Adds zero quickstart draft #1326
Conversation
✅ Deploy Preview for pomerium-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
content/docs/quickstart.mdx
Outdated
| ## Run Docker Compose | ||
| Pomerium Zero will attempt to detect your **public IP** address to connect you to your cluster. | ||
|
|
||
| But, it won't be able to because you're running Pomerium Zero in an isolated container with its own private network and IP address. |
There was a problem hiding this comment.
I think right after this we need to showcase what someone is seeing so it's spelled out for them
"You'll see an error like the following (see attached image), and that's completely normal!"
content/docs/quickstart.mdx
Outdated
|
|
||
| ```bash | ||
| docker compose up | ||
| pomerium-cli tcp ssh.<YOUR_CLUSTER_DOMAIN_NAME>.app:22 |
There was a problem hiding this comment.
Mild nit but it doesn't have the same highlight
content/docs/quickstart.mdx
Outdated
| ## Next Steps | ||
| ### Connect to Verify | ||
|
|
||
| In the Zero Console, select the **From** route for the Verify app. |
There was a problem hiding this comment.
| In the Zero Console, select the **From** route for the Verify app. | |
| Now, let's test one of the preconfigured routes to see if it works. In the Zero Console, select the **From** route for the Verify app. |
content/docs/quickstart.mdx
Outdated
|
|
||
| :::caution | ||
| Because the Verify service uses a publically accessible URL, Pomerium Zero won't be able to connect to the `jwks.json` endpoint to fetch the signing key used to verify the user's JWT. |
There was a problem hiding this comment.
| Because the Verify service uses a publically accessible URL, Pomerium Zero won't be able to connect to the `jwks.json` endpoint to fetch the signing key used to verify the user's JWT. | |
| You will see the following error because the Verify service uses a publicly accessible URL. In the current setup, Pomerium Zero won't be able to connect to the `jwks.json` endpoint to fetch the signing key used to verify the user's JWT. |
content/docs/quickstart.mdx
Outdated
|
|
||
| ## Build your own policy | ||
|
|
||
| In the **Policy** tab, create a new policy that instructs Pomerim to grant access only if the user's email address ends the specified value. |
There was a problem hiding this comment.
| In the **Policy** tab, create a new policy that instructs Pomerim to grant access only if the user's email address ends the specified value. | |
| In the **Policy** tab, create a new policy that instructs Pomerim to grant access only if the user's email address ends with the specified value. |
content/docs/quickstart.mdx
Outdated
|
|
||
| Now that you've completed the Pomerium Zero Quickstart, build your first route: | ||
|
|
||
| - **Pomerium Zero Fundamentals: Build Routes** |
There was a problem hiding this comment.
This doesn't currently link to anything. Are we waiting on the fundamentals to be built too?
There was a problem hiding this comment.
Finished my review. @ZPain8464 let me know if I can clarify anything.
content/docs/quickstart.mdx
Outdated
|
|
||
| ## Get Pomerium Zero configuration | ||
|
|
||
| In the Zero onboarding screen, select the **Docker** tab and copy the Docker Compose configuration. (If you selected **Finish** before copying the Docker configuration, we've provided a copy below.) |
There was a problem hiding this comment.
It's probably worth mentioning something here about how you get to the onboarding screen, maybe something like "after creating an account, you should see an onboarding page"?
There was a problem hiding this comment.
Good point, I'll add that in.
content/docs/quickstart.mdx
Outdated
|
|
||
| ## Prerequisites | ||
| You can find your **Starter Domain** at the top of the Zero Console in the navigation bar. |
There was a problem hiding this comment.
I think we don't show the starter domain while on the onboarding page.
There was a problem hiding this comment.
We do, since Caleb implemented the change to make the hosted Verify service reachable for deployments running in Docker. Here's the current config in our onboarding flow:
services:
pomerium:
image: pomerium/pomerium:v0.26.0
ports:
- 443:443
restart: always
environment:
POMERIUM_ZERO_TOKEN: AMf-vBy2rzctrTCXBgcAIpUfLKWSme0Bs_HtTcQYb5nbFe8idwaiIt4MjemObphF_L-Pdz_pqCggHHwszIziQU4bC2nGJklhgMTfGGEtpntqfmXRBT6D_m09maHqSJy_75DrLFL2SQOgw3pjuWELm4WhtjD1Rs8aCTl7acjPJe0CKJk5zfSMZcAeFajMhKFpEk-yq_c9G9MN
XDG_CACHE_HOME: /var/cache
volumes:
- pomerium-cache:/var/cache
networks:
main:
aliases:
- verify.pro-cricket-4498.pomerium.app
verify:
image: cr.pomerium.com/pomerium/verify:latest
networks:
main:
aliases:
- verify
networks:
main: {}
volumes:
pomerium-cache:
content/docs/quickstart.mdx
Outdated
|
|
||
| ## Prerequisites | ||
| You can find your **Starter Domain** at the top of the Zero Console in the navigation bar. |
There was a problem hiding this comment.
It might be nice to give some explanation here about what the verify app is and why it's included here? (Do we have a docs page about the verify app? Maybe we should add one if not?)
There was a problem hiding this comment.
Good point. We do not have anything I can think of that discusses the Verify app. For now, it would be easiest to link to the GH repo and add an explanation about the service and it's intended use.
content/docs/quickstart.mdx
Outdated
|
|
||
| ## Configure Docker | ||
| This command will deploy a local cluster running Pomerium in a Docker container. If your cluster deploys successfully, the Pomerium Zero cloud will attempt to secure a connection to your cluster. |
There was a problem hiding this comment.
I think we could give some better explanation here. In particular "Pomerium Zero cloud will attempt to secure a connection to your cluster" doesn't make sense to me. Maybe we could say something about how this starts Pomerium in a mode where it connects to the cloud service?
We might also want to hold off on talking about a "cluster" just yet... this might be confusing to some folks if they assume "cluster" implies multiple replicas.
There was a problem hiding this comment.
If we want to start being more consistent with terminology, this might be a good time to mention "Zero-managed mode", and that that really means Pomerium connects to the Pomerium Zero cloud?
I see your point with the mention of a cluster. I'm in favor of removing it, we just need to agree on how we want to replace it.
content/docs/quickstart.mdx
Outdated
|
|
||
|  | ||
|
|
||
| ### Connect to SSH |
There was a problem hiding this comment.
I'd recommend starting with the simpler example service first (i.e. swapping this section and the "Connect to Verify" section).
content/docs/quickstart.mdx
Outdated
|
|
||
| You should be redirected to the **verify** service. You'll see a page like this: | ||
| <Tabs> |
There was a problem hiding this comment.
I wonder if it makes more sense to link out to a different page for the pomerium-cli installation instructions... it seems a hassle to keep duplicate copies of these instructions in sync.
There was a problem hiding this comment.
We can import Markdown in Docusaurus. This would make it so we have one source of truth that we can reuse and maintain.
content/docs/quickstart.mdx
Outdated
| ## Next Steps | ||
| ### Connect to Verify | ||
|
|
||
| In the Zero Console, select the **From** URL for the **Verify** app. |
There was a problem hiding this comment.
Either above or here, I think this would definitely benefit from some explanation — what is the verify service? what does it demonstrate?
There was a problem hiding this comment.
I think it makes most sense to include it at the first mention of the Verify app, so earlier in the page. Will do.
|
|
||
| If you want to [try Enterprise](https://www.pomerium.com/enterprise-sales/), check out the [Enterprise with Docker quickstart](/docs/deploy/enterprise/quickstart). | ||
| ## Review authorization policy |
There was a problem hiding this comment.
Before talking about policies and certificates, would it make sense to show how to create your own route? I think it might be good to explain how the starter domain is set up so you can add any sub-domain as a route, and the steps involved to set up a new route, i.e.
- pick a sub-domain to use with the From URL
- set up some upstream service to use with the To URL
- attach the demo policy to grant access to the route
There was a problem hiding this comment.
Well that was the original intention of the Fundamentals courses. This links to the Routes course first, so they can learn to build a route once they have Zero set up. The Zero Fundamentals course does not re-iterate the Quickstart; it instructs users to go back to the Quickstart and complete it first before continuing with Fundamentals.
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-0-26-0 0-26-0
# Navigate to the new working tree
cd .worktrees/backport-0-26-0
# Create a new branch
git switch --create backport-1326-to-0-26-0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick --mainline 1 e7829ccb0ef622c46d331e3732e11d4f72095c48
# Push it to GitHub
git push --set-upstream origin backport-1326-to-0-26-0
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-0-26-0Then, create a pull request where the |
This PR adds the Pomerium Zero official quickstart guide, and moves the Core Quickstart to the Core directory.
related to https://github.com/pomerium/internal/issues/1739