move docs to settings.yaml (#1579)

This commit is contained in:
Caleb Doxsey 2020-11-05 12:13:10 -07:00 committed by GitHub
parent 85a5961e5e
commit bfe68d1fd8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 25 deletions


@ -148,7 +148,14 @@ settings:
shortdoc: | shortdoc: |
Let's Encrypt has strict usage limits. Enabling this setting allows you to use Let's Encrypt's staging environment which has much more lax usage limits. Let's Encrypt has strict usage limits. Enabling this setting allows you to use Let's Encrypt's staging environment which has much more lax usage limits.
- name: "Certificates" - name: "Certificates"
keys: [ "certificates", "certificate", "certificate_key", "certificate_file", "certificate_key_file" ] keys:
[
"certificates",
"certificate",
"certificate_key",
"certificate_file",
"certificate_key_file",
]
attributes: | attributes: |
- Config File Key: `certificates` (not yet settable using environmental variables) - Config File Key: `certificates` (not yet settable using environmental variables)
- Config File Key: `certificate` / `certificate_key` - Config File Key: `certificate` / `certificate_key`
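Review bot: This hunk is formatting-only: the `keys` flow sequence is re-wrapped one item per line with a trailing comma, and no key is added or removed. The trailing comma inside a flow sequence is valid YAML 1.2 and is accepted by PyYAML, so the generator should parse it unchanged; if this wrapping comes from a formatter such as prettier, it would be worth running that formatter in CI so hand edits to settings.yaml do not flip the style back and forth in later diffs.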
@ -616,7 +623,14 @@ settings:
shortdoc: | shortdoc: |
Shared Secret is the base64 encoded 256-bit key used to mutually authenticate requests between services. Shared Secret is the base64 encoded 256-bit key used to mutually authenticate requests between services.
- name: "Tracing" - name: "Tracing"
keys: ["tracing_provider", "tracing_sample_rate", "tracing_jaeger_collector_endpoint", "tracing_jaeger_agent_endpoint", "tracing_zipkin_endpoint"] keys:
[
"tracing_provider",
"tracing_sample_rate",
"tracing_jaeger_collector_endpoint",
"tracing_jaeger_agent_endpoint",
"tracing_zipkin_endpoint",
]
doc: | doc: |
Tracing tracks the progression of a single user request as it is handled by Pomerium. Tracing tracks the progression of a single user request as it is handled by Pomerium.
@ -794,7 +808,8 @@ settings:
shortdoc: | shortdoc: |
Headers specifies a mapping of HTTP Header to be added to proxied requests. Nota bene Downstream application headers will be overwritten by Pomerium's headers on conflict. Headers specifies a mapping of HTTP Header to be added to proxied requests. Nota bene Downstream application headers will be overwritten by Pomerium's headers on conflict.
- name: "Identity Provider Refresh Directory Settings" - name: "Identity Provider Refresh Directory Settings"
keys: ["idp_refresh_directory_interval", "idp_refresh_directory_timeout"] keys:
["idp_refresh_directory_interval", "idp_refresh_directory_timeout"]
attributes: | attributes: |
- Environmental Variables: `IDP_REFRESH_DIRECTORY_INTERVAL` `IDP_REFRESH_DIRECTORY_TIMEOUT` - Environmental Variables: `IDP_REFRESH_DIRECTORY_INTERVAL` `IDP_REFRESH_DIRECTORY_TIMEOUT`
- Config File Key: `idp_refresh_directory_interval` `idp_refresh_directory_timeout` - Config File Key: `idp_refresh_directory_interval` `idp_refresh_directory_timeout`
@ -1104,7 +1119,11 @@ settings:
doc: | doc: |
`From` is the externally accessible source of the proxied request. `From` is the externally accessible source of the proxied request.
- name: "Kubernetes Service Account Token" - name: "Kubernetes Service Account Token"
keys: ["kubernetes_service_account_token", "kubernetes_service_account_token_file"] keys:
[
"kubernetes_service_account_token",
"kubernetes_service_account_token_file",
]
attributes: | attributes: |
- `yaml`/`json` setting: `kubernetes_service_account_token` / `kubernetes_service_account_token_file` - `yaml`/`json` setting: `kubernetes_service_account_token` / `kubernetes_service_account_token_file`
- Type: `string` or relative file location containing a Kubernetes bearer token - Type: `string` or relative file location containing a Kubernetes bearer token
@ -1165,7 +1184,13 @@ settings:
A request to `https://from.example.com/admin` would be forwarded to `https://to.example.com/`. A request to `https://from.example.com/admin` would be forwarded to `https://to.example.com/`.
- name: "Host Rewrite" - name: "Host Rewrite"
keys: ["host_rewrite", "host_rewrite_header", "host_path_regex_rewrite_pattern", "host_path_regex_rewrite_substitution"] keys:
[
"host_rewrite",
"host_rewrite_header",
"host_path_regex_rewrite_pattern",
"host_path_regex_rewrite_substitution",
]
attributes: | attributes: |
- `yaml`/`json` settings: `host_rewrite`, `host_rewrite_header`, `host_path_regex_rewrite_pattern`, `host_path_regex_rewrite_substitution` - `yaml`/`json` settings: `host_rewrite`, `host_rewrite_header`, `host_path_regex_rewrite_pattern`, `host_path_regex_rewrite_substitution`
- Type: `string` - Type: `string`
@ -1197,6 +1222,17 @@ settings:
**Use with caution:** Allow all requests for a given route, bypassing authentication and authorization. Suitable for publicly exposed web services. **Use with caution:** Allow all requests for a given route, bypassing authentication and authorization. Suitable for publicly exposed web services.
If this setting is enabled, no whitelists (e.g. Allowed Users) should be provided in this route. If this setting is enabled, no whitelists (e.g. Allowed Users) should be provided in this route.
- name: "Allow Any Authenticated User"
keys: ["allow_any_authenticated_user"]
attributes: |
- `yaml`/`json` setting: `allow_any_authenticated_user`
- Type: `bool`
- Optional
- Default: `false`
doc: |
**Use with caution:** This setting will allow all requests for any user which is able to authenticate with our given identity provider. For instance, if you are using a corporate GSuite account, an unrelated gmail user will be able to access the underlying upstream.
Use of this setting means Pomerium **will not enforce centralized authorization policy** for this route. The upstream is responsible for handling any authorization.
- name: "Regex" - name: "Regex"
keys: ["regex"] keys: ["regex"]
attributes: | attributes: |
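Review bot: This hunk adds a new setting entry rather than moving existing docs, which the commit title does not mention; it should be called out in the commit message. In the `doc` text for "Allow Any Authenticated User", "with our given identity provider" reads as a typo for "with your given identity provider". The entry would also benefit from stating, as the "Allow Public Unauthenticated Access" entry just above it does, that no whitelists (e.g. Allowed Users) should be set on the same route, since the text already says the upstream is responsible for authorization.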
@ -1333,7 +1369,13 @@ settings:
Note: This setting will replace (not append) the system's trust store for a given route. Note: This setting will replace (not append) the system's trust store for a given route.
- name: "TLS Client Certificate" - name: "TLS Client Certificate"
keys: ["tls_client_cert", "tls_client_key", "tls_client_cert_file", "tls_client_key_file"] keys:
[
"tls_client_cert",
"tls_client_key",
"tls_client_cert_file",
"tls_client_key_file",
]
attributes: | attributes: |
- Config File Key: `tls_client_cert` and `tls_client_key` or `tls_client_cert_file` and `tls_client_key_file` - Config File Key: `tls_client_cert` and `tls_client_key` or `tls_client_cert_file` and `tls_client_key_file`
- Type: [base64 encoded] `string` or relative file location - Type: [base64 encoded] `string` or relative file location

3 scripts/generate-settings-docs.py Normal file → Executable file

@ -18,8 +18,7 @@ def main():
"..", "docs", "reference", "readme.md"), "w") "..", "docs", "reference", "readme.md"), "w")
f.write(f"{doc['preamble']}\n") f.write(f"{doc['preamble']}\n")
write_setting(f, 1, doc) write_setting(f, 1, doc)
f.write(f"{doc['postamble']}\n") f.write(f"{doc['postamble']}")
f.close() f.close()
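Review bot: Dropping the trailing `\n` from the postamble write means the generated readme.md ends with a final newline only if `doc['postamble']` itself ends with one, which depends on the block scalar style used in settings.yaml. If the intent is to avoid a doubled blank line at the end of the file, `f.write(doc['postamble'].rstrip('\n') + '\n')` gives exactly one trailing newline regardless of how the YAML is written. The file header marks the script executable; make sure a shebang line is present at the top, which is outside the lines shown here. Also consider `with open(...) as f:` in place of the explicit `f.close()` so the file is closed even if a write raises.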