pomerium Changeset - 9d3a9e524ad3

Changeset - 9d3a9e524ad3

Parent rev.

Child rev.

[Not reviewed]

default

0 5 2

drewp@bigasterisk.com - 2 years ago 2022-09-14 05:32:50
drewp@bigasterisk.com

fuss with ns and stuff to get it working. forward all (over http) to nginx at first

7 files changed with 51 insertions and 14 deletions:

ingress-default.yaml

kube/10-pomerium.yaml

kube/51-pomerium-production-issuer.yaml

kube/51-pomerium-staging-issuer.yaml

kube/60-auth-cert.yaml

switch_to_nginx.sh

switch_to_pomerium.sh

0 comments (0 inline, 0 general)

ingress-default.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: default
   annotations:
     cert-manager.io/issuer: letsencrypt-prod
     ingress.pomerium.io/allow_public_unauthenticated_access: "true"
     ingress.pomerium.io/pass_identity_headers: "true"
     ingress.pomerium.io/preserve_host_header: "true"
 spec:
   ingressClassName: pomerium
   rules:
     - host: "bigasterisk.com"
       http:
         paths:
           - { pathType: Prefix, path: /, backend: { service: { name: nginx, port: { number: 11444 } } } }
   tls:
     - hosts: [bigasterisk.com]
       secretName: bigasterisk.com-tls

kube/10-pomerium.yaml

➞

Show inline comments

@@ @@ -9,8 +9,9 @@ spec: @@
   identityProvider:
     provider: google
     secret: pomerium/idp
     refreshDirectory:
       interval: "10h"
       timeout: "10s"
   certificates:
     - pomerium/pomerium-proxy-tls
   # Note pom won't start up if this cert doesn't exist, so you have to run once
   # with it commented out, then after cert success, run again with it enabled.
   certificates: [pomerium/pomerium-proxy-tls]

kube/51-pomerium-production-issuer.yaml

➞

Show inline comments

 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: letsencrypt-prod
-  namespace: pomerium
+  namespace: default
 spec:
   acme:
     # The ACME server URL
     server: https://acme-v02.api.letsencrypt.org/directory
     # Email address used for ACME registration
     email: drewp@bigasterisk.com
     # Name of a secret used to store the ACME account private key
     privateKeySecretRef:
       name: letsencrypt-prod
     # Enable the HTTP-01 challenge provider
     solvers:
     - http01:
         ingress:
           class: pomerium
       - http01:
           ingress:
             class: pomerium

kube/51-pomerium-staging-issuer.yaml

➞

Show inline comments

 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
   name: letsencrypt-staging
-  namespace: pomerium
+  namespace: default
 spec:
   acme:
     # The ACME server URL
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     # Email address used for ACME registration
     email: drewp@bigasterisk.com
@@ @@ -13,7 +13,7 @@ spec: @@
     privateKeySecretRef:
       name: letsencrypt-staging
     # Enable the HTTP-01 challenge provider
     solvers:
       - http01:
           ingress:
             class:  pomerium
@@ \ No newline at end of file @@
             class: pomerium

kube/60-auth-cert.yaml

➞

Show inline comments

@@ new file 100644 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: pomerium-proxy-tls
   namespace: pomerium
 spec:
   dnsNames:
   - 'authenticate.bigasterisk.com'
   issuerRef:
     kind: Issuer
     name: letsencrypt-prod
   secretName: pomerium-proxy-tls
@@ \ No newline at end of file @@

switch_to_nginx.sh

➞

Show inline comments

 #!/bin/zsh
 cd /my/serv/pomerium
 kubectl delete -f kube
 # not all this, since it includes Certs and also the ns and CRD for the Certs
 kubectl delete -f kube/10-pomerium.yaml
 kubectl delete -f kube/20-deployment.yaml
 kubectl delete -f kube/03-volumes.yaml
 cd /my/serv/nginx
 /my/proj/release/env/bin/invoke run

switch_to_pomerium.sh

➞

Show inline comments

 #!/bin/zsh
 cd /my/serv/nginx
 skaffold delete -f wrapped_skaffold.yaml
 #cd /my/serv/nginx
 #skaffold delete -f wrapped_skaffold.yaml
 cd /my/serv/pomerium
 kubectl apply -f kube/
 #kubectl create secret tls megasecond-club-tls --namespace=pomerium --cert=./megasecond.club.pem --key=./megasecond.club-key.pem
 #kubectl create secret tls photo-bigasterisk-com-tls --namespace=pomerium --cert=./photo.bigasterisk.com.pem --key=./photo.bigasterisk.com-key.pem
 kubectl apply -f kube/03-volumes.yaml
 kubectl apply -f kube/10-pomerium.yaml
 kubectl apply -f kube/20-deployment.yaml
@@ \ No newline at end of file @@

0 comments (0 inline, 0 general)