diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml index 9920339..13943cd 100644 --- a/charts/pomerium/Chart.yaml +++ b/charts/pomerium/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: pomerium -version: 30.1.2 -appVersion: 0.16.4 +version: 31.0.0 +appVersion: 0.17.0 home: http://www.pomerium.com/ icon: https://www.pomerium.com/img/icon.svg description: Pomerium is an identity-aware access proxy. diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md index 87c8817..4ff8ccc 100644 --- a/charts/pomerium/README.md +++ b/charts/pomerium/README.md @@ -20,6 +20,7 @@ - [Redis Subchart](#redis-subchart) - [Configuration](#configuration) - [Changelog](#changelog) + - [31.0.0](#3100) - [30.0.0](#3000) - [29.0.0](#2900) - [28.0.0](#2800) @@ -59,6 +60,7 @@ - [3.0.0](#300) - [2.0.0](#200) - [Upgrading](#upgrading) + - [31.0.0](#3100-1) - [30.0.0](#3000-1) - [29.0.0](#2900-1) - [28.0.0](#2800-1) 
@@ -435,6 +437,12 @@ A full listing of Pomerium's configuration variables can be found on the [config | `ingressController.replicaCount` | Number of ingressController pods to run | `1` | | `ingressController.image.repository` | Pomerium ingressController image | `pomerium/ingress-controller` | | `ingressController.image.tag` | Pomerium ingressController image tag | `v0.15.0` | +| `ingressController.ingressClassResource.enabled` | Create a IngressClass resource for the Ingress Controller | `true` | +| `ingressController.ingressClassResource.default` | Set the IngressClass resource as default | `false` | +| `ingressController.ingressClassResource.name` | Name of the IngressClass resource | `pomerium` | +| `ingressController.ingressClassResource.controllerName` | IngressClass controller name | `pomerium.io/ingress-controller` | +| `ingressController.ingressClassResource.parameters` | Additional parameters for the IngressClass | `{}` | +| `ingressController.ingressClassResource.defaultCertSecret` | Specify a default TLS certificate for Ingress resources that do not specify their own. Format: [namespace]/[name] | | | `ingressController.config.ingressClass` | `kubernetes.io/ingress.class` for the ingressController to monitor | `pomerium.io/ingress-controller` | | `ingressController.config.namespaces` | List of namespaces to monitor for `Ingress` resources. Defaults to all. | `[]` | | `ingressController.config.operatorMode` | Run Ingress Controller as a replacement for the Pomerium Operator. This implies using Forward-Auth and a third party Proxy. | @@ -447,6 +455,9 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Changelog +### 31.0.0 +- Update to v0.17 of Pomerium +- Require `authenticate.ingress.tls.secretName` if `config.generateTLS` is not enabled ### 30.0.0 - Revert breaking config changes in 29.0.0 - Add `redis.auth.createSecret` flag 
@@ -614,6 +625,9 @@ A full listing of Pomerium's configuration variables can be found on the [config ## Upgrading +### 31.0.0 +- See [v0.17 upgrade guide](https://www.pomerium.com/docs/upgrading.html#since-0-16-0) +- If you have set `config.generateTLS=false` and are using the Ingress Controller, be sure you have provied a proper external certificate via `authenticate.ingress.tls.secretName` ### 30.0.0 - Rename `redis.auth.secret` to `redis.auth.existingSecret` in your values file diff --git a/charts/pomerium/templates/authenticate-ingress.yaml b/charts/pomerium/templates/authenticate-ingress.yaml index ca3860d..71d2f99 100644 --- a/charts/pomerium/templates/authenticate-ingress.yaml +++ b/charts/pomerium/templates/authenticate-ingress.yaml @@ -18,12 +18,10 @@ metadata: {{- end }} spec: ingressClassName: {{ .Values.ingressController.ingressClassResource.name }} -{{- if .Values.authenticate.ingress.tls.secretName }} tls: - - secretName: {{ .Values.authenticate.ingress.tls.secretName }} + - secretName: {{ default (include "pomerium.authenticate.tlsSecret.name" .) .Values.authenticate.ingress.tls.secretName }} hosts: - {{ include "pomerium.authenticate.hostname" . }} -{{- end }} rules: - host: {{ template "pomerium.authenticate.hostname" . }} http: diff --git a/charts/pomerium/templates/ingressclass.yaml b/charts/pomerium/templates/ingressclass.yaml index 9402869..1903480 100644 --- a/charts/pomerium/templates/ingressclass.yaml +++ b/charts/pomerium/templates/ingressclass.yaml 
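Review bot: The `tls` block in authenticate-ingress.yaml is now rendered unconditionally, so an empty `authenticate.ingress.tls.secretName` makes the Ingress fall back to the chart's own secret from `pomerium.authenticate.tlsSecret.name`, and nothing in this hunk checks that this secret will exist. The new guard in validation.yaml only fires when `ingressController.enabled` is set, while the condition that gates this template sits above the hunk. Confirm the two agree, otherwise a render with `config.generateTLS=false` can reference a secret that is never created. It would also help to state in the README that the fallback certificate is the chart-generated one, which external clients presumably will not trust unless its CA is distributed to them. The value is emitted unquoted; `- secretName: {{ default (include "pomerium.authenticate.tlsSecret.name" .) .Values.authenticate.ingress.tls.secretName | quote }}` keeps an unusual name from being retyped by the YAML parser.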
@@ -9,10 +9,13 @@ metadata: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/component: ingressController -{{- if .Values.ingressController.ingressClassResource.default }} annotations: +{{- if .Values.ingressController.ingressClassResource.default }} ingressclass.kubernetes.io/is-default-class: "true" {{- end }} +{{- with .Values.ingressController.ingressClassResource.defaultCertSecret }} + ingress.pomerium.io/default-cert-secret: {{ . }} +{{- end }} spec: controller: {{ .Values.ingressController.ingressClassResource.controllerName }} {{- if .Values.ingressController.ingressClassResource.parameters -}} diff --git a/charts/pomerium/templates/validation.yaml b/charts/pomerium/templates/validation.yaml index 3e37efa..5e26194 100644 --- a/charts/pomerium/templates/validation.yaml +++ b/charts/pomerium/templates/validation.yaml @@ -1,3 +1,6 @@ {{- if and (and .Values.ingressController.enabled (not .Values.ingressController.operatorMode)) .Values.config.insecureProxy -}} {{ fail "`ingressController.enabled` is not compatible with `config.insecureProxy`" }} -{{- end -}} \ No newline at end of file +{{- end -}} +{{- if and .Values.ingressController.enabled (not (or .Values.config.generateTLS .Values.authenticate.ingress.tls.secretName )) -}} +{{ fail "A TLS certificate must be available for Authenticate when using the ingress controller. Please set `config.generateTLS` or `authenticate.ingress.tls.secretName"}} +{{- end -}} diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml index 6c550ea..556a471 100644 --- a/charts/pomerium/values.yaml +++ b/charts/pomerium/values.yaml @@ -197,11 +197,12 @@ ingressController: name: pomerium controllerName: pomerium.io/ingress-controller parameters: {} + defaultCertSecret: "" fullnameOverride: "" nameOverride: "" image: repository: "pomerium/ingress-controller" - tag: "v0.16.1" + tag: "v0.17.0" deployment: annotations: {} extraEnv: {} 
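Review bot: `annotations:` in ingressclass.yaml is now emitted even when neither `ingressClassResource.default` nor `ingressClassResource.defaultCertSecret` is set, which renders a bare key (null) instead of omitting it. Gate the key with `{{- if or .Values.ingressController.ingressClassResource.default .Values.ingressController.ingressClassResource.defaultCertSecret }}` and a matching `{{- end }}`. The new annotation value is unquoted, and annotation values must be strings, so write `ingress.pomerium.io/default-cert-secret: {{ . | quote }}`. Because `defaultCertSecret` is a `namespace/name` reference applied to every Ingress of this class that lacks its own TLS entry, a comment beside it in values.yaml should say which secret is expected and that the controller needs read access to it. The RBAC side is not visible in this diff.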
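Review bot: The new `fail` message in validation.yaml never closes the backtick it opens before `authenticate.ingress.tls.secretName`, so the rendered error reads as a truncated identifier; add the closing backtick before the final double quote. The new condition also tests only `ingressController.enabled`, whereas the check directly above it additionally excludes `ingressController.operatorMode`. If the authenticate Ingress is not rendered in operator mode (not visible here), this guard would reject installs that need no certificate, and `{{- if and .Values.ingressController.enabled (not .Values.ingressController.operatorMode) (not (or .Values.config.generateTLS .Values.authenticate.ingress.tls.secretName)) -}}` would line the two checks up. A one-line template comment above the block stating why a certificate is mandatory would document the intent.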
@@ -303,7 +304,7 @@ imagePullSecrets: "" image: repository: "pomerium/pomerium" - tag: "v0.16.4" + tag: "v0.17.0" pullPolicy: "IfNotPresent" metrics: