DOCS: Production Deployment rewrite (#3129)

* sort and consolidate service url keys * Production doc first pass * move Production Deployment to top level * Apply suggestions from code review Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/docs/production-deployment.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: cmo-pomerium <91488121+cmo-pomerium@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: cmo-pomerium <91488121+cmo-pomerium@users.noreply.github.com>
2025-08-03 16:59:22 +02:00 · 2022-03-28 09:10:49 -05:00 · 2022-03-28 09:10:49 -05:00 · 666b57522a
commit 666b57522a
parent 69ba511c64
5 changed files with 229 additions and 228 deletions
--- a/docs/reference/readme.md
+++ b/docs/reference/readme.md
@ -48,6 +48,16 @@ These configuration variables are shared by all services, in all service modes.
 Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used. Note, in all-in-one deployments, gRPC traffic will be served on loopback on port `:5443`.


+### Authenticate Service URL
+- Environmental Variable: `AUTHENTICATE_SERVICE_URL`
+- Config File Key: `authenticate_service_url`
+- Type: `URL`
+- Required
+- Example: `https://authenticate.corp.example.com`
+
+Authenticate Service URL is the externally accessible URL for the authenticate service. In split service mode, this key is required by all services other than Databroker.
+
+
 ### Autocert
 - Environmental Variable: `AUTOCERT`
 - Config File Key: `autocert`
@ -297,6 +307,16 @@ Setting this to false enables hostile javascript to steal session cookies and im
 Sets the lifetime of session cookies. After this interval, users must reauthenticate.


+### Data Broker Service URL
+- Environmental Variable: `DATABROKER_SERVICE_URL` or `DATABROKER_SERVICE_URLS`
+- Config File Key: `databroker_service_url` or `databroker_service_urls`
+- Type: `URL`
+- Example: `https://databroker.corp.example.com`
+- Default: in all-in-one mode, `http://localhost:5443`
+
+The data broker service URL points to a data broker which is responsible for storing associated authorization context (e.g. sessions, users and user groups). Multiple URLs can be specified with `databroker_service_urls`.
+
+
 ### Debug
 - Environmental Variable: `POMERIUM_DEBUG`
 - Config File Key: `pomerium_debug`
@ -745,16 +765,6 @@ See also:
 - [Google - Setting Redirect URI](https://developers.google.com/identity/protocols/OpenIDConnect#setredirecturi)


-### Authenticate Service URL
- Environmental Variable: `AUTHENTICATE_SERVICE_URL`
- Config File Key: `authenticate_service_url`
- Type: `URL`
- Required
- Example: `https://authenticate.corp.example.com`
-
-Authenticate Service URL is the externally accessible URL for the authenticate service.
-
-
 ### Authenticate Internal Service URL
 - Environmental Variable: `AUTHENTICATE_INTERNAL_SERVICE_URL`
 - Config File Key: `authenticate_internal_service_url`
@ -877,25 +887,17 @@ Use it at your own risk, if you set a too low value, you may reach IDP API rate

 ## Proxy Service

-### Authenticate Service URL
- Environmental Variable: `AUTHENTICATE_SERVICE_URL`
- Config File Key: `authenticate_service_url`
- Type: `URL`
- Required
- Example: `https://authenticate.corp.example.com`
-
-Authenticate Service URL is the externally accessible URL for the authenticate service.
-
-
 ### Authorize Service URL
- Environmental Variable: `AUTHORIZE_SERVICE_URL`
- Config File Key: `authorize_service_url`
+- Environmental Variable: `AUTHORIZE_SERVICE_URL or `AUTHORIZE_SERVICE_URLS`
+- Config File Key: `authorize_service_url` or `authorize_service_urls`
 - Type: `URL`
 - Required; inferred in all-in-one mode to be localhost.
- Example: `https://pomerium-authorize-service.default.svc.cluster.local` or `https://localhost:5443`
+- Example: `https://pomerium-authorize-service.default.svc.cluster.local`, `https://localhost:5443`, `https://authorize.corp.example.com`

 Authorize Service URL is the location of the internally accessible Authorize service. NOTE: Unlike authenticate, authorize has no publicly accessible http handlers so this setting is purely for gRPC communication.

+Multiple URLs can be specified with `authorize_service_urls`.
+
 If your load balancer does not support gRPC pass-through you'll need to set this value to an internally routable location (`https://pomerium-authorize-service.default.svc.cluster.local`) instead of an externally routable one (`https://authorize.corp.example.com`).


@ -1082,16 +1084,6 @@ More details on this problem are available in [Github Issue #2150](https://githu
 ## Data Broker Service
 The databroker service is used for storing user session data.

-
-### Data Broker Service URL
- Environmental Variable: `DATABROKER_SERVICE_URL` or `DATABROKER_SERVICE_URLS`
- Config File Key: `databroker_service_url` or `databroker_service_urls`
- Type: `URL`
- Example: `https://databroker.corp.example.com`
- Default: in all-in-one mode, `http://localhost:5443`
-
-The data broker service URL points to a data broker which is responsible for storing associated authorization context (e.g. sessions, users and user groups). Multiple URLs can be specified with `databroker_service_urls`.
-
 By default, the `databroker` service uses an in-memory databroker.

 To create your own data broker, implement the following gRPC interface:
@ -1805,16 +1797,6 @@ If set, enables proxying of websocket connections.

 ## Authorize Service

-### Authorize Service URL
- Environmental Variable: `AUTHORIZE_SERVICE_URL` or `AUTHORIZE_SERVICE_URLS`
- Config File Key: `authorize_service_url` or `authorize_service_urls`
- Type: `URL`
- Required
- Example: `https://authorize.corp.example.com`
-
-Authorize Service URL is the location of the internally accessible Authorize service. Multiple URLs can be specified with `authorize_service_urls`.
-
-
 ### Google Cloud Serverless Authentication Service Account
 - Environmental Variable: `GOOGLE_CLOUD_SERVERLESS_AUTHENTICATION_SERVICE_ACCOUNT`
 - Config File Key: `google_cloud_serverless_authentication_service_account`
--- a/docs/reference/settings.yaml
+++ b/docs/reference/settings.yaml
@ -65,6 +65,18 @@ settings:
          Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used. Note, in all-in-one deployments, gRPC traffic will be served on loopback on port `:5443`.
        shortdoc: |
          Address specifies the host and port to serve HTTP requests from.
+      - name: "Authenticate Service URL"
+        keys: ["authenticate_service_url"]
+        attributes: |
+          - Environmental Variable: `AUTHENTICATE_SERVICE_URL`
+          - Config File Key: `authenticate_service_url`
+          - Type: `URL`
+          - Required
+          - Example: `https://authenticate.corp.example.com`
+        doc: |
+          Authenticate Service URL is the externally accessible URL for the authenticate service. In split service mode, this key is required by all services other than Databroker.
+        shortdoc: |
+          Authenticate Service URL is the externally accessible URL for the authenticate service.
      - name: "Autocert"
        keys: ["autocert"]
        attributes: |
@ -347,6 +359,16 @@ settings:
              Sets the lifetime of session cookies. After this interval, users must reauthenticate.
            shortdoc: |
              Sets the lifetime of session cookies. After this interval, users must reauthenticate.
+      - name: "Data Broker Service URL"
+        keys: ["databroker_service_url"]
+        attributes: |
+          - Environmental Variable: `DATABROKER_SERVICE_URL` or `DATABROKER_SERVICE_URLS`
+          - Config File Key: `databroker_service_url` or `databroker_service_urls`
+          - Type: `URL`
+          - Example: `https://databroker.corp.example.com`
+          - Default: in all-in-one mode, `http://localhost:5443`
+        doc: |
+          The data broker service URL points to a data broker which is responsible for storing associated authorization context (e.g. sessions, users and user groups). Multiple URLs can be specified with `databroker_service_urls`.
      - name: "Debug"
        keys: ["pomerium_debug"]
        attributes: |
@ -844,18 +866,6 @@ settings:
          - [Google - Setting Redirect URI](https://developers.google.com/identity/protocols/OpenIDConnect#setredirecturi)
        shortdoc: |
          The authenticate callback path is the path/url from the authenticate service that will receive the response from your identity provider.
-      - name: "Authenticate Service URL"
-        keys: ["authenticate_service_url"]
-        attributes: |
-          - Environmental Variable: `AUTHENTICATE_SERVICE_URL`
-          - Config File Key: `authenticate_service_url`
-          - Type: `URL`
-          - Required
-          - Example: `https://authenticate.corp.example.com`
-        doc: |
-          Authenticate Service URL is the externally accessible URL for the authenticate service.
-        shortdoc: |
-          Authenticate Service URL is the externally accessible URL for the authenticate service.
      - name: "Authenticate Internal Service URL"
        keys: ["authenticate_internal_service_url"]
        attributes: |
@ -996,28 +1006,22 @@ settings:
          :::
  - name: "Proxy Service"
    settings:
-      - name: "Authenticate Service URL"
-        keys: ["authenticate_service_url"]
-        attributes: |
-          - Environmental Variable: `AUTHENTICATE_SERVICE_URL`
-          - Config File Key: `authenticate_service_url`
-          - Type: `URL`
-          - Required
-          - Example: `https://authenticate.corp.example.com`
-        doc: |
-          Authenticate Service URL is the externally accessible URL for the authenticate service.
      - name: "Authorize Service URL"
        keys: ["authorize_service_url"]
        attributes: |
-          - Environmental Variable: `AUTHORIZE_SERVICE_URL`
-          - Config File Key: `authorize_service_url`
+          - Environmental Variable: `AUTHORIZE_SERVICE_URL or `AUTHORIZE_SERVICE_URLS`
+          - Config File Key: `authorize_service_url` or `authorize_service_urls`
          - Type: `URL`
          - Required; inferred in all-in-one mode to be localhost.
-          - Example: `https://pomerium-authorize-service.default.svc.cluster.local` or `https://localhost:5443`
+          - Example: `https://pomerium-authorize-service.default.svc.cluster.local`, `https://localhost:5443`, `https://authorize.corp.example.com`
        doc: |
          Authorize Service URL is the location of the internally accessible Authorize service. NOTE: Unlike authenticate, authorize has no publicly accessible http handlers so this setting is purely for gRPC communication.

+          Multiple URLs can be specified with `authorize_service_urls`.
+
          If your load balancer does not support gRPC pass-through you'll need to set this value to an internally routable location (`https://pomerium-authorize-service.default.svc.cluster.local`) instead of an externally routable one (`https://authorize.corp.example.com`).
+        shortdoc: |
+          Authorize Service URL is the location of the internally accessible Authorize service.
      - name: "Authorize Internal Service URL"
        keys: ["authorize_internal_service_url"]
        attributes: |
@ -1213,27 +1217,17 @@ settings:
  - name: "Data Broker Service"
    doc: |
      The databroker service is used for storing user session data.
+
+      By default, the `databroker` service uses an in-memory databroker.
+
+      To create your own data broker, implement the following gRPC interface:
+
+      - [pkg/grpc/databroker/databroker.proto](https://github.com/pomerium/pomerium/blob/main/pkg/grpc/databroker/databroker.proto)
+
+      For an example implementation, the in-memory database used by the databroker service can be found here:
+
+      - [pkg/databroker/memory](https://github.com/pomerium/pomerium/tree/main/pkg/databroker/memory)
    settings:
-      - name: "Data Broker Service URL"
-        keys: ["databroker_service_url"]
-        attributes: |
-          - Environmental Variable: `DATABROKER_SERVICE_URL` or `DATABROKER_SERVICE_URLS`
-          - Config File Key: `databroker_service_url` or `databroker_service_urls`
-          - Type: `URL`
-          - Example: `https://databroker.corp.example.com`
-          - Default: in all-in-one mode, `http://localhost:5443`
-        doc: |
-          The data broker service URL points to a data broker which is responsible for storing associated authorization context (e.g. sessions, users and user groups). Multiple URLs can be specified with `databroker_service_urls`.
-
-          By default, the `databroker` service uses an in-memory databroker.
-
-          To create your own data broker, implement the following gRPC interface:
-
-          - [pkg/grpc/databroker/databroker.proto](https://github.com/pomerium/pomerium/blob/main/pkg/grpc/databroker/databroker.proto)
-
-          For an example implementation, the in-memory database used by the databroker service can be found here:
-
-          - [pkg/databroker/memory](https://github.com/pomerium/pomerium/tree/main/pkg/databroker/memory)
      - name: "Data Broker Internal Service URL"
        keys: ["databroker_internal_service_url"]
        attributes: |
@ -1958,18 +1952,6 @@ settings:
          :::
  - name: "Authorize Service"
    settings:
-      - name: "Authorize Service URL"
-        keys: ["authorize_service_url"]
-        attributes: |
-          - Environmental Variable: `AUTHORIZE_SERVICE_URL` or `AUTHORIZE_SERVICE_URLS`
-          - Config File Key: `authorize_service_url` or `authorize_service_urls`
-          - Type: `URL`
-          - Required
-          - Example: `https://authorize.corp.example.com`
-        doc: |
-          Authorize Service URL is the location of the internally accessible Authorize service. Multiple URLs can be specified with `authorize_service_urls`.
-        shortdoc: |
-          Authorize Service URL is the location of the internally accessible Authorize service.
      - name: "Google Cloud Serverless Authentication Service Account"
        keys: ["google_cloud_serverless_authentication_service_account"]
        attributes: |