Merge pull request #3 from pomerium/desimone/helm-zero-poc

Add Pomerium Zero Helm chart

.github/workflows/helm.yaml

@@ -0,0 +1,23 @@
+name: Publish Helm Chart
+on:
+  release:
+    types:
+      - published
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+      - name: Install Helm CLI
+        run: |
+          curl -fsSL https://git.io/get_helm.sh | bash
+      - name: Login
+        run: |
+          helm registry login registry-1.docker.io --username="${{ secrets.DOCKERHUB_USER }}" --password="${{ secrets.DOCKERHUB_TOKEN }} "
+      - name: Package Chart
+        run: |
+          helm package ./zero/helm
+      - name: Push Chart
+        run: |
+          find ./zero/helm -type f -name "*.tgz" -exec helm push {} oci://registry-1.docker.io/pomerium \;

.prettierignore

@@ -0,0 +1,3 @@
+# Ignore Helm templates
+templates/
+charts/

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2024 Pomerium Inc
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

zero/helm/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: pomerium-zero
+description: A Helm chart for deploying Pomerium Zero
+type: application
+version: 0.27.2
+appVersion: "v0.27.2"
+home: https://www.pomerium.com/
+icon: https://www.pomerium.com/static-img/favicon.svg
+sources:
+  - https://github.com/pomerium/pomerium
+maintainers:
+  - name: Pomerium Team
+    email: support@pomerium.com
+keywords:
+  - pomerium
+  - zero
+  - identity-aware proxy
+  - access proxy

zero/helm/README.md

@@ -0,0 +1,76 @@
+# Pomerium Zero Helm Chart
+
+This Helm chart deploys Pomerium Zero, an identity-aware access proxy, on a Kubernetes cluster.
+
+## Prerequisites
+
+- Kubernetes 1.28+
+- Helm 3.8.0+
+- A valid Pomerium Zero token
+
+## Installing the Chart
+
+`helm install my-release oci://docker.io/pomerium/pomerium-zero --set pomeriumZeroToken=your-pomerium-zero-token`
+
+**Note:** Replace `your-pomerium-zero-token` with your actual Pomerium Zero token.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+`helm uninstall my-release`
+
+## Configuration
+
+The following table lists the configurable parameters of the Pomerium Zero chart and their default values.
+
+| Parameter           | Description                         | Default             |
+| ------------------- | ----------------------------------- | ------------------- |
+| `pomeriumZeroToken` | Pomerium Zero token (required)      | `""`                |
+| `image.repository`  | Image repository                    | `pomerium/pomerium` |
+| `image.tag`         | Image tag                           | `v0.27.2`           |
+| `image.pullPolicy`  | Image pull policy                   | `IfNotPresent`      |
+| `replicaCount`      | Number of replicas                  | `1`                 |
+| `resources`         | CPU/Memory resource requests/limits | `{}`                |
+| `service.type`      | Service type                        | `ClusterIP`         |
+| `service.port`      | Service port                        | `443`               |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
+
+`helm install my-release oci://docker.io/pomerium/pomerium-zero --set pomeriumZeroToken=your-pomerium-zero-token,replicaCount=2`
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:
+
+`helm install my-release oci://docker.io/pomerium/pomerium-zero -f values.yaml`
+
+## Upgrading the Chart
+
+To upgrade the `my-release` deployment:
+
+`helm upgrade my-release oci://docker.io/pomerium/pomerium-zero --set pomeriumZeroToken=your-pomerium-zero-token`
+
+## Exposing Pomerium Zero
+
+This Helm chart deploys Pomerium Zero with a LoadBalancer service type, making it externally accessible. This configuration is suitable for cloud environments that support LoadBalancer services.
+
+### Important Notes:
+
+1. **LoadBalancer IP**: After deployment, it may take a few minutes for the LoadBalancer IP to be assigned. You can check the status using:
+
+   ```
+   kubectl get svc -n <namespace> <release-name>
+   ```
+
+2. **Firewall Rules**: Depending on your environment, you may need to configure firewall rules or security groups to allow traffic to the LoadBalancer.
+
+3. **Costs**: Be aware that using a LoadBalancer service may incur additional costs in cloud environments.
+
+Remember to properly secure your Pomerium Zero instance to ensure the safety of your applications and data.
+
+## Support
+
+For support, please refer to the [Pomerium documentation](https://www.pomerium.com/docs/) or open an issue on the [Pomerium GitHub repository](https://github.com/pomerium/pomerium).
+
+## License
+
+This Helm chart is available under the [Apache 2.0 License](https://www.apache.org/licenses/LICENSE-2.0).

zero/helm/templates/NOTES.txt

@@ -0,0 +1,17 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+1. Important Notes:
+   - The 'pomeriumZeroToken' is required for this chart. Ensure it's set in your values.yaml file or provided via the --set flag during installation.
+   - If 'pomeriumZeroToken' is not set, the installation will fail.
+
+2. Verify the deployment:
+   kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "pomerium-zero.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
+
+4. Learn more about the release:
+   helm status {{ .Release.Name }}
+   helm get all {{ .Release.Name }}
+
+5. For more information on configuring Pomerium Zero, visit:
+   https://www.pomerium.com/docs/

zero/helm/templates/_helpers.tpl

@@ -0,0 +1,60 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pomerium-zero.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "pomerium-zero.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pomerium-zero.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "pomerium-zero.labels" -}}
+helm.sh/chart: {{ include "pomerium-zero.chart" . }}
+{{ include "pomerium-zero.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "pomerium-zero.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "pomerium-zero.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Validate required values
+*/}}
+{{- define "pomerium-zero.validateValues" -}}
+{{- if not .Values.pomeriumZeroToken -}}
+{{- fail "pomeriumZeroToken is required. Please set it in your values.yaml or provide it via --set flag." -}}
+{{- end -}}
+{{- end -}}

zero/helm/templates/deployment.yaml

@@ -0,0 +1,139 @@
+{{- include "pomerium-zero.validateValues" . -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "pomerium-zero.fullname" . }}
+  labels:
+    {{- include "pomerium-zero.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "pomerium-zero.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "pomerium-zero.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      serviceAccountName: pomerium-zero
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: POMERIUM_ZERO_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "pomerium-zero.fullname" . }}
+                  key: pomerium_zero_token
+            - name: POMERIUM_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: BOOTSTRAP_CONFIG_FILE
+              value: "/var/run/secrets/pomerium/bootstrap.dat"
+            - name: BOOTSTRAP_CONFIG_WRITEBACK_URI
+              value: "secret://$(POMERIUM_NAMESPACE)/{{ include "pomerium-zero.fullname" . }}/bootstrap"
+            - name: XDG_CACHE_HOME
+              value: /tmp/pomerium/cache
+            - name: XDG_DATA_HOME
+              value: /tmp/pomerium/cache
+            {{- with .Values.extraEnvVars }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          ports:
+            - containerPort: 443
+              name: https
+              protocol: TCP
+            - containerPort: 9090
+              name: metrics
+              protocol: TCP
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: bootstrap
+              mountPath: /var/run/secrets/pomerium
+              readOnly: true
+            {{- with .Values.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: https
+              scheme: HTTPS
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: https
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+            periodSeconds: 5
+            successThreshold: 1
+            failureThreshold: 60
+        {{- with .Values.extraContainers }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.initContainers }}
+      initContainers:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.podDisruptionBudget }}
+      podDisruptionBudget:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.runtimeClassName }}
+      runtimeClassName: {{ .Values.runtimeClassName | quote }}
+      {{- end }}
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: bootstrap
+          secret:
+            items:
+            - key: bootstrap
+              path: bootstrap.dat
+            optional: true
+            secretName: {{ include "pomerium-zero.fullname" . }}
+        {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}

zero/helm/templates/rbac.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    {{- include "pomerium-zero.labels" . | nindent 4 }}
+  name: pomerium-zero
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "pomerium-zero.labels" . | nindent 4 }}
+  name: pomerium-zero
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - patch
+  resourceNames:
+  - {{ include "pomerium-zero.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    {{- include "pomerium-zero.labels" . | nindent 4 }}
+  name: pomerium-zero
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: pomerium-zero
+subjects:
+- kind: ServiceAccount
+  name: pomerium-zero
+  namespace: {{ .Release.Namespace }}