Add support for api proxy feature (#130)
Signed-off-by: Travis Groth <[email protected]>
travisgroth authored Aug 5, 2020
1 parent e719dcd commit 0871013
Showing 9 changed files with 146 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 11.0.0
version: 11.1.0
appVersion: 0.9.5
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo-long.svg
43 changes: 43 additions & 0 deletions charts/pomerium/README.md
@@ -14,6 +14,7 @@
- [Signing Key](#signing-key)
- [Auto Generation](#auto-generation-1)
- [Self Provisioned](#self-provisioned-1)
- [Kubernetes API Proxy](#kubernetes-api-proxy)
- [Configuration](#configuration)
- [Changelog](#changelog)
- [11.0.0](#1100)
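Review bot: the TOC gains the `Kubernetes API Proxy` entry but no `11.1.0` changelog entry, even though Chart.yaml in this same commit bumps the chart from 11.0.0 to 11.1.0 and the TOC still lists `11.0.0` as the newest release. Add a changelog entry that covers the new `apiProxy` values, the new authorize ServiceAccount, and the removal of the `authorize.<rootDomain>` TLS host from ingress.yaml, since all three are user-visible changes.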
@@ -137,6 +138,44 @@ If you wish to provide your own signing key in secret, you should:
1. turn `config.generateSigningKey` to `false`
2. specify `config.existingsigningKeySecret` with secret's name

## Kubernetes API Proxy

Starting in `v0.10`, Pomerium supports delegated authentication for the Kubernetes API Server. In this model, Kubernetes delegates authentication to Pomerium, allowing Kubernetes RBAC policies to be applied to users authenticated by Pomerium.

This feature does not require running inside the cluster, but this chart supports setting this up with minimal
configuration.

After setting `apiProxy.enabled`:

1) Add a policy entry (see `apiProxy` values for defaults):

```yaml
- from: https://kubernetes.localhost.pomerium.io
to: https://kubernetes.default.svc
tls_skip_verify: true
allowed_domains:
- [email protected]
```
2) Add role bindings:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pomerium-admins
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: [email protected]
```
See [docs.pomerium.io/docs/topics/data-storage.html#kubectl-auth](https://docs.pomerium.io/docs/topics/kubernetes-auth.html) for more detail and client setup.
## Configuration
A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/reference/reference.html).
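Review bot: the sample policy for `to: https://kubernetes.default.svc` sets `tls_skip_verify: true`, which turns off certificate verification on the very hop that carries the impersonation headers to the API server. The cluster CA is mounted into every pod, so the documented example should prefer a trusted-CA setting over skipping verification (assumption: Pomerium's `tls_custom_ca` policy option is the right knob here), or at least state the tradeoff next to the snippet. The link text reads `docs.pomerium.io/docs/topics/data-storage.html#kubectl-auth` while the URL points at `kubernetes-auth.html`; make the two agree. Minor: add a blank line before `## Configuration` so the heading renders, and add one sentence beside the `cluster-admin` binding noting that it is the broadest possible grant and that a narrower ClusterRole is the usual starting point.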
@@ -162,6 +201,10 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `config.extraOpts` | Options Dictionary appended to the config file. May contain any additional config value that doesn't have its dedicated helm value counterpart. | {} |
| `extraEnv` | Set `env` variables on service pods | [] |
| `extraEnvFrom` | Sets `envFrom` on service pods. Can be used to source ENV vars from existing secrets or configmaps. [Reference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#envfromsource-v1-core) | [] |
| `apiProxy.enabled` | Create service account, RBAC and ingress rules to proxy to the kubernetes api server on this cluster | `false` |
| `apiProxy.ingress` | When `apiProxy.enabled` is `true`, inject an entry into the pomerium ingress resource | true |
| `apiProxy.fullNameOverride` | Set the FQDN to the kubernetes api server in the ingress resource | `kubernetes.{{config.rootDomain}}` |
| `apiProxy.name` | non-FQDN of kubernet4es api server in the ingress resource | `kubernetes` |
| `authenticate.nameOverride` | Name of the authenticate service. | `authenticate` |
| `authenticate.fullnameOverride` | Full name of the authenticate service. | `authenticate` |
| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` |
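Review bot: typo `kubernet4es` in the `apiProxy.name` description. The new rows are also inconsistent with the rest of the table: the `apiProxy.enabled` default is backticked while the `true` for `apiProxy.ingress` is not, and the key is spelled `apiProxy.fullNameOverride` (capital N) where every other service uses `fullnameOverride` (see `authenticate.fullnameOverride` two rows down). Helm values are case-sensitive, so users who copy the existing convention will get a silently ignored key; pick `fullnameOverride` and rename in values.yaml and `_helpers.tpl` as well.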
15 changes: 15 additions & 0 deletions charts/pomerium/templates/_helpers.tpl
@@ -248,6 +248,21 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- end -}}
{{- end -}}


{{/*Expand the FQDN of the api proxy endpoint*/}}
{{- define "pomerium.apiProxy.name" -}}
{{- if .Values.apiProxy.fullNameOverride -}}
{{- .Values.apiProxy.fullNameOverride -}}
{{- else -}}
{{- printf "%s.%s" .Values.apiProxy.name .Values.config.rootDomain -}}
{{- end -}}
{{- end -}}

{{/*Expand the serviceAccountName for the authorize service */}}
{{- define "pomerium.authorize.serviceAccountName" -}}
{{- default (printf "%s-authorize" ( include "pomerium.fullname" .) ) .Values.forwardAuth.nameOverride -}}
{{- end -}}

{{/*Expand the serviceAccountName for the operator */}}
{{- define "pomerium.operator.serviceAccountName" -}}
{{- default (printf "%s-operator" ( include "pomerium.fullname" .) ) .Values.forwardAuth.nameOverride -}}
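Review bot: `pomerium.apiProxy.name` reads correctly, but the other templates in this commit use `.Values.authorize.serviceAccount.name` directly instead of the `pomerium.authorize.serviceAccountName` helper visible in the context here, leaving two sources of truth for the authorize ServiceAccount name. Route the deployment, ServiceAccount and ClusterRoleBinding through one helper, or remove the unused one. While in this file: both `pomerium.authorize.serviceAccountName` and `pomerium.operator.serviceAccountName` fall back to `.Values.forwardAuth.nameOverride`, which looks like a copy-paste slip from the forwardAuth helper.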
3 changes: 2 additions & 1 deletion charts/pomerium/templates/authorize-deployment.yaml
@@ -101,6 +101,7 @@ spec:
{{- $ctx := . }}
{{- $_ := set $ctx "currentServiceName" "authorize" }}
{{ include "pomerium.volumes.service" $ctx | indent 8 }}
serviceAccountName: {{ .Values.authorize.serviceAccount.name }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
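Review bot: `serviceAccountName` is set unconditionally, so every install of the authorize deployment now depends on the ServiceAccount from serviceaccount.yaml existing, not only installs with `apiProxy.enabled: true`. That is consistent with the ServiceAccount template in this diff, which is also unconditional, but if a `serviceAccount.create` toggle is introduced later this line needs the matching condition or the pod will not start. With `apiProxy.enabled: false` no ClusterRoleBinding is attached, so the default SA carries no extra permissions, which is the right default.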
@@ -116,4 +117,4 @@ spec:
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- end }}
33 changes: 33 additions & 0 deletions charts/pomerium/templates/clusterrole.yaml
@@ -37,4 +37,37 @@ rules:
- get
- list
- watch
{{- end -}}

{{- if and .Values.rbac.create .Values.apiProxy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ printf "%s-api-proxy" ( include "pomerium.fullname" . ) }}
labels:
app.kubernetes.io/name: {{ template "pomerium.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
annotations:
{{- if .Values.annotations }}
{{- range $key, $value := .Values.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- users
- groups
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- "authorization.k8s.io"
resources:
- selfsubjectaccessreviews
verbs:
- create
{{- end -}}
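Review bot: there is no `---` document separator between the existing ClusterRole's `{{- end -}}` and the new `{{- if and .Values.rbac.create .Values.apiProxy.enabled -}}`; both sides trim surrounding whitespace, so the rendered output runs `apiVersion: rbac.authorization.k8s.io/v1` straight onto the preceding `- watch` line instead of starting a second document (serviceaccount.yaml in this same commit does emit a `---`). On the grant itself: `impersonate` on `users`, `groups` and `serviceaccounts` with no `resourceNames` lets the authorize service act as any identity in the cluster, which makes the authorize pod cluster-admin-equivalent. That is inherent to the delegated-auth model, but the README should say so plainly, and the binding should stay gated on `apiProxy.enabled` as it is here.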
20 changes: 20 additions & 0 deletions charts/pomerium/templates/clusterrolebinding.yaml
@@ -17,4 +17,24 @@ subjects:
- kind: ServiceAccount
name: {{ template "pomerium.operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

{{- if and .Values.rbac.create .Values.apiProxy.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
name: {{ printf "%s-api-proxy" ( include "pomerium.fullname" . ) }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-api-proxy" (include "pomerium.fullname" .) }}
subjects:
- kind: ServiceAccount
name: {{ .Values.authorize.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
{{- end -}}
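Review bot: same missing `---` as in clusterrole.yaml: `{{- end -}}` followed by `{{- if and ... -}}` consumes the blank line, so the new `apiVersion:` line is appended to the previous binding's `namespace:` line rather than opening a new document. The `app.kubernetes.io/name` label here uses `pomerium.authorize.name` while the ClusterRole it references uses `pomerium.name`; align them so label selectors treat both objects the same way. The subject name is taken from `.Values.authorize.serviceAccount.name` directly rather than a helper; see the note on `_helpers.tpl`.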
1 change: 0 additions & 1 deletion charts/pomerium/templates/ingress.yaml
@@ -16,7 +16,6 @@ spec:
tls:
- secretName: {{ default .Values.ingress.secretName .Values.ingress.secret.name}}
hosts:
- {{ printf "authorize.%s" .Values.config.rootDomain | quote }}
- {{ printf "authenticate.%s" .Values.config.rootDomain | quote }}
{{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal) }}
- {{ template "pomerium.forwardAuth.name" . }}
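Review bot: this hunk drops `authorize.<rootDomain>` from the TLS hosts list, which the commit title does not mention and which changes the hostnames the ingress certificate covers. If the authorize service is meant to be reachable only inside the cluster from now on, say so in the changelog; otherwise this is a regression for users who relied on the external hostname. The api proxy host that `apiProxy.ingress: true` is documented to inject does not appear in the visible part of this hunk, so confirm it is added further down in the file, and that the `pomerium.apiProxy.name` helper is what produces it.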
22 changes: 22 additions & 0 deletions charts/pomerium/templates/serviceaccount.yaml
@@ -21,3 +21,25 @@ metadata:
{{- end }}
{{- end -}}

---

apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.authorize.serviceAccount.name }}
labels:
app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: authorize
annotations:
{{- if .Values.annotations }}
{{- range $key, $value := .Values.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- else if .Values.authorize.serviceAccount.annotations }}
{{- range $key, $value := .Values.authorize.serviceAccount.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
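Review bot: the annotations block makes `.Values.annotations` and `.Values.authorize.serviceAccount.annotations` mutually exclusive (`else if`), so setting any chart-wide annotation silently drops the authorize-specific ones, which are usually the ones that matter on a ServiceAccount (cloud IAM role or workload-identity bindings). Emit both ranges, with the service-account map last so it can override keys. The ServiceAccount is also created unconditionally with a name that defaults to a fixed string in values.yaml, so two releases in one namespace would contend for the same object; deriving the name from `pomerium.fullname` avoids that.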
10 changes: 10 additions & 0 deletions charts/pomerium/values.yaml
@@ -85,6 +85,10 @@ authorize:
annotations: {}
deployment:
annotations: {}
serviceAccount:
name: pomerium-authorize
annotations: {}


cache:
fullnameOverride: ""
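Review bot: `serviceAccount.name: pomerium-authorize` is a fixed default rather than one derived from the release name, so two releases in one namespace collide on the ServiceAccount and on the `serviceAccountName` in the authorize deployment. Defaulting to `""` and falling back to the existing `pomerium.authorize.serviceAccountName` helper (`<fullname>-authorize`) in the templates would match how the chart builds its other names. A `create:` flag next to `name:` would also let users bring a pre-annotated ServiceAccount of their own.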
@@ -131,6 +135,12 @@ proxy:
deployment:
annotations: {}

apiProxy:
enabled: false
ingress: true
fullNameOverride: ""
name: "kubernetes"

operator:
enabled: false
fullnameOverride: ""
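Review bot: `apiProxy.fullNameOverride` is spelled with a capital N while the neighbouring `cache.fullnameOverride` and `operator.fullnameOverride` use lowercase; Helm values are case-sensitive, so a user who follows the existing convention will silently get the default `kubernetes.<rootDomain>`. Rename to `fullnameOverride` here, in the `pomerium.apiProxy.name` helper and in the README table. Since `ingress: true` is the default, flipping `apiProxy.enabled` publishes the API server hostname through the ingress immediately; that is presumably intended, but it deserves a sentence in the README.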