apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.0
  creationTimestamp: null
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium.ingress.pomerium.io
spec:
  group: ingress.pomerium.io
  names:
    kind: Pomerium
    listKind: PomeriumList
    plural: pomerium
    singular: pomerium
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: Pomerium defines runtime-configurable Pomerium settings that do not fall into the category of deployment parameters
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: PomeriumSpec defines Pomerium-specific configuration parameters.
            properties:
              authenticate:
                description: Authenticate sets authenticate service parameters
                properties:
                  callbackPath:
                    description: |-
                      CallbackPath sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.

                      This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.

                      Defaults to /oauth2/callback
                    type: string
                  url:
                    description: AuthenticateURL is a dedicated domain URL the non-authenticated persons would be referred to.
                    format: uri
                    pattern: ^https://
                    type: string
                required:
                - url
                type: object
              certificates:
                description: Certificates is a list of secrets of type TLS to use
                format: namespace/name
                items:
                  type: string
                type: array
              cookie:
                description: Cookie defines Pomerium session cookie options.
                properties:
                  domain:
                    description: Domain defaults to the same host that set the cookie. If you specify the domain explicitly, then subdomains would also be included.
                    type: string
                  expire:
                    description: |-
                      Expire sets cookie and Pomerium session expiration time. Once the session expires, users would have to re-login. If you change this parameter, existing sessions are not affected.

                      See Session Management (Enterprise) for more fine-grained session controls.

                      Defaults to 14 hours.
                    format: duration
                    type: string
                  httpOnly:
                    description: HTTPOnly if set to false, the cookie would be accessible from within JavaScript. Defaults to true.
                    type: boolean
                  name:
                    description: Name sets the Pomerium session cookie name. Defaults to _pomerium
                    type: string
                  secure:
                    description: Secure if set to false, would make a cookie accessible over insecure protocols (HTTP). Defaults to true.
                    type: boolean
                type: object
              identityProvider:
                description: IdentityProvider configures single-sign-on authentication and user identity details by integrating with your Identity Provider
                properties:
                  provider:
                    description: Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider, set to oidc.
                    enum:
                    - auth0
                    - azure
                    - google
                    - okta
                    - onelogin
                    - oidc
                    - ping
                    - github
                    type: string
                  refreshDirectory:
                    description: RefreshDirectory is no longer supported, please see Upgrade Guide.
                    properties:
                      interval:
                        description: interval is the time that pomerium will sync your IDP directory.
                        format: duration
                        type: string
                      timeout:
                        description: timeout is the maximum time allowed each run.
                        format: duration
                        type: string
                    required:
                    - interval
                    - timeout
                    type: object
                  requestParams:
                    additionalProperties:
                      type: string
                    description: RequestParams to be added as part of a signin request using OAuth2 code flow.
                    format: namespace/name
                    type: object
                  requestParamsSecret:
                    description: RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.
                    format: namespace/name
                    type: string
                  scopes:
                    description: Scopes Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
                    items:
                      type: string
                    type: array
                  secret:
                    description: Secret containing IdP provider specific parameters, and must contain at least client_id and client_secret values.
                    format: namespace/name
                    minLength: 1
                    type: string
                  serviceAccountFromSecret:
                    description: ServiceAccountFromSecret is no longer supported, see Upgrade Guide.
                    type: string
                  url:
                    description: URL is the base path to an identity provider's OpenID connect discovery document. See Identity Providers guides for details.
                    format: uri
                    pattern: ^https://
                    type: string
                required:
                - provider
                - secret
                type: object
              jwtClaimHeaders:
                additionalProperties:
                  type: string
                description: JWTClaimHeaders convert claims from the assertion token into HTTP headers and adds them into the JWT assertion header. Please make sure to read the Getting User Identity guide.
                type: object
              secrets:
                description: |-
                  Secrets references a Secret with Pomerium bootstrap parameters.

                  In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.
                format: namespace/name
                minLength: 1
                type: string
              storage:
                description: Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
                properties:
                  postgres:
                    description: Postgres specifies PostgreSQL database connection parameters
                    properties:
                      caSecret:
                        description: CASecret should refer to a k8s secret with key ca.crt containing a CA certificate that, if specified, would be used to populate the sslrootcert parameter of the connection string.
                        format: namespace/name
                        minLength: 1
                        type: string
                      secret:
                        description: Secret specifies a name of a Secret that must contain a connection key. See DSN Format and Parameters. Do not set sslrootcert, sslcert and sslkey via the connection string, use the tlsSecret and caSecret CRD options instead.
                        format: namespace/name
                        minLength: 1
                        type: string
                      tlsSecret:
                        description: TLSSecret should refer to a k8s secret of type kubernetes.io/tls and allows to specify an optional client certificate and key, by constructing sslcert and sslkey connection string parameter values.
                        format: namespace/name
                        minLength: 1
                        type: string
                    required:
                    - secret
                    type: object
                  redis:
                    description: Redis defines REDIS connection parameters
                    properties:
                      caSecret:
                        description: CASecret should refer to a k8s secret with key ca.crt that must be a PEM-encoded certificate authority to use when connecting to the databroker storage engine.
                        format: namespace/name
                        type: string
                      secret:
                        description: Secret specifies a name of a Secret that must contain a connection key.
                        format: namespace/name
                        minLength: 1
                        type: string
                      tlsSecret:
                        description: TLSSecret should refer to a k8s secret of type kubernetes.io/tls that would be used to perform a TLS connection to REDIS.
                        format: namespace/name
                        minLength: 1
                        type: string
                      tlsSkipVerify:
                        description: TLSSkipVerify disables TLS certificate chain validation.
                        type: boolean
                    required:
                    - secret
                    type: object
                type: object
            required:
            - authenticate
            - identityProvider
            - secrets
            type: object
          status:
            description: PomeriumStatus represents configuration and Ingress status.
            properties:
              ingress:
                additionalProperties:
                  description: ResourceStatus represents the outcome of the latest attempt to reconcile the relevant Kubernetes resource with Pomerium.
                  properties:
                    error:
                      description: Error that prevented the latest observedGeneration from being synchronized with Pomerium.
                      type: string
                    observedAt:
                      description: ObservedAt is when the last reconciliation attempt was made.
                      format: date-time
                      type: string
                    observedGeneration:
                      description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
                      format: int64
                      type: integer
                    reconciled:
                      description: Reconciled is whether this object generation was successfully synced with pomerium.
                      type: boolean
                    warnings:
                      description: Warnings while parsing the resource.
                      items:
                        type: string
                      type: array
                  required:
                  - reconciled
                  type: object
                description: Routes provide per-Ingress status.
                type: object
              settingsStatus:
                description: SettingsStatus represents the most recent main configuration reconciliation status.
                properties:
                  error:
                    description: Error that prevented the latest observedGeneration from being synchronized with Pomerium.
                    type: string
                  observedAt:
                    description: ObservedAt is when the last reconciliation attempt was made.
                    format: date-time
                    type: string
                  observedGeneration:
                    description: ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
                    format: int64
                    type: integer
                  reconciled:
                    description: Reconciled is whether this object generation was successfully synced with pomerium.
                    type: boolean
                  warnings:
                    description: Warnings while parsing the resource.
                    items:
                      type: string
                    type: array
                required:
                - reconciled
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
  namespace: pomerium
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services/status
  - secrets/status
  - endpoints/status
  verbs:
  - get
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ingress.pomerium.io
  resources:
  - pomerium
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ingress.pomerium.io
  resources:
  - pomerium/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-controller
subjects:
- kind: ServiceAccount
  name: pomerium-controller
  namespace: pomerium
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-gen-secrets
subjects:
- kind: ServiceAccount
  name: pomerium-gen-secrets
  namespace: pomerium
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-metrics
  namespace: pomerium
spec:
  ports:
  - name: metrics
    port: 9090
    protocol: TCP
    targetPort: metrics
  selector:
    app.kubernetes.io/name: pomerium
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-proxy
  namespace: pomerium
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/name: pomerium
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
  namespace: pomerium
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      containers:
      - args:
        - all-in-one
        - --pomerium-config=global
        - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
        - --metrics-bind-address=$(POD_IP):9090
        env:
        - name: TMPDIR
          value: /tmp
        - name: XDG_CACHE_HOME
          value: /tmp
        - name: POMERIUM_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        image: pomerium/ingress-controller:sha-cdc389c
        imagePullPolicy: IfNotPresent
        name: pomerium
        ports:
        - containerPort: 8443
          name: https
          protocol: TCP
        - containerPort: 8080
          name: http
          protocol: TCP
        - containerPort: 9090
          name: metrics
          protocol: TCP
        resources:
          limits:
            cpu: 5000m
            memory: 1Gi
          requests:
            cpu: 300m
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsGroup: 1000
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      volumes:
      - emptyDir: {}
        name: tmp
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
      name: pomerium-gen-secrets
    spec:
      containers:
      - args:
        - gen-secrets
        - --secrets=$(POD_NAMESPACE)/bootstrap
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: pomerium/ingress-controller:main
        imagePullPolicy: IfNotPresent
        name: gen-secrets
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 1000
        runAsNonRoot: true
        runAsUser: 1000
      serviceAccountName: pomerium-gen-secrets
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium
spec:
  controller: pomerium.io/ingress-controller