3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-04 04:46:01 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/integration/manifests/lib/pomerium.libsonnet
Caleb Doxsey 70b4497595
databroker: rename cache service (#1790) 
* rename cache folder

* rename cache service everywhere

* skip yaml in examples

* Update docs/docs/topics/data-storage.md

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>

Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
2021-01-21 08:41:22 -07:00

508 lines
14 KiB
Jsonnet
Raw Blame History

local tls = import './tls.libsonnet';
local PomeriumPolicy = function() std.flattenArrays(
[
[
// tls_skip_verify
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://untrusted-httpdetails.default.svc.cluster.local',
path: '/tls-skip-verify-enabled',
tls_skip_verify: true,
allow_public_unauthenticated_access: true,
},
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://untrusted-httpdetails.default.svc.cluster.local',
path: '/tls-skip-verify-disabled',
tls_skip_verify: false,
allow_public_unauthenticated_access: true,
},
// tls_server_name
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://wrongly-named-httpdetails.default.svc.cluster.local',
path: '/tls-server-name-enabled',
tls_server_name: 'httpdetails.localhost.notpomerium.io',
allow_public_unauthenticated_access: true,
},
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://wrongly-named-httpdetails.default.svc.cluster.local',
path: '/tls-server-name-disabled',
allow_public_unauthenticated_access: true,
},
// tls_custom_certificate_authority
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://untrusted-httpdetails.default.svc.cluster.local',
path: '/tls-custom-ca-enabled',
tls_custom_ca: std.base64(tls.untrusted.ca),
tls_server_name: 'httpdetails.localhost.pomerium.io',
allow_public_unauthenticated_access: true,
},
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://untrusted-httpdetails.default.svc.cluster.local',
path: '/tls-custom-ca-disabled',
allow_public_unauthenticated_access: true,
},
// tls_client_cert
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://trusted-mtls-httpdetails.default.svc.cluster.local',
path: '/tls-client-cert-enabled',
tls_client_cert: std.base64(tls.trusted.client.cert),
tls_client_key: std.base64(tls.trusted.client.key),
tls_server_name: 'httpdetails.localhost.pomerium.io',
allow_public_unauthenticated_access: true,
},
{
from: 'http://httpdetails.localhost.pomerium.io',
to: 'https://trusted-mtls-httpdetails.default.svc.cluster.local',
path: '/tls-client-cert-disabled',
allow_public_unauthenticated_access: true,
},
],
] + [
[
{
from: 'http://' + domain + '.localhost.pomerium.io',
prefix: '/by-domain',
to: 'http://' + domain + '.default.svc.cluster.local',
allowed_domains: ['dogs.test'],
pass_identity_headers: false,
},
{
from: 'http://' + domain + '.localhost.pomerium.io',
prefix: '/by-user',
to: 'http://' + domain + '.default.svc.cluster.local',
allowed_users: ['bob@dogs.test'],
pass_identity_headers: true,
},
{
from: 'http://' + domain + '.localhost.pomerium.io',
prefix: '/by-group',
to: 'http://' + domain + '.default.svc.cluster.local',
allowed_groups: ['admin'],
},
// cors_allow_preflight option
{
from: 'http://' + domain + '.localhost.pomerium.io',
to: 'http://' + domain + '.default.svc.cluster.local',
prefix: '/cors-enabled',
cors_allow_preflight: true,
},
{
from: 'http://' + domain + '.localhost.pomerium.io',
to: 'http://' + domain + '.default.svc.cluster.local',
prefix: '/cors-disabled',
cors_allow_preflight: false,
},
// preserve_host_header option
{
from: 'http://' + domain + '.localhost.pomerium.io',
to: 'http://' + domain + '.default.svc.cluster.local',
path: '/preserve-host-header-enabled',
allow_public_unauthenticated_access: true,
preserve_host_header: true,
},
{
from: 'http://' + domain + '.localhost.pomerium.io',
to: 'http://' + domain + '.default.svc.cluster.local',
path: '/preserve-host-header-disabled',
allow_public_unauthenticated_access: true,
preserve_host_header: false,
},
{
from: 'http://' + domain + '.localhost.pomerium.io',
to: 'http://' + domain + '.default.svc.cluster.local',
allow_public_unauthenticated_access: true,
set_request_headers: {
'X-Custom-Request-Header': 'custom-request-header-value',
},
remove_request_headers: ['X-Custom-Request-Header-To-Remove'],
},
{
from: 'http://restricted-' + domain + '.localhost.pomerium.io',
to: 'http://' + domain + '.default.svc.cluster.local',
},
]
for domain in ['httpdetails', 'fa-httpdetails', 'ws-echo']
] + [
[
{
from: 'http://enabled-ws-echo.localhost.pomerium.io',
to: 'http://ws-echo.default.svc.cluster.local',
allow_public_unauthenticated_access: true,
allow_websockets: true,
},
{
from: 'http://disabled-ws-echo.localhost.pomerium.io',
to: 'http://ws-echo.default.svc.cluster.local',
allow_public_unauthenticated_access: true,
},
],
]
);
local PomeriumPolicyHash = std.base64(std.md5(std.manifestJsonEx(PomeriumPolicy(), '')));
local PomeriumTLSSecret = function(name) {
apiVersion: 'v1',
kind: 'Secret',
type: 'kubernetes.io/tls',
metadata: {
namespace: 'default',
name: 'pomerium-' + name + '-tls',
},
data: {
'tls-ca.crt': std.base64(tls[name].ca),
'tls.crt': std.base64(tls[name].cert),
'tls.key': std.base64(tls[name].key),
'tls-client.crt': std.base64(tls[name].client.cert),
'tls-client.key': std.base64(tls[name].client.key),
},
};
local PomeriumConfigMap = function() {
apiVersion: 'v1',
kind: 'ConfigMap',
metadata: {
namespace: 'default',
name: 'pomerium',
labels: {
'app.kubernetes.io/part-of': 'pomerium',
},
},
data: {
ADDRESS: ':443',
GRPC_ADDRESS: ':5443',
DEBUG: 'true',
LOG_LEVEL: 'debug',
AUTHENTICATE_SERVICE_URL: 'https://authenticate.localhost.pomerium.io',
AUTHENTICATE_CALLBACK_PATH: '/oauth2/callback',
AUTHORIZE_SERVICE_URL: 'https://authorize.default.svc.cluster.local:5443',
DATABROKER_SERVICE_URL: 'https://databroker.default.svc.cluster.local:5443',
FORWARD_AUTH_URL: 'https://forward-authenticate.localhost.pomerium.io',
HEADERS: 'X-Frame-Options:SAMEORIGIN',
JWT_CLAIMS_HEADERS: 'email',
SHARED_SECRET: 'Wy+c0uSuIM0yGGXs82MBwTZwRiZ7Ki2T0LANnmzUtkI=',
COOKIE_SECRET: 'eZ91a/j9fhgki9zPDU5zHdQWX4io89pJanChMVa5OoM=',
CERTIFICATE: std.base64(tls.trusted.cert),
CERTIFICATE_KEY: std.base64(tls.trusted.key),
CERTIFICATE_AUTHORITY: std.base64(tls.trusted.ca),
OVERRIDE_CERTIFICATE_NAME: 'pomerium.localhost.pomerium.io',
IDP_PROVIDER: 'oidc',
IDP_PROVIDER_URL: 'https://openid.localhost.pomerium.io',
IDP_CLIENT_ID: 'pomerium-authenticate',
IDP_CLIENT_SECRET: 'pomerium-authenticate-secret',
IDP_SERVICE_ACCOUNT: 'pomerium-service-account',
POLICY: std.base64(std.manifestYamlDoc(PomeriumPolicy())),
},
};
local PomeriumDeployment = function(svc) {
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
namespace: 'default',
name: 'pomerium-' + svc,
labels: {
app: 'pomerium-' + svc,
'app.kubernetes.io/part-of': 'pomerium',
},
},
spec: {
replicas: 1,
selector: {
matchLabels: {
app: 'pomerium-' + svc,
},
},
template: {
metadata: {
labels: {
app: 'pomerium-' + svc,
'app.kubernetes.io/part-of': 'pomerium',
},
annotations: {
'policy-version': PomeriumPolicyHash,
},
},
spec: {
hostAliases: [{
ip: '10.96.1.1',
hostnames: [
'openid.localhost.pomerium.io',
'authenticate.localhost.pomerium.io',
],
}],
initContainers: [
{
name: 'init',
image: 'buildpack-deps:buster-curl',
imagePullPolicy: 'IfNotPresent',
command: ['sh', '-c', |||
cp /incoming-certs/trusted/tls-ca.crt /usr/local/share/ca-certificates/pomerium-trusted.crt
cp /incoming-certs/wrongly-named/tls-ca.crt /usr/local/share/ca-certificates/pomerium-wrongly-named.crt
update-ca-certificates
|||],
volumeMounts: [
{
name: 'trusted-incoming-certs',
mountPath: '/incoming-certs/trusted',
},
{
name: 'wrongly-named-incoming-certs',
mountPath: '/incoming-certs/wrongly-named',
},
{
name: 'outgoing-certs',
mountPath: '/etc/ssl/certs',
},
],
},
] + if svc == 'authenticate' then [
{
name: 'wait-for-openid',
image: 'buildpack-deps:buster-curl',
imagePullPolicy: 'IfNotPresent',
command: ['sh', '-c', |||
while ! curl http://openid.default.svc.cluster.local/.well-known/openid-configuration ; do
sleep 5
done
|||],
},
] else [],
containers: [{
name: 'pomerium-' + svc,
image: 'pomerium/pomerium:dev',
imagePullPolicy: 'IfNotPresent',
envFrom: [{
configMapRef: { name: 'pomerium' },
}],
env: [{
name: 'SERVICES',
value: svc,
}],
ports: [
{ name: 'https', containerPort: 443 },
{ name: 'grpc', containerPort: 5443 },
],
volumeMounts: [
{
name: 'outgoing-certs',
mountPath: '/etc/ssl/certs',
},
],
}],
volumes: [
{
name: 'trusted-incoming-certs',
secret: {
secretName: 'pomerium-trusted-tls',
},
},
{
name: 'wrongly-named-incoming-certs',
secret: {
secretName: 'pomerium-wrongly-named-tls',
},
},
{
name: 'outgoing-certs',
emptyDir: {},
},
],
},
},
},
};
local PomeriumService = function(svc) {
apiVersion: 'v1',
kind: 'Service',
metadata: {
namespace: 'default',
name: svc,
labels: {
app: 'pomerium-' + svc,
'app.kubernetes.io/part-of': 'pomerium',
},
},
spec: {
ports: [
{
name: 'https',
port: 443,
targetPort: 'https',
},
{
name: 'grpc',
port: 5443,
targetPort: 'grpc',
},
],
selector: {
app: 'pomerium-' + svc,
},
},
};
local PomeriumNodePortServce = function() {
apiVersion: 'v1',
kind: 'Service',
metadata: {
namespace: 'default',
name: 'pomerium-proxy-nodeport',
labels: {
app: 'pomerium-proxy',
'app.kubernetes.io/part-of': 'pomerium',
},
},
spec: {
type: 'NodePort',
ports: [
{ name: 'https', port: 443, protocol: 'TCP', targetPort: 'https', nodePort: 31443 },
],
selector: {
app: 'pomerium-proxy',
},
},
};
local PomeriumIngress = function() {
local proxyHosts = [
'forward-authenticate.localhost.pomerium.io',
'httpecho.localhost.pomerium.io',
'httpdetails.localhost.pomerium.io',
'restricted-httpdetails.localhost.pomerium.io',
'enabled-ws-echo.localhost.pomerium.io',
'disabled-ws-echo.localhost.pomerium.io',
],
apiVersion: 'extensions/v1beta1',
kind: 'Ingress',
metadata: {
namespace: 'default',
name: 'pomerium',
annotations: {
'kubernetes.io/ingress.class': 'nginx',
'nginx.ingress.kubernetes.io/backend-protocol': 'HTTPS',
'nginx.ingress.kubernetes.io/proxy-buffer-size': '16k',
},
},
spec: {
tls: [
{
hosts: [
'authenticate.localhost.pomerium.io',
] + proxyHosts,
secretName: 'pomerium-trusted-tls',
},
],
rules: [
{
host: 'authenticate.localhost.pomerium.io',
http: {
paths: [
{
path: '/',
backend: {
serviceName: 'authenticate',
servicePort: 'https',
},
},
],
},
},
] + [{
host: host,
http: {
paths: [{
path: '/',
backend: {
serviceName: 'proxy',
servicePort: 'https',
},
}],
},
} for host in proxyHosts],
},
};
local PomeriumForwardAuthIngress = function() {
apiVersion: 'extensions/v1beta1',
kind: 'Ingress',
metadata: {
namespace: 'default',
name: 'pomerium-fa',
annotations: {
'kubernetes.io/ingress.class': 'nginx',
'nginx.ingress.kubernetes.io/auth-url': 'https://forward-authenticate.localhost.pomerium.io/verify?uri=$scheme://$host$request_uri',
'nginx.ingress.kubernetes.io/auth-signin': 'https://forward-authenticate.localhost.pomerium.io/?uri=$scheme://$host$request_uri',
'nginx.ingress.kubernetes.io/proxy-buffer-size': '16k',
},
},
spec: {
tls: [
{
hosts: [
'fa-httpdetails.localhost.pomerium.io',
],
secretName: 'pomerium-trusted-tls',
},
],
rules: [
{
host: 'fa-httpdetails.localhost.pomerium.io',
http: {
paths: [
{
path: '/.pomerium/',
backend: {
serviceName: 'proxy',
servicePort: 'https',
},
},
{
path: '/',
backend: {
serviceName: 'httpdetails',
servicePort: 'http',
},
},
],
},
},
],
},
};
{
apiVersion: 'v1',
kind: 'List',
items: [
PomeriumConfigMap(),
PomeriumTLSSecret('trusted'),
PomeriumTLSSecret('untrusted'),
PomeriumTLSSecret('wrongly-named'),
PomeriumService('authenticate'),
PomeriumDeployment('authenticate'),
PomeriumService('authorize'),
PomeriumDeployment('authorize'),
PomeriumService('databroker'),
PomeriumDeployment('databroker'),
PomeriumService('proxy'),
PomeriumDeployment('proxy'),
PomeriumNodePortServce(),
PomeriumIngress(),
PomeriumForwardAuthIngress(),
],
}
Reference in a new issue View git blame Copy permalink