eemoore/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infrastructure/pomerium/templates/ingress.yaml

125 lines
4.9 KiB
YAML
Raw Normal View History

Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-23 12:43:06 +00:00
{{- if or (and .Values.ingress.enabled (not .Values.ingressController.enabled)) (and .Values.ingressController.enabled .Values.ingressController.config.operatorMode) -}}
{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}}
{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}}
{{- $ingressPathType := .Values.ingress.pathType -}}
apiVersion: {{ include "ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "pomerium.fullname" . }}
labels:
app.kubernetes.io/name: {{ include "pomerium.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "pomerium.chart" . }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
{{- if not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) -}}
{{- fail "Kubernetes version >=1.18 required to use className!" -}}
{{- end }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{ if (or .Values.ingress.secret.name .Values.ingress.secretName) }}
tls:
- secretName: {{ default .Values.ingress.secret.name .Values.ingress.secretName }}
hosts:
{{ include "pomerium.ingress.tls.hosts" . | indent 8 }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . | quote }}
http:
paths:
- backend:
{{- if $ingressApiIsStable }}
service:
name: {{ template "pomerium.proxy.fullname" $ }}
port:
name: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- else }}
serviceName: {{ template "pomerium.proxy.fullname" $ }}
servicePort: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- end }}
{{- if $ingressSupportsPathType }}
pathType: {{ $ingressPathType }}
{{- end }}
{{- end }}
{{- if not (or .Values.ingress.hosts .Values.forwardAuth.enabled) }}
{{- range .Values.config.routes }}
{{- if hasPrefix "http" .from }}
- host: {{ .from | trimPrefix "https://" | trimPrefix "http://" | quote }}
http:
paths:
- backend:
{{- if $ingressApiIsStable }}
service:
name: {{ template "pomerium.proxy.fullname" $ }}
port:
name: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- else }}
serviceName: {{ template "pomerium.proxy.fullname" $ }}
servicePort: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- end }}
{{- if $ingressSupportsPathType }}
pathType: {{ $ingressPathType }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if and (.Values.forwardAuth.enabled) (not .Values.forwardAuth.internal)}}
- host: {{ template "pomerium.forwardAuth.name" . }}
http:
paths:
- backend:
{{- if $ingressApiIsStable }}
service:
name: {{ template "pomerium.proxy.fullname" $ }}
port:
name: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- else }}
serviceName: {{ template "pomerium.proxy.fullname" $ }}
servicePort: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- end }}
{{- if $ingressSupportsPathType }}
pathType: {{ $ingressPathType }}
{{- end }}
{{- end }}
{{- if ne .Values.authorize.service.clusterIP "None" }}
- host: {{ printf "authorize.%s" .Values.config.rootDomain }}
http:
paths:
- backend:
{{- if $ingressApiIsStable }}
service:
name: {{ template "pomerium.authorize.fullname" $ }}
port:
name: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- else }}
serviceName: {{ template "pomerium.authorize.fullname" $ }}
servicePort: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- end }}
{{- if $ingressSupportsPathType }}
pathType: {{ $ingressPathType }}
{{- end }}
{{- end }}
- host: {{ template "pomerium.authenticate.hostname" . }}
http:
paths:
- backend:
{{- if $ingressApiIsStable }}
service:
name: {{ template "pomerium.authenticate.fullname" $ }}
port:
name: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- else }}
serviceName: {{ template "pomerium.authenticate.fullname" $ }}
servicePort: {{ template "pomerium.httpTrafficPort.name" $ }}
{{- end }}
{{- if $ingressSupportsPathType }}
pathType: {{ $ingressPathType }}
{{- end }}
{{- end }}
Reference in a new issue Copy permalink