apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium.ingress.pomerium.io
spec:
  group: ingress.pomerium.io
  names:
    kind: Pomerium
    listKind: PomeriumList
    plural: pomerium
    singular: pomerium
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: |-
          Pomerium define runtime-configurable Pomerium settings
          that do not fall into the category of deployment parameters
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: PomeriumSpec defines Pomerium-specific configuration parameters.
            properties:
              accessLogFields:
                description: AccessLogFields sets the access fields to log.
                items:
                  type: string
                type: array
              authenticate:
                description: |-
                  Authenticate sets authenticate service parameters.
                  If not specified, a Pomerium-hosted authenticate service would be used.
                properties:
                  callbackPath:
                    description: |-
                      CallbackPath sets the path at which the authenticate service receives callback responses
                      from your identity provider. The value must exactly match one of the authorized
                      redirect URIs for the OAuth 2.0 client.

                      This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.

                      Defaults to /oauth2/callback
                    type: string
                  url:
                    description: |-
                      AuthenticateURL is a dedicated domain URL
                      the non-authenticated persons would be referred to.
                    format: uri
                    pattern: ^https://
                    type: string
                required:
                - url
                type: object
              authorizeLogFields:
                description: AuthorizeLogFields sets the authorize fields to log.
                items:
                  type: string
                type: array
              caSecrets:
                description: CASecret should refer to k8s secrets with key ca.crt containing a CA certificate.
                items:
                  type: string
                type: array
              certificates:
                description: Certificates is a list of secrets of type TLS to use
                format: namespace/name
                items:
                  type: string
                type: array
              cookie:
                description: Cookie defines Pomerium session cookie options.
                properties:
                  domain:
                    description: |-
                      Domain defaults to the same host that set the cookie.
                      If you specify the domain explicitly, then subdomains would also be included.
                    type: string
                  expire:
                    description: |-
                      Expire sets cookie and Pomerium session expiration time.
                      Once session expires, users would have to re-login.
                      If you change this parameter, existing sessions are not affected.

                      See Session Management (Enterprise) for a more fine-grained session controls.

                      Defaults to 14 hours.
                    format: duration
                    type: string
                  httpOnly:
                    description: |-
                      HTTPOnly if set to false, the cookie would be accessible from within the JavaScript.
                      Defaults to true.
                    type: boolean
                  name:
                    description: |-
                      Name sets the Pomerium session cookie name.
                      Defaults to _pomerium
                    type: string
                  sameSite:
                    description: |-
                      SameSite sets the SameSite option for cookies.
                      Defaults to .
                    enum:
                    - strict
                    - lax
                    - none
                    type: string
                type: object
              identityProvider:
                description: |-
                  IdentityProvider configure single-sign-on authentication and user identity details
                  by integrating with your Identity Provider
                properties:
                  provider:
                    description: |-
                      Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider
                      to be used for authentication. To use a generic provider, set to oidc.
                    enum:
                    - auth0
                    - azure
                    - github
                    - gitlab
                    - google
                    - oidc
                    - okta
                    - onelogin
                    - ping
                    type: string
                  refreshDirectory:
                    description: |-
                      RefreshDirectory is no longer supported,
                      please see Upgrade Guide.
                    properties:
                      interval:
                        description: interval is the time that pomerium will sync your IDP directory.
                        format: duration
                        type: string
                      timeout:
                        description: timeout is the maximum time allowed each run.
                        format: duration
                        type: string
                    required:
                    - interval
                    - timeout
                    type: object
                  requestParams:
                    additionalProperties:
                      type: string
                    description: RequestParams to be added as part of a sign-in request using OAuth2 code flow.
                    format: namespace/name
                    type: object
                  requestParamsSecret:
                    description: RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.
                    format: namespace/name
                    type: string
                  scopes:
                    description: |-
                      Scopes Identity provider scopes correspond to access privilege scopes
                      as defined in Section 3.3 of OAuth 2.0 RFC6749.
                    items:
                      type: string
                    type: array
                  secret:
                    description: |-
                      Secret containing IdP provider specific parameters.
                      and must contain at least client_id and client_secret values.
                    format: namespace/name
                    minLength: 1
                    type: string
                  serviceAccountFromSecret:
                    description: |-
                      ServiceAccountFromSecret is no longer supported, see Upgrade Guide.
                    type: string
                  url:
                    description: |-
                      URL is the base path to an identity provider's OpenID connect discovery document.
                      See Identity Providers guides for details.
                    format: uri
                    pattern: ^https://
                    type: string
                required:
                - provider
                - secret
                type: object
              jwtClaimHeaders:
                additionalProperties:
                  type: string
                description: |-
                  JWTClaimHeaders convert claims from the assertion token
                  into HTTP headers and adds them into JWT assertion header.
                  Please make sure to read Getting User Identity guide.
                type: object
              passIdentityHeaders:
                description: PassIdentityHeaders sets the pass identity headers option.
                type: boolean
              programmaticRedirectDomains:
                description: |-
                  ProgrammaticRedirectDomains specifies a list of domains that can be used for programmatic redirects.
                items:
                  type: string
                type: array
              secrets:
                description: |-
                  Secrets references a Secret with Pomerium bootstrap parameters.

                  In a default Pomerium installation manifest, they would be generated via a
                  one-time job
                  and stored in a pomerium/bootstrap Secret.
                  You may re-run the job to rotate the secrets, or update the Secret values manually.
                format: namespace/name
                minLength: 1
                type: string
              setResponseHeaders:
                additionalProperties:
                  type: string
                description: |-
                  SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes
                  and pomerium's authenticate service.
                  See Set Response Headers
                type: object
              storage:
                description: |-
                  Storage defines persistent storage for sessions and other data. See Storage for details.
                  If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
                properties:
                  postgres:
                    description: Postgres specifies PostgreSQL database connection parameters
                    properties:
                      caSecret:
                        description: |-
                          CASecret should refer to a k8s secret with key ca.crt containing CA certificate that,
                          if specified, would be used to populate sslrootcert parameter of the connection string.
                        format: namespace/name
                        minLength: 1
                        type: string
                      secret:
                        description: |-
                          Secret specifies a name of a Secret that must contain connection key.
                          See DSN Format and Parameters.
                          Do not set sslrootcert, sslcert and sslkey via connection string,
                          use tlsSecret and caSecret CRD options instead.
                        format: namespace/name
                        minLength: 1
                        type: string
                      tlsSecret:
                        description: |-
                          TLSSecret should refer to a k8s secret of type kubernetes.io/tls
                          and allows to specify an optional client certificate and key,
                          by constructing sslcert and sslkey connection string parameter values.
                        format: namespace/name
                        minLength: 1
                        type: string
                    required:
                    - secret
                    type: object
                type: object
              timeouts:
                description: Timeout specifies the global timeouts for all routes.
                properties:
                  idle:
                    description: Idle specifies the time at which a downstream or upstream connection will be terminated if there are no active streams.
                    format: duration
                    type: string
                  read:
                    description: Read specifies the amount of time for the entire request stream to be received from the client.
                    format: duration
                    type: string
                  write:
                    description: |-
                      Write specifies max stream duration is the maximum time that a stream's lifetime will span.
                      An HTTP request/response exchange fully consumes a single stream.
                      Therefore, this value must be greater than read_timeout as it covers both request and response time.
                    format: duration
                    type: string
                type: object
              useProxyProtocol:
                description: UseProxyProtocol enables Proxy Protocol support.
                type: boolean
            required:
            - secrets
            type: object
          status:
            description: PomeriumStatus represents configuration and Ingress status.
            properties:
              ingress:
                additionalProperties:
                  description: |-
                    ResourceStatus represents the outcome of the latest attempt to reconcile
                    relevant Kubernetes resource with Pomerium.
                  properties:
                    error:
                      description: Error that prevented latest observedGeneration to be synchronized with Pomerium.
                      type: string
                    observedAt:
                      description: ObservedAt is when last reconciliation attempt was made.
                      format: date-time
                      type: string
                    observedGeneration:
                      description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
                      format: int64
                      type: integer
                    reconciled:
                      description: Reconciled is whether this object generation was successfully synced with pomerium.
                      type: boolean
                    warnings:
                      description: Warnings while parsing the resource.
                      items:
                        type: string
                      type: array
                  required:
                  - reconciled
                  type: object
                description: Routes provide per-Ingress status.
                type: object
              settingsStatus:
                description: SettingsStatus represent most recent main configuration reconciliation status.
                properties:
                  error:
                    description: Error that prevented latest observedGeneration to be synchronized with Pomerium.
                    type: string
                  observedAt:
                    description: ObservedAt is when last reconciliation attempt was made.
                    format: date-time
                    type: string
                  observedGeneration:
                    description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
                    format: int64
                    type: integer
                  reconciled:
                    description: Reconciled is whether this object generation was successfully synced with pomerium.
                    type: boolean
                  warnings:
                    description: Warnings while parsing the resource.
                    items:
                      type: string
                    type: array
                required:
                - reconciled
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
  namespace: pomerium
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services/status
  - secrets/status
  - endpoints/status
  verbs:
  - get
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.pomerium.io
  resources:
  - pomerium
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.pomerium.io
  resources:
  - pomerium/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-controller
subjects:
- kind: ServiceAccount
  name: pomerium-controller
  namespace: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-gen-secrets
subjects:
- kind: ServiceAccount
  name: pomerium-gen-secrets
  namespace: pomerium
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-metrics
  namespace: pomerium
spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: metrics
  selector:
    app.kubernetes.io/name: pomerium
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-proxy
  namespace: pomerium
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/name: pomerium
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
  namespace: pomerium
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      containers:
      - args:
        - all-in-one
        - --pomerium-config=global
        - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
        - --metrics-bind-address=$(POD_IP):9090
        env:
        - name: TMPDIR
          value: /tmp
        - name: XDG_CACHE_HOME
          value: /tmp
        - name: POMERIUM_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: pomerium/ingress-controller:main
        imagePullPolicy: Always
        name: pomerium
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP
        - containerPort: 8080
          name: http
          protocol: TCP
        - containerPort: 9090
          name: metrics
          protocol: TCP
        resources:
          limits:
            cpu: 5000m
            memory: 1Gi
          requests:
            cpu: 300m
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      volumes:
      - emptyDir: {}
        name: tmp
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
      name: pomerium-gen-secrets
    spec:
      containers:
      - args:
        - gen-secrets
        - --secrets=$(POD_NAMESPACE)/bootstrap
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: pomerium/ingress-controller:main
        imagePullPolicy: IfNotPresent
        name: gen-secrets
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: pomerium-gen-secrets
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
spec:
  controller: pomerium.io/ingress-controller
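As an added example (not part of the install manifest above), here is a Pomerium resource that satisfies the CRD schema and is the object the controller's `--pomerium-config=global` argument points at. The hostnames, the `pomerium/idp`, `pomerium/postgres` and `pomerium/postgres-ca` Secret names and the Go-style duration strings are assumptions; only `pomerium/bootstrap` comes from the manifest.

```yaml
# Added example, not from the install manifest. Placeholder hostnames and
# Secret names (pomerium/idp, pomerium/postgres, pomerium/postgres-ca) are assumed.
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global                # cluster-scoped CRD, so no namespace; matches --pomerium-config=global
spec:
  # Required by the schema. Written by the pomerium-gen-secrets Job; re-run it to rotate.
  secrets: pomerium/bootstrap
  authenticate:
    url: https://authenticate.example.com   # must satisfy the ^https:// pattern
  identityProvider:
    provider: oidc                          # one of the enum values; oidc = generic provider
    url: https://idp.example.com            # base path of the OIDC discovery document (placeholder)
    secret: pomerium/idp                    # must contain client_id and client_secret
    scopes:
    - openid
    - email
  cookie:
    name: _pomerium
    httpOnly: true                          # keep the session cookie unreachable from JavaScript
    sameSite: lax                           # enum: strict | lax | none
    expire: 12h                             # schema default is 14 hours; existing sessions unaffected
  storage:
    # Persistent sessions instead of the transient in-memory default.
    postgres:
      secret: pomerium/postgres             # Secret with the "connection" key (DSN, no ssl* params)
      caSecret: pomerium/postgres-ca        # ca.crt becomes sslrootcert, per the CRD description
  timeouts:
    read: 30s
    write: 60s                              # must exceed read: it spans request and response
    idle: 5m
  setResponseHeaders:
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: SAMEORIGIN
```

Validate it against the installed CRD with `kubectl apply --dry-run=server -f` before applying; the schema rejects a missing `secrets`, an `identityProvider` without `provider` and `secret`, or an `authenticate.url` that is not https.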