Docs: Ingress Controller (#2667)

* update k8s install for ingress conrtoller * typo correction * prep k8s section * squashme * init Ingress Controller doc Co-authored-by: travisgroth <tgroth@pomerium.com> Co-authored-by: wasaga <dmishin@pomerium.com> * update, organize, annotate * breakout custom from standard annotations * more info links * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * prep k8s section * document YAML policies in Ingress * sort and compress standard annotations * final draft * link cleanup * Create ingress.md * Update docs/docs/k8s/ingress.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Apply suggestions from code review * rm redundant config * fix file reference * update available annotations * Copy Proofread Grammar updates. * discussed copy edit * whitespace cleanup * add redirect for moved k8s docs * fixed malformed links * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> partial copy edits Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> partial copy edits Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> partial copy edits * One last TLS * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * clarify namespaces flag * Update docs/docs/k8s/ingress.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: travisgroth <tgroth@pomerium.com> Co-authored-by: wasaga <dmishin@pomerium.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: cmo-pomerium <91488121+cmo-pomerium@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-08-03 16:59:22 +02:00 · 2021-11-04 12:59:51 -05:00 · 2021-11-04 12:59:51 -05:00 · 4cb3281af7
commit 4cb3281af7
parent ea45ba70c8
14 changed files with 441 additions and 32 deletions
--- a/examples/kubernetes/example-ingress.yaml
+++ b/examples/kubernetes/example-ingress.yaml
@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hello
+  annotations:
+    cert-manager.io/issuer: pomerium-issuer
+    ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}}]}}]'
+spec:
+  ingressClassName: pomerium
+  rules:
+  - host: hello.localhost.pomerium.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: nginx
+            port:
+              name: http
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - hello.localhost.pomerium.io
+    secretName: hello.localhost.pomerium.io-tls
--- a/examples/kubernetes/pomerium-certificates.yaml
+++ b/examples/kubernetes/pomerium-certificates.yaml
@ -16,8 +16,9 @@ spec:
    - pomerium-authorize.pomerium.svc.cluster.local
    - pomerium-databroker.pomerium.svc.cluster.local
    - pomerium-authenticate.pomerium.svc.cluster.local
-    # TODO - Replace the following entry with your domain space.
-    - "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
+    - authenticate.localhost.pomerium.io
+    # TODO - If you're not using the Pomerium Ingress controller, you may want a wildcard entry as well.
+    #- "*.localhost.pomerium.io" # Quotes are required to escape the wildcard
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
--- a/examples/kubernetes/pomerium-values.yaml
+++ b/examples/kubernetes/pomerium-values.yaml
@ -9,8 +9,6 @@ authenticate:

 proxy:
  existingTLSSecret: pomerium-tls
-  service:
-    type: LoadBalancer

 databroker:
  existingTLSSecret: pomerium-tls
@ -33,22 +31,19 @@ redis:
  tls:
    certificateSecret: pomerium-redis-tls

-ingress:
-  enabled: false
+ingressController:
+  enabled: true

 config:
-  sharedSecret: YOURSHAREDSECRET # You can use "head -c32 /dev/urandom | base64" to generate.
-  cookieSecret: YOURCOOKIESECRET # You can use "head -c32 /dev/urandom | base64" to generate.
  rootDomain: localhost.pomerium.io
  existingCASecret: pomerium-tls
  generateTLS: false # On by default, disabled when cert-manager or another solution is in place.
-  policy:
-      # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
-    - from: https://hello.localhost.pomerium.io
-      to: http://nginx.pomerium.svc.cluster.local:80
-      allowed_domains:
-        - companydomain.com # Use the domain your company email address uses.
-    - from: https://authenticate.localhost.pomerium.io
-      to: https://pomerium-authenticate.pomerium.svc.cluster.local
-      preserve_host_header: true
-      allow_public_unauthenticated_access: true
+# The policy block isn't required when using the Pomerium Ingress Controller, as routes are defined
+# by the addition of Ingress Resources.
+#  routes:
+#      # This will be our testing app, to confirm that Pomerium is authenticating and routing traffic.
+#    - from: https://authenticate.localhost.pomerium.io
+#      to: https://pomerium-authenticate.pomerium.svc.cluster.local
+#      preserve_host_header: true
+#      allow_public_unauthenticated_access: true
+#      policy: