3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-15 15:56:38 +02:00
Code Issues Projects Releases Packages Wiki Activity

docs: add helm charts (#10)

Browse source
This commit is contained in:
Michael Barrientos 2019-01-26 20:51:24 -08:00 committed by Bobby DeSimone
parent 4a52835baa
commit 6b6e79aced
9 changed files with 412 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

21
helm/.helmignore Normal file
View file

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

17
helm/Chart.yaml Normal file
View file

@ -0,0 +1,17 @@
name: pomerium
version: 0.0.1
apiVersion: v1
appVersion: 0.0.1
home: http://www.pomerium.io/
description: A reverse proxy that provides authentication with Google, Okta, Azure or other providers
keywords:
- kubernetes
- oauth
- oauth2
- authentication
- google
- okta
- azure
sources:
- https://github.com/pomerium/pomerium
engine: gotpl

9
helm/README.md Normal file
View file

@ -0,0 +1,9 @@
# Pomerium
[Pomerium](https://github.com/pomerium/pomerium) is a tool for managing secure access to internal applications and resources.
## TL;DR;
```console
$ helm install pomerium/pomerium
```

40
helm/templates/_helpers.tpl Normal file
View file

@ -0,0 +1,40 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "pomerium.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "pomerium.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "pomerium.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- define "pomerium.routestring" -}}
{{- $routes := dict "routes" (list) -}}
{{- range $key, $val := .Values.proxy.routes -}}
{{- $noop := printf "%s=%s" $key $val | append $routes.routes | set $routes "routes" -}}
{{- end -}}
{{- join "," $routes.routes | default "none=none" | quote -}}
{{- end -}}

144
helm/templates/deployment.yaml Normal file
View file

@ -0,0 +1,144 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.annotations }}
annotations:
{{ toYaml .Values.annotations | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}
template:
metadata:
{{- if .Values.podAnnotations }}
annotations:
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: SERVICES
value: {{ .Values.config.services }}
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: cookie-secret
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: shared-secret
{{- if .Values.config.cert }}
- name: CERTIFICATE
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate
{{- end }}
{{- if .Values.config.key }}
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: certificate-key
{{- end }}
{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
- name: REDIRECT_URL
value: {{ .Values.authenticate.redirectUrl }}
- name: ALLOWED_DOMAINS
value: {{ .Values.authenticate.allowedDomains }}
- name: PROXY_ROOT_DOMAIN
value: {{ .Values.authenticate.proxyRootDomains }}
- name: IDP_PROVIDER
value: {{ .Values.authenticate.idp.provider }}
- name: IDP_PROVIDER_URL
value: {{ .Values.authenticate.idp.url }}
- name: IDP_CLIENT_ID
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-id
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ template "pomerium.fullname" . }}
key: idp-client-secret
{{- end }}
{{- if or (eq .Values.config.services "proxy") (eq .Values.config.services "all") }}
- name: AUTHENTICATE_SERVICE_URL
value: {{ .Values.proxy.authenticateServiceUrl }}
- name: ROUTES
value: {{ template "pomerium.routestring" . }}
{{- end }}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
ports:
- containerPort: 443
name: https
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
readinessProbe:
httpGet:
path: /ping
port: https
scheme: HTTPS
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}

43
helm/templates/ingress.yaml Normal file
View file

@ -0,0 +1,43 @@
{{- if .Values.ingress.enabled -}}
{{- $serviceName := include "pomerium.fullname" . -}}
{{- $servicePort := .Values.service.externalPort -}}
{{- $paths := .Values.ingress.paths -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- if .Values.ingress.labels }}
{{ toYaml .Values.ingress.labels | indent 4 }}
{{- end }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.ingress.annotations }}
annotations:
{{ toYaml .Values.ingress.annotations | indent 4 }}
{{- end }}
spec:
rules:
{{- if .Values.ingress.extraRules }}
{{ toYaml .Values.ingress.extraRules | indent 4 }}
{{- end }}
{{- if .Values.ingress.hosts }}
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
{{- range $p := $paths }}
- path: {{ $p }}
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end }}
{{- end }}

24
helm/templates/secret.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: v1
kind: Secret
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
name: {{ template "pomerium.fullname" . }}
namespace: {{ .Release.Namespace }}
type: Opaque
data:
{{- if or (eq .Values.config.services "authenticate") (eq .Values.config.services "all") }}
idp-client-id: {{ .Values.authenticate.idp.clientID | b64enc | quote }}
idp-client-secret: {{ .Values.authenticate.idp.clientSecret | b64enc | quote }}
{{- end }}
cookie-secret: {{ .Values.config.cookieSecret | b64enc | quote }}
shared-secret: {{ .Values.config.sharedSecret | b64enc | quote }}
{{- if .Values.config.cert }}
certificate: {{ .Values.config.cert | b64enc | quote }}
{{- end }}
{{- if .Values.config.key }}
certificate-key: {{ .Values.config.key | b64enc | quote }}
{{- end }}

29
helm/templates/service.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: {{ template "pomerium.name" . }}
chart: {{ template "pomerium.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
name: {{ template "pomerium.fullname" . }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.externalPort }}
targetPort: https
protocol: TCP
name: http
{{- if hasKey .Values.service "nodePort" }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
selector:
app: {{ template "pomerium.name" . }}
release: {{ .Release.Name }}

85
helm/values.yaml Normal file
View file

@ -0,0 +1,85 @@
# All config settings are required. sharedSecret must match between the authenticate
# and proxy deployments.
config:
sharedSecret: "XXXXXXXX"
cookieSecret: "XXXXXXXX"
services: all
cert:
key:
# All below required if config.services is "authenticate" or "all"
authenticate:
redirectUrl: http://example.com/oauth2/callback
allowedDomains: example.com
proxyRootDomains: example.com
idp:
provider: okta
url: https://example.oktapreview.com/oauth2/default
clientID: "XXXXXXXX"
clientSecret: "XXXXXXXX"
# All below required if config.serviceModes is "proxy" or "all"
proxy:
authenticateServiceUrl: https://example.com/oauth2/callback
routes:
"http.corp.example.com": "httpbin.org"
# For any other settings that are optional
# ADDRESS, POMERIUM_DEBUG, CERTIFICATE_FILE, CERTIFICATE_KEY_FILE
# PROXY_ROOT_DOMAIN, COOKIE_DOMAIN, COOKIE_EXPIRE, COOKIE_REFRESH, COOKIE_SECURE, COOKIE_HTTP_ONLY, IDP_SCOPE
# DEFAULT_UPSTREAM_TIMEOUT, PASS_ACCESS_TOKEN, SESSION_VALID_TTL, SESSION_LIFETIME_TTL, GRACE_PERIOD_TTL
extraEnv: {}
extraArgs: {}
extraVolumes: {}
image:
repository: "pomerium/pomerium"
tag: "0.0.1"
pullPolicy: "IfNotPresent"
service:
type: ClusterIP
externalPort: 443
annotations: {}
# foo.io/bar: "true"
labels: {}
ingress:
enabled: false
path: /
# Used to create an Ingress record.
# hosts:
# - chart-example.local
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# tls:
# Secrets must be manually created in the namespace.
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# limits:
# cpu: 100m
# memory: 300Mi
# requests:
# cpu: 100m
# memory: 300Mi
priorityClassName: ""
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
# nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicaCount: 1