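---
# Pomerium All-In-One Deployment (single process, no Helm)
#
# Four Crossplane-managed objects in the `pomerium` namespace:
#   1. ConfigMap  - Pomerium config.yaml (listeners, IdP, routes)
#   2. Secret     - shared_secret / cookie_secret / idp_client_secret
#   3. Deployment - one pod running Pomerium with SERVICES=all
#   4. Service    - ClusterIP in front of the pod (80, 443)
#
# Credentials are deliberately kept out of the ConfigMap and injected
# into the container from the Secret as environment variables
# (SHARED_SECRET, COOKIE_SECRET, IDP_CLIENT_SECRET), so a reader with
# ConfigMap access does not also get the signing keys.

# ConfigMap for Pomerium configuration
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-config
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: pomerium-allinone
        namespace: pomerium
      data:
        config.yaml: |
          # Core configuration
          address: ":443"
          http_redirect_addr: ":80"

          # Security keys (shared_secret, cookie_secret) and the IdP
          # client secret are NOT set here. They are supplied by the
          # pomerium-allinone-secrets Secret through the SHARED_SECRET,
          # COOKIE_SECRET and IDP_CLIENT_SECRET environment variables.

          # Run in insecure mode (no TLS certs required).
          # The :443 listener is therefore plain HTTP; TLS has to be
          # terminated by whatever sits in front of the Service.
          insecure_server: true

          # Service URLs (internal)
          authenticate_service_url: https://authenticate.nge6.com

          # Identity provider
          idp_provider: oidc
          idp_provider_url: https://auth.nge6.com/realms/kubernetes-realm
          idp_client_id: pomerium
          idp_scopes:
            - openid
            - profile
            - email

          # Routes
          # Convention: allow_public_unauthenticated_access is used only
          # where the upstream performs its own authentication
          # (Keycloak, Vaultwarden API, Forgejo git/registry endpoints);
          # web UIs require a Pomerium-authenticated user.
          routes:
            # Keycloak admin
            # NOTE(review): the whole Keycloak host, including the admin
            # console, is reachable without Pomerium auth here; Keycloak's
            # own login is the only gate. Consider an authenticated route
            # for the admin path if that is not intended.
            - from: https://keycloak.nge6.com
              to: http://keycloak-http.auth-system.svc.cluster.local
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Vaultwarden SSO/OAuth endpoints only (needed for authentication flow)
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              prefix: /identity/connect
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              prefix: /identity/sso
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Vaultwarden API endpoints (protected by Vaultwarden's own auth)
            # NOTE(review): this exposes the entire /api prefix without
            # Pomerium auth; confirm on the Vaultwarden side that
            # unauthenticated endpoints under /api (e.g. self-signup)
            # are disabled.
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              prefix: /api
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Vaultwarden web UI - requires Pomerium authentication
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              preserve_host_header: true
              allow_any_authenticated_user: true

            # Forgejo container registry token endpoint (Docker auth)
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              prefix: /v2/token
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Forgejo Git HTTP protocol (push/pull - Forgejo handles auth)
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              regex: /.+/info/refs
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              regex: /.+/git-upload-pack
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              regex: /.+/git-receive-pack
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Forgejo Git web UI - requires authentication
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              preserve_host_header: true
              allow_any_authenticated_user: true

            # Argo Workflows UI - requires authentication
            - from: https://workflows.nge6.com
              to: http://argo-server.argo.svc.cluster.local:2746
              preserve_host_header: true
              allow_any_authenticated_user: true
---
# Secret holding the Pomerium credentials.
# NOTE(review): these three values were previously committed in
# plaintext inside the ConfigMap above. Moving them into a Secret
# limits who can read them in-cluster, but they are still present in
# this file: rotate them and populate this Secret from a secret
# manager rather than from source control.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-secret
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        name: pomerium-allinone-secrets
        namespace: pomerium
      type: Opaque
      stringData:
        # 32 bytes, base64-encoded
        shared_secret: "5Cz7gj71G5ujzH9HIc1XgwabUXCdJ3st9649gNlknrI="
        # 32 bytes, base64-encoded
        cookie_secret: "SXzBgU9L72OI+QCD9lEOxXcjApyE+4oIbetqtveNcjc="
        # OIDC client secret for client_id "pomerium" in the IdP realm
        idp_client_secret: "U3Elh0oZEazKRpHpIasgP8yovUGsvq5K"
---
# Pomerium All-In-One Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: pomerium-allinone
        namespace: pomerium
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: pomerium-allinone
        template:
          metadata:
            labels:
              app: pomerium-allinone
          spec:
            containers:
              - name: pomerium
                image: pomerium/pomerium:v0.25.0
                args:
                  - --config=/etc/pomerium/config.yaml
                env:
                  # Run all services in one container
                  - name: SERVICES
                    value: all
                  - name: INSECURE_SERVER
                    value: "true"
                  # Credentials come from the Secret, not the ConfigMap
                  - name: SHARED_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: pomerium-allinone-secrets
                        key: shared_secret
                  - name: COOKIE_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: pomerium-allinone-secrets
                        key: cookie_secret
                  - name: IDP_CLIENT_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: pomerium-allinone-secrets
                        key: idp_client_secret
                ports:
                  # Named "https" for compatibility with the Service
                  # below, but with insecure_server=true this is HTTP.
                  - containerPort: 443
                    name: https
                  - containerPort: 80
                    name: http
                # Pomerium answers /ping on its main listener; scheme is
                # HTTP because of insecure_server.
                readinessProbe:
                  httpGet:
                    path: /ping
                    port: https
                    scheme: HTTP
                  initialDelaySeconds: 5
                  periodSeconds: 10
                livenessProbe:
                  httpGet:
                    path: /ping
                    port: https
                    scheme: HTTP
                  initialDelaySeconds: 15
                  periodSeconds: 20
                securityContext:
                  # No setuid/setcap escalation needed by the process
                  allowPrivilegeEscalation: false
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
                    readOnly: true
                resources:
                  requests:
                    cpu: 100m
                    memory: 128Mi
                  limits:
                    cpu: 1000m
                    memory: 512Mi
            volumes:
              - name: config
                configMap:
                  name: pomerium-allinone
---
# Pomerium All-In-One Service
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: pomerium-allinone
        namespace: pomerium
      spec:
        selector:
          app: pomerium-allinone
        ports:
          # Plain HTTP behind the "https" name (insecure_server=true);
          # TLS must be terminated upstream of this Service.
          - name: https
            port: 443
            targetPort: 443
          - name: http
            port: 80
            targetPort: 80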