3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-10 23:03:23 +02:00
Code Issues Projects Releases Packages Wiki Activity

update script and apply

Browse source
This commit is contained in:
alexfornuto 2021-07-26 17:16:27 -05:00
parent 2fecb4e583
commit 91d4d22156
9 changed files with 191 additions and 169 deletions
Download patch file Download diff file Expand all files Collapse all files

14
docs/.vuepress/config.js
View file

@ -210,7 +210,19 @@ module.exports = {
],
},
"prometheus",
"reference",
{
title: "Reference",
type: "group",
collapsable: false,
path: "/enterprise/reference/configure",
sidebarDepth: 2,
children: [
"/enterprise/reference/configuration-settings",
"/enterprise/reference/configure",
"/enterprise/reference/manage",
"/enterprise/reference/reports",
]
}
],
},
],

6
docs/enterprise/console-settings.yaml
View file

@ -80,7 +80,7 @@ settings:
- name: "Policies"
keys: ["Policy"]
doc: |
A Policy defines what permissions a set of users or groups has. Policies are applied to [Namespaces](#namespaces) or [Routes](#routes) to associate the set of permissions with a service or set of service, completing the authentication model.
A Policy defines what permissions a set of users or groups has. Policies are applied to Namespaces or Routes to associate the set of permissions with a service or set of service, completing the authentication model.
::: tip
This is a separate concept from [policies](../reference/#policy) in the non-enterprise model. In open-source Pomerium, the `policy` block defines both routes and access.
@ -92,13 +92,13 @@ settings:
From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups.
![A policy being constructed in Pomerium Enterprise console allowing a single user access](./img/example-policy-single-user.png)
![A policy being constructed in Pomerium Enterprise console allowing a single user access](../img/example-policy-single-user.png)
#### Pomerium Policy Language
From the **EDITOR** tab users can write policies in Pomerium Policy Language (**PPL**), a YAML-based notation.
![A policy as viewed from the editor tab](./img/example-policy-editor.png)
![A policy as viewed from the editor tab](../img/example-policy-editor.png)
#### Rego

160
docs/enterprise/reference.md
View file

@ -1,160 +0,0 @@
---
title: Reference
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
# Pomerium Enterprise Console Settings
The Pomerium Enterprise Console is initially configured using a configuration file ([YAML]/[JSON]/[TOML]) or environment variables. In general, environmental variable keys are identical to config file keys but are uppercase.
If you are coming from a Kubernetes or docker background this should feel familiar. If not, check out the following primers.
- [Store config in the environment](https://12factor.net/config)
- [Kubernetes: Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
- [Kubernetes: Config Maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/)
- [Docker: Environment variables](https://docs.docker.com/compose/environment-variables/)
Using both [environmental variables] and config file keys is allowed and encouraged (for instance, secret keys are probably best set as environmental variables). However, if duplicate configuration keys are found, environment variables take precedence.
Additional configuration and the setting of routes and policies is performed through the web user interface (**UI**).
## Configuration Settings
These configuration values are set in the `config.yaml` file for Pomerium Enterprise Console, or as environment variables. Once the console is accessible, configuration is adjusted through the web UI.
### User Impersonation
@travis fill me with delicious data!
## Reports
### Traffic
### Runtime
### Sessions
### Events
### Deployments
## Manage
### Routes
A Route provides access to a service through Pomerium.
#### General
The **General** tab defines the route path, both from the internet and to the internal service, and the policies attached. Note that policies enforced on a Namespace the Route resides in will also be applied.
##### Name
##### From
##### To
##### Redirect
##### Policies
##### Pass Identity Headers
##### Enable Google Cloud Serverless Authentication
#### Matchers
#### Rewrite
#### Timeouts
#### Headers
#### Load Balancer
### Policies
A Policy defines what permissions a set of users or groups has. Policies are applied to [Namespaces](#namespaces) or [Routes](#routes) to associate the set of permissions with a service or set of service, completing the authentication model.
::: tip
This is a separate concept from [policies](../reference/#policy) in the non-enterprise model. In open-source Pomerium, the `policy` block defines both routes and access.
:::
Policies can be constructed three ways:
#### Web UI
From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups.
![A policy being constructed in Pomerium Enterprise console allowing a single user access](./img/example-policy-single-user.png)
#### Pomerium Policy Language
From the **EDITOR** tab users can write policies in Pomerium Policy Language (**PPL**), a YAML-based notation.
![A policy as viewed from the editor tab](./img/example-policy-editor.png)
#### Rego
For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
::: tip
A policy can only support PPL or Rego. Once one is set, the other tab is disabled.
:::
#### Overrides
- **Any Authenticated User**: This setting will allow access to a route with this policy attached to any user who can authenticate to your Identity Provider (**IdP**).
- **CORS Preflight**:
- **Public Access**: This setting allows complete, unrestricted access to an associated route. Use this setting with caution.
### Certificates
## Configure
### Settings
#### Global
#### Cookies
#### Timeouts
#### GRPC
#### Tracing
#### Authenticate
#### Authorize
#### Proxy
### Service Accounts
<!-- Explain Service Accounts -->
### Namespaces
A Namespace is a collection of users, groups, routes, and policies that allows system administrators to organize, manage, and delegate permissions across their infrastructure.
- Policies can be optional or enforced on a Namespace, and they can be nested to create inheritance.
- Users or groups can be granted permission to edit access to routes within a Namespace, allowing them self-serve access to the routes critical to their work.
[base64 encoded]: https://en.wikipedia.org/wiki/Base64
[elliptic curve]: https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations#Generating_EC_Keys_and_Parameters
[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
[identity provider]: ../docs/identity-providers/
[json]: https://en.wikipedia.org/wiki/JSON
[letsencrypt]: https://letsencrypt.org/
[oidc rfc]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
[okta]: ../docs/identity-providers/okta.md
[script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
[signed headers]: ../docs/topics/getting-users-identity.md
[toml]: https://en.wikipedia.org/wiki/TOML
[yaml]: https://en.wikipedia.org/wiki/YAML

17
docs/enterprise/reference/configuration-settings.md Normal file
View file

@ -0,0 +1,17 @@
---
title: Configuration Settings
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
# Configuration Settings
These configuration values are set in the `config.yaml` file for Pomerium Enterprise Console, or as environment variables. Once the console is accessible, configuration is adjusted through the web UI.
## User Impersonation
@travis fill me with delicious data!

40
docs/enterprise/reference/configure.md Normal file
View file

@ -0,0 +1,40 @@
---
title: Configure
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
# Configure
## Settings
### Global
### Cookies
### Timeouts
### GRPC
### Tracing
### Authenticate
### Authorize
### Proxy
## Service Accounts
<!-- Explain Service Accounts -->
## Namespaces
A Namespace is a collection of users, groups, routes, and policies that allows system administrators to organize, manage, and delegate permissions across their infrastructure.
- Policies can be optional or enforced on a Namespace, and they can be nested to create inheritance.
- Users or groups can be granted permission to edit access to routes within a Namespace, allowing them self-serve access to the routes critical to their work.

80
docs/enterprise/reference/manage.md Normal file
View file

@ -0,0 +1,80 @@
---
title: Manage
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
# Manage
## Routes
A Route provides access to a service through Pomerium.
### General
The **General** tab defines the route path, both from the internet and to the internal service, and the policies attached. Note that policies enforced on a Namespace the Route resides in will also be applied.
#### Name
#### From
#### To
#### Redirect
#### Policies
#### Pass Identity Headers
#### Enable Google Cloud Serverless Authentication
### Matchers
### Rewrite
### Timeouts
### Headers
### Load Balancer
## Policies
A Policy defines what permissions a set of users or groups has. Policies are applied to [Namespaces] or [Routes] to associate the set of permissions with a service or set of service, completing the authentication model.
::: tip
This is a separate concept from [policies](../reference/#policy) in the non-enterprise model. In open-source Pomerium, the `policy` block defines both routes and access.
:::
Policies can be constructed three ways:
#### Web UI
From the **BUILDER** tab, users can add allow or deny blocks to a policy, containing and/or/not/nor logic to allow or deny sets of users and groups.
![A policy being constructed in Pomerium Enterprise console allowing a single user access](../img/example-policy-single-user.png)
#### Pomerium Policy Language
From the **EDITOR** tab users can write policies in Pomerium Policy Language (**PPL**), a YAML-based notation.
![A policy as viewed from the editor tab](../img/example-policy-editor.png)
#### Rego
For those using [OPA](https://www.openpolicyagent.org/), the **REGO** tab will accept policies written in Rego.
::: tip
A policy can only support PPL or Rego. Once one is set, the other tab is disabled.
:::
#### Overrides
- **Any Authenticated User**: This setting will allow access to a route with this policy attached to any user who can authenticate to your Identity Provider (**IdP**).
- **CORS Preflight**:
- **Public Access**: This setting allows complete, unrestricted access to an associated route. Use this setting with caution.
## Certificates

21
docs/enterprise/reference/reports.md Normal file
View file

@ -0,0 +1,21 @@
---
title: Reports
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
# Reports
## Traffic
## Runtime
## Sessions
## Events
## Deployments

4
package.json
View file

@ -1,6 +1,7 @@
{
"devDependencies": {
"@vuepress/plugin-google-analytics": "1.8.2",
"js-yaml": "^4.1.0",
"vuepress": "1.8.2",
"vuepress-plugin-check-md": "0.0.2",
"vuepress-plugin-element-tabs": "^0.2.8",
@ -9,7 +10,8 @@
"scripts": {
"docs:dev": "vuepress dev docs",
"docs:build": "vuepress build docs",
"docs:check-md": "vuepress check-md"
"docs:check-md": "vuepress check-md",
"buildref": "node scripts/generate-console-pages.js"
},
"dependencies": {
"esm": "3.2.25"

18
scripts/generate-console-pages.js
View file

@ -6,14 +6,24 @@ const yaml = require('js-yaml');
// Functions
const writePage = (setting) => {
console.log('Generating ', setting.name, ".md")
console.log('Generating ', setting.name, " page")
let frontmatter = `---
title: ${setting.name}
lang: en-US
sidebarDepth: 2
meta:
- name: keywords
content: configuration options settings Pomerium enterprise console
---
`
let path = './docs/enterprise/reference/' + setting.name.replace(/\s/g, '-').toLowerCase() + ".md"
console.log("path=", path) //For Debugging
let header = '# ' + setting.name + '\n'
let header = '# ' + setting.name + '\n' + '\n'
let body = setting.doc ? setting.doc.toString() + '\n' : ''
let moreBody = setting.settings ? setting.settings.map(subsection => writeSubsection(subsection, 2)).join('') : ''
let content = header + body + moreBody
let content = frontmatter + header + body + moreBody
fs.writeFileSync(path, content)
}
@ -22,7 +32,7 @@ const writeSubsection = (subsection, depth) => {
if (!subsection.name) {
return
}
let header = '#'.repeat(depth) + ' ' + subsection.name + '\n'
let header = '#'.repeat(depth) + ' ' + subsection.name + '\n' + '\n'
let subContent = subsection.doc ? subsection.doc.toString() + '\n' : ''
subsection.attributes ? subContent = subContent + subsection.attributes.toString() : null
subsection.settings ? subContent = subContent + subsection.settings.map(turtles => writeSubsection(turtles, depth + 1)).join('') : ''