From e719dcd6f7f1093313bdab3c90f00477bb9109b0 Mon Sep 17 00:00:00 2001
From: Albert Dixon
Date: Mon, 27 Jul 2020 12:52:51 -0700
Subject: [PATCH] Authorize signing key environment variable (#101)
* add signing-key ev to authorize
Signed-off-by: Albert Dixon
* bump chart ver to 8.5.6
Signed-off-by: Albert Dixon
* charts/pomerium/templates/_helpers: mv signing key to auth
Signed-off-by: Albert Dixon
* charts/pomerium: mv to auth signing
Signed-off-by: Albert Dixon
* charts/pomerium/values: mv signingkey to auth
Signed-off-by: Albert Dixon
* Rebase on master
Signed-off-by: Travis Groth
* Update changelog/upgrade notes
Signed-off-by: Travis Groth
* Update signingKey to be shared config option
Signed-off-by: Travis Groth
---
charts/pomerium/Chart.yaml | 2 +-
charts/pomerium/README.md | 29 +++++++++++++++----
charts/pomerium/templates/_helpers.tpl | 14 ++++-----
.../templates/authenticate-deployment.yaml | 5 ++++
.../templates/authorize-deployment.yaml | 5 ++++
.../pomerium/templates/proxy-deployment.yaml | 5 ----
.../templates/signing-key-secret.yaml | 14 ++++-----
charts/pomerium/values.yaml | 4 +--
8 files changed, 50 insertions(+), 28 deletions(-)
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index 3e71e167..6834feb7 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 10.2.0
+version: 11.0.0
 appVersion: 0.9.5
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo-long.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index 29c654cd..5d24acd2 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -16,6 +16,7 @@ - [Self Provisioned](#self-provisioned-1) - [Configuration](#configuration) - [Changelog](#changelog) + - [11.0.0](#1100) - [10.2.0](#1020) - [10.0.0](#1000) - [8.5.5](#855)
@@ -30,6 +31,7 @@ - [3.0.0](#300) - [2.0.0](#200) - [Upgrading](#upgrading) + - [11.0.0](#1100-1) - [10.0.0](#1000-1) - [8.0.0](#800-1) - [7.0.0](#700-1) @@ -123,7 +125,7 @@ In default configuration, this chart will automatically generate a signing key i Upon delete, you will need to manually delete the generated secret. Example: ```console -kubectl delete secret pomerium-proxy-signing-key +kubectl delete secret pomerium-signing-key ``` You may force recreation of your signing key by setting `config.forceGenerateSigningKey` to `true`. Delete already existing signing key secret first to prevent errors, and make sure you set back to `false` for your next helm upgrade command or your deployment will fail due to existing Secret. @@ -133,7 +135,7 @@ You may force recreation of your signing key by setting `config.forceGenerateSig If you wish to provide your own signing key in secret, you should: 1. turn `config.generateSigningKey` to `false` -2. specify `proxy.existingSigningKeySecret` with secret's name +2. specify `config.existingsigningKeySecret` with secret's name ## Configuration 
@@ -149,6 +151,8 @@ A full listing of Pomerium's configuration variables can be found on the [config | `config.existingCASecret` | Name of the existing CA Secret. | | | `config.generateSigningKey` | Generate a signing key to sign jwt in proxy responses. Manual signing key can be set in values. | `true` | | `config.forceGenerateSigningKey` | Force recreation of generated signing key. You will need to restart your deployments after running | `false` | +| `config.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | | +| `config.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | | | `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | | `config.forceGenerateTLS` | Force recreation of generated TLS certificates. You will need to restart your deployments after running | `false` | | `config.insecure` | DANGER, this disables tls between services. Only do this if you know what you are doing. One reason might be that you want to offload tls to a reverse proxy (i.e. istio, traefik) | `false` | 
@@ -193,8 +197,6 @@ A full listing of Pomerium's configuration variables can be found on the [config | `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | | | `proxy.deployment.annotations` | Annotations for the proxy deployment. If none given, then use value of `annotations` | `{}` | | `proxy.service.annotations` | Annotations for the proxy service. If none given, then use value of `service.annotations` | `{}` | -| `proxy.existingSigningKeySecret` | Name of existing Signing key Secret for proxy requests. | | -| `proxy.signingKey` | Signing key is the base64 encoded key used to sign outbound requests. | | | `authorize.nameOverride` | Name of the authorize service. | `authorize` | | `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` | | `authorize.replicaCount` | Number of Authorize pods to run | `1` | @@ -253,6 +255,10 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Changelog +### 11.0.0 + +- Signing key has been refactored to correspond with Pomerium changes. See [v11.0.0 Upgrade Nodes](#1100-1) to migrate. + ### 10.2.0 - Update port names in insecure mode to address Istio protocol detection. @@ -263,7 +269,7 @@ A full listing of Pomerium's configuration variables can be found on the [config ### 8.5.5 -- Fix: Set not only the service but also the namespace when `forwardAuth.internal == true` +- Fix: Set not only the service but also the namespace when `forwardAuth.internal == true` ### 8.5.1 @@ -271,7 +277,7 @@ A full listing of Pomerium's configuration variables can be found on the [config ### 8.5.0 -- Add `forwardAuth.internal` flag to not expose forwardAuth over ingress. Useful for cases where the ingress should not set trustedIPs. +- Add `forwardAuth.internal` flag to not expose forwardAuth over ingress. Useful for cases where the ingress should not set trustedIPs. ### 8.4.0 
@@ -313,6 +319,17 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Upgrading +### 11.0.0 + +- SigningKey is now under the `authorize` block. + - If you are specifying `proxy.signingKeySecret` or `proxy.existingSigningKeySecret`, please change the values to be `config.signingKeySecret` or `config.existingSigningKeySecret` + - If were relying on automatic signing key generation do one of the following: + 1. set `config.forceGenerateSigningKey` to `true` for the upgrade + 2. replace [RELEASE NAME] with your release name and run: + ``` + kubectl get secret [RELEASE NAME]-proxy-signing-key -o json | jq '. | .metadata.name = (.metadata.name | sub("(?\\w+)-proxy-signing-key";"\(.x)-signing-key") )' | k apply -f - + ``` + ### 10.0.0 - All shared configuration has been moved from ENV vars to a configuration file. Users of `config.existingSecret` must specify **all** parameters in their secret or leverage `extraEnv` to pass in overrides. diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl index 8057a472..e399b43d 100644 --- a/charts/pomerium/templates/_helpers.tpl +++ b/charts/pomerium/templates/_helpers.tpl 
@@ -210,16 +210,16 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- end -}}
 {{- end -}}
 
-{{/* Determine secret name for Proxy signing key */}}
-{{- define "pomerium.proxy.signingKeySecret.name" -}}
-{{- if .Values.proxy.existingSigningKeySecret -}}
-{{- .Values.proxy.existingSigningKeySecret | trunc 63 | trimSuffix "-" -}}
+{{/* Determine secret name for signing key */}}
+{{- define "pomerium.signingKeySecret.name" -}}
+{{- if .Values.config.existingsigningKeySecret -}}
+{{- .Values.config.existingsigningKeySecret | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- if contains $name .Release.Name -}}
-{{- printf "%s-proxy-signing-key" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-signing-key" .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
-{{- printf "%s-%s-proxy-signing-key" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- printf "%s-%s-signing-key" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -419,4 +419,4 @@ policy:
 secret:
 secretName: {{ include (printf "pomerium.%s.tlsSecret.name" .currentServiceName ) . }}
 optional: true
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
index 4db3cec5..eb7af89c 100644
--- a/charts/pomerium/templates/authenticate-deployment.yaml
+++ b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -63,6 +63,11 @@ spec:
 env:
 - name: SERVICES
 value: authenticate
+ - name: SIGNING_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "pomerium.signingKeySecret.name" . }}
+ key: signing-key
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml
index 1afff089..eabb6a55 100644
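Review bot: The new helper reads `.Values.config.existingsigningKeySecret` (lower-case `s`) on both the `if` line and the value line, while the values.yaml hunk in this same commit defines `config.existingSigningKeySecret` and the README table documents that spelling; Helm value lookups are case-sensitive, so an operator-supplied secret name is silently ignored and the helper always falls back to the generated `<release>-signing-key` name, which does not exist when `config.generateSigningKey` is false. Change the two lines to `{{- if .Values.config.existingSigningKeySecret -}}` and `{{- .Values.config.existingSigningKeySecret | trunc 63 | trimSuffix "-" -}}`. The README upgrade step `2. specify config.existingsigningKeySecret` carries the same typo and should follow the values.yaml spelling.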
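Review bot: The added `SIGNING_KEY` entry hands the private signing key to the authenticate pods as well, although the commit title, changelog and upgrade notes only describe the key moving from proxy to authorize; if the authenticate service at the pinned `appVersion: 0.9.5` does not read this variable, the key is exposed to a third workload for no gain, so confirm the consumer against Pomerium's configuration reference before merging. If it is required, a comment such as `# private key used to sign attestation JWTs; shared with authorize` above the added entry would record why authenticate carries it. Leaving `optional` unset on the `secretKeyRef` is the right choice here, since a missing secret then blocks pod creation instead of running without a signing key.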
--- a/charts/pomerium/templates/authorize-deployment.yaml
+++ b/charts/pomerium/templates/authorize-deployment.yaml
@@ -65,6 +65,11 @@ spec:
 env:
 - name: SERVICES
 value: authorize
+ - name: SIGNING_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "pomerium.signingKeySecret.name" . }}
+ key: signing-key
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
diff --git a/charts/pomerium/templates/proxy-deployment.yaml b/charts/pomerium/templates/proxy-deployment.yaml
index 21670abd..f7ddcdf8 100644
--- a/charts/pomerium/templates/proxy-deployment.yaml
+++ b/charts/pomerium/templates/proxy-deployment.yaml
@@ -65,11 +65,6 @@ spec:
 env:
 - name: SERVICES
 value: proxy
- - name: SIGNING_KEY
- valueFrom:
- secretKeyRef:
- name: {{ template "pomerium.proxy.signingKeySecret.name" . }}
- key: signing-key
 {{- range $name, $value := .Values.extraEnv }}
 - name: {{ $name }}
 value: {{ quote $value }}
diff --git a/charts/pomerium/templates/signing-key-secret.yaml b/charts/pomerium/templates/signing-key-secret.yaml
index 4eb101be..f0d8e52d 100644
--- a/charts/pomerium/templates/signing-key-secret.yaml
+++ b/charts/pomerium/templates/signing-key-secret.yaml
@@ -1,4 +1,4 @@
-{{- define "pomerium.proxy.signingKeySecretObject" -}}
+{{- define "pomerium.signingKeySecretObject" -}}
 apiVersion: v1
 kind: Secret
 metadata:
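Review bot: Dropping `SIGNING_KEY` from the proxy deployment (the proxy-deployment hunk) and adding it only here assumes the Pomerium release in use signs in the authorize service, but Chart.yaml in this commit still pins `appVersion: 0.9.5` and is not bumped; if that application version still signs in proxy, upgrading the chart leaves the proxy with no signing key. Either bump `appVersion` to the release that introduced the shared signing-key option or keep the proxy entry until that is done. A comment on the added entry, e.g. `# authorize signs the attestation JWT with this key (shared signing-key option)`, would document the dependency on the application version.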
@@ -14,17 +14,17 @@ metadata:
 {{- else if .Values.config.generateSigningKey }}
 helm.sh/hook: pre-install
 {{- end }}
- name: {{ template "pomerium.proxy.signingKeySecret.name" . }}
+ name: {{ template "pomerium.signingKeySecret.name" . }}
 type: Opaque
 data:
 {{- end -}}
 
 {{- if and .Values.config.generateSigningKey (or .Release.IsInstall .Values.config.forceGenerateSigningKey) }}
-{{ template "pomerium.proxy.signingKeySecretObject" . }}
+{{ template "pomerium.signingKeySecretObject" . }}
 signing-key: {{ genPrivateKey "ecdsa" | b64enc | b64enc }}
 {{- else if not .Values.config.generateSigningKey }}
-{{- if and (not .Values.proxy.existingSigningKeySecret) .Values.proxy.signingKey }}
-{{ template "pomerium.proxy.signingKeySecretObject" . }}
- signing-key: {{ .Values.proxy.signingKey | b64enc }}
+{{- if and (not .Values.authorize.existingsigningKeySecret) .Values.authorize.signingKey }}
+{{ template "pomerium.signingKeySecretObject" . }}
+ signing-key: {{ .Values.config.signingKey | b64enc }}
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index 2a62a2b9..0ad6f5d8 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -24,6 +24,8 @@ config:
 insecure: false
 administrators: ""
 policy: []
+ existingSigningKeySecret: ""
+ signingKey: ""
 
 authenticate:
 fullnameOverride: ""
@@ -112,8 +114,6 @@ proxy:
 key: ""
 defaultSANList: []
 defaultIPList: []
- existingSigningKeySecret: ""
- signingKey: ""
 replicaCount: 1
 autoscaling:
 enabled: false
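Review bot: The added guard `{{- if and (not .Values.authorize.existingsigningKeySecret) .Values.authorize.signingKey }}` reads both values from `.Values.authorize`, but the values.yaml hunk in this commit adds `existingSigningKeySecret` and `signingKey` under `config:` and the very next added line already reads `.Values.config.signingKey`; since `authorize.signingKey` is never set, the condition is always false, no Secret is rendered when `config.generateSigningKey` is false, and the authenticate and authorize pods block on a `secretKeyRef` to a secret that does not exist. Change the guard to `{{- if and (not .Values.config.existingSigningKeySecret) .Values.config.signingKey }}`, using the capitalisation from values.yaml (the lower-case `existingsigningKeySecret` spelling would miss the value even under `config`). The README upgrade notes in this commit point users at `config.signingKeySecret`, a key that exists nowhere in values.yaml, and should name `config.signingKey` instead.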