Update values.yaml to include CredentialIssuer ImpersonationProxy spec.

deploy/concierge/deployment.yaml

@@ -255,8 +255,13 @@ metadata:
   labels: #@ labels()
 spec:
   impersonationProxy:
-    mode: auto
+    mode: #@ data.values.impersonation_proxy_spec.mode
+    #@ if data.values.impersonation_proxy_spec.external_endpoint:
+    externalEndpoint: #@ data.values.impersonation_proxy_spec.external_endpoint
+    #@ end
     service:
-      mode: LoadBalancer
+      mode: #@ data.values.impersonation_proxy_spec.service.mode
-      annotations:
+      #@ if data.values.impersonation_proxy_spec.service.load_balancer_ip:
-        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
+      loadBalancerIP: #@ data.values.impersonation_proxy_spec.service.load_balancer_ip
+      #@ end
+      annotations: #@ data.values.impersonation_proxy_spec.service.annotations

deploy/concierge/values.yaml

@@ -63,3 +63,33 @@ run_as_group: 1001 #! run_as_group specifies the group ID that will own the proc
 #! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
 #! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
 api_group_suffix: pinniped.dev
+
+#! Customize CredentialIssuer.spec.impersonationProxy to change how the concierge
+#! handles impersonation.
+impersonation_proxy_spec:
+  #! options are "auto", "disabled" or "enabled".
+  #! If auto, the impersonation proxy will run only if the cluster signing key is not available
+  #! and the other strategy does not work.
+  #! If disabled, the impersonation proxy will never run, which could mean that the concierge
+  #! doesn't work at all.
+  #! If enabled, the impersonation proxy will always run regardless of other strategies available.
+  mode: auto
+  #! The endpoint which the client should use to connect to the impersonation proxy.
+  #! If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer
+  #! endpoint.
+  external_endpoint:
+  service:
+    #! Options are "LoadBalancer", "ClusterIP" and "None".
+    #! LoadBalancer automatically provisions a Service of type LoadBalancer pointing at
+    #! the impersonation proxy. Some cloud providers will allocate
+    #! a public IP address by default even on private clusters.
+    #! ClusterIP automatically provisions a Service of type ClusterIP pointing at the
+    #! impersonation proxy.
+    #! None does not provision either and assumes that you have set the external_endpoint
+    #! and set up your own ingress to connect to the impersonation proxy.
+    mode: LoadBalancer
+    #! The annotations that should be set on the ClusterIP or LoadBalancer Service.
+    annotations:
+      {service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"}
+    #! When mode LoadBalancer is set, this will set the LoadBalancer Service's Spec.LoadBalancerIP.
+    load_balancer_ip:

site/content/docs/howto/install-concierge.md

@@ -17,6 +17,8 @@ You should have a [supported Kubernetes cluster]({{< ref "../reference/supported
 1. Install the latest version of the Concierge into the `pinniped-concierge` namespace with default options:
 
    - `kubectl apply -f https://get.pinniped.dev/latest/install-pinniped-concierge.yaml`
+    
+Warning: the default configuration may create a public LoadBalancer Service on your cluster.
 
 ## With specific version and default options