First-time installation; questions about integrations

What happened?

I am currently preparing the structure for basically the second - and first actually really proper - version of my homelab. After literally a whole year of digging around for certain solutions to my problems, I ended up picking Pomerium as one of the components; that is, a method to restrict users based on their groups, to access services.

For a simplified example: Consider Jellyfin and Wizarr as the services, and consider Casdoor as the IdP which federates to/with Discord through an OAuth2/OIDC bridge - so there are the groups admin that is for my personal local user, and guild:123456 as being within the groups claim from the federated Discord integration.

So far, Pomerium was the only solution I could find that would allow me to determine that “everyone in guild:123456 can access Jellyfin” and “only users in admin can access Wizarr” with a rather simple policy (I think you call it PPL - Pomerium Policy Language?).

Previously, I tried avoiding Pomerium because of the confusion in Free versus paid tiers. I plan to host Pomerium on my own infrastructure and connect it to Casdoor to handle the authentication. However, I might swap Casdoor out, since authorization is handled entirely within Pomerium - but, I am not entirely sure just yet. It has some good features after all.

But, as I have come to terms with the fact that Pomerium is my only “out”, I figured I might as well go ahead and dump all my questions here. Perhaps this’ll help us clear the fog!

What did you expect to happen?

When looking at Pomerium’s pricing, there is a clear limitation on “Custom Domains” and the amount of users - 10 for the “Free” one.

  • Does this mean that I can only use exactly one domain (but unlimited subdomains)? I technically have five domains that I own, three of which I plan to use.
  • Even though my users will come in via an external IdP, can I still only have a maximum of ten users known to Pomerium at any given time?

Then, I looked at the Helm values (GitHub - pomerium/pomerium-helm: Official helm charts for Pomerium.) to figure out what values I would have to set. Since I will be using k0s for my Kubernetes distribution of choice, I can take advantage of their “Extensions” feature - which basically means, “define Helm repos and values and have them installed as part of cluster bootstrap”. That makes for a really clean setup together with their k0sctl tool and is the route I plan to go to set up a few essentials - MetalLB, Cert-Manager, External Secrets, ArgoCD. And Pomerium too, as the primary and only ingress controller. I had previously used Traefik within k3s - but since k0s does not provide a default, I figured I might as well go all-in. Everything else will be handled via ArgoCD - only the “cluster essentials” should go into this extension config.

Looking at those helm values, I saw that Pomerium is made up of a whole lot of different services. Each one of them wants its own TLS/CA configuration - at least from what I gather from reading the values.yaml in the chart’s directory.

  • I plan to use Cert Manager with Let’s Encrypt - do I even need to specify any of the TLS configurations?
  • When using Pomerium’s CRDs to define an ingress, how do I ensure it uses the same Let’s Encrypt cluster issuer for those domains?
  • And, this is more of a hypothetical question, if I was to introduce a deep packet inspection into my homelab via my OPNsense firewall, how or where would I teach Pomerium about the custom CA to trust? Highly optional - but, might as well ask while I am at it…

Lastly, a different aspect about deploying.
I have an external VPS which will become part of the cluster through a Headscale VPN and routing configuration. Although I may swap Headscale for some other solution, the idea is the same: The VPS becomes part of the overall network with a lil’ bit of the good old routing configuration. In doing so, I technically need to expose two “endpoints” to the Pomerium reverse proxy: One at home through a MetalLB provided VIP and another that needs to use hostPort on the VPS via nodeSelector.

  • What is the cleanest way to make Pomerium listen on both endpoints so I can expose it to the outside world properly?

And, a few “rapid fire” questions. This is mainly related to the pricing table too - but consider that I will be writing basically everything in YAML and only use the UI to see “how things are doing” and perhaps even exporting metrics to a Grafana stack (VictoriaMetrics/-Logs/-Traces behind it as data source and Keep for alerting).

  • Policies: 5
    Is that per Ingress configuration or globally?
  • Routes: 10
    Are those routes per ingress or total amount of ingress configurations or ten routes across multiple ingresses together?
  • There is no mention of SSH limitations in the pricing - but this feature is genuinely pretty cool since I have some outside-of-cluster nodes (dedicated job server with Concourse and AI server). Which details do apply?
  • I perhaps plan on bringing in a few RISC-V workers. Which repository do I turn to, to build a RISC-V version of the Pomerium Core container(s)? My job server is actually a Milk-V Pioneer with Concourse CI/CD - I want to use this to literally “build everything that’s missing” - and I plan to mount a few JH7110s and SpacemiT CPUs into the cluster to see how viable and powerful some smol RISC-V workers can be :slight_smile:

How’d it happen?

What, exactly? Me coming across Pomerium? I believe somebody that’s a maintainer here eventually responded to one of my posts on r/homelab or r/kubernetes - it’s been a hot minute… apologies.

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): I am eyeballing 0.30.0 as a starting point
  • Server Operating System/Architecture/Cloud:
    • Alpine Linux 3.22
    • Kubernetes (k0s) - currently 1.33

What’s your config.yaml?

# None... yet!

What did you see in the logs?

# None yet.

Additional context

I do all and anything of this because it’s fun. Running stuff at home is a passion project of mine to learn about all the things that I can not and will never learn at work - because the Microsoftness over there is just way, way too strong. So, if I want to broaden my horizon - be that hobbyist FOSS software or semi-enterprise stuff - I have to actually, literally do it myself. Setting up split-horizon DNS to avoid roundtripping to my outside VPS with CoreDNS templating and now adding protected routes with Pomerium is literally just a “because I can” case. I do this, because I have the resources and the know-how to set stuff up that my friends and myself would like to use. That’s… literally all. Learning stuff, having fun - and who knows, eventually deploying the knowledge I obtained in the wild, at some company. Who knows! :smiley:

Hi,

A lot of questions here. I will try to answer them.

First there are different ways Pomerium can be installed. There’s an open-source version, a paid, hybrid managed version (Pomerium Zero), and an enterprise version. There’s also an ingress controller if you are using kubernetes that can configure the open source version based on kubernetes manifests.

Does this mean that I can only use exactly one domain (but unlimited subdomains)? I technically have five domains that I own, three of which I plan to use.

For Pomerium Zero you can only have 1 custom domain. This custom domain can be a wildcard domain, effectively giving you unlimited subdomains.

Even though my users will come in via an external IdP, can I still only have a maximum of ten users known to Pomerium at any given time?

Yes, with Pomerium Zero.

Then, I looked at the Helm values (GitHub - pomerium/pomerium-helm: Official helm charts for Pomerium.) to figure out what values I would have to set.

The helm chart is deprecated. Up to date installation instructions can be found here: Installation | Pomerium. I haven’t used k0s before, so I’m not sure if it can install via kustomize.

I plan to use Cert Manager with Let’s Encrypt - do I even need to specify any of the TLS configurations?

TLS configuration in an ingress will be used by the Pomerium ingress controller, so yes it will work with Cert Manager.

And, this is more of a hypothetical question, if I was to introduce a deep packet inspection into my homelab via my OPNsense firewall, how or where would I teach Pomerium about the custom CA to trust? Highly optional - but, might as well ask while I am at it…

There is a caSecrets field in the spec you can use.

What is the cleanest way to make Pomerium listen on both endpoints so I can expose it to the outside world properly?

Not sure I understand, but if you have kubernetes services routing traffic to the ingress controller, the ingress controller’s routing logic should work based on the :authority header and url, regardless of how that traffic arrives.

Policies: 5
Is that per Ingress configuration or globally?
Routes: 10
Are those routes per ingress or total amount of ingress configurations or ten routes across multiple ingresses together?
There is no mention of SSH limitations in the pricing - but this feature is genuinely pretty cool since I have some outside-of-cluster nodes (dedicated job server with Concourse and AI server). Which details do apply?

These limitations are for Pomerium Zero. The ingress controller does not have these limitations.

I perhaps plan on bringing in a few RISC-V workers. Which repository do I turn to, to build a RISC-V version of the Pomerium Core container(s)?

We do not have a RISC-V build of Pomerium and have never attempted to do this. It would first require a build of Envoy for RISC-V and I’m not sure if this is possible.
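Putting the group-based policy from the first post together with the answers above on cert-manager and caSecrets, here is an added example of what the manifests for the two services could look like. It is not from this thread or from the Pomerium project: the hostnames, namespace and secret names are constructed, the group values are the ones named in the post, and the annotation and CRD field names are as I recall them from the Pomerium ingress controller documentation, so check them against the CRDs installed in your cluster.

```yaml
# Added example (not from the thread or the Pomerium project). Hostnames,
# namespace and secret names are constructed; annotation and CRD field names
# are assumptions to verify against the installed Pomerium CRDs.
---
# Global Pomerium settings consumed by the ingress controller. caSecrets is the
# field mentioned above: each entry names a secret holding an extra CA bundle
# (for example an OPNsense inspection CA) that Pomerium should trust upstream.
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  secrets: pomerium/bootstrap          # shared_secret, cookie_secret, signing_key
  authenticate:
    url: https://authenticate.example.com
  identityProvider:
    provider: oidc
    url: https://casdoor.example.com   # Casdoor as the OIDC IdP, bridging Discord
    secret: pomerium/idp               # client_id / client_secret
  caSecrets:
    - pomerium/opnsense-ca
---
# Jellyfin: anyone whose IdP token carries guild:123456 in the groups claim.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jellyfin
  namespace: media
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # cert-manager fills spec.tls
    ingress.pomerium.io/policy: |
      - allow:
          and:
            - claim/groups: "guild:123456"
spec:
  ingressClassName: pomerium
  tls:
    - hosts: [jellyfin.example.com]
      secretName: jellyfin-tls
  rules:
    - host: jellyfin.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jellyfin
                port:
                  number: 8096
---
# Wizarr: only the local admin group. A request matched by no allow rule is denied.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wizarr
  namespace: media
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.pomerium.io/policy: |
      - allow:
          and:
            - claim/groups: admin
spec:
  ingressClassName: pomerium
  tls:
    - hosts: [wizarr.example.com]
      secretName: wizarr-tls
  rules:
    - host: wizarr.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wizarr
                port:
                  number: 5690
```

The `claim/groups` criterion is evaluated against whatever the IdP actually returns, so before relying on it confirm that Casdoor puts the Discord-derived `guild:…` values and the local `admin` value into the `groups` claim of the ID token or userinfo response; a user in neither group matches no allow rule and is denied by default.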

Hey hey :slight_smile:

Thank you @calebdoxsey for answering so many of the questions! That helped me get a grip of things.

Since I have my whole entire infra (both local and a remote VPS), all I really need is “Core”.

For Pomerium Zero you can only have 1 custom domain.

Then I would assume, since Core is not the SaaS offering, this restriction does not apply?

The helm chart is deprecated.

Oh, okay - thanks! :slight_smile: I can make Kustomize work - worst case, I just set up my own Helm chart in the long run.

We do not have a RISC-V build of Pomerium and have never attempted to do this. It would first require a build of Envoy for RISC-V and I’m not sure if this is possible.

I see! So, if I get Envoy to build on RISC-V, which repository would I go for to attempt a RISC-V build of Pomerium Core then?

Since I plan to essentially host my own CI/CD server, I don’t mind setting this up - if only to see if it builds or not.

Thanks again for all the info! Will dig more into the docs for now - but I think I got the gist of it. Stick to Core and most of the restrictions on the pricing do not apply, since I do not use the SaaS - Zero - offering.

Hi @IngwiePhoenix,

To answer your follow-up questions:

Then I would assume, since Core is not the SaaS offering, this restriction does not apply?

That’s correct, there are no inherent limits on how you can configure the open-source Pomerium Core. As long as you can point your DNS records at your Pomerium instance and configure Pomerium with appropriate TLS certificates, you can use any route domains you like.

So, if I get Envoy to build on RISC-V, which repository would I go for to attempt a RISC-V build of Pomerium Core then?

If you want to attempt this, you can start here: GitHub - pomerium/envoy-custom. Pomerium uses a few custom Envoy extensions, and this repo contains the source code for these extensions. I would install bazelisk if you don’t have Bazel already, then clone that repo and attempt to run bazel build envoy.

If you succeed in building Envoy for RISC-V, then next you’ll want to build Pomerium Core from the GitHub - pomerium/pomerium: Pomerium is an identity and context-aware access proxy. repo. To embed your custom Envoy build, you’ll want to copy your binary to the pkg/envoy/files directory and add a files_linux_riscv64.go file there (you can follow pomerium/pkg/envoy/files/files_linux_amd64.go at main · pomerium/pomerium · GitHub as an example). You’ll need to add a checksum and version file as well. You can also remove the get-envoy target from the Makefile, as you won’t need to fetch any of the arm64 or amd64 binaries.

If you do get it working please let us know. Best of luck!

–Ken