docs: update changelog, documentaiton, and helm configurations. (#63)

- Update changelog.
- Update docs to cover authorization support.
- Updates helm to support authorization, and policy file.

CHANGELOG.md

@@ -1,33 +1,36 @@
 # Pomerium Changelog
 
-## Unreleased
+## vUNRELEASED
 
 **FEATURES:**
 
- * **Authorization** : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. 
+- **Authorization** : The authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details.
- * **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows:
+- **Group Support** : The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration; all of which are described in the [updated docs](https://www.pomerium.io/docs/identity-providers.html). A brief summary of the requirements for each IdP are as follows:
+
   - Google requires the [Admin SDK](https://developers.google.com/admin-sdk/directory/) to enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64 encoded value of the service account's key file.
   - Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made.
   - Microsoft Azure Active Directory requires the application be given an [additional API permission](https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0), `Directory.Read.All`.
   - Onelogin requires the [groups](https://developers.onelogin.com/openid-connect/scopes) was supplied during authentication and that groups parameter has been mapped. Group membership is validated on refresh with the [user-info api endpoint](https://developers.onelogin.com/openid-connect/api/user-info).
- * **WebSocket Support** : With [Go 1.12](https://golang.org/doc/go1.12#net/http/httputil) pomerium automatically proxies WebSocket requests.
+
+- **WebSocket Support** : With [Go 1.12](https://golang.org/doc/go1.12#net/http/httputil) pomerium automatically proxies WebSocket requests.
 
 **CHANGED**:
 
- * Updated `env.example` to include a `POLICY` setting example. 
+- Updated `generate_wildcard_cert.sh` to generate a elliptic curve 256 cert by default.
- * Added `IDP_SERVICE_ACCOUNT` to  `env.example` . 
+- Updated `env.example` to include a `POLICY` setting example.
- * Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. 
+- Added `IDP_SERVICE_ACCOUNT` to `env.example` .
- * Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
+- Removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`.
- * Removed `ROUTES` settings which has been replaced by `POLICY`. 
+- Removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
- * Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result. 
+- Removed `ROUTES` settings which has been replaced by `POLICY`.
- * Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`).
+- Add refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the json result.
- * Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours ~ roughly one business day. 
+- Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`).
- * Moved identity (`authenticate/providers`) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes. 
+- Default Cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours ~ roughly one business day.
- * Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts. 
+- Moved identity (`authenticate/providers`) into its own internal identity package as third party identity providers are going to authorization details (group membership, user role, etc) in addition to just authentication attributes.
- * Session expiration times are truncated at the second. 
+- Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts; which are gated by relatively short timeouts.
- * **Removed gitlab provider**. We can't support groups until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed.
+- Session expiration times are truncated at the second.
- * Request context is now maintained throughout request-flow via the [context package](https://golang.org/pkg/context/) enabling timeouts, request tracing, and cancellation. 
+- **Removed gitlab provider**. We can't support groups until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed.
+- Request context is now maintained throughout request-flow via the [context package](https://golang.org/pkg/context/) enabling timeouts, request tracing, and cancellation.
 
 **FIXED:**
 
-* `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one.  [GH-58]
+- `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. [GH-58]

authenticate/authenticate.go

@@ -44,7 +44,7 @@ type Options struct {
 	CookieExpire   time.Duration `envconfig:"COOKIE_EXPIRE"`
 	CookieRefresh  time.Duration `envconfig:"COOKIE_REFRESH"`
 
-	// IdentityProvider provider configuration variables as specified by RFC6749
+	// Identity provider configuration variables as specified by RFC6749
 	// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
 	ClientID       string   `envconfig:"IDP_CLIENT_ID"`
 	ClientSecret   string   `envconfig:"IDP_CLIENT_SECRET"`

authenticate/handlers.go

@@ -118,11 +118,11 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request) (*se
 func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) {
 	session, err := a.authenticate(w, r)
 	if err != nil {
-		log.FromRequest(r).Info().Err(err).Msg("authenticate: authenticate error")
+		log.FromRequest(r).Warn().Err(err).Msg("authenticate: authenticate error")
 		a.sessionStore.ClearSession(w, r)
 		a.OAuthStart(w, r)
 	}
-	log.FromRequest(r).Info().Msg("authenticate: user authenticated")
+	log.FromRequest(r).Debug().Msg("authenticate: user authenticated")
 	a.ProxyCallback(w, r, session)
 }
 

cmd/pomerium/options.go

@@ -42,7 +42,7 @@ var defaultOptions = &Options{
 	Services: "all",
 }
 
-// optionsFromEnvConfig builds the IdentityProvider service's configuration
+// optionsFromEnvConfig builds the main binary's configuration
 // options from provided environmental variables
 func optionsFromEnvConfig() (*Options, error) {
 	o := defaultOptions

docs/docs/config-reference.md

@@ -62,7 +62,7 @@ Policy contains the routes, and their access policies. For example,
 
 By default, JSON encoded logs are produced. Debug enables colored, human-readable, and more verbose logs to be streamed to [standard out](https://en.wikipedia.org/wiki/Standard_streams#Standard_output_(stdout)). In production, it's recommended to be set to `false`.
 
-For example, if `true`.
+For example, if `true`
 
 ```
 10:37AM INF cmd/pomerium version=v0.0.1-dirty+ede4124
@@ -71,7 +71,7 @@ For example, if `true`.
 10:37AM INF proxy/authenticator: grpc connection OverrideCertificateName= addr=auth.corp.beyondperimeter.com:443
 ```
 
-If `false`:
+If `false`
 
 ```
 {"level":"info","version":"v0.0.1-dirty+ede4124","time":"2019-02-18T10:41:03-08:00","message":"cmd/pomerium"}

docs/docs/examples.md

@@ -61,7 +61,7 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
 ### Google Kubernetes Engine
 
 - Uses GKE's built-in ingress to do [HTTPS load balancing]
-- HTTPS (TLS) between client and load balancer
+- HTTPS (TLS) between client, load balancer, and services
 - Routes default to hosted version of httpbin.org
 - Includes all-in-one script
 
@@ -77,6 +77,14 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
 
 <<< @/docs/docs/examples/kubernetes/authenticate.service.yml
 
+#### authorize.deploy.yml
+
+<<< @/docs/docs/examples/kubernetes/authorize.deploy.yml
+
+#### authorize.service.yml
+
+<<< @/docs/docs/examples/kubernetes/authorize.service.yml
+
 #### proxy.deploy.yml
 
 <<< @/docs/docs/examples/kubernetes/proxy.deploy.yml

docs/docs/examples/docker/nginx.docker-compose.yml

@@ -1,5 +1,4 @@
 version: "3"
-
 services:
   nginx:
     image: pomerium/nginx-proxy:latest

env.example

@@ -14,8 +14,6 @@ export CERTIFICATE_KEY_FILE="./privkey.pem" # optional, defaults to `./certprivk
 
 # The URL that the identity provider will call back after authenticating the user
 export REDIRECT_URL="https://sso-auth.corp.example.com/oauth2/callback"
-# Allow users with emails from the following domain post-fix (e.g. example.com)
-export ALLOWED_DOMAINS=*
 # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
 export SHARED_SECRET=9wiTZq4qvmS/plYQyvzGKWPlH/UBy0DMYMA2x/zngrM=
 export COOKIE_SECRET=uPGHo1ujND/k3B9V6yr52Gweq3RRYfFho98jxDG5Br8=
@@ -44,8 +42,7 @@ export IDP_CLIENT_SECRET="REPLACEME"
 
 # IF GSUITE and you want to get user groups you will need to set a service account
 # see identity provider docs for gooogle for more info :
-# GSUITE_JSON_SERVICE_ACCOUNT='{"impersonate_user": "bdd@pomerium.io"}'
+# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
-# export IDP_SERVICE_ACCOUNT=$(echo $GSUITE_JSON_SERVICE_ACCOUNT | base64)
 
 # OKTA
 # export IDP_PROVIDER="okta"

go.mod

@@ -3,16 +3,14 @@ module github.com/pomerium/pomerium
 go 1.12
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/golang/mock v1.2.0
 	github.com/golang/protobuf v1.3.0
-	github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c // indirect
-	github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 // indirect
 	github.com/pomerium/envconfig v1.4.0
 	github.com/pomerium/go-oidc v2.0.0+incompatible
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/rs/zerolog v1.12.0
 	github.com/stretchr/testify v1.3.0 // indirect
-	golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8 // indirect
 	golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25
 	golang.org/x/net v0.0.0-20190228165749-92fc7df08ae7
 	golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421

go.sum

@@ -7,6 +7,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -18,20 +20,12 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.0 h1:kbxbvI4Un1LUWKxufD+BiE6AEExYYgkQLQmLFqA1LFk=
 github.com/golang/protobuf v1.3.0/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c h1:hqIMb/MbwYamune8FA5YtFAVzfTE8OXRtg9Nf0rzmqo=
-github.com/google/pprof v0.0.0-20190228041337-2ef8d84b2e3c/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pomerium/envconfig v1.3.0 h1:/qJ+JOrWKkd/MgSrBDQ6xYJ7sxzqxiIAB/3qgHwdrHY=
-github.com/pomerium/envconfig v1.3.0/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc=
-github.com/pomerium/envconfig v1.3.1-0.20190112072701-14cbcf832d31 h1:bNqUesLWa+RUxQvSaV3//dEFviXdCSvMF9GKDOopFLU=
-github.com/pomerium/envconfig v1.3.1-0.20190112072701-14cbcf832d31/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc=
 github.com/pomerium/envconfig v1.4.0 h1:o+WY/E/9M4fh0nDX7oJodU7N9p1hcHPsTnNLYjlbQA8=
 github.com/pomerium/envconfig v1.4.0/go.mod h1:1Kz8Ca8PhJDtLYqgvbDZGn6GsJCvrT52SxQ3sPNJkDc=
 github.com/pomerium/go-oidc v2.0.0+incompatible h1:gVvG/ExWsHQqatV+uceROnGmbVYF44mDNx5nayBhC0o=
@@ -48,8 +42,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
-golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8 h1:G3kY3WDPiChidkYzLqbniw7jg23paUtzceZorG6YAJw=
-golang.org/x/arch v0.0.0-20190226203302-36aee92af9e8/go.mod h1:cYlCBUl1MsqxdiKgmc4uh7TxZfWSFLOGSRR090WDxt8=
 golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25 h1:jsG6UpNLt9iAsb0S2AGW28DveNzzgmbXR+ENoPjUeIU=
 golang.org/x/crypto v0.0.0-20190228161510-8dd112bcdc25/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

helm/Chart.yaml

@@ -1,17 +1,26 @@
-name: pomerium
-version: 0.0.1
 apiVersion: v1
-appVersion: 0.0.1
+name: pomerium
+version: 0.0.3
+appVersion: 0.0.3
 home: http://www.pomerium.io/
-description: A reverse proxy that provides IdentityProvider with Google, Okta, Azure or other providers
+icon: https://www.pomerium.io/logo.svg
+description: Pomerium is an identity-aware access proxy.
 keywords:
-- kubernetes
+- proxy
-- oauth
+- access-proxy
+- reverse-proxy
+- sso
+- openid connect
 - oauth2
-- IdentityProvider
+- authorization
+- authentication
 - google
 - okta
 - azure
 sources:
 - https://github.com/pomerium/pomerium
 engine: gotpl
+
+maintainers:
+- name: bobby desimone
+  email: bobby.desimone@gmail.com

helm/templates/_helpers.tpl

@@ -1,7 +1,5 @@
 {{/* vim: set filetype=mustache: */}}
-{{/*
+{{/*Expand the name of the chart.*/}}
-Expand the name of the chart.
-*/}}
 {{- define "pomerium.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -24,9 +22,8 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
-{{/*
+
-Create chart name and version as used by the chart label.
+{{/*Create chart name and version as used by the chart label.*/}}
-*/}}
 {{- define "pomerium.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

helm/templates/all-in-one-deployment.yaml

@@ -0,0 +1,167 @@
+{{- if .Values.omnibusMode -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "pomerium.fullname" . }}
+{{- if .Values.annotations }}
+  annotations:
+{{ toYaml .Values.annotations | indent 4 }}
+{{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "pomerium.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+{{- if .Values.podAnnotations }}
+      annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+      labels:
+        app: {{ template "pomerium.name" . }}
+        chart: {{ template "pomerium.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+    spec:
+{{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+{{- range $key, $value := .Values.extraArgs }}
+{{- if $value }}
+          - --{{ $key }}={{ $value }}
+{{- else }}
+          - --{{ $key }}
+{{- end }}
+{{- end }}
+        env:
+        - name: SERVICES
+          value: all
+        - name: COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: cookie-secret
+        - name: SHARED_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: shared-secret
+        - name: AUTHENTICATE_SERVICE_URL
+          value: {{ .Values.proxy.authenticateServiceUrl }}
+        - name: AUTHORIZE_SERVICE_URL
+          value: {{ .Values.proxy.authorizeServiceUrl }}
+        - name: REDIRECT_URL
+          value: {{ .Values.authenticate.redirectUrl }}
+        - name: PROXY_ROOT_DOMAIN
+          value: {{ .Values.authenticate.proxyRootDomains }}
+        - name: IDP_PROVIDER
+          value: {{ .Values.authenticate.idp.provider }}
+        - name: IDP_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.fullname" . }}
+              key: idp-client-id
+        - name: IDP_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.fullname" . }}
+              key: idp-client-secret
+{{- if .Values.authenticate.idp.url }}
+        - name: IDP_PROVIDER_URL
+          value: {{ .Values.authenticate.idp.url }}
+{{- end }}
+{{- if .Values.config.policyFile }}
+        - name: POLICY_FILE
+          value: /etc/pomerium/policy.yaml
+{{- end }}
+{{- if .Values.config.policy}}
+        - name: POLICY
+          value: {{ .Values.config.policy }}
+{{- end }}
+{{- if .Values.config.cert }}
+        - name: CERTIFICATE
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate
+{{- end }}
+{{- if .Values.config.key }}
+        - name: CERTIFICATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate-key
+{{- end }}
+{{- if .Values.config.ca }}
+        - name: CERTIFICATE_AUTHORITY
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate-authority
+{{- end }}
+{{- range $name, $value := .Values.extraEnv }}
+        - name: {{ $name }}
+          value: {{ quote $value }}
+{{- end }}
+        ports:
+          - containerPort: 443
+            name: https
+            protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: https
+            scheme: HTTPS
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: https
+            scheme: HTTPS
+      
+        volumeMounts:
+        - mountPath: /etc/pomerium/
+          name: {{ template "pomerium.fullname" . }}-policy
+     
+      volumes:
+      - name: {{ template "pomerium.fullname" . }}-policy
+        configMap:
+          name: {{ template "pomerium.fullname" . }}
+      
+      resources:
+{{ toYaml .Values.resources | indent 10 }}
+{{- if .Values.extraVolumes }}
+      volumes:
+{{- toYaml .Values.extraVolumes | indent 8 }}
+{{- end }}
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
+{{- end -}}

helm/templates/all-in-one-service.yaml

@@ -1,6 +1,8 @@
+{{- if .Values.omnibusMode -}}
 apiVersion: v1
 kind: Service
 metadata:
+  name: {{ template "pomerium.fullname" . }}
   labels:
     app: {{ template "pomerium.name" . }}
     chart: {{ template "pomerium.chart" . }}
@@ -9,7 +11,6 @@ metadata:
 {{- if .Values.service.labels }}
 {{ toYaml .Values.service.labels | indent 4 }}
 {{- end }}
-  name: {{ template "pomerium.fullname" . }}
 {{- if .Values.service.annotations }}
   annotations:
 {{ toYaml .Values.service.annotations | indent 4 }}
@@ -27,3 +28,4 @@ spec:
   selector:
     app: {{ template "pomerium.name" . }}
     release: {{ .Release.Name }}
+{{- end -}}

helm/templates/authenticate-deployment.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.omnibusMode -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -6,7 +7,7 @@ metadata:
     chart: {{ template "pomerium.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-  name: {{ template "pomerium.fullname" . }}
+  name: {{ template "pomerium.fullname" . }}-authenticate
 {{- if .Values.annotations }}
   annotations:
 {{ toYaml .Values.annotations | indent 4 }}
@@ -49,7 +50,7 @@ spec:
 {{- end }}
         env:
         - name: SERVICES
-          value: {{ .Values.config.services }}
+          value: authenticate
         - name: COOKIE_SECRET
           valueFrom:
             secretKeyRef:
@@ -60,6 +61,27 @@ spec:
             secretKeyRef:
               name: {{ template "pomerium.fullname" . }}
               key: shared-secret
+        - name: REDIRECT_URL
+          value: {{ .Values.authenticate.redirectUrl }}
+        - name: PROXY_ROOT_DOMAIN
+          value: {{ .Values.authenticate.proxyRootDomains }}
+        - name: IDP_PROVIDER
+          value: {{ .Values.authenticate.idp.provider }}
+        - name: IDP_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.fullname" . }}
+              key: idp-client-id
+        - name: IDP_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.fullname" . }}
+              key: idp-client-secret
+{{- if .Values.authenticate.idp.url }}
+        - name: IDP_PROVIDER_URL
+          value: {{ .Values.authenticate.idp.url }}
+{{- end }}
+
 {{- if .Values.config.cert }}
         - name: CERTIFICATE
           valueFrom:
@@ -81,34 +103,6 @@ spec:
               name: {{ template "pomerium.fullname" . }}
               key: certificate-authority
 {{- end }}
-{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
-        - name: REDIRECT_URL
-          value: {{ .Values.authenticate.redirectUrl }}
-        - name: ALLOWED_DOMAINS
-          value: {{ .Values.authenticate.allowedDomains }}
-        - name: PROXY_ROOT_DOMAIN
-          value: {{ .Values.authenticate.proxyRootDomains }}
-        - name: IDP_PROVIDER
-          value: {{ .Values.authenticate.idp.provider }}
-        - name: IDP_PROVIDER_URL
-          value: {{ .Values.authenticate.idp.url }}
-        - name: IDP_CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              name:  {{ template "pomerium.fullname" . }}
-              key: idp-client-id
-        - name: IDP_CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name:  {{ template "pomerium.fullname" . }}
-              key: idp-client-secret
-{{- end }}
-{{- if or (eq .Values.config.services "proxy") (eq .Values.config.services "all") }}
-        - name: AUTHENTICATE_SERVICE_URL
-          value: {{ .Values.proxy.authenticateServiceUrl }}
-        - name: ROUTES
-          value: {{ template "pomerium.routestring" . }}
-{{- end }}
 {{- range $name, $value := .Values.extraEnv }}
         - name: {{ $name }}
           value: {{ quote $value }}
@@ -127,6 +121,17 @@ spec:
             path: /ping
             port: https
             scheme: HTTPS
+        
+        
+        volumeMounts:
+        - mountPath: /etc/pomerium/
+          name: {{ template "pomerium.fullname" . }}-policy
+     
+      volumes:
+      - name: {{ template "pomerium.fullname" . }}-policy
+        configMap:
+          name: {{ template "pomerium.fullname" . }}
+      
       resources:
 {{ toYaml .Values.resources | indent 10 }}
 {{- if .Values.extraVolumes }}
@@ -149,3 +154,4 @@ spec:
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
 {{- end }}
+{{- end -}}

helm/templates/authenticate-service.yaml

@@ -0,0 +1,31 @@
+{{- if not .Values.omnibusMode -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pomerium.fullname" . }}-authenticate
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.externalPort }}
+      targetPort: https
+      protocol: TCP
+      name: http
+{{- if hasKey .Values.service "nodePort" }}
+    nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+  selector:
+    app: {{ template "pomerium.name" . }}
+    release: {{ .Release.Name }}
+{{- end -}}

helm/templates/authorize-deployment.yaml

@@ -0,0 +1,140 @@
+{{- if not .Values.omnibusMode -}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "pomerium.fullname" . }}-authorize
+{{- if .Values.annotations }}
+  annotations:
+{{ toYaml .Values.annotations | indent 4 }}
+{{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "pomerium.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+{{- if .Values.podAnnotations }}
+      annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+      labels:
+        app: {{ template "pomerium.name" . }}
+        chart: {{ template "pomerium.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+    spec:
+{{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+{{- range $key, $value := .Values.extraArgs }}
+{{- if $value }}
+          - --{{ $key }}={{ $value }}
+{{- else }}
+          - --{{ $key }}
+{{- end }}
+{{- end }}
+        env:
+        - name: SERVICES
+          value: authorize
+        - name: SHARED_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: shared-secret
+{{- if .Values.config.policyFile }}
+        - name: POLICY_FILE
+          value: /etc/pomerium/policy.yaml
+{{- end }}
+{{- if .Values.config.policy}}
+        - name: POLICY
+          value: {{ .Values.config.policy }}
+{{- end }}
+{{- if .Values.config.cert }}
+        - name: CERTIFICATE
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate
+{{- end }}
+{{- if .Values.config.key }}
+        - name: CERTIFICATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate-key
+{{- end }}
+{{- if .Values.config.ca }}
+        - name: CERTIFICATE_AUTHORITY
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate-authority
+{{- end }}
+{{- range $name, $value := .Values.extraEnv }}
+        - name: {{ $name }}
+          value: {{ quote $value }}
+{{- end }}
+        ports:
+          - containerPort: 443
+            name: https
+            protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: https
+            scheme: HTTPS
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: https
+            scheme: HTTPS
+        
+        
+        volumeMounts:
+        - mountPath: /etc/pomerium/
+          name: {{ template "pomerium.fullname" . }}-policy
+     
+      volumes:
+      - name: {{ template "pomerium.fullname" . }}-policy
+        configMap:
+          name: {{ template "pomerium.fullname" . }}
+      
+      resources:
+{{ toYaml .Values.resources | indent 10 }}
+{{- if .Values.extraVolumes }}
+      volumes:
+{{- toYaml .Values.extraVolumes | indent 8 }}
+{{- end }}
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
+{{- end }}

helm/templates/authorize-service.yaml

@@ -0,0 +1,31 @@
+{{- if not .Values.omnibusMode -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pomerium.fullname" . }}-authorize
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.externalPort }}
+      targetPort: https
+      protocol: TCP
+      name: http
+{{- if hasKey .Values.service "nodePort" }}
+    nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+  selector:
+    app: {{ template "pomerium.name" . }}
+    release: {{ .Release.Name }}
+{{- end }}

helm/templates/configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "pomerium.fullname" . }}
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+data:
+  policy.yaml: {{toYaml .Values.config.policyFile | indent 4}}

helm/templates/ingress.yaml

@@ -5,24 +5,21 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
+  name: {{ template "pomerium.fullname" . }}
   labels:
     app: {{ template "pomerium.name" . }}
     chart: {{ template "pomerium.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
-{{- if .Values.ingress.labels }}
+{{- if .Values.ingress.labels }} {{ toYaml .Values.ingress.labels | indent 4 }} {{- end }}
-{{ toYaml .Values.ingress.labels | indent 4 }}
-{{- end }}
-  name: {{ template "pomerium.fullname" . }}
 {{- if .Values.ingress.annotations }}
   annotations:
 {{ toYaml .Values.ingress.annotations | indent 4 }}
 {{- end }}
+
 spec:
   rules:
-{{- if .Values.ingress.extraRules }}
+{{- if .Values.ingress.extraRules }}{{ toYaml .Values.ingress.extraRules | indent 4 }}{{- end }}
-{{ toYaml .Values.ingress.extraRules | indent 4 }}
-{{- end }}
 {{- if .Values.ingress.hosts }}
 {{- range $host := .Values.ingress.hosts }}
     - host: {{ $host }}

helm/templates/proxy-deployment.yaml

@@ -0,0 +1,148 @@
+{{- if not .Values.omnibusMode -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "pomerium.fullname" . }}-proxy
+{{- if .Values.annotations }}
+  annotations:
+{{ toYaml .Values.annotations | indent 4 }}
+{{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "pomerium.name" . }}
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+{{- if .Values.podAnnotations }}
+      annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+      labels:
+        app: {{ template "pomerium.name" . }}
+        chart: {{ template "pomerium.chart" . }}
+        heritage: {{ .Release.Service }}
+        release: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+    spec:
+{{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+{{- range $key, $value := .Values.extraArgs }}
+{{- if $value }}
+          - --{{ $key }}={{ $value }}
+{{- else }}
+          - --{{ $key }}
+{{- end }}
+{{- end }}
+        env:
+        - name: SERVICES
+          value: authorize
+        - name: COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: cookie-secret
+        - name: SHARED_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: shared-secret             
+        - name: AUTHENTICATE_SERVICE_URL
+          value: {{ .Values.proxy.authenticateServiceUrl }}
+        - name: AUTHORIZE_SERVICE_URL
+          value: {{ .Values.proxy.authorizeServiceUrl }}
+{{- if .Values.config.policyFile }}
+        - name: POLICY_FILE
+          value: /etc/pomerium/policy.yaml
+{{- end }}
+{{- if .Values.config.policy}}
+        - name: POLICY
+          value: {{ .Values.config.policy }}
+{{- end }}
+{{- if .Values.config.cert }}
+        - name: CERTIFICATE
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate
+{{- end }}
+{{- if .Values.config.key }}
+        - name: CERTIFICATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate-key
+{{- end }}
+{{- if .Values.config.ca }}
+        - name: CERTIFICATE_AUTHORITY
+          valueFrom:
+            secretKeyRef:
+              name: {{ template "pomerium.fullname" . }}
+              key: certificate-authority
+{{- end }}
+{{- range $name, $value := .Values.extraEnv }}
+        - name: {{ $name }}
+          value: {{ quote $value }}
+{{- end }}
+        ports:
+          - containerPort: 443
+            name: https
+            protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: https
+            scheme: HTTPS
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: https
+            scheme: HTTPS
+        
+        
+        volumeMounts:
+        - mountPath: /etc/pomerium/
+          name: {{ template "pomerium.fullname" . }}-policy
+     
+      volumes:
+      - name: {{ template "pomerium.fullname" . }}-policy
+        configMap:
+          name: {{ template "pomerium.fullname" . }}
+      
+      resources:
+{{ toYaml .Values.resources | indent 10 }}
+{{- if .Values.extraVolumes }}
+      volumes:
+{{- toYaml .Values.extraVolumes | indent 8 }}
+{{- end }}
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
+{{- end }}

helm/templates/proxy-service.yaml

@@ -0,0 +1,31 @@
+{{- if not .Values.omnibusMode }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pomerium.fullname" . }}-proxy
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.externalPort }}
+      targetPort: https
+      protocol: TCP
+      name: http
+{{- if hasKey .Values.service "nodePort" }}
+    nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+  selector:
+    app: {{ template "pomerium.name" . }}
+    release: {{ .Release.Name }}
+{{- end }}

helm/templates/secret.yaml

@@ -10,18 +10,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
-  idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }}
-  idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }}
-{{- end }}
   cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }}
   shared-secret: {{ .Values.config.sharedSecret | b64enc | quote }}
-{{- if .Values.config.cert }}
+  idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }}
-  certificate: {{ .Values.config.cert | b64enc | quote }}
+  idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }}
-{{- end }}
+  certificate: {{- if .Values.config.cert }} {{ .Values.config.cert | b64enc | quote }} {{- end }}
-{{- if .Values.config.key }}
+  certificate-key: {{- if .Values.config.key }} {{ .Values.config.key | b64enc | quote }} {{- end }}
-  certificate-key: {{ .Values.config.key | b64enc | quote }}
+  certificate-authority: {{- if .Values.config.ca }} {{ .Values.config.ca | b64enc | quote }} {{- end }}
-{{- end }}
-{{- if .Values.config.ca }}
-  certificate-authority: {{ .Values.config.ca | b64enc | quote }}
-{{- end }}

helm/templates/tls-secrets.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .name }}
+  labels:
+    app: {{ template "pomerium.name" . }}
+    chart: {{ template "pomerium.chart" . }}
+    release: {{ .Release.Name | quote }}
+    heritage: {{ .Release.Service | quote }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .certificate | b64enc }}
+  tls.key: {{ .key | b64enc }}
+---
+{{- end }}
+{{- end }}

helm/values.yaml

@@ -1,40 +1,63 @@
-# All config settings are required. sharedSecret must match between the authenticate
+# For detailed explanation of each of the configuration settings see
-# and proxy deployments.
+# https://www.pomerium.io/docs/config-reference.htmls
-config:
+
-  sharedSecret: "XXXXXXXX"
+# run pomerium in "all-in-one" mode where all services are run from a single node
-  cookieSecret: "XXXXXXXX"
+omnibusMode: false 
-  services: all
+
-  cert:
+config: # settings that are shared by all services
-  key:
+  sharedSecret: "LL3g/NoKkao7mTec2/wYSOZAki1VbR89q+kqbdFj0c4=" # head -c32 /dev/urandom | base64
-# All below required if config.services is "authenticate" or "all"
+  cookieSecret: "tAhd5A5Y8R/H/msFhkNdt8dCym2SatVbh4UrcDk3+Ms=" # head -c32 /dev/urandom | base64
-authenticate:
+  cert: # base64 -i cert.pem or using a volume
-  redirectUrl: http://example.com/oauth2/callback
+  key:  # base64 -i privkey.pem or using a volume
-  allowedDomains: example.com
+  policyFile: |-
-  proxyRootDomains: example.com
+    - from: httpbin.corp.pomerium.io
-  idp:
+      to: http://httpbin
+      allowed_domains:
+      - pomerium.io
+    - from: external-httpbin.corp.pomerium.io
+      to: httpbin.org
+      allowed_domains:
+      - gmail.com
+    - from: weirdlyssl.corp.pomerium.io
+      to: http://neverssl.com
+      allowed_users:
+      - bdd@pomerium.io
+      allowed_groups:
+      - admins
+      - developers
+    - from: hello.corp.pomerium.io
+      to: http://hello:8080
+      allowed_groups:
+      - admins
+
+
+authenticate: # values specific to the authenticate service
+  name: authenticate # container name
+  redirectUrl: https://auth.corp.pomerium.io/oauth2/callback
+  proxyRootDomains: pomerium.io
+  idp: # see https://www.pomerium.io/docs/identity-providers.html 
     provider: okta
     url: https://example.oktapreview.com/oauth2/default
     clientID: "XXXXXXXX"
     clientSecret: "XXXXXXXX"
-# All below required if config.serviceModes is "proxy" or "all"
-proxy:
-  authenticateServiceUrl: https://example.com/oauth2/callback
-  routes: {}
-  # routes:
-  #   "http.corp.example.com": "httpbin.org"
 
-# For any other settings that are optional
+authorize: # values specific to the authorize service
-# ADDRESS, POMERIUM_DEBUG, CERTIFICATE_FILE, CERTIFICATE_KEY_FILE, CERTIFICATE_AUTHORITY_FILE,
+  name: authorize # container name
-# PROXY_ROOT_DOMAIN, COOKIE_DOMAIN, COOKIE_EXPIRE, COOKIE_REFRESH, COOKIE_SECURE, COOKIE_HTTP_ONLY, IDP_SCOPES
+
-# AUTHENTICATE_INTERNAL_URL, AUTHENTICATE_SERVICE_PORT, OVERRIDE_CERTIFICATE_NAME, DEFAULT_UPSTREAM_TIMEOUT, COOKIE_LIFETIME,
+proxy: # values specific to the proxy service
+  name: proxy # container name
+  authenticateServiceUrl: https://auth.corp.pomerium.io
+  authorizeServiceUrl: https://access.corp.pomerium.io
+
+# For any other settings that are optional. for a complete listing see:
+# https://www.pomerium.io/docs/config-reference.html
 extraEnv: {}
-
 extraArgs: {}
 extraVolumes: {}
 
 image:
   repository: "pomerium/pomerium"
-  tag: "0.0.1"
+  tag: "latest"
   pullPolicy: "IfNotPresent"
 
 service:
@@ -46,20 +69,32 @@ service:
 
 ingress:
   enabled: false
-  path: /
+  # path: /
   # Used to create an Ingress record.
   # hosts:
-    # - chart-example.local
+  #   - "*.corp.example.com"
+  #   - "auth.corp.example.com"
+  #   - "access.corp.example.com"
   # annotations:
   #   kubernetes.io/ingress.class: nginx
   #   kubernetes.io/tls-acme: "true"
+  
   # tls:
   # Secrets must be manually created in the namespace.
-    # - secretName: chart-example-tls
+  # - secretName: pomerium-tls
   #   hosts:
   #     - chart-example.local
+  # secrets:
+  ## If you're providing your own certificates, please use this to add the certificates as secrets
+  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+  ## -----BEGIN RSA PRIVATE KEY-----
+  ## 
+  # - name: pomerium-tls
+  #   key:
+  #   certificate:
 
-resources: {}
+resources:
+  {}
   # limits:
   #   cpu: 100m
   #   memory: 300Mi

internal/identity/google.go

@@ -194,14 +194,7 @@ func (p *GoogleProvider) Refresh(ctx context.Context, s *sessions.SessionState)
 	if err != nil {
 		return nil, fmt.Errorf("identity/google: could not retrieve groups %v", err)
 	}
-
+	s.Groups = groups
-	log.Info().
-		Str("refresh-token", s.RefreshToken).
-		Str("new-access-token", newToken.AccessToken).
-		Str("new-expiry", time.Until(newToken.Expiry).String()).
-		Strs("Groups", groups).
-		Msg("identity: refresh")
-
 	return s, nil
 }
 

internal/identity/microsoft.go

@@ -181,7 +181,7 @@ func (p *AzureProvider) UserGroups(ctx context.Context, accessToken string) ([]s
 	}
 	var groups []string
 	for _, group := range response.Groups {
-		log.Info().Str("DisplayName", group.DisplayName).Str("ID", group.ID).Msg("identity/microsoft: group")
+		log.Debug().Str("DisplayName", group.DisplayName).Str("ID", group.ID).Msg("identity/microsoft: group")
 		groups = append(groups, group.DisplayName)
 	}
 	return groups, nil

internal/identity/onelogin.go

@@ -135,7 +135,7 @@ func (p *OneLoginProvider) UserGroups(ctx context.Context, accessToken string) (
 	}
 	var groups []string
 	for _, group := range response.Groups {
-		log.Info().Str("ID", group).Msg("identity/onelogin: group")
+		log.Debug().Str("ID", group).Msg("identity/onelogin: group")
 		groups = append(groups, group)
 	}
 	return groups, nil

internal/log/log.go

@@ -15,7 +15,7 @@ var Logger = zerolog.New(os.Stdout).With().Timestamp().Logger()
 // SetDebugMode tells the logger to use standard out and pretty print output.
 func SetDebugMode() {
 	Logger = Logger.Output(zerolog.ConsoleWriter{Out: os.Stdout})
-	zerolog.SetGlobalLevel(zerolog.InfoLevel)
+	// zerolog.SetGlobalLevel(zerolog.InfoLevel)
 }
 
 // With creates a child logger with the field added to its context.

internal/policy/policy.go

@@ -7,8 +7,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pomerium/pomerium/internal/log"
-
 	"github.com/pomerium/pomerium/internal/fileutil"
 	yaml "gopkg.in/yaml.v2"
 )
@@ -55,7 +53,6 @@ func FromConfig(confBytes []byte) ([]Policy, error) {
 			return nil, err
 		}
 	}
-	log.Info().Msgf("from config %+v", f)
 	return f, nil
 }
 

proto/authorize/mock_authorize/mock_authorize.go

@@ -0,0 +1,57 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/pomerium/pomerium/proto/authorize (interfaces: AuthorizerClient)
+
+// Package mock_authorize is a generated GoMock package.
+package mock_authorize
+
+import (
+	context "context"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	authorize "github.com/pomerium/pomerium/proto/authorize"
+	grpc "google.golang.org/grpc"
+)
+
+// MockAuthorizerClient is a mock of AuthorizerClient interface
+type MockAuthorizerClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockAuthorizerClientMockRecorder
+}
+
+// MockAuthorizerClientMockRecorder is the mock recorder for MockAuthorizerClient
+type MockAuthorizerClientMockRecorder struct {
+	mock *MockAuthorizerClient
+}
+
+// NewMockAuthorizerClient creates a new mock instance
+func NewMockAuthorizerClient(ctrl *gomock.Controller) *MockAuthorizerClient {
+	mock := &MockAuthorizerClient{ctrl: ctrl}
+	mock.recorder = &MockAuthorizerClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockAuthorizerClient) EXPECT() *MockAuthorizerClientMockRecorder {
+	return m.recorder
+}
+
+// Authorize mocks base method
+func (m *MockAuthorizerClient) Authorize(arg0 context.Context, arg1 *authorize.AuthorizeRequest, arg2 ...grpc.CallOption) (*authorize.AuthorizeReply, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Authorize", varargs...)
+	ret0, _ := ret[0].(*authorize.AuthorizeReply)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Authorize indicates an expected call of Authorize
+func (mr *MockAuthorizerClientMockRecorder) Authorize(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Authorize", reflect.TypeOf((*MockAuthorizerClient)(nil).Authorize), varargs...)
+}

proxy/clients/authenticate_client.go

@@ -23,9 +23,9 @@ type Authenticator interface {
 	Close() error
 }
 
-// NewAuthenticateClient returns a new authenticate service client.
+// NewAuthenticateClient returns a new authenticate service client. Presently,
+// only gRPC is supported and is always returned so name is ignored.
 func NewAuthenticateClient(name string, opts *Options) (a Authenticator, err error) {
-	// Only gRPC is supported and is always returned so name is ignored
 	return NewGRPCAuthenticateClient(opts)
 }
 
@@ -112,8 +112,6 @@ func (a *AuthenticateGRPC) Validate(ctx context.Context, idToken string) (bool,
 	// }
 	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
 	defer cancel()
-	// todo(bdd): add grpc specific timeouts to main options
-	// todo(bdd): handle request id (metadata!?) in grpc receiver and add to ctx logger
 	r, err := a.client.Validate(ctx, &pb.ValidateRequest{IdToken: idToken})
 	if err != nil {
 		return false, err

proxy/clients/authorize_client_test.go

@@ -4,37 +4,35 @@ import (
 	"context"
 	"testing"
 
+	"github.com/golang/mock/gomock"
 	"github.com/pomerium/pomerium/internal/sessions"
-	pb "github.com/pomerium/pomerium/proto/authorize"
+	"github.com/pomerium/pomerium/proto/authorize"
-	"google.golang.org/grpc"
+	mock "github.com/pomerium/pomerium/proto/authorize/mock_authorize"
 )
 
 func TestAuthorizeGRPC_Authorize(t *testing.T) {
-	type fields struct {
+	ctrl := gomock.NewController(t)
-		Conn   *grpc.ClientConn
+	defer ctrl.Finish()
-		client pb.AuthorizerClient
+	client := mock.NewMockAuthorizerClient(ctrl)
-	}
+	client.EXPECT().Authorize(
-	type args struct {
+		gomock.Any(),
-		ctx   context.Context
+		gomock.Any(),
-		route string
+	).Return(&authorize.AuthorizeReply{IsValid: true}, nil).AnyTimes()
-		s     *sessions.SessionState
+
-	}
 	tests := []struct {
 		name    string
-		fields  fields
+		route   string
-		args    args
+		s       *sessions.SessionState
 		want    bool
 		wantErr bool
 	}{
-		// TODO: Add test cases.
+		{"good", "hello.pomerium.io", &sessions.SessionState{User: "admin@pomerium.io", Email: "admin@pomerium.io"}, true, false},
+		{"session cannot be nil", "hello.pomerium.io", nil, false, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			a := &AuthorizeGRPC{
+			a := &AuthorizeGRPC{client: client}
-				Conn:   tt.fields.Conn,
+			got, err := a.Authorize(context.Background(), tt.route, tt.s)
-				client: tt.fields.client,
-			}
-			got, err := a.Authorize(tt.args.ctx, tt.args.route, tt.args.s)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("AuthorizeGRPC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
 				return

proxy/clients/clients.go

@@ -86,9 +86,7 @@ func NewGRPCClientConn(opts *Options) (*grpc.ClientConn, error) {
 		cp = newCp
 	}
 
-	log.Info().
+	log.Debug().Str("cert-override-name", opts.OverrideCertificateName).Str("addr", connAddr).Msgf("proxy/clients: grpc connection")
-		Str("OverrideCertificateName", opts.OverrideCertificateName).
-		Str("addr", connAddr).Msgf("proxy/clients: grpc connection")
 	cert := credentials.NewTLS(&tls.Config{RootCAs: cp})
 
 	// override allowed certificate name string, typically used when doing behind ingress connection

proxy/handlers.go

@@ -212,7 +212,7 @@ func (p *Proxy) OAuthCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	log.FromRequest(r).Info().
+	log.FromRequest(r).Debug().
 		Str("code", r.Form.Get("code")).
 		Str("state", r.Form.Get("state")).
 		Str("RefreshToken", session.RefreshToken).

proxy/proxy.go

@@ -79,7 +79,7 @@ var defaultOptions = &Options{
 	DefaultUpstreamTimeout: time.Duration(30) * time.Second,
 }
 
-// OptionsFromEnvConfig builds the IdentityProvider service's configuration
+// OptionsFromEnvConfig builds the identity provider service's configuration
 // options from provided environmental variables
 func OptionsFromEnvConfig() (*Options, error) {
 	o := defaultOptions

scripts/generate_wildcard_cert.sh

@@ -1,16 +1,10 @@
 #!/bin/bash
-
+# requires acme.sh see : https://github.com/Neilpang/acme.sh
-# requires acme.sh
-# see : https://github.com/Neilpang/acme.sh
-# uncomment below to install
 # curl https://get.acme.sh | sh
-
+echo "=> manually issue a wildcard certificate, renewal is up to you!"
-# assumes cloudflare, but many DNS providers are supported
-
-export CF_Key="x"
-export CF_Email="x@x.com"
-
 $HOME/.acme.sh/acme.sh \
 	--issue \
+	-k ec-256 \
 	-d '*.corp.beyondperimeter.com' \
-	--dns dns_cf
+	--dns \
+	--yes-I-know-dns-manual-mode-enough-go-ahead-please

scripts/helm_gke.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+# PRE-REQ:
+# 1) Install Helm : You should verify the content of this script before running.
+# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
+
+echo "=> [GCE] creating cluster"
+gcloud container clusters create pomerium
+
+echo "=> [GCE] get cluster credentials so we can use kubctl locally"
+gcloud container clusters get-credentials pomerium
+
+echo "=> [GCE] ensure your user account has the cluster-admin role in your cluster"
+kubectl create \
+	clusterrolebinding \
+	user-admin-binding \
+	--clusterrole=cluster-admin \
+	--user=$(gcloud config get-value account)
+
+echo "=> Create a service account that Tiller, the server side of Helm, can use for deploying your charts."
+kubectl create serviceaccount tiller --namespace kube-system
+
+echo "=> Grant the Tiller service account the cluster-admin role in your cluster"
+kubectl create clusterrolebinding tiller-admin-binding --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
+
+echo "=> initialize Helm to install Tiller in your cluster"
+helm init --service-account=tiller
+helm repo update
+
+echo "=> install pomerium with helm substituting configuration values as required; be sure to change these"
+helm install helm/. \
+	--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
+	--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
+	--set config.cert=$(base64 -i cert.pem) \
+	--set config.key=$(base64 -i privkey.pem) \
+	--set config.policy=$(cat policy.example.yaml) \
+	--set authentiate.idp.provider="google" \
+	--set authentiate.proxyRootDomains="pomerium.io" \
+	--set authentiate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
+	--set authentiate.idp.clientID="REPLACE_ME" \
+	--set authentiate.idp.clientSecret="REPLACE_ME" \
+	--set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
+	--set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
+
+# When done, clean up by deleting the cluster!
+#
+# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES!
+# gcloud container clusters delete pomerium

scripts/kubernetes_gke.sh

@@ -28,8 +28,8 @@ kubectl create configmap -n pomerium policy --from-literal=policy=$(cat policy.e
 
 echo "=> settingidp-client-secret, you changed this right? :)"
 exit 1 # comment out or delete this line once you change the following two settings
-# kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACEME
+kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACE_ME
-# kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json)
+kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json)
 
 echo "=> apply the proxy, authorize, and authenticate deployment configs"
 kubectl apply -f docs/docs/examples/kubernetes/authorize.deploy.yml

scripts/self-signed-sign-key.sh

@@ -1,47 +0,0 @@
-#!/bin/bash
-# Thank you @ https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe
-# See also:
-#   https://cloud.google.com/iot/docs/how-tos/credentials/keys#generating_an_es256_key_with_a_self-signed_x509_certificate
-#   https://community.letsencrypt.org/t/ecc-certificates/46729
-#
-# Let’s Encrypt currently generates RSA certificates, but not yet ECDSA certificates.
-# Support for generating ECDSA certificates is on the horizon, but is not here yet.
-# However, Let’s Encrypt does support *signing* ECDSA certificates when presented with a
-# Certificate Signing Request. So we can generate the appropriate CSR on the client,
-# and send it to Let’s Encrypt using the --csr option of the certbot client for Let’s Encrypt to sign.
-
-# The following generates a NIST P-256 (aka secp256r1 aka prime256v1) EC Key Pair
-openssl ecparam \
-	-genkey \
-	-name prime256v1 \
-	-noout \
-	-out ec_private.pem
-
-openssl req -x509 -new \
-	-key ec_private.pem \
-	-days 365 \
-	-out ec_public.pem \
-	-subj "/CN=unused"
-
-openssl req -new \
-	-sha512 \
-	-key privkey.pem \
-	-nodes \
-	-subj "/CN=beyondperimeter.com" \
-	-reqexts SAN \
-	-extensions SAN \
-	-config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.corp.beyondperimeter.com')) \
-	-out csr.pem \
-	-outform pem
-
-openssl req -in csr.pem -noout -text
-
-certbot certonly \
-	--preferred-challenges dns-01 \
-	--work-dir le/work \
-	--config-dir le/config \
-	--logs-dir le/logs \
-	--agree-tos \
-	--email bobbydesimone@gmail.com \
-	-d *.corp.beyondperimeter.com \
-	--csr csr.pem