Install Pomerium Enterprise in Kubernetes with Kustomize
This document covers installing Pomerium Enterprise into your existing Kubernetes cluster. It's designed to work with an existing cluster running Pomerium, as described in Pomerium Kustomize. Follow that document before continuing here.
This guide assumes Pomerium Core is installed in the pomerium namespace and that Enterprise will be installed in a separate pomerium-enterprise namespace.
Prepare Core
The command below exposes the Pomerium Core Databroker gRPC interface as a Service in the pomerium namespace; the Enterprise Console connects to it over this Service (the databroker_service_url configured below) and authenticates with the Core shared_secret. After applying, confirm that a pomerium-databroker Service exists in the pomerium namespace before continuing.
kubectl apply -k github.com/pomerium/documentation/k8s/core\?ref=0-22-0
Deploy Enterprise Console
kubectl apply -k github.com/pomerium/documentation/k8s/console\?ref=0-22-0
The Enterprise Console must be configured before it becomes operational: its pods will not start successfully until the registry secret and the ConfigMap, Secret and Ingress described below exist.
Create Cloudsmith Docker Registry Secret
kubectl create secret docker-registry pomerium-enterprise-docker \
--namespace pomerium-enterprise \
--docker-server=docker.cloudsmith.io \
--docker-username=pomerium/enterprise \
--docker-password="your password provided by Pomerium Sales"
Configure Enterprise Console
Create a config directory, and fill in the configuration parameters in the following template files:
kustomization.yaml
resources:
- config.yaml
- ingress-console.yaml
- secret.yaml
namespace: pomerium-enterprise
See Environment Variables for a description of the Config and Secret keys.
config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: enterprise
data:
  # must match the authenticate service URL from the Pomerium Settings CRD
  authenticate_service_url: https://authenticate.domain.com/
  # audience must equal the host of the Ingress you create for the console,
  # without the scheme (no https://) and without a trailing slash
  audience: console.domain.com
  # administrators is a comma-separated list of emails that are granted admin privileges.
  # Use it only for bootstrapping: grant explicit permissions via the UI in the
  # Global namespace, then remove the bootstrap entry.
  administrators: me@domain.com
  # databroker service URL lets the Console reach Pomerium Core through the
  # Databroker Service exposed in the Prepare Core step
  databroker_service_url: https://pomerium-databroker.pomerium.svc.cluster.local
  # external Prometheus service URL, to enable metrics.
  # see https://www.pomerium.com/docs/deploy/k8s/install#metrics
  # prometheus_url: ""
secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: enterprise
type: Opaque
stringData:
  database_url: postgres://user:password@host/database
  database_encryption_key: ''
  license_key: ''
  # shared_secret must be identical to the base64-encoded key in the Pomerium Core
  # bootstrap secret. Copy the output of
  #   kubectl get secret bootstrap -n pomerium -o jsonpath="{.data.shared_secret}"
  # verbatim into this stringData field: it is already base64, which is the form
  # Pomerium expects, so do not decode or re-encode it.
  shared_secret: ''
Create Ingress for Console
ingress-console.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pomerium-console
  annotations:
    cert-manager.io/cluster-issuer: your-cluster-issuer
    external-dns.alpha.kubernetes.io/hostname: 'console.domain.com'
    # console requires user identity headers
    ingress.pomerium.io/pass_identity_headers: 'true'
    # console has its own internal access control; alternatively, restrict who can
    # reach it with a PPL policy instead of allowing any authenticated user
    ingress.pomerium.io/allow_any_authenticated_user: 'true'
    # since v0.21.0, the console serves TLS by default, so Pomerium must use TLS to the upstream
    ingress.pomerium.io/secure_upstream: 'true'
spec:
  ingressClassName: pomerium
  tls:
    - secretName: console-domain-com
      hosts:
        - console.domain.com
  rules:
    - host: 'console.domain.com'
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: pomerium-console
                port:
                  name: app
kubectl apply -k ./config
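The three template files above carry values that must agree with each other and with the cluster: audience must equal the Ingress host with no scheme, shared_secret must be the base64 string from the Core bootstrap secret (a 32-byte key), and none of the placeholder values in secret.yaml may reach the cluster. The following pre-flight script checks those constraints before kubectl apply runs. It is an added example, not part of Pomerium's documentation or tooling; it assumes the files are named config.yaml, secret.yaml and ingress-console.yaml inside ./config, uses only POSIX sh with sed, head, tr, base64 and wc, and the preflight function at the end is the only part that talks to the cluster (via kubectl, to read the bootstrap secret). The sample inputs in the usage note are constructed, not real cluster values.

```shell
#!/bin/sh
# Pre-flight consistency checks for the Enterprise Console config directory.
# Added example, not Pomerium's own code. Assumes config.yaml, secret.yaml and
# ingress-console.yaml as written in this guide; values passed in are assumptions.

# Print the value of a top-level or indented "KEY: value" line from a flat YAML
# file. Commented-out lines ("# KEY: ...") do not match because of the leading
# "#"; surrounding quotes are stripped so '' yields an empty string.
yaml_value() { # yaml_value FILE KEY
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "'\""
}

# Print the first "- host:" entry from an Ingress rules list.
ingress_host() { # ingress_host FILE
  sed -n "s/^[[:space:]]*-[[:space:]]*host:[[:space:]]*//p" "$1" | head -n 1 | tr -d "'\""
}

# audience must equal the Ingress host literally: no scheme, no trailing slash.
check_audience() { # check_audience CONFIG_YAML INGRESS_YAML
  aud=$(yaml_value "$1" audience)
  host=$(ingress_host "$2")
  [ -n "$aud" ] && [ "$aud" = "$host" ]
}

# shared_secret must be the base64 string copied verbatim from the Core bootstrap
# secret (kubectl already prints .data.* base64-encoded) and must decode to a
# 32-byte key.
check_shared_secret() { # check_shared_secret SECRET_YAML EXPECTED_B64
  val=$(yaml_value "$1" shared_secret)
  [ -n "$val" ] || return 1
  [ "$val" = "$2" ] || return 1
  n=$(printf '%s' "$val" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# Template placeholders must not be applied to the cluster: every key in
# stringData has to be filled in and database_url must not be the sample URL.
check_secret_filled() { # check_secret_filled SECRET_YAML
  for key in database_url database_encryption_key license_key shared_secret; do
    v=$(yaml_value "$1" "$key")
    [ -n "$v" ] || { echo "secret.yaml: $key is empty" >&2; return 1; }
  done
  case "$(yaml_value "$1" database_url)" in
    *user:password@host/*)
      echo "secret.yaml: database_url still has the template value" >&2
      return 1 ;;
  esac
}

# Run all checks against a config directory, reading the bootstrap value live
# from the cluster. Exit non-zero on the first failed check.
preflight() { # preflight CONFIG_DIR
  b64=$(kubectl get secret bootstrap -n pomerium -o jsonpath='{.data.shared_secret}') || return 1
  check_audience "$1/config.yaml" "$1/ingress-console.yaml" \
    || { echo "config.yaml audience does not equal the Ingress host" >&2; return 1; }
  check_secret_filled "$1/secret.yaml" || return 1
  check_shared_secret "$1/secret.yaml" "$b64" \
    || { echo "shared_secret does not match the bootstrap secret or is not a 32-byte key" >&2; return 1; }
  echo "preflight OK"
}
```

Source the script and run `preflight ./config` immediately before `kubectl apply -k ./config`; a non-zero exit means one of the template values above is still inconsistent. The checks deliberately compare strings literally rather than parsing YAML, so a value such as `https://console.domain.com` in audience fails exactly as the comment in config.yaml says it should.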