[stable/pomerium] Chart updates for pomerium v0.1.0

stable/pomerium/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: pomerium
-version: 1.1.0
-appVersion: 0.0.5
+version: 1.2.0
+appVersion: 0.1.0
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo.svg
 description: Pomerium is an identity-aware access proxy.

stable/pomerium/README.md

@@ -79,3 +79,50 @@ Parameter                         | Description
 `ingress.annotations`             | Ingress annotations                                                                                                                                                                                        | `{}`
 `ingress.hosts`                   | Ingress accepted hostnames                                                                                                                                                                                 | `nil`
 `ingress.tls`                     | Ingress TLS configuration                                                                                                                                                                                  | `[]`
+`metrics.enabled`                     | Enable prometheus metrics endpoint                                                                                                                                                                                  | `false`
+`metrics.port`                     | Prometheus metrics endpoint port                                                                                                                                                                                  | `9090`
+
+## Metrics Discovery Configuration
+
+
+### Prometheus kubernetes_sd_configs
+
+Example chart values:
+
+```yaml
+metrics:
+  enabled: true
+  port: 9090 # default
+service:
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9090"
+```
+
+Example prometheus discovery config:
+```yaml
+- job_name: 'pomerium'
+metrics_path: /metrics
+kubernetes_sd_configs:
+- role: endpoints
+relabel_configs:
+- source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+  action: keep
+  regex: true
+- source_labels: [__meta_kubernetes_service_label_app_kubernetes_io_instance]
+  action: keep
+  regex: pomerium
+- action: labelmap
+  regex: __meta_kubernetes_service_label_(.+)
+- source_labels: [__meta_kubernetes_namespace]
+  action: replace
+  target_label: kubernetes_namespace
+- source_labels: [__meta_kubernetes_service_name]
+  action: replace
+  target_label: kubernetes_name
+- source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+  action: replace
+  regex: ([^:]+)(?::\d+)?;(\d+)
+  replacement: $1:$2
+  target_label: __address__
+```

stable/pomerium/ci/default-values.yaml

@@ -1,21 +1,21 @@
 config:
   policy:
-    - from: httpbin.corp.pomerium.io
+    - from: https://httpbin.corp.pomerium.io
       to: http://httpbin
       allowed_domains:
       - pomerium.io
-    - from: external-httpbin.corp.pomerium.io
-      to: httpbin.org
+    - from: https://external-httpbin.corp.pomerium.io
+      to: https://httpbin.org
       allowed_domains:
       - gmail.com
-    - from: weirdlyssl.corp.pomerium.io
+    - from: https://weirdlyssl.corp.pomerium.io
       to: http://neverssl.com
       allowed_users:
       - [email protected]
       allowed_groups:
       - admins
       - developers
-    - from: hello.corp.pomerium.io
+    - from: https://hello.corp.pomerium.io
       to: http://hello:8080
       allowed_groups:
       - admins

stable/pomerium/templates/authenticate-deployment.yaml

@@ -23,7 +23,9 @@ spec:
   template:
     metadata:
       annotations:
-        config/checksum: {{ print .Values.config.extraOpts | sha256sum }}
+        {{- /* policy is already covered by hot-reloading */}}
+        checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
@@ -113,6 +115,9 @@ spec:
           - containerPort: 443
             name: https
             protocol: TCP
+          - containerPort: {{ .Values.metrics.port }}
+            name: metrics
+            protocol: TCP
         livenessProbe:
           httpGet:
             path: /ping
@@ -132,6 +137,8 @@ spec:
         configMap:
           name: {{ $configName }}
 {{- end }}
+      resources:
+{{ toYaml .Values.resources | indent 10 }}
 {{- if .Values.extraVolumes }}
       volumes:
 {{- toYaml .Values.extraVolumes | indent 8 }}

stable/pomerium/templates/authorize-deployment.yaml

@@ -12,7 +12,6 @@ metadata:
   name: {{ template "pomerium.authorize.fullname" . }}
 {{- if .Values.annotations }}
   annotations:
-    checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 {{ toYaml .Values.annotations | indent 4 }}
 {{- end }}
 spec:
@@ -24,7 +23,9 @@ spec:
   template:
     metadata:
       annotations:
-        config/checksum: {{ print .Values.config.extraOpts | sha256sum }}
+        {{- /* policy is already covered by hot-reloading */}}
+        checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
@@ -86,6 +87,9 @@ spec:
           - containerPort: 443
             name: https
             protocol: TCP
+          - containerPort: {{ .Values.metrics.port }}
+            name: metrics
+            protocol: TCP
         livenessProbe:
           httpGet:
             path: /ping
@@ -105,6 +109,8 @@ spec:
         configMap:
           name: {{ $configName }}
 {{- end }}
+      resources:
+{{ toYaml .Values.resources | indent 10 }}
 {{- if .Values.extraVolumes }}
       volumes:
 {{- toYaml .Values.extraVolumes | indent 8 }}

stable/pomerium/templates/configmap.yaml

@@ -19,6 +19,9 @@ data:
 {{- if .Values.config.extraOpts }}
 {{ toYaml .Values.config.extraOpts | indent 4 -}}
 {{- end -}}
+{{- if .Values.metrics.enabled }}
+    metrics_address: :{{ .Values.metrics.port }}
+{{- end -}}
 {{- if .Values.config.policy }}
     policy: 
 {{ toYaml .Values.config.policy | indent 6 }}

stable/pomerium/templates/proxy-deployment.yaml

@@ -12,7 +12,6 @@ metadata:
   name: {{ template "pomerium.proxy.fullname" . }}
 {{- if .Values.annotations }}
   annotations:
-    checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 {{ toYaml .Values.annotations | indent 4 }}
 {{- end }}
 spec:
@@ -24,7 +23,9 @@ spec:
   template:
     metadata:
       annotations:
-        config/checksum: {{ print .Values.config.extraOpts | sha256sum }}
+        {{- /* policy is already covered by hot-reloading */}}
+        checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
@@ -97,6 +98,9 @@ spec:
           - containerPort: 443
             name: https
             protocol: TCP
+          - containerPort: {{ .Values.metrics.port }}
+            name: metrics
+            protocol: TCP
         livenessProbe:
           httpGet:
             path: /ping
@@ -116,6 +120,8 @@ spec:
         configMap:
           name: {{ $configName }}
 {{- end }}
+      resources:
+{{ toYaml .Values.resources | indent 10 }}
 {{- if .Values.extraVolumes }}
       volumes:
 {{- toYaml .Values.extraVolumes | indent 8 }}

stable/pomerium/values.yaml

@@ -115,5 +115,9 @@ extraVolumes: {}
 
 image:
   repository: "pomerium/pomerium"
-  tag: "v0.0.5"
+  tag: "v0.1.0"
   pullPolicy: "IfNotPresent"
+
+metrics:
+  enabled: false
+  port: 9090