Enterprise Upgrade & Changelog Pages (#2453)

* update enterprise reference source * add upgrade and changelog pages
2025-04-29 18:36:30 +02:00 · 2021-08-09 11:55:47 -05:00 · 2021-08-09 11:55:47 -05:00 · faecfd460b
commit faecfd460b
parent 6237668871
7 changed files with 71 additions and 70 deletions
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -224,6 +224,8 @@ module.exports = {
                "/enterprise/reference/configure",
              ],
            },
+            "upgrading",
+            "changelog"
          ],
        },
      ],
--- a/docs/enterprise/changelog.md
+++ b/docs/enterprise/changelog.md
@ -0,0 +1,37 @@
+---
+title: Changelog
+sidebarDepth: 0
+---
+
+#  Changelog
+
+## 0.15.0
+
+### New
+
+- [Telemetry]: View real time metrics and status from Pomerium components inside the Enterprise Console.
+- More expressive policy syntax: Pomerium's new extended [policy language] allows more complex policies to be configured, along with non-identity based conditions for access.
+- Support for [Google Cloud Serverless] configuration on routes.
+- Support for [SPDY] configuration on routes.
+- More consistent filtering and sorting across [resource listing pages][runtime].
+
+### Updated
+
+- Certificate Management: Certificates with overlapping SAN names are no longer permitted.
+- [Policies]: New editing screen supports Wizard based, Text based or Rego based policy.
+- Policies: Only global administrators may manage Rego based policies.
+- Policies: Support time based criteria.
+- [Service Accounts]: Simplified UI.
+- Service Accounts: Support token expiration time.
+- Service Accounts: Namespace support.
+- Impersonation: Impersonation is now done on an individual session basis.
+- Various other bug fixes and improvements.
+
+[`signing key`]: /reference/readme.md/#signing-key
+[Telemetry]: /enterprise/reference/reports.md#traffic
+[policy language]: /enterprise/reference/manage.md#pomerium-policy-language
+[Google Cloud Serverless]: /reference/readme.md#enable-google-cloud-serverless-authentication
+[SPDY]: /reference/readme.md#spdy
+[runtime]: /enterprise/reference/reports.md#runtime
+[Policies]: /enterprise/reference/manage.md#policies-2
+[Service Accounts]: /enterprise/concepts.md#service-accounts
--- a/docs/enterprise/console-settings.yaml
+++ b/docs/enterprise/console-settings.yaml
@ -71,6 +71,8 @@ settings:
            settings:
              - name: "Allow Websockets"
                keys: ["allow_websockets"]
+              - name: "Allow SPDY"
+                keys: ["allow_spdy"]
              - name: "Timeout"
                keys: ["timeout"]
              - name: "Idle Timeout"
@ -173,8 +175,6 @@ settings:
        settings:
          - name: "Global"
            settings:
-              - name: "Administrators"
-                doc: A list of users with full access to Pomerium Enterprise
              - name: "Debug"
              - name: "Forward Auth"
              - name: "HTTP Redirect Address"
@ -205,18 +205,12 @@ settings:
                  See https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters (opens new window)for details
          - name: "Tracing"
          - name: "Authenticate"
-          - name: "Authorize"
-            settings:
-              - name: "Signing Key"
-              - name: "Signing Key Algorithm"
          - name: "Proxy"
            settings:
              - name: "Certificate Authority"
                keys: ["certificate_authority"]
              - name: "Default Upstream Timeout"
              - name: "JWT Claim Headers"
-              - name: "Override Certificate Name"
-              - name: "Refresh Cooldown"
              - name: "X-Forward-For HTTP Header"
                keys: ["skip_xff_append"]
              - name: "Response Headers"
--- a/docs/enterprise/reference/configure.md
+++ b/docs/enterprise/reference/configure.md
@ -15,10 +15,6 @@ meta:
 ### Global


-#### Administrators
-
-A list of users with full access to Pomerium Enterprise
-
 #### Debug

 ::: danger
@ -244,54 +240,6 @@ tracing_zipkin_endpoint | Url to the Zipkin HTTP endpoint. | ✅
 ### Authenticate


-### Authorize
-
-
-#### Signing Key
-
-Signing Key is the private key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.
-
-If set, the signing key's public key will can retrieved by hitting Pomerium's `/.well-known/pomerium/jwks.json` endpoint which lives on the authenticate service. Otherwise, the endpoint will return an empty keyset.
-
-For example, assuming you have [generated an ES256 key](https://github.com/pomerium/pomerium/blob/master/scripts/generate_self_signed_signing_key.sh) as follows.
-
-```bash
-# Generates an P-256 (ES256) signing key
-openssl ecparam  -genkey  -name prime256v1  -noout  -out ec_private.pem
-# careful! this will output your private key in terminal
-cat ec_private.pem | base64
-```
-
-That signing key can be accessed via the well-known jwks endpoint.
-
-```bash
-$ curl https://authenticate.int.example.com/.well-known/pomerium/jwks.json | jq
-```
-
-```json
-{
-  "keys": [
-    {
-      "use": "sig",
-      "kty": "EC",
-      "kid": "ccc5bc9d835ff3c8f7075ed4a7510159cf440fd7bf7b517b5caeb1fa419ee6a1",
-      "crv": "P-256",
-      "alg": "ES256",
-      "x": "QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4",
-      "y": "PI95b-ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY"
-    }
-  ]
-}
-```
-
-If no certificate is specified, one will be generated and the base64'd public key will be added to the logs. Note, however, that this key be unique to each service, ephemeral, and will not be accessible via the authenticate service's `jwks_uri` endpoint.
-
-#### Signing Key Algorithm
-
-This setting specifies which signing algorithm to use when signing the upstream attestation JWT. Cryptographic algorithm choice is subtle, and beyond the scope of this document, but we suggest sticking to the default `ES256` unless you have a good reason to use something else.
-
-Be aware that any RSA based signature method may be an order of magnitude lower than [elliptic curve] variants like ECDSA (`ES256`). For more information, checkout [this article](https://www.scottbrady91.com/JOSE/JWTs-Which-Signing-Algorithm-Should-I-Use).
-
 ### Proxy


@ -328,14 +276,6 @@ Will add an `X-Email` header with a value of the `email` claim.

 Use this option if you previously relied on `x-pomerium-authenticated-user-{email|user-id|groups}`.

-#### Override Certificate Name
-
-Secure service communication can fail if the external certificate does not match the internally routed service hostname/[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication). This setting allows you to override that value.
-
-#### Refresh Cooldown
-
-Refresh cooldown is the minimum amount of time between allowed manually refreshed sessions.
-
 #### X-Forward-For HTTP Header

 Do not append proxy IP address to `x-forwarded-for` HTTP header. See [Envoy](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html?highlight=skip_xff_append#x-forwarded-for) docs for more detail.
--- a/docs/enterprise/reference/manage.md
+++ b/docs/enterprise/reference/manage.md
@ -164,6 +164,10 @@ If set, enables proxying of websocket connections.

 :::

+#### Allow SPDY
+
+If set, enables proxying of SPDY protocol upgrades.
+
 #### Timeout

 Policy timeout establishes the per-route timeout value. Cannot exceed global timeout values.
--- a/docs/enterprise/upgrading.md
+++ b/docs/enterprise/upgrading.md
@ -0,0 +1,24 @@
+---
+title: Upgrading
+sidebarDepth: 0
+description: >-
+  This page contains the list of deprecations and important or breaking changes
+  for Pomerium Enterprise. Please read it carefully.
+---
+
+#  Upgrading Pomerium Enterprise
+
+When new version of Pomerium Enterprise are released, check back to this page before you upgrade.
+
+## 0.15.0
+
+### Before You Upgrade
+
+- `signing-key` is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the [signing key] reference page for more information on generating a key.
+- `audience` is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the [`from`](/reference/readme.md#routes) field in the Routes entry (not including the protocol).
+
+[signing key]: /reference/readme.md/#signing-key
+
+
+
+
--- a/scripts/generate-console-pages.js
+++ b/scripts/generate-console-pages.js
@ -62,7 +62,7 @@ title: Environment Variables
 lang: en-US
 meta:
    - name: keywords
-      content: configuration options settings Pomerium enterprise console
+      content: configuration options settings Pomerium Enterprise
 ---

 # Pomerium Console Environment Variables
@ -102,7 +102,7 @@ lang: en-US
 sidebarDepth: 2
 meta:
    - name: keywords
-      content: configuration options settings Pomerium enterprise console
+      content: configuration options settings Pomerium Enterprise
 ---

 `;