Release v0.0.3
Auth Module Release v0.0.3
Welcome to the latest release of the Auth module for the Kubernetes Fury Distribution.
This is a maintenance release to update the Pomerium package. This update includes breaking changes in Pomerium.
Included packages
Package | Current Version | Previous Version |
---|---|---|
dex |
v2.35.3 |
No update |
gangway |
v3.2.0 |
No update |
pomerium |
v0.21.0 |
0.15.8 |
New features 🌟
- Enabled Pomerium metrics and a ServiceMonitor to configure Prometheus Operator to scrape them automatically.
- Added 2 Grafana dashboards to visualize Pomerium's metrics, one for Pomerium itself and another one for the underlying Envoy proxy.
Breaking Changes 💔
There are three breaking changes in this version:
- Pomerium has deprecated the
policy
field in the configuration in favour ofroutes
. You'll need to adapt your policy file to the new format. - Value of
grpc_address
in Pomerium's configuration must be different formaddress
. See the example policy. - Forward mode has been deprecated in Pomerium 0.21.
Continue reading the update guide section to learn more.
Update Guide 🦮
Process
To upgrade this module from v0.0.2
to v0.0.3
, you need to download this new version and do the following changes before applying the kustomize
project:
- Edit your policy configuration file to use
routes
instead ofpolicy
, for example, from:
policy:
# from and to should be set to the prometheus ingress
- from: https://prometheus.example.com
to: https://prometheus.example.com
allowed_idp_claims:
groups:
# ldap groups configured in dex
- group1
- group2
to:
routes:
- from: https://prometheus.example.com
to: https://prometheus.monitoring.svc # notice the internal service. See (2.) below.
policy:
- allow:
or:
- claim/groups: group1
- claim/groups: group2
# - email:
# is: someone@sighup.io
- Forward auth mode has been deprecated by Pomerium in v0.21.0 (the one included in this release), you will need to switch to proxy auth.
If you were using forward auth with annotations in your ingresses, you will need to adjust them.
For example, if you had an ingress for Grafana in the monitoring
namespace with the following annotations:
nginx.ingress.kubernetes.io/auth-url: "https://pomerium.example.com/verify?uri=$scheme://$host$request_uri"
nginx.ingress.kubernetes.io/auth-signin: "https://pomerium.example.com/?uri=$scheme://$host$request_uri"
You will have to:
2.1. Create a new ingress in the pomerium
namespace with the hostname for Grafana using the pomerium
service and the http
as backend configuration.
2.2. In the policy definition file, make sure that the from
field matches the hostname and that the to
field points to grafana's service (the one same that the ingress in the monitoring namespace).
2.3. Delete the Ingress in the monitoring
namespace.
2.4 Repeat for the other ingresses.
- Finally, apply the kustomization project:
kustomize build | kubectl apply -f -