v0.5.0 (#375)

2025-07-17 16:48:13 +02:00 · 2019-11-14 20:02:16 -08:00 · 2019-11-14 20:02:16 -08:00 · ec9607d1d5
commit ec9607d1d5
parent 00c29f4e77
61 changed files with 894 additions and 468 deletions
--- a/docs/configuration/examples/config/config.example.env
+++ b/docs/configuration/examples/config/config.example.env
@ -0,0 +1,61 @@
+#!/bin/bash
+# Main configuration flags : https://www.pomerium.io/docs/reference/reference/
+
+# Main configuration flags
+# export ADDRESS=":8443"                      # optional, default is 443
+# export POMERIUM_DEBUG=true                  # optional, default is false
+# export SERVICE="all"                        # optional, default is all
+# export LOG_LEVEL="info"                     # optional, default is debug
+
+export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
+# AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
+# otherwise it should be set to a "behind-the-ingress" routable url
+# export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
+
+# Certificates can be loaded as files or base64 encoded bytes.
+# See : https://www.pomerium.io/docs/reference/certificates
+export CERTIFICATE_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer"                      # optional, defaults to `./cert.pem`
+export CERTIFICATE_KEY_FILE="$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key" # optional, defaults to `./certprivkey.pem`
+# export CERTIFICATE="xxxxxx"                 # base64 encoded cert, eg. `base64 -i cert.pem`
+# export CERTIFICATE_KEY="xxxx"               # base64 encoded key, eg. `base64 -i privkey.pem`
+
+# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
+export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
+export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
+# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
+# export SIGNING_KEY="Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"
+
+# Identity Provider Settings
+
+# Azure
+# export IDP_PROVIDER="azure"
+# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0"
+# export IDP_CLIENT_ID="REPLACEME
+# export IDP_CLIENT_SECRET="REPLACEME"
+
+## GOOGLE
+export IDP_PROVIDER="google"
+export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google
+
+# IF GSUITE and you want to get user groups you will need to set a service account
+# see identity provider docs for gooogle for more info :
+# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)
+
+# OKTA
+# export IDP_PROVIDER="okta"
+# export IDP_CLIENT_ID="REPLACEME"
+# export IDP_CLIENT_SECRET="REPLACEME"
+# export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default"
+
+# OneLogin
+# export IDP_PROVIDER="onelogin"
+# export IDP_CLIENT_ID="REPLACEME"
+# export IDP_CLIENT_SECRET="REPLACEME"
+# export IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`
+
+# export SCOPE="openid email" # generally, you want the default OIDC scopes
+
+# Proxied routes and per-route policies are defined in a policy provided either
+# directly as a base64 encoded yaml/json file, or as the policy key in the configuration
+# file
+export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"