Docs: Ingress Controller (#2667)

* update k8s install for ingress conrtoller * typo correction * prep k8s section * squashme * init Ingress Controller doc Co-authored-by: travisgroth <tgroth@pomerium.com> Co-authored-by: wasaga <dmishin@pomerium.com> * update, organize, annotate * breakout custom from standard annotations * more info links * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * prep k8s section * document YAML policies in Ingress * sort and compress standard annotations * final draft * link cleanup * Create ingress.md * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Apply suggestions from code review * rm redundant config * fix file reference * update available annotations * Copy Proofread Grammar updates. * discussed copy edit * whitespace cleanup * add redirect for moved k8s docs * fixed malformed links * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> partial copy edits Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> partial copy edits Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> partial copy edits * One last TLS * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * clarify namespaces flag * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: travisgroth <tgroth@pomerium.com> Co-authored-by: wasaga <dmishin@pomerium.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: cmo-pomerium <91488121+cmo-pomerium@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-04-29 10:26:29 +02:00 · 2021-11-04 12:59:51 -05:00 · 2021-11-04 12:59:51 -05:00 · 4cb3281af7
commit 4cb3281af7
parent ea45ba70c8
14 changed files with 441 additions and 32 deletions
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -113,8 +113,8 @@ module.exports = {
          sidebarDepth: 0,
          children: [
            "install/",
+            ["k8s/helm", "Kubernetes"],
            "install/binary",
-            "install/helm",
            "install/from-source",
          ],
        },
@ -156,18 +156,29 @@ module.exports = {
            },
          ],
        },
+        {
+          title: "Kubernetes",
+          collapsable: false,
+          path: "/docs/k8s/",
+          type: "group",
+          sidebarDepth: 0,
+          children: [
+            "k8s/",
+            "k8s/helm",
+            "k8s/ingress",
+          ]
+        },
        {
          title: "Topics",
          collapsable: false,
          path: "/docs/topics/",
          type: "group",
-          sidebarDepth: 1,
+          sidebarDepth: 0,
          children: [
            "topics/certificates",
            "topics/data-storage",
            "topics/getting-users-identity",
            "topics/original-request-context",
-            "topics/kubernetes-integration",
            "topics/production-deployment",
            "topics/programmatic-access",
            "topics/single-sign-out",
--- a/docs/.vuepress/public/_redirects
+++ b/docs/.vuepress/public/_redirects
@ -67,4 +67,6 @@
 /docs/quick-start/synology.html             /docs/guides/synology.html

 /docs/client.html                           /docs/tcp/client.html
-/docs/topics/tcp-support.html               /docs/tcp/
+/docs/topics/tcp-support.html               /docs/tcp/
+/docs/install/helm.html                     /docs/k8s/helm.html
+/docs/topics/kubernetes-integration.html    /docs/k8s/
--- a/docs/docs/install/helm.md
+++ b/docs/docs/install/helm.md
@ -1,12 +1,12 @@
 ---
-title: Kubernetes / Helm
+title: Helm
 lang: en-US
 meta:
  - name: keywords
    content: pomerium identity-access-proxy oidc kubernetes Helm reverse-proxy
 ---

-# Pomerium using Helm
+# Install Pomerium using Helm

 This quick-start will show you how to deploy Pomerium with [Helm] on [Kubernetes].

@ -116,7 +116,7 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
   <<< @/examples/kubernetes/pomerium-certificates.yaml

   ::: tip
-   If you already have a domain space for Pomerium with a certificate solution, use it in place of `*.localhost.pomerium.io`.
+   If you already have a domain space for Pomerium with a certificate solution, use it in place of `.localhost.pomerium.io`.
   :::

 1. Apply the certificate configuration, and confirm:
@ -148,6 +148,14 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
   helm repo add pomerium https://helm.pomerium.io
   ```

+1. Install Pomerium to the cluster:
+
+   ```bash
+   helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml
+   ```
+
+## Define a Test Service
+
 1. So that we can create a valid test route, add Bitnami's Helm repo to pull nginx from:

   ```bash
@ -166,10 +174,14 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
   helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP
   ```

-1. Install Pomerium to the cluster:
+1. Create a new Ingress manifest (`example-ingress.yaml`) for our test service:
+
+   <<< @/examples/kubernetes/example-ingress.yaml
+
+1. Apply the nginx Ingress manifest to the cluster:

   ```bash
-   helm upgrade --install pomerium pomerium/pomerium --values ./pomerium-values.yaml
+   kubectl apply -f example-ingress.yaml
   ```

 ## Navigate
--- a/docs/docs/topics/img/kubernetes-integration.svg
+++ b/docs/docs/topics/img/kubernetes-integration.svg
--- a/docs/docs/k8s/img/logged-in-as.png
+++ b/docs/docs/k8s/img/logged-in-as.png
--- a/docs/docs/k8s/ingress.md
+++ b/docs/docs/k8s/ingress.md
@ -0,0 +1,364 @@
+---
+title: Ingress Controller
+lang: en-US
+sidebarDepth: 1
+meta:
+  - name: keywords
+    content: pomerium identity-access-proxy oidc kubernetes Ingress reverse-proxy
+---
+
+# Kubernetes Ingress Controller
+
+Use Pomerium as a first-class secure-by-default Ingress Controller. The Pomerium Ingress Controller enables workflows more native to Kubernetes environments, such as Git-Ops style actions based on pull requests. Dynamically provision routes from Ingress resources and set policy based on annotations. By defining routes as Ingress resources you can independently create and remove them from Pomerium's configuration.
+
+## Prerequisites
+
+- A certificate management solution. If you do not already have one in place, this article covers using [cert-manager](https://cert-manager.io/).
+- A [Redis](https://redis.io/) backend with high [persistence](https://redis.io/topics/persistence) is highly recommended.
+
+### System Requirements
+
+- Kubernetes v1.19.0+
+- Pomerium [Helm Chart](https://github.com/pomerium/pomerium-helm/tree/master/charts/pomerium) v25.0.0+
+
+### Limitations
+
+::: warning
+
+Only one Ingress Controller instance is supported per Pomerium cluster.
+
+:::
+
+## Installation
+
+### Helm
+
+Our instructions for [Installing Pomerium Using Helm](/docs/k8s/helm.md) includes the Ingress Controller as part of the documented configuration. You can confirm by looking for this line in `pomerium-values.yaml`:
+
+
+```yaml
+ingressController:
+  enabled: true
+```
+
+### Docker Image
+
+You may deploy the Ingress controller from your own manifests by using the `pomerium/ingress-controller` docker image.
+
+## Configuration
+
+|  Flag                          | Description                                                          |
+| ------------------------------ | -------------------------------------------------------------------- |
+| `--databroker-service-url`     | The databroker service url
+| `--databroker-tls-ca`          | `base64` encoded TLS CA
+| `--databroker-tls-ca-file`     | TLS CA file path for the databroker connection connection
+| `--health-probe-bind-address`  | The address the probe endpoint binds to. (default ":8081")
+| `--metrics-bind-address`       | The address the metric endpoint binds to. (default ":8080")
+| `--name`                       | IngressClass controller name (default "pomerium.io/ingress-controller")
+| `--namespaces`                 | Namespaces to watch, omit to watch all namespaces
+| `--prefix`                     | Ingress annotation prefix (default "ingress.pomerium.io")
+| `--shared-secret`              | `base64` encoded shared secret for communicating with databroker
+| `--update-status-from-service` | Update ingress status from given service status (pomerium-proxy)|
+
+The helm chart exposes a subset of these flags for appropriate customization.
+
+## Usage
+
+### Defining Routes
+
+If you've tested Pomerium using the [all-in-one binary](/docs/install/binary.md), you're probably familiar with configuring routes in Pomerium's [`config.yaml`](/docs/install/binary.md#configuration-file). When using the Pomerium Ingress Controller, each route is defined as an Ingress resource in the Kubernetes API.
+
+The Ingress Controller will monitor Ingress resources in the cluster, creating a Pomerium route definition for each one. Policy and other configuration options for the route are set by using annotations starting with `ingress.pomerium.io/`.
+
+Example:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress.pomerium.io/policy: '[{"allow":{"and":[{"email":{"is":"user@yourdomain.com"}}]}}]' # This can also be a yaml block quote
+spec:
+  rules:
+  - host: hello.localhost.pomerium.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: nginx-hello
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+```
+
+Becomes:
+
+```yaml
+routes:
+  - from: https://hello.localhost.pomerium.io
+    to: http://nginx-hello.default.svc.cluster.local
+    policy:
+    - allow:
+        and:
+          - email:
+              is: user@yourdomain.com
+```
+
+::: details Write Policies in YAML
+
+You can also define a route's policies using YAML:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: name
+  annotations:
+    ingress.pomerium.io/policy: |
+      - allow:
+          or:
+            - domain:
+                is: pomerium.com
+```
+
+:::
+
+### Supported Annotations
+
+Most configuration keys in non-Kubernetes deployments can be specified as annotation in an Ingress Resource definition. The format is `ingress.pomerium.io/${OPTION_NAME}`. The expandable list below contains the annotations available, which behave as described in our reference documentation (with links to the appropriate reference documentation).
+
+::: details Pomerium-Standard Annotations
+
+- [`ingress.pomerium.io/allow_any_authenticated_user`]
+- [`ingress.pomerium.io/allow_public_unauthenticated_access`]
+- [`ingress.pomerium.io/allow_websockets`]
+- [`ingress.pomerium.io/allowed_domains`]
+- [`ingress.pomerium.io/allowed_groups`]
+- [`ingress.pomerium.io/allowed_idp_claims`]
+- [`ingress.pomerium.io/allowed_users`]
+- [`ingress.pomerium.io/cors_allow_preflight`]
+- [`ingress.pomerium.io/host_path_regex_rewrite_pattern`]
+- [`ingress.pomerium.io/host_path_regex_rewrite_substitution`]
+- [`ingress.pomerium.io/host_rewrite`]
+- [`ingress.pomerium.io/host_rewrite_header`]
+- [`ingress.pomerium.io/idle_timeout`]
+- [`ingress.pomerium.io/outlier_detection`]
+- [`ingress.pomerium.io/pass_identity_headers`]
+- [`ingress.pomerium.io/policy`]
+- [`ingress.pomerium.io/preserve_host_header`]
+- [`ingress.pomerium.io/remove_request_headers`]
+- [`ingress.pomerium.io/rewrite_response_headers`]
+- [`ingress.pomerium.io/set_request_headers`]
+- [`ingress.pomerium.io/set_response_headers`]
+- [`ingress.pomerium.io/timeout`]
+- [`ingress.pomerium.io/tls_server_name`]
+- [`ingress.pomerium.io/tls_skip_verify`]
+
+:::
+
+The remaining annotations are specific to or behave differently than they do when using Pomerium without the Ingress Controller:
+
+| Annotation                        | Description |
+| --------------------------------- | ------------------------------------------------------------------------------------------- |
+| `ingress.pomerium.io/tls_custom_ca_secret`            | Name of Kubernetes `tls` Secret containing a custom [CA certificate][`tls_custom_ca_secret`] for the upstream. |
+| `ingress.pomerium.io/tls_client_secret`               | Name of Kubernetes `tls` Secret containing a [client certificate][tls_client_certificate] for connecting to the upstream. |
+| `ingress.pomerium.io/tls_downstream_client_ca_secret` | Name of Kubernetes `tls` Secret containing a [Client CA][client-certificate-authority] for validating downstream clients. |
+| `ingress.pomerium.io/secure_upstream`                 | When set to true, use `https` when connecting to the upstream endpoint. |
+
+::: tip
+
+Every value for the annotations above must be in `string` format.
+
+:::
+
+### cert-manager Integration
+
+Pomerium Ingress Controller can use [cert-manager](https://cert-manager.io/) to automatically provision certificates. These may come from the [ingress-shim](https://cert-manager.io/docs/usage/ingress/) or explicitly configured [`Certificate` resources](https://cert-manager.io/docs/usage/certificate/).
+
+To use [HTTP01 Challenges](https://cert-manager.io/docs/configuration/acme/http01/) with your [Issuer](https://cert-manager.io/docs/concepts/issuer/), configure the solver class to match the Ingress Controller. The Ingress Controller will automatically configure policy to facilitate the HTTP01 challenge:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: example-issuer
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: example-issuer-account-key
+    solvers:
+    - http01:
+       ingress:
+         class: pomerium
+```
+
+An example of using the [ingress-shim](https://cert-manager.io/docs/usage/ingress/) with an Ingress resource managed by Pomerium:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/issuer: example-issuer
+    ingress.pomerium.io/policy: '[{"allow":{"and":[{"email":{"is":"user@exampledomain.com"}}]}}]'
+  name: example
+spec:
+  ingressClassName: pomerium
+  rules:
+  - host: example.localhost.pomerium.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: example
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - example.localhost.pomerium.io
+    secretName: example-tls
+```
+
+## HTTPS endpoints
+
+The `Ingress` spec assumes that all communications to the upstream service is sent in plaintext. For more information, see the [TLS](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls) section of the Ingress API documentation. Pomerium supports HTTPS communication with upstream endpoints, including mTLS.
+
+Annotate your `Ingress` with
+
+```yaml
+ingress.pomerium.io/secure_upstream: true
+```
+
+Additional TLS certificates may be supplied by creating a Kubernetes secret(s) in the same namespaces as the `Ingress` resource. Please note that we do not support file paths or embedded secret references.
+
+- [`ingress.pomerium.io/tls_client_secret`](https://pomerium.io/reference/readme.md#tls-client-certificate)
+- [`ingress.pomerium.io/tls_custom_ca_secret`](https://pomerium.io/reference/readme.md#tls-custom-certificate-authority)
+- [`ingress.pomerium.io/tls_downstream_client_ca_secret`](#supported-annotations)
+
+Please note that the referenced `tls_client_secret` must be a [TLS Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). `tls_custom_ca_secret` and `tls_downstream_client_ca_secret` must contain `ca.crt` containing a .PEM encoded (base64-encoded DER format) public certificate.
+
+
+### External services
+
+You may refer to external services by defining a [Service](https://kubernetes.io/docs/concepts/services-networking/service/) with `externalName`.
+
+I.e. if you have `https://my-existing-service.corp.com`:
+
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: external
+spec:
+  type: ExternalName
+  externalName: "my-existing-service.corp.com"
+  ports:
+    - protocol: TCP
+      name: https
+      port: 443
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: external
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod-http
+    ingress.pomerium.io/secure_upstream: "true"
+    ingress.pomerium.io/policy: |
+      - allow:
+          and:
+            - domain:
+                is: pomerium.com
+spec:
+  ingressClassName: pomerium
+  tls:
+    - hosts:
+        - "external.localhost.pomerium.io"
+      secretName: external-localhost-pomerium.io
+  rules:
+    - host: "external.localhost.pomerium.io"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: external
+                port:
+                  name: https
+```
+
+## Troubleshooting
+
+### View Event History
+
+Pomerium Ingress Controller will add **events** to the Ingress objects as it processes them.
+
+```
+kubectl describe ingress/my-ingress
+```
+
+```log
+Events:
+  Type    Reason   Age   From              Message
+  ----    ------   ----  ----              -------
+  Normal  Updated  18s   pomerium-ingress  updated pomerium configuration
+```
+
+If an error occurs, it may be reflected in the events:
+
+```log
+Events:
+  Type     Reason       Age                 From              Message
+  ----     ------       ----                ----              -------
+  Normal   Updated      5m53s               pomerium-ingress  updated pomerium configuration
+  Warning  UpdateError  3s                  pomerium-ingress  upsert routes: parsing ingress: annotations: applying policy annotations: parsing policy: invalid rules in policy: unsupported conditional "maybe", only and, or, not, nor and action are allowed
+```
+
+### HSTS
+
+If your domain has [HSTS] enabled and you visit an endpoint while Pomerium is using the self-signed bootstrap certificate or a LetsEncrypt staging certificate (before cert-manager has provisioned a production certificate), the untrusted certificate may be pinned in your browser and would need to be reset. See [this article](https://www.ssl2buy.com/wiki/how-to-clear-hsts-settings-on-chrome-firefox-and-ie-browsers) for more information.
+
+## More Information
+
+For more information on the Pomerium Ingress Controller or the Kubernetes concepts discussed, see:
+
+- [Ingress (Kubernetes Docs)](https://kubernetes.io/docs/concepts/services-networking/ingress/)
+- [Pomerium Helm Chart README: Pomerium Ingress Controller](https://github.com/travisgroth/pomerium-helm/tree/master/charts/pomerium#pomerium-ingress-controller)
+- [Pomerium Kubernetes Ingress Controller (code repository)](https://github.com/pomerium/ingress-controller)
+
+[`ingress.pomerium.io/allow_any_authenticated_user`]: /reference/readme.md#allow-any-authenticated-user
+[`ingress.pomerium.io/allow_public_unauthenticated_access`]: /reference/readme.md#public-access
+[`ingress.pomerium.io/allow_websockets`]: /reference/readme.md#websocket-connections
+[`ingress.pomerium.io/allowed_domains`]: /reference/readme.md#allowed-domains
+[`ingress.pomerium.io/allowed_groups`]: /reference/readme.md#allowed-groups
+[`ingress.pomerium.io/allowed_idp_claims`]: /reference/readme.md#allowed-idp-claims
+[`ingress.pomerium.io/allowed_users`]: /reference/readme.md#allowed-users
+[`ingress.pomerium.io/cors_allow_preflight`]: /reference/readme.md#cors-preflight
+[`ingress.pomerium.io/health_checks`]: /reference/readme.md#health-checks
+[`ingress.pomerium.io/host_path_regex_rewrite_pattern`]: /reference/readme.md#host-rewrite
+[`ingress.pomerium.io/host_path_regex_rewrite_substitution`]: /reference/readme.md#host-rewrite
+[`ingress.pomerium.io/host_rewrite`]: /reference/readme.md#host-rewrite
+[`ingress.pomerium.io/host_rewrite_header`]: /reference/readme.md#host-rewrite
+[`ingress.pomerium.io/idle_timeout`]: /reference/readme.md#idle-timeout
+[`ingress.pomerium.io/lb_config`]: /reference/readme.md#load-balancing-policy-config
+[`ingress.pomerium.io/outlier_detection`]: /reference/readme.md#outlier-detection
+[`ingress.pomerium.io/pass_identity_headers`]: /reference/readme.md#pass-identity-headers
+[`ingress.pomerium.io/policy`]: /reference/readme.md#policy
+[`ingress.pomerium.io/preserve_host_header`]: /reference/readme.md#host-rewrite
+[`ingress.pomerium.io/remove_request_headers`]: /reference/readme.md#remove-request-headers
+[`ingress.pomerium.io/rewrite_response_headers`]: /reference/readme.md#rewrite-response-headers
+[`ingress.pomerium.io/set_request_headers`]: /reference/readme.md#set-request-headers
+[`ingress.pomerium.io/set_response_headers`]: /reference/readme.md#set-response-headers
+[`ingress.pomerium.io/timeout`]: /reference/readme.md#route-timeout
+[tls_client_certificate]: /reference/readme.md#tls-client-certificate
+[`tls_custom_ca_secret`]: /reference/readme.md#tls-custom-certificate-authority
+[client-certificate-authority]: /reference/readme.md#client-certificate-authority
+[`ingress.pomerium.io/tls_server_name`]: /reference/readme.md#tls-server-name
+[`ingress.pomerium.io/tls_skip_verify`]: /reference/readme.md#tls-skip-verification
+[HSTS]: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
--- a/docs/docs/topics/kubernetes-integration.md
+++ b/docs/docs/topics/kubernetes-integration.md
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -9,7 +9,7 @@ description: This article describes various ways to install pomerium
 Pomerium is shipped in multiple formats and architectures to suit a variety of deployment patterns. There are two binaries:

 - `pomerium` is the primary server component. It is a monolithic binary that can perform the function of any [services mode](/reference/readme.md#service-mode).
- `pomerium-cli` (optional) is a command-line client for working with Pomerium.  Functions include acting as an authentication helper for tools like [kubectl](topics/kubernetes-integration.md).
+- `pomerium-cli` (optional) is a command-line client for working with Pomerium.  Functions include acting as an authentication helper for tools like [kubectl](/docs/k8s/readme.md).


 [[toc]]
@ -101,7 +101,7 @@ See the [README](https://github.com/pomerium/pomerium-helm/blob/master/charts/po

 ::: tip

-Officially supported build platforms are limited by [envoy proxy](https://www.envoyproxy.io/). 
+Officially supported build platforms are limited by [envoy proxy](https://www.envoyproxy.io/).

 :::

--- a/docs/docs/tcp/readme.md
+++ b/docs/docs/tcp/readme.md
@ -75,7 +75,7 @@ localhost:52046>

 You may specify an optional address and port for the `tcp` command to listen on.

-`-` specifies that STDIN and STDOUT should be directly attached to the remote TCP connection.  This is useful for [SSH](#ssh-helper-configuration) or for sending data through a shell pipe.
+`-` specifies that STDIN and STDOUT should be directly attached to the remote TCP connection.  This is useful for [SSH](/docs/tcp/ssh.md#tunnel-and-connect-simultaneously) or for sending data through a shell pipe.

 ### Custom URL

--- a/docs/docs/tcp/redis.md
+++ b/docs/docs/tcp/redis.md
@ -38,7 +38,7 @@ Redis is a popular in-memory data structure store. It can be run locally or conf
    redis-cli -h localhost -p 6379
    ```

-This demonstrates access to a Redis server through Pomerium from the `redis-cli` tool. Pomerium Enterprise users can utilize [Service Accounts](/enterprise/service-accounts.md) to enable secure machine-to-machine communication of Redis services.
+This demonstrates access to a Redis server through Pomerium from the `redis-cli` tool. Pomerium Enterprise users can utilize [Service Accounts](/enterprise/reference/configure.md#service-accounts) to enable secure machine-to-machine communication of Redis services.

 ## More Resources

--- a/docs/enterprise/install/helm.md
+++ b/docs/enterprise/install/helm.md
@ -160,7 +160,7 @@ If, while updating the open-source Pomerium values, you change any block's `serv
 kubectl delete svc pomerium-proxy
 ```

-[Pomerium using Helm]: /docs/install/helm.md
+[Pomerium using Helm]: /docs/k8s/helm.md
 [cert-manager]: https://cert-manager.io/docs/

 ### Generate Recovery Token
--- a/examples/kubernetes/example-ingress.yaml
+++ b/examples/kubernetes/example-ingress.yaml
@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello
+  annotations:
+    cert-manager.io/issuer: pomerium-issuer
+    ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}}]}}]'
+spec:
+  ingressClassName: pomerium
+  rules:
+  - host: hello.localhost.pomerium.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: nginx
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - hello.localhost.pomerium.io
+    secretName: hello.localhost.pomerium.io-tls
--- a/examples/kubernetes/pomerium-certificates.yaml
+++ b/examples/kubernetes/pomerium-certificates.yaml
@ -16,8 +16,9 @@ spec:
    - pomerium-authorize.pomerium.svc.cluster.local
    - pomerium-databroker.pomerium.svc.cluster.local
    - pomerium-authenticate.pomerium.svc.cluster.local
-    # TODO - Replace the following entry with your domain space.
-    - "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
+    - authenticate.localhost.pomerium.io
+    # TODO - If you're not using the Pomerium Ingress controller, you may want a wildcard entry as well.
+    #- "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
--- a/examples/kubernetes/pomerium-values.yaml
+++ b/examples/kubernetes/pomerium-values.yaml
@ -9,8 +9,6 @@ authenticate:

 proxy:
  existingTLSSecret: pomerium-tls
-  service:
-    type: LoadBalancer

 databroker:
  existingTLSSecret: pomerium-tls
@ -33,22 +31,19 @@ redis:
  tls:
    certificateSecret: pomerium-redis-tls

-ingress:
-  enabled: false
+ingressController:
+  enabled: true

 config:
-  sharedSecret: YOURSHAREDSECRET # You can use "head -c32 /dev/urandom | base64" to generate.
-  cookieSecret: YOURCOOKIESECRET # You can use "head -c32 /dev/urandom | base64" to generate.
  rootDomain: localhost.pomerium.io
  existingCASecret: pomerium-tls
  generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
-  policy:
-      # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
-    - from: https://hello.localhost.pomerium.io
-      to: http://nginx.pomerium.svc.cluster.local:80
-      allowed_domains:
-        - companydomain.com # Use the domain your company email address uses.
-    - from: https://authenticate.localhost.pomerium.io
-      to: https://pomerium-authenticate.pomerium.svc.cluster.local
-      preserve_host_header: true
-      allow_public_unauthenticated_access: true
+# The policy block isn't required when using the Pomerium Ingress Controller, as routes are defined
+# by the addition of Ingress Resources.
+#  routes:
+#      # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
+#    - from: https://authenticate.localhost.pomerium.io
+#      to: https://pomerium-authenticate.pomerium.svc.cluster.local
+#      preserve_host_header: true
+#      allow_public_unauthenticated_access: true
+#      policy: