From 9d45ddf03bd6971af2e75b1a702c03960c9524ce Mon Sep 17 00:00:00 2001
From: Travis Groth
Date: Mon, 25 May 2020 14:57:22 -0400
Subject: [PATCH] Update port names and numbers for insecure mode (#103)

Signed-off-by: Travis Groth
---
 charts/pomerium/Chart.yaml | 2 +-
 charts/pomerium/README.md | 215 +++++++++---------
 charts/pomerium/templates/_helpers.tpl | 31 +++
 .../templates/authenticate-deployment.yaml | 8 +-
 .../templates/authenticate-service.yaml | 6 +-
 .../templates/authorize-deployment.yaml | 8 +-
 .../pomerium/templates/authorize-service.yaml | 6 +-
 .../pomerium/templates/cache-deployment.yaml | 8 +-
 charts/pomerium/templates/cache-service.yaml | 6 +-
 charts/pomerium/templates/ingress.yaml | 10 +-
 .../pomerium/templates/proxy-deployment.yaml | 8 +-
 charts/pomerium/templates/proxy-service.yaml | 6 +-
 charts/pomerium/templates/secret.yaml | 1 +
 charts/pomerium/values.yaml | 4 +-
 14 files changed, 177 insertions(+), 142 deletions(-)

diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index 32c5fb2a..70a37fc9 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 9.0.0
+version: 9.1.0
 appVersion: 0.8.0
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo-long.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index 2104adba..3749544f 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -16,6 +16,7 @@
 - [Self Provisioned](#self-provisioned-1)
 - [Configuration](#configuration)
 - [Changelog](#changelog)
+ - [8.5.5](#855)
 - [8.5.1](#851)
 - [8.5.0](#850)
 - [8.4.0](#840)
@@ -135,113 +136,113 @@ If you wish to provide your own signing key in secret, you should: A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/reference/reference.html). -| Parameter | Description | Default | -| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | -| `nameOverride` | Name of the chart. | `pomerium` | -| `fullnameOverride` | Full name of the chart. | `pomerium` | -| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). | `corp.pomerium.io` | -| `config.administrators` | Comma seperated list of email addresses of administrative users [See more](https://www.pomerium.io/configuration/#administrators). | Optional | -| `config.existingSecret` | Name of the existing Kubernetes Secret. | | -| `config.existingCASecret` | Name of the existing CA Secret. | | -| `config.generateSigningKey` | Generate a signing key to sign jwt in proxy responses. Manual signing key can be set in values. | `true` | -| `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` | -| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | -| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | -| `config.insecure` | DANGER, this disables tls between services. 
Only do this if you know what you are doing. One reason might be that you want to offload tls to a reverse proxy (i.e. istio, traefik) | `false` | -| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | -| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | -| `config.policy` | Base64 encoded string containing the routes, and their access policies. | | -| `config.extraOpts` | Options Dictionary appended to the config file. May contain any additional config value that doesn't have its dedicated helm value counterpart. | {} | -| `authenticate.nameOverride` | Name of the authenticate service. | `authenticate` | -| `authenticate.fullnameOverride` | Full name of the authenticate service. | `authenticate` | -| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | -| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` | -| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required | -| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | -| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). 
| Optional | -| `authenticate.idp.scopes` | Identity [Provider Scopes](https://www.pomerium.io/configuration/#identity-provider-scopes). | Optional | -| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional | -| `authenticate.replicaCount` | Number of Authenticate pods to run | `1` | -| `authenticate.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Authenticate pods | false | -| `authenticate.autoscaling.minReplicas` | Minimum number of pods in the Authenticate deployment | `1` | -| `authenticate.autoscaling.maxReplicas` | Maximum number of pods in the Authenticate deployment | `5` | -| `authenticate.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` | -| `authenticate.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` | -| `authenticate.pdb.enabled` | Enable PodDisruptionBudget for Authenticate deployment | false | -| `authenticate.pdb.minAvailable` | Number of Authenticate pods that must be available, can be a number or percentage | `1` | -| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | | -| `authenticate.deployment.annotations` | Annotations for the authenticate deployment. If none given, then use value of `annotations` | `{}` | -| `authenticate.service.annotations` | Annotations for the authenticate service. If none given, then use value of `service.annotations` | `{}` | -| `authenticate.cacheServiceUrl` | The internally accesible url for the cache service. | `https://{{cache.name}}.{{config.rootDomain}}` | -| `proxy.nameOverride` | Name of the proxy service. | `proxy` | -| `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` | -| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. 
| `https://{{authenticate.name}}.{{config.rootDomain}}` | -| `proxy.replicaCount` | Number of Proxy pods to run | `1` | -| `proxy.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Proxy pods | false | -| `proxy.autoscaling.minReplicas` | Minimum number of pods in the Proxy deployment | `1` | -| `proxy.autoscaling.maxReplicas` | Maximum number of pods in the Proxy deployment | `5` | -| `proxy.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` | -| `proxy.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` | -| `proxy.pdb.enabled` | Enable PodDisruptionBudget for Proxy deployment | false | -| `proxy.pdb.minAvailable` | Number of Proxy pods that must be available, can be a number or percentage | `1` | -| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | -| `proxy.deployment.annotations` | Annotations for the proxy deployment. If none given, then use value of `annotations` | `{}` | -| `proxy.service.annotations` | Annotations for the proxy service. If none given, then use value of `service.annotations` | `{}` | -| `proxy.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | | -| `proxy.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | | -| `authorize.nameOverride` | Name of the authorize service. | `authorize` | -| `authorize.fullnameOverride` | Full name of the authorize service. 
| `authorize` | -| `authorize.replicaCount` | Number of Authorize pods to run | `1` | -| `authorize.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Authorize pods | false | -| `authorize.autoscaling.minReplicas` | Minimum number of pods in the Authorize deployment | `1` | -| `authorize.autoscaling.maxReplicas` | Maximum number of pods in the Authorize deployment | `5` | -| `authorize.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` | -| `authorize.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` | -| `authorize.pdb.enabled` | Enable PodDisruptionBudget for Authorize deployment | false | -| `authorize.pdb.minAvailable` | Number of Authorize pods that must be available, can be a number or percentage | `1` | -| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | | -| `forwardAuth.nameOverride` | External name of the forward-auth endpoint | `forwardauth.${rootDomain}` | -| `forwardAuth.enabled` | Enable forward-auth endpoint for third party ingress controllers to use for auth checks. Setting this disables automatic enumeration of `from` hostnames in the Pomerium Ingress object to prevent conflicts. Use `ingress.hosts` to mix forward-auth and proxy mode on a single Pomerium instance | `false` | -| `forwardAuth.internal` | If enabled no ingress is created for forwardAuth, making forwardAuth ony accessible as internal service. | `false` | -| `authorize.deployment.annotations` | Annotations for the authorize deployment. If none given, then use value of `annotations` | `{}` | -| `authorize.service.annotations` | Annotations for the authorize service. 
If none given, then use value of `service.annotations` | `{}` | -| `image.repository` | Pomerium image | `pomerium/pomerium` | -| `image.tag` | Pomerium image tag | `v0.6.2` | -| `image.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | -| `service.annotations` | Service annotations | `{}` | -| `service.externalPort` | Pomerium's port | `443` | -| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | -| `service.authorize.headless` | Run Authorize service in Headless mode. Turn off if you **require** NodePort or LoadBalancer access to Authorize | `true` | -| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | -| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | -| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | -| `tracing.enabled` | Enable distributed tracing | `false` | -| `tracing.debug` | Set trace sampling to 100%. Use with caution! | `false` | -| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | -| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | -| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | -| `ingress.enabled` | Enables Ingress for pomerium | `true` | -| `ingress.annotations` | Ingress annotations. Ensure you set appropriate annotations for TLS backend and large URLs if using Azure. | `{}` | -| `ingress.hosts` | Ingress accepted hostnames | `[]` | -| `ingress.secretName` | Ingress TLS certificate secret name | `[]` | -| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | -| `metrics.port` | Prometheus metrics endpoint port | `9090` | -| `cache.nameOverride` | Name of the cache service. | `cache` | -| `cache.fullnameOverride` | Full name of the cache service. 
| `cache` | -| `cache.replicaCount` | Number of cache pods to run | `1` | -| `cache.pdb.enabled` | Enable PodDisruptionBudget for Cache deployment | false | -| `cache.pdb.minAvailable` | Number of pods that must be available, can be a number or percentage | `1` | -| `cache.existingTLSSecret` | Name of existing TLS Secret for authorize service | | -| `operator.enabled` | Enable experimental pomerium operator support | false | -| `operator.nameOverride` | Name of the operator | `operator` | -| `operator.fullnameOverride` | Full name of the operator | `operator` | -| `operator.replicaCount` | Number of operator pods to run | `1` | -| `operator.image.repository` | Pomerium Operator image | `pomerium/pomerium-operator` | -| `operator.image.tag` | Pomerium Operator image tag | `v0.0.1-rc1` | -| `operator.config.ingressClass` | `kubernetes.io/ingress.class` for the operator to monitor | `pomerium` | -| `operator.config.serviceClass` | `kubernetes.io/service.class` for the operator to monitor | `pomerium` | -| `operator.config.debug` | Enable Pomerium Operator debug logging | `false` | -| `operator.deployment.annotations` | Annotations for the operator deployment. | `{}` | +| Parameter | Description | Default | +| ------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | +| `nameOverride` | Name of the chart. | `pomerium` | +| `fullnameOverride` | Full name of the chart. | `pomerium` | +| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/reference/reference.html#proxy-root-domains). 
| `corp.pomerium.io` | +| `config.administrators` | Comma seperated list of email addresses of administrative users [See more](https://www.pomerium.io/configuration/#administrators). | Optional | +| `config.existingSecret` | Name of the existing Kubernetes Secret. | | +| `config.existingCASecret` | Name of the existing CA Secret. | | +| `config.generateSigningKey` | Generate a signing key to sign jwt in proxy responses. Manual signing key can be set in values. | `true` | +| `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` | +| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | +| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | +| `config.insecure` | DANGER, this disables tls between services. Only do this if you know what you are doing. One reason might be that you want to offload tls to a reverse proxy (i.e. istio, traefik) | `false` | +| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/reference/reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.policy` | Base64 encoded string containing the routes, and their access policies. | | +| `config.extraOpts` | Options Dictionary appended to the config file. May contain any additional config value that doesn't have its dedicated helm value counterpart. | {} | +| `authenticate.nameOverride` | Name of the authenticate service. | `authenticate` | +| `authenticate.fullnameOverride` | Full name of the authenticate service. 
| `authenticate` | +| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/reference/reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | +| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/reference/reference.html#identity-provider-name). | `google` | +| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-id). | Required | +| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | +| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). | Optional | +| `authenticate.idp.scopes` | Identity [Provider Scopes](https://www.pomerium.io/configuration/#identity-provider-scopes). | Optional | +| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). 
| Optional | +| `authenticate.replicaCount` | Number of Authenticate pods to run | `1` | +| `authenticate.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Authenticate pods | false | +| `authenticate.autoscaling.minReplicas` | Minimum number of pods in the Authenticate deployment | `1` | +| `authenticate.autoscaling.maxReplicas` | Maximum number of pods in the Authenticate deployment | `5` | +| `authenticate.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` | +| `authenticate.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` | +| `authenticate.pdb.enabled` | Enable PodDisruptionBudget for Authenticate deployment | false | +| `authenticate.pdb.minAvailable` | Number of Authenticate pods that must be available, can be a number or percentage | `1` | +| `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | | +| `authenticate.deployment.annotations` | Annotations for the authenticate deployment. If none given, then use value of `annotations` | `{}` | +| `authenticate.service.annotations` | Annotations for the authenticate service. If none given, then use value of `service.annotations` | `{}` | +| `authenticate.cacheServiceUrl` | The internally accesible url for the cache service. | `https://{{cache.name}}.{{config.rootDomain}}` | +| `proxy.nameOverride` | Name of the proxy service. | `proxy` | +| `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` | +| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. 
| `https://{{authenticate.name}}.{{config.rootDomain}}` | +| `proxy.replicaCount` | Number of Proxy pods to run | `1` | +| `proxy.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Proxy pods | false | +| `proxy.autoscaling.minReplicas` | Minimum number of pods in the Proxy deployment | `1` | +| `proxy.autoscaling.maxReplicas` | Maximum number of pods in the Proxy deployment | `5` | +| `proxy.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` | +| `proxy.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` | +| `proxy.pdb.enabled` | Enable PodDisruptionBudget for Proxy deployment | false | +| `proxy.pdb.minAvailable` | Number of Proxy pods that must be available, can be a number or percentage | `1` | +| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | +| `proxy.deployment.annotations` | Annotations for the proxy deployment. If none given, then use value of `annotations` | `{}` | +| `proxy.service.annotations` | Annotations for the proxy service. If none given, then use value of `service.annotations` | `{}` | +| `proxy.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | | +| `proxy.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | | +| `authorize.nameOverride` | Name of the authorize service. | `authorize` | +| `authorize.fullnameOverride` | Full name of the authorize service. 
| `authorize` | +| `authorize.replicaCount` | Number of Authorize pods to run | `1` | +| `authorize.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Authorize pods | false | +| `authorize.autoscaling.minReplicas` | Minimum number of pods in the Authorize deployment | `1` | +| `authorize.autoscaling.maxReplicas` | Maximum number of pods in the Authorize deployment | `5` | +| `authorize.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` | +| `authorize.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` | +| `authorize.pdb.enabled` | Enable PodDisruptionBudget for Authorize deployment | false | +| `authorize.pdb.minAvailable` | Number of Authorize pods that must be available, can be a number or percentage | `1` | +| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | | +| `forwardAuth.nameOverride` | External name of the forward-auth endpoint | `forwardauth.${rootDomain}` | +| `forwardAuth.enabled` | Enable forward-auth endpoint for third party ingress controllers to use for auth checks. Setting this disables automatic enumeration of `from` hostnames in the Pomerium Ingress object to prevent conflicts. Use `ingress.hosts` to mix forward-auth and proxy mode on a single Pomerium instance | `false` | +| `forwardAuth.internal` | If enabled no ingress is created for forwardAuth, making forwardAuth ony accessible as internal service. | `false` | +| `authorize.deployment.annotations` | Annotations for the authorize deployment. If none given, then use value of `annotations` | `{}` | +| `authorize.service.annotations` | Annotations for the authorize service. 
If none given, then use value of `service.annotations` | `{}` | +| `image.repository` | Pomerium image | `pomerium/pomerium` | +| `image.tag` | Pomerium image tag | `v0.6.2` | +| `image.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | +| `service.annotations` | Service annotations | `{}` | +| `service.externalPort` | Pomerium's port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` | +| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | +| `service.authorize.headless` | Run Authorize service in Headless mode. Turn off if you **require** NodePort or LoadBalancer access to Authorize | `true` | +| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | +| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | +| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | +| `tracing.enabled` | Enable distributed tracing | `false` | +| `tracing.debug` | Set trace sampling to 100%. Use with caution! | `false` | +| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | +| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | +| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | +| `ingress.enabled` | Enables Ingress for pomerium | `true` | +| `ingress.annotations` | Ingress annotations. Ensure you set appropriate annotations for TLS backend and large URLs if using Azure. | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `[]` | +| `ingress.secretName` | Ingress TLS certificate secret name | `[]` | +| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | +| `metrics.port` | Prometheus metrics endpoint port | `9090` | +| `cache.nameOverride` | Name of the cache service. | `cache` | +| `cache.fullnameOverride` | Full name of the cache service. 
| `cache` | +| `cache.replicaCount` | Number of cache pods to run | `1` | +| `cache.pdb.enabled` | Enable PodDisruptionBudget for Cache deployment | false | +| `cache.pdb.minAvailable` | Number of pods that must be available, can be a number or percentage | `1` | +| `cache.existingTLSSecret` | Name of existing TLS Secret for authorize service | | +| `operator.enabled` | Enable experimental pomerium operator support | false | +| `operator.nameOverride` | Name of the operator | `operator` | +| `operator.fullnameOverride` | Full name of the operator | `operator` | +| `operator.replicaCount` | Number of operator pods to run | `1` | +| `operator.image.repository` | Pomerium Operator image | `pomerium/pomerium-operator` | +| `operator.image.tag` | Pomerium Operator image tag | `v0.0.1-rc1` | +| `operator.config.ingressClass` | `kubernetes.io/ingress.class` for the operator to monitor | `pomerium` | +| `operator.config.serviceClass` | `kubernetes.io/service.class` for the operator to monitor | `pomerium` | +| `operator.config.debug` | Enable Pomerium Operator debug logging | `false` | +| `operator.deployment.annotations` | Annotations for the operator deployment. | `{}` | ## Changelog diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl index 67359a54..8ea493ef 100644 --- a/charts/pomerium/templates/_helpers.tpl +++ b/charts/pomerium/templates/_helpers.tpl 
@@ -266,4 +266,35 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- if .Values.operator.enabled -}}
 {{- default (printf "%s-base" (include "pomerium.fullname" .)) .Values.config.existingSecret -}}
 {{- end -}}
+{{- end -}}
+
+{{/*Expand the port number for secure or insecure mode */}}
+{{- define "pomerium.trafficPort.number" -}}
+{{- if .Values.config.insecure -}}
+80
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}
+
+{{/*Expand the port name for secure or insecure mode */}}
+{{- define "pomerium.trafficPort.name" -}}
+{{- if .Values.config.insecure -}}
+http
+{{- else -}}
+https
+{{- end -}}
+{{- end -}}
+
+{{/*Expand the service port number for secure or insecure mode */}}
+{{- define "pomerium.service.externalPort" -}}
+{{- if .Values.service.externalPort -}}
+{{- .Values.service.externalPort -}}
+{{- else -}}
+{{- if .Values.config.insecure -}}
+80
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
index 36f079d3..eb2958ea 100644
--- a/charts/pomerium/templates/authenticate-deployment.yaml
+++ b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -93,8 +93,8 @@ spec:
 value: {{ quote $value }}
 {{- end }}
 ports:
- - containerPort: 443
- name: https
+ - containerPort: {{ template "pomerium.trafficPort.number" . }}
+ name: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
 - containerPort: {{ .Values.metrics.port }}
 name: metrics
@@ -102,7 +102,7 @@ spec:
 livenessProbe:
 httpGet:
 path: /ping
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 {{- if .Values.config.insecure }}
 scheme: HTTP
 {{- else }}
@@ -111,7 +111,7 @@ spec:
 readinessProbe:
 httpGet:
 path: /ping
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 {{- if .Values.config.insecure }}
 scheme: HTTP
 {{- else }}
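Review bot: The `else` branch of `pomerium.service.externalPort` re-implements the 80/443 choice that `pomerium.trafficPort.number` already encodes a few lines above, so the two defaults can drift apart the next time the insecure port changes; replace the inner `{{- if .Values.config.insecure -}}…{{- end -}}` with `{{- template "pomerium.trafficPort.number" . -}}`. `{{- if .Values.service.externalPort -}}` is a truthiness test, so `0`, `null` and the new `""` default are all treated as unset, which is reasonable but should be stated in the helper's comment, e.g. `{{/* Service port: service.externalPort when set (non-empty, non-zero), else 80 in insecure mode, 443 otherwise */}}`. The file also still ends without a trailing newline, which this hunk could have fixed while touching the last line.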
diff --git a/charts/pomerium/templates/authenticate-service.yaml b/charts/pomerium/templates/authenticate-service.yaml
index 8ebacb3b..bf6293ee 100644
--- a/charts/pomerium/templates/authenticate-service.yaml
+++ b/charts/pomerium/templates/authenticate-service.yaml
@@ -26,10 +26,10 @@ metadata:
 spec:
 type: {{ .Values.service.type }}
 ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: https
+ - port: {{ template "pomerium.service.externalPort" . }}
+ targetPort: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
- name: https
+ name: {{ template "pomerium.trafficPort.name" . }}
 - name: metrics
 port: {{ .Values.metrics.port }}
 protocol: TCP
diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml
index 2b008326..2e975672 100644
--- a/charts/pomerium/templates/authorize-deployment.yaml
+++ b/charts/pomerium/templates/authorize-deployment.yaml
@@ -85,19 +85,19 @@ spec:
 value: {{ quote $value }}
 {{- end }}
 ports:
- - containerPort: 443
- name: https
+ - containerPort: {{ template "pomerium.trafficPort.number" . }}
+ name: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
 - containerPort: {{ .Values.metrics.port }}
 name: metrics
 protocol: TCP
 livenessProbe:
 tcpSocket:
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 initialDelaySeconds: 15
 readinessProbe:
 tcpSocket:
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 resources:
 {{ toYaml .Values.resources | indent 10 }}
 volumeMounts:
diff --git a/charts/pomerium/templates/authorize-service.yaml b/charts/pomerium/templates/authorize-service.yaml
index 55600db7..0ee166b8 100644
--- a/charts/pomerium/templates/authorize-service.yaml
+++ b/charts/pomerium/templates/authorize-service.yaml
@@ -31,10 +31,10 @@ spec:
 type: {{ .Values.service.type }}
 {{- end }}
 ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: https
+ - port: {{ template "pomerium.service.externalPort" . }}
+ targetPort: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
- name: https
+ name: {{ template "pomerium.trafficPort.name" . }}
 - name: metrics
 port: {{ .Values.metrics.port }}
 protocol: TCP
diff --git a/charts/pomerium/templates/cache-deployment.yaml b/charts/pomerium/templates/cache-deployment.yaml
index beda42c5..3dd4773d 100644
--- a/charts/pomerium/templates/cache-deployment.yaml
+++ b/charts/pomerium/templates/cache-deployment.yaml
@@ -83,19 +83,19 @@ spec:
 value: {{ quote $value }}
 {{- end }}
 ports:
- - containerPort: 443
- name: https
+ - containerPort: {{ template "pomerium.trafficPort.number" . }}
+ name: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
 - containerPort: {{ .Values.metrics.port }}
 name: metrics
 protocol: TCP
 livenessProbe:
 tcpSocket:
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 initialDelaySeconds: 15
 readinessProbe:
 tcpSocket:
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 resources:
 {{ toYaml .Values.resources | indent 10 }}
 volumeMounts:
diff --git a/charts/pomerium/templates/cache-service.yaml b/charts/pomerium/templates/cache-service.yaml
index 09cb6cb9..d4010439 100644
--- a/charts/pomerium/templates/cache-service.yaml
+++ b/charts/pomerium/templates/cache-service.yaml
@@ -31,10 +31,10 @@ spec:
 type: {{ .Values.service.type }}
 {{- end }}
 ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: https
+ - port: {{ template "pomerium.service.externalPort" . }}
+ targetPort: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
- name: https
+ name: {{ template "pomerium.trafficPort.name" . }}
 - name: metrics
 port: {{ .Values.metrics.port }}
 protocol: TCP
diff --git a/charts/pomerium/templates/ingress.yaml b/charts/pomerium/templates/ingress.yaml
index 18519bb6..56c146f5 100644
--- a/charts/pomerium/templates/ingress.yaml
+++ b/charts/pomerium/templates/ingress.yaml
@@ -37,7 +37,7 @@ spec:
 - paths:
 backend:
 serviceName: {{ template "pomerium.proxy.fullname" $ }}
- servicePort: https
+ servicePort: {{ template "pomerium.trafficPort.name" $ }}
 {{- end }}
 {{- if not (or .Values.ingress.hosts .Values.forwardAuth.enabled) }}
 {{- range .Values.config.policy }}
@@ -47,7 +47,7 @@ spec:
 - paths:
 backend:
 serviceName: {{ template "pomerium.proxy.fullname" $ }}
- servicePort: https
+ servicePort: {{ template "pomerium.trafficPort.name" $ }}
 {{- end }}
 {{- end }}
 {{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal)}}
@@ -57,7 +57,7 @@ spec:
 - paths:
 backend:
 serviceName: {{ template "pomerium.proxy.fullname" . }}
- servicePort: https
+ servicePort: {{ template "pomerium.trafficPort.name" . }}
 {{- end }}
 {{- if not .Values.service.authorize.headless }}
 - host: {{ printf "authorize.%s" .Values.config.rootDomain }}
@@ -66,7 +66,7 @@ spec:
 - paths:
 backend:
 serviceName: {{ template "pomerium.authorize.fullname" . }}
- servicePort: https
+ servicePort: {{ template "pomerium.trafficPort.name" . }}
 {{- end }}
 - host: {{ printf "authenticate.%s" .Values.config.rootDomain }}
 http:
@@ -74,5 +74,5 @@ spec:
 - paths:
 backend:
 serviceName: {{ template "pomerium.authenticate.fullname" . }}
- servicePort: https
+ servicePort: {{ template "pomerium.trafficPort.name" . }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/pomerium/templates/proxy-deployment.yaml b/charts/pomerium/templates/proxy-deployment.yaml
index c39cf25d..edfd9678 100644
--- a/charts/pomerium/templates/proxy-deployment.yaml
+++ b/charts/pomerium/templates/proxy-deployment.yaml
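Review bot: With `config.insecure: true` every backend in this file now points at a plaintext `http` port, but nothing in the chart touches the controller-specific backend-protocol annotation that the README tells users to set in `ingress.annotations` for the TLS backend; someone who flips `config.insecure` on an existing release presumably keeps an HTTPS-backend annotation aimed at a port that no longer speaks TLS and gets an opaque gateway error rather than a render-time message. At minimum document it beside `config.insecure`, e.g. `# When true, also drop any backend-protocol=HTTPS annotation from ingress.annotations: the proxy port is plain HTTP.` Whether a render-time `fail` is feasible depends on which controller's annotation is in use, which is not visible here. Note too that in insecure mode the ingress-controller-to-proxy hop carries session cookies in the clear unless something else encrypts it, which the README's DANGER wording only implies.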
@@ -94,8 +94,8 @@ spec:
 value: {{ quote $value }}
 {{- end }}
 ports:
- - containerPort: 443
- name: https
+ - containerPort: {{ template "pomerium.trafficPort.number" . }}
+ name: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
 - containerPort: {{ .Values.metrics.port }}
 name: metrics
@@ -103,7 +103,7 @@ spec:
 livenessProbe:
 httpGet:
 path: /ping
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 {{- if .Values.config.insecure }}
 scheme: HTTP
 {{- else }}
@@ -112,7 +112,7 @@ spec:
 readinessProbe:
 httpGet:
 path: /ping
- port: https
+ port: {{ template "pomerium.trafficPort.name" . }}
 {{- if .Values.config.insecure }}
 scheme: HTTP
 {{- else }}
diff --git a/charts/pomerium/templates/proxy-service.yaml b/charts/pomerium/templates/proxy-service.yaml
index 179f751b..86b08669 100644
--- a/charts/pomerium/templates/proxy-service.yaml
+++ b/charts/pomerium/templates/proxy-service.yaml
@@ -26,10 +26,10 @@ metadata:
 spec:
 type: {{ .Values.service.type }}
 ports:
- - port: {{ .Values.service.externalPort }}
- targetPort: https
+ - port: {{ template "pomerium.service.externalPort" . }}
+ targetPort: {{ template "pomerium.trafficPort.name" . }}
 protocol: TCP
- name: https
+ name: {{ template "pomerium.trafficPort.name" . }}
 - name: metrics
 port: {{ .Values.metrics.port }}
 protocol: TCP
diff --git a/charts/pomerium/templates/secret.yaml b/charts/pomerium/templates/secret.yaml
index 0f195939..e3ef26df 100644
--- a/charts/pomerium/templates/secret.yaml
+++ b/charts/pomerium/templates/secret.yaml
@@ -28,6 +28,7 @@ metadata:
 type: Opaque
 stringData:
 config.yaml: |
+ address: :{{ template "pomerium.trafficPort.number" . }}
 {{- if and .Values.config.existingPolicy .Values.config.extraOpts }}
 {{ fail "Cannot use config.extraOpts with config.existingPolicy" }}
 {{- end }}
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index efb9125b..48901fa6 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
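Review bot: In the secret.yaml hunk, `address: :{{ template "pomerium.trafficPort.number" . }}` is written unconditionally as the first line of the rendered `config.yaml`; if an operator also supplies `address` through `config.extraOpts` (rendered further down the same document, outside this hunk, as far as I can tell from the `fail` guard), the document ends up with a duplicate key, and most YAML loaders silently keep the last value, so the container port, probes and Service wiring added in the other hunks could disagree with the port Pomerium actually listens on. Either skip the generated line when the operator has set one, `{{- if not (hasKey .Values.config.extraOpts "address") }}` around it, or state in values.yaml that `address` is owned by the chart and must not be placed in `extraOpts`. Since the line sits inside a `|` block scalar, its indentation has to match the existing content lines exactly; that cannot be checked in this collapsed view, so please verify the rendered output.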
@@ -21,6 +21,7 @@ config:
 forceGenerateSigningKey: false
 extraOpts: {}
 existingPolicy: ""
+ insecure: false
 administrators: ""
 policy: []
@@ -158,7 +159,8 @@ service:
 cache:
 headless: true
 type: ClusterIP
- externalPort: 443
+ # externalPort defaults to 80 or 443 depending on config.insecure
+ externalPort: ""
 annotations: {}
 # === GKE load balancer tweaks; default on until I can figure out
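Review bot: Only `service.cache.externalPort` is switched to `""` here, yet the proxy, authenticate and authorize Service templates in this diff were all moved to `pomerium.service.externalPort`; if their sections of values.yaml still carry `externalPort: 443` (outside this hunk, and the diffstat suggests nothing else in the file changed) and the helper honours an explicit value, enabling `config.insecure` would publish plain HTTP on port 443 for those services — confirm and give them the same empty default. The comment could also state the override rule so the empty string is not read as "no port": `# externalPort: leave empty to pick 80 or 443 from config.insecure; an explicit value is used as given`. `insecure: false` deserves its own comment on the consequence visible elsewhere in this diff, e.g. `# insecure: serve plain HTTP on the traffic port (probes switch to scheme HTTP); keep false outside test setups`.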
