From f330b5207660fb24c02c5cdbfade75292b43c761 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Thu, 27 May 2021 13:36:18 -0700
Subject: [PATCH] Update values.yaml to include CredentialIssuer ImpersonationProxy spec.
---
deploy/concierge/deployment.yaml | 13 ++++++---
deploy/concierge/values.yaml | 30 ++++++++++++++++++++
site/content/docs/howto/install-concierge.md | 2 ++
3 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/deploy/concierge/deployment.yaml b/deploy/concierge/deployment.yaml
index c00ce5e4..31c7fe68 100644
--- a/deploy/concierge/deployment.yaml
+++ b/deploy/concierge/deployment.yaml
@@ -255,8 +255,13 @@ metadata:
 labels: #@ labels()
 spec:
 impersonationProxy:
- mode: auto
+ mode: #@ data.values.impersonation_proxy_spec.mode
+ #@ if data.values.impersonation_proxy_spec.external_endpoint:
+ externalEndpoint: #@ data.values.impersonation_proxy_spec.external_endpoint
+ #@ end
 service:
- mode: LoadBalancer
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
+ mode: #@ data.values.impersonation_proxy_spec.service.mode
+ #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
+ loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
+ #@ end
+ annotations: #@ data.values.impersonation_proxy_spec.service.annotations
diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml
index 05d550db..0445afb2 100644
--- a/deploy/concierge/values.yaml
+++ b/deploy/concierge/values.yaml
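Review bot: `loadBalancerIP` is emitted whenever `service.load_balancer_ip` is set, independent of `service.mode`, so a values file with `mode: ClusterIP` (or `None`) plus a `load_balancer_ip` still renders `loadBalancerIP` into the CredentialIssuer spec, although the values.yaml comment says the field applies only to mode LoadBalancer; whether the Concierge rejects or silently ignores it in the other modes is not visible here. Gating the conditional on the mode keeps the rendered spec consistent with the documented contract: `#@ if data.values.impersonation_proxy_spec.service.mode == "LoadBalancer" and data.values.impersonation_proxy_spec.service.load_balancer_ip:`. `mode` and `service.mode` are also passed through without validation, so a misspelled value only surfaces when the CredentialIssuer is applied; a ytt `fail()` guard against the documented set of values would report it at render time instead. The enclosing CredentialIssuer document starts before this hunk.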
@@ -63,3 +63,33 @@ run_as_group: 1001 #! run_as_group specifies the group ID that will own the proc
 #! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
 #! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
 api_group_suffix: pinniped.dev
+
+#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
+#! handles impersonation.
+impersonation_proxy_spec:
+ #! options are "auto", "disabled" or "enabled".
+ #! If auto, the impersonation proxy will run only if the cluster signing key is not available
+ #! and the other strategy does not work.
+ #! If disabled, the impersonation proxy will never run, which could mean that the concierge
+ #! doesn't work at all.
+ #! If enabled, the impersonation proxy will always run regardless of other strategies available.
+ mode: auto
+ #! The endpoint which the client should use to connect to the impersonation proxy.
+ #! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
+ #! endpoint.
+ external_endpoint:
+ service:
+ #! Options are "LoadBalancer", "ClusterIP" and "None".
+ #! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
+ #! the impersonation proxy. Some cloud providers will allocate
+ #! a public IP address by default even on private clusters.
+ #! ClusterIP automatically provisions a Service of type ClusterIP pointing at the
+ #! impersonation proxy.
+ #! None does not provision either and assumes that you have set the external_endpoint
+ #! and set up your own ingress to connect to the impersonation proxy.
+ mode: LoadBalancer
+ #! The annotations that should be set on the ClusterIP or LoadBalancer Service.
+ annotations:
+ {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
+ #! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
+ load_balancer_ip:
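Review bot: The `annotations` default is written as a flow mapping on the line below its key, while every other value in the file is in block style; `annotations:` followed by an indented `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"` is the same data and is easier to override per key. `external_endpoint:` and `load_balancer_ip:` are bare keys that parse as null, which the deployment template's `#@ if` checks depend on; writing them as `external_endpoint: null` and `load_balancer_ip: null` makes that intent explicit without changing the parsed value. The LoadBalancer comment already notes that some providers allocate a public IP; since that mode is the default, it would help to add to the same comment that `ClusterIP` or `None` is the choice when the proxy must not be reachable from outside the cluster, so readers of the values file alone see the trade-off the install howto warns about.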
diff --git a/site/content/docs/howto/install-concierge.md b/site/content/docs/howto/install-concierge.md
index 7eed25d7..9fd06065 100644
--- a/site/content/docs/howto/install-concierge.md
+++ b/site/content/docs/howto/install-concierge.md
@@ -17,6 +17,8 @@ You should have a [supported Kubernetes cluster]({{< ref "../reference/supported
 1. Install the latest version of the Concierge into the `pinniped-concierge` namespace with default options:
 - `kubectl apply -f https://get.pinniped.dev/latest/install-pinniped-concierge.yaml`
+
+Warning: the default configuration may create a public LoadBalancer Service on your cluster.
 ## With specific version and default options