---
# Pomerium Helm release, declared as a Crossplane provider-helm Release.
# Installs the pomerium chart into the "pomerium" namespace through the
# "helm-provider" ProviderConfig; every chart value is inlined under values.
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: pomerium
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: helm-provider
  forProvider:
    chart:
      name: pomerium
      repository: "https://helm.pomerium.io"
      # Quoted so the chart version is always read as a string.
      version: "34.0.1"
    namespace: pomerium
    values:
      # Core Pomerium settings (config.* in the chart).
      config:
        rootDomain: nge6.com
        # Secrets used by Pomerium itself, committed here in plaintext.
        # NOTE(review): both base64 payloads decode to short, human-readable
        # strings; Pomerium documents 32 random bytes (base64-encoded) for
        # sharedSecret and cookieSecret — confirm, rotate, and prefer supplying
        # them via the provider's valuesFrom / secretKeyRef rather than inline.
        sharedSecret: "YWJjZGVmZ2hpams="
        cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="
        # Routes for the protected applications.
        routes:
          # Keycloak is exposed without authentication (the original marks
          # this "for testing"); presumably so the IdP is reachable during the
          # login flow. Public access here is a deliberate exposure to revisit
          # before production.
          - from: "https://keycloak.nge6.com"
            to: "http://keycloak-http.auth-system.svc.cluster.local"
            preserve_host_header: true
            allow_public_unauthenticated_access: true
          # Forgejo over HTTPS: any authenticated user may reach it.
          - from: "https://git.nge6.com"
            to: "http://forgejo-http.forgejo.svc.cluster.local:3000"
            preserve_host_header: true
            allow_any_authenticated_user: true
          # Forgejo over plain HTTP, same policy as above.
          # NOTE(review): an http:// route either carries the login session
          # over plaintext or never receives a Secure session cookie — confirm
          # whether a redirect to the HTTPS route is the actual intent.
          - from: "http://git.nge6.com"
            to: "http://forgejo-http.forgejo.svc.cluster.local:3000"
            preserve_host_header: true
            allow_any_authenticated_user: true
      # Authentication service and identity-provider settings.
      authenticate:
        proxied: true
        idp:
          provider: oidc
          url: "https://keycloak.nge6.com/realms/kubernetes-realm"
          clientID: pomerium
          # OIDC client secret, also inline in plaintext (see the note on
          # secrets under config above).
          clientSecret: "3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x"
          # OIDC scopes requested from the IdP. (The original comment called
          # this "manual endpoint configuration to bypass discovery"; nothing
          # here overrides discovery — only the scope list is set.)
          scopes:
            - openid
            - profile
            - email
      # Do not let the chart generate an Ingress.
      ingress:
        enabled: false
      # The proxy Service stays cluster-internal.
      proxy:
        service:
          type: ClusterIP