ingress-controller
Support enable_google_cloud_serverless_authentication in Ingress annotation
Is your feature request related to a problem? Please describe.
Pomerium perfectly supports serverless backends in the standalone setup (docker). For some reason the option enable_google_cloud_serverless_authentication is not allowed in the Ingress controller specification. This limits the ability to use a Pomerium gateway operated in a Kubernetes cluster to serve serverless backends. The unique value proposition of the gateway, supporting serverless backends, is therefore not realized because of this limitation.
Describe the solution you'd like
I'd like to be able to enable passing the serverless JWT token over to configured destinations, like I can in the standalone Pomerium:
ingress.pomerium.io/enable_google_cloud_serverless_authentication: 'true'
This can be realized by allowing the annotation ingress.pomerium.io/enable_google_cloud_serverless_authentication
in the Ingress context:
apiVersion: v1
kind: Service
metadata:
  name: verify
  namespace: prod
spec:
  type: ExternalName
  externalName: verify-jigroeji-eq.run.app
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: verify
  annotations:
    ingress.pomerium.io/pass_identity_headers: 'true'
    ingress.pomerium.io/enable_google_cloud_serverless_authentication: 'true'
spec:
  ingressClassName: pomerium
  rules:
    - host: 'verify.localhost.pomerium.io'
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: verify
                port:
                  number: 443
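As an added example (not code from the issue or from the Pomerium project), a small audit that walks Service and Ingress objects and reports every Pomerium Ingress path whose backend is an ExternalName Service pointing at a Google serverless host while the proposed annotation is absent or not 'true', since such a backend must then accept unauthenticated calls. The sample objects, the legacy.localhost.pomerium.io host, the verify-legacy Ingress and the .cloudfunctions.net suffix are assumptions; the annotation key is the one proposed above.

```python
ANNOTATION = "ingress.pomerium.io/enable_google_cloud_serverless_authentication"
SERVERLESS_SUFFIXES = (".run.app", ".cloudfunctions.net")  # hosts that expect a Google ID token
def _truthy(value):
    return str(value).strip().lower() in ("true", "1", "yes")  # annotation values are strings

def serverless_backends(services):
    """Map (namespace, name) -> hostname for ExternalName Services pointing at a
    Google serverless endpoint; ClusterIP and other Service types are ignored."""
    out = {}
    for svc in services:
        spec = svc.get("spec", {})
        host = spec.get("externalName", "")
        if spec.get("type") == "ExternalName" and host.endswith(SERVERLESS_SUFFIXES):
            out[(svc["metadata"].get("namespace", "default"), svc["metadata"]["name"])] = host
    return out

def audit(services, ingresses):
    """One finding per Ingress path whose backend is a serverless ExternalName Service
    while the annotation is absent or not true, i.e. the proxy would forward the
    request without a Google ID token and the backend must allow unauthenticated calls."""
    targets = serverless_backends(services)
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        ns = meta.get("namespace", "default")
        enabled = _truthy(meta.get("annotations", {}).get(ANNOTATION, "false"))
        for rule in ing.get("spec", {}).get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                name = p["backend"]["service"]["name"]
                host = targets.get((ns, name))
                if host and not enabled:
                    findings.append(f"{ns}/{meta['name']}: {rule.get('host', '*')}{p.get('path', '/')}"
                                    f" -> {name} ({host}) lacks {ANNOTATION}=true")
    return findings

# Constructed sample objects (not from a real cluster), mirroring the issue's manifests.
SERVICES = [
    {"metadata": {"name": "verify", "namespace": "prod"},
     "spec": {"type": "ExternalName", "externalName": "verify-jigroeji-eq.run.app"}},
    {"metadata": {"name": "db-admin", "namespace": "prod"}, "spec": {"type": "ClusterIP"}},
]
INGRESSES = [
    {"metadata": {"name": "verify", "namespace": "prod", "annotations": {ANNOTATION: "true"}},
     "spec": {"rules": [{"host": "verify.localhost.pomerium.io",
                         "http": {"paths": [{"path": "/", "backend": {"service": {"name": "verify"}}}]}}]}},
    {"metadata": {"name": "verify-legacy", "namespace": "prod"},  # annotation missing (assumed object)
     "spec": {"rules": [{"host": "legacy.localhost.pomerium.io",
                         "http": {"paths": [{"path": "/", "backend": {"service": {"name": "verify"}}}]}}]}},
]
print(*audit(SERVICES, INGRESSES), sep="\n")
```

Running it prints the single finding for verify-legacy; the annotated verify Ingress and the ClusterIP db-admin Service produce none.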
Describe alternatives you've considered
Re-implementing an Envoy custom path filter, which injects the serverless Bearer token, in conjunction with other products like Istio.
Explain any additional use-cases
Passing over the Google JWT Bearer token enables a wide set of hybrid backend scenarios / microservice architectures with strong RBAC backend authentication/authorization. Not supporting authenticated backend calls forces leaving them unprotected, leading to a worse security profile.
Related to this.