pomerium/docs/enterprise/install/helm.md
Alex Fornuto 5332a752d0
Enterprise Docs (#2390)
* install VuePress Plugin Tabs

https://www.npmjs.com/package/vuepress-plugin-tabs

* init Enterprise documentation section

* replace Vuepress tab plugin

now using https://github.com/superbiger/vuepress-plugin-tabs

* init Enterprise Quickstart

* block of enterprise doc updates

* Helm Quickstart Update (#2380)

* removed/fixed redundant or incorrect config

And some small copy edits

* Update docs/docs/quick-start/helm.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* init console with helm doc

* squash me

* codeblock fix

* init about page

* updates to Enterprise section

* consolidate on Postgres

* WIP helm updates

* update and align OS and Enterprise helm docs

* Enterprise settings docs (#2397)

* init console-specific reference docs files

* remove shortdoc for name

* init Enterprise Reference doc

* expanding Enterprise Reference

* init JS script for reference subpages

When reviewing please remember that I'm not a developer, be kind

* update script and apply

* remove errant dep

* document script and expand for CLI help output

* import pomerium-console_serve.yaml

In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo

* init new output file

* update script call and output

* fix anchor links

* BROKEN - import content from settings.yaml when dupe is true

* filtering WiP

* fix dupe script, more content

* replace if dupe with if not docs

* squash me

* squash me!

* add docs about PPL (#2404)

* squash meeeeee

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* symlink img dir from docs/reference

* squash mee

* update install reqs

* Fixed links throughout

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/install/quickstart.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* remove internal note

* - format python with black
- format js with prettier

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* optimize images with imageOptim

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* run prettier on config.js

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* concepts.md

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* update concepts

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

* copy edits

* typo

* symlink img dir from docs/reference

* modify TLS section in quick-start

* rm whitespace

* add common links postamble

* block of updates

* block of updates

* updates with @travisgroth

* turtles all the way down

* more content

* import all the things

* fill out reports

* fill out reports

* fix file extension

* fix links

* crosslink PPL ref

* document embedded prometheus

* expand example

* update reqs

* document non-directory users

* typo fix

* update metrics_address

* fix broken links in example configs

* update examples for route syntax

* replaced required with deprecated

Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link.

* update enterprise/about

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/console-settings.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* remove commented config lines

* update non-domain user section in concepts

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/about.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/enterprise/concepts.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* add console route to OSS conf

* update enterprise settings copy from source file

* Update docs/enterprise/concepts.md

* Update reports reference

* merge conflict resolution

* update sourced doc content, fix whitespace

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2021-08-04 13:55:04 -05:00


title: Helm
sidebarDepth: 1
description: Install Pomerium Enterprise in Kubernetes with Helm

Install Pomerium Enterprise Console in Helm

This document covers installing Pomerium Enterprise Console into your existing Helm-managed Kubernetes cluster. It's designed to work with an existing cluster running Pomerium, as described in Pomerium using Helm. Follow that document before continuing here.

Before You Begin

The Pomerium Enterprise Console requires:

  • An accessible RDBMS. We support PostgreSQL 9+.
    • A database and user with full permissions for it.
  • A certificate management solution. This page will assume a store of certificates using cert-manager as the solution. If you use another certificate solution, adjust the steps accordingly.
  • An existing Pomerium installation. If you don't already have the open-source Pomerium installed in your cluster, see Pomerium using Helm before you continue.

System Requirements

One of the advantages of a Kubernetes deployment is automatic scaling, but if your database or Redis solution is outside of your k8s configuration, refer to the requirements below:

  • Each Postgres instance should have at least:
    • 4 vCPUs
    • 8G RAM
    • 20G for data files
  • Each Redis instance should have at least:
    • 2 vCPUs
    • 4G RAM
    • 20G for data files

Issue a Certificate

This setup assumes an existing certificate solution using cert-manager, as described in Pomerium using Helm. If you already have a different certificate solution, create and implement a certificate for pomerium-console.pomerium.svc.cluster.local. Then you can move on to the next stage.

  1. Create a certificate configuration file for Pomerium Enterprise. Our example is named pomerium-console-certificate.yaml:

    <<< @/examples/kubernetes/pomerium-console-certificate.yaml

  2. Apply the required certificate configurations, and confirm:

    kubectl apply -f pomerium-console-certificate.yaml
    
    kubectl get certificate
    NAME                    READY   SECRET                 AGE
    pomerium-cert           True    pomerium-tls           92m
    pomerium-console-cert   True    pomerium-console-tls   6s
    pomerium-redis-cert     True    pomerium-redis-tls     92m
    

Update Pomerium

  1. Set your local context to your Pomerium namespace:

    kubectl config set-context --current --namespace=pomerium
    
  2. Open your Pomerium values file. If you followed Pomerium Using Helm, the file is named pomerium-values.yaml. In the config section, set a list item in the routes block for the Enterprise Console:

      routes:
        - from: https://console.localhost.pomerium.com
          to: https://pomerium-console.pomerium.svc.cluster.local
          policy:
            - allow:
                or:
                  - domain:
                      is: companydomain.com
          pass_identity_headers: true
    
  3. Use Helm to update your Pomerium installation:

    helm upgrade --install pomerium pomerium/pomerium --values=./pomerium-values.yaml
    

Install Pomerium Enterprise Console

  1. Create pomerium-console-values.yaml as shown below, replacing placeholder values:

    database:
      type: pg
      username: pomeriumDbUser
      password: IAMASTRONGPASSWORDLOOKATME
      host: 198.51.100.53
      name: pomeriumDbName
      sslmode: require
    config:
      sharedSecret: #Shared with Pomerium
      databaseEncryptionKey:  #Generate from "head -c32 /dev/urandom | base64"
      administrators: "youruser@yourcompany.com" #This is a hard-coded access, remove once setup is complete
    tls:
      existingCASecret: pomerium-tls
      caSecretKey: ca.crt
      existingSecret: pomerium-console-tls
      generate: false
    image:
      pullUsername: pomerium/enterprise
      pullPassword: your-access-key
    
  2. Add the Pomerium Enterprise repository to your Helm configuration:

    helm repo add pomerium-enterprise https://releases.pomerium.com
    helm repo update
    
  3. Install Pomerium Enterprise:

    helm install pomerium-console pomerium-enterprise/pomerium-console --values=pomerium-console-values.yaml
    
  4. If you haven't configured a public DNS record for your Pomerium domain space, you can use kubectl to generate a local proxy:

    sudo -E kubectl --namespace pomerium port-forward service/pomerium-proxy 443:443
    
  5. When visiting https://console.localhost.pomerium.io, you should see the Session List page:

    The Session List page after installing Pomerium Enterprise Console
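
Before running the install in step 3, the values file from step 1 can be linted for leftover placeholders and weak settings. The script below is an added example, not part of the Pomerium documentation or charts: the function names `yaml_value` and `check_console_values` are hypothetical, the 32-byte key length is inferred from the `head -c32` command in the template, and it assumes a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example: lint pomerium-console-values.yaml before `helm install`.
# Line-oriented reader for the flat layout shown above, not a YAML parser.

# Print the value of the first "KEY:" line in FILE, minus comment and quotes.
yaml_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# Print one FAIL/WARN line per finding; print nothing for a clean file.
check_console_values() {
  f=$1
  # The page generates the key with `head -c32 /dev/urandom | base64`,
  # so it must decode to exactly 32 bytes (assumed requirement).
  n=$(yaml_value databaseEncryptionKey "$f" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ] || echo "FAIL databaseEncryptionKey: decodes to $n bytes, expected 32"
  [ -n "$(yaml_value sharedSecret "$f")" ] || echo "FAIL sharedSecret: empty"
  [ "$(yaml_value password "$f")" != "IAMASTRONGPASSWORDLOOKATME" ] ||
    echo "FAIL database.password: documentation placeholder"
  [ "$(yaml_value pullPassword "$f")" != "your-access-key" ] ||
    echo "FAIL image.pullPassword: documentation placeholder"
  # libpq modes disable/allow/prefer permit an unencrypted connection.
  case "$(yaml_value sslmode "$f")" in
    require|verify-ca|verify-full) ;;
    *) echo "FAIL database.sslmode: TLS to Postgres is not enforced" ;;
  esac
  [ -z "$(yaml_value administrators "$f")" ] ||
    echo "WARN config.administrators: hard-coded access, remove after setup"
  return 0
}

# Constructed sample: the page's template with only the key filled in.
demo_file=$(mktemp)
cat > "$demo_file" <<EOF
database:
  password: IAMASTRONGPASSWORDLOOKATME
  sslmode: require
config:
  sharedSecret: #Shared with Pomerium
  databaseEncryptionKey: $(head -c32 /dev/urandom | base64)
  administrators: "youruser@yourcompany.com"
image:
  pullPassword: your-access-key
EOF
check_console_values "$demo_file"
rm -f "$demo_file"
```

Run `check_console_values pomerium-console-values.yaml` again after setup is complete; the remaining WARN line is the reminder to remove the hard-coded administrator.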

Troubleshooting

Updating Service Types:

If, while updating the open-source Pomerium values, you change any block's service.type, you may need to manually delete the corresponding service before applying the new configuration. For example:

kubectl delete svc pomerium-proxy