v0.6.0

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-10 15:47:36 +02:00 · 2020-01-24 16:09:47 -08:00 · 2020-01-24 16:09:47 -08:00 · dd54ce4481
commit dd54ce4481
parent 8956bf4411
56 changed files with 272 additions and 49 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-v0.5.0
+v0.6.0
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -28,10 +28,11 @@ module.exports = {
      { text: "Enterprise", link: "/enterprise/" },
      {
-        text: "🚧Dev", // current tagged version
+        text: "v0.6.x", // current tagged version
        ariaLabel: "Version menu",
        items: [
          { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" },
          { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" },
          { text: "v0.5.x", link: "https://0-5-0.docs.pomerium.io/docs" },
          { text: "v0.4.x", link: "https://0-4-0.docs.pomerium.io/docs" },
          { text: "v0.3.x", link: "https://0-3-0.docs.pomerium.io/docs" },
--- a/docs/configuration/examples/config/config.example.env
+++ b/docs/configuration/examples/config/config.example.env
@ -11,6 +11,7 @@ export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
 # AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
 # otherwise it should be set to a "behind-the-ingress" routable url
 # export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
 # export CACHE_SERVICE_URL=https://pomerium-cache-service.default.svc.cluster.local
 # Certificates can be loaded as files or base64 encoded bytes.
 # See : https://www.pomerium.io/docs/reference/certificates
--- a/docs/configuration/examples/config/config.example.yaml
+++ b/docs/configuration/examples/config/config.example.yaml
@ -9,6 +9,7 @@ authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 # authorize service url will default to localhost in all-in-one mode, otherwise
 # it should be set to a "behind-the-ingress" routable url
 # authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
 # cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
 # Certificates can be loaded as files or base64 encoded bytes.
 # certificate_file: "./cert.pem" # optional, defaults to `./cert.pem`
--- a/docs/configuration/examples/docker/basic.docker-compose.yml
+++ b/docs/configuration/examples/docker/basic.docker-compose.yml
@ -1,7 +1,7 @@
 version: "3"
 services:
  pomerium:
-    image: pomerium/pomerium:v0.5.0
+    image: pomerium/pomerium:latest
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
--- a/docs/configuration/examples/docker/nginx.docker-compose.yml
+++ b/docs/configuration/examples/docker/nginx.docker-compose.yml
@ -12,7 +12,7 @@ services:
      - /var/run/docker.sock:/tmp/docker.sock:ro
  pomerium-authenticate:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authenticate
@ -31,6 +31,7 @@ services:
      - VIRTUAL_PROTO=http
      - VIRTUAL_HOST=authenticate.corp.beyondperimeter.com
      - VIRTUAL_PORT=443
      - CACHE_SERVICE_URL=http://pomerium-cache:443
    volumes:
      - ../config/config.example.yaml:/pomerium/config.yaml:ro
@ -38,7 +39,7 @@ services:
      - 443
  pomerium-proxy:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=proxy
@ -60,7 +61,7 @@ services:
      - 443
  pomerium-authorize:
-    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    image: pomerium/pomerium:latest # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authorize
@ -75,6 +76,21 @@ services:
    expose:
      - 443
  pomerium-cache:
    image: pomerium/pomerium:latest # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=cache
      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
      - GRPC_INSECURE=TRUE
      - GRPC_ADDRESS=:443
    volumes:
      # Retrieve non-secret config keys from the config file : https://www.pomerium.io/docs/reference/reference/
      # See `config.example.yaml` and modify to fit your needs.
      - ../config/config.example.yaml:/pomerium/config.yaml:ro
    expose:
      - 443
  # https://httpbin.corp.beyondperimeter.com
  httpbin:
    image: kennethreitz/httpbin:latest
--- a/docs/configuration/examples/kubernetes/kubernetes-config.yaml
+++ b/docs/configuration/examples/kubernetes/kubernetes-config.yaml
@ -1,9 +1,10 @@
 # Main configuration flags : https://www.pomerium.io/docs/reference/reference/
 address: ":80"
 insecure_server: true
 grpc_insecure: true
 authenticate_service_url: https://authenticate.corp.beyondperimeter.com
 authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
 cache_service_url: https://pomerium-cache-service.default.svc.cluster.local
 override_certificate_name: "*.corp.beyondperimeter.com"
--- a/docs/configuration/examples/kubernetes/kubernetes_gke.sh
+++ b/docs/configuration/examples/kubernetes/kubernetes_gke.sh
@ -5,10 +5,10 @@
 # NOTE! You must change the identity provider client secret setting in your config file!
 echo "=> creating cluster"
-gcloud container clusters create pomerium --num-nodes 2
+gcloud container clusters create pomerium --num-nodes 3 --region us-west2
 echo "=> get cluster credentials so we can use kubctl locally"
-gcloud container clusters get-credentials pomerium
+gcloud container clusters get-credentials pomerium --region us-west2
 echo "=> create config from kubernetes-config.yaml which we will mount"
 kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
@ -32,6 +32,7 @@ echo "=> deploy pomerium proxy, authorize, and authenticate"
 kubectl apply -f pomerium-proxy.yml
 kubectl apply -f pomerium-authenticate.yml
 kubectl apply -f pomerium-authorize.yml
 kubectl apply -f pomerium-cache.yml
 echo "=> deploy our test app, httpbin"
 kubectl apply -f httpbin.yml
--- a/docs/configuration/examples/kubernetes/pomerium-authenticate.yml
+++ b/docs/configuration/examples/kubernetes/pomerium-authenticate.yml
@ -4,8 +4,8 @@ metadata:
  name: pomerium-authenticate-service
 spec:
  ports:
-    - port: 80
+    - port: 443
-      name: http
+      name: https
  selector:
    app: pomerium-authenticate
  type: NodePort
@ -27,13 +27,13 @@ spec:
        app: pomerium-authenticate
    spec:
      containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
          name: pomerium-authenticate
          args:
            - --config=/etc/pomerium/config.yaml
          ports:
-            - containerPort: 80
+            - containerPort: 443
-              name: http
+              name: https
              protocol: TCP
          env:
            - name: SERVICES
@ -51,12 +51,12 @@ spec:
          readinessProbe:
            httpGet:
              path: /ping
-              port: 80
+              port: 443
              scheme: HTTP
          livenessProbe:
            httpGet:
              path: /ping
-              port: 80
+              port: 443
              scheme: HTTP
            initialDelaySeconds: 5
            timeoutSeconds: 1
--- a/docs/configuration/examples/kubernetes/pomerium-authorize.yml
+++ b/docs/configuration/examples/kubernetes/pomerium-authorize.yml
@ -4,7 +4,7 @@ metadata:
  name: pomerium-authorize-service
 spec:
  ports:
-    - port: 80
+    - port: 443
      name: grpc
  selector:
    app: pomerium-authorize
@ -27,12 +27,12 @@ spec:
        app: pomerium-authorize
    spec:
      containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
          name: pomerium-authorize
          args:
            - --config=/etc/pomerium/config.yaml
          ports:
-            - containerPort: 80
+            - containerPort: 443
              name: grpc
              protocol: TCP
          env:
@ -45,12 +45,12 @@ spec:
                  key: shared-secret
          readinessProbe:
            tcpSocket:
-              port: 80
+              port: 443
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
-              port: 80
+              port: 443
            initialDelaySeconds: 15
            periodSeconds: 20
--- a/docs/configuration/examples/kubernetes/pomerium-cache.yml
+++ b/docs/configuration/examples/kubernetes/pomerium-cache.yml
@ -0,0 +1,64 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: pomerium-cache-service
 spec:
  clusterIP: None # cache is a headless service!
  ports:
    - port: 443
      name: grpc
  selector:
    app: pomerium-cache
  type: ClusterIP
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: pomerium-cache
  labels:
    app: pomerium-cache
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: pomerium-cache
  template:
    metadata:
      labels:
        app: pomerium-cache
    spec:
      containers:
        - image: pomerium/pomerium:master
          name: pomerium-cache
          args:
            - --config=/etc/pomerium/config.yaml
          ports:
            - containerPort: 443
              name: grpc
              protocol: TCP
          env:
            - name: SERVICES
              value: cache
            - name: SHARED_SECRET
              valueFrom:
                secretKeyRef:
                  name: shared-secret
                  key: shared-secret
          readinessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 443
            initialDelaySeconds: 15
            periodSeconds: 20
          volumeMounts:
            - mountPath: /etc/pomerium/
              name: config
      volumes:
        - name: config
          configMap:
            name: config
--- a/docs/configuration/examples/kubernetes/pomerium-proxy.yml
+++ b/docs/configuration/examples/kubernetes/pomerium-proxy.yml
@ -4,10 +4,10 @@ metadata:
  name: pomerium-proxy-service
 spec:
  ports:
-    - port: 80
+    - port: 443
      protocol: TCP
-      name: http
+      name: https
-      targetPort: http
+      targetPort: https
  selector:
    app: pomerium-proxy
  type: NodePort
@ -29,13 +29,13 @@ spec:
        app: pomerium-proxy
    spec:
      containers:
-        - image: pomerium/pomerium:v0.5.0
+        - image: pomerium/pomerium:master
          name: pomerium-proxy
          args:
            - --config=/etc/pomerium/config.yaml
          ports:
-            - containerPort: 80
+            - containerPort: 443
-              name: http
+              name: https
              protocol: TCP
          env:
            - name: SERVICES
@ -53,12 +53,12 @@ spec:
          readinessProbe:
            httpGet:
              path: /ping
-              port: 80
+              port: 443
              scheme: HTTP
          livenessProbe:
            httpGet:
              path: /ping
-              port: 80
+              port: 443
              scheme: HTTP
            initialDelaySeconds: 10
            timeoutSeconds: 1
--- a/docs/configuration/readme.md
+++ b/docs/configuration/readme.md
@ -30,7 +30,7 @@ These are configuration variables shared by all services, in all service modes.
 - Config File Key: `services`
 - Type: `string`
 - Default: `all`
- Options: `all` `authenticate` `authorize` or `proxy`
+- Options: `all` `authenticate` `authorize` `cache` or `proxy`
 Service mode sets the pomerium service(s) to run. If testing, you may want to set to `all` and run pomerium in "all-in-one mode." In production, you'll likely want to spin up several instances of each service mode for high availability.
@ -43,7 +43,7 @@ Service mode sets the pomerium service(s) to run. If testing, you may want to se
 - Default: `:443`
 - Required
-Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used.
+Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used. Note, in all-in-one deployments, gRPC traffic will be served on loopback on port `:5443`.
 ### Administrators
@ -541,7 +541,7 @@ If your load balancer does not support gRPC pass-through you'll need to set this
 - Environmental Variable: `OVERRIDE_CERTIFICATE_NAME`
 - Config File Key: `override_certificate_name`
 - Type: `int`
- Optional (but typically required if Authenticate Internal Service Address is set)
+- Optional
 - Example: `*.corp.example.com` if wild card or `authenticate.corp.example.com`/`authorize.corp.example.com`
 Secure service communication can fail if the external certificate does not match the internally routed service hostname/[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). This setting allows you to override that value.
@ -608,6 +608,64 @@ Refresh cooldown is the minimum amount of time between allowed manually refreshe
 Default Upstream Timeout is the default timeout applied to a proxied route when no `timeout` key is specified by the policy.
 ## Cache Service
 The cache service is used for storing user session data.
 ### Cache Store
 - Environmental Variable: `CACHE_STORE`
 - Config File Key: `cache_store`
 - Type: `string`
 - Default: `autocache`
 - Options: `autocache` `bolt` or `redis`. Other contributions are welcome.
 CacheStore is the name of session cache backend to use.
 ### Autocache
 [Autocache](https://github.com/pomerium/autocache) is the default session store. Autocache is based off of distributed version of [memecached](https://memcached.org/), called [groupcache](https://github.com/golang/groupcache) made by Google and used by many organizations like Twitter and Vimeo in production. Autocache is suitable for both small deployments, where it acts as a embedded cache, or larger scale, distributed installs.
 When deployed in a distributed fashion, autocache uses [gossip](https://github.com/hashicorp/memberlist) based membership to manage its peers.
 Autocache does not require any additional settings but does require that the cache url setting returns name records that correspond to a [list of peers](https://kubernetes.io/docs/concepts/services-networking/service/#headless-services).
 ### [Redis](https://redis.io/)
 Redis, when used as a [LRU cache](https://redis.io/topics/lru-cache), functions in a very similar way to autocache. Redis store support allows you to leverage existing infrastructure, and to persist session data if that is a requirement.
 #### Redis Address
 - Environmental Variable: `CACHE_STORE_ADDRESS`
 - Config File Key: `cache_store_address`
 - Type: `string`
 - Example: `localhost:6379`
 CacheStoreAddr specifies the host and port on which the cache store should connect to redis.
 #### Redis Password
 - Environmental Variable: `CACHE_STORE_PASSWORD`
 - Config File Key: `cache_store_password`
 - Type: `string`
 CacheStoreAddr is the password used to connect to redis.
 ### [Bolt](https://godoc.org/go.etcd.io/bbolt/)
 Bolt is a simple, lightweight, low level key value store and is the underlying storage mechanism in projects like [etcd](https://etcd.io/). Bolt persists data to a file, and has no built in eviction mechanism.
 Bolt is suitable for all-in-one deployments that do not require concurrent / distributed writes.
 #### Bolt Path
 - Environmental Variable: `CACHE_STORE_PATH`
 - Config File Key: `cache_store_path`
 - Type: `string`
 - Example: `/etc/bolt.db`
 CacheStorePath is the path to save bolt's database file.
 ## Policy
 - Environmental Variable: `POLICY`
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -1,19 +1,46 @@
 # Changelog
-## vUnreleased
+## v0.6.0
-### New
+## New
-### Changed
+- authenticate: support backend refresh @desimone [GH-438]
 - cache: add cache service @desimone [GH-457]
- Added yaml tags to all options struct fields
+## Changed
  - [GH-394](https://github.com/pomerium/pomerium/pull/394)
  - [GH-397](https://github.com/pomerium/pomerium/pull/397)
 - Improved config validation for `shared_secret` [GH-427](https://github.com/pomerium/pomerium/pull/427)
-### Fixed
+- authorize: consolidate gRPC packages @desimone [GH-443]
 - config: added yaml tags to all options struct fields @travisgroth [GH-394],[gh-397]
 - config: improved config validation for `shared_secret` @travisgroth [GH-427]
 - config: Remove CookieRefresh [GH-428] @u5surf [GH-436]
 - config: validate that `shared_key` does not contain whitespace @travisgroth [GH-427]
 - httputil : wrap handlers for additional context @desimone [GH-413]
- Fixed regression preventing policy reload [GH-396](https://github.com/pomerium/pomerium/pull/396)
+## Fixed
 - proxy: fix unauthorized redirect loop for forward auth @desimone [GH-448]
 - proxy: fixed regression preventing policy reload [GH-396](https://github.com/pomerium/pomerium/pull/396)
 ## Documentation
 - add cookie settings @danderson [GH-429]
 - fix typo in forward auth nginx example @travisgroth [GH-445]
 - improved sentence flow and other stuff @Rio [GH-422]
 - rename fwdauth to be forwardauth @desimone [GH-447]
 ## Dependency
 - chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate [GH-452]
 - chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate [GH-458]
 - chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate [GH-431]
 - chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate [GH-414]
 - chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate [GH-415]
 - chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate [GH-453]
 - chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate [GH-433]
 - chore(deps): update module google/go-cmp to v0.4.0 @renovate [GH-454]
 - chore(deps): update module spf13/viper to v1.6.1 @renovate [GH-423]
 - chore(deps): update module spf13/viper to v1.6.2 @renovate [GH-459]
 - chore(deps): update module square/go-jose to v2.4.1 @renovate [GH-435]
 ## v0.5.0
--- a/docs/docs/background.md
+++ b/docs/docs/background.md
@ -16,17 +16,19 @@ For years, security was synonymous with network security. Firewalls, network seg
 >
 > [Rob Joyce](https://en.wikipedia.org/wiki/Rob_Joyce) [Chief of Tailored Access Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations), [National Security Agency @ ENIGMA 2016](https://www.youtube.com/watch?v=bDJb8WOJYdA&feature=youtu.be&t=1627)
-There's no such thing as perfect security. Many recent high-profile breaches have demonstrated just how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many possible breaches were perimeter security played a role, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by [hacking the HVAC system](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) which was connected to the internal corporate network and then moved laterally to exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military. Google did a bottom up review of their security posture following [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora). The resulting actions from that review would be released as a [series of white papers](https://ai.google/research/pubs/pub43231) called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security.
+There's no such thing as perfect security. Many recent high-profile breaches have demonstrated just how difficult it is for even large companies with sophisticated security organizations to avoid a breach. To pick just two of many possible breaches that epitomize the shortcomings of perimeter security, consider the Target and Google hacks. In Target's case, hackers circumvented both the physical and network perimeter by [hacking the HVAC system](https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/) which was connected to the internal corporate network from which hackers were then able  to move laterally and exfiltrate customer credit card data. In Google's case, they experienced a devastating attack at the hands of the Chinese military known as [Operation Aurora](https://en.wikipedia.org/wiki/Operation_Aurora). After which, Google did a bottom up review of their security posture. The resulting actions from that review would be released as a [series of white papers](https://ai.google/research/pubs/pub43231) called "BeyondCorp" which have since become foundational documents in articulating how and why an organization could move beyond corporate perimeter (BeyondCorp...get it?) based security.
 > In reality, there's never one front door; there are many front doors...[and] ... we're not securing a single castle. We're starting to think about securing many different interconnected castles.
 >
 > [Armon Dadgar, Cofounder of HashiCorp @ PagerDuty Nov 2018](https://www.hashicorp.com/resources/how-zero-trust-networking)
-The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of microservices, and cloud computing where service communication requirements are constantly in flux. In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure the appropriate audience. However, in practice, operators usually choose between two sides. A very precise boundary that is high-touch, time-consuming to manage, and error prone. Or that of a more lax boundary that may entail more risk but is less time consuming to update, manage and less prone to break.
+The other side of the security trade-off is operational agility. Perimeter based approaches tend to focus on network segmentation which entails creating virtual or physical boundaries around services that need to communicate. Making those boundaries is increasingly difficult to manage in a world of microservices, and cloud computing where service communication requirements are constantly in flux.
 In theory, an organization could "micro/nano/pico-segment" each and every layer of an application stack to ensure appropriate access controls. However, in practice, operators are usually pulled in the direction of one of two extremes. That is, either a very precise boundary that is high-touch, time-consuming to manage, and error prone. Or that of a more lax boundary that may entail more risk but is less time consuming to update, manage and less prone to break.
 ### Gaps in the perimeter
-Perimeter based security suffers from the following shortcomings:
+In summary, perimeter based security suffers from the following shortcomings:
 - Perimeter security largely ignores the insider threat.
 - The "impenetrable fortress" model fails in practice even for the most sophisticated of security organizations.
@ -34,14 +36,15 @@ Perimeter based security suffers from the following shortcomings:
 - Even just defining what the network perimeter is is an increasingly difficult proposition in a remote-work, BYOD, multi-cloud world. Most organizations are a heterogeneous mix of clouds, servers, devices, and organizational units.
 - VPNs are often misused and exacerbate the issue by opening yet another door into your network organization.
-### Zero-trust, behind the gates
+### Zero-trust, security behind the gates
 [Zero-trust](https://ldapwiki.com/wiki/Zero%20Trust) instead attempts to mitigate these shortcomings by adopting the following principles:
 - Trust flows from identity, device-state, and context; not network location.
 - Treat both internal and external networks as completely untrusted. Mutually authenticated encryption is used instead of network segmentation.
 - Act like you are already breached, because you probably are. An attacker could be anyone, and anywhere on your network.
- Every device, user, and application's communication should be authenticated, authorized, and encrypted. Access policy should be dynamic, and built from multiple sources.
+- Every device, user, and application's communication should be authenticated, authorized, and encrypted.
 - Access policy should be dynamic, and built from multiple sources.
 To be clear, perimeter security is not defunct, nor is zero-trust security a panacea or a single product. Many of the ideas and principles of perimeter security are still relevant and are part of a holistic, and wide-ranging security policy. After all, we still want our castles to have high walls.
--- a/docs/docs/community/img/contributing-edit-this-page.png
+++ b/docs/docs/community/img/contributing-edit-this-page.png
--- a/docs/docs/identity-providers/img/cognito-app-client-create.png
+++ b/docs/docs/identity-providers/img/cognito-app-client-create.png
--- a/docs/docs/identity-providers/img/cognito-app-client-details.png
+++ b/docs/docs/identity-providers/img/cognito-app-client-details.png
--- a/docs/docs/identity-providers/img/cognito-app-client-settings.png
+++ b/docs/docs/identity-providers/img/cognito-app-client-settings.png
--- a/docs/docs/identity-providers/img/cognito-create-pool.png
+++ b/docs/docs/identity-providers/img/cognito-create-pool.png
--- a/docs/docs/identity-providers/img/cognito-domain-name.png
+++ b/docs/docs/identity-providers/img/cognito-domain-name.png
--- a/docs/docs/identity-providers/img/cognito-pool-settings.png
+++ b/docs/docs/identity-providers/img/cognito-pool-settings.png
--- a/docs/docs/identity-providers/img/cognito-pools.png
+++ b/docs/docs/identity-providers/img/cognito-pools.png
--- a/docs/docs/identity-providers/img/cognito-service.png
+++ b/docs/docs/identity-providers/img/cognito-service.png
--- a/docs/docs/identity-providers/img/cognito-side-menu.png
+++ b/docs/docs/identity-providers/img/cognito-side-menu.png
--- a/docs/docs/identity-providers/img/cognito-user-pool-name.png
+++ b/docs/docs/identity-providers/img/cognito-user-pool-name.png
--- a/docs/docs/identity-providers/img/google-consent-banner.png
+++ b/docs/docs/identity-providers/img/google-consent-banner.png
--- a/docs/docs/identity-providers/img/google-create-sa.png
+++ b/docs/docs/identity-providers/img/google-create-sa.png
--- a/docs/docs/identity-providers/img/google-oauth-consent.png
+++ b/docs/docs/identity-providers/img/google-oauth-consent.png
--- a/docs/docs/identity-providers/img/okta-api-token.png
+++ b/docs/docs/identity-providers/img/okta-api-token.png
--- a/docs/docs/identity-providers/img/one-login-add-app.png
+++ b/docs/docs/identity-providers/img/one-login-add-app.png
--- a/docs/docs/identity-providers/img/one-login-callback-url.png
+++ b/docs/docs/identity-providers/img/one-login-callback-url.png
--- a/docs/docs/quick-start/helm.md
+++ b/docs/docs/quick-start/helm.md
@ -46,6 +46,10 @@ Run [./scripts/helm_gke.sh] which will:
 Open a browser and navigate to `httpbin.your.domain.example`.
 You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
 ![currently logged in user](./img/logged-in-as.png)
 [./scripts/helm_gke.sh]: ../reference/examples.html#helm
 [./scripts/kubernetes_gke.sh]: ../reference/examples.html#google-kubernetes-engine
 [example kubernetes files]: ../reference/examples.html#google-kubernetes-engine
--- a/docs/docs/quick-start/img/logged-in-as.png
+++ b/docs/docs/quick-start/img/logged-in-as.png
--- a/docs/docs/quick-start/img/synology-certifciate-assignment.png
+++ b/docs/docs/quick-start/img/synology-certifciate-assignment.png
--- a/docs/docs/quick-start/img/synology-docker-httpbin.png
+++ b/docs/docs/quick-start/img/synology-docker-httpbin.png
--- a/docs/docs/quick-start/img/synology-docker-pomerium-alias.png
+++ b/docs/docs/quick-start/img/synology-docker-pomerium-alias.png
--- a/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png
+++ b/docs/docs/quick-start/img/synology-docker-pomerium-create-container.png
--- a/docs/docs/quick-start/img/synology-docker-pomerium-done.png
+++ b/docs/docs/quick-start/img/synology-docker-pomerium-done.png
--- a/docs/docs/quick-start/img/synology-docker-pomerium-package.png
+++ b/docs/docs/quick-start/img/synology-docker-pomerium-package.png
--- a/docs/docs/quick-start/img/synology-docker-port-settings.png
+++ b/docs/docs/quick-start/img/synology-docker-port-settings.png
--- a/docs/docs/quick-start/img/synology-firewall-rules.png
+++ b/docs/docs/quick-start/img/synology-firewall-rules.png
--- a/docs/docs/quick-start/img/synology-httpbin.png
+++ b/docs/docs/quick-start/img/synology-httpbin.png
--- a/docs/docs/quick-start/img/synology-reverse-proxy-rules.png
+++ b/docs/docs/quick-start/img/synology-reverse-proxy-rules.png
--- a/docs/docs/quick-start/img/synology-reverse-proxy.png
+++ b/docs/docs/quick-start/img/synology-reverse-proxy.png
--- a/docs/docs/quick-start/img/synology-step-1-redirect.png
+++ b/docs/docs/quick-start/img/synology-step-1-redirect.png
--- a/docs/docs/quick-start/img/synology-step-2-mfa.png
+++ b/docs/docs/quick-start/img/synology-step-2-mfa.png
--- a/docs/docs/quick-start/img/synology-step-3-validate-header.png
+++ b/docs/docs/quick-start/img/synology-step-3-validate-header.png
--- a/docs/docs/quick-start/img/synology-step-4-unauthorized.png
+++ b/docs/docs/quick-start/img/synology-step-4-unauthorized.png
--- a/docs/docs/quick-start/img/synology-step-4-unauthorized.png2
+++ b/docs/docs/quick-start/img/synology-step-4-unauthorized.png2
--- a/docs/docs/quick-start/kubernetes.md
+++ b/docs/docs/quick-start/kubernetes.md
@ -59,6 +59,10 @@ And if you check out Google's Kubernetes Engine dashboard you'll see something l
 Open a browser and navigate to `httpbin.your.domain.example`.
 You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
 ![currently logged in user](./img/logged-in-as.png)
 [./kubernetes_gke.sh]: ../reference/examples#google-kubernetes-engine
 [example kubernetes files]: ../reference/examples#google-kubernetes-engine
 [identity provider]: ../identity-providers/readme.md
--- a/docs/docs/quick-start/readme.md
+++ b/docs/docs/quick-start/readme.md
@ -48,6 +48,10 @@ Docker will automatically download the required [container images] for Pomerium
 You should now be able access to the routes (e.g. `https://httpbin.corp.yourdomain.example`) as specified in your policy file.
 You can also navigate to the special pomerium endpoint `httpbin.corp.yourdomain.example/.pomerium/` to see your current user details.
 ![currently logged in user](./img/logged-in-as.png)
 [configuration file]: ../../configuration/readme.md
 [container images]: https://hub.docker.com/r/pomerium/pomerium
 [docker]: https://docs.docker.com/install/
--- a/docs/docs/quick-start/synology.md
+++ b/docs/docs/quick-start/synology.md
@ -206,6 +206,10 @@ If that user is authorized to see the httpbin service, you should be redirected
 ![Synology done](./img/synology-step-3-validate-header.png)
 You can also navigate to the special pomerium endpoint `httpbin.your.domain.example/.pomerium/` to see your current user details.
 ![currently logged in user](./img/logged-in-as.png)
 And just to be safe, try logging in from another google account to see what happens. You should be greeted with a `403` unauthorized access page.
 ![Synology done](./img/synology-step-4-unauthorized.png)
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -55,6 +55,7 @@ To see difference between releases, please refer to the changelog and upgrading
 For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example:
 - [github@master](https://master.docs.pomerium.io/)
 - [v0.6.0](https://0-6-0.docs.pomerium.io/)
 - [v0.5.0](https://0-5-0.docs.pomerium.io/)
 - [v0.4.0](https://0-4-0.docs.pomerium.io/)
 - [v0.3.0](https://0-3-0.docs.pomerium.io/)
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -7,6 +7,38 @@ description: >-
 # Upgrade Guide
 ## Since 0.5.0
 ### Breaking
 #### New cache service
 A back-end cache service was added to support session refreshing from [single-page-apps](https://en.wikipedia.org/wiki/Single-page_application).
 - For all-in-one deployments, _no changes are required_. The cache will be embedded in the binary. By default, autocache an in-memory LRU cache will be used to temporarily store user session data. If you wish to persist session data, it's also possible to use bolt or redis.
 - For split-service deployments, you will need to deploy an additional service called cache. By default, pomerium will use autocache as a distributed, automatically managed cache. It is also possible to use redis as backend in this mode.
 For a concrete example of the required changes, consider the following changes for those running split service mode,:
 ```diff
 ...
  pomerium-authenticate:
    environment:
      - SERVICES=authenticate
 +      - CACHE_SERVICE_URL=http://pomerium-cache:443
 ...
 +  pomerium-cache:
 +    image: pomerium/pomerium
 +    environment:
 +      - SERVICES=cache
 +    volumes:
 +      - ../config/config.example.yaml:/pomerium/config.yaml:ro
 +    expose:
 +      - 443
 ```
 Please see the updated examples, and [cache service docs] as a reference and for the available cache stores. For more details as to why this was necessary, please see [PR438](https://github.com/pomerium/pomerium/pull/438) and [PR457](https://github.com/pomerium/pomerium/pull/457).
 ## Since 0.4.0
 ### Breaking
@ -187,5 +219,7 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p
 The configuration variable [Authenticate Internal Service URL] must now be a valid [URL](https://golang.org/pkg/net/url/#URL) type and contain both a hostname and valid `https` schema.
-[policy]: ./configuration/readme.md#policy
+[policy]: ../configuration/readme.md#policy
-[authenticate internal service url]: ./configuration/readme.md#authenticate-service-url
+[authenticate internal service url]: ../configuration/readme.md#authenticate-service-url
 [cache service docs]: ../configuration/readme.md#cache-service
 [split service example]: ../configuration/examples.md#distinct-services
--- a/docs/recipes/kubernetes.md
+++ b/docs/recipes/kubernetes.md
@ -360,6 +360,5 @@ Whichever option you choose to go with, 🎉🍾🎊 **congratulations** 🎉
 [nginx]: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
 [securing your helm installation]: https://helm.sh/docs/using_helm/#securing-your-helm-installation
 [snap]: https://github.com/snapcrafters/helm
 [tiller]: https://helm.sh/docs/install/#installing-tiller
 [with pomerium]: ../docs/reference/reference.html#forward-auth
 [your dashboard]: http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login