diff --git a/docs/docs/reference/examples/config/config.example.env b/docs/docs/reference/examples/config/config.example.env index c94cd5844..5fc2606bb 100644 --- a/docs/docs/reference/examples/config/config.example.env +++ b/docs/docs/reference/examples/config/config.example.env @@ -8,8 +8,9 @@ # export LOG_LEVEL="info" # optional, default is debug export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com -# AUTHORIZE_SERVICE_URL defaults to `localhost:5443` in all-in-one mode -# export AUTHORIZE_SERVICE_URL=https://authorize.corp.beyondperimeter.com +# AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode, +# otherwise it should be set to a "behind-the-ingress" routable url +# export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. # See : https://www.pomerium.io/docs/reference/certificates diff --git a/docs/docs/reference/examples/config/config.example.yaml b/docs/docs/reference/examples/config/config.example.yaml index f1b24d2ba..f317b76af 100644 --- a/docs/docs/reference/examples/config/config.example.yaml +++ b/docs/docs/reference/examples/config/config.example.yaml @@ -6,7 +6,9 @@ # log_level: info # optional, default is debug authenticate_service_url: https://authenticate.corp.beyondperimeter.com -# authorize_service_url: https://authorize.corp.beyondperimeter.com # usually a behind an ingress url +# authorize service url will default to localhost in all-in-one mode, otherwise +# it should be set to a "behind-the-ingress" routable url +# authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. # certificate_file: "./cert.pem" # optional, defaults to `./cert.pem` diff --git a/docs/docs/reference/examples/config/config.minimal.yaml b/docs/docs/reference/examples/config/config.minimal.yaml index 12f602e58..1d8f2bef1 100644 
--- a/docs/docs/reference/examples/config/config.minimal.yaml +++ b/docs/docs/reference/examples/config/config.minimal.yaml @@ -1,6 +1,5 @@ # See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/ authenticate_service_url: https://authenticate.corp.beyondperimeter.com -authorize_service_url: https://authorize.corp.beyondperimeter.com # identity provider settings : https://www.pomerium.io/docs/identity-providers.html idp_provider: google diff --git a/docs/docs/reference/examples/config/config.visual-studio-code.yaml b/docs/docs/reference/examples/config/config.visual-studio-code.yaml deleted file mode 100644 index 68f95450e..000000000 --- a/docs/docs/reference/examples/config/config.visual-studio-code.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/ -authenticate_service_url: https://authenticate.corp.domain.example -authorize_service_url: https://authorize.corp.domain.example - -# identity provider settings : https://www.pomerium.io/docs/identity-providers.html -idp_provider: google -idp_client_id: REPLACE_ME -idp_client_secret: REPLACE_ME - -policy: - - from: https://code.corp.domain.example - to: http://codeserver:8443 - allowed_users: - - some.user@domain.example - allow_websockets: true diff --git a/docs/docs/reference/reference.md b/docs/docs/reference/reference.md index 45414a191..1638b818e 100644 --- a/docs/docs/reference/reference.md +++ b/docs/docs/reference/reference.md 
@@ -609,8 +609,8 @@ Authenticate Service URL is the externally accessible URL for the authenticate s - Environmental Variable: `AUTHORIZE_SERVICE_URL` - Config File Key: `authorize_service_url` - Type: `URL` -- Required -- Example: `https://authorize.corp.example.com` or `https://pomerium-authorize-service.default.svc.cluster.local` or `https://localhost:5443` +- Required; inferred in all-in-one mode to be localhost. +- Example: https://pomerium-authorize-service.default.svc.cluster.local` or `https://localhost:5443` Authorize Service URL is the location of the internally accessible authorize service. NOTE: Unlike authenticate, authorize has no publicly accessible http handlers so this setting is purely for gRPC communication. @@ -624,7 +624,7 @@ If your load balancer does not support gRPC pass-through you'll need to set this - Optional (but typically required if Authenticate Internal Service Address is set) - Example: `*.corp.example.com` if wild card or `authenticate.corp.example.com`/`authorize.corp.example.com` -When Authenticate Internal Service Address is set, secure service communication can fail because the external certificate name will not match the internally routed service hostname/[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). This setting allows you to override that check. +Secure service communication can fail if the external certificate does not match the internally routed service hostname/[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). This setting allows you to override that value. ## Certificate Authority diff --git a/docs/recipes/vs-code-server.md b/docs/recipes/vs-code-server.md index fb7f12ae1..c77cf818e 100644 --- a/docs/recipes/vs-code-server.md +++ b/docs/recipes/vs-code-server.md 
@@ -36,7 +36,23 @@ This guide assumes you have already completed one of the [quick start] guides, a ### Pomerium Config -<<< @/docs/docs/reference/examples/config/config.visual-studio-code.yaml +``` +# config.yaml +# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/ +authenticate_service_url: https://authenticate.corp.domain.example + +# identity provider settings : https://www.pomerium.io/docs/identity-providers.html +idp_provider: google +idp_client_id: REPLACE_ME +idp_client_secret: REPLACE_ME + +policy: + - from: https://code.corp.domain.example + to: http://codeserver:8443 + allowed_users: + - some.user@domain.example + allow_websockets: true +``` ### Docker-compose
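Review bot: In the config.example.env hunk the new comment drops the port from the previous `localhost:5443` while the reference.md hunk in this same patch still lists `https://localhost:5443` as the inferred value; keep the port in the comment so the three files agree. The phrase "AUTHORIZE_SERVICE_URL service url will default" also doubles "service url"; "AUTHORIZE_SERVICE_URL defaults to https://localhost:5443 in all-in-one mode, otherwise set it to a behind-the-ingress routable URL" reads cleaner.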
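Review bot: The config.example.yaml hunk has the same port mismatch: the comment says "default to localhost" but reference.md gives `https://localhost:5443`. The replacement example `https://pomerium-authorize-service.default.svc.cluster.local` is Kubernetes-specific, so the comment should say so rather than only "behind-the-ingress", since a docker-compose user will otherwise copy a hostname that cannot resolve.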
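Review bot: In the reference.md hunk at line 609 the new Example line has an unbalanced backtick: `- Example: https://pomerium-authorize-service.default.svc.cluster.local` or `https://localhost:5443`` opens no code span before the first URL, so it will render with stray backticks. Also "Required; inferred in all-in-one mode to be localhost" contradicts itself; state it as "Optional in all-in-one mode (defaults to `https://localhost:5443`); required otherwise", and consider keeping the `https://authorize.corp.example.com` example that was removed, since it is the one most users of split services will want.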
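Review bot: In the reference.md hunk at line 624, "This setting allows you to override that value" is less precise than the wording it replaces. The setting changes the name that the TLS client verifies against (the expected hostname/SNI), not the certificate itself, and it does not disable verification; say "override the expected name used for that check" so nobody reads it as a way to turn certificate checking off. The retained bullet "Optional (but typically required if Authenticate Internal Service Address is set)" still refers to the Internal Service Address condition that the rewritten sentence drops, so either keep the condition in the sentence or update the bullet as well.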
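Review bot: The config.minimal.yaml hunk removes `authorize_service_url` without any comment, so the file now silently depends on the all-in-one default documented elsewhere; a one-line comment such as "# authorize_service_url is inferred in all-in-one mode" would stop users who run split services from copying a config that lacks a required setting.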
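Review bot: In the vs-code-server.md hunk the new fence is untagged (` ``` `) while it holds YAML; tag it ` ```yaml ` so it renders with highlighting like the other examples. Inlining the config in place of the `<<< @/docs/...` include also means this copy will no longer track the shared examples, which this very patch changes; if the include was dropped only to remove `authorize_service_url`, keeping the include and editing the shared file would have avoided a second copy to maintain.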