v0.6.0

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/configuration/examples/config/config.example.env

@@ -11,6 +11,7 @@ export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
 # AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
 # otherwise it should be set to a "behind-the-ingress" routable url
 # export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
+# export CACHE_SERVICE_URL=https://pomerium-cache-service.default.svc.cluster.local
 
 # Certificates can be loaded as files or base64 encoded bytes.
 # See : https://www.pomerium.io/docs/reference/certificates

docs/configuration/examples/config/config.example.yaml

@@ -9,6 +9,7 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 # authorize service url will default to localhost in all-in-one mode, otherwise
 # it should be set to a "behind-the-ingress" routable url
 # authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+# cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
 
 # Certificates can be loaded as files or base64 encoded bytes.
 # certificate_file: "./cert.pem" # optional, defaults to `./cert.pem`

docs/configuration/examples/docker/basic.docker-compose.yml

@@ -1,7 +1,7 @@
 version: "3"
 services:
   pomerium:
-    image: pomerium/pomerium:v0.5.0
+    image: pomerium/pomerium:latest
     environment:
       # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
       - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=

docs/configuration/examples/docker/nginx.docker-compose.yml

@@ -12,7 +12,7 @@ services:
       - /var/run/docker.sock:/tmp/docker.sock:ro
 
   pomerium-authenticate:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
     restart: always
     environment:
       - SERVICES=authenticate
@@ -31,6 +31,7 @@ services:
       - VIRTUAL_PROTO=http
       - VIRTUAL_HOST=authenticate.corp.beyondperimeter.com
       - VIRTUAL_PORT=443
+      - CACHE_SERVICE_URL=http://pomerium-cache:443
     volumes:
       - ../config/config.example.yaml:/pomerium/config.yaml:ro
 
@@ -38,7 +39,7 @@ services:
       - 443
 
   pomerium-proxy:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
     restart: always
     environment:
       - SERVICES=proxy
@@ -60,7 +61,7 @@ services:
       - 443
 
   pomerium-authorize:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
     restart: always
     environment:
       - SERVICES=authorize
@@ -75,6 +76,21 @@ services:
     expose:
       - 443
 
+  pomerium-cache:
+    image: pomerium/pomerium:latest # or `build: .` to build from source
+    restart: always
+    environment:
+      - SERVICES=cache
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - GRPC_INSECURE=TRUE
+      - GRPC_ADDRESS=:443
+    volumes:
+      # Retrieve non-secret config keys from the config file : https://www.pomerium.io/docs/reference/reference/
+      # See `config.example.yaml` and modify to fit your needs.
+      - ../config/config.example.yaml:/pomerium/config.yaml:ro
+    expose:
+      - 443
+
   # https://httpbin.corp.beyondperimeter.com
   httpbin:
     image: kennethreitz/httpbin:latest

docs/configuration/examples/kubernetes/kubernetes-config.yaml

@@ -1,9 +1,10 @@
 # Main configuration flags : https://www.pomerium.io/docs/reference/reference/
-address: ":80"
 insecure_server: true
+grpc_insecure: true
 
 authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
 
 override_certificate_name: "*.corp.beyondperimeter.com"
 

docs/configuration/examples/kubernetes/kubernetes_gke.sh

@@ -5,10 +5,10 @@
 # NOTE! You must change the identity provider client secret setting in your config file!
 
 echo "=> creating cluster"
-gcloud container clusters create pomerium --num-nodes 2
+gcloud container clusters create pomerium --num-nodes 3 --region us-west2
 
 echo "=> get cluster credentials so we can use kubctl locally"
-gcloud container clusters get-credentials pomerium
+gcloud container clusters get-credentials pomerium --region us-west2
 
 echo "=> create config from kubernetes-config.yaml which we will mount"
 kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
@@ -32,6 +32,7 @@ echo "=> deploy pomerium proxy, authorize, and authenticate"
 kubectl apply -f pomerium-proxy.yml
 kubectl apply -f pomerium-authenticate.yml
 kubectl apply -f pomerium-authorize.yml
+kubectl apply -f pomerium-cache.yml
 
 echo "=> deploy our test app, httpbin"
 kubectl apply -f httpbin.yml

docs/configuration/examples/kubernetes/pomerium-authenticate.yml

@@ -4,8 +4,8 @@ metadata:
   name: pomerium-authenticate-service
 spec:
   ports:
-    - port: 80
-      name: http
+    - port: 443
+      name: https
   selector:
     app: pomerium-authenticate
   type: NodePort
@@ -27,13 +27,13 @@ spec:
         app: pomerium-authenticate
     spec:
       containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
           name: pomerium-authenticate
           args:
             - --config=/etc/pomerium/config.yaml
           ports:
-            - containerPort: 80
-              name: http
+            - containerPort: 443
+              name: https
               protocol: TCP
           env:
             - name: SERVICES
@@ -51,12 +51,12 @@ spec:
           readinessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
           livenessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
             initialDelaySeconds: 5
             timeoutSeconds: 1

docs/configuration/examples/kubernetes/pomerium-authorize.yml

@@ -4,7 +4,7 @@ metadata:
   name: pomerium-authorize-service
 spec:
   ports:
-    - port: 80
+    - port: 443
       name: grpc
   selector:
     app: pomerium-authorize
@@ -27,12 +27,12 @@ spec:
         app: pomerium-authorize
     spec:
       containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
           name: pomerium-authorize
           args:
             - --config=/etc/pomerium/config.yaml
           ports:
-            - containerPort: 80
+            - containerPort: 443
               name: grpc
               protocol: TCP
           env:
@@ -45,12 +45,12 @@ spec:
                   key: shared-secret
           readinessProbe:
             tcpSocket:
-              port: 80
+              port: 443
             initialDelaySeconds: 5
             periodSeconds: 10
           livenessProbe:
             tcpSocket:
-              port: 80
+              port: 443
             initialDelaySeconds: 15
             periodSeconds: 20
 

docs/configuration/examples/kubernetes/pomerium-cache.yml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-cache-service
+spec:
+  clusterIP: None # cache is a headless service!
+  ports:
+    - port: 443
+      name: grpc
+  selector:
+    app: pomerium-cache
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-cache
+  labels:
+    app: pomerium-cache
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-cache
+  template:
+    metadata:
+      labels:
+        app: pomerium-cache
+    spec:
+      containers:
+        - image: pomerium/pomerium:master
+          name: pomerium-cache
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 443
+              name: grpc
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: cache
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+          readinessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 15
+            periodSeconds: 20
+
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config

docs/configuration/examples/kubernetes/pomerium-proxy.yml

@@ -4,10 +4,10 @@ metadata:
   name: pomerium-proxy-service
 spec:
   ports:
-    - port: 80
+    - port: 443
       protocol: TCP
-      name: http
-      targetPort: http
+      name: https
+      targetPort: https
   selector:
     app: pomerium-proxy
   type: NodePort
@@ -29,13 +29,13 @@ spec:
         app: pomerium-proxy
     spec:
       containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
           name: pomerium-proxy
           args:
             - --config=/etc/pomerium/config.yaml
           ports:
-            - containerPort: 80
-              name: http
+            - containerPort: 443
+              name: https
               protocol: TCP
           env:
             - name: SERVICES
@@ -53,12 +53,12 @@ spec:
           readinessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
           livenessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
             initialDelaySeconds: 10
             timeoutSeconds: 1

docs/configuration/readme.md

@@ -30,7 +30,7 @@ These are configuration variables shared by all services, in all service modes.
 - Config File Key: `services`
 - Type: `string`
 - Default: `all`
-- Options: `all` `authenticate` `authorize` or `proxy`
+- Options: `all` `authenticate` `authorize` `cache` or `proxy`
 
 Service mode sets the pomerium service(s) to run. If testing, you may want to set to `all` and run pomerium in "all-in-one mode." In production, you'll likely want to spin up several instances of each service mode for high availability.
 
@@ -43,7 +43,7 @@ Service mode sets the pomerium service(s) to run. If testing, you may want to se
 - Default: `:443`
 - Required
 
-Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used.
+Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used. Note, in all-in-one deployments, gRPC traffic will be served on loopback on port `:5443`.
 
 ### Administrators
 
@@ -541,7 +541,7 @@ If your load balancer does not support gRPC pass-through you'll need to set this
 - Environmental Variable: `OVERRIDE_CERTIFICATE_NAME`
 - Config File Key: `override_certificate_name`
 - Type: `int`
-- Optional (but typically required if Authenticate Internal Service Address is set)
+- Optional
 - Example: `*.corp.example.com` if wild card or `authenticate.corp.example.com`/`authorize.corp.example.com`
 
 Secure service communication can fail if the external certificate does not match the internally routed service hostname/[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). This setting allows you to override that value.
@@ -608,6 +608,64 @@ Refresh cooldown is the minimum amount of time between allowed manually refreshe
 
 Default Upstream Timeout is the default timeout applied to a proxied route when no `timeout` key is specified by the policy.
 
+## Cache Service
+
+The cache service is used for storing user session data.
+
+### Cache Store
+
+- Environmental Variable: `CACHE_STORE`
+- Config File Key: `cache_store`
+- Type: `string`
+- Default: `autocache`
+- Options: `autocache` `bolt` or `redis`. Other contributions are welcome.
+
+CacheStore is the name of session cache backend to use.
+
+### Autocache
+
+[Autocache](https://github.com/pomerium/autocache) is the default session store. Autocache is based off of distributed version of [memecached](https://memcached.org/), called [groupcache](https://github.com/golang/groupcache) made by Google and used by many organizations like Twitter and Vimeo in production. Autocache is suitable for both small deployments, where it acts as a embedded cache, or larger scale, distributed installs.
+
+When deployed in a distributed fashion, autocache uses [gossip](https://github.com/hashicorp/memberlist) based membership to manage its peers.
+
+Autocache does not require any additional settings but does require that the cache url setting returns name records that correspond to a [list of peers](https://kubernetes.io/docs/concepts/services-networking/service/#headless-services).
+
+### [Redis](https://redis.io/)
+
+Redis, when used as a [LRU cache](https://redis.io/topics/lru-cache), functions in a very similar way to autocache. Redis store support allows you to leverage existing infrastructure, and to persist session data if that is a requirement.
+
+#### Redis Address
+
+- Environmental Variable: `CACHE_STORE_ADDRESS`
+- Config File Key: `cache_store_address`
+- Type: `string`
+- Example: `localhost:6379`
+
+CacheStoreAddr specifies the host and port on which the cache store should connect to redis.
+
+#### Redis Password
+
+- Environmental Variable: `CACHE_STORE_PASSWORD`
+- Config File Key: `cache_store_password`
+- Type: `string`
+
+CacheStoreAddr is the password used to connect to redis.
+
+### [Bolt](https://godoc.org/go.etcd.io/bbolt/)
+
+Bolt is a simple, lightweight, low level key value store and is the underlying storage mechanism in projects like [etcd](https://etcd.io/). Bolt persists data to a file, and has no built in eviction mechanism.
+
+Bolt is suitable for all-in-one deployments that do not require concurrent / distributed writes.
+
+#### Bolt Path
+
+- Environmental Variable: `CACHE_STORE_PATH`
+- Config File Key: `cache_store_path`
+- Type: `string`
+- Example: `/etc/bolt.db`
+
+CacheStorePath is the path to save bolt's database file.
+
 ## Policy
 
 - Environmental Variable: `POLICY`