local utils = import '../utils.libsonnet';
local Routes = (import './routes.libsonnet').Routes;
// Fabricated Google service-account JSON consumed by the integration suite
// through GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT. Every
// endpoint points at the in-cluster mock IdP, never at Google.
//
// SECURITY (test fixture, not a real credential):
//   - `private_key` is the suite's TLS server key (../files/trusted-key.pem,
//     the same file exported as CERTIFICATE_KEY), reused here as the
//     service-account signing key. A real deployment must never share one
//     key between TLS and token signing.
//   - the endpoints are plain http:// because the mock IdP has no TLS.
//   - project/client identifiers are placeholders ("redacted").
//
// dns_suffix: appended to the `mock-idp` hostname in every endpoint URL.
local GoogleCloudServerlessAuthenticationServiceAccount(dns_suffix='') =
  local idp_base = 'http://mock-idp' + dns_suffix + ':8024';
  {
    type: 'service_account',
    project_id: 'pomerium-redacted',
    private_key_id: 'e07f7c93870c7e03f883560ecd8fd0f4d27b0081',
    private_key: importstr '../files/trusted-key.pem',
    client_email: 'redacted@pomerium-redacted.iam.gserviceaccount.com',
    client_id: '101215990458000334387',
    auth_uri: idp_base,
    token_uri: idp_base + '/token',
    auth_provider_x509_cert_url: idp_base,
    client_x509_cert_url: idp_base,
  };
// Minimal Kubernetes Deployment for one pomerium pod (single-cluster
// integration test only).
//
// name:        Deployment and container name; also the `app` label the
//              matching KubernetesService selects on.
// image:       container image reference, emitted verbatim.
// environment: flat string -> string map exported as container env vars.
//              In this suite that map carries CERTIFICATE_KEY, SHARED_SECRET
//              and the other Environment() values, so the rendered manifest
//              holds secrets in the clear; do not commit rendered output.
//
// NOTE(review): deliberately bare test shape — one replica in the `default`
// namespace, no resource limits, no securityContext, no Secret/ConfigMap
// indirection for the env values.
local KubernetesDeployment(name, image, environment) =
  local app_label = { app: name };
  // Same ports the compose layout publishes: 80/443 for HTTP(S), 5443 gRPC.
  local container_ports = [
    { name: 'http', containerPort: 80 },
    { name: 'https', containerPort: 443 },
    { name: 'grpc', containerPort: 5443 },
  ];
  {
    apiVersion: 'apps/v1',
    kind: 'Deployment',
    metadata: { namespace: 'default', name: name },
    spec: {
      replicas: 1,
      selector: { matchLabels: app_label },
      template: {
        metadata: { labels: app_label },
        spec: {
          containers: [{
            name: name,
            image: image,
            // IfNotPresent: an already-pulled image with the same tag is
            // reused, so a mutable tag is not refreshed on redeploy.
            imagePullPolicy: 'IfNotPresent',
            ports: container_ports,
            // std.objectFields is sorted, so env var order is deterministic.
            env: std.map(
              function(key) { name: key, value: environment[key] },
              std.objectFields(environment)
            ),
          }],
        },
      },
    },
  };
// NodePort Service in front of the pomerium Deployment.
//
// name: Service name, `app` label and selector value (must match the
//       KubernetesDeployment built with the same name).
//
// NOTE(review): nodePort 80, 443 and 5443 are below the Kubernetes default
// node-port range (30000-32767); the API server must run with a widened
// `--service-node-port-range` or this manifest is rejected. Presumably the
// test cluster's config handles that — it is not visible in this file.
local KubernetesService(name) =
  // [name, port] pairs: the Service port, the nodePort and the container's
  // named targetPort all line up with KubernetesDeployment's ports.
  local exposed = [['http', 80], ['https', 443], ['grpc', 5443]];
  {
    apiVersion: 'v1',
    kind: 'Service',
    metadata: {
      namespace: 'default',
      name: name,
      labels: { app: name },
    },
    spec: {
      type: 'NodePort',
      selector: { app: name },
      ports: [
        { name: p[0], port: p[1], targetPort: p[0], nodePort: p[1] }
        for p in exposed
      ],
    },
  };
// Environment variables shared by every pomerium container in the suite.
//
// mode:       'multi', 'traefik' or 'nginx' select the overrides appended at
//             the end; any other value gets the base set only.
// idp:        passed through as IDP_PROVIDER and into the Routes policy.
// dns_suffix: forwarded to the fabricated GCP service-account JSON and to
//             Routes.
//
// SECURITY: everything below is a published test fixture. None of these
// values is secret any more and none may be reused outside this suite:
//   - COOKIE_SECRET and SHARED_SECRET are the same literal. A real deployment
//     needs two independent, randomly generated values.
//   - IDP_CLIENT_ID / IDP_CLIENT_SECRET are placeholders for the mock IdP.
//   - CERTIFICATE_KEY and SIGNING_KEY are PEM files checked into the repo.
//   - ENVOY_ADMIN_ADDRESS binds the Envoy admin API on all interfaces, and
//     the compose definitions in this file publish it to the host (9901).
local Environment(mode, idp, dns_suffix) =
  local base = {
    AUTHENTICATE_SERVICE_URL: 'https://authenticate.localhost.pomerium.io',
    CERTIFICATE: std.base64(importstr '../files/trusted.pem'),
    CERTIFICATE_KEY: std.base64(importstr '../files/trusted-key.pem'),
    CERTIFICATE_AUTHORITY: std.base64(importstr '../files/ca.pem'),
    COOKIE_SECRET: 'UYgnt8bxxK5G2sFaNzyqi5Z+OgF8m2akNc0xdQx718w=',
    DATABROKER_STORAGE_TYPE: 'redis',
    // Plain redis:// (no TLS, no auth) on the compose network.
    DATABROKER_STORAGE_CONNECTION_STRING: 'redis://redis:6379',
    ENVOY_ADMIN_ADDRESS: '0.0.0.0:9901',
    GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT: std.base64(std.manifestJsonEx(
      GoogleCloudServerlessAuthenticationServiceAccount(dns_suffix), ''
    )),
    IDP_PROVIDER: idp,
    IDP_PROVIDER_URL: 'https://mock-idp.localhost.pomerium.io/',
    IDP_CLIENT_ID: 'CLIENT_ID',
    IDP_CLIENT_SECRET: 'CLIENT_SECRET',
    JWT_CLAIMS_HEADERS: 'email,groups,user',
    LOG_LEVEL: 'info',
    POLICY: std.base64(std.manifestJsonEx(Routes(mode, idp, dns_suffix), '')),
    SHARED_SECRET: 'UYgnt8bxxK5G2sFaNzyqi5Z+OgF8m2akNc0xdQx718w=',
    SIGNING_KEY: std.base64(importstr '../files/signing-key.pem'),
    SIGNING_KEY_ALGORITHM: 'ES256',
  };
  local mode_overrides = {
    // Split deployment: roles reach each other over TLS gRPC on 5443.
    multi: {
      AUTHORIZE_SERVICE_URL: 'https://pomerium-authorize:5443',
      DATABROKER_SERVICE_URL: 'https://pomerium-databroker:5443',
      GRPC_ADDRESS: ':5443',
      GRPC_INSECURE: 'false',
      // The service URLs above use compose service names that are not on the
      // shared test certificate; presumably this makes hostname verification
      // accept the wildcard instead — confirm against the
      // override_certificate_name documentation before copying this pattern.
      OVERRIDE_CERTIFICATE_NAME: '*.localhost.pomerium.io',
    },
    traefik: {
      FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
    },
    // Behind nginx pomerium listens in plaintext on :80 (INSECURE_SERVER);
    // presumably TLS terminates at the reverse proxy in this mode.
    nginx: {
      ADDRESS: ':80',
      INSECURE_SERVER: 'true',
      FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
    },
  };
  base + (if std.objectHas(mode_overrides, mode) then mode_overrides[mode] else {});
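// Wraps utils.ComposeService so that every pomerium container (and its
// `-ready` waiter) starts only after the suite's fixture services have
// completed their readiness one-shots.
//
// name:              compose service name.
// definition:        service body; a `depends_on` map is merged into it.
// additionalAliases: extra network aliases forwarded to utils.ComposeService.
//
// Fix: the dependency comprehension used `name` as its loop variable,
// shadowing the `name` parameter. The generated keys were still the fixture
// names, but the loop read as though the service depended on itself; the
// loop variable is now distinct.
local ComposeService(name, definition, additionalAliases=[]) =
  // Fixture services whose `<fixture>-ready` one-shot must finish first.
  local fixtures = [
    'fortio',
    'mock-idp',
    'redis',
    'trusted-httpdetails',
    'untrusted-httpdetails',
    'verify',
    'websocket-echo',
    'wrongly-named-httpdetails',
  ];
  utils.ComposeService(name, definition {
    depends_on: {
      [fixture + '-ready']: { condition: 'service_completed_successfully' }
      for fixture in fixtures
    },
  }, additionalAliases);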
// Backend definition for the pomerium service under test.
//
// mode:       'multi' splits pomerium into authorize/authenticate/databroker/
//             proxy containers; 'traefik' and 'nginx' run one container behind
//             a forward-auth reverse proxy plus a readiness waiter; any other
//             value runs a single all-in-one container.
// idp:        forwarded to Environment (IDP_PROVIDER).
// dns_suffix: forwarded to Environment.
//
// Returns { compose: { services, volumes }, kubernetes: [Service, Deployment] }.
//
// NOTE(review): the image is `pomerium/pomerium:${POMERIUM_TAG:-master}` — a
// compose-interpolated, mutable tag with no digest pin. The same literal is
// emitted into the Kubernetes manifest, where compose interpolation does not
// happen; presumably the caller substitutes it before apply — confirm.
function(mode, idp, dns_suffix='') {
  local name = 'pomerium',
  local image = 'pomerium/pomerium:${POMERIUM_TAG:-master}',
  local environment = Environment(mode, idp, dns_suffix),

  // One container running a single pomerium role (mode == 'multi').
  // `ports` entries are host:container; every role publishes its Envoy
  // admin port (9901) and its gRPC port (5443) on the host.
  local role_service(role, ports, aliases=[]) =
    ComposeService(name + '-' + role, {
      image: image,
      environment: environment { SERVICES: role },
      ports: ports,
    }, aliases),

  local multi_services =
    role_service('authorize', ['9904:9901/tcp', '5446:5443/tcp']) +
    role_service('authenticate', ['9903:9901/tcp', '5445:5443/tcp'],
                 ['authenticate.localhost.pomerium.io']) +
    role_service('databroker', ['9902:9901/tcp', '5444:5443/tcp']) +
    role_service('proxy',
                 ['80:80/tcp', '443:443/tcp', '5443:5443/tcp', '9901:9901/tcp'],
                 ['mock-idp.localhost.pomerium.io']),

  // Forward-auth modes: no host-published ports (the reverse proxy fronts
  // pomerium) plus a dockerize one-shot that blocks until /healthz answers.
  // In nginx mode pomerium listens in plaintext on :80, so the probe is http.
  local healthz_url =
    if mode == 'nginx' then 'http://' + name + ':80/healthz'
    else 'https://' + name + ':443/healthz',
  local forward_auth_services =
    ComposeService(name, {
      image: image,
      environment: environment,
    }, ['authenticate.localhost.pomerium.io', 'forward-authenticate.localhost.pomerium.io']) +
    ComposeService(name + '-ready', {
      image: 'jwilder/dockerize:0.6.1',
      command: ['-wait', healthz_url, '-timeout', '10m'],
    }),

  // All-in-one container; 9901 publishes the Envoy admin API on the host.
  local single_service =
    ComposeService(name, {
      image: image,
      environment: environment,
      ports: ['80:80/tcp', '443:443/tcp', '9901:9901/tcp'],
    }, ['authenticate.localhost.pomerium.io']),

  compose: {
    services:
      if mode == 'multi' then multi_services
      else if mode == 'traefik' || mode == 'nginx' then forward_auth_services
      else single_service,
    volumes: {},
  },
  kubernetes: [
    KubernetesService(name),
    KubernetesDeployment(name, image, environment),
  ],
}