Added to kustomization.yaml: - namespaces.yaml: Centralized namespace management - auth/: Keycloak authentication system - keycloak-config.yaml: Identity provider configuration - sealed-secrets.yaml: Secret encryption system Fixed namespace conflicts: - Removed duplicate pomerium-namespace from pomerium.yaml - Removed duplicate external-dns-namespace from external-dns.yaml - All namespaces now managed centrally via namespaces.yaml Now managing 72 Kubernetes resources via GitOps: ✅ Infrastructure: Crossplane providers, external-dns ✅ Certificates: cert-manager, Let's Encrypt, Gandi webhook ✅ Authentication: Keycloak, RBAC configs ✅ Applications: Forgejo, Pomerium, Vaultwarden ✅ Security: Sealed secrets, proper RBAC 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
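# Pomerium Helm release (Crossplane provider-helm)
#
# Security notes:
#   - This manifest is committed to Git and copied verbatim into the Release
#     object's spec, so anything written inline under `values` ends up in repo
#     history and in the cluster API. The three secret values (Pomerium shared
#     secret, cookie secret, Keycloak OIDC client secret) are therefore no longer
#     inlined; they are merged in through `spec.forProvider.valuesFrom` from a
#     Kubernetes Secret that is created out of band (e.g. with the sealed-secrets
#     controller this repo adds). The chart value names are unchanged.
#   - The values that were previously inlined must be treated as compromised:
#     the shared/cookie secrets decoded to short ASCII strings ("abcdefghijk",
#     "mysecretcookiesecret"), not the 256-bit random keys Pomerium expects, and
#     the Keycloak client secret was stored in clear text. Regenerate the two
#     Pomerium keys (`head -c 32 /dev/urandom | base64`) and rotate the client
#     secret in Keycloak.
---
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: pomerium
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: helm-provider
  forProvider:
    chart:
      name: pomerium
      repository: https://helm.pomerium.io
      version: "34.0.1"
    namespace: pomerium

    # Secret material is supplied from a Secret instead of being inlined.
    # The referenced key must contain a YAML values fragment of the form:
    #   config:
    #     sharedSecret: <base64 of 32 random bytes>
    #     cookieSecret: <base64 of 32 random bytes>
    #   authenticate:
    #     idp:
    #       clientSecret: <Keycloak client secret for client "pomerium">
    # NOTE(review): the Secret name/key below are placeholders — align them with
    # the sealed-secrets manifests and create the Secret before this Release is
    # reconciled. Verify `valuesFrom.secretKeyRef` against the provider-helm
    # version in use.
    valuesFrom:
      - secretKeyRef:
          namespace: pomerium
          name: pomerium-helm-secrets
          key: values.yaml

    values:
      config:
        # Pomerium configuration
        rootDomain: nge6.com

        # Routes for protected applications
        routes:
          # Keycloak is public on purpose: the OIDC browser flow needs the realm
          # endpoints reachable without a Pomerium session. Note that this route
          # has no path restriction, so the Keycloak admin console (/admin) is
          # reachable through it as well.
          # TODO(review): before this leaves testing, restrict /admin (for
          # example a separate, path-scoped route with an allow-list policy).
          - from: https://keycloak.nge6.com
            to: http://keycloak-http.auth-system.svc.cluster.local
            preserve_host_header: true
            allow_public_unauthenticated_access: true
          # Forgejo Git service - any user authenticated at the IdP
          - from: https://git.nge6.com
            to: http://forgejo-http.forgejo.svc.cluster.local:3000
            preserve_host_header: true
            allow_any_authenticated_user: true
          # Forgejo Git service - plain-HTTP variant of the route above.
          # NOTE(review): this exposes an authenticated application over
          # clear-text HTTP. Pomerium's HTTP listener normally only redirects to
          # HTTPS; confirm whether this route is reachable at all and drop it if
          # the HTTPS route suffices — session cookies must never travel over
          # plain HTTP.
          - from: http://git.nge6.com
            to: http://forgejo-http.forgejo.svc.cluster.local:3000
            preserve_host_header: true
            allow_any_authenticated_user: true

      # Authentication service configuration
      authenticate:
        # The authenticate service is served through the proxy on the root
        # domain rather than on its own ingress.
        proxied: true
        idp:
          provider: oidc
          # Keycloak realm issuer; Pomerium uses OIDC discovery against this URL.
          url: https://keycloak.nge6.com/realms/kubernetes-realm
          clientID: pomerium
          # clientSecret is intentionally absent here — see valuesFrom above.
          scopes: ["openid", "profile", "email"]

      # Disable automatic ingress generation; exposure is handled elsewhere.
      ingress:
        enabled: false

      # Service configuration for proxy: cluster-internal only.
      proxy:
        service:
          type: ClusterIP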