- Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment) - Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes - Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes - Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling - Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API - Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling - Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required) - Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls - Fix DNS records for new Emissary LB IP (212.2.241.28) - Fix CoreDNS crash from invalid custom config - Fix Emissary apiext expired webhook CA certificate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Pomerium Native Kubernetes Deployment (No Helm!)
#
# Every document in this file is a Crossplane `Object` (provider-kubernetes)
# whose `spec.forProvider.manifest` is the plain Kubernetes resource that is
# created in the `pomerium` namespace. The `pomerium` namespace itself is not
# created here; it already exists from the previous deployment.
#
# NOTE(review): the embedded config.yaml carries three credentials in plain
# text (shared_secret, cookie_secret, idp_client_secret) inside a ConfigMap,
# i.e. not a Secret, in a file that is under version control. Treat them as
# exposed: rotate them and move them into a Kubernetes Secret, handed to the
# containers the same way the Deployments below already pass SERVICES/ADDRESS
# (upper-case env vars), so that this ConfigMap holds no credentials.
# NOTE(review): the keycloak.nge6.com route is fully public
# (allow_public_unauthenticated_access), which includes the Keycloak admin
# console; the inline comment says this is only for initial setup. Only the
# realm endpoints under /realms/ must stay reachable for the OIDC login flow
# (see idp_provider_url), so narrow or drop the public access afterwards.
# NOTE(review): insecure_server makes Pomerium itself speak plain HTTP; TLS
# is presumably terminated in front of it (the commit mentions an Emissary
# load balancer) — confirm no client traffic reaches the proxy unencrypted.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-config
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: ConfigMap
      apiVersion: v1
      metadata:
        namespace: pomerium
        name: pomerium
      data:
        # The block scalar below is the verbatim Pomerium config file that
        # every Pomerium pod mounts at /etc/pomerium/config.yaml; comments
        # inside it are part of the ConfigMap value.
        config.yaml: |
          # Core configuration
          address: :443
          grpc_address: :5443

          # Security keys
          shared_secret: 5Cz7gj71G5ujzH9HIc1XgwabUXCdJ3st9649gNlknrI=
          cookie_secret: SXzBgU9L72OI+QCD9lEOxXcjApyE+4oIbetqtveNcjc=

          # Service URLs
          authenticate_service_url: https://authenticate.nge6.com
          authorize_service_url: http://pomerium-authorize.pomerium.svc.cluster.local:5443
          databroker_service_url: http://pomerium-databroker.pomerium.svc.cluster.local:5443

          # Run in insecure mode for internal cluster communication
          insecure_server: true

          # Identity provider
          idp_provider: oidc
          idp_provider_url: https://keycloak.nge6.com/realms/kubernetes-realm
          idp_client_id: pomerium
          idp_client_secret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x
          idp_scopes:
            - openid
            - profile
            - email

          # Routes
          routes:
            # Keycloak admin (public for initial setup)
            - from: https://keycloak.nge6.com
              to: http://keycloak-http.auth-system.svc.cluster.local
              preserve_host_header: true
              allow_public_unauthenticated_access: true

            # Vaultwarden - requires authentication
            - from: https://vault.nge6.com
              to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
              preserve_host_header: true
              allow_any_authenticated_user: true

            # Forgejo Git - requires authentication
            - from: https://git.nge6.com
              to: http://forgejo-http.forgejo.svc.cluster.local:3000
              preserve_host_header: true
              allow_any_authenticated_user: true

            # Authentication endpoint
            - from: https://authenticate.nge6.com
              to: http://pomerium-authenticate.pomerium.svc.cluster.local
              allow_public_unauthenticated_access: true
---
# Pomerium Authenticate Deployment
#
# A single Pomerium pod running only the `authenticate` service (SERVICES
# env). Environment variables take precedence over the mounted config.yaml,
# which is why this pod listens on :80 although the ConfigMap says :443.
# NOTE(review): no resource requests/limits, readiness/liveness probes or
# securityContext are set on this pod.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-authenticate-deployment
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Deployment
      apiVersion: apps/v1
      metadata:
        namespace: pomerium
        name: pomerium-authenticate
      spec:
        replicas: 1
        selector:
          matchLabels: {app: pomerium-authenticate}
        template:
          metadata:
            labels: {app: pomerium-authenticate}
          spec:
            volumes:
              # Shared Pomerium config, read from /etc/pomerium/config.yaml.
              - name: config
                configMap: {name: pomerium}
            containers:
              - name: pomerium
                image: pomerium/pomerium:v0.25.0
                args: ["--config=/etc/pomerium/config.yaml"]
                env:
                  - name: SERVICES
                    value: authenticate
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":80"
                  - name: GRPC_ADDRESS
                    value: ":5443"
                  - name: GRPC_INSECURE
                    value: "true"
                ports:
                  - name: http
                    containerPort: 80
                  - name: grpc
                    containerPort: 5443
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
---
# Pomerium Authenticate Service
#
# ClusterIP (default type) in front of the authenticate pod: plain HTTP on 80
# for the proxy's authenticate route, gRPC on 5443 for the other services.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-authenticate-service
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Service
      apiVersion: v1
      metadata:
        namespace: pomerium
        name: pomerium-authenticate
      spec:
        selector: {app: pomerium-authenticate}
        ports:
          - name: http
            port: 80
            targetPort: 80
          - name: grpc
            port: 5443
            targetPort: 5443
---
# Pomerium Authorize Deployment
#
# A single Pomerium pod running only the `authorize` service (SERVICES env).
# The proxy reaches it over plain gRPC on 5443 (GRPC_INSECURE, matching the
# http:// authorize_service_url in the ConfigMap).
# NOTE(review): no resource requests/limits, readiness/liveness probes or
# securityContext are set on this pod.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-authorize-deployment
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Deployment
      apiVersion: apps/v1
      metadata:
        namespace: pomerium
        name: pomerium-authorize
      spec:
        replicas: 1
        selector:
          matchLabels: {app: pomerium-authorize}
        template:
          metadata:
            labels: {app: pomerium-authorize}
          spec:
            volumes:
              # Shared Pomerium config, read from /etc/pomerium/config.yaml.
              - name: config
                configMap: {name: pomerium}
            containers:
              - name: pomerium
                image: pomerium/pomerium:v0.25.0
                args: ["--config=/etc/pomerium/config.yaml"]
                env:
                  - name: SERVICES
                    value: authorize
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":80"
                  - name: GRPC_ADDRESS
                    value: ":5443"
                  - name: GRPC_INSECURE
                    value: "true"
                ports:
                  - name: http
                    containerPort: 80
                  - name: grpc
                    containerPort: 5443
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
---
# Pomerium Authorize Service
#
# ClusterIP (default type) in front of the authorize pod; the name and port
# 5443 match the authorize_service_url in the ConfigMap.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-authorize-service
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Service
      apiVersion: v1
      metadata:
        namespace: pomerium
        name: pomerium-authorize
      spec:
        selector: {app: pomerium-authorize}
        ports:
          - name: http
            port: 80
            targetPort: 80
          - name: grpc
            port: 5443
            targetPort: 5443
---
# Pomerium Databroker Deployment
#
# A single Pomerium pod running only the `databroker` service (SERVICES env),
# reached over plain gRPC on 5443 by the other services.
# NOTE(review): the ConfigMap sets no databroker storage backend, so this
# single replica presumably keeps sessions in memory and loses them on every
# pod restart — confirm, and configure persistent storage if that matters.
# NOTE(review): no resource requests/limits, readiness/liveness probes or
# securityContext are set on this pod.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-databroker-deployment
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Deployment
      apiVersion: apps/v1
      metadata:
        namespace: pomerium
        name: pomerium-databroker
      spec:
        replicas: 1
        selector:
          matchLabels: {app: pomerium-databroker}
        template:
          metadata:
            labels: {app: pomerium-databroker}
          spec:
            volumes:
              # Shared Pomerium config, read from /etc/pomerium/config.yaml.
              - name: config
                configMap: {name: pomerium}
            containers:
              - name: pomerium
                image: pomerium/pomerium:v0.25.0
                args: ["--config=/etc/pomerium/config.yaml"]
                env:
                  - name: SERVICES
                    value: databroker
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":80"
                  - name: GRPC_ADDRESS
                    value: ":5443"
                  - name: GRPC_INSECURE
                    value: "true"
                ports:
                  - name: http
                    containerPort: 80
                  - name: grpc
                    containerPort: 5443
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
---
# Pomerium Databroker Service
#
# ClusterIP (default type) in front of the databroker pod; the name and port
# 5443 match the databroker_service_url in the ConfigMap.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-databroker-service
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Service
      apiVersion: v1
      metadata:
        namespace: pomerium
        name: pomerium-databroker
      spec:
        selector: {app: pomerium-databroker}
        ports:
          - name: http
            port: 80
            targetPort: 80
          - name: grpc
            port: 5443
            targetPort: 5443
---
# Pomerium Proxy Deployment (the main ingress point)
#
# A single Pomerium pod running only the `proxy` service (SERVICES env). It
# serves the routes from the ConfigMap on :443 — as plain HTTP, because
# INSECURE_SERVER is set — and redirects :80 to HTTPS (HTTP_REDIRECT_ADDR).
# Unlike the other pods it sets no GRPC_ADDRESS, so the ConfigMap's
# grpc_address (:5443) applies but is not exposed as a container port.
# NOTE(review): no resource requests/limits, readiness/liveness probes or
# securityContext are set on this pod.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-proxy-deployment
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Deployment
      apiVersion: apps/v1
      metadata:
        namespace: pomerium
        name: pomerium-proxy
      spec:
        replicas: 1
        selector:
          matchLabels: {app: pomerium-proxy}
        template:
          metadata:
            labels: {app: pomerium-proxy}
          spec:
            volumes:
              # Shared Pomerium config, read from /etc/pomerium/config.yaml.
              - name: config
                configMap: {name: pomerium}
            containers:
              - name: pomerium
                image: pomerium/pomerium:v0.25.0
                args: ["--config=/etc/pomerium/config.yaml"]
                env:
                  - name: SERVICES
                    value: proxy
                  - name: INSECURE_SERVER
                    value: "true"
                  - name: ADDRESS
                    value: ":443"
                  - name: HTTP_REDIRECT_ADDR
                    value: ":80"
                ports:
                  - name: https
                    containerPort: 443
                  - name: http
                    containerPort: 80
                volumeMounts:
                  - name: config
                    mountPath: /etc/pomerium
---
# Pomerium Proxy Service
#
# ClusterIP (default type) in front of the proxy pod. Despite the `https`
# port name, the proxy serves plain HTTP on 443 (INSECURE_SERVER); the
# external load balancer in front of this Service is expected to terminate
# TLS.
kind: Object
apiVersion: kubernetes.crossplane.io/v1alpha2
metadata:
  namespace: crossplane-system
  name: pomerium-proxy-service
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      kind: Service
      apiVersion: v1
      metadata:
        namespace: pomerium
        name: pomerium-proxy
      spec:
        selector: {app: pomerium-proxy}
        ports:
          - name: https
            port: 443
            targetPort: 443
          - name: http
            port: 80
            targetPort: 80