pomerium / pomerium-helm

Official helm charts for Pomerium.

Home Page: https://helm.pomerium.io/

config.insecure doesn't behave as expected (or does it?)

rguichard opened this issue · comments

What happened?

With Pomerium-helm 27.0.0, when requesting the authenticate endpoint, the certificate received by the client is the certificate provided by the authenticate Pods and not the certificate owned by the Ingress. As if it was a TLS passthrough.

If I use the value config.insecure: true, the Ingress certificate is correctly exposed.

What did you expect to happen?

For me, config.insecure would mean that there is no true TLS (self-signed certs, unverified TLS connections, etc.) traffic between components. Not that the Pod terminates the TLS connection instead of the Ingress.

If this is the correct intended behavior, I would suggest updating the documentation because it is actually not very clear.

Steps to reproduce

Pomerium-helm chart >27.0.0

values.yaml

config:
  insecure: true
authenticate:
  ingress:
    tls:
      secretName: pomerium-authenticate-cert
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-dns

What's your environment like?

  • Chart version: > 27.0.0
  • Container image: 0.16.2
  • Kubernetes version: 1.20
  • Cloud provider: aws

What are the contents of your config secret?

kubectl get secret pomerium -o=jsonpath="{.data['config\.yaml']}" | base64 -D

# Paste here
# Be sure to scrub any sensitive values

What did you see in the logs?

# Paste your logs here.
# Be sure to scrub any sensitive values

Additional context

Add any other context about the problem here.

I think the issue is ingress-controller related, so I reopened it there: pomerium/ingress-controller#142