merge master

2025-05-19 20:17:30 +02:00 · 2020-05-18 08:18:56 -06:00 · 2020-05-18 08:18:56 -06:00 · ef399380b7
commit ef399380b7
parent d514ec2ecf
49 changed files with 1473 additions and 534 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-v0.7.5
+v0.8.0
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -45,12 +45,12 @@ module.exports = {
      { text: "Configuration", link: "/configuration/" },
      { text: "Recipes", link: "/recipes/" },
      { text: "Enterprise", link: "/enterprise/" },
      {
-        text: "v0.7.x", // current tagged version
+        text: "v0.8.x", // current tagged version
        ariaLabel: "Version menu",
        items: [
          { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" },
          { text: "v0.8.x", link: "https://0-8-0.docs.pomerium.io/docs" },
          { text: "v0.7.x", link: "https://0-7-0.docs.pomerium.io/docs" },
          { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" },
          { text: "v0.5.x", link: "https://0-5-0.docs.pomerium.io/docs" },
--- a/docs/.vuepress/public/_redirects
+++ b/docs/.vuepress/public/_redirects
@ -1,5 +1,6 @@
 /docs/reference/reference			/configuration/
 /docs/reference/reference.html		/configuration/
 /docs/configuration/				/configuration/
 /community/							/docs/community/
 /community/index.html				/docs/community/
--- a/docs/_posts/2020-05-11-release-0-8.md
+++ b/docs/_posts/2020-05-11-release-0-8.md
@ -0,0 +1,34 @@
 ---
 title: Announcing Pomerium 0.8
 date: 2020-5-11
 tags:
  - release
  - pomerium
  - announcement
 author: Bobby DeSimone
 ---
 # Announcing Pomerium 0.8
 We are excited to announce the [0.8 release] of Pomerium which adds support for some of our most requested features including:
 - [**Automatic Certificate Management**] — Pomerium can now be configured to automatically retrieve and renew certificates, adding HTTPS to all Pomerium managed routes. In addition, Pomerium will do [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling) for automatic and custom certificates alike.
 - [**Advanced Route Matching**] — Operators can now write access policy that supports route matching based on [regex], [prefix], and [path] settings. Pomerium now has the flexibility to support multiple and layered authorization policies across a single managed route.
 - And finally, this release adds [**Github**](https://github.com/) as a supported identity provider.
 Pomerium had 95 commits from 8 authors across 5 organizations in this release. This release also includes additional new features, general improvements, and bug fixes, a complete list of which can be found in the [changelog].
 As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Pomerium GitHub [issue tracker].
 <SimpleNewsletter/>
 [**advanced route matching**]: ../configuration/readme.md#policy
 [**automatic certificate management**]: ../docs/reference/certificates.md#per-route-automatic-certificates
 [0.8 release]: https://github.com/pomerium/pomerium/releases/tag/v8.0.0
 [changelog]: ../docs/CHANGELOG.md
 [**github**]: ../docs/identity-providers/github.md
 [issue tracker]: https://github.com/pomerium/pomerium/issues
 [let's encrypt]: https://letsencrypt.org/
 [path]: ../configuration/readme.md#path
 [prefix]: ../configuration/readme.md#prefix
 [regex]: ../configuration/readme.md#regex
--- a/docs/configuration/examples.md
+++ b/docs/configuration/examples.md
@ -5,7 +5,6 @@ sidebarDepth: 2
 meta:
  - name: keywords
    content: pomerium community help bugs updates features
 description: >-
  This document describes how you users can stay up to date with pomerium,
  report issues, get help, and suggest new features.
@ -86,15 +85,15 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
 - Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
-<<< @/scripts/helm_gke.sh
+<<< @/docs/configuration/examples/helm/helm_gke.sh
 ### AWS ECS
 - Uses Amazon Elastic Container Service
-<<< @/scripts/helm_aws.sh
+<<< @/docs/configuration/examples/helm/helm_aws.sh
-## Kubernetes
+### Kubernetes
 - Uses Google Kubernetes Engine's built-in ingress to do [HTTPS load balancing]
 - HTTPS (TLS) between client, load balancer, and services
@ -129,3 +128,43 @@ Customize for your identity provider run `docker-compose up -f nginx.docker-comp
 [helloworld]: https://hub.docker.com/r/tutum/hello-world
 [httpbin]: https://httpbin.org/
 [https load balancing]: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress
 ## Istio
 [istio]: https://github.com/istio/istio
 [certmanager]: https://github.com/jetstack/cert-manager
 [grafana]: https://github.com/grafana/grafana
 - Istio provides mutual TLS via sidecars and to make Istio play well with Pomerium we need to disable TLS on the Pomerium side.
 - We need to provide Istio with information on how to route requests via Pomerium to their destinations.
 - The following example shows how to make Grafana's [auth proxy](https://grafana.com/docs/grafana/latest/auth/auth-proxy) work with Pomerium inside of an Istio mesh.
 #### Gateway
 We are using the standard istio-ingressgateway that comes configured with Istio and attach a Gateway to it that deals with a subset of our ingress traffic based on the Host header (in this case `*.yourcompany.com`). This is the Gateway to which we will later attach VirtualServices for more granular routing decisions. Along with the Gateway, because we care about TLS, we are using Certmanager to provision a self-signed certificate (see Certmanager [docs](https://cert-manager.io/docs) for setup instructions).
 <<< @/docs/configuration/examples/kubernetes/istio/gateway.yml
 #### Virtual Services
 Here we are configuring two Virtual Services. One to route from the Gateway to the Authenticate service and one to route from the Gateway to the Pomerium Proxy, which will route the request to Grafana according to the configured Pomerium policy.
 <<< @/docs/configuration/examples/kubernetes/istio/virtual-services.yml
 #### Service Entry
 If you are enforcing mutual TLS in your service mesh you will need to add a ServiceEntry for your identity provider so that Istio knows not to expect a mutual TLS connection with, for example `https://yourcompany.okta.com`.
 <<< @/docs/configuration/examples/kubernetes/istio/service-entry.yml
 #### Pomerium Configuration
 For this example we're using the Pomerium Helm chart with the following `values.yaml` file. Things to note here are the `insecure` flag, where we are disabling TLS in Pomerium in favor of the Istio-provided TLS via sidecars. Also note the `extaEnv` arguments where we are asking Pomerium to extract the email property from the JWT and pass it on to Grafana in a header called `X-Pomerium-Claim-Email`. We need to do this because Grafana does not know how to read the Pomerium JWT but its auth-proxy authentication method can be configured to read user information from headers. The policy document contains a single route that will send all requests with a host header of `https://grafana.yourcompany.com` to the Grafana instance running in the monitoring namespace. We disable ingress because we are using the Istio ingressgateway for ingress traffic and don't need the Pomerium helm chart to create ingress objects for us.
 <<< @/docs/configuration/examples/kubernetes/istio/pomerium-helm-values.yml
 #### Grafana ini
 On the Grafana side we are using the Grafana Helm chart and what follows is the relevant section of the `values.yml` file. The most important thing here is that we need to tell Grafana from which request header to grab the username. In this case that's `X-Pomerium-Claim-Email` because we will be using the user's email (provided by your identity provider) as their username in Grafana. For all the configuration options check out the Grafana documentation about its auth-proxy authentication method.
 <<< @/docs/configuration/examples/kubernetes/istio/grafana.ini.yml
--- a/docs/configuration/examples/docker/autocert.docker-compose.yml
+++ b/docs/configuration/examples/docker/autocert.docker-compose.yml
@ -1,7 +1,7 @@
 version: "3"
 services:
  pomerium:
-    image: pomerium/pomerium:v0.7.0
+    image: pomerium/pomerium:v0.8.0
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
--- a/docs/configuration/examples/docker/basic.docker-compose.yml
+++ b/docs/configuration/examples/docker/basic.docker-compose.yml
@ -1,7 +1,7 @@
 version: "3"
 services:
  pomerium:
-    image: pomerium/pomerium:v0.7.0
+    image: pomerium/pomerium:v0.8.0
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
--- a/docs/configuration/examples/docker/nginx.docker-compose.yml
+++ b/docs/configuration/examples/docker/nginx.docker-compose.yml
@ -12,7 +12,7 @@ services:
      - /var/run/docker.sock:/tmp/docker.sock:ro
  pomerium-authenticate:
-    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
+    image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authenticate
@ -39,7 +39,7 @@ services:
      - 443
  pomerium-proxy:
-    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
+    image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=proxy
@ -61,7 +61,7 @@ services:
      - 443
  pomerium-authorize:
-    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
+    image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authorize
@ -77,7 +77,7 @@ services:
      - 443
  pomerium-cache:
-    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
+    image: pomerium/pomerium:v0.8.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=cache
--- a/docs/configuration/examples/helm/helm_aws.sh
+++ b/docs/configuration/examples/helm/helm_aws.sh
--- a/docs/configuration/examples/helm/helm_gke.sh
+++ b/docs/configuration/examples/helm/helm_gke.sh
@ -7,7 +7,7 @@
 # NOTE! If you are using gsuite, you should also set `authenticate.idp.serviceAccount`, see docs !
 echo "=> [GCE] creating cluster"
-gcloud container clusters create pomerium --region us-west2
+gcloud container clusters create pomerium --region us-west2 --num-nodes 1
 echo "=> [GCE] get cluster credentials so we can use kubctl locally"
 gcloud container clusters get-credentials pomerium --region us-west2
@ -15,27 +15,26 @@ gcloud container clusters get-credentials pomerium --region us-west2
 echo "=> add pomerium's helm repo"
 helm repo add pomerium https://helm.pomerium.io
 echo "=> add bitnami's helm repo"
 helm repo add bitnami https://charts.bitnami.com/bitnami
 echo "=> install nginx as a sample hello world app"
 helm upgrade --install nginx bitnami/nginx --set service.type=ClusterIP
 echo "=> update helm"
 helm repo update
 echo "=> install pomerium with helm"
 echo "=> initiliaze a configmap setting from config.example.yaml"
 kubectl create configmap config --from-file="config.yaml"="docs/configuration/examples/kubernetes/kubernetes-config.yaml"
 helm install \
 	pomerium \
 	pomerium/pomerium \
 	--set service.type="NodePort" \
 	--set config.rootDomain="corp.beyondperimeter.com" \
 	--set config.existingConfig="config" \
 	--set config.sharedSecret=$(head -c32 /dev/urandom | base64) \
 	--set config.cookieSecret=$(head -c32 /dev/urandom | base64) \
 	--set ingress.secret.name="pomerium-tls" \
 	--set ingress.secret.cert=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer") \
 	--set ingress.secret.key=$(base64 -i "$HOME/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key") \
-	--set-string ingress.annotations."kubernetes\.io/ingress\.allow-http"=false \
+	--values docs/configuration/examples/kubernetes/values.yaml
 	--set authenticate.service.annotations."cloud\.google\.com/app-protocols"='\{"https":"HTTPS"\}' \
 	--set proxy.service.annotations."cloud\.google\.com/app-protocols"='\{"https":"HTTPS"\}'
 # When done, clean up by deleting the cluster!
 # helm del $(helm ls --all --short) --purge # deletes all your helm instances
--- a/docs/configuration/examples/kubernetes/istio/gateway.yml
+++ b/docs/configuration/examples/kubernetes/istio/gateway.yml
@ -0,0 +1,41 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
  name: internal-gateway
  namespace: istio-system
 spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      protocol: HTTPS
      name: https-default
    tls:
      mode: SIMPLE
      serverCertificate: "sds"
      privateKey: "sds"
      credentialName: internal-cert
    hosts:
    - *.yourcompany.com
 ---
 apiVersion: cert-manager.io/v1alpha2
 kind: Certificate
 metadata:
  name: internal-cert
  namespace: istio-system
 spec:
  secretName: internal-cert
  issuerRef:
    name: self-signed-issuer
    kind: ClusterIssuer
  commonName: *.yourcompany.com
  dnsNames:
    - *.yourcompany.com
 ---
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
  name: self-signed-issuer
 spec:
  selfSigned: {}
--- a/docs/configuration/examples/kubernetes/istio/grafana.ini.yml
+++ b/docs/configuration/examples/kubernetes/istio/grafana.ini.yml
@ -0,0 +1,12 @@
 grafana.ini:
  users:
    allow_sign_up: false
    auto_assign_org: true
    auto_assign_org_role: Editor
  auth.proxy:
    enabled: true
    header_name: X-Pomerium-Claim-Email
    header_property: username
    auto_sign_up: true
    sync_ttl: 60
    enable_login_token: false
--- a/docs/configuration/examples/kubernetes/istio/pomerium-helm-values.yml
+++ b/docs/configuration/examples/kubernetes/istio/pomerium-helm-values.yml
@ -0,0 +1,13 @@
 config:
  insecure: true
  policy:
    - from: https://grafana.yourcompany.com
      to: "http://prometheus-grafana.monitoring.svc.cluster.local"
      timeout: 30s
      allowed_domains:
        - yourcompany.com
 ingress:
  enabled: false
 extraEnv:
  JWT_CLAIMS_HEADERS: email
--- a/docs/configuration/examples/kubernetes/istio/service-entry.yml
+++ b/docs/configuration/examples/kubernetes/istio/service-entry.yml
@ -0,0 +1,14 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
  name: external-idp
  namespace: pomerium
 spec:
  hosts:
    - yourcompany.okta.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: TLS
  resolution: DNS
--- a/docs/configuration/examples/kubernetes/istio/virtual-services.yml
+++ b/docs/configuration/examples/kubernetes/istio/virtual-services.yml
@ -0,0 +1,30 @@
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
  name: grafana-virtual-service
  namespace: pomerium
 spec:
  gateways:
    - istio-system/internal-gateway
  hosts:
    - grafana.yourcompany.com
  http:
    - route:
        - destination:
            host: pomerium-proxy
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
  name: authenticate-virtual-service
  namespace: pomerium
 spec:
  gateways:
    - istio-system/internal-gateway
  hosts:
    - authenticate.yourcompany.com
  http:
    - route:
        - destination:
            host: pomerium-authenticate
 ---
--- a/docs/configuration/examples/kubernetes/values.yaml
+++ b/docs/configuration/examples/kubernetes/values.yaml
@ -0,0 +1,28 @@
 authenticate:
  idp:
    provider: "google"
    clientID: YOUR_CLIENT_ID
    clientSecret: YOUR_SECRET
  service:
    annotations:
      cloud.google.com/app-protocols: '{"https":"HTTPS"}'
 proxy:
  service:
    annotations:
      cloud.google.com/app-protocols: '{"https":"HTTPS"}'
 service:
  type: NodePort
 config:
  rootDomain: corp.beyondperimeter.com
  policy:
    - from: https://hello.corp.beyondperimeter.com
      to: http://nginx.default.svc.cluster.local:80
      allowed_domains:
        - gmail.com
 ingress:
  annotations:
    kubernetes.io/ingress.allow-http: false
--- a/docs/configuration/readme.md
+++ b/docs/configuration/readme.md
@ -144,7 +144,7 @@ Pomerium should _never_ be exposed to the internet without TLS encryption.
 - Type: `bool`
 - Optional
-Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from [Let's Encrypt][letsencrypt] for each of your managed pomerium routes as well as for the authenticate service. This setting must be used in conjunction with `Certificate Folder` as Autocert must have a place to persist, and share certificate data between services. Provides [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling).
+Turning on autocert allows Pomerium to automatically retrieve, manage, and renew public facing TLS certificates from [Let's Encrypt][letsencrypt] for each of your managed pomerium routes as well as for the authenticate service. This setting must be used in conjunction with [Autocert Directory](./#autocert-directory) as Autocert must have a place to persist, and share certificate data between services. Provides [OCSP stapling](https://en.wikipedia.org/wiki/OCSP_stapling).
 This setting can be useful in a situation where you do not have Pomerium behind a TLS terminating ingress or proxy that is already handling your public certificates on your behalf.
@ -156,7 +156,7 @@ By using autocert, you agree to the [Let's Encrypt Subscriber Agreement](https:/
 :::warning
-Autocert requires that port `443` be accessible from the internet in order to complete a [TLS-ALPN-01 challenge](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01).
+Autocert requires that ports `80`/`443` be accessible from the internet in order to complete a [TLS-ALPN-01 challenge](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01).
 :::
@ -165,7 +165,7 @@ Autocert requires that port `443` be accessible from the internet in order to co
 - Environmental Variable: either `AUTOCERT_DIR`
 - Config File Key: `autocert_dir`
 - Type: `string` pointing to the path of the directory
- Required if using Autocert setting
+- Required if using [Autocert](./#autocert) setting
 - Default:
  - `/data/autocert` in published Pomerium docker images
  - [$XDG_DATA_HOME](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html)
@ -384,62 +384,62 @@ Expose a prometheus format HTTP endpoint on the specified port. Disabled by defa
 **Metrics tracked**
-| Name                                          | Type      | Description                                                             |
+Name                                          | Type      | Description
-| --------------------------------------------- | --------- | ----------------------------------------------------------------------- |
+--------------------------------------------- | --------- | -----------------------------------------------------------------------
-| boltdb_free_alloc_size_bytes                  | Gauge     | Bytes allocated in free pages                                           |
+boltdb_free_alloc_size_bytes                  | Gauge     | Bytes allocated in free pages
-| boltdb_free_page_n                            | Gauge     | Number of free pages on the freelist                                    |
+boltdb_free_page_n                            | Gauge     | Number of free pages on the freelist
-| boltdb_freelist_inuse_size_bytes              | Gauge     | Bytes used by the freelist                                              |
+boltdb_freelist_inuse_size_bytes              | Gauge     | Bytes used by the freelist
-| boltdb_open_txn                               | Gauge     | number of currently open read transactions                              |
+boltdb_open_txn                               | Gauge     | number of currently open read transactions
-| boltdb_pending_page_n                         | Gauge     | Number of pending pages on the freelist                                 |
+boltdb_pending_page_n                         | Gauge     | Number of pending pages on the freelist
-| boltdb_txn                                    | Gauge     | total number of started read transactions                               |
+boltdb_txn                                    | Gauge     | total number of started read transactions
-| boltdb_txn_cursor_total                       | Counter   | Total number of cursors created                                         |
+boltdb_txn_cursor_total                       | Counter   | Total number of cursors created
-| boltdb_txn_node_deref_total                   | Counter   | Total number of node dereferences                                       |
+boltdb_txn_node_deref_total                   | Counter   | Total number of node dereferences
-| boltdb_txn_node_total                         | Counter   | Total number of node allocations                                        |
+boltdb_txn_node_total                         | Counter   | Total number of node allocations
-| boltdb_txn_page_alloc_size_bytes_total        | Counter   | Total bytes allocated                                                   |
+boltdb_txn_page_alloc_size_bytes_total        | Counter   | Total bytes allocated
-| boltdb_txn_page_total                         | Counter   | Total number of page allocations                                        |
+boltdb_txn_page_total                         | Counter   | Total number of page allocations
-| boltdb_txn_rebalance_duration_ms_total        | Counter   | Total time spent rebalancing                                            |
+boltdb_txn_rebalance_duration_ms_total        | Counter   | Total time spent rebalancing
-| boltdb_txn_rebalance_total                    | Counter   | Total number of node rebalances                                         |
+boltdb_txn_rebalance_total                    | Counter   | Total number of node rebalances
-| boltdb_txn_spill_duration_ms_total            | Counter   | Total time spent spilling                                               |
+boltdb_txn_spill_duration_ms_total            | Counter   | Total time spent spilling
-| boltdb_txn_spill_total                        | Counter   | Total number of nodes spilled                                           |
+boltdb_txn_spill_total                        | Counter   | Total number of nodes spilled
-| boltdb_txn_split_total                        | Counter   | Total number of nodes split                                             |
+boltdb_txn_split_total                        | Counter   | Total number of nodes split
-| boltdb_txn_write_duration_ms_total            | Counter   | Total time spent writing to disk                                        |
+boltdb_txn_write_duration_ms_total            | Counter   | Total time spent writing to disk
-| boltdb_txn_write_total                        | Counter   | Total number of writes performed                                        |
+boltdb_txn_write_total                        | Counter   | Total number of writes performed
-| groupcache_cache_hits_total                   | Counter   | Total cache hits in local or cluster cache                              |
+groupcache_cache_hits_total                   | Counter   | Total cache hits in local or cluster cache
-| groupcache_cache_hits_total                   | Counter   | Total cache hits in local or cluster cache                              |
+groupcache_cache_hits_total                   | Counter   | Total cache hits in local or cluster cache
-| groupcache_gets_total                         | Counter   | Total get request, including from peers                                 |
+groupcache_gets_total                         | Counter   | Total get request, including from peers
-| groupcache_loads_deduped_total                | Counter   | gets without cache hits after duplicate suppression                     |
+groupcache_loads_deduped_total                | Counter   | gets without cache hits after duplicate suppression
-| groupcache_loads_total                        | Counter   | Total gets without cache hits                                           |
+groupcache_loads_total                        | Counter   | Total gets without cache hits
-| groupcache_local_load_errs_total              | Counter   | Total local load errors                                                 |
+groupcache_local_load_errs_total              | Counter   | Total local load errors
-| groupcache_local_loads_total                  | Counter   | Total good local loads                                                  |
+groupcache_local_loads_total                  | Counter   | Total good local loads
-| groupcache_peer_errors_total                  | Counter   | Total errors from peers                                                 |
+groupcache_peer_errors_total                  | Counter   | Total errors from peers
-| groupcache_peer_loads_total                   | Counter   | Total remote loads or cache hits without error                          |
+groupcache_peer_loads_total                   | Counter   | Total remote loads or cache hits without error
-| groupcache_server_requests_total              | Counter   | Total gets from peers                                                   |
+groupcache_server_requests_total              | Counter   | Total gets from peers
-| grpc_client_request_duration_ms               | Histogram | GRPC client request duration by service                                 |
+grpc_client_request_duration_ms               | Histogram | GRPC client request duration by service
-| grpc_client_request_size_bytes                | Histogram | GRPC client request size by service                                     |
+grpc_client_request_size_bytes                | Histogram | GRPC client request size by service
-| grpc_client_requests_total                    | Counter   | Total GRPC client requests made by service                              |
+grpc_client_requests_total                    | Counter   | Total GRPC client requests made by service
-| grpc_client_response_size_bytes               | Histogram | GRPC client response size by service                                    |
+grpc_client_response_size_bytes               | Histogram | GRPC client response size by service
-| grpc_server_request_duration_ms               | Histogram | GRPC server request duration by service                                 |
+grpc_server_request_duration_ms               | Histogram | GRPC server request duration by service
-| grpc_server_request_size_bytes                | Histogram | GRPC server request size by service                                     |
+grpc_server_request_size_bytes                | Histogram | GRPC server request size by service
-| grpc_server_requests_total                    | Counter   | Total GRPC server requests made by service                              |
+grpc_server_requests_total                    | Counter   | Total GRPC server requests made by service
-| grpc_server_response_size_bytes               | Histogram | GRPC server response size by service                                    |
+grpc_server_response_size_bytes               | Histogram | GRPC server response size by service
-| http_client_request_duration_ms               | Histogram | HTTP client request duration by service                                 |
+http_client_request_duration_ms               | Histogram | HTTP client request duration by service
-| http_client_request_size_bytes                | Histogram | HTTP client request size by service                                     |
+http_client_request_size_bytes                | Histogram | HTTP client request size by service
-| http_client_requests_total                    | Counter   | Total HTTP client requests made by service                              |
+http_client_requests_total                    | Counter   | Total HTTP client requests made by service
-| http_client_response_size_bytes               | Histogram | HTTP client response size by service                                    |
+http_client_response_size_bytes               | Histogram | HTTP client response size by service
-| http_server_request_duration_ms               | Histogram | HTTP server request duration by service                                 |
+http_server_request_duration_ms               | Histogram | HTTP server request duration by service
-| http_server_request_size_bytes                | Histogram | HTTP server request size by service                                     |
+http_server_request_size_bytes                | Histogram | HTTP server request size by service
-| http_server_requests_total                    | Counter   | Total HTTP server requests handled by service                           |
+http_server_requests_total                    | Counter   | Total HTTP server requests handled by service
-| http_server_response_size_bytes               | Histogram | HTTP server response size by service                                    |
+http_server_response_size_bytes               | Histogram | HTTP server response size by service
-| pomerium_build_info                           | Gauge     | Pomerium build metadata by git revision, service, version and goversion |
+pomerium_build_info                           | Gauge     | Pomerium build metadata by git revision, service, version and goversion
-| pomerium_config_checksum_int64                | Gauge     | Currently loaded configuration checksum by service                      |
+pomerium_config_checksum_int64                | Gauge     | Currently loaded configuration checksum by service
-| pomerium_config_last_reload_success           | Gauge     | Whether the last configuration reload succeeded by service              |
+pomerium_config_last_reload_success           | Gauge     | Whether the last configuration reload succeeded by service
-| pomerium_config_last_reload_success_timestamp | Gauge     | The timestamp of the last successful configuration reload by service    |
+pomerium_config_last_reload_success_timestamp | Gauge     | The timestamp of the last successful configuration reload by service
-| redis_conns                                   | Gauge     | Number of total connections in the pool                                 |
+redis_conns                                   | Gauge     | Number of total connections in the pool
-| redis_hits_total                              | Counter   | Total number of times free connection was found in the pool             |
+redis_hits_total                              | Counter   | Total number of times free connection was found in the pool
-| redis_idle_conns                              | Gauge     | Number of idle connections in the pool                                  |
+redis_idle_conns                              | Gauge     | Number of idle connections in the pool
-| redis_misses_total                            | Counter   | Total number of times free connection was NOT found in the pool         |
+redis_misses_total                            | Counter   | Total number of times free connection was NOT found in the pool
-| redis_stale_conns_total                       | Counter   | Total number of stale connections removed from the pool                 |
+redis_stale_conns_total                       | Counter   | Total number of stale connections removed from the pool
-| redis_timeouts_total                          | Counter   | Total number of times a wait timeout occurred                           |
+redis_timeouts_total                          | Counter   | Total number of times a wait timeout occurred
 ### Tracing
@ -449,10 +449,10 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
 #### Shared Tracing Settings
-| Config Key       | Description                                                       | Required |
+Config Key       | Description                                                       | Required
-| :--------------- | :---------------------------------------------------------------- | -------- |
+:--------------- | :---------------------------------------------------------------- | --------
-| tracing_provider | The name of the tracing provider. (e.g. jaeger)                   | ✅        |
+tracing_provider | The name of the tracing provider. (e.g. jaeger)                   | ✅
-| tracing_debug    | Will disable [sampling](https://opencensus.io/tracing/sampling/). | ❌        |
+tracing_debug    | Will disable [sampling](https://opencensus.io/tracing/sampling/). | ❌
 #### Jaeger
@ -464,10 +464,10 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
 - Service dependency analysis
 - Performance / latency optimization
-| Config Key                        | Description                                 | Required |
+Config Key                        | Description                                 | Required
-| :-------------------------------- | :------------------------------------------ | -------- |
+:-------------------------------- | :------------------------------------------ | --------
-| tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector.    | ✅        |
+tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector.    | ✅
-| tracing_jaeger_agent_endpoint     | Send spans to jaeger-agent at this address. | ✅        |
+tracing_jaeger_agent_endpoint     | Send spans to jaeger-agent at this address. | ✅
 #### Example
@ -978,7 +978,7 @@ Note: This setting will replace (not append) the system's trust store for a give
 - Type: [base64 encoded] `string` or relative file location
 - Optional
-Pomerium supports client certificates which can be used to enforce [mutually authenticated and encrypted TLS connections](https://en.wikipedia.org/wiki/Mutual_authentication) (mTLS). For more details, see our [mTLS example repository](https://github.com/pomerium/examples/tree/master/mutual-tls) and the [certificate docs](./certificates.md).
+Pomerium supports client certificates which can be used to enforce [mutually authenticated and encrypted TLS connections](https://en.wikipedia.org/wiki/Mutual_authentication) (mTLS). For more details, see our [mTLS example repository](https://github.com/pomerium/examples/tree/master/mutual-tls) and the [certificate docs](../docs/reference/certificates.md).
 ### Set Request Headers
@ -1020,16 +1020,17 @@ See [ProxyPreserveHost](http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#prox
 - Type: [base64 encoded] `string`
 - Optional
-Signing key is the base64 encoded key used to sign outbound requests. For more information see the [signed headers](./signed-headers.md) docs.
+Signing key is the base64 encoded key used to sign outbound requests. For more information see the [signed headers] docs.
 If no certificate is specified, one will be generated for you and the base64'd public key will be added to the logs.
 [base64 encoded]: https://en.wikipedia.org/wiki/Base64
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
-[identity provider]: ./identity-providers.md
+[identity provider]: ../docs/identity-providers/
 [json]: https://en.wikipedia.org/wiki/JSON
 [letsencrypt]: https://letsencrypt.org/
 [oidc rfc]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
 [signed headers]: ./signed-headers.md
 [toml]: https://en.wikipedia.org/wiki/TOML
 [yaml]: https://en.wikipedia.org/wiki/YAML
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -1,5 +1,36 @@
 # Changelog
 ## v0.8.0
 To see a complete list of changes [see the diff](https://github.com/pomerium/pomerium/compare/v0.7.0...v0.8.0).
 ### New
 - cryptutil: add automatic certificate management @desimone [GH-644]
 - implement path-based route matching @calebdoxsey [GH-615]
 - internal/identity: implement github provider support @Lumexralph [GH-582]
 - proxy: add configurable JWT claim headers @travisgroth (#596)
 - proxy: remove extra session unmarshalling @desimone (#592)
 ### Changes
 - ci: Switch integration tests from minikube to kind @travisgroth [GH-656]
 - integration-tests: add CORS test @calebdoxsey [GH-662]
 - integration-tests: add websocket enabled/disabled test @calebdoxsey [GH-661]
 - integration-tests: set_request_headers and preserve_host_header options @calebdoxsey [GH-668]
 - pre-commit: add pre-commit configuration @calebdoxsey [GH-666]
 - proxy: improve JWT header behavior @travisgroth [GH-642]
 ## Fixed
 - authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey [GH-624]
 - authorize: fix unexpected panic on reload @travisgroth [GH-652]
 - site: fix site on mobile @desimone [GH-597]
 ### Documentation
 - deploy: autocert documentation and defaults @travisgroth [GH-658]
 ## v0.7.5
 ### Fixed
@ -46,7 +77,7 @@ There were no changes in the v0.7.1 release, but we updated the build process sl
 ### New
- \*: remove import path comments @desimone [GH-545]
+- *: remove import path comments @desimone [GH-545]
 - authenticate: make callback path configurable @desimone [GH-493]
 - authenticate: return 401 for some specific error codes @cuonglm [GH-561]
 - authorization: log audience claim failure @desimone [GH-553]
@ -131,6 +162,7 @@ There were no changes in the v0.7.1 release, but we updated the build process sl
 - config: Remove CookieRefresh [GH-428] @u5surf [GH-436]
 - config: validate that `shared_key` does not contain whitespace @travisgroth [GH-427]
 - httputil : wrap handlers for additional context @desimone [GH-413]
 - forward-auth: validate using forwarded uri header @branchmispredictor [GH-600]
 ### Fixed
--- a/docs/docs/quick-start/binary.md
+++ b/docs/docs/quick-start/binary.md
@ -52,6 +52,6 @@ Browse to `external-httpbin.your.domain.example`. Connections between you and [h
 [download]: https://github.com/pomerium/pomerium/releases
 [environmental configuration variables]: https://12factor.net/config
 [httpbin]: https://httpbin.org/
-[identity provider]: ../docs/identity-providers/
+[identity provider]: ../identity-providers/
 [make]: https://en.wikipedia.org/wiki/Make_(software)
 [tls certificates]: ../reference/certificates.md
--- a/docs/docs/quick-start/from-source.md
+++ b/docs/docs/quick-start/from-source.md
@ -73,6 +73,6 @@ Browse to `httpbin.localhost.pomerium.io`. Connections between you and [httpbin]
 [configuration variables]: ../../configuration/readme.md
 [httpbin]: https://httpbin.org/
-[identity provider]: ../docs/identity-providers/
+[identity provider]: ../identity-providers/
 [make]: https://en.wikipedia.org/wiki/Make_(software)
 [tls certificates]: ../reference/certificates.md
--- a/docs/docs/quick-start/helm.md
+++ b/docs/docs/quick-start/helm.md
@ -19,15 +19,17 @@ This quick-start will show you how to deploy Pomerium with [Helm](https://helm.s
 - Install [helm](https://helm.sh/docs/using_helm/)
 - [TLS certificates]
-Though there are [many ways](https://kubernetes.io/docs/setup/pick-right-solution/) to work with Kubernetes, for the purpose of this guide, we will be using Google's [Kubernetes Engine](https://cloud.google.com/kubernetes-engine/). That said, most of the following steps should be very similar using any other provider.
+Though there are [many ways](https://unofficial-kubernetes.readthedocs.io/en/latest/setup/pick-right-solution/) to work with Kubernetes, for the purpose of this guide, we will be using Google's [Kubernetes Engine](https://cloud.google.com/kubernetes-engine/). That said, most of the following steps should be very similar using any other provider.
 In addition to sharing many of the same features as the Kubernetes quickstart guide, the default helm deployment script also includes a bootstrapped certificate authority enabling mutually authenticated and encrypted communication between services that does not depend on the external LetsEncrypt certificates. Having the external domain certificate de-coupled makes it easier to renew external certificates.
 ## Configure
-Download and modify the following [helm_gke.sh script][./scripts/helm_gke.sh] to match your [identity provider] and [TLS certificates] settings.
+Download and modify the following helm_gke.sh script and values file to match your [identity provider] and [TLS certificates] settings.
-<<<@/scripts/helm_gke.sh
+<<<@/docs/configuration/examples/helm/helm_gke.sh
 <<<@/docs/configuration/examples/kubernetes/values.yaml
 ## Run
--- a/docs/docs/quick-start/kubernetes.md
+++ b/docs/docs/quick-start/kubernetes.md
@ -63,8 +63,8 @@ You can also navigate to the special pomerium endpoint `httpbin.your.domain.exam
 ![currently logged in user](./img/logged-in-as.png)
-[./kubernetes_gke.sh]: ../reference/examples#google-kubernetes-engine
+[./kubernetes_gke.sh]: ../../configuration/examples.md#google-kubernetes-engine
-[example kubernetes files]: ../reference/examples#google-kubernetes-engine
+[example kubernetes files]: ../../configuration/examples.md#google-kubernetes-engine
 [identity provider]: ../identity-providers/readme.md
 [letsencrypt]: https://letsencrypt.org/
 [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
--- a/docs/docs/reference/certificates.md
+++ b/docs/docs/reference/certificates.md
@ -44,6 +44,8 @@ Pomerium itself can be used to retrieve, manage, and renew certificates certific
 autocert: true
 ```
 See the [Autocert] and [Autocert Directory] settings for more details.
 ### Self-signed wildcard certificate
 In production, we'd use a public certificate authority such as LetsEncrypt. But for a local proof of concept or for development, we can use [mkcert](https://mkcert.dev/) to make locally trusted development certificates with any names you'd like. The easiest, is probably to use `*.localhost.pomerium.io` which we've already pre-configured to point back to localhost.
@ -98,9 +100,11 @@ Certificates, TLS, and Public Key Cryptography is a vast subject we cannot adequ
 - [Use TLS](https://smallstep.com/blog/use-tls.html) covers why TLS should be used everywhere; not just for securing typical internet traffic but for securing service communication in both "trusted" and adversarial situations.
 - [Everything you should know about certificates and PKI but are too afraid to ask](https://smallstep.com/blog/everything-pki.html)
 [autocert]: ../../configuration/readme.md#autocert
 [autocert directory]: ../../configuration/readme.md#autocert-directory
 [certificate]: ../../configuration/readme.md#certificates
 [certificate_authority]: ../../configuration/readme.md#certificate-authority
 [certificate_key]: ../../configuration/readme.md#certificates
 [override_certificate_name]: ../../configuration/readme.md#override-certificate-name
-[principles]: ../docs/#why
+[principles]: ../#why
-[zero-trust]: ../docs/#why
+[zero-trust]: ../#why
--- a/docs/docs/reference/getting-users-identity.md
+++ b/docs/docs/reference/getting-users-identity.md
@ -1,7 +1,6 @@
 ---
 title: Getting the user's identity
-description: >-
+description: This article describes how to to get a user's identity with Pomerium.
  This article describes how to to get a user's identity with Pomerium.
 ---
 # Getting the user's identity
@ -19,19 +18,19 @@ To secure your app with signed headers, you'll need the following:
 A JWT attesting to the authorization of a given request is added to the downstream HTTP request header `x-pomerium-jwt-assertion`. You should verify that the JWT contains at least the following claims:
-|  [JWT]   | description                                                                                            |
+ [JWT]   | description
-| :------: | ------------------------------------------------------------------------------------------------------ |
+:------: | ------------------------------------------------------------------------------------------------------
-|  `exp`   | Expiration time in seconds since the UNIX epoch. Allow 1 minute for skew.                              |
+ `exp`   | Expiration time in seconds since the UNIX epoch. Allow 1 minute for skew.
-|  `iat`   | Issued-at time in seconds since the UNIX epoch. Allow 1 minute for skew.                               |
+ `iat`   | Issued-at time in seconds since the UNIX epoch. Allow 1 minute for skew.
-|  `aud`   | The client's final domain e.g. `httpbin.corp.example.com`.                                             |
+ `aud`   | The client's final domain e.g. `httpbin.corp.example.com`.
-|  `iss`   | Issuer must be the URL of your authentication domain e.g. `authenticate.corp.example`.                 |
+ `iss`   | Issuer must be the URL of your authentication domain e.g. `authenticate.corp.example`.
-|  `sub`   | Subject is the user's id. Can be used instead of the `x-pomerium-authenticated-user-id` header.        |
+ `sub`   | Subject is the user's id. Can be used instead of the `x-pomerium-authenticated-user-id` header.
-| `email`  | Email is the user's email. Can be used instead of the `x-pomerium-authenticated-user-email` header.    |
+`email`  | Email is the user's email. Can be used instead of the `x-pomerium-authenticated-user-email` header.
-| `groups` | Groups is the user's groups. Can be used instead of the `x-pomerium-authenticated-user-groups` header. |
+`groups` | Groups is the user's groups. Can be used instead of the `x-pomerium-authenticated-user-groups` header.
 ### Manual verification
-Though you will very likely be verifying signed-headers programmatically in your application's middleware, and using a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like. The following guide assumes you are using the provided [docker-compose.yml] as a base and [httpbin]. Httpbin gives us a convenient way of inspecting client headers.
+Though you will very likely be verifying signed-headers programmatically in your application's middleware, and using a third-party JWT library, if you are new to JWT it may be helpful to show what manual verification looks like.
 1. Provide pomerium with a base64 encoded Elliptic Curve ([NIST P-256] aka [secp256r1] aka prime256v1) Private Key. In production, you'd likely want to get these from your KMS.
@ -49,17 +48,17 @@ Copy the base64 encoded value of your private key to `pomerium-proxy`'s environm
 SIGNING_KEY=ZxqyyIPPX0oWrrOwsxXgl0hHnTx3mBVhQ2kvW1YB4MM=
 ```
-2. Reload `pomerium-proxy`. Navigate to httpbin (by default, `https://httpbin.corp.${YOUR-DOMAIN}.com`), and login as usual. Click **request inspection**. Select `/headers'. Click **try it out** and then **execute**. You should see something like the following.
+1. Reload `pomerium-proxy`. Navigate to httpbin (by default, `https://httpbin.corp.${YOUR-DOMAIN}.com`), and login as usual. Click **request inspection**. Select `/headers'. Click **try it out** and then **execute**. You should see something like the following.
 ![httpbin displaying jwt headers](./img/inspect-headers.png)
-3. `X-Pomerium-Jwt-Assertion` is the signature value. It's less scary than it looks and basically just a compressed, json blob as described above. Navigate to [jwt.io] which provides a helpful GUI to manually verify JWT values.
+1. `X-Pomerium-Jwt-Assertion` is the signature value. It's less scary than it looks and basically just a compressed, json blob as described above. Navigate to [jwt.io] which provides a helpful GUI to manually verify JWT values.
-4. Paste the value of `X-Pomerium-Jwt-Assertion` header token into the `Encoded` form. You should notice that the decoded values look much more familiar.
+2. Paste the value of `X-Pomerium-Jwt-Assertion` header token into the `Encoded` form. You should notice that the decoded values look much more familiar.
 ![httpbin displaying decoded jwt](./img/verifying-headers-1.png)
-5. Finally, we want to cryptographically verify the validity of the token. To do this, we will need the signer's public key. You can simply copy and past the output of `cat ec_public.pem`.
+1. Finally, we want to cryptographically verify the validity of the token. To do this, we will need the signer's public key. You can simply copy and past the output of `cat ec_public.pem`.
 ![httpbin displaying verified jwt](./img/verifying-headers-2.png)
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -5,7 +5,7 @@ description: >-
  for Pomerium. Please read it carefully.
 ---
-# Since 0.8.0
+# Since 0.7.0
 ## Breaking
@ -17,6 +17,7 @@ Although it's unlikely anyone ever used it, prior to 0.8.0 the policy configurat
 policy:
  - from: "https://example.com/some/path"
 ```
 The proxy and authorization server would simply ignore the path and route/authorize based on the host name.
 With the introduction of `prefix`, `path` and `regex` fields to the policy route configuration, we decided not to support using a path in the `from` url, since the behavior was somewhat ambiguous and better handled by the explicit fields.
--- a/docs/jobs/Backend-Engineer.md
+++ b/docs/jobs/Backend-Engineer.md
@ -0,0 +1,40 @@
 # Backend Engineer
 Job Posted: May 12, 2020 9:59 AM Languages: Go Location: Remote US/CA
 # Backend Engineer
 Hi there! We're looking for a Backend Software Engineer to join the team!
 ## Responsibilities:
 - Write robust, maintainable code
 - Work with product and design to iterate on customer needs
 - Review code and participate in group discussions
 ## Qualifications:
 - 3+ years experience building web applications at scale
 - Go (Golang)
 - Experience with relational databases
 - Knowledge of standard methodologies: monitoring, alerting, metrics
 - Strong written communication and collaboration skills
 - Experience with AWS, GCP, or Azure environments
 ## Preferred Qualifications:
 - Remote work experience
 - Experience with OAuth2, OIDC, SAML, and other IAM technologies
 - Experience building gRPC and REST based services
 - Familiarity with Kubernetes, Helm, and other Cloud Native applications
 ## About Pomerium:
 Pomerium helps companies manage and secure internal access. We
 - are a fast growing, well funded, venture backed startup.
 - are a fully remote team. While prior experience working remotely isn't required, we are looking for team members who perform well given a high level of independence and autonomy.
 - offer competitive salaries
 - are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be.
 Check out our [github](https://github.com/pomerium/pomerium) and [site](http://www.pomerium.com/) to learn more about us!
--- a/docs/jobs/Frontend-Engineer.md
+++ b/docs/jobs/Frontend-Engineer.md
@ -0,0 +1,36 @@
 # Frontend Engineer
 Job Posted: May 12, 2020 10:04 AM Languages: Javascript, React Location: Remote US/CA
 Hi there! We're looking for a Frontend Software Engineer to join the team.
 ## Responsibilities:
 - Write robust, maintainable code
 - Work with product and design to iterate on customer needs
 - Review code and participate in group discussions
 ## Qualifications:
 - 3+ years experience building web applications at scale
 - 3+ years of javascript, css, typescript, or other
 - React, React Native, or similar framework experience
 - Experience with relational databases
 - Knowledge of standard methodologies: monitoring, alerting, metrics
 - Strong written communication and collaboration skills
 - Experience with AWS, GCP, or Azure environments
 ## Preferred Qualifications:
 - Remote work experience
 - Experience with OAuth2, OIDC, SAML, and other IAM technologies
 - Familiarity with Kubernetes, Helm, and other Cloud Native applications
 ## About Pomerium:
 Pomerium helps companies manage and secure internal access. We
 - are a fast growing, well funded, venture backed startup.
 - are a fully remote team. While prior experience working remotely isn't required, we are looking for team members who perform well given a high level of independence and autonomy.
 - offer competitive salaries
 - are committed to building a team that represents a variety of backgrounds, perspectives, and skills. We believe the more inclusive we are, the better our company will be
--- a/docs/jobs/readme.md
+++ b/docs/jobs/readme.md
@ -0,0 +1,12 @@
 # Careers at Pomerium
 ## Help us build the future secure application access
 Pomerium builds identity and access management infrastructure for the internet. We're helping small startups and the world's biggest companies improve their security posture, facilitate distributed remote work, and scale their efforts globally. And we'd like your help.
 Interested in joining our all-remote team? Check out some of our open positions.
 # Open Positions
 - [Frontend Engineer](./Frontend-Engineer.md)
 - [Backend Engineer](./Backend-Engineer.md)
--- a/docs/recipes/kubernetes.md
+++ b/docs/recipes/kubernetes.md
@ -218,7 +218,7 @@ Pomerium is an identity-aware access proxy that can used to serve as an identity
 ### Configure
-Before installing, we will configure Pomerium's configuration settings in `config.yaml`. Other than the typical configuration settings covered in the quick-start guides, we will add a few settings that will make working with Kubernetes Dashboard easier.
+Before installing, we will configure Pomerium's configuration settings in `values.yaml`. Other than the typical configuration settings covered in the quick-start guides, we will add a few settings that will make working with Kubernetes Dashboard easier.
 We can retrieve the token to add to our proxied policy's authorization header as follows.
@ -245,10 +245,22 @@ token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.......
 The above token then needs to be assigned to our route configuration and policy.
 ```yaml
-# config.yaml
+# values.yaml
-forward_auth_url: https://forwardauth.domain.example
+authenticate:
  idp:
    provider: "google"
    clientID: YOUR_CLIENT_ID
    clientSecret: YOUR_SECRET
-policy:
+forwardAuth:
  enabled: true
 config:
  sharedSecret: YOUR_SHARED_SECRET
  cookieSecret: YOUR_COOKIE_SECRET
  rootDomain: domain.example
  policy:
    # this route is directly proxied by pomerium & injects the authorization header
    - from: https://dashboard-proxied.domain.example
      to: https://helm-dashboard-kubernetes-dashboard
@ -263,15 +275,13 @@ policy:
      to: https://helm-dashboard-kubernetes-dashboard
      allowed_users:
        - user@domain.example
 ingress:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-prod" # see `le.issuer.yaml`
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  secretName: pomerium-ingress-tls
 ```
 We then add our configuration to Kubernetes as a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/).
 ```bash
 # add our pomerium policy to kubernetes as a configmap
 $ kubectl create configmap config --from-file="config.yaml"="config.yaml"
 ```
 ### Install
 Finally, we get to install Pomerium! 🎉 Once again, we will use Helm to deploy Pomerium.
@ -279,24 +289,14 @@ Finally, we get to install Pomerium! 🎉 Once again, we will use Helm to deploy
 ```bash
 helm install \
 	"helm-pomerium" \
-	stable/pomerium \
+	pomerium/pomerium \
-	--set config.rootDomain="domain.example" \
+  --values values.yaml
 	--set config.existingConfig="config" \
 	--set authenticate.idp.provider="google" \
 	--set authenticate.idp.clientID="YOUR_CLIENT_ID" \
 	--set authenticate.idp.clientSecret="YOUR_SECRET"
 ```
 ## Putting it all together
 Now we just need to tell external traffic how to route everything by deploying the following ingresses.
 ```sh
 $kubectl apply -f docs/recipes/yml/pomerium.ingress.yaml
 ```
 <<< @/docs/recipes/yml/pomerium.ingress.yaml
 ```sh
 $kubectl apply -f docs/recipes/yml/dashboard-forwardauth.ingress.yaml
 ```
--- a/docs/recipes/yml/pomerium.ingress.yaml
+++ b/docs/recipes/yml/pomerium.ingress.yaml
@ -1,33 +0,0 @@
 # pomerium.ingress.yaml
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: pomerium-authenticate
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/issuer: "letsencrypt-prod" # see `le.issuer.yaml`
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 spec:
  tls:
    - hosts:
        - authenticate.domain.example
      secretName: pomerium-authenticate-external-tls
    - hosts:
        - forwardauth.domain.example
      secretName: pomerium-forwardauth-external-tls
  rules:
    - host: authenticate.domain.example
      http:
        paths:
          - path: /
            backend:
              serviceName: helm-pomerium-authenticate
              servicePort: https
    - host: forwardauth.domain.example
      http:
        paths:
          - path: /
            backend:
              serviceName: helm-pomerium-proxy
              servicePort: https
--- a/go.mod
+++ b/go.mod
@ -10,16 +10,16 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/envoyproxy/go-control-plane v0.9.5
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/go-acme/lego/v3 v3.7.0 // indirect
 	github.com/go-redis/redis/v7 v7.2.0
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
 	github.com/golang/mock v1.4.3
-	github.com/golang/protobuf v1.4.0
+	github.com/golang/protobuf v1.4.2
-	github.com/google/go-cmp v0.4.0
+	github.com/google/go-cmp v0.4.1
 	github.com/google/go-jsonnet v0.15.0
 	github.com/google/uuid v1.1.1
 	github.com/gorilla/handlers v1.4.2
 	github.com/gorilla/mux v1.7.4
-	github.com/gorilla/websocket v1.4.0
+	github.com/gorilla/websocket v1.4.2
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/lithammer/shortuuid/v3 v3.0.4
 	github.com/mitchellh/hashstructure v1.0.0
@ -29,8 +29,7 @@ require (
 	github.com/onsi/gomega v1.8.1 // indirect
 	github.com/open-policy-agent/opa v0.19.2
 	github.com/pelletier/go-toml v1.6.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pomerium/autocache v0.0.0-20200505053831-8c1cd659f055
 	github.com/pomerium/autocache v0.0.0-20200309220911-227c9939d0ce
 	github.com/pomerium/csrf v1.6.2-0.20190918035251-f3318380bad3
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/prometheus/client_golang v1.6.0
@ -42,22 +41,20 @@ require (
 	github.com/spf13/cast v1.3.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.6.3
+	github.com/spf13/viper v1.7.0
 	github.com/stretchr/testify v1.5.1
 	github.com/uber/jaeger-client-go v2.20.1+incompatible // indirect
 	go.etcd.io/bbolt v1.3.4
 	go.opencensus.io v0.22.3
-	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
+	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
-	golang.org/x/net v0.0.0-20200505041828-1ed23360d12c
+	golang.org/x/net v0.0.0-20200506145744-7e3656a0809f
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
+	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
-	google.golang.org/api v0.22.0
+	google.golang.org/api v0.23.0
-	google.golang.org/appengine v1.6.5 // indirect
+	google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940
-	google.golang.org/genproto v0.0.0-20200204235621-fb4a7afc5178
+	google.golang.org/grpc v1.28.0
-	google.golang.org/grpc v1.27.1
+	google.golang.org/protobuf v1.23.0
 	google.golang.org/protobuf v1.21.0
 	gopkg.in/cookieo9/resources-go.v2 v2.0.0-20150225115733-d27c04069d0d
 	gopkg.in/ini.v1 v1.51.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1
 	gopkg.in/yaml.v2 v2.2.8
 )
--- a/go.sum
+++ b/go.sum
@ -8,10 +8,24 @@ cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTj
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
 cloud.google.com/go v0.50.0 h1:0E3eE8MX426vUOs7aHfI7aN1BrIzzzf4ccKCSfSjGmc=
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
 cloud.google.com/go v0.54.0 h1:3ithwDMr7/3vpAMXiH+ZQnYbuIsh+OPhUPMFC9enmn0=
 cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
 cloud.google.com/go v0.56.0 h1:WRz29PgAsVEyPSDHyk+0fpEkwEFyfhHn+JbksT6gIL4=
 cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
 cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
 cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 contrib.go.opencensus.io/exporter/jaeger v0.2.0 h1:nhTv/Ry3lGmqbJ/JGvCjWxBl5ozRfqo86Ngz59UAlfk=
 contrib.go.opencensus.io/exporter/jaeger v0.2.0/go.mod h1:ukdzwIYYHgZ7QYtwVFQUjiT28BJHiMhTERo32s6qVgM=
 contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA=
@ -43,19 +57,22 @@ github.com/OpenDNS/vegadns2client v0.0.0-20180418235048-a3fa4a771d87/go.mod h1:i
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/akamai/AkamaiOPEN-edgegrid-golang v0.9.0/go.mod h1:zpDJeKyp9ScW4NNrbdr+Eyxvry3ilGPewKoXw3XGN1k=
 github.com/akamai/AkamaiOPEN-edgegrid-golang v0.9.8/go.mod h1:aVvklgKsPENRkl29bNwrHISa1F+YLGTHArMxZMBqWM8=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190808125512-07798873deee/go.mod h1:myCDvQSzCW+wB1WAlocEru4wMGJxy+vlxHdhegi1CDQ=
 github.com/aliyun/alibaba-cloud-sdk-go v1.61.112/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
 github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
-github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-metrics v0.3.0 h1:B7AQgHi8QSEi4uHu7Sbsga+IJDU+CENgjxoo81vDUqU=
 github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/aws/aws-sdk-go v1.23.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.30.20/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
@ -63,6 +80,7 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
 github.com/caddyserver/certmagic v0.10.12 h1:aZtgzcIssiMSlP0jDdpDBbBzQ5INf5eKL9T6Nf3YzKM=
 github.com/caddyserver/certmagic v0.10.12/go.mod h1:Y8jcUBctgk/IhpAzlHKfimZNyXCkfGgRTC0orl8gROQ=
 github.com/cenkalti/backoff/v4 v4.0.0 h1:6VeaLF9aI+MAUQ95106HwWzYZgJJpZ4stumjj6RFYAU=
@ -74,20 +92,25 @@ github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/cloudflare-go v0.10.2/go.mod h1:qhVI5MKwBGhdNU89ZRz2plgYutcJ5PCekLxXn56w6SY=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200313221541-5f7e5dd04533 h1:8wZizuKuZVu5COB7EsBYxBQz8nRcXXn5d4Gt91eJLvU=
 github.com/cncf/udpa/go v0.0.0-20200313221541-5f7e5dd04533/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpu/goacmedns v0.0.1/go.mod h1:sesf/pNnCYwUevQEQfEwY0Y3DydlQWSGZbaMElOWxok=
 github.com/cpu/goacmedns v0.0.2/go.mod h1:4MipLkI+qScwqtVxcNO6okBhbgRrr7/tKXUSgSL0teQ=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -98,11 +121,13 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
 github.com/dnaeon/go-vcr v0.0.0-20180814043457-aafff18a5cc2/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
 github.com/dnsimple/dnsimple-go v0.30.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
 github.com/dnsimple/dnsimple-go v0.60.0/go.mod h1:O5TJ0/U6r7AfT8niYNlmohpLbCSG+c71tQlGr9SeGrg=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/go-control-plane v0.9.5 h1:lRJIqDD8yjV1YyPRqecMdytjDLs2fTXq363aCib5xPU=
 github.com/envoyproxy/go-control-plane v0.9.5/go.mod h1:OXl5to++W0ctG+EHWTFUjiypVxC/Y4VLc/KFU+al13s=
 github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
@ -118,9 +143,13 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-acme/lego/v3 v3.4.0 h1:deB9NkelA+TfjGHVw8J7iKl/rMtffcGMWSMmptvMv0A=
 github.com/go-acme/lego/v3 v3.4.0/go.mod h1:xYbLDuxq3Hy4bMUT1t9JIuz6GWIWb3m5X+TeTHYaT7M=
 github.com/go-acme/lego/v3 v3.7.0 h1:qC5/8/CbltyAE8fGLE6bGlqucj7pXc/vBxiLwLOsmAQ=
 github.com/go-acme/lego/v3 v3.7.0/go.mod h1:4eDjjYkAsDXyNcwN8IhhZAwxz9Ltiks1Zmpv0q20J7A=
 github.com/go-cmd/cmd v1.0.5/go.mod h1:y8q8qlK5wQibcw63djSl/ntiHUHXHGdCkPk0j4QeW4s=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.44.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
@ -128,6 +157,7 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-redis/redis/v7 v7.2.0 h1:CrCexy/jYWZjW0AyVoHlcJUeZN19VWlbepTh1Vq6dJs=
 github.com/go-redis/redis/v7 v7.2.0/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRfnwdHj/Dcg=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
@ -141,11 +171,14 @@ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekf
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/protobuf v0.0.0-20181025225059-d3de96c4c28e/go.mod h1:Qd/q+1AKNOZr9uGQzbzCmRO6sUih6GTPZv6a1/R87v0=
@ -153,12 +186,16 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0 h1:oOuy+ugB+P/kBdUnG5QaMXSIyJ1q38wWSojYCb3z5VQ=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
@ -168,6 +205,8 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.4.1 h1:/exdXoGamhu5ONeUJH0deniYLWYvQwW66yvlfiiKTu0=
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-jsonnet v0.15.0 h1:lEUXTDnVsHu+CLLzMeWAdWV4JpCgkJeDqdVNS8RtyuY=
 github.com/google/go-jsonnet v0.15.0/go.mod h1:ex9QcU8vzXQUDeNe4gaN1uhGQbTYpOeZ6AbWdy6JbX4=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
@ -175,6 +214,9 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@ -194,16 +236,20 @@ github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
 github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q=
+github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
-github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0 h1:Iju5GlWwrvL6UBg4zJJt3btmonfrMlCDdsejg4CZE7c=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
 github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-immutable-radix v1.1.0 h1:vN9wG1D6KG6YHRTWr8512cxGOVgTMEfgEdSj/hr8MPc=
 github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@ -213,11 +259,16 @@ github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iP
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
 github.com/hashicorp/go-uuid v1.0.0 h1:RS8zrF7PhGwyNPOtxSClXXj9HA8feRnJzgnI1RJCSnM=
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1BE=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
@ -225,19 +276,26 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/memberlist v0.2.0 h1:WeeNspppWi5s1OFefTviPQueC/Bq8dONfvNjPhiEQKE=
+github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
-github.com/hashicorp/memberlist v0.2.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
+github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/memberlist v0.2.2 h1:5+RffWKwqJ71YPu9mWsF7ZOscZmwfasdA8kbdC7AO2g=
 github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhKWFeDesPjMj+wCHReeknARU3wqlyN4=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
@ -276,16 +334,22 @@ github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
 github.com/miekg/dns v1.1.27 h1:aEH/kqUzUxGJ/UHcEKdJY+ugH6WEzsEBBSPa8zuy1aM=
 github.com/miekg/dns v1.1.27/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/go-vnc v0.0.0-20150629162542-723ed9867aed/go.mod h1:3rdaFaCv4AyBgu5ALFM0+tSuHrBh6v692nyQe3ikrq0=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/hashstructure v1.0.0 h1:ZkRJX1CyOoTkar7p/mLS5TZU4nJ1Rn/F8u9dGS02Q3Y=
 github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -298,6 +362,7 @@ github.com/natefinch/atomic v0.0.0-20150920032501-a62ce929ffcc h1:7xGrl4tTpBQu5Z
 github.com/natefinch/atomic v0.0.0-20150920032501-a62ce929ffcc/go.mod h1:1rLVY/DWf3U6vSZgH16S7pymfrhK2lcUlXjgGglw/lY=
 github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
 github.com/nrdcg/auroradns v1.0.0/go.mod h1:6JPXKzIRzZzMqtTDgueIhTi6rFf1QvYE/HzqidhOhjw=
 github.com/nrdcg/auroradns v1.0.1/go.mod h1:y4pc0i9QXYlFCWrhWrUSIETnZgrf4KuwjDIWmmXo3JI=
 github.com/nrdcg/dnspod-go v0.4.0/go.mod h1:vZSoFSFeQVm2gWLMkyX61LZ8HI3BaqtHZWgPTGKr6KQ=
 github.com/nrdcg/goinwx v0.6.1/go.mod h1:XPiut7enlbEdntAqalBIqcYcTEVhpv/dKWgDCX2SwKQ=
 github.com/nrdcg/namesilo v0.2.1/go.mod h1:lwMvfQTyYq+BbjJd30ylEG4GPSS6PII0Tia4rRpRiyw=
@ -334,8 +399,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/pomerium/autocache v0.0.0-20200309220911-227c9939d0ce h1:oqn4rqjp23rLyW3wwsYnWf01iNgeKsE29N6EMycTvlA=
+github.com/pomerium/autocache v0.0.0-20200505053831-8c1cd659f055 h1:y73x4eEnZkCHdC46HG2h+ZAuNQUW1tu7hgvC7v+jI2o=
-github.com/pomerium/autocache v0.0.0-20200309220911-227c9939d0ce/go.mod h1:C6qF5bWZF7gIkJurnnWKx/PgJjYfR9aSfpOzpM454fo=
+github.com/pomerium/autocache v0.0.0-20200505053831-8c1cd659f055/go.mod h1:xCwNSx2PcCbOG6XT0PpAGRkM5ZHnbXZLKg2ntE22j+M=
 github.com/pomerium/csrf v1.6.2-0.20190918035251-f3318380bad3 h1:FmzFXnCAepHZwl6QPhTFqBHcbcGevdiEQjutK+M5bj4=
 github.com/pomerium/csrf v1.6.2-0.20190918035251-f3318380bad3/go.mod h1:UE2U4JOsjXNeq+MX/lqhZpUFsNAxbXERuYsWK2iULh0=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
@ -389,6 +454,7 @@ github.com/rs/zerolog v1.18.0 h1:CbAm3kP2Tptby1i9sYy2MGRg0uxIN9cyDb59Ys7W8z8=
 github.com/rs/zerolog v1.18.0/go.mod h1:9nvC1axdVrAHcu/s9taAVfBuIdTZLVQmKQyvrUjF5+I=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/sacloud/libsacloud v1.26.1/go.mod h1:79ZwATmHLIFZIMd7sxA3LwzVy/B77uj3LDoToVTxDoQ=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@ -422,8 +488,8 @@ github.com/spf13/pflag v0.0.0-20181024212040-082b515c9490/go.mod h1:DYY7MBk1bdzu
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.6.3 h1:pDDu1OyEDTKzpJwdq4TiuLyMsUgRa/BT5cn5O62NoHs=
+github.com/spf13/viper v1.7.0 h1:xVKxvI7ouOI5I+U9s2eeiUfMaWBVoXA3AWskkrqK0VM=
-github.com/spf13/viper v1.6.3/go.mod h1:jUMtyi0/lB5yZH/FjyGAoH7IMNrIhlBf6pXZmbMDvzw=
+github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@ -436,6 +502,7 @@ github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69
 github.com/timewasted/linode v0.0.0-20160829202747-37e84520dcf7/go.mod h1:imsgLplxEC/etjIhdr3dNzV3JeT27LbVu5pYWm0JCBY=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/transip/gotransip v0.0.0-20190812104329-6d8d9179b66f/go.mod h1:i0f4R4o2HM0m3DZYQWsj6/MEowD57VzoH0v3d7igeFY=
 github.com/transip/gotransip/v6 v6.0.2/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g=
 github.com/uber/jaeger-client-go v2.15.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
@ -446,10 +513,11 @@ github.com/vultr/govultr v0.1.4/go.mod h1:9H008Uxr/C4vFNGLqKx232C206GL0PBHzOP080
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b h1:vVRagRXf67ESqAb72hG2C/ZwI8NtJF2u2V76EsuOHGY=
 github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
@ -458,6 +526,7 @@ go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3 h1:8sGtKOrtQqkN1bp2AtX+misvLIlOmsEsNd+9NIcPEm8=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@ -467,6 +536,7 @@ go.uber.org/ratelimit v0.0.0-20180316092928-c15da0234277/go.mod h1:2X8KaoNd1J0lZ
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180621125126-a49355c7e3f8/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@ -476,13 +546,18 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79 h1:IaQbIIB2X/Mp/DKctl6ROxz1KyMlKp4uyvL6+kQ7C88=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
-golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
 golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
 golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181023182221-1baf3a9d7d67/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@ -492,16 +567,22 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180611182652-db08ff08e862/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -512,7 +593,7 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65 h1:+rhAzEzT3f4JtomfC371qB+0Ola2caSKcY69NUBZrRQ=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@ -520,12 +601,20 @@ golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190930134127-c5a3c61f89f3/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191027093000-83d349e8ac1a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa h1:F+8P+gmewFQYRk6JoLQLwjBCTu3mcIURZfNkVweuRKA=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200505041828-1ed23360d12c h1:zJ0mtu4jCalhKg6Oaukv6iIkb+cOvDrajDH9DH46Q4M=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200505041828-1ed23360d12c/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f h1:QBjCr1Fz5kw158VqdE9JfI9cJnl/ymnJWAdMuinqL7Y=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -535,11 +624,14 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -559,12 +651,23 @@ golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200117145432-59e60aa80a0c h1:gUYreENmqtjZb2brVfUas1sC6UivSY8XwKwPo8tloLs=
 golang.org/x/sys v0.0.0-20200117145432-59e60aa80a0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f h1:gWF768j/LaZugp8dyS4UwsslYCYz9XgFxvlgsn0n9H8=
 golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -575,6 +678,7 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190921001708-c4c64cad1fd0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -597,9 +701,25 @@ golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 h1:VvQyQJN0tSuecqgcIxMWnnfG5kSmgy9KZR9sW3W5QeA=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
 golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
@ -609,9 +729,15 @@ google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEt
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/api v0.14.0 h1:uMf5uLi4eQMRrMKhCplNik4U4H8Z6C1br3zOtAa/aDE=
 google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.22.0 h1:J1Pl9P2lnmYFSJvgs70DKELqHNh8CNWXPbud4njEE2s=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/api v0.23.0 h1:YlvGEOq2NA2my8cZ/9V8BcEO9okD48FlJcdqN0xJL3s=
 google.golang.org/api v0.23.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -627,26 +753,41 @@ google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204235621-fb4a7afc5178 h1:4mrurAiSXsNNb6GoJatrIsnI+JqKHAVQQ1SbMS5OtDI=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204235621-fb4a7afc5178/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
 google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171 h1:xes2Q2k+d/+YNXVw0FpZkIDJiaux4OVrRKXRAzH6A0U=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940 h1:MRHtG0U6SnaUb+s+LhNE1qt1FQ1wlhqr5E4usBKC0uA=
 google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0 h1:rRYRFMVgRv6E0D70Skyfsr28tDXIuuPZyWGMPdMcnXg=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1 h1:zvIju4sqAGvwKspUQOhwnpcqSbzi7/H6QomNNjTL4sk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.28.0 h1:bO/TA4OxCOummhSf10siHuG7vJOiwh7SpRpFZDkOgl4=
 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0 h1:qdOKuR/EIArgaWNjetjgTzgVTAZ+S/WXVrq9HW9zimw=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -684,6 +825,7 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
--- a/integration/backends/httpdetails/go.mod
+++ b/integration/backends/httpdetails/go.mod
@ -0,0 +1,3 @@
 module github.com/pomerium/pomerium/integration/backends/httpdetails
 go 1.14
--- a/integration/backends/httpdetails/index.js
+++ b/integration/backends/httpdetails/index.js
@ -1,29 +0,0 @@
 const http = require("http");
 const requestListener = function (req, res) {
  const {
    pathname: path,
    hostname: host,
    port: port,
    search: query,
    hash: hash,
  } = new URL(req.url, `http://${req.headers.host}`);
  res.setHeader("Content-Type", "application/json");
  res.writeHead(200);
  res.end(
    JSON.stringify({
      headers: req.headers,
      method: req.method,
      host: host,
      port: port,
      path: path,
      query: query,
      hash: hash,
    })
  );
 };
 const server = http.createServer(requestListener);
 console.log("starting http server on :8080");
 server.listen(8080);
--- a/integration/backends/httpdetails/main.go
+++ b/integration/backends/httpdetails/main.go
@ -0,0 +1,94 @@
 package main
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
 )
 func main() {
 	var (
 		certFile, keyFile, mutualAuthCAFile, bindAddr string
 	)
 	flag.StringVar(&certFile, "cert-file", "", "the tls cert file to use")
 	flag.StringVar(&keyFile, "key-file", "", "the tls key file to use")
 	flag.StringVar(&mutualAuthCAFile, "mutual-auth-ca-file", "", "if set, require a client cert signed via this ca file")
 	flag.StringVar(&bindAddr, "bind-addr", "", "the address to listen on")
 	flag.Parse()
 	srv := &http.Server{
 		Handler: http.HandlerFunc(handle),
 	}
 	if mutualAuthCAFile != "" {
 		caCert, err := ioutil.ReadFile(mutualAuthCAFile)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed to read mutual-auth-ca-file: %v", err)
 			os.Exit(1)
 		}
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)
 		srv.TLSConfig = &tls.Config{
 			ClientCAs:  caCertPool,
 			ClientAuth: tls.RequireAndVerifyClientCert,
 		}
 		srv.TLSConfig.BuildNameToCertificate()
 	}
 	var err error
 	if certFile != "" && keyFile != "" {
 		if bindAddr == "" {
 			bindAddr = ":5443"
 		}
 		srv.Addr = bindAddr
 		fmt.Println("starting server on", bindAddr)
 		err = srv.ListenAndServeTLS(certFile, keyFile)
 	} else {
 		if bindAddr == "" {
 			bindAddr = ":5080"
 		}
 		srv.Addr = bindAddr
 		fmt.Println("starting server on", bindAddr)
 		err = srv.ListenAndServe()
 	}
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to listen and serve: %v", err)
 		os.Exit(1)
 	}
 }
 type Result struct {
 	Headers    map[string]string `json:"headers"`
 	Method     string            `json:"method"`
 	Host       string            `json:"host"`
 	Port       string            `json:"port"`
 	Path       string            `json:"path"`
 	Query      string            `json:"query"`
 	RequestURI string            `json:"requestURI"`
 }
 func handle(w http.ResponseWriter, r *http.Request) {
 	res := &Result{
 		Headers:    map[string]string{},
 		Method:     r.Method,
 		Host:       r.Host,
 		Port:       r.URL.Port(),
 		Path:       r.URL.Path,
 		Query:      r.URL.RawQuery,
 		RequestURI: r.RequestURI,
 	}
 	for k := range r.Header {
 		res.Headers[k] = r.Header.Get(k)
 	}
 	res.Headers["Host"] = r.Host
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(200)
 	_ = json.NewEncoder(w).Encode(res)
 }
--- a/integration/backends/ws-echo/go.mod
+++ b/integration/backends/ws-echo/go.mod
@ -0,0 +1,5 @@
 module github.com/pomerium/pomerium/integration/backends/ws-echo
 go 1.14
 require github.com/gorilla/websocket v1.4.2
--- a/integration/backends/ws-echo/go.sum
+++ b/integration/backends/ws-echo/go.sum
@ -0,0 +1,2 @@
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
--- a/integration/backends/ws-echo/index.js
+++ b/integration/backends/ws-echo/index.js
@ -1,10 +0,0 @@
 const WebSocket = require("ws");
 console.log("starting websocket server on :8080");
 const wss = new WebSocket.Server({ port: 8080 });
 wss.on("connection", function connection(ws) {
  ws.on("message", function incoming(message) {
    console.log("received: %s", message);
    ws.send(message);
  });
 });
--- a/integration/backends/ws-echo/main.go
+++ b/integration/backends/ws-echo/main.go
@ -0,0 +1,60 @@
 package main
 import (
 	"flag"
 	"fmt"
 	"net/http"
 	"os"
 	"github.com/gorilla/websocket"
 )
 func main() {
 	var (
 		certFile, keyFile, bindAddr string
 	)
 	flag.StringVar(&certFile, "cert-file", "", "the tls cert file to use")
 	flag.StringVar(&keyFile, "key-file", "", "the tls key file to use")
 	flag.StringVar(&bindAddr, "bind-addr", "", "the address to listen on")
 	flag.Parse()
 	var err error
 	if certFile != "" && keyFile != "" {
 		if bindAddr == "" {
 			bindAddr = ":5443"
 		}
 		fmt.Println("starting server on", bindAddr)
 		err = http.ListenAndServeTLS(bindAddr, certFile, keyFile, http.HandlerFunc(handle))
 	} else {
 		if bindAddr == "" {
 			bindAddr = ":5080"
 		}
 		fmt.Println("starting server on", bindAddr)
 		err = http.ListenAndServe(bindAddr, http.HandlerFunc(handle))
 	}
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "failed to listen and serve: %v", err)
 		os.Exit(1)
 	}
 }
 func handle(w http.ResponseWriter, r *http.Request) {
 	conn, err := websocket.Upgrade(w, r, nil, 1024, 1024)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 	defer conn.Close()
 	for {
 		mt, p, err := conn.ReadMessage()
 		if err != nil {
 			return
 		}
 		err = conn.WriteMessage(mt, p)
 		if err != nil {
 			return
 		}
 	}
 }
--- a/integration/backends/ws-echo/package.json
+++ b/integration/backends/ws-echo/package.json
@ -1,14 +0,0 @@
 {
  "name": "ws-echo",
  "version": "0.1.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "ws": "^7.2.5"
  }
 }
--- a/integration/internal/cluster/certs.go
+++ b/integration/internal/cluster/certs.go
@ -1,69 +1,120 @@
 package cluster
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/google/uuid"
 )
 // TLSCerts holds the certificate authority, certificate and certificate key for a TLS connection.
 type TLSCerts struct {
-	CA   string
+	CA     []byte
-	Cert string
+	Cert   []byte
-	Key  string
+	Key    []byte
 	Client struct {
 		Cert []byte
 		Key  []byte
 	}
 }
-func bootstrapCerts(ctx context.Context) (*TLSCerts, error) {
+// TLSCertsBundle holds various TLSCerts.
-	err := run(ctx, "mkcert", withArgs("-install"))
+type TLSCertsBundle struct {
-	if err != nil {
+	Trusted      TLSCerts
-		return nil, fmt.Errorf("error install root certificate: %w", err)
+	WronglyNamed TLSCerts
-	}
+	Untrusted    TLSCerts
-
+}
-	var buf bytes.Buffer
+
-	err = run(ctx, "mkcert", withArgs("-CAROOT"), withStdout(&buf))
+func bootstrapCerts(ctx context.Context) (*TLSCertsBundle, error) {
-	if err != nil {
+	wd := filepath.Join(os.TempDir(), "pomerium-integration-tests", "certs")
-		return nil, fmt.Errorf("error running mkcert")
+	err := os.MkdirAll(wd, 0755)
-	}
+	if err != nil {
-
+		return nil, fmt.Errorf("error creating integration tests working directory: %w", err)
-	caPath := strings.TrimSpace(buf.String())
+	}
-	ca, err := ioutil.ReadFile(filepath.Join(caPath, "rootCA.pem"))
+
-	if err != nil {
+	var bundle TLSCertsBundle
-		return nil, fmt.Errorf("error reading root ca: %w", err)
+
-	}
+	var generators = []struct {
-
+		certs   *TLSCerts
-	wd := filepath.Join(os.TempDir(), uuid.New().String())
+		caroot  string
-	err = os.MkdirAll(wd, 0755)
+		install bool
-	if err != nil {
+		name    string
-		return nil, fmt.Errorf("error creating temporary directory: %w", err)
+	}{
-	}
+		{&bundle.Trusted, filepath.Join(wd, "trusted"), true, "*.localhost.pomerium.io"},
-	defer func() {
+		{&bundle.WronglyNamed, filepath.Join(wd, "wrongly-named"), true, "*.localhost.notpomerium.io"},
-		_ = os.RemoveAll(wd)
+		{&bundle.Untrusted, filepath.Join(wd, "untrusted"), false, "*.localhost.pomerium.io"},
-	}()
+	}
-
+
-	err = run(ctx, "mkcert", withArgs("*.localhost.pomerium.io"), withWorkingDir(wd))
+	for _, generator := range generators {
-	if err != nil {
+		err = os.MkdirAll(generator.caroot, 0755)
-		return nil, fmt.Errorf("error generating certificates: %w", err)
+		if err != nil {
-	}
+			return nil, fmt.Errorf("error creating integration tests %s working directory: %w",
-
+				filepath.Base(generator.caroot), err)
-	cert, err := ioutil.ReadFile(filepath.Join(wd, "_wildcard.localhost.pomerium.io.pem"))
+		}
-	if err != nil {
+
-		return nil, fmt.Errorf("error reading certificate: %w", err)
+		args := []string{"-install"}
-	}
+		env := []string{"CAROOT=" + generator.caroot}
-
+		if !generator.install {
-	key, err := ioutil.ReadFile(filepath.Join(wd, "_wildcard.localhost.pomerium.io-key.pem"))
+			env = append(env, "TRUST_STORES=xxx")
-	if err != nil {
+		}
-		return nil, fmt.Errorf("error reading certificate key: %w", err)
+		err = run(ctx, "mkcert", withArgs(args...), withEnv(env...))
-	}
+		if err != nil {
-
+			return nil, fmt.Errorf("error creating %s certificate authority: %w",
-	return &TLSCerts{
+				filepath.Base(generator.caroot), err)
-		CA:   string(ca),
+		}
-		Cert: string(cert),
+
-		Key:  string(key),
+		fp := filepath.Join(generator.caroot, "rootCA.pem")
-	}, nil
+		generator.certs.CA, err = ioutil.ReadFile(fp)
 		if err != nil {
 			return nil, fmt.Errorf("error reading %s root ca: %w",
 				filepath.Base(generator.caroot), err)
 		}
 		root := filepath.Join(generator.caroot, strings.ReplaceAll(generator.name, "*", "_wildcard"))
 		fileMap := map[string]*[]byte{
 			root + ".pem":            &generator.certs.Cert,
 			root + "-client.pem":     &generator.certs.Client.Cert,
 			root + "-key.pem":        &generator.certs.Key,
 			root + "-client-key.pem": &generator.certs.Client.Key,
 		}
 		regenerate := false
 		for name := range fileMap {
 			if _, err := os.Stat(name); err != nil {
 				regenerate = true
 			}
 		}
 		if regenerate {
 			env = []string{"CAROOT=" + generator.caroot}
 			err = run(ctx, "mkcert",
 				withArgs(generator.name),
 				withWorkingDir(generator.caroot),
 				withEnv(env...))
 			if err != nil {
 				return nil, fmt.Errorf("error generating %s certificates: %w",
 					filepath.Base(generator.caroot), err)
 			}
 			err = run(ctx, "mkcert",
 				withArgs("-client", generator.name),
 				withWorkingDir(generator.caroot),
 				withEnv(env...))
 			if err != nil {
 				return nil, fmt.Errorf("error generating %s client certificates: %w",
 					filepath.Base(generator.caroot), err)
 			}
 		}
 		for name, ptr := range fileMap {
 			*ptr, err = ioutil.ReadFile(name)
 			if err != nil {
 				return nil, fmt.Errorf("error reading %s: %w",
 					name, err)
 			}
 		}
 	}
 	return &bundle, nil
 }
--- a/integration/internal/cluster/cluster.go
+++ b/integration/internal/cluster/cluster.go
@ -14,7 +14,7 @@ type Cluster struct {
 	Transport *http.Transport
 	workingDir  string
-	certs      *TLSCerts
+	certsBundle *TLSCertsBundle
 }
 // New creates a new Cluster.
--- a/integration/internal/cluster/cmd.go
+++ b/integration/internal/cluster/cmd.go
@ -5,6 +5,7 @@ import (
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"github.com/rs/zerolog/log"
@ -18,6 +19,12 @@ func withArgs(args ...string) cmdOption {
 	}
 }
 func withEnv(env ...string) cmdOption {
 	return func(cmd *exec.Cmd) {
 		cmd.Env = append(os.Environ(), env...)
 	}
 }
 func withStdin(rdr io.Reader) cmdOption {
 	return func(cmd *exec.Cmd) {
 		cmd.Stdin = rdr
--- a/integration/internal/cluster/setup.go
+++ b/integration/internal/cluster/setup.go
@ -21,12 +21,12 @@ import (
 )
 var requiredDeployments = []string{
 	"ingress-nginx/nginx-ingress-controller",
 	"default/httpdetails",
 	"default/openid",
 	"default/pomerium-authenticate",
 	"default/pomerium-authorize",
 	"default/pomerium-proxy",
 	"ingress-nginx/nginx-ingress-controller",
 }
 // Setup configures the test cluster so that it is ready for the integration tests.
@ -36,7 +36,7 @@ func (cluster *Cluster) Setup(ctx context.Context) error {
 		return fmt.Errorf("error running kubectl cluster-info: %w", err)
 	}
-	cluster.certs, err = bootstrapCerts(ctx)
+	cluster.certsBundle, err = bootstrapCerts(ctx)
 	if err != nil {
 		return err
 	}
@ -146,9 +146,21 @@ func (cluster *Cluster) generateManifests() (string, error) {
 	}
 	vm := jsonnet.MakeVM()
-	vm.ExtVar("tls-ca", cluster.certs.CA)
+	for _, item := range []struct {
-	vm.ExtVar("tls-cert", cluster.certs.Cert)
+		name  string
-	vm.ExtVar("tls-key", cluster.certs.Key)
+		certs *TLSCerts
 	}{
 		{"trusted", &cluster.certsBundle.Trusted},
 		{"wrongly-named", &cluster.certsBundle.WronglyNamed},
 		{"untrusted", &cluster.certsBundle.Untrusted},
 	} {
 		vm.ExtVar("tls-"+item.name+"-ca", string(item.certs.CA))
 		vm.ExtVar("tls-"+item.name+"-cert", string(item.certs.Cert))
 		vm.ExtVar("tls-"+item.name+"-key", string(item.certs.Key))
 		vm.ExtVar("tls-"+item.name+"-client-cert", string(item.certs.Client.Cert))
 		vm.ExtVar("tls-"+item.name+"-client-key", string(item.certs.Client.Key))
 	}
 	vm.Importer(&jsonnet.FileImporter{
 		JPaths: []string{filepath.Join(cluster.workingDir, "manifests")},
 	})
@ -167,7 +179,7 @@ func applyManifests(ctx context.Context, jsonsrc string) error {
 	}
 	log.Info().Msg("waiting for deployments to come up")
-	ctx, clearTimeout := context.WithTimeout(ctx, 5*time.Minute)
+	ctx, clearTimeout := context.WithTimeout(ctx, 15*time.Minute)
 	defer clearTimeout()
 	ticker := time.NewTicker(time.Second * 5)
 	defer ticker.Stop()
--- a/integration/manifests/lib/backends.libsonnet
+++ b/integration/manifests/lib/backends.libsonnet
@ -11,95 +11,149 @@ local configMap = function(name, data) {
  data: data,
 };
-local service = function(name) {
+local service = function(name, tlsName, requireMutualAuth) {
  local fullName = (if tlsName != null then tlsName + '-' else '') +
                   (if requireMutualAuth then 'mtls-' else '') +
                   name,
  apiVersion: 'v1',
  kind: 'Service',
  metadata: {
    namespace: 'default',
-    name: name,
+    name: fullName,
-    labels: { app: name },
+    labels: { app: fullName },
  },
  spec: {
-    selector: { app: name },
+    selector: { app: fullName },
-    ports: [{
+    ports: [
      {
        name: 'http',
        port: 80,
        targetPort: 'http',
-    }],
+      },
      {
        name: 'https',
        port: 443,
        targetPort: 'https',
      },
    ],
  },
 };
-local deployment = function(name) {
+local deployment = function(name, tlsName, requireMutualAuth) {
  local fullName = (if tlsName != null then tlsName + '-' else '') +
                   (if requireMutualAuth then 'mtls-' else '') +
                   name,
  apiVersion: 'apps/v1',
  kind: 'Deployment',
  metadata: {
    namespace: 'default',
-    name: name,
+    name: fullName,
  },
  spec: {
    replicas: 1,
-    selector: { matchLabels: { app: name } },
+    selector: { matchLabels: { app: fullName } },
    template: {
      metadata: {
-        labels: { app: name },
+        labels: { app: fullName },
      },
      spec: {
-        initContainers: [{
+        containers: [{
-          name: 'init',
+          name: 'main',
-          image: 'node:14-stretch-slim',
+          image: 'golang:buster',
          imagePullPolicy: 'IfNotPresent',
-          args: ['bash', '-c', 'cp -rL /src/* /app/'],
+          args: [
-          volumeMounts: [{
+            'bash',
            '-c',
            'cd /src && go run . ' +
            (if tlsName != null then
               ' -cert-file=/certs/tls.crt -key-file=/certs/tls.key'
             else
               '') +
            (if requireMutualAuth then
               ' -mutual-auth-ca-file=/certs/tls-ca.crt'
             else
               ''),
          ],
          ports: [
            {
              name: 'http',
              containerPort: 5080,
            },
            {
              name: 'https',
              containerPort: 5443,
            },
          ],
          volumeMounts: [
            {
              name: 'src',
              mountPath: '/src',
-          }, {
+            },
-            name: 'app',
+            {
-            mountPath: '/app',
+              name: 'certs',
              mountPath: '/certs',
            },
          ],
        }],
-        }],
+        volumes: [
-        containers: [{
+          {
          name: name,
          image: 'node:14-stretch-slim',
          imagePullPolicy: 'IfNotPresent',
          args: ['bash', '-c', 'cd /app && npm install && node index.js'],
          ports: [{
            name: 'http',
            containerPort: 8080,
          }],
          volumeMounts: [{
            name: 'app',
            mountPath: '/app',
          }],
        }],
        volumes: [{
            name: 'src',
            configMap: {
              name: name,
            },
-        }, {
+          },
-          name: 'app',
+        ] + if tlsName != null then [
          {
            name: 'certs',
            secret: {
              secretName: 'pomerium-' + tlsName + '-tls',
            },
          },
        ] else [
          {
            name: 'certs',
            emptyDir: {},
-        }],
+          },
        ],
      },
    },
  },
 };
 local backends = [
  { name: 'httpdetails', files: {
    'main.go': importstr '../../backends/httpdetails/main.go',
    'go.mod': importstr '../../backends/httpdetails/go.mod',
  } },
  { name: 'ws-echo', files: {
    'main.go': importstr '../../backends/ws-echo/main.go',
    'go.mod': importstr '../../backends/ws-echo/go.mod',
    'go.sum': importstr '../../backends/ws-echo/go.sum',
  } },
 ];
 {
  apiVersion: 'v1',
  kind: 'List',
-  items: [
+  items: std.flattenArrays(
-    configMap('httpdetails', {
+    [
-      'index.js': importstr '../../backends/httpdetails/index.js',
+      [
-    }),
+        configMap(backend.name, backend.files),
-    service('httpdetails'),
+        service(backend.name, null, false),
-    deployment('httpdetails'),
+        deployment(backend.name, null, false),
-
+        service(backend.name, 'wrongly-named', false),
-    configMap('ws-echo', {
+        deployment(backend.name, 'wrongly-named', false),
-      'package.json': importstr '../../backends/ws-echo/package.json',
+        service(backend.name, 'untrusted', false),
-      'index.js': importstr '../../backends/ws-echo/index.js',
+        deployment(backend.name, 'untrusted', false),
-    }),
+      ]
-    service('ws-echo'),
+      for backend in backends
-    deployment('ws-echo'),
+    ] + [
      [
        service('httpdetails', 'trusted', true),
        deployment('httpdetails', 'trusted', true),
      ],
    ],
  ),
 }
--- a/integration/manifests/lib/pomerium.libsonnet
+++ b/integration/manifests/lib/pomerium.libsonnet
@ -1,6 +1,70 @@
 local tls = import './tls.libsonnet';
-local PomeriumPolicy = function() std.flattenArrays([
+local PomeriumPolicy = function() std.flattenArrays(
  [
    [
      // tls_skip_verify
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://untrusted-httpdetails.default.svc.cluster.local',
        path: '/tls-skip-verify-enabled',
        tls_skip_verify: true,
        allow_public_unauthenticated_access: true,
      },
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://untrusted-httpdetails.default.svc.cluster.local',
        path: '/tls-skip-verify-disabled',
        tls_skip_verify: false,
        allow_public_unauthenticated_access: true,
      },
      // tls_server_name
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://wrongly-named-httpdetails.default.svc.cluster.local',
        path: '/tls-server-name-enabled',
        tls_server_name: 'httpdetails.localhost.notpomerium.io',
        allow_public_unauthenticated_access: true,
      },
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://wrongly-named-httpdetails.default.svc.cluster.local',
        path: '/tls-server-name-disabled',
        allow_public_unauthenticated_access: true,
      },
      // tls_custom_certificate_authority
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://untrusted-httpdetails.default.svc.cluster.local',
        path: '/tls-custom-ca-enabled',
        tls_custom_ca: std.base64(tls.untrusted.ca),
        tls_server_name: 'httpdetails.localhost.pomerium.io',
        allow_public_unauthenticated_access: true,
      },
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://untrusted-httpdetails.default.svc.cluster.local',
        path: '/tls-custom-ca-disabled',
        allow_public_unauthenticated_access: true,
      },
      // tls_client_cert
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://trusted-mtls-httpdetails.default.svc.cluster.local',
        path: '/tls-client-cert-enabled',
        tls_client_cert: std.base64(tls.trusted.client.cert),
        tls_client_key: std.base64(tls.trusted.client.key),
        tls_server_name: 'httpdetails.localhost.pomerium.io',
        allow_public_unauthenticated_access: true,
      },
      {
        from: 'http://httpdetails.localhost.pomerium.io',
        to: 'https://trusted-mtls-httpdetails.default.svc.cluster.local',
        path: '/tls-client-cert-disabled',
        allow_public_unauthenticated_access: true,
      },
    ],
  ] + [
    [
      {
        from: 'http://' + domain + '.localhost.pomerium.io',
@ -62,7 +126,8 @@ local PomeriumPolicy = function() std.flattenArrays([
      },
    ]
    for domain in ['httpdetails', 'fa-httpdetails', 'ws-echo']
-]) + [
+  ] + [
    [
      {
        from: 'http://enabled-ws-echo.localhost.pomerium.io',
        to: 'http://ws-echo.default.svc.cluster.local',
@ -74,36 +139,26 @@ local PomeriumPolicy = function() std.flattenArrays([
        to: 'http://ws-echo.default.svc.cluster.local',
        allow_public_unauthenticated_access: true,
      },
-];
+    ],
  ]
 );
 local PomeriumPolicyHash = std.base64(std.md5(std.manifestJsonEx(PomeriumPolicy(), '')));
-local PomeriumTLSSecret = function() {
+local PomeriumTLSSecret = function(name) {
  apiVersion: 'v1',
  kind: 'Secret',
  type: 'kubernetes.io/tls',
  metadata: {
    namespace: 'default',
-    name: 'pomerium-tls',
+    name: 'pomerium-' + name + '-tls',
  },
  data: {
-    'tls.crt': std.base64(tls.cert),
+    'tls-ca.crt': std.base64(tls[name].ca),
-    'tls.key': std.base64(tls.key),
+    'tls.crt': std.base64(tls[name].cert),
-  },
+    'tls.key': std.base64(tls[name].key),
-};
+    'tls-client.crt': std.base64(tls[name].client.cert),
-
+    'tls-client.key': std.base64(tls[name].client.key),
 local PomeriumCAsConfigMap = function() {
  apiVersion: 'v1',
  kind: 'ConfigMap',
  metadata: {
    namespace: 'default',
    name: 'pomerium-cas',
    labels: {
      'app.kubernetes.io/part-of': 'pomerium',
    },
  },
  data: {
    'pomerium.crt': tls.ca,
  },
 };
@ -133,8 +188,8 @@ local PomeriumConfigMap = function() {
    SHARED_SECRET: 'Wy+c0uSuIM0yGGXs82MBwTZwRiZ7Ki2T0LANnmzUtkI=',
    COOKIE_SECRET: 'eZ91a/j9fhgki9zPDU5zHdQWX4io89pJanChMVa5OoM=',
-    CERTIFICATE: std.base64(tls.cert),
+    CERTIFICATE: std.base64(tls.trusted.cert),
-    CERTIFICATE_KEY: std.base64(tls.key),
+    CERTIFICATE_KEY: std.base64(tls.trusted.key),
    IDP_PROVIDER: 'oidc',
    IDP_PROVIDER_URL: 'https://openid.localhost.pomerium.io',
@ -181,25 +236,43 @@ local PomeriumDeployment = function(svc) {
            'authenticate.localhost.pomerium.io',
          ],
        }],
-        initContainers: [{
+        initContainers: [
-          name: 'pomerium-' + svc + '-certs',
+          {
            name: 'init',
            image: 'buildpack-deps:buster-curl',
-          imagePullPolicy: 'Always',
+            imagePullPolicy: 'IfNotPresent',
            command: ['sh', '-c', |||
-            cp /incoming-certs/* /usr/local/share/ca-certificates
+              cp /incoming-certs/trusted/tls-ca.crt /usr/local/share/ca-certificates/pomerium-trusted.crt
              cp /incoming-certs/wrongly-named/tls-ca.crt /usr/local/share/ca-certificates/pomerium-wrongly-named.crt
              update-ca-certificates
            |||],
            volumeMounts: [
              {
-              name: 'incoming-certs',
+                name: 'trusted-incoming-certs',
-              mountPath: '/incoming-certs',
+                mountPath: '/incoming-certs/trusted',
              },
              {
                name: 'wrongly-named-incoming-certs',
                mountPath: '/incoming-certs/wrongly-named',
              },
              {
                name: 'outgoing-certs',
                mountPath: '/etc/ssl/certs',
              },
            ],
-        }],
+          },
        ] + if svc == 'authenticate' then [
          {
            name: 'wait-for-openid',
            image: 'buildpack-deps:buster-curl',
            imagePullPolicy: 'IfNotPresent',
            command: ['sh', '-c', |||
              while ! curl http://openid.default.svc.cluster.local/.well-known/openid-configuration ; do
                sleep 5
              done
            |||],
          },
        ] else [],
        containers: [{
          name: 'pomerium-' + svc,
          image: 'pomerium/pomerium:dev',
@ -224,9 +297,15 @@ local PomeriumDeployment = function(svc) {
        }],
        volumes: [
          {
-            name: 'incoming-certs',
+            name: 'trusted-incoming-certs',
-            configMap: {
+            secret: {
-              name: 'pomerium-cas',
+              secretName: 'pomerium-trusted-tls',
            },
          },
          {
            name: 'wrongly-named-incoming-certs',
            secret: {
              secretName: 'pomerium-wrongly-named-tls',
            },
          },
          {
@ -318,7 +397,7 @@ local PomeriumIngress = function() {
        hosts: [
          'authenticate.localhost.pomerium.io',
        ] + proxyHosts,
-        secretName: 'pomerium-tls',
+        secretName: 'pomerium-trusted-tls',
      },
    ],
    rules: [
@ -370,7 +449,7 @@ local PomeriumForwardAuthIngress = function() {
        hosts: [
          'fa-httpdetails.localhost.pomerium.io',
        ],
-        secretName: 'pomerium-tls',
+        secretName: 'pomerium-trusted-tls',
      },
    ],
    rules: [
@ -404,8 +483,9 @@ local PomeriumForwardAuthIngress = function() {
  kind: 'List',
  items: [
    PomeriumConfigMap(),
-    PomeriumCAsConfigMap(),
+    PomeriumTLSSecret('trusted'),
-    PomeriumTLSSecret(),
+    PomeriumTLSSecret('untrusted'),
    PomeriumTLSSecret('wrongly-named'),
    PomeriumService('authenticate'),
    PomeriumDeployment('authenticate'),
    PomeriumService('authorize'),
--- a/integration/manifests/lib/reference-openid-provider.libsonnet
+++ b/integration/manifests/lib/reference-openid-provider.libsonnet
@ -73,7 +73,7 @@ local Ingress = function() {
        hosts: [
          'openid.localhost.pomerium.io',
        ],
-        secretName: 'pomerium-tls',
+        secretName: 'pomerium-trusted-tls',
      },
    ],
    rules: [
--- a/integration/manifests/lib/tls.libsonnet
+++ b/integration/manifests/lib/tls.libsonnet
@ -1,5 +1,29 @@
 {
-  cert: std.extVar('tls-cert'),
+  trusted: {
-  key: std.extVar('tls-key'),
+    cert: std.extVar('tls-trusted-cert'),
-  ca: std.extVar('tls-ca'),
+    key: std.extVar('tls-trusted-key'),
    ca: std.extVar('tls-trusted-ca'),
    client: {
      cert: std.extVar('tls-trusted-client-cert'),
      key: std.extVar('tls-trusted-client-key'),
    },
  },
  'wrongly-named': {
    cert: std.extVar('tls-wrongly-named-cert'),
    key: std.extVar('tls-wrongly-named-key'),
    ca: std.extVar('tls-wrongly-named-ca'),
    client: {
      cert: std.extVar('tls-wrongly-named-client-cert'),
      key: std.extVar('tls-wrongly-named-client-key'),
    },
  },
  untrusted: {
    cert: std.extVar('tls-untrusted-cert'),
    key: std.extVar('tls-untrusted-key'),
    ca: std.extVar('tls-untrusted-ca'),
    client: {
      cert: std.extVar('tls-untrusted-client-cert'),
      key: std.extVar('tls-untrusted-client-key'),
    },
  },
 }
--- a/integration/policy_test.go
+++ b/integration/policy_test.go
@ -10,8 +10,9 @@ import (
 	"time"
 	"github.com/gorilla/websocket"
 	"github.com/pomerium/pomerium/integration/internal/netutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/pomerium/pomerium/integration/internal/netutil"
 )
 func TestCORS(t *testing.T) {
@ -77,15 +78,15 @@ func TestPreserveHostHeader(t *testing.T) {
 		defer res.Body.Close()
 		var result struct {
-			Headers map[string]string `json:"headers"`
+			Host string `json:"host"`
 		}
 		err = json.NewDecoder(res.Body).Decode(&result)
 		if !assert.NoError(t, err) {
 			return
 		}
-		assert.Equal(t, "httpdetails.localhost.pomerium.io", result.Headers["host"],
+		assert.Equal(t, "httpdetails.localhost.pomerium.io", result.Host,
-			"destination host should be preserved")
+			"destination host should be preserved in %v", result)
 	})
 	t.Run("disabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
@ -102,15 +103,15 @@ func TestPreserveHostHeader(t *testing.T) {
 		defer res.Body.Close()
 		var result struct {
-			Headers map[string]string `json:"headers"`
+			Host string `json:"host"`
 		}
 		err = json.NewDecoder(res.Body).Decode(&result)
 		if !assert.NoError(t, err) {
 			return
 		}
-		assert.NotEqual(t, "httpdetails.localhost.pomerium.io", result.Headers["host"],
+		assert.NotEqual(t, "httpdetails.localhost.pomerium.io", result.Host,
-			"destination host should not be preserved")
+			"destination host should not be preserved in %v", result)
 	})
 }
@ -141,7 +142,7 @@ func TestSetRequestHeaders(t *testing.T) {
 		return
 	}
-	assert.Equal(t, "custom-request-header-value", result.Headers["x-custom-request-header"],
+	assert.Equal(t, "custom-request-header-value", result.Headers["X-Custom-Request-Header"],
 		"expected custom request header to be sent upstream")
 }
@ -183,16 +184,171 @@ func TestWebsocket(t *testing.T) {
 	})
 }
 func TestTLSSkipVerify(t *testing.T) {
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
 	t.Run("enabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-skip-verify-enabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusOK, res.StatusCode)
 	})
 	t.Run("disabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-skip-verify-disabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
 	})
 }
 func TestTLSServerName(t *testing.T) {
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
 	t.Run("enabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-server-name-enabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusOK, res.StatusCode)
 	})
 	t.Run("disabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-server-name-disabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
 	})
 }
 func TestTLSCustomCA(t *testing.T) {
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
 	t.Run("enabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-custom-ca-enabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusOK, res.StatusCode)
 	})
 	t.Run("disabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-custom-ca-disabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
 	})
 }
 func TestTLSClientCert(t *testing.T) {
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
 	t.Run("enabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-client-cert-enabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusOK, res.StatusCode)
 	})
 	t.Run("disabled", func(t *testing.T) {
 		client := testcluster.NewHTTPClient()
 		req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/tls-client-cert-disabled", nil)
 		if err != nil {
 			t.Fatal(err)
 		}
 		res, err := client.Do(req)
 		if !assert.NoError(t, err, "unexpected http error") {
 			return
 		}
 		defer res.Body.Close()
 		assert.Equal(t, http.StatusBadGateway, res.StatusCode)
 	})
 }
 func TestSNIMismatch(t *testing.T) {
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
 	// Browsers will coalesce connections for the same IP address and TLS certificate
 	// even if the request was made to different domain names. We need to support this
 	// so this test makes a request with an incorrect TLS server name to make sure it
 	// gets routed properly
 	ctx := mainCtx
 	ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
 	defer clearTimeout()
 	hostport, err := testcluster.GetNodePortAddr(ctx, "default", "pomerium-proxy-nodeport")
 	if err != nil {
 		t.Fatal(err)
		`@ -0,0 +1,3 @@`
							`module github.com/pomerium/pomerium/integration/backends/httpdetails`

							`go 1.14`
		`@ -0,0 +1,2 @@`
							`github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=`
							`github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=`