eemoore/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infrastructure/pomerium/templates/secret.yaml
Infrastructure Admin d770504fa5 Initial infrastructure as code deployment 
This commit includes the complete Kubernetes infrastructure deployment for NGE6:

- Crossplane setup with providers (Kubernetes, Helm, Civo)
- Ambassador/Emissary ingress controller with SSL termination
- Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges
- ExternalDNS integration with Gandi for automatic DNS management
- Keycloak authentication server with PostgreSQL
- Pomerium identity-aware proxy with OIDC integration
- Forgejo Git server with persistent storage and authentication
- Spire/SPIFFE for secure service communication

All services are deployed using Infrastructure as Code principles with
Crossplane managing Kubernetes and Helm resources declaratively.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-23 08:43:06 -04:00

50 lines
1.9 KiB
YAML
Raw Blame History

{{- if not .Values.config.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "pomerium.secretName" . }}
labels:
app.kubernetes.io/name: {{ template "pomerium.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.config.extraSecretLabels }}
{{- range $key, $value := .Values.config.extraSecretLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: Opaque
stringData:
config.yaml: |
{{ include "pomerium.config.static" . | indent 4 -}}
{{ include "pomerium.config.dynamic" . | indent 4 -}}
{{- end }}
---
{{- if not .Values.config.existingSharedSecret }}
{{- $sharedSecret := coalesce .Values.config.sharedSecret (randAscii 32 | b64enc) }}
{{- $cookieSecret := coalesce .Values.config.cookieSecret (randAscii 32 | b64enc) }}
{{- $sharedSecretData := (lookup "v1" "Secret" .Release.Namespace (include "pomerium.sharedSecretName" .) ).data }}
{{- if and $sharedSecretData (not .Values.config.forceGenerateServiceSecrets) }}
{{- $sharedSecret = (index $sharedSecretData "SHARED_SECRET" | b64dec) }}
{{- $cookieSecret = (index $sharedSecretData "COOKIE_SECRET" | b64dec) }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "pomerium.sharedSecretName" . }}
labels:
app.kubernetes.io/name: {{ template "pomerium.name" . }}
helm.sh/chart: {{ template "pomerium.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.config.extraSharedSecretLabels }}
{{- range $key, $value := .Values.config.extraSharedSecretLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: Opaque
data:
SHARED_SECRET: {{ $sharedSecret | b64enc }}
COOKIE_SECRET: {{ $cookieSecret | b64enc }}
{{- end }}
Reference in a new issue View git blame Copy permalink