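# Pomerium Native Kubernetes Deployment (No Helm!)
#
# Every Kubernetes resource below is wrapped in a Crossplane provider-kubernetes
# `Object` so it is reconciled through the `kubernetes-provider` ProviderConfig.
#
# Namespace already exists from previous deployment.
#
# Secrets are NOT stored in this file. Before applying, create a Secret named
# `pomerium` in the `pomerium` namespace out of band (sealed-secrets,
# external-secrets, or `kubectl create secret generic` from a trusted host)
# carrying these keys, which Pomerium reads as environment variables:
#
#   SHARED_SECRET      32 random bytes, base64 (`head -c 32 /dev/urandom | base64`)
#   COOKIE_SECRET      32 random bytes, base64 (`head -c 32 /dev/urandom | base64`)
#   IDP_CLIENT_SECRET  client secret of the `pomerium` client in the Keycloak realm
#
# Any values that earlier revisions of this file carried inline in the
# ConfigMap must be treated as compromised: regenerate both Pomerium secrets
# and rotate the Keycloak client secret.
#
# Environment variables override config.yaml keys (this file already relies on
# that for ADDRESS / GRPC_ADDRESS / INSECURE_SERVER), so each pod picks the
# secrets up through `envFrom` and the ConfigMap never holds them. All four
# components receive the same three variables, exactly as they previously
# shared one ConfigMap; IDP_CLIENT_SECRET is only needed by the IdP-facing
# side, so trim it from the others once confirmed this version does not
# require it there.

---
# ConfigMap for Pomerium configuration (non-secret settings only)
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-config
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: pomerium
        namespace: pomerium
      data:
        config.yaml: |
          # Core configuration (each Deployment overrides these via env)
          address: ":443"
          grpc_address: ":5443"

          # shared_secret, cookie_secret and idp_client_secret are deliberately
          # absent: they come from the `pomerium` Secret as SHARED_SECRET,
          # COOKIE_SECRET and IDP_CLIENT_SECRET.

          # Service URLs
          authenticate_service_url: https://authenticate.nge6.com
          authorize_service_url: http://pomerium-authorize.pomerium.svc.cluster.local:5443
          databroker_service_url: http://pomerium-databroker.pomerium.svc.cluster.local:5443

          # Plaintext listeners and plaintext gRPC between the Pomerium
          # components. Nothing in this file terminates TLS, so the proxy's
          # :443 is plain HTTP and must sit behind something that does
          # (external load balancer / ingress) -- verify that, and verify a
          # NetworkPolicy keeps the :5443 gRPC ports reachable only from the
          # pomerium namespace, because the shared secret is the only thing
          # authenticating those internal calls.
          insecure_server: true

          # Identity provider (client secret supplied via IDP_CLIENT_SECRET)
          idp_provider: oidc
          idp_provider_url: https://keycloak.nge6.com/realms/kubernetes-realm
          idp_client_id: pomerium
          idp_scopes:
            - openid
            - profile
            - email

          # Routes
          routes:
            # Keycloak. This route has to stay publicly reachable: the OIDC
            # login redirect sends browsers here, so it cannot itself sit
            # behind Pomerium authentication. Consequence: the Keycloak admin
            # console under /admin is guarded only by Keycloak's own login.
            # Once bootstrap is done, restrict it (a separate, more specific
            # Pomerium route for the /admin prefix with an allow policy, or a
            # Keycloak-side restriction) instead of leaving it exposed.
            - from: https://keycloak.nge6.com
              to: http://keycloak-http.auth-system.svc.cluster.local
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Vaultwarden. Any authenticated user of the realm reaches the
            # Vaultwarden UI; Vaultwarden's own login still applies behind it.
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              preserve_host_header: true
              allow_any_authenticated_user: true

            # Forgejo Git. Same policy as Vaultwarden: realm membership is the
            # only Pomerium-level check; Forgejo's own authorization follows.
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              preserve_host_header: true
              allow_any_authenticated_user: true

            # Authentication endpoint: must be public, it is the login flow.
            - from: https://authenticate.nge6.com
              to: http://pomerium-authenticate.pomerium.svc.cluster.local
              allow_public_unauthenticated_access: true

---
# Pomerium Authenticate Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-authenticate-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: pomerium-authenticate
        namespace: pomerium
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: pomerium-authenticate
        template:
          metadata:
            labels:
              app: pomerium-authenticate
          spec:
            # Nothing here talks to the Kubernetes API; do not mount a token.
            automountServiceAccountToken: false
            containers:
              - name: pomerium
                # Mutable tag: pin to a digest (image@sha256:...) before
                # relying on this for supply-chain integrity, and track
                # upstream releases.
                image: pomerium/pomerium:v0.25.0
                args:
                  - --config=/etc/pomerium/config.yaml
                envFrom:
                  # SHARED_SECRET, COOKIE_SECRET, IDP_CLIENT_SECRET. The pod
                  # stays unscheduled until the Secret exists (fail closed).
                  - secretRef:
                      name: pomerium
                env:
                  - name: SERVICES
                    value: authenticate
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":80"
                  - name: GRPC_ADDRESS
                    value: ":5443"
                  - name: GRPC_INSECURE
                    value: "true"
                ports:
                  - containerPort: 80
                    name: http
                  - containerPort: 5443
                    name: grpc
                securityContext:
                  allowPrivilegeEscalation: false
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
                    readOnly: true
            volumes:
              - name: config
                configMap:
                  name: pomerium

---
# Pomerium Authenticate Service
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-authenticate-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: pomerium-authenticate
        namespace: pomerium
      spec:
        selector:
          app: pomerium-authenticate
        ports:
          - name: http
            port: 80
            targetPort: 80
          - name: grpc
            port: 5443
            targetPort: 5443

---
# Pomerium Authorize Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-authorize-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: pomerium-authorize
        namespace: pomerium
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: pomerium-authorize
        template:
          metadata:
            labels:
              app: pomerium-authorize
          spec:
            # Nothing here talks to the Kubernetes API; do not mount a token.
            automountServiceAccountToken: false
            containers:
              - name: pomerium
                # Mutable tag: pin to a digest (image@sha256:...) before
                # relying on this for supply-chain integrity.
                image: pomerium/pomerium:v0.25.0
                args:
                  - --config=/etc/pomerium/config.yaml
                envFrom:
                  # SHARED_SECRET, COOKIE_SECRET, IDP_CLIENT_SECRET (fail closed
                  # until the Secret exists).
                  - secretRef:
                      name: pomerium
                env:
                  - name: SERVICES
                    value: authorize
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":80"
                  - name: GRPC_ADDRESS
                    value: ":5443"
                  - name: GRPC_INSECURE
                    value: "true"
                ports:
                  - containerPort: 80
                    name: http
                  - containerPort: 5443
                    name: grpc
                securityContext:
                  allowPrivilegeEscalation: false
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
                    readOnly: true
            volumes:
              - name: config
                configMap:
                  name: pomerium

---
# Pomerium Authorize Service
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-authorize-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: pomerium-authorize
        namespace: pomerium
      spec:
        selector:
          app: pomerium-authorize
        ports:
          - name: http
            port: 80
            targetPort: 80
          - name: grpc
            port: 5443
            targetPort: 5443

---
# Pomerium Databroker Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-databroker-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: pomerium-databroker
        namespace: pomerium
      spec:
        # Single replica with no storage backend configured here: session
        # state lives in this pod's memory and is lost on restart (users are
        # re-authenticated), which is the existing behaviour.
        replicas: 1
        selector:
          matchLabels:
            app: pomerium-databroker
        template:
          metadata:
            labels:
              app: pomerium-databroker
          spec:
            # Nothing here talks to the Kubernetes API; do not mount a token.
            automountServiceAccountToken: false
            containers:
              - name: pomerium
                # Mutable tag: pin to a digest (image@sha256:...) before
                # relying on this for supply-chain integrity.
                image: pomerium/pomerium:v0.25.0
                args:
                  - --config=/etc/pomerium/config.yaml
                envFrom:
                  # SHARED_SECRET, COOKIE_SECRET, IDP_CLIENT_SECRET (fail closed
                  # until the Secret exists).
                  - secretRef:
                      name: pomerium
                env:
                  - name: SERVICES
                    value: databroker
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":80"
                  - name: GRPC_ADDRESS
                    value: ":5443"
                  - name: GRPC_INSECURE
                    value: "true"
                ports:
                  - containerPort: 80
                    name: http
                  - containerPort: 5443
                    name: grpc
                securityContext:
                  allowPrivilegeEscalation: false
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
                    readOnly: true
            volumes:
              - name: config
                configMap:
                  name: pomerium

---
# Pomerium Databroker Service
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-databroker-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: pomerium-databroker
        namespace: pomerium
      spec:
        selector:
          app: pomerium-databroker
        ports:
          - name: http
            port: 80
            targetPort: 80
          - name: grpc
            port: 5443
            targetPort: 5443

---
# Pomerium Proxy Deployment (the main ingress point)
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-proxy-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: pomerium-proxy
        namespace: pomerium
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: pomerium-proxy
        template:
          metadata:
            labels:
              app: pomerium-proxy
          spec:
            # Nothing here talks to the Kubernetes API; do not mount a token.
            automountServiceAccountToken: false
            containers:
              - name: pomerium
                # Mutable tag: pin to a digest (image@sha256:...) before
                # relying on this for supply-chain integrity.
                image: pomerium/pomerium:v0.25.0
                args:
                  - --config=/etc/pomerium/config.yaml
                envFrom:
                  # SHARED_SECRET, COOKIE_SECRET, IDP_CLIENT_SECRET (fail closed
                  # until the Secret exists).
                  - secretRef:
                      name: pomerium
                env:
                  - name: SERVICES
                    value: proxy
                  # With INSECURE_SERVER the :443 listener is plain HTTP; the
                  # https scheme in the route `from:` URLs only holds if a
                  # TLS-terminating load balancer or ingress fronts this pod.
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":443"
                  - name: HTTP_REDIRECT_ADDR
                    value: ":80"
                ports:
                  - containerPort: 443
                    name: https
                  - containerPort: 80
                    name: http
                securityContext:
                  allowPrivilegeEscalation: false
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
                    readOnly: true
            volumes:
              - name: config
                configMap:
                  name: pomerium

---
# Pomerium Proxy Service
# No `type` is set, so this is a ClusterIP Service; whatever exposes it
# externally (and terminates TLS for it) is defined outside this file.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-proxy-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: pomerium-proxy
        namespace: pomerium
      spec:
        selector:
          app: pomerium-proxy
        ports:
          - name: https
            port: 443
            targetPort: 443
          - name: http
            port: 80
            targetPort: 80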