Skip to main content

Kubernetes Deployment Reference

Pomerium-specific parameters should be configured via the ingress.pomerium.io/Pomerium CRD. The default Pomerium deployment is listening to the CRD global, that may be customized via command line parameters.

Pomerium posts updates to the CRD /status:

kubectl describe pomerium

Kubernetes-specific deployment parameters should be added via kustomize to the manifests.

Spec

PomeriumSpec defines Pomerium-specific configuration parameters.

accessLogFields  []string 

AccessLogFields sets the access fields to log.

authenticate  object  (authenticate)

Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.

authorizeLogFields  []string 

AuthorizeLogFields sets the authorize fields to log.

caSecrets  []string 

CASecret should refer to k8s secrets with key ca.crt containing a CA certificate.

certificates  []string  (namespace/name)

Certificates is a list of secrets of type TLS to use

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

cookie  object  (cookie)

Cookie defines Pomerium session cookie options.

identityProvider  object  (identityProvider)

IdentityProvider configure single-sign-on authentication and user identity details by integrating with your Identity Provider

jwtClaimHeaders  map[string]string

JWTClaimHeaders convert claims from the assertion token into HTTP headers and adds them into JWT assertion header. Please make sure to read Getting User Identity guide.

programmaticRedirectDomains  []string 

ProgrammaticRedirectDomains specifies a list of domains that can be used for programmatic redirects.

secrets  string  (namespace/name)

Required.  Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

setResponseHeaders  map[string]string

SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service. See Set Response Headers

storage  object  (storage)

Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).

timeouts  object  (timeouts)

Timeout specifies the global timeouts for all routes.

useProxyProtocol  boolean 

UseProxyProtocol enables Proxy Protocol support.

authenticate

Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.

callbackPath  string 

CallbackPath sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.

This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.

Defaults to /oauth2/callback

url  string  (uri)

Required.  AuthenticateURL is a dedicated domain URL the non-authenticated persons would be referred to.

  • You do not need to create a dedicated Ingress for this virtual route, as it is handled by Pomerium internally.
  • You do need create a secret with corresponding TLS certificate for this route and reference it via certificates. If you use cert-manager with HTTP01 challenge, you may use pomerium ingressClass to solve it.

Format: an URI as parsed by Golang net/url.ParseRequestURI.

Cookie defines Pomerium session cookie options.

domain  string 

Domain defaults to the same host that set the cookie. If you specify the domain explicitly, then subdomains would also be included.

expire  string  (duration)

Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected.

See Session Management (Enterprise) for a more fine-grained session controls.

Defaults to 14 hours.

Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

httpOnly  boolean 

HTTPOnly if set to false, the cookie would be accessible from within the JavaScript. Defaults to true.

name  string 

Name sets the Pomerium session cookie name. Defaults to _pomerium

sameSite  string 

SameSite sets the SameSite option for cookies. Defaults to .

secure  boolean 

Secure if set to false, would make a cookie accessible over insecure protocols (HTTP). Defaults to true.

identityProvider

IdentityProvider configure single-sign-on authentication and user identity details by integrating with your Identity Provider

provider  string 

Required.  Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider, set to oidc.

refreshDirectory  object  (refreshDirectory)

RefreshDirectory is no longer supported, please see Upgrade Guide.

requestParams  map[string]string

RequestParams to be added as part of a sign-in request using OAuth2 code flow.

requestParamsSecret  string  (namespace/name)

RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

scopes  []string 

Scopes Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.

secret  string  (namespace/name)

Required.  Secret containing IdP provider specific parameters. and must contain at least client_id and client_secret values.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

serviceAccountFromSecret  string 

ServiceAccountFromSecret is no longer supported, see Upgrade Guide.

url  string  (uri)

URL is the base path to an identity provider's OpenID connect discovery document. See Identity Providers guides for details.

Format: an URI as parsed by Golang net/url.ParseRequestURI.

postgres

Postgres specifies PostgreSQL database connection parameters

caSecret  string  (namespace/name)

CASecret should refer to a k8s secret with key ca.crt containing CA certificate that, if specified, would be used to populate sslrootcert parameter of the connection string.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

secret  string  (namespace/name)

Required.  Secret specifies a name of a Secret that must contain connection key. See DSN Format and Parameters. Do not set sslrootcert, sslcert and sslkey via connection string, use tlsSecret and caSecret CRD options instead.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

tlsSecret  string  (namespace/name)

TLSSecret should refer to a k8s secret of type kubernetes.io/tls and allows to specify an optional client certificate and key, by constructing sslcert and sslkey connection string parameter values.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

redis

Redis defines REDIS connection parameters

caSecret  string  (namespace/name)

CASecret should refer to a k8s secret with key ca.crt that must be a PEM-encoded certificate authority to use when connecting to the databroker storage engine.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

secret  string  (namespace/name)

Required.  Secret specifies a name of a Secret that must contain connection key.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

tlsSecret  string  (namespace/name)

TLSSecret should refer to a k8s secret of type kubernetes.io/tls that would be used to perform TLS connection to REDIS.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format.

tlsSkipVerify  boolean 

TLSSkipVerify disables TLS certificate chain validation.

refreshDirectory

RefreshDirectory is no longer supported, please see Upgrade Guide.

interval  string  (duration)

Required.  interval is the time that pomerium will sync your IDP directory.

Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

timeout  string  (duration)

Required.  timeout is the maximum time allowed each run.

Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

storage

Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).

postgres  object  (postgres)

Postgres specifies PostgreSQL database connection parameters

redis  object  (redis)

Redis defines REDIS connection parameters

timeouts

Timeout specifies the global timeouts for all routes.

idle  string  (duration)

Idle specifies the time at which a downstream or upstream connection will be terminated if there are no active streams.

Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

read  string  (duration)

Read specifies the amount of time for the entire request stream to be received from the client.

Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

write  string  (duration)

Write specifies max stream duration is the maximum time that a stream’s lifetime will span. An HTTP request/response exchange fully consumes a single stream. Therefore, this value must be greater than read_timeout as it covers both request and response time.

Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

Status

PomeriumStatus represents configuration and Ingress status.

ingress  map[string]ingress

Routes provide per-Ingress status.

settingsStatus  object  (settingsStatus)

SettingsStatus represent most recent main configuration reconciliation status.

ingress

ResourceStatus represents the outcome of the latest attempt to reconcile relevant Kubernetes resource with Pomerium.

error  string 

Error that prevented latest observedGeneration to be synchronized with Pomerium.

observedAt  string  (date-time)

ObservedAt is when last reconciliation attempt was made.

Format: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.

observedGeneration  integer 

ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.

reconciled  boolean 

Required.  Reconciled is whether this object generation was successfully synced with pomerium.

warnings  []string 

Warnings while parsing the resource.

settingsStatus

SettingsStatus represent most recent main configuration reconciliation status.

error  string 

Error that prevented latest observedGeneration to be synchronized with Pomerium.

observedAt  string  (date-time)

ObservedAt is when last reconciliation attempt was made.

Format: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.

observedGeneration  integer 

ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.

reconciled  boolean 

Required.  Reconciled is whether this object generation was successfully synced with pomerium.

warnings  []string 

Warnings while parsing the resource.