infrastructure/pomerium/templates/secret.yaml

{{- if not .Values.config.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "pomerium.secretName" . }}
  labels:
    app.kubernetes.io/name: {{ template "pomerium.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.config.extraSecretLabels }}
    {{- range $key, $value := .Values.config.extraSecretLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
{{- end }}
type: Opaque
stringData:
  config.yaml: |
{{ include "pomerium.config.static" . |  indent 4 -}}
{{ include "pomerium.config.dynamic" . | indent 4 -}}
{{- end }}

---
{{- if not .Values.config.existingSharedSecret }}
{{- $sharedSecret := coalesce .Values.config.sharedSecret (randAscii 32 | b64enc) }}
{{- $cookieSecret := coalesce .Values.config.cookieSecret (randAscii 32 | b64enc) }}
{{- $sharedSecretData := (lookup "v1" "Secret" .Release.Namespace (include "pomerium.sharedSecretName" .) ).data }}
{{- if and $sharedSecretData (not .Values.config.forceGenerateServiceSecrets) }}
{{- $sharedSecret = (index $sharedSecretData "SHARED_SECRET" | b64dec) }}
{{- $cookieSecret = (index $sharedSecretData "COOKIE_SECRET" | b64dec) }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "pomerium.sharedSecretName" . }}
  labels:
    app.kubernetes.io/name: {{ template "pomerium.name" . }}
    helm.sh/chart: {{ template "pomerium.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.config.extraSharedSecretLabels }}
    {{- range $key, $value := .Values.config.extraSharedSecretLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
{{- end }}
type: Opaque
data:
  SHARED_SECRET: {{ $sharedSecret | b64enc }}
  COOKIE_SECRET: {{ $cookieSecret | b64enc }}
{{- end }}
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`{{- if not .Values.config.existingSecret }}`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: {{ template "pomerium.secretName" . }}`
			`labels:`
			`app.kubernetes.io/name: {{ template "pomerium.name" . }}`
			`helm.sh/chart: {{ template "pomerium.chart" . }}`
			`app.kubernetes.io/managed-by: {{ .Release.Service }}`
			`app.kubernetes.io/instance: {{ .Release.Name }}`
			`{{- if .Values.config.extraSecretLabels }}`
			`{{- range $key, $value := .Values.config.extraSecretLabels }}`
			`{{ $key }}: {{ $value \| quote }}`
			`{{- end }}`
			`{{- end }}`
			`type: Opaque`
			`stringData:`
			`config.yaml: \|`
			`{{ include "pomerium.config.static" . \| indent 4 -}}`
			`{{ include "pomerium.config.dynamic" . \| indent 4 -}}`
			`{{- end }}`

			`---`
			`{{- if not .Values.config.existingSharedSecret }}`
			`{{- $sharedSecret := coalesce .Values.config.sharedSecret (randAscii 32 \| b64enc) }}`
			`{{- $cookieSecret := coalesce .Values.config.cookieSecret (randAscii 32 \| b64enc) }}`
			`{{- $sharedSecretData := (lookup "v1" "Secret" .Release.Namespace (include "pomerium.sharedSecretName" .) ).data }}`
			`{{- if and $sharedSecretData (not .Values.config.forceGenerateServiceSecrets) }}`
			`{{- $sharedSecret = (index $sharedSecretData "SHARED_SECRET" \| b64dec) }}`
			`{{- $cookieSecret = (index $sharedSecretData "COOKIE_SECRET" \| b64dec) }}`
			`{{- end }}`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: {{ include "pomerium.sharedSecretName" . }}`
			`labels:`
			`app.kubernetes.io/name: {{ template "pomerium.name" . }}`
			`helm.sh/chart: {{ template "pomerium.chart" . }}`
			`app.kubernetes.io/managed-by: {{ .Release.Service }}`
			`app.kubernetes.io/instance: {{ .Release.Name }}`
			`{{- if .Values.config.extraSharedSecretLabels }}`
			`{{- range $key, $value := .Values.config.extraSharedSecretLabels }}`
			`{{ $key }}: {{ $value \| quote }}`
			`{{- end }}`
			`{{- end }}`
			`type: Opaque`
			`data:`
			`SHARED_SECRET: {{ $sharedSecret \| b64enc }}`
			`COOKIE_SECRET: {{ $cookieSecret \| b64enc }}`
			`{{- end }}`