infrastructure/pomerium-allinone.yaml
Infrastructure Admin f29a8833de Add Pomerium passthrough for git HTTP protocol and Forgejo API
Allows git push/pull and Docker registry token exchange to bypass
Pomerium browser auth - Forgejo handles authentication natively
for these endpoints.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 18:13:21 -04:00


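# Pomerium All-In-One Deployment (single process, no Helm)
#
# Three Crossplane `Object` resources wrap the raw Kubernetes manifests
# (ConfigMap, Deployment, Service) that run one Pomerium process in the
# `pomerium` namespace.
#
# SECURITY NOTES
# - No secrets live in this file. `shared_secret`, `cookie_secret` and
#   `idp_client_secret` are read by Pomerium from the SHARED_SECRET,
#   COOKIE_SECRET and IDP_CLIENT_SECRET environment variables, which the
#   Deployment below sources from the Kubernetes Secret
#   `pomerium-allinone-secrets` (namespace `pomerium`). That Secret is created
#   out of band (sealed/external secret, never committed here). Any values that
#   were previously committed to this repository remain in git history and must
#   be rotated, not reused.
# - `insecure_server: true` makes Pomerium serve plaintext on :443, so it MUST
#   sit behind a TLS-terminating load balancer/ingress and must never be
#   reachable directly. The Service port named `https` carries plaintext.
# - Every route marked `allow_public_unauthenticated_access` bypasses Pomerium
#   authorization entirely and relies on the upstream's own authentication.
#   Keep such routes as narrow as the protocol requires.
---
# ConfigMap for Pomerium configuration
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-config
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: pomerium-allinone
        namespace: pomerium
      data:
        config.yaml: |
          # Core configuration
          address: ":443"
          http_redirect_addr: ":80"
          # The signing/cookie secrets and the IdP client secret are deliberately
          # absent from this ConfigMap: Pomerium reads them from the
          # SHARED_SECRET, COOKIE_SECRET and IDP_CLIENT_SECRET environment
          # variables set on the Deployment (pomerium-allinone-deployment).
          # Run in insecure mode (no TLS certs required): plaintext on :443.
          # Only valid behind a TLS-terminating proxy (see file header).
          insecure_server: true
          # Service URLs (internal)
          authenticate_service_url: https://authenticate.nge6.com
          # Identity provider
          idp_provider: oidc
          idp_provider_url: https://auth.nge6.com/realms/kubernetes-realm
          idp_client_id: pomerium
          idp_scopes:
            - openid
            - profile
            - email
          # Routes
          # The narrow passthrough routes are listed before each host's
          # catch-all. Keep that order when adding routes; do not rely on
          # Pomerium reordering routes by specificity.
          routes:
            # Keycloak: the whole host is passed through unauthenticated and
            # only Keycloak's own login applies. The OIDC endpoints Pomerium
            # itself uses are on auth.nge6.com, so if this host exists only for
            # the admin console, consider gating it (e.g. a preceding
            # `prefix: /admin` route with `allow_any_authenticated_user: true`)
            # instead of leaving it fully public.
            - from: https://keycloak.nge6.com
              to: http://keycloak-http.auth-system.svc.cluster.local
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            # Vaultwarden SSO/OAuth endpoints only (needed for authentication flow)
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              prefix: /identity/connect
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              prefix: /identity/sso
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            # Vaultwarden API endpoints (protected by Vaultwarden's own auth).
            # NOTE(review): this also exposes whatever Vaultwarden serves
            # unauthenticated under /api (account registration, if enabled), so
            # Vaultwarden's own signup restrictions are the only gate here;
            # verify they are configured as intended.
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              prefix: /api
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            # Vaultwarden web UI - requires Pomerium authentication
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              preserve_host_header: true
              allow_any_authenticated_user: true
            # Forgejo container registry token endpoint (Docker auth).
            # Exact `path` match rather than `prefix`, so nothing else under
            # /v2/token* is accidentally opened. Docker clients cannot follow
            # Pomerium's browser login redirect; if the registry data endpoints
            # (presumably the rest of /v2/) are expected to work for them, those
            # need their own passthrough too, with Forgejo enforcing token auth.
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              path: /v2/token
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            # Forgejo Git HTTP protocol (push/pull - Forgejo handles auth).
            # Only the three smart-HTTP endpoints are opened; Forgejo still
            # enforces repository visibility and credentials on each of them.
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              regex: /.+/info/refs
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              regex: /.+/git-upload-pack
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              regex: /.+/git-receive-pack
              preserve_host_header: true
              allow_public_unauthenticated_access: true
            # Forgejo Git web UI - requires authentication
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              preserve_host_header: true
              allow_any_authenticated_user: true
            # Argo Workflows UI - requires authentication
            - from: https://workflows.nge6.com
              to: http://argo-server.argo.svc.cluster.local:2746
              preserve_host_header: true
              allow_any_authenticated_user: true
---
# Pomerium All-In-One Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: pomerium-allinone
        namespace: pomerium
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: pomerium-allinone
        template:
          metadata:
            labels:
              app: pomerium-allinone
          spec:
            # Nothing in this configuration talks to the Kubernetes API, so do
            # not hand the pod a service-account token it would never use.
            automountServiceAccountToken: false
            securityContext:
              seccompProfile:
                type: RuntimeDefault
            containers:
              - name: pomerium
                image: pomerium/pomerium:v0.25.0
                args:
                  - --config=/etc/pomerium/config.yaml
                securityContext:
                  allowPrivilegeEscalation: false
                  capabilities:
                    drop:
                      - ALL
                    # Pomerium listens on :443 and :80; keep the one capability
                    # needed to bind them if the process starts as root, so that
                    # dropping ALL above does not break the listeners.
                    add:
                      - NET_BIND_SERVICE
                env:
                  # Run all services in one container
                  - name: SERVICES
                    value: all
                  - name: INSECURE_SERVER
                    value: "true"
                  # Secrets are injected from a Kubernetes Secret, never from the
                  # ConfigMap. Create `pomerium-allinone-secrets` in the
                  # `pomerium` namespace with keys `shared_secret` and
                  # `cookie_secret` (each 32 random bytes, base64-encoded) and
                  # `idp_client_secret` (the OIDC client secret) before rollout.
                  - name: SHARED_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: pomerium-allinone-secrets
                        key: shared_secret
                  - name: COOKIE_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: pomerium-allinone-secrets
                        key: cookie_secret
                  - name: IDP_CLIENT_SECRET
                    valueFrom:
                      secretKeyRef:
                        name: pomerium-allinone-secrets
                        key: idp_client_secret
                ports:
                  # Plaintext despite the name: see insecure_server in the ConfigMap.
                  - containerPort: 443
                    name: https
                  - containerPort: 80
                    name: http
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
                resources:
                  requests:
                    cpu: 100m
                    memory: 128Mi
                  limits:
                    cpu: 1000m
                    memory: 512Mi
            volumes:
              - name: config
                configMap:
                  name: pomerium-allinone
---
# Pomerium All-In-One Service (ClusterIP; reached only through the
# TLS-terminating ingress/load balancer that fronts Pomerium)
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: pomerium-allinone-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: pomerium-allinone
        namespace: pomerium
      spec:
        selector:
          app: pomerium-allinone
        ports:
          # Port 443 carries plaintext HTTP (insecure_server: true); the name is
          # kept for compatibility with anything already referencing it.
          - name: https
            port: 443
            targetPort: 443
          - name: http
            port: 80
            targetPort: 80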