Pomerium using Kubernetes

This quickstart will cover how to deploy Pomerium with Kubernetes. Though there are many ways to work with Kubernetes, for the purpose of this guide, we will use Google's Kubernetes Engine. That said, most of the following steps should be very similar using any other provider.

Prerequisites

Download

Retrieve the latest copy of pomerium's source code by cloning the repository.

git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
cd $HOME/pomerium/docs/docs/reference/examples/kubernetes

Configure

Edit ./kubernetes_gke.sh, making sure to change the identity provider secret value to match your identity provider, and the wildcard TLS certificate settings to match your own certificate.

#!/bin/bash
# NOTE! This will create real resources on Google GCP. Make sure you clean up any unused
# resources to avoid being billed.
# For reference, this tutorial cost ~10 cents for a couple of hours.
# NOTE! You must change the identity provider client secret setting in your config file!

echo "=> creating cluster"
gcloud container clusters create pomerium --num-nodes 2

echo "=> get cluster credentials so we can use kubectl locally"
gcloud container clusters get-credentials pomerium

echo "=> create config from kubernetes-config.yaml which we will mount"
kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"

echo "=> create our random shared-secret and cookie-secret keys as envars"
# 32 random bytes, base64-encoded; quoted so each value is passed as a single argument
kubectl create secret generic shared-secret --from-literal=shared-secret="$(head -c32 /dev/urandom | base64)"
kubectl create secret generic cookie-secret --from-literal=cookie-secret="$(head -c32 /dev/urandom | base64)"

echo "=> initialize secrets for TLS wild card for service use"
# The '*' is literally part of the directory name, so the path must stay quoted.
CERT_DIR="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc"
# The certificate and key are stored base64-encoded. GNU base64 wraps its output at
# 76 columns, so strip the newlines to keep each value on a single line.
kubectl create secret generic certificate \
	--from-literal=certificate="$(base64 < "$CERT_DIR/fullchain.cer" | tr -d '\n')"
kubectl create secret generic certificate-key \
	--from-literal=certificate-key="$(base64 < "$CERT_DIR/*.corp.beyondperimeter.com.key" | tr -d '\n')"

echo "=> load TLS to ingress"
kubectl create secret tls pomerium-tls \
	--key "$CERT_DIR/*.corp.beyondperimeter.com.key" \
	--cert "$CERT_DIR/fullchain.cer"

echo "=> deploy pomerium proxy, authorize, and authenticate"
kubectl apply -f pomerium-proxy.yml
kubectl apply -f pomerium-authenticate.yml
kubectl apply -f pomerium-authorize.yml

echo "=> deploy our test app, httpbin"
kubectl apply -f httpbin.yml

echo "=> deploy the GKE specific ingress"
kubectl apply -f ingress.yml

# Alternatively, nginx-ingress can be used
# kubectl apply -f ingress.nginx.yml

# When done, clean up by deleting the cluster!
# gcloud container clusters delete pomerium
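The secrets step of the script only works if each base64 value reaches kubectl as a single argument and if the certificate and key actually belong together. The following pre-flight helper is an added example, not part of the Pomerium repository or of the script above: the file paths and the preflight.sh name are placeholders, and the certificate checks assume openssl is installed.

```shell
#!/bin/sh
# Added example (not part of the Pomerium repository or kubernetes_gke.sh):
# pre-flight helpers for the key and TLS secrets the script creates.
# File paths are placeholders; cert_matches_key assumes openssl is installed.

# Encode a file as base64 on a single line. GNU base64 wraps at 76 columns,
# and an unquoted $(...) would then split the value into several arguments
# to kubectl; macOS base64 does not wrap. Removing newlines makes both agree.
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Generate a key the way the script does: 32 random bytes, base64-encoded.
gen_key() {
    head -c32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 when a base64 value decodes to exactly 32 bytes, i.e. a key of the
# size the script generates for shared-secret and cookie-secret.
is_32_byte_key() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq 32 ]
}

# Return 0 when the PEM certificate and private key carry the same public key
# (works for EC and RSA keys); a mismatch would make the TLS secret unusable.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Create the three certificate-related secrets with single-line values, after
# checking that the files are readable, match each other and are not about to expire.
create_tls_secrets() {
    cert=$1
    key=$2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "certificate or key not readable: $cert / $key" >&2
        return 1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "certificate and key do not match" >&2
        return 1
    fi
    # warn (but continue) if the certificate expires within 30 days
    openssl x509 -in "$cert" -noout -checkend 2592000 \
        || echo "warning: certificate expires within 30 days" >&2
    kubectl create secret generic certificate \
        --from-literal=certificate="$(b64_file "$cert")"
    kubectl create secret generic certificate-key \
        --from-literal=certificate-key="$(b64_file "$key")"
    kubectl create secret tls pomerium-tls --key "$key" --cert "$cert"
}

# Usage with placeholder paths (the literal '*' in the directory name is part of the path):
#   sh preflight.sh "$HOME/.acme.sh/*.your.domain.example_ecc/fullchain.cer" \
#                   "$HOME/.acme.sh/*.your.domain.example_ecc/*.your.domain.example.key"
if [ "$#" -eq 2 ]; then
    create_tls_secrets "$1" "$2"
fi
```

Run it after `gcloud container clusters get-credentials` and before the `kubectl apply` lines; it refuses to create the secrets when the certificate and key do not match, which is the failure that otherwise only shows up later as a TLS handshake error at the ingress.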

Run

Run ./kubernetes_gke.sh, which will:

  1. Provision a new cluster.
  2. Create authenticate, authorize, and proxy deployments.
  3. Provision and apply authenticate, authorize, and proxy services.
  4. Configure an ingress load balancer.

cd $HOME/pomerium/docs/docs/reference/examples/kubernetes
sh ./kubernetes_gke.sh

You should see roughly the following in your terminal. Note that provisioning takes a few minutes.

[asciicast: terminal recording of the script running]

And if you check out Google's Kubernetes Engine dashboard you'll see something like:

[Screenshot: Google's Kubernetes Engine dashboard]

Open a browser and navigate to httpbin.your.domain.example, substituting your own domain.