version: "3" services: nginx: image: pomerium/nginx-proxy:latest ports: - "443:443" volumes: # NOTE!!! : nginx must be supplied with your wildcard certificates. # see : https://github.com/jwilder/nginx-proxy#wildcard-certificates - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/fullchain.cer:/etc/nginx/certs/corp.beyondperimeter.com.crt:ro - ~/.acme.sh/*.corp.beyondperimeter.com_ecc/*.corp.beyondperimeter.com.key:/etc/nginx/certs/corp.beyondperimeter.com.key:ro - /var/run/docker.sock:/tmp/docker.sock:ro pomerium-authenticate: image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=authenticate - INSECURE_SERVER=TRUE # NOTE!: Replace with your identity provider settings https://www.pomerium.com/docs/identity-providers.html # - IDP_PROVIDER=okta # - IDP_PROVIDER_URL=https://beyondperimeter.okta.com # - IDP_CLIENT_ID=REPLACE_ME # - IDP_CLIENT_SECRET=REPLACE_ME # - IDP_SERVICE_ACCOUNT=REPLACE_ME # NOTE! Generate new secret keys! e.g. `head -c32 /dev/urandom | base64` # Generated secret keys must match between services - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI= # Tell nginx how to proxy pomerium's routes - VIRTUAL_PROTO=http - VIRTUAL_HOST=authenticate.corp.beyondperimeter.com - VIRTUAL_PORT=443 - DATABROKER_SERVICE_URL=http://pomerium-databroker:443 volumes: - ../config/config.example.yaml:/pomerium/config.yaml:ro expose: - 443 pomerium-proxy: image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=proxy - INSECURE_SERVER=TRUE # IMPORTANT! If you are running pomerium behind another ingress (loadbalancer/firewall/etc) # you must tell pomerium proxy how to communicate using an internal hostname for RPC - AUTHORIZE_SERVICE_URL=http://pomerium-authorize:443 # When communicating internally, rPC is going to get a name conflict expecting an external # facing certificate name (i.e. authenticate-service.local vs *.corp.example.com). - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI= # Tell nginx how to proxy pomerium's routes - VIRTUAL_PROTO=http - VIRTUAL_HOST=*.corp.beyondperimeter.com - VIRTUAL_PORT=443 volumes: - ../config/config.example.yaml:/pomerium/config.yaml:ro expose: - 443 pomerium-authorize: image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=authorize - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= - GRPC_INSECURE=TRUE - GRPC_ADDRESS=:443 volumes: # Retrieve non-secret config keys from the config file : https://www.pomerium.com/docs/reference/ # See `config.example.yaml` and modify to fit your needs. - ../config/config.example.yaml:/pomerium/config.yaml:ro expose: - 443 pomerium-databroker: image: pomerium/pomerium:latest # or `build: .` to build from source restart: always environment: - SERVICES=databroker - SHARED_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M= - GRPC_INSECURE=TRUE - GRPC_ADDRESS=:443 volumes: # Retrieve non-secret config keys from the config file : https://www.pomerium.com/docs/reference/ # See `config.example.yaml` and modify to fit your needs. - ../config/config.example.yaml:/pomerium/config.yaml:ro expose: - 443 # https://verify.corp.beyondperimeter.com verify: image: pomerium/verify:latest expose: - 80 # https://hello.corp.beyondperimeter.com hello: image: gcr.io/google-samples/hello-app:1.0 expose: - 8080