From f0aed046c4d29a3b08902e44eb828a3513ddac7f Mon Sep 17 00:00:00 2001 From: Denis Mishin Date: Wed, 16 Nov 2022 16:39:15 -0500 Subject: [PATCH] Pomerium v0.20.0 (#336) --- charts/pomerium-console/Chart.yaml | 4 +- charts/pomerium-console/README.md | 162 +++++++++--------- .../pomerium-console/templates/_helpers.tpl | 12 ++ .../templates/deployment.yaml | 4 + .../pomerium-console/templates/service.yaml | 6 + .../templates/servicemonitor.yaml | 24 +++ charts/pomerium-console/values.yaml | 80 +++++---- charts/pomerium/Chart.yaml | 4 +- charts/pomerium/README.md | 19 +- charts/pomerium/templates/_helpers.tpl | 12 -- charts/pomerium/values.yaml | 2 +- 11 files changed, 193 insertions(+), 136 deletions(-) create mode 100644 charts/pomerium-console/templates/servicemonitor.yaml diff --git a/charts/pomerium-console/Chart.yaml b/charts/pomerium-console/Chart.yaml index c0a43daa..1ef2e311 100644 --- a/charts/pomerium-console/Chart.yaml +++ b/charts/pomerium-console/Chart.yaml @@ -15,12 +15,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 10.0.0 +version: 11.0.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.19.0 +appVersion: 0.20.0 maintainers: - name: Pomerium Developers diff --git a/charts/pomerium-console/README.md b/charts/pomerium-console/README.md index 077371db..d7f30757 100644 --- a/charts/pomerium-console/README.md +++ b/charts/pomerium-console/README.md @@ -1,6 +1,6 @@ # pomerium-console -![Version: 8.0.0](https://img.shields.io/badge/Version-8.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.17.0](https://img.shields.io/badge/AppVersion-0.17.0-informational?style=flat-square) +![Version: 11.0.0](https://img.shields.io/badge/Version-11.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.20.0](https://img.shields.io/badge/AppVersion-0.20.0-informational?style=flat-square) Pomerium Enterprise Console @@ -8,12 +8,11 @@ Pomerium Enterprise Console ## Maintainers -| Name | Email | Url | -| ---- | ------ | --- | -| Pomerium Developers | | https://www.pomerium.com | +| Name | Email | Url | +| ------------------- | ----- | ------------------------ | +| Pomerium Developers | | https://www.pomerium.com | -Installation -------------- +## Installation pomerium-console requires the shared secret of your existing databroker and a supported RDBMS backend to install. @@ -33,76 +32,81 @@ helm install pomerium-enterprise/pomerium-console \ ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | Specify node `affinity` for the deployment | -| autoscaling.enabled | bool | `false` | Enable horizontal pod autoscaler | -| autoscaling.maxReplicas | int | `3` | | -| autoscaling.minReplicas | int | `1` | | -| autoscaling.targetCPUUtilizationPercentage | int | `80` | | -| config.administrators | string | `""` | Set to boostrap permissions to the console or recover from a misconfiguration. Overrides permissions in the database. | -| config.audience | string | `""` | **Required** console's external URL. This should match the `from` in Pomerium Core's config. | -| config.authenticateServiceUrl | string | `""` | **Required** for device identity enrollment. If set, you do not need to set signingKey. | -| config.customerId | string | `""` | Override default customerId | -| config.databaseEncryptionKey | string | `""` | **Required** encryption key for protecting sensitive data in the database | -| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Cache service | -| config.licenseKey | string | `""` | **Required** license key for your Pomerium Enterprise install. | -| config.prometheusUrl | string | `""` | Set URL for external prometheus server. An embedded server is used if left unset. | -| config.sharedSecret | string | `""` | **Required** Secures communication with the databroker. Must match Pomerium `shared_secret` parameter. | -| config.signingKey | string | `""` | **Required** if `config.authenticateServiceUrl` is unset. Set the public key for verifying the Pomerium attestation JWT header | -| database.additionalDSNOptions | string | `""` | Set custom DSN connection options | -| database.host | string | `""` | Set the database hostname | -| database.name | string | `""` | Set the name of the database or schema | -| database.password | string | `""` | Set the database password | -| database.sslmode | string | `""` | Set appropriately for your database driver | -| database.tls.ca | string | `""` | A custom CA certificate when communicating with the database | -| database.tls.caSecretKey | string | `"tls.crt"` | Set the key name containing the CA certificate in the existingCASecret | -| database.tls.cert | string | `""` | Set a TLS client certificate for the database connection | -| database.tls.existingCASecret | string | `""` | Use an existing secret containing the CA certificate for the database connection | -| database.tls.existingSecret | string | `""` | Use an existing secret containing the client TLS keypair for the database connection | -| database.tls.key | string | `""` | Set a TLS client key for the database connection | -| database.type | string | `""` | **Required** Set database driver type. This can be `pg`, `my` or sqlite for postgres, mysql or sqlite respectively | -| database.username | string | `""` | Set the database username | -| fullnameOverride | string | `""` | Override full release name | -| image.pullPassword | string | `""` | Set to automatically generate an image pull secret | -| image.pullPolicy | string | `"IfNotPresent"` | The iamge pull policy | -| image.pullUsername | string | `""` | Set to automatically generate an image pull secret | -| image.repository | string | `"docker.cloudsmith.io/pomerium/enterprise/pomerium-console"` | The image repository source | -| image.tag | string | `""` | Override the image tag from the chart appVersion | -| imagePullSecrets | list | `[]` | Reference a list secrets containing image pull credentials for the deployment | -| ingress.annotations | object | `{}` | Set custom annoations on the Ingress resource | -| ingress.enabled | bool | `false` | Enable an Ingress resource for the deployment. This should be disabled unless your Pomerium core deployment is running outside the cluster. | -| ingress.hosts[0].host | string | `"chart-example.local"` | | -| ingress.hosts[0].paths | list | `[]` | | -| ingress.tls | list | `[]` | Set a list of Ingress TLS secrets | -| nameOverride | string | `""` | Override the name of the chart | -| nodeSelector | object | `{}` | Specify node `selector` parameters for the deployment | -| persistence | object | `{"accessModes":["ReadWriteOnce"],"enabled":false,"finalizers":["kubernetes.io/pvc-protection"],"size":"1Gi"}` | FOR TESTING ONLY. There is no migration path from embedded (sqlite) to an external RDBMS. | -| persistence.enabled | bool | `false` | Enable a PVC for the embedded database engine | -| podAnnotations | object | `{}` | Set annotations on all pods | -| podSecurityContext | object | `{}` | Set security context on all pods | -| prometheus.enabled | bool | `true` | Enable using an embedded prometheus service if no external URL is provided | -| prometheus.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| prometheus.persistence.annotations | object | `{}` | | -| prometheus.persistence.enabled | bool | `false` | Enable storage persistence for embedded prometheus | -| prometheus.persistence.existingClaim | string | `""` | | -| prometheus.persistence.finalizers[0] | string | `"kubernetes.io/pvc-protection"` | | -| prometheus.persistence.size | string | `"10Gi"` | | -| prometheus.persistence.storageClassName | string | `""` | | -| replicaCount | int | `1` | Sets the number of pod replicas deployed | -| resources | object | `{"requests":{"cpu":"500m","memory":"500Mi"}}` | Specify the kubernetes resources for the pods. Minimal `requests` have been set and should be adjusted for your environment. | -| securityContext | object | `{}` | Set security context on all containers | -| service.type | string | `"ClusterIP"` | Set service type. This should be ClusterIP unless your Pomerium Core deployment is running on a separate cluster. | -| serviceAccount.annotations | object | `{}` | | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| tls.ca | string | `""` | A custom CA certificate when communicating with Pomerium Core | -| tls.caSecretKey | string | `"tls.crt"` | Set the key name containing the CA certificate in the existingCASecret | -| tls.cert | string | `""` | TLS server cert | -| tls.enabled | bool | `true` | Enable TLS server support (strongly recommended) | -| tls.existingCASecret | string | `""` | Use an existing secret for a CA certificate when communicating with Pomerium Core | -| tls.existingSecret | string | `""` | Use an existing secret for TLS certificates | -| tls.forceGenerate | bool | `false` | Regenerate certificates. Enable if you need to recreate your certificates after initial chart install, or want to enable `tls.generate` after the chart has already been installed. | -| tls.generate | bool | `true` | Automatically generate a CA and certificates for TLS termination when chart is initially installed. | -| tls.key | string | `""` | TLS server key | -| tolerations | list | `[]` | Specify node `tolerations` for the deployment | +| Key | Type | Default | Description | +| ------------------------------------------ | ------ | -------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| affinity | object | `{}` | Specify node `affinity` for the deployment | +| autoscaling.enabled | bool | `false` | Enable horizontal pod autoscaler | +| autoscaling.maxReplicas | int | `3` | | +| autoscaling.minReplicas | int | `1` | | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| config.administrators | string | `""` | Set to boostrap permissions to the console or recover from a misconfiguration. Overrides permissions in the database. | +| config.audience | string | `""` | **Required** console's external URL. This should match the `from` in Pomerium Core's config. | +| config.authenticateServiceUrl | string | `""` | **Required** for device identity enrollment. If set, you do not need to set signingKey. | +| config.customerId | string | `""` | Override default customerId | +| config.databaseEncryptionKey | string | `""` | **Required** encryption key for protecting sensitive data in the database | +| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Cache service | +| config.licenseKey | string | `""` | **Required** license key for your Pomerium Enterprise install. | +| config.prometheusUrl | string | `""` | Set URL for external prometheus server. An embedded server is used if left unset. | +| config.sharedSecret | string | `""` | **Required** Secures communication with the databroker. Must match Pomerium `shared_secret` parameter. | +| config.signingKey | string | `""` | **Required** if `config.authenticateServiceUrl` is unset. Set the public key for verifying the Pomerium attestation JWT header | +| database.additionalDSNOptions | string | `""` | Set custom DSN connection options | +| database.host | string | `""` | Set the database hostname | +| database.name | string | `""` | Set the name of the database or schema | +| database.password | string | `""` | Set the database password | +| database.sslmode | string | `""` | Set appropriately for your database driver | +| database.tls.ca | string | `""` | A custom CA certificate when communicating with the database | +| database.tls.caSecretKey | string | `"tls.crt"` | Set the key name containing the CA certificate in the existingCASecret | +| database.tls.cert | string | `""` | Set a TLS client certificate for the database connection | +| database.tls.existingCASecret | string | `""` | Use an existing secret containing the CA certificate for the database connection | +| database.tls.existingSecret | string | `""` | Use an existing secret containing the client TLS keypair for the database connection | +| database.tls.key | string | `""` | Set a TLS client key for the database connection | +| database.type | string | `""` | **Required** Set database driver type. This can be `pg`, `my` or sqlite for postgres, mysql or sqlite respectively | +| database.username | string | `""` | Set the database username | +| fullnameOverride | string | `""` | Override full release name | +| image.pullPassword | string | `""` | Set to automatically generate an image pull secret | +| image.pullPolicy | string | `"IfNotPresent"` | The iamge pull policy | +| image.pullUsername | string | `""` | Set to automatically generate an image pull secret | +| image.repository | string | `"docker.cloudsmith.io/pomerium/enterprise/pomerium-console"` | The image repository source | +| image.tag | string | `""` | Override the image tag from the chart appVersion | +| imagePullSecrets | list | `[]` | Reference a list secrets containing image pull credentials for the deployment | +| ingress.annotations | object | `{}` | Set custom annoations on the Ingress resource | +| ingress.enabled | bool | `false` | Enable an Ingress resource for the deployment. This should be disabled unless your Pomerium core deployment is running outside the cluster. | +| ingress.hosts[0].host | string | `"chart-example.local"` | | +| ingress.hosts[0].paths | list | `[]` | | +| ingress.tls | list | `[]` | Set a list of Ingress TLS secrets | +| metrics.enabled | bool | true | Enable prometheus metrics endpoint | +| metrics.port | string | `9091` | Prometheus metrics endpoint port | +| nameOverride | string | `""` | Override the name of the chart | +| nodeSelector | object | `{}` | Specify node `selector` parameters for the deployment | +| persistence | object | `{"accessModes":["ReadWriteOnce"],"enabled":false,"finalizers":["kubernetes.io/pvc-protection"],"size":"1Gi"}` | FOR TESTING ONLY. There is no migration path from embedded (sqlite) to an external RDBMS. | +| persistence.enabled | bool | `false` | Enable a PVC for the embedded database engine | +| podAnnotations | object | `{}` | Set annotations on all pods | +| podSecurityContext | object | `{}` | Set security context on all pods | +| prometheus.enabled | bool | `true` | Enable using an embedded prometheus service if no external URL is provided | +| prometheus.persistence.accessModes[0] | string | `"ReadWriteOnce"` | | +| prometheus.persistence.annotations | object | `{}` | | +| prometheus.persistence.enabled | bool | `false` | Enable storage persistence for embedded prometheus | +| prometheus.persistence.existingClaim | string | `""` | | +| prometheus.persistence.finalizers[0] | string | `"kubernetes.io/pvc-protection"` | | +| prometheus.persistence.size | string | `"10Gi"` | | +| prometheus.persistence.storageClassName | string | `""` | | +| replicaCount | int | `1` | Sets the number of pod replicas deployed | +| resources | object | `{"requests":{"cpu":"500m","memory":"500Mi"}}` | Specify the kubernetes resources for the pods. Minimal `requests` have been set and should be adjusted for your environment. | +| securityContext | object | `{}` | Set security context on all containers | +| service.type | string | `"ClusterIP"` | Set service type. This should be ClusterIP unless your Pomerium Core deployment is running on a separate cluster. | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| serviceMonitor.enabled | bool | `false` | Create Prometheus Operator ServiceMonitor | +| serviceMonitor.namespace | string | chart namespace | Namespace to create the ServiceMonitor resource in | +| serviceMonitor.labels | list | `{release: prometheus}` | Additional labels to apply to the ServiceMonitor resource | +| tls.ca | string | `""` | A custom CA certificate when communicating with Pomerium Core | +| tls.caSecretKey | string | `"tls.crt"` | Set the key name containing the CA certificate in the existingCASecret | +| tls.cert | string | `""` | TLS server cert | +| tls.enabled | bool | `true` | Enable TLS server support (strongly recommended) | +| tls.existingCASecret | string | `""` | Use an existing secret for a CA certificate when communicating with Pomerium Core | +| tls.existingSecret | string | `""` | Use an existing secret for TLS certificates | +| tls.forceGenerate | bool | `false` | Regenerate certificates. Enable if you need to recreate your certificates after initial chart install, or want to enable `tls.generate` after the chart has already been installed. | +| tls.generate | bool | `true` | Automatically generate a CA and certificates for TLS termination when chart is initially installed. | +| tls.key | string | `""` | TLS server key | +| tolerations | list | `[]` | Specify node `tolerations` for the deployment | diff --git a/charts/pomerium-console/templates/_helpers.tpl b/charts/pomerium-console/templates/_helpers.tpl index 2460c8a3..288118e4 100644 --- a/charts/pomerium-console/templates/_helpers.tpl +++ b/charts/pomerium-console/templates/_helpers.tpl @@ -199,3 +199,15 @@ imagePullSecrets: {{- define "pomerium-console.pullSecret.data" -}} {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" "docker.cloudsmith.io" .Values.image.pullUsername .Values.image.pullPassword (printf "%s:%s" .Values.image.pullUsername .Values.image.pullPassword | b64enc) | b64enc }} {{- end }} + +{{/* Return metrics env var block */}} +{{- define "pomerium-console.metrics.envVars" }} +{{- if .Values.metrics.enabled }} +- name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +- name: METRICS_ADDR + value: "$(POD_IP):{{.Values.metrics.port}}" +{{- end }} +{{- end }} diff --git a/charts/pomerium-console/templates/deployment.yaml b/charts/pomerium-console/templates/deployment.yaml index a4d2f076..6adc07db 100644 --- a/charts/pomerium-console/templates/deployment.yaml +++ b/charts/pomerium-console/templates/deployment.yaml @@ -41,6 +41,9 @@ spec: - name: {{ include "pomerium-console.grpc.name" . }} containerPort: 8702 protocol: TCP + - name: metrics + containerPort: 9092 + protocol: TCP livenessProbe: httpGet: path: / @@ -63,6 +66,7 @@ spec: envFrom: {{- toYaml .Values.extraEnvFrom | nindent 12 }} {{- end }} +{{- include "pomerium-console.metrics.envVars" . | indent 10 }} volumeMounts: - mountPath: /etc/pomerium/ name: config diff --git a/charts/pomerium-console/templates/service.yaml b/charts/pomerium-console/templates/service.yaml index 30cd54da..562d06dc 100644 --- a/charts/pomerium-console/templates/service.yaml +++ b/charts/pomerium-console/templates/service.yaml @@ -15,5 +15,11 @@ spec: targetPort: {{ include "pomerium-console.grpc.name" . }} protocol: TCP name: {{ include "pomerium-console.grpc.name" . }} +{{- if .Values.metrics.enabled }} + - name: metrics + port: {{ .Values.metrics.port }} + protocol: TCP + targetPort: metrics +{{- end }} selector: {{- include "pomerium-console.selectorLabels" . | nindent 4 }} diff --git a/charts/pomerium-console/templates/servicemonitor.yaml b/charts/pomerium-console/templates/servicemonitor.yaml new file mode 100644 index 00000000..ef903597 --- /dev/null +++ b/charts/pomerium-console/templates/servicemonitor.yaml @@ -0,0 +1,24 @@ +{{ if .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "pomerium-console.fullname" . }} +{{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} +{{- end }} + labels: + helm.sh/chart: {{ template "pomerium-console.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "pomerium-console.name" . }} +{{- if .Values.serviceMonitor.labels }} +{{ toYaml .Values.serviceMonitor.labels | indent 4 }} +{{- end }} +spec: + selector: + matchLabels: + helm.sh/chart: {{ template "pomerium-console.chart" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + endpoints: + - port: metrics +{{ end }} \ No newline at end of file diff --git a/charts/pomerium-console/values.yaml b/charts/pomerium-console/values.yaml index 7eb4e6d1..707a9406 100644 --- a/charts/pomerium-console/values.yaml +++ b/charts/pomerium-console/values.yaml @@ -7,15 +7,15 @@ replicaCount: 1 image: # -- Set to automatically generate an image pull secret - pullUsername: "" + pullUsername: '' # -- Set to automatically generate an image pull secret - pullPassword: "" + pullPassword: '' # -- The image repository source repository: docker.cloudsmith.io/pomerium/enterprise/pomerium-console # -- The iamge pull policy pullPolicy: IfNotPresent # -- Override the image tag from the chart appVersion - tag: "" + tag: '' serviceAccount: # -- Specifies whether a service account should be created @@ -24,14 +24,14 @@ serviceAccount: annotations: {} # -- The name of the service account to use. # If not set and create is true, a name is generated using the fullname template - name: "" + name: '' # -- Reference a list secrets containing image pull credentials for the deployment imagePullSecrets: [] # -- Override the name of the chart -nameOverride: "" +nameOverride: '' # -- Override full release name -fullnameOverride: "" +fullnameOverride: '' # -- Set annotations on all pods podAnnotations: {} @@ -113,17 +113,17 @@ tls: # want to enable `tls.generate` after the chart has already been installed. forceGenerate: false # -- Use an existing secret for TLS certificates - existingSecret: "" + existingSecret: '' # -- Use an existing secret for a CA certificate when communicating with Pomerium Core - existingCASecret: "" + existingCASecret: '' # -- Set the key name containing the CA certificate in the existingCASecret caSecretKey: tls.crt # -- A custom CA certificate when communicating with Pomerium Core - ca: "" + ca: '' # -- TLS server key - key: "" + key: '' # -- TLS server cert - cert: "" + cert: '' # -- FOR TESTING ONLY. There is no migration path from embedded (sqlite) to an external RDBMS. persistence: @@ -140,67 +140,77 @@ persistence: database: # -- **Required** Set database driver type. This can be `pg`, `my` or sqlite for postgres, mysql or sqlite respectively - type: "" + type: '' # -- Set the database username - username: "" + username: '' # -- Set the database password - password: "" + password: '' # -- Set the database hostname - host: "" + host: '' # -- Set the name of the database or schema - name: "" + name: '' # -- Set appropriately for your database driver - sslmode: "" + sslmode: '' # -- Set custom DSN connection options - additionalDSNOptions: "" + additionalDSNOptions: '' tls: # -- Use an existing secret containing the client TLS keypair for the database connection - existingSecret: "" + existingSecret: '' # -- Use an existing secret containing the CA certificate for the database connection - existingCASecret: "" + existingCASecret: '' # -- Set the key name containing the CA certificate in the existingCASecret caSecretKey: tls.crt # -- A custom CA certificate when communicating with the database - ca: "" + ca: '' # -- Set a TLS client key for the database connection - key: "" + key: '' # -- Set a TLS client certificate for the database connection - cert: "" + cert: '' config: # -- Set to boostrap permissions to the console or recover from a misconfiguration. Overrides permissions # in the database. - administrators: "" + administrators: '' # -- Override default customerId - customerId: "" + customerId: '' # -- Override the URL default to the Pomerium Cache service # @default -- `https://pomerium-databroker.[release namespace].svc.cluster.local` - databrokerServiceUrl: "" + databrokerServiceUrl: '' # -- **Required** Secures communication with the databroker. Must match Pomerium `shared_secret` parameter. - sharedSecret: "" + sharedSecret: '' # -- **Required** if `config.authenticateServiceUrl` is unset. Set the public key for verifying the Pomerium attestation JWT header - signingKey: "" + signingKey: '' # -- **Required** encryption key for protecting sensitive data in the database - databaseEncryptionKey: "" + databaseEncryptionKey: '' # -- Set URL for external prometheus server. An embedded server is used if left unset. - prometheusUrl: "" + prometheusUrl: '' # -- **Required** console's external URL. This should match the `from` in Pomerium Core's config. - audience: "" + audience: '' # -- **Required** for device identity enrollment. If set, you do not need to set signingKey. - authenticateServiceUrl: "" + authenticateServiceUrl: '' # -- **Required** license key for your Pomerium Enterprise install. - licenseKey: "" + licenseKey: '' prometheus: # -- Enable using an embedded prometheus service if no external URL is provided enabled: true persistence: # -- Enable storage persistence for embedded prometheus enabled: false - storageClassName: "" + storageClassName: '' accessModes: - ReadWriteOnce size: 10Gi annotations: {} finalizers: - kubernetes.io/pvc-protection - existingClaim: "" + existingClaim: '' + +serviceMonitor: + enabled: false + namespace: '' + labels: + release: prometheus-console + +metrics: + enabled: true + port: 9092 diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml index b90b2709..5cb15319 100644 --- a/charts/pomerium/Chart.yaml +++ b/charts/pomerium/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: pomerium -version: 32.1.0 -appVersion: v0.18.0 +version: 33.0.0 +appVersion: v0.20.0 home: http://www.pomerium.com/ icon: https://www.pomerium.com/img/icon.svg description: Pomerium is an identity-aware access proxy. diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md index f8c22a55..9eb84d77 100644 --- a/charts/pomerium/README.md +++ b/charts/pomerium/README.md @@ -3,11 +3,12 @@ [Pomerium](https://pomerium.io) is an [open-source](https://github.com/pomerium/pomerium) tool for managing secure access to internal applications and resources. - [Pomerium](#pomerium) + - [DEPRECATION](#deprecation) - [TL;DR;](#tldr) - [Install the chart](#install-the-chart) - [Uninstalling the Chart](#uninstalling-the-chart) - [Pomerium Operator (DEPRECATED)](#pomerium-operator-deprecated) - - [Pomerium operator has been replaced by Pomerium Ingress Controller. See `ingressController.config.operatorMode` for similar functionality.](#pomerium-operator-has-been-replaced-by-pomerium-ingress-controller--see-ingresscontrollerconfigoperatormode-for-similar-functionality) + - [Pomerium operator has been replaced by Pomerium Ingress Controller. See `ingressController.config.operatorMode` for similar functionality.](#pomerium-operator-has-been-replaced-by-pomerium-ingress-controller-see-ingresscontrollerconfigoperatormode-for-similar-functionality) - [Pomerium Ingress Controller](#pomerium-ingress-controller) - [TLS Certificates](#tls-certificates) - [Ingress Controller Annotations](#ingress-controller-annotations) @@ -20,7 +21,9 @@ - [Redis Subchart](#redis-subchart) - [Configuration](#configuration) - [Changelog](#changelog) + - [33.0.0](#3300) - [32.0.0](#3200) + - [31.2.0](#3120) - [31.0.0](#3100) - [30.0.0](#3000) - [29.0.0](#2900) @@ -88,9 +91,11 @@ - [Prometheus Operator](#prometheus-operator) - [Prometheus kubernetes_sd_configs](#prometheus-kubernetes_sd_configs) -## TL;DR; +## DEPRECATION + +Helm installation is no longer recommended for new deployments, please use [Manifests based deployment instead](https://www.pomerium.com/docs/k8s/quickstart). -Helm installation is no longer recommended for new deployments, please see https://github.com/pomerium/ingress-controller +## TL;DR; ```console helm install my-release pomerium/pomerium @@ -295,8 +300,6 @@ A full listing of Pomerium's configuration variables can be found on the [config | `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/reference/reference.html#identity-provider-client-secret). | Required | | `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/reference/reference.html#identity-provider-url). | Optional | | `authenticate.idp.scopes` | Identity [Provider Scopes](https://www.pomerium.io/configuration/#identity-provider-scopes). | Optional | -| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account) base64 encoded. | Optional | -| `authenticate.idp.serviceAccountYAML` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account) as inline YAML or JSON.

`authenticate.idp.serviceAccount` takes precedence. | Optional | | `authenticate.ingress.tls.secretName` | When using Pomerium Ingress Controller, the name of the TLS secret for the `authenticate` Ingress resource. If left unset, you may receive a non-deterministic certificate for requests to `authenticate.${rootDomain}`. This may become [pinned](https://www.ssl2buy.com/wiki/how-to-clear-hsts-settings-on-chrome-firefox-and-ie-browsers) if you are using HSTS. | `{}` | | `authenticate.ingress.annotations` | When using Pomerium Ingress Controller, set the annotations on the `authenticate` Ingress resource. Example: `cert-manager.io/cluster-issuer: letsencrypt-prod-http` | `{}` | | `authenticate.replicaCount` | Number of Authenticate pods to run | `1` | @@ -459,6 +462,12 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Changelog +### 33.0.0 + +- `idp.serviceAccount` is removed. Please see the [Upgrade Guide](https://www.pomerium.com/docs/overview/upgrading#since-0200) +- Update to v0.20.0 of Pomerium + + ### 32.0.0 - Update to v0.18 of Pomerium diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl index c6ac20b2..b13071b5 100644 --- a/charts/pomerium/templates/_helpers.tpl +++ b/charts/pomerium/templates/_helpers.tpl @@ -470,9 +470,6 @@ forward_auth_url: {{ printf "https://%s" ( include "pomerium.forwardAuth.name" . {{- end }} idp_client_id: {{ .Values.authenticate.idp.clientID }} idp_client_secret: {{ .Values.authenticate.idp.clientSecret }} -{{- if or .Values.authenticate.idp.serviceAccount .Values.authenticate.idp.serviceAccountYAML }} -idp_service_account: {{ include "pomerium.idp.serviceAccount" . }} -{{- end }} {{- if ne (include "pomerium.databroker.storage.type" . ) "memory" }} databroker_storage_tls_skip_verify: {{ .Values.databroker.storage.tlsSkipVerify }} {{- end }} @@ -558,15 +555,6 @@ routes: {{- end -}} {{- end -}} -{{/* Render idp_service_account */}} -{{- define "pomerium.idp.serviceAccount" -}} -{{- if .Values.authenticate.idp.serviceAccount -}} -{{- .Values.authenticate.idp.serviceAccount -}} -{{- else -}} -{{- .Values.authenticate.idp.serviceAccountYAML | toJson | b64enc -}} -{{- end -}} -{{- end -}} - {{/* Expand databroker storage type */}} {{- define "pomerium.databroker.storage.type" -}} {{- if .Values.redis.enabled -}} diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml index 40d21ada..3b05e546 100644 --- a/charts/pomerium/values.yaml +++ b/charts/pomerium/values.yaml @@ -203,7 +203,7 @@ ingressController: nameOverride: '' image: repository: 'pomerium/ingress-controller' - tag: 'sha-5294279' + tag: 'sha-5623bd8' pullPolicy: IfNotPresent deployment: annotations: {}