Pomerium Ingress Tutorial

.spelling

@@ -79,6 +79,7 @@ HTTPRoute
 HashiCorp
 Helmfile
 IAM
+IdP
 INWX
 IPs
 IPv6
@@ -94,6 +95,7 @@ KUARD
 Kirill-Garbar
 Knative
 Krew
+kuard
 KubeCon
 Kubernetes
 Kyverno
@@ -116,9 +118,11 @@ OperatorHub.io
 PEM
 PKCS#12
 PKCS#8
+Pomerium
 PowerShell
 Prometheus
 RBAC
+Redis
 RFC2136
 RFC8555
 RR
@@ -257,6 +261,7 @@ namespace
 namespaced
 namespaces
 ndegory
+oauth2
 openshift-supported-versions
 powershell
 pre

content/en/docs/tutorials/_index.md

@@ -10,7 +10,8 @@ for you to learn from. Take a look!
 
 - [Backup and Restore Resources](./backup/): Backup the cert-manager resources
   in your cluster and then restore them.
-- [Securing Ingresses with NGINX-Ingress and cert-manager](./acme/ingress/): Tutorial for deploying NGINX into your
+- [Pomerium Ingress](./acme/pomerium-ingress/): Tutorial on using the Pomerium Ingress Controller with cert-manager.
+- [Securing Ingresses with NGINX-Ingress and cert-manager](./acme/nginx-ingress/): Tutorial for deploying NGINX into your
   cluster and securing incoming connections with a certificate from Let's Encrypt.
 - [Issuing an ACME Certificate using DNS Validation](./acme/dns-validation/):
   Tutorial on how to resolve DNS ownership validation using DNS01 challenges.

content/en/docs/tutorials/acme/example/pomerium-certificates.yaml

@@ -0,0 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pomerium-cert
+  namespace: pomerium
+spec:
+  secretName: pomerium-tls
+  issuerRef:
+    name: pomerium-issuer
+    kind: Issuer
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - pomerium-proxy.pomerium.svc.cluster.local
+    - pomerium-authorize.pomerium.svc.cluster.local
+    - pomerium-databroker.pomerium.svc.cluster.local
+    - pomerium-authenticate.pomerium.svc.cluster.local
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pomerium-redis-cert
+  namespace: pomerium
+spec:
+  secretName: pomerium-redis-tls
+  issuerRef:
+    name: pomerium-issuer
+    kind: Issuer
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - pomerium-redis-master.pomerium.svc.cluster.local
+    - pomerium-redis-headless.pomerium.svc.cluster.local
+    - pomerium-redis-replicas.pomerium.svc.cluster.local

content/en/docs/tutorials/acme/example/pomerium-production-issuer.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: user@example.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: pomerium

content/en/docs/tutorials/acme/example/pomerium-staging-issuer.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: user@example.com
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class:  pomerium

content/en/docs/tutorials/acme/example/pomerium-values.yaml

@@ -0,0 +1,39 @@
+authenticate:
+  existingTLSSecret: pomerium-tls
+  idp:
+    provider: "google"
+    clientID: YOUR_CLIENT_ID
+    clientSecret: YOUR_SECRET
+    serviceAccount: YOUR_SERVICE_ACCOUNT
+  ingress:
+    annotations:
+      cert-manager.io/issuer: letsencrypt-staging
+    tls:
+      secretName: authenticate.localhost.pomerium.io-tls 
+
+proxy:
+  existingTLSSecret: pomerium-tls
+
+databroker:
+  existingTLSSecret: pomerium-tls
+  storage:
+    clientTLS:
+      existingSecretName: pomerium-redis-tls
+      existingCASecretKey: ca.crt
+
+authorize:
+  existingTLSSecret: pomerium-tls
+
+redis:
+  enabled: true
+  generateTLS: false
+  tls:
+    certificateSecret: pomerium-redis-tls
+
+ingressController:
+  enabled: true
+
+config:
+  rootDomain: localhost.pomerium.io #Change this to your reserved domain space.
+  existingCASecret: pomerium-tls
+  generateTLS: false # On by default, disabled when cert-manager or another solution is in place.