feat: add control over internal/external ports #335

Open

wants to merge 5 commits into base: main
2 changes: 1 addition & 1 deletion charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: pomerium
version: 33.0.1
version: 33.1.0
appVersion: v0.20.0
home: http://www.pomerium.com/
icon: https://www.pomerium.com/img/icon.svg
11 changes: 9 additions & 2 deletions charts/pomerium/README.md
Expand Up @@ -324,6 +324,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `authenticate.tls.cert` | TLS certificate for authenticate service | |
| `authenticate.tls.key` | TLS key for authenticate service | |
| `authenticate.proxied` | When `ingress.enabled` is false, add a `policy` entry for the authenticate service. This allows the proxy service to route traffic for `authenticate` directly | `true` |
| `proxy.internalPort` | Container port of the proxy | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
| `proxy.externalPort` | Service port of the proxy | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
| `proxy.nameOverride` | Name of the proxy service. | `proxy` |
| `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` |
| `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` |
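Review bot: the default column for `proxy.internalPort` and `proxy.externalPort` is written in terms of `config.insecure`, but the helpers that compute these defaults branch on `include "pomerium.proxy.insecure" .`, the proxy-specific check; word the default as "depending on whether the proxy runs in insecure mode" so readers who set proxy-level TLS options are not misled. It would also help to state the accepted form of the value here (an integer port, empty string to keep the default), since values.yaml initialises both keys to `''`.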
Expand Down Expand Up @@ -377,7 +379,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
| `image.tag` | Pomerium image tag | `v0.6.2` |
| `image.pullPolicy` | Pomerium image pull policy | `IfNotPresent` |
| `service.annotations` | Service annotations | `{}` |
| `service.externalPort` | Pomerium's port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
| `service.internalPort` | Pomerium's container port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
| `service.externalPort` | Pomerium's service port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
| `service.grpcTrafficPort.nameOverride` | Override name of grpc port in services. Only use if required for protocol detection by mesh or ingress services | `https`/`grpc` in `secure`/`insecure` mode |
| `service.httpTrafficPort.nameOverride` | Override name of http port in services. Only use if required for protocol detection by mesh or ingress services. Set to `http2` for istio when offloading mtls to the mesh. | `https`/`http` in `secure`/`insecure` mode |
| `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` |
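Review bot: `service.internalPort` is described only as "Pomerium's container port", but this PR also feeds `pomerium.trafficPort.number` into the new `ADDRESS` environment variable on the authenticate, authorize and databroker deployments, so the value is also the listen address of those processes; say so in this row. It is worth adding that `service.externalPort` is the port exposed by the Services in front of them, and that the two may now be set independently.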
Expand Down Expand Up @@ -462,12 +465,16 @@ A full listing of Pomerium's configuration variables can be found on the [config

## Changelog

### 33.1.0

- Allow setting internal ports by introducing `proxy.internalPort`, `service.internalPort`
- Allow setting external port of the proxy by introducing `proxy.externalPort`

### 33.0.0

- `idp.serviceAccount` is removed. Please see the [Upgrade Guide](https://www.pomerium.com/docs/overview/upgrading#since-0200)
- Update to v0.20.0 of Pomerium


### 32.0.0

- Update to v0.18 of Pomerium
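Review bot: the 33.1.0 entries list the new values but not the behavioural change that the authenticate, authorize and databroker deployments now set `ADDRESS` explicitly from `pomerium.trafficPort.number`; add a line for that, so operators who already pass `ADDRESS` by another route know the chart sets it too. A second line noting that `proxy.externalPort` does not follow `proxy.internalPort` (the Service port stays at 80/443 unless set) would also save questions.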
29 changes: 25 additions & 4 deletions charts/pomerium/templates/_helpers.tpl
Expand Up @@ -304,10 +304,14 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates

{{/*Expand the port number for secure or insecure mode */}}
{{- define "pomerium.trafficPort.number" -}}
{{- if .Values.config.insecure -}}
80
{{- if .Values.service.internalPort -}}
{{- .Values.service.internalPort -}}
{{- else -}}
{{- if .Values.config.insecure -}}
80
{{- else -}}
443
{{- end -}}
{{- end -}}
{{- end -}}
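Review bot: the nested if/else in `pomerium.trafficPort.number` reads better as an `else if` chain, which Go templates support: `{{- if .Values.service.internalPort }}{{ .Values.service.internalPort }}{{ else if .Values.config.insecure }}80{{ else }}443{{ end -}}`; the empty-string default in values.yaml is falsy, so the fallback is unchanged. Since the output is interpolated unchecked into `ADDRESS` and into port fields, consider a `fail` guard when the value is set but is not an integer in 1-65535, so a typo is caught at render time rather than at pod start.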

Expand Down Expand Up @@ -340,10 +344,14 @@ https

{{/*Expand the proxy's port number for secure or insecure mode */}}
{{- define "pomerium.proxy.trafficPort.number" -}}
{{- if (include "pomerium.proxy.insecure" .) -}}
80
{{- if .Values.proxy.internalPort -}}
{{- .Values.proxy.internalPort -}}
{{- else -}}
{{- if (include "pomerium.proxy.insecure" .) -}}
80
{{- else -}}
443
{{- end -}}
{{- end -}}
{{- end -}}
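Review bot: same structure as `pomerium.trafficPort.number`; an `else if` chain avoids the nesting: `{{- if .Values.proxy.internalPort }}{{ .Values.proxy.internalPort }}{{ else if (include "pomerium.proxy.insecure" .) }}80{{ else }}443{{ end -}}`. This helper now selects the proxy's container listen port, so confirm that the proxy deployment's `containerPort` and probes (not in this diff) are derived from it as well; otherwise the named `targetPort` in proxy-service.yaml would resolve to a port the container no longer listens on once `proxy.internalPort` is overridden.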

Expand Down Expand Up @@ -374,6 +382,19 @@ grpc is used for insecure rather than http for istio compatibility
{{- end -}}
{{- end -}}

{{/*Expand the proxy's service port number for secure or insecure mode */}}
{{- define "pomerium.proxy.externalPort" -}}
{{- if .Values.proxy.externalPort -}}
{{- .Values.proxy.externalPort -}}
{{- else -}}
{{- if (include "pomerium.proxy.insecure" .) -}}
80
{{- else -}}
443
{{- end -}}
{{- end -}}
{{- end -}}
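Review bot: `pomerium.proxy.externalPort` duplicates the insecure/secure fallback that `pomerium.proxy.trafficPort.number` already carries, and its name departs from the `*.trafficPort.number` convention of the neighbouring helpers; consider `pomerium.proxy.externalPort.number` (or similar) and the same `else if` flattening. The fallback is also a design choice to state explicitly: when only `proxy.internalPort` is set, the Service port still defaults to 80/443 instead of following the container port, which matches the README table but may surprise users who expect the two to stay aligned.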

{{/* Expand databroker client tls path */}}
{{- define "pomerium.databroker.storage.clientTLS.path" -}}
/pomerium/databroker-client-tls
2 changes: 2 additions & 0 deletions charts/pomerium/templates/authenticate-deployment.yaml
Expand Up @@ -62,6 +62,8 @@ spec:
{{- end }}
{{- end }}
env:
- name: ADDRESS
value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }}
{{- if or ( or ( and .Values.authenticate.tls.cert .Values.authenticate.tls.key ) .Values.authenticate.existingTLSSecret ) .Values.config.generateTLS }}
{{- include "pomerium.tls.internal.envVars" . | indent 8 }}
{{- end }}
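Review bot: `value: {{ printf ":%s" ... }}` renders an unquoted plain scalar such as `:443`; YAML accepts a leading colon followed by a non-space character, but piping through `| quote` (`value: {{ printf ":%s" (include "pomerium.trafficPort.number" .) | quote }}`) removes any doubt and is the usual form for env values in charts. Also check that this deployment's `containerPort` (outside the hunk) uses the same helper, so `ADDRESS`, the container port and the Service `targetPort` stay in step when `service.internalPort` is overridden.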
2 changes: 2 additions & 0 deletions charts/pomerium/templates/authorize-deployment.yaml
Expand Up @@ -64,6 +64,8 @@ spec:
{{- end }}
{{- end }}
env:
- name: ADDRESS
value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }}
{{- if or ( or ( and .Values.authorize.tls.cert .Values.authorize.tls.key ) .Values.authorize.existingTLSSecret ) .Values.config.generateTLS }}
{{- include "pomerium.tls.internal.envVars" . | indent 8 }}
{{- end }}
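Review bot: this is the second of three identical two-line `ADDRESS` entries (authenticate, authorize, databroker); a small named template, for example `pomerium.listenAddress.envVar`, included from each deployment would keep them in sync if the port logic changes again. The `| quote` remark made on authenticate-deployment.yaml applies here as well.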
2 changes: 2 additions & 0 deletions charts/pomerium/templates/databroker-deployment.yaml
Expand Up @@ -60,6 +60,8 @@ spec:
{{- end }}
{{- end }}
env:
- name: ADDRESS
value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }}
{{- if or ( or ( and .Values.databroker.tls.cert .Values.databroker.tls.key ) .Values.databroker.existingTLSSecret ) .Values.config.generateTLS }}
{{- include "pomerium.tls.internal.envVars" . | indent 8 }}
{{- end }}
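Review bot: binding the databroker on `service.internalPort` covers the server side only; its clients (authenticate, authorize, proxy) reach it through the Service, whose port is `service.externalPort`. If the chart builds the databroker service URL for those clients from a port value, verify it uses the external port, since this PR is precisely what lets the two values diverge.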
2 changes: 1 addition & 1 deletion charts/pomerium/templates/proxy-service.yaml
Expand Up @@ -36,7 +36,7 @@ spec:
externalTrafficPolicy: {{ .Values.proxy.service.externalTrafficPolicy }}
{{- end }}
ports:
- port: {{ template "pomerium.proxy.trafficPort.number" . }}
- port: {{ template "pomerium.proxy.externalPort" . }}
targetPort: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
protocol: TCP
name: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
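Review bot: taking `port` from `pomerium.proxy.externalPort` while `targetPort` stays the named port is the right split, since the container is untouched when only the Service port changes. Anything else in the chart that derives the proxy's external port (ingress backends, URL construction, the `authenticate.proxied` policy entry) should switch to the same helper rather than keep using `pomerium.proxy.trafficPort.number`, otherwise those references drift as soon as `proxy.externalPort` is set.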
8 changes: 7 additions & 1 deletion charts/pomerium/values.yaml
Expand Up @@ -150,6 +150,10 @@ databroker:
ca: ''

proxy:
# internalPort defaults to 80 or 443 depending on config.insecure unless overridden
internalPort: ''
# externalPort defaults to 80 or 443 depending on config.insecure unless overridden
externalPort: ''
fullnameOverride: ''
nameOverride: ''
existingTLSSecret: ''
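Review bot: the comments say the default depends on `config.insecure`, but the proxy helpers decide via `pomerium.proxy.insecure`; align the wording with the helper (and the README row) so the three places agree. Consider also showing the accepted form in the comment (`internalPort: 8443`, an integer port; empty string keeps the default), and if the chart ships a values.schema.json, add both keys there so a stray non-numeric value is rejected at `helm install` time instead of surfacing as a broken listen address.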
Expand Down Expand Up @@ -228,7 +232,9 @@ forwardAuth:
internal: false

service:
# externalPort defaults to 80 or 443 depending on config.insecure
# internalPort defaults to 80 or 443 depending on config.insecure unless overridden
internalPort: ''
# externalPort defaults to 80 or 443 depending on config.insecure unless overridden
externalPort: ''
annotations:
{}
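Review bot: the `externalPort` comment gains "unless overridden", matching the new `internalPort` one; the README describes `service.internalPort` as the container port, and this PR also turns it into `ADDRESS` for authenticate, authorize and databroker, so mirroring that sentence in the comment here saves users a trip to the README.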