crd: add runtimeFlags (#1010)

apis/ingress/v1/pomerium_types.go

@@ -186,16 +186,16 @@ type Cookie struct {
 
 // PomeriumSpec defines Pomerium-specific configuration parameters.
 type PomeriumSpec struct {
+	// AccessLogFields sets the <a href="https://www.pomerium.com/docs/reference/access-log-fields">access fields</a> to log.
+	AccessLogFields *[]string `json:"accessLogFields,omitempty"`
+
 	// Authenticate sets authenticate service parameters.
 	// If not specified, a Pomerium-hosted authenticate service would be used.
 	// +kubebuilder:validation:Optional
 	Authenticate *Authenticate `json:"authenticate"`
 
-	// IdentityProvider configure single-sign-on authentication and user identity details
-	// by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
-	//
-	// +kubebuilder:validation:Optional
-	IdentityProvider *IdentityProvider `json:"identityProvider"`
+	// AuthorizeLogFields sets the <a href="https://www.pomerium.com/docs/reference/authorize-log-fields">authorize fields</a> to log.
+	AuthorizeLogFields *[]string `json:"authorizeLogFields,omitempty"`
 
 	// Certificates is a list of secrets of type TLS to use
 	// +kubebuilder:validation:Format="namespace/name"
@@ -206,6 +206,35 @@ type PomeriumSpec struct {
 	// +optional
 	CASecrets []string `json:"caSecrets"`
 
+	// Cookie defines Pomerium session cookie options.
+	// +optional
+	Cookie *Cookie `json:"cookie,omitempty"`
+
+	// IdentityProvider configure single-sign-on authentication and user identity details
+	// by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
+	//
+	// +kubebuilder:validation:Optional
+	IdentityProvider *IdentityProvider `json:"identityProvider"`
+
+	// JWTClaimHeaders convert claims from the assertion token
+	// into HTTP headers and adds them into JWT assertion header.
+	// Please make sure to read
+	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">
+	// Getting User Identity</a> guide.
+	//
+	// +optional
+	JWTClaimHeaders map[string]string `json:"jwtClaimHeaders,omitempty"`
+
+	// PassIdentityHeaders sets the <a href="https://www.pomerium.com/docs/reference/pass-identity-headers">pass identity headers</a> option.
+	PassIdentityHeaders *bool `json:"passIdentityHeaders,omitempty"`
+
+	// ProgrammaticRedirectDomains specifies a list of domains that can be used for
+	// <a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
+	ProgrammaticRedirectDomains []string `json:"programmaticRedirectDomains,omitempty"`
+
+	// RuntimeFlags sets the <a href="https://www.pomerium.com/docs/reference/runtime-flags">runtime flags</a> to enable/disable certain features.
+	RuntimeFlags map[string]bool `json:"runtimeFlags,omitempty"`
+
 	// Secrets references a Secret with Pomerium bootstrap parameters.
 	//
 	// <p>
@@ -237,49 +266,23 @@ type PomeriumSpec struct {
 	// +kubebuilder:validation:Format="namespace/name"
 	Secrets string `json:"secrets"`
 
+	// SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service.
+	// +optional
+	// See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>
+	SetResponseHeaders map[string]string `json:"setResponseHeaders,omitempty"`
+
 	// Storage defines persistent storage for sessions and other data.
 	// See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details.
 	// If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
 	//
 	// +kubebuilder:validation:Optional
 	Storage *Storage `json:"storage,omitempty"`
 
-	// Cookie defines Pomerium session cookie options.
-	// +optional
-	Cookie *Cookie `json:"cookie,omitempty"`
-
-	// JWTClaimHeaders convert claims from the assertion token
-	// into HTTP headers and adds them into JWT assertion header.
-	// Please make sure to read
-	// <a href="https://www.pomerium.com/docs/topics/getting-users-identity">
-	// Getting User Identity</a> guide.
-	//
-	// +optional
-	JWTClaimHeaders map[string]string `json:"jwtClaimHeaders,omitempty"`
-
-	// SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service.
-	// +optional
-	// See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>
-	SetResponseHeaders map[string]string `json:"setResponseHeaders,omitempty"`
-
-	// ProgrammaticRedirectDomains specifies a list of domains that can be used for
-	// <a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
-	ProgrammaticRedirectDomains []string `json:"programmaticRedirectDomains,omitempty"`
-
 	// Timeout specifies the <a href="https://www.pomerium.com/docs/reference/global-timeouts">global timeouts</a> for all routes.
 	Timeouts *Timeouts `json:"timeouts,omitempty"`
 
 	// UseProxyProtocol enables <a href="https://www.pomerium.com/docs/reference/use-proxy-protocol">Proxy Protocol</a> support.
 	UseProxyProtocol *bool `json:"useProxyProtocol,omitempty"`
-
-	// AccessLogFields sets the <a href="https://www.pomerium.com/docs/reference/access-log-fields">access fields</a> to log.
-	AccessLogFields *[]string `json:"accessLogFields,omitempty"`
-
-	// AuthorizeLogFields sets the <a href="https://www.pomerium.com/docs/reference/authorize-log-fields">authorize fields</a> to log.
-	AuthorizeLogFields *[]string `json:"authorizeLogFields,omitempty"`
-
-	// PassIdentityHeaders sets the <a href="https://www.pomerium.com/docs/reference/pass-identity-headers">pass identity headers</a> option.
-	PassIdentityHeaders *bool `json:"passIdentityHeaders,omitempty"`
 }
 
 // Timeouts allows to configure global timeouts for all routes.

config/crd/bases/ingress.pomerium.io_pomerium.yaml

@@ -234,6 +234,12 @@ spec:
                 items:
                   type: string
                 type: array
+              runtimeFlags:
+                additionalProperties:
+                  type: boolean
+                description: RuntimeFlags sets the <a href="https://www.pomerium.com/docs/reference/runtime-flags">runtime
+                  flags</a> to enable/disable certain features.
+                type: object
               secrets:
                 description: "Secrets references a Secret with Pomerium bootstrap
                   parameters.\n\n\n<p>\n<ul>\n\t<li><a href=\"https://pomerium.com/docs/reference/shared-secret\"><code>shared_secret</code></a>\n\t\t-

deployment.yaml

@@ -242,6 +242,12 @@ spec:
                 items:
                   type: string
                 type: array
+              runtimeFlags:
+                additionalProperties:
+                  type: boolean
+                description: RuntimeFlags sets the <a href="https://www.pomerium.com/docs/reference/runtime-flags">runtime
+                  flags</a> to enable/disable certain features.
+                type: object
               secrets:
                 description: "Secrets references a Secret with Pomerium bootstrap
                   parameters.\n\n\n<p>\n<ul>\n\t<li><a href=\"https://pomerium.com/docs/reference/shared-secret\"><code>shared_secret</code></a>\n\t\t-

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/iancoleman/strcase v0.3.0
 	github.com/martinlindhe/base36 v1.1.1
 	github.com/open-policy-agent/opa v0.64.1
+	github.com/pomerium/csrf v1.7.0
 	github.com/pomerium/pomerium v0.26.1
 	github.com/rs/zerolog v1.32.0
 	github.com/sergi/go-diff v1.3.1
@@ -154,7 +155,6 @@ require (
 	github.com/philhofer/fwd v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/pomerium/csrf v1.7.0 // indirect
 	github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 // indirect
 	github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect

pomerium/ctrl/bootstrap.go

@@ -29,6 +29,7 @@ func Apply(ctx context.Context, dst *config.Options, src *model.Config) error {
 		{"authenticate", applyAuthenticate},
 		{"secrets", applySecrets},
 		{"storage", applyStorage},
+		{"runtime flags", applyRuntimeFlags},
 	} {
 		if err := apply.fn(ctx, dst, src); err != nil {
 			return fmt.Errorf("%s: %w", apply.name, err)
@@ -66,6 +67,16 @@ func applyAuthenticate(_ context.Context, dst *config.Options, src *model.Config
 	return nil
 }
 
+func applyRuntimeFlags(_ context.Context, dst *config.Options, src *model.Config) error {
+	dst.RuntimeFlags = config.DefaultRuntimeFlags()
+
+	for k, v := range src.Spec.RuntimeFlags {
+		dst.RuntimeFlags[config.RuntimeFlag(k)] = v
+	}
+
+	return nil
+}
+
 func applyStorage(ctx context.Context, dst *config.Options, src *model.Config) error {
 	if err := storageFiles.DeleteFiles(); err != nil {
 		log.FromContext(ctx).V(1).Error(err, "failed to delete existing files")