updates examples for current routes/policy keys (#3034)

* updates examples for current routes/policy keys * fix and prettier
2025-04-28 18:06:34 +02:00 · 2022-02-16 14:06:52 -06:00 · 2022-02-16 14:06:52 -06:00 · 7140562a82
commit 7140562a82
parent f9b95a276b
9 changed files with 63 additions and 36 deletions
--- a/docs/docs/topics/load-balancing.md
+++ b/docs/docs/topics/load-balancing.md
@ -13,7 +13,7 @@ This article covers Pomerium built-in load balancing capabilities in presence of
 You may specify multiple servers for your upstream application, and Pomerium would load balance user requests between them.

 ```yaml
-policy:
+routes:
  - from: https://myapp.localhost.pomerium.io
    to:
      - http://myapp-srv-1:8080
@ -34,7 +34,7 @@ See [Health Checking](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_ove
 ### HTTP Example

 ```yaml
-policy:
+routes:
  - from: https://myapp.localhost.pomerium.io
    to:
      - http://myapp-srv-1:8080
@ -51,7 +51,7 @@ policy:
 ### TCP Example

 ```yaml
-policy:
+routes:
  - from: tcp+https://tcp-service.localhost.pomerium.io
    to:
      - tcp://tcp-1.local
@ -74,7 +74,7 @@ Passive health check tries to deduce upstream server health based on recent obse
 See [Outlier Detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier) for comprehensive overview.

 ```yaml
-policy:
+routes:
  - from: https://myapp.localhost.pomerium.io
    to:
      - http://myapp-srv-1:8080
@ -95,7 +95,7 @@ policy:
 ### Example

 ```yaml
-policy:
+routes:
  - from: https://myapp.localhost.pomerium.io
    to:
      - http://myapp-srv-1:8080
@ -117,7 +117,7 @@ When a list of upstream URLs is specified in the `to` field, you may append an o
 This configuration uses the default `round_robin` load balancer policy but specifies different frequency of selection be applied to the upstreams.

 ```yaml
-policy:
+routes:
  - from: https://myapp.localhost.pomerium.io
    to:
      - http://myapp-srv-1:8080,10
--- a/examples/kubernetes/kubernetes-config.yaml
+++ b/examples/kubernetes/kubernetes-config.yaml
@ -18,8 +18,11 @@ idp_client_secret: "REPLACE_ME"
 # https://www.pomerium.com/configuration/#identity-provider-service-account
 idp_service_account: YOUR_SERVICE_ACCOUNT

-policy:
+routes:
  - from: https://verify.localhost.pomerium.io
    to: http://httpbin.default.svc.cluster.local:8000
-    allowed_domains:
-      - gmail.com
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: gmail.com
--- a/examples/mutual-tls/README.md
+++ b/examples/mutual-tls/README.md
@ -16,11 +16,14 @@ idp_provider: google
 idp_client_id: REPLACE_ME
 idp_client_secret: REPLACE_ME

-policy:
+routes:
  - from: https://mtls.corp.domain.example
    to: https://localhost:8443
-    allowed_domains:
-      - domain.example
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: domain.example
    tls_custom_ca_file: "/Users/bdd/examples/mutual-tls/out/good-ca.crt"
    tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt"
    tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key"
--- a/examples/mutual-tls/example.config.yaml
+++ b/examples/mutual-tls/example.config.yaml
@ -7,11 +7,14 @@ idp_provider: google
 idp_client_id: REPLACE_ME
 idp_client_secret: REPLACE_ME

-policy:
+routes:
  - from: https://mtls.corp.domain.example
    to: https://localhost:8443
-    allowed_domains:
-      - domain.example
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: domain.example
    #good-ca.crt
    tls_custom_ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU1RENDQXN5Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFTTVJBd0RnWURWUVFERXdkbmIyOWsKTFdOaE1CNFhEVEU1TURneE1ERTNOREF3TWxvWERUSXhNREl4TURFM05EQXdNbG93RWpFUU1BNEdBMVVFQXhNSApaMjl2WkMxallUQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUw3b2VldEovNmNFCkdicTcvanNtcU9FM2VyVE1aRHR0eFM4STVGV1c0TkRXbWNpOE5IdWRMZDhlM1JtOEh6Y09jSjRQL0ErcDVsYmsKTjhySzY4OUlsQzhqM28yaEhSdEk2T21saFY3NEoxaUlIOGtkSXU2V2xPMWtOdUx5dGRrbjhRaytJOUNEWjlGSAorZzhRbnVka0tMUWJkZFdDVXJzUjR4cEcyK0VkNWdua0JJNG4zbmNLMFgvWEZocWhDTEU1eFBaQk5OWktGbHJxCm1lYUl4dHoyc2ZvWVY1NmcwMnNGS1QxSUlMNTVFMG14djRUa2JtSWw5Rk9qZEtCdkhFZnJHeXl5OFRGTHErUzMKTXo2em9xNDhuOEhGMUc5cHBLVk9OMUp0Mks1UWEvV2hpbjVrcWNhYTNwNE0vN2tiNmtxU0tMWG1iN0gyN3kvVQpEYjZDUG01d2lodjA2c1FobXN2MHhuS2hqMm8vQzhlcWxzNzZZWDF1Y2NqMzlmSTRlQ1E4cENFbTlVcDh5ZkkvCkxlYVpXbGE0NEZneWw3N1lyc2MvM0U5dk1hS0ZVeGRjR3VtMXQrNUZZYWpkY0EvTlFreTJBeTJqcHRwVXV1SFUKNnhYSzdEcXY5Z01jQS8zM1VYOFpHZklPRk0rY3FlOTQxaTVPT1hGSHJoRDlqeTRQR2M4Z2kxSTRyK1VXd0tCYgoxSGg1clQ3ckJZK1NLTTBzZmtpQlZ1RU9pbnk2dDF1Z2tEdjY4dXNFWFlIWlZXaWl6b1hmcDVHbjZmckUvd1IxCkRkak13TGEvT2tQTnVEVVQ4eU1GS2hWRnFHcXdHQzY2bys1cjQyMlVwa0s4SHJ5K2tsQ3pUTys3U0RodTJiWk4KUVFGT0NLSVVldnR3bGdabVBNck1BNTZ3dzVSSnNhVnhBZ01CQUFHalJUQkRNQTRHQTFVZER3RUIvd1FFQXdJQgpCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC9BZ0VBTUIwR0ExVWREZ1FXQkJSNTRKQ3pMRlg0T0RTQ1J0dWNBUGZOCnVYVnpuREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBZituUmpBVnZuT0pSckpBQWpKWVY3aVF3bHExUXZYRGcKbHZhY0JoVFJyWFh4OW5GaVRZUzV4MkFMbXZ5WHhubTdIS2VDSUZEclJwOE5MVFkyYjJXR01BcTFxc3JBT0QvegpTNmNSSW1OQ21QNmd0UHNUNDlabzBYajNrZjZyTXBPeHBiSUlnSmZMY056UGZpL25jeC9oRDNBOHl6Zk4wQTZZCnFFd2QvSkZPajdEa3RaQmdlSXZETlJXS0pveEpJRlZ4anJqLzFiVmkxZTRWVjVvWmhOako4SzlyV1FRK1EvK3QKZ3lGK0sycGxDQ1RiRWR6eU9heDY1djh5UDJ5RCs2WkFIRk9sRjI2TnZpUkw4OWJ1VHIwaEpZa0N5VXZ3MmJZaQo4Q3MyWDZkd0NDdXVhZUdVR2VRemszMGxQeUdWSmVKL3ZJMGJRSzlpZ2I5dFozY3d0WHBQdjN6a1B1TDE3d01WCitCMXo2RW1HZVVLNXlTQ0xFWjc2aVliNU0vY3ZjTUVOMWdoeFNIN0FmaDhMS0c0eWszT21SQ253akVqdTFhaWoKZGs3cjJuc0xmYU9KWFBRNU1wMzRYU1ltdTlpTVl0VytMbWZiSDJxMW9vS3dKZDhHNVhhRWRmQmpHUEQ5Q3FkWAphSlh0MDA0cVdsalJOS3p1MFNFRmJ6UldGNHRoeXlUTzE4QVI4eTNHV0Vwak95amdKSzlFeU1sQm9Qa3RYQVVVCjZzTFhqT3ZZU0ovd202NUhxVVZBTTVsRy96WVN3TGdCTDAwc1pJKzVGa0QwblU0Rkx6QWRLV05LWkRXZFVNbUwKVi9lV0ZGNGwwVFBvNTVhM0pUL1BGc2J0RFBLVWxvWVFXeTFybmFqR3J1L0Y5bGRCcHB1bUVUa2FOS2ZWT05Jcgp4cERnc1FhVkVXOD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    # pomerium.crt
--- a/examples/nginx/config.yaml
+++ b/examples/nginx/config.yaml
@ -1,6 +1,5 @@
 # Main configuration flags : https://www.pomerium.com/docs/reference/

-
 pomerium_debug: true
 address: :80
 cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo=
@ -14,10 +13,14 @@ insecure_server: true
 forward_auth_url: http://fwdauth.localhost.pomerium.io
 authenticate_service_url: https://authenticate.localhost.pomerium.io

-policy:
+routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
-    allowed_domains:
-      - pomerium.com
-      - gmail.com
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: pomerium.com
+            - domain:
+                is: gmail.com
    pass_identity_headers: true
--- a/examples/tcp/config.yaml
+++ b/examples/tcp/config.yaml
@ -7,21 +7,30 @@ cookie_secret: CHANGEME
 idp_client_id: CHANGEME
 idp_client_secret: CHANGEME
 idp_provider: google
-policy:
+routes:
  - from: tcp+https://redis.localhost.pomerium.io:6379
    to: tcp://redis:6379
-    allowed_domains:
-      - gmail.com
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: gmail.com

  - from: tcp+https://ssh.localhost.pomerium.io:22
    to: tcp://ssh:2222
-    allowed_domains:
-      - gmail.com
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: gmail.com

  - from: tcp+https://pgsql.localhost.pomerium.io:5432
    to: tcp://pgsql:5432
-    allowed_domains:
-      - gmail.com
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: gmail.com

 databroker_storage_type: redis
 databroker_storage_connection_string: redis://redis:6379
--- a/examples/tiddlywiki/config.yaml
+++ b/examples/tiddlywiki/config.yaml
@ -8,7 +8,7 @@ idp_client_secret: REPLACEME
 cookie_secret: REPLACEME
 jwt_claims_headers: email

-policy:
+routes:
  - from: https://wiki.localhost.pomerium.io
    to: http://tiddlywiki:8080
    policy:
--- a/examples/traefik/config.yaml
+++ b/examples/traefik/config.yaml
@ -1,6 +1,5 @@
 # Main configuration flags : https://www.pomerium.com/docs/reference/

-
 pomerium_debug: true
 address: :80
 cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo=
@ -15,10 +14,14 @@ forward_auth_url: http://pomerium
 authenticate_service_url: https://authenticate.localhost.pomerium.io
 jwt_claims_headers: email,groups,user

-policy:
+routes:
  - from: https://verify.localhost.pomerium.io
    to: https://httpbin
-    allowed_domains:
-      - pomerium.io
-      - gmail.com
+    policy:
+      - allow:
+          or:
+            - domain:
+                is: pomerium.io
+            - domain:
+                is: gmail.com
    pass_identity_headers: true
--- a/ospkg/conf/config.yaml
+++ b/ospkg/conf/config.yaml
@ -15,8 +15,11 @@ idp_client_id: XXXX
 idp_client_secret: YYYY
 idp_service_account: XXXXXX

-policy:
+routes:
  - from: https://yoursite.localhost.pomerium.io
    to: https://yoursite.local
-    allowed_users:
-      - user@domain.com
+    policy:
+      - allow:
+          or:
+            - user:
+                is: user@domain.com