v0.5.0 (#375)

docs/configuration/examples/config/config.example.env

@@ -0,0 +1,61 @@
+#!/bin/bash
+# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+
+# Main configuration flags
+# export ADDRESS=":8443"                      # optional, default is 443
+# export POMERIUM_DEBUG=true                  # optional, default is false
+# export SERVICE="all"                        # optional, default is all
+# export LOG_LEVEL="info"                     # optional, default is debug
+
+export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
+# AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
+# otherwise it should be set to a "behind-the-ingress" routable url
+# export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
+
+# Certificates can be loaded as files or base64 encoded bytes.
+# See : https://www.pomerium.io/docs/reference/certificates
+export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"                      # optional, defaults to `./cert.pem`
+export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
+# export CERTIFICATE="xxxxxx"                 # base64 encoded cert, eg. `base64 -i cert.pem`
+# export CERTIFICATE_KEY="xxxx"               # base64 encoded key, eg. `base64 -i privkey.pem`
+
+# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
+export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
+export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
+# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
+# export SIGNING_KEY="Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"
+
+# Identity Provider Settings
+
+# Azure
+# export IDP_PROVIDER="azure"
+# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0"
+# export IDP_CLIENT_ID="REPLACEME
+# export IDP_CLIENT_SECRET="REPLACEME"
+
+## GOOGLE
+export IDP_PROVIDER="google"
+export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
+
+# IF GSUITE and you want to get user groups you will need to set a service account
+# see identity provider docs for gooogle for more info :
+# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
+
+# OKTA
+# export IDP_PROVIDER="okta"
+# export IDP_CLIENT_ID="REPLACEME"
+# export IDP_CLIENT_SECRET="REPLACEME"
+# export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default"
+
+# OneLogin
+# export IDP_PROVIDER="onelogin"
+# export IDP_CLIENT_ID="REPLACEME"
+# export IDP_CLIENT_SECRET="REPLACEME"
+# export IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`
+
+# export SCOPE="openid email" # generally, you want the default OIDC scopes
+
+# Proxied routes and per-route policies are defined in a policy provided either
+# directly as a base64 encoded yaml/json file, or as the policy key in the configuration
+# file
+export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"

docs/configuration/examples/config/config.example.yaml

@@ -0,0 +1,81 @@
+# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+#
+# address: ":8443" # optional, default is 443
+# pomerium_debug: true # optional, default is false
+# service: "all" # optional, default is all
+# log_level: info # optional, default is debug
+
+authenticate_service_url: https://authenticate.corp.beyondperimeter.com
+# authorize service url will default to localhost in all-in-one mode, otherwise
+# it should be set to a "behind-the-ingress" routable url
+# authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+
+# Certificates can be loaded as files or base64 encoded bytes.
+# certificate_file: "./cert.pem" # optional, defaults to `./cert.pem`
+# certificate_key_file: "./privkey.pem" # optional, defaults to `./certprivkey.pem`
+# certificate_authority_file: "./cert.pem"
+
+# alternatively, insecure mode can be used if behind a TLS terminating ingress,
+# or when using a sidecar proxy
+# insecure_server: true
+
+# base64 encoded cert, eg. `base64 -i cert.pem` / `base64 -i privkey.pem`
+# certificate: |
+#  "xxxxxx"
+# certificate_key: |
+#  "xxxx"
+
+# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
+# shared_secret: hsJIQsx9KKx4qVlggg/T3AuLTmVu0uHhwTQgMPlVs7U=
+# cookie_secret: WwMtDXWaRDMBQCylle8OJ+w4kLIDIGd8W3cB4/zFFtg=
+# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
+# signing_key: "Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"
+
+# Identity Provider Settings
+
+# Azure
+# idp_provider: "azure"
+# idp_provider_url: "https://login.microsoftonline.com/REPLACEME/v2.0"
+# idp_client_id: "REPLACEME
+# idp_client_secret: "REPLACEME"
+
+## GOOGLE
+# idp_provider: "google"
+# idp_provider_url: "https://accounts.google.com" # optional for google
+# idp_client_id: "REPLACEME
+# idp_client_secret: "REPLACEME
+
+# IF GSUITE and you want to get user groups you will need to set a service account
+# see identity provider docs for gooogle for more info :
+# idp_service_account: $(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
+
+# OKTA
+# idp_provider: "okta"
+# idp_client_id: "REPLACEME"
+# idp_client_secret: "replaceme"
+# idp_provider_url: "https://REPLACEME.oktapreview.com/oauth2/default"
+
+# OneLogin
+# idp_provider: "onelogin"
+# idp_client_id: "REPLACEME"
+# idp_client_secret: "REPLACEME"
+# idp_provider_url: "https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`
+
+# scope: "openid email" # generally, you want the default OIDC scopes
+
+# Proxied routes and per-route policies are defined in a policy block
+policy:
+  - from: https://httpbin.corp.beyondperimeter.com
+    to: http://httpbin
+    allowed_domains:
+      - pomerium.io
+    cors_allow_preflight: true
+    timeout: 30s
+  - from: https://external-httpbin.corp.beyondperimeter.com
+    to: https://httpbin.org
+    allowed_domains:
+      - gmail.com
+  - from: https://hello.corp.beyondperimeter.com
+    to: http://hello:8080
+    allowed_groups:
+      - admins@pomerium.io

docs/configuration/examples/config/config.minimal.env

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# See : https://www.pomerium.io/docs/reference/certificates
+export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"                      # optional, defaults to `./cert.pem`
+export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
+
+# 256 bit random keys
+export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
+export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"

docs/configuration/examples/config/config.minimal.yaml

@@ -0,0 +1,16 @@
+# See detailed configuration settings : https://www.pomerium.io/docs/reference/reference/
+authenticate_service_url: https://authenticate.corp.beyondperimeter.com
+
+# identity provider settings : https://www.pomerium.io/docs/identity-providers.html
+idp_provider: google
+idp_client_id: REPLACE_ME
+idp_client_secret: REPLACE_ME
+
+policy:
+  - from: https://httpbin.corp.beyondperimeter.com
+    to: http://httpbin
+    allowed_domains:
+      - pomerium.io
+  - from: https://external-httpbin.corp.beyondperimeter.com
+    to: https://httpbin.org
+    allow_public_unauthenticated_access: true

docs/configuration/examples/config/policy.example.yaml

@@ -0,0 +1,31 @@
+# This file contains only policy and route configuration details. Other
+# configuration settings required by pomerium are excluded for clarity.
+# See: https://www.pomerium.io/docs/reference/reference/
+#
+# For a complete self contained configuration see : config.example.yaml.
+# Or, mix and match a policy file (this) with env vars : config.example.env
+
+# Proxied routes and per-route policies are defined in a policy block
+# NOTA BENE: You must uncomment the bellow 'policy' key if you are loading policy as a file.
+# policy:
+- from: https://httpbin.corp.beyondperimeter.com
+  to: http://localhost:8000
+  allowed_domains:
+    - pomerium.io
+  cors_allow_preflight: true
+  timeout: 30s
+- from: https://external-httpbin.corp.beyondperimeter.com
+  to: https://httpbin.org
+  allowed_domains:
+    - gmail.com
+- from: https://weirdlyssl.corp.beyondperimeter.com
+  to: http://neverssl.com
+  allowed_users:
+    - bdd@pomerium.io
+  allowed_groups:
+    - admins
+    - developers
+- from: https://hello.corp.beyondperimeter.com
+  to: http://localhost:8080
+  allowed_groups:
+    - admins@pomerium.io

docs/configuration/examples/docker/basic.docker-compose.yml

@@ -0,0 +1,21 @@
+version: "3"
+services:
+  pomerium:
+    image: pomerium/pomerium:v0.5.0
+    environment:
+      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
+      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
+    volumes:
+      # Mount your domain's certificates : https://www.pomerium.io/docs/reference/certificates
+      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer:/pomerium/cert.pem:ro
+      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key:/pomerium/privkey.pem:ro
+      # Mount your config file : https://www.pomerium.io/docs/reference/reference/
+      - ../config/config.minimal.yaml:/pomerium/config.yaml:ro
+    ports:
+      - 443:443
+
+  # https://httpbin.corp.beyondperimeter.com --> Pomerium --> http://httpbin
+  httpbin:
+    image: kennethreitz/httpbin:latest
+    expose:
+      - 80

docs/configuration/examples/docker/nginx.docker-compose.yml

@@ -0,0 +1,87 @@
+version: "3"
+services:
+  nginx:
+    image: pomerium/nginx-proxy:latest
+    ports:
+      - "443:443"
+    volumes:
+      # NOTE!!! : nginx must be supplied with your wildcard certificates.
+      # see : https://github.com/jwilder/nginx-proxy#wildcard-certificates
+      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer:/etc/nginx/certs/corp.beyondperimeter.com.crt:ro
+      - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key:/etc/nginx/certs/corp.beyondperimeter.com.key:ro
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+
+  pomerium-authenticate:
+    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    restart: always
+    environment:
+      - SERVICES=authenticate
+      - INSECURE_SERVER=TRUE
+      # NOTE!: Replace with your identity provider settings https://www.pomerium.io/docs/identity-providers.html
+      # - IDP_PROVIDER=google
+      # - IDP_PROVIDER_URL=https://accounts.google.com
+      # - IDP_CLIENT_ID=REPLACE_ME
+      # - IDP_CLIENT_SECRET=REPLACE_ME
+      # - IDP_SERVICE_ACCOUNT=REPLACE_ME
+      # NOTE! Generate new secret keys! e.g. `head -c32 /dev/urandom | base64`
+      # Generated secret keys must match between services
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
+      # Tell nginx how to proxy pomerium's routes
+      - VIRTUAL_PROTO=http
+      - VIRTUAL_HOST=authenticate.corp.beyondperimeter.com
+      - VIRTUAL_PORT=443
+    volumes:
+      - ../config/config.example.yaml:/pomerium/config.yaml:ro
+
+    expose:
+      - 443
+
+  pomerium-proxy:
+    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    restart: always
+    environment:
+      - SERVICES=proxy
+      - INSECURE_SERVER=TRUE
+      # IMPORTANT! If you are running pomerium behind another ingress (loadbalancer/firewall/etc)
+      # you must tell pomerium proxy how to communicate using an internal hostname for RPC
+      - AUTHORIZE_SERVICE_URL=http://pomerium-authorize:443
+      # When communicating internally, rPC is going to get a name conflict expecting an external
+      # facing certificate name (i.e. authenticate-service.local vs *.corp.example.com).
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
+      # Tell nginx how to proxy pomerium's routes
+      - VIRTUAL_PROTO=http
+      - VIRTUAL_HOST=*.corp.beyondperimeter.com
+      - VIRTUAL_PORT=443
+    volumes:
+      - ../config/config.example.yaml:/pomerium/config.yaml:ro
+    expose:
+      - 443
+
+  pomerium-authorize:
+    image: pomerium/pomerium:v0.5.0 # or `build: .` to build from source
+    restart: always
+    environment:
+      - SERVICES=authorize
+      - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
+      - GRPC_INSECURE=TRUE
+      - GRPC_ADDRESS=:443
+
+    volumes:
+      # Retrieve non-secret config keys from the config file : https://www.pomerium.io/docs/reference/reference/
+      # See `config.example.yaml` and modify to fit your needs.
+      - ../config/config.example.yaml:/pomerium/config.yaml:ro
+    expose:
+      - 443
+
+  # https://httpbin.corp.beyondperimeter.com
+  httpbin:
+    image: kennethreitz/httpbin:latest
+    expose:
+      - 80
+  # https://hello.corp.beyondperimeter.com
+  hello:
+    image: gcr.io/google-samples/hello-app:1.0
+    expose:
+      - 8080

docs/configuration/examples/kubernetes/httpbin.yml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: httpbin
+  labels:
+    app: httpbin
+spec:
+  type: NodePort
+  ports:
+    - name: http
+      port: 8000
+      targetPort: 80
+  selector:
+    app: httpbin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: httpbin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: httpbin
+      version: v1
+  template:
+    metadata:
+      labels:
+        app: httpbin
+        version: v1
+    spec:
+      containers:
+        - image: docker.io/kennethreitz/httpbin
+          imagePullPolicy: IfNotPresent
+          name: httpbin
+          ports:
+            - containerPort: 80

docs/configuration/examples/kubernetes/ingress.nginx.yml

@@ -0,0 +1,37 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: pomerium-ingress
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    # kubernetes.io/tls-acme: "true"
+    # certmanager.k8s.io/issuer: "letsencrypt-prod"
+    # nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+    # to avoid ingress routing, enable
+    # nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+
+spec:
+  tls:
+    - secretName: pomerium-tls
+      hosts:
+        - "*.corp.beyondperimeter.com"
+        - "authenticate.corp.beyondperimeter.com"
+
+  rules:
+    - host: "*.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-proxy-service
+              servicePort: http
+
+    - host: "authenticate.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-authenticate-service
+              servicePort: http

docs/configuration/examples/kubernetes/ingress.yml

@@ -0,0 +1,30 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: pomerium-ingress
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.global-static-ip-name: pomerium
+
+spec:
+  tls:
+    - secretName: pomerium-tls
+      hosts:
+        - "*.corp.beyondperimeter.com"
+        - "authenticate.corp.beyondperimeter.com"
+
+  rules:
+    - host: "*.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-proxy-service
+              servicePort: https
+    - host: "authenticate.corp.beyondperimeter.com"
+      http:
+        paths:
+          - paths:
+            backend:
+              serviceName: pomerium-authenticate-service
+              servicePort: https

docs/configuration/examples/kubernetes/kubernetes-config.yaml

@@ -0,0 +1,18 @@
+# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+address: ":80"
+insecure_server: true
+
+authenticate_service_url: https://authenticate.corp.beyondperimeter.com
+authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
+
+override_certificate_name: "*.corp.beyondperimeter.com"
+
+idp_provider: google
+idp_client_id: REPLACE_ME.apps.googleusercontent.com
+idp_client_secret: "REPLACE_ME"
+
+policy:
+  - from: https://httpbin.corp.beyondperimeter.com
+    to: http://httpbin.default.svc.cluster.local:8000
+    allowed_domains:
+      - gmail.com

docs/configuration/examples/kubernetes/kubernetes_gke.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# NOTE! This will create real resources on Google GCP. Make sure you clean up any unused
+# resources to avoid being billed.
+# For reference, this tutorial cost ~10 cents for a couple of hours.
+# NOTE! You must change the identity provider client secret setting in your config file!
+
+echo "=> creating cluster"
+gcloud container clusters create pomerium --num-nodes 2
+
+echo "=> get cluster credentials so we can use kubctl locally"
+gcloud container clusters get-credentials pomerium
+
+echo "=> create config from kubernetes-config.yaml which we will mount"
+kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
+
+echo "=> create our random shared-secret and cookie-secret keys as envars"
+kubectl create secret generic shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
+kubectl create secret generic cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
+
+echo "=> initiliaze secrets for TLS wild card for service use"
+kubectl create secret generic certificate \
+	--from-literal=certificate=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer")
+kubectl create secret generic certificate-key \
+	--from-literal=certificate-key=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key")
+
+echo "=> load TLS to ingress"
+kubectl create secret tls pomerium-tls \
+	--key "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" \
+	--cert "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"
+
+echo "=> deploy pomerium proxy, authorize, and authenticate"
+kubectl apply -f pomerium-proxy.yml
+kubectl apply -f pomerium-authenticate.yml
+kubectl apply -f pomerium-authorize.yml
+
+echo "=> deploy our test app, httpbin"
+kubectl apply -f httpbin.yml
+
+echo "=> deploy the GKE specific ingress"
+kubectl apply -f ingress.yml
+
+# Alternatively, nginx-ingress can be used
+# kubectl apply -f ingress.nginx.yml
+
+# When done, clean up by deleting the cluster!
+# gcloud container clusters delete pomerium

docs/configuration/examples/kubernetes/kubernetes_nginx.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+echo "=> create config from kubernetes-config.yaml which we will mount"
+kubectl create configmap config --from-file="config.yaml"="kubernetes-config.yaml"
+
+echo "=> create our random shared-secret and cookie-secret keys as envars"
+kubectl create secret generic shared-secret --from-literal=shared-secret=$(head -c32 /dev/urandom | base64)
+kubectl create secret generic cookie-secret --from-literal=cookie-secret=$(head -c32 /dev/urandom | base64)
+
+echo "=> deploy pomerium proxy, authorize, and authenticate"
+kubectl apply -f pomerium-proxy.yml
+kubectl apply -f pomerium-authenticate.yml
+kubectl apply -f pomerium-authorize.yml
+
+echo "=> deploy our test app, httpbin"
+kubectl apply -f httpbin.yml
+
+echo "=> deploy nginx-ingress"
+kubectl apply -f ingress.yml

docs/configuration/examples/kubernetes/pomerium-authenticate.yml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-authenticate-service
+spec:
+  ports:
+    - port: 80
+      name: http
+  selector:
+    app: pomerium-authenticate
+  type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-authenticate
+  labels:
+    app: pomerium-authenticate
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-authenticate
+  template:
+    metadata:
+      labels:
+        app: pomerium-authenticate
+    spec:
+      containers:
+        - image: pomerium/pomerium:v0.5.0
+          name: pomerium-authenticate
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: authenticate
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+            - name: COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: cookie-secret
+                  key: cookie-secret
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 5
+            timeoutSeconds: 1
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config

docs/configuration/examples/kubernetes/pomerium-authorize.yml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-authorize-service
+spec:
+  ports:
+    - port: 80
+      name: grpc
+  selector:
+    app: pomerium-authorize
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-authorize
+  labels:
+    app: pomerium-authorize
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-authorize
+  template:
+    metadata:
+      labels:
+        app: pomerium-authorize
+    spec:
+      containers:
+        - image: pomerium/pomerium:v0.5.0
+          name: pomerium-authorize
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 80
+              name: grpc
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: authorize
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+          readinessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 80
+            initialDelaySeconds: 15
+            periodSeconds: 20
+
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config

docs/configuration/examples/kubernetes/pomerium-proxy.yml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pomerium-proxy-service
+spec:
+  ports:
+    - port: 80
+      protocol: TCP
+      name: http
+      targetPort: http
+  selector:
+    app: pomerium-proxy
+  type: NodePort
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pomerium-proxy
+  labels:
+    app: pomerium-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pomerium-proxy
+  template:
+    metadata:
+      labels:
+        app: pomerium-proxy
+    spec:
+      containers:
+        - image: pomerium/pomerium:v0.5.0
+          name: pomerium-proxy
+          args:
+            - --config=/etc/pomerium/config.yaml
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          env:
+            - name: SERVICES
+              value: proxy
+            - name: SHARED_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: shared-secret
+                  key: shared-secret
+            - name: COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: cookie-secret
+                  key: cookie-secret
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 80
+              scheme: HTTP
+            initialDelaySeconds: 10
+            timeoutSeconds: 1
+          volumeMounts:
+            - mountPath: /etc/pomerium/
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: config