add cache service

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
pomerium · Jan 22, 2020 · ca5da86 · ca5da86
1 parent b359ba1
commit ca5da86
Show file tree

Hide file tree

Showing 8 changed files with 304 additions and 1 deletion.
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
@@ -157,6 +157,9 @@ A full listing of Pomerium's configuration variables can be found on the [config
 
 
 ## Changelog
+### 5.0.0
+- Upgrade to Pomerium v0.6.0
+- Add cache service support
 
 ### 4.0.0
 

diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
@@ -20,6 +20,11 @@
 {{- default (printf "%s-authorize" .Chart.Name) .Values.authorize.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*Expand the name of the cache-service.*/}}
+{{- define "pomerium.cache.name" -}}
+{{- default (printf "%s-cache" .Chart.Name) .Values.cache.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -66,6 +71,20 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
+{{/* cache services fully qualified name. Truncated at 63 chars. */}}
+{{- define "pomerium.cache.fullname" -}}
+{{- if .Values.cache.fullnameOverride -}}
+{{- .Values.cache.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-cache" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-cache" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/* authenticate services fully qualified name. Truncated at 63 chars. */}}
 {{- define "pomerium.authenticate.fullname" -}}
 {{- if .Values.authenticate.fullnameOverride -}}
@@ -148,6 +167,23 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- end -}}
 {{- end -}}
 
+{{/* Determine secret name for cache TLS Cert */}}
+{{- define "pomerium.cache.tlsSecret.name" -}}
+{{- if .Values.cache.existingTLSSecret -}}
+{{- .Values.cache.existingTLSSecret | trunc 63 | trimSuffix "-" -}}
+{{- /* TODO in future: Remove legacy logic */ -}}
+{{- else if .Values.config.existingLegacyTLSSecret -}}
+{{ template "pomerium.fullname" . }}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- printf "%s-cache-tls" .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s-cache-tls" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Determine secret name for Proxy TLS Cert */}}
 {{- define "pomerium.proxy.tlsSecret.name" -}}
 {{- if .Values.proxy.existingTLSSecret -}}
@@ -193,6 +229,15 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates
 {{- printf "%s" (ternary "tls.key" "authorize-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
 {{- end -}}
 
+{{- define "pomerium.cache.tlsSecret.certName" -}}
+{{- /* TODO in future: Remove legacy logic */ -}}
+{{- printf "%s" (ternary "tls.crt" "cache-cert" (empty .Values.config.existingLegacyTLSSecret)) -}}
+{{- end -}}
+{{- define "pomerium.cache.tlsSecret.keyName" -}}
+{{- /* TODO in future: Remove legacy logic */ -}}
+{{- printf "%s" (ternary "tls.key" "cache-key" (empty .Values.config.existingLegacyTLSSecret)) -}}
+{{- end -}}
+
 {{- define "pomerium.caSecret.name" -}}
 {{if .Values.config.existingCASecret }}
 {{- .Values.proxy.existingCASecret | trunc 63 | trimSuffix "-" -}}

diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -66,7 +66,9 @@ spec:
         - name: SERVICES
           value: authenticate
         - name: AUTHENTICATE_SERVICE_URL
-          value: {{ default (printf "https://authenticate.%s" .Values.config.rootDomain ) .Values.proxy.authenticateServiceUrl }}
+          value: {{ default (printf "https://authenticate.%s" .Values.config.rootDomain ) .Values.proxy.cacheServiceUrl }}
+        - name: CACHE_SERVICE_URL
+          value: {{ default (printf "https://%s.%s.svc.cluster.local" (include "pomerium.cache.fullname" .) .Release.Namespace ) .Values.proxy.cacheInternalUrl}}
         - name: COOKIE_SECRET
           valueFrom:
             secretKeyRef:

diff --git a/charts/pomerium/templates/cache-deployment.yaml b/charts/pomerium/templates/cache-deployment.yaml
@@ -0,0 +1,169 @@
+{{- $configName := default (include "pomerium.fullname" .) .Values.config.existingConfig }}
+{{- $secretName := default (include "pomerium.fullname" .) .Values.config.existingSecret }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+    helm.sh/chart: {{ template "pomerium.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: cache
+  name: {{ template "pomerium.cache.fullname" . }}
+  annotations:
+ {{- if .Values.cache.deployment.annotations }}
+ {{- range $key, $value := .Values.cache.deployment.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- else if .Values.annotations }}
+ {{- range $key, $value := .Values.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+  replicas: {{ default .Values.replicaCount .Values.cache.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      annotations:
+        {{- /* policy is already covered by hot-reloading */}}
+        checksum/config: {{ print .Values.config.extraOpts | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+      labels:
+        app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+        helm.sh/chart: {{ template "pomerium.chart" . }}
+        app.kubernetes.io/managed-by: {{ .Release.Service }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+{{- end }}
+    spec:
+{{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+{{- if or .Values.config.existingConfig .Values.config.policy }}
+          - --config=/etc/pomerium/config.yaml
+{{- end }}
+{{- range $key, $value := .Values.extraArgs }}
+{{- if $value }}
+          - --{{ $key }}={{ $value }}
+{{- else }}
+          - --{{ $key }}
+{{- end }}
+{{- end }}
+        env:
+        - name: SERVICES
+          value: cache
+        - name: SHARED_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: {{ $secretName }}
+              key: shared-secret
+{{- /* TODO in future: Remove legacy logic */ -}}
+{{- if .Values.config.existingLegacyTLSSecret }}
+        - name: CERTIFICATE
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.cache.tlsSecret.name" . }}
+              key:  {{ template "pomerium.cache.tlsSecret.certName" . }}
+        - name: CERTIFICATE_KEY
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.cache.tlsSecret.name" . }}
+              key:  {{ template "pomerium.cache.tlsSecret.keyName" . }}
+        - name: CERTIFICATE_AUTHORITY
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "pomerium.caSecret.name" . }}
+              key:  {{ template "pomerium.caSecret.certName" . }}
+{{- else }}
+        - name: CERTIFICATE_FILE
+          value: "/pomerium/cert.pem"
+        - name: CERTIFICATE_KEY_FILE
+          value: "/pomerium/privkey.pem"
+        - name: CERTIFICATE_AUTHORITY_FILE
+          value: "/pomerium/ca.pem"
+{{- end }}
+{{- range $name, $value := .Values.extraEnv }}
+        - name: {{ $name }}
+          value: {{ quote $value }}
+{{- end }}
+        ports:
+          - containerPort: 443
+            name: https
+            protocol: TCP
+          - containerPort: {{ .Values.metrics.port }}
+            name: metrics
+            protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: https
+          initialDelaySeconds: 15
+        readinessProbe:
+          tcpSocket:
+            port: https
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        volumeMounts:
+{{- if or .Values.config.existingConfig .Values.config.policy }}
+        - mountPath: /etc/pomerium/
+          name: config
+{{- end }}
+{{- /* TODO in future: Remove legacy logic */ -}}
+{{- if not .Values.config.existingLegacyTLSSecret }}
+        - mountPath: /pomerium/cert.pem
+          name: service-tls
+          subPath: {{ template "pomerium.cache.tlsSecret.certName" . }}
+        - mountPath: /pomerium/privkey.pem
+          name: service-tls
+          subPath: {{ template "pomerium.cache.tlsSecret.keyName" . }}
+        - mountPath: /pomerium/ca.pem
+          name: ca-tls
+          subPath: {{ template "pomerium.caSecret.certName" . }}
+{{- end }}
+      volumes:
+{{- if or .Values.config.existingConfig .Values.config.policy }}
+      - name: config
+        configMap:
+          name: {{ $configName }}
+{{- end }}
+{{- /* TODO in future: Remove legacy logic */ -}}
+{{- if not .Values.config.existingLegacyTLSSecret }}
+      - name: service-tls
+        secret:
+          secretName: {{ template "pomerium.cache.tlsSecret.name" . }}
+      - name: ca-tls
+        secret:
+          secretName: {{ template "pomerium.caSecret.name" . }}
+{{- end }}
+{{- if .Values.extraVolumes }}
+      volumes:
+{{- toYaml .Values.extraVolumes | indent 8 }}
+{{- end }}
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+{{- end }}
+{{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+{{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+{{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+{{- end }}
diff --git a/charts/pomerium/templates/cache-service.yaml b/charts/pomerium/templates/cache-service.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "pomerium.cache.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+    helm.sh/chart: {{ template "pomerium.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/component: cache
+{{- if .Values.service.labels }}
+{{ toYaml .Values.service.labels | indent 4 }}
+{{- end }}
+annotations:
+{{- if .Values.cache.service.annotations }}
+ {{- range $key, $value := .Values.cache.service.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- else if .Values.service.annotations }}
+ {{- range $key, $value := .Values.service.annotations }}
+   {{ $key }}: {{ $value | quote }}
+ {{- end }}
+{{- end }}
+spec:
+{{- if .Values.service.cache.headless }}
+  clusterIP: None
+  type: ClusterIP
+{{- else }}}
+  type: {{ .Values.service.type }}
+{{- end }}
+  ports:
+    - port: {{ .Values.service.externalPort }}
+      targetPort: https
+      protocol: TCP
+      name: https
+    - name: metrics
+      port: {{ .Values.metrics.port }}
+      protocol: TCP
+      targetPort: metrics
+{{- if hasKey .Values.service "nodePort" }}
+    nodePort: {{ .Values.service.nodePort }}
+{{- end }}
+  selector:
+    app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/pomerium/templates/ingress.yaml b/charts/pomerium/templates/ingress.yaml
@@ -17,6 +17,7 @@ spec:
     - secretName: {{ default .Values.ingress.secretName .Values.ingress.secret.name}}
       hosts:
         - {{ printf "authorize.%s" .Values.config.rootDomain | quote }}
+        - {{ printf "cache.%s" .Values.config.rootDomain | quote }}
         - {{ printf "authenticate.%s" .Values.config.rootDomain | quote }}
         - {{ template "pomerium.forwardAuth.name" . }}
       {{- if not .Values.ingress.hosts }}
@@ -66,6 +67,15 @@ spec:
               serviceName: {{ template "pomerium.authorize.fullname" . }}
               servicePort: https
     {{- end }}
+    {{- if not .Values.service.cache.headless }}
+    - host:  {{ printf "cache.%s" .Values.config.rootDomain }}
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: {{ template "pomerium.cache.fullname" . }}
+              servicePort: https
+    {{- end }}
     - host: {{ printf "authenticate.%s" .Values.config.rootDomain }}
       http:
         paths:

diff --git a/charts/pomerium/templates/tls-secrets.yaml b/charts/pomerium/templates/tls-secrets.yaml
@@ -107,6 +107,8 @@ data:
 {{- $ca := genCA "default-ca" 3650 }}
 {{- $authenticateSN:= list (printf "authenticate.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authenticate.fullname" .) .Release.Namespace )}}
 {{- $authorizeSN:= list (printf "authorize.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authorize.fullname" .) .Release.Namespace )}}
+{{- $cacheSN:= list (printf "cache.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.cache.fullname" .) .Release.Namespace )}}
+
 {{- $cn := default "example.com" .Values.config.rootDomain }}
 {{ template "pomerium.ca.tlsSecretObject" . }}
   {{ template "pomerium.caSecret.certName" . }}: {{ $ca.Cert | b64enc }}
@@ -122,6 +124,11 @@ data:
   {{ template "pomerium.authorize.tlsSecret.certName" . }}: {{ $kp.Cert | b64enc }}
   {{ template "pomerium.authorize.tlsSecret.keyName" . }}: {{ $kp.Key | b64enc }}
 ---
+{{- $kp := genSignedCert $cn ( default nil .Values.cache.tls.defaultIPList ) ( default $cacheSN .Values.cache.tls.defaultSANList ) 3650 $ca }}
+{{ template "pomerium.cache.tlsSecretObject" . }}
+  {{ template "pomerium.cache.tlsSecret.certName" . }}: {{ $kp.Cert | b64enc }}
+  {{ template "pomerium.cache.tlsSecret.keyName" . }}: {{ $kp.Key | b64enc }}
+---
 {{- $kp := genSignedCert $cn ( default nil .Values.proxy.tls.defaultIPList ) ( default nil .Values.proxy.tls.defaultSANList ) 3650 $ca }}
 {{ template "pomerium.proxy.tlsSecretObject" . }}
   {{ template "pomerium.proxy.tlsSecret.certName" . }}: {{ $kp.Cert | b64enc }}
@@ -143,6 +150,12 @@ data:
   {{ template "pomerium.authorize.tlsSecret.certName" . }}: {{ .Values.authorize.tls.cert | b64enc }}
   {{ template "pomerium.authorize.tlsSecret.keyName" . }}: {{ .Values.authorize.tls.key | b64enc }}
 {{-     end }}
+{{-     if and (not .Values.cache.existingTLSSecret) .Values.cache.tls.cert .Values.cache.tls.key }}
+---
+{{ template "pomerium.cache.tlsSecretObject" . }}
+  {{ template "pomerium.cache.tlsSecret.certName" . }}: {{ .Values.cache.tls.cert | b64enc }}
+  {{ template "pomerium.cache.tlsSecret.keyName" . }}: {{ .Values.cache.tls.key | b64enc }}
+{{-     end }}
 {{-     if and (not .Values.proxy.existingTLSSecret) .Values.proxy.tls.cert .Values.proxy.tls.key }}
 ---
 {{ template "pomerium.proxy.tlsSecretObject" . }}

diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
@@ -25,6 +25,7 @@ authenticate:
   nameOverride: ""
   existingTLSSecret: ""
   redirectUrl: ""
+  cacheServiceUrl: ""
   # see https://www.pomerium.io/docs/identity-providers.html
   idp:
     provider: google
@@ -59,6 +60,21 @@ authorize:
   deployment:
     annotations: {}
 
+cache:
+  fullnameOverride: ""
+  nameOverride: ""
+  existingTLSSecret: ""
+  tls:
+    cert: ""
+    key: ""
+    defaultSANList: []
+    defaultIPList: []
+  replicaCount: 1
+  service:
+    annotations: {}
+  deployment:
+    annotations: {}
+
 
 proxy:
   fullnameOverride: ""