Skip to content

Release v0.0.3
Compare
Choose a tag to compare
@SIGHUP-C-3PO SIGHUP-C-3PO released this 14 Mar 09:22
· 32 commits to main since this release
v0.0.3
5137b82
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Auth Module Release v0.0.3

Welcome to the latest release of the Auth module for the Kubernetes Fury Distribution.

This is a maintenance release to update the Pomerium package. This update includes breaking changes in Pomerium.

Included packages

Package Current Version Previous Version
dex v2.35.3 No update
gangway v3.2.0 No update
pomerium v0.21.0 0.15.8

New features 🌟

  • Enabled Pomerium metrics and a ServiceMonitor to configure Prometheus Operator to scrape them automatically.
  • Added 2 Grafana dashboards to visualize Pomerium's metrics, one for Pomerium itself and another one for the underlying Envoy proxy.

Breaking Changes 💔

There are three breaking changes in this version:

  1. Pomerium has deprecated the policy field in the configuration in favour of routes. You'll need to adapt your policy file to the new format.
  2. Value of grpc_address in Pomerium's configuration must be different form address. See the example policy.
  3. Forward mode has been deprecated in Pomerium 0.21.

Continue reading the update guide section to learn more.

Update Guide 🦮

Process

To upgrade this module from v0.0.2 to v0.0.3, you need to download this new version and do the following changes before applying the kustomize project:

  1. Edit your policy configuration file to use routes instead of policy, for example, from:
policy:
  # from and to should be set to the prometheus ingress
  - from: https://prometheus.example.com
    to: https://prometheus.example.com
    allowed_idp_claims:
      groups:
        # ldap groups configured in dex
        - group1
        - group2

to:

routes:
  - from: https://prometheus.example.com
    to: https://prometheus.monitoring.svc  # notice the internal service. See (2.) below.
    policy:
      - allow:
          or:
            - claim/groups: group1
            - claim/groups: group2
            # - email:
               # is: someone@sighup.io
  1. Forward auth mode has been deprecated by Pomerium in v0.21.0 (the one included in this release), you will need to switch to proxy auth.

If you were using forward auth with annotations in your ingresses, you will need to adjust them.

For example, if you had an ingress for Grafana in the monitoring namespace with the following annotations:

    nginx.ingress.kubernetes.io/auth-url: "https://pomerium.example.com/verify?uri=$scheme://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-signin: "https://pomerium.example.com/?uri=$scheme://$host$request_uri"

You will have to:

2.1. Create a new ingress in the pomerium namespace with the hostname for Grafana using the pomerium service and the http as backend configuration.
2.2. In the policy definition file, make sure that the from field matches the hostname and that the to field points to grafana's service (the one same that the ingress in the monitoring namespace).
2.3. Delete the Ingress in the monitoring namespace.
2.4 Repeat for the other ingresses.

  1. Finally, apply the kustomization project:
kustomize build | kubectl apply -f -
Assets 5