docs: s/fwdauth/forwardauth/ (#447)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Bobby DeSimone 2020-01-07 13:54:36 -08:00 committed by GitHub
parent e20e1f08c5
commit 8b7f344e01
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 30 additions and 30 deletions

@ -335,8 +335,8 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
| Config Key | Description | Required |
| :--------------- | :---------------------------------------------------------------- | -------- |
| tracing_provider | The name of the tracing provider. (e.g. jaeger) | ✅ |
| tracing_debug | Will disable [sampling](https://opencensus.io/tracing/sampling/). | ❌ |
| tracing_provider | The name of the tracing provider. (e.g. jaeger) | ✅ |
| tracing_debug | Will disable [sampling](https://opencensus.io/tracing/sampling/). | ❌ |
#### Jaeger
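Review bot: the two table rows changed in this hunk (tracing_provider, tracing_debug) read the same before and after, so this looks like a whitespace-only realignment unrelated to the fwdauth rename named in the subject line; the same holds for the Jaeger table in the next hunk. Drop these changes or move the table reformatting into its own commit so the rename stays easy to audit.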
@ -350,8 +350,8 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
| Config Key | Description | Required |
| :-------------------------------- | :------------------------------------------ | -------- |
| tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector. | ✅ |
| tracing_jaeger_agent_endpoint | Send spans to jaeger-agent at this address. | ✅ |
| tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector. | ✅ |
| tracing_jaeger_agent_endpoint | Send spans to jaeger-agent at this address. | ✅ |
#### Example
@ -362,8 +362,8 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
- Environmental Variable: `FORWARD_AUTH_URL`
- Config File Key: `forward_auth_url`
- Type: `URL` (must contain a scheme and hostname)
- Example: `https://fwdauth.corp.example.com`
- Resulting Verification URL: `https://fwdauth.corp.example.com/.pomerium/verify/{URL-TO-VERIFY}`
- Example: `https://forwardauth.corp.example.com`
- Resulting Verification URL: `https://forwardauth.corp.example.com/.pomerium/verify/{URL-TO-VERIFY}`
- Optional
Forward authentication creates an endpoint that can be used with third-party proxies that do not have rich access control capabilities ([nginx](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html), [nginx-ingress](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/), [ambassador](https://www.getambassador.io/reference/services/auth-service/), [traefik](https://docs.traefik.io/middlewares/forwardauth/)). Forward authentication allow you to delegate authentication and authorization for each request to Pomerium.
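Review bot: the renamed "Resulting Verification URL" line still shows the path form, `.../.pomerium/verify/{URL-TO-VERIFY}`, while the upgrade notes touched in this same commit say verification moved to a query string and is no longer nested under `.pomerium`. Since the line is being edited anyway, update it to the `/verify?uri=` form used in the nginx annotations so readers do not point a proxy at a stale verification endpoint. The context sentence "Forward authentication allow you" should also read "allows".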
@ -386,8 +386,8 @@ metadata:
annotations:
kubernetes.io/ingress.class: "nginx"
certmanager.k8s.io/issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request_uri
nginx.ingress.kubernetes.io/auth-signin: "https://fwdauth.corp.example.com/?uri=$scheme://$host$request_uri"
nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri
nginx.ingress.kubernetes.io/auth-signin: "https://forwardauth.corp.example.com/?uri=$scheme://$host$request_uri"
spec:
tls:
- hosts:
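Review bot: in the two renamed annotations, auth-url is left unquoted while auth-signin is quoted; quote both, as the recipe file dashboard-forwardauth.ingress.yaml does, so the value containing `$scheme://$host$request_uri` is unambiguously a YAML string. The context line also uses `certmanager.k8s.io/issuer` where the recipe uses `cert-manager.io/issuer`; the docs should settle on one.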
@ -429,7 +429,7 @@ services:
- "traefik.http.routers.httpbin.rule=Host(`httpbin.corp.example.com`)"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://fwdauth.corp.example.com/?uri=https://httpbin.corp.example.com"
- "traefik.http.middlewares.test-auth.forwardauth.address=http://forwardauth.corp.example.com/?uri=https://httpbin.corp.example.com"
- "traefik.http.routers.httpbin.middlewares=test-auth@docker"
```
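Review bot: the forwardauth.address line keeps the `http://` scheme, whereas every other forward-auth URL in this commit is `https://`. Over plain HTTP the authorization check and the identity headers listed in authResponseHeaders (including x-pomerium-jwt-assertion) cross the network unencrypted and can be altered in transit; change it to https, or state that the example assumes a trusted local network. The comment above it still says the middleware is named `foo-add-prefix` although the labels define `test-auth`.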

@ -39,17 +39,17 @@ Previous programmatic authentication endpoints (`/api/v1/token`) has been remove
#### Forward-auth route change
Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${fwdauth}/.pomerium/verify/httpbin.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${fwdauth}/.pomerium/verify?url=https://httpbin.some.example)` where the routed domain is the value of the `uri` key.
Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/httpbin.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://httpbin.some.example)` where the routed domain is the value of the `uri` key.
Note that the verification URL is no longer nested under the `.pomerium` endpoint.
For example, in nginx this would look like:
```diff
- nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
- nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
+ nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/verify?uri=$scheme://$host$request_uri
+ nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com?uri=$scheme://$host$request_uri
- nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
- nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
+ nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri
+ nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com?uri=$scheme://$host$request_uri
```
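Review bot: the rewritten paragraph still contradicts itself in the new-method example: it shows `${forwardauth}/.pomerium/verify?url=...` but then says the routed domain is the value of the `uri` key, and the following sentence says the endpoint is no longer nested under `.pomerium`. The nginx lines below use `/verify?uri=`, so the inline example should match them, otherwise a reader copying it ends up with an auth-url that does not match the documented endpoint. The first inline example also has its closing backtick and parenthesis swapped.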

@ -252,7 +252,7 @@ The above token then needs to be assigned to our route configuration and policy.
```yaml
# config.yaml
forward_auth_url: https://fwdauth.domain.example
forward_auth_url: https://forwardauth.domain.example
policy:
# this route is directly proxied by pomerium & injects the authorization header
@ -265,7 +265,7 @@ policy:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.....
# this route is indirectly checked for access using forward-auth
- from: https://dashboard-fwdauth.domain.example
- from: https://dashboard-forwardauth.domain.example
to: https://helm-dashboard-kubernetes-dashboard
allowed_users:
- user@domain.example
@ -303,10 +303,10 @@ $kubectl apply -f docs/recipes/yml/pomerium.ingress.yaml
<<< @/docs/recipes/yml/pomerium.ingress.yaml
```sh
$kubectl apply -f docs/recipes/yml/dashboard-fwdauth.ingress.yaml
$kubectl apply -f docs/recipes/yml/dashboard-forwardauth.ingress.yaml
```
<<< @/docs/recipes/yml/dashboard-fwdauth.ingress.yaml
<<< @/docs/recipes/yml/dashboard-forwardauth.ingress.yaml
```sh
$kubectl apply -f docs/recipes/yml/dashboard-proxied.ingress.yaml
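Review bot: the recipe now applies `docs/recipes/yml/dashboard-forwardauth.ingress.yaml` and includes the same path via `<<<`, so the YAML file itself has to be renamed in this commit; the later hunk for that file only shows its content changing, so please confirm the rename is included, otherwise the include and the command point at a missing file. Separately, `$kubectl` with no space after the prompt reads as a shell variable; `$ kubectl` is clearer for copy and paste.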
@ -322,7 +322,7 @@ And finally, check that the ingresses are up and running.
```sh
NAME HOSTS ADDRESS PORTS AGE
dashboard-fwdauth dashboard-fwdauth.domain.example 80, 443 42h
dashboard-forwardauth dashboard-forwardauth.domain.example 80, 443 42h
dashboard-proxied dashboard-proxied.domain.example 80, 443 42h
helm-pomerium *.domain.example,authenticate.domain.example 80, 443 42h
```

@ -1,22 +1,22 @@
# dashboard-fwdauth.ingress.yaml
# dashboard-forwardauth.ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard-fwdauth
name: dashboard-forwardauth
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: "letsencrypt-prod" # see `letsencrypt.issuer.yaml`
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/auth-url: "https://fwdauth.domain.example/verify?uri=$scheme://$host$request_uri"
nginx.ingress.kubernetes.io/auth-signin: "https://fwdauth.domain.example?uri=$scheme://$host$request_uri"
nginx.ingress.kubernetes.io/auth-url: "https://forwardauth.domain.example/verify?uri=$scheme://$host$request_uri"
nginx.ingress.kubernetes.io/auth-signin: "https://forwardauth.domain.example?uri=$scheme://$host$request_uri"
spec:
tls:
- hosts:
- dashboard-fwdauth.domain.example
secretName: dashboard-fwdauth-tls
- dashboard-forwardauth.domain.example
secretName: dashboard-forwardauth-tls
rules:
- host: dashboard-fwdauth.domain.example
- host: dashboard-forwardauth.domain.example
http:
paths:
- path: /
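Review bot: the host and secretName change from dashboard-fwdauth to dashboard-forwardauth, which for anyone who already applied this recipe means a new DNS name and a new certificate secret rather than an in-place update; that deserves a line in the upgrade notes. The auth-signin value here is also `https://forwardauth.domain.example?uri=...` with no `/` before the query, while the reference docs use `/?uri=`; make the two consistent.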

@ -13,8 +13,8 @@ spec:
- authenticate.domain.example
secretName: pomerium-authenticate-external-tls
- hosts:
- fwdauth.domain.example
secretName: pomerium-fwdauth-external-tls
- forwardauth.domain.example
secretName: pomerium-forwardauth-external-tls
rules:
- host: authenticate.domain.example
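Review bot: secretName changes to pomerium-forwardauth-external-tls, but nothing visible in this commit creates or renames that secret. An ingress whose TLS entry names a secret that does not exist will not serve the intended certificate for forwardauth.domain.example, so the recipe should say where this secret comes from or keep the existing name.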
@ -24,7 +24,7 @@ spec:
backend:
serviceName: helm-pomerium-authenticate
servicePort: https
- host: fwdauth.domain.example
- host: forwardauth.domain.example
http:
paths:
- path: /