
Kubernetes Deployment Reference

Settings

The Pomerium CRD accepts configuration changes via an object named global. The example provided in our Kubernetes Quickstart only shows the minimum values required to start using Pomerium:

pomerium.yaml

```yaml
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  secrets: pomerium/bootstrap
  authenticate:
    url: https://authenticate.localhost.pomerium.io
  identityProvider:
    provider: ${YOUR_IdP}
    secret: pomerium/idp
  certificates:
    - pomerium/pomerium-wildcard-tls
```

The remaining configuration options are detailed below.

    #Authenticate ({object})

    Authenticate sets the authenticate service parameters.

    Required Properties:
    • authenticate.url

    Properties:
    • callbackPath ("string")
      CallbackPath, see https://www.pomerium.com/reference/#authenticate-callback-path
    • url ("string") - Format: uri
      AuthenticateURL should be a publicly accessible URL to which non-authenticated users are redirected; see https://www.pomerium.com/reference/#authenticate-service-url

    #Certificates ([]string)

    Certificates is a list of Secrets of type TLS (`kubernetes.io/tls`) to use.

    #IdentityProvider ({object})

    IdentityProvider, see https://www.pomerium.com/docs/identity-providers/

    Required Properties:
    • identityProvider.provider
    • identityProvider.secret

    Properties:
    • provider ("string")
      Provider is one of the accepted providers, see https://www.pomerium.com/reference/#identity-provider-name
      • auth0
      • azure
      • google
      • okta
      • onelogin
      • oidc
      • ping
      • github
    • refreshDirectory ({object})
      Specifies refresh settings

      Required Properties:
      • identityProvider.interval
      • identityProvider.timeout

      Properties:
      • interval ("string") - Format: duration
      • timeout ("string") - Format: duration
    • requestParams ({object})
      RequestParams, see https://www.pomerium.com/reference/#identity-provider-request-params
    • requestParamsSecret ("string")
      RequestParamsSecret is a reference to a Secret holding additional request parameters you would prefer not to provide in plaintext.
    • scopes ([]string)
      Scopes, see https://www.pomerium.com/reference/#identity-provider-scopes
    • secret ("string")
      Secret refers to a k8s Secret containing IdP-specific parameters. It must contain at least the `client_id` and `client_secret` map values, and may contain an optional `service_account` field, which maps to https://www.pomerium.com/reference/#identity-provider-service-account
    • serviceAccountFromSecret ("string")
      ServiceAccountFromSecret is a convenient way to build the value of `idp_service_account` from Secret map values, see https://www.pomerium.com/docs/identity-providers/
    • url ("string") - Format: uri
      URL is the identity provider URL, see https://www.pomerium.com/reference/#identity-provider-url

    #Secrets ("string")

    Secrets references a Secret that must have the following keys:
    • shared_secret
    • cookie_secret
    • signing_key

    #Storage ({object})

    Storage defines persistent storage for sessions and other data. If none is specified, in-memory storage is used; see https://www.pomerium.com/docs/topics/data-storage

    Properties:
    • postgres ({object})
      Postgres specifies PostgreSQL database connection parameters

      Required Properties:
      • storage.secret

      Properties:
      • caSecret ("string")
        CASecret should refer to a k8s Secret with key `ca.crt` containing a CA certificate which, if specified, is used to populate the `sslrootcert` parameter of the connection string.
      • secret ("string")
        Secret specifies the name of a Secret that must contain a `connection` key holding the connection DSN and parameters; for the format see https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING. The keywords that are populated via the `tlsSecret` and `caSecret` fields are not allowed to be part of the parameters.
      • tlsSecret ("string")
        TLSSecret should refer to a k8s Secret of type `kubernetes.io/tls`; it allows an optional client certificate and key to be specified, from which the `sslcert` and `sslkey` connection string parameter values are constructed. See https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
    • redis ({object})
      Redis defines Redis connection parameters.

      Required Properties:
      • storage.secret

      Properties:
      • caSecret ("string")
        CASecret should refer to a k8s Secret with key `ca.crt` that must be a PEM-encoded certificate authority to use when connecting to the databroker storage engine; see https://www.pomerium.com/docs/reference/data-broker-storage-certificate-authority
      • secret ("string")
        Secret specifies the name of a Secret that must contain a `connection` key; see https://www.pomerium.com/docs/reference/data-broker-storage-connection-string
      • tlsSecret ("string")
        TLSSecret should refer to a k8s Secret of type `kubernetes.io/tls`; it allows an optional databroker storage client certificate and key to be specified. See:
        • https://www.pomerium.com/docs/reference/data-broker-storage-certificate-file
        • https://www.pomerium.com/docs/reference/data-broker-storage-certificate-key-file
      • tlsSkipVerify (boolean)
        TLSSkipVerify disables TLS certificate chain validation; see https://www.pomerium.com/docs/reference/data-broker-storage-tls-skip-verify
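As an added example (this is not Pomerium's own code and not part of the operator), the following Python script lints a Pomerium object and the Secrets it references before they are applied. It checks the required properties listed in this reference, the accepted provider names, the `refreshDirectory` durations, the `namespace/name` form of every Secret reference, the keys each referenced Secret must carry (the three bootstrap keys under `spec.secrets`, `client_id`/`client_secret` under `identityProvider.secret`, `connection` and `ca.crt` for the storage Secrets), and the two storage pitfalls described above: TLS parameters inlined in the Postgres DSN instead of being supplied through `caSecret`/`tlsSecret`, and `tlsSkipVerify` on Redis. Assumptions: the manifest and Secrets are given as plain dicts (as `kubectl get -o json` would present them, with values already decoded); the reserved DSN keywords are taken to be `sslrootcert`, `sslcert` and `sslkey`, as implied by the `caSecret` and `tlsSecret` descriptions; `tls.crt`/`tls.key` are the key names of the `kubernetes.io/tls` Secret type; and the duration regex is an approximation of Go's duration syntax. The sample manifest and Secrets are constructed for this example.

```python
import copy
import re
from urllib.parse import urlparse

PROVIDERS = {"auth0", "azure", "google", "okta", "onelogin", "oidc", "ping", "github"}
BOOTSTRAP_KEYS = {"shared_secret", "cookie_secret", "signing_key"}  # keys required in spec.secrets
IDP_KEYS = {"client_id", "client_secret"}                          # keys required in identityProvider.secret
RESERVED_DSN_KEYS = {"sslrootcert", "sslcert", "sslkey"}           # assumed: filled in from caSecret/tlsSecret
DURATION_RE = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")       # approximates Go durations, e.g. "10m"
SECRET_REF_RE = re.compile(r"^[a-z0-9][-a-z0-9]*/[a-z0-9][-.a-z0-9]*$")  # namespace/name reference

def _get(obj, path):
    # Walk a dotted path through nested dicts; None if any segment is missing.
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def dsn_keywords(dsn):
    """Keyword names present in a libpq 'key=value ...' DSN or in a postgres:// URL query."""
    if dsn.startswith(("postgres://", "postgresql://")):
        parts = urlparse(dsn).query.split("&")
    else:
        parts = dsn.split()
    return {p.split("=", 1)[0] for p in parts if "=" in p}

def lint(manifest, secrets):
    """Return a list of problems found in the manifest; an empty list means it passes."""
    problems = []
    spec = manifest.get("spec", {})

    def check_secret(path, required_keys):
        # Validate a namespace/name reference at `path` and the keys that reference must provide.
        ref = _get(spec, path)
        if ref is None:
            return None
        if not isinstance(ref, str) or not SECRET_REF_RE.match(ref):
            problems.append(f"spec.{path} {ref!r} is not a namespace/name reference")
            return None
        data = secrets.get(ref)
        if data is None:
            problems.append(f"spec.{path} refers to missing Secret {ref}")
            return None
        missing = required_keys - set(data)
        if missing:
            problems.append(f"Secret {ref} lacks keys {sorted(missing)}")
        return data

    # Required properties from the reference.
    for path in ("secrets", "authenticate.url", "identityProvider.provider", "identityProvider.secret"):
        if _get(spec, path) is None:
            problems.append(f"spec.{path} is required")
    url = urlparse(_get(spec, "authenticate.url") or "")
    if url.scheme != "https" or not url.netloc:
        problems.append("spec.authenticate.url must be a publicly reachable https URL")
    provider = _get(spec, "identityProvider.provider")
    if provider is not None and provider not in PROVIDERS:
        problems.append(f"identityProvider.provider {provider!r} is not an accepted provider")
    refresh = _get(spec, "identityProvider.refreshDirectory")
    if refresh is not None:  # interval and timeout are both required durations
        for key in ("interval", "timeout"):
            value = refresh.get(key)
            if not isinstance(value, str) or not DURATION_RE.match(value):
                problems.append(f"identityProvider.refreshDirectory.{key} must be a duration, got {value!r}")

    check_secret("secrets", BOOTSTRAP_KEYS)
    check_secret("identityProvider.secret", IDP_KEYS)

    # Postgres: TLS material belongs in caSecret/tlsSecret, never inline in the DSN.
    pg = check_secret("storage.postgres.secret", {"connection"})
    if pg and "connection" in pg:
        clash = dsn_keywords(pg["connection"]) & RESERVED_DSN_KEYS
        if clash:
            problems.append(f"postgres connection must not set {sorted(clash)}; use caSecret/tlsSecret")
    check_secret("storage.postgres.caSecret", {"ca.crt"})
    check_secret("storage.postgres.tlsSecret", {"tls.crt", "tls.key"})

    # Redis: pin the CA with caSecret rather than switching chain validation off.
    redis = _get(spec, "storage.redis")
    if redis is not None:
        check_secret("storage.redis.secret", {"connection"})
        if redis.get("tlsSkipVerify"):
            problems.append("storage.redis.tlsSkipVerify disables chain validation; set caSecret instead")
    return problems

# Constructed sample: the quickstart object extended with Postgres storage, plus the
# Secrets it names (placeholder values; only the key names are checked).
SAMPLE_MANIFEST = {
    "apiVersion": "ingress.pomerium.io/v1", "kind": "Pomerium", "metadata": {"name": "global"},
    "spec": {
        "secrets": "pomerium/bootstrap",
        "authenticate": {"url": "https://authenticate.localhost.pomerium.io"},
        "identityProvider": {"provider": "oidc", "secret": "pomerium/idp",
                             "refreshDirectory": {"interval": "10m", "timeout": "1m"}},
        "storage": {"postgres": {"secret": "pomerium/pg", "caSecret": "pomerium/pg-ca"}},
        "certificates": ["pomerium/pomerium-wildcard-tls"],
    },
}
SAMPLE_SECRETS = {
    "pomerium/bootstrap": {"shared_secret": "<redacted>", "cookie_secret": "<redacted>", "signing_key": "<redacted>"},
    "pomerium/idp": {"client_id": "<redacted>", "client_secret": "<redacted>"},
    "pomerium/pg": {"connection": "postgres://pomerium@db.pomerium.svc:5432/pomerium?sslmode=verify-full"},
    "pomerium/pg-ca": {"ca.crt": "<pem>"},
}

def lint_sample():
    return lint(SAMPLE_MANIFEST, SAMPLE_SECRETS)

def lint_weakened_sample():
    """Same object, but with sslrootcert inlined in the DSN and a Redis block using tlsSkipVerify."""
    manifest = copy.deepcopy(SAMPLE_MANIFEST)
    manifest["spec"]["storage"]["redis"] = {"secret": "pomerium/redis", "tlsSkipVerify": True}
    secrets = dict(SAMPLE_SECRETS)
    secrets["pomerium/pg"] = {"connection": SAMPLE_SECRETS["pomerium/pg"]["connection"] + "&sslrootcert=/etc/pg/ca.crt"}
    secrets["pomerium/redis"] = {"connection": "rediss://redis.pomerium.svc:6379"}
    return lint(manifest, secrets)
```

`lint_sample()` returns an empty list for the well-formed object, while `lint_weakened_sample()` reports the inlined `sslrootcert` and the `tlsSkipVerify` flag, which are the two settings a reviewer should refuse before the object reaches the cluster. To use it on a live cluster, feed `lint` the decoded output of `kubectl get pomerium global -o json` and of the referenced Secrets.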

Status

PomeriumStatus defines the observed state of Settings

#Ingress

  • error
    Error that prevented the latest observedGeneration from being synchronized with Pomerium.
  • observedAt
    ObservedAt is when the last reconciliation attempt was made.
  • observedGeneration
    ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
  • reconciled
    Reconciled is whether this object generation was successfully synced with Pomerium.

#SettingsStatus

  • error
    Error that prevented the latest observedGeneration from being synchronized with Pomerium.
  • observedAt
    ObservedAt is when the last reconciliation attempt was made.
  • observedGeneration
    ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.
  • reconciled
    Reconciled is whether this object generation was successfully synced with Pomerium.