Global Configuration
Once Pomerium is installed in your cluster, you need to complete its global configuration before it becomes fully operational.
Individual routes are configured via Ingress objects.
Configuration
While bare-metal Pomerium distributions are configured via a config file and/or environment variables, the Kubernetes distribution should be configured via the Pomerium CRD, which brings the following benefits:
- Supply sensitive parts of the configuration via Kubernetes Secrets.
- Seamless configuration updates.
- Configuration validation.
- Centralized place to observe events.
- The /status endpoint posts Ingress status.
The default installation uses a Pomerium settings CRD named global. It is a cluster-wide (non-namespaced) resource. Below is the minimum configuration you need to set up.
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  authenticate:
    url: https://authenticate.localhost.pomerium.io
  certificates:
    - pomerium/authenticate-localhost-pomerium-io-prod
  identityProvider:
    provider: google
    secret: pomerium/idp-google
  secrets: pomerium/bootstrap
Bootstrap Secrets
Bootstrap secrets are provisioned via the secrets property of the CRD. The default installation runs a one-off Job that generates them and stores them in the bootstrap Secret of the pomerium namespace.
Identity Provider
Integration with your Identity Provider is configured using the identityProvider parameter; its credentials are read from the Kubernetes Secret referenced by identityProvider.secret rather than placed in the CRD itself.
Authenticate endpoint
Each Pomerium installation has a special route to which unauthenticated users are redirected; it handles sign-in via your Identity Provider. It is configured via the authenticate parameter of the CRD.
The DNS name of the authenticate endpoint should resolve to the external IP address your Kubernetes load balancer assigned to the pomerium-proxy Service. If you use external-dns, this may happen automatically.
Do not create a separate Ingress resource for the Authenticate URL. You do, however, need to provision a matching certificate and supply it via the certificates section of the CRD.
Routes (Ingress)
See a dedicated Ingress guide for details on how to configure Pomerium to serve Ingress.
Supported configuration options
All Pomerium features are available in the Kubernetes deployment except autocert. Use cert-manager or another Kubernetes-native certificate solution instead.
See the Configuration Reference for a full description of all CRD configuration options.
Status
Pomerium posts updates about its internal state to the /status section of the Pomerium CRD. The Observed Generation fields tell you whether the most recent edit to the spec has actually been applied: if they lag behind the resource's metadata.generation, or Reconciled is false, the running configuration is not the one you wrote. The output below is from kubectl describe:
Name:         global
Namespace:
Labels:       app.kubernetes.io/name=pomerium
API Version:  ingress.pomerium.io/v1
Kind:         Pomerium
 ... some details omitted ...
Spec:
  Authenticate:
    URL:  https://authenticate.localhost.pomerium.io
  Certificates:
    pomerium/authenticate-localhost-pomerium-io-prod
  Identity Provider:
    Provider:  google
    Secret:    pomerium/idp-google
  Secrets:     pomerium/bootstrap
Status:
  Ingress:
    httpbin/httpbin:
      Observed At:          2022-11-18T03:04:23Z
      Observed Generation:  1
      Reconciled:           true
  Settings Status:
    Observed At:          2022-11-18T03:04:23Z
    Observed Generation:  4
    Reconciled:           true
Events:
  Type     Reason      Age   From                                 Message
  ----     ------      ----  ----                                 -------
  Normal   Updated     5s    bootstrap-pomerium-69fcccc487-wcztn  config updated
  Normal   Updated     2s    pomerium-crd                         config updated
  Normal   Updated     2s    pomerium-ingress                     httpbin/httpbin: config updated
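The following is an added example, not code from Pomerium's own project, that turns the two checks this page describes (the minimum spec above, and the reconciliation state reported under /status) into a script. It takes the Pomerium object as JSON, as produced by `kubectl get pomerium global -o json`, and reports malformed secret references, a non-https authenticate URL, a missing certificate list, and any settings or Ingress status that is not reconciled for the current generation. The camelCase JSON keys (settingsStatus, observedGeneration, reconciled) are inferred from the describe output shown above, and the metadata.generation value of 4 in the built-in sample is an assumption; make_sample is a helper written for this example.

```python
"""Sanity-check a Pomerium CRD object (spec and status) for common mistakes.

Added example, not part of Pomerium. JSON key names (settingsStatus,
observedGeneration, reconciled, ingress) are inferred from the
`kubectl describe pomerium global` output; confirm against your cluster.

Usage:  kubectl get pomerium global -o json | python3 check_pomerium.py -
        python3 check_pomerium.py          (runs against the built-in sample)
"""
import json
import sys
from urllib.parse import urlsplit


def parse_ref(ref):
    """CRD secret references are 'namespace/name'. Return (ns, name) or None."""
    parts = str(ref).split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def check_spec(spec):
    """Validate the minimum fields this page requires in .spec."""
    findings = []
    auth_url = spec.get("authenticate", {}).get("url", "")
    u = urlsplit(auth_url)
    if u.scheme != "https" or not u.hostname:
        findings.append(f"authenticate.url must be an https URL with a host, got {auth_url!r}")
    certs = spec.get("certificates", [])
    if not certs:
        findings.append("certificates: none listed; the authenticate host needs a TLS Secret")
    for ref in certs:
        if parse_ref(ref) is None:
            findings.append(f"certificates: {ref!r} is not of the form namespace/name")
    idp = spec.get("identityProvider", {})
    if not idp.get("provider"):
        findings.append("identityProvider.provider is missing")
    if parse_ref(idp.get("secret", "")) is None:
        findings.append(f"identityProvider.secret {idp.get('secret')!r} is not namespace/name")
    if parse_ref(spec.get("secrets", "")) is None:
        findings.append(f"secrets {spec.get('secrets')!r} is not namespace/name")
    return findings


def check_status(obj):
    """Is the running config the one in .spec? A lagging observedGeneration or
    reconciled=false means the last edit has not taken effect."""
    findings = []
    gen = obj.get("metadata", {}).get("generation")
    status = obj.get("status", {})
    settings = status.get("settingsStatus", {})
    if not settings.get("reconciled"):
        findings.append("settingsStatus.reconciled is false")
    if settings.get("observedGeneration") != gen:
        findings.append(
            f"settingsStatus.observedGeneration {settings.get('observedGeneration')} "
            f"!= metadata.generation {gen}: spec change not yet applied")
    for name, st in status.get("ingress", {}).items():
        if not st.get("reconciled"):
            findings.append(f"ingress {name}: not reconciled")
    return findings


def check_pomerium(obj):
    """Return a list of findings; an empty list means the object looks healthy."""
    return check_spec(obj.get("spec", {})) + check_status(obj)


def make_sample(generation=4,
                certificates=("pomerium/authenticate-localhost-pomerium-io-prod",),
                ingress_reconciled=True,
                auth_url="https://authenticate.localhost.pomerium.io"):
    """Constructed sample mirroring the describe output on this page (example helper).
    metadata.generation=4 is assumed so it matches the observed generation shown."""
    return {
        "apiVersion": "ingress.pomerium.io/v1",
        "kind": "Pomerium",
        "metadata": {"name": "global", "generation": generation},
        "spec": {
            "authenticate": {"url": auth_url},
            "certificates": list(certificates),
            "identityProvider": {"provider": "google", "secret": "pomerium/idp-google"},
            "secrets": "pomerium/bootstrap",
        },
        "status": {
            "ingress": {"httpbin/httpbin": {"observedGeneration": 1,
                                            "reconciled": ingress_reconciled}},
            "settingsStatus": {"observedGeneration": 4, "reconciled": True},
        },
    }


if __name__ == "__main__":
    obj = json.load(sys.stdin) if sys.argv[1:] == ["-"] else make_sample()
    problems = check_pomerium(obj)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it right after editing the global resource: a generation mismatch immediately after `kubectl apply` is normal and should clear within seconds, as the Events above show; one that persists usually means the new spec failed validation and Pomerium is still serving the previous one.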