From e162eac5453a941822e8bfed80c1c9377d2cc11d Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Mon, 8 Jul 2019 18:43:10 -0400 Subject: [PATCH 1/4] [stable/pomerium] bugfixes fix config checksum: based on file and only for pods deployment: fix missing resources field Signed-off-by: Travis Groth --- stable/pomerium/templates/authenticate-deployment.yaml | 6 +++++- stable/pomerium/templates/authorize-deployment.yaml | 7 +++++-- stable/pomerium/templates/proxy-deployment.yaml | 7 +++++-- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/stable/pomerium/templates/authenticate-deployment.yaml b/stable/pomerium/templates/authenticate-deployment.yaml index 83628189b76d..dbc195e2c534 100644 --- a/stable/pomerium/templates/authenticate-deployment.yaml +++ b/stable/pomerium/templates/authenticate-deployment.yaml @@ -23,7 +23,9 @@ spec: template: metadata: annotations: - config/checksum: {{ print .Values.config.extraOpts | sha256sum }} + {{- /* policy is already covered by hot-reloading */}} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} {{- end }} @@ -132,6 +134,8 @@ spec: configMap: name: {{ $configName }} {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} {{- if .Values.extraVolumes }} volumes: {{- toYaml .Values.extraVolumes | indent 8 }} diff --git a/stable/pomerium/templates/authorize-deployment.yaml b/stable/pomerium/templates/authorize-deployment.yaml index fa4002044ce3..4c146392d28b 100644 --- a/stable/pomerium/templates/authorize-deployment.yaml +++ b/stable/pomerium/templates/authorize-deployment.yaml 
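Review bot: The new `checksum/secret` annotation publishes a SHA-256 of the fully rendered Secret manifest on every Pod, and Pod metadata is readable with much weaker RBAC than `get secrets`; the digest is a verifiable commitment to the secret values, so the trade-off deserves a comment next to the hot-reload one rather than being left implicit, e.g. `{{- /* checksum/secret hashes the rendered Secret manifest; the digest is visible to anyone who can read Pods */}}`. If secret.yaml derives any value from a per-render generator such as `randAlphaNum`, the digest also changes on every `helm upgrade` and forces a rollout each time — secret.yaml is not in this patch, so please confirm. The same annotation block is added in authorize-deployment.yaml and proxy-deployment.yaml; the pod template continues outside the hunk.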
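Review bot: `resources:` followed by `{{ toYaml .Values.resources | indent 10 }}` is emitted unconditionally, so the field renders as `resources: null` when the value is unset and `resources: {}` when it is an empty map; both are accepted by the API server, but the field then says nothing about whether limits were intended. Guarding the two lines with `{{- with .Values.resources }}` and `{{- end }}` (using `toYaml .` inside) keeps the manifest explicit and lets a chart consumer tell an unset value from a deliberate empty one. The identical insertion appears in authorize-deployment.yaml and proxy-deployment.yaml; the container spec continues outside the hunk.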
@@ -12,7 +12,6 @@ metadata: name: {{ template "pomerium.authorize.fullname" . }} {{- if .Values.annotations }} annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{ toYaml .Values.annotations | indent 4 }} {{- end }} spec: @@ -24,7 +23,9 @@ spec: template: metadata: annotations: - config/checksum: {{ print .Values.config.extraOpts | sha256sum }} + {{- /* policy is already covered by hot-reloading */}} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} {{- end }} @@ -105,6 +106,8 @@ spec: configMap: name: {{ $configName }} {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} {{- if .Values.extraVolumes }} volumes: {{- toYaml .Values.extraVolumes | indent 8 }} diff --git a/stable/pomerium/templates/proxy-deployment.yaml b/stable/pomerium/templates/proxy-deployment.yaml index 8caa9f0c0dd5..14d5dda025da 100644 --- a/stable/pomerium/templates/proxy-deployment.yaml +++ b/stable/pomerium/templates/proxy-deployment.yaml @@ -12,7 +12,6 @@ metadata: name: {{ template "pomerium.proxy.fullname" . }} {{- if .Values.annotations }} annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{ toYaml .Values.annotations | indent 4 }} {{- end }} spec: @@ -24,7 +23,9 @@ spec: template: metadata: annotations: - config/checksum: {{ print .Values.config.extraOpts | sha256sum }} + {{- /* policy is already covered by hot-reloading */}} + checksum/config: {{ print .Values.config.extraOpts | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | indent 8 }} {{- end }} 
@@ -116,6 +117,8 @@ spec: configMap: name: {{ $configName }} {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} {{- if .Values.extraVolumes }} volumes: {{- toYaml .Values.extraVolumes | indent 8 }} From 5e358e92ad0375de3802272169b8f6f7a028ff06 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Sun, 7 Jul 2019 19:25:48 -0400 Subject: [PATCH 2/4] [stable/pomerium] v0.1.0 release - Expose metrics port and update documentation - Bump chart and app version for v0.1.0 release Signed-off-by: Travis Groth --- stable/pomerium/Chart.yaml | 4 +- stable/pomerium/README.md | 47 +++++++++++++++++++ .../templates/authenticate-deployment.yaml | 3 ++ .../templates/authorize-deployment.yaml | 3 ++ stable/pomerium/templates/configmap.yaml | 3 ++ .../pomerium/templates/proxy-deployment.yaml | 3 ++ stable/pomerium/values.yaml | 6 ++- 7 files changed, 66 insertions(+), 3 deletions(-) diff --git a/stable/pomerium/Chart.yaml b/stable/pomerium/Chart.yaml index 6d2e7495c30f..8746a817bc5a 100644 --- a/stable/pomerium/Chart.yaml +++ b/stable/pomerium/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: pomerium -version: 1.1.0 -appVersion: 0.0.5 +version: 1.2.0 +appVersion: 0.1.0 home: http://www.pomerium.io/ icon: https://www.pomerium.io/logo.svg description: Pomerium is an identity-aware access proxy. diff --git a/stable/pomerium/README.md b/stable/pomerium/README.md index f53448abdb4c..24d9da664f4b 100644 --- a/stable/pomerium/README.md +++ b/stable/pomerium/README.md 
@@ -79,3 +79,50 @@ Parameter | Description `ingress.annotations` | Ingress annotations | `{}` `ingress.hosts` | Ingress accepted hostnames | `nil` `ingress.tls` | Ingress TLS configuration | `[]` +`metrics.enabled` | Enable prometheus metrics endpoint | `false` +`metrics.port` | Prometheus metrics endpoint port | `9090` + +## Metrics Discovery Configuration + + +### Prometheus kubernetes_sd_configs + +Example chart values: + +```yaml +metrics: + enabled: true + port: 9090 # default +service: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9090" +``` + +Example prometheus discovery config: +```yaml +- job_name: 'pomerium' +metrics_path: /metrics +kubernetes_sd_configs: +- role: endpoints +relabel_configs: +- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true +- source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance] + action: keep + regex: pomerium +- action: labelmap + regex: __meta_kubernetes_service_label_(.+) +- source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace +- source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name +- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ +``` diff --git a/stable/pomerium/templates/authenticate-deployment.yaml b/stable/pomerium/templates/authenticate-deployment.yaml index dbc195e2c534..6e045d53b6c8 100644 --- a/stable/pomerium/templates/authenticate-deployment.yaml +++ b/stable/pomerium/templates/authenticate-deployment.yaml @@ -115,6 +115,9 @@ spec: - containerPort: 443 name: https protocol: TCP + - containerPort: {{ .Values.metrics.port }} + name: metrics + protocol: TCP livenessProbe: httpGet: path: /ping 
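Review bot: The `metrics` containerPort is declared unconditionally, while the configmap.yaml hunk in this same patch only sets `metrics_address` when `.Values.metrics.enabled` is true, so with the default `enabled: false` every pod advertises a port that nothing listens on. Wrapping the three added lines in `{{- if .Values.metrics.enabled }}` … `{{- end }}` keeps the declared port consistent with the rendered config. The same unconditional block is added in authorize-deployment.yaml and proxy-deployment.yaml; the container spec continues outside the hunk.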
diff --git a/stable/pomerium/templates/authorize-deployment.yaml b/stable/pomerium/templates/authorize-deployment.yaml index 4c146392d28b..9a25c3dcc836 100644 --- a/stable/pomerium/templates/authorize-deployment.yaml +++ b/stable/pomerium/templates/authorize-deployment.yaml @@ -87,6 +87,9 @@ spec: - containerPort: 443 name: https protocol: TCP + - containerPort: {{ .Values.metrics.port }} + name: metrics + protocol: TCP livenessProbe: httpGet: path: /ping diff --git a/stable/pomerium/templates/configmap.yaml b/stable/pomerium/templates/configmap.yaml index 09facb326faf..7f47e9b0b577 100644 --- a/stable/pomerium/templates/configmap.yaml +++ b/stable/pomerium/templates/configmap.yaml @@ -19,6 +19,9 @@ data: {{- if .Values.config.extraOpts }} {{ toYaml .Values.config.extraOpts | indent 4 -}} {{- end -}} +{{- if .Values.metrics.enabled }} + metrics_address: :{{ .Values.metrics.port }} +{{- end -}} {{- if .Values.config.policy }} policy: {{ toYaml .Values.config.policy | indent 6 }} diff --git a/stable/pomerium/templates/proxy-deployment.yaml b/stable/pomerium/templates/proxy-deployment.yaml index 14d5dda025da..edb875c152c2 100644 --- a/stable/pomerium/templates/proxy-deployment.yaml +++ b/stable/pomerium/templates/proxy-deployment.yaml @@ -98,6 +98,9 @@ spec: - containerPort: 443 name: https protocol: TCP + - containerPort: {{ .Values.metrics.port }} + name: metrics + protocol: TCP livenessProbe: httpGet: path: /ping diff --git a/stable/pomerium/values.yaml b/stable/pomerium/values.yaml index 5e8a581387ca..502c28e09d2f 100644 --- a/stable/pomerium/values.yaml +++ b/stable/pomerium/values.yaml @@ -115,5 +115,9 @@ extraVolumes: {} image: repository: "pomerium/pomerium" - tag: "v0.0.5" + tag: "v0.1.0" pullPolicy: "IfNotPresent" + +metrics: + enabled: false + port: 9090 \ No newline at end of file From 8f633d9ff0c2ff7c19f437de921b74f35a3f20f5 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Mon, 8 Jul 2019 08:53:49 -0400 Subject: [PATCH 3/4] Fix lint error 
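Review bot: `metrics_address: :{{ .Values.metrics.port }}` renders a plain scalar that begins with `:`; most parsers read `:9090` as the string it is meant to be, but quoting it, `metrics_address: ":{{ .Values.metrics.port }}"`, removes the dependence on that corner of the plain-scalar grammar. Separately, this value lands in the ConfigMap while the pod annotation from the first patch hashes only `.Values.config.extraOpts`, so toggling `metrics.enabled` or changing the port will not roll the pods unless Pomerium hot-reloads this setting the way the earlier comment says it does for policy — that cannot be confirmed from the patch. `:port` also binds every interface in the pod, so once enabled the endpoint is reachable by anything that can reach the pod; the `enabled: false` default is the right one, and the README section could say that a NetworkPolicy or scrape-side restriction is expected when turning it on. The `data:` mapping continues outside the hunk.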
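Review bot: The new `metrics` block in values.yaml carries no comment, so a consumer sees `enabled`/`port` without knowing that the port is opened on every Pomerium pod and that scraping additionally needs the `service.annotations` shown in the README. A short comment above the block would close that gap, e.g. `# Prometheus /metrics endpoint exposed by every Pomerium pod; see README "Metrics Discovery Configuration" for the service annotations a scraper needs`. The missing trailing newline is already fixed in the next patch of this series.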
Signed-off-by: Travis Groth --- stable/pomerium/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/pomerium/values.yaml b/stable/pomerium/values.yaml index 502c28e09d2f..2edf79d8e6c7 100644 --- a/stable/pomerium/values.yaml +++ b/stable/pomerium/values.yaml @@ -120,4 +120,4 @@ image: metrics: enabled: false - port: 9090 \ No newline at end of file + port: 9090 From 0663ea4aa086e4db49db39ae4e55c77c8855a555 Mon Sep 17 00:00:00 2001 From: Travis Groth Date: Mon, 8 Jul 2019 18:04:17 -0400 Subject: [PATCH 4/4] Fix CI test policy Signed-off-by: Travis Groth --- stable/pomerium/ci/default-values.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/stable/pomerium/ci/default-values.yaml b/stable/pomerium/ci/default-values.yaml index b303ba820a6d..0953a75b02c9 100644 --- a/stable/pomerium/ci/default-values.yaml +++ b/stable/pomerium/ci/default-values.yaml @@ -1,21 +1,21 @@ config: policy: - - from: httpbin.corp.pomerium.io + - from: https://httpbin.corp.pomerium.io to: http://httpbin allowed_domains: - pomerium.io - - from: external-httpbin.corp.pomerium.io - to: httpbin.org + - from: https://external-httpbin.corp.pomerium.io + to: https://httpbin.org allowed_domains: - gmail.com - - from: weirdlyssl.corp.pomerium.io + - from: https://weirdlyssl.corp.pomerium.io to: http://neverssl.com allowed_users: - bdd@pomerium.io allowed_groups: - admins - developers - - from: hello.corp.pomerium.io + - from: https://hello.corp.pomerium.io to: http://hello:8080 allowed_groups: - admins