You need to deploy two instances of Pomerium into your cluster.
The following has to be changed compared to a vanilla installation. Assuming you name your installations, for example, one and two:
- Namespace: pomerium => pomerium-one
- Global settings: global => global-one. Databases MUST be distinct.
- Controller name: pomerium.io/ingress-controller => pomerium.io/ingress-controller-one
- IngressClass: pomerium => pomerium-one
- Authenticate URLs should be distinct, e.g. https://authenticate-one.corp.com
You may use kustomize, which is built into kubectl, to create a variation of the installation: create a folder pomerium-one with the following two files:
kustomization.yaml:
namespace: pomerium-one
bases:
  - https://raw.githubusercontent.com/pomerium/ingress-controller/main/deployment.yaml
patchesStrategicMerge:
  - deployment.yaml
patches:
  - target:
      kind: IngressClass
      name: pomerium
    patch: |-
      - op: replace
        path: /metadata/name
        value: pomerium-one
      - op: replace
        path: /spec/controller
        value: pomerium.io/ingress-controller-one
and deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
spec:
  template:
    spec:
      containers:
        - name: pomerium
          args:
            - all-in-one
            - --pomerium-config=pomerium-one
            - --update-status-from-service=$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=$(POD_IP):9090
            - --name=pomerium.io/ingress-controller-one
From that directory, run kubectl apply -k . and it should deploy an installation for pomerium-one. Now repeat the same for pomerium-two, and create the secrets and the appropriate global configuration for each installation.
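Since the second installation differs from the first only in the suffix, the overlay is easier to keep consistent if it is generated rather than copied by hand. The script below is an added example, not part of the original post or of the Pomerium project: gen_pomerium_overlay writes the two files shown above for an arbitrary suffix, and overlay_id / check_distinct (both hypothetical helpers introduced here) pull the namespace, IngressClass name and controller name back out of a generated overlay so that two overlays can be checked for collisions before anything is applied. It assumes the suffix is a DNS-safe label and that the output directory may be created; the secrets, global settings and authenticate URL are not generated because the page does not show their manifests.

```shell
#!/bin/sh
# Added example (not from the original page): generate the kustomize overlay
# for one named Pomerium installation.
# Usage: gen_pomerium_overlay <suffix> <dir>
# Assumption: <suffix> is a DNS-safe label (e.g. "one", "two").
gen_pomerium_overlay() {
  suffix="$1"
  dir="$2"
  mkdir -p "$dir"

  cat > "$dir/kustomization.yaml" <<EOF
namespace: pomerium-$suffix
bases:
  - https://raw.githubusercontent.com/pomerium/ingress-controller/main/deployment.yaml
patchesStrategicMerge:
  - deployment.yaml
patches:
  - target:
      kind: IngressClass
      name: pomerium
    patch: |-
      - op: replace
        path: /metadata/name
        value: pomerium-$suffix
      - op: replace
        path: /spec/controller
        value: pomerium.io/ingress-controller-$suffix
EOF

  # The downward-API references are escaped so they reach the manifest
  # literally as $(POMERIUM_NAMESPACE) and $(POD_IP).
  cat > "$dir/deployment.yaml" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pomerium
  namespace: pomerium
spec:
  template:
    spec:
      containers:
        - name: pomerium
          args:
            - all-in-one
            - --pomerium-config=pomerium-$suffix
            - --update-status-from-service=\$(POMERIUM_NAMESPACE)/pomerium-proxy
            - --metrics-bind-address=\$(POD_IP):9090
            - --name=pomerium.io/ingress-controller-$suffix
EOF
}

# Hypothetical helper: print "<namespace> <ingressclass> <controller>" for an
# overlay directory, read back from its kustomization.yaml.
overlay_id() {
  dir="$1"
  ns=$(sed -n 's/^namespace: //p' "$dir/kustomization.yaml")
  cls=$(sed -n 's/^ *value: \(pomerium-.*\)$/\1/p' "$dir/kustomization.yaml")
  ctl=$(sed -n 's/^ *value: \(pomerium.io\/.*\)$/\1/p' "$dir/kustomization.yaml")
  echo "$ns $cls $ctl"
}

# Hypothetical helper: succeed only if namespace, IngressClass name and
# controller name all differ between the two overlays. Two controllers that
# share any of these would claim each other's Ingress objects.
check_distinct() {
  set -- $(overlay_id "$1") $(overlay_id "$2")
  [ "$1" != "$4" ] && [ "$2" != "$5" ] && [ "$3" != "$6" ]
}

# Intended workflow (not executed here):
#   gen_pomerium_overlay one ./pomerium-one
#   gen_pomerium_overlay two ./pomerium-two
#   check_distinct ./pomerium-one ./pomerium-two \
#     && kubectl apply -k ./pomerium-one && kubectl apply -k ./pomerium-two
```

check_distinct only compares what the overlay itself controls; the global settings object and the authenticate URL still have to be made distinct by hand, as the checklist above says.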
Now you may start assigning spec.ingressClassName pomerium-one or pomerium-two to the Ingress objects to make them use different Pomerium installations (and identity providers).