{{- if or (and .Values.ingress.enabled (not .Values.ingressController.enabled)) (and .Values.ingressController.enabled .Values.ingressController.config.operatorMode) -}} {{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} {{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} {{- $ingressPathType := .Values.ingress.pathType -}} apiVersion: {{ include "ingress.apiVersion" . }} kind: Ingress metadata: name: {{ include "pomerium.fullname" . }} labels: app.kubernetes.io/name: {{ include "pomerium.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} helm.sh/chart: {{ include "pomerium.chart" . }} {{- with .Values.ingress.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} spec: {{- if .Values.ingress.className }} {{- if not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) -}} {{- fail "Kubernetes version >=1.18 required to use className!" -}} {{- end }} ingressClassName: {{ .Values.ingress.className }} {{- end }} {{ if (or .Values.ingress.secret.name .Values.ingress.secretName) }} tls: - secretName: {{ default .Values.ingress.secret.name .Values.ingress.secretName }} hosts: {{ include "pomerium.ingress.tls.hosts" . | indent 8 }} {{- end }} rules: {{- range .Values.ingress.hosts }} - host: {{ . | quote }} http: paths: - backend: {{- if $ingressApiIsStable }} service: name: {{ template "pomerium.proxy.fullname" $ }} port: name: {{ template "pomerium.httpTrafficPort.name" $ }} {{- else }} serviceName: {{ template "pomerium.proxy.fullname" $ }} servicePort: {{ template "pomerium.httpTrafficPort.name" $ }} {{- end }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} {{- end }} {{- end }} {{- if not (or .Values.ingress.hosts .Values.forwardAuth.enabled) }} {{- range .Values.config.routes }} {{- if hasPrefix "http" .from }} - host: {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }} http: paths: - backend: {{- if $ingressApiIsStable }} service: name: {{ template "pomerium.proxy.fullname" $ }} port: name: {{ template "pomerium.httpTrafficPort.name" $ }} {{- else }} serviceName: {{ template "pomerium.proxy.fullname" $ }} servicePort: {{ template "pomerium.httpTrafficPort.name" $ }} {{- end }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} {{- end }} {{- end }} {{- end }} {{- end }} {{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal)}} - host: {{ template "pomerium.forwardAuth.name" . }} http: paths: - backend: {{- if $ingressApiIsStable }} service: name: {{ template "pomerium.proxy.fullname" $ }} port: name: {{ template "pomerium.httpTrafficPort.name" $ }} {{- else }} serviceName: {{ template "pomerium.proxy.fullname" $ }} servicePort: {{ template "pomerium.httpTrafficPort.name" $ }} {{- end }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} {{- end }} {{- end }} {{- if ne .Values.authorize.service.clusterIP "None" }} - host: {{ printf "authorize.%s" .Values.config.rootDomain }} http: paths: - backend: {{- if $ingressApiIsStable }} service: name: {{ template "pomerium.authorize.fullname" $ }} port: name: {{ template "pomerium.httpTrafficPort.name" $ }} {{- else }} serviceName: {{ template "pomerium.authorize.fullname" $ }} servicePort: {{ template "pomerium.httpTrafficPort.name" $ }} {{- end }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} {{- end }} {{- end }} - host: {{ template "pomerium.authenticate.hostname" . }} http: paths: - backend: {{- if $ingressApiIsStable }} service: name: {{ template "pomerium.authenticate.fullname" $ }} port: name: {{ template "pomerium.httpTrafficPort.name" $ }} {{- else }} serviceName: {{ template "pomerium.authenticate.fullname" $ }} servicePort: {{ template "pomerium.httpTrafficPort.name" $ }} {{- end }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} {{- end }} {{- end }}