pomerium Changeset - 0071c165e990

Changeset - 0071c165e990

Parent rev.

Child rev.

[Not reviewed]

default

3 1 1

drewp@bigasterisk.com - 22 months ago 2022-12-13 07:18:39
drewp@bigasterisk.com

more file moves

4 files changed with 1 insertions and 67 deletions:

00-defs/02-roles.yaml

20-kube/20-pom-deploy.yaml

kube/05-idp-secret.yaml

kube/60-auth-cert.yaml

0 comments (0 inline, 0 general)

00-defs/02-roles.yaml

➞

Show inline comments

@@ file renamed from kube/02-roles.yaml to 00-defs/02-roles.yaml @@
@@ @@ -29,97 +29,97 @@ rules: @@
   - secrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ""
   resources:
   - services/status
   - secrets/status
   - endpoints/status
   verbs:
   - get
 - apiGroups:
   - networking.k8s.io
   resources:
   - ingresses
   - ingressclasses
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - networking.k8s.io
   resources:
   - ingresses/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
   - ingress.pomerium.io
   resources:
   - pomerium
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ingress.pomerium.io
   resources:
   - pomerium/status
   verbs:
   - get
   - update
   - patch
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
   - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-gen-secrets
 rules:
 - apiGroups:
   - ""
   resources:
   - secrets
   verbs:
   - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-controller
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: pomerium-controller
 subjects:
 - kind: ServiceAccount
   name: pomerium-controller
   namespace: pomerium
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-gen-secrets
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: pomerium-gen-secrets
 subjects:
 - kind: ServiceAccount
   name: pomerium-gen-secrets
   namespace: pomerium
@@ \ No newline at end of file @@
   namespace: pomerium

20-kube/20-pom-deploy.yaml

➞

Show inline comments

 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   namespace: pomerium
   name: autocert-data
 spec:
   storageClassName: ""
   volumeName: "autocert-data"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 5Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-metrics
   namespace: pomerium
 spec:
   ports:
     - { name: metrics, port: 9090, protocol: TCP, targetPort: metrics }
   selector: { app.kubernetes.io/name: pomerium }
   type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-proxy
   namespace: pomerium
 spec:
   ports:
     - { name: https, port: 443, protocol: TCP, targetPort: https }
     - { name: http, port: 80, protocol: TCP, targetPort: http }
   selector: { app.kubernetes.io/name: pomerium }
   type: LoadBalancer
   externalIPs:
   # prime forwards to this
     - 10.5.0.1
   # local dns picks this
     - 10.2.0.1
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels: { app.kubernetes.io/name: pomerium }
   name: pomerium
   namespace: pomerium
 spec:
   replicas: 1
   selector:
     matchLabels: { app.kubernetes.io/name: pomerium }
   template:
     metadata:
       labels: { app.kubernetes.io/name: pomerium }
     spec:
       containers:
         - args:
             - all-in-one
             - --pomerium-config=global
             - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
             - --metrics-bind-address=$(POD_IP):9090
           env:
             - { name: TMPDIR, value: /tmp }
             - { name: XDG_CACHE_HOME, value: /tmp }
             - name: POMERIUM_NAMESPACE
               valueFrom:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
             - name: POD_IP
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
           image: pomerium/ingress-controller:sha-5294279
           imagePullPolicy: IfNotPresent
           name: pomerium
           ports:
             - { containerPort: 8443, name: https, protocol: TCP }
             - { containerPort: 8080, name: http, protocol: TCP }
             - { containerPort: 9090, name: metrics, protocol: TCP }
           resources:
             limits: { cpu: 5000m, memory: 1Gi }
             requests: { cpu: 300m, memory: 200Mi }
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
             - { mountPath: /tmp, name: tmp }
             - { mountPath: /data/autocert, name: autocert }
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
       serviceAccountName: pomerium-controller
       terminationGracePeriodSeconds: 10
       volumes:
         - { name: tmp, emptyDir: {} }
         - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
                   - key: "kubernetes.io/hostname"
                     operator: In
                     values: ["bang"]
 ---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium
 spec:
   controller: pomerium.io/ingress-controller

kube/05-idp-secret.yaml

➞

Show inline comments

deleted file

kube/60-auth-cert.yaml

➞

Show inline comments

deleted file

0 comments (0 inline, 0 general)