Location: pomerium/kube/20-deployment.yaml - annotation
Fuss with the namespace and related settings to get it working; forward everything (over HTTP) to nginx at first.
---
# Storage for pomerium's autocert state; the pomerium Deployment in this file
# mounts this claim at /data/autocert.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: autocert-data
  namespace: pomerium
spec:
  # An empty storageClassName switches dynamic provisioning off; together with
  # volumeName this binds the claim to the existing PV called "autocert-data".
  storageClassName: ""
  volumeName: "autocert-data"
  # ReadWriteOnce is enough: the Deployment runs a single replica.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
# Cluster-internal Service for the Prometheus metrics endpoint.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-metrics
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  # ClusterIP only: metrics are never reachable from outside the cluster.
  type: ClusterIP
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    # targetPort refers to the "metrics" named container port of the pod.
    - name: metrics
      port: 9090
      protocol: TCP
      targetPort: metrics
---
# Externally reachable Service in front of the pomerium proxy.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-proxy
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
    # Plain HTTP is exposed deliberately for now (see the commit message);
    # it lands on pomerium's "http" named container port.
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  # externalIPs makes every node accept traffic for these addresses. Any Service
  # may claim arbitrary IPs through this field, which is known to be abusable
  # for traffic interception if untrusted users can create Services, so keep
  # Service creation (or this field) restricted by an admission policy.
  externalIPs:
    # prime forwards to this
    - 10.5.0.1
    # local dns picks this
    - 10.2.0.1
---
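# The pomerium ingress controller plus proxy, run as a single "all-in-one" pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  # Single replica: the autocert PVC is ReadWriteOnce.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      securityContext:
        runAsNonRoot: true
      containers:
        - name: pomerium
          # Pinned to a build tag. Tags are mutable; for a reproducible,
          # tamper-evident deployment pin by digest instead, e.g.
          # pomerium/ingress-controller@sha256:<DIGEST-PLACEHOLDER>
          image: pomerium/ingress-controller:sha-5294279
          imagePullPolicy: IfNotPresent
          args:
            - all-in-one
            - --pomerium-config=global
            # $(VAR) references are expanded by Kubernetes from the env list below.
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
          env:
            # The root filesystem is read-only, so temp and cache dirs point at
            # the writable "tmp" emptyDir mounted at /tmp.
            - name: TMPDIR
              value: /tmp
            - name: XDG_CACHE_HOME
              value: /tmp
            - name: POMERIUM_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          # NOTE(review): no readiness/liveness probes are defined; the Service
          # will route to the pod as soon as the container starts.
          resources:
            requests:
              cpu: 300m
              memory: 200Mi
            limits:
              cpu: 5000m
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            # Every listening port is unprivileged (>1024) and the process runs
            # as uid 1000, so no Linux capabilities are required: drop them all
            # and use the runtime's default seccomp profile, which is what the
            # Pod Security "restricted" profile expects of an ingress proxy.
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: autocert
              mountPath: /data/autocert
      volumes:
        - name: tmp
          emptyDir: {}
        - name: autocert
          persistentVolumeClaim:
            claimName: autocert-data
      nodeSelector:
        kubernetes.io/os: linux
      # Pins the pod to one node — presumably the node that backs the
      # pre-provisioned autocert PV; confirm against the PV definition.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: "kubernetes.io/hostname"
                    operator: In
                    values: ["bang"]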
---
# Cluster-scoped registration of pomerium as an IngressClass; Ingress objects
# opt in with spec.ingressClassName: pomerium.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  controller: pomerium.io/ingress-controller