#!/bin/bash # Main configuration flags : https://www.pomerium.com/docs/reference/ # Main configuration flags # export ADDRESS=":8443" # optional, default is 443 # export POMERIUM_DEBUG=true # optional, default is false # export SERVICE="all" # optional, default is all # export LOG_LEVEL="info" # optional, default is debug export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com # AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode, # otherwise it should be set to a "behind-the-ingress" routable url # export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local # export DATABROKER_SERVICE_URL=https://pomerium-databroker-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. # See : https://www.pomerium.com/docs/reference/certificates export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible. # export AUTOCERT_DIR="./certs" # The path where you want to place your certificates # export CERTIFICATE_FILE="xxxx" # optional, defaults to `./cert.pem` # export CERTIFICATE_KEY_FILE="xxx" # optional, defaults to `./certprivkey.pem` # export CERTIFICATE="xxx" # base64 encoded cert, eg. `base64 -i cert.pem` # export CERTIFICATE_KEY="xxx" # base64 encoded key, eg. `base64 -i privkey.pem` # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64` export SHARED_SECRET="$(head -c32 /dev/urandom | base64)" export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)" # If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion` # export SIGNING_KEY="Replace with base64'd private key from ./scripts/self-signed-sign-key.sh" # Identity Provider Settings # Auth0 # export IDP_PROVIDER="auth0" # export IDP_PROVIDER_URL="https://REPLACEME.us.auth0.com" # export IDP_CLIENT_ID="REPLACEME" # from the application the users login to # export IDP_CLIENT_SECRET="REPLACEME" # from the application the users login to # the following is optional and only needed if you want role (Auth0 calls groups roles) data # Azure # export IDP_PROVIDER="azure" # export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0" # export IDP_CLIENT_ID="REPLACEME # export IDP_CLIENT_SECRET="REPLACEME" ## GOOGLE export IDP_PROVIDER="google" # OKTA # export IDP_PROVIDER="okta" # export IDP_CLIENT_ID="REPLACEME" # export IDP_CLIENT_SECRET="REPLACEME" # export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default" # OneLogin # export IDP_PROVIDER="onelogin" # export IDP_CLIENT_ID="REPLACEME" # export IDP_CLIENT_SECRET="REPLACEME" # export IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc` # Proxied routes and per-route policies are defined in a policy provided either # directly as a base64 encoded yaml/json file, or as the policy key in the configuration # file export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"