I’ve gone through the Kubernetes Quickstart document and have been able to successfully setup Pomerium with an integration in place with Okta.
Everything seems to be working as I would expect it to, being able to filter by email/domain/group and so on.
Now, that settles the first use case I have, in the case there’s an application that needs to auth via one IDP (Okta) at:
The second use case though, is if I have another application running in the same k8s cluster that needs to auth via another IDP (such as Auth0) at:
Is there a way to put this in place? Considering the “global” pomerium resource setup in k8s points to a specific IDP? Would there be some sort of way to creating multiple ones? And have different ingress configs point to differing pomerium configs, depending on the idp that needs to be used, or something along those lines?
What did you expect to happen?
Would, for example, multiple pomerium pods be able to run different IDP configs? And each ingress using a pomerium class would need to specify which pomerium needs to be used…?
How’d it happen?
What’s your environment like?
- Pomerium version (retrieve with pomerium --version): pomerium/ingress-controller:sha-5294279
- Server Operating System/Architecture/Cloud: GKE 1.22
What’s your config.yaml?
I should note that I’ve also seen this open GH issue that seems to ask about this specific case also: authenticate: support multiple identity providers · Issue #1403 · pomerium/pomerium · GitHub
You need to deploy two instances of Pomerium into your cluster.
The following has to be changed compared to the vanilla installation. Assuming you name your installations one and i.e.
- Global settings:
- Databases MUST be distinct.
- Controller name:
- Authenticate URLs should be distinct - i.e.
You may use kustomize that is part of kubectl to create a variation of the installation: create a folder pomerium-one with the following two files:
- op: replace
- op: replace
- name: pomerium
From that directory, run kubectl apply -k . and it should deploy an installation for pomerium-one. Now repeat the same for pomerium-two, and create secrets and appropriate global configurations.
Now you may start assigning pomerium-two to the Ingress objects to make them use different Pomerium installations (and identity providers).
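As an added illustration (not part of the original answer), one shape such a kustomize overlay for the second installation could take. It assumes ./upstream.yaml is a copy of the vanilla manifest containing a cluster-scoped Pomerium resource named global, an IngressClass named pomerium and a Deployment named pomerium; the field paths, the --name and --pomerium-config flags, the hostnames and the secret names are assumptions to check against the installed version.

```yaml
# Constructed kustomization.yaml for the pomerium-two overlay (not from the thread).
# Assumes ./upstream.yaml holds the vanilla manifest (Pomerium CR "global",
# IngressClass "pomerium", Deployment "pomerium"); the controller flags are assumed.
resources:
  - ./upstream.yaml
# Own namespace, so the two installations cannot share Secrets or Services.
namespace: pomerium-two
patches:
  # Settings object: distinct name, authenticate URL, IdP and database.
  - target:
      kind: Pomerium
      name: global
    patch: |-
      - op: replace
        path: /metadata/name
        value: global-two
      - op: replace
        path: /spec/authenticate/url
        value: https://authenticate-two.example.com
      - op: replace
        path: /spec/identityProvider/provider
        value: auth0
      - op: replace
        path: /spec/identityProvider/secret
        value: pomerium-two/idp
      - op: replace
        path: /spec/storage/postgres/secret
        value: pomerium-two/postgres   # MUST differ from pomerium-one's database
  # Distinct IngressClass so each Ingress can select an installation.
  - target:
      kind: IngressClass
      name: pomerium
    patch: |-
      - op: replace
        path: /metadata/name
        value: pomerium-two
      - op: replace
        path: /spec/controller
        value: pomerium.io/ingress-controller-two
  # Point this controller at its own settings object and controller string
  # (assumed flag names; verify with the controller's --help).
  - target:
      kind: Deployment
      name: pomerium
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --name=pomerium.io/ingress-controller-two
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --pomerium-config=global-two
```

An Ingress then selects this installation with ingressClassName: pomerium-two, while Ingresses left on the pomerium class keep using the first installation and its IdP.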
Thank you for these very detailed instructions! This works out exactly as one would expect and each pomerium deployment is handling a different idp.