Found it! By default `ingress.enabled` is set to `true`, and this seems to set the authenticate service's internal URL incorrectly. By setting `ingress.enabled` to `false` I get the redirect and everything works as intended.
Working Helm configs
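authenticate:
  idp:
    provider: "google"
    # Substituted at deploy time; quoted so an empty or odd-looking
    # expansion is still parsed as a string rather than null/bool.
    clientID: "${client_id}"
    clientSecret: "${client_secret}"
  existingTLSSecret: pomerium-tls
  ingress:
    annotations:
      cert-manager.io/issuer: letsencrypt-staging
      ingress.pomerium.io/service_proxy_upstream: "true"
    tls:
      secretName: authenticate-tools-tls

forwardAuth:
  enabled: false

# Chart-level ingress is disabled on purpose: with it enabled the
# authenticate service URL was set incorrectly (see note above).
ingress:
  enabled: false

ingressController:
  enabled: true
  # config:
  #   operatorMode: true
  # image:
  #   tag: "v0.15.3"

# image:
#   repository: "pomerium/pomerium"
#   tag: "v0.15.8"
#   pullPolicy: "IfNotPresent"

config:
  # routes under this wildcard domain are handled by pomerium
  rootDomain: tools.dev.sw.io
  # Internal service TLS comes from a pre-provisioned CA secret; the
  # chart does not generate its own certificates.
  existingCASecret: pomerium-tls
  generateTLS: false
  # Keep false: `insecure: true` would disable TLS between the
  # pomerium services.
  insecure: false
  # routes:
  #   - from: https://verify.dev.sw.io
  #     to: https://verify:80
  #     allowed_domains:
  #       - sw.com
  #       - sw.io

proxy:
  existingTLSSecret: pomerium-tls
  # service:
  #   type: LoadBalancer
  #

extraEnv:
  # Container env values must be strings; quoted so this is rendered
  # as "false" and never as a YAML boolean.
  AUTOCERT: "false"
  # LOG_LEVEL: debug
  # POMERIUM_DEBUG: true

databroker:
  existingTLSSecret: pomerium-tls
  storage:
    # connectionString: rediss://pomerium-redis-master.pomerium.svc.cluster.local
    # In-memory storage: state is lost on restart and not shared
    # between replicas. Switch to redis once the 500 on redirect is fixed.
    type: memory
    clientTLS:
      existingSecretName: pomerium-tls
      existingCASecretKey: ca.crt

authorize:
  existingTLSSecret: pomerium-tls

# Redis is disabled, so the auth settings below are inert. If it is
# re-enabled, turn auth/password back on rather than exposing an
# unauthenticated redis inside the cluster.
redis:
  enabled: false
  auth:
    enabled: false
    usePassword: false
  generateTLS: false
  tls:
    certificateSecret: pomerium-redis-tls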
I still get a 500 error when redirected from the authentication page when using redis, but we can use the in-memory storage type for now. Thanks!