Merge pull request #27 from travisgroth/pomerium/3.0.0
Refactor TLS secrets (#17347)
travisgroth authored Oct 4, 2019
2 parents 7afaec6 + 47a26e5 commit 926c7a5
Showing 10 changed files with 435 additions and 52 deletions.
2 changes: 1 addition & 1 deletion Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 2.0.3
version: 3.0.0
appVersion: 0.3.1
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo.svg
64 changes: 60 additions & 4 deletions README.md
@@ -6,10 +6,15 @@
- [TL;DR;](#tldr)
- [Install the chart](#install-the-chart)
- [Uninstalling the Chart](#uninstalling-the-chart)
- [TLS Certificates](#tls-certificates)
- [Auto Generation](#auto-generation)
- [Self Provisioned](#self-provisioned)
- [Configuration](#configuration)
- [Changelog](#changelog)
- [3.0.0](#300)
- [2.0.0](#200)
- [Upgrading](#upgrading)
- [3.0.0](#300-1)
- [2.0.0](#200-1)
- [Metrics Discovery Configuration](#metrics-discovery-configuration)
- [Prometheus Operator](#prometheus-operator)
@@ -56,14 +61,38 @@ helm delete --purge my-release

The command removes nearly all the Kubernetes components associated with the chart and deletes the release.

## TLS Certificates

### Auto Generation

In default configuration, this chart will automatically generate TLS certificates in a helm `pre-install` hook for the Pomerium services to communicate with.

Upon delete, you will need to manually delete the generated secrets. Example:

```console
kubectl delete secret -l app.kubernetes.io/name=pomerium
```

You may force recreation of your TLS certificates by setting `config.forceGenerateTLS` to `true`. Delete any existing TLS secrets first to prevent errors, and make sure you set back to `false` for your next helm upgrade command or your deployment will fail due to existing Secrets.

### Self Provisioned
If you wish to provide your own TLS certificates in secrets, you should:
1) turn `generateTLS` to `false`
2) specify `authenticate.existingTLSSecret`, `authorize.existingTLSSecret`, and `proxy.existingTLSSecret`, pointing at the appropriate TLS certificate for each service.

All services can share the secret if appropriate.

## Configuration

A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/config-reference.html).

| Parameter | Description | Default |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). | `corp.pomerium.io` |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| Parameter | Description | Default |
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). | `corp.pomerium.io` |
| `config.existingLegacyTLSSecret` | Use a Pre-3.0.0 secret for the service TLS data. Only use if upgrading from <= 2.0.0 | `false` |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |

| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/config-reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) |
| `config.policy` | Base64 encoded string containing the routes, and their access policies. |
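Review bot: step 1 of the Self Provisioned list names the flag `generateTLS`, while the table and the Auto Generation paragraph call it `config.generateTLS`; use the full key so the instruction can be pasted into a values file. The same section should say what shape the `[service].existingTLSSecret` secrets must have: the helper templates in this change read `tls.crt`/`tls.key` from them (a `kubernetes.io/tls` secret, as produced by `kubectl create secret tls`) and read the CA from a `ca.crt` key, none of which is stated here. Two smaller points: the `config.forceGenerateTLS` description stops mid-sentence ("after running"), and the `kubectl delete secret -l app.kubernetes.io/name=pomerium` example carries no `-n` flag, so it runs against the current-context namespace and will also match any user-provided secrets that carry that label.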
@@ -77,14 +106,17 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/config-reference.html#identity-provider-url). | Optional |
| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/config-reference.html#identity-provider-service-account). | Optional |
| `authenticate.replicaCount` | Number of Authenticate pods to run | | `1` |
| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | |
| `proxy.nameOverride` | Name of the proxy service. |
| `proxy.fullnameOverride` | Full name of the proxy service. |
| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` |
| `proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` |
| `proxy.replicaCount` | Number of Proxy pods to run | | `1` |
| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | |
| `authorize.nameOverride` | Name of the authorize service. |
| `authorize.fullnameOverride` | Full name of the authorize service. |
| `authorize.replicaCount` | Number of Authorize pods to run | | `1` |
| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | |
| `images.server.repository` | Pomerium image | `pomerium/pomerium` |
| `images.server.tag` | Pomerium image tag | `latest` |
| `images.server.pullPolicy` | Pomerium image pull policy | `Always` |
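Review bot: the three new `*.existingTLSSecret` rows leave the Default cell empty; state what happens when the value is unset (per the helpers in this change, the chart falls back to a generated `<release>-<service>-tls` secret) so a reader can tell "no default" from a documentation gap. Pre-existing, but worth fixing while touching these rows: the `replicaCount` lines carry an extra empty `|` cell, which breaks the table layout.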
@@ -107,8 +139,13 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `metrics.enabled` | Enable prometheus metrics endpoint | `false` |
| `metrics.port` | Prometheus metrics endpoint port | `9090` |


## Changelog

### 3.0.0
- Refactor TLS certificates to use Kubernetes TLS secrets
- Generate TLS certificates in a hook to prevent certificate churn

### 2.0.0

- Expose replica count for individual services
@@ -117,6 +154,25 @@ A full listing of Pomerium's configuration variables can be found on the [config

## Upgrading

### 3.0.0

- This version moves all certificates to TLS secrets.
- If you have existing generated certificates:
- Let pomerium regenerate your certificates during upgrade
- set `config.forceGenerateTLS` to `true`
- upgrade
- set `config.forceGenerateTLS` to `false`
- **OR:** To retain your certificates
- save your existing pomerium secret
- set `config.existingLegacyTLSSecret` to `true`
- set `config.existingConfig` to point to your configuration secret
- upgrade
- re-create pomerium secret from saved yaml
- If you have externally sourced certificates in your pomerium secret:
- [Move and convert your certificates](scripts/upgrade-v3.0.0.sh) to type TLS Secrets and configure `[service].existingTLSSecret` to point to your secrets
- **OR:** To continue using your certificates from the existing config, set `config.existingLegacyTLSSecret` to `true`

****
### 2.0.0

- You will need to run `helm upgrade --force` to recreate the authorize service correctly
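Review bot: the "retain your certificates" path tells the user to save the pomerium secret and re-create it afterwards but never says how; a concrete `kubectl get secret <name> -n <namespace> -o yaml > pomerium-secret.yaml` (the name being whatever `pomerium.fullname` resolves to for the release) and the matching `kubectl apply -f pomerium-secret.yaml` after the upgrade would spare readers a broken deployment, and it should be explicit that the save has to happen before `helm upgrade` runs. The `****` line above `### 2.0.0` reads as a stray marker rather than an intended rule; drop it.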
23 changes: 23 additions & 0 deletions scripts/upgrade-v3.0.0.sh
@@ -0,0 +1,23 @@
#!/bin/bash -e

if [ "${1}" == "" ] || [ "${2}" == "" ]; then
echo "Usage: $0 [secret name] [namespace]"
fi

DIR=$(mktemp -d)
NAME=${1:-pomerium}
NAMESPACE=${2:-default}
for service in authenticate authorize proxy; do
kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.${service}-key}" | base64 -D | base64 -D >"${DIR}/${service}.key"
kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.${service}-cert}" | base64 -D | base64 -D >"${DIR}/${service}.crt"

kubectl create secret tls "${NAME}-${service}-tls" \
--cert="${DIR}/${service}.crt" \
--key="${DIR}/${service}.key"
done

kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.ca-cert}" | base64 -D | base64 -D >"${DIR}/ca.crt"
kubectl create secret generic "${NAME}-ca-tls" \
--from-file=ca.crt="${DIR}/ca.crt"
echo "Please delete ${DIR} to clean up temporary certificate storage"
echo "# rm ${DIR}/*.{key,crt} && rmdir ${DIR}"
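Review bot: the usage check at the top prints the usage text but does not `exit`, and the next two lines then fall back to `pomerium`/`default`, so a caller who passes nothing gets a usage message followed by a run against the defaults; either `exit 1` there or drop the check and document the defaults. More importantly, the `kubectl create secret tls` and `kubectl create secret generic` calls have no `-n "${NAMESPACE}"`, so the converted secrets land in the current-context namespace rather than the one the data was read from. `base64 -D` is the macOS/BSD spelling; GNU coreutils on Linux wants `-d`, and `--decode` is accepted by both. With `bash -e` but no `set -o pipefail`, a failing `kubectl get` leaves `base64` decoding an empty stream and the script writes an empty key file and carries on to the create step instead of stopping. Finally, the private keys stay in `${DIR}` with only a printed hint to delete them; `trap 'rm -rf "${DIR}"' EXIT` near the top would remove them even when the script aborts midway.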
102 changes: 102 additions & 0 deletions templates/_helpers.tpl
@@ -113,3 +113,105 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- end -}}
{{- end -}}
{{- end -}}

{{/* Determine secret name for Authenticate TLS Cert */}}
{{- define "pomerium.authenticate.tlsSecret.name" -}}
{{- if .Values.authenticate.existingTLSSecret -}}
{{- .Values.authenticate.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{ template "pomerium.fullname" . }}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-authenticate-tls" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-authenticate-tls" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/* Determine secret name for Authorize TLS Cert */}}
{{- define "pomerium.authorize.tlsSecret.name" -}}
{{- if .Values.authorize.existingTLSSecret -}}
{{- .Values.authorize.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{ template "pomerium.fullname" . }}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-authorize-tls" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-authorize-tls" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/* Determine secret name for Proxy TLS Cert */}}
{{- define "pomerium.proxy.tlsSecret.name" -}}
{{- if .Values.proxy.existingTLSSecret -}}
{{- .Values.proxy.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{ template "pomerium.fullname" . }}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-proxy-tls" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-proxy-tls" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/* Set up secret data field names for each service */}}
{{- define "pomerium.proxy.tlsSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.crt" "proxy-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
{{- define "pomerium.proxy.tlsSecret.keyName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.key" "proxy-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}

{{- define "pomerium.authenticate.tlsSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.crt" "authenticate-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
{{- define "pomerium.authenticate.tlsSecret.keyName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.key" "authenticate-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}

{{- define "pomerium.authorize.tlsSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.crt" "authorize-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
{{- define "pomerium.authorize.tlsSecret.keyName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "tls.key" "authorize-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}

{{- define "pomerium.caSecret.name" -}}
{{if .Values.config.existingCASecret }}
{{- .Values.proxy.existingCASecret | trunc 63 | trimSuffix "-" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- else if .Values.config.existingLegacyTLSSecret -}}
{{- template "pomerium.fullname" . -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-ca-tls" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-ca-tls" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{- define "pomerium.caSecret.certName" -}}
{{- /* TODO in future: Remove legacy logic */ -}}
{{- printf "%s" (ternary "ca.crt" "ca-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
{{- end -}}
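Review bot: `pomerium.caSecret.name` tests `.Values.config.existingCASecret` but then emits `.Values.proxy.existingCASecret`, so a user who sets `config.existingCASecret` gets an empty name or a render-time error rather than their secret; pick one key and use it in both places (the opening `{{if` is also the only untrimmed action in the file). `config.existingCASecret` does not appear in the README rows added in this change either, so document it next to the three `[service].existingTLSSecret` values. The three `*.tlsSecret.name` definitions and the six `*.certName`/`*.keyName` definitions differ only by the service string; one named template taking the service as a parameter would keep the legacy fallback in a single place, which matters once the `TODO` to remove it is acted on. The name derivation via `contains $name .Release.Name` repeats the fullname pattern that `pomerium.fullname` already implements; calling that helper and appending `-<service>-tls` would avoid the two drifting apart.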
