docs: update kubernetes example

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Bobby DeSimone 2019-08-19 14:34:10 -07:00
parent b3fa7023f6
commit 32f280f8f9
No known key found for this signature in database
GPG key ID: AEE4CF12FE86D07E
18 changed files with 200 additions and 206 deletions


@ -24,17 +24,18 @@ Retrieve the latest copy of pomerium's source-code by cloning the repository.
```bash
git clone https://github.com/pomerium/pomerium.git $HOME/pomerium
cd $HOME/pomerium/docs/docs/reference/examples/kubernetes
```
## Configure
Edit [./scripts/kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] and [wild-card tls certificate] settings.
Edit [./kubernetes_gke.sh] making sure to change the identity provider secret value to match your [identity provider] and [wild-card tls certificate] settings.
<<<@/scripts/kubernetes_gke.sh
<<<@/docs/docs/reference/examples/kubernetes/kubernetes_gke.sh
## Run
Run [./scripts/kubernetes_gke.sh] which will:
Run [./kubernetes_gke.sh] which will:
1. Provision a new cluster.
2. Create authenticate, authorize, and proxy [deployments](https://cloud.google.com/kubernetes-engine/docs/concepts/deployment).
@ -42,7 +43,8 @@ Run [./scripts/kubernetes_gke.sh] which will:
4. Configure an ingress load balancer.
```bash
sh ./scripts/kubernetes_gke.sh
cd $HOME/pomerium/docs/docs/reference/examples/kubernetes
sh ./kubernetes_gke.sh
```
You should see roughly the following in your terminal. Note, provisioning does take a few minutes.
@ -57,7 +59,7 @@ And if you check out Google's Kubernetes Engine dashboard you'll see something l
Open a browser and navigate to `httpbin.your.domain.example`.
[./scripts/kubernetes_gke.sh]: ../reference/examples#google-kubernetes-engine
[./kubernetes_gke.sh]: ../reference/examples#google-kubernetes-engine
[example kubernetes files]: ../reference/examples#google-kubernetes-engine
[identity provider]: ../identity-providers/readme.md
[letsencrypt]: https://letsencrypt.org/


@ -95,31 +95,23 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
#### kubernetes_gke
<<< @/scripts/kubernetes_gke.sh
<<< @/docs/docs/reference/examples/kubernetes/kubernetes_gke.sh
#### authenticate.deploy.yml
#### kubernetes-config.yaml
<<< @/docs/docs/reference/examples/kubernetes/authenticate.deploy.yml
<<< @/docs/docs/reference/examples/kubernetes/kubernetes-config.yaml
#### authenticate.service.yml
#### pomerium-authenticate.yml
<<< @/docs/docs/reference/examples/kubernetes/authenticate.service.yml
<<< @/docs/docs/reference/examples/kubernetes/pomerium-authenticate.yml
#### authorize.deploy.yml
#### pomerium-authorize.yml
<<< @/docs/docs/reference/examples/kubernetes/authorize.deploy.yml
<<< @/docs/docs/reference/examples/kubernetes/pomerium-authorize.yml
#### authorize.service.yml
#### pomerium-proxy.yml
<<< @/docs/docs/reference/examples/kubernetes/authorize.service.yml
#### proxy.deploy.yml
<<< @/docs/docs/reference/examples/kubernetes/proxy.deploy.yml
#### proxy.service.yml
<<< @/docs/docs/reference/examples/kubernetes/proxy.service.yml
<<< @/docs/docs/reference/examples/kubernetes/pomerium-proxy.yml
#### ingress.yml


@ -1,7 +1,7 @@
version: "3"
services:
pomerium:
image: pomerium/pomerium:v0.2.0
image: pomerium/pomerium:latest
environment:
# Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
- COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
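Review bot: `image: pomerium/pomerium:latest` is a floating tag, so every pull may resolve to a different build and the example is no longer reproducible or auditable; pin a release tag (or an image digest) instead, e.g. keep `image: pomerium/pomerium:v0.2.0` and bump it together with the documented release. The same change appears in the nginx compose file and in the Deployments of pomerium-authenticate.yml, pomerium-authorize.yml and pomerium-proxy.yml below. If `latest` is deliberate for the docs, a short comment such as `# example only: pin a release tag in real deployments` would make that explicit.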


@ -12,7 +12,7 @@ services:
- /var/run/docker.sock:/tmp/docker.sock:ro
pomerium-authenticate:
image: pomerium/pomerium:v0.2.0 # or `build: .` to build from source
image: pomerium/pomerium:latest # or `build: .` to build from source
restart: always
environment:
- SERVICES=authenticate
@ -42,7 +42,7 @@ services:
- 443
pomerium-proxy:
image: pomerium/pomerium:v0.2.0 # or `build: .` to build from source
image: pomerium/pomerium:latest # or `build: .` to build from source
restart: always
environment:
- SERVICES=proxy
@ -69,7 +69,7 @@ services:
- 443
pomerium-authorize:
image: pomerium/pomerium:v0.2.0 # or `build: .` to build from source
image: pomerium/pomerium:latest # or `build: .` to build from source
restart: always
environment:
- SERVICES=authorize


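--- a/docs/docs/reference/examples/kubernetes/authenticate.service.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-name: pomerium-authenticate-service
-namespace: pomerium
-annotations:
-cloud.google.com/app-protocols: '{"https":"HTTPS"}'
-spec:
-ports:
-- port: 443
-name: https
-selector:
-app: pomerium-authenticate
-type: NodePort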


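--- a/docs/docs/reference/examples/kubernetes/authorize.service.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-name: pomerium-authorize-service
-namespace: pomerium
-annotations:
-cloud.google.com/app-protocols: '{"https":"HTTPS"}'
-spec:
-ports:
-- port: 443
-name: https
-selector:
-app: pomerium-authorize
-type: NodePort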


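--- /dev/null
+++ b/docs/docs/reference/examples/kubernetes/httpbin.yml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: httpbin
+labels:
+app: httpbin
+spec:
+type: NodePort
+ports:
+- name: http
+port: 8000
+targetPort: 80
+selector:
+app: httpbin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: httpbin
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: httpbin
+version: v1
+template:
+metadata:
+labels:
+app: httpbin
+version: v1
+spec:
+containers:
+- image: docker.io/kennethreitz/httpbin
+imagePullPolicy: IfNotPresent
+name: httpbin
+ports:
+- containerPort: 80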
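Review bot: `type: NodePort` on the httpbin Service is wider than this example needs: its only consumer is pomerium, which reaches it in-cluster as `http://httpbin.default.svc.cluster.local:8000` (see kubernetes-config.yaml), and a NodePort publishes the unauthenticated test app on a port of every node, reachable without passing through the proxy wherever the cluster firewall allows node-port traffic. `type: ClusterIP` (or simply omitting `type`) keeps it in-cluster only. The container image `docker.io/kennethreitz/httpbin` carries no tag or digest, so it silently resolves to `latest`; pinning a tag keeps the example reproducible.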


@ -2,7 +2,6 @@ apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: pomerium-http
namespace: pomerium
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
@ -35,10 +34,3 @@ spec:
backend:
serviceName: pomerium-authenticate-service
servicePort: https
- host: "authorize.corp.beyondperimeter.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-authorize-service
servicePort: https


@ -2,7 +2,6 @@ apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: pomerium-ingress
namespace: pomerium
annotations:
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: pomerium
@ -13,7 +12,6 @@ spec:
hosts:
- "*.corp.beyondperimeter.com"
- "authenticate.corp.beyondperimeter.com"
- "authorize.corp.beyondperimeter.com"
rules:
- host: "*.corp.beyondperimeter.com"
@ -30,10 +28,3 @@ spec:
backend:
serviceName: pomerium-authenticate-service
servicePort: https
- host: "authorize.corp.beyondperimeter.com"
http:
paths:
- paths:
backend:
serviceName: pomerium-authorize-service
servicePort: https


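--- /dev/null
+++ b/docs/docs/reference/examples/kubernetes/kubernetes-config.yaml
@@ -0,0 +1,16 @@
+# Main configuration flags : https://www.pomerium.io/reference/
+authenticate_service_url: https://authenticate.corp.beyondperimeter.com
+authenticate_internal_url: https://pomerium-authenticate-service.default.svc.cluster.local
+authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+override_certificate_name: "*.corp.beyondperimeter.com"
+idp_provider: google
+idp_client_id: REPLACE_ME.apps.googleusercontent.com
+idp_client_secret: "REPLACE_ME"
+policy:
+- from: https://httpbin.corp.beyondperimeter.com
+to: http://httpbin.default.svc.cluster.local:8000
+allowed_domains:
+- gmail.com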
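Review bot: `idp_client_secret: "REPLACE_ME"` puts the IdP client secret into a file that kubernetes_gke.sh loads into a ConfigMap (`kubectl create configmap config --from-file=...`), whereas the manifests this commit replaces injected `IDP_CLIENT_SECRET` from a Kubernetes Secret via `secretKeyRef`; ConfigMaps are not treated as secrets by RBAC or tooling, so anyone who can read ConfigMaps in the namespace can read the credential. Keep the secret out of this file and set it as the `IDP_CLIENT_SECRET` environment variable from a Secret in the Deployments, as before; the reference documents an environment variable alongside the config-file key for settings. The internal URLs hard-code `.default.svc.cluster.local`, which only holds while kubectl's current context namespace is `default` now that the manifests no longer set `namespace`; a comment such as `# internal URLs assume the resources are deployed into the default namespace` would save readers a confusing failure.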


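--- /dev/null
+++ b/docs/docs/reference/examples/kubernetes/kubernetes_gke.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+# NOTE! This will create real resources on Google GCP. Make sure you clean up any unused
+# resources to avoid being billed.
+# For reference, this tutorial cost ~10 cents for a couple of hours.
+# NOTE! You must change the identity provider client secret setting in your config file!
+echo "=> creating cluster"
+gcloud container clusters create pomerium --num-nodes 2
+echo "=> get cluster credentials so we can use kubctl locally"
+gcloud container clusters get-credentials pomerium
+echo "=> create config from kubernetes-config.yaml which we will mount"
+kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
+echo "=> create our random shared-secret and cookie-secret keys as envars"
+kubectl create secret generic shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
+kubectl create secret generic cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
+echo "=> initiliaze secrets for TLS wild card for service use"
+kubectl create secret generic certificate \
+--from-literal=certificate=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer")
+kubectl create secret generic certificate-key \
+--from-literal=certificate-key=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key")
+echo "=> load TLS to ingress"
+kubectl create secret tls pomerium-tls \
+--key "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" \
+--cert "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"
+echo "=> deploy pomerium proxy, authorize, and authenticate"
+kubectl apply -f pomerium-proxy.yml
+kubectl apply -f pomerium-authenticate.yml
+kubectl apply -f pomerium-authorize.yml
+echo "=> deploy our test app, httpbin"
+kubectl apply -f httpbin.yml
+echo "=> deploy the GKE specific ingress"
+kubectl apply -f ingress.yml
+# Alternatively, nginx-ingress can be used
+# kubectl apply -f ingress.nginx.yml
+# When done, clean up by deleting the cluster!
+# gcloud container clusters delete pomerium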
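Review bot: The script never enables `set -euo pipefail`, so if `gcloud container clusters create` or `get-credentials` fails, every following `kubectl` call still runs against whatever cluster the current kubeconfig context points at and creates secrets and Deployments somewhere unintended; add `set -euo pipefail` right after the shebang. The removed scripts/kubernetes_gke.sh had an `exit 1` guard forcing the user to replace the IdP secret, while this version only warns in a comment, so a check such as `grep -q REPLACE_ME kubernetes-config.yaml && { echo "edit kubernetes-config.yaml first"; exit 1; }` before the configmap is created would restore that safeguard. The `$(base64 -i ...)` substitutions on the certificate and certificate-key lines are unquoted; if the local base64 wraps its output (GNU coreutils does at 76 columns, and its `-i` flag means something other than the macOS "input file"), the value is word-split into several arguments and the stored secret is silently truncated, so quote them as `--from-literal=certificate="$(base64 ...)"` and confirm the wrapping behaviour on the platforms the docs target.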


@ -1,10 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: pomerium-authenticate-service
annotations:
cloud.google.com/app-protocols: '{"https":"HTTPS"}'
spec:
ports:
- port: 443
name: https
selector:
app: pomerium-authenticate
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pomerium-authenticate
labels:
app: pomerium-authenticate
namespace: pomerium
spec:
replicas: 1
selector:
@ -16,8 +29,10 @@ spec:
app: pomerium-authenticate
spec:
containers:
- image: pomerium/pomerium:v0.2.0
- image: pomerium/pomerium:latest
name: pomerium-authenticate
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
name: https
@ -25,14 +40,6 @@ spec:
env:
- name: SERVICES
value: authenticate
- name: AUTHENTICATE_SERVICE_URL
value: https://authenticate.corp.beyondperimeter.com
- name: IDP_PROVIDER
value: google
- name: IDP_PROVIDER_URL
value: https://accounts.google.com
- name: IDP_CLIENT_ID
value: 851877082059-bfgkpj09noog7as3gpc3t7r6n9sjbgs6.apps.googleusercontent.com
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
@ -43,16 +50,6 @@ spec:
secretKeyRef:
name: cookie-secret
key: cookie-secret
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: idp-client-secret
key: idp-client-secret
- name: IDP_SERVICE_ACCOUNT
valueFrom:
secretKeyRef:
name: idp-service-account
key: idp-service-account
- name: CERTIFICATE
valueFrom:
secretKeyRef:
@ -75,3 +72,10 @@ spec:
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/pomerium/
name: config
volumes:
- name: config
configMap:
name: config


@ -1,10 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: pomerium-authorize-service
annotations:
cloud.google.com/app-protocols: '{"https":"HTTPS"}'
spec:
ports:
- port: 443
name: https
selector:
app: pomerium-authorize
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pomerium-authorize
labels:
app: pomerium-authorize
namespace: pomerium
spec:
replicas: 1
selector:
@ -16,18 +29,15 @@ spec:
app: pomerium-authorize
spec:
containers:
- image: pomerium/pomerium:v0.2.0
- image: pomerium/pomerium:latest
name: pomerium-authorize
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
name: https
protocol: TCP
env:
- name: POLICY
valueFrom:
configMapKeyRef:
name: policy
key: policy
- name: SERVICES
value: authorize
- name: SHARED_SECRET
@ -39,7 +49,7 @@ spec:
valueFrom:
secretKeyRef:
name: certificate
key: certificate
key: certificate
- name: CERTIFICATE_KEY
valueFrom:
secretKeyRef:
@ -57,3 +67,10 @@ spec:
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/pomerium/
name: config
volumes:
- name: config
configMap:
name: config


@ -1,10 +1,25 @@
apiVersion: v1
kind: Service
metadata:
name: pomerium-proxy-service
annotations:
cloud.google.com/app-protocols: '{"https":"HTTPS"}'
spec:
ports:
- port: 443
protocol: TCP
name: https
targetPort: https
selector:
app: pomerium-proxy
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pomerium-proxy
labels:
app: pomerium-proxy
namespace: pomerium
spec:
replicas: 1
selector:
@ -16,8 +31,10 @@ spec:
app: pomerium-proxy
spec:
containers:
- image: pomerium/pomerium:v0.2.0
- image: pomerium/pomerium:latest
name: pomerium-proxy
args:
- --config=/etc/pomerium/config.yaml
ports:
- containerPort: 443
name: https
@ -25,14 +42,6 @@ spec:
env:
- name: SERVICES
value: proxy
- name: AUTHORIZE_SERVICE_URL
value: https://pomerium-authorize-service.pomerium.svc.cluster.local
- name: AUTHENTICATE_SERVICE_URL
value: https://authenticate.corp.beyondperimeter.com
- name: AUTHENTICATE_INTERNAL_URL
value: "https://pomerium-authenticate-service.pomerium.svc.cluster.local"
- name: OVERRIDE_CERTIFICATE_NAME
value: "*.corp.beyondperimeter.com"
- name: SHARED_SECRET
valueFrom:
secretKeyRef:
@ -43,17 +52,6 @@ spec:
secretKeyRef:
name: cookie-secret
key: cookie-secret
- name: IDP_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: idp-client-secret
key: idp-client-secret
# e.g. service account for group retrieval, e.g. gsuite
- name: IDP_SERVICE_ACCOUNT
valueFrom:
secretKeyRef:
name: idp-service-account
key: idp-service-account
- name: CERTIFICATE
valueFrom:
secretKeyRef:
@ -64,11 +62,6 @@ spec:
secretKeyRef:
name: certificate-key
key: certificate-key
- name: POLICY
valueFrom:
configMapKeyRef:
name: policy
key: policy
readinessProbe:
httpGet:
path: /ping
@ -81,3 +74,10 @@ spec:
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/pomerium/
name: config
volumes:
- name: config
configMap:
name: config


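--- a/docs/docs/reference/examples/kubernetes/proxy.service.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-name: pomerium-proxy-service
-namespace: pomerium
-annotations:
-cloud.google.com/app-protocols: '{"https":"HTTPS"}'
-spec:
-ports:
-- port: 443
-protocol: TCP
-name: https
-targetPort: https
-selector:
-app: pomerium-proxy
-type: NodePort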


@ -150,25 +150,22 @@ These settings control upstream connections to the Authorize and Authenticate se
### GRPC Client Timeout
Maxmimum time before canceling an upstream RPC request. During transient failures, the proxy will retry upstreams for this duration, if possible. You should leave this high enough to handle backend service restart and rediscovery so that client requests do not fail.
Maxmimum time before canceling an upstream RPC request. During transient failures, the proxy will retry upstreams for this duration, if possible. You should leave this high enough to handle backend service restart and rediscovery so that client requests do not fail.
- Environmental Variable: `GRPC_CLIENT_TIMEOUT`
- Environmental Variable: `GRPC_CLIENT_TIMEOUT`
- Config File Key: `grpc_client_timeout`
- Type: [Go Duration](https://golang.org/pkg/time/#Duration.String) `string`
- Default: `10s`
### GRPC Client DNS RoundRobin
Enable grpc DNS based round robin load balancing. This method uses DNS to resolve endpoints and does client side load balancing of _all_ addresses returned by the DNS record. Do not disable unless you have a specific use case.
Enable grpc DNS based round robin load balancing. This method uses DNS to resolve endpoints and does client side load balancing of _all_ addresses returned by the DNS record. Do not disable unless you have a specific use case.
- Environmental Variable: `GRPC_CLIENT_DNS_ROUNDROBIN`
- Config File Key: `grpc_client_dns_roundrobin`
- Type: `bool`
- Default: `true`
## HTTP Redirect Address
- Environmental Variable: `HTTP_REDIRECT_ADDR`
@ -473,7 +470,7 @@ Authenticate Service URL is the externally accessible URL for the authenticate s
- Config File Key: `authenticate_internal_url`
- Type: `URL`
- Optional
- Example: `https://pomerium-authenticate-service.pomerium.svc.cluster.local`
- Example: `https://pomerium-authenticate-service.default.svc.cluster.local`
Authenticate Internal Service URL is the internally routed dns name of the authenticate service. This setting is typically used with load balancers that do not gRPC, thus allowing you to specify an internally accessible name.
@ -483,11 +480,11 @@ Authenticate Internal Service URL is the internally routed dns name of the authe
- Config File Key: `authorize_service_url`
- Type: `URL`
- Required
- Example: `https://access.corp.example.com` or `https://pomerium-authorize-service.pomerium.svc.cluster.local`
- Example: `https://access.corp.example.com` or `https://pomerium-authorize-service.default.svc.cluster.local`
Authorize Service URL is the location of the internally accessible authorize service. NOTE: Unlike authenticate, authorize has no publicly accessible http handlers so this setting is purely for gRPC communication.
If your load balancer does not support gRPC pass-through you'll need to set this value to an internally routable location (`https://pomerium-authorize-service.pomerium.svc.cluster.local`) instead of an externally routable one (`https://access.corp.example.com`).
If your load balancer does not support gRPC pass-through you'll need to set this value to an internally routable location (`https://pomerium-authorize-service.default.svc.cluster.local`) instead of an externally routable one (`https://access.corp.example.com`).
## Override Certificate Name


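--- a/scripts/kubernetes_gke.sh
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/bash
-# NOTE! This will create real resources on Google's cloud. Make sure you clean up any unused
-# resources to avoid being billed. For reference, this tutorial cost me <10 cents for a couple of hours.
-# NOTE! You must change the identity provider client secret setting, and service account setting!
-echo "=> creating cluster"
-gcloud container clusters create pomerium --num-nodes 1
-echo "=> get cluster credentials os we can use kubctl locally"
-gcloud container clusters get-credentials pomerium
-echo "=> create pomerium namespace"
-kubectl create ns pomerium
-echo "=> create our cryptographically random keys forshared-secret andcookie-secret from urandom"
-kubectl create secret generic -n pomerium shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
-kubectl create secret generic -n pomerium cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
-echo "=> initiliaze secrets for TLS wild card certificatescertificate andcertificate-key"
-kubectl create secret generic -n pomerium certificate \
---from-literal=certificate=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer")
-kubectl create secret generic -n pomerium certificate-key \
---from-literal=certificate-key=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key")
-echo "=> load TLS to ingress"
-kubectl create secret tls -n pomerium pomerium-tls \
---key "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" \
---cert "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"
-echo "=> initiliaze a configmap setting for POLICY from policy.example.yaml"
-kubectl create configmap -n pomerium policy --from-literal=policy=$(cat docs/docs/examples/config/policy.example.yaml | base64)
-echo "=> settingidp-client-secret, you changed this right? :)"
-exit 1 # comment out or delete this line once you change the following two settings
-kubectl create secret generic -n pomerium idp-client-secret --from-literal=idp-client-secret=REPLACE_ME
-kubectl create secret generic -n pomerium idp-service-account --from-literal=idp-service-account=$(base64 -i gsuite.service.account.json)
-echo "=> apply the proxy, authorize, and authenticate deployment configs"
-kubectl apply -f docs/docs/examples/kubernetes/authorize.deploy.yml
-kubectl apply -f docs/docs/examples/kubernetes/authenticate.deploy.yml
-kubectl apply -f docs/docs/examples/kubernetes/proxy.deploy.yml
-echo "=> apply the proxy, authorize, and authenticate service configs"
-kubectl apply -f docs/docs/examples/kubernetes/proxy.service.yml
-kubectl apply -f docs/docs/examples/kubernetes/authenticate.service.yml
-kubectl apply -f docs/docs/examples/kubernetes/authorize.service.yml
-echo "=> create and apply the Ingress; this is GKE specific"
-kubectl apply -f docs/docs/examples/kubernetes/ingress.yml
-# Alternatively, nginx-ingress can be used
-# kubectl apply -f docs/docs/examples/kubernetes/ingress.nginx.yml
-# When done, clean up by deleting the cluster!
-# gcloud container clusters delete pomerium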