} + - name: IDP_PROVIDER_URL + value: {{ .Values.authenticate.idp.url }} +{{- end }} +{{- if .Values.config.policyFile }} + - name: POLICY_FILE + value: /etc/pomerium/policy.yaml +{{- end }} +{{- if .Values.config.policy}} + - name: POLICY + value: {{ .Values.config.policy }} +{{- end }} +{{- if .Values.config.cert }} + - name: CERTIFICATE + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate +{{- end }} +{{- if .Values.config.key }} + - name: CERTIFICATE_KEY + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate-key +{{- end }} +{{- if .Values.config.ca }} + - name: CERTIFICATE_AUTHORITY + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate-authority +{{- end }} +{{- range $name, $value := .Values.extraEnv }} + - name: {{ $name }} + value: {{ quote $value }} +{{- end }} + ports: + - containerPort: 443 + name: https + protocol: TCP + livenessProbe: + httpGet: + path: /ping + port: https + scheme: HTTPS + readinessProbe: + httpGet: + path: /ping + port: https + scheme: HTTPS + + volumeMounts: + - mountPath: /etc/pomerium/ + name: {{ template "pomerium.fullname" . }}-policy + + volumes: + - name: {{ template "pomerium.fullname" . 
}}-policy + configMap: + name: {{ template "pomerium.fullname" . }} + + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- if .Values.extraVolumes }} + volumes: +{{- toYaml .Values.extraVolumes | indent 8 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- end }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/helm/templates/service.yaml b/helm/templates/all-in-one-service.yaml similarity index 94% rename from helm/templates/service.yaml rename to helm/templates/all-in-one-service.yaml index 9c0f09d80..1292e0670 100644 --- a/helm/templates/service.yaml +++ b/helm/templates/all-in-one-service.yaml @@ -1,6 +1,8 @@ +{{- if .Values.omnibusMode -}} apiVersion: v1 kind: Service metadata: + name: {{ template "pomerium.fullname" . }} labels: app: {{ template "pomerium.name" . }} chart: {{ template "pomerium.chart" . }} @@ -9,7 +11,6 @@ metadata: {{- if .Values.service.labels }} {{ toYaml .Values.service.labels | indent 4 }} {{- end }} - name: {{ template "pomerium.fullname" . }} {{- if .Values.service.annotations }} annotations: {{ toYaml .Values.service.annotations | indent 4 }} @@ -27,3 +28,4 @@ spec: selector: app: {{ template "pomerium.name" . }} release: {{ .Release.Name }} +{{- end -}} diff --git a/helm/templates/deployment.yaml b/helm/templates/authenticate-deployment.yaml similarity index 87% rename from helm/templates/deployment.yaml rename to helm/templates/authenticate-deployment.yaml index 0c8f62c73..b9aaeb4a9 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/authenticate-deployment.yaml 
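Review bot: The pod spec in all-in-one-deployment.yaml ends up with two `volumes:` keys once `.Values.extraVolumes` is set, the unconditional one for the `-policy` configMap and the one under `{{- if .Values.extraVolumes }}`, and depending on the YAML decoder that either fails the render or silently drops one list; the collapsed diff does not let me confirm the indentation of the first `volumes:`, and if it actually sits under the container it is an unknown field rather than a duplicate. Either way, merge `extraVolumes` into the single list and guard the policy mount with the same `.Values.config.policyFile` condition that gates `POLICY_FILE`, so a release without a policy file does not depend on a configMap it never uses. Separately, `PROXY_ROOT_DOMAIN` is still passed from `.Values.authenticate.proxyRootDomains` here and in authenticate-deployment.yaml, while this commit's CHANGELOG entry says that setting was removed in favour of `POLICY`; if the binary no longer reads it, drop it (or document it) so operators do not rely on a no-op. The bare `value: {{ .Values.config.policy }}` should also use `| quote` like the `extraEnv` entries do, so the rendered policy blob is always a string scalar.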
@@ -1,3 +1,4 @@ +{{- if not .Values.omnibusMode -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -6,7 +7,7 @@ metadata: chart: {{ template "pomerium.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: {{ template "pomerium.fullname" . }} + name: {{ template "pomerium.fullname" . }}-authenticate {{- if .Values.annotations }} annotations: {{ toYaml .Values.annotations | indent 4 }} @@ -49,7 +50,7 @@ spec: {{- end }} env: - name: SERVICES - value: {{ .Values.config.services }} + value: authenticate - name: COOKIE_SECRET valueFrom: secretKeyRef: @@ -60,6 +61,27 @@ spec: secretKeyRef: name: {{ template "pomerium.fullname" . }} key: shared-secret + - name: REDIRECT_URL + value: {{ .Values.authenticate.redirectUrl }} + - name: PROXY_ROOT_DOMAIN + value: {{ .Values.authenticate.proxyRootDomains }} + - name: IDP_PROVIDER + value: {{ .Values.authenticate.idp.provider }} + - name: IDP_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: idp-client-id + - name: IDP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: idp-client-secret +{{- if .Values.authenticate.idp.url }} + - name: IDP_PROVIDER_URL + value: {{ .Values.authenticate.idp.url }} +{{- end }} + {{- if .Values.config.cert }} - name: CERTIFICATE valueFrom: 
@@ -81,34 +103,6 @@ spec: name: {{ template "pomerium.fullname" . }} key: certificate-authority {{- end }} -{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }} - - name: REDIRECT_URL - value: {{ .Values.authenticate.redirectUrl }} - - name: ALLOWED_DOMAINS - value: {{ .Values.authenticate.allowedDomains }} - - name: PROXY_ROOT_DOMAIN - value: {{ .Values.authenticate.proxyRootDomains }} - - name: IDP_PROVIDER - value: {{ .Values.authenticate.idp.provider }} - - name: IDP_PROVIDER_URL - value: {{ .Values.authenticate.idp.url }} - - name: IDP_CLIENT_ID - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: idp-client-id - - name: IDP_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "pomerium.fullname" . }} - key: idp-client-secret -{{- end }} -{{- if or (eq .Values.config.services "proxy") (eq .Values.config.services "all") }} - - name: AUTHENTICATE_SERVICE_URL - value: {{ .Values.proxy.authenticateServiceUrl }} - - name: ROUTES - value: {{ template "pomerium.routestring" . }} -{{- end }} {{- range $name, $value := .Values.extraEnv }} - name: {{ $name }} value: {{ quote $value }} @@ -127,7 +121,18 @@ spec: path: /ping port: https scheme: HTTPS - resources: + + + volumeMounts: + - mountPath: /etc/pomerium/ + name: {{ template "pomerium.fullname" . }}-policy + + volumes: + - name: {{ template "pomerium.fullname" . }}-policy + configMap: + name: {{ template "pomerium.fullname" . }} + + resources: {{ toYaml .Values.resources | indent 10 }} {{- if .Values.extraVolumes }} volumes: @@ -149,3 +154,4 @@ spec: affinity: {{ toYaml .Values.affinity | indent 8 }} {{- end }} +{{- end -}} \ No newline at end of file diff --git a/helm/templates/authenticate-service.yaml b/helm/templates/authenticate-service.yaml new file mode 100644 index 000000000..acf63edb8 --- /dev/null +++ b/helm/templates/authenticate-service.yaml 
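Review bot: The `volumeMounts`/`volumes` block added before `resources:` mounts the policy configMap into the authenticate pod, but this deployment sets neither `POLICY_FILE` nor `POLICY` (those appear only in the all-in-one and authorize templates in this commit), so the mount looks like configuration copied across rather than something the service reads; if authenticate does not consume the policy, drop it. Also `volumes:` is rendered unconditionally here and then again under `{{- if .Values.extraVolumes }}`, which produces a duplicate key in the pod spec when extra volumes are set; the collapsed diff does not let me confirm the indentation, and if the first `volumes:` is nested under the container it is an unknown field instead. Merging `extraVolumes` into the one list fixes either reading.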
@@ -0,0 +1,31 @@ +{{- if not .Values.omnibusMode -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "pomerium.fullname" . }}-authenticate + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4 }} +{{- end }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: https + protocol: TCP + name: http +{{- if hasKey .Values.service "nodePort" }} + nodePort: {{ .Values.service.nodePort }} +{{- end }} + selector: + app: {{ template "pomerium.name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/helm/templates/authorize-deployment.yaml b/helm/templates/authorize-deployment.yaml new file mode 100644 index 000000000..728fa30b3 --- /dev/null +++ b/helm/templates/authorize-deployment.yaml 
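Review bot: The Service selector `app: {{ template "pomerium.name" . }}` plus `release: {{ .Release.Name }}` matches every pod this chart creates, and the authorize and proxy Services in the same change use the identical selector, so in split mode each Service load-balances across authenticate, authorize and proxy pods alike. Requests for the authenticate endpoint can therefore land on a proxy or authorize pod and fail, and the three Deployments' `matchLabels` overlap the same way. Add a per-service label to the selector, e.g. `component: authenticate`, and set the same label on the authenticate Deployment's pod template and `matchLabels` (outside this hunk). The port is named `http` while `targetPort: https` is a TLS listener; naming it `https` avoids misleading ingress controllers that infer protocol from the port name.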
@@ -0,0 +1,140 @@ +{{- if not .Values.omnibusMode -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "pomerium.fullname" . }}-authorize +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ template "pomerium.name" . }} + release: {{ .Release.Name }} + template: + metadata: +{{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: +{{- range $key, $value := .Values.extraArgs }} +{{- if $value }} + - --{{ $key }}={{ $value }} +{{- else }} + - --{{ $key }} +{{- end }} +{{- end }} + env: + - name: SERVICES + value: authorize + - name: SHARED_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: shared-secret +{{- if .Values.config.policyFile }} + - name: POLICY_FILE + value: /etc/pomerium/policy.yaml +{{- end }} +{{- if .Values.config.policy}} + - name: POLICY + value: {{ .Values.config.policy }} +{{- end }} +{{- if .Values.config.cert }} + - name: CERTIFICATE + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . 
}} + key: certificate +{{- end }} +{{- if .Values.config.key }} + - name: CERTIFICATE_KEY + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate-key +{{- end }} +{{- if .Values.config.ca }} + - name: CERTIFICATE_AUTHORITY + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate-authority +{{- end }} +{{- range $name, $value := .Values.extraEnv }} + - name: {{ $name }} + value: {{ quote $value }} +{{- end }} + ports: + - containerPort: 443 + name: https + protocol: TCP + livenessProbe: + httpGet: + path: /ping + port: https + scheme: HTTPS + readinessProbe: + httpGet: + path: /ping + port: https + scheme: HTTPS + + + volumeMounts: + - mountPath: /etc/pomerium/ + name: {{ template "pomerium.fullname" . }}-policy + + volumes: + - name: {{ template "pomerium.fullname" . }}-policy + configMap: + name: {{ template "pomerium.fullname" . }} + + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- if .Values.extraVolumes }} + volumes: +{{- toYaml .Values.extraVolumes | indent 8 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- end }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} +{{- end }} diff --git a/helm/templates/authorize-service.yaml b/helm/templates/authorize-service.yaml new file mode 100644 index 000000000..e864ce6b2 --- /dev/null +++ b/helm/templates/authorize-service.yaml 
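Review bot: `selector.matchLabels` here is `app` + `release`, exactly the pair the authenticate and proxy Deployments in this change use, and the pod template carries no label that distinguishes the three; Kubernetes documents that controllers with overlapping selectors fight over each other's pods, so scaling or rolling one service can delete or adopt pods of another. Add `component: authorize` to both `matchLabels` and the pod template `labels` (and the matching Service selector). Separately, `value: {{ .Values.config.policy }}` under `POLICY` renders an unquoted, possibly multi-line policy string; if `config.policy` is set to raw YAML as `scripts/helm_gke.sh` does, the manifest breaks, so use `value: {{ .Values.config.policy | quote }}`. The `volumes:` list between `volumeMounts` and `resources` also looks container-scoped rather than pod-scoped, though collapsed indentation makes that hard to confirm.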
@@ -0,0 +1,31 @@ +{{- if not .Values.omnibusMode -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "pomerium.fullname" . }}-authorize + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4 }} +{{- end }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: https + protocol: TCP + name: http +{{- if hasKey .Values.service "nodePort" }} + nodePort: {{ .Values.service.nodePort }} +{{- end }} + selector: + app: {{ template "pomerium.name" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml new file mode 100644 index 000000000..c08478cb9 --- /dev/null +++ b/helm/templates/configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "pomerium.fullname" . }} + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + policy.yaml: {{toYaml .Values.config.policyFile | indent 4}} diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml index 40853d4c3..83b48c9a8 100644 --- a/helm/templates/ingress.yaml +++ b/helm/templates/ingress.yaml 
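Review bot: This Service reuses `.Values.service.type`, `externalPort` and `nodePort` verbatim from the proxy Service, so an install that sets `service.nodePort` creates three Services with the same NodePort and the second and third fail to create. The authorize gRPC endpoint only needs to be reachable by the proxy; publishing it with the same `LoadBalancer`/`NodePort` type as the user-facing proxy exposes the policy-decision service to the network unnecessarily unless it is deliberately fronted by the ingress. Add an `authorize.serviceType` value in `values.yaml` and use `type: {{ .Values.authorize.serviceType | default "ClusterIP" }}` here, and apply the same `component: authorize` selector label as the Deployment so the selector stops matching proxy and authenticate pods.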
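Review bot: `policy.yaml: {{toYaml .Values.config.policyFile | indent 4}}` renders `policy.yaml: null` whenever `config.policyFile` is unset (for example an install that supplies `config.policy` instead), and the ConfigMap is emitted unconditionally, so the pods mount a `policy.yaml` whose content the API may reject or deliver empty; please confirm with `helm template`. Wrap the resource in `{{- if .Values.config.policyFile }}` / `{{- end }}` and write the data as a plain block scalar, `policy.yaml: |-` followed by `{{ .Values.config.policyFile | indent 4 }}`, so the policy is mounted only when one was supplied. Since a ConfigMap is not a Secret, anyone with ConfigMap read access sees the full access policy; that is acceptable for policy, but a comment in `values.yaml` should warn operators not to put IdP credentials in it.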
@@ -5,24 +5,21 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: + name: {{ template "pomerium.fullname" . }} labels: app: {{ template "pomerium.name" . }} chart: {{ template "pomerium.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} -{{- if .Values.ingress.labels }} -{{ toYaml .Values.ingress.labels | indent 4 }} -{{- end }} - name: {{ template "pomerium.fullname" . }} +{{- if .Values.ingress.labels }} {{ toYaml .Values.ingress.labels | indent 4 }} {{- end }} {{- if .Values.ingress.annotations }} annotations: {{ toYaml .Values.ingress.annotations | indent 4 }} {{- end }} + spec: rules: -{{- if .Values.ingress.extraRules }} -{{ toYaml .Values.ingress.extraRules | indent 4 }} -{{- end }} +{{- if .Values.ingress.extraRules }}{{ toYaml .Values.ingress.extraRules | indent 4 }}{{- end }} {{- if .Values.ingress.hosts }} {{- range $host := .Values.ingress.hosts }} - host: {{ $host }} diff --git a/helm/templates/proxy-deployment.yaml b/helm/templates/proxy-deployment.yaml new file mode 100644 index 000000000..53fe48328 --- /dev/null +++ b/helm/templates/proxy-deployment.yaml 
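Review bot: Collapsing the `extraRules` block onto `{{- if .Values.ingress.extraRules }}{{ toYaml .Values.ingress.extraRules | indent 4 }}{{- end }}` puts a whitespace-trimming `{{-` directly after `rules:`, so the newline between `rules:` and the first rule is eaten and the output becomes `rules:    - host: …` on one line, which is not valid YAML. Restore the previous three-line form (`{{- if .Values.ingress.extraRules }}`, `{{ toYaml .Values.ingress.extraRules | indent 4 }}`, `{{- end }}`) so the `toYaml` output starts on its own line. The `spec:` block continues beyond this hunk.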
@@ -0,0 +1,148 @@ +{{- if not .Values.omnibusMode -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "pomerium.fullname" . }}-proxy +{{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ template "pomerium.name" . }} + release: {{ .Release.Name }} + template: + metadata: +{{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} +{{- end }} + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + spec: +{{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: +{{- range $key, $value := .Values.extraArgs }} +{{- if $value }} + - --{{ $key }}={{ $value }} +{{- else }} + - --{{ $key }} +{{- end }} +{{- end }} + env: + - name: SERVICES + value: authorize + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: cookie-secret + - name: SHARED_SECRET + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . 
}} + key: shared-secret + - name: AUTHENTICATE_SERVICE_URL + value: {{ .Values.proxy.authenticateServiceUrl }} + - name: AUTHORIZE_SERVICE_URL + value: {{ .Values.proxy.authorizeServiceUrl }} +{{- if .Values.config.policyFile }} + - name: POLICY_FILE + value: /etc/pomerium/policy.yaml +{{- end }} +{{- if .Values.config.policy}} + - name: POLICY + value: {{ .Values.config.policy }} +{{- end }} +{{- if .Values.config.cert }} + - name: CERTIFICATE + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate +{{- end }} +{{- if .Values.config.key }} + - name: CERTIFICATE_KEY + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate-key +{{- end }} +{{- if .Values.config.ca }} + - name: CERTIFICATE_AUTHORITY + valueFrom: + secretKeyRef: + name: {{ template "pomerium.fullname" . }} + key: certificate-authority +{{- end }} +{{- range $name, $value := .Values.extraEnv }} + - name: {{ $name }} + value: {{ quote $value }} +{{- end }} + ports: + - containerPort: 443 + name: https + protocol: TCP + livenessProbe: + httpGet: + path: /ping + port: https + scheme: HTTPS + readinessProbe: + httpGet: + path: /ping + port: https + scheme: HTTPS + + + volumeMounts: + - mountPath: /etc/pomerium/ + name: {{ template "pomerium.fullname" . }}-policy + + volumes: + - name: {{ template "pomerium.fullname" . }}-policy + configMap: + name: {{ template "pomerium.fullname" . 
}} + + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- if .Values.extraVolumes }} + volumes: +{{- toYaml .Values.extraVolumes | indent 8 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} +{{- end }} +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} +{{- end }} +{{- end }} diff --git a/helm/templates/proxy-service.yaml b/helm/templates/proxy-service.yaml new file mode 100644 index 000000000..4dce33263 --- /dev/null +++ b/helm/templates/proxy-service.yaml @@ -0,0 +1,31 @@ +{{- if not .Values.omnibusMode }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "pomerium.fullname" . }}-proxy + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4 }} +{{- end }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.externalPort }} + targetPort: https + protocol: TCP + name: http +{{- if hasKey .Values.service "nodePort" }} + nodePort: {{ .Values.service.nodePort }} +{{- end }} + selector: + app: {{ template "pomerium.name" . }} + release: {{ .Release.Name }} +{{- end }} \ No newline at end of file diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml index 0182d662d..2fccc3d43 100644 --- a/helm/templates/secret.yaml +++ b/helm/templates/secret.yaml 
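Review bot: The proxy Deployment sets `SERVICES` to `authorize` (`- name: SERVICES` / `value: authorize`), so in split mode the pod named `-proxy` starts a second authorize service and no proxy runs at all; this looks like a copy-paste from `authorize-deployment.yaml`. Change it to `value: proxy`. The `matchLabels` (`app` + `release`) are shared with the authenticate and authorize Deployments and should get a `component: proxy` label, otherwise the three controllers compete for each other's pods. `POLICY` also renders `{{ .Values.config.policy }}` unquoted; use `| quote` so a multi-line policy does not break the manifest.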
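Review bot: The selector `app` + `release` is the same one the authenticate and authorize Services use, so this Service will also send user traffic to authorize and authenticate pods in split mode. Add `component: proxy` to the selector (and to the proxy Deployment's pod labels, outside this hunk). This template also opens with `{{- if not .Values.omnibusMode }}` without the trailing `-}}` the sibling service templates use, which leaves a leading blank line in the rendered manifest; harmless, but inconsistent.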
@@ -10,18 +10,10 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque data: -{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }} - idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }} - idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }} -{{- end }} cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }} shared-secret: {{ .Values.config.sharedSecret | b64enc | quote }} -{{- if .Values.config.cert }} - certificate: {{ .Values.config.cert | b64enc | quote }} -{{- end }} -{{- if .Values.config.key }} - certificate-key: {{ .Values.config.key | b64enc | quote }} -{{- end }} -{{- if .Values.config.ca }} - certificate-authority: {{ .Values.config.ca | b64enc | quote }} -{{- end }} + idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }} + idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }} + certificate: {{- if .Values.config.cert }} {{ .Values.config.cert | b64enc | quote }} {{- end }} + certificate-key: {{- if .Values.config.key }} {{ .Values.config.key | b64enc | quote }} {{- end }} + certificate-authority: {{- if .Values.config.ca }} {{ .Values.config.ca | b64enc | quote }} {{- end }} diff --git a/helm/templates/tls-secrets.yaml b/helm/templates/tls-secrets.yaml new file mode 100644 index 000000000..cd27011a5 --- /dev/null +++ b/helm/templates/tls-secrets.yaml @@ -0,0 +1,18 @@ +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }} + labels: + app: {{ template "pomerium.name" . }} + chart: {{ template "pomerium.chart" . }} + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} +type: kubernetes.io/tls +data: + tls.crt: {{ .certificate | b64enc }} + tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- end }} diff --git a/helm/values.yaml b/helm/values.yaml index e06396bea..a8391ee96 100644 --- a/helm/values.yaml 
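Review bot: `cookie-secret` and `shared-secret` are written with whatever `.Values.config.*` contains, and `values.yaml` in this change ships concrete defaults for both, so an operator who forgets to override them installs a chart whose session-signing and service-to-service secrets are public in the repository. Fail the install instead: `cookie-secret: {{ required "config.cookieSecret is required" .Values.config.cookieSecret | b64enc | quote }}` and the same for `shared-secret`, with the defaults removed from `values.yaml`. The `idp-client-id`/`idp-client-secret` keys are now unconditional, so an install that nulls them out (proxy-only or authorize-only) hits `b64enc` with a nil value and fails to render; guard them or give them `required` messages too. The `certificate:` lines render a bare key with a null value when the value is unset because `{{- end }}` trims everything after the colon; wrapping each whole line in its conditional, as before, is cleaner.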
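Review bot: Inside `{{- range .Values.ingress.secrets }}` the dot is the current secret entry, so `{{ .Release.Name }}`, `{{ .Release.Service }}` and `{{ template "pomerium.name" . }}` no longer refer to the release and the template fails to render as soon as `ingress.secrets` is non-empty. Use the root context: `release: {{ $.Release.Name | quote }}`, `heritage: {{ $.Release.Service | quote }}`, and `template "pomerium.name" $` / `template "pomerium.chart" $`. `tls.crt`/`tls.key` should also be `| quote`d like the other Secret values, and since the private key now lives under `ingress.secrets` in `values.yaml`, the chart docs should warn against committing a populated values file.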
+++ b/helm/values.yaml 
@@ -1,40 +1,63 @@ -# All config settings are required. sharedSecret must match between the authenticate -# and proxy deployments. -config: - sharedSecret: "XXXXXXXX" - cookieSecret: "XXXXXXXX" - services: all - cert: - key: -# All below required if config.services is "authenticate" or "all" -authenticate: - redirectUrl: http://example.com/oauth2/callback - allowedDomains: example.com - proxyRootDomains: example.com - idp: +# For detailed explanation of each of the configuration settings see +# https://www.pomerium.io/docs/config-reference.htmls + +# run pomerium in "all-in-one" mode where all services are run from a single node +omnibusMode: false + +config: # settings that are shared by all services + sharedSecret: "LL3g/NoKkao7mTec2/wYSOZAki1VbR89q+kqbdFj0c4=" # head -c32 /dev/urandom | base64 + cookieSecret: "tAhd5A5Y8R/H/msFhkNdt8dCym2SatVbh4UrcDk3+Ms=" # head -c32 /dev/urandom | base64 + cert: # base64 -i cert.pem or using a volume + key: # base64 -i privkey.pem or using a volume + policyFile: |- + - from: httpbin.corp.pomerium.io + to: http://httpbin + allowed_domains: + - pomerium.io + - from: external-httpbin.corp.pomerium.io + to: httpbin.org + allowed_domains: + - gmail.com + - from: weirdlyssl.corp.pomerium.io + to: http://neverssl.com + allowed_users: + - bdd@pomerium.io + allowed_groups: + - admins + - developers + - from: hello.corp.pomerium.io + to: http://hello:8080 + allowed_groups: + - admins + + +authenticate: # values specific to the authenticate service + name: authenticate # container name + redirectUrl: https://auth.corp.pomerium.io/oauth2/callback + proxyRootDomains: pomerium.io + idp: # see https://www.pomerium.io/docs/identity-providers.html provider: okta url: https://example.oktapreview.com/oauth2/default clientID: "XXXXXXXX" clientSecret: "XXXXXXXX" -# All below required if config.serviceModes is "proxy" or "all" -proxy: - authenticateServiceUrl: https://example.com/oauth2/callback - routes: {} - # routes: - # "http.corp.example.com": 
"httpbin.org" -# For any other settings that are optional -# ADDRESS, POMERIUM_DEBUG, CERTIFICATE_FILE, CERTIFICATE_KEY_FILE, CERTIFICATE_AUTHORITY_FILE, -# PROXY_ROOT_DOMAIN, COOKIE_DOMAIN, COOKIE_EXPIRE, COOKIE_REFRESH, COOKIE_SECURE, COOKIE_HTTP_ONLY, IDP_SCOPES -# AUTHENTICATE_INTERNAL_URL, AUTHENTICATE_SERVICE_PORT, OVERRIDE_CERTIFICATE_NAME, DEFAULT_UPSTREAM_TIMEOUT, COOKIE_LIFETIME, +authorize: # values specific to the authorize service + name: authorize # container name + +proxy: # values specific to the proxy service + name: proxy # container name + authenticateServiceUrl: https://auth.corp.pomerium.io + authorizeServiceUrl: https://access.corp.pomerium.io + +# For any other settings that are optional. for a complete listing see: +# https://www.pomerium.io/docs/config-reference.html extraEnv: {} - extraArgs: {} extraVolumes: {} image: repository: "pomerium/pomerium" - tag: "0.0.1" + tag: "latest" pullPolicy: "IfNotPresent" service: @@ -46,20 +69,32 @@ service: ingress: enabled: false - path: / + # path: / # Used to create an Ingress record. # hosts: - # - chart-example.local + # - "*.corp.example.com" + # - "auth.corp.example.com" + # - "access.corp.example.com" # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + # tls: - # Secrets must be manually created in the namespace. - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + # Secrets must be manually created in the namespace. + # - secretName: pomerium-tls + # hosts: + # - chart-example.local + # secrets: + ## If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + # - name: pomerium-tls + # key: + # certificate: -resources: {} +resources: + {} # limits: # cpu: 100m # memory: 300Mi diff --git a/internal/identity/google.go b/internal/identity/google.go index 44ed1a45b..0bd80eecb 100644 
--- a/internal/identity/google.go
+++ b/internal/identity/google.go
@@ -194,14 +194,7 @@ func (p *GoogleProvider) Refresh(ctx context.Context, s *sessions.SessionState)
 	if err != nil {
 		return nil, fmt.Errorf("identity/google: could not retrieve groups %v", err)
 	}
-
-	log.Info().
-		Str("refresh-token", s.RefreshToken).
-		Str("new-access-token", newToken.AccessToken).
-		Str("new-expiry", time.Until(newToken.Expiry).String()).
-		Strs("Groups", groups).
-		Msg("identity: refresh")
-
+	s.Groups = groups
 	return s, nil
 }
 
diff --git a/internal/identity/microsoft.go b/internal/identity/microsoft.go
index 9184f6f29..e29a413d6 100644
--- a/internal/identity/microsoft.go
+++ b/internal/identity/microsoft.go
@@ -181,7 +181,7 @@ func (p *AzureProvider) UserGroups(ctx context.Context, accessToken string) ([]s
 	}
 	var groups []string
 	for _, group := range response.Groups {
-		log.Info().Str("DisplayName", group.DisplayName).Str("ID", group.ID).Msg("identity/microsoft: group")
+		log.Debug().Str("DisplayName", group.DisplayName).Str("ID", group.ID).Msg("identity/microsoft: group")
 		groups = append(groups, group.DisplayName)
 	}
 	return groups, nil
diff --git a/internal/identity/onelogin.go b/internal/identity/onelogin.go
index 7b11a0500..a5dac69f6 100644
--- a/internal/identity/onelogin.go
+++ b/internal/identity/onelogin.go
@@ -135,7 +135,7 @@ func (p *OneLoginProvider) UserGroups(ctx context.Context, accessToken string) (
 	}
 	var groups []string
 	for _, group := range response.Groups {
-		log.Info().Str("ID", group).Msg("identity/onelogin: group")
+		log.Debug().Str("ID", group).Msg("identity/onelogin: group")
 		groups = append(groups, group)
 	}
 	return groups, nil
diff --git a/internal/log/log.go b/internal/log/log.go
index a8ce53687..47e8925f1 100644
--- a/internal/log/log.go
+++ b/internal/log/log.go
@@ -15,7 +15,7 @@ var Logger = zerolog.New(os.Stdout).With().Timestamp().Logger()
 // SetDebugMode tells the logger to use standard out and pretty print output.
 func SetDebugMode() {
 	Logger = Logger.Output(zerolog.ConsoleWriter{Out: os.Stdout})
-	zerolog.SetGlobalLevel(zerolog.InfoLevel)
+	// zerolog.SetGlobalLevel(zerolog.InfoLevel)
 }
 
 // With creates a child logger with the field added to its context.
diff --git a/internal/policy/policy.go b/internal/policy/policy.go
index 2b66dbf59..b5f16e5d1 100644
--- a/internal/policy/policy.go
+++ b/internal/policy/policy.go
@@ -7,8 +7,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pomerium/pomerium/internal/log"
-
 	"github.com/pomerium/pomerium/internal/fileutil"
 	yaml "gopkg.in/yaml.v2"
 )
@@ -55,7 +53,6 @@ func FromConfig(confBytes []byte) ([]Policy, error) {
 			return nil, err
 		}
 	}
-	log.Info().Msgf("from config %+v", f)
 	return f, nil
 }
 
diff --git a/proto/authorize/mock_authorize/mock_authorize.go b/proto/authorize/mock_authorize/mock_authorize.go
new file mode 100644
index 000000000..0df77e0b5
--- /dev/null
+++ b/proto/authorize/mock_authorize/mock_authorize.go
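Review bot: `// zerolog.SetGlobalLevel(zerolog.InfoLevel)` is left as a commented-out statement; delete it rather than keep dead code, and document what level `SetDebugMode` now relies on. With no `SetGlobalLevel` call here the level is whatever zerolog's default or another caller sets; if that is Debug, every log this commit demoted from `Info()` to `Debug()` — including the `code`, `state` and `RefreshToken` fields in `OAuthCallback` — is still emitted in debug mode, so the demotion hides the secret leak in production rather than removing it. A doc comment such as `// SetDebugMode switches the logger to a human-readable console writer; it does not change the global log level.` would make the contract explicit.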
@@ -0,0 +1,57 @@ +// Code generated by MockGen. DO NOT EDIT. +// Source: github.com/pomerium/pomerium/proto/authorize (interfaces: AuthorizerClient) + +// Package mock_authorize is a generated GoMock package. +package mock_authorize + +import ( + context "context" + reflect "reflect" + + gomock "github.com/golang/mock/gomock" + authorize "github.com/pomerium/pomerium/proto/authorize" + grpc "google.golang.org/grpc" +) + +// MockAuthorizerClient is a mock of AuthorizerClient interface +type MockAuthorizerClient struct { + ctrl *gomock.Controller + recorder *MockAuthorizerClientMockRecorder +} + +// MockAuthorizerClientMockRecorder is the mock recorder for MockAuthorizerClient +type MockAuthorizerClientMockRecorder struct { + mock *MockAuthorizerClient +} + +// NewMockAuthorizerClient creates a new mock instance +func NewMockAuthorizerClient(ctrl *gomock.Controller) *MockAuthorizerClient { + mock := &MockAuthorizerClient{ctrl: ctrl} + mock.recorder = &MockAuthorizerClientMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use +func (m *MockAuthorizerClient) EXPECT() *MockAuthorizerClientMockRecorder { + return m.recorder +} + +// Authorize mocks base method +func (m *MockAuthorizerClient) Authorize(arg0 context.Context, arg1 *authorize.AuthorizeRequest, arg2 ...grpc.CallOption) (*authorize.AuthorizeReply, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "Authorize", varargs...) + ret0, _ := ret[0].(*authorize.AuthorizeReply) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// Authorize indicates an expected call of Authorize +func (mr *MockAuthorizerClientMockRecorder) Authorize(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) 
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Authorize", reflect.TypeOf((*MockAuthorizerClient)(nil).Authorize), varargs...)
+}
diff --git a/proxy/clients/authenticate_client.go b/proxy/clients/authenticate_client.go
index 6e6e1cc1b..a807b792a 100644
--- a/proxy/clients/authenticate_client.go
+++ b/proxy/clients/authenticate_client.go
@@ -23,9 +23,9 @@ type Authenticator interface {
 	Close() error
 }
 
-// NewAuthenticateClient returns a new authenticate service client.
+// NewAuthenticateClient returns a new authenticate service client. Presently,
+// only gRPC is supported and is always returned so name is ignored.
 func NewAuthenticateClient(name string, opts *Options) (a Authenticator, err error) {
-	// Only gRPC is supported and is always returned so name is ignored
 	return NewGRPCAuthenticateClient(opts)
 }
 
@@ -112,8 +112,6 @@ func (a *AuthenticateGRPC) Validate(ctx context.Context, idToken string) (bool,
 	// }
 	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
-	// todo(bdd): add grpc specific timeouts to main options
-	// todo(bdd): handle request id (metadata!?) in grpc receiver and add to ctx logger
 	r, err := a.client.Validate(ctx, &pb.ValidateRequest{IdToken: idToken})
 	if err != nil {
 		return false, err
diff --git a/proxy/clients/authorize_client_test.go b/proxy/clients/authorize_client_test.go
index 55751b22c..8a1538deb 100644
--- a/proxy/clients/authorize_client_test.go
+++ b/proxy/clients/authorize_client_test.go
@@ -4,37 +4,35 @@ import (
 	"context"
 	"testing"
 
+	"github.com/golang/mock/gomock"
 	"github.com/pomerium/pomerium/internal/sessions"
-	pb "github.com/pomerium/pomerium/proto/authorize"
-	"google.golang.org/grpc"
+	"github.com/pomerium/pomerium/proto/authorize"
+	mock "github.com/pomerium/pomerium/proto/authorize/mock_authorize"
 )
 
 func TestAuthorizeGRPC_Authorize(t *testing.T) {
-	type fields struct {
-		Conn   *grpc.ClientConn
-		client pb.AuthorizerClient
-	}
-	type args struct {
-		ctx   context.Context
-		route string
-		s     *sessions.SessionState
-	}
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	client := mock.NewMockAuthorizerClient(ctrl)
+	client.EXPECT().Authorize(
+		gomock.Any(),
+		gomock.Any(),
+	).Return(&authorize.AuthorizeReply{IsValid: true}, nil).AnyTimes()
+
 	tests := []struct {
 		name    string
-		fields  fields
-		args    args
+		route   string
+		s       *sessions.SessionState
 		want    bool
 		wantErr bool
 	}{
-		// TODO: Add test cases.
+		{"good", "hello.pomerium.io", &sessions.SessionState{User: "admin@pomerium.io", Email: "admin@pomerium.io"}, true, false},
+		{"session cannot be nil", "hello.pomerium.io", nil, false, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			a := &AuthorizeGRPC{
-				Conn:   tt.fields.Conn,
-				client: tt.fields.client,
-			}
-			got, err := a.Authorize(tt.args.ctx, tt.args.route, tt.args.s)
+			a := &AuthorizeGRPC{client: client}
+			got, err := a.Authorize(context.Background(), tt.route, tt.s)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("AuthorizeGRPC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
 				return
diff --git a/proxy/clients/clients.go b/proxy/clients/clients.go
index eba75c5e8..ec18934da 100644
--- a/proxy/clients/clients.go
+++ b/proxy/clients/clients.go
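Review bot: The mock is programmed to return `IsValid: true` for every call with `AnyTimes()`, so the table never exercises a denied decision or a transport error from the authorize service; an `AuthorizeGRPC.Authorize` that ignored `IsValid` or swallowed the gRPC error would still pass. Add rows that use a second mock returning `&authorize.AuthorizeReply{IsValid: false}, nil` with `want: false`, and one returning `nil, errors.New("boom")` with `wantErr: true`, selecting the mock per row. The `gomock.Any()` matchers also mean the test does not check that `route` and the session fields are forwarded in the request; a matcher on `*authorize.AuthorizeRequest` would pin that. The test function continues past the end of the hunk.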
@@ -86,9 +86,7 @@ func NewGRPCClientConn(opts *Options) (*grpc.ClientConn, error) {
 		cp = newCp
 	}
 
-	log.Info().
-		Str("OverrideCertificateName", opts.OverrideCertificateName).
-		Str("addr", connAddr).Msgf("proxy/clients: grpc connection")
+	log.Debug().Str("cert-override-name", opts.OverrideCertificateName).Str("addr", connAddr).Msgf("proxy/clients: grpc connection")
 
 	cert := credentials.NewTLS(&tls.Config{RootCAs: cp})
 	// override allowed certificate name string, typically used when doing behind ingress connection
diff --git a/proxy/handlers.go b/proxy/handlers.go
index 1391100a3..f1c764d9a 100644
--- a/proxy/handlers.go
+++ b/proxy/handlers.go
@@ -212,7 +212,7 @@ func (p *Proxy) OAuthCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	log.FromRequest(r).Info().
+	log.FromRequest(r).Debug().
 		Str("code", r.Form.Get("code")).
 		Str("state", r.Form.Get("state")).
 		Str("RefreshToken", session.RefreshToken).
diff --git a/proxy/proxy.go b/proxy/proxy.go
index cef060bc9..66d4b112a 100755
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -79,7 +79,7 @@ var defaultOptions = &Options{
 	DefaultUpstreamTimeout: time.Duration(30) * time.Second,
 }
 
-// OptionsFromEnvConfig builds the IdentityProvider service's configuration
+// OptionsFromEnvConfig builds the identity provider service's configuration
 // options from provided environmental variables
 func OptionsFromEnvConfig() (*Options, error) {
 	o := defaultOptions
diff --git a/scripts/generate_wildcard_cert.sh b/scripts/generate_wildcard_cert.sh
index ed0530513..c5f8038b0 100755
--- a/scripts/generate_wildcard_cert.sh
+++ b/scripts/generate_wildcard_cert.sh
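Review bot: Demoting the `OAuthCallback` log from `Info()` to `Debug()` still writes the OAuth authorization `code`, the `state` token and `session.RefreshToken` in clear; a refresh token is a long-lived bearer credential and the code is redeemable until it expires, so neither belongs in logs at any level. Drop those fields entirely and keep only non-secret context, e.g. `log.FromRequest(r).Debug().Str("state", r.Form.Get("state")).Msg("proxy: oauth callback")`, or log a short hash if correlation is needed. `OAuthCallback` continues past the end of the hunk, so check whether the remaining `Str(...)` calls there log further token material. The `clients.go` rename to `cert-override-name` is fine.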
@@ -1,16 +1,10 @@
 #!/bin/bash
-
-# requires acme.sh
-# see : https://github.com/Neilpang/acme.sh
-# uncomment below to install
+# requires acme.sh see : https://github.com/Neilpang/acme.sh
 # curl https://get.acme.sh | sh
-
-# assumes cloudflare, but many DNS providers are supported
-
-export CF_Key="x"
-export CF_Email="x@x.com"
-
+echo "=> manually issue a wildcard certificate, renewal is up to you!"
 $HOME/.acme.sh/acme.sh \
   --issue \
+  -k ec-256 \
   -d '*.corp.beyondperimeter.com' \
-  --dns dns_cf
+  --dns \
+  --yes-I-know-dns-manual-mode-enough-go-ahead-please
diff --git a/scripts/helm_gke.sh b/scripts/helm_gke.sh
new file mode 100755
index 000000000..7819847d2
--- /dev/null
+++ b/scripts/helm_gke.sh
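Review bot: The script has no `set -euo pipefail`, so a failed `acme.sh` invocation (or a missing `$HOME/.acme.sh/acme.sh`) exits 0 and a caller may proceed without a certificate. Add `set -euo pipefail` after the shebang and quote the binary path: `"$HOME/.acme.sh/acme.sh" \`. The `--yes-I-know-dns-manual-mode-enough-go-ahead-please` flag disables automatic renewal, which the `echo` already notes; the comment should also state that the issued key is ECDSA P-256 (`-k ec-256`) so operators expecting RSA are not surprised.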
@@ -0,0 +1,47 @@ +#!/bin/bash +# PRE-REQ: +# 1) Install Helm : You should verify the content of this script before running. +# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash + +echo "=> [GCE] creating cluster" +gcloud container clusters create pomerium + +echo "=> [GCE] get cluster credentials so we can use kubctl locally" +gcloud container clusters get-credentials pomerium + +echo "=> [GCE] ensure your user account has the cluster-admin role in your cluster" +kubectl create \ + clusterrolebinding \ + user-admin-binding \ + --clusterrole=cluster-admin \ + --user=$(gcloud config get-value account) + +echo "=> Create a service account that Tiller, the server side of Helm, can use for deploying your charts." +kubectl create serviceaccount tiller --namespace kube-system + +echo "=> Grant the Tiller service account the cluster-admin role in your cluster" +kubectl create clusterrolebinding tiller-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:tiller + +echo "=> initialize Helm to install Tiller in your cluster" +helm init --service-account=tiller +helm repo update + +echo "=> install pomerium with helm substituting configuration values as required; be sure to change these" +helm install helm/. 
\ + --set config.sharedSecret=$(head -c32 /dev/urandom | base64) \ + --set config.cookieSecret=$(head -c32 /dev/urandom | base64) \ + --set config.cert=$(base64 -i cert.pem) \ + --set config.key=$(base64 -i privkey.pem) \ + --set config.policy=$(cat policy.example.yaml) \ + --set authentiate.idp.provider="google" \ + --set authentiate.proxyRootDomains="pomerium.io" \ + --set authentiate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \ + --set authentiate.idp.clientID="REPLACE_ME" \ + --set authentiate.idp.clientSecret="REPLACE_ME" \ + --set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \ + --set proxy.authorizeServiceUrl="https://access.corp.pomerium.io" + +# When done, clean up by deleting the cluster! +# +# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES! +# gcloud container clusters delete pomerium diff --git a/scripts/kubernetes_gke.sh b/scripts/kubernetes_gke.sh index 2d2f4136d..18ab3115c 100755 --- a/scripts/kubernetes_gke.sh +++ b/scripts/kubernetes_gke.sh @@ -28,8 +28,8 @@ kubectl create configmap -n pomerium policy --from-literal=policy=$(cat policy.e echo "=> settingidp-client-secret, you changed this right? :)" exit 1 # comment out or delete this line once you change the following two settings -# kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACEME -# kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json) +kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACE_ME +kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json) echo "=> apply the proxy, authorize, and authenticate deployment configs" kubectl apply -f docs/docs/examples/kubernetes/authorize.deploy.yml 
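Review bot: Every `--set authentiate.*` line misspells `authenticate`, so the provider, root domain, redirect URL and, critically, `idp.clientID`/`idp.clientSecret` are silently ignored and the chart installs with the `okta`/`XXXXXXXX` defaults from `values.yaml`; change all six to `--set authenticate.…`. `--set config.policy=$(cat policy.example.yaml)` is unquoted, so the multi-line file is word-split into separate arguments; use `--set-file config.policyFile=policy.example.yaml` instead. Passing IdP secrets via `--set` leaves them in shell history and `ps` output, and `helm init --service-account=tiller` with a `cluster-admin` binding gives every chart installer full cluster rights; at minimum say so in the header comment and prefer `--values` from an uncommitted file. `base64 -i` is the macOS spelling (on GNU coreutils `-i` means ignore garbage) and GNU `base64` wraps at 76 columns by default, so on Linux use `base64 -w0 cert.pem`.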
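Review bot: The now-active `kubectl create secret generic ... --from-literal=idp-client-secret=REPLACE_ME` puts the IdP client secret on the command line, where it lands in shell history and is visible to other local users via the process list; use `--from-file=idp-client-secret=./idp-client-secret` (or `--from-env-file`) instead. The `exit 1` guard above still stops the script before these lines, so the `REPLACE_ME` placeholder is safe only because of that abort; a reader who deletes the guard without editing gets a Secret holding the literal string. `idp-service-account` is stored already base64-encoded and Kubernetes base64-encodes Secret data again; whether the consumer expects one or two layers is not visible here, so please confirm.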
@@ -48,4 +48,4 @@ kubectl apply -f docs/docs/examples/kubernetes/ingress.yml
 # kubectl apply -f docs/docs/examples/kubernetes/ingress.nginx.yml
 
 # When done, clean up by deleting the cluster!
-# gcloud container clusters delete pomerium
+# gcloud container clusters delete pomerium
\ No newline at end of file
diff --git a/scripts/self-signed-sign-key.sh b/scripts/self-signed-sign-key.sh
deleted file mode 100755
index 4fa401cf8..000000000
--- a/scripts/self-signed-sign-key.sh
+++ /dev/null
@@ -1,47 +0,0 @@ -#!/bin/bash -# Thank you @ https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe -# See also: -# https://cloud.google.com/iot/docs/how-tos/credentials/keys#generating_an_es256_key_with_a_self-signed_x509_certificate -# https://community.letsencrypt.org/t/ecc-certificates/46729 -# -# Let’s Encrypt currently generates RSA certificates, but not yet ECDSA certificates. -# Support for generating ECDSA certificates is on the horizon, but is not here yet. -# However, Let’s Encrypt does support *signing* ECDSA certificates when presented with a -# Certificate Signing Request. So we can generate the appropriate CSR on the client, -# and send it to Let’s Encrypt using the --csr option of the certbot client for Let’s Encrypt to sign. - -# The following generates a NIST P-256 (aka secp256r1 aka prime256v1) EC Key Pair -openssl ecparam \ - -genkey \ - -name prime256v1 \ - -noout \ - -out ec_private.pem - -openssl req -x509 -new \ - -key ec_private.pem \ - -days 365 \ - -out ec_public.pem \ - -subj "/CN=unused" - -openssl req -new \ - -sha512 \ - -key privkey.pem \ - -nodes \ - -subj "/CN=beyondperimeter.com" \ - -reqexts SAN \ - -extensions SAN \ - -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.corp.beyondperimeter.com')) \ - -out csr.pem \ - -outform pem - -openssl req -in csr.pem -noout -text - -certbot certonly \ - --preferred-challenges dns-01 \ - --work-dir le/work \ - --config-dir le/config \ - --logs-dir le/logs \ - --agree-tos \ - --email bobbydesimone@gmail.com \ - -d *.corp.beyondperimeter.com \ - --csr csr.pem