Using kubernetes ingress.pomerium.io with kubernetes.crossplane.io
In Kubernetes, an Ingress is an API object that manages external access to the services in a cluster, typically HTTP. Pomerium is an identity-aware proxy that integrates with Kubernetes via Ingress resources, enabling secure access to your services. Crossplane is an open-source Kubernetes add-on that extends your cluster to manage and compose infrastructure from multiple clouds.
To use Pomerium with Kubernetes managed by Crossplane, you would typically set up an `Ingress` resource that uses Pomerium's annotations to specify access policies. The external traffic is directed to the Ingress controller, which then routes it to the appropriate services based on the Ingress rules.

Below is a TypeScript program using Pulumi to create a Kubernetes `Ingress` resource configured for Pomerium. This program assumes that you have Pomerium and Crossplane already installed and configured in your cluster. If you don't, you would need to install them first, which is outside the scope of this program.

First, I'll show you the complete Pulumi program, and then I'll explain each part.
```typescript
import * as pulumi from '@pulumi/pulumi';
import * as kubernetes from '@pulumi/kubernetes';

const namespace = 'default'; // replace with the namespace of your service

// Provider pointing at the cluster where Pomerium and Crossplane run.
// The kubeconfig is read from Pulumi config, e.g.
//   pulumi config set --secret kubeconfig "$(cat ~/.kube/config)"
// Replace this with the provider configuration that matches your setup.
const config = new pulumi.Config();
const crossplaneProvider = new kubernetes.Provider('crossplane', {
    kubeconfig: config.requireSecret('kubeconfig'),
});

// Defining the Ingress resource for a service protected by Pomerium.
const pomeriumIngress = new kubernetes.networking.v1.Ingress('pomerium-ingress', {
    metadata: {
        name: 'my-service-ingress',
        namespace: namespace,
        annotations: {
            // Annotations required for Pomerium to handle ingress
            'ingress.pomerium.io/allowed_users': 'user@example.com',
            'ingress.pomerium.io/from': 'https://from.example.com',
            'ingress.pomerium.io/policy': '[{"from": "https://from.example.com", "to": "http://my-service"}]',
        },
    },
    spec: {
        // Pomerium's ingress controller only reconciles Ingresses of its own class.
        ingressClassName: 'pomerium',
        rules: [{
            // Pomerium derives the route's public URL from the rule host;
            // it must match the host used in the policy annotation above.
            host: 'from.example.com',
            http: {
                paths: [{
                    path: '/',
                    pathType: 'Prefix',
                    backend: {
                        service: {
                            name: 'my-service', // replace with your actual service name
                            port: {
                                number: 80, // replace with the port your service is exposed on
                            },
                        },
                    },
                }],
            },
        }],
    },
}, { provider: crossplaneProvider });

export const ingressName = pomeriumIngress.metadata.name;
```
Now let's explain the code:

- We import the `@pulumi/kubernetes` package, which allows us to interact with Kubernetes resources in a Pulumi program.
- We declare a `namespace` variable to specify which Kubernetes namespace our resources will be a part of. This should be replaced with the actual namespace you are working within.
- We define a new `Ingress` resource named `pomerium-ingress`. In this Ingress definition, we add annotations that Pomerium uses to understand how to secure this endpoint. You'll need to replace `'user@example.com'` and the URLs with actual users and domains for your application.
- The `spec` property of the `Ingress` resource specifies the routing rules. Here, we route all traffic coming to `/` to a service called `'my-service'`. You should replace `'my-service'` and `80` with the actual service name and port you are exposing.
- Finally, we need to provide this Ingress resource with the right context to be managed by Crossplane. For this, we'd typically provide a Crossplane provider configuration. Here it's represented as `crossplaneProvider`, which should be replaced with the appropriate configuration in your setup.
- We export the ingress name so that it can be easily retrieved by running Pulumi commands or through the Pulumi Console.

This program sets up an Ingress to route traffic through Pomerium to your service protected by the policy defined in annotations. Be sure to replace placeholder values with your actual service details and Pomerium authentication details.
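Because the access policy lives entirely in string annotations, a typo or a stray `allow_public_unauthenticated_access` flag silently widens who can reach the service. The following added example (not code from the page, from Pulumi, or from the Pomerium/Crossplane projects) builds the Ingress arguments from a small route description and runs a consistency check over the annotations before the object is handed to Pulumi: the policy JSON must parse, every policy `from` must be an HTTPS URL whose host is one of the Ingress rule hosts, and the user list must not be empty or contradicted by a public-access flag. It is plain TypeScript with no imports, so it runs stand-alone; the object shape mirrors `networking.k8s.io/v1` Ingress, `buildPomeriumIngress` and `checkPomeriumAnnotations` are hypothetical helper names, treating `allowed_users` as a comma-separated list is an assumption, and all hostnames, service names and users are constructed.

```typescript
// Added example: build a Pomerium-protected Ingress definition and sanity-check
// its annotations. Helper names, the comma-separated allowed_users format and
// all sample values are constructed for this illustration.

interface PomeriumRoute {
  host: string;          // public hostname Pomerium serves the route on
  serviceName: string;   // backend Service in the same namespace
  servicePort: number;
  allowedUsers: string[];
}

// Minimal shape of a networking.k8s.io/v1 Ingress, the same structure that
// kubernetes.networking.v1.Ingress in @pulumi/kubernetes accepts.
interface IngressArgs {
  metadata: { name: string; namespace: string; annotations: Record<string, string> };
  spec: {
    ingressClassName: string;
    rules: Array<{
      host: string;
      http: {
        paths: Array<{
          path: string;
          pathType: "Prefix" | "Exact";
          backend: { service: { name: string; port: { number: number } } };
        }>;
      };
    }>;
  };
}

function buildPomeriumIngress(namespace: string, route: PomeriumRoute): IngressArgs {
  const from = `https://${route.host}`;
  const to = `http://${route.serviceName}.${namespace}.svc.cluster.local:${route.servicePort}`;
  return {
    metadata: {
      name: `${route.serviceName}-ingress`,
      namespace,
      annotations: {
        "ingress.pomerium.io/allowed_users": route.allowedUsers.join(","),
        "ingress.pomerium.io/policy": JSON.stringify([{ from, to }]),
      },
    },
    spec: {
      ingressClassName: "pomerium",
      rules: [{
        host: route.host,
        http: {
          paths: [{
            path: "/",
            pathType: "Prefix",
            backend: { service: { name: route.serviceName, port: { number: route.servicePort } } },
          }],
        },
      }],
    },
  };
}

// Returns a list of problems; an empty list means the annotations are
// consistent with the rule hosts and grant no broader access than intended.
function checkPomeriumAnnotations(args: IngressArgs): string[] {
  const problems: string[] = [];
  const a = args.metadata.annotations;
  const hosts = args.spec.rules.map((r) => r.host);

  const users = (a["ingress.pomerium.io/allowed_users"] ?? "")
    .split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  const publicAccess = a["ingress.pomerium.io/allow_public_unauthenticated_access"] === "true";
  const anyAuth = a["ingress.pomerium.io/allow_any_authenticated_user"] === "true";
  if (users.length === 0 && !publicAccess && !anyAuth) {
    problems.push("no access rule: nobody can reach the route");
  }
  if (publicAccess && users.length > 0) {
    problems.push("allow_public_unauthenticated_access makes allowed_users moot");
  }
  for (const u of users) {
    if (!/^[^@\s]+@[^@\s]+$/.test(u)) problems.push(`allowed_users entry is not an email: ${u}`);
  }

  const raw = a["ingress.pomerium.io/policy"];
  if (raw !== undefined) {
    let policy: unknown;
    try { policy = JSON.parse(raw); } catch { problems.push("policy annotation is not valid JSON"); return problems; }
    if (!Array.isArray(policy)) { problems.push("policy annotation must be a JSON array"); return problems; }
    for (const p of policy as Array<{ from?: string; to?: string }>) {
      if (typeof p.from !== "string" || !p.from.startsWith("https://")) {
        problems.push(`policy 'from' must be an https URL: ${p.from}`);
      } else {
        const fromHost = p.from.slice("https://".length);
        if (!hosts.includes(fromHost)) problems.push(`policy 'from' host ${fromHost} is not an Ingress rule host`);
      }
      if (!p.to) problems.push("policy entry has no 'to'");
    }
  }
  return problems;
}
```

Run `checkPomeriumAnnotations` on the result of `buildPomeriumIngress` (or on any hand-written annotation map) in the Pulumi program and refuse to create the resource when the list is non-empty; the same check is cheap enough to run as a CI gate over every Ingress manifest that carries `ingress.pomerium.io/` annotations.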