envoy: Initial changes
This commit is contained in:
parent
8f78497e99
commit
99e788a9b4
107 changed files with 2542 additions and 3322 deletions
@ -15,12 +15,10 @@ export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
|
|||
|
||||
# Certificates can be loaded as files or base64 encoded bytes.
|
||||
# See : https://www.pomerium.io/docs/reference/certificates
|
||||
export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible.
|
||||
# export AUTOCERT_DIR="./certs" # The path where you want to place your certificates
|
||||
# export CERTIFICATE_FILE="xxxx" # optional, defaults to `./cert.pem`
|
||||
# export CERTIFICATE_KEY_FILE="xxx" # optional, defaults to `./certprivkey.pem`
|
||||
# export CERTIFICATE="xxx" # base64 encoded cert, eg. `base64 -i cert.pem`
|
||||
# export CERTIFICATE_KEY="xxx" # base64 encoded key, eg. `base64 -i privkey.pem`
|
||||
export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer" # optional, defaults to `./cert.pem`
|
||||
export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
|
||||
# export CERTIFICATE="xxxxxx" # base64 encoded cert, eg. `base64 -i cert.pem`
|
||||
# export CERTIFICATE_KEY="xxxx" # base64 encoded key, eg. `base64 -i privkey.pem`
|
||||
|
||||
# Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64`
|
||||
export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
|
||||
|
|
|
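Review bot: The example sets `export AUTOCERT=TRUE` and also points `CERTIFICATE_FILE`/`CERTIFICATE_KEY_FILE` at acme.sh output, but nothing says whether the static files are served in addition to, or instead of, the autocert-issued certificate; a one-line comment above `export CERTIFICATE_FILE=` stating the relationship (for example `# Loaded alongside autocert-issued certs` if that is the behaviour) would remove the ambiguity. The same pairing appears in the next hunk (`#!/bin/bash` … `export SHARED_SECRET`) and in the YAML hunk after it, where `autocert: true` sits next to `certificate_file:` and the `# REMOVE FOR PRODUCTION` comment does not make clear whether it covers only `autocert_use_staging: true` or the certificate lines under it. Separately, `export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"` yields a fresh value each time the file is sourced, so if more than one service process sources it independently they will not share a secret; a comment such as `# Generate once and reuse the same value for every service` would flag that. The old/new side of these lines cannot be recovered from this rendering, so the point applies to whichever of them survive on the new side.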
@ -1,7 +1,8 @@
|
|||
#!/bin/bash
|
||||
|
||||
# See : https://www.pomerium.io/docs/reference/certificates
|
||||
export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible.
|
||||
export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer" # optional, defaults to `./cert.pem`
|
||||
export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
|
||||
|
||||
# 256 bit random keys
|
||||
export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
|
||||
|
|
|
@ -4,10 +4,8 @@
|
|||
authenticate_service_url: https://authenticate.localhost.pomerium.io
|
||||
|
||||
# certificate settings: https://www.pomerium.io/docs/reference/certificates.html
|
||||
autocert: true
|
||||
|
||||
# REMOVE FOR PRODUCTION
|
||||
autocert_use_staging: true
|
||||
certificate_file: "./_wildcard.localhost.pomerium.io.pem"
|
||||
certificate_key_file: "./_wildcard.localhost.pomerium.io-key.pem"
|
||||
|
||||
# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
|
||||
idp_provider: google
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
version: "3"
|
||||
services:
|
||||
pomerium:
|
||||
image: pomerium/pomerium:v0.8.0
|
||||
environment:
|
||||
# Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
|
||||
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
|
||||
volumes:
|
||||
# Use a volume to store ACME certificates
|
||||
- pomerium:/data:rw
|
||||
ports:
|
||||
- 443:443
|
||||
|
||||
# https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
|
||||
httpbin:
|
||||
image: kennethreitz/httpbin:latest
|
||||
expose:
|
||||
- 80
|
|
@ -1,7 +1,7 @@
|
|||
version: "3"
|
||||
services:
|
||||
pomerium:
|
||||
image: pomerium/pomerium:v0.8.0
|
||||
image: pomerium/pomerium:v0.7.0
|
||||
environment:
|
||||
# Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
|
||||
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
|
||||
|
|
|
@ -12,7 +12,7 @@ services:
|
|||
- /var/run/docker.sock:/tmp/docker.sock:ro
|
||||
|
||||
pomerium-authenticate:
|
||||
image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
|
||||
image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
|
||||
restart: always
|
||||
environment:
|
||||
- SERVICES=authenticate
|
||||
|
@ -39,7 +39,7 @@ services:
|
|||
- 443
|
||||
|
||||
pomerium-proxy:
|
||||
image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
|
||||
image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
|
||||
restart: always
|
||||
environment:
|
||||
- SERVICES=proxy
|
||||
|
@ -61,7 +61,7 @@ services:
|
|||
- 443
|
||||
|
||||
pomerium-authorize:
|
||||
image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
|
||||
image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
|
||||
restart: always
|
||||
environment:
|
||||
- SERVICES=authorize
|
||||
|
@ -77,7 +77,7 @@ services:
|
|||
- 443
|
||||
|
||||
pomerium-cache:
|
||||
image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
|
||||
image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
|
||||
restart: always
|
||||
environment:
|
||||
- SERVICES=cache
|
||||
|
|
|
@ -1,64 +0,0 @@
|
|||
#!/bin/bash
|
||||
# PRE-REQ:
|
||||
# 1) Install Helm : You should verify the content of this script before running.
|
||||
# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
|
||||
# 2) Install https://eksctl.io/
|
||||
# For more information see:
|
||||
# - https://eksworkshop.com/helm_root/helm_intro/install/
|
||||
|
||||
echo "=> [AWS] creating cluster"
|
||||
eksctl create cluster --name=pomerium --nodes=1 --region=us-west-2
|
||||
|
||||
echo "=> [AWS] get cluster credentials so we can use kubctl locally"
|
||||
eksctl utils write-kubeconfig --name=pomerium
|
||||
|
||||
echo "=> [AWS] configure Helm access with RBAC"
|
||||
cat <<EOF >.helm-rbac.yaml
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: tiller
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: tiller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: tiller
|
||||
namespace: kube-system
|
||||
EOF
|
||||
|
||||
kubectl apply -f .helm-rbac.yaml
|
||||
# cleanup
|
||||
rm .helm-rbac.yaml
|
||||
|
||||
echo "=> initialize Helm to install Tiller in your cluster"
|
||||
helm init --service-account=tiller
|
||||
helm repo update
|
||||
|
||||
echo "=> install pomerium with helm substituting configuration values as required; be sure to change these"
|
||||
helm install $HOME/charts/stable/pomerium/ \
|
||||
--name pomerium \
|
||||
--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
|
||||
--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
|
||||
--set config.cert=$(base64 -i cert.pem) \
|
||||
--set config.key=$(base64 -i privkey.pem) \
|
||||
--set config.policy="$(cat policy.example.yaml | base64)" \
|
||||
--set authenticate.idp.provider="google" \
|
||||
--set authenticate.proxyRootDomains="pomerium.io" \
|
||||
--set authenticate.redirectUrl="https://auth.corp.pomerium.io/oauth2/callback" \
|
||||
--set authenticate.idp.clientID="REPLACE_ME" \
|
||||
--set authenticate.idp.clientSecret="REPLACE_ME" \
|
||||
--set proxy.authenticateServiceUrl="https://auth.corp.pomerium.io" \
|
||||
--set proxy.authorizeServiceUrl="https://access.corp.pomerium.io"
|
||||
|
||||
# When done, clean up by deleting the cluster!
|
||||
#
|
||||
# helm del $(helm ls --all --short) --purge #!!! DELETES ALL YOUR HELM INSTANCES!
|
|
@ -1,41 +0,0 @@
|
|||
#!/bin/bash
|
||||
# PRE-REQ: Install Helm : You should verify the content of this script before running.
|
||||
# curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
|
||||
# NOTE! This will create real resources on Google's cloud. Make sure you clean up any unused
|
||||
# resources to avoid being billed. For reference, this tutorial cost me <10 cents for a couple of hours.
|
||||
# NOTE! You must change the identity provider client secret setting, and service account setting!
|
||||
# NOTE! If you are using gsuite, you should also set `authenticate.idp.serviceAccount`, see docs !
|
||||
|
||||
echo "=> [GCE] creating cluster"
|
||||
gcloud container clusters create pomerium --region us-west2 --num-nodes 1
|
||||
|
||||
echo "=> [GCE] get cluster credentials so we can use kubctl locally"
|
||||
gcloud container clusters get-credentials pomerium --region us-west2
|
||||
|
||||
echo "=> add pomerium's helm repo"
|
||||
helm repo add pomerium https://helm.pomerium.io
|
||||
|
||||
echo "=> add bitnami's helm repo"
|
||||
helm repo add bitnami https://charts.bitnami.com/bitnami
|
||||
|
||||
echo "=> install nginx as a sample hello world app"
|
||||
helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP
|
||||
|
||||
echo "=> update helm"
|
||||
helm repo update
|
||||
|
||||
echo "=> install pomerium with helm"
|
||||
helm install \
|
||||
pomerium \
|
||||
pomerium/pomerium \
|
||||
--set service.type="NodePort" \
|
||||
--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
|
||||
--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
|
||||
--set ingress.secret.name="pomerium-tls" \
|
||||
--set ingress.secret.cert=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer") \
|
||||
--set ingress.secret.key=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key") \
|
||||
--values docs/configuration/examples/kubernetes/values.yaml
|
||||
|
||||
# When done, clean up by deleting the cluster!
|
||||
# helm del $(helm ls --all --short) --purge # deletes all your helm instances
|
||||
# gcloud container clusters delete pomerium # deletes your cluster
|
|
@ -1,41 +0,0 @@
|
|||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: internal-gateway
|
||||
namespace: istio-system
|
||||
spec:
|
||||
selector:
|
||||
istio: ingressgateway
|
||||
servers:
|
||||
- port:
|
||||
number: 443
|
||||
protocol: HTTPS
|
||||
name: https-default
|
||||
tls:
|
||||
mode: SIMPLE
|
||||
serverCertificate: "sds"
|
||||
privateKey: "sds"
|
||||
credentialName: internal-cert
|
||||
hosts:
|
||||
- *.yourcompany.com
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: internal-cert
|
||||
namespace: istio-system
|
||||
spec:
|
||||
secretName: internal-cert
|
||||
issuerRef:
|
||||
name: self-signed-issuer
|
||||
kind: ClusterIssuer
|
||||
commonName: *.yourcompany.com
|
||||
dnsNames:
|
||||
- *.yourcompany.com
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: self-signed-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
|
@ -1,12 +0,0 @@
|
|||
grafana.ini:
|
||||
users:
|
||||
allow_sign_up: false
|
||||
auto_assign_org: true
|
||||
auto_assign_org_role: Editor
|
||||
auth.proxy:
|
||||
enabled: true
|
||||
header_name: X-Pomerium-Claim-Email
|
||||
header_property: username
|
||||
auto_sign_up: true
|
||||
sync_ttl: 60
|
||||
enable_login_token: false
|
|
@ -1,13 +0,0 @@
|
|||
config:
|
||||
insecure: true
|
||||
policy:
|
||||
- from: https://grafana.yourcompany.com
|
||||
to: "http://prometheus-grafana.monitoring.svc.cluster.local"
|
||||
timeout: 30s
|
||||
allowed_domains:
|
||||
- yourcompany.com
|
||||
ingress:
|
||||
enabled: false
|
||||
|
||||
extraEnv:
|
||||
JWT_CLAIMS_HEADERS: email
|
|
@ -1,14 +0,0 @@
|
|||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: ServiceEntry
|
||||
metadata:
|
||||
name: external-idp
|
||||
namespace: pomerium
|
||||
spec:
|
||||
hosts:
|
||||
- yourcompany.okta.com
|
||||
location: MESH_EXTERNAL
|
||||
ports:
|
||||
- number: 443
|
||||
name: https
|
||||
protocol: TLS
|
||||
resolution: DNS
|
|
@ -1,30 +0,0 @@
|
|||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: grafana-virtual-service
|
||||
namespace: pomerium
|
||||
spec:
|
||||
gateways:
|
||||
- istio-system/internal-gateway
|
||||
hosts:
|
||||
- grafana.yourcompany.com
|
||||
http:
|
||||
- route:
|
||||
- destination:
|
||||
host: pomerium-proxy
|
||||
---
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: authenticate-virtual-service
|
||||
namespace: pomerium
|
||||
spec:
|
||||
gateways:
|
||||
- istio-system/internal-gateway
|
||||
hosts:
|
||||
- authenticate.yourcompany.com
|
||||
http:
|
||||
- route:
|
||||
- destination:
|
||||
host: pomerium-authenticate
|
||||
---
|
|
@ -1,28 +0,0 @@
|
|||
authenticate:
|
||||
idp:
|
||||
provider: "google"
|
||||
clientID: YOUR_CLIENT_ID
|
||||
clientSecret: YOUR_SECRET
|
||||
service:
|
||||
annotations:
|
||||
cloud.google.com/app-protocols: '{"https":"HTTPS"}'
|
||||
|
||||
proxy:
|
||||
service:
|
||||
annotations:
|
||||
cloud.google.com/app-protocols: '{"https":"HTTPS"}'
|
||||
|
||||
service:
|
||||
type: NodePort
|
||||
|
||||
config:
|
||||
rootDomain: corp.beyondperimeter.com
|
||||
policy:
|
||||
- from: https://hello.corp.beyondperimeter.com
|
||||
to: http://nginx.default.svc.cluster.local:80
|
||||
allowed_domains:
|
||||
- gmail.com
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
kubernetes.io/ingress.allow-http: false
|