# Namespace for all Pomerium ingress-controller resources, followed by the cluster-scoped
# Pomerium settings CRD (group ingress.pomerium.io, version v1, kind Pomerium).
# The CRD schema carries a controller-gen.kubebuilder.io/version annotation, i.e. it is
# generated output; treat it as such rather than hand-editing the schema.
# NOTE(review): in this copy the indentation is lost and the description text between the
# authenticate.callbackPath property and the certificates property, as well as the text
# between the secrets and storage-related properties, is garbled (property keys are
# missing). Validate against the upstream CRD (e.g. a server-side dry-run) before applying.
apiVersion: v1 kind: Namespace metadata: labels: app.kubernetes.io/name: pomerium name: pomerium --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 labels: app.kubernetes.io/name: pomerium name: pomerium.ingress.pomerium.io spec: group: ingress.pomerium.io names: kind: Pomerium listKind: PomeriumList plural: pomerium singular: pomerium scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: |- Pomerium define runtime-configurable Pomerium settings that do not fall into the category of deployment parameters properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: PomeriumSpec defines Pomerium-specific configuration parameters. properties: accessLogFields: description: AccessLogFields sets the access fields to log. items: type: string type: array authenticate: description: |- Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used. properties: callbackPath: description: |- CallbackPath sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.
This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.
Defaults to /oauth2/callback
Ingress
for this\n\t\tvirtual
route, as it is handled by Pomerium internally. certificates
.\n\t\tIf
you use cert-manager
with HTTP01
challenge,\n\t\tyou
may use pomerium
ingressClass
to solve
it.ca.crt
containing a CA certificate.
items:
type: string
type: array
certificates:
description: Certificates is a list of secrets of type TLS to use
format: namespace/name
items:
type: string
type: array
cookie:
description: Cookie defines Pomerium session cookie options.
properties:
domain:
description: |-
Domain defaults to the same host that set the cookie.
If you specify the domain explicitly, then subdomains would also be included.
type: string
expire:
description: |-
Expire sets cookie and Pomerium session expiration time.
Once session expires, users would have to re-login.
If you change this parameter, existing sessions are not affected.
See Session Management (Enterprise) for a more fine-grained session controls.
Defaults to 14 hours.
format: duration type: string httpOnly: description: |- HTTPOnly if set tofalse
, the cookie would be accessible from within the JavaScript.
Defaults to true
.
type: boolean
name:
description: |-
Name sets the Pomerium session cookie name.
Defaults to _pomerium
type: string
sameSite:
description: |-
SameSite sets the SameSite option for cookies.
Defaults to
.
enum:
- strict
- lax
- none
type: string
type: object
identityProvider:
description: |-
IdentityProvider configure single-sign-on authentication and user identity details
by integrating with your Identity Provider
properties:
provider:
description: |-
Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication.
To use a generic provider, set to oidc
.
enum:
- auth0
- azure
- github
- gitlab
- google
- oidc
- okta
- onelogin
- ping
type: string
# Declared "no longer supported" by its own description but still accepted by the schema.
refreshDirectory:
description: |-
RefreshDirectory is no longer supported,
please see Upgrade Guide.
properties:
interval:
description: interval is the time that pomerium will sync
your IDP directory.
format: duration
type: string
timeout:
description: timeout is the maximum time allowed each run.
format: duration
type: string
required:
- interval
- timeout
type: object
requestParams:
additionalProperties:
type: string
description: RequestParams to be added as part of a sign-in request
using OAuth2 code flow.
format: namespace/name
type: object
requestParamsSecret:
description: RequestParamsSecret is a reference to a secret for
additional parameters you'd prefer not to provide in plaintext.
format: namespace/name
type: string
scopes:
description: |-
Scopes Identity provider scopes correspond to access privilege scopes
as defined in Section 3.3 of OAuth 2.0 RFC6749.
items:
type: string
type: array
secret:
description: |-
Secret containing IdP provider specific parameters.
and must contain at least client_id
and client_secret
values.
format: namespace/name
minLength: 1
type: string
# Declared "no longer supported" by its own description but still accepted by the schema.
serviceAccountFromSecret:
description: |-
ServiceAccountFromSecret is no longer supported,
see Upgrade Guide.
type: string
url:
description: |-
URL is the base path to an identity provider's OpenID connect discovery document.
See Identity Providers guides for details.
format: uri
# The schema rejects plaintext discovery URLs: the IdP endpoint must be https.
pattern: ^https://
type: string
# provider and secret are the only mandatory identityProvider fields.
required:
- provider
- secret
type: object
jwtClaimHeaders:
additionalProperties:
type: string
description: |-
JWTClaimHeaders convert claims from the assertion token
into HTTP headers and adds them into JWT assertion header.
Please make sure to read
Getting User Identity guide.
type: object
passIdentityHeaders:
description: PassIdentityHeaders sets the pass
identity headers option.
type: boolean
programmaticRedirectDomains:
description: |-
ProgrammaticRedirectDomains specifies a list of domains that can be used for
programmatic redirects.
items:
type: string
type: array
runtimeFlags:
additionalProperties:
type: boolean
description: RuntimeFlags sets the runtime
flags to enable/disable certain features.
type: object
secrets:
description: "Secrets references a Secret with Pomerium bootstrap
parameters.\n\n\n\n
shared_secret
\n\t\t-
secures inter-Pomerium service communications.\n\tcookie_secret
\n\t\t-
encrypts Pomerium session browser cookie.\n\t\tSee also other Cookie parameters.\n\tsigning_key
\n\t\tsigns
Pomerium JWT assertion header. See\n\t\tGetting
the user's identity\n\t\tguide.\n\t\nIn
a default Pomerium installation manifest, they would be generated
via a\none-time
job\nand stored in a pomerium/bootstrap
Secret.\nYou
may re-run the job to rotate the secrets, or update the Secret values
manually.\n
ca.crt
containing CA certificate
that, if specified, would be used to populate sslrootcert
parameter of the connection string.
format: namespace/name
minLength: 1
type: string
secret:
description: |-
Secret specifies a name of a Secret that must contain
connection
key. See
DSN Format and Parameters.
Do not set sslrootcert
, sslcert
and sslkey
via connection string,
use tlsSecret
and caSecret
CRD options instead.
format: namespace/name
minLength: 1
type: string
tlsSecret:
description: |-
TLSSecret should refer to a k8s secret of type kubernetes.io/tls
and allows to specify an optional client certificate and key,
by constructing sslcert
and sslkey
connection string
parameter values.
format: namespace/name
minLength: 1
type: string
required:
- secret
type: object
type: object
timeouts:
description: Timeout specifies the global
timeouts for all routes.
properties:
idle:
description: Idle specifies the time at which a downstream or
upstream connection will be terminated if there are no active
streams.
format: duration
type: string
read:
description: Read specifies the amount of time for the entire
request stream to be received from the client.
format: duration
type: string
write:
description: |-
Write specifies max stream duration is the maximum time that a stream’s lifetime will span.
An HTTP request/response exchange fully consumes a single stream.
Therefore, this value must be greater than read_timeout as it covers both request and response time.
format: duration
type: string
type: object
useProxyProtocol:
description: UseProxyProtocol enables Proxy
Protocol support.
type: boolean
# secrets (the bootstrap Secret reference) is the only required top-level spec field.
required:
- secrets
type: object
# Status is written by the controller (see the pomerium/status rule in the
# pomerium-controller ClusterRole) and is exposed as a subresource at the end of this document.
status:
description: PomeriumStatus represents configuration and Ingress status.
properties:
ingress:
additionalProperties:
description: |-
ResourceStatus represents the outcome of the latest attempt to reconcile
relevant Kubernetes resource with Pomerium.
properties:
error:
description: Error that prevented latest observedGeneration
to be synchronized with Pomerium.
type: string
observedAt:
description: ObservedAt is when last reconciliation attempt
was made.
format: date-time
type: string
observedGeneration:
description: ObservedGeneration represents the .metadata.generation
that was last presented to Pomerium.
format: int64
type: integer
reconciled:
description: Reconciled is whether this object generation was
successfully synced with pomerium.
type: boolean
warnings:
description: Warnings while parsing the resource.
items:
type: string
type: array
required:
- reconciled
type: object
description: Routes provide per-Ingress status.
type: object
settingsStatus:
description: SettingsStatus represent most recent main configuration
reconciliation status.
properties:
error:
description: Error that prevented latest observedGeneration to
be synchronized with Pomerium.
type: string
observedAt:
description: ObservedAt is when last reconciliation attempt was
made.
format: date-time
type: string
observedGeneration:
description: ObservedGeneration represents the .metadata.generation
that was last presented to Pomerium.
format: int64
type: integer
reconciled:
description: Reconciled is whether this object generation was
successfully synced with pomerium.
type: boolean
warnings:
description: Warnings while parsing the resource.
items:
type: string
type: array
required:
- reconciled
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity of the controller Deployment; bound to the pomerium-controller ClusterRole below.
  name: pomerium-controller
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity of the one-shot bootstrap-secret Job; bound to the pomerium-gen-secrets ClusterRole below.
  name: pomerium-gen-secrets
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pomerium-controller
  labels:
    app.kubernetes.io/name: pomerium
# Permissions of the all-in-one controller. They are cluster-wide because Ingress objects,
# and the Secrets the CRD references as namespace/name, may live in any namespace.
rules:
  # Core read access: services/endpoints (presumably for resolving Ingress backends) and
  # secrets (TLS, IdP and bootstrap material).
  # NOTE(review): this grants read access to every Secret in the cluster. Treat the
  # pomerium-controller ServiceAccount token as a high-value credential and keep the
  # pomerium namespace tightly controlled.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services/status
      - secrets/status
      - endpoints/status
    verbs:
      - get
  # Ingress and IngressClass objects are only watched ...
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # ... and only their status subresource is written back.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - get
      - patch
      - update
  # Same split for the Pomerium settings CRD: read the object, write only its status.
  - apiGroups:
      - ingress.pomerium.io
    resources:
      - pomerium
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ingress.pomerium.io
    resources:
      - pomerium/status
    verbs:
      - get
      - update
      - patch
  # Events for reconciliation feedback.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pomerium-gen-secrets
  labels:
    app.kubernetes.io/name: pomerium
# The bootstrap Job may only create Secrets; it cannot read, update or delete them.
# NOTE(review): the Job writes only $(POD_NAMESPACE)/bootstrap, so a namespaced Role in
# the pomerium namespace (with a RoleBinding) would be sufficient and less privileged
# than a cluster-wide grant; confirm no other namespace relies on this ClusterRole.
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pomerium-controller
  labels:
    app.kubernetes.io/name: pomerium
# Grants the controller ClusterRole to the controller ServiceAccount in the pomerium namespace.
subjects:
  - kind: ServiceAccount
    name: pomerium-controller
    namespace: pomerium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pomerium-gen-secrets
  labels:
    app.kubernetes.io/name: pomerium
# Grants the secret-creation ClusterRole to the Job's ServiceAccount in the pomerium namespace.
subjects:
  - kind: ServiceAccount
    name: pomerium-gen-secrets
    namespace: pomerium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-gen-secrets
---
apiVersion: v1
kind: Service
metadata:
  name: pomerium-metrics
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
# Cluster-internal endpoint for the controller's metrics listener (container port named
# "metrics", 9090). Nothing in this manifest authenticates that endpoint, so scope access
# with a NetworkPolicy if the cluster is multi-tenant.
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: metrics
      protocol: TCP
      port: 9090
      targetPort: metrics
---
apiVersion: v1
kind: Service
metadata:
  name: pomerium-proxy
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
# Public entry point; the Deployment passes this Service to --update-status-from-service
# so Ingress status is derived from its load balancer.
spec:
  type: LoadBalancer
  # Local policy preserves the client source IP (useful for access logs and policy) and
  # routes only to nodes that host a pomerium pod; with replicas: 1 that is a single node.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: https
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
---
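apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
# All-in-one Pomerium ingress controller: proxy (80/443 via the pomerium-proxy Service),
# controller and metrics in a single container.
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      containers:
        - name: pomerium
          # NOTE(review): `main` is a mutable tag pulled on every start (imagePullPolicy: Always),
          # so the running code can change without a manifest change. Pin a release tag or an
          # image digest (<IMAGE_DIGEST>) for reproducible, auditable deployments.
          image: pomerium/ingress-controller:main
          imagePullPolicy: Always
          args:
            - all-in-one
            # Presumably the name of the cluster-scoped Pomerium object holding global settings.
            - --pomerium-config=global
            # Ingress status is presumably taken from the pomerium-proxy Service's load balancer.
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
          env:
            # The root filesystem is read-only; temp and cache paths point at the tmp emptyDir.
            - name: TMPDIR
              value: /tmp
            - name: XDG_CACHE_HOME
              value: /tmp
            - name: POMERIUM_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          resources:
            requests:
              cpu: 300m
              memory: 200Mi
            limits:
              cpu: 5000m
              memory: 1Gi
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            runAsGroup: 65532
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            # All listeners bind unprivileged ports (8080/8443/9090) as a non-root user, so no
            # Linux capability is required: drop them all and use the runtime's default seccomp
            # profile, which together with the settings above meets the "restricted" Pod
            # Security Standard.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}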
---
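apiVersion: batch/v1
kind: Job
metadata:
  name: pomerium-gen-secrets
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
# One-shot Job that generates the bootstrap Secret the Pomerium object's spec.secrets refers
# to (stored as <namespace>/bootstrap; the CRD description names shared_secret, cookie_secret
# and signing_key as its contents).
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
        name: pomerium-gen-secrets
    spec:
      serviceAccountName: pomerium-gen-secrets
      restartPolicy: OnFailure
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
      containers:
        - name: gen-secrets
          # NOTE(review): same mutable `main` tag as the Deployment but pulled only IfNotPresent,
          # so a node may run a stale cached build of the generator; pinning a digest
          # (<IMAGE_DIGEST>) makes both workloads consistent.
          image: pomerium/ingress-controller:main
          imagePullPolicy: IfNotPresent
          args:
            - gen-secrets
            # NOTE(review): the bound ClusterRole grants only `create` on secrets, so it is
            # unclear how the "re-run the job to rotate the secrets" flow described in the CRD
            # succeeds once the Secret exists — confirm the intended rotation procedure.
            - --secrets=$(POD_NAMESPACE)/bootstrap
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            # Secret generation needs no Linux capability; drop all and use the default seccomp
            # profile, matching the hardening expected by the "restricted" Pod Security Standard.
            # readOnlyRootFilesystem is deliberately not added here: whether gen-secrets writes
            # to disk is not visible in this manifest — confirm before enabling it.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault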
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: pomerium
  labels:
    app.kubernetes.io/name: pomerium
# Ingress objects opt in to this controller by setting spec.ingressClassName to "pomerium";
# the controller identifies itself by the controller string below.
spec:
  controller: pomerium.io/ingress-controller