apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  labels:
    app.kubernetes.io/name: pomerium
  name: policyfilters.gateway.pomerium.io
spec:
  group: gateway.pomerium.io
  names:
    kind: PolicyFilter
    listKind: PolicyFilterList
    plural: policyfilters
    singular: policyfilter
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          PolicyFilter represents a Pomerium policy that can be attached to a
          particular route defined via the Kubernetes Gateway API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Spec defines the content of the policy.
            properties:
              ppl:
                description: |-
                  Policy rules in Pomerium Policy Language (PPL) syntax.
                  May be expressed in either YAML or JSON format.
                type: string
            type: object
          status:
            description: Status contains the status of the policy (e.g. is the policy valid).
            properties:
              conditions:
                description: Conditions describe the current state of the PolicyFilter.
                items:
                  description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions.  For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t \ // other fields\n\t}"
                  properties:
                    lastTransitionTime:
                      description: |-
                        lastTransitionTime is the last time the condition transitioned from one status to another.
                        This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
                      format: date-time
                      type: string
                    message:
                      description: |-
                        message is a human readable message indicating details about the transition.
                        This may be an empty string.
                      maxLength: 32768
                      type: string
                    observedGeneration:
                      description: |-
                        observedGeneration represents the .metadata.generation that the condition was set based upon.
                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
                        with respect to the current state of the instance.
                      format: int64
                      minimum: 0
                      type: integer
                    reason:
                      description: |-
                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
                        Producers of specific condition types may define expected values and meanings for this field,
                        and whether the values are considered a guaranteed API.
                        The value should be a CamelCase string.
                        This field may not be empty.
                      maxLength: 1024
                      minLength: 1
                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
                      type: string
                    status:
                      description: status of the condition, one of True, False, Unknown.
                      enum:
                      - "True"
                      - "False"
                      - Unknown
                      type: string
                    type:
                      description: |-
                        type of condition in CamelCase or in foo.example.com/CamelCase.
                        ---
                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
                        useful (see .node.status.conditions), the ability to deconflict is important.
                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
                      maxLength: 316
                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                      type: string
                  required:
                  - lastTransitionTime
                  - message
                  - reason
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.18.0
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium.ingress.pomerium.io
spec:
  group: ingress.pomerium.io
  names:
    kind: Pomerium
    listKind: PomeriumList
    plural: pomerium
    singular: pomerium
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: |-
          Pomerium define runtime-configurable Pomerium settings
          that do not fall into the category of deployment parameters
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: PomeriumSpec defines Pomerium-specific configuration parameters.
            properties:
              accessLogFields:
                description: AccessLogFields sets the access fields to log.
                items:
                  type: string
                type: array
              authenticate:
                description: |-
                  Authenticate sets authenticate service parameters.
                  If not specified, a Pomerium-hosted authenticate service would be used.
                properties:
                  url:
                    description: |-
                      AuthenticateURL is a dedicated domain URL
                      the non-authenticated persons would be referred to.
                    format: uri
                    pattern: ^https://
                    type: string
                required:
                - url
                type: object
              authorizeLogFields:
                description: AuthorizeLogFields sets the authorize fields to log.
                items:
                  type: string
                type: array
              bearerTokenFormat:
                description: BearerTokenFormat sets the Bearer Token Format.
                enum:
                - default
                - idp_access_token
                - idp_identity_token
                type: string
              caSecrets:
                description: CASecret should refer to k8s secrets with key ca.crt containing a CA certificate.
                items:
                  type: string
                type: array
              certificates:
                description: Certificates is a list of secrets of type TLS to use
                format: namespace/name
                items:
                  type: string
                type: array
              circuitBreakerThresholds:
                description: CircuitBreakerThresholds sets the circuit breaker thresholds settings.
                properties:
                  maxConnectionPools:
                    description: |-
                      MaxConnectionPools sets the maximum number of connection pools per cluster that Envoy will concurrently support at once.
                      If not specified, the default is unlimited. Set this for clusters which create a large number of connection pools.
                    format: int32
                    type: integer
                  maxConnections:
                    description: |-
                      MaxConnections sets the maximum number of connections that Envoy will make to the upstream cluster.
                      If not specified, the default is 1024.
                    format: int32
                    type: integer
                  maxPendingRequests:
                    description: |-
                      MaxPendingRequests sets the maximum number of pending requests that Envoy will allow to the upstream cluster.
                      If not specified, the default is 1024.
                      This limit is applied as a connection limit for non-HTTP traffic.
                    format: int32
                    type: integer
                  maxRequests:
                    description: |-
                      MaxRequests sets the maximum number of parallel requests that Envoy will make to the upstream cluster.
                      If not specified, the default is 1024.
                      This limit does not apply to non-HTTP traffic.
                    format: int32
                    type: integer
                  maxRetries:
                    description: |-
                      MaxRetries sets the maximum number of parallel retries that Envoy will allow to the upstream cluster.
                      If not specified, the default is 3.
                    format: int32
                    type: integer
                type: object
              codecType:
                description: CodecType sets the Codec Type.
                enum:
                - auto
                - http1
                - http2
                - http3
                type: string
              cookie:
                description: Cookie defines Pomerium session cookie options.
                properties:
                  domain:
                    description: |-
                      Domain defaults to the same host that set the cookie.
                      If you specify the domain explicitly, then subdomains would also be included.
                    type: string
                  expire:
                    description: |-
                      Expire sets cookie and Pomerium session expiration time.
                      Once session expires, users would have to re-login.
                      If you change this parameter, existing sessions are not affected.

                      See Session Management (Enterprise) for a more fine-grained session controls.

                      Defaults to 14 hours.
                    format: duration
                    type: string
                  httpOnly:
                    description: |-
                      HTTPOnly if set to false, the cookie would be accessible from within the JavaScript.
                      Defaults to true.
                    type: boolean
                  name:
                    description: |-
                      Name sets the Pomerium session cookie name.
                      Defaults to _pomerium
                    type: string
                  sameSite:
                    description: |-
                      SameSite sets the SameSite option for cookies.
                      Defaults to .
                    enum:
                    - strict
                    - lax
                    - none
                    type: string
                type: object
              dataBroker:
                description: DataBroker sets the databroker settings.
                properties:
                  clusterLeaderId:
                    description: ClusterLeaderID defines the cluster leader in a clustered databroker.
                    type: string
                type: object
              dns:
                description: DNS sets the dns settings.
                properties:
                  failureRefreshRate:
                    description: FailureRefreshRate is the rate at which DNS lookups are refreshed when requests are failing.
                    format: duration
                    type: string
                  lookupFamily:
                    description: LookupFamily is the DNS IP address resolution policy.
                    enum:
                    - auto
                    - v4_only
                    - v6_only
                    - v4_preferred
                    - all
                    type: string
                  queryTimeout:
                    description: QueryTimeout is the amount of time each name server is given to respond to a query on the first try of any given server.
                    format: duration
                    type: string
                  queryTries:
                    description: QueryTries is the maximum number of query attempts the resolver will make before giving up. Each attempt may use a different name server.
                    format: int32
                    type: integer
                  refreshRate:
                    description: RefreshRate is the rate at which DNS lookups are refreshed.
                    format: duration
                    type: string
                  udpMaxQueries:
                    description: UDPMaxQueries caps the number of UDP based DNS queries on a single port.
                    format: int32
                    type: integer
                  useTcp:
                    description: UseTCP uses TCP for all DNS queries instead of the default protocol UDP.
                    type: boolean
                type: object
              downstreamMtls:
                description: DownstreamMTLS sets the Downstream MTLS Settings.
                properties:
                  ca:
                    description: CA is a bundle of PEM-encoded X.509 certificates that will be treated as trust anchors when verifying client certificates.
                    format: byte
                    type: string
                  crl:
                    description: CRL is a bundle of PEM-encoded certificate revocation lists to be consulted during certificate validation.
                    format: byte
                    type: string
                  enforcement:
                    description: Enforcement controls Pomerium's behavior when a client does not present a trusted client certificate.
                    enum:
                    - policy_with_default_deny
                    - policy
                    - reject_connection
                    type: string
                  matchSubjectAltNames:
                    description: Match Subject Alt Names can be used to add an additional constraint when validating client certificates.
                    properties:
                      dns:
                        type: string
                      email:
                        type: string
                      ipAddress:
                        type: string
                      uri:
                        type: string
                      userPrincipalName:
                        type: string
                    type: object
                  maxVerifyDepth:
                    description: MaxVerifyDepth sets a limit on the depth of a certificate chain presented by the client.
                    format: int32
                    type: integer
                type: object
              identityProvider:
                description: |-
                  IdentityProvider configure single-sign-on authentication and user identity details
                  by integrating with your Identity Provider
                properties:
                  provider:
                    description: |-
                      Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication.
                      To use a generic provider, set to oidc.
                    enum:
                    - auth0
                    - azure
                    - github
                    - gitlab
                    - google
                    - oidc
                    - okta
                    - onelogin
                    - ping
                    type: string
                  refreshDirectory:
                    description: |-
                      RefreshDirectory is no longer supported,
                      please see Upgrade Guide.
                    properties:
                      interval:
                        description: interval is the time that pomerium will sync your IDP directory.
                        format: duration
                        type: string
                      timeout:
                        description: timeout is the maximum time allowed each run.
                        format: duration
                        type: string
                    required:
                    - interval
                    - timeout
                    type: object
                  requestParams:
                    additionalProperties:
                      type: string
                    description: RequestParams to be added as part of a sign-in request using OAuth2 code flow.
                    format: namespace/name
                    type: object
                  requestParamsSecret:
                    description: RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.
                    format: namespace/name
                    type: string
                  scopes:
                    description: |-
                      Scopes Identity provider scopes correspond to access privilege scopes
                      as defined in Section 3.3 of OAuth 2.0 RFC6749.
                    items:
                      type: string
                    type: array
                  secret:
                    description: |-
                      Secret containing IdP provider specific parameters.
                      and must contain at least client_id and client_secret values.
                    format: namespace/name
                    minLength: 1
                    type: string
                  serviceAccountFromSecret:
                    description: |-
                      ServiceAccountFromSecret is no longer supported,
                      see Upgrade Guide.
                    type: string
                  url:
                    description: |-
                      URL is the base path to an identity provider's OpenID connect discovery document.
                      See Identity Providers guides for details.
                    format: uri
                    pattern: ^https://
                    type: string
                required:
                - provider
                - secret
                type: object
              idpAccessTokenAllowedAudiences:
                description: |-
                  IDPAccessTokenAllowedAudiences specifies the idp access token allowed audiences list.
                items:
                  type: string
                type: array
              jwtClaimHeaders:
                additionalProperties:
                  type: string
                description: |-
                  JWTClaimHeaders convert claims from the assertion token
                  into HTTP headers and adds them into JWT assertion header.
                  Please make sure to read Getting User Identity guide.
                type: object
              mcpAllowedClientIdDomains:
                description: |-
                  MCPAllowedClientIDDomains specifies the allowed domains for MCP client ID metadata URLs.
                  This is required when MCP is enabled. See MCP Settings.
                items:
                  type: string
                type: array
              otel:
                description: OTEL sets the OpenTelemetry Tracing.
                properties:
                  bspMaxExportBatchSize:
                    description: BSPMaxExportBatchSize sets the maximum number of spans to export in a single batch
                    format: int32
                    type: integer
                  bspScheduleDelay:
                    description: BSPScheduleDelay sets interval between two consecutive exports
                    format: duration
                    type: string
                  endpoint:
                    description: 'An OTLP/gRPC or OTLP/HTTP base endpoint URL with optional port. Example: `http://localhost:4318`'
                    type: string
                  headers:
                    additionalProperties:
                      type: string
                    description: Extra headers
                    type: object
                  logLevel:
                    description: LogLevel sets the log level for the OpenTelemetry SDK.
                    enum:
                    - trace
                    - debug
                    - info
                    - warn
                    - error
                    type: string
                  protocol:
                    description: Valid values are `"grpc"` or `"http/protobuf"`.
                    enum:
                    - grpc
                    - http/protobuf
                    type: string
                  resourceAttributes:
                    additionalProperties:
                      type: string
                    description: ResourceAttributes sets the additional attributes to be added to the trace.
                    type: object
                  sampling:
                    description: Sampling sets sampling probability between [0, 1].
                    format: number
                    type: string
                  timeout:
                    description: Export request timeout duration
                    format: duration
                    type: string
                required:
                - endpoint
                - protocol
                type: object
              passIdentityHeaders:
                description: PassIdentityHeaders sets the pass identity headers option.
                type: boolean
              programmaticRedirectDomains:
                description: |-
                  ProgrammaticRedirectDomains specifies a list of domains that can be used for programmatic redirects.
                items:
                  type: string
                type: array
              runtimeFlags:
                additionalProperties:
                  type: boolean
                description: RuntimeFlags sets the runtime flags to enable/disable certain features.
                type: object
              secrets:
                description: |-
                  Secrets references a Secret with Pomerium bootstrap parameters.

                  In a default Pomerium installation manifest, they would be generated via a
                  one-time job
                  and stored in a pomerium/bootstrap Secret.
                  You may re-run the job to rotate the secrets, or update the Secret values manually.

                  When defining the Secret in a manifest, put raw values in stringData so
                  Kubernetes base64-encodes them. Use data only when values are already
                  base64-encoded.

                  Example: stringData.shared_secret and stringData.cookie_secret are
                  raw strings, while data.signing_key is base64-encoded.
                format: namespace/name
                minLength: 1
                type: string
              setResponseHeaders:
                additionalProperties:
                  type: string
                description: |-
                  SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service.
                  See Set Response Headers
                type: object
              ssh:
                description: SSH sets the ssh settings.
                properties:
                  hostKeySecrets:
                    items:
                      type: string
                    type: array
                  userCaKeySecret:
                    type: string
                type: object
              storage:
                description: |-
                  Storage defines persistent storage for sessions and other data. See Storage for details.
                  If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
                properties:
                  file:
                    description: File specifies file storage options.
                    properties:
                      path:
                        description: Path defines the local file system path to store data.
                        minLength: 1
                        type: string
                    required:
                    - path
                    type: object
                  postgres:
                    description: Postgres specifies PostgreSQL database connection parameters
                    properties:
                      caSecret:
                        description: |-
                          CASecret should refer to a k8s secret with key ca.crt containing CA certificate
                          that, if specified, would be used to populate sslrootcert parameter of the connection string.
                        format: namespace/name
                        minLength: 1
                        type: string
                      secret:
                        description: |-
                          Secret specifies a name of a Secret that must contain connection key.
                          See DSN Format and Parameters.
                          Do not set sslrootcert, sslcert and sslkey via connection string,
                          use tlsSecret and caSecret CRD options instead.
                        format: namespace/name
                        minLength: 1
                        type: string
                      tlsSecret:
                        description: |-
                          TLSSecret should refer to a k8s secret of type kubernetes.io/tls
                          and allows to specify an optional client certificate and key,
                          by constructing sslcert and sslkey connection string parameter values.
                        format: namespace/name
                        minLength: 1
                        type: string
                    required:
                    - secret
                    type: object
                type: object
              timeouts:
                description: Timeout specifies the global timeouts for all routes.
                properties:
                  idle:
                    description: Idle specifies the time at which a downstream or upstream connection will be terminated if there are no active streams.
                    format: duration
                    type: string
                  read:
                    description: Read specifies the amount of time for the entire request stream to be received from the client.
                    format: duration
                    type: string
                  write:
                    description: |-
                      Write specifies max stream duration is the maximum time that a stream’s lifetime will span.
                      An HTTP request/response exchange fully consumes a single stream.
                      Therefore, this value must be greater than read_timeout as it covers both request and response time.
                    format: duration
                    type: string
                type: object
              useProxyProtocol:
                description: UseProxyProtocol enables Proxy Protocol support.
                type: boolean
            required:
            - secrets
            type: object
          status:
            description: PomeriumStatus represents configuration and Ingress status.
            properties:
              ingress:
                additionalProperties:
                  description: |-
                    ResourceStatus represents the outcome of the latest attempt to reconcile
                    relevant Kubernetes resource with Pomerium.
                  properties:
                    error:
                      description: Error that prevented latest observedGeneration to be synchronized with Pomerium.
                      type: string
                    observedAt:
                      description: ObservedAt is when last reconciliation attempt was made.
                      format: date-time
                      type: string
                    observedGeneration:
                      description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
                      format: int64
                      type: integer
                    reconciled:
                      description: Reconciled is whether this object generation was successfully synced with pomerium.
                      type: boolean
                    warnings:
                      description: Warnings while parsing the resource.
                      items:
                        type: string
                      type: array
                  required:
                  - reconciled
                  type: object
                description: Routes provide per-Ingress status.
                type: object
              settingsStatus:
                description: SettingsStatus represent most recent main configuration reconciliation status.
                properties:
                  error:
                    description: Error that prevented latest observedGeneration to be synchronized with Pomerium.
                    type: string
                  observedAt:
                    description: ObservedAt is when last reconciliation attempt was made.
                    format: date-time
                    type: string
                  observedGeneration:
                    description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
                    format: int64
                    type: integer
                  reconciled:
                    description: Reconciled is whether this object generation was successfully synced with pomerium.
                    type: boolean
                  warnings:
                    description: Warnings while parsing the resource.
                    items:
                      type: string
                    type: array
                required:
                - reconciled
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
  namespace: pomerium
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services/status
  - secrets/status
  - endpoints/status
  verbs:
  - get
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.pomerium.io
  resources:
  - pomerium
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.pomerium.io
  resources:
  - pomerium/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-controller
subjects:
- kind: ServiceAccount
  name: pomerium-controller
  namespace: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-gen-secrets
subjects:
- kind: ServiceAccount
  name: pomerium-gen-secrets
  namespace: pomerium
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-metrics
  namespace: pomerium
spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: metrics
  selector:
    app.kubernetes.io/name: pomerium
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/name: pomerium
  name: pomerium-proxy
  namespace: pomerium
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  - name: quic
    port: 443
    protocol: UDP
    targetPort: quic
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/name: pomerium
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/name: pomerium
  name: pomerium
  namespace: pomerium
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/component: proxy
        app.kubernetes.io/name: pomerium
    spec:
      containers:
      - args:
        - all-in-one
        - --pomerium-config=global
        - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
        - --metrics-bind-address=$(POD_IP):9090
        - --health-probe-bind-address=$(POD_IP):28080
        env:
        - name: TMPDIR
          value: /tmp
        - name: XDG_CACHE_HOME
          value: /tmp
        - name: POMERIUM_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: pomerium/ingress-controller:main
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 10
          httpGet:
            path: /healthz
            port: 28080
          initialDelaySeconds: 15
          periodSeconds: 60
        name: pomerium
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP
        - containerPort: 443
          name: quic
          protocol: UDP
        - containerPort: 8080
          name: http
          protocol: TCP
        - containerPort: 9090
          name: metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 5
          httpGet:
            path: /readyz
            port: 28080
          initialDelaySeconds: 15
          periodSeconds: 60
        resources:
          limits:
            cpu: 5000m
            memory: 1Gi
          requests:
            cpu: 300m
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
        startupProbe:
          failureThreshold: 40
          httpGet:
            path: /startupz
            port: 28080
          periodSeconds: 15
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      volumes:
      - emptyDir: {}
        name: tmp
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
      name: pomerium-gen-secrets
    spec:
      containers:
      - args:
        - gen-secrets
        - --secrets=$(POD_NAMESPACE)/bootstrap
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: pomerium/ingress-controller:main
        imagePullPolicy: IfNotPresent
        name: gen-secrets
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: pomerium-gen-secrets
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
spec:
  controller: pomerium.io/ingress-controller