3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

specify expected audience in Console config (#2442)

Browse source
This commit is contained in:
Alex Fornuto 2021-08-05 19:08:57 -05:00 committed by GitHub
parent 2b200f8704
commit 1931f11649
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
docs/enterprise/install/helm.md
View file

@ -101,6 +101,7 @@ This setup assumes an existing certificate solution using cert-manager, as descr
databaseEncryptionKey: #Generate from "head -c32 /dev/urandom | base64" databaseEncryptionKey: #Generate from "head -c32 /dev/urandom | base64"
administrators: "youruser@yourcompany.com" #This is a hard-coded access, remove once setup is complete administrators: "youruser@yourcompany.com" #This is a hard-coded access, remove once setup is complete
signing_key: "ZZZZZZZ" #This base64-encoded key is shared with open-source Pomerium signing_key: "ZZZZZZZ" #This base64-encoded key is shared with open-source Pomerium
audience: console.localhost.pomerium.com # This should match the "from" value in your Pomerium route, excluding protocol.
tls: tls:
existingCASecret: pomerium-tls existingCASecret: pomerium-tls
caSecretKey: ca.crt caSecretKey: ca.crt

12
docs/enterprise/install/quickstart.md
View file

@ -158,7 +158,7 @@ administrators: you@mydomain.com
Once you have set permissions in the console UI, you should remove this configuration. Once you have set permissions in the console UI, you should remove this configuration.
### TLS and Signing Key ### TLS, Signing Key and Audience
1. If your open-source Pomerium installation is already configured to use TLS to secure back-end communication, you can do the same for the Pomerium Enterprise Console by providing it a certificate, key, and optional custom CA file to validate the `databroker_service_url` connection: 1. If your open-source Pomerium installation is already configured to use TLS to secure back-end communication, you can do the same for the Pomerium Enterprise Console by providing it a certificate, key, and optional custom CA file to validate the `databroker_service_url` connection:
@ -172,6 +172,14 @@ Once you have set permissions in the console UI, you should remove this configur
1. Set the [`signing_key`](/enterprise/reference/config.md#signing-key) to match Pomerium's. 1. Set the [`signing_key`](/enterprise/reference/config.md#signing-key) to match Pomerium's.
1. Set the `audience` key to match the `from` domain value from your [Pomerium configuration](#update-pomerium), excluding protocol:
```yaml
audience: console.localhost.pomerium.com
```
This sets the expected "audience" key in the [JWT header](/reference/#jwt-claim-headers) to match what's provided by open-source Pomerium as it proxies traffic to the Enterprise Console UI.
Once complete, your `/etc/pomerium-console/config.yaml` file should look something like this: Once complete, your `/etc/pomerium-console/config.yaml` file should look something like this:
```yaml ```yaml
@ -188,6 +196,8 @@ tls_cert_file: /etc/pomerium-console/cert.pem
tls_key_file: /etc/pomerium-console/key.pem tls_key_file: /etc/pomerium-console/key.pem
signing_key: "ZZZZZZZZZZZZZZ" signing_key: "ZZZZZZZZZZZZZZ"
audience: console.localhost.pomerium.com
``` ```
## Next Steps ## Next Steps