Pomerium is an open-source tool for managing secure access to internal applications and resources.
helm install --name my-release stable/pomeriumNote: Pomerium depends on being configured with a third party identity providers to function properly. If you run pomerium without specifiying default values, you will need to change those configuration variables following setup.
An example of a minimal, but complete installation of pomerium with identity provider settings, random secrets, certificates, and external URLs is as follows:
helm install --name my-release \
--set config.rootDomain="corp.example.com" \
--set ingress.tls.certificate=$(base64 -i "*.corp.example.com.cer") \
--set ingress.tls.key=$(base64 -i "*.corp.example.com.key") \
--set config.policy=$(base64 -i "policy.yaml") \
--set authenticate.idp.provider="google" \
--set authenticate.idp.clientID="REPLACE_ME" \
--set authenticate.idp.clientSecret="REPLACE_ME"
stable/pomeriumTo uninstall/delete the my-release deployment:
helm delete --purge my-releaseThe command removes nearly all the Kubernetes components associated with the chart and deletes the release.
A full listing of Pomerium's configuration variables can be found on the config reference page.
| Parameter | Description | Default |
|---|---|---|
config.rootDomain |
Root Domain specifies the sub-domain handled by pomerium. See more. | corp.pomerium.io |
config.generateTLS |
Generate a dummy Certificate Authority and certs for service communication. Manual CA and certs can be set in values. | true |
config.sharedSecret |
256 bit key to secure service communication. See more. | 32 random ascii chars |
config.cookieSecret |
Cookie secret is a 32 byte key used to encrypt user sessions. | 32 random ascii chars |
config.policy |
Base64 encoded string containing the routes, and their access policies. | |
config.policyFile |
Relative file location of the policy file which contains the routes, and their access policies. | See example in values |
authenticate.nameOverride |
Name of the authenticate service. | |
authenticate.fullnameOverride |
Full name of the authenticate service. | |
authenticate.redirectUrl |
Redirect URL is the url the user will be redirected to following authentication with the third-party identity provider (IdP). See more. | https://{{authenticate.name}}.{{config.rootDomain}}/oauth2/callback |
authenticate.idp.provider |
Identity Provider Name. | google |
authenticate.idp.clientID |
Identity Provider oauth client ID. | Required |
authenticate.idp.clientSecret |
Identity Provider oauth client secret. | Required |
authenticate.idp.url |
Identity Provider URL. | Optional |
authenticate.idp.serviceAccount |
Identity Provider service account. | Optional |
proxy.nameOverride |
Name of the proxy service. | |
proxy.fullnameOverride |
Full name of the proxy service. | |
proxy.authenticateServiceUrl |
The externally accessible url for the authenticate service. | https://{{authenticate.name}}.{{config.rootDomain}} |
proxy.authorizeServiceUrl |
The externally accessible url for the authorize service. | https://{{authorize.name}}.{{config.rootDomain}} |
authorize.nameOverride |
Name of the authorize service. | |
authorize.fullnameOverride |
Full name of the authorize service. | |
images.server.repository |
Pomerium image | pomerium/pomerium |
images.server.tag |
Pomerium image tag | latest |
images.server.pullPolicy |
Pomerium image pull policy | Always |
service.annotations |
Service annotations | {} |
service.externalPort |
Pomerium's port | 443 |
service.type |
Service type (ClusterIP, NodePort or LoadBalancer) | ClusterIP |
ingress.enabled |
Enables Ingress for pomerium | false |
ingress.annotations |
Ingress annotations | {} |
ingress.hosts |
Ingress accepted hostnames | nil |
ingress.tls |
Ingress TLS configuration | [] |