# Claim for the volume mounted at /data/autocert in the Deployment below.
# Presumably this holds Pomerium's ACME account key and the issued
# certificates with their private keys (verify against the autocert config);
# if so, the backing PV is secret material: restrict who can read the node
# path and only back it up to an equally protected store.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: autocert-data
  namespace: pomerium
spec:
  # Bind explicitly to the pre-provisioned PV "autocert-data"; the empty
  # storageClassName turns dynamic provisioning off so no other PV can
  # satisfy this claim.
  storageClassName: ""
  volumeName: autocert-data
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 5Gi
---
# Cluster-internal Service for the controller's metrics listener (port 9090,
# matching --metrics-bind-address on the Deployment). Nothing in this manifest
# authenticates that endpoint, so any workload that can reach the Service can
# scrape it; NOTE(review): consider a NetworkPolicy that limits ingress on
# 9090 to the monitoring namespace.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-metrics
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: metrics
      protocol: TCP
      port: 9090
      targetPort: metrics
---
# Externally reachable entry point for the proxy; the Deployment's
# --update-status-from-service flag names this Service. Both 80 and 443 are
# published -- port 80 presumably serves the HTTPS redirect and/or ACME
# HTTP-01 challenges, confirm before removing it.
# externalIPs are honoured by kube-proxy on every node: traffic arriving for
# these addresses is forwarded to the selected pods regardless of which node
# receives it. That makes externalIPs an interception vector if anyone other
# than the cluster admin can create Services, so keep this list admin-only
# (or block the field with an admission policy).
apiVersion: v1
kind: Service
metadata:
  name: pomerium-proxy
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: https
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
  externalIPs:
    - 10.5.0.1  # "prime" forwards to this address
    - 10.2.0.1  # local DNS resolves names to this address
---
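# Single-replica all-in-one Pomerium ingress controller + proxy. One replica
# is the ceiling here: the autocert PVC is ReadWriteOnce and the pod is
# pinned to node "bang" (presumably where that local volume lives -- confirm).
apiVersion: apps/v1
kind: Deployment
metadata:
  labels: { app.kubernetes.io/name: pomerium }
  name: pomerium
  namespace: pomerium
spec:
  replicas: 1
  selector:
    matchLabels: { app.kubernetes.io/name: pomerium }
  template:
    metadata:
      labels: { app.kubernetes.io/name: pomerium }
    spec:
      containers:
        - args:
            - all-in-one
            - --pomerium-config=global
            # Flag name suggests Ingress status is derived from the address of
            # the pomerium-proxy Service; the namespace comes from the downward
            # API env var below.
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
          env:
            # The root filesystem is read-only; point scratch and cache dirs at
            # the emptyDir mounted on /tmp.
            - { name: TMPDIR, value: /tmp }
            - { name: XDG_CACHE_HOME, value: /tmp }
            - name: POMERIUM_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
          # NOTE(review): a tag -- even a git-sha-derived one -- is mutable in
          # the registry, and IfNotPresent means the node keeps whatever it
          # pulled first. Pin by digest (pomerium/ingress-controller@sha256:...)
          # so a re-pushed tag cannot silently change the running code.
          image: pomerium/ingress-controller:sha-5294279
          imagePullPolicy: IfNotPresent
          name: pomerium
          ports:
            - { containerPort: 8443, name: https, protocol: TCP }
            - { containerPort: 8080, name: http, protocol: TCP }
            - { containerPort: 9090, name: metrics, protocol: TCP }
          resources:
            limits: { cpu: 5000m, memory: 1Gi }
            requests: { cpu: 300m, memory: 200Mi }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000
            # Every listener is on an unprivileged port (8080/8443/9090), so
            # the container needs no Linux capability; drop the whole bounding
            # set rather than relying on the non-root UID alone.
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - { mountPath: /tmp, name: tmp }
            # Presumably the ACME state (account key, issued certs). The
            # backing volume must be writable by uid/gid 1000 -- no fsGroup is
            # set here, so ownership on the PV has to be correct out of band.
            - { mountPath: /data/autocert, name: autocert }
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        # Pod Security Standards "restricted" baseline: apply the runtime's
        # default seccomp filter to every container in the pod.
        seccompProfile:
          type: RuntimeDefault
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      volumes:
        - { name: tmp, emptyDir: {} }
        - { name: autocert, persistentVolumeClaim: { claimName: autocert-data } }
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: "kubernetes.io/hostname"
                    operator: In
                    values: ["bang"]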
---
# Registers the "pomerium" IngressClass; Ingress objects opt in with
# spec.ingressClassName: pomerium. No is-default-class annotation is set, so
# Ingresses that do not name this class explicitly are not claimed by it.
# The controller string must match what the all-in-one binary announces.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: pomerium
  labels: { app.kubernetes.io/name: pomerium }
spec:
  controller: pomerium.io/ingress-controller