Authorize signing key environment variable (#101)
* add signing-key ev to authorize
Signed-off-by: Albert Dixon <[email protected]>

* bump chart ver to 8.5.6
Signed-off-by: Albert Dixon <[email protected]>

* charts/pomerium/templates/_helpers: mv signing key to auth

Signed-off-by: Albert Dixon <[email protected]>

* charts/pomerium: mv to auth signing

Signed-off-by: Albert Dixon <[email protected]>

* charts/pomerium/values: mv signingkey to auth

Signed-off-by: Albert Dixon <[email protected]>

* Rebase on master

Signed-off-by: Travis Groth <[email protected]>

* Update changelog/upgrade notes

Signed-off-by: Travis Groth <[email protected]>

* Update signingKey to be shared config option

Signed-off-by: Travis Groth <[email protected]>
albertrdixon authored Jul 27, 2020
1 parent 76ef856 commit e719dcd
Showing 8 changed files with 50 additions and 28 deletions.
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: pomerium
version: 10.2.0
version: 11.0.0
appVersion: 0.9.5
home: http://www.pomerium.io/
icon: https://www.pomerium.io/logo-long.svg
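Review bot: the jump from 10.2.0 to 11.0.0 is the right major bump for a breaking values rename, but appVersion stays at 0.9.5 while the changelog entry in this same commit says the signing key was refactored "to correspond with Pomerium changes". Confirm that Pomerium 0.9.5 actually reads SIGNING_KEY on the authenticate and authorize services and no longer needs it on the proxy; if the change was driven by a newer Pomerium release, bump appVersion together with the chart version. The intermediate commit message "bump chart ver to 8.5.6" is stale after the rebase and could be dropped from the squashed message.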
29 changes: 23 additions & 6 deletions charts/pomerium/README.md
Expand Up @@ -16,6 +16,7 @@
- [Self Provisioned](#self-provisioned-1)
- [Configuration](#configuration)
- [Changelog](#changelog)
- [11.0.0](#1100)
- [10.2.0](#1020)
- [10.0.0](#1000)
- [8.5.5](#855)
Expand All @@ -30,6 +31,7 @@
- [3.0.0](#300)
- [2.0.0](#200)
- [Upgrading](#upgrading)
- [11.0.0](#1100-1)
- [10.0.0](#1000-1)
- [8.0.0](#800-1)
- [7.0.0](#700-1)
Expand Down Expand Up @@ -123,7 +125,7 @@ In default configuration, this chart will automatically generate a signing key i
Upon delete, you will need to manually delete the generated secret. Example:

```console
kubectl delete secret pomerium-proxy-signing-key
kubectl delete secret pomerium-signing-key
```

You may force recreation of your signing key by setting `config.forceGenerateSigningKey` to `true`. Delete already existing signing key secret first to prevent errors, and make sure you set back to `false` for your next helm upgrade command or your deployment will fail due to existing Secret.
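Review bot: the updated example `kubectl delete secret pomerium-signing-key` only holds when the release is literally named `pomerium`; per `pomerium.signingKeySecret.name` in `_helpers.tpl` the generated Secret is `<release>-signing-key`, or `<release>-pomerium-signing-key` when the release name does not contain the chart name. Parameterise it the way the upgrade notes do, e.g. `kubectl delete secret [RELEASE NAME]-signing-key`, so readers do not delete the wrong object or none at all.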
Expand All @@ -133,7 +135,7 @@ You may force recreation of your signing key by setting `config.forceGenerateSig
If you wish to provide your own signing key in secret, you should:

1. turn `config.generateSigningKey` to `false`
2. specify `proxy.existingSigningKeySecret` with secret's name
2. specify `config.existingsigningKeySecret` with secret's name

## Configuration

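Review bot: `config.existingsigningKeySecret` on the changed line has a lowercase `s` in `signing`, while the Configuration table and `values.yaml` in this same commit spell it `config.existingSigningKeySecret`. Helm value keys are case-sensitive, so a user following this instruction sets a key that nothing reads. Use `config.existingSigningKeySecret` here and fix the same spelling in `_helpers.tpl`, which currently reads the lowercase variant.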
Expand All @@ -149,6 +151,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `config.existingCASecret` | Name of the existing CA Secret. | |
| `config.generateSigningKey` | Generate a signing key to sign jwt in proxy responses. Manual signing key can be set in values. | `true` |
| `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` |
| `config.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | |
| `config.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | |
| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` |
| `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` |
| `config.insecure` | DANGER, this disables tls between services. Only do this if you know what you are doing. One reason might be that you want to offload tls to a reverse proxy (i.e. istio, traefik) | `false` |
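Review bot: the two new rows still describe the key as "for proxy requests" and "used to sign outbound requests", but this commit removes SIGNING_KEY from the proxy deployment and injects it into authenticate and authorize. Update the descriptions to name the services that consume it, and state the expected format of `config.signingKey` precisely: the template applies a single `b64enc` before storing it, so the value must already be the base64 encoding of the PEM private key, which is what `genPrivateKey "ecdsa" | b64enc | b64enc` produces on the generated path.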
Expand Down Expand Up @@ -193,8 +197,6 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | |
| `proxy.deployment.annotations` | Annotations for the proxy deployment. If none given, then use value of `annotations` | `{}` |
| `proxy.service.annotations` | Annotations for the proxy service. If none given, then use value of `service.annotations` | `{}` |
| `proxy.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | |
| `proxy.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | |
| `authorize.nameOverride` | Name of the authorize service. | `authorize` |
| `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` |
| `authorize.replicaCount` | Number of Authorize pods to run | `1` |
Expand Down Expand Up @@ -253,6 +255,10 @@ A full listing of Pomerium's configuration variables can be found on the [config

## Changelog

### 11.0.0

- Signing key has been refactored to correspond with Pomerium changes. See [v11.0.0 Upgrade Nodes](#1100-1) to migrate.

### 10.2.0

- Update port names in insecure mode to address Istio protocol detection.
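Review bot: "Upgrade Nodes" on the new 11.0.0 line should be "Upgrade Notes". The entry would also be more useful if it named the actual change (signing key moved from `proxy.*` to `config.*` and now consumed by authenticate and authorize instead of the proxy) rather than "refactored to correspond with Pomerium changes", so a reader can tell from the changelog alone whether they are affected.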
Expand All @@ -263,15 +269,15 @@ A full listing of Pomerium's configuration variables can be found on the [config

### 8.5.5

- Fix: Set not only the service but also the namespace when `forwardAuth.internal == true`
- Fix: Set not only the service but also the namespace when `forwardAuth.internal == true`

### 8.5.1

- Add documentation for `extraOpts` flag, remove `policyFile` flag as it isn't implemented.

### 8.5.0

- Add `forwardAuth.internal` flag to not expose forwardAuth over ingress. Useful for cases where the ingress should not set trustedIPs.
- Add `forwardAuth.internal` flag to not expose forwardAuth over ingress. Useful for cases where the ingress should not set trustedIPs.

### 8.4.0

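Review bot: the changed lines under 8.5.5 and 8.5.0 render identically before and after, so these are whitespace-only edits to unrelated changelog entries. Harmless, but they add noise to a diff that is already a breaking change; drop them or land them separately.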
Expand Down Expand Up @@ -313,6 +319,17 @@ A full listing of Pomerium's configuration variables can be found on the [config

## Upgrading

### 11.0.0

- SigningKey is now under the `authorize` block.
- If you are specifying `proxy.signingKeySecret` or `proxy.existingSigningKeySecret`, please change the values to be `config.signingKeySecret` or `config.existingSigningKeySecret`
- If were relying on automatic signing key generation do one of the following:
1. set `config.forceGenerateSigningKey` to `true` for the upgrade
2. replace [RELEASE NAME] with your release name and run:
```
kubectl get secret [RELEASE NAME]-proxy-signing-key -o json | jq '. | .metadata.name = (.metadata.name | sub("(?<x>\\w+)-proxy-signing-key";"\(.x)-signing-key") )' | k apply -f -
```
### 10.0.0
- All shared configuration has been moved from ENV vars to a configuration file. Users of `config.existingSecret` must specify **all** parameters in their secret or leverage `extraEnv` to pass in overrides.
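Review bot: several of the new upgrade notes send users to keys that do not exist. "SigningKey is now under the `authorize` block" contradicts `values.yaml` in this commit, which places `signingKey` and `existingSigningKeySecret` under `config`; and neither `proxy.signingKeySecret` nor `config.signingKeySecret` appears anywhere in the chart, the real renames are `proxy.signingKey` to `config.signingKey` and `proxy.existingSigningKeySecret` to `config.existingSigningKeySecret`. In the migration command, `k apply -f -` should be `kubectl apply -f -`, and the object emitted by `kubectl get -o json` still carries `metadata.resourceVersion`, which the API server rejects when creating a new object, plus the server-populated `metadata.uid` and `metadata.creationTimestamp`; extend the jq filter with `| del(.metadata.resourceVersion, .metadata.uid, .metadata.creationTimestamp)` before piping to apply. It is also worth saying explicitly that option 1 (`config.forceGenerateSigningKey: true`) rotates the key, so any upstream that verifies the Pomerium JWT against the old public key will reject assertions until it picks up the new one, whereas option 2 preserves the existing key material. Minor: "If were relying" is missing "you".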
14 changes: 7 additions & 7 deletions charts/pomerium/templates/_helpers.tpl
Expand Up @@ -210,16 +210,16 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
{{- end -}}
{{- end -}}

{{/* Determine secret name for Proxy signing key */}}
{{- define "pomerium.proxy.signingKeySecret.name" -}}
{{- if .Values.proxy.existingSigningKeySecret -}}
{{- .Values.proxy.existingSigningKeySecret | trunc 63 | trimSuffix "-" -}}
{{/* Determine secret name for signing key */}}
{{- define "pomerium.signingKeySecret.name" -}}
{{- if .Values.config.existingsigningKeySecret -}}
{{- .Values.config.existingsigningKeySecret | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-proxy-signing-key" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- printf "%s-signing-key" .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-proxy-signing-key" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- printf "%s-%s-signing-key" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
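Review bot: `.Values.config.existingsigningKeySecret` (lowercase `s`) does not match the key this commit defines in `values.yaml`, `config.existingSigningKeySecret`. Helm value lookups are case-sensitive and an undefined key silently evaluates to empty, so the `if` branch is never taken: a user who supplies an existing Secret gets the generated name `<release>-signing-key` instead, and the authenticate and authorize deployments then reference a Secret that does not exist. Rename to `.Values.config.existingSigningKeySecret` in both places.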
Expand Down Expand Up @@ -419,4 +419,4 @@ policy:
secret:
secretName: {{ include (printf "pomerium.%s.tlsSecret.name" .currentServiceName ) . }}
optional: true
{{- end -}}
{{- end -}}
5 changes: 5 additions & 0 deletions charts/pomerium/templates/authenticate-deployment.yaml
Expand Up @@ -63,6 +63,11 @@ spec:
env:
- name: SERVICES
value: authenticate
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.signingKeySecret.name" . }}
key: signing-key
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
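Review bot: the new `secretKeyRef` is not `optional`, so when `config.generateSigningKey` is false and the user sets neither `config.existingSigningKeySecret` nor `config.signingKey`, the pod sits in CreateContainerConfigError with no hint that a chart value is missing. Making the reference `optional: true` would be the wrong fix for a key that signs identity assertions, since the service would start without one; instead add a render-time check in the template (`fail "..."` when none of the three signing-key sources is configured) so `helm install` reports the misconfiguration rather than the kubelet.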
5 changes: 5 additions & 0 deletions charts/pomerium/templates/authorize-deployment.yaml
Expand Up @@ -65,6 +65,11 @@ spec:
env:
- name: SERVICES
value: authorize
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.signingKeySecret.name" . }}
key: signing-key
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
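Review bot: this env block is byte-for-byte the one added to `authenticate-deployment.yaml`. The chart already factors per-service pieces into `_helpers.tpl` partials keyed on `.currentServiceName` (see the `tlsSecret.name` include in this diff), so a shared `pomerium.signingKeyEnv` partial would keep the two copies from drifting the next time the Secret name or data key changes.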
5 changes: 0 additions & 5 deletions charts/pomerium/templates/proxy-deployment.yaml
Expand Up @@ -65,11 +65,6 @@ spec:
env:
- name: SERVICES
value: proxy
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.proxy.signingKeySecret.name" . }}
key: signing-key
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
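Review bot: removing SIGNING_KEY from the proxy is the behaviour change the major bump exists for, but nothing catches the old inputs. Helm does not reject unknown values keys unless the chart ships a `values.schema.json`, which this diff does not touch, so a release that still sets `proxy.signingKey` or `proxy.existingSigningKeySecret` upgrades without error and silently ends up on a freshly generated key or with no Secret at all. Add a guard to the signing-key template such as `{{- if or .Values.proxy.signingKey .Values.proxy.existingSigningKeySecret }}{{ fail "proxy.signingKey and proxy.existingSigningKeySecret have moved to config.*" }}{{- end }}` so the upgrade fails loudly.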
14 changes: 7 additions & 7 deletions charts/pomerium/templates/signing-key-secret.yaml
@@ -1,4 +1,4 @@
{{- define "pomerium.proxy.signingKeySecretObject" -}}
{{- define "pomerium.signingKeySecretObject" -}}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -14,17 +14,17 @@ metadata:
{{- else if .Values.config.generateSigningKey }}
helm.sh/hook: pre-install
{{- end }}
name: {{ template "pomerium.proxy.signingKeySecret.name" . }}
name: {{ template "pomerium.signingKeySecret.name" . }}
type: Opaque
data:
{{- end -}}

{{- if and .Values.config.generateSigningKey (or .Release.IsInstall .Values.config.forceGenerateSigningKey) }}
{{ template "pomerium.proxy.signingKeySecretObject" . }}
{{ template "pomerium.signingKeySecretObject" . }}
signing-key: {{ genPrivateKey "ecdsa" | b64enc | b64enc }}
{{- else if not .Values.config.generateSigningKey }}
{{- if and (not .Values.proxy.existingSigningKeySecret) .Values.proxy.signingKey }}
{{ template "pomerium.proxy.signingKeySecretObject" . }}
signing-key: {{ .Values.proxy.signingKey | b64enc }}
{{- if and (not .Values.authorize.existingsigningKeySecret) .Values.authorize.signingKey }}
{{ template "pomerium.signingKeySecretObject" . }}
signing-key: {{ .Values.config.signingKey | b64enc }}
{{- end }}
{{- end }}
{{- end }}
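Review bot: the custom-key branch now tests `.Values.authorize.existingsigningKeySecret` and `.Values.authorize.signingKey`, but this commit defines both keys under `config` in `values.yaml`, and the very next line reads `.Values.config.signingKey`. `.Values.authorize.signingKey` is therefore always nil, the condition is always false, and with `config.generateSigningKey: false` plus `config.signingKey` set no Secret is rendered while the authenticate and authorize deployments reference one. Change the condition to `{{- if and (not .Values.config.existingSigningKeySecret) .Values.config.signingKey }}`. Separately, the asymmetric encoding (`genPrivateKey "ecdsa" | b64enc | b64enc` on the generated path versus `.Values.config.signingKey | b64enc` here) is only correct because the README requires `config.signingKey` to already be base64-encoded PEM; a one-line comment stating that would stop the next reader from "fixing" it.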
4 changes: 2 additions & 2 deletions charts/pomerium/values.yaml
Expand Up @@ -24,6 +24,8 @@ config:
insecure: false
administrators: ""
policy: []
existingSigningKeySecret: ""
signingKey: ""

authenticate:
fullnameOverride: ""
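Review bot: the two new keys land without any comment. Add a line noting that `signingKey` must be the base64 encoding of a PEM private key (the format the generated path produces and the README describes) and that a Secret named in `existingSigningKeySecret` must carry the key under the `signing-key` data field, since that is the `secretKeyRef.key` the deployments use; neither requirement is discoverable from `values.yaml` as written.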
Expand Down Expand Up @@ -112,8 +114,6 @@ proxy:
key: ""
defaultSANList: []
defaultIPList: []
existingSigningKeySecret: ""
signingKey: ""
replicaCount: 1
autoscaling:
enabled: false

0 comments on commit e719dcd