Kubernetes - Ingress - Multiple IDP?


What happened?

Hey there,

I’ve gone through the Kubernetes Quickstart document and have been able to successfully setup Pomerium with an integration in place with Okta.

Everything seems to be working as I would expect it to, being able to filter by email/domain/group and so on.

Now, that settles the first use case I have, in the case there’s an application that needs to auth via one IDP (Okta) at:

The second use case though, is if I have another application running in the same k8s cluster that needs to auth via another IDP (such as Auth0) at:

Is there a way to put this in place? Considering the “global” pomerium resource setup in k8s points to a specific IDP? Would there be some sort of way to creating multiple ones? And have different ingress configs point to differing pomerium configs, depending on the idp that needs to be used, or something along those lines?

What did you expect to happen?

Would, for example, multiple pomerium pods be able to run different IDP configs? And each ingress using a pomerium class would need to specify which pomerium needs to be used…?

How’d it happen?

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): pomerium/ingress-controller:sha-5294279
  • Server Operating System/Architecture/Cloud: GKE 1.22

What’s your config.yaml?

N/A

I should note that I’ve also seen this open GH issue that seems to ask about this specific case also: authenticate: support multiple identity providers · Issue #1403 · pomerium/pomerium · GitHub

You need to deploy two instances of Pomerium into your cluster.

The following has to be changed compared to the vanilla installation. Assuming you name your installations e.g. one and two:

  1. Namespace: pomerium => pomerium-one
  2. Global settings: global => global-one
  3. Databases MUST be distinct.
  4. Controller name: pomerium.io/ingress-controller => pomerium.io/ingress-controller-one
  5. IngressClass: pomerium => pomerium-one
  6. Authenticate URLs should be distinct - i.e. https://authenticate-one.corp.com

You may use kustomize that is part of kubectl to create a variation of the installation: create a folder pomerium-one with the following two files:

kustomization.yaml

namespace: pomerium-one
bases:
  - https://raw.githubusercontent.com/pomerium/ingress-controller/main/deployment.yaml
patchesStrategicMerge:
  - deployment.yaml
patches:
  - target:
      kind: IngressClass
      name: pomerium
    patch: |-
      - op: replace
        path: /metadata/name
        value: pomerium-one
      - op: replace
        path: /spec/controller
        value: pomerium.io/ingress-controller-one

and deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
spec:
  template:
    spec:
      containers:
        - name: pomerium
          args:
            - all-in-one
            - --pomerium-config=pomerium-one
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
            - --name=pomerium.io/ingress-controller-one

From that directory, run kubectl apply -k . and it should deploy an installation for pomerium-one. Now repeat the same for pomerium-two, and create secrets and appropriate global configurations.

Now you may start assigning spec.ingressClass pomerium-one and pomerium-two to the Ingress objects to make them use different Pomerium installations (and identity providers).
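The procedure above is easy to get subtly wrong when repeated by hand for the second installation (one forgotten suffix and both controllers claim the same IngressClass). The script below is an added example, not part of the answer above or of the Pomerium project: it generates the per-installation overlay (kustomization.yaml and deployment.yaml with every instance-specific value suffixed with the installation name), an Ingress bound to that installation's IngressClass, and a check that two overlays do not share a namespace, IngressClass or controller name. The `__NAME__`/`__HOST__`/`__SVC__` placeholders, the output directory layout and the sample host names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): stamp out one kustomize overlay
# per Pomerium installation and an Ingress that selects it.
set -eu

# gen_overlay NAME OUTDIR: writes OUTDIR/kustomization.yaml and
# OUTDIR/deployment.yaml with namespace, IngressClass, controller name and
# --pomerium-config all suffixed with NAME (steps 1, 2, 4 and 5 of the answer).
gen_overlay() {
  name="$1"; out="$2"
  mkdir -p "$out"
  # Quoted heredocs keep $(POD_IP) and $(POMERIUM_NAMESPACE) literal so that
  # Kubernetes expands them at runtime instead of the shell executing them here.
  sed "s/__NAME__/$name/g" > "$out/kustomization.yaml" <<'EOF'
namespace: pomerium-__NAME__
bases:
  - https://raw.githubusercontent.com/pomerium/ingress-controller/main/deployment.yaml
patchesStrategicMerge:
  - deployment.yaml
patches:
  - target:
      kind: IngressClass
      name: pomerium
    patch: |-
      - op: replace
        path: /metadata/name
        value: pomerium-__NAME__
      - op: replace
        path: /spec/controller
        value: pomerium.io/ingress-controller-__NAME__
EOF
  sed "s/__NAME__/$name/g" > "$out/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
spec:
  template:
    spec:
      containers:
        - name: pomerium
          args:
            - all-in-one
            - --pomerium-config=pomerium-__NAME__
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
            - --name=pomerium.io/ingress-controller-__NAME__
EOF
}

# gen_ingress NAME HOST SERVICE OUTFILE: an Ingress whose ingressClassName is
# pomerium-NAME, so only that controller (and therefore that IDP) serves it.
gen_ingress() {
  name="$1"; host="$2"; svc="$3"; out="$4"
  sed -e "s/__NAME__/$name/g" -e "s/__HOST__/$host/g" -e "s/__SVC__/$svc/g" > "$out" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: __SVC__
spec:
  ingressClassName: pomerium-__NAME__
  rules:
    - host: __HOST__
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: __SVC__
                port:
                  number: 80
EOF
}

# check_distinct DIR_A DIR_B: returns 1 if the two overlays share a namespace,
# IngressClass name or controller name (a collision would make both
# controllers reconcile the same Ingress objects).
check_distinct() {
  a="$1"; b="$2"
  for key in 'namespace:' 'value: pomerium' 'value: pomerium.io'; do
    va=$(grep "$key" "$a/kustomization.yaml" | sort)
    vb=$(grep "$key" "$b/kustomization.yaml" | sort)
    [ "$va" != "$vb" ] || return 1
  done
}

# Usage with constructed names and hosts (not from the post):
#   gen_overlay one ./pomerium-one && gen_overlay two ./pomerium-two
#   gen_ingress one app-one.corp.example app-one ./ingress-one.yaml
#   check_distinct ./pomerium-one ./pomerium-two && kubectl apply -k ./pomerium-one
```

Secrets, the `global-one`/`global-two` Pomerium resources and distinct databases (steps 2, 3 and 6) are still created per installation as the answer describes; the script only covers the parts that are pure text substitution.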

Thank you for these very detailed instructions! This works out exactly as one would expect and each pomerium deployment is handling a different idp.