# Pomerium ingress-controller install manifest (multi-document YAML).
# Documents in this file: the pomerium Namespace, the Pomerium CRD
# (group ingress.pomerium.io, version v1, cluster-scoped), two
# ServiceAccounts, two ClusterRoles with their ClusterRoleBindings, the
# metrics and proxy Services, the controller Deployment, the
# pomerium-gen-secrets Job and the pomerium IngressClass.
#
# NOTE(review): in this copy the Namespace and CRD documents have lost
# their indentation and parts of the CRD description text are garbled
# (around the authenticate/certificates fields and in the storage
# section, where the postgres/caSecret keys are missing). The CRD is
# generated by controller-gen (annotation
# controller-gen.kubebuilder.io/version: v0.9.0); regenerate it from the
# upstream Go types instead of hand-repairing this text.
#
# Security-relevant points of the schema as written here:
#   - identityProvider.url must match the pattern ^https:// (format: uri).
#   - identityProvider.secret is required and must hold client_id and
#     client_secret; requestParamsSecret exists so OAuth2 request
#     parameters need not be given in plaintext.
#   - the redis section's tlsSkipVerify disables TLS certificate chain
#     validation; prefer caSecret (a PEM CA under key ca.crt) instead.
#   - secrets (required) references the bootstrap Secret holding
#     shared_secret, cookie_secret and signing_key; the default install
#     creates it as pomerium/bootstrap via the pomerium-gen-secrets Job,
#     and re-running that Job rotates the values.
#   - cookie.httpOnly and cookie.secure default to true; setting either
#     to false weakens session-cookie protection.
apiVersion: v1 kind: Namespace metadata: labels: app.kubernetes.io/name: pomerium name: pomerium --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.9.0 creationTimestamp: null labels: app.kubernetes.io/name: pomerium name: pomerium.ingress.pomerium.io spec: group: ingress.pomerium.io names: kind: Pomerium listKind: PomeriumList plural: pomerium singular: pomerium scope: Cluster versions: - name: v1 schema: openAPIV3Schema: description: Pomerium define runtime-configurable Pomerium settings that do not fall into the category of deployment parameters properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: PomeriumSpec defines Pomerium-specific configuration parameters. properties: authenticate: description: Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used. properties: callbackPath: description: "CallbackPath sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client. \n
This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.
Defaults to /oauth2/callback
Ingress
for this virtual
route, as it is handled by Pomerium internally. certificates
.
If you use cert-manager
with HTTP01
challenge, you may use pomerium
ingressClass
to solve it.ca.crt
containing a CA certificate.
items:
type: string
type: array
certificates:
description: Certificates is a list of secrets of type TLS to use
format: namespace/name
items:
type: string
type: array
cookie:
description: Cookie defines Pomerium session cookie options.
properties:
domain:
description: Domain defaults to the same host that set the cookie.
If you specify the domain explicitly, then subdomains would
also be included.
type: string
expire:
description: Expire sets cookie and Pomerium session expiration
time. Once session expires, users would have to re-login. If
you change this parameter, existing sessions are not affected.
See Session Management (Enterprise) for a more fine-grained session controls.
Defaults to 14 hours.
format: duration type: string httpOnly: description: HTTPOnly if set tofalse
, the cookie
would be accessible from within the JavaScript. Defaults to
true
.
type: boolean
name:
description: Name sets the Pomerium session cookie name. Defaults
to _pomerium
type: string
sameSite:
description: SameSite sets the SameSite option for cookies. Defaults
to
.
type: string
secure:
description: Secure if set to false, would make a cookie accessible
over insecure protocols (HTTP). Defaults to true
.
type: boolean
type: object
identityProvider:
description: IdentityProvider configure single-sign-on authentication
and user identity details by integrating with your Identity
Provider
properties:
provider:
description: Provider is the short-hand name of a built-in OpenID
Connect (oidc) identity provider to be used for authentication.
To use a generic provider, set to oidc
.
enum:
- auth0
- azure
- github
- gitlab
- google
- oidc
- okta
- onelogin
- ping
type: string
refreshDirectory:
description: RefreshDirectory is no longer supported, please see
Upgrade
Guide.
properties:
interval:
description: interval is the time that pomerium will sync
your IDP directory.
format: duration
type: string
timeout:
description: timeout is the maximum time allowed each run.
format: duration
type: string
required:
- interval
- timeout
type: object
requestParams:
additionalProperties:
type: string
description: RequestParams to be added as part of a sign-in request
using OAuth2 code flow.
format: namespace/name
type: object
requestParamsSecret:
description: RequestParamsSecret is a reference to a secret for
additional parameters you'd prefer not to provide in plaintext.
format: namespace/name
type: string
scopes:
description: Scopes Identity provider scopes correspond to access
privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
items:
type: string
type: array
secret:
description: Secret containing IdP provider specific parameters.
and must contain at least client_id
and client_secret
values.
format: namespace/name
minLength: 1
type: string
serviceAccountFromSecret:
description: ServiceAccountFromSecret is no longer supported,
see Upgrade
Guide.
type: string
url:
description: URL is the base path to an identity provider's OpenID
connect discovery document. See Identity
Providers guides for details.
format: uri
pattern: ^https://
type: string
required:
- provider
- secret
type: object
jwtClaimHeaders:
additionalProperties:
type: string
description: JWTClaimHeaders convert claims from the assertion token
into HTTP headers and adds them into JWT assertion header. Please
make sure to read
Getting User Identity guide.
type: object
programmaticRedirectDomains:
description: ProgrammaticRedirectDomains specifies a list of domains
that can be used for programmatic
redirects.
items:
type: string
type: array
secrets:
description: "Secrets references a Secret with Pomerium bootstrap
parameters. \n
shared_secret
- secures inter-Pomerium service communications. cookie_secret
- encrypts Pomerium session browser cookie. See also other Cookie
parameters. signing_key
signs Pomerium JWT assertion header. See Getting
the user's identity guide. In a default
Pomerium installation manifest, they would be generated via a one-time
job and stored in a pomerium/bootstrap
Secret.
You may re-run the job to rotate the secrets, or update the Secret
values manually.
ca.crt
containing CA certificate that, if specified,
would be used to populate sslrootcert
parameter
of the connection string.
format: namespace/name
minLength: 1
type: string
secret:
description: Secret specifies a name of a Secret that must
contain connection
key. See DSN
Format and Parameters. Do not set sslrootcert
,
sslcert
and sslkey
via connection
string, use tlsSecret
and caSecret
CRD options instead.
format: namespace/name
minLength: 1
type: string
tlsSecret:
description: TLSSecret should refer to a k8s secret of type
kubernetes.io/tls
and allows to specify an
optional client certificate and key, by constructing sslcert
and sslkey
connection string
parameter values.
format: namespace/name
minLength: 1
type: string
required:
- secret
type: object
redis:
description: Redis defines REDIS connection parameters
properties:
caSecret:
description: CASecret should refer to a k8s secret with key
ca.crt
that must be a PEM-encoded certificate
authority to use when connecting to the databroker storage
engine.
format: namespace/name
type: string
secret:
description: Secret specifies a name of a Secret that must
contain connection
key.
format: namespace/name
minLength: 1
type: string
tlsSecret:
description: TLSSecret should refer to a k8s secret of type
kubernetes.io/tls
that would be used to perform
TLS connection to REDIS.
format: namespace/name
minLength: 1
type: string
tlsSkipVerify:
description: TLSSkipVerify disables TLS certificate chain
validation.
type: boolean
required:
- secret
type: object
type: object
required:
- secrets
type: object
status:
description: PomeriumStatus represents configuration and Ingress status.
properties:
ingress:
additionalProperties:
description: ResourceStatus represents the outcome of the latest
attempt to reconcile relevant Kubernetes resource with Pomerium.
properties:
error:
description: Error that prevented latest observedGeneration
to be synchronized with Pomerium.
type: string
observedAt:
description: ObservedAt is when last reconciliation attempt
was made.
format: date-time
type: string
observedGeneration:
description: ObservedGeneration represents the .metadata.generation
that was last presented to Pomerium.
format: int64
type: integer
reconciled:
description: Reconciled is whether this object generation was
successfully synced with pomerium.
type: boolean
warnings:
description: Warnings while parsing the resource.
items:
type: string
type: array
required:
- reconciled
type: object
description: Routes provide per-Ingress status.
type: object
settingsStatus:
description: SettingsStatus represent most recent main configuration
reconciliation status.
properties:
error:
description: Error that prevented latest observedGeneration to
be synchronized with Pomerium.
type: string
observedAt:
description: ObservedAt is when last reconciliation attempt was
made.
format: date-time
type: string
observedGeneration:
description: ObservedGeneration represents the .metadata.generation
that was last presented to Pomerium.
format: int64
type: integer
reconciled:
description: Reconciled is whether this object generation was
successfully synced with pomerium.
type: boolean
warnings:
description: Warnings while parsing the resource.
items:
type: string
type: array
required:
- reconciled
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
# Identity the controller Deployment runs as (serviceAccountName:
# pomerium-controller). Its permissions come from the pomerium-controller
# ClusterRole via the ClusterRoleBinding of the same name.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pomerium-controller
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
---
# Identity of the one-shot pomerium-gen-secrets Job. Kept separate from
# the controller's ServiceAccount so the secret-writing permission is
# not held by the long-running proxy.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pomerium-gen-secrets
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
---
# Cluster-wide RBAC for the ingress controller. Read access to Secrets
# is cluster-scoped because the Pomerium CRD references TLS, IdP and
# bootstrap Secrets by namespace/name (format: namespace/name in the
# schema). The consequence is that the pomerium-controller token can
# read and watch every Secret in the cluster, so treat that
# ServiceAccount as highly privileged and restrict who can exec into or
# impersonate the controller pod.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pomerium-controller
  labels:
    app.kubernetes.io/name: pomerium
rules:
  # Core objects the controller reads to build routes and load secrets.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services/status
      - secrets/status
      - endpoints/status
    verbs:
      - get
  # Ingress and IngressClass are read-only; only Ingress status is written.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - get
      - patch
      - update
  # The Pomerium settings CRD: spec is read, status is written back.
  - apiGroups:
      - ingress.pomerium.io
    resources:
      - pomerium
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ingress.pomerium.io
    resources:
      - pomerium/status
    verbs:
      - get
      - update
      - patch
  # Event creation/patching only; no other write access to core objects.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# NOTE(review): this grants `create` on Secrets in every namespace (it is
# bound with a ClusterRoleBinding), while the Job only ever writes
# $(POD_NAMESPACE)/bootstrap. A namespaced Role + RoleBinding in the
# pomerium namespace would give the same capability with least
# privilege; the role and its binding would have to change together.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pomerium-gen-secrets
  labels:
    app.kubernetes.io/name: pomerium
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
---
# Binds the controller ServiceAccount (pomerium/pomerium-controller) to
# the cluster-wide pomerium-controller ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pomerium-controller
  labels:
    app.kubernetes.io/name: pomerium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-controller
subjects:
  - kind: ServiceAccount
    name: pomerium-controller
    namespace: pomerium
---
# Binds the gen-secrets Job's ServiceAccount to the pomerium-gen-secrets
# ClusterRole. Because this is a ClusterRoleBinding the grant applies in
# all namespaces; a RoleBinding in pomerium would suffice for the Job's
# single $(POD_NAMESPACE)/bootstrap write if the role were namespaced too.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pomerium-gen-secrets
  labels:
    app.kubernetes.io/name: pomerium
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pomerium-gen-secrets
subjects:
  - kind: ServiceAccount
    name: pomerium-gen-secrets
    namespace: pomerium
---
# Cluster-internal Service for the controller's metrics listener
# (container port named `metrics`, 9090). ClusterIP keeps it off the
# public LoadBalancer used for proxy traffic.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-metrics
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: metrics
      port: 9090
      targetPort: metrics
      protocol: TCP
---
# Public entry point: a LoadBalancer forwarding 443 and 80 to the
# controller's `https` and `http` container ports. The Deployment's
# --update-status-from-service flag names this Service.
apiVersion: v1
kind: Service
metadata:
  name: pomerium-proxy
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: pomerium
  ports:
    - name: https
      port: 443
      targetPort: https
      protocol: TCP
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
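---
# The all-in-one Pomerium ingress controller: proxy listeners (http,
# https), the controller reading the Pomerium object named `global`,
# and a metrics listener, in one container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: pomerium
  template:
    metadata:
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      serviceAccountName: pomerium-controller
      terminationGracePeriodSeconds: 10
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        # Default container-runtime seccomp profile; together with the
        # container settings below this meets the restricted Pod Security
        # Standard.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: pomerium
          # NOTE(review): `main` is a mutable tag and Always re-resolves it
          # on every pod start, so the running code can change without a
          # manifest change. Pin a release tag or digest (<IMAGE_DIGEST>)
          # for reproducible, reviewable rollouts.
          image: pomerium/ingress-controller:main
          imagePullPolicy: Always
          args:
            - all-in-one
            # Name of the cluster-scoped Pomerium object with global settings.
            - --pomerium-config=global
            # Service whose status feeds Ingress status (per the flag name).
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
          env:
            # The root filesystem is read-only; /tmp (emptyDir) is the only
            # writable location, so point temp and cache dirs at it.
            - name: TMPDIR
              value: /tmp
            - name: XDG_CACHE_HOME
              value: /tmp
            - name: POMERIUM_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
          ports:
            - name: https
              containerPort: 8443
              protocol: TCP
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          resources:
            requests:
              cpu: 300m
              memory: 200Mi
            limits:
              cpu: 5000m
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            # Every listener is on an unprivileged port (8443/8080/9090)
            # and the process runs as uid 1000, so no capability is needed.
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}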
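---
# One-shot Job that generates the Pomerium bootstrap secrets
# (shared_secret, cookie_secret, signing_key per the CRD `secrets`
# description) into the Secret <namespace>/bootstrap. Re-running the
# Job rotates them.
apiVersion: batch/v1
kind: Job
metadata:
  name: pomerium-gen-secrets
  namespace: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  template:
    metadata:
      name: pomerium-gen-secrets
      labels:
        app.kubernetes.io/name: pomerium
    spec:
      serviceAccountName: pomerium-gen-secrets
      restartPolicy: OnFailure
      nodeSelector:
        kubernetes.io/os: linux
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: gen-secrets
          image: pomerium/ingress-controller:main
          # Same mutable `main` tag as the controller Deployment, so pull
          # it the same way (Always) rather than IfNotPresent; otherwise a
          # node's cached image may generate secrets with a different build
          # than the one serving traffic. Pinning a digest (<IMAGE_DIGEST>)
          # is the durable fix.
          imagePullPolicy: Always
          args:
            - gen-secrets
            - --secrets=$(POD_NAMESPACE)/bootstrap
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          securityContext:
            allowPrivilegeEscalation: false
            # The Job only talks to the API server; no capability is needed.
            capabilities:
              drop:
                - ALL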
---
# IngressClass that routes Ingress objects to this controller; an
# Ingress opts in by referencing it (ingressClassName: pomerium).
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: pomerium
  labels:
    app.kubernetes.io/name: pomerium
spec:
  controller: pomerium.io/ingress-controller