# For detailed explanation of each of the configuration settings see # https://www.pomerium.io/reference/ nameOverride: '' fullnameOverride: '' # settings that are shared by all services config: # routes under this wildcard domain are handled by pomerium rootDomain: corp.beyondperimeter.com existingSecret: '' existingCASecret: '' ca: cert: '' key: '' sharedSecret: '' cookieSecret: '' forceGenerateServiceSecrets: false existingSharedSecret: '' generateTLS: true generateTLSAnnotations: {} forceGenerateTLS: false generateSigningKey: true forceGenerateSigningKey: false extraOpts: {} existingPolicy: '' insecure: false insecureProxy: false administrators: '' routes: [] existingSigningKeySecret: '' signingKey: '' extraSecretLabels: {} extraSharedSecretLabels: {} authenticate: name: '' fullnameOverride: '' nameOverride: '' existingTLSSecret: '' existingExternalTLSSecret: '' proxied: true # see https://www.pomerium.io/docs/identity-providers.html idp: provider: google clientID: 'REPLACE_ME' clientSecret: 'REPLACE_ME' url: '' scopes: '' serviceAccount: '' tls: cert: '' key: '' defaultSANList: [] defaultIPList: [] replicaCount: 1 autoscaling: enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 pdb: enabled: false minAvailable: 1 service: annotations: {} nodePort: '' type: ClusterIP deployment: annotations: {} extraEnv: {} podAnnotations: {} serviceAccount: annotations: {} nameOverride: '' ingress: # cert-manager example # annotations: # cert-manager.io/cluster-issuer: letsencrypt-prod annotations: {} tls: secretName: '' # secretName: authenticate-ingress-tls authorize: fullnameOverride: '' nameOverride: '' existingTLSSecret: '' tls: cert: '' key: '' defaultSANList: [] defaultIPList: [] replicaCount: 1 autoscaling: enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 pdb: enabled: false minAvailable: 1 service: annotations: {} type: ClusterIP clusterIP: None deployment: annotations: {} extraEnv: {} podAnnotations: {} serviceAccount: annotations: {} nameOverride: '' databroker: fullnameOverride: '' nameOverride: '' existingTLSSecret: '' tls: cert: '' key: '' defaultSANList: [] defaultIPList: [] replicaCount: 1 pdb: enabled: false minAvailable: 1 service: annotations: {} type: ClusterIP clusterIP: None deployment: annotations: {} extraEnv: {} podAnnotations: {} serviceAccount: annotations: {} nameOverride: '' storage: type: 'memory' connectionString: '' tlsSkipVerify: false clientTLS: existingSecretName: '' existingCASecretKey: '' cert: '' key: '' ca: '' proxy: fullnameOverride: '' nameOverride: '' existingTLSSecret: '' tls: cert: '' key: '' defaultSANList: [] defaultIPList: [] replicaCount: 1 autoscaling: enabled: false minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 pdb: enabled: false minAvailable: 1 authenticateServiceUrl: '' authorizeInternalUrl: '' service: annotations: {} nodePort: '' type: '' externalIPs: [] deployment: annotations: {} extraEnv: {} podAnnotations: {} serviceAccount: annotations: {} nameOverride: '' redirectServer: true apiProxy: enabled: false ingress: true fullNameOverride: '' name: 'kubernetes' ingressController: enabled: false ingressClassResource: enabled: true default: false name: pomerium controllerName: pomerium.io/ingress-controller parameters: {} defaultCertSecret: '' fullnameOverride: '' nameOverride: '' image: repository: 'pomerium/ingress-controller' tag: 'sha-54e3ddc' pullPolicy: IfNotPresent deployment: annotations: {} extraEnv: {} podAnnotations: {} serviceAccount: annotations: {} nameOverride: '' config: namespaces: [] ingressClass: pomerium.io/ingress-controller updateStatus: true operatorMode: false service: annotations: {} type: ClusterIP forwardAuth: name: '' enabled: false # Will not create an ingress. ForwardAuth is ony accessible as internal service. internal: false service: # externalPort defaults to 80 or 443 depending on config.insecure externalPort: '' annotations: {} # === GKE load balancer tweaks; default on until I can figure out # how the hell to escape this string from the helm CLI # cloud.google.com/app-protocols: '{"https":"HTTPS"}' labels: {} grpcTrafficPort: nameOverride: '' httpTrafficPort: nameOverride: '' ingress: secretName: '' secret: name: 'pomerium-tls' cert: '' key: '' tls: hosts: [] enabled: true hosts: [] # Sets Ingress/ingressClassName. This way ingress resources are able to bound specific ingress-controllers. Kubernetes version >=1.18 required. # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class # className: "" annotations: {} # === nginx tweaks # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" # === GKE load balancer tweaks; default on until I can figure out # how the hell to escape this string from the helm CLI # kubernetes.io/ingress.allow-http: "false" # Ingress pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers pathType: ImplementationSpecific resources: {} # limits: # cpu: 1 # memory: 600Mi # requests: # cpu: 100m # memory: 300Mi priorityClassName: '' # Affinity for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} # Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ tolerations: [] # Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ nodeSelector: {} podAnnotations: {} podLabels: {} replicaCount: 1 # For any other settings that are optional. for a complete listing see: # https://www.pomerium.io/docs/config-reference.html extraEnv: {} extraEnvFrom: [] extraArgs: {} extraVolumes: [] extraVolumeMounts: [] extraTLSSecrets: [] annotations: {} imagePullSecrets: '' image: repository: 'pomerium/pomerium' tag: 'v0.22.1' pullPolicy: IfNotPresent metrics: enabled: false port: 9090 tracing: enabled: false provider: '' debug: false jaeger: collector_endpoint: '' agent_endpoint: '' serviceMonitor: enabled: false namespace: '' labels: release: prometheus rbac: create: true redis: enabled: false auth: existingSecret: pomerium-redis-password existingSecretPasswordKey: password createSecret: true generateTLS: true forceGenerateTLS: false replica: replicaCount: 1 tls: enabled: true certificatesSecret: pomerium-redis-tls certFilename: tls.crt certKeyFilename: tls.key certCAFilename: ca.crt