diff --git a/upstream/pomerium-ingress-controller.yaml b/upstream/pomerium-ingress-controller.yaml
new file mode 100644
--- /dev/null
+++ b/upstream/pomerium-ingress-controller.yaml
@@ -0,0 +1,671 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.9.0
+ creationTimestamp: null
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium.ingress.pomerium.io
+spec:
+ group: ingress.pomerium.io
+ names:
+ kind: Pomerium
+ listKind: PomeriumList
+ plural: pomerium
+ singular: pomerium
+ scope: Cluster
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: Pomerium define runtime-configurable Pomerium settings that do
+ not fall into the category of deployment parameters
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: PomeriumSpec defines Pomerium-specific configuration parameters.
+ properties:
+ authenticate:
+ description: Authenticate sets authenticate service parameters. If
+ not specified, a Pomerium-hosted authenticate service would be used.
+ properties:
+ callbackPath:
+ description: "CallbackPath sets the path at which the authenticate
+ service receives callback responses from your identity provider.
+ The value must exactly match one of the authorized redirect
+ URIs for the OAuth 2.0 client. \n
This value is referred + to as the redirect_url in the OpenIDConnect and OAuth2 specs.
+Defaults to /oauth2/callback
Ingress
for this virtual
+ route, as it is handled by Pomerium internally. certificates
.
+ If you use cert-manager
with HTTP01
+ challenge, you may use pomerium
ingressClass
+ to solve it.ca.crt
+ containing a CA certificate.
+ items:
+ type: string
+ type: array
+ certificates:
+ description: Certificates is a list of secrets of type TLS to use
+ format: namespace/name
+ items:
+ type: string
+ type: array
+ cookie:
+ description: Cookie defines Pomerium session cookie options.
+ properties:
+ domain:
+ description: Domain defaults to the same host that set the cookie.
+ If you specify the domain explicitly, then subdomains would
+ also be included.
+ type: string
+ expire:
+ description: Expire sets cookie and Pomerium session expiration
+ time. Once session expires, users would have to re-login. If
+ you change this parameter, existing sessions are not affected.
+ See Session
+ Management (Enterprise) for a more fine-grained session
+ controls.
Defaults to 14 hours.
+ format: duration
+ type: string
+ httpOnly:
+ description: HTTPOnly if set tofalse
, the cookie
+ would be accessible from within the JavaScript. Defaults to
+ true
.
+ type: boolean
+ name:
+ description: Name sets the Pomerium session cookie name. Defaults
+ to _pomerium
+ type: string
+ sameSite:
+ description: SameSite sets the SameSite option for cookies. Defaults
+ to
.
+ type: string
+ secure:
+ description: Secure if set to false, would make a cookie accessible
+ over insecure protocols (HTTP). Defaults to true
.
+ type: boolean
+ type: object
+ identityProvider:
+ description: IdentityProvider configure single-sign-on authentication
+ and user identity details by integrating with your Identity
+ Provider
+ properties:
+ provider:
+ description: Provider is the short-hand name of a built-in OpenID
+ Connect (oidc) identity provider to be used for authentication.
+ To use a generic provider, set to oidc
.
+ enum:
+ - auth0
+ - azure
+ - github
+ - gitlab
+ - google
+ - oidc
+ - okta
+ - onelogin
+ - ping
+ type: string
+ refreshDirectory:
+ description: RefreshDirectory is no longer supported, please see
+ Upgrade
+ Guide.
+ properties:
+ interval:
+ description: interval is the time that pomerium will sync
+ your IDP directory.
+ format: duration
+ type: string
+ timeout:
+ description: timeout is the maximum time allowed each run.
+ format: duration
+ type: string
+ required:
+ - interval
+ - timeout
+ type: object
+ requestParams:
+ additionalProperties:
+ type: string
+ description: RequestParams to be added as part of a sign-in request
+ using OAuth2 code flow.
+ format: namespace/name
+ type: object
+ requestParamsSecret:
+ description: RequestParamsSecret is a reference to a secret for
+ additional parameters you'd prefer not to provide in plaintext.
+ format: namespace/name
+ type: string
+ scopes:
+ description: Scopes Identity provider scopes correspond to access
+ privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
+ items:
+ type: string
+ type: array
+ secret:
+ description: Secret containing IdP provider specific parameters.
+ and must contain at least client_id
and client_secret
+ values.
+ format: namespace/name
+ minLength: 1
+ type: string
+ serviceAccountFromSecret:
+ description: ServiceAccountFromSecret is no longer supported,
+ see Upgrade
+ Guide.
+ type: string
+ url:
+ description: URL is the base path to an identity provider's OpenID
+ connect discovery document. See Identity
+ Providers guides for details.
+ format: uri
+ pattern: ^https://
+ type: string
+ required:
+ - provider
+ - secret
+ type: object
+ jwtClaimHeaders:
+ additionalProperties:
+ type: string
+ description: JWTClaimHeaders convert claims from the assertion token
+ into HTTP headers and adds them into JWT assertion header. Please
+ make sure to read
+ Getting User Identity guide.
+ type: object
+ programmaticRedirectDomains:
+ description: ProgrammaticRedirectDomains specifies a list of domains
+ that can be used for programmatic
+ redirects.
+ items:
+ type: string
+ type: array
+ secrets:
+ description: "Secrets references a Secret with Pomerium bootstrap
+ parameters. \n
shared_secret
+ - secures inter-Pomerium service communications. cookie_secret
+ - encrypts Pomerium session browser cookie. See also other Cookie
+ parameters. signing_key
+ signs Pomerium JWT assertion header. See Getting
+ the user's identity guide. In a default
+ Pomerium installation manifest, they would be generated via a one-time
+ job and stored in a pomerium/bootstrap
Secret.
+ You may re-run the job to rotate the secrets, or update the Secret
+ values manually.
ca.crt
containing CA certificate that, if specified,
+ would be used to populate sslrootcert
parameter
+ of the connection string.
+ format: namespace/name
+ minLength: 1
+ type: string
+ secret:
+ description: Secret specifies a name of a Secret that must
+ contain connection
key. See DSN
+ Format and Parameters. Do not set sslrootcert
,
+ sslcert
and sslkey
via connection
+ string, use tlsSecret
and caSecret
+ CRD options instead.
+ format: namespace/name
+ minLength: 1
+ type: string
+ tlsSecret:
+ description: TLSSecret should refer to a k8s secret of type
+ kubernetes.io/tls
and allows to specify an
+ optional client certificate and key, by constructing sslcert
+ and sslkey
connection string
+ parameter values.
+ format: namespace/name
+ minLength: 1
+ type: string
+ required:
+ - secret
+ type: object
+ redis:
+ description: Redis defines REDIS connection parameters
+ properties:
+ caSecret:
+ description: CASecret should refer to a k8s secret with key
+ ca.crt
that must be a PEM-encoded certificate
+ authority to use when connecting to the databroker storage
+ engine.
+ format: namespace/name
+ type: string
+ secret:
+ description: Secret specifies a name of a Secret that must
+ contain connection
key.
+ format: namespace/name
+ minLength: 1
+ type: string
+ tlsSecret:
+ description: TLSSecret should refer to a k8s secret of type
+ kubernetes.io/tls
that would be used to perform
+ TLS connection to REDIS.
+ format: namespace/name
+ minLength: 1
+ type: string
+ tlsSkipVerify:
+ description: TLSSkipVerify disables TLS certificate chain
+ validation.
+ type: boolean
+ required:
+ - secret
+ type: object
+ type: object
+ required:
+ - secrets
+ type: object
+ status:
+ description: PomeriumStatus represents configuration and Ingress status.
+ properties:
+ ingress:
+ additionalProperties:
+ description: ResourceStatus represents the outcome of the latest
+ attempt to reconcile relevant Kubernetes resource with Pomerium.
+ properties:
+ error:
+ description: Error that prevented latest observedGeneration
+ to be synchronized with Pomerium.
+ type: string
+ observedAt:
+ description: ObservedAt is when last reconciliation attempt
+ was made.
+ format: date-time
+ type: string
+ observedGeneration:
+ description: ObservedGeneration represents the .metadata.generation
+ that was last presented to Pomerium.
+ format: int64
+ type: integer
+ reconciled:
+ description: Reconciled is whether this object generation was
+ successfully synced with pomerium.
+ type: boolean
+ warnings:
+ description: Warnings while parsing the resource.
+ items:
+ type: string
+ type: array
+ required:
+ - reconciled
+ type: object
+ description: Routes provide per-Ingress status.
+ type: object
+ settingsStatus:
+ description: SettingsStatus represent most recent main configuration
+ reconciliation status.
+ properties:
+ error:
+ description: Error that prevented latest observedGeneration to
+ be synchronized with Pomerium.
+ type: string
+ observedAt:
+ description: ObservedAt is when last reconciliation attempt was
+ made.
+ format: date-time
+ type: string
+ observedGeneration:
+ description: ObservedGeneration represents the .metadata.generation
+ that was last presented to Pomerium.
+ format: int64
+ type: integer
+ reconciled:
+ description: Reconciled is whether this object generation was
+ successfully synced with pomerium.
+ type: boolean
+ warnings:
+ description: Warnings while parsing the resource.
+ items:
+ type: string
+ type: array
+ required:
+ - reconciled
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-controller
+ namespace: pomerium
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-gen-secrets
+ namespace: pomerium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ - endpoints
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services/status
+ - secrets/status
+ - endpoints/status
+ verbs:
+ - get
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ - ingressclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ingress.pomerium.io
+ resources:
+ - pomerium
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ingress.pomerium.io
+ resources:
+ - pomerium/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-gen-secrets
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: pomerium-controller
+subjects:
+- kind: ServiceAccount
+ name: pomerium-controller
+ namespace: pomerium
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-gen-secrets
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: pomerium-gen-secrets
+subjects:
+- kind: ServiceAccount
+ name: pomerium-gen-secrets
+ namespace: pomerium
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-metrics
+ namespace: pomerium
+spec:
+ ports:
+ - name: metrics
+ port: 9090
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app.kubernetes.io/name: pomerium
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-proxy
+ namespace: pomerium
+spec:
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ selector:
+ app.kubernetes.io/name: pomerium
+ type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium
+ namespace: pomerium
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: pomerium
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ spec:
+ containers:
+ - args:
+ - all-in-one
+ - --pomerium-config=global
+ - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
+ - --metrics-bind-address=$(POD_IP):9090
+ env:
+ - name: TMPDIR
+ value: /tmp
+ - name: XDG_CACHE_HOME
+ value: /tmp
+ - name: POMERIUM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ image: pomerium/ingress-controller:main
+ imagePullPolicy: Always
+ name: pomerium
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ - containerPort: 9090
+ name: metrics
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 5000m
+ memory: 1Gi
+ requests:
+ cpu: 300m
+ memory: 200Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: pomerium-controller
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - emptyDir: {}
+ name: tmp
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-gen-secrets
+ namespace: pomerium
+spec:
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium-gen-secrets
+ spec:
+ containers:
+ - args:
+ - gen-secrets
+ - --secrets=$(POD_NAMESPACE)/bootstrap
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: pomerium/ingress-controller:main
+ imagePullPolicy: IfNotPresent
+ name: gen-secrets
+ securityContext:
+ allowPrivilegeEscalation: false
+ nodeSelector:
+ kubernetes.io/os: linux
+ restartPolicy: OnFailure
+ securityContext:
+ fsGroup: 1000
+ runAsNonRoot: true
+ runAsUser: 1000
+ serviceAccountName: pomerium-gen-secrets
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+ labels:
+ app.kubernetes.io/name: pomerium
+ name: pomerium
+spec:
+ controller: pomerium.io/ingress-controller
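Review bot: Both containers run `image: pomerium/ingress-controller:main`, a mutable branch tag, so what gets deployed is whatever was last pushed to `main` rather than a reviewed release, and because the Deployment pulls with `Always` while the Job uses `IfNotPresent`, the secret generator and the controller can end up running different builds of the same tag. Pin both to a release tag or digest, e.g. `image: pomerium/ingress-controller:<PINNED_VERSION>` (or `pomerium/ingress-controller@sha256:<DIGEST_PLACEHOLDER>`), and give both containers the same pull policy. Separately, the `pomerium-gen-secrets` ClusterRole grants `create` on Secrets in every namespace while its Job only ever writes `$(POD_NAMESPACE)/bootstrap`; a namespaced Role and RoleBinding in `pomerium` give the Job the same capability with a much smaller blast radius, as sketched below. The `pomerium-controller` ClusterRole's cluster-wide get/list/watch on Secrets is inherent to serving TLS Secrets referenced from Ingresses in any namespace, but a comment on that rule such as `# controller reads TLS Secrets referenced by Ingresses in any namespace` would make the extended trust explicit to operators.
```yaml
# … unchanged: Namespace, CRD, ServiceAccounts, pomerium-controller ClusterRole and binding …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
rules:
  # The gen-secrets Job only writes $(POD_NAMESPACE)/bootstrap, so a
  # namespaced Role is sufficient; no cluster-wide Secret creation.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/name: pomerium
  name: pomerium-gen-secrets
  namespace: pomerium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pomerium-gen-secrets
subjects:
  - kind: ServiceAccount
    name: pomerium-gen-secrets
    namespace: pomerium
# … unchanged: Services, Deployment, Job, IngressClass …
```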