From 6b3509d31f4c7c0b8a9f513b82f9beb7bb5e3113 Mon Sep 17 00:00:00 2001
From: Mert Acar <25368652+M4C4R@users.noreply.github.com>
Date: Wed, 26 Oct 2022 13:59:20 +0100
Subject: [PATCH 1/4] Add control over internal/external ports
---
 charts/pomerium/templates/_helpers.tpl | 29 ++++++++++++++++---
 .../templates/authenticate-deployment.yaml | 2 ++
 .../templates/authorize-deployment.yaml | 2 ++
 .../templates/databroker-deployment.yaml | 2 ++
 charts/pomerium/templates/proxy-service.yaml | 2 +-
 charts/pomerium/values.yaml | 6 ++++
 6 files changed, 38 insertions(+), 5 deletions(-)
diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
index c6ac20b2..4f5b812b 100644
--- a/charts/pomerium/templates/_helpers.tpl
+++ b/charts/pomerium/templates/_helpers.tpl
@@ -304,10 +304,14 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{/*Expand the port number for secure or insecure mode */}}
 {{- define "pomerium.trafficPort.number" -}}
-{{- if .Values.config.insecure -}}
-80
+{{- if .Values.service.internalPort -}}
+{{- .Values.service.internalPort -}}
 {{- else -}}
+{{- if .Values.config.insecure -}}
+80
+{{- else -}}
 443
+{{- end -}}
 {{- end -}}
 {{- end -}}
@@ -340,10 +344,14 @@ https
 {{/*Expand the proxy's port number for secure or insecure mode */}}
 {{- define "pomerium.proxy.trafficPort.number" -}}
-{{- if (include "pomerium.proxy.insecure" .) -}}
-80
+{{- if .Values.proxy.internalPort -}}
+{{- .Values.proxy.internalPort -}}
 {{- else -}}
+{{- if (include "pomerium.proxy.insecure" .) -}}
+80
+{{- else -}}
 443
+{{- end -}}
 {{- end -}}
 {{- end -}}
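Review bot: The override branch in `pomerium.trafficPort.number` emits `.Values.service.internalPort` verbatim, so any truthy value (a non-numeric string, a negative number, something above 65535) is rendered as the port, while `0` silently falls back to 80/443. The same pattern is repeated in `pomerium.proxy.trafficPort.number` in the next hunk and in the new `pomerium.proxy.externalPort` helper later in this commit. I would coerce and range-check inside the override branch, for example `{{- $p := int .Values.service.internalPort -}}` followed by `{{- if or (lt $p 1) (gt $p 65535) -}}{{- fail "service.internalPort must be between 1 and 65535" -}}{{- end -}}`, and then emit `{{- $p -}}`. The helper comments still say only "for secure or insecure mode" and should mention that an explicit value takes precedence.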
@@ -374,6 +382,19 @@ grpc is used for insecure rather than http for istio compatibility
 {{- end -}}
 {{- end -}}
+{{/*Expand the proxy's service port number for secure or insecure mode */}}
+{{- define "pomerium.proxy.externalPort" -}}
+{{- if .Values.proxy.externalPort -}}
+{{- .Values.proxy.externalPort -}}
+{{- else -}}
+{{- if (include "pomerium.proxy.insecure" .) -}}
+80
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Expand databroker client tls path */}}
 {{- define "pomerium.databroker.storage.clientTLS.path" -}}
 /pomerium/databroker-client-tls
diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
index b2096b15..f43e80f6 100644
--- a/charts/pomerium/templates/authenticate-deployment.yaml
+++ b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -62,6 +62,8 @@ spec:
 {{- end }}
 {{- end }}
 env:
+ - name: ADDRESS
+ value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }}
 {{- if or ( or ( and .Values.authenticate.tls.cert .Values.authenticate.tls.key ) .Values.authenticate.existingTLSSecret ) .Values.config.generateTLS }}
 {{- include "pomerium.tls.internal.envVars" . | indent 8 }}
 {{- end }}
diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml
index 5488c921..7f8c0fde 100644
--- a/charts/pomerium/templates/authorize-deployment.yaml
+++ b/charts/pomerium/templates/authorize-deployment.yaml
@@ -64,6 +64,8 @@ spec:
 {{- end }}
 {{- end }}
 env:
+ - name: ADDRESS
+ value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }}
 {{- if or ( or ( and .Values.authorize.tls.cert .Values.authorize.tls.key ) .Values.authorize.existingTLSSecret ) .Values.config.generateTLS }}
 {{- include "pomerium.tls.internal.envVars" . | indent 8 }}
 {{- end }}
diff --git a/charts/pomerium/templates/databroker-deployment.yaml b/charts/pomerium/templates/databroker-deployment.yaml
index 5811e40f..f9157972 100644
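Review bot: The new `ADDRESS` value in authenticate-deployment.yaml is rendered unquoted, so the YAML parser receives a plain scalar that begins with `:`; in practice it parses as a string, but the safer form for a templated env value is `value: {{ printf ":%s" (include "pomerium.trafficPort.number" .) | quote }}`. The same two lines are added to authorize-deployment.yaml and databroker-deployment.yaml. The variable is also set unconditionally as the first `env:` entry, so if the chart lets operators supply their own environment entries (not visible in this hunk) a second `ADDRESS` could conflict with it. The container port declaration and the probes sit outside the hunk and have to resolve to the same number for the pod to become ready.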
--- a/charts/pomerium/templates/databroker-deployment.yaml
+++ b/charts/pomerium/templates/databroker-deployment.yaml
@@ -60,6 +60,8 @@ spec:
 {{- end }}
 {{- end }}
 env:
+ - name: ADDRESS
+ value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }}
 {{- if or ( or ( and .Values.databroker.tls.cert .Values.databroker.tls.key ) .Values.databroker.existingTLSSecret ) .Values.config.generateTLS }}
 {{- include "pomerium.tls.internal.envVars" . | indent 8 }}
 {{- end }}
diff --git a/charts/pomerium/templates/proxy-service.yaml b/charts/pomerium/templates/proxy-service.yaml
index 95622411..59224030 100644
--- a/charts/pomerium/templates/proxy-service.yaml
+++ b/charts/pomerium/templates/proxy-service.yaml
@@ -36,7 +36,7 @@ spec:
 externalTrafficPolicy: {{ .Values.proxy.service.externalTrafficPolicy }}
 {{- end }}
 ports:
- - port: {{ template "pomerium.proxy.trafficPort.number" . }}
+ - port: {{ template "pomerium.proxy.externalPort" . }}
 targetPort: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
 protocol: TCP
 name: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index 40d21ada..85e5cd52 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -150,6 +150,10 @@ databroker:
 ca: ''
 proxy:
+ # internalPort defaults to 80 or 443 depending on config.insecure
+ internalPort: ''
+ # externalPort defaults to 80 or 443 depending on config.insecure
+ externalPort: ''
 fullnameOverride: ''
 nameOverride: ''
 existingTLSSecret: ''
@@ -228,6 +232,8 @@ forwardAuth:
 internal: false
 service:
+ # internalPort defaults to 80 or 443 depending on config.insecure
+ internalPort: ''
 # externalPort defaults to 80 or 443 depending on config.insecure
 externalPort: ''
 annotations:
From 28515122c0216c561ca8847e796fd3e695d24359 Mon Sep 17 00:00:00 2001
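Review bot: The proxy Service `port` in proxy-service.yaml now comes from `pomerium.proxy.externalPort`, but the diffstat for this commit shows no change to the proxy Deployment, whereas authenticate, authorize and databroker each gain an `ADDRESS` variable. Unless the proxy Deployment already derives its listen address from `pomerium.proxy.trafficPort.number` (not visible here), setting `proxy.internalPort` would change whatever references that helper without moving the proxy's listener. For LoadBalancer or NodePort Services this `port` is also what is reachable from outside the cluster, so firewall rules and NetworkPolicies written for 80/443 need revisiting when it is overridden; the README row for `proxy.externalPort` would be a good place to say so.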
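Review bot: The comments added under `proxy:` in values.yaml say the defaults depend on `config.insecure`, but the helpers in _helpers.tpl pick the proxy defaults from `include "pomerium.proxy.insecure" .`, which may not be the same switch. I would word the proxy comment as `# internalPort: container port the proxy listens on; defaults to 80 or 443 depending on whether the proxy runs in insecure mode`. Under `service:`, the comment does not say that `internalPort` applies to the authenticate, authorize and databroker containers alike, which is what the three Deployment hunks do. The default `''` is a string while a port number is expected, so a short note that an integer (for example `8443`) is the intended form would avoid quoting confusion.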
From: Mert Acar <25368652+M4C4R@users.noreply.github.com>
Date: Wed, 26 Oct 2022 14:03:55 +0100
Subject: [PATCH 2/4] Clarify comment
---
 charts/pomerium/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index 85e5cd52..e86f9ca0 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -150,9 +150,9 @@ databroker:
 ca: ''
 proxy:
- # internalPort defaults to 80 or 443 depending on config.insecure
+ # internalPort defaults to 80 or 443 depending on config.insecure unless overridden
 internalPort: ''
- # externalPort defaults to 80 or 443 depending on config.insecure
+ # externalPort defaults to 80 or 443 depending on config.insecure unless overridden
 externalPort: ''
 fullnameOverride: ''
 nameOverride: ''
@@ -232,9 +232,9 @@ forwardAuth:
 internal: false
 service:
- # internalPort defaults to 80 or 443 depending on config.insecure
+ # internalPort defaults to 80 or 443 depending on config.insecure unless overridden
 internalPort: ''
- # externalPort defaults to 80 or 443 depending on config.insecure
+ # externalPort defaults to 80 or 443 depending on config.insecure unless overridden
 externalPort: ''
 annotations: {}
From 78bb517466a9fc7011e7a29e063494ae48192041 Mon Sep 17 00:00:00 2001
From: Mert Acar <25368652+M4C4R@users.noreply.github.com>
Date: Wed, 26 Oct 2022 14:12:10 +0100
Subject: [PATCH 3/4] Add new parameters to README.md
---
 charts/pomerium/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index f8c22a55..4933ed2b 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -321,6 +321,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `authenticate.tls.cert` | TLS certificate for authenticate service | |
 | `authenticate.tls.key` | TLS key for authenticate service | |
 | `authenticate.proxied` | When `ingress.enabled` is false, add a `policy` entry for the authenticate service. This allows the proxy service to route traffic for `authenticate` directly | `true` |
+| `proxy.internalPort` | Container port of the proxy | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
+| `proxy.externalPort` | Service port of the proxy | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
 | `proxy.nameOverride` | Name of the proxy service. | `proxy` |
 | `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` |
 | `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` |
@@ -374,7 +376,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `image.tag` | Pomerium image tag | `v0.6.2` |
 | `image.pullPolicy` | Pomerium image pull policy | `IfNotPresent` |
 | `service.annotations` | Service annotations | `{}` |
-| `service.externalPort` | Pomerium's port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
+| `service.internalPort` | Pomerium's container port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
+| `service.externalPort` | Pomerium's service port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` |
 | `service.grpcTrafficPort.nameOverride` | Override name of grpc port in services. Only use if required for protocol detection by mesh or ingress services | `https`/`grpc` in `secure`/`insecure` mode |
 | `service.httpTrafficPort.nameOverride` | Override name of http port in services. Only use if required for protocol detection by mesh or ingress services. Set to `http2` for istio when offloading mtls to the mesh. | `https`/`http` in `secure`/`insecure` mode |
 | `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` |
From fc8a67232c60927be646d0f028429953523e2dc6 Mon Sep 17 00:00:00 2001
From: Mert Acar <25368652+M4C4R@users.noreply.github.com>
Date: Wed, 26 Oct 2022 14:18:27 +0100
Subject: [PATCH 4/4] Add changelog
---
 charts/pomerium/Chart.yaml | 2 +-
 charts/pomerium/README.md | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index b90b2709..0131e5da 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pomerium
-version: 32.1.0
+version: 32.2.0
 appVersion: v0.18.0
 home: http://www.pomerium.com/
 icon: https://www.pomerium.com/img/icon.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index 4933ed2b..e3bf2c8f 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -462,6 +462,11 @@ A full listing of Pomerium's configuration variables can be found on the [config
 ## Changelog
+### 32.2.0
+
+- Allow setting internal ports by introducing `proxy.internalPort`, `service.internalPort`
+- Allow setting external port of the proxy by introducing `proxy.externalPort`
+
 ### 32.0.0
 - Update to v0.18 of Pomerium