v0.5.0 (#375)

docs/configuration/examples/kubernetes/httpbin.yml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: httpbin
+  labels:
+    app: httpbin
+spec:
+  type: NodePort
+  ports:
+    - name: http
+      port: 8000
+      targetPort: 80
+  selector:
+    app: httpbin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: httpbin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: httpbin
+      version: v1
+  template:
+    metadata:
+      labels:
+        app: httpbin
+        version: v1
+    spec:
+      containers:
+        - image: docker.io/kennethreitz/httpbin
+          imagePullPolicy: IfNotPresent
+          name: httpbin
+          ports:
+            - containerPort: 80

docs/configuration/examples/kubernetes/ingress.nginx.yml

@@ -0,0 +1,37 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: pomerium-ingress
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    # kubernetes.io/tls-acme: "true"
+    # certmanager.k8s.io/issuer: "letsencrypt-prod"
+    # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+    # to avoid ingress routing, enable
+    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+spec:
+  tls:
+    - secretName: pomerium-tls
+      hosts:
+        - "*.corp.beyondperimeter.com"
+        - "authenticate.corp.beyondperimeter.com"
+
+  rules:
+    - host: "*.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-proxy-service
+              servicePort: http
+
+    - host: "authenticate.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-authenticate-service
+              servicePort: http

docs/configuration/examples/kubernetes/ingress.yml

@@ -0,0 +1,30 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: pomerium-ingress
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: pomerium
+
+spec:
+  tls:
+    - secretName: pomerium-tls
+      hosts:
+        - "*.corp.beyondperimeter.com"
+        - "authenticate.corp.beyondperimeter.com"
+
+  rules:
+    - host: "*.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-proxy-service
+              servicePort: https
+    - host: "authenticate.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-authenticate-service
+              servicePort: https

docs/configuration/examples/kubernetes/kubernetes-config.yaml

@@ -0,0 +1,18 @@
+# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+address: ":80"
+insecure_server: true
+
+authenticate_service_url: https://authenticate.corp.beyondperimeter.com
+authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+
+override_certificate_name: "*.corp.beyondperimeter.com"
+
+idp_provider: google
+idp_client_id: REPLACE_ME.apps.googleusercontent.com
+idp_client_secret: "REPLACE_ME"
+
+policy:
+  - from: https://httpbin.corp.beyondperimeter.com
+    to: http://httpbin.default.svc.cluster.local:8000
+    allowed_domains:
+      - gmail.com

docs/configuration/examples/kubernetes/kubernetes_gke.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# NOTE! This will create real resources on Google GCP. Make sure you clean up any unused
+# resources to avoid being billed.
+# For reference, this tutorial cost ~10 cents for a couple of hours.
+# NOTE! You must change the identity provider client secret setting in your config file!
+
+echo "=> creating cluster"
+gcloud container clusters create pomerium --num-nodes 2
+
+echo "=> get cluster credentials so we can use kubctl locally"
+gcloud container clusters get-credentials pomerium
+
+echo "=> create config from kubernetes-config.yaml which we will mount"
+kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
+
+echo "=> create our random shared-secret and cookie-secret keys as envars"
+kubectl create secret generic shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
+kubectl create secret generic cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
+
+echo "=> initiliaze secrets for TLS wild card for service use"
+kubectl create secret generic certificate \
+	--from-literal=certificate=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer")
+kubectl create secret generic certificate-key \
+	--from-literal=certificate-key=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key")
+
+echo "=> load TLS to ingress"
+kubectl create secret tls pomerium-tls \
+	--key "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" \
+	--cert "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"
+
+echo "=> deploy pomerium proxy, authorize, and authenticate"
+kubectl apply -f pomerium-proxy.yml
+kubectl apply -f pomerium-authenticate.yml
+kubectl apply -f pomerium-authorize.yml
+
+echo "=> deploy our test app, httpbin"
+kubectl apply -f httpbin.yml
+
+echo "=> deploy the GKE specific ingress"
+kubectl apply -f ingress.yml
+
+# Alternatively, nginx-ingress can be used
+# kubectl apply -f ingress.nginx.yml
+
+# When done, clean up by deleting the cluster!
+# gcloud container clusters delete pomerium

docs/configuration/examples/kubernetes/kubernetes_nginx.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+echo "=> create config from kubernetes-config.yaml which we will mount"
+kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
+
+echo "=> create our random shared-secret and cookie-secret keys as envars"
+kubectl create secret generic shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
+kubectl create secret generic cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
+
+echo "=> deploy pomerium proxy, authorize, and authenticate"
+kubectl apply -f pomerium-proxy.yml
+kubectl apply -f pomerium-authenticate.yml
+kubectl apply -f pomerium-authorize.yml
+
+echo "=> deploy our test app, httpbin"
+kubectl apply -f httpbin.yml
+
+echo "=> deploy nginx-ingress"
+kubectl apply -f ingress.yml

docs/configuration/examples/kubernetes/pomerium-authenticate.yml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-authenticate-service
+spec:
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: pomerium-authenticate
+  type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-authenticate
+  labels:
+    app: pomerium-authenticate
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-authenticate
+  template:
+    metadata:
+      labels:
+        app: pomerium-authenticate
+    spec:
+      containers:
+        - image: pomerium/pomerium:v0.5.0
+          name: pomerium-authenticate
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: authenticate
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+            - name: COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: cookie-secret
+                  key: cookie-secret
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config

docs/configuration/examples/kubernetes/pomerium-authorize.yml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-authorize-service
+spec:
+  ports:
+    - port: 80
+      name: grpc
+  selector:
+    app: pomerium-authorize
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-authorize
+  labels:
+    app: pomerium-authorize
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-authorize
+  template:
+    metadata:
+      labels:
+        app: pomerium-authorize
+    spec:
+      containers:
+        - image: pomerium/pomerium:v0.5.0
+          name: pomerium-authorize
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 80
+              name: grpc
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: authorize
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 15
+            periodSeconds: 20
+
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config

docs/configuration/examples/kubernetes/pomerium-proxy.yml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-proxy-service
+spec:
+  ports:
+    - port: 80
+      protocol: TCP
+      name: http
+      targetPort: http
+  selector:
+    app: pomerium-proxy
+  type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-proxy
+  labels:
+    app: pomerium-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-proxy
+  template:
+    metadata:
+      labels:
+        app: pomerium-proxy
+    spec:
+      containers:
+        - image: pomerium/pomerium:v0.5.0
+          name: pomerium-proxy
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: proxy
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+            - name: COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: cookie-secret
+                  key: cookie-secret
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config