diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 00000000..63a0484f
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,18 @@
+name: Build
+
+permissions:
+ contents: read
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ build:
+ if: ${{ github.actor != 'dependabot[bot]' }}
+ name: Build
+ uses: ./.github/workflows/reusable-build.yaml
+ with:
+ ref: ${{ github.head_ref }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index 632164e8..00000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Lint
-permissions:
- contents: read
-on:
- push:
- branches:
- - main
- pull_request: {}
-
-jobs:
- lint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
- with:
- fetch-depth: 0
-
- - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
- with:
- go-version: 1.24.x
- cache: false
-
- - run: make envoy
- - run: make pomerium-ui
-
- - name: Run golangci-lint
- uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84
- with:
- version: v1.64.8
- args: --timeout=10m
diff --git a/.github/workflows/reusable-build.yaml b/.github/workflows/reusable-build.yaml
new file mode 100644
index 00000000..39ddad82
--- /dev/null
+++ b/.github/workflows/reusable-build.yaml
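Review bot: `ref: ${{ github.head_ref }}` on the `with:` line changes what pull requests check out: `head_ref` is a branch *name*, which actions/checkout resolves against this repository, so a PR from a fork either fails to check out or, if a same-named branch exists here, silently builds the wrong code, and even same-repo PRs now build the head branch instead of the merge ref (`refs/pull/N/merge`) that the deleted lint.yml and test.yaml workflows used. On the push trigger `head_ref` is empty and checkout falls back to the triggering commit, so that path is unaffected. Passing a SHA instead, `ref: ${{ github.event.pull_request.head.sha || github.sha }}`, keeps fork PRs working, and dropping the input entirely would restore the merge-ref behaviour. The value only reaches `with:` inputs, never a `run:` script, so there is no expression-injection exposure on this path.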
@@ -0,0 +1,105 @@
+name: Build
+
+on:
+ workflow_call:
+ inputs:
+ ref:
+ required: true
+ type: string
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ with:
+ ref: ${{ inputs.ref }}
+
+ - name: Setup Go
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
+ with:
+ go-version: 1.24.x
+
+ - name: Build
+ run: make build
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ with:
+ fetch-depth: 0
+ ref: ${{ inputs.ref }}
+
+ - name: Setup Go
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
+ with:
+ go-version: 1.24.x
+ cache: false
+
+ - run: make envoy
+ - run: make pomerium-ui
+
+ - name: Run golangci-lint
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84
+ with:
+ version: v1.64.8
+ args: --timeout=10m
+
+ pre-commit:
+ name: Pre-Commit
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ with:
+ fetch-depth: 0
+ ref: ${{ inputs.ref }}
+
+ - name: Setup Go
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
+ with:
+ go-version: 1.24.x
+
+ - name: Setup Python
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
+ with:
+ python-version: "3.x"
+
+ - name: Install Kustomize
+ run: make kustomize
+
+ - name: Pre-Commit
+ uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
+ with:
+ extra_args: --show-diff-on-failure --from-ref ${{
+ github.event.pull_request.base.sha }} --to-ref ${{
+ github.event.pull_request.head.sha }}
+ env:
+ SKIP: go-mod-tidy,lint
+
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ with:
+ fetch-depth: 0
+ ref: ${{ inputs.ref }}
+
+ - name: Setup Go
+ uses: 
actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
+ with:
+ go-version: 1.24.x
+
+ - name: set env vars
+ run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+ - name: Test
+ if: runner.os == 'Linux'
+ run: make test
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
deleted file mode 100644
index df1b93d4..00000000
--- a/.github/workflows/test.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-name: Test
-permissions:
- contents: read
-on:
- push:
- branches:
- - main
- pull_request:
-
-jobs:
- pre-commit:
- runs-on: ubuntu-latest
- if: github.event_name == 'pull_request'
- steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
- with:
- fetch-depth: 0
- - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
- with:
- go-version: 1.24.x
- - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
- with:
- python-version: "3.x"
- - name: install kustomize
- run: make kustomize
- - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd
- with:
- extra_args: --show-diff-on-failure --from-ref ${{
- github.event.pull_request.base.sha }} --to-ref ${{
- github.event.pull_request.head.sha }}
- env:
- SKIP: go-mod-tidy,lint
-
- test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
- with:
- fetch-depth: 0
-
- - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
- with:
- go-version: 1.24.x
-
- - name: set env vars
- run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
-
- - name: test
- if: runner.os == 'Linux'
- run: make test
-
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
-
- - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
- with:
- go-version: 1.24.x
-
- - name: build
- run: make build
diff --git a/Makefile b/Makefile
index b806b522..676110b7 100644
--- a/Makefile
+++ b/Makefile
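Review bot: The `pre-commit` job no longer carries the `if: github.event_name == 'pull_request'` guard that the deleted test.yaml had, yet its `extra_args` still interpolates `github.event.pull_request.base.sha` and `head.sha`; on the push-to-main trigger both expand to empty strings and pre-commit is invoked with bare `--from-ref --to-ref`, so that job will fail or diff nothing. The `github` context inside a called workflow is the caller's, so the guard can be restored verbatim on the job: `if: github.event_name == 'pull_request'`. Separately, this file declares no `permissions:` block; it inherits the caller's `contents: read`, which suffices for these jobs, but an explicit top-level `permissions: contents: read` here would keep that ceiling visible to any future caller.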
@@ -82,7 +82,7 @@ test: envoy generated pomerium-ui
 .PHONY: lint
 lint: envoy pomerium-ui
 @echo "==> $@"
- @VERSION=$$(go run github.com/mikefarah/yq/v4@v4.34.1 '.jobs.lint.steps[] | select(.uses == "golangci/golangci-lint-action*") | .with.version' .github/workflows/lint.yml) && \
+ @VERSION=$$(go run github.com/mikefarah/yq/v4@v4.34.1 '.jobs.lint.steps[] | select(.uses == "golangci/golangci-lint-action*") | .with.version' .github/workflows/reusable-build.yaml) && \
 go run github.com/golangci/golangci-lint/cmd/golangci-lint@$$VERSION run --fix ./...
 ##@ Build
@@ -212,6 +212,9 @@ docs: generated
 @echo "==> $@"
 @go run docs/cmd/main.go > reference.md
+.PHONY: generate
+generate: deployment docs
+
 #
 # --- internal development targets
 #
diff --git a/docs/cmd/main.go b/docs/cmd/main.go
index 433c0a5f..625e0c37 100644
--- a/docs/cmd/main.go
+++ b/docs/cmd/main.go
@@ -41,7 +41,7 @@ func generateMarkdown(w io.Writer) error {
 return fmt.Errorf("parsing %s: %w", key, err)
 }
- fmt.Fprintf(w, "## %s\n", strcase.ToCamel(key))
+ fmt.Fprintf(w, "\n## %s\n", strcase.ToCamel(key))
 if err := tmpl.ExecuteTemplate(w, "object", objects[key]); err != nil {
 return fmt.Errorf("exec template: %w", err)
 }
diff --git a/docs/templates/header.tmpl b/docs/templates/header.tmpl
index 73ddca0a..47b43533 100644
--- a/docs/templates/header.tmpl
+++ b/docs/templates/header.tmpl
@@ -1,4 +1,5 @@
-{{define "header"}}---
+{{define "header" -}}
+---
 title: Kubernetes Deployment Reference
 sidebar_label: Reference
 description: Reference for Pomerium settings in Kubernetes deployments.
diff --git a/docs/templates/object-properties.tmpl b/docs/templates/object-properties.tmpl
index ca99e1da..f513b7fa 100644
--- a/docs/templates/object-properties.tmpl
+++ b/docs/templates/object-properties.tmpl
@@ -1,38 +1,44 @@
-{{define "object-properties"}}{{if .}}
+{{- define "object-properties"}}
+{{- if .}}
- {{range .}} + {{- range .}} - {{end}} + {{- end}}

{{.ID}}   - {{if .ObjectRef}} + {{- if .ObjectRef}} object  ({{.ObjectRef}}) - {{else if and .Atomic .Atomic.ExplainFormat}} + {{- else if and .Atomic .Atomic.ExplainFormat}} {{.Atomic.Type}}  ({{.Atomic.Format}}) - {{else if .Atomic}} + {{- else if .Atomic}} {{.Atomic.Type}}  - {{else if .Map.Atomic}} + {{- else if .Map.Atomic}} map[string]{{.Map.Atomic.Type}} - {{else if .Map.ObjectRef}} + {{- else if .Map.ObjectRef}} map[string] {{.Map.ObjectRef}} - {{end}} + {{- end}}

- {{if .Required}}Required. {{end}} + {{- if .Required}} + Required.  + {{- end}} + {{- if .Description}} {{.Description}} + {{- end}}

- {{if and .Atomic .Atomic.ExplainFormat}} + {{- if and .Atomic .Atomic.ExplainFormat}} Format: {{.Atomic.ExplainFormat}} - {{end}} + {{- end}}
-{{end}}{{end}}
+{{- end}}
+{{- end}}
diff --git a/docs/templates/object.tmpl b/docs/templates/object.tmpl
index 797ae887..83266eb1 100644
--- a/docs/templates/object.tmpl
+++ b/docs/templates/object.tmpl
@@ -1,4 +1,4 @@
 {{define "object"}}
 {{.Description}}
 {{template "object-properties" .Properties}}
-{{end}}
+{{- end}}
diff --git a/docs/templates/objects.tmpl b/docs/templates/objects.tmpl
index 9f52205d..0bf5db03 100644
--- a/docs/templates/objects.tmpl
+++ b/docs/templates/objects.tmpl
@@ -1,6 +1,6 @@
-{{define "objects"}}
+{{- define "objects" }}
 {{range .}}
 ### `{{.ID}}`
 {{template "object" .}}
 {{end}}
-{{end}}
+{{- end}}
diff --git a/go.mod b/go.mod
index d9574a1f..832f5557 100644
--- a/go.mod
+++ b/go.mod
@@ -16,6 +16,7 @@ require (
 github.com/iancoleman/strcase v0.3.0
 github.com/martinlindhe/base36 v1.1.1
 github.com/open-policy-agent/opa v1.9.0
+ github.com/pomerium/csrf v1.7.0
 github.com/pomerium/pomerium v0.28.1-0.20251010012545-df8c257314b1
 github.com/rs/zerolog v1.34.0
 github.com/sergi/go-diff v1.4.0
diff --git a/go.sum b/go.sum
index 313c274c..4ea08a8c 100644
--- a/go.sum
+++ b/go.sum
@@ -465,6 +465,7 @@ github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81
 github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
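Review bot: The new `require` line `github.com/pomerium/csrf v1.7.0` in go.mod is not imported by any file in this diff; if the consuming code lives outside the hunks shown here that is fine, otherwise `go mod tidy` would drop it again. Note that the pre-commit job in reusable-build.yaml sets `SKIP: go-mod-tidy,lint`, so CI will not flag an unused or untidy requirement. Worth running `go mod tidy` locally before merge and confirming the go.sum additions, including the extra `gorilla/securecookie v1.1.1/go.mod` entry, are exactly what tidy produces.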
@@ -689,6 +690,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY=
+github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
 github.com/pomerium/envoy-custom v1.35.3-rc3 h1:9K4+Wc5bGbFfqTi+hB1zYj3fRUVokEXg8KjZWuUVtes=
diff --git a/reference.md b/reference.md
index 377418d7..17137708 100644
--- a/reference.md
+++ b/reference.md
@@ -14,6 +14,7 @@ kubectl describe pomerium Kubernetes-specific deployment parameters should be added via `kustomize` to the manifests. + ## Spec PomeriumSpec defines Pomerium-specific configuration parameters.
@@ -22,429 +23,300 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
-

accessLogFields   - []string  -

- AccessLogFields sets the access fields to log.

- -

authenticate   - object  (authenticate) -

- Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.

- -

authorizeLogFields   - []string  -

- AuthorizeLogFields sets the authorize fields to log.

- -

bearerTokenFormat   - string  -

- BearerTokenFormat sets the Bearer Token Format.

- -

caSecrets   - []string  -

- CASecret should refer to k8s secrets with key ca.crt containing a CA certificate.

- -

certificates   - []string  (namespace/name) -

- Certificates is a list of secrets of type TLS to use

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - -

circuitBreakerThresholds   - object  (circuitBreakerThresholds) -

- CircuitBreakerThresholds sets the circuit breaker thresholds settings.

- -

codecType   - string  -

- CodecType sets the Codec Type.

- -

cookie   - object  (cookie) -

- Cookie defines Pomerium session cookie options.

- -

dataBroker   - object  (dataBroker) -

- DataBroker sets the databroker settings.

- -

dns   - object  (dns) -

- DNS sets the dns settings.

- -

downstreamMtls   - object  (downstreamMtls) -

- DownstreamMTLS sets the Downstream MTLS Settings.

- -

identityProvider   - object  (identityProvider) -

- IdentityProvider configure single-sign-on authentication and user identity details by integrating with your Identity Provider

- -

idpAccessTokenAllowedAudiences   - []string  -

- IDPAccessTokenAllowedAudiences specifies the idp access token allowed audiences list.

- -

jwtClaimHeaders   - map[string]string -

- JWTClaimHeaders convert claims from the assertion token into HTTP headers and adds them into JWT assertion header. Please make sure to read Getting User Identity guide.

- -

otel   - object  (otel) -

- OTEL sets the OpenTelemetry Tracing.

- -

passIdentityHeaders   - boolean  -

- PassIdentityHeaders sets the pass identity headers option.

- -

programmaticRedirectDomains   - []string  -

- ProgrammaticRedirectDomains specifies a list of domains that can be used for programmatic redirects.

- -

runtimeFlags   - map[string]boolean -

- RuntimeFlags sets the runtime flags to enable/disable certain features.

- -

secrets   - string  (namespace/name) -

Required.  Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - -

setResponseHeaders   - map[string]string -

- SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service. See Set Response Headers

- -

ssh   - object  (ssh) -

- SSH sets the ssh settings.

- -

storage   - object  (storage) -

- Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).

- -

timeouts   - object  (timeouts) -

- Timeout specifies the global timeouts for all routes.

- -

useProxyProtocol   - boolean  -

- UseProxyProtocol enables Proxy Protocol support.

- - - - ### `authenticate` Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used. @@ -453,31 +325,23 @@ Authenticate sets authenticate service parameters. If not specified, a Pomerium- -

url   - string  (uri) -

Required.  AuthenticateURL is a dedicated domain URL the non-authenticated persons would be referred to.

- Format: an URI as parsed by Golang net/url.ParseRequestURI. - - - - ### `circuitBreakerThresholds` CircuitBreakerThresholds sets the circuit breaker thresholds settings. @@ -486,92 +350,64 @@ CircuitBreakerThresholds sets the circuit breaker thresholds settings. -

maxConnectionPools   - integer  -

- MaxConnectionPools sets the maximum number of connection pools per cluster that Envoy will concurrently support at once. If not specified, the default is unlimited. Set this for clusters which create a large number of connection pools.

- -

maxConnections   - integer  -

- MaxConnections sets the maximum number of connections that Envoy will make to the upstream cluster. If not specified, the default is 1024.

- -

maxPendingRequests   - integer  -

- MaxPendingRequests sets the maximum number of pending requests that Envoy will allow to the upstream cluster. If not specified, the default is 1024. This limit is applied as a connection limit for non-HTTP traffic.

- -

maxRequests   - integer  -

- MaxRequests sets the maximum number of parallel requests that Envoy will make to the upstream cluster. If not specified, the default is 1024. This limit does not apply to non-HTTP traffic.

- -

maxRetries   - integer  -

- MaxRetries sets the maximum number of parallel retries that Envoy will allow to the upstream cluster. If not specified, the default is 3.

- - - - ### `cookie` Cookie defines Pomerium session cookie options. @@ -580,95 +416,66 @@ Cookie defines Pomerium session cookie options. -

domain   - string  -

- Domain defaults to the same host that set the cookie. If you specify the domain explicitly, then subdomains would also be included.

- -

expire   - string  (duration) -

- Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected.

See Session Management (Enterprise) for a more fine-grained session controls.

Defaults to 14 hours.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - -

httpOnly   - boolean  -

- HTTPOnly if set to false, the cookie would be accessible from within the JavaScript. Defaults to true.

- -

name   - string  -

- Name sets the Pomerium session cookie name. Defaults to _pomerium

- -

sameSite   - string  -

- SameSite sets the SameSite option for cookies. Defaults to .

- - - - ### `dataBroker` DataBroker sets the databroker settings. @@ -677,28 +484,20 @@ DataBroker sets the databroker settings. -

clusterLeaderId   - string  -

- ClusterLeaderID defines the cluster leader in a clustered databroker.

- - - - ### `dns` DNS sets the dns settings. @@ -707,133 +506,92 @@ DNS sets the dns settings. -

failureRefreshRate   - string  (duration) -

- FailureRefreshRate is the rate at which DNS lookups are refreshed when requests are failing.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - -

lookupFamily   - string  -

- LookupFamily is the DNS IP address resolution policy.

- -

queryTimeout   - string  (duration) -

- QueryTimeout is the amount of time each name server is given to respond to a query on the first try of any given server.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - -

queryTries   - integer  -

- QueryTries is the maximum number of query attempts the resolver will make before giving up. Each attempt may use a different name server.

- -

refreshRate   - string  (duration) -

- RefreshRate is the rate at which DNS lookups are refreshed.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - -

udpMaxQueries   - integer  -

- UDPMaxQueries caps the number of UDP based DNS queries on a single port.

- -

useTcp   - boolean  -

- UseTCP uses TCP for all DNS queries instead of the default protocol UDP.

- - - - ### `downstreamMtls` DownstreamMTLS sets the Downstream MTLS Settings. @@ -842,99 +600,69 @@ DownstreamMTLS sets the matchSubjectAltNames) -

- Match Subject Alt Names can be used to add an additional constraint when validating client certificates.

- -

maxVerifyDepth   - integer  -

- MaxVerifyDepth sets a limit on the depth of a certificate chain presented by the client.

- - - - ### `file` File specifies file storage options. @@ -943,28 +671,21 @@ File specifies file storage options. -

path   - string  -

Required.  Path defines the local file system path to store data.

- - - - ### `identityProvider` IdentityProvider configure single-sign-on authentication and user identity details by integrating with your Identity Provider @@ -973,150 +694,106 @@ IdentityProvider configure single-sign-on authentication and user identity detai -

provider   - string  -

Required.  Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider, set to oidc.

- -

refreshDirectory   - object  (refreshDirectory) -

- RefreshDirectory is no longer supported, please see Upgrade Guide.

- -

requestParams   - map[string]string -

- RequestParams to be added as part of a sign-in request using OAuth2 code flow.

- -

requestParamsSecret   - string  (namespace/name) -

- RequestParamsSecret is a reference to a secret for additional parameters you'd prefer not to provide in plaintext.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - -

scopes   - []string  -

- Scopes Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.

- -

secret   - string  (namespace/name) -

Required.  Secret containing IdP provider specific parameters. and must contain at least client_id and client_secret values.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - -

serviceAccountFromSecret   - string  -

- ServiceAccountFromSecret is no longer supported, see Upgrade Guide.

- -

url   - string  (uri) -

- URL is the base path to an identity provider's OpenID connect discovery document. See Identity Providers guides for details.

- Format: an URI as parsed by Golang net/url.ParseRequestURI. - - - - ### `matchSubjectAltNames` Match Subject Alt Names can be used to add an additional constraint when validating client certificates. @@ -1125,92 +802,59 @@ Match Subject Alt Names can be used to add an additional constraint when validat -

dns   - string  -

- -

- -

email   - string  -

- -

- -

ipAddress   - string  -

- -

- -

uri   - string  -

- -

- -

userPrincipalName   - string  -

- -

- - - - ### `otel` OTEL sets the OpenTelemetry Tracing. @@ -1219,162 +863,114 @@ OTEL sets the Open -

bspMaxExportBatchSize   - integer  -

- BSPMaxExportBatchSize sets the maximum number of spans to export in a single batch

- -

bspScheduleDelay   - string  (duration) -

- BSPScheduleDelay sets interval between two consecutive exports

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - -

endpoint   - string  -

Required.  An OTLP/gRPC or OTLP/HTTP base endpoint URL with optional port.
Example: `http://localhost:4318`

- -

headers   - map[string]string -

- Extra headers

- -

logLevel   - string  -

- LogLevel sets the log level for the OpenTelemetry SDK.

- -

protocol   - string  -

Required.  Valid values are `"grpc"` or `"http/protobuf"`.

- -

resourceAttributes   - map[string]string -

- ResourceAttributes sets the additional attributes to be added to the trace.

- -

sampling   - string  -

- Sampling sets sampling probability between [0, 1].

- -

timeout   - string  (duration) -

- Export request timeout duration

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - - - - ### `postgres` Postgres specifies PostgreSQL database connection parameters @@ -1383,69 +979,49 @@ Postgres specifies PostgreSQL database connection parameters -

caSecret   - string  (namespace/name) -

- CASecret should refer to a k8s secret with key ca.crt containing CA certificate that, if specified, would be used to populate sslrootcert parameter of the connection string.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - -

secret   - string  (namespace/name) -

Required.  Secret specifies a name of a Secret that must contain connection key. See DSN Format and Parameters. Do not set sslrootcert, sslcert and sslkey via connection string, use tlsSecret and caSecret CRD options instead.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - -

tlsSecret   - string  (namespace/name) -

- TLSSecret should refer to a k8s secret of type kubernetes.io/tls and allows to specify an optional client certificate and key, by constructing sslcert and sslkey connection string parameter values.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. - - - - ### `refreshDirectory` RefreshDirectory is no longer supported, please see Upgrade Guide. @@ -1454,50 +1030,37 @@ RefreshDirectory is no longer supported, please see -

timeout   - string  (duration) -

Required.  timeout is the maximum time allowed each run.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - - - - ### `ssh` SSH sets the ssh settings. @@ -1506,44 +1069,29 @@ SSH sets the ssh settings. -

hostKeySecrets   - []string  -

- -

- -

userCaKeySecret   - string  -

- -

- - - - ### `storage` Storage defines persistent storage for sessions and other data. See
Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production). @@ -1552,46 +1100,33 @@ Storage defines persistent storage for sessions and other data. See file) -

- File specifies file storage options.

- -

postgres   - object  (postgres) -

- Postgres specifies PostgreSQL database connection parameters

- - - - ### `timeouts` Timeout specifies the global timeouts for all routes. @@ -1600,69 +1135,48 @@ Timeout specifies the -

read   - string  (duration) -

- Read specifies the amount of time for the entire request stream to be received from the client.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - -

write   - string  (duration) -

- Write specifies max stream duration is the maximum time that a stream’s lifetime will span. An HTTP request/response exchange fully consumes a single stream. Therefore, this value must be greater than read_timeout as it covers both request and response time.

- Format: a duration string like "22s" as parsed by Golang time.ParseDuration. - - - - ## Status PomeriumStatus represents configuration and Ingress status. @@ -1671,46 +1185,33 @@ PomeriumStatus represents configuration and Ingress status. -

ingress   - map[string] ingress -

- Routes provide per-Ingress status.

- -

settingsStatus   - object  (settingsStatus) -

- SettingsStatus represent most recent main configuration reconciliation status.

- - - - ### `ingress` ResourceStatus represents the outcome of the latest attempt to reconcile relevant Kubernetes resource with Pomerium. @@ -1719,95 +1220,67 @@ ResourceStatus represents the outcome of the latest attempt to reconcile relevan -

error   - string  -

- Error that prevented latest observedGeneration to be synchronized with Pomerium.

- -

observedAt   - string  (date-time) -

- ObservedAt is when last reconciliation attempt was made.

- Format: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. - -

observedGeneration   - integer  -

- ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.

- -

reconciled   - boolean  -

Required.  Reconciled is whether this object generation was successfully synced with pomerium.

- -

warnings   - []string  -

- Warnings while parsing the resource.

- - - - ### `settingsStatus` SettingsStatus represent most recent main configuration reconciliation status. @@ -1816,89 +1289,63 @@ SettingsStatus represent most recent main configuration reconciliation status. -

error   - string  -

- Error that prevented latest observedGeneration to be synchronized with Pomerium.

- -

observedAt   - string  (date-time) -

- ObservedAt is when last reconciliation attempt was made.

- Format: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339. - -

observedGeneration   - integer  -

- ObservedGeneration represents the .metadata.generation that was last presented to Pomerium.

- -

reconciled   - boolean  -

Required.  Reconciled is whether this object generation was successfully synced with pomerium.

- -

warnings   - []string  -

- Warnings while parsing the resource.

- -