move docs to settings.yaml (#1579)

Caleb Doxsey 2020-11-05 12:13:10 -07:00 committed by GitHub
parent 85a5961e5e
commit bfe68d1fd8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 66 additions and 25 deletions


@ -148,7 +148,14 @@ settings:
shortdoc: |
Let's Encrypt has strict usage limits. Enabling this setting allows you to use Let's Encrypt's staging environment which has much more lax usage limits.
- name: "Certificates"
keys: [ "certificates", "certificate", "certificate_key", "certificate_file", "certificate_key_file" ]
keys:
[
"certificates",
"certificate",
"certificate_key",
"certificate_file",
"certificate_key_file",
]
attributes: |
- Config File Key: `certificates` (not yet settable using environmental variables)
- Config File Key: `certificate` / `certificate_key`
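Review bot: the rewritten `keys` value in the "Certificates" entry is still a flow sequence, now spread over several lines with a trailing comma before `]`. A block sequence (one `- "certificates"` item per line) is the more conventional YAML for a multi-line list and diffs just as cleanly. The same pattern repeats in the Tracing, Host Rewrite, Kubernetes Service Account Token and TLS Client Certificate hunks. These hunks change formatting only, while the commit title describes moving docs, so splitting the reformatting into its own commit would make the content change easier to review.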
@ -616,7 +623,14 @@ settings:
shortdoc: |
Shared Secret is the base64 encoded 256-bit key used to mutually authenticate requests between services.
- name: "Tracing"
keys: ["tracing_provider", "tracing_sample_rate", "tracing_jaeger_collector_endpoint", "tracing_jaeger_agent_endpoint", "tracing_zipkin_endpoint"]
keys:
[
"tracing_provider",
"tracing_sample_rate",
"tracing_jaeger_collector_endpoint",
"tracing_jaeger_agent_endpoint",
"tracing_zipkin_endpoint",
]
doc: |
Tracing tracks the progression of a single user request as it is handled by Pomerium.
@ -794,7 +808,8 @@ settings:
shortdoc: |
Headers specifies a mapping of HTTP Header to be added to proxied requests. Nota bene Downstream application headers will be overwritten by Pomerium's headers on conflict.
- name: "Identity Provider Refresh Directory Settings"
keys: ["idp_refresh_directory_interval", "idp_refresh_directory_timeout"]
keys:
["idp_refresh_directory_interval", "idp_refresh_directory_timeout"]
attributes: |
- Environmental Variables: `IDP_REFRESH_DIRECTORY_INTERVAL` `IDP_REFRESH_DIRECTORY_TIMEOUT`
- Config File Key: `idp_refresh_directory_interval` `idp_refresh_directory_timeout`
@ -1104,7 +1119,11 @@ settings:
doc: |
`From` is the externally accessible source of the proxied request.
- name: "Kubernetes Service Account Token"
keys: ["kubernetes_service_account_token", "kubernetes_service_account_token_file"]
keys:
[
"kubernetes_service_account_token",
"kubernetes_service_account_token_file",
]
attributes: |
- `yaml`/`json` setting: `kubernetes_service_account_token` / `kubernetes_service_account_token_file`
- Type: `string` or relative file location containing a Kubernetes bearer token
@ -1165,7 +1184,13 @@ settings:
A request to `https://from.example.com/admin` would be forwarded to `https://to.example.com/`.
- name: "Host Rewrite"
keys: ["host_rewrite", "host_rewrite_header", "host_path_regex_rewrite_pattern", "host_path_regex_rewrite_substitution"]
keys:
[
"host_rewrite",
"host_rewrite_header",
"host_path_regex_rewrite_pattern",
"host_path_regex_rewrite_substitution",
]
attributes: |
- `yaml`/`json` settings: `host_rewrite`, `host_rewrite_header`, `host_path_regex_rewrite_pattern`, `host_path_regex_rewrite_substitution`
- Type: `string`
@ -1197,6 +1222,17 @@ settings:
**Use with caution:** Allow all requests for a given route, bypassing authentication and authorization. Suitable for publicly exposed web services.
If this setting is enabled, no whitelists (e.g. Allowed Users) should be provided in this route.
- name: "Allow Any Authenticated User"
keys: ["allow_any_authenticated_user"]
attributes: |
- `yaml`/`json` setting: `allow_any_authenticated_user`
- Type: `bool`
- Optional
- Default: `false`
doc: |
**Use with caution:** This setting will allow all requests for any user which is able to authenticate with our given identity provider. For instance, if you are using a corporate GSuite account, an unrelated gmail user will be able to access the underlying upstream.
Use of this setting means Pomerium **will not enforce centralized authorization policy** for this route. The upstream is responsible for handling any authorization.
- name: "Regex"
keys: ["regex"]
attributes: |
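Review bot: the new "Allow Any Authenticated User" doc text does not say how the setting interacts with allow lists on the same route, whereas the Public Access entry directly above states that no whitelists should be provided alongside it. Since this entry tells readers that Pomerium will not enforce centralized authorization policy for the route, add a sentence on whether it may be combined with settings such as Allowed Users and which one takes effect. Wording: "our given identity provider" should read "your identity provider", and "any user which is able" reads better as "any user who is able".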
@ -1333,7 +1369,13 @@ settings:
Note: This setting will replace (not append) the system's trust store for a given route.
- name: "TLS Client Certificate"
keys: ["tls_client_cert", "tls_client_key", "tls_client_cert_file", "tls_client_key_file"]
keys:
[
"tls_client_cert",
"tls_client_key",
"tls_client_cert_file",
"tls_client_key_file",
]
attributes: |
- Config File Key: `tls_client_cert` and `tls_client_key` or `tls_client_cert_file` and `tls_client_key_file`
- Type: [base64 encoded] `string` or relative file location

scripts/generate-settings-docs.py Normal file → Executable file

@ -18,8 +18,7 @@ def main():
"..", "docs", "reference", "readme.md"), "w")
f.write(f"{doc['preamble']}\n")
write_setting(f, 1, doc)
f.write(f"{doc['postamble']}\n")
f.write(f"{doc['postamble']}")
f.close()
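Review bot: with the final write changed to `f.write(f"{doc['postamble']}")`, whether the generated readme.md ends with a newline now depends entirely on how `postamble` is written in settings.yaml. A one-line comment saying that this is intentional would stop the `\n` from being put back later. Separately, the file is closed with an explicit `f.close()`; wrapping the writes in `with open(...) as f:` would close it even if `write_setting` raises. The file header also shows the script changing from a normal to an executable file, so confirm it starts with a shebang line, which is not visible in this hunk.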