diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml index 499099d..c9512b8 100644 --- a/charts/pomerium/Chart.yaml +++ b/charts/pomerium/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: pomerium -version: 33.0.1 +version: 33.1.0 appVersion: v0.20.0 home: http://www.pomerium.com/ icon: https://www.pomerium.com/img/icon.svg diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md index 9eb84d7..02519cb 100644 --- a/charts/pomerium/README.md +++ b/charts/pomerium/README.md @@ -324,6 +324,8 @@ A full listing of Pomerium's configuration variables can be found on the [config | `authenticate.tls.cert` | TLS certificate for authenticate service | | | `authenticate.tls.key` | TLS key for authenticate service | | | `authenticate.proxied` | When `ingress.enabled` is false, add a `policy` entry for the authenticate service. This allows the proxy service to route traffic for `authenticate` directly | `true` | +| `proxy.internalPort` | Container port of the proxy | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` | +| `proxy.externalPort` | Service port of the proxy | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` | | `proxy.nameOverride` | Name of the proxy service. | `proxy` | | `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` | | `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` | 
@@ -377,7 +379,8 @@ A full listing of Pomerium's configuration variables can be found on the [config | `image.tag` | Pomerium image tag | `v0.6.2` | | `image.pullPolicy` | Pomerium image pull policy | `IfNotPresent` | | `service.annotations` | Service annotations | `{}` | -| `service.externalPort` | Pomerium's port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` | +| `service.internalPort` | Pomerium's container port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` | +| `service.externalPort` | Pomerium's service port | `443` if `config.insecure` is `false`. `80` if `config.insecure` is `true` | | `service.grpcTrafficPort.nameOverride` | Override name of grpc port in services. Only use if required for protocol detection by mesh or ingress services | `https`/`grpc` in `secure`/`insecure` mode | | `service.httpTrafficPort.nameOverride` | Override name of http port in services. Only use if required for protocol detection by mesh or ingress services. Set to `http2` for istio when offloading mtls to the mesh. | `https`/`http` in `secure`/`insecure` mode | | `serviceMonitor.enabled` | Create Prometheus Operator ServiceMonitor | `false` | @@ -462,12 +465,16 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Changelog +### 33.1.0 + +- Allow setting internal ports by introducing `proxy.internalPort`, `service.internalPort` +- Allow setting external port of the proxy by introducing `proxy.externalPort` + ### 33.0.0 - `idp.serviceAccount` is removed. Please see the [Upgrade Guide](https://www.pomerium.com/docs/overview/upgrading#since-0200) - Update to v0.20.0 of Pomerium - ### 32.0.0 - Update to v0.18 of Pomerium diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl index b13071b..115293e 100644 --- a/charts/pomerium/templates/_helpers.tpl +++ b/charts/pomerium/templates/_helpers.tpl 
@@ -304,10 +304,14 @@ Adapted from : https://github.com/helm/charts/blob/master/stable/drone/templates {{/*Expand the port number for secure or insecure mode */}} {{- define "pomerium.trafficPort.number" -}} -{{- if .Values.config.insecure -}} -80 +{{- if .Values.service.internalPort -}} +{{- .Values.service.internalPort -}} {{- else -}} +{{- if .Values.config.insecure -}} +80 +{{- else -}} 443 +{{- end -}} {{- end -}} {{- end -}} @@ -340,10 +344,14 @@ https {{/*Expand the proxy's port number for secure or insecure mode */}} {{- define "pomerium.proxy.trafficPort.number" -}} -{{- if (include "pomerium.proxy.insecure" .) -}} -80 +{{- if .Values.proxy.internalPort -}} +{{- .Values.proxy.internalPort -}} {{- else -}} +{{- if (include "pomerium.proxy.insecure" .) -}} +80 +{{- else -}} 443 +{{- end -}} {{- end -}} {{- end -}} @@ -374,6 +382,19 @@ grpc is used for insecure rather than http for istio compatibility {{- end -}} {{- end -}} +{{/*Expand the proxy's service port number for secure or insecure mode */}} +{{- define "pomerium.proxy.externalPort" -}} +{{- if .Values.proxy.externalPort -}} +{{- .Values.proxy.externalPort -}} +{{- else -}} +{{- if (include "pomerium.proxy.insecure" .) -}} +80 +{{- else -}} +443 +{{- end -}} +{{- end -}} +{{- end -}} + {{/* Expand databroker client tls path */}} {{- define "pomerium.databroker.storage.clientTLS.path" -}} /pomerium/databroker-client-tls diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml index b2096b1..f43e80f 100644 --- a/charts/pomerium/templates/authenticate-deployment.yaml +++ b/charts/pomerium/templates/authenticate-deployment.yaml 
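Review bot: The override branch of `pomerium.trafficPort.number` emits `.Values.service.internalPort` verbatim, so a non-numeric or out-of-range value only surfaces later as a bad `ADDRESS` or a rejected manifest; the override branches in the `pomerium.proxy.trafficPort.number` and `pomerium.proxy.externalPort` hunks have the same gap. A guard inside the override branch would fail the render early, for example `{{- $p := int .Values.service.internalPort -}}` followed by `{{- if or (lt $p 1) (gt $p 65535) -}}{{- fail "service.internalPort must be between 1 and 65535" -}}{{- end -}}`. As a style point, the `if` nested inside `else` can be flattened to `{{- else if .Values.config.insecure -}}`, which drops one `{{- end -}}` in each of the three helpers.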
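Review bot: `pomerium.proxy.trafficPort.number` now honours `proxy.internalPort`, but no hunk in this commit sets `ADDRESS` on the proxy deployment, while authenticate, authorize and databroker each gain it. If proxy-deployment.yaml (not part of this diff) does not already derive its listen address from this helper, setting `proxy.internalPort` would change the declared container port without changing where the process listens. In that case the proxy container needs the same pair the other deployments receive: `- name: ADDRESS` and `value: {{ printf ":%s" (include "pomerium.proxy.trafficPort.number" .) | quote }}`. Rendering the chart with `helm template` and a non-default `proxy.internalPort` would confirm which case applies.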
@@ -62,6 +62,8 @@ spec: {{- end }} {{- end }} env: + - name: ADDRESS + value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }} {{- if or ( or ( and .Values.authenticate.tls.cert .Values.authenticate.tls.key ) .Values.authenticate.existingTLSSecret ) .Values.config.generateTLS }} {{- include "pomerium.tls.internal.envVars" . | indent 8 }} {{- end }} diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml index 5488c92..7f8c0fd 100644 --- a/charts/pomerium/templates/authorize-deployment.yaml +++ b/charts/pomerium/templates/authorize-deployment.yaml @@ -64,6 +64,8 @@ spec: {{- end }} {{- end }} env: + - name: ADDRESS + value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }} {{- if or ( or ( and .Values.authorize.tls.cert .Values.authorize.tls.key ) .Values.authorize.existingTLSSecret ) .Values.config.generateTLS }} {{- include "pomerium.tls.internal.envVars" . | indent 8 }} {{- end }} diff --git a/charts/pomerium/templates/databroker-deployment.yaml b/charts/pomerium/templates/databroker-deployment.yaml index 5811e40..f915797 100644 --- a/charts/pomerium/templates/databroker-deployment.yaml +++ b/charts/pomerium/templates/databroker-deployment.yaml @@ -60,6 +60,8 @@ spec: {{- end }} {{- end }} env: + - name: ADDRESS + value: {{ printf ":%s" (include "pomerium.trafficPort.number" . ) }} {{- if or ( or ( and .Values.databroker.tls.cert .Values.databroker.tls.key ) .Values.databroker.existingTLSSecret ) .Values.config.generateTLS }} {{- include "pomerium.tls.internal.envVars" . | indent 8 }} {{- end }} diff --git a/charts/pomerium/templates/proxy-service.yaml b/charts/pomerium/templates/proxy-service.yaml index 9562241..5922403 100644 --- a/charts/pomerium/templates/proxy-service.yaml +++ b/charts/pomerium/templates/proxy-service.yaml 
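Review bot: The new `ADDRESS` entry is rendered unquoted, so the manifest contains `value: :443`, which relies on the YAML parser accepting a plain scalar that starts with a colon. Quoting the value removes that dependency and follows the usual Helm convention for env values: `value: {{ printf ":%s" (include "pomerium.trafficPort.number" .) | quote }}`. The same line appears in the authorize-deployment.yaml and databroker-deployment.yaml hunks. If the chart also writes an `address` key into the Pomerium config file (not visible here), it is worth checking which of the two takes precedence so the override is not silently ignored.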
@@ -36,7 +36,7 @@ spec: externalTrafficPolicy: {{ .Values.proxy.service.externalTrafficPolicy }} {{- end }} ports: - - port: {{ template "pomerium.proxy.trafficPort.number" . }} + - port: {{ template "pomerium.proxy.externalPort" . }} targetPort: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }} protocol: TCP name: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }} diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml index 0abd67e..9c02fea 100644 --- a/charts/pomerium/values.yaml +++ b/charts/pomerium/values.yaml @@ -150,6 +150,10 @@ databroker: ca: '' proxy: + # internalPort defaults to 80 or 443 depending on config.insecure unless overridden + internalPort: '' + # externalPort defaults to 80 or 443 depending on config.insecure unless overridden + externalPort: '' fullnameOverride: '' nameOverride: '' existingTLSSecret: '' @@ -228,7 +232,9 @@ forwardAuth: internal: false service: - # externalPort defaults to 80 or 443 depending on config.insecure + # internalPort defaults to 80 or 443 depending on config.insecure unless overridden + internalPort: '' + # externalPort defaults to 80 or 443 depending on config.insecure unless overridden externalPort: '' annotations: {}
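Review bot: With `port` now taken from `pomerium.proxy.externalPort`, the proxy's Service port and container port can differ for the first time. Any template outside this diff that still uses `pomerium.proxy.trafficPort.number` as the proxy Service port (an ingress backend, for instance) would then point at the container port instead. It is worth searching the chart for that helper and switching Service-port references to `pomerium.proxy.externalPort`. `targetPort` stays on the named port, which keeps resolving correctly provided the deployment names its container port the same way. A template comment above `ports:` would make the split explicit, such as `{{- /* port = Service port (proxy.externalPort); targetPort = named container port (proxy.internalPort) */}}`.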
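Review bot: The comments added under `proxy:` in values.yaml do not say that the proxy ignores `service.internalPort`: per the helpers in this commit, `pomerium.proxy.trafficPort.number` reads only `proxy.internalPort` and otherwise falls back to 80/443. An operator who sets `service.internalPort` to move every component off a privileged port would therefore leave the proxy on 80/443. I would reword the first comment to `# internalPort is the proxy container's listen port; it does not inherit service.internalPort. Defaults to 80 or 443 depending on config.insecure.` and add the matching scope note (`applies to authenticate, authorize and databroker only`) to the `service:` hunk. It is also worth stating that values below 1024 need the container to be allowed to bind privileged ports, which matters if the pod runs as non-root (the securityContext is not visible here).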