
Commit

add new value, forwardAuth.internal (#90)
Signed-off-by: Vadim Bauer <[email protected]>
Vad1mo authored Apr 30, 2020
1 parent ef518d5 commit a9cfbc0
Showing 5 changed files with 11 additions and 4 deletions.
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 8.4.0
version: 8.5.0
appVersion: 0.7.5
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo-long.svg
1 change: 1 addition & 0 deletions charts/pomerium/README.md
Expand Up @@ -200,6 +200,7 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | |
| `forwardAuth.nameOverride` | External name of the forward-auth endpoint | `forwardauth.${rootDomain}` |
| `forwardAuth.enabled` | Enable forward-auth endpoint for third party ingress controllers to use for auth checks. Setting this disables automatic enumeration of `from` hostnames in the Pomerium Ingress object to prevent conflicts. Use `ingress.hosts` to mix forward-auth and proxy mode on a single Pomerium instance | `false` |
| `forwardAuth.internal` | If enabled no ingress is created for forwardAuth, making forwardAuth ony accessible as internal service. | `false`
| `authorize.deployment.annotations` | Annotations for the authorize deployment. If none given, then use value of `annotations` | `{}` |
| `authorize.service.annotations` | Annotations for the authorize service. If none given, then use value of `service.annotations` | `{}` |
| `image.repository` | Pomerium image | `pomerium/pomerium` |
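Review bot: The new `forwardAuth.internal` row is missing its closing `|` after the default column, unlike every other row shown here, and "ony" should be "only". The description should also state that the value has an effect only when `forwardAuth.enabled` is `true`, since the template conditions in this commit always test the two together.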
4 changes: 3 additions & 1 deletion charts/pomerium/templates/ingress.yaml
Expand Up @@ -18,7 +18,9 @@ spec:
hosts:
- {{ printf "authorize.%s" .Values.config.rootDomain | quote }}
- {{ printf "authenticate.%s" .Values.config.rootDomain | quote }}
{{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal) }}
- {{ template "pomerium.forwardAuth.name" . }}
{{ end }}
{{- if not .Values.ingress.hosts }}
{{- range .Values.config.policy }}
- {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
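Review bot: The `{{ end }}` that closes the new forward-auth host entry does not trim whitespace, unlike the `{{- if ... }}` that opens it and the `{{- end }}` lines used further down in this template, so it leaves a whitespace-only line in the rendered `hosts` list. Use `{{- end }}` so the rendered output stays consistent with the rest of the file.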
Expand Down Expand Up @@ -48,7 +50,7 @@ spec:
servicePort: https
{{- end }}
{{- end }}
{{- if .Values.forwardAuth.enabled }}
{{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal)}}
- host: {{ template "pomerium.forwardAuth.name" . }}
http:
paths:
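Review bot: The condition `and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal)` is now written out twice in this file, here for the rule and earlier for the `hosts` entry, and the two copies can drift apart; if only one is changed later, the host list and the rules will disagree about whether forward-auth is exposed through the ingress. Consider moving the check into a named template alongside `pomerium.forwardAuth.name` and using it in both places. This copy is also missing the space before the closing `}}`.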
6 changes: 4 additions & 2 deletions charts/pomerium/templates/secret.yaml
Expand Up @@ -56,11 +56,13 @@ stringData:
{{- end -}}

{{- end -}}
{{- if .Values.forwardAuth.enabled }}
{{- if and .Values.forwardAuth.enabled .Values.forwardAuth.internal }}
forward_auth_url: https://{{ template "pomerium.proxy.fullname" . }}
{{ else }}
forward_auth_url: https://{{ template "pomerium.forwardAuth.name" . }}
{{- end -}}
{{- if .Values.config.policy }}
policy:
policy:
{{ toYaml .Values.config.policy | indent 6 }}
{{- end }}
cookie_secret: {{ default (randAscii 32 | b64enc) .Values.config.cookieSecret }}
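Review bot: The `{{ else }}` branch runs whenever the `and` is false, which includes `forwardAuth.enabled: false`, so `forward_auth_url` pointing at `pomerium.forwardAuth.name` is now written into the config even when forward-auth is disabled; the `{{- if .Values.forwardAuth.enabled }}` line this replaces emitted nothing in that case. Keep the outer check on `enabled` and branch on `internal` inside it, or change the second branch to `{{- else if .Values.forwardAuth.enabled }}`. The bare `{{ else }}` should also trim whitespace like the `{{- if` and `{{- end -}}` around it. Separately, the internal URL uses `https://` with the proxy service name from `pomerium.proxy.fullname`, so it is worth documenting which certificate that name is expected to match.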
2 changes: 2 additions & 0 deletions charts/pomerium/values.yaml
Expand Up @@ -148,6 +148,8 @@ operator:
forwardAuth:
nameOverride: ""
enabled: false
# Will not create an ingress. ForwardAuth is ony accessible as internal service.
internal: false

service:
# Service type can be set to ClusterIP, NodePort or LoadBalancer.
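Review bot: The comment above `internal: false` has the typo "ony" and does not say that the flag depends on `enabled: true`; with `enabled: false` the ingress conditions in this commit are false regardless of `internal`. Suggested wording: `# Requires enabled: true. No ingress is created for forward-auth; it is only reachable as an in-cluster service.`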
