eemoore/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infrastructure/pomerium.yaml
Infrastructure Admin 0dee133377 Add Argo Workflows, mTLS container registry, and fix infrastructure 
- Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment)
- Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes
- Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes
- Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling
- Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API
- Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling
- Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required)
- Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls
- Fix DNS records for new Emissary LB IP (212.2.241.28)
- Fix CoreDNS crash from invalid custom config
- Fix Emissary apiext expired webhook CA certificate

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 21:23:12 -04:00

69 lines
2.3 KiB
YAML
Raw Permalink Blame History

# Pomerium Helm release
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
name: pomerium
namespace: crossplane-system
spec:
providerConfigRef:
name: helm-provider
forProvider:
chart:
name: pomerium
repository: https://helm.pomerium.io
version: 34.0.1
namespace: pomerium
values:
config:
# Pomerium configuration
rootDomain: nge6.com
# Shared secret for service communication
sharedSecret: "YWJjZGVmZ2hpams="
# Cookie secret for session management
cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="
# Routes for protected applications
routes:
# Allow public access to all Keycloak for testing
- from: https://keycloak.nge6.com
to: http://keycloak-http.auth-system.svc.cluster.local
preserve_host_header: true
allow_public_unauthenticated_access: true
# Forgejo Git service - require authentication
- from: https://git.nge6.com
to: http://forgejo-http.forgejo.svc.cluster.local:3000
preserve_host_header: true
allow_any_authenticated_user: true
# Forgejo Git service - require authentication (HTTP)
- from: http://git.nge6.com
to: http://forgejo-http.forgejo.svc.cluster.local:3000
preserve_host_header: true
allow_any_authenticated_user: true
# Vaultwarden password manager - require authentication
- from: https://vault.nge6.com
to: http://vaultwarden-http.vaultwarden.svc.cluster.local:8080
preserve_host_header: true
allow_any_authenticated_user: true
# Authentication service configuration
authenticate:
proxied: true
idp:
provider: oidc
url: https://keycloak.nge6.com/realms/kubernetes-realm
clientID: pomerium
clientSecret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x
# Manual OIDC endpoint configuration to bypass discovery
scopes: ["openid", "profile", "email"]
# Disable automatic ingress generation
ingress:
enabled: false
# Service configuration for proxy
proxy:
service:
type: ClusterIP
Reference in a new issue View git blame Copy permalink