From a9cfbc0b40b12dbfadfb82e946bf83dbb0d85eb9 Mon Sep 17 00:00:00 2001
From: Vadim Bauer <1492007+Vad1mo@users.noreply.github.com>
Date: Thu, 30 Apr 2020 21:25:23 +0200
Subject: [PATCH] add new value, forwardAuth.internal (#90)

Signed-off-by: Vadim Bauer
---
 charts/pomerium/Chart.yaml | 2 +-
 charts/pomerium/README.md | 1 +
 charts/pomerium/templates/ingress.yaml | 4 +++-
 charts/pomerium/templates/secret.yaml | 6 ++++--
 charts/pomerium/values.yaml | 2 ++
 5 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index 593bd4c5..249c08b3 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 8.4.0
+version: 8.5.0
 appVersion: 0.7.5
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo-long.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index 7fec9668..6cb8876b 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -200,6 +200,7 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | |
 | `forwardAuth.nameOverride` | External name of the forward-auth endpoint | `forwardauth.${rootDomain}` |
 | `forwardAuth.enabled` | Enable forward-auth endpoint for third party ingress controllers to use for auth checks. Setting this disables automatic enumeration of `from` hostnames in the Pomerium Ingress object to prevent conflicts. Use `ingress.hosts` to mix forward-auth and proxy mode on a single Pomerium instance | `false` |
+| `forwardAuth.internal` | If enabled no ingress is created for forwardAuth, making forwardAuth ony accessible as internal service. | `false`
 | `authorize.deployment.annotations` | Annotations for the authorize deployment. If none given, then use value of `annotations` | `{}` |
 | `authorize.service.annotations` | Annotations for the authorize service. If none given, then use value of `service.annotations` | `{}` |
 | `image.repository` | Pomerium image | `pomerium/pomerium` |
diff --git a/charts/pomerium/templates/ingress.yaml b/charts/pomerium/templates/ingress.yaml
index 3921c4e3..18519bb6 100644
--- a/charts/pomerium/templates/ingress.yaml
+++ b/charts/pomerium/templates/ingress.yaml
@@ -18,7 +18,9 @@ spec:
 hosts:
 - {{ printf "authorize.%s" .Values.config.rootDomain | quote }}
 - {{ printf "authenticate.%s" .Values.config.rootDomain | quote }}
+ {{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal) }}
 - {{ template "pomerium.forwardAuth.name" . }}
+ {{ end }}
 {{- if not .Values.ingress.hosts }}
 {{- range .Values.config.policy }}
 - {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
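Review bot: The new `{{ end }}` closing the forwardAuth host guard does not trim whitespace, so when `forwardAuth.internal` is true the rendered `tls.hosts` list carries a stray whitespace-only line; every other directive in this template uses the `{{-` form, so `{{- end }}` would match. The same enabled-and-not-internal condition is repeated in the second hunk of this file (`@@ -48,7 +50,7 @@`), where it is already drifting (`internal)}}` without the space before `}}`); evaluating it once near the top of the template, e.g. `{{- $fwdIngress := and .Values.forwardAuth.enabled (not .Values.forwardAuth.internal) }}`, and testing `$fwdIngress` in both places keeps the TLS host list and the ingress rule from diverging. The enclosing `spec:` block begins before this hunk.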
@@ -48,7 +50,7 @@ spec:
 servicePort: https
 {{- end }}
 {{- end }}
- {{- if .Values.forwardAuth.enabled }}
+ {{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal)}}
 - host: {{ template "pomerium.forwardAuth.name" . }}
 http:
 paths:
diff --git a/charts/pomerium/templates/secret.yaml b/charts/pomerium/templates/secret.yaml
index ec1efebc..855441a6 100644
--- a/charts/pomerium/templates/secret.yaml
+++ b/charts/pomerium/templates/secret.yaml
@@ -56,11 +56,13 @@ stringData:
 {{- end -}}
 {{- end -}}
-{{- if .Values.forwardAuth.enabled }}
+{{- if and .Values.forwardAuth.enabled .Values.forwardAuth.internal }}
+ forward_auth_url: https://{{ template "pomerium.proxy.fullname" . }}
+{{ else }}
 forward_auth_url: https://{{ template "pomerium.forwardAuth.name" . }}
 {{- end -}}
 {{- if .Values.config.policy }}
- policy:
+ policy:
 {{ toYaml .Values.config.policy | indent 6 }}
 {{- end }}
 cookie_secret: {{ default (randAscii 32 | b64enc) .Values.config.cookieSecret }}
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index 38fac060..7729bf62 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -148,6 +148,8 @@ operator:
 forwardAuth:
 nameOverride: ""
 enabled: false
+ # Will not create an ingress. ForwardAuth is ony accessible as internal service.
+ internal: false
 service:
 # Service type can be set to ClusterIP, NodePort or LoadBalancer.
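Review bot: The new `{{ else }}` branch in secret.yaml fires whenever the `and` is false, which includes `forwardAuth.enabled: false`, so the rendered secret now sets `forward_auth_url: https://forwardauth.<rootDomain>` for every install that has forward-auth switched off; before this change the key was only emitted when `enabled` was true. As far as I know Pomerium treats a non-empty `forward_auth_url` as turning on forward-auth mode, so this would silently enable a feature the operator did not ask for. Changing the branch to `{{ else if .Values.forwardAuth.enabled }}` restores the old guard while keeping the internal-URL variant. The `policy:` line appears to differ only by trailing whitespace and is best left out of the commit. The `stringData:` block begins before this hunk.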