all: support insecure mode

- pomerium/authenticate: add cookie secure setting
- internal/config: transport security validation moved to options
- internal/config: certificate struct hydrated
- internal/grpcutil: add grpc server mirroring http one
- internal/grpcutil: move grpc middleware
- cmd/pomerium: use run wrapper around main to pass back errors
- cmd/pomerium: add waitgroup (block on) all servers http/grpc

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/docs/CHANGELOG.md

@@ -17,6 +17,7 @@
 
 - Fixed an issue where CSRF would fail if multiple tabs were open. [GH-306](https://github.com/pomerium/pomerium/issues/306)
 - Fixed an issue where pomerium would clean double slashes from paths.[GH-262](https://github.com/pomerium/pomerium/issues/262)
+- Fixed a bug where the impersonate form would persist an empty string for groups value if none set.[GH-303](https://github.com/pomerium/pomerium/issues/303)
 
 ### Changed
 
@@ -24,15 +25,13 @@
 - Authenticate service no longer uses gRPC.
 - The global request logger now captures the full array of proxies from `X-Forwarded-For`, in addition to just the client IP.
 - Options code refactored to eliminate global Viper state. [GH-332](https://github.com/pomerium/pomerium/pull/332/files)
+- Pomerium will no longer default to looking for certificates in the root directory. [GH-328](https://github.com/pomerium/pomerium/issues/328)
+- Pomerium will validate that either `insecure_server`, or a valid certificate bundle is set. [GH-328](https://github.com/pomerium/pomerium/issues/328)
 
 ### Removed
 
 - Removed `AUTHENTICATE_INTERNAL_URL`/`authenticate_internal_url` which is no longer used.
 
-## Fixed
-
-- Fixed a bug where the impersonate form would persist an empty string for groups value if none set.[GH-303](https://github.com/pomerium/pomerium/issues/303)
-
 ## v0.3.0
 
 ### New

docs/docs/reference/reference.md

@@ -45,7 +45,7 @@ Service mode sets the pomerium service(s) to run. If testing, you may want to se
 - Default: `:443`
 - Required
 
-Address specifies the host and port to serve HTTPS and gRPC requests from. If empty, `:443` is used.
+Address specifies the host and port to serve HTTP requests from. If empty, `:443` is used.
 
 ## Administrators
 
@@ -112,6 +112,21 @@ If `false`
 
 Log level sets the global logging level for pomerium. Only logs of the desired level and above will be logged.
 
+## Insecure Server
+
+- Environmental Variable: `INSECURE_SERVER`
+- Config File Key: `insecure_server`
+- Type: `bool`
+- Required if certificates unset
+
+Turning on insecure server mode will result in pomerium starting, and operating without any protocol encryption in transit.
+
+This setting can be useful in a situation where you have Pomerium behind a TLS terminating ingress or proxy. However, even in that case, it is highly recommended to use TLS to protect the confidentiality and integrity of service communication even behind the ingress using self-signed certificates or an internal CA. Please see our helm-chart for an example of just that.
+
+:::warning
+Pomerium should _never_ be exposed to the internet without TLS encryption.
+:::
+
 ## Certificate
 
 - Environmental Variable: either `CERTIFICATE` or `CERTIFICATE_FILE`
@@ -119,7 +134,7 @@ Log level sets the global logging level for pomerium. Only logs of the desired l
 - Type: [base64 encoded] `string` or relative file location
 - Required
 
-Certificate is the x509 _public-key_ used to establish secure HTTP and gRPC connections. If unset, pomerium will attempt to find and use `./cert.pem`.
+Certificate is the x509 _public-key_ used to establish secure HTTP and gRPC connections.
 
 ## Certificate Key
 
@@ -128,7 +143,7 @@ Certificate is the x509 _public-key_ used to establish secure HTTP and gRPC conn
 - Type: [base64 encoded] `string`
 - Required
 
-Certificate key is the x509 _private-key_ used to establish secure HTTP and gRPC connections. If unset, pomerium will attempt to find and use `./privkey.pem`.
+Certificate key is the x509 _private-key_ used to establish secure HTTP and gRPC connections.
 
 ## Global Timeouts
 
@@ -148,9 +163,28 @@ Timeouts set the global server timeouts. For route-specific timeouts, see [polic
 
 These settings control upstream connections to the Authorize service.
 
+## GRPC Address
+
+- Environmental Variable: `GRPC_ADDRESS`
+- Config File Key: `grpc_address`
+- Type: `string`
+- Example: `:443`, `:8443`
+- Default: `:443` or `:5443` if in all-in-one mode
+
+Address specifies the host and port to serve GRPC requests from. Defaults to `:443` (or `:5443` in all in one mode).
+
+## GRPC Insecure
+
+- Environmental Variable: `GRPC_INSECURE`
+- Config File Key: `grpc_insecure`
+- Type: `bool`
+- Default: `:443` (or `:5443` if in all-in-one mode)
+
+If set, GRPC Insecure disables transport security for communication between the proxy and authorize components. If running in all-in-one mode, defaults to true as communication will run over localhost's own socket.
+
 ### GRPC Client Timeout
 
-Maxmimum time before canceling an upstream RPC request. During transient failures, the proxy will retry upstreams for this duration, if possible. You should leave this high enough to handle backend service restart and rediscovery so that client requests do not fail.
+Maximum time before canceling an upstream RPC request. During transient failures, the proxy will retry upstreams for this duration, if possible. You should leave this high enough to handle backend service restart and rediscovery so that client requests do not fail.
 
 - Environmental Variable: `GRPC_CLIENT_TIMEOUT`
 - Config File Key: `grpc_client_timeout`

docs/docs/upgrading.md

@@ -7,6 +7,12 @@ description: >-
 
 # Upgrade Guide
 
+## Since 0.3.0
+
+### Breaking: No default certificate location
+
+In previous versions, if no explicit certificate pair (in base64 or file form) was set, Pomerium would make a last ditch effort to check for certificate files (`cert.key`/`privkey.pem`) in the root directory. With the introduction of insecure server configuration, we've removed that functionality. If there settings for certificates and insecure server mode are unset, pomerium will give a appropriate error instead of a failed to find/open certificate error.
+
 ## Since 0.2.0
 
 Pomerium `v0.3.0` has no known breaking changes compared to `v0.2.0`.