
@mleklund
Created February 4, 2020 17:24
diff --git a/docs/configuration/examples/kubernetes/httpbin.yml b/docs/configuration/examples/kubernetes/httpbin.yml
index 51c5c41..4f51c44 100644
--- a/docs/configuration/examples/kubernetes/httpbin.yml
+++ b/docs/configuration/examples/kubernetes/httpbin.yml
@@ -5,11 +5,9 @@ metadata:
labels:
app: httpbin
spec:
- type: NodePort
ports:
- name: http
- port: 8000
- targetPort: 80
+ port: 80
selector:
app: httpbin
---
diff --git a/docs/configuration/examples/kubernetes/ingress.nginx.yml b/docs/configuration/examples/kubernetes/ingress.nginx.yml
index 18669b0..f681ae5 100644
--- a/docs/configuration/examples/kubernetes/ingress.nginx.yml
+++ b/docs/configuration/examples/kubernetes/ingress.nginx.yml
@@ -6,32 +6,32 @@ metadata:
kubernetes.io/ingress.class: "nginx"
# kubernetes.io/tls-acme: "true"
# certmanager.k8s.io/issuer: "letsencrypt-prod"
- # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
# to avoid ingress routing, enable
# nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
tls:
- - secretName: pomerium-tls
+ - secretName: star.domain.com
hosts:
- - "*.corp.beyondperimeter.com"
- - "authenticate.corp.beyondperimeter.com"
+ - "httpbin.domain.com"
+ - "authenticate.domain.com"
rules:
- - host: "*.corp.beyondperimeter.com"
+ - host: "httpbin.domain.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-proxy-service
- servicePort: http
+ servicePort: https
- - host: "authenticate.corp.beyondperimeter.com"
+ - host: "authenticate.domain.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-authenticate-service
- servicePort: http
+ servicePort: https
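Review bot: Both backends now use `servicePort: https`, but the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation stays commented out, so the port name suggests TLS to the backend while the ingress controller will presumably still speak plain HTTP to it. That is consistent with `insecure_server: true` in kubernetes-config.yaml, but someone copying this example cannot tell that the hop between the ingress and Pomerium is unencrypted. I would add a comment above that annotation, for example `# TLS terminates at the ingress; enable backend-protocol "HTTPS" when insecure_server is false`. The `tls.hosts` list also changed from a wildcard to two explicit names, so a host added under `rules` without a matching `tls.hosts` entry would not be covered by this certificate.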
diff --git a/docs/configuration/examples/kubernetes/kubernetes-config.yaml b/docs/configuration/examples/kubernetes/kubernetes-config.yaml
index c6a66f7..2fadb09 100644
--- a/docs/configuration/examples/kubernetes/kubernetes-config.yaml
+++ b/docs/configuration/examples/kubernetes/kubernetes-config.yaml
@@ -1,19 +1,22 @@
# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
insecure_server: true
grpc_insecure: true
+pomerium_debug: true
-authenticate_service_url: https://authenticate.corp.beyondperimeter.com
+authenticate_service_url: https://authenticate.domain.com
authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
-override_certificate_name: "*.corp.beyondperimeter.com"
+override_certificate_name: "*.domain.com"
idp_provider: google
-idp_client_id: REPLACE_ME.apps.googleusercontent.com
-idp_client_secret: "REPLACE_ME"
+idp_provider_url: https://accounts.google.com
+idp_client_id: XXXXXXXX.apps.googleusercontent.com
+idp_client_secret: "XXXXXXXX"
+idp_service_account: BIGHASHHERE
policy:
- - from: https://httpbin.corp.beyondperimeter.com
- to: http://httpbin.default.svc.cluster.local:8000
+ - from: https://httpbin.domain.com
+ to: http://httpbin.default.svc.cluster.local
allowed_domains:
- - gmail.com
+ - domain.com
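Review bot: The added `pomerium_debug: true` and the inline `idp_client_secret` / `idp_service_account` keys make this example risky to copy as-is, because debug logging is switched on for an authenticating proxy and the IdP credentials sit in a plain configuration file. If this file is loaded as a ConfigMap (not visible in the hunk), anyone who can read ConfigMaps in the namespace can read the service account credential. Consider leaving those two keys out of this file and supplying them from a Kubernetes Secret instead. I would also ship the debug line commented out, `# pomerium_debug: true  # troubleshooting only`.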
diff --git a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml
index 82b168e..d5a52dd 100644
--- a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml
+++ b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml
@@ -8,7 +8,6 @@ spec:
name: https
selector:
app: pomerium-authenticate
- type: NodePort
---
apiVersion: apps/v1
kind: Deployment
diff --git a/docs/configuration/examples/kubernetes/pomerium-proxy.yml b/docs/configuration/examples/kubernetes/pomerium-proxy.yml
index 67345ef..18e4980 100644
--- a/docs/configuration/examples/kubernetes/pomerium-proxy.yml
+++ b/docs/configuration/examples/kubernetes/pomerium-proxy.yml
@@ -10,7 +10,6 @@ spec:
targetPort: https
selector:
app: pomerium-proxy
- type: NodePort
---
apiVersion: apps/v1
kind: Deployment