infrastructure/pomerium.yaml

# Pomerium namespace
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-namespace
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: pomerium
---
# Pomerium Helm release
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: pomerium
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: helm-provider
  forProvider:
    chart:
      name: pomerium
      repository: https://helm.pomerium.io
      version: 34.0.1
    namespace: pomerium
    values:
      config:
        # Pomerium configuration
        rootDomain: nge6.com
        
        # Shared secret for service communication
        sharedSecret: "YWJjZGVmZ2hpams="
        
        # Cookie secret for session management  
        cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="
        
        # Routes for protected applications
        routes:
          # Allow public access to all Keycloak for testing
          - from: https://keycloak.nge6.com
            to: http://keycloak-http.auth-system.svc.cluster.local
            preserve_host_header: true
            allow_public_unauthenticated_access: true
          # Forgejo Git service - temporarily allow unauthenticated for setup
          - from: https://git.nge6.com
            to: http://forgejo-http.forgejo.svc.cluster.local:3000
            preserve_host_header: true
            allow_public_unauthenticated_access: true
          # Forgejo Git service - temporarily allow unauthenticated for setup (HTTP)
          - from: http://git.nge6.com
            to: http://forgejo-http.forgejo.svc.cluster.local:3000
            preserve_host_header: true
            allow_public_unauthenticated_access: true
            
      # Authentication service configuration
      authenticate:
        proxied: true
        idp:
          provider: oidc  
          url: https://keycloak.nge6.com/realms/kubernetes-realm
          clientID: pomerium
          clientSecret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x
          # Manual OIDC endpoint configuration to bypass discovery
          scopes: ["openid", "profile", "email"]
          
      # Disable automatic ingress generation
      ingress:
        enabled: false
        
      # Service configuration for proxy
      proxy:
        service:
          type: ClusterIP
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`# Pomerium namespace`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: pomerium-namespace`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: pomerium`
			`---`
			`# Pomerium Helm release`
			`apiVersion: helm.crossplane.io/v1beta1`
			`kind: Release`
			`metadata:`
			`name: pomerium`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: helm-provider`
			`forProvider:`
			`chart:`
			`name: pomerium`
			`repository: https://helm.pomerium.io`
			`version: 34.0.1`
			`namespace: pomerium`
			`values:`
			`config:`
			`# Pomerium configuration`
			`rootDomain: nge6.com`

			`# Shared secret for service communication`
			`sharedSecret: "YWJjZGVmZ2hpams="`

			`# Cookie secret for session management`
			`cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="`

			`# Routes for protected applications`
			`routes:`
			`# Allow public access to all Keycloak for testing`
			`- from: https://keycloak.nge6.com`
			`to: http://keycloak-http.auth-system.svc.cluster.local`
			`preserve_host_header: true`
			`allow_public_unauthenticated_access: true`
			`# Forgejo Git service - temporarily allow unauthenticated for setup`
			`- from: https://git.nge6.com`
			`to: http://forgejo-http.forgejo.svc.cluster.local:3000`
			`preserve_host_header: true`
			`allow_public_unauthenticated_access: true`
			`# Forgejo Git service - temporarily allow unauthenticated for setup (HTTP)`
			`- from: http://git.nge6.com`
			`to: http://forgejo-http.forgejo.svc.cluster.local:3000`
			`preserve_host_header: true`
			`allow_public_unauthenticated_access: true`

			`# Authentication service configuration`
			`authenticate:`
			`proxied: true`
			`idp:`
			`provider: oidc`
			`url: https://keycloak.nge6.com/realms/kubernetes-realm`
			`clientID: pomerium`
			`clientSecret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x`
			`# Manual OIDC endpoint configuration to bypass discovery`
			`scopes: ["openid", "profile", "email"]`

			`# Disable automatic ingress generation`
			`ingress:`
			`enabled: false`

			`# Service configuration for proxy`
			`proxy:`
			`service:`
			`type: ClusterIP`