diff --git a/apis/ingress/v1/deprecation.go b/apis/ingress/v1/deprecation.go
index 54880409..8cd6c598 100644
--- a/apis/ingress/v1/deprecation.go
+++ b/apis/ingress/v1/deprecation.go
@@ -10,19 +10,13 @@ import (
"github.com/iancoleman/strcase"
)
-var (
- deprecatedFields = map[string]pom_cfg.FieldMsg{
- "idp_directory_sync": {
- DocsURL: "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
- FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved,
- KeyAction: pom_cfg.KeyActionWarn,
- },
- "redis": {
- FieldCheckMsg: "not recommended for new deployments, use PostgreSQL",
- KeyAction: pom_cfg.KeyActionWarn,
- },
- }
-)
+var deprecatedFields = map[string]pom_cfg.FieldMsg{
+ "idp_directory_sync": {
+ DocsURL: "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+ FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved,
+ KeyAction: pom_cfg.KeyActionWarn,
+ },
+}
// GetDeprecations returns deprecation warnings
func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error) {
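Review bot: The `redis` entry is deleted outright instead of being turned into a removed-field entry the way `idp_directory_sync` is kept, so an existing Pomerium object that still sets `storage.redis` gets no upgrade hint from GetDeprecations. Whether such an entry could still fire is not visible here: the struct field removed in pomerium_types.go carried a `deprecated:"redis"` tag, and if the lookup is driven by those tags a map entry without a field would be dead. If it is not tag-driven, an entry shaped like `"redis": {DocsURL: "<UPGRADE_GUIDE_URL>", FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved, KeyAction: pom_cfg.KeyActionWarn},` would follow the existing pattern; otherwise the upgrade guide is the only place left to announce the removal. GetDeprecations' body lies outside the hunk.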
diff --git a/apis/ingress/v1/deprecation_test.go b/apis/ingress/v1/deprecation_test.go
index ece70e58..f551d9a5 100644
--- a/apis/ingress/v1/deprecation_test.go
+++ b/apis/ingress/v1/deprecation_test.go
@@ -14,20 +14,17 @@ import (
func TestDeprecations(t *testing.T) {
msgs, err := api.GetDeprecations(&api.PomeriumSpec{
Authenticate: new(api.Authenticate),
- IdentityProvider: &api.IdentityProvider{Provider: "google", URL: proto.String("http://google.com"),
+ IdentityProvider: &api.IdentityProvider{
+ Provider: "google", URL: proto.String("http://google.com"),
ServiceAccountFromSecret: proto.String("secret"),
RefreshDirectory: &api.RefreshDirectorySettings{
Interval: v1.Duration{Duration: time.Minute},
Timeout: v1.Duration{Duration: time.Minute},
- }},
- Certificates: []string{},
- Secrets: "",
- Storage: &api.Storage{
- Redis: &api.RedisStorage{
- Secret: "redis",
},
},
+ Certificates: []string{},
+ Secrets: "",
})
require.NoError(t, err)
- require.Len(t, msgs, 3)
+ require.Len(t, msgs, 2)
}
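Review bot: `require.Len(t, msgs, 2)` only counts the returned messages, so the test cannot tell which deprecations fired; if `idp_directory_sync` stopped matching and some other warning started, the count would still pass. Collecting the key of each message into a slice and comparing it with `require.ElementsMatch` against the expected keys would pin the behaviour. The field holding the key is not shown in this hunk (pomerium/config.go builds a `config.FieldMsg` with `Key:`, which is presumably the same type), so confirm the name before adding the assertion.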
diff --git a/apis/ingress/v1/pomerium_types.go b/apis/ingress/v1/pomerium_types.go
index 1a95d8be..b8c1041b 100644
--- a/apis/ingress/v1/pomerium_types.go
+++ b/apis/ingress/v1/pomerium_types.go
@@ -79,35 +79,6 @@ type RefreshDirectorySettings struct {
Timeout metav1.Duration `json:"timeout"`
}
-// RedisStorage defines REDIS databroker storage backend bootstrap parameters.
-// Redis is supported for legacy deployments, new deployments should use PostgreSQL.
-type RedisStorage struct {
- // Secret specifies a name of a Secret that must contain
- //
+
+
+ AccessLogFields sets the access fields to log.
+
@@ -40,6 +56,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
+
+
+ AuthorizeLogFields sets the authorize fields to log.
+
@@ -125,6 +157,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
+
+
+ PassIdentityHeaders sets the pass identity headers option.
+
@@ -194,6 +242,39 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
+
+
+ Timeout specifies the global timeouts for all routes.
+
+
+
+ UseProxyProtocol enables Proxy Protocol support.
+ connection
key.
- // +kubebuilder:validation:Required
- // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:Format="namespace/name"
- Secret string `json:"secret"`
- // TLSSecret should refer to a k8s secret of type kubernetes.io/tls
- // that would be used to perform TLS connection to REDIS.
- // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:Format="namespace/name"
- TLSSecret *string `json:"tlsSecret"`
- // CASecret should refer to a k8s secret with key ca.crt
that must be a PEM-encoded
- // certificate authority to use when connecting to the databroker storage engine.
- // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:Format="namespace/name"
- CASecret *string `json:"caSecret"`
- // TLSSkipVerify disables TLS certificate chain validation.
- // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Type=boolean
- TLSSkipVerify bool `json:"tlsSkipVerify"`
-}
-
// PostgresStorage defines Postgres connection parameters.
type PostgresStorage struct {
// Secret specifies a name of a Secret that must contain
@@ -144,13 +115,9 @@ type PostgresStorage struct {
// Storage defines persistent storage option for the databroker
// and is only applied for all-in-one pomerium bootstrap,
// and has no effect for the split-mode deployment.
-// If Storage is specified, either `redis` or `postgresql` parameter should be set.
-// Omit setting storage to use in-memory storage implementation.
+// If Storage is specified, the `postgresql` parameter should be set.
+// Omit setting storage to use the in-memory storage implementation.
type Storage struct {
- // Redis defines REDIS connection parameters
- // +kubebuilder:validation:Optional
- Redis *RedisStorage `json:"redis" deprecated:"redis"`
-
// Postgres specifies PostgreSQL database connection parameters
// +kubebuilder:validation:Optional
Postgres *PostgresStorage `json:"postgres"`
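Review bot: The new Storage doc comment says the `postgresql` parameter should be set, but the field's JSON key is `postgres` (see the `json:"postgres"` tag on the Postgres field at the end of the hunk), so the generated CRD description and reference docs will point users at a key that does not exist. The added comment line should read `// If Storage is specified, the \`postgres\` parameter should be set.` with the key spelled as in the tag. The Storage struct continues past the end of the hunk.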
diff --git a/apis/ingress/v1/zz_generated.deepcopy.go b/apis/ingress/v1/zz_generated.deepcopy.go
index 16d6a469..80f8b001 100644
--- a/apis/ingress/v1/zz_generated.deepcopy.go
+++ b/apis/ingress/v1/zz_generated.deepcopy.go
@@ -330,31 +330,6 @@ func (in *PostgresStorage) DeepCopy() *PostgresStorage {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RedisStorage) DeepCopyInto(out *RedisStorage) {
- *out = *in
- if in.TLSSecret != nil {
- in, out := &in.TLSSecret, &out.TLSSecret
- *out = new(string)
- **out = **in
- }
- if in.CASecret != nil {
- in, out := &in.CASecret, &out.CASecret
- *out = new(string)
- **out = **in
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisStorage.
-func (in *RedisStorage) DeepCopy() *RedisStorage {
- if in == nil {
- return nil
- }
- out := new(RedisStorage)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RefreshDirectorySettings) DeepCopyInto(out *RefreshDirectorySettings) {
*out = *in
@@ -401,11 +376,6 @@ func (in *ResourceStatus) DeepCopy() *ResourceStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Storage) DeepCopyInto(out *Storage) {
*out = *in
- if in.Redis != nil {
- in, out := &in.Redis, &out.Redis
- *out = new(RedisStorage)
- (*in).DeepCopyInto(*out)
- }
if in.Postgres != nil {
in, out := &in.Postgres, &out.Postgres
*out = new(PostgresStorage)
diff --git a/config/crd/bases/ingress.pomerium.io_pomerium.yaml b/config/crd/bases/ingress.pomerium.io_pomerium.yaml
index 1e5a813e..ce27932e 100644
--- a/config/crd/bases/ingress.pomerium.io_pomerium.yaml
+++ b/config/crd/bases/ingress.pomerium.io_pomerium.yaml
@@ -289,36 +289,6 @@ spec:
required:
- secret
type: object
- redis:
- description: Redis defines REDIS connection parameters
- properties:
- caSecret:
- description: CASecret should refer to a k8s secret with key
- ca.crt
that must be a PEM-encoded certificate
- authority to use when connecting to the databroker storage
- engine.
- format: namespace/name
- type: string
- secret:
- description: Secret specifies a name of a Secret that must
- contain connection
key.
- format: namespace/name
- minLength: 1
- type: string
- tlsSecret:
- description: TLSSecret should refer to a k8s secret of type
- kubernetes.io/tls
that would be used to perform
- TLS connection to REDIS.
- format: namespace/name
- minLength: 1
- type: string
- tlsSkipVerify:
- description: TLSSkipVerify disables TLS certificate chain
- validation.
- type: boolean
- required:
- - secret
- type: object
type: object
timeouts:
description: Timeout specifies the global
diff --git a/controllers/settings/fetch.go b/controllers/settings/fetch.go
index d88ef0b3..1bb1b950 100644
--- a/controllers/settings/fetch.go
+++ b/controllers/settings/fetch.go
@@ -126,15 +126,7 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
return nil
}
- if r := s.Storage.Redis; r != nil {
- if err := applyAll(
- apply("connection", required(&r.Secret), &cfg.StorageSecrets.Secret),
- apply("tls", optional(r.TLSSecret), &cfg.StorageSecrets.TLS),
- apply("ca", optional(r.CASecret), &cfg.StorageSecrets.CA),
- ); err != nil {
- return fmt.Errorf("redis: %w", err)
- }
- } else if p := s.Storage.Postgres; p != nil {
+ if p := s.Storage.Postgres; p != nil {
if err := applyAll(
apply("connection", required(&p.Secret), &cfg.StorageSecrets.Secret),
apply("tls", optional(p.TLSSecret), &cfg.StorageSecrets.TLS),
@@ -143,7 +135,7 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
return fmt.Errorf("postgresql: %w", err)
}
} else {
- return fmt.Errorf("if storage is specified, either redis or postgres storage should be provided")
+ return fmt.Errorf("if storage is specified, postgres storage should be provided")
}
return cfg.StorageSecrets.Validate()
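Review bot: The new error at the end of the second hunk, `postgres storage should be provided`, is what an existing Pomerium object that still sets `storage.redis` will hit after this upgrade: once the CRD drops the `redis` property the apiserver would prune the key, `s.Storage` stays non-nil with `Postgres == nil`, and reconciliation fails with a message that never mentions Redis. Pointing such users at the migration, e.g. `return fmt.Errorf("if storage is specified, postgres storage should be provided (redis storage is no longer supported, see the upgrade guide)")`, would make the failure actionable; the same applies to the replacement message in the applyStorage hunk of pomerium/ctrl/bootstrap.go. Whether pruning actually occurs depends on the CRD being structural with pruning enabled, which this diff does not show. fetchConfigSecrets begins outside the hunk.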
diff --git a/controllers/settings/fetch_test.go b/controllers/settings/fetch_test.go
index 59b74979..6b33978b 100644
--- a/controllers/settings/fetch_test.go
+++ b/controllers/settings/fetch_test.go
@@ -42,25 +42,6 @@ func TestFetchConstraints(t *testing.T) {
}{
"idp-secrets": {},
"bootstrap-secrets": {},
- "redis": {
- corev1.SecretTypeOpaque,
- map[string][]byte{
- model.StorageConnectionStringKey: []byte("redis://"),
- },
- },
- "redis-ca": {
- corev1.SecretTypeOpaque,
- map[string][]byte{
- model.CAKey: []byte("ca-data"),
- },
- },
- "redis-tls": {
- corev1.SecretTypeTLS,
- map[string][]byte{
- corev1.TLSCertKey: []byte("cert-data"),
- corev1.TLSPrivateKeyKey: []byte("key-data"),
- },
- },
"postgres": {
corev1.SecretTypeOpaque,
map[string][]byte{
@@ -119,31 +100,6 @@ func TestFetchConstraints(t *testing.T) {
Secrets: "pomerium/bootstrap-secrets",
Storage: &icsv1.Storage{},
}, assert.Error},
- {"redis: secret missing", icsv1.PomeriumSpec{
- Authenticate: new(icsv1.Authenticate),
- IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
- Certificates: []string{},
- Secrets: "pomerium/bootstrap-secrets",
- Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{}},
- }, assert.Error},
- {"redis: secret present", icsv1.PomeriumSpec{
- Authenticate: new(icsv1.Authenticate),
- IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
- Certificates: []string{},
- Secrets: "pomerium/bootstrap-secrets",
- Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{Secret: "pomerium/redis"}},
- }, assert.NoError},
- {"redis: ca + tls", icsv1.PomeriumSpec{
- Authenticate: new(icsv1.Authenticate),
- IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
- Certificates: []string{},
- Secrets: "pomerium/bootstrap-secrets",
- Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{
- Secret: "pomerium/redis",
- CASecret: proto.String("pomerium/redis-ca"),
- TLSSecret: proto.String("pomerium/redis-tls"),
- }},
- }, assert.NoError},
{"postgres: secret missing", icsv1.PomeriumSpec{
Authenticate: new(icsv1.Authenticate),
IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
diff --git a/deployment.yaml b/deployment.yaml
index 89712b38..5cd12594 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -297,36 +297,6 @@ spec:
required:
- secret
type: object
- redis:
- description: Redis defines REDIS connection parameters
- properties:
- caSecret:
- description: CASecret should refer to a k8s secret with key
- ca.crt
that must be a PEM-encoded certificate
- authority to use when connecting to the databroker storage
- engine.
- format: namespace/name
- type: string
- secret:
- description: Secret specifies a name of a Secret that must
- contain connection
key.
- format: namespace/name
- minLength: 1
- type: string
- tlsSecret:
- description: TLSSecret should refer to a k8s secret of type
- kubernetes.io/tls
that would be used to perform
- TLS connection to REDIS.
- format: namespace/name
- minLength: 1
- type: string
- tlsSkipVerify:
- description: TLSSkipVerify disables TLS certificate chain
- validation.
- type: boolean
- required:
- - secret
- type: object
type: object
timeouts:
description: Timeout specifies the global
diff --git a/pomerium/config.go b/pomerium/config.go
index 86514c51..c719b2f6 100644
--- a/pomerium/config.go
+++ b/pomerium/config.go
@@ -61,7 +61,7 @@ func applyConfig(ctx context.Context, p *pb.Config, c *model.Config) error {
}
func checkForWarnings(ctx context.Context, _ *pb.Config, c *model.Config) error {
- if c.Spec.Storage == nil || (c.Spec.Storage.Redis == nil && c.Spec.Storage.Postgres == nil) {
+ if c.Spec.Storage == nil || c.Spec.Storage.Postgres == nil {
util.Add(ctx, config.FieldMsg{
Key: "storage",
DocsURL: "https://www.pomerium.com/docs/topics/data-storage#persistence",
diff --git a/pomerium/ctrl/bootstrap.go b/pomerium/ctrl/bootstrap.go
index c790ce6b..ae30dc62 100644
--- a/pomerium/ctrl/bootstrap.go
+++ b/pomerium/ctrl/bootstrap.go
@@ -82,42 +82,8 @@ func applyStorage(ctx context.Context, dst *config.Options, src *model.Config) e
if src.Spec.Storage.Postgres != nil {
return applyStoragePostgres(dst, src)
}
- if src.Spec.Storage.Redis != nil {
- return applyStorageRedis(dst, src)
- }
-
- return fmt.Errorf("if storage is specified, it must contain either redis or postgresql config. omit storage key for in-memory")
-}
-
-func applyStorageRedis(dst *config.Options, src *model.Config) error {
- conn, ok := src.StorageSecrets.Secret.Data[model.StorageConnectionStringKey]
- if !ok {
- return fmt.Errorf("storage secret must have %s key", model.StorageConnectionStringKey)
- }
-
- dst.DataBrokerStorageConnectionString = string(conn)
- dst.DataBrokerStorageCertSkipVerify = src.Spec.Storage.Redis.TLSSkipVerify
- if src.StorageSecrets.CA != nil {
- ca, err := storageFiles.CreateFile("ca.pem", src.StorageSecrets.Secret.Data[model.CAKey])
- if err != nil {
- return fmt.Errorf("ca: %w", err)
- }
- dst.DataBrokerStorageCAFile = ca
- }
- if src.StorageSecrets.TLS != nil {
- cert, err := storageFiles.CreateFile("cert.pem", src.StorageSecrets.TLS.Data[corev1.TLSCertKey])
- if err != nil {
- return fmt.Errorf("tls cert: %w", err)
- }
- key, err := storageFiles.CreateFile("key.pem", src.StorageSecrets.TLS.Data[corev1.TLSPrivateKeyKey])
- if err != nil {
- return fmt.Errorf("tls key: %w", err)
- }
- dst.DataBrokerStorageCertFile = cert
- dst.DataBrokerStorageCertKeyFile = key
- }
- return nil
+ return fmt.Errorf("if storage is specified, it must contain postgresql config. omit storage key for in-memory")
}
func applyStoragePostgres(dst *config.Options, src *model.Config) error {
diff --git a/reference.md b/reference.md
index f3a157ac..c86e1b38 100644
--- a/reference.md
+++ b/reference.md
@@ -23,6 +23,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
+
+
+
+
+ accessLogFields
+
+ []string
+
+
+
+
+
+
+ authorizeLogFields
+
+ []string
+
+
+
+
+
+
+ passIdentityHeaders
+
+ boolean
+
+
+
+
+
+
+
+ timeouts
+
+ object
+ (timeouts)
+
+
+
+
@@ -586,9 +667,9 @@ Postgres specifies PostgreSQL database connection parameters
-### `redis`
+### `refreshDirectory`
-Redis defines REDIS connection parameters
+RefreshDirectory is no longer supported, please see Upgrade Guide.
+
+ useProxyProtocol
+
+ boolean
+
+
-
-
- CASecret should refer to a k8s secret with key namespace/name format.
+ Format: a duration string like "22s" as parsed by Golang time.ParseDuration.
|
-
Required.
- Secret specifies a name of a Secret that must contain namespace/name format.
+ Format: a duration string like "22s" as parsed by Golang time.ParseDuration.
|
-
- |
- TLSSecret should refer to a k8s secret of type kubernetes.io/tls
that would be used to perform TLS connection to REDIS.
-
namespace/name
format.
+Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
-
-
+
- - TLSSkipVerify disables TLS certificate chain validation. + Postgres specifies PostgreSQL database connection parameters |
@@ -673,9 +750,9 @@ Redis defines REDIS connection parameters
-### `refreshDirectory`
+### `timeouts`
-RefreshDirectory is no longer supported, please see Upgrade Guide.
+Timeout specifies the global timeouts for all routes.
- - Postgres specifies PostgreSQL database connection parameters + Write specifies max stream duration is the maximum time that a stream’s lifetime will span. An HTTP request/response exchange fully consumes a single stream. Therefore, this value must be greater than read_timeout as it covers both request and response time. - |
-
-
- - - Redis defines REDIS connection parameters - + Format: a duration string like "22s" as parsed by Golang time.ParseDuration. |