d770504fa5
This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
80 lines
2.4 KiB
YAML
80 lines
2.4 KiB
YAML
# Pomerium namespace
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: pomerium-namespace
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: pomerium
|
|
---
|
|
# Pomerium Helm release
|
|
apiVersion: helm.crossplane.io/v1beta1
|
|
kind: Release
|
|
metadata:
|
|
name: pomerium
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: helm-provider
|
|
forProvider:
|
|
chart:
|
|
name: pomerium
|
|
repository: https://helm.pomerium.io
|
|
version: 34.0.1
|
|
namespace: pomerium
|
|
values:
|
|
config:
|
|
# Pomerium configuration
|
|
rootDomain: nge6.com
|
|
|
|
# Shared secret for service communication
|
|
sharedSecret: "YWJjZGVmZ2hpams="
|
|
|
|
# Cookie secret for session management
|
|
cookieSecret: "bXlzZWNyZXRjb29raWVzZWNyZXQ="
|
|
|
|
# Routes for protected applications
|
|
routes:
|
|
# Allow public access to all Keycloak for testing
|
|
- from: https://keycloak.nge6.com
|
|
to: http://keycloak-http.auth-system.svc.cluster.local
|
|
preserve_host_header: true
|
|
allow_public_unauthenticated_access: true
|
|
# Forgejo Git service - temporarily allow unauthenticated for setup
|
|
- from: https://git.nge6.com
|
|
to: http://forgejo-http.forgejo.svc.cluster.local:3000
|
|
preserve_host_header: true
|
|
allow_public_unauthenticated_access: true
|
|
# Forgejo Git service - temporarily allow unauthenticated for setup (HTTP)
|
|
- from: http://git.nge6.com
|
|
to: http://forgejo-http.forgejo.svc.cluster.local:3000
|
|
preserve_host_header: true
|
|
allow_public_unauthenticated_access: true
|
|
|
|
# Authentication service configuration
|
|
authenticate:
|
|
proxied: true
|
|
idp:
|
|
provider: oidc
|
|
url: https://keycloak.nge6.com/realms/kubernetes-realm
|
|
clientID: pomerium
|
|
clientSecret: 3JFMh3DZDOYlNiSQ64abL0z0bw1WJt3x
|
|
# Manual OIDC endpoint configuration to bypass discovery
|
|
scopes: ["openid", "profile", "email"]
|
|
|
|
# Disable automatic ingress generation
|
|
ingress:
|
|
enabled: false
|
|
|
|
# Service configuration for proxy
|
|
proxy:
|
|
service:
|
|
type: ClusterIP
|
|
|