mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-03 03:12:50 +02:00
Pomerium is an identity and context-aware access proxy.
7a6d7c5a3c
## Summary Update the `RouteID` to use the `policy.ID` if it is set. This makes it so that updated routes use a stable identifier between updates so if the envoy control plane is updated before the authorize service's internal definitions (or vice-versa) the authorize service will still be able to match the route. The current behavior results in a 404 if envoy passes the old route id. The new behavior will result in inconsistency, but it should be quickly remedied. To help with debugging 4 new fields were added to the authorize check log. The `route-id` and `route-checksum` as the authorize sees it and the `envoy-route-id` and `envoy-route-checksum` as envoy sees it. I also updated the way we send updates to envoy to try and model their recommended approach: > In general, to avoid traffic drop, sequencing of updates should follow a make before break model, wherein: > > - CDS updates (if any) must always be pushed first. > - EDS updates (if any) must arrive after CDS updates for the respective clusters. > - LDS updates must arrive after corresponding CDS/EDS updates. > - RDS updates related to the newly added listeners must arrive after CDS/EDS/LDS updates. > - VHDS updates (if any) related to the newly added RouteConfigurations must arrive after RDS updates. > - Stale CDS clusters and related EDS endpoints (ones no longer being referenced) can then be removed. This should help avoid 404s when configuration is being updated. ## Related issues - [ENG-2386](https://linear.app/pomerium/issue/ENG-2386/large-number-of-routes-leads-to-404s-and-slowness) ## Checklist - [x] reference any related issues - [x] updated unit tests - [x] add appropriate label (`enhancement`, `bug`, `breaking`, `dependencies`, `ci`) - [x] ready for review |
||
|---|---|---|
| .github | ||
| .vscode | ||
| authenticate | ||
| authorize | ||
| changelogs | ||
| cmd/pomerium | ||
| config | ||
| databroker | ||
| examples | ||
| integration | ||
| internal | ||
| k8s/zero | ||
| ospkg | ||
| pkg | ||
| proxy | ||
| scripts | ||
| ui | ||
| .codecov.yml | ||
| .dockerignore | ||
| .fossa.yml | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| .pre-commit-config.yaml | ||
| 3RD-PARTY | ||
| DEBUG.MD | ||
| Dockerfile | ||
| Dockerfile.debug | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| Makefile | ||
| pomerium.go | ||
| README.md | ||
| RELEASING.md | ||
| SECURITY.md | ||
Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN.
Pomerium is:
- Easier with clientless access.
- Faster by being tunnel-free and deployed where your apps and services are.
- Safer because every single action is verified before allowed to execute.
- Tailored to your organization’s needs by integrating all data for context-aware access.
It’s not a VPN alternative – it’s the trusted, foolproof way to protect your business. Want a hosted control plane and management GUI? Give Pomerium Zero a try today!
Docs
For comprehensive docs, and tutorials see our documentation.
Contributing
See Contributing for information on how you can contribute to Pomerium.