add cache service (#50)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
pomerium · Jan 26, 2020 · 67e4478 · 67e4478
1 parent b359ba1
commit 67e4478
Show file tree

Hide file tree

Showing 8 changed files with 368 additions and 99 deletions.
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v1
 name: pomerium
-version: 4.2.2
-appVersion: 0.5.2
+version: 5.0.0
+appVersion: 0.6.0
 home: http://www.pomerium.io/
-icon: https://www.pomerium.io/logo.svg
+icon: https://www.pomerium.io/logo-long.svg
 description: Pomerium is an identity-aware access proxy.
 keywords:
 - proxy
@@ -23,5 +23,5 @@ engine: gotpl
 
 maintainers:
 - name: desimone
-  email: bobby.desimone@gmail.com
+  email: bdd@pomerium.io
 - name: travisgroth
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
@@ -20,6 +20,11 @@
 {{- default (printf "%s-authorize" .Chart.Name) .Values.authorize.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*Expand the name of the cache-service.*/}}
+{{- define "pomerium.cache.name" -}}
+{{- default (printf "%s-cache" .Chart.Name) .Values.cache.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -66,6 +71,20 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/* cache services fully qualified name. Truncated at 63 chars. */}}
+{{- define "pomerium.cache.fullname" -}}
+{{- if .Values.cache.fullnameOverride -}}
+{{- .Values.cache.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-cache" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-cache" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/* authenticate services fully qualified name. Truncated at 63 chars. */}}
 {{- define "pomerium.authenticate.fullname" -}}
 {{- if .Values.authenticate.fullnameOverride -}}
@@ -148,6 +167,20 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- end -}}
 {{- end -}}
 
+{{/* Determine secret name for cache TLS Cert */}}
+{{- define "pomerium.cache.tlsSecret.name" -}}
+{{- if .Values.cache.existingTLSSecret -}}
+{{- .Values.cache.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-cache-tls" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-cache-tls" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Determine secret name for Proxy TLS Cert */}}
 {{- define "pomerium.proxy.tlsSecret.name" -}}
 {{- if .Values.proxy.existingTLSSecret -}}
@@ -193,6 +226,7 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- printf "%s" (ternary "tls.key" "authorize-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
 {{- end -}}
 
+
 {{- define "pomerium.caSecret.name" -}}
 {{if .Values.config.existingCASecret }}
 {{- .Values.proxy.existingCASecret | trunc 63 | trimSuffix "-" -}}

diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -67,6 +67,8 @@ spec:
           value: authenticate
         - name: AUTHENTICATE_SERVICE_URL
           value: {{ default (printf "https://authenticate.%s" .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }}
+        - name: CACHE_SERVICE_URL
+          value: {{ default (printf "https://%s.%s.svc.cluster.local" (include "pomerium.cache.fullname" .) .Release.Namespace ) .Values.authenticate.cacheServiceUrl}}
         - name: COOKIE_SECRET
           valueFrom:
             secretKeyRef:
@@ -98,31 +100,12 @@ spec:
               name:  {{ $secretName }}
               key: idp-service-account
 {{- end }}
-{{- /* TODO in future: Remove legacy logic */ -}}
-{{- if .Values.config.existingLegacyTLSSecret }}
-        - name: CERTIFICATE
-          valueFrom:
-            secretKeyRef:
-              name:  {{ template "pomerium.authenticate.tlsSecret.name" . }}
-              key:  {{ template "pomerium.authenticate.tlsSecret.certName" . }}
-        - name: CERTIFICATE_KEY
-          valueFrom:
-            secretKeyRef:
-              name:  {{ template "pomerium.authenticate.tlsSecret.name" . }}
-              key:  {{ template "pomerium.authenticate.tlsSecret.keyName" . }}
-        - name: CERTIFICATE_AUTHORITY
-          valueFrom:
-            secretKeyRef:
-              name:  {{ template "pomerium.caSecret.name" . }}
-              key:  {{ template "pomerium.caSecret.certName" . }}
-{{- else }}
         - name: CERTIFICATE_FILE
           value: "/pomerium/cert.pem"
         - name: CERTIFICATE_KEY_FILE
           value: "/pomerium/privkey.pem"
         - name: CERTIFICATE_AUTHORITY_FILE
           value: "/pomerium/ca.pem"
-{{- end }}
 {{- range $name, $value := .Values.extraEnv }}
         - name: {{ $name }}
           value: {{ quote $value }}
@@ -151,8 +134,6 @@ spec:
         - mountPath: /etc/pomerium/
           name: config
 {{- end }}
-{{- /* TODO in future: Remove legacy logic */ -}}
-{{- if not .Values.config.existingLegacyTLSSecret }}
         - mountPath: /pomerium/cert.pem
           name: service-tls
           subPath: {{ template "pomerium.authenticate.tlsSecret.certName" . }}
@@ -162,22 +143,18 @@ spec:
         - mountPath: /pomerium/ca.pem
           name: ca-tls
           subPath: {{ template "pomerium.caSecret.certName" . }}
-{{- end }}
       volumes:
 {{- if or .Values.config.existingConfig .Values.config.policy }}
       - name: config
         configMap:
           name: {{ $configName }}
 {{- end }}
-{{- /* TODO in future: Remove legacy logic */ -}}
-{{- if not .Values.config.existingLegacyTLSSecret }}
       - name: service-tls
         secret:
           secretName: {{ template "pomerium.authenticate.tlsSecret.name" . }}
       - name: ca-tls
         secret:
           secretName: {{ template "pomerium.caSecret.name" . }}
-{{- end }}
 {{- if .Values.extraVolumes }}
 {{- toYaml .Values.extraVolumes | indent 8 }}
 {{- end }}

diff --git a/charts/pomerium/templates/cache-deployment.yaml b/charts/pomerium/templates/cache-deployment.yaml
@@ -0,0 +1,146 @@
+{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }}
+{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+    helm.sh/chart: {{ template "pomerium.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: cache
+  name: {{ template "pomerium.cache.fullname" . }}
+  annotations:
+ {{- if .Values.cache.deployment.annotations }}
+ {{- range $key, $value := .Values.cache.deployment.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- else if .Values.annotations }}
+ {{- range $key, $value := .Values.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+  replicas: {{ default .Values.replicaCount .Values.cache.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      annotations:
+        {{- /* policy is already covered by hot-reloading */}}
+        checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+      labels:
+        app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+        helm.sh/chart: {{ template "pomerium.chart" . }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+    spec:
+{{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+{{- if or .Values.config.existingConfig .Values.config.policy }}
+          - --config=/etc/pomerium/config.yaml
+{{- end }}
+{{- range $key, $value := .Values.extraArgs }}
+{{- if $value }}
+          - --{{ $key }}={{ $value }}
+{{- else }}
+          - --{{ $key }}
+{{- end }}
+{{- end }}
+        env:
+        - name: SERVICES
+          value: cache
+        - name: CACHE_SERVICE_URL
+          value: {{ default (printf "https://%s.%s.svc.cluster.local" (include "pomerium.cache.fullname" .) .Release.Namespace ) .Values.authenticate.cacheServiceUrl}}
+        - name: SHARED_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ $secretName }}
+              key: shared-secret
+        - name: CERTIFICATE_FILE
+          value: "/pomerium/cert.pem"
+        - name: CERTIFICATE_KEY_FILE
+          value: "/pomerium/privkey.pem"
+        - name: CERTIFICATE_AUTHORITY_FILE
+          value: "/pomerium/ca.pem"
+{{- range $name, $value := .Values.extraEnv }}
+        - name: {{ $name }}
+          value: {{ quote $value }}
+{{- end }}
+        ports:
+          - containerPort: 443
+            name: https
+            protocol: TCP
+          - containerPort: {{ .Values.metrics.port }}
+            name: metrics
+            protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: https
+          initialDelaySeconds: 15
+        readinessProbe:
+          tcpSocket:
+            port: https
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        volumeMounts:
+{{- if or .Values.config.existingConfig .Values.config.policy }}
+        - mountPath: /etc/pomerium/
+          name: config
+{{- end }}
+        - mountPath: /pomerium/cert.pem
+          name: service-tls
+          subPath: tls.crt
+        - mountPath: /pomerium/privkey.pem
+          name: service-tls
+          subPath: tls.key
+        - mountPath: /pomerium/ca.pem
+          name: ca-tls
+          subPath: {{ template "pomerium.caSecret.certName" . }}
+      volumes:
+{{- if or .Values.config.existingConfig .Values.config.policy }}
+      - name: config
+        configMap:
+          name: {{ $configName }}
+{{- end }}
+      - name: service-tls
+        secret:
+          secretName: {{ template "pomerium.cache.tlsSecret.name" . }}
+      - name: ca-tls
+        secret:
+          secretName: {{ template "pomerium.caSecret.name" . }}
+{{- if .Values.extraVolumes }}
+      volumes:
+{{- toYaml .Values.extraVolumes | indent 8 }}
+{{- end }}
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
diff --git a/charts/pomerium/templates/cache-service.yaml b/charts/pomerium/templates/cache-service.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pomerium.cache.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+    helm.sh/chart: {{ template "pomerium.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/component: cache
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+annotations:
+{{- if .Values.cache.service.annotations }}
+ {{- range $key, $value := .Values.cache.service.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- else if .Values.service.annotations }}
+ {{- range $key, $value := .Values.service.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+{{- if .Values.service.cache.headless }}
+  clusterIP: None
+  type: ClusterIP
+{{- else }}}
+  type: {{ .Values.service.type }}
+{{- end }}
+  ports:
+    - port: {{ .Values.service.externalPort }}
+      targetPort: https
+      protocol: TCP
+      name: https
+    - name: metrics
+      port: {{ .Values.metrics.port }}
+      protocol: TCP
+      targetPort: metrics
+{{- if hasKey .Values.service "nodePort" }}
+    nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+  selector:
+    app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}