infrastructure/pomerium.yaml

# Pomerium Helm release
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: pomerium
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: helm-provider
  forProvider:
    chart:
      name: pomerium
      repository: https://helm.pomerium.io
      version: 34.0.1
    namespace: pomerium
    values:
      config:
        # Pomerium configuration
        rootDomain: nge6.com
        
        # Shared secret for service communication
        sharedSecret: "YWJjZGVmZ2hpams="
        
        # Cookie secret for session management  
        cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="
        
        # Routes for protected applications
        routes:
          # Allow public access to all Keycloak for testing
          - from: https://keycloak.nge6.com
            to: http://keycloak-http.auth-system.svc.cluster.local
            preserve_host_header: true
            allow_public_unauthenticated_access: true
          # Forgejo Git service - require authentication
          - from: https://git.nge6.com
            to: http://forgejo-http.forgejo.svc.cluster.local:3000
            preserve_host_header: true
            allow_any_authenticated_user: true
          # Forgejo Git service - require authentication (HTTP)
          - from: http://git.nge6.com
            to: http://forgejo-http.forgejo.svc.cluster.local:3000
            preserve_host_header: true
            allow_any_authenticated_user: true
          # Vaultwarden password manager - require authentication
          - from: https://vault.nge6.com
            to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
            preserve_host_header: true
            allow_any_authenticated_user: true
            
      # Authentication service configuration
      authenticate:
        proxied: true
        idp:
          provider: oidc  
          url: https://keycloak.nge6.com/realms/kubernetes-realm
          clientID: pomerium
          clientSecret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x
          # Manual OIDC endpoint configuration to bypass discovery
          scopes: ["openid", "profile", "email"]
          
      # Disable automatic ingress generation
      ingress:
        enabled: false
        
      # Service configuration for proxy
      proxy:
        service:
          type: ClusterIP
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`# Pomerium Helm release`
			`apiVersion: helm.crossplane.io/v1beta1`
			`kind: Release`
			`metadata:`
			`name: pomerium`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: helm-provider`
			`forProvider:`
			`chart:`
			`name: pomerium`
			`repository: https://helm.pomerium.io`
			`version: 34.0.1`
			`namespace: pomerium`
			`values:`
			`config:`
			`# Pomerium configuration`
			`rootDomain: nge6.com`

			`# Shared secret for service communication`
			`sharedSecret: "YWJjZGVmZ2hpams="`

			`# Cookie secret for session management`
			`cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="`

			`# Routes for protected applications`
			`routes:`
			`# Allow public access to all Keycloak for testing`
			`- from: https://keycloak.nge6.com`
			`to: http://keycloak-http.auth-system.svc.cluster.local`
			`preserve_host_header: true`
			`allow_public_unauthenticated_access: true`
Complete GitOps infrastructure setup Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:43:00 +00:00			`# Forgejo Git service - require authentication`
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`- from: https://git.nge6.com`
			`to: http://forgejo-http.forgejo.svc.cluster.local:3000`
			`preserve_host_header: true`
Complete GitOps infrastructure setup Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:43:00 +00:00			`allow_any_authenticated_user: true`
			`# Forgejo Git service - require authentication (HTTP)`
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`- from: http://git.nge6.com`
			`to: http://forgejo-http.forgejo.svc.cluster.local:3000`
			`preserve_host_header: true`
Complete GitOps infrastructure setup Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-28 06:43:00 +00:00			`allow_any_authenticated_user: true`
Add Argo Workflows, mTLS container registry, and fix infrastructure - Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment) - Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes - Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes - Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling - Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API - Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling - Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required) - Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls - Fix DNS records for new Emissary LB IP (212.2.241.28) - Fix CoreDNS crash from invalid custom config - Fix Emissary apiext expired webhook CA certificate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-08 01:23:12 +00:00			`# Vaultwarden password manager - require authentication`
			`- from: https://vault.nge6.com`
			`to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080`
			`preserve_host_header: true`
			`allow_any_authenticated_user: true`
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00
			`# Authentication service configuration`
			`authenticate:`
			`proxied: true`
			`idp:`
			`provider: oidc`
			`url: https://keycloak.nge6.com/realms/kubernetes-realm`
			`clientID: pomerium`
			`clientSecret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x`
			`# Manual OIDC endpoint configuration to bypass discovery`
			`scopes: ["openid", "profile", "email"]`

			`# Disable automatic ingress generation`
			`ingress:`
			`enabled: false`

			`# Service configuration for proxy`
			`proxy:`
			`service:`
			`type: ClusterIP`