Mercurial > code > home > repos > pomerium
annotate 20-kube/20-pom-deploy.yaml @ 22:c2e12ba4d0b2
update past CVE-2023-33189
| author | drewp@bigasterisk.com |
|---|---|
| date | Tue, 06 Jun 2023 10:52:50 -0700 |
| parents | 021ddfa73806 |
| children |
| rev | line source |
|---|---|
| 0 | 1 apiVersion: apps/v1 |
| 2 kind: Deployment | |
| 3 metadata: | |
| 4 labels: { app.kubernetes.io/name: pomerium } | |
| 5 name: pomerium | |
| 6 namespace: pomerium | |
| 7 spec: | |
|
20
021ddfa73806
try things to get sessions that don't quickly expire (fetch requests have CORS errors). these may not be working
drewp@bigasterisk.com
parents:
19
diff
changeset
|
8 replicas: 1 |
| 19 | 9 strategy: { type: RollingUpdate } |
| 0 | 10 selector: |
| 11 matchLabels: { app.kubernetes.io/name: pomerium } | |
| 12 template: | |
| 13 metadata: | |
| 14 labels: { app.kubernetes.io/name: pomerium } | |
| 15 spec: | |
| 16 containers: | |
| 17 - args: | |
| 18 - all-in-one | |
| 19 - --pomerium-config=global | |
| 20 - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy | |
| 21 - --metrics-bind-address=$(POD_IP):9090 | |
| 22 env: | |
| 23 - { name: TMPDIR, value: /tmp } | |
| 24 - { name: XDG_CACHE_HOME, value: /tmp } | |
| 25 - name: POMERIUM_NAMESPACE | |
| 26 valueFrom: | |
| 27 fieldRef: | |
| 28 apiVersion: v1 | |
| 29 fieldPath: metadata.namespace | |
| 30 - name: POD_IP | |
| 31 valueFrom: | |
| 32 fieldRef: | |
| 33 fieldPath: status.podIP | |
| 19 | 34 # see https://hub.docker.com/r/pomerium/ingress-controller/tags but idk how to get the version number! |
| 16 | 35 # It's not even in the startup logs, just this: "pomerium_version":"" |
| 22 | 36 # |
| 16 | 37 # I think sha-2c8038a is v0.21.3 (by date, https://www.pomerium.com/docs/releases/changelog) |
| 22 | 38 # |
| 39 # sha-dd49d67 is 2023-05-30, | |
| 40 # https://github.com/pomerium/ingress-controller/commit/dd49d679ea077930229dff8aa319c58c77a767dc | |
| 41 # including 'current main branch' as of 2023-05-23 per | |
| 42 # https://github.com/pomerium/ingress-controller/commit/f79735129577344cc9fd766ff1b51df324990771 | |
| 43 image: pomerium/ingress-controller:sha-dd49d67 | |
| 0 | 44 imagePullPolicy: IfNotPresent |
| 45 name: pomerium | |
| 46 ports: | |
| 47 - { containerPort: 8443, name: https, protocol: TCP } | |
| 48 - { containerPort: 8080, name: http, protocol: TCP } | |
| 49 - { containerPort: 9090, name: metrics, protocol: TCP } | |
| 50 resources: | |
| 51 limits: { cpu: 5000m, memory: 1Gi } | |
| 52 requests: { cpu: 300m, memory: 200Mi } | |
| 53 securityContext: | |
| 54 allowPrivilegeEscalation: false | |
| 55 readOnlyRootFilesystem: true | |
| 56 runAsGroup: 1000 | |
| 57 runAsNonRoot: true | |
| 58 runAsUser: 1000 | |
| 59 volumeMounts: | |
| 60 - { mountPath: /tmp, name: tmp } | |
| 61 - { mountPath: /data/autocert, name: autocert } | |
| 9 | 62 - { mountPath: /.local, name: autocert } |
| 0 | 63 nodeSelector: |
| 64 kubernetes.io/os: linux | |
| 65 securityContext: | |
| 66 runAsNonRoot: true | |
| 67 serviceAccountName: pomerium-controller | |
| 68 terminationGracePeriodSeconds: 10 | |
| 69 volumes: | |
| 70 - { name: tmp, emptyDir: {} } | |
| 71 - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } } | |
| 72 affinity: | |
| 73 nodeAffinity: | |
| 74 requiredDuringSchedulingIgnoredDuringExecution: | |
| 75 nodeSelectorTerms: | |
| 76 - matchExpressions: | |
| 77 - key: "kubernetes.io/hostname" | |
| 78 operator: In | |
| 14 | 79 values: ["ditto"] |
| 0 | 80 --- |
| 81 apiVersion: networking.k8s.io/v1 | |
| 82 kind: IngressClass | |
| 83 metadata: | |
| 84 labels: | |
| 85 app.kubernetes.io/name: pomerium | |
| 86 name: pomerium | |
| 87 spec: | |
| 88 controller: pomerium.io/ingress-controller |