pomerium · wasaga · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
@@ -0,0 +1,54 @@
+name: Sync CRDs to install
+
+# Publishes the generated CRD bases to pomerium/install so the Terraform
+# install module never silently lags this repo. Opens a PR against install
+# whenever the CRD bases change on main (and on demand).
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "config/crd/bases/**"
+  workflow_dispatch:
+
+# Only this repo is checked out with GITHUB_TOKEN; the PR against pomerium/install
+# is created with the APPARITOR_GITHUB_TOKEN PAT, so contents: read is enough here.
+permissions:
+  contents: read
+
+jobs:
+  sync-crds:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout ingress-controller
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          sparse-checkout: config/crd/bases
+
+      - name: Checkout install
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          repository: pomerium/install
+          path: install
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+
+      - name: Copy CRD bases
+        run: |
+          dst="install/ingress-controller/kustomize/crd/bases"
+          mkdir -p "$dst"
+          cp config/crd/bases/ingress.pomerium.io_pomerium.yaml "$dst/"
+          cp config/crd/bases/gateway.pomerium.io_policyfilters.yaml "$dst/"
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1
+        with:
+          path: install
+          author: GitHub Actions <apparitor@users.noreply.github.com>
+          body: "Automated CRD sync from pomerium/ingress-controller@${{ github.sha }}."
+          branch: ci/sync-crds
+          commit-message: "ci: sync CRDs from ingress-controller"
+          delete-branch: true
+          labels: ci
+          title: "ci: sync CRDs from ingress-controller"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
@@ -0,0 +1,8 @@
+# CRD-less variant of clustered-databroker: the clustered StatefulSet install
+# without the CRD bases, for clusters where the CRD is owned by a separate
+# installer. Mirrors clustered-databroker but builds on default-no-crd.
+namespace: pomerium
+resources:
+  - ../default-no-crd
+components:
+  - ../components/databroker-cluster
@@ -1,107 +1,5 @@
 namespace: pomerium
 resources:
   - ../default
-  - ./service
-  - ./pdb.yaml
-patches:
-  - patch: |-
-      - op: replace
-        path: /kind
-        value: StatefulSet
-      - op: add
-        path: /spec/template/spec/containers/0/args/-
-        value: '--databroker-cluster-node-id=$(POD_NAME)'
-      - op: add
-        path: /spec/template/spec/containers/0/args/-
-        value: '--databroker-raft-bind-address=:5999'
-      - op: add
-        path: /spec/template/spec/containers/0/args/-
-        value: '--databroker-auto-tls=*.pomerium-headless'
-      - op: add
-        path: /spec/template/spec/containers/0/env/-
-        value:
-          name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-      - op: add
-        path: /spec/template/spec/containers/0/env/-
-        value:
-          name: DATABROKER_CLUSTER_NODES
-          value: |-
-            [
-              { "id": "pomerium-0", "grpc_address": "https://pomerium-0.pomerium-headless:5443", "raft_address": "pomerium-0.pomerium-headless:5999" },
-              { "id": "pomerium-1", "grpc_address": "https://pomerium-1.pomerium-headless:5443", "raft_address": "pomerium-1.pomerium-headless:5999" },
-              { "id": "pomerium-2", "grpc_address": "https://pomerium-2.pomerium-headless:5443", "raft_address": "pomerium-2.pomerium-headless:5999" }
-            ]
-      - op: add
-        path: /spec/template/spec/containers/0/ports/-
-        value:
-          name: grpc
-          containerPort: 5443
-          protocol: TCP
-      - op: add
-        path: /spec/template/spec/containers/0/ports/-
-        value:
-          name: raft
-          containerPort: 5999
-          protocol: TCP
-      - op: add
-        path: /spec/template/spec/containers/0/volumeMounts/-
-        value:
-          name: storage
-          mountPath: /var/pomerium/databroker
-      - op: add
-        path: /spec/replicas
-        value: 3
-      - op: add
-        path: /spec/updateStrategy
-        value:
-          type: RollingUpdate
-          rollingUpdate:
-            maxUnavailable: 1
-      - op: add
-        path: /spec/podManagementPolicy
-        value: Parallel
-      - op: add
-        path: /spec/persistentVolumeClaimRetentionPolicy
-        value:
-          whenDeleted: Delete
-          whenScaled: Delete
-      - op: add
-        path: /spec/serviceName
-        value: pomerium-headless
-      - op: add
-        path: /spec/volumeClaimTemplates
-        value:
-          - metadata:
-              name: storage
-            spec:
-              accessModes:
-                - ReadWriteOnce
-              resources:
-                requests:
-                  storage: 1Gi
-      - op: replace
-        path: /spec/template/spec/containers/0/resources/requests/cpu
-        value: 500m
-      - op: add
-        path: /spec/template/spec/securityContext/fsGroup
-        value: 65532
-      - op: add
-        path: /spec/template/spec/securityContext/fsGroupChangePolicy
-        value: OnRootMismatch
-      - op: add
-        path: /spec/template/spec/affinity
-        value:
-          podAntiAffinity:
-            requiredDuringSchedulingIgnoredDuringExecution:
-              - topologyKey: kubernetes.io/hostname
-                labelSelector:
-                  matchLabels:
-                    app.kubernetes.io/name: pomerium
-    target:
-      group: apps
-      version: v1
-      kind: Deployment
-      name: pomerium
+components:
+  - ../components/databroker-cluster
@@ -0,0 +1,111 @@
+# Component: converts the all-in-one pomerium Deployment into a clustered,
+# raft-backed StatefulSet with a 3-node databroker. Shared by the
+# clustered-databroker and clustered-databroker-no-crd variants so the
+# (large) patch is defined exactly once.
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - ./service
+  - ./pdb.yaml
+patches:
+  - patch: |-
+      - op: replace
+        path: /kind
+        value: StatefulSet
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: '--databroker-cluster-node-id=$(POD_NAME)'
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: '--databroker-raft-bind-address=:5999'
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
+        value: '--databroker-auto-tls=*.pomerium-headless'
+      - op: add
+        path: /spec/template/spec/containers/0/env/-
+        value:
+          name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+      - op: add
+        path: /spec/template/spec/containers/0/env/-
+        value:
+          name: DATABROKER_CLUSTER_NODES
+          value: |-
+            [
+              { "id": "pomerium-0", "grpc_address": "https://pomerium-0.pomerium-headless:5443", "raft_address": "pomerium-0.pomerium-headless:5999" },
+              { "id": "pomerium-1", "grpc_address": "https://pomerium-1.pomerium-headless:5443", "raft_address": "pomerium-1.pomerium-headless:5999" },
+              { "id": "pomerium-2", "grpc_address": "https://pomerium-2.pomerium-headless:5443", "raft_address": "pomerium-2.pomerium-headless:5999" }
+            ]
+      - op: add
+        path: /spec/template/spec/containers/0/ports/-
+        value:
+          name: grpc
+          containerPort: 5443
+          protocol: TCP
+      - op: add
+        path: /spec/template/spec/containers/0/ports/-
+        value:
+          name: raft
+          containerPort: 5999
+          protocol: TCP
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/-
+        value:
+          name: storage
+          mountPath: /var/pomerium/databroker
+      - op: add
+        path: /spec/replicas
+        value: 3
+      - op: add
+        path: /spec/updateStrategy
+        value:
+          type: RollingUpdate
+          rollingUpdate:
+            maxUnavailable: 1
+      - op: add
+        path: /spec/podManagementPolicy
+        value: Parallel
+      - op: add
+        path: /spec/persistentVolumeClaimRetentionPolicy
+        value:
+          whenDeleted: Delete
+          whenScaled: Delete
+      - op: add
+        path: /spec/serviceName
+        value: pomerium-headless
+      - op: add
+        path: /spec/volumeClaimTemplates
+        value:
+          - metadata:
+              name: storage
+            spec:
+              accessModes:
+                - ReadWriteOnce
+              resources:
+                requests:
+                  storage: 1Gi
+      - op: replace
+        path: /spec/template/spec/containers/0/resources/requests/cpu
+        value: 500m
+      - op: add
+        path: /spec/template/spec/securityContext/fsGroup
+        value: 65532
+      - op: add
+        path: /spec/template/spec/securityContext/fsGroupChangePolicy
+        value: OnRootMismatch
+      - op: add
+        path: /spec/template/spec/affinity
+        value:
+          podAntiAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              - topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: pomerium
+    target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: pomerium
@@ -0,0 +1,11 @@
+# Same as config/default but WITHOUT the CRD bases. Use this when the
+# pomerium.ingress.pomerium.io / policyfilters.gateway.pomerium.io CRDs are
+# owned by a separate installer (e.g. a dedicated ArgoCD CRD Application or a
+# Terraform-managed CRD) so the controller install does not also write the
+# cluster-scoped CRD object and fight over its schema.
+namespace: pomerium
+commonLabels:
+  app.kubernetes.io/name: pomerium
+resources:
+  - ../pomerium
+  - ../gen_secrets