pomerium Changeset - 6bf643829330

Changeset - 6bf643829330

Parent rev.

Child rev.

[Not reviewed]

default

0 0 14

drewp@bigasterisk.com - 2 years ago 2022-09-11 08:24:55
drewp@bigasterisk.com

start

9 files changed:

auth-cert.yaml

kube/00-namespace.yaml

kube/01-crd.yaml

259

kube/02-roles.yaml

125

kube/03-volumes.yaml

kube/04-gen-secrets-job.yaml

kube/05-idp-secret.yaml

kube/10-pomerium.yaml

kube/20-deployment.yaml

123

Changeset was too big and was cut off... Show full diff anyway

0 comments (0 inline, 0 general)

auth-cert.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: pomerium-proxy-tls
   namespace: pomerium
 spec:
   dnsNames:
   - 'authenticate.bigasterisk.com'
   issuerRef:
     kind: Issuer
     name: letsencrypt-prod
   secretName: pomerium-proxy-tls
@@ \ No newline at end of file @@

kube/00-namespace.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: v1
 kind: Namespace
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium

kube/01-crd.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.9.0
   creationTimestamp: null
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium.ingress.pomerium.io
 spec:
   group: ingress.pomerium.io
   names:
     kind: Pomerium
     listKind: PomeriumList
     plural: pomerium
     singular: pomerium
   scope: Cluster
   versions:
   - name: v1
     schema:
       openAPIV3Schema:
         description: Pomerium define runtime-configurable Pomerium settings that do
           not fall into the category of deployment parameters
         properties:
           apiVersion:
             description: 'APIVersion defines the versioned schema of this representation
               of an object. Servers should convert recognized schemas to the latest
               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
             type: string
           kind:
             description: 'Kind is a string value representing the REST resource this
               object represents. Servers may infer this from the endpoint the client
               submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
             type: string
           metadata:
             type: object
           spec:
             description: PomeriumSpec defines the desired state of Settings
             properties:
               authenticate:
                 description: Authenticate sets authenticate service parameters
                 properties:
                   callbackPath:
                     description: CallbackPath see https://www.pomerium.com/reference/#authenticate-callback-path
                     type: string
                   url:
                     description: AuthenticateURL should be publicly accessible URL
                       the non-authenticated persons would be referred to see https://www.pomerium.com/reference/#authenticate-service-url
                     format: uri
                     pattern: ^https://
                     type: string
                 required:
                 - url
                 type: object
               certificates:
                 description: Certificates is a list of secrets of type TLS to use
                 items:
                   type: string
                 type: array
               identityProvider:
                 description: IdentityProvider see https://www.pomerium.com/docs/identity-providers/
                 properties:
                   provider:
                     description: Provider one of accepted providers - see https://www.pomerium.com/reference/#identity-provider-name.
                     enum:
                     - auth0
                     - azure
                     - google
                     - okta
                     - onelogin
                     - oidc
                     - ping
                     - github
                     type: string
                   refreshDirectory:
                     description: RefreshDirectory defines IdP directory refresh options
                     properties:
                       interval:
                         description: interval is the time that pomerium will sync
                           your IDP directory.
                         format: duration
                         type: string
                       timeout:
                         description: timeout is the maximum time allowed each run.
                         format: duration
                         type: string
                     required:
                     - interval
                     - timeout
                     type: object
                   requestParams:
                     additionalProperties:
                       type: string
                     description: RequestParams see https://www.pomerium.com/reference/#identity-provider-request-params
                     type: object
                   requestParamsSecret:
                     description: RequestParamsSecret is a reference to a secret for
                       additional parameters you'd prefer not to provide in plaintext.
                     type: string
                   scopes:
                     description: Scopes see https://www.pomerium.com/reference/#identity-provider-scopes.
                     items:
                       type: string
                     type: array
                   secret:
                     description: Secret containing IdP provider specific parameters
                       and must contain at least client_id and client_secret values,
                       an optional `service_account` field, mapped to https://www.pomerium.com/reference/#identity-provider-service-account
                     minLength: 1
                     type: string
                   serviceAccountFromSecret:
                     description: ServiceAccountFromSecret is a convenience way to
                       build a value for `idp_service_account` from secret map values,
                       see https://www.pomerium.com/docs/identity-providers/
                     type: string
                   url:
                     description: URL is identity provider url, see https://www.pomerium.com/reference/#identity-provider-url.
                     format: uri
                     pattern: ^https://
                     type: string
                 required:
                 - provider
                 - secret
                 type: object
               secrets:
                 description: Secrets references a Secret that must have the following
                   keys - shared_secret - cookie_secret - signing_key
                 minLength: 1
                 type: string
               storage:
                 description: Storage defines persistent storage for sessions and other
                   data it will use in-memory if none specified see https://www.pomerium.com/docs/topics/data-storage
                 properties:
                   postgres:
                     description: Postgres specifies PostgreSQL database connection
                       parameters
                     properties:
                       caSecret:
                         description: CASecret should refer to a k8s secret with key
                           `ca.crt` containing CA certificate that, if specified, would
                           be used to populate `sslrootcert` parameter of the connection
                           string
                         minLength: 1
                         type: string
                       secret:
                         description: Secret specifies a name of a Secret that must
                           contain `connection` key for the connection DSN format and
                           parameters, see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
                           the following keywords are not allowed to be part of the
                           parameters, as they must be populated via `tlsCecret` and
                           `caSecret` fields
                         minLength: 1
                         type: string
                       tlsSecret:
                         description: TLSSecret should refer to a k8s secret of type
                           `kubernetes.io/tls` and allows to specify an optional client
                           certificate and key, by constructing `sslcert` and `sslkey`
                           connection string parameter values see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
                         minLength: 1
                         type: string
                     required:
                     - secret
                     type: object
                   redis:
                     description: Redis defines REDIS connection parameters
                     properties:
                       caSecret:
                         description: CASecret should refer to a k8s secret with key
                           `ca.crt` that must be a PEM-encoded certificate authority
                           to use when connecting to the databroker storage engine
                           see https://www.pomerium.com/docs/reference/data-broker-storage-certificate-authority
                         type: string
                       secret:
                         description: Secret specifies a name of a Secret that must
                           contain `connection` key. see https://www.pomerium.com/docs/reference/data-broker-storage-connection-string
                         minLength: 1
                         type: string
                       tlsSecret:
                         description: TLSSecret should refer to a k8s secret of type
                           `kubernetes.io/tls` and allows to specify an optional databroker
                           storage client certificate and key, see - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-file
                           - https://www.pomerium.com/docs/reference/data-broker-storage-certificate-key-file
                         minLength: 1
                         type: string
                       tlsSkipVerify:
                         description: TLSSkipVerify disables TLS certificate chain
                           validation see https://www.pomerium.com/docs/reference/data-broker-storage-tls-skip-verify
                         type: boolean
                     required:
                     - secret
                     type: object
                 type: object
             required:
             - authenticate
             - identityProvider
             - secrets
             type: object
           status:
             description: PomeriumStatus defines the observed state of Settings
             properties:
               ingress:
                 additionalProperties:
                   description: ResourceStatus represents the outcome of the latest
                     attempt to reconcile it with Pomerium.
                   properties:
                     error:
                       description: Error that prevented latest observedGeneration
                         to be synchronized with Pomerium.
                       type: string
                     observedAt:
                       description: ObservedAt is when last reconciliation attempt
                         was made.
                       format: date-time
                       type: string
                     observedGeneration:
                       description: ObservedGeneration represents the .metadata.generation
                         that was last presented to Pomerium.
                       format: int64
                       type: integer
                     reconciled:
                       description: Reconciled is whether this object generation was
                         successfully synced with pomerium.
                       type: boolean
                   required:
                   - reconciled
                   type: object
                 description: Routes provide per-Ingress status.
                 type: object
               settingsStatus:
                 description: settingsStatus represent most recent main configuration
                   reconciliation status.
                 properties:
                   error:
                     description: Error that prevented latest observedGeneration to
                       be synchronized with Pomerium.
                     type: string
                   observedAt:
                     description: ObservedAt is when last reconciliation attempt was
                       made.
                     format: date-time
                     type: string
                   observedGeneration:
                     description: ObservedGeneration represents the .metadata.generation
                       that was last presented to Pomerium.
                     format: int64
                     type: integer
                   reconciled:
                     description: Reconciled is whether this object generation was
                       successfully synced with pomerium.
                     type: boolean
                 required:
                 - reconciled
                 type: object
             type: object
         type: object
     served: true
     storage: true
     subresources:
       status: {}
@@ \ No newline at end of file @@

kube/02-roles.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-controller
   namespace: pomerium
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-gen-secrets
   namespace: pomerium
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-controller
 rules:
 - apiGroups:
   - ""
   resources:
   - services
   - endpoints
   - secrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ""
   resources:
   - services/status
   - secrets/status
   - endpoints/status
   verbs:
   - get
 - apiGroups:
   - networking.k8s.io
   resources:
   - ingresses
   - ingressclasses
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - networking.k8s.io
   resources:
   - ingresses/status
   verbs:
   - get
   - patch
   - update
 - apiGroups:
   - ingress.pomerium.io
   resources:
   - pomerium
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ingress.pomerium.io
   resources:
   - pomerium/status
   verbs:
   - get
   - update
   - patch
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
   - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-gen-secrets
 rules:
 - apiGroups:
   - ""
   resources:
   - secrets
   verbs:
   - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-controller
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: pomerium-controller
 subjects:
 - kind: ServiceAccount
   name: pomerium-controller
   namespace: pomerium
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-gen-secrets
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: pomerium-gen-secrets
 subjects:
 - kind: ServiceAccount
   name: pomerium-gen-secrets
   namespace: pomerium
@@ \ No newline at end of file @@

kube/03-volumes.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
   name: autocert-data
   labels:
     type: local
 spec:
   storageClassName: manual
   hostPath:
     path: "/opt/pomerium-autocert"
   capacity:
     storage: 5Gi
   accessModes:
     - ReadWriteOnce
   persistentVolumeReclaimPolicy: Retain
   claimRef:
     namespace: pomerium
     name: autocert-data

kube/04-gen-secrets-job.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-gen-secrets
   namespace: pomerium
 spec:
   template:
     metadata:
       labels:
         app.kubernetes.io/name: pomerium
       name: pomerium-gen-secrets
     spec:
       containers:
       - args:
         - gen-secrets
         - --secrets=$(POD_NAMESPACE)/bootstrap
         env:
         - name: POD_NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
         image: pomerium/ingress-controller:main
         imagePullPolicy: IfNotPresent
         name: gen-secrets
         securityContext:
           allowPrivilegeEscalation: false
       nodeSelector:
         kubernetes.io/os: linux
       restartPolicy: OnFailure
       securityContext:
         fsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
       serviceAccountName: pomerium-gen-secrets

kube/05-idp-secret.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: v1
 kind: Secret
 metadata:
   name: idp
   namespace: pomerium
 type: Opaque
 stringData:
@@ \ No newline at end of file @@

kube/10-pomerium.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: ingress.pomerium.io/v1
 kind: Pomerium
 metadata:
   name: global
 spec:
   secrets: pomerium/bootstrap
   authenticate:
     url: https://authenticate.bigasterisk.com
   identityProvider:
     provider: google
     secret: pomerium/idp
     refreshDirectory:
       interval: "10h"
       timeout: "10s"
   certificates:
     - pomerium/pomerium-proxy-tls

kube/20-deployment.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   namespace: pomerium
   name: autocert-data
 spec:
   storageClassName: ""
   volumeName: "autocert-data"
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
       storage: 5Gi
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-metrics
   namespace: pomerium
 spec:
   ports:
     - { name: metrics, port: 9090, protocol: TCP, targetPort: metrics }
   selector: { app.kubernetes.io/name: pomerium }
   type: ClusterIP
 ---
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium-proxy
   namespace: pomerium
 spec:
   ports:
     - { name: https, port: 443, protocol: TCP, targetPort: https }
     - { name: http, port: 80, protocol: TCP, targetPort: http }
   selector: { app.kubernetes.io/name: pomerium }
   type: LoadBalancer
   externalIPs:
   # prime forwards to this
     - 10.5.0.1
   # local dns picks this
     - 10.2.0.1
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels: { app.kubernetes.io/name: pomerium }
   name: pomerium
   namespace: pomerium
 spec:
   replicas: 1
   selector:
     matchLabels: { app.kubernetes.io/name: pomerium }
   template:
     metadata:
       labels: { app.kubernetes.io/name: pomerium }
     spec:
       containers:
         - args:
             - all-in-one
             - --pomerium-config=global
             - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
             - --metrics-bind-address=$(POD_IP):9090
           env:
             - { name: TMPDIR, value: /tmp }
             - { name: XDG_CACHE_HOME, value: /tmp }
             - name: POMERIUM_NAMESPACE
               valueFrom:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
             - name: POD_IP
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
           image: pomerium/ingress-controller:sha-5294279
           imagePullPolicy: IfNotPresent
           name: pomerium
           ports:
             - { containerPort: 8443, name: https, protocol: TCP }
             - { containerPort: 8080, name: http, protocol: TCP }
             - { containerPort: 9090, name: metrics, protocol: TCP }
           resources:
             limits: { cpu: 5000m, memory: 1Gi }
             requests: { cpu: 300m, memory: 200Mi }
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
             - { mountPath: /tmp, name: tmp }
             - { mountPath: /data/autocert, name: autocert }
       nodeSelector:
         kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
       serviceAccountName: pomerium-controller
       terminationGracePeriodSeconds: 10
       volumes:
         - { name: tmp, emptyDir: {} }
         - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
                   - key: "kubernetes.io/hostname"
                     operator: In
                     values: ["bang"]
 ---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
   labels:
     app.kubernetes.io/name: pomerium
   name: pomerium
 spec:
   controller: pomerium.io/ingress-controller

Changeset was too big and was cut off... Show full diff anyway

0 comments (0 inline, 0 general)