changeset 1:9d3a9e524ad3
fuss with ns and stuff to get it working. forward all (over http) to nginx at first
author | drewp@bigasterisk.com |
---|---|
date | Tue, 13 Sep 2022 22:32:50 -0700 |
parents | 6bf643829330 |
children | b605b92e89b8 |
files | ingress-default.yaml kube/10-pomerium.yaml kube/51-pomerium-production-issuer.yaml kube/51-pomerium-staging-issuer.yaml kube/60-auth-cert.yaml switch_to_nginx.sh switch_to_pomerium.sh |
diffstat | 7 files changed, 51 insertions(+), 14 deletions(-) [+] |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/ingress-default.yaml Tue Sep 13 22:32:50 2022 -0700
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: default
+  annotations:
+    cert-manager.io/issuer: letsencrypt-prod
+    ingress.pomerium.io/allow_public_unauthenticated_access: "true"
+    ingress.pomerium.io/pass_identity_headers: "true"
+    ingress.pomerium.io/preserve_host_header: "true"
+spec:
+  ingressClassName: pomerium
+  rules:
+    - host: "bigasterisk.com"
+      http:
+        paths:
+          - { pathType: Prefix, path: /, backend: { service: { name: nginx, port: { number: 11444 } } } }
+  tls:
+    - hosts: [bigasterisk.com]
+      secretName: bigasterisk.com-tls
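Review bot: The Ingress has no `metadata.namespace`, so the namespace it lands in depends on the kubectl context, yet the `cert-manager.io/issuer: letsencrypt-prod` annotation can only resolve a namespaced Issuer in the Ingress's own namespace, and this changeset moves that Issuer to `default`. Pin it with `namespace: default` under `metadata:` so the certificate request cannot silently fail under a different context. Separately, `allow_public_unauthenticated_access: "true"` makes this the unauthenticated catch-all for bigasterisk.com, so the headers forwarded by `pass_identity_headers` carry no verified identity on this route; nginx and anything behind it must not treat `X-Pomerium-*` headers on this path as authentication. A one-line comment next to the annotations saying so, e.g. `# public route: identity headers are not a signal of authentication here`, would keep a later reader from relying on them.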
--- a/kube/10-pomerium.yaml Sun Sep 11 01:24:55 2022 -0700
+++ b/kube/10-pomerium.yaml Tue Sep 13 22:32:50 2022 -0700
@@ -12,5 +12,6 @@
     refreshDirectory:
       interval: "10h"
       timeout: "10s"
-  certificates:
-  - pomerium/pomerium-proxy-tls
+  # Note pom won't start up if this cert doesn't exist, so you have to run once
+  # with it commented out, then after cert success, run again with it enabled.
+  certificates: [pomerium/pomerium-proxy-tls]
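Review bot: The new comment describes a manual two-phase bootstrap but not where the secret comes from or why the dependency is circular: `pomerium/pomerium-proxy-tls` is created by the Certificate in kube/60-auth-cert.yaml, whose HTTP-01 challenge is solved through the `pomerium` ingress class, so Pomerium has to be running to obtain the very cert it refuses to start without. Spell that out next to the `certificates:` line, e.g. `# Secret comes from kube/60-auth-cert.yaml via HTTP-01 on the pomerium ingress class; Pomerium must already be up (this line commented out) for issuance to succeed.` While iterating on that procedure, point 60-auth-cert.yaml at `letsencrypt-staging` (kube/51-pomerium-staging-issuer.yaml) so repeated attempts do not consume Let's Encrypt production rate limits. The enclosing `refreshDirectory:` block and the rest of the spec begin outside this hunk.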
--- a/kube/51-pomerium-production-issuer.yaml Sun Sep 11 01:24:55 2022 -0700
+++ b/kube/51-pomerium-production-issuer.yaml Tue Sep 13 22:32:50 2022 -0700
@@ -2,7 +2,7 @@
 kind: Issuer
 metadata:
   name: letsencrypt-prod
-  namespace: pomerium
+  namespace: default
 spec:
   acme:
     # The ACME server URL
@@ -14,6 +14,6 @@
       name: letsencrypt-prod
     # Enable the HTTP-01 challenge provider
     solvers:
-      - http01:
-          ingress:
-            class: pomerium
+      - http01:
+          ingress:
+            class: pomerium
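Review bot: Moving `letsencrypt-prod` to `namespace: default` makes it usable from the new Ingress but unreachable from any other namespace, because an Issuer is namespace-scoped, and the Certificate this changeset adds in the `pomerium` namespace references this same name. Unless an identically named Issuer is also kept in `pomerium`, consider `kind: ClusterIssuer` with the `namespace:` line dropped, and `kind: ClusterIssuer` in every `issuerRef` that uses it. The second hunk removes and re-adds three visibly identical lines, which looks like a whitespace-only change worth leaving out of the commit.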
--- a/kube/51-pomerium-staging-issuer.yaml Sun Sep 11 01:24:55 2022 -0700
+++ b/kube/51-pomerium-staging-issuer.yaml Tue Sep 13 22:32:50 2022 -0700
@@ -2,7 +2,7 @@
 kind: Issuer
 metadata:
   name: letsencrypt-staging
-  namespace: pomerium
+  namespace: default
 spec:
   acme:
     # The ACME server URL
@@ -16,4 +16,4 @@
     solvers:
     - http01:
         ingress:
-          class: pomerium
\ No newline at end of file
+          class: pomerium
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/kube/60-auth-cert.yaml Tue Sep 13 22:32:50 2022 -0700
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pomerium-proxy-tls
+  namespace: pomerium
+spec:
+  dnsNames:
+    - 'authenticate.bigasterisk.com'
+  issuerRef:
+    kind: Issuer
+    name: letsencrypt-prod
+  secretName: pomerium-proxy-tls
\ No newline at end of file
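Review bot: `issuerRef` names `kind: Issuer` / `name: letsencrypt-prod` from the `pomerium` namespace, but this same changeset moves that Issuer into `default`, and a namespaced Issuer is only visible to Certificates in its own namespace; unless a second `letsencrypt-prod` Issuer still exists in `pomerium`, cert-manager will report the issuer as not found and never create `pomerium-proxy-tls`, which kube/10-pomerium.yaml now requires at startup. Either keep an Issuer in this namespace or switch to a ClusterIssuer and set `kind: ClusterIssuer` here. Note also that the HTTP-01 challenge for `authenticate.bigasterisk.com` is solved through the `pomerium` ingress class, so public DNS for that host has to reach this cluster's Pomerium proxy before issuance can succeed; a comment on `dnsNames` saying so would save the next person a debugging round. The file is missing its trailing newline.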
--- a/switch_to_nginx.sh Sun Sep 11 01:24:55 2022 -0700
+++ b/switch_to_nginx.sh Tue Sep 13 22:32:50 2022 -0700
@@ -1,7 +1,11 @@
 #!/bin/zsh
 cd /my/serv/pomerium
-kubectl delete -f kube
+
+# not all this, since it includes Certs and also the ns and CRD for the Certs
+kubectl delete -f kube/10-pomerium.yaml
+kubectl delete -f kube/20-deployment.yaml
+kubectl delete -f kube/03-volumes.yaml
 cd /my/serv/nginx
 /my/proj/release/env/bin/invoke run
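Review bot: Nothing in the script stops on failure: if `cd /my/serv/pomerium` fails, the three `kubectl delete -f kube/...` lines run from the wrong directory and error out, and the script still goes on to start nginx; add `set -e` after the shebang (or `cd /my/serv/pomerium || exit 1`). The three deletes also fail when the resources are already gone, so pair that with `kubectl delete --ignore-not-found -f kube/10-pomerium.yaml -f kube/20-deployment.yaml -f kube/03-volumes.yaml`, which collapses them into one idempotent call. The comment could state the actual reason the namespace must survive: deleting it would also delete the `pomerium-proxy-tls` secret that holds the issued certificate and key, forcing re-issuance on the next switch back.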
--- a/switch_to_pomerium.sh Sun Sep 11 01:24:55 2022 -0700
+++ b/switch_to_pomerium.sh Tue Sep 13 22:32:50 2022 -0700
@@ -1,9 +1,10 @@
 #!/bin/zsh
-cd /my/serv/nginx
-skaffold delete -f wrapped_skaffold.yaml
+#cd /my/serv/nginx
+#skaffold delete -f wrapped_skaffold.yaml
+
 cd /my/serv/pomerium
-kubectl apply -f kube/
-#kubectl create secret tls megasecond-club-tls --namespace=pomerium --cert=./megasecond.club.pem --key=./megasecond.club-key.pem
-#kubectl create secret tls photo-bigasterisk-com-tls --namespace=pomerium --cert=./photo.bigasterisk.com.pem --key=./photo.bigasterisk.com-key.pem
+kubectl apply -f kube/03-volumes.yaml
+kubectl apply -f kube/10-pomerium.yaml
+kubectl apply -f kube/20-deployment.yaml
\ No newline at end of file
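Review bot: The script applies 03-volumes, 10-pomerium and 20-deployment but never applies kube/60-auth-cert.yaml or the 51-* issuers, while 10-pomerium.yaml now lists `pomerium/pomerium-proxy-tls` under `certificates:` and its own comment says Pomerium will not start until that secret exists; on a fresh cluster this script therefore leaves Pomerium unable to start. Either add `kubectl apply -f kube/60-auth-cert.yaml` (with the issuers) ahead of 10-pomerium.yaml, or document the manual bootstrap order in a comment at the top of the script. As in the nginx script there is no `set -e`, so a failed `cd` or apply is silently followed by the next step. The commented-out `skaffold delete` lines are dead code, and the file lost its trailing newline.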