eemoore/infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infrastructure/pomerium/values.yaml
Infrastructure Admin d770504fa5 Initial infrastructure as code deployment 
This commit includes the complete Kubernetes infrastructure deployment for NGE6:

- Crossplane setup with providers (Kubernetes, Helm, Civo)
- Ambassador/Emissary ingress controller with SSL termination
- Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges
- ExternalDNS integration with Gandi for automatic DNS management
- Keycloak authentication server with PostgreSQL
- Pomerium identity-aware proxy with OIDC integration
- Forgejo Git server with persistent storage and authentication
- Spire/SPIFFE for secure service communication

All services are deployed using Infrastructure as Code principles with
Crossplane managing Kubernetes and Helm resources declaratively.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-23 08:43:06 -04:00

349 lines
7.3 KiB
YAML
Raw Blame History

# For detailed explanation of each of the configuration settings see
# https://www.pomerium.io/reference/
nameOverride: ''
fullnameOverride: ''
# settings that are shared by all services
config:
# routes under this wildcard domain are handled by pomerium
rootDomain: corp.beyondperimeter.com
existingSecret: ''
existingCASecret: ''
ca:
cert: ''
key: ''
sharedSecret: ''
cookieSecret: ''
forceGenerateServiceSecrets: false
existingSharedSecret: ''
generateTLS: true
generateTLSAnnotations: {}
forceGenerateTLS: false
generateSigningKey: true
forceGenerateSigningKey: false
extraOpts: {}
existingPolicy: ''
insecure: false
insecureProxy: false
administrators: ''
routes: []
existingSigningKeySecret: ''
signingKey: ''
extraSecretLabels: {}
extraSharedSecretLabels: {}
authenticate:
name: ''
fullnameOverride: ''
nameOverride: ''
existingTLSSecret: ''
existingExternalTLSSecret: ''
proxied: true
# see https://www.pomerium.io/docs/identity-providers.html
idp:
provider: google
clientID: 'REPLACE_ME'
clientSecret: 'REPLACE_ME'
url: ''
scopes: ''
serviceAccount: ''
tls:
cert: ''
key: ''
defaultSANList: []
defaultIPList: []
replicaCount: 1
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
pdb:
enabled: false
minAvailable: 1
service:
annotations: {}
nodePort: ''
type: ClusterIP
deployment:
annotations: {}
extraEnv: {}
podAnnotations: {}
serviceAccount:
annotations: {}
nameOverride: ''
ingress:
# cert-manager example
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-prod
annotations: {}
tls:
secretName: ''
# secretName: authenticate-ingress-tls
authorize:
fullnameOverride: ''
nameOverride: ''
existingTLSSecret: ''
tls:
cert: ''
key: ''
defaultSANList: []
defaultIPList: []
replicaCount: 1
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
pdb:
enabled: false
minAvailable: 1
service:
annotations: {}
type: ClusterIP
clusterIP: None
deployment:
annotations: {}
extraEnv: {}
podAnnotations: {}
serviceAccount:
annotations: {}
nameOverride: ''
databroker:
fullnameOverride: ''
nameOverride: ''
existingTLSSecret: ''
tls:
cert: ''
key: ''
defaultSANList: []
defaultIPList: []
replicaCount: 1
pdb:
enabled: false
minAvailable: 1
service:
annotations: {}
type: ClusterIP
clusterIP: None
deployment:
annotations: {}
extraEnv: {}
podAnnotations: {}
serviceAccount:
annotations: {}
nameOverride: ''
storage:
type: 'memory'
connectionString: ''
tlsSkipVerify: false
clientTLS:
existingSecretName: ''
existingCASecretKey: ''
cert: ''
key: ''
ca: ''
proxy:
fullnameOverride: ''
nameOverride: ''
existingTLSSecret: ''
tls:
cert: ''
key: ''
defaultSANList: []
defaultIPList: []
replicaCount: 1
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50
pdb:
enabled: false
minAvailable: 1
authenticateServiceUrl: ''
authorizeInternalUrl: ''
service:
annotations: {}
nodePort: ''
type: ''
externalIPs: []
deployment:
annotations: {}
extraEnv: {}
podAnnotations: {}
serviceAccount:
annotations: {}
nameOverride: ''
redirectServer: true
apiProxy:
enabled: false
ingress: true
fullNameOverride: ''
name: 'kubernetes'
ingressController:
enabled: false
ingressClassResource:
enabled: true
default: false
name: pomerium
controllerName: pomerium.io/ingress-controller
parameters: {}
defaultCertSecret: ''
fullnameOverride: ''
nameOverride: ''
image:
repository: 'pomerium/ingress-controller'
tag: 'sha-54e3ddc'
pullPolicy: IfNotPresent
deployment:
annotations: {}
extraEnv: {}
podAnnotations: {}
serviceAccount:
annotations: {}
nameOverride: ''
config:
namespaces: []
ingressClass: pomerium.io/ingress-controller
updateStatus: true
operatorMode: false
service:
annotations: {}
type: ClusterIP
forwardAuth:
name: ''
enabled: false
# Will not create an ingress. ForwardAuth is ony accessible as internal service.
internal: false
service:
# externalPort defaults to 80 or 443 depending on config.insecure
externalPort: ''
annotations:
{}
# === GKE load balancer tweaks; default on until I can figure out
# how the hell to escape this string from the helm CLI
# cloud.google.com/app-protocols: '{"https":"HTTPS"}'
labels: {}
grpcTrafficPort:
nameOverride: ''
httpTrafficPort:
nameOverride: ''
ingress:
secretName: ''
secret:
name: 'pomerium-tls'
cert: ''
key: ''
tls:
hosts: []
enabled: true
hosts: []
# Sets Ingress/ingressClassName. This way ingress resources are able to bound specific ingress-controllers. Kubernetes version >=1.18 required.
# Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
# className: ""
annotations:
{}
# === nginx tweaks
# kubernetes.io/ingress.class: nginx
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
# === GKE load balancer tweaks; default on until I can figure out
# how the hell to escape this string from the helm CLI
# kubernetes.io/ingress.allow-http: "false"
# Ingress pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers
pathType: ImplementationSpecific
resources:
{}
# limits:
# cpu: 1
# memory: 600Mi
# requests:
# cpu: 100m
# memory: 300Mi
priorityClassName: ''
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicaCount: 1
# For any other settings that are optional. for a complete listing see:
# https://www.pomerium.io/docs/config-reference.html
extraEnv: {}
extraEnvFrom: []
extraArgs: {}
extraVolumes: []
extraVolumeMounts: []
extraTLSSecrets: []
annotations: {}
imagePullSecrets: ''
image:
repository: 'pomerium/pomerium'
tag: 'v0.22.1'
pullPolicy: IfNotPresent
metrics:
enabled: false
port: 9090
tracing:
enabled: false
provider: ''
debug: false
jaeger:
collector_endpoint: ''
agent_endpoint: ''
serviceMonitor:
enabled: false
namespace: ''
labels:
release: prometheus
rbac:
create: true
redis:
enabled: false
auth:
existingSecret: pomerium-redis-password
existingSecretPasswordKey: password
createSecret: true
generateTLS: true
forceGenerateTLS: false
replica:
replicaCount: 1
tls:
enabled: true
certificatesSecret: pomerium-redis-tls
certFilename: tls.crt
certKeyFilename: tls.key
certCAFilename: ca.crt
Reference in a new issue View git blame Copy permalink