diff --git a/upstream/pomerium-ingress-controller.yaml b/upstream/pomerium-ingress-controller.yaml new file mode 100644 --- /dev/null +++ b/upstream/pomerium-ingress-controller.yaml 
@@ -0,0 +1,671 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.9.0 + creationTimestamp: null + labels: + app.kubernetes.io/name: pomerium + name: pomerium.ingress.pomerium.io +spec: + group: ingress.pomerium.io + names: + kind: Pomerium + listKind: PomeriumList + plural: pomerium + singular: pomerium + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Pomerium define runtime-configurable Pomerium settings that do + not fall into the category of deployment parameters + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PomeriumSpec defines Pomerium-specific configuration parameters. + properties: + authenticate: + description: Authenticate sets authenticate service parameters. If + not specified, a Pomerium-hosted authenticate service would be used. + properties: + callbackPath: + description: "CallbackPath sets the path at which the authenticate + service receives callback responses from your identity provider. + The value must exactly match one of the authorized redirect + URIs for the OAuth 2.0 client. \n

This value is referred + to as the redirect_url in the OpenIDConnect and OAuth2 specs.

+

Defaults to /oauth2/callback

" + type: string + url: + description: "AuthenticateURL is a dedicated domain URL the non-authenticated + persons would be referred to. \n

" + format: uri + pattern: ^https:// + type: string + required: + - url + type: object + caSecrets: + description: CASecret should refer to k8s secrets with key ca.crt + containing a CA certificate. + items: + type: string + type: array + certificates: + description: Certificates is a list of secrets of type TLS to use + format: namespace/name + items: + type: string + type: array + cookie: + description: Cookie defines Pomerium session cookie options. + properties: + domain: + description: Domain defaults to the same host that set the cookie. + If you specify the domain explicitly, then subdomains would + also be included. + type: string + expire: + description: Expire sets cookie and Pomerium session expiration + time. Once session expires, users would have to re-login. If + you change this parameter, existing sessions are not affected. +

See Session + Management (Enterprise) for a more fine-grained session + controls.

Defaults to 14 hours.

+ format: duration + type: string + httpOnly: + description: HTTPOnly if set to false, the cookie + would be accessible from within the JavaScript. Defaults to + true. + type: boolean + name: + description: Name sets the Pomerium session cookie name. Defaults + to _pomerium + type: string + sameSite: + description: SameSite sets the SameSite option for cookies. Defaults + to . + type: string + secure: + description: Secure if set to false, would make a cookie accessible + over insecure protocols (HTTP). Defaults to true. + type: boolean + type: object + identityProvider: + description: IdentityProvider configure single-sign-on authentication + and user identity details by integrating with your Identity + Provider + properties: + provider: + description: Provider is the short-hand name of a built-in OpenID + Connect (oidc) identity provider to be used for authentication. + To use a generic provider, set to oidc. + enum: + - auth0 + - azure + - github + - gitlab + - google + - oidc + - okta + - onelogin + - ping + type: string + refreshDirectory: + description: RefreshDirectory is no longer supported, please see + Upgrade + Guide. + properties: + interval: + description: interval is the time that pomerium will sync + your IDP directory. + format: duration + type: string + timeout: + description: timeout is the maximum time allowed each run. + format: duration + type: string + required: + - interval + - timeout + type: object + requestParams: + additionalProperties: + type: string + description: RequestParams to be added as part of a sign-in request + using OAuth2 code flow. + format: namespace/name + type: object + requestParamsSecret: + description: RequestParamsSecret is a reference to a secret for + additional parameters you'd prefer not to provide in plaintext. + format: namespace/name + type: string + scopes: + description: Scopes Identity provider scopes correspond to access + privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749. 
+ items: + type: string + type: array + secret: + description: Secret containing IdP provider specific parameters. + and must contain at least client_id and client_secret + values. + format: namespace/name + minLength: 1 + type: string + serviceAccountFromSecret: + description: ServiceAccountFromSecret is no longer supported, + see Upgrade + Guide. + type: string + url: + description: URL is the base path to an identity provider's OpenID + connect discovery document. See Identity + Providers guides for details. + format: uri + pattern: ^https:// + type: string + required: + - provider + - secret + type: object + jwtClaimHeaders: + additionalProperties: + type: string + description: JWTClaimHeaders convert claims from the assertion token + into HTTP headers and adds them into JWT assertion header. Please + make sure to read + Getting User Identity guide. + type: object + programmaticRedirectDomains: + description: ProgrammaticRedirectDomains specifies a list of domains + that can be used for programmatic + redirects. + items: + type: string + type: array + secrets: + description: "Secrets references a Secret with Pomerium bootstrap + parameters. \n

In a default + Pomerium installation manifest, they would be generated via a one-time + job and stored in a pomerium/bootstrap Secret. + You may re-run the job to rotate the secrets, or update the Secret + values manually.

" + format: namespace/name + minLength: 1 + type: string + setResponseHeaders: + additionalProperties: + type: string + description: SetResponseHeaders specifies a mapping of HTTP Header + to be added globally to all managed routes and pomerium's authenticate + service. See Set + Response Headers + type: object + storage: + description: Storage defines persistent storage for sessions and other + data. See Storage + for details. If no storage is specified, Pomerium would use a transient + in-memory storage (not recommended for production). + properties: + postgres: + description: Postgres specifies PostgreSQL database connection + parameters + properties: + caSecret: + description: CASecret should refer to a k8s secret with key + ca.crt containing CA certificate that, if specified, + would be used to populate sslrootcert parameter + of the connection string. + format: namespace/name + minLength: 1 + type: string + secret: + description: Secret specifies a name of a Secret that must + contain connection key. See DSN + Format and Parameters. Do not set sslrootcert, + sslcert and sslkey via connection + string, use tlsSecret and caSecret + CRD options instead. + format: namespace/name + minLength: 1 + type: string + tlsSecret: + description: TLSSecret should refer to a k8s secret of type + kubernetes.io/tls and allows to specify an + optional client certificate and key, by constructing sslcert + and sslkey connection string + parameter values. + format: namespace/name + minLength: 1 + type: string + required: + - secret + type: object + redis: + description: Redis defines REDIS connection parameters + properties: + caSecret: + description: CASecret should refer to a k8s secret with key + ca.crt that must be a PEM-encoded certificate + authority to use when connecting to the databroker storage + engine. + format: namespace/name + type: string + secret: + description: Secret specifies a name of a Secret that must + contain connection key. 
+ format: namespace/name + minLength: 1 + type: string + tlsSecret: + description: TLSSecret should refer to a k8s secret of type + kubernetes.io/tls that would be used to perform + TLS connection to REDIS. + format: namespace/name + minLength: 1 + type: string + tlsSkipVerify: + description: TLSSkipVerify disables TLS certificate chain + validation. + type: boolean + required: + - secret + type: object + type: object + required: + - secrets + type: object + status: + description: PomeriumStatus represents configuration and Ingress status. + properties: + ingress: + additionalProperties: + description: ResourceStatus represents the outcome of the latest + attempt to reconcile relevant Kubernetes resource with Pomerium. + properties: + error: + description: Error that prevented latest observedGeneration + to be synchronized with Pomerium. + type: string + observedAt: + description: ObservedAt is when last reconciliation attempt + was made. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that was last presented to Pomerium. + format: int64 + type: integer + reconciled: + description: Reconciled is whether this object generation was + successfully synced with pomerium. + type: boolean + warnings: + description: Warnings while parsing the resource. + items: + type: string + type: array + required: + - reconciled + type: object + description: Routes provide per-Ingress status. + type: object + settingsStatus: + description: SettingsStatus represent most recent main configuration + reconciliation status. + properties: + error: + description: Error that prevented latest observedGeneration to + be synchronized with Pomerium. + type: string + observedAt: + description: ObservedAt is when last reconciliation attempt was + made. + format: date-time + type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that was last presented to Pomerium. 
+ format: int64 + type: integer + reconciled: + description: Reconciled is whether this object generation was + successfully synced with pomerium. + type: boolean + warnings: + description: Warnings while parsing the resource. + items: + type: string + type: array + required: + - reconciled + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-controller + namespace: pomerium +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-gen-secrets + namespace: pomerium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-controller +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + - secrets/status + - endpoints/status + verbs: + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - ingress.pomerium.io + resources: + - pomerium + verbs: + - get + - list + - watch +- apiGroups: + - ingress.pomerium.io + resources: + - pomerium/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-gen-secrets +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-controller +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: pomerium-controller +subjects: +- kind: ServiceAccount + name: pomerium-controller + namespace: pomerium +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-gen-secrets +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pomerium-gen-secrets +subjects: +- kind: ServiceAccount + name: pomerium-gen-secrets + namespace: pomerium +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-metrics + namespace: pomerium +spec: + ports: + - name: metrics + port: 9090 + protocol: TCP + targetPort: metrics + selector: + app.kubernetes.io/name: pomerium + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-proxy + namespace: pomerium +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: pomerium + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium + namespace: pomerium +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: pomerium + template: + metadata: + labels: + app.kubernetes.io/name: pomerium + spec: + containers: + - args: + - all-in-one + - --pomerium-config=global + - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy + - --metrics-bind-address=$(POD_IP):9090 + env: + - name: TMPDIR + value: /tmp + - name: XDG_CACHE_HOME + value: /tmp + - name: POMERIUM_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: pomerium/ingress-controller:main + imagePullPolicy: Always + name: pomerium + ports: + - containerPort: 8443 + name: https + 
protocol: TCP + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 9090 + name: metrics + protocol: TCP + resources: + limits: + cpu: 5000m + memory: 1Gi + requests: + cpu: 300m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - mountPath: /tmp + name: tmp + nodeSelector: + kubernetes.io/os: linux + securityContext: + runAsNonRoot: true + serviceAccountName: pomerium-controller + terminationGracePeriodSeconds: 10 + volumes: + - emptyDir: {} + name: tmp +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-gen-secrets + namespace: pomerium +spec: + template: + metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium-gen-secrets + spec: + containers: + - args: + - gen-secrets + - --secrets=$(POD_NAMESPACE)/bootstrap + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: pomerium/ingress-controller:main + imagePullPolicy: IfNotPresent + name: gen-secrets + securityContext: + allowPrivilegeEscalation: false + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + securityContext: + fsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + serviceAccountName: pomerium-gen-secrets +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/name: pomerium + name: pomerium +spec: + controller: pomerium.io/ingress-controller
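Review bot: Both containers pull `pomerium/ingress-controller:main`, a mutable branch tag, and the Deployment's `imagePullPolicy: Always` means every pod restart fetches whatever that tag currently resolves to, so the controller that is granted cluster-wide get/list/watch on Secrets is not reproducibly pinned. Pin the image to a release tag plus digest in both the Deployment and the gen-secrets Job, e.g. `image: pomerium/ingress-controller:<RELEASE_TAG>@sha256:<DIGEST>` (placeholder values), and consider `imagePullPolicy: IfNotPresent` once a digest is used. The container securityContexts are otherwise reasonably tight, but neither drops Linux capabilities (`capabilities: {drop: ["ALL"]}` under each container's securityContext), and the gen-secrets Job container lacks the `readOnlyRootFilesystem: true` that the Deployment sets.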