apiVersion: ingress.pomerium.io/v1

kind: Pomerium

metadata:

  name: global

spec:

  secrets: pomerium/bootstrap

  authenticate:

    url: https://authenticate.bigasterisk.com

  identityProvider:

    provider: oidc

    url: https://accounts.google.com

    scopes:

      - openid

      - email

      # adds name+locale to user details

      - profile

    secret: pomerium/idp

  # Note pom won't start up if this cert doesn't exist, so you have to run once

  # with it commented out, then after cert success, run again with it enabled.

  certificates: [pomerium/pomerium-proxy-tls]

apiVersion: apps/v1

kind: Deployment

metadata:

  labels: { app.kubernetes.io/name: pomerium }

  name: pomerium

  namespace: pomerium

spec:

  strategy: { type: RollingUpdate }

  selector:

    matchLabels: { app.kubernetes.io/name: pomerium }

  template:

    metadata:

      labels: { app.kubernetes.io/name: pomerium }

    spec:

      containers:

        - args:

            - all-in-one

            - --pomerium-config=global

            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy

            - --metrics-bind-address=$(POD_IP):9090

          env:

            - { name: TMPDIR, value: /tmp }

            - { name: XDG_CACHE_HOME, value: /tmp }

            - name: POMERIUM_NAMESPACE

              valueFrom:

                fieldRef:

                  apiVersion: v1

                  fieldPath: metadata.namespace

            - name: POD_IP

              valueFrom:

                fieldRef: