From 232111f21b5d4b0b3be248f1ef30082fff13b4f6 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Wed, 14 Aug 2019 18:52:14 -0400 Subject: [PATCH] [stable/pomerium] Scale out and docs improvements - Switch to a headless Authorize service to support client side load balancing - Allow independent replicaCount scaling of the different services - Add upgrading/changelog documentation and ToC Signed-off-by: Travis Groth --- stable/pomerium/Chart.yaml | 2 +- stable/pomerium/README.md | 114 +++++++++++------- .../templates/authenticate-deployment.yaml | 2 +- .../templates/authorize-deployment.yaml | 2 +- .../pomerium/templates/authorize-service.yaml | 1 + .../pomerium/templates/proxy-deployment.yaml | 2 +- stable/pomerium/values.yaml | 5 + 7 files changed, 82 insertions(+), 46 deletions(-) diff --git a/stable/pomerium/Chart.yaml b/stable/pomerium/Chart.yaml index 5de8a81b4246..19f80eb6c82c 100644 --- a/stable/pomerium/Chart.yaml +++ b/stable/pomerium/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: pomerium -version: 1.3.2 +version: 2.0.0 appVersion: 0.3.0 home: http://www.pomerium.io/ icon: https://www.pomerium.io/logo.svg diff --git a/stable/pomerium/README.md b/stable/pomerium/README.md index 3cbfb9650ed5..cbea2eefc867 100644 --- a/stable/pomerium/README.md +++ b/stable/pomerium/README.md @@ -2,6 +2,19 @@ [Pomerium](https://pomerium.io) is an [open-source](https://github.com/pomerium/pomerium) tool for managing secure access to internal applications and resources. +- [Pomerium](#pomerium) + - [TL;DR;](#tldr) + - [Install the chart](#install-the-chart) + - [Uninstalling the Chart](#uninstalling-the-chart) + - [Configuration](#configuration) + - [Changelog](#changelog) + - [2.0.0](#200) + - [Upgrading](#upgrading) + - [2.0.0](#200-1) + - [Metrics Discovery Configuration](#metrics-discovery-configuration) + - [Prometheus Operator](#prometheus-operator) + - [Prometheus kubernetes_sd_configs](#prometheus-kubernetessdconfigs) + ## TL;DR; ```console 
@@ -47,48 +60,65 @@ The command removes nearly all the Kubernetes components associated with the cha A full listing of Pomerium's configuration variables can be found on the [config reference page](https://www.pomerium.io/docs/config-reference.html). -Parameter | Description | Default ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- -`config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). | `corp.pomerium.io` -`config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` -`config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/config-reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) -`config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) -`config.policy` | Base64 encoded string containing the routes, and their access policies. | -`config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/config-reference.html#policy) in values -`authenticate.nameOverride` | Name of the authenticate service. | -`authenticate.fullnameOverride` | Full name of the authenticate service. | -`authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). 
[See more](https://www.pomerium.io/docs/config-reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` -`authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/config-reference.html#identity-provider-name). | `google` -`authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-id). | Required -`authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-secret). | Required -`authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/config-reference.html#identity-provider-url). | Optional -`authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/config-reference.html#identity-provider-service-account). | Optional -`proxy.nameOverride` | Name of the proxy service. | -`proxy.fullnameOverride` | Full name of the proxy service. | -`proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` -`proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` -`authorize.nameOverride` | Name of the authorize service. | -`authorize.fullnameOverride` | Full name of the authorize service. 
| -`images.server.repository` | Pomerium image | `pomerium/pomerium` -`images.server.tag` | Pomerium image tag | `latest` -`images.server.pullPolicy` | Pomerium image pull policy | `Always` -`service.annotations` | Service annotations | `{}` -`service.externalPort` | Pomerium's port | `443` -`service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` -`serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` -`serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart -`serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` -`tracing.enabled` | Enable distributed tracing | `false` -`tracing.debug` | Set trace sampling to 100%. Use with caution! | `false` -`tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required -`tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required -`tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required -`ingress.enabled` | Enables Ingress for pomerium | `false` -`ingress.annotations` | Ingress annotations | `{}` -`ingress.hosts` | Ingress accepted hostnames | `nil` -`ingress.tls` | Ingress TLS configuration | `[]` -`metrics.enabled` | Enable prometheus metrics endpoint | `false` -`metrics.port` | Prometheus metrics endpoint port | `9090` +| Parameter | Description | Default | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | +| `config.rootDomain` | Root Domain specifies the sub-domain handled by pomerium. [See more](https://www.pomerium.io/docs/config-reference.html#proxy-root-domains). 
| `corp.pomerium.io` | +| `config.generateTLS` | Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | `true` | +| `config.sharedSecret` | 256 bit key to secure service communication. [See more](https://www.pomerium.io/docs/config-reference.html#shared-secret). | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.cookieSecret` | Cookie secret is a 32 byte key used to encrypt user sessions. | 32 [random ascii chars](http://masterminds.github.io/sprig/strings.html) | +| `config.policy` | Base64 encoded string containing the routes, and their access policies. | +| `config.policyFile` | Relative file location of the policy file which contains the routes, and their access policies. | [See example](https://www.pomerium.io/docs/config-reference.html#policy) in values | +| `authenticate.nameOverride` | Name of the authenticate service. | +| `authenticate.fullnameOverride` | Full name of the authenticate service. | +| `authenticate.redirectUrl` | Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). [See more](https://www.pomerium.io/docs/config-reference.html#redirect-url). | `https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback` | +| `authenticate.idp.provider` | Identity [Provider Name](https://www.pomerium.io/docs/config-reference.html#identity-provider-name). | `google` | +| `authenticate.idp.clientID` | Identity Provider oauth [client ID](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-id). | Required | +| `authenticate.idp.clientSecret` | Identity Provider oauth [client secret](https://www.pomerium.io/docs/config-reference.html#identity-provider-client-secret). | Required | +| `authenticate.idp.url` | Identity [Provider URL](https://www.pomerium.io/docs/config-reference.html#identity-provider-url). 
| Optional | +| `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/config-reference.html#identity-provider-service-account). | Optional | +| `authenticate.replicaCount` | Number of Authenticate pods to run | | `1` | +| `proxy.nameOverride` | Name of the proxy service. | +| `proxy.fullnameOverride` | Full name of the proxy service. | +| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` | +| `proxy.authorizeServiceUrl` | The externally accessible url for the authorize service. | `https://{{authorize.name}}.{{config.rootDomain}}` | +| `proxy.replicaCount` | Number of Proxy pods to run | | `1` | +| `authorize.nameOverride` | Name of the authorize service. | +| `authorize.fullnameOverride` | Full name of the authorize service. | +| `authorize.replicaCount` | Number of Authorize pods to run | | `1` | +| `images.server.repository` | Pomerium image | `pomerium/pomerium` | +| `images.server.tag` | Pomerium image tag | `latest` | +| `images.server.pullPolicy` | Pomerium image pull policy | `Always` | +| `service.annotations` | Service annotations | `{}` | +| `service.externalPort` | Pomerium's port | `443` | +| `service.type` | Service type (ClusterIP, NodePort or LoadBalancer) | `ClusterIP` | +| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | +| `serviceMonitor.namespace` | Namespace to create the ServiceMonitor resource in | The namespace of the chart | +| `serviceMonitor.labels` | Additional labels to apply to the ServiceMonitor resource | `release: prometheus` | +| `tracing.enabled` | Enable distributed tracing | `false` | +| `tracing.debug` | Set trace sampling to 100%. Use with caution! 
| `false` | +| `tracing.provider` | Specifies the tracing provider to configure (Valid options: Jaeger) | Required | +| `tracing.jaeger.collector_endpoint` | The jaeger collector endpoint | Required | +| `tracing.jaeger.agent_endpoint` | The jaeger agent endpoint | Required | +| `ingress.enabled` | Enables Ingress for pomerium | `false` | +| `ingress.annotations` | Ingress annotations | `{}` | +| `ingress.hosts` | Ingress accepted hostnames | `nil` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| `metrics.enabled` | Enable prometheus metrics endpoint | `false` | +| `metrics.port` | Prometheus metrics endpoint port | `9090` | + +## Changelog + +### 2.0.0 + +- Expose replica count for individual services +- Switch Authorize service to CluserIP for client side load balancing + - You must run pomerium v0.3.0+ to support this feature correctly + +## Upgrading + +### 2.0.0 + +- You will need to run `helm upgrade --force` to recreate the authorize service correctly ## Metrics Discovery Configuration diff --git a/stable/pomerium/templates/authenticate-deployment.yaml b/stable/pomerium/templates/authenticate-deployment.yaml index 6d47a9f808fe..9d4cec61b0a7 100644 --- a/stable/pomerium/templates/authenticate-deployment.yaml +++ b/stable/pomerium/templates/authenticate-deployment.yaml @@ -15,7 +15,7 @@ metadata: {{ toYaml .Values.annotations | indent 4 }} {{- end }} spec: - replicas: {{ .Values.replicaCount }} + replicas: {{ default .Values.replicaCount .Values.authenticate.replicaCount }} selector: matchLabels: app.kubernetes.io/name: {{ template "pomerium.authenticate.name" . }} diff --git a/stable/pomerium/templates/authorize-deployment.yaml b/stable/pomerium/templates/authorize-deployment.yaml index f4490c43ec41..f4889f636c20 100644 --- a/stable/pomerium/templates/authorize-deployment.yaml +++ b/stable/pomerium/templates/authorize-deployment.yaml 
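Review bot: The new `replicas` line uses Sprig's `default`, which treats `0` as an empty value, so `authenticate.replicaCount: 0` silently falls back to the global `replicaCount` and the Authenticate deployment can never be scaled to zero through its own key. A key-presence check keeps the fallback while honouring an explicit zero: `replicas: {{ if hasKey .Values.authenticate "replicaCount" }}{{ .Values.authenticate.replicaCount }}{{ else }}{{ .Values.replicaCount }}{{ end }}`. The authorize and proxy deployments below use the same `default` construction and have the same limitation; if the fallback-on-zero behaviour is intended, the README rows for `*.replicaCount` should say that the value must be 1 or greater. The Deployment spec this line belongs to continues outside the hunk.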
@@ -15,7 +15,7 @@ metadata:
 {{ toYaml .Values.annotations | indent 4 }}
 {{- end }}
 spec:
- replicas: {{ .Values.replicaCount }}
+ replicas: {{ default .Values.replicaCount .Values.authorize.replicaCount }}
 selector:
 matchLabels:
 app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
diff --git a/stable/pomerium/templates/authorize-service.yaml b/stable/pomerium/templates/authorize-service.yaml
index b28bd1b9144a..399a868411fe 100644
--- a/stable/pomerium/templates/authorize-service.yaml
+++ b/stable/pomerium/templates/authorize-service.yaml
@@ -16,6 +16,7 @@ metadata:
 {{ toYaml .Values.service.annotations | indent 4 }}
 {{- end }}
 spec:
+ clusterIP: None
 type: {{ .Values.service.type }}
 ports:
 - port: {{ .Values.service.externalPort }}
diff --git a/stable/pomerium/templates/proxy-deployment.yaml b/stable/pomerium/templates/proxy-deployment.yaml
index 804de8469d18..a5165a7aaa33 100644
--- a/stable/pomerium/templates/proxy-deployment.yaml
+++ b/stable/pomerium/templates/proxy-deployment.yaml
@@ -15,7 +15,7 @@ metadata:
 {{ toYaml .Values.annotations | indent 4 }}
 {{- end }}
 spec:
- replicas: {{ .Values.replicaCount }}
+ replicas: {{ default .Values.replicaCount .Values.proxy.replicaCount }}
 selector:
 matchLabels:
 app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
diff --git a/stable/pomerium/values.yaml b/stable/pomerium/values.yaml
index cb020b7201ea..a1765237c41d 100644
--- a/stable/pomerium/values.yaml
+++ b/stable/pomerium/values.yaml
@@ -30,6 +30,8 @@ authenticate:
 key: ""
 defaultSANList: []
 defaultIPList: []
+ # replicaCount: 1
+
 authorize:
 # fullnameOverride: authorize
@@ -39,6 +41,8 @@ authorize:
 key: ""
 defaultSANList: []
 defaultIPList: []
+ # replicaCount: 1
+
 proxy:
 # fullnameOverride: proxy
@@ -48,6 +52,7 @@ proxy:
 key: ""
 defaultSANList: []
 defaultIPList: []
+ # replicaCount: 1
 authenticateServiceUrl: ""
 authorizeServiceUrl: ""
 authorizeInternalUrl: ""
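Review bot: `clusterIP: None` is hard-coded in the authorize Service while `type:` on the following line is still rendered from `.Values.service.type`, and the README documents NodePort and LoadBalancer as accepted values; a headless Service is only valid with type ClusterIP, so either of those settings now renders an authorize Service the API server rejects. Because this Service exists specifically for the proxy's client-side load balancing, pin it with `type: ClusterIP` here (leaving `.Values.service.type` for the externally reachable services) or add a fail-fast guard such as `{{ if ne .Values.service.type "ClusterIP" }}{{ fail "authorize service must be ClusterIP (headless)" }}{{ end }}`, and state the restriction in the README. With a headless Service the proxy presumably resolves individual authorize pod addresses through the service DNS name, so the hostname it dials (`proxy.authorizeInternalUrl` in values) must still match a SAN in the authorize certificate (`authorize.defaultSANList`); worth confirming and calling out in the Upgrading section, since a mismatch would fail TLS verification against every pod rather than one VIP. The Service spec continues outside the hunk.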