pomerium/docs/configuration/examples/config/config.example.env

#!/bin/bash
# Main configuration flags : https://www.pomerium.io/docs/reference/reference/

# Main configuration flags
# export ADDRESS=":8443"                      # optional, default is 443
# export POMERIUM_DEBUG=true                  # optional, default is false
# export SERVICE="all"                        # optional, default is all
# export LOG_LEVEL="info"                     # optional, default is debug

export AUTHENTICATE_SERVICE_URL=https://authenticate.corp.beyondperimeter.com
# AUTHORIZE_SERVICE_URL service url will default to localhost in all-in-one mode,
# otherwise it should be set to a "behind-the-ingress" routable url
# export AUTHORIZE_SERVICE_URL=https://pomerium-authorize-service.default.svc.cluster.local
# export CACHE_SERVICE_URL=https://pomerium-cache-service.default.svc.cluster.local

# Certificates can be loaded as files or base64 encoded bytes.
# See : https://www.pomerium.io/docs/reference/certificates
export AUTOCERT=TRUE # Use Let's Encrypt to fetch certs. Port 80/443 must be internet accessible.
# export AUTOCERT_DIR="./certs" # The path where you want to place your certificates
# export CERTIFICATE_FILE="xxxx"      # optional, defaults to `./cert.pem`
# export CERTIFICATE_KEY_FILE="xxx" # optional, defaults to `./certprivkey.pem`
# export CERTIFICATE="xxx"          # base64 encoded cert, eg. `base64 -i cert.pem`
# export CERTIFICATE_KEY="xxx"      # base64 encoded key, eg. `base64 -i privkey.pem`

# Generate 256 bit random keys  e.g. `head -c32 /dev/urandom | base64`
export SHARED_SECRET="$(head -c32 /dev/urandom | base64)"
export COOKIE_SECRET="$(head -c32 /dev/urandom | base64)"
# If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion`
# export SIGNING_KEY="Replace with base64'd private key from ./scripts/self-signed-sign-key.sh"

# Identity Provider Settings

# Azure
# export IDP_PROVIDER="azure"
# export IDP_PROVIDER_URL="https://login.microsoftonline.com/REPLACEME/v2.0"
# export IDP_CLIENT_ID="REPLACEME
# export IDP_CLIENT_SECRET="REPLACEME"

## GOOGLE
export IDP_PROVIDER="google"
export IDP_PROVIDER_URL="https://accounts.google.com" # optional for google

# IF GSUITE and you want to get user groups you will need to set a service account
# see identity provider docs for gooogle for more info :
# export IDP_SERVICE_ACCOUNT=$(echo '{"impersonate_user": "bdd@pomerium.io"}' | base64)

# OKTA
# export IDP_PROVIDER="okta"
# export IDP_CLIENT_ID="REPLACEME"
# export IDP_CLIENT_SECRET="REPLACEME"
# export IDP_PROVIDER_URL="https://REPLACEME.oktapreview.com/oauth2/default"

# OneLogin
# export IDP_PROVIDER="onelogin"
# export IDP_CLIENT_ID="REPLACEME"
# export IDP_CLIENT_SECRET="REPLACEME"
# export IDP_PROVIDER_URL="https://openid-connect.onelogin.com/oidc" #optional, defaults to `https://openid-connect.onelogin.com/oidc`

# export SCOPE="openid email" # generally, you want the default OIDC scopes

# Proxied routes and per-route policies are defined in a policy provided either
# directly as a base64 encoded yaml/json file, or as the policy key in the configuration
# file
export POLICY="$(base64 ./docs/configuration/examples/config/policy.example.yaml)"