Adds a custom domains Capabilities page/guide #1343
Conversation
✅ Deploy Preview for pomerium-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Few comments. Would defer to @calebdoxsey for a technical review and @cmo-pomerium for copy.
|
|
||
| :::info | ||
|
|
||
| See the Clusters Concepts page for more information about clusters in Pomerium Zero. |
There was a problem hiding this comment.
Assume link is coming?
| See the Clusters Concepts page for more information about clusters in Pomerium Zero. | |
| See the [Clusters] Concepts page for more information about clusters in Pomerium Zero. |
| @@ -56,6 +56,8 @@ const sidebars = { | |||
| type: 'category', | |||
| label: 'Capabilities', | |||
| items: [ | |||
| // zero | |||
| 'docs/capabilities/custom-domains', | |||
There was a problem hiding this comment.
Eventually we should probably put these all collected together with a prepended highlight like ent or something.
|
|
||
| ### DNS validation | ||
|
|
||
| In order for Pomerium to issue certificates on behalf of a custom domain, you must prove that you control the domain name specified in the certificate through DNS validation. Per the [ACME protocol](https://datatracker.ietf.org/doc/html/rfc8555#section-2), Pomerium uses its own ACME client to communicate with Let's Encrypt, a free Certificate Authority, to validate a domain's DNS records. |
There was a problem hiding this comment.
I think it's a nice detail we cover how.
Co-authored-by: bobby <[email protected]>
Co-authored-by: bobby <[email protected]>
Co-authored-by: bobby <[email protected]>
| Let's Encrypt provides several [challenge types](https://letsencrypt.org/docs/challenge-types/) to validate a domain, including the [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). At a high level, this challenge consists of two steps: | ||
|
|
||
| 1. A TXT record containing a specific token value must be placed into the `_acme-challenge.<YOUR_DOMAIN>` endpoint | ||
| 1. A **wildcard CNAME record** must be added under the custom domain that points to your cluster's **Starter Domain** |
There was a problem hiding this comment.
It's more of an either/or.
Either a TXT record must be placed at _acme-challenge.<YOUR_DOMAIN>, or a CNAME record must be placed at _acme-challenge.<YOUR_DOMAIN> that points to another domain that has the TXT record. Since we own the .pomerium.app sub-domain, we can write the TXT record for them.
Using a *.<YOUR_DOMAIN> CNAME record also works for this. We recommend it because it also allows client requests to be forwarded to Pomerium.
|
|
||
| In the context of Pomerium Zero, an FQDN is the complete domain name of a custom domain. The example below resembles a valid FQDN, where `service` is the hostname, `mycorp` is the subdomain, and `example.com` is the domain name: | ||
|
|
||
| `service.mycorp.example.com` |
There was a problem hiding this comment.
I'm not sure what the best example here would be. Maybe we should give some example routes?
For example, given routes like:
verify.mycorp.example.cominternal-tool.mycorp.example.comauthenticate.mycorp.example.com
You would want to use mycorp.example.com as the custom domain.
|
@calebdoxsey could you review this again when you have a second? |
|
|
||
| Each starter subdomain comes with its own DNS records and TLS certificates, which makes it easier for new users to quickly build and test routes and policies in Pomerium Zero. | ||
|
|
||
| After testing Pomerium Zero with your starter domain, you may want to add a custom domain for use by your cluster's routes to secure your apps and services. |
There was a problem hiding this comment.
suggestion: "you may want" -> "you'll likely want"
|
|
||
| In Pomerium Zero, a valid **Custom Domain** is a fully qualified domain name (FQDN) where the domain owner can demonstrate control over the domain through DNS validation. | ||
|
|
||
| After you successfully add a custom domain to your cluster, Pomerium will automatically issue and renew X.509 wildcard certificates on behalf of the domain to secure the connection over TLS. |
There was a problem hiding this comment.
I'd suggest removing this paragraph if you like my suggestion for the previous paragraph.
(Otherwise, I'd suggest using "TLS certificate" rather than "X.509 certificate" as that's the terminology first used in the Overview section.)
| ### Fully Qualified Domain Names | ||
|
|
||
| In the context of Pomerium Zero, an FQDN is the complete domain name of a custom domain. The example below resembles a valid custom domain, where `mycorp` is the subdomain and `example.com` is the domain name: | ||
|
|
||
| `mycorp.example.com` | ||
|
|
||
| If you build routes with this custom domain to upstream services with hostnames like `verify`, `internal-tool`, and `authenticate`, your routes would look like: |
There was a problem hiding this comment.
I wonder if we should skip some of the jargon where possible?
Maybe just:
| ### Fully Qualified Domain Names | |
| In the context of Pomerium Zero, an FQDN is the complete domain name of a custom domain. The example below resembles a valid custom domain, where `mycorp` is the subdomain and `example.com` is the domain name: | |
| `mycorp.example.com` | |
| If you build routes with this custom domain to upstream services with hostnames like `verify`, `internal-tool`, and `authenticate`, your routes would look like: | |
| Say you want to use Pomerium Zero with the domain `mycorp.example.com`. After adding this custom domain, you'll be able to build routes like: |
| - `internal-tool.mycorp.example.com` | ||
| - `authenticate.mycorp.example.com` | ||
|
|
||
| ### DNS validation |
There was a problem hiding this comment.
I'd suggest moving this section further down, after "How to add a custom domain", and possibly renaming this section to "How it works". (I expect more users will want to know "how do I do this" compared to "what's going on behind the scenes".)
|
|
||
| ### DNS validation | ||
|
|
||
| In order for Pomerium to issue certificates on behalf of a custom domain, you must prove that you control the domain name specified in the certificate through DNS validation. Per the [ACME protocol](https://datatracker.ietf.org/doc/html/rfc8555#section-2), Pomerium uses its own ACME client to communicate with Let's Encrypt, a free Certificate Authority, to validate a domain's DNS records. |
There was a problem hiding this comment.
one terminology nit: Pomerium doesn't "issue" certificates itself (only a "certificate authority" can do that), so if we want to be more precise I might suggest using "request" or "provision" instead of "issue".
|
|
||
| ## How to add a custom domain | ||
|
|
||
| Add a wildcard CNAME record that points to your starter domain: |
There was a problem hiding this comment.
I wonder if we should include a little code snippet too?
| Add a wildcard CNAME record that points to your starter domain: | |
| Add a wildcard CNAME record that points to your starter domain, for example: | |
| *.mycorp.example.com CNAME unique-jellyfish-3578.pomerium.app | |
| In Google Cloud Platform, this looks something like: |
For example, one of Cloudflare's help pages does something similar when giving instructions for adding a CNAME:
Co-authored-by: Kenneth Jenkins <[email protected]>
This PR adds a first draft of the Custom Domains capabilities page.
TODOs:
Related to https://github.com/pomerium/internal/issues/1766