Pomerium is not working

What happened?

I installed Pomerium following these steps:

  1. I deployed this https://raw.githubusercontent.com/pomerium/ingress-controller/main/deployment.yaml
  2. I created idp-secret
  3. I created global pomerium

```yaml
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
  namespace: sys-security
spec:
  secrets: sys-security/bootstrap
  authenticate:
    url: https://auth-pre.example.team
  identityProvider:
    provider: google
    secret: sys-security/idp
  certificates:
    - sys-security/pomerium-proxy-tls
```

  4. I created Cert-manager Issuer:

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: sys-security
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: myemail@gmail.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: pomerium
```

  5. I created the Certificate:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pomerium-proxy-tls
  namespace: sys-security
spec:
  secretName: pomerium-proxy-tls
  issuerRef:
    name: letsencrypt-staging
    kind: Issuer
    group: cert-manager.io
  commonName: "*.example.team"
  dnsNames:
    - "example.team"
    - "*.example.team"
    - "auth-pre.example.team"
  duration: 2160h
  renewBefore: 1440h
```

What did you expect to happen?

Pomerium should now be installed and running in my cluster, which I verify by going to https://auth-pre.example.team in my browser.

What’s your environment like?

  • pomerium/ingress-controller:main
  • Kubernetes: 1.21.14-gke.14100

What’s your config.yaml?

```yaml
address: ":80"
grpc_address: ":80"
grpc_insecure: true
insecure_server: true
authenticate_service_url: https://auth-pre.example.team

idp_provider: 'google'
idp_client_id: '********'
idp_client_secret: '******'
```

What did you see in the logs?

```text
{Pomerium: {…}, controller: bootstrap pod/pomerium-78c886b45f-khcvj, controllerGroup: ingress.pomerium.io, controllerKind: Pomerium,
error: certs: get sys-security/pomerium-proxy-tls: Secret "pomerium-proxy-tls" not found, level: error, msg: config rejected, name: global...
```

Additional context

I created a configmap based on config.yaml and then I mounted it in Pomerium’s Deployment.

You cannot issue Let's Encrypt wildcard certificates using an HTTP01 issuer. You must use a DNS challenge instead.

Next, you created a recursive problem: Pomerium will not start if the global configuration is invalid. In your case, the referenced certificates are not available.

If you want to use HTTP01 challenge:

  • omit the certificates key in the global config
  • make sure Pomerium starts
  • use annotations on individual Ingress objects with the HTTP01 challenge issuer, so that cert-manager and Pomerium cooperate and issue individual certificates per host. See the following guide: Ingress Configuration | Pomerium (TLS Certificates > cert-manager integration)
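As an added example that is not part of the original thread, here is the layout the reply describes: the global Pomerium object with the `certificates` key removed (so the controller no longer rejects the config over a Secret that does not exist yet), and one Ingress per concrete hostname carrying the cert-manager issuer annotation so the HTTP01 challenge is solved through the `pomerium` IngressClass. The Issuer name and namespace come from the issue; the app hostname `app-pre.example.team`, the backend Service name `app`, the Ingress name and the Pomerium access-policy annotation are assumptions for illustration.

```yaml
# Added example, not from the original thread. Names marked "assumed" are placeholders.

# 1. Global Pomerium config WITHOUT the `certificates` key. The controller can
#    now accept the config and start, instead of failing on a missing Secret.
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
  namespace: sys-security          # from the issue
spec:
  secrets: sys-security/bootstrap
  authenticate:
    url: https://auth-pre.example.team
  identityProvider:
    provider: google
    secret: sys-security/idp
---
# 2. One Ingress per host. cert-manager reads the issuer annotation, answers the
#    HTTP01 challenge via the pomerium IngressClass, and writes the certificate
#    into spec.tls[].secretName, which Pomerium then serves for that host.
#    Only concrete hostnames here: HTTP01 cannot validate a wildcard.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-pre                    # assumed
  namespace: sys-security
  annotations:
    cert-manager.io/issuer: letsencrypt-staging   # the Issuer from the issue
    # Pomerium access policy for this route (assumed example value)
    ingress.pomerium.io/allow_any_authenticated_user: "true"
spec:
  ingressClassName: pomerium
  tls:
    - hosts:
        - app-pre.example.team     # assumed hostname
      secretName: app-pre-example-team-tls   # created and renewed by cert-manager
  rules:
    - host: app-pre.example.team
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app          # assumed backend Service
                port:
                  number: 80
```

Apply the Pomerium object first and confirm the pod is running before creating the Ingress; cert-manager creates the `Certificate` and its Secret from the annotation, so nothing in the global config has to reference a Secret ahead of time. A wildcard such as `*.example.team` still requires a DNS01 solver on the Issuer, as the reply states.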