infrastructure/pomerium/scripts/upgrade-v3.0.0.sh

#!/bin/bash -e

if [ "${1}" == "" ] || [ "${2}" == "" ]; then
    echo "Usage: $0 [secret name] [namespace]"
fi

DIR=$(mktemp -d)
NAME=${1:-pomerium}
NAMESPACE=${2:-default}
for service in authenticate authorize proxy; do
    kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.${service}-key}" | base64 -D | base64 -D >"${DIR}/${service}.key"
    kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.${service}-cert}" | base64 -D | base64 -D >"${DIR}/${service}.crt"

    kubectl create secret tls "${NAME}-${service}-tls" \
        --cert="${DIR}/${service}.crt" \
        --key="${DIR}/${service}.key"
done

kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.ca-cert}" | base64 -D | base64 -D >"${DIR}/ca.crt"
kubectl create secret generic "${NAME}-ca-tls" \
    --from-file=ca.crt="${DIR}/ca.crt"
echo "Please delete ${DIR} to clean up temporary certificate storage"
echo "# rm ${DIR}/*.{key,crt} && rmdir ${DIR}"
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`#!/bin/bash -e`

			`if [ "${1}" == "" ] \|\| [ "${2}" == "" ]; then`
			`echo "Usage: $0 [secret name] [namespace]"`
			`fi`

			`DIR=$(mktemp -d)`
			`NAME=${1:-pomerium}`
			`NAMESPACE=${2:-default}`
			`for service in authenticate authorize proxy; do`
			`kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.${service}-key}" \| base64 -D \| base64 -D >"${DIR}/${service}.key"`
			`kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.${service}-cert}" \| base64 -D \| base64 -D >"${DIR}/${service}.crt"`

			`kubectl create secret tls "${NAME}-${service}-tls" \`
			`--cert="${DIR}/${service}.crt" \`
			`--key="${DIR}/${service}.key"`
			`done`

			`kubectl get secrets "${NAME}" -n "${NAMESPACE}" -o jsonpath="{.data.ca-cert}" \| base64 -D \| base64 -D >"${DIR}/ca.crt"`
			`kubectl create secret generic "${NAME}-ca-tls" \`
			`--from-file=ca.crt="${DIR}/ca.crt"`
			`echo "Please delete ${DIR} to clean up temporary certificate storage"`
			`echo "# rm ${DIR}/*.{key,crt} && rmdir ${DIR}"`