Merge remote-tracking branch 'origin/master' into feature/envoy

docs/configuration/examples/config/config.example.env

@@ -15,10 +15,12 @@ export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
 
 # Certificates can be loaded as files or base64 encoded bytes.
 # See : https://www.pomerium.io/docs/reference/certificates
-export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"                      # optional, defaults to `./cert.pem`
-export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
-# export CERTIFICATE="xxxxxx"                 # base64 encoded cert, eg. `base64 -i cert.pem`
-# export CERTIFICATE_KEY="xxxx"               # base64 encoded key, eg. `base64 -i privkey.pem`
+export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible.
+# export AUTOCERT_DIR="./certs" # The path where you want to place your certificates
+# export CERTIFICATE_FILE="xxxx"      # optional, defaults to `./cert.pem`
+# export CERTIFICATE_KEY_FILE="xxx" # optional, defaults to `./certprivkey.pem`
+# export CERTIFICATE="xxx"          # base64 encoded cert, eg. `base64 -i cert.pem`
+# export CERTIFICATE_KEY="xxx"      # base64 encoded key, eg. `base64 -i privkey.pem`
 
 # Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
 export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"

docs/configuration/examples/config/config.minimal.env

@@ -1,8 +1,7 @@
 #!/bin/bash
 
 # See : https://www.pomerium.io/docs/reference/certificates
-export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"                      # optional, defaults to `./cert.pem`
-export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
+export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible.
 
 # 256 bit random keys
 export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"

docs/configuration/examples/config/config.minimal.yaml

@@ -4,8 +4,10 @@
 authenticate_service_url: https://authenticate.localhost.pomerium.io
 
 # certificate settings:  https://www.pomerium.io/docs/reference/certificates.html
-certificate_file: "./_wildcard.localhost.pomerium.io.pem"
-certificate_key_file: "./_wildcard.localhost.pomerium.io-key.pem"
+autocert: true
+
+# REMOVE FOR PRODUCTION
+autocert_use_staging: true
 
 # identity provider settings : https://www.pomerium.io/docs/identity-providers.html
 idp_provider: google

docs/configuration/examples/docker/autocert.docker-compose.yml

@@ -0,0 +1,18 @@
+version: "3"
+services:
+  pomerium:
+    image: pomerium/pomerium:v0.7.0
+    environment:
+      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
+      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
+    volumes:
+      # Use a volume to store ACME certificates
+      - pomerium:/data:rw
+    ports:
+      - 443:443
+
+  # https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
+  httpbin:
+    image: kennethreitz/httpbin:latest
+    expose:
+      - 80