updates examples for current routes/policy keys (#3034)

* updates examples for current routes/policy keys

* fix and prettier
Alex Fornuto 2022-02-16 14:06:52 -06:00 committed by GitHub
parent f9b95a276b
commit 7140562a82
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 63 additions and 36 deletions


@ -13,7 +13,7 @@ This article covers Pomerium built-in load balancing capabilities in presence of
You may specify multiple servers for your upstream application, and Pomerium would load balance user requests between them. You may specify multiple servers for your upstream application, and Pomerium would load balance user requests between them.
```yaml ```yaml
policy: routes:
- from: https://myapp.localhost.pomerium.io - from: https://myapp.localhost.pomerium.io
to: to:
- http://myapp-srv-1:8080 - http://myapp-srv-1:8080
@ -34,7 +34,7 @@ See [Health Checking](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_ove
### HTTP Example ### HTTP Example
```yaml ```yaml
policy: routes:
- from: https://myapp.localhost.pomerium.io - from: https://myapp.localhost.pomerium.io
to: to:
- http://myapp-srv-1:8080 - http://myapp-srv-1:8080
@ -51,7 +51,7 @@ policy:
### TCP Example ### TCP Example
```yaml ```yaml
policy: routes:
- from: tcp+https://tcp-service.localhost.pomerium.io - from: tcp+https://tcp-service.localhost.pomerium.io
to: to:
- tcp://tcp-1.local - tcp://tcp-1.local
@ -74,7 +74,7 @@ Passive health check tries to deduce upstream server health based on recent obse
See [Outlier Detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier) for comprehensive overview. See [Outlier Detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier) for comprehensive overview.
```yaml ```yaml
policy: routes:
- from: https://myapp.localhost.pomerium.io - from: https://myapp.localhost.pomerium.io
to: to:
- http://myapp-srv-1:8080 - http://myapp-srv-1:8080
@ -95,7 +95,7 @@ policy:
### Example ### Example
```yaml ```yaml
policy: routes:
- from: https://myapp.localhost.pomerium.io - from: https://myapp.localhost.pomerium.io
to: to:
- http://myapp-srv-1:8080 - http://myapp-srv-1:8080
@ -117,7 +117,7 @@ When a list of upstream URLs is specified in the `to` field, you may append an o
This configuration uses the default `round_robin` load balancer policy but specifies different frequency of selection be applied to the upstreams. This configuration uses the default `round_robin` load balancer policy but specifies different frequency of selection be applied to the upstreams.
```yaml ```yaml
policy: routes:
- from: https://myapp.localhost.pomerium.io - from: https://myapp.localhost.pomerium.io
to: to:
- http://myapp-srv-1:8080,10 - http://myapp-srv-1:8080,10


@ -18,8 +18,11 @@ idp_client_secret: "REPLACE_ME"
# https://www.pomerium.com/configuration/#identity-provider-service-account # https://www.pomerium.com/configuration/#identity-provider-service-account
idp_service_account: YOUR_SERVICE_ACCOUNT idp_service_account: YOUR_SERVICE_ACCOUNT
policy: routes:
- from: https://verify.localhost.pomerium.io - from: https://verify.localhost.pomerium.io
to: http://httpbin.default.svc.cluster.local:8000 to: http://httpbin.default.svc.cluster.local:8000
allowed_domains: policy:
- gmail.com - allow:
or:
- domain:
is: gmail.com
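Review bot: The new `domain: is: gmail.com` criterion admits every consumer Google account, so once this example is pointed at a real upstream the route is effectively open to anyone who can sign in to Gmail. The conversion from `allowed_domains` is faithful, but the rewritten block is the natural place for a comment such as `# gmail.com matches any personal Google account; replace with your organization's domain`. The same criterion appears in the two verify.localhost.pomerium.io forward-auth examples and on the redis, ssh and pgsql `tcp+https` routes further down, where it fronts a shell and two datastores.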


@ -16,11 +16,14 @@ idp_provider: google
idp_client_id: REPLACE_ME idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME idp_client_secret: REPLACE_ME
policy: routes:
- from: https://mtls.corp.domain.example - from: https://mtls.corp.domain.example
to: https://localhost:8443 to: https://localhost:8443
allowed_domains: policy:
- domain.example - allow:
or:
- domain:
is: domain.example
tls_custom_ca_file: "/Users/bdd/examples/mutual-tls/out/good-ca.crt" tls_custom_ca_file: "/Users/bdd/examples/mutual-tls/out/good-ca.crt"
tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt" tls_client_cert_file: "/Users/bdd/examples/mutual-tls/out/pomerium.crt"
tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key" tls_client_key_file: "/Users/bdd/examples/mutual-tls/out/pomerium.key"


@ -7,11 +7,14 @@ idp_provider: google
idp_client_id: REPLACE_ME idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME idp_client_secret: REPLACE_ME
policy: routes:
- from: https://mtls.corp.domain.example - from: https://mtls.corp.domain.example
to: https://localhost:8443 to: https://localhost:8443
allowed_domains: policy:
- domain.example - allow:
or:
- domain:
is: domain.example
#good-ca.crt #good-ca.crt
tls_custom_ca: 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 tls_custom_ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU1RENDQXN5Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREFTTVJBd0RnWURWUVFERXdkbmIyOWsKTFdOaE1CNFhEVEU1TURneE1ERTNOREF3TWxvWERUSXhNREl4TURFM05EQXdNbG93RWpFUU1BNEdBMVVFQXhNSApaMjl2WkMxallUQ0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUw3b2VldEovNmNFCkdicTcvanNtcU9FM2VyVE1aRHR0eFM4STVGV1c0TkRXbWNpOE5IdWRMZDhlM1JtOEh6Y09jSjRQL0ErcDVsYmsKTjhySzY4OUlsQzhqM28yaEhSdEk2T21saFY3NEoxaUlIOGtkSXU2V2xPMWtOdUx5dGRrbjhRaytJOUNEWjlGSAorZzhRbnVka0tMUWJkZFdDVXJzUjR4cEcyK0VkNWdua0JJNG4zbmNLMFgvWEZocWhDTEU1eFBaQk5OWktGbHJxCm1lYUl4dHoyc2ZvWVY1NmcwMnNGS1QxSUlMNTVFMG14djRUa2JtSWw5Rk9qZEtCdkhFZnJHeXl5OFRGTHErUzMKTXo2em9xNDhuOEhGMUc5cHBLVk9OMUp0Mks1UWEvV2hpbjVrcWNhYTNwNE0vN2tiNmtxU0tMWG1iN0gyN3kvVQpEYjZDUG01d2lodjA2c1FobXN2MHhuS2hqMm8vQzhlcWxzNzZZWDF1Y2NqMzlmSTRlQ1E4cENFbTlVcDh5ZkkvCkxlYVpXbGE0NEZneWw3N1lyc2MvM0U5dk1hS0ZVeGRjR3VtMXQrNUZZYWpkY0EvTlFreTJBeTJqcHRwVXV1SFUKNnhYSzdEcXY5Z01jQS8zM1VYOFpHZklPRk0rY3FlOTQxaTVPT1hGSHJoRDlqeTRQR2M4Z2kxSTRyK1VXd0tCYgoxSGg1clQ3ckJZK1NLTTBzZmtpQlZ1RU9pbnk2dDF1Z2tEdjY4dXNFWFlIWlZXaWl6b1hmcDVHbjZmckUvd1IxCkRkak13TGEvT2tQTnVEVVQ4eU1GS2hWRnFHcXdHQzY2bys1cjQyMlVwa0s4SHJ5K2tsQ3pUTys3U0RodTJiWk4KUVFGT0NLSVVldnR3bGdabVBNck1BNTZ3dzVSSnNhVnhBZ01CQUFHalJUQkRNQTRHQTFVZER3RUIvd1FFQXdJQgpCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC9BZ0VBTUIwR0ExVWREZ1FXQkJSNTRKQ3pMRlg0T0RTQ1J0dWNBUGZOCnVYVnpuREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBZituUmpBVnZuT0pSckpBQWpKWVY3aVF3bHExUXZYRGcKbHZhY0JoVFJyWFh4OW5GaVRZUzV4MkFMbXZ5WHhubTdIS2VDSUZEclJwOE5MVFkyYjJXR01BcTFxc3JBT0QvegpTNmNSSW1OQ21QNmd0UHNUNDlabzBYajNrZjZyTXBPeHBiSUlnSmZMY056UGZpL25jeC9oRDNBOHl6Zk4wQTZZCnFFd2QvSkZPajdEa3RaQmdlSXZETlJXS0pveEpJRlZ4anJqLzFiVmkxZTRWVjVvWmhOako4SzlyV1FRK1EvK3QKZ3lGK0sycGxDQ1RiRWR6eU9heDY1djh5UDJ5RCs2WkFIRk9sRjI2TnZpUkw4OWJ1VHIwaEpZa0N5VXZ3MmJZaQo4Q3MyWDZkd0NDdXVhZUdVR2VRemszMGxQeUdWSmVKL3ZJMGJRSzlpZ2I5dFozY3d0WHBQdjN6a1B1TDE3d01WCitCMXo2RW1HZVVLNXlTQ0xFWjc2aVliNU0vY3ZjTUVOMWdoeFNIN0FmaDhM
S0c0eWszT21SQ253akVqdTFhaWoKZGs3cjJuc0xmYU9KWFBRNU1wMzRYU1ltdTlpTVl0VytMbWZiSDJxMW9vS3dKZDhHNVhhRWRmQmpHUEQ5Q3FkWAphSlh0MDA0cVdsalJOS3p1MFNFRmJ6UldGNHRoeXlUTzE4QVI4eTNHV0Vwak95amdKSzlFeU1sQm9Qa3RYQVVVCjZzTFhqT3ZZU0ovd202NUhxVVZBTTVsRy96WVN3TGdCTDAwc1pJKzVGa0QwblU0Rkx6QWRLV05LWkRXZFVNbUwKVi9lV0ZGNGwwVFBvNTVhM0pUL1BGc2J0RFBLVWxvWVFXeTFybmFqR3J1L0Y5bGRCcHB1bUVUa2FOS2ZWT05Jcgp4cERnc1FhVkVXOD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
# pomerium.crt # pomerium.crt


@ -1,6 +1,5 @@
# Main configuration flags : https://www.pomerium.com/docs/reference/ # Main configuration flags : https://www.pomerium.com/docs/reference/
pomerium_debug: true pomerium_debug: true
address: :80 address: :80
cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo= cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo=
@ -14,10 +13,14 @@ insecure_server: true
forward_auth_url: http://fwdauth.localhost.pomerium.io forward_auth_url: http://fwdauth.localhost.pomerium.io
authenticate_service_url: https://authenticate.localhost.pomerium.io authenticate_service_url: https://authenticate.localhost.pomerium.io
policy: routes:
- from: https://verify.localhost.pomerium.io - from: https://verify.localhost.pomerium.io
to: http://verify:8000 to: http://verify:8000
allowed_domains: policy:
- pomerium.com - allow:
- gmail.com or:
- domain:
is: pomerium.com
- domain:
is: gmail.com
pass_identity_headers: true pass_identity_headers: true
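Review bot: The first hunk of this file edits the header next to the literal base64 `cookie_secret` value but leaves that value in place, and the same literal is in the other forward-auth example later in this commit. Anyone who deploys either file unchanged runs with a publicly known cookie secret, whereas the TCP and wiki examples in this commit use `CHANGEME`/`REPLACEME`. I would change the line to `cookie_secret: CHANGEME` and add `# generate with: head -c32 /dev/urandom | base64` above it. `pomerium_debug: true` and `insecure_server: true` in the same file deserve a one-line comment that they are for local testing only.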


@ -7,21 +7,30 @@ cookie_secret: CHANGEME
idp_client_id: CHANGEME idp_client_id: CHANGEME
idp_client_secret: CHANGEME idp_client_secret: CHANGEME
idp_provider: google idp_provider: google
policy: routes:
- from: tcp+https://redis.localhost.pomerium.io:6379 - from: tcp+https://redis.localhost.pomerium.io:6379
to: tcp://redis:6379 to: tcp://redis:6379
allowed_domains: policy:
- gmail.com - allow:
or:
- domain:
is: gmail.com
- from: tcp+https://ssh.localhost.pomerium.io:22 - from: tcp+https://ssh.localhost.pomerium.io:22
to: tcp://ssh:2222 to: tcp://ssh:2222
allowed_domains: policy:
- gmail.com - allow:
or:
- domain:
is: gmail.com
- from: tcp+https://pgsql.localhost.pomerium.io:5432 - from: tcp+https://pgsql.localhost.pomerium.io:5432
to: tcp://pgsql:5432 to: tcp://pgsql:5432
allowed_domains: policy:
- gmail.com - allow:
or:
- domain:
is: gmail.com
databroker_storage_type: redis databroker_storage_type: redis
databroker_storage_connection_string: redis://redis:6379 databroker_storage_connection_string: redis://redis:6379


@ -8,7 +8,7 @@ idp_client_secret: REPLACEME
cookie_secret: REPLACEME cookie_secret: REPLACEME
jwt_claims_headers: email jwt_claims_headers: email
policy: routes:
- from: https://wiki.localhost.pomerium.io - from: https://wiki.localhost.pomerium.io
to: http://tiddlywiki:8080 to: http://tiddlywiki:8080
policy: policy:


@ -1,6 +1,5 @@
# Main configuration flags : https://www.pomerium.com/docs/reference/ # Main configuration flags : https://www.pomerium.com/docs/reference/
pomerium_debug: true pomerium_debug: true
address: :80 address: :80
cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo= cookie_secret: YVFTMIfW8yBJw+a6sYwdW8rHbU+IAAV/SUkCTg9Jtpo=
@ -15,10 +14,14 @@ forward_auth_url: http://pomerium
authenticate_service_url: https://authenticate.localhost.pomerium.io authenticate_service_url: https://authenticate.localhost.pomerium.io
jwt_claims_headers: email,groups,user jwt_claims_headers: email,groups,user
policy: routes:
- from: https://verify.localhost.pomerium.io - from: https://verify.localhost.pomerium.io
to: https://httpbin to: https://httpbin
allowed_domains: policy:
- pomerium.io - allow:
- gmail.com or:
- domain:
is: pomerium.io
- domain:
is: gmail.com
pass_identity_headers: true pass_identity_headers: true


@ -15,8 +15,11 @@ idp_client_id: XXXX
idp_client_secret: YYYY idp_client_secret: YYYY
idp_service_account: XXXXXX idp_service_account: XXXXXX
policy: routes:
- from: https://yoursite.localhost.pomerium.io - from: https://yoursite.localhost.pomerium.io
to: https://yoursite.local to: https://yoursite.local
allowed_users: policy:
- user@domain.com - allow:
or:
- user:
is: user@domain.com
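Review bot: `user: is: user@domain.com` probably does not match what `allowed_users` matched: as far as I know the PPL `user` criterion compares the identity provider's user ID, while an address is matched by `email`. If that holds, the rule never matches an email address and the example denies everyone (it fails closed, so this is a broken example rather than an exposure). I would write the criterion as `- email:` followed by `is: user@domain.com`, and it is worth confirming against the PPL reference before merging.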