v0.6.0

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/configuration/examples/config/config.example.env

@@ -11,6 +11,7 @@ export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
 # AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
 # otherwise it should be set to a "behind-the-ingress" routable url
 # export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
+# export CACHE_SERVICE_URL=https://pomerium-cache-service.default.svc.cluster.local
 
 # Certificates can be loaded as files or base64 encoded bytes.
 # See : https://www.pomerium.io/docs/reference/certificates

docs/configuration/examples/config/config.example.yaml

@@ -9,6 +9,7 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 # authorize service url will default to localhost in all-in-one mode, otherwise
 # it should be set to a "behind-the-ingress" routable url
 # authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+# cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
 
 # Certificates can be loaded as files or base64 encoded bytes.
 # certificate_file: "./cert.pem" # optional, defaults to `./cert.pem`

docs/configuration/examples/docker/basic.docker-compose.yml

@@ -1,7 +1,7 @@
 version: "3"
 services:
   pomerium:
-    image: pomerium/pomerium:v0.5.0
+    image: pomerium/pomerium:latest
     environment:
       # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
       - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=

docs/configuration/examples/docker/nginx.docker-compose.yml

@@ -12,7 +12,7 @@ services:
       - /var/run/docker.sock:/tmp/docker.sock:ro
 
   pomerium-authenticate:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
     restart: always
     environment:
       - SERVICES=authenticate
@@ -31,6 +31,7 @@ services:
       - VIRTUAL_PROTO=http
       - VIRTUAL_HOST=authenticate.corp.beyondperimeter.com
       - VIRTUAL_PORT=443
+      - CACHE_SERVICE_URL=http://pomerium-cache:443
     volumes:
       - ../config/config.example.yaml:/pomerium/config.yaml:ro
 
@@ -38,7 +39,7 @@ services:
       - 443
 
   pomerium-proxy:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
     restart: always
     environment:
       - SERVICES=proxy
@@ -60,7 +61,7 @@ services:
       - 443
 
   pomerium-authorize:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
     restart: always
     environment:
       - SERVICES=authorize
@@ -75,6 +76,21 @@ services:
     expose:
       - 443
 
+  pomerium-cache:
+    image: pomerium/pomerium:latest # or `build: .` to build from source
+    restart: always
+    environment:
+      - SERVICES=cache
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - GRPC_INSECURE=TRUE
+      - GRPC_ADDRESS=:443
+    volumes:
+      # Retrieve non-secret config keys from the config file : https://www.pomerium.io/docs/reference/reference/
+      # See `config.example.yaml` and modify to fit your needs.
+      - ../config/config.example.yaml:/pomerium/config.yaml:ro
+    expose:
+      - 443
+
   # https://httpbin.corp.beyondperimeter.com
   httpbin:
     image: kennethreitz/httpbin:latest

docs/configuration/examples/kubernetes/kubernetes-config.yaml

@@ -1,9 +1,10 @@
 # Main configuration flags : https://www.pomerium.io/docs/reference/reference/
-address: ":80"
 insecure_server: true
+grpc_insecure: true
 
 authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
 
 override_certificate_name: "*.corp.beyondperimeter.com"
 

docs/configuration/examples/kubernetes/kubernetes_gke.sh

@@ -5,10 +5,10 @@
 # NOTE! You must change the identity provider client secret setting in your config file!
 
 echo "=> creating cluster"
-gcloud container clusters create pomerium --num-nodes 2
+gcloud container clusters create pomerium --num-nodes 3 --region us-west2
 
 echo "=> get cluster credentials so we can use kubctl locally"
-gcloud container clusters get-credentials pomerium
+gcloud container clusters get-credentials pomerium --region us-west2
 
 echo "=> create config from kubernetes-config.yaml which we will mount"
 kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
@@ -32,6 +32,7 @@ echo "=> deploy pomerium proxy, authorize, and authenticate"
 kubectl apply -f pomerium-proxy.yml
 kubectl apply -f pomerium-authenticate.yml
 kubectl apply -f pomerium-authorize.yml
+kubectl apply -f pomerium-cache.yml
 
 echo "=> deploy our test app, httpbin"
 kubectl apply -f httpbin.yml

docs/configuration/examples/kubernetes/pomerium-authenticate.yml

@@ -4,8 +4,8 @@ metadata:
   name: pomerium-authenticate-service
 spec:
   ports:
-    - port: 80
-      name: http
+    - port: 443
+      name: https
   selector:
     app: pomerium-authenticate
   type: NodePort
@@ -27,13 +27,13 @@ spec:
         app: pomerium-authenticate
     spec:
       containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
           name: pomerium-authenticate
           args:
             - --config=/etc/pomerium/config.yaml
           ports:
-            - containerPort: 80
-              name: http
+            - containerPort: 443
+              name: https
               protocol: TCP
           env:
             - name: SERVICES
@@ -51,12 +51,12 @@ spec:
           readinessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
           livenessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
             initialDelaySeconds: 5
             timeoutSeconds: 1

docs/configuration/examples/kubernetes/pomerium-authorize.yml

@@ -4,7 +4,7 @@ metadata:
   name: pomerium-authorize-service
 spec:
   ports:
-    - port: 80
+    - port: 443
       name: grpc
   selector:
     app: pomerium-authorize
@@ -27,12 +27,12 @@ spec:
         app: pomerium-authorize
     spec:
       containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
           name: pomerium-authorize
           args:
             - --config=/etc/pomerium/config.yaml
           ports:
-            - containerPort: 80
+            - containerPort: 443
               name: grpc
               protocol: TCP
           env:
@@ -45,12 +45,12 @@ spec:
                   key: shared-secret
           readinessProbe:
             tcpSocket:
-              port: 80
+              port: 443
             initialDelaySeconds: 5
             periodSeconds: 10
           livenessProbe:
             tcpSocket:
-              port: 80
+              port: 443
             initialDelaySeconds: 15
             periodSeconds: 20
 

docs/configuration/examples/kubernetes/pomerium-cache.yml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-cache-service
+spec:
+  clusterIP: None # cache is a headless service!
+  ports:
+    - port: 443
+      name: grpc
+  selector:
+    app: pomerium-cache
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-cache
+  labels:
+    app: pomerium-cache
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-cache
+  template:
+    metadata:
+      labels:
+        app: pomerium-cache
+    spec:
+      containers:
+        - image: pomerium/pomerium:master
+          name: pomerium-cache
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 443
+              name: grpc
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: cache
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+          readinessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 443
+            initialDelaySeconds: 15
+            periodSeconds: 20
+
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config

docs/configuration/examples/kubernetes/pomerium-proxy.yml

@@ -4,10 +4,10 @@ metadata:
   name: pomerium-proxy-service
 spec:
   ports:
-    - port: 80
+    - port: 443
       protocol: TCP
-      name: http
-      targetPort: http
+      name: https
+      targetPort: https
   selector:
     app: pomerium-proxy
   type: NodePort
@@ -29,13 +29,13 @@ spec:
         app: pomerium-proxy
     spec:
       containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
           name: pomerium-proxy
           args:
             - --config=/etc/pomerium/config.yaml
           ports:
-            - containerPort: 80
-              name: http
+            - containerPort: 443
+              name: https
               protocol: TCP
           env:
             - name: SERVICES
@@ -53,12 +53,12 @@ spec:
           readinessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
           livenessProbe:
             httpGet:
               path: /ping
-              port: 80
+              port: 443
               scheme: HTTP
             initialDelaySeconds: 10
             timeoutSeconds: 1