eemoore/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infrastructure/pomerium/templates/proxy-deployment.yaml

148 lines
5.2 KiB
YAML
Raw Permalink Normal View History

Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-23 12:43:06 +00:00
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: proxy
name: {{ template "pomerium.proxy.fullname" . }}
{{- if or .Values.proxy.deployment.annotations .Values.annotations }}
annotations:
{{- if .Values.proxy.deployment.annotations }}
{{- range $key, $value := .Values.proxy.deployment.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- else if .Values.annotations }}
{{- range $key, $value := .Values.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
spec:
{{- if (ne .Values.proxy.autoscaling.enabled true) }}
replicas: {{ default .Values.replicaCount .Values.proxy.replicaCount }}
{{- end }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
annotations:
checksum: {{ include "pomerium.static.checksum" . }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
{{- if .Values.proxy.deployment.podAnnotations }}
{{ toYaml .Values.proxy.deployment.podAnnotations | indent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --config=/etc/pomerium/config.yaml
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
env:
- name: INSECURE_SERVER
value: "{{ ternary "true" "false" (eq (include "pomerium.proxy.insecure" .) "true") }}"
{{- if and (not (include "pomerium.proxy.insecure" .)) .Values.proxy.redirectServer }}
- name: HTTP_REDIRECT_ADDR
value: :80
{{- end }}
- name: ADDRESS
value: {{ printf ":%s" (include "pomerium.proxy.trafficPort.number" . ) }}
{{- if or ( and .Values.proxy.tls.cert .Values.proxy.tls.key ) .Values.proxy.existingTLSSecret }}
{{- include "pomerium.tls.internal.envVars" . | indent 8 }}
{{- end }}
- name: SERVICES
value: proxy
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: {{ template "pomerium.signingKeySecret.name" . }}
key: signing-key
{{- include "pomerium.metrics.envVars" . | indent 8}}
{{- range $name, $value := .Values.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
{{- range $name, $value := .Values.proxy.deployment.extraEnv }}
- name: {{ $name }}
value: {{ quote $value }}
{{- end }}
envFrom:
- secretRef:
name: {{ include "pomerium.sharedSecretName" . }}
{{- if .Values.extraEnvFrom }}
{{ toYaml .Values.extraEnvFrom | indent 10 }}
{{- end }}
ports:
- containerPort: {{ template "pomerium.proxy.trafficPort.number" . }}
name: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
protocol: TCP
{{- if and .Values.proxy.redirectServer (not (include "pomerium.proxy.insecure" .)) }}
- name: http
containerPort: 80
protocol: TCP
{{- end }}
- containerPort: {{ .Values.metrics.port }}
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /ping
port: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
scheme: {{ upper ( include "pomerium.proxy.httpTrafficPort.scheme" . ) }}
readinessProbe:
httpGet:
path: /ping
port: {{ template "pomerium.proxy.httpTrafficPort.scheme" . }}
scheme: {{ upper ( include "pomerium.proxy.httpTrafficPort.scheme" . ) }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
{{ include "pomerium.volumeMounts" . | indent 10 }}
serviceAccountName: {{ template "pomerium.proxy.serviceAccountName" . }}
volumes:
{{ include "pomerium.volumes.shared" . | indent 8 }}
{{- $ctx := . }}
{{- $_ := set $ctx "currentServiceName" "proxy" }}
{{ include "pomerium.volumes.service" $ctx | indent 8 }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
Reference in a new issue Copy permalink