config: add support for policies stored in the databroker (#1099)

* wip * always use databroker config source * add test * valid policy, remove debug lines
2025-04-29 10:26:29 +02:00 · 2020-07-17 10:35:29 -06:00 · 2020-07-17 10:35:29 -06:00 · b79e73b8b8
commit b79e73b8b8
parent 821f2e9000
9 changed files with 965 additions and 6 deletions
--- a/config/config_source.go
+++ b/config/config_source.go
@ -52,6 +52,24 @@ type Source interface {
 	OnConfigChange(ChangeListener)
 }

+// A StaticSource always returns the same config. Useful for testing.
+type StaticSource struct {
+	cfg *Config
+}
+
+// NewStaticSource creates a new StaticSource.
+func NewStaticSource(cfg *Config) *StaticSource {
+	return &StaticSource{cfg: cfg}
+}
+
+// GetConfig gets the config.
+func (src *StaticSource) GetConfig() *Config {
+	return src.cfg
+}
+
+// OnConfigChange is ignored for the StaticSource.
+func (src *StaticSource) OnConfigChange(ChangeListener) {}
+
 // A FileOrEnvironmentSource retrieves config options from a file or the environment.
 type FileOrEnvironmentSource struct {
 	configFile string
--- a/config/policy.go
+++ b/config/policy.go
@ -10,10 +10,12 @@ import (
 	"time"

 	"github.com/cespare/xxhash/v2"
+	"github.com/golang/protobuf/ptypes"
 	"github.com/mitchellh/hashstructure"

 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
+	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 )

 // Policy contains route specific configuration and access settings.
@ -109,6 +111,73 @@ type Policy struct {
 	EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` //nolint
 }

+// NewPolicyFromProto creates a new Policy from a protobuf policy config route.
+func NewPolicyFromProto(pb *configpb.Policy) (*Policy, error) {
+	timeout, _ := ptypes.Duration(pb.GetTimeout())
+
+	p := &Policy{
+		From:                             pb.GetFrom(),
+		To:                               pb.GetTo(),
+		AllowedUsers:                     pb.GetAllowedUsers(),
+		AllowedGroups:                    pb.GetAllowedGroups(),
+		AllowedDomains:                   pb.GetAllowedDomains(),
+		Prefix:                           pb.GetPrefix(),
+		Path:                             pb.GetPath(),
+		Regex:                            pb.GetRegex(),
+		CORSAllowPreflight:               pb.GetCorsAllowPreflight(),
+		AllowPublicUnauthenticatedAccess: pb.GetAllowPublicUnauthenticatedAccess(),
+		UpstreamTimeout:                  timeout,
+		AllowWebsockets:                  pb.GetAllowWebsockets(),
+		TLSSkipVerify:                    pb.GetTlsSkipVerify(),
+		TLSServerName:                    pb.GetTlsServerName(),
+		TLSCustomCA:                      pb.GetTlsCustomCa(),
+		TLSCustomCAFile:                  pb.GetTlsCustomCaFile(),
+		TLSClientCert:                    pb.GetTlsClientCert(),
+		TLSClientKey:                     pb.GetTlsClientKey(),
+		TLSClientCertFile:                pb.GetTlsClientCertFile(),
+		TLSClientKeyFile:                 pb.GetTlsClientKeyFile(),
+		SetRequestHeaders:                pb.GetSetRequestHeaders(),
+		RemoveRequestHeaders:             pb.GetRemoveRequestHeaders(),
+		PreserveHostHeader:               pb.GetPreserveHostHeader(),
+		PassIdentityHeaders:              pb.GetPassIdentityHeaders(),
+		KubernetesServiceAccountToken:    pb.GetKubernetesServiceAccountToken(),
+	}
+	return p, p.Validate()
+}
+
+// ToProto converts the policy to a protobuf type.
+func (p *Policy) ToProto() *configpb.Policy {
+	timeout := ptypes.DurationProto(p.UpstreamTimeout)
+	return &configpb.Policy{
+		Name:                             fmt.Sprint(p.RouteID()),
+		From:                             p.From,
+		To:                               p.To,
+		AllowedUsers:                     p.AllowedUsers,
+		AllowedGroups:                    p.AllowedGroups,
+		AllowedDomains:                   p.AllowedDomains,
+		Prefix:                           p.Prefix,
+		Path:                             p.Path,
+		Regex:                            p.Regex,
+		CorsAllowPreflight:               p.CORSAllowPreflight,
+		AllowPublicUnauthenticatedAccess: p.AllowPublicUnauthenticatedAccess,
+		Timeout:                          timeout,
+		AllowWebsockets:                  p.AllowWebsockets,
+		TlsSkipVerify:                    p.TLSSkipVerify,
+		TlsServerName:                    p.TLSServerName,
+		TlsCustomCa:                      p.TLSCustomCA,
+		TlsCustomCaFile:                  p.TLSCustomCAFile,
+		TlsClientCert:                    p.TLSClientCert,
+		TlsClientKey:                     p.TLSClientKey,
+		TlsClientCertFile:                p.TLSClientCertFile,
+		TlsClientKeyFile:                 p.TLSClientKeyFile,
+		SetRequestHeaders:                p.SetRequestHeaders,
+		RemoveRequestHeaders:             p.RemoveRequestHeaders,
+		PreserveHostHeader:               p.PreserveHostHeader,
+		PassIdentityHeaders:              p.PassIdentityHeaders,
+		KubernetesServiceAccountToken:    p.KubernetesServiceAccountToken,
+	}
+}
+
 // Validate checks the validity of a policy.
 func (p *Policy) Validate() error {
 	var err error
--- a/internal/autocert/manager.go
+++ b/internal/autocert/manager.go
@ -45,7 +45,8 @@ func New(src config.Source) (*Manager, error) {
 			return
 		}

-		mgr.Trigger(mgr.GetConfig())
+		cfg = mgr.GetConfig()
+		mgr.Trigger(cfg)
 	})
 	return mgr, nil
 }
@ -112,6 +113,7 @@ func (mgr *Manager) updateAutocert(cfg *config.Config) error {
 			cert, err = cm.CacheManagedCertificate(domain)
 		}
 		if err == nil {
+			log.Info().Strs("names", cert.Names).Msg("autocert: added certificate")
 			cfg.Options.Certificates = append(cfg.Options.Certificates, cert.Certificate)
 		} else {
 			log.Error().Err(err).Msg("autocert: failed to obtain client certificate")
--- a/internal/cmd/pomerium/pomerium.go
+++ b/internal/cmd/pomerium/pomerium.go
@ -20,6 +20,7 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/autocert"
 	"github.com/pomerium/pomerium/internal/controlplane"
+	"github.com/pomerium/pomerium/internal/databroker"
 	"github.com/pomerium/pomerium/internal/envoy"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
@ -33,6 +34,8 @@ import (

 // Run runs the main pomerium application.
 func Run(ctx context.Context, configFile string) error {
+	log.Info().Str("version", version.FullVersion()).Msg("cmd/pomerium")
+
 	var src config.Source

 	src, err := config.NewFileOrEnvironmentSource(configFile)
@ -45,9 +48,9 @@ func Run(ctx context.Context, configFile string) error {
 		return err
 	}

-	cfg := src.GetConfig()
+	src = databroker.NewConfigSource(src)

-	log.Info().Str("version", version.FullVersion()).Msg("cmd/pomerium")
+	cfg := src.GetConfig()

 	if err := setupMetrics(ctx, cfg.Options); err != nil {
 		return err
@ -145,9 +148,6 @@ func setupAuthenticate(src config.Source, cfg *config.Config, controlPlane *cont
 	}
 	src.OnConfigChange(svc.OnConfigChange)
 	svc.OnConfigChange(cfg)
-	if err != nil {
-		return fmt.Errorf("error updating authenticate options: %w", err)
-	}
 	host := urlutil.StripPort(cfg.Options.GetAuthenticateURL().Host)
 	sr := controlPlane.HTTPRouter.Host(host).Subrouter()
 	svc.Mount(sr)
--- a/internal/databroker/config_source.go
+++ b/internal/databroker/config_source.go
@ -0,0 +1,233 @@
+package databroker
+
+import (
+	"context"
+	"errors"
+	"sync"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/golang/protobuf/ptypes"
+	"github.com/mitchellh/hashstructure"
+
+	"github.com/pomerium/pomerium/config"
+	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc"
+	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+)
+
+var (
+	configTypeURL string
+)
+
+func init() {
+	any, _ := ptypes.MarshalAny(new(configpb.Config))
+	configTypeURL = any.GetTypeUrl()
+}
+
+// ConfigSource provides a new Config source that decorates an underlying config with
+// configuration derived from the data broker.
+type ConfigSource struct {
+	mu               sync.RWMutex
+	computedConfig   *config.Config
+	underlyingConfig *config.Config
+	dbConfigs        map[string]*configpb.Config
+	updaterHash      uint64
+	cancel           func()
+	serverVersion    string
+	recordVersion    string
+
+	config.ChangeDispatcher
+}
+
+// NewConfigSource creates a new ConfigSource.
+func NewConfigSource(underlying config.Source, listeners ...config.ChangeListener) *ConfigSource {
+	src := &ConfigSource{
+		dbConfigs: map[string]*configpb.Config{},
+	}
+	for _, li := range listeners {
+		src.OnConfigChange(li)
+	}
+	underlying.OnConfigChange(func(cfg *config.Config) {
+		src.mu.Lock()
+		src.underlyingConfig = cfg.Clone()
+		src.mu.Unlock()
+
+		src.rebuild(false)
+	})
+	src.underlyingConfig = underlying.GetConfig()
+	src.rebuild(true)
+	return src
+}
+
+// GetConfig gets the current config.
+func (src *ConfigSource) GetConfig() *config.Config {
+	src.mu.RLock()
+	defer src.mu.RUnlock()
+
+	return src.computedConfig
+}
+
+func (src *ConfigSource) rebuild(firstTime bool) {
+	src.mu.Lock()
+	defer src.mu.Unlock()
+
+	cfg := src.underlyingConfig.Clone()
+	defer func() {
+		src.computedConfig = cfg
+		if !firstTime {
+			src.Trigger(cfg)
+		}
+	}()
+
+	// start the updater
+	src.runUpdater(cfg)
+
+	seen := map[uint64]struct{}{}
+	for _, policy := range cfg.Options.Policies {
+		seen[policy.RouteID()] = struct{}{}
+	}
+
+	// add all the config policies to the list
+	for _, cfgpb := range src.dbConfigs {
+		for _, policypb := range cfgpb.GetPolicies() {
+			policy, err := config.NewPolicyFromProto(policypb)
+			if err != nil {
+				log.Warn().Err(err).Msg("databroker: error converting protobuf into policy")
+				continue
+			}
+
+			err = policy.Validate()
+			if err != nil {
+				log.Warn().Err(err).
+					Str("policy", policy.String()).
+					Msg("databroker: invalid policy, ignoring")
+			}
+
+			routeID := policy.RouteID()
+
+			if _, ok := seen[routeID]; ok {
+				log.Warn().Err(err).
+					Str("policy", policy.String()).
+					Msg("databroker: duplicate policy detected, ignoring")
+				continue
+			}
+			seen[routeID] = struct{}{}
+
+			cfg.Options.Policies = append(cfg.Options.Policies, *policy)
+		}
+	}
+}
+
+func (src *ConfigSource) runUpdater(cfg *config.Config) {
+	connectionOptions := &grpc.Options{
+		Addr:                    cfg.Options.DataBrokerURL,
+		OverrideCertificateName: cfg.Options.OverrideCertificateName,
+		CA:                      cfg.Options.CA,
+		CAFile:                  cfg.Options.CAFile,
+		RequestTimeout:          cfg.Options.GRPCClientTimeout,
+		ClientDNSRoundRobin:     cfg.Options.GRPCClientDNSRoundRobin,
+		WithInsecure:            cfg.Options.GRPCInsecure,
+		ServiceName:             cfg.Options.Services,
+	}
+	h, err := hashstructure.Hash(connectionOptions, nil)
+	if err != nil {
+		log.Fatal().Err(err).Send()
+	}
+	// nothing changed, so don't restart the updater
+	if src.updaterHash == h {
+		return
+	}
+	src.updaterHash = h
+
+	if src.cancel != nil {
+		src.cancel()
+		src.cancel = nil
+	}
+
+	cc, err := grpc.NewGRPCClientConn(connectionOptions)
+	if err != nil {
+		log.Error().Err(err).Msg("databroker: failed to create gRPC connection to data broker")
+		return
+	}
+
+	client := databroker.NewDataBrokerServiceClient(cc)
+
+	ctx := context.Background()
+	ctx, src.cancel = context.WithCancel(ctx)
+
+	go tryForever(ctx, func(onSuccess func()) error {
+		src.mu.Lock()
+		serverVersion, recordVersion := src.serverVersion, src.recordVersion
+		src.mu.Unlock()
+
+		stream, err := client.Sync(ctx, &databroker.SyncRequest{
+			Type:          configTypeURL,
+			ServerVersion: serverVersion,
+			RecordVersion: recordVersion,
+		})
+		if err != nil {
+			return err
+		}
+
+		for {
+			res, err := stream.Recv()
+			if err != nil {
+				return err
+			}
+			onSuccess()
+
+			src.onSync(res.GetRecords())
+
+			for _, record := range res.GetRecords() {
+				recordVersion = record.GetVersion()
+			}
+
+			src.mu.Lock()
+			src.serverVersion, src.recordVersion = res.GetServerVersion(), recordVersion
+			src.mu.Unlock()
+		}
+	})
+}
+
+func (src *ConfigSource) onSync(records []*databroker.Record) {
+	src.mu.Lock()
+	for _, record := range records {
+		if record.GetDeletedAt() != nil {
+			delete(src.dbConfigs, record.GetId())
+			continue
+		}
+
+		var cfgpb configpb.Config
+		err := ptypes.UnmarshalAny(record.GetData(), &cfgpb)
+		if err != nil {
+			log.Warn().Err(err).Msg("databroker: error decoding config")
+			delete(src.dbConfigs, record.GetId())
+			continue
+		}
+
+		src.dbConfigs[record.GetId()] = &cfgpb
+	}
+	src.mu.Unlock()
+
+	src.rebuild(false)
+}
+
+func tryForever(ctx context.Context, callback func(onSuccess func()) error) {
+	bo := backoff.NewExponentialBackOff()
+	bo.MaxElapsedTime = 0
+	for {
+		err := callback(bo.Reset)
+		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			return
+		} else if err != nil {
+			log.Warn().Err(err).Msg("sync error")
+		}
+		select {
+		case <-ctx.Done():
+			return
+		case <-time.After(bo.NextBackOff()):
+		}
+	}
+}
--- a/internal/databroker/config_source_test.go
+++ b/internal/databroker/config_source_test.go
@ -0,0 +1,84 @@
+package databroker
+
+import (
+	"context"
+	"net"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/golang/protobuf/ptypes"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc"
+
+	"github.com/pomerium/pomerium/config"
+	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+)
+
+func TestConfigSource(t *testing.T) {
+	ctx, clearTimeout := context.WithTimeout(context.Background(), 5*time.Second)
+	defer clearTimeout()
+
+	li, err := net.Listen("tcp", "127.0.0.1:0")
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer li.Close()
+
+	db := New()
+	srv := grpc.NewServer()
+	databroker.RegisterDataBrokerServiceServer(srv, db)
+	go func() { _ = srv.Serve(li) }()
+
+	cfgs := make(chan *config.Config, 10)
+
+	src := NewConfigSource(config.NewStaticSource(&config.Config{
+		Options: &config.Options{
+			DataBrokerURL: mustParse("http://" + li.Addr().String()),
+			GRPCInsecure:  true,
+		},
+	}), func(cfg *config.Config) {
+		cfgs <- cfg
+	})
+	cfgs <- src.GetConfig()
+
+	data, _ := ptypes.MarshalAny(&configpb.Config{
+		Name: "config",
+		Policies: []*configpb.Policy{
+			{
+				From: "https://from.example.com",
+				To:   "https://to.example.com",
+			},
+		},
+	})
+	_, _ = db.Set(ctx, &databroker.SetRequest{
+		Type: configTypeURL,
+		Id:   "1",
+		Data: data,
+	})
+
+	select {
+	case <-ctx.Done():
+		assert.NoError(t, ctx.Err())
+		return
+	case cfg := <-cfgs:
+		assert.Len(t, cfg.Options.Policies, 0)
+	}
+
+	select {
+	case <-ctx.Done():
+		assert.NoError(t, ctx.Err())
+		return
+	case cfg := <-cfgs:
+		assert.Len(t, cfg.Options.Policies, 1)
+	}
+}
+
+func mustParse(raw string) *url.URL {
+	u, err := url.Parse(raw)
+	if err != nil {
+		panic(err)
+	}
+	return u
+}
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
@ -0,0 +1,503 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.25.0
+// 	protoc        v3.12.3
+// source: config.proto
+
+package config
+
+import (
+	proto "github.com/golang/protobuf/proto"
+	duration "github.com/golang/protobuf/ptypes/duration"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// This is a compile-time assertion that a sufficiently up-to-date version
+// of the legacy proto package is being used.
+const _ = proto.ProtoPackageIsVersion4
+
+type Config struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Name     string    `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Policies []*Policy `protobuf:"bytes,2,rep,name=policies,proto3" json:"policies,omitempty"`
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Config) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *Config) GetPolicies() []*Policy {
+	if x != nil {
+		return x.Policies
+	}
+	return nil
+}
+
+type Policy struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Name                             string             `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	From                             string             `protobuf:"bytes,2,opt,name=from,proto3" json:"from,omitempty"`
+	To                               string             `protobuf:"bytes,3,opt,name=to,proto3" json:"to,omitempty"`
+	AllowedUsers                     []string           `protobuf:"bytes,4,rep,name=allowed_users,json=allowedUsers,proto3" json:"allowed_users,omitempty"`
+	AllowedGroups                    []string           `protobuf:"bytes,5,rep,name=allowed_groups,json=allowedGroups,proto3" json:"allowed_groups,omitempty"`
+	AllowedDomains                   []string           `protobuf:"bytes,6,rep,name=allowed_domains,json=allowedDomains,proto3" json:"allowed_domains,omitempty"`
+	Prefix                           string             `protobuf:"bytes,7,opt,name=prefix,proto3" json:"prefix,omitempty"`
+	Path                             string             `protobuf:"bytes,8,opt,name=path,proto3" json:"path,omitempty"`
+	Regex                            string             `protobuf:"bytes,9,opt,name=regex,proto3" json:"regex,omitempty"`
+	CorsAllowPreflight               bool               `protobuf:"varint,10,opt,name=cors_allow_preflight,json=corsAllowPreflight,proto3" json:"cors_allow_preflight,omitempty"`
+	AllowPublicUnauthenticatedAccess bool               `protobuf:"varint,11,opt,name=allow_public_unauthenticated_access,json=allowPublicUnauthenticatedAccess,proto3" json:"allow_public_unauthenticated_access,omitempty"`
+	Timeout                          *duration.Duration `protobuf:"bytes,12,opt,name=timeout,proto3" json:"timeout,omitempty"`
+	AllowWebsockets                  bool               `protobuf:"varint,13,opt,name=allow_websockets,json=allowWebsockets,proto3" json:"allow_websockets,omitempty"`
+	TlsSkipVerify                    bool               `protobuf:"varint,14,opt,name=tls_skip_verify,json=tlsSkipVerify,proto3" json:"tls_skip_verify,omitempty"`
+	TlsServerName                    string             `protobuf:"bytes,15,opt,name=tls_server_name,json=tlsServerName,proto3" json:"tls_server_name,omitempty"`
+	TlsCustomCa                      string             `protobuf:"bytes,16,opt,name=tls_custom_ca,json=tlsCustomCa,proto3" json:"tls_custom_ca,omitempty"`
+	TlsCustomCaFile                  string             `protobuf:"bytes,17,opt,name=tls_custom_ca_file,json=tlsCustomCaFile,proto3" json:"tls_custom_ca_file,omitempty"`
+	TlsClientCert                    string             `protobuf:"bytes,18,opt,name=tls_client_cert,json=tlsClientCert,proto3" json:"tls_client_cert,omitempty"`
+	TlsClientKey                     string             `protobuf:"bytes,19,opt,name=tls_client_key,json=tlsClientKey,proto3" json:"tls_client_key,omitempty"`
+	TlsClientCertFile                string             `protobuf:"bytes,20,opt,name=tls_client_cert_file,json=tlsClientCertFile,proto3" json:"tls_client_cert_file,omitempty"`
+	TlsClientKeyFile                 string             `protobuf:"bytes,21,opt,name=tls_client_key_file,json=tlsClientKeyFile,proto3" json:"tls_client_key_file,omitempty"`
+	SetRequestHeaders                map[string]string  `protobuf:"bytes,22,rep,name=set_request_headers,json=setRequestHeaders,proto3" json:"set_request_headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	RemoveRequestHeaders             []string           `protobuf:"bytes,23,rep,name=remove_request_headers,json=removeRequestHeaders,proto3" json:"remove_request_headers,omitempty"`
+	PreserveHostHeader               bool               `protobuf:"varint,24,opt,name=preserve_host_header,json=preserveHostHeader,proto3" json:"preserve_host_header,omitempty"`
+	PassIdentityHeaders              bool               `protobuf:"varint,25,opt,name=pass_identity_headers,json=passIdentityHeaders,proto3" json:"pass_identity_headers,omitempty"`
+	KubernetesServiceAccountToken    string             `protobuf:"bytes,26,opt,name=kubernetes_service_account_token,json=kubernetesServiceAccountToken,proto3" json:"kubernetes_service_account_token,omitempty"`
+}
+
+func (x *Policy) Reset() {
+	*x = Policy{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_config_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Policy) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Policy) ProtoMessage() {}
+
+func (x *Policy) ProtoReflect() protoreflect.Message {
+	mi := &file_config_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Policy.ProtoReflect.Descriptor instead.
+func (*Policy) Descriptor() ([]byte, []int) {
+	return file_config_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *Policy) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *Policy) GetFrom() string {
+	if x != nil {
+		return x.From
+	}
+	return ""
+}
+
+func (x *Policy) GetTo() string {
+	if x != nil {
+		return x.To
+	}
+	return ""
+}
+
+func (x *Policy) GetAllowedUsers() []string {
+	if x != nil {
+		return x.AllowedUsers
+	}
+	return nil
+}
+
+func (x *Policy) GetAllowedGroups() []string {
+	if x != nil {
+		return x.AllowedGroups
+	}
+	return nil
+}
+
+func (x *Policy) GetAllowedDomains() []string {
+	if x != nil {
+		return x.AllowedDomains
+	}
+	return nil
+}
+
+func (x *Policy) GetPrefix() string {
+	if x != nil {
+		return x.Prefix
+	}
+	return ""
+}
+
+func (x *Policy) GetPath() string {
+	if x != nil {
+		return x.Path
+	}
+	return ""
+}
+
+func (x *Policy) GetRegex() string {
+	if x != nil {
+		return x.Regex
+	}
+	return ""
+}
+
+func (x *Policy) GetCorsAllowPreflight() bool {
+	if x != nil {
+		return x.CorsAllowPreflight
+	}
+	return false
+}
+
+func (x *Policy) GetAllowPublicUnauthenticatedAccess() bool {
+	if x != nil {
+		return x.AllowPublicUnauthenticatedAccess
+	}
+	return false
+}
+
+func (x *Policy) GetTimeout() *duration.Duration {
+	if x != nil {
+		return x.Timeout
+	}
+	return nil
+}
+
+func (x *Policy) GetAllowWebsockets() bool {
+	if x != nil {
+		return x.AllowWebsockets
+	}
+	return false
+}
+
+func (x *Policy) GetTlsSkipVerify() bool {
+	if x != nil {
+		return x.TlsSkipVerify
+	}
+	return false
+}
+
+func (x *Policy) GetTlsServerName() string {
+	if x != nil {
+		return x.TlsServerName
+	}
+	return ""
+}
+
+func (x *Policy) GetTlsCustomCa() string {
+	if x != nil {
+		return x.TlsCustomCa
+	}
+	return ""
+}
+
+func (x *Policy) GetTlsCustomCaFile() string {
+	if x != nil {
+		return x.TlsCustomCaFile
+	}
+	return ""
+}
+
+func (x *Policy) GetTlsClientCert() string {
+	if x != nil {
+		return x.TlsClientCert
+	}
+	return ""
+}
+
+func (x *Policy) GetTlsClientKey() string {
+	if x != nil {
+		return x.TlsClientKey
+	}
+	return ""
+}
+
+func (x *Policy) GetTlsClientCertFile() string {
+	if x != nil {
+		return x.TlsClientCertFile
+	}
+	return ""
+}
+
+func (x *Policy) GetTlsClientKeyFile() string {
+	if x != nil {
+		return x.TlsClientKeyFile
+	}
+	return ""
+}
+
+func (x *Policy) GetSetRequestHeaders() map[string]string {
+	if x != nil {
+		return x.SetRequestHeaders
+	}
+	return nil
+}
+
+func (x *Policy) GetRemoveRequestHeaders() []string {
+	if x != nil {
+		return x.RemoveRequestHeaders
+	}
+	return nil
+}
+
+func (x *Policy) GetPreserveHostHeader() bool {
+	if x != nil {
+		return x.PreserveHostHeader
+	}
+	return false
+}
+
+func (x *Policy) GetPassIdentityHeaders() bool {
+	if x != nil {
+		return x.PassIdentityHeaders
+	}
+	return false
+}
+
+func (x *Policy) GetKubernetesServiceAccountToken() string {
+	if x != nil {
+		return x.KubernetesServiceAccountToken
+	}
+	return ""
+}
+
+var File_config_proto protoreflect.FileDescriptor
+
+var file_config_proto_rawDesc = []byte{
+	0x0a, 0x0c, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0f,
+	0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x1a,
+	0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
+	0x51, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x33, 0x0a,
+	0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x17, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x08, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x69,
+	0x65, 0x73, 0x22, 0xb2, 0x09, 0x0a, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x12, 0x0a,
+	0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d,
+	0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x74, 0x6f, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x23, 0x0a, 0x0d, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64,
+	0x5f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x61, 0x6c,
+	0x6c, 0x6f, 0x77, 0x65, 0x64, 0x55, 0x73, 0x65, 0x72, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x6c,
+	0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x05, 0x20, 0x03,
+	0x28, 0x09, 0x52, 0x0d, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x47, 0x72, 0x6f, 0x75, 0x70,
+	0x73, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x64, 0x6f, 0x6d,
+	0x61, 0x69, 0x6e, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, 0x61, 0x6c, 0x6c, 0x6f,
+	0x77, 0x65, 0x64, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72,
+	0x65, 0x66, 0x69, 0x78, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66,
+	0x69, 0x78, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18,
+	0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x12, 0x30, 0x0a, 0x14,
+	0x63, 0x6f, 0x72, 0x73, 0x5f, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x6c,
+	0x69, 0x67, 0x68, 0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x63, 0x6f, 0x72, 0x73,
+	0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x50, 0x72, 0x65, 0x66, 0x6c, 0x69, 0x67, 0x68, 0x74, 0x12, 0x4d,
+	0x0a, 0x23, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x75,
+	0x6e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61,
+	0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x20, 0x61, 0x6c, 0x6c,
+	0x6f, 0x77, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x55, 0x6e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e,
+	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x12, 0x33, 0x0a,
+	0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
+	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f,
+	0x75, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x77, 0x65, 0x62, 0x73,
+	0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x61, 0x6c,
+	0x6c, 0x6f, 0x77, 0x57, 0x65, 0x62, 0x73, 0x6f, 0x63, 0x6b, 0x65, 0x74, 0x73, 0x12, 0x26, 0x0a,
+	0x0f, 0x74, 0x6c, 0x73, 0x5f, 0x73, 0x6b, 0x69, 0x70, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79,
+	0x18, 0x0e, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x74, 0x6c, 0x73, 0x53, 0x6b, 0x69, 0x70, 0x56,
+	0x65, 0x72, 0x69, 0x66, 0x79, 0x12, 0x26, 0x0a, 0x0f, 0x74, 0x6c, 0x73, 0x5f, 0x73, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d,
+	0x74, 0x6c, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a,
+	0x0d, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x63, 0x61, 0x18, 0x10,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x74, 0x6c, 0x73, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x43,
+	0x61, 0x12, 0x2b, 0x0a, 0x12, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f,
+	0x63, 0x61, 0x5f, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x74,
+	0x6c, 0x73, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x43, 0x61, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x26,
+	0x0a, 0x0f, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72,
+	0x74, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x74, 0x6c, 0x73, 0x43, 0x6c, 0x69, 0x65,
+	0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x12, 0x24, 0x0a, 0x0e, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6c,
+	0x69, 0x65, 0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
+	0x74, 0x6c, 0x73, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x2f, 0x0a, 0x14,
+	0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x5f,
+	0x66, 0x69, 0x6c, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x74, 0x6c, 0x73, 0x43,
+	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x2d, 0x0a,
+	0x13, 0x74, 0x6c, 0x73, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x5f,
+	0x66, 0x69, 0x6c, 0x65, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x74, 0x6c, 0x73, 0x43,
+	0x6c, 0x69, 0x65, 0x6e, 0x74, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x5e, 0x0a, 0x13,
+	0x73, 0x65, 0x74, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64,
+	0x65, 0x72, 0x73, 0x18, 0x16, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x70, 0x6f, 0x6d, 0x65,
+	0x72, 0x69, 0x75, 0x6d, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x6f, 0x6c, 0x69,
+	0x63, 0x79, 0x2e, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61,
+	0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x11, 0x73, 0x65, 0x74, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x34, 0x0a, 0x16,
+	0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x68,
+	0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x17, 0x20, 0x03, 0x28, 0x09, 0x52, 0x14, 0x72, 0x65,
+	0x6d, 0x6f, 0x76, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65,
+	0x72, 0x73, 0x12, 0x30, 0x0a, 0x14, 0x70, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x5f, 0x68,
+	0x6f, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x18, 0x20, 0x01, 0x28, 0x08,
+	0x52, 0x12, 0x70, 0x72, 0x65, 0x73, 0x65, 0x72, 0x76, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x48, 0x65,
+	0x61, 0x64, 0x65, 0x72, 0x12, 0x32, 0x0a, 0x15, 0x70, 0x61, 0x73, 0x73, 0x5f, 0x69, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x19, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x13, 0x70, 0x61, 0x73, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x47, 0x0a, 0x20, 0x6b, 0x75, 0x62, 0x65,
+	0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61,
+	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x1a, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x1d, 0x6b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x53, 0x65,
+	0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x1a, 0x44, 0x0a, 0x16, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48,
+	0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
+	0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a,
+	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x2e, 0x5a, 0x2c, 0x67, 0x69, 0x74, 0x68, 0x75,
+	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70,
+	0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x72, 0x70, 0x63,
+	0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_config_proto_rawDescOnce sync.Once
+	file_config_proto_rawDescData = file_config_proto_rawDesc
+)
+
+func file_config_proto_rawDescGZIP() []byte {
+	file_config_proto_rawDescOnce.Do(func() {
+		file_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_config_proto_rawDescData)
+	})
+	return file_config_proto_rawDescData
+}
+
+var file_config_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
+var file_config_proto_goTypes = []interface{}{
+	(*Config)(nil),            // 0: pomerium.config.Config
+	(*Policy)(nil),            // 1: pomerium.config.Policy
+	nil,                       // 2: pomerium.config.Policy.SetRequestHeadersEntry
+	(*duration.Duration)(nil), // 3: google.protobuf.Duration
+}
+var file_config_proto_depIdxs = []int32{
+	1, // 0: pomerium.config.Config.policies:type_name -> pomerium.config.Policy
+	3, // 1: pomerium.config.Policy.timeout:type_name -> google.protobuf.Duration
+	2, // 2: pomerium.config.Policy.set_request_headers:type_name -> pomerium.config.Policy.SetRequestHeadersEntry
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_config_proto_init() }
+func file_config_proto_init() {
+	if File_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Config); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_config_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Policy); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_config_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   3,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_config_proto_goTypes,
+		DependencyIndexes: file_config_proto_depIdxs,
+		MessageInfos:      file_config_proto_msgTypes,
+	}.Build()
+	File_config_proto = out.File
+	file_config_proto_rawDesc = nil
+	file_config_proto_goTypes = nil
+	file_config_proto_depIdxs = nil
+}
--- a/pkg/grpc/config/config.proto
+++ b/pkg/grpc/config/config.proto
@ -0,0 +1,49 @@
+syntax = "proto3";
+
+package pomerium.config;
+option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
+
+import "google/protobuf/duration.proto";
+
+message Config {
+  string name = 1;
+  repeated Policy policies = 2;
+}
+
+message Policy {
+  string name = 1;
+
+  string from = 2;
+  string to = 3;
+
+  repeated string allowed_users = 4;
+  repeated string allowed_groups = 5;
+  repeated string allowed_domains = 6;
+
+  string prefix = 7;
+  string path = 8;
+  string regex = 9;
+
+  bool cors_allow_preflight = 10;
+  bool allow_public_unauthenticated_access = 11;
+  google.protobuf.Duration timeout = 12;
+  bool allow_websockets = 13;
+
+  bool tls_skip_verify = 14;
+  string tls_server_name = 15;
+  string tls_custom_ca = 16;
+  string tls_custom_ca_file = 17;
+
+  string tls_client_cert = 18;
+  string tls_client_key = 19;
+  string tls_client_cert_file = 20;
+  string tls_client_key_file = 21;
+
+  map<string, string> set_request_headers = 22;
+  repeated string remove_request_headers = 23;
+
+  bool preserve_host_header = 24;
+  bool pass_identity_headers = 25;
+
+  string kubernetes_service_account_token = 26;
+}
--- a/pkg/grpc/grpc.go
+++ b/pkg/grpc/grpc.go
@ -5,3 +5,4 @@ package grpc
 //go:generate ../../scripts/protoc -I ./databroker/ --go_out=plugins=grpc:$GOPATH/src ./databroker/databroker.proto
 //go:generate ../../scripts/protoc -I ./directory/ --go_out=plugins=grpc:$GOPATH/src ./directory/directory.proto
 //go:generate ../../scripts/protoc -I ./audit/ --go_out=plugins=grpc:$GOPATH/src ./audit/audit.proto
+//go:generate ../../scripts/protoc -I ./config/ --go_out=plugins=grpc:$GOPATH/src ./config/config.proto