From c4c67de59077265bad220a7000bdc3030501f2a8 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Tue, 8 Oct 2019 22:55:51 -0400 Subject: [PATCH] Upgrade to Pomerium v0.4.0 (#17778) Changes for this release: - Specify all certificate paths - Update Authorize health check config - Remove authenticate_internal_url Signed-off-by: Travis Groth --- Chart.yaml | 4 ++-- README.md | 10 ++++++++++ templates/authenticate-deployment.yaml | 4 ++++ templates/authorize-deployment.yaml | 13 +++++++------ templates/proxy-deployment.yaml | 6 ++++-- values.yaml | 3 +-- 6 files changed, 28 insertions(+), 12 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 02c84f98..5346eccf 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: pomerium -version: 3.0.1 -appVersion: 0.3.1 +version: 4.0.0 +appVersion: 0.4.0 home: http://www.pomerium.io/ icon: https://www.pomerium.io/logo.svg description: Pomerium is an identity-aware access proxy. diff --git a/README.md b/README.md index ee57e315..eb12cd59 100644 --- a/README.md +++ b/README.md @@ -11,9 +11,11 @@ - [Self Provisioned](#self-provisioned) - [Configuration](#configuration) - [Changelog](#changelog) + - [4.0.0](#400) - [3.0.0](#300) - [2.0.0](#200) - [Upgrading](#upgrading) + - [4.0.0](#400-1) - [3.0.0](#300-1) - [2.0.0](#200-1) - [Metrics Discovery Configuration](#metrics-discovery-configuration) @@ -141,6 +143,10 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Changelog +### 4.0.0 +- Upgrade to Pomerium v0.4.0 +- Handle breaking changes from Pomerium + ### 3.0.0 - Refactor TLS certificates to use Kubernetes TLS secrets - Generate TLS certificates in a hook to prevent certificate churn 
@@ -153,6 +159,10 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Upgrading +### 4.0.0 +- There are no user facing changes in this chart release +- See [Pomerium Changelog](https://www.pomerium.io/docs/upgrading.html#since-0-3-0) for internal details + ### 3.0.0 - This version moves all certificates to TLS secrets. diff --git a/templates/authenticate-deployment.yaml b/templates/authenticate-deployment.yaml index a23600d2..c4b9e8c3 100644 --- a/templates/authenticate-deployment.yaml +++ b/templates/authenticate-deployment.yaml @@ -110,6 +110,10 @@ spec: name: {{ template "pomerium.caSecret.name" . }} key: {{ template "pomerium.caSecret.certName" . }} {{- else }} + - name: CERTIFICATE_FILE + value: "/pomerium/cert.pem" + - name: CERTIFICATE_KEY_FILE + value: "/pomerium/privkey.pem" - name: CERTIFICATE_AUTHORITY_FILE value: "/pomerium/ca.pem" {{- end }} diff --git a/templates/authorize-deployment.yaml b/templates/authorize-deployment.yaml index d8b5b6c2..5461f93e 100644 --- a/templates/authorize-deployment.yaml +++ b/templates/authorize-deployment.yaml @@ -82,6 +82,10 @@ spec: name: {{ template "pomerium.caSecret.name" . }} key: {{ template "pomerium.caSecret.certName" . }} {{- else }} + - name: CERTIFICATE_FILE + value: "/pomerium/cert.pem" + - name: CERTIFICATE_KEY_FILE + value: "/pomerium/privkey.pem" - name: CERTIFICATE_AUTHORITY_FILE value: "/pomerium/ca.pem" {{- end }} @@ -97,15 +101,12 @@ spec: name: metrics protocol: TCP livenessProbe: - httpGet: - path: /ping + tcpSocket: port: https - scheme: HTTPS + initialDelaySeconds: 15 readinessProbe: - httpGet: - path: /ping + tcpSocket: port: https - scheme: HTTPS resources: {{ toYaml .Values.resources | indent 10 }} volumeMounts: diff --git a/templates/proxy-deployment.yaml b/templates/proxy-deployment.yaml index 781e8e49..3f602ea7 100644 --- a/templates/proxy-deployment.yaml +++ b/templates/proxy-deployment.yaml 
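Review bot: The certificate and private-key paths added in the `{{- else }}` branch of `templates/authenticate-deployment.yaml` (`/pomerium/cert.pem`, `/pomerium/privkey.pem`) are hard-coded literals with no visible link to the volume that has to supply them. The same two entries are repeated in the `authorize-deployment.yaml` hunk at `@@ -82,6 +82,10 @@` and the `proxy-deployment.yaml` hunk at `@@ -93,6 +91,10 @@`. The `volumeMounts` section lies outside all three hunks, so it cannot be confirmed from here that the TLS secret is mounted at `/pomerium` with those file names, or that the mount is `readOnly: true`. I would put a template comment above the new entries, such as `{{- /* paths must match the TLS secret volumeMount (mountPath /pomerium, read-only) */ -}}`, and consider defining the three paths once in a named template so the deployments cannot drift apart.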
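Review bot: The `tcpSocket` liveness and readiness probes introduced at `@@ -97,15 +101,12 @@` in `templates/authorize-deployment.yaml` only show that the `https` port accepts a connection. An authorize pod that is listening but cannot answer policy decisions would therefore stay Ready and would never be restarted, whereas the removed `httpGet` on `/ping` over HTTPS at least completed a TLS handshake and reached a handler. If the authorize service in this release no longer answers HTTP on that port, as the commit message's "Update Authorize health check config" suggests, say so next to the probe, for example `# authorize no longer serves HTTP /ping here; TCP check confirms the listener only`. `initialDelaySeconds: 15` is set on the liveness probe but not on readiness, which is probably intended and worth stating in the same comment. The container spec starts and ends outside this hunk.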
@@ -73,8 +73,6 @@ spec: value: {{ default (printf "https://authenticate.%s" .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }} - name: AUTHORIZE_SERVICE_URL value: {{ default (printf "https://%s.%s.svc.cluster.local" (include "pomerium.authorize.fullname" .) .Release.Namespace ) .Values.proxy.authorizeInternalUrl}} - - name: AUTHENTICATE_INTERNAL_URL - value: {{ default (printf "https://%s.%s.svc.cluster.local" (include "pomerium.authenticate.fullname" .) .Release.Namespace ) .Values.proxy.authenticateInternalUrl}} {{- /* TODO in future: Remove legacy logic */ -}} {{- if .Values.config.existingLegacyTLSSecret }} - name: CERTIFICATE @@ -93,6 +91,10 @@ spec: name: {{ template "pomerium.caSecret.name" . }} key: {{ template "pomerium.caSecret.certName" . }} {{- else }} + - name: CERTIFICATE_FILE + value: "/pomerium/cert.pem" + - name: CERTIFICATE_KEY_FILE + value: "/pomerium/privkey.pem" - name: CERTIFICATE_AUTHORITY_FILE value: "/pomerium/ca.pem" {{- end }} diff --git a/values.yaml b/values.yaml index 59c9edc5..80e9a497 100644 --- a/values.yaml +++ b/values.yaml @@ -61,7 +61,6 @@ proxy: authenticateServiceUrl: "" authorizeServiceUrl: "" authorizeInternalUrl: "" - authenticateInternalUrl: "" service: # Service type can be set to ClusterIP, NodePort or LoadBalancer. @@ -127,7 +126,7 @@ extraVolumes: {} image: repository: "pomerium/pomerium" - tag: "v0.3.1" + tag: "v0.4.0" pullPolicy: "IfNotPresent" metrics: