zero/k8s: deployment manifests (#4763)

* zero/k8s: deployment manifests

* convert to statefulset so that it has persistent volume claim

* use standard ports to avoid config customization for k8s

* add XDG_DATA_HOME mapping
Denis Mishin 2024-01-08 12:08:14 -05:00 committed by GitHub
parent ca71b3ae60
commit c84a251c93
16 changed files with 244 additions and 0 deletions

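--- a/k8s/zero/.gitignore
+++ b/k8s/zero/.gitignore
@@ -0,0 +1 @@
+pomerium-secret.yaml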

k8s/zero/README.md Normal file

@ -0,0 +1,43 @@
# Installing Pomerium Zero
Visit https://console.pomerium.app and register for an account.
# Install base pomerium zero
```shell
kubectl apply -k https://github.com/pomerium/pomerium/k8s/zero?ref=main
```
(that would install an evergreen `main`)
# Create a secret with Pomerium Zero token to complete your installation
```yaml filename="pomerium-secret.yaml"
apiVersion: v1
kind: Secret
metadata:
name: pomerium
namespace: pomerium-zero
type: Opaque
stringData:
pomerium_zero_token:
```
```shell
kubectl apply -f pomerium-secret.yaml
```
Now your Pomerium deployment should be up and running.
# Update Pomerium cluster configuration
1. The externally available address of your Pomerium Cluster should be set to the value assigned by your Load Balancer:
```shell
kubectl get svc/pomerium-proxy -n pomerium-zero -o=jsonpath='{.status.loadBalancer.ingress[0].ip}'
```
2. Because container is configured to run as non-root, the following should be adjusted:
- http redirect address set to `:8080`
- server address set to `:8443`


@ -0,0 +1,15 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
serviceName: "pomerium-proxy"
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: pomerium-zero
template:
spec:
containers:
- name: pomerium
terminationGracePeriodSeconds: 10
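Review bot: The pod template declares no readinessProbe, so the LoadBalancer Service in proxy.yaml starts forwarding client traffic to the pod as soon as the container is running, before the listeners are up; add a probe against the container's health endpoint, e.g. `readinessProbe: {httpGet: {path: <HEALTH_PATH>, port: https, scheme: HTTPS}}` with the path confirmed from the product docs. `serviceName: "pomerium-proxy"` names a LoadBalancer Service, whereas a StatefulSet's governing Service is normally headless (`clusterIP: None`) so that per-pod DNS records exist; with a single replica this may be intentional, but a comment on that line saying so would stop the next reader from "fixing" it.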


@ -0,0 +1,25 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
env:
- name: POMERIUM_ZERO_TOKEN
valueFrom:
secretKeyRef:
name: pomerium
key: pomerium_zero_token
optional: false
- name: POMERIUM_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
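Review bot: `POD_IP` uses a bare `fieldRef` while `POMERIUM_NAMESPACE` spells out `apiVersion: v1` for the same construct two entries above; both are valid (the field defaults to v1), but the two should match. The Zero token is injected as an environment variable, which is inherited by any child process and readable from the process environment; if the application can read the token from a file, a volume-mounted Secret is the usual recommendation, and if it cannot, a one-line comment on `POMERIUM_ZERO_TOKEN` stating that constraint would document the trade-off.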


@ -0,0 +1,12 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
replicas: 1
template:
spec:
containers:
- name: pomerium
image: pomerium/pomerium:main
imagePullPolicy: Always
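Review bot: `image: pomerium/pomerium:main` together with `imagePullPolicy: Always` means every pod restart may pull a different, unreviewed build, there is no way to roll back to a known-good image, and nothing records what was actually deployed; for anything beyond a demo, pin a release tag plus digest, e.g. `image: pomerium/pomerium:<VERSION>@sha256:<DIGEST>`. The README's "evergreen main" remark suggests this is deliberate, in which case a comment on the image line saying so and pointing users at the pinned form would suffice. `replicas: 1` here repeats the value already set in base.yaml; one of the two should go.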


@ -0,0 +1,10 @@
resources:
- base.yaml
patchesStrategicMerge:
- env.yaml
- image.yaml
- ports.yaml
- resources.yaml
- no-root.yaml
- readonly-root-fs.yaml
- volumes.yaml
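Review bot: `patchesStrategicMerge` is deprecated since kustomize v5 (the version bundled with recent kubectl), prints a deprecation warning on every build and is scheduled for removal; the same files should be listed under `patches` as `path` entries. Each file here is a strategic-merge patch against the one StatefulSet, so no `target` selector is needed.
```yaml
resources:
  - base.yaml
patches:
  - path: env.yaml
  - path: image.yaml
  - path: ports.yaml
  - path: resources.yaml
  - path: no-root.yaml
  - path: readonly-root-fs.yaml
  - path: volumes.yaml
```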


@ -0,0 +1,22 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
value: "80"
containers:
- name: pomerium
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
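Review bot: The pod-level `securityContext` sets no `seccompProfile`, so the container runs without a seccomp filter unless the kubelet's `seccompDefault` is enabled, and the pod does not pass the `restricted` Pod Security Standard even though every other restricted requirement (runAsNonRoot, drop ALL, allowPrivilegeEscalation: false) is met; add `seccompProfile:` / `  type: RuntimeDefault` next to `runAsNonRoot: true`. The `net.ipv4.ip_unprivileged_port_start` sysctl is what lets the UID-1000 process bind the 80/443 ports declared in ports.yaml; it is in the safe-sysctl set on current Kubernetes, but a comment above the `sysctls` entry stating why it is here, and that older clusters or runtimes may reject the pod, would save the next reader a search.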


@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
ports:
- containerPort: 443
name: https
protocol: TCP
- name: http
containerPort: 80
protocol: TCP
- name: metrics
containerPort: 9090
protocol: TCP
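Review bot: These container ports (80/443) contradict the README's step 2, which tells the user to set the http redirect address to `:8080` and the server address to `:8443` "because container is configured to run as non-root"; with the `ip_unprivileged_port_start` sysctl in no-root.yaml the standard ports are the intended setup (the commit message says as much), so that README step is stale and should be removed or rewritten to say no port customization is needed. The first entry lists `containerPort` before `name` while the other two list `name` first, and the two port entries in proxy.yaml differ the same way; keep one key order across both files.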


@ -0,0 +1,11 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
securityContext:
readOnlyRootFilesystem: true


@ -0,0 +1,16 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
containers:
- name: pomerium
resources:
limits:
cpu: 5000m
memory: 1Gi
requests:
cpu: 300m
memory: 200Mi


@ -0,0 +1,34 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: pomerium
spec:
template:
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- name: pomerium
env:
- name: TMPDIR
value: "/tmp/pomerium"
- name: XDG_CACHE_HOME
value: "/var/cache"
- name: XDG_DATA_HOME
value: "/var/cache"
volumeMounts:
- mountPath: "/tmp/pomerium"
name: tmp
- mountPath: "/var/cache"
name: pomerium-cache
volumes:
- name: tmp
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: pomerium-cache
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: 100Mi
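Review bot: `XDG_DATA_HOME` and `XDG_CACHE_HOME` both resolve to `/var/cache` on the same persistent claim, so durable state and disposable cache share one directory tree; anything that clears the cache (an operator, a future eviction in the application) would also remove persisted data, and the 100Mi claim has to hold both. Giving `XDG_DATA_HOME` its own directory on the same claim, e.g. a second mount `mountPath: "/var/lib/pomerium"` with `subPath: data` and `value: "/var/lib/pomerium"`, keeps the two apart without a second PVC. The claim names no `storageClassName`, so it falls back to the cluster's default class; a comment on the `volumeClaimTemplates` entry stating that the default class must support `ReadWriteOnce` and what retention is expected when the pod is deleted would help whoever deploys this.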


@ -0,0 +1,7 @@
namespace: pomerium-zero
commonLabels:
app.kubernetes.io/name: pomerium-zero
resources:
- namespace.yaml
- ./deployment
- ./service
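Review bot: `commonLabels` is deprecated in kustomize v5 in favour of the `labels` field; it still works here and is also what stamps the label onto the StatefulSet selector and onto the Service selector that proxy.yaml does not declare itself, so the replacement must keep `includeSelectors: true` to preserve that behaviour. Making the selector injection explicit also documents why neither base.yaml nor proxy.yaml carries its own labels.
```yaml
namespace: pomerium-zero
labels:
  - includeSelectors: true
    pairs:
      app.kubernetes.io/name: pomerium-zero
# … unchanged: resources …
```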

k8s/zero/namespace.yaml Normal file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: pomerium-zero


@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: pomerium
namespace: pomerium-zero
type: Opaque
stringData:
pomerium_zero_token: YOUR_TOKEN_HERE
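Review bot: This committed sample carries the placeholder `YOUR_TOKEN_HERE`; the .gitignore in this commit ignores `pomerium-secret.yaml` and the root kustomization does not list this file, so it is presumably meant to be copied rather than applied, but nothing in the file says so. A leading comment such as `# Template only: copy to pomerium-secret.yaml (git-ignored) and replace the placeholder before applying` would stop someone from creating a Secret holding a bogus token. The README's version of this same Secret leaves `pomerium_zero_token:` with no value, which YAML reads as null rather than an empty string; it should show a quoted placeholder as this file does.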


@ -0,0 +1,2 @@
resources:
- proxy.yaml


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: pomerium-proxy
spec:
type: LoadBalancer
ports:
- port: 443
targetPort: https
protocol: TCP
name: https
- name: http
targetPort: http
protocol: TCP
port: 80
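Review bot: With the default `externalTrafficPolicy: Cluster`, connections arriving through the LoadBalancer are source-NATed at the node, so the proxy sees node addresses instead of client IPs and any IP-based authorization, rate limiting or audit logging loses the real source; add `externalTrafficPolicy: Local` under `spec` (most cloud load balancers support it, and with a single replica the usual node-spread downside does not apply). The Service declares no `selector` and only works because the root kustomization's `commonLabels` injects one; a comment at `spec:` saying so would keep the file from being read as a selector-less Service.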