From 0bc7cf94fe84539f61db2744d1b8746fd2f31616 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 10:15:20 -0400 Subject: [PATCH 01/16] adds redirects and merges settings --- content/docs/reference/reference.json | 4 +- content/docs/reference/signing-key-file.mdx | 65 --------------------- content/docs/reference/signing-key.mdx | 61 +++++++++++++++++-- static/_redirects | 4 ++ 4 files changed, 61 insertions(+), 73 deletions(-) delete mode 100644 content/docs/reference/signing-key-file.mdx diff --git a/content/docs/reference/reference.json b/content/docs/reference/reference.json index 3957ac07f..2480661d7 100644 --- a/content/docs/reference/reference.json +++ b/content/docs/reference/reference.json @@ -1476,7 +1476,7 @@ "signing-key": { "id": "signing-key", "title": "Signing Key", - "path": "/signing-key", + "path": "/signing-key-settings#signing-key", "description": "Signing Key is the key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.", "services": [], "type": "string", @@ -1485,7 +1485,7 @@ "signing-key-file": { "id": "signing-key-file", "title": "Signing Key File", - "path": "/signing-key-file", + "path": "/signing-key-settings#signing-key-file", "description": "File path to a secret containing the signing key, used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.", "services": [], "type": "string", diff --git a/content/docs/reference/signing-key-file.mdx b/content/docs/reference/signing-key-file.mdx deleted file mode 100644 index 5c648f05f..000000000 --- a/content/docs/reference/signing-key-file.mdx +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -id: signing-key-file -title: Signing Key File -description: | - File path to a secret containing the signing key. -keywords: - - reference - - Signing Key File -pagination_prev: null -pagination_next: null -toc_max_heading_level: 2 ---- - -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; - -# Signing Key File - -## Summary - -**Signing Key File** is the path to a file containing a [Signing Key](./signing-key). - -The signing key is the private key used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user session information such as username, id, and groups. - -See [Signing Key](./signing-key) for more information. - -## How to configure - - - - -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :------------------- | :------------------------ | :------- | :----------- | -| `signing_key_file` | `SIGNING_KEY_FILE` | `string` | **optional** | - -### Examples - -Signing Key File is useful when deploying in environments that provide secret management like [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/). - -For example: - -```yaml -signing_key_file: '/run/secrets/POMERIUM_SIGNING_KEY' -``` - -```bash -SIGNING_KEY_FILE='/run/secrets/POMERIUM_SIGNING_KEY' -``` - - - - -`signing_key_file` is a bootstrap configuration setting and is not configurable in the Console. - - - - -| **Name** | **Type** | **Usage** | -| :-------------------- | :------- | :----------- | -| `secrets.signing_key` | `string` | **optional** | - -See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. - - - diff --git a/content/docs/reference/signing-key.mdx b/content/docs/reference/signing-key.mdx index 64cff3876..b1d81ef98 100644 --- a/content/docs/reference/signing-key.mdx +++ b/content/docs/reference/signing-key.mdx 
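Review bot: deleting `signing-key-file.mdx` leaves internal links that still target `/docs/reference/signing-key-file` (the link definitions at the bottom of `getting-users-identity.md` are one example) pointing at a page that no longer exists; the `_redirects` entry covers published URLs, but a local or CI build with broken-link checking will fail, so those links should be updated to `/docs/reference/signing-key-settings#signing-key-file` in the same commit rather than relying on the redirect.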
@@ -1,10 +1,11 @@ --- # cSpell:ignore ecparam genkey noout QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4 ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY -id: signing-key -title: Signing Key +id: signing-key-settings +title: Signing Key Settings +sidebar_label: Signing Key Settings description: | - Signing Key is one or more PEM-encoded private keys used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups. If multiple keys are provided only the first will be used for signing. + This page discusses the signing key settings Pomerium uses to sign the Pomerium JWT that's sent to upstream services to verify a user's identity. keywords: - reference - Signing Key @@ -16,13 +17,13 @@ toc_max_heading_level: 2 import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Signing Key +# Signing Key Settings -## Summary +## Signing Key **Signing Key** is one or more PEM-encoded private keys used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user information like username, id, and groups. -## How to configure +### How to configure 
@@ -104,3 +105,51 @@ To implement key rotation, follow a 3-step process: 3. Remove the old key from the list. With sufficient time between the steps, this process should be resilient to caching of the JWKS endpoint by applications. + +## Signing Key File + +**Signing Key File** is the path to a file containing a [Signing Key](./signing-key). + +The signing key is the private key used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user session information such as username, id, and groups. + +See [Signing Key](./signing-key) for more information. + +### How to configure + + + + +| **Config file keys** | **Environment variables** | **Type** | **Usage** | +| :------------------- | :------------------------ | :------- | :----------- | +| `signing_key_file` | `SIGNING_KEY_FILE` | `string` | **optional** | + +### Examples + +Signing Key File is useful when deploying in environments that provide secret management like [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/). + +For example: + +```yaml +signing_key_file: '/run/secrets/POMERIUM_SIGNING_KEY' +``` + +```bash +SIGNING_KEY_FILE='/run/secrets/POMERIUM_SIGNING_KEY' +``` + + + + +`signing_key_file` is a bootstrap configuration setting and is not configurable in the Console. + + + + +| **Name** | **Type** | **Usage** | +| :-------------------- | :------- | :----------- | +| `secrets.signing_key` | `string` | **optional** | + +See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. + + + diff --git a/static/_redirects b/static/_redirects index 6f8af396c..60d514379 100644 --- a/static/_redirects +++ b/static/_redirects 
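Review bot: the two `[Signing Key](./signing-key)` links in the new "Signing Key File" section target a page id that this same patch renames to `signing-key-settings`, so they will resolve to the old (now redirected) route or break outright; since the Signing Key section now lives on the same page, they should be in-page anchors, e.g. `[Signing Key](#signing-key)`.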
@@ -462,6 +462,10 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co /docs/reference/x-forwarded-for-http-header /docs/reference/x-forwarded-for-settings#skip-xff-append /docs/reference/the-number-of-trusted-hops /docs/reference/x-forwarded-for-settings#xff-number-of-trusted-hops +# Signing Key settings +/docs/reference/signing-key /docs/reference/signing-key-settings#signing-key +/docs/reference/signing-key-file /docs/reference/signing-key-settings#signing-key-file + # Topics links - now concepts /docs/topics/auth-logs /docs/capabilities/audit-logs /docs/topics/single-sign-out.html /docs/capabilities/single-sign-out From ee8035bd5a9eb99b84ba1ceafe84a777b34da8be Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:06:49 -0400 Subject: [PATCH 02/16] moves shared secret, redirects --- content/docs/reference/reference.json | 4 +- content/docs/reference/shared-secret-file.mdx | 79 --------------- content/docs/reference/shared-secret.mdx | 95 ++++++++++++++++--- content/docs/reference/signing-key.mdx | 2 +- content/docs/troubleshooting.mdx | 4 +- static/_redirects | 4 + 6 files changed, 90 insertions(+), 98 deletions(-) delete mode 100644 content/docs/reference/shared-secret-file.mdx diff --git a/content/docs/reference/reference.json b/content/docs/reference/reference.json index 2480661d7..3330d1429 100644 --- a/content/docs/reference/reference.json +++ b/content/docs/reference/reference.json @@ -532,7 +532,7 @@ "shared-secret": { "id": "shared-secret", "title": "Shared Secret", - "path": "/shared-secret", + "path": "/shared-secret-settings#shared-secret", "description": "Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between services.", "services": [], "type": "string", 
@@ -541,7 +541,7 @@ "shared-secret-file": { "id": "shared-secret-file", "title": "Shared Secret File", - "path": "/shared-secret-file", + "path": "/shared-secret-settings#shared-secret-file", "description": "File path containing base64-encoded shared secret.", "services": [], "type": "string", diff --git a/content/docs/reference/shared-secret-file.mdx b/content/docs/reference/shared-secret-file.mdx deleted file mode 100644 index 092eea803..000000000 --- a/content/docs/reference/shared-secret-file.mdx +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -id: shared-secret-file -title: Shared Secret File -description: | - Shared Secret is the base64 encoded 256-bit key used to mutually authenticate requests between services. -keywords: - - reference - - Shared Secret File -pagination_prev: null -pagination_next: null -toc_max_heading_level: 2 ---- - -import Tabs from '@theme/Tabs'; -import TabItem from '@theme/TabItem'; - -# Shared Secret File - -## Summary - -**Shared Secret File** is the location of a file containing the base64-encoded, 256-bit key used to mutually authenticate requests between services. It's critical that secret keys are random, and stored safely. - -## How to configure - - - - -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :-- | :-- | :-- | :-- | -| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | **required** (unless using [shared_secret]) | - -:::tip - -Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. You only need to include a shared secret if you are running the Console. - -If you are connecting to the Console, your Pomerium Core and Console configurations require the same shared secret. - -See the [**Enterprise Quickstart**](/docs/enterprise/quickstart) for an example implementation. - -::: - -### Examples - -`shared_secret_file` points to a file containing the secret. This is useful when deploying in environments that provide secret management like [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/). - -To generate a key, run the following command: - -```shell -head -c32 /dev/urandom | base64 -``` - -Place the value in your `shared_secret_file`: - -```yaml -shared_secret_file: '/run/secrets/POMERIUM_SHARED_SECRET' -``` - -:::note - -If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a [**secret mismatch**](/docs/troubleshooting#shared-secret-mismatch). 
- -::: - - - - -`shared_secret_file` is a bootstrap configuration setting and is not configurable in the Console. - - - - -| **Name** | -| :---------------------- | -| `secrets.shared_secret` | - -See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. - - - diff --git a/content/docs/reference/shared-secret.mdx b/content/docs/reference/shared-secret.mdx index da10073be..b59e09666 100644 --- a/content/docs/reference/shared-secret.mdx +++ b/content/docs/reference/shared-secret.mdx @@ -1,8 +1,7 @@ --- -id: shared-secret -title: Shared Secret -description: | - Shared Secret is the base64 encoded 256-bit key used to mutually authenticate requests between services. +id: shared-secret-settings +title: Shared Secret Settings +description: This page discusses shared secret settings in Pomerium, which are used to mutually authenticate requests between Pomerium services. keywords: - reference - Shared Secret 
@@ -14,33 +13,39 @@ toc_max_heading_level: 2 import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Shared Secret +# Shared Secret Settings -## Summary +## Shared Secret -**Shared Secret** is the base64-encoded, 256-bit key used to mutually authenticate requests between services. It's critical that secret keys are random, and stored safely. +**Shared Secret** is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely. -## How to configure +### How to configure | **Config file keys** | **Environment variables** | **Type** | **Usage** | | :-- | :-- | :-- | :-- | -| `shared_secret` | `SHARED_SECRET` | `string` | **required** (unless using [shared_secret_file](/docs/reference/shared-secret-file)) | +| `shared_secret` | `SHARED_SECRET` | `string` | \***optional** | -:::tip **Note** +\* Standalone Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. If you don't set a shared secret, Pomerium will generate one for you. -Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. You only need to include a shared secret if you are running the Console. +:::enterprise Shared Secret in Enterprise Configurations -If you are connecting to the Console, your Pomerium Core and Console configurations require the same shared secret. +If you're connecting to the [Enterprise Console](/docs/enterprise), your Pomerium Core and Enterprise configurations each require the same shared secret. -See the [**Enterprise Quickstart**](/docs/enterprise/quickstart) for an example implementation. +See the [Enterprise Quickstart](/docs/enterprise/quickstart) for an example implementation. ::: ### Examples +:::note + +If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a [**secret mismatch**](/docs/troubleshooting#shared-secret-mismatch). 
+ +::: + To generate a key, run the following command: ```shell 
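Review bot: the footnote "If you don't set a shared secret, Pomerium will generate one for you" needs to be scoped more precisely than "Standalone Pomerium Core configurations": if it means a single all-in-one process, say so, because a reader running Core as separate services (the scenario the "Shared Secret Mismatch" troubleshooting section describes) could read this as permission to omit the secret, after which each service would generate its own value and fail with exactly that mismatch. Suggested wording: "Single-process (all-in-one) Pomerium Core deployments do not require a `shared_secret` or `shared_secret_file`; if none is set, Pomerium generates one at startup. Deployments that run Pomerium services separately must set the same secret on every service."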
@@ -67,7 +72,69 @@ SHARED_SECRET=wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs= | **Name** | **Type** | **Usage** | | :-- | :-- | :-- | -| `secrets.shared_secret` | `string` | **required** (unless using [shared_secret_file](/docs/reference/shared-secret-file)) | +| `secrets.shared_secret` | `string` | **required** | + +See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. + + + + +## Shared Secret File + +**Shared Secret File** is the location of a file containing the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely. + +### How to configure + + + + +| **Config file keys** | **Environment variables** | **Type** | **Usage** | +| :-- | :-- | :-- | :-- | +| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | \***optional** | + +\* Standalone Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. If you don't set a shared secret, Pomerium will generate one for you. + +:::enterprise Shared Secret in Enterprise Configurations + +If you're connecting to the [Enterprise Console](/docs/enterprise), your Pomerium Core and Enterprise configurations each require the same shared secret. + +See the [Enterprise Quickstart](/docs/enterprise/quickstart) for an example implementation. + +::: + +### Examples + +:::note + +If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a [**secret mismatch**](/docs/troubleshooting#shared-secret-mismatch). + +::: + +`shared_secret_file` points to a file containing the secret. This is useful when deploying in environments that provide secret management like [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/). 
+ +To generate a key, run the following command: + +```shell +head -c32 /dev/urandom | base64 +``` + +Place the value in your `shared_secret_file`: + +```yaml +shared_secret_file: '/run/secrets/POMERIUM_SHARED_SECRET' +``` + + + + +`shared_secret_file` is a bootstrap configuration setting and is not configurable in the Console. + + + + +| **Name** | **Type** | **Usage** | +| :-- | :-- | :-- | +| `secrets.shared_secret` | `string` | **required** | See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. diff --git a/content/docs/reference/signing-key.mdx b/content/docs/reference/signing-key.mdx index b1d81ef98..7ed4bc21a 100644 --- a/content/docs/reference/signing-key.mdx +++ b/content/docs/reference/signing-key.mdx @@ -96,7 +96,7 @@ If no certificate is specified, one will be generated and the base64'd public ke If multiple keys are provided, only the first will be used for signing. -## Key rotation +### Key rotation To implement key rotation, follow a 3-step process: diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index 00b04de54..d604ec332 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx @@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When services or the databroker have mismatched secrets, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. Pomerium Core will log a shared secret mismatch with: @@ -163,7 +163,7 @@ Pomerium Core will log a shared secret mismatch with: } ``` -And Pomerium Enterprise will log the error with: +Pomerium Enterprise will log a shared secret mismatch with: ```json { 
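Review bot: the Kubernetes tables in this hunk mark `secrets.shared_secret` as **required** while the config-file and environment-variable tables above them mark `shared_secret` and `shared_secret_file` as optional with a footnote; the two should agree, or the Kubernetes rows should carry the same footnote explaining why the Ingress Controller bootstrap secret differs. Also note the "Shared Secret File" section's Kubernetes tab repeats `secrets.shared_secret` rather than a file-based field, which is fine if intentional but deserves a sentence saying the bootstrap Secret supplies the value directly.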
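Review bot: the rewritten sentence in `troubleshooting.mdx` keeps the link target `/docs/reference/shared-secret`, which this same patch redirects to `/docs/reference/shared-secret-settings#shared-secret`; update the link here rather than in a follow-up. The sentence itself is also hard to parse ("share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service"); suggested: "If any Pomerium service is configured with a shared secret that differs from the one set on the Databroker service, Pomerium will fail."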
diff --git a/static/_redirects b/static/_redirects index 60d514379..b354ba9aa 100644 --- a/static/_redirects +++ b/static/_redirects @@ -466,6 +466,10 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co /docs/reference/signing-key /docs/reference/signing-key-settings#signing-key /docs/reference/signing-key-file /docs/reference/signing-key-settings#signing-key-file +# Shared Secret settings +/docs/reference/shared-secret /docs/reference/shared-secret-settings#shared-secret +/docs/reference/shared-secret-file /docs/reference/shared-secret-settings#shared-secret-file + # Topics links - now concepts /docs/topics/auth-logs /docs/capabilities/audit-logs /docs/topics/single-sign-out.html /docs/capabilities/single-sign-out From 5ef6e6e3263aa2dd2c0122573da916b2cb8c11b7 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:20:14 -0400 Subject: [PATCH 03/16] fixes breaking links --- content/docs/capabilities/getting-users-identity.md | 4 ++-- content/docs/core/quickstart.md | 2 +- content/docs/courses/fundamentals/jwt-verification.md | 2 +- content/docs/enterprise/changelog.mdx | 2 +- content/docs/enterprise/upgrading.mdx | 4 ++-- content/docs/guides/tooljet.mdx | 4 ++-- content/docs/identity-providers/oidc.mdx | 2 +- content/docs/internals/data-storage.md | 2 +- content/docs/k8s/reference.md | 2 +- content/docs/reference/downstream-mtls-settings.mdx | 2 +- content/docs/reference/signing-key.mdx | 4 ++-- content/docs/troubleshooting.mdx | 4 ++-- content/examples/tooljet/config-tooljet.yaml.md | 2 +- 13 files changed, 18 insertions(+), 18 deletions(-) diff --git a/content/docs/capabilities/getting-users-identity.md b/content/docs/capabilities/getting-users-identity.md index 3696e47c9..8419b5e8a 100644 --- a/content/docs/capabilities/getting-users-identity.md +++ b/content/docs/capabilities/getting-users-identity.md 
@@ -167,5 +167,5 @@ In an actual client, you'll want to ensure that all the other claims values are [key management service]: https://en.wikipedia.org/wiki/Key_management [nist p-256]: https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf [pass identity headers]: /docs/reference/routes/pass-identity-headers-per-route -[signing key]: /docs/reference/signing-key -[signing key file]: /docs/reference/signing-key-file +[signing key]: /docs/reference/signing-key-settings#signing-key +[signing key file]: /docs/reference/signing-key-settings#signing-key-file diff --git a/content/docs/core/quickstart.md b/content/docs/core/quickstart.md index 7c8295dc7..7707f64fa 100644 --- a/content/docs/core/quickstart.md +++ b/content/docs/core/quickstart.md @@ -71,7 +71,7 @@ Although identity verification failed, you successfully integrated Pomerium with :::tip -Because this guide doesn't include a [signing key](/docs/reference/signing-key) in the configuration, identity verification will fail. +Because this guide doesn't include a [signing key](/docs/reference/signing-key-settings#signing-key) in the configuration, identity verification will fail. See [Identity Verification](/docs/capabilities/getting-users-identity) for more information on how Pomerium can use JWTs for authentication. diff --git a/content/docs/courses/fundamentals/jwt-verification.md b/content/docs/courses/fundamentals/jwt-verification.md index b3895eed6..7d24f5faa 100644 --- a/content/docs/courses/fundamentals/jwt-verification.md +++ b/content/docs/courses/fundamentals/jwt-verification.md 
@@ -97,7 +97,7 @@ If that’s a lot to take in, don’t worry, Pomerium handles a lot of it for yo There are two settings that you need to configure to implement identity verification with signed headers: - [Pass Identity Headers](/docs/reference/routes/pass-identity-headers-per-route) -- [Signing Key](/docs/reference/signing-key) +- [Signing Key](/docs/reference/signing-key-settings#signing-key) :::info **Global and Route Settings** diff --git a/content/docs/enterprise/changelog.mdx b/content/docs/enterprise/changelog.mdx index 2ad0164b0..4845e26b3 100644 --- a/content/docs/enterprise/changelog.mdx +++ b/content/docs/enterprise/changelog.mdx @@ -292,7 +292,7 @@ Added support for the Rego [**`print()`**](https://www.openpolicyagent.org/docs/ - Impersonation - Impersonation is now done on an individual session basis. - Various other bug fixes and improvements. -[`signing key`]: /docs/reference/signing-key +[`signing key`]: /docs/reference/signing-key-settings#signing-key [google cloud serverless]: /docs/reference/routes/enable-google-cloud-serverless-authentication [policy language]: /docs/capabilities/ppl [runtime]: /docs/capabilities/reports.md#runtime diff --git a/content/docs/enterprise/upgrading.mdx b/content/docs/enterprise/upgrading.mdx index 4dc3534e3..45266149e 100644 --- a/content/docs/enterprise/upgrading.mdx +++ b/content/docs/enterprise/upgrading.mdx 
@@ -140,7 +140,7 @@ Pomerium Core would only perform user authentication and session refresh with th ### Before You Upgrade -- The [`signing-key`](/docs/reference/signing-key) has been replaced with [`authenticate-service-url`](/docs/reference/authenticate-service-url). Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from. +- The [`signing-key`](/docs/reference/signing-key-settings#signing-key) has been replaced with [`authenticate-service-url`](/docs/reference/authenticate-service-url). Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from. The `signing-key` key will continue to work for existing configurations, but [device enrollment](/docs/capabilities/device-identity#new-enrollment-enterprise) will not work until it is replaced by `authenticate-service-url`. @@ -151,7 +151,7 @@ Pomerium Core would only perform user authentication and session refresh with th - `signing-key` is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the [signing key] reference page for more information on generating a key. - `audience` is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the [`from`](/docs/reference/routes) field in the Routes entry (not including the protocol). -[signing key]: /docs/reference/signing-key +[signing key]: /docs/reference/signing-key-settings#signing-key ### Helm Installations diff --git a/content/docs/guides/tooljet.mdx b/content/docs/guides/tooljet.mdx index 90e45da66..cecd9f1d9 100644 --- a/content/docs/guides/tooljet.mdx +++ b/content/docs/guides/tooljet.mdx 
@@ -49,7 +49,7 @@ Next, you need to: - Replace user@example.com with the email associated with your IdP - Generate a signing key -To generate a [signing key](/docs/reference/signing-key), use the commands below: +To generate a [signing key](/docs/reference/signing-key-settings#signing-key), use the commands below: ```bash # Generates a P-256 (ES256) signing key @@ -133,7 +133,7 @@ Next, you need to: - Replace user@example.com with the email associated with your IdP - Generate a signing key -To generate a [signing key](/docs/reference/signing-key), use the commands below: +To generate a [signing key](/docs/reference/signing-key-settings#signing-key), use the commands below: ```bash # Generates a P-256 (ES256) signing key diff --git a/content/docs/identity-providers/oidc.mdx b/content/docs/identity-providers/oidc.mdx index 334b8ce04..a80b2138e 100644 --- a/content/docs/identity-providers/oidc.mdx +++ b/content/docs/identity-providers/oidc.mdx @@ -179,7 +179,7 @@ Note the following points: :::caution -Do not use the **signing key** in the example above in a production environment. See [**Signing Keys**](/docs/reference/signing-key) for more information on generating and using signing keys. +Do not use the **signing key** in the example above in a production environment. See [**Signing Keys**](/docs/reference/signing-key-settings#signing-key) for more information on generating and using signing keys. ::: diff --git a/content/docs/internals/data-storage.md b/content/docs/internals/data-storage.md index f3229b778..5fa0e0df6 100644 --- a/content/docs/internals/data-storage.md +++ b/content/docs/internals/data-storage.md 
@@ -94,4 +94,4 @@ Configuration options for each backend are detailed in the [**databroker configu ## Troubleshooting -Most issues with the Databroker service are caused by a [`shared_secret`](/docs/reference/shared-secret) mismatch between services. See [Troubleshooting - Shared Secret Mismatch](/docs/reference/shared-secret) for details. +Most issues with the Databroker service are caused by a [`shared_secret`](/docs/reference/shared-secret-settings#shared-secret) mismatch between services. See [Troubleshooting - Shared Secret Mismatch](/docs/reference/shared-secret-settings#shared-secret) for details. diff --git a/content/docs/k8s/reference.md b/content/docs/k8s/reference.md index 5c5032587..666ffadda 100644 --- a/content/docs/k8s/reference.md +++ b/content/docs/k8s/reference.md @@ -216,7 +216,7 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
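Review bot: in the `data-storage.md` hunk the second link, whose text is "Troubleshooting - Shared Secret Mismatch", now points at the reference page (`/docs/reference/shared-secret-settings#shared-secret`) instead of the troubleshooting section; it should target `/docs/troubleshooting#shared-secret-mismatch`, the anchor the shared-secret page itself links to.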

Required.  - Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

+ Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format. diff --git a/content/docs/reference/downstream-mtls-settings.mdx b/content/docs/reference/downstream-mtls-settings.mdx index e68c6a244..3fed5d9b0 100644 --- a/content/docs/reference/downstream-mtls-settings.mdx +++ b/content/docs/reference/downstream-mtls-settings.mdx @@ -168,7 +168,7 @@ The Ingress Controller does not support these settings. This matches the default behavior of many popular reverse proxies, such as Apache httpd and Caddy. - Note that in this mode, client certificates will be required even for internal Pomerium routes, such as the authenticate URL (if using the self-hosted authenticate service) and the /.pomerium/ page (the page showing details of a user's current login session). In particular, any upstream services that perform [JWT verification](/docs/capabilities/getting-users-identity) will not be able to access the default [JWKS endpoint](/docs/reference/signing-key#how-to-use-signing-key). You may need to host your own JWKS endpoint, or provide some other means of distributing the JWT verification key(s). + Note that in this mode, client certificates will be required even for internal Pomerium routes, such as the authenticate URL (if using the self-hosted authenticate service) and the /.pomerium/ page (the page showing details of a user's current login session). In particular, any upstream services that perform [JWT verification](/docs/capabilities/getting-users-identity) will not be able to access the default [JWKS endpoint](/docs/reference/signing-key-settings#signing-key#how-to-use-signing-key). You may need to host your own JWKS endpoint, or provide some other means of distributing the JWT verification key(s). This mode also adds a requirement that any configured [**CRL**](#crl) is valid only between its `thisUpdate` and `nextUpdate` timestamps. _If an invalid CRL is provided for a certain CA, no certificates issued by that CA will be allowed._ 
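Review bot: the JWKS link in the `downstream-mtls-settings.mdx` hunk now reads `/docs/reference/signing-key-settings#signing-key#how-to-use-signing-key`, a URL with two fragments; browsers will only honour the first, so the link lands on the top of the Signing Key section rather than the "How to use signing key" subsection. Use a single fragment, `/docs/reference/signing-key-settings#how-to-use-signing-key`, and confirm that heading's generated anchor is unchanged now that it is nested under the "Signing Key" section.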
diff --git a/content/docs/reference/signing-key.mdx b/content/docs/reference/signing-key.mdx index 7ed4bc21a..3f1e75bec 100644 --- a/content/docs/reference/signing-key.mdx +++ b/content/docs/reference/signing-key.mdx @@ -108,11 +108,11 @@ With sufficient time between the steps, this process should be resilient to cach ## Signing Key File -**Signing Key File** is the path to a file containing a [Signing Key](./signing-key). +**Signing Key File** is the path to a file containing a [Signing Key](#signing-key). The signing key is the private key used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user session information such as username, id, and groups. -See [Signing Key](./signing-key) for more information. +See [Signing Key](#signing-key) for more information. ### How to configure diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index d604ec332..1f2fa0962 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx @@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret-settings#shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. Pomerium Core will log a shared secret mismatch with: 
@@ -182,7 +182,7 @@ Pomerium Enterprise will log a shared secret mismatch with: } ``` -Update the [shared secret](/docs/reference/shared-secret) across all Pomerium services to match the one set for the Databroker. +Update the [shared secret](/docs/reference/shared-secret-settings#shared-secret) across all Pomerium services to match the one set for the Databroker. ### RPC Errors diff --git a/content/examples/tooljet/config-tooljet.yaml.md b/content/examples/tooljet/config-tooljet.yaml.md index 2517fcb13..9f33b651b 100644 --- a/content/examples/tooljet/config-tooljet.yaml.md +++ b/content/examples/tooljet/config-tooljet.yaml.md @@ -6,7 +6,7 @@ idp_provider: github idp_client_id: REPLACE_ME idp_client_secret: REPLACE_ME -# Update the signing key: https://www.pomerium.com/docs/reference/signing-key +# Update the signing key: https://www.pomerium.com/docs/reference/signing-key-settings#signing-key signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURRemVZWDZyT2tuemFnTjRJVTYxaEtRc3pzY1EvRllmbzZPcXhWd2YvdGZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc1V0V2psYXZ3eHprSU9DVUNDeFVnTDJza2NjL3QxSTFmQXlxUDgrMWw5YU1CWDlzdm1pYgpRajJxcWFUbUJZZWhuQzhmak5LODZmVXhpc3d1SXN5bnp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= routes: From 0f885a70328e55acba4dc3ab6d705c226969d0a4 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 11:25:14 -0400 Subject: [PATCH 04/16] runs prettier --- content/docs/reference/shared-secret.mdx | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/content/docs/reference/shared-secret.mdx b/content/docs/reference/shared-secret.mdx index b59e09666..3f3836771 100644 --- a/content/docs/reference/shared-secret.mdx +++ b/content/docs/reference/shared-secret.mdx 
@@ -24,9 +24,9 @@ import TabItem from '@theme/TabItem'; -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :-- | :-- | :-- | :-- | -| `shared_secret` | `SHARED_SECRET` | `string` | \***optional** | +| **Config file keys** | **Environment variables** | **Type** | **Usage** | +| :------------------- | :------------------------ | :------- | :------------- | +| `shared_secret` | `SHARED_SECRET` | `string` | \***optional** | \* Standalone Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. If you don't set a shared secret, Pomerium will generate one for you. @@ -70,8 +70,8 @@ SHARED_SECRET=wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs= -| **Name** | **Type** | **Usage** | -| :-- | :-- | :-- | +| **Name** | **Type** | **Usage** | +| :---------------------- | :------- | :----------- | | `secrets.shared_secret` | `string` | **required** | See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. @@ -88,9 +88,9 @@ See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more informatio -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :-- | :-- | :-- | :-- | -| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | \***optional** | +| **Config file keys** | **Environment variables** | **Type** | **Usage** | +| :------------------- | :------------------------ | :------- | :------------- | +| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | \***optional** | \* Standalone Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. If you don't set a shared secret, Pomerium will generate one for you. 
@@ -132,8 +132,8 @@ shared_secret_file: '/run/secrets/POMERIUM_SHARED_SECRET' -| **Name** | **Type** | **Usage** | -| :-- | :-- | :-- | +| **Name** | **Type** | **Usage** | +| :---------------------- | :------- | :----------- | | `secrets.shared_secret` | `string` | **required** | See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. From 0863691894c34fe3881dd8e4199d738b5eb34b5f Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:16:43 -0400 Subject: [PATCH 05/16] Update content/docs/reference/shared-secret.mdx Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> --- content/docs/reference/shared-secret.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/reference/shared-secret.mdx b/content/docs/reference/shared-secret.mdx index 3f3836771..61eb96b07 100644 --- a/content/docs/reference/shared-secret.mdx +++ b/content/docs/reference/shared-secret.mdx @@ -1,6 +1,6 @@ --- -id: shared-secret-settings -title: Shared Secret Settings +id: shared-secret +title: Shared Secret description: This page discusses shared secret settings in Pomerium, which are used to mutually authenticate requests between Pomerium services. keywords: - reference From 6ddee410e0341dd1cdc99fd4d2f1f59a31b0b277 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:28:41 -0400 Subject: [PATCH 06/16] updates signign key settings --- content/docs/reference/reference.json | 8 +-- content/docs/reference/shared-secret.mdx | 4 +- content/docs/reference/signing-key.mdx | 69 ++++++------------------ static/_redirects | 4 +- 4 files changed, 22 insertions(+), 63 deletions(-) diff --git a/content/docs/reference/reference.json b/content/docs/reference/reference.json index 3330d1429..e94693a19 100644 --- a/content/docs/reference/reference.json +++ b/content/docs/reference/reference.json 
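Review bot: reverting `id` to `shared-secret` and `title` to `Shared Secret` in patch 05 leaves `reference.json` (`/shared-secret-settings#shared-secret`) and the `_redirects` rules pointing at `shared-secret-settings`; patch 06 fixes `reference.json`, but the redirect rules in patch 07 still send `/docs/reference/shared-secret` to `/docs/reference/shared-secret-settings`, which no longer exists after this change. Land the id change together with the redirect and `reference.json` updates. Minor: the subject of the following commit reads `signign key`.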
@@ -532,7 +532,7 @@ "shared-secret": { "id": "shared-secret", "title": "Shared Secret", - "path": "/shared-secret-settings#shared-secret", + "path": "/shared-secret", "description": "Shared Secret is the base64-encoded, 256-bit key used to mutually authenticate requests between services.", "services": [], "type": "string", @@ -541,7 +541,7 @@ "shared-secret-file": { "id": "shared-secret-file", "title": "Shared Secret File", - "path": "/shared-secret-settings#shared-secret-file", + "path": "/shared-secret#shared-secret-file", "description": "File path containing base64-encoded shared secret.", "services": [], "type": "string", @@ -1476,7 +1476,7 @@ "signing-key": { "id": "signing-key", "title": "Signing Key", - "path": "/signing-key-settings#signing-key", + "path": "/signing-key", "description": "Signing Key is the key used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.", "services": [], "type": "string", @@ -1485,7 +1485,7 @@ "signing-key-file": { "id": "signing-key-file", "title": "Signing Key File", - "path": "/signing-key-settings#signing-key-file", + "path": "/signing-key", "description": "File path to a secret containing the signing key, used to sign a user's attestation JWT which can be consumed by upstream applications to pass along identifying user information like username, id, and groups.", "services": [], "type": "string", diff --git a/content/docs/reference/shared-secret.mdx b/content/docs/reference/shared-secret.mdx index 61eb96b07..d1113707c 100644 --- a/content/docs/reference/shared-secret.mdx +++ b/content/docs/reference/shared-secret.mdx 
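Review bot: within one patch, `signing-key-file` now points to the bare `/signing-key` while `shared-secret-file` points to `/shared-secret#shared-secret-file`; the second only resolves while a `## Shared Secret File` heading exists, and patch 07 removes that heading (and then corrects the path to `/shared-secret`). Make both `-file` entries point at the parent page root in this patch so the intermediate state is not broken. The `shared-secret.mdx` hunk that follows (`-## Shared Secret` becoming `# Shared Secret`) is consistent with the id change in patch 05.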
@@ -13,9 +13,7 @@ toc_max_heading_level: 2 import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Shared Secret Settings - -## Shared Secret +# Shared Secret **Shared Secret** is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely. diff --git a/content/docs/reference/signing-key.mdx b/content/docs/reference/signing-key.mdx index 3f1e75bec..6d81e03a7 100644 --- a/content/docs/reference/signing-key.mdx +++ b/content/docs/reference/signing-key.mdx @@ -1,8 +1,8 @@ --- # cSpell:ignore ecparam genkey noout QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4 ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY -id: signing-key-settings -title: Signing Key Settings +id: signing-key +title: Signing Key sidebar_label: Signing Key Settings description: | This page discusses the signing key settings Pomerium uses to sign the Pomerium JWT that's sent to upstream services to verify a user's identity. @@ -17,13 +17,11 @@ toc_max_heading_level: 2 import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; -# Signing Key Settings - -## Signing Key +# Signing Key **Signing Key** is one or more PEM-encoded private keys used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user information like username, id, and groups. -### How to configure +## How to configure @@ -31,6 +29,7 @@ import TabItem from '@theme/TabItem'; | **Config file keys** | **Environment variables** | **Type** | **Usage** | | :------------------- | :------------------------ | :------- | :----------- | | `signing_key` | `SIGNING_KEY` | `string` | **optional** | +| `signing_key_file` | `SIGNING_KEY_FILE` | `string` | **optional** | 
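Review bot: the front-matter hunk changes `id` and `title` to `Signing Key` but leaves `sidebar_label: Signing Key Settings`, so the sidebar will show a different name from the page heading; update it in the same hunk. In the table hunk, the new `signing_key_file` row sits beside `signing_key` with both marked **optional** and nothing says they are two ways of supplying the same key (an inline PEM value versus a path to a file containing it); a one-sentence note under the table, carried over from the Signing Key File section this series removes, would make the relationship clear.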
@@ -49,6 +48,16 @@ See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more informatio +## Examples + +```yaml +signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUNUWHlVQ0phYmlHTW1wd3VqYlBmWHhNS2MzWjNFM0tEcmlEbmQwZktiTmtvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFM1FYQmZ1eEV1UEhJT0ZDb3RaaXBOMUFqM3UrOUtFRWd4RFVURW9CcjYxYXpaYWFvYlRGbwo0cGY3WFRSbzVhM2U2aDdKUW9wckp4QSszd0dwTUpSYWl3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= +``` + +```bash +SIGNING_KEY_FILE='/run/secrets/POMERIUM_SIGNING_KEY' +``` + ### How to use signing key If set, the signing key's public key(s) can be retrieved by hitting Pomerium's well-known JWKS endpoint: 
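Review bot: `## Examples` is inserted as an H2 immediately before `### How to use signing key`, so that section and the key-rotation steps below it now render as children of Examples rather than of the page; either make it `### Examples` or place it after the rotation section. The two blocks are also asymmetric: the YAML shows an inline `signing_key` value while the bash shows `SIGNING_KEY_FILE`, so neither `SIGNING_KEY` nor `signing_key_file` is demonstrated, and the YAML value is a full base64-encoded private key where a placeholder is the safer choice for a reference page.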
@@ -105,51 +114,3 @@ To implement key rotation, follow a 3-step process: 3. Remove the old key from the list. With sufficient time between the steps, this process should be resilient to caching of the JWKS endpoint by applications. - -## Signing Key File - -**Signing Key File** is the path to a file containing a [Signing Key](#signing-key). - -The signing key is the private key used to sign a user's attestation JWT, which can be consumed by upstream applications to pass along identifying user session information such as username, id, and groups. - -See [Signing Key](#signing-key) for more information. - -### How to configure - - - - -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :------------------- | :------------------------ | :------- | :----------- | -| `signing_key_file` | `SIGNING_KEY_FILE` | `string` | **optional** | - -### Examples - -Signing Key File is useful when deploying in environments that provide secret management like [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/). - -For example: - -```yaml -signing_key_file: '/run/secrets/POMERIUM_SIGNING_KEY' -``` - -```bash -SIGNING_KEY_FILE='/run/secrets/POMERIUM_SIGNING_KEY' -``` - - - - -`signing_key_file` is a bootstrap configuration setting and is not configurable in the Console. - - - - -| **Name** | **Type** | **Usage** | -| :-------------------- | :------- | :----------- | -| `secrets.signing_key` | `string` | **optional** | - -See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. - - - diff --git a/static/_redirects b/static/_redirects index b354ba9aa..31f01d335 100644 --- a/static/_redirects +++ b/static/_redirects 
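Review bot: deleting the `## Signing Key File` section also drops the only sentence explaining when to prefer the file form (environments with secret management such as Docker Swarm, with the `/run/secrets/POMERIUM_SIGNING_KEY` path) and the note that `signing_key_file` is a bootstrap setting not configurable in the Console. Neither is restated in the merged page in the hunks above, so carry both into the new `## Examples` block; before dropping the Kubernetes `secrets.signing_key` table, check that the Signing Key tabs already contain that row, since the remaining context only shows the "See Kubernetes bootstrap secrets" sentence.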
@@ -463,8 +463,8 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co /docs/reference/the-number-of-trusted-hops /docs/reference/x-forwarded-for-settings#xff-number-of-trusted-hops # Signing Key settings -/docs/reference/signing-key /docs/reference/signing-key-settings#signing-key -/docs/reference/signing-key-file /docs/reference/signing-key-settings#signing-key-file +/docs/reference/signing-key /docs/reference/signing-key +/docs/reference/signing-key-file /docs/reference/signing-key # Shared Secret settings /docs/reference/shared-secret /docs/reference/shared-secret-settings#shared-secret From 78b033160296bcfb0f226f9bee5694fcce55882e Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:34:20 -0400 Subject: [PATCH 07/16] updates shared secret --- content/docs/reference/reference.json | 2 +- content/docs/reference/shared-secret.mdx | 85 ++++-------------------- static/_redirects | 4 +- 3 files changed, 15 insertions(+), 76 deletions(-) diff --git a/content/docs/reference/reference.json b/content/docs/reference/reference.json index e94693a19..349b83900 100644 --- a/content/docs/reference/reference.json +++ b/content/docs/reference/reference.json @@ -541,7 +541,7 @@ "shared-secret-file": { "id": "shared-secret-file", "title": "Shared Secret File", - "path": "/shared-secret#shared-secret-file", + "path": "/shared-secret", "description": "File path containing base64-encoded shared secret.", "services": [], "type": "string", diff --git a/content/docs/reference/shared-secret.mdx b/content/docs/reference/shared-secret.mdx index d1113707c..bcc031cbd 100644 --- a/content/docs/reference/shared-secret.mdx +++ b/content/docs/reference/shared-secret.mdx 
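Review bot: `/docs/reference/signing-key /docs/reference/signing-key` redirects a path to itself; on most static hosts that is either a redirect loop or a rule that shadows the real page, so delete the rule rather than rewrite it (only the `signing-key-file` to `signing-key` rule is needed). The `# Shared Secret settings` rules in the trailing context still target `shared-secret-settings`, which patch 05 renamed back to `shared-secret`.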
@@ -15,28 +15,9 @@ import TabItem from '@theme/TabItem'; # Shared Secret -**Shared Secret** is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely. - -### How to configure - - - - -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :------------------- | :------------------------ | :------- | :------------- | -| `shared_secret` | `SHARED_SECRET` | `string` | \***optional** | - -\* Standalone Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. If you don't set a shared secret, Pomerium will generate one for you. - -:::enterprise Shared Secret in Enterprise Configurations - -If you're connecting to the [Enterprise Console](/docs/enterprise), your Pomerium Core and Enterprise configurations each require the same shared secret. - -See the [Enterprise Quickstart](/docs/enterprise/quickstart) for an example implementation. - -::: +## Summary -### Examples +**Shared Secret** is the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely. :::note 
@@ -44,53 +25,15 @@ If you adjust your shared secret and/or how it's accessed by Pomerium, you may c ::: -To generate a key, run the following command: - -```shell -head -c32 /dev/urandom | base64 -``` - -Add the value to your configuration file: - -```yaml -shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs= -``` - -```bash -SHARED_SECRET=wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs= -``` - - - - -`shared_secret` is a bootstrap configuration setting and is not configurable in the Console. - - - - -| **Name** | **Type** | **Usage** | -| :---------------------- | :------- | :----------- | -| `secrets.shared_secret` | `string` | **required** | - -See Kubernetes [bootstrap secrets](/docs/k8s/reference#spec) for more information. - - - - -## Shared Secret File - -**Shared Secret File** is the location of a file containing the base64-encoded, 256-bit key used to mutually authenticate requests between Pomerium services. It's critical that secret keys are random, and stored safely. - -### How to configure +## How to configure | **Config file keys** | **Environment variables** | **Type** | **Usage** | | :------------------- | :------------------------ | :------- | :------------- | -| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | \***optional** | - -\* Standalone Pomerium Core configurations do not require a `shared_secret` or `shared_secret_file`. If you don't set a shared secret, Pomerium will generate one for you. +| `shared_secret` | `SHARED_SECRET` | `string` | **required** | +| `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | **required** | :::enterprise Shared Secret in Enterprise Configurations 
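Review bot: marking both `shared_secret` and `shared_secret_file` as **required** reads as "set both", and the removed footnote was the only place saying that standalone Pomerium Core needs neither and generates a secret automatically. Either keep the footnote or mark the pair as required-one-of; the Enterprise admonition in the trailing context ("your Pomerium Core and Enterprise configurations each require the same shared secret") is the case where "required" actually applies.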
@@ -102,30 +45,26 @@ See the [Enterprise Quickstart](/docs/enterprise/quickstart) for an example impl ### Examples -:::note - -If you adjust your shared secret and/or how it's accessed by Pomerium, you may create a [**secret mismatch**](/docs/troubleshooting#shared-secret-mismatch). - -::: - -`shared_secret_file` points to a file containing the secret. This is useful when deploying in environments that provide secret management like [Docker Swarm](https://docs.docker.com/engine/swarm/secrets/). - To generate a key, run the following command: ```shell head -c32 /dev/urandom | base64 ``` -Place the value in your `shared_secret_file`: +Add the value to your configuration file: ```yaml -shared_secret_file: '/run/secrets/POMERIUM_SHARED_SECRET' +shared_secret: wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs= +``` + +```bash +SHARED_SECRET_FILE='/run/secrets/POMERIUM_SHARED_SECRET' ``` -`shared_secret_file` is a bootstrap configuration setting and is not configurable in the Console. +`shared_secret` is a bootstrap configuration setting and is not configurable in the Console. diff --git a/static/_redirects b/static/_redirects index 31f01d335..0df898ef8 100644 --- a/static/_redirects +++ b/static/_redirects @@ -467,8 +467,8 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co /docs/reference/signing-key-file /docs/reference/signing-key # Shared Secret settings -/docs/reference/shared-secret /docs/reference/shared-secret-settings#shared-secret -/docs/reference/shared-secret-file /docs/reference/shared-secret-settings#shared-secret-file +/docs/reference/shared-secret /docs/reference/shared-secret-settings +/docs/reference/shared-secret-file /docs/reference/shared-secret-settings # Topics links - now concepts /docs/topics/auth-logs /docs/capabilities/audit-logs From d26b02cd87e8dede0ef6be72ad8c765c48fc7b1f Mon Sep 17 00:00:00 2001 
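Review bot: under "Add the value to your configuration file" the bash block now shows `SHARED_SECRET_FILE='/run/secrets/POMERIUM_SHARED_SECRET'` instead of `SHARED_SECRET=wC4RFsEdM1gHFzvRt3XW+iWw6Ddt/1kKkdh66OKxiqs=`, so the value generated by `head -c32 /dev/urandom | base64` is never shown being passed through the environment variable, and the file form appears with no explanation now that the Docker Swarm sentence is removed in the same hunk. Show `SHARED_SECRET=` beside `shared_secret:` and keep a separate `shared_secret_file` example with the secret-manager context.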
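Review bot: in the `_redirects` hunk, `/docs/reference/shared-secret /docs/reference/shared-secret-settings` redirects the live page (its id is `shared-secret` since patch 05, and `reference.json` in this very patch uses `/shared-secret`) to a path that no longer exists. Drop that rule and point `shared-secret-file` at `/docs/reference/shared-secret`, mirroring the signing-key rules in patch 06.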
From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:40:02 -0400 Subject: [PATCH 08/16] fixes breaking links --- content/docs/capabilities/getting-users-identity.md | 4 ++-- content/docs/core/quickstart.md | 2 +- content/docs/courses/fundamentals/jwt-verification.md | 2 +- content/docs/enterprise/changelog.mdx | 2 +- content/docs/enterprise/upgrading.mdx | 4 ++-- content/docs/guides/tooljet.mdx | 4 ++-- content/docs/identity-providers/oidc.mdx | 2 +- content/docs/internals/data-storage.md | 2 +- content/docs/k8s/reference.md | 2 +- content/docs/reference/downstream-mtls-settings.mdx | 2 +- content/docs/troubleshooting.mdx | 4 ++-- content/examples/tooljet/config-tooljet.yaml.md | 2 +- 12 files changed, 16 insertions(+), 16 deletions(-) diff --git a/content/docs/capabilities/getting-users-identity.md b/content/docs/capabilities/getting-users-identity.md index 8419b5e8a..c12a58683 100644 --- a/content/docs/capabilities/getting-users-identity.md +++ b/content/docs/capabilities/getting-users-identity.md @@ -167,5 +167,5 @@ In an actual client, you'll want to ensure that all the other claims values are [key management service]: https://en.wikipedia.org/wiki/Key_management [nist p-256]: https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf [pass identity headers]: /docs/reference/routes/pass-identity-headers-per-route -[signing key]: /docs/reference/signing-key-settings#signing-key -[signing key file]: /docs/reference/signing-key-settings#signing-key-file +[signing key]: /docs/reference/signing-key#signing-key +[signing key file]: /docs/reference/signing-key#signing-key-file diff --git a/content/docs/core/quickstart.md b/content/docs/core/quickstart.md index 7707f64fa..890fa15f1 100644 --- a/content/docs/core/quickstart.md +++ b/content/docs/core/quickstart.md 
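Review bot: `[signing key file]: /docs/reference/signing-key#signing-key-file` targets the `## Signing Key File` heading that patch 06 removed, so the fragment is dangling as of this patch (patch 10 later deletes the definition). Since the merged page already exists at this point in the series, point the link at `/docs/reference/signing-key` here and adjust the prose that uses `[Signing Key File]` in the same patch rather than in a follow-up.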
@@ -71,7 +71,7 @@ Although identity verification failed, you successfully integrated Pomerium with :::tip -Because this guide doesn't include a [signing key](/docs/reference/signing-key-settings#signing-key) in the configuration, identity verification will fail. +Because this guide doesn't include a [signing key](/docs/reference/signing-key#signing-key) in the configuration, identity verification will fail. See [Identity Verification](/docs/capabilities/getting-users-identity) for more information on how Pomerium can use JWTs for authentication. diff --git a/content/docs/courses/fundamentals/jwt-verification.md b/content/docs/courses/fundamentals/jwt-verification.md index 7d24f5faa..7662914f0 100644 --- a/content/docs/courses/fundamentals/jwt-verification.md +++ b/content/docs/courses/fundamentals/jwt-verification.md @@ -97,7 +97,7 @@ If that’s a lot to take in, don’t worry, Pomerium handles a lot of it for yo There are two settings that you need to configure to implement identity verification with signed headers: - [Pass Identity Headers](/docs/reference/routes/pass-identity-headers-per-route) -- [Signing Key](/docs/reference/signing-key-settings#signing-key) +- [Signing Key](/docs/reference/signing-key#signing-key) :::info **Global and Route Settings** diff --git a/content/docs/enterprise/changelog.mdx b/content/docs/enterprise/changelog.mdx index 4845e26b3..2b2562e78 100644 --- a/content/docs/enterprise/changelog.mdx +++ b/content/docs/enterprise/changelog.mdx 
@@ -292,7 +292,7 @@ Added support for the Rego [**`print()`**](https://www.openpolicyagent.org/docs/ - Impersonation - Impersonation is now done on an individual session basis. - Various other bug fixes and improvements. -[`signing key`]: /docs/reference/signing-key-settings#signing-key +[`signing key`]: /docs/reference/signing-key#signing-key [google cloud serverless]: /docs/reference/routes/enable-google-cloud-serverless-authentication [policy language]: /docs/capabilities/ppl [runtime]: /docs/capabilities/reports.md#runtime diff --git a/content/docs/enterprise/upgrading.mdx b/content/docs/enterprise/upgrading.mdx index 45266149e..0b845afb4 100644 --- a/content/docs/enterprise/upgrading.mdx +++ b/content/docs/enterprise/upgrading.mdx @@ -140,7 +140,7 @@ Pomerium Core would only perform user authentication and session refresh with th ### Before You Upgrade -- The [`signing-key`](/docs/reference/signing-key-settings#signing-key) has been replaced with [`authenticate-service-url`](/docs/reference/authenticate-service-url). Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from. +- The [`signing-key`](/docs/reference/signing-key#signing-key) has been replaced with [`authenticate-service-url`](/docs/reference/authenticate-service-url). Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from. The `signing-key` key will continue to work for existing configurations, but [device enrollment](/docs/capabilities/device-identity#new-enrollment-enterprise) will not work until it is replaced by `authenticate-service-url`. 
@@ -151,7 +151,7 @@ Pomerium Core would only perform user authentication and session refresh with th - `signing-key` is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the [signing key] reference page for more information on generating a key. - `audience` is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the [`from`](/docs/reference/routes) field in the Routes entry (not including the protocol). -[signing key]: /docs/reference/signing-key-settings#signing-key +[signing key]: /docs/reference/signing-key#signing-key ### Helm Installations diff --git a/content/docs/guides/tooljet.mdx b/content/docs/guides/tooljet.mdx index cecd9f1d9..145cbd8b7 100644 --- a/content/docs/guides/tooljet.mdx +++ b/content/docs/guides/tooljet.mdx @@ -49,7 +49,7 @@ Next, you need to: - Replace user@example.com with the email associated with your IdP - Generate a signing key -To generate a [signing key](/docs/reference/signing-key-settings#signing-key), use the commands below: +To generate a [signing key](/docs/reference/signing-key#signing-key), use the commands below: ```bash # Generates a P-256 (ES256) signing key @@ -133,7 +133,7 @@ Next, you need to: - Replace user@example.com with the email associated with your IdP - Generate a signing key -To generate a [signing key](/docs/reference/signing-key-settings#signing-key), use the commands below: +To generate a [signing key](/docs/reference/signing-key#signing-key), use the commands below: ```bash # Generates a P-256 (ES256) signing key diff --git a/content/docs/identity-providers/oidc.mdx b/content/docs/identity-providers/oidc.mdx index a80b2138e..4dece7b7f 100644 --- a/content/docs/identity-providers/oidc.mdx +++ b/content/docs/identity-providers/oidc.mdx 
@@ -179,7 +179,7 @@ Note the following points: :::caution -Do not use the **signing key** in the example above in a production environment. See [**Signing Keys**](/docs/reference/signing-key-settings#signing-key) for more information on generating and using signing keys. +Do not use the **signing key** in the example above in a production environment. See [**Signing Keys**](/docs/reference/signing-key#signing-key) for more information on generating and using signing keys. ::: diff --git a/content/docs/internals/data-storage.md b/content/docs/internals/data-storage.md index 5fa0e0df6..ff6bce33b 100644 --- a/content/docs/internals/data-storage.md +++ b/content/docs/internals/data-storage.md @@ -94,4 +94,4 @@ Configuration options for each backend are detailed in the [**databroker configu ## Troubleshooting -Most issues with the Databroker service are caused by a [`shared_secret`](/docs/reference/shared-secret-settings#shared-secret) mismatch between services. See [Troubleshooting - Shared Secret Mismatch](/docs/reference/shared-secret-settings#shared-secret) for details. +Most issues with the Databroker service are caused by a [`shared_secret`](/docs/reference/shared-secret#shared-secret) mismatch between services. See [Troubleshooting - Shared Secret Mismatch](/docs/reference/shared-secret#shared-secret) for details. diff --git a/content/docs/k8s/reference.md b/content/docs/k8s/reference.md index 666ffadda..3aef29788 100644 --- a/content/docs/k8s/reference.md +++ b/content/docs/k8s/reference.md @@ -216,7 +216,7 @@ PomeriumSpec defines Pomerium-specific configuration parameters.

Required.  - Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

+ Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format. diff --git a/content/docs/reference/downstream-mtls-settings.mdx b/content/docs/reference/downstream-mtls-settings.mdx index 3fed5d9b0..c1cbe47e4 100644 --- a/content/docs/reference/downstream-mtls-settings.mdx +++ b/content/docs/reference/downstream-mtls-settings.mdx 
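Review bot: in the `data-storage.md` hunk above, the link labelled "Troubleshooting - Shared Secret Mismatch" still points at the reference page (`/docs/reference/shared-secret#shared-secret`) rather than at the troubleshooting section; that section, `### Shared Secret Mismatch`, lives in `content/docs/troubleshooting.mdx`, so the target should be `/docs/troubleshooting#shared-secret-mismatch`. Only the first link in the sentence should go to the reference page.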
@@ -168,7 +168,7 @@ The Ingress Controller does not support these settings. This matches the default behavior of many popular reverse proxies, such as Apache httpd and Caddy. - Note that in this mode, client certificates will be required even for internal Pomerium routes, such as the authenticate URL (if using the self-hosted authenticate service) and the /.pomerium/ page (the page showing details of a user's current login session). In particular, any upstream services that perform [JWT verification](/docs/capabilities/getting-users-identity) will not be able to access the default [JWKS endpoint](/docs/reference/signing-key-settings#signing-key#how-to-use-signing-key). You may need to host your own JWKS endpoint, or provide some other means of distributing the JWT verification key(s). + Note that in this mode, client certificates will be required even for internal Pomerium routes, such as the authenticate URL (if using the self-hosted authenticate service) and the /.pomerium/ page (the page showing details of a user's current login session). In particular, any upstream services that perform [JWT verification](/docs/capabilities/getting-users-identity) will not be able to access the default [JWKS endpoint](/docs/reference/signing-key#signing-key#how-to-use-signing-key). You may need to host your own JWKS endpoint, or provide some other means of distributing the JWT verification key(s). This mode also adds a requirement that any configured [**CRL**](#crl) is valid only between its `thisUpdate` and `nextUpdate` timestamps. _If an invalid CRL is provided for a certain CA, no certificates issued by that CA will be allowed._ diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index 1f2fa0962..6280d8d05 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx 
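Review bot: `/docs/reference/signing-key#signing-key#how-to-use-signing-key` keeps the double fragment from the old link; a URL has a single fragment, so the browser looks for an id `signing-key#how-to-use-signing-key` that does not exist. Use `/docs/reference/signing-key#how-to-use-signing-key`, matching the `### How to use signing key` heading on that page.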
@@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret-settings#shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret#shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. Pomerium Core will log a shared secret mismatch with: @@ -182,7 +182,7 @@ Pomerium Enterprise will log a shared secret mismatch with: } ``` -Update the [shared secret](/docs/reference/shared-secret-settings#shared-secret) across all Pomerium services to match the one set for the Databroker. +Update the [shared secret](/docs/reference/shared-secret#shared-secret) across all Pomerium services to match the one set for the Databroker. ### RPC Errors diff --git a/content/examples/tooljet/config-tooljet.yaml.md b/content/examples/tooljet/config-tooljet.yaml.md index 9f33b651b..6b5a35762 100644 --- a/content/examples/tooljet/config-tooljet.yaml.md +++ b/content/examples/tooljet/config-tooljet.yaml.md @@ -6,7 +6,7 @@ idp_provider: github idp_client_id: REPLACE_ME idp_client_secret: REPLACE_ME -# Update the signing key: https://www.pomerium.com/docs/reference/signing-key-settings#signing-key +# Update the signing key: https://www.pomerium.com/docs/reference/signing-key#signing-key signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURRemVZWDZyT2tuemFnTjRJVTYxaEtRc3pzY1EvRllmbzZPcXhWd2YvdGZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc1V0V2psYXZ3eHprSU9DVUNDeFVnTDJza2NjL3QxSTFmQXlxUDgrMWw5YU1CWDlzdm1pYgpRajJxcWFUbUJZZWhuQzhmak5LODZmVXhpc3d1SXN5bnp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= routes: 
From af52451bef585700c49afadf147328d62875a054 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Thu, 25 Jul 2024 17:42:18 -0400 Subject: [PATCH 09/16] runs prettier --- content/docs/reference/shared-secret.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/reference/shared-secret.mdx b/content/docs/reference/shared-secret.mdx index bcc031cbd..448796796 100644 --- a/content/docs/reference/shared-secret.mdx +++ b/content/docs/reference/shared-secret.mdx @@ -30,8 +30,8 @@ If you adjust your shared secret and/or how it's accessed by Pomerium, you may c -| **Config file keys** | **Environment variables** | **Type** | **Usage** | -| :------------------- | :------------------------ | :------- | :------------- | +| **Config file keys** | **Environment variables** | **Type** | **Usage** | +| :------------------- | :------------------------ | :------- | :----------- | | `shared_secret` | `SHARED_SECRET` | `string` | **required** | | `shared_secret_file` | `SHARED_SECRET_FILE` | `string` | **required** | From c8ae082fd6432be8ffe8a0431fc28d7317a8cd75 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:55:29 -0400 Subject: [PATCH 10/16] incorporates feedback --- content/docs/capabilities/getting-users-identity.md | 5 ++--- content/docs/core/quickstart.md | 2 +- content/docs/courses/fundamentals/jwt-verification.md | 2 +- content/docs/enterprise/changelog.mdx | 2 +- content/docs/enterprise/upgrading.mdx | 4 ++-- content/docs/guides/tooljet.mdx | 4 ++-- content/docs/identity-providers/oidc.mdx | 2 +- content/docs/k8s/reference.md | 2 +- content/docs/reference/downstream-mtls-settings.mdx | 2 +- content/examples/tooljet/config-tooljet.yaml.md | 2 +- 10 files changed, 13 insertions(+), 14 deletions(-) 
diff --git a/content/docs/capabilities/getting-users-identity.md b/content/docs/capabilities/getting-users-identity.md index c12a58683..1548749e0 100644 --- a/content/docs/capabilities/getting-users-identity.md +++ b/content/docs/capabilities/getting-users-identity.md @@ -98,7 +98,7 @@ curl https://your-app.corp.example.com/.well-known/pomerium/jwks.json | jq :::caution -In order to use the `/.well-known/pomerium/jwks.json` endpoint you must set either the [Signing Key] or [Signing Key File] configuration option. +In order to use the `/.well-known/pomerium/jwks.json` endpoint, you must set either [Signing Key] configuration option. ::: @@ -167,5 +167,4 @@ In an actual client, you'll want to ensure that all the other claims values are [key management service]: https://en.wikipedia.org/wiki/Key_management [nist p-256]: https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf [pass identity headers]: /docs/reference/routes/pass-identity-headers-per-route -[signing key]: /docs/reference/signing-key#signing-key -[signing key file]: /docs/reference/signing-key#signing-key-file +[signing key]: /docs/reference/signing-key \ No newline at end of file diff --git a/content/docs/core/quickstart.md b/content/docs/core/quickstart.md index 890fa15f1..7c8295dc7 100644 --- a/content/docs/core/quickstart.md +++ b/content/docs/core/quickstart.md @@ -71,7 +71,7 @@ Although identity verification failed, you successfully integrated Pomerium with :::tip -Because this guide doesn't include a [signing key](/docs/reference/signing-key#signing-key) in the configuration, identity verification will fail. +Because this guide doesn't include a [signing key](/docs/reference/signing-key) in the configuration, identity verification will fail. See [Identity Verification](/docs/capabilities/getting-users-identity) for more information on how Pomerium can use JWTs for authentication. 
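Review bot: "you must set either [Signing Key] configuration option" is left with a dangling "either" once the second alternative is removed; suggest "you must set the [Signing Key] configuration option (`signing_key` or `signing_key_file`)". The same hunk also drops the trailing newline (`\ No newline at end of file`), which will come back as churn on the next prettier run; keep the newline.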
diff --git a/content/docs/courses/fundamentals/jwt-verification.md b/content/docs/courses/fundamentals/jwt-verification.md index 7662914f0..b3895eed6 100644 --- a/content/docs/courses/fundamentals/jwt-verification.md +++ b/content/docs/courses/fundamentals/jwt-verification.md @@ -97,7 +97,7 @@ If that’s a lot to take in, don’t worry, Pomerium handles a lot of it for yo There are two settings that you need to configure to implement identity verification with signed headers: - [Pass Identity Headers](/docs/reference/routes/pass-identity-headers-per-route) -- [Signing Key](/docs/reference/signing-key#signing-key) +- [Signing Key](/docs/reference/signing-key) :::info **Global and Route Settings** diff --git a/content/docs/enterprise/changelog.mdx b/content/docs/enterprise/changelog.mdx index 2b2562e78..2ad0164b0 100644 --- a/content/docs/enterprise/changelog.mdx +++ b/content/docs/enterprise/changelog.mdx @@ -292,7 +292,7 @@ Added support for the Rego [**`print()`**](https://www.openpolicyagent.org/docs/ - Impersonation - Impersonation is now done on an individual session basis. - Various other bug fixes and improvements. -[`signing key`]: /docs/reference/signing-key#signing-key +[`signing key`]: /docs/reference/signing-key [google cloud serverless]: /docs/reference/routes/enable-google-cloud-serverless-authentication [policy language]: /docs/capabilities/ppl [runtime]: /docs/capabilities/reports.md#runtime diff --git a/content/docs/enterprise/upgrading.mdx b/content/docs/enterprise/upgrading.mdx index 0b845afb4..4dc3534e3 100644 --- a/content/docs/enterprise/upgrading.mdx +++ b/content/docs/enterprise/upgrading.mdx 
@@ -140,7 +140,7 @@ Pomerium Core would only perform user authentication and session refresh with th ### Before You Upgrade -- The [`signing-key`](/docs/reference/signing-key#signing-key) has been replaced with [`authenticate-service-url`](/docs/reference/authenticate-service-url). Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from. +- The [`signing-key`](/docs/reference/signing-key) has been replaced with [`authenticate-service-url`](/docs/reference/authenticate-service-url). Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from. The `signing-key` key will continue to work for existing configurations, but [device enrollment](/docs/capabilities/device-identity#new-enrollment-enterprise) will not work until it is replaced by `authenticate-service-url`. @@ -151,7 +151,7 @@ Pomerium Core would only perform user authentication and session refresh with th - `signing-key` is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the [signing key] reference page for more information on generating a key. - `audience` is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the [`from`](/docs/reference/routes) field in the Routes entry (not including the protocol). -[signing key]: /docs/reference/signing-key#signing-key +[signing key]: /docs/reference/signing-key ### Helm Installations diff --git a/content/docs/guides/tooljet.mdx b/content/docs/guides/tooljet.mdx index 145cbd8b7..90e45da66 100644 --- a/content/docs/guides/tooljet.mdx +++ b/content/docs/guides/tooljet.mdx 
@@ -49,7 +49,7 @@ Next, you need to: - Replace user@example.com with the email associated with your IdP - Generate a signing key -To generate a [signing key](/docs/reference/signing-key#signing-key), use the commands below: +To generate a [signing key](/docs/reference/signing-key), use the commands below: ```bash # Generates a P-256 (ES256) signing key @@ -133,7 +133,7 @@ Next, you need to: - Replace user@example.com with the email associated with your IdP - Generate a signing key -To generate a [signing key](/docs/reference/signing-key#signing-key), use the commands below: +To generate a [signing key](/docs/reference/signing-key), use the commands below: ```bash # Generates a P-256 (ES256) signing key diff --git a/content/docs/identity-providers/oidc.mdx b/content/docs/identity-providers/oidc.mdx index 4dece7b7f..334b8ce04 100644 --- a/content/docs/identity-providers/oidc.mdx +++ b/content/docs/identity-providers/oidc.mdx @@ -179,7 +179,7 @@ Note the following points: :::caution -Do not use the **signing key** in the example above in a production environment. See [**Signing Keys**](/docs/reference/signing-key#signing-key) for more information on generating and using signing keys. +Do not use the **signing key** in the example above in a production environment. See [**Signing Keys**](/docs/reference/signing-key) for more information on generating and using signing keys. ::: diff --git a/content/docs/k8s/reference.md b/content/docs/k8s/reference.md index 3aef29788..f79283c60 100644 --- a/content/docs/k8s/reference.md +++ b/content/docs/k8s/reference.md @@ -216,7 +216,7 @@ PomeriumSpec defines Pomerium-specific configuration parameters.

Required.  - Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

+ Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format. diff --git a/content/docs/reference/downstream-mtls-settings.mdx b/content/docs/reference/downstream-mtls-settings.mdx index c1cbe47e4..e68c6a244 100644 --- a/content/docs/reference/downstream-mtls-settings.mdx +++ b/content/docs/reference/downstream-mtls-settings.mdx @@ -168,7 +168,7 @@ The Ingress Controller does not support these settings. This matches the default behavior of many popular reverse proxies, such as Apache httpd and Caddy. - Note that in this mode, client certificates will be required even for internal Pomerium routes, such as the authenticate URL (if using the self-hosted authenticate service) and the /.pomerium/ page (the page showing details of a user's current login session). In particular, any upstream services that perform [JWT verification](/docs/capabilities/getting-users-identity) will not be able to access the default [JWKS endpoint](/docs/reference/signing-key#signing-key#how-to-use-signing-key). You may need to host your own JWKS endpoint, or provide some other means of distributing the JWT verification key(s). + Note that in this mode, client certificates will be required even for internal Pomerium routes, such as the authenticate URL (if using the self-hosted authenticate service) and the /.pomerium/ page (the page showing details of a user's current login session). In particular, any upstream services that perform [JWT verification](/docs/capabilities/getting-users-identity) will not be able to access the default [JWKS endpoint](/docs/reference/signing-key#how-to-use-signing-key). You may need to host your own JWKS endpoint, or provide some other means of distributing the JWT verification key(s). This mode also adds a requirement that any configured [**CRL**](#crl) is valid only between its `thisUpdate` and `nextUpdate` timestamps. _If an invalid CRL is provided for a certain CA, no certificates issued by that CA will be allowed._ 
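Review bot: in the content/docs/k8s/reference.md hunk, the removed and added `Secrets references a Secret with Pomerium bootstrap parameters.` blocks are character-for-character identical as rendered here, so the change is invisible (most likely trailing whitespace or a line ending). Patch 12 touches the same `@@ -216,7 +216,7 @@` region again; if the two cancel out, drop both from the series, and if they do not, say in the commit message what actually changed.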
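Review bot: the downstream-mtls-settings.mdx hunk fixes a doubled fragment (`/docs/reference/signing-key#signing-key#how-to-use-signing-key` could never resolve) and keeps `#how-to-use-signing-key`. Every other link in this patch had its anchor into the Signing Key page stripped, so this is the one deep link left; confirm the merged page still has a `How to use signing key` heading, otherwise it silently lands at the top of the page.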
diff --git a/content/examples/tooljet/config-tooljet.yaml.md b/content/examples/tooljet/config-tooljet.yaml.md index 6b5a35762..2517fcb13 100644 --- a/content/examples/tooljet/config-tooljet.yaml.md +++ b/content/examples/tooljet/config-tooljet.yaml.md @@ -6,7 +6,7 @@ idp_provider: github idp_client_id: REPLACE_ME idp_client_secret: REPLACE_ME -# Update the signing key: https://www.pomerium.com/docs/reference/signing-key#signing-key +# Update the signing key: https://www.pomerium.com/docs/reference/signing-key signing_key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURRemVZWDZyT2tuemFnTjRJVTYxaEtRc3pzY1EvRllmbzZPcXhWd2YvdGZvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFc1V0V2psYXZ3eHprSU9DVUNDeFVnTDJza2NjL3QxSTFmQXlxUDgrMWw5YU1CWDlzdm1pYgpRajJxcWFUbUJZZWhuQzhmak5LODZmVXhpc3d1SXN5bnp3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo= routes: From b83690d10ce65a414d5eb04055d30e3e39c963c0 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Fri, 26 Jul 2024 10:58:58 -0400 Subject: [PATCH 11/16] runs prettier --- content/docs/capabilities/getting-users-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/capabilities/getting-users-identity.md b/content/docs/capabilities/getting-users-identity.md index 1548749e0..0db177e8f 100644 --- a/content/docs/capabilities/getting-users-identity.md +++ b/content/docs/capabilities/getting-users-identity.md @@ -167,4 +167,4 @@ In an actual client, you'll want to ensure that all the other claims values are [key management service]: https://en.wikipedia.org/wiki/Key_management [nist p-256]: https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf [pass identity headers]: /docs/reference/routes/pass-identity-headers-per-route -[signing key]: /docs/reference/signing-key \ No newline at end of file +[signing key]: /docs/reference/signing-key 
From f9bcb03dd3363f4b03f5f6a35d7a1af5dddbf016 Mon Sep 17 00:00:00 2001 From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> Date: Tue, 30 Jul 2024 10:16:52 -0700 Subject: [PATCH 12/16] revert some unnecessary changes Revert the addition of some #shared-secret anchor tags in links, the change to the sidebar label for the Signing Key page, and remove two unnecessary redirects. --- content/docs/internals/data-storage.md | 2 +- content/docs/k8s/reference.md | 2 +- content/docs/reference/signing-key.mdx | 1 - content/docs/troubleshooting.mdx | 4 ++-- static/_redirects | 8 +++----- 5 files changed, 7 insertions(+), 10 deletions(-) diff --git a/content/docs/internals/data-storage.md b/content/docs/internals/data-storage.md index ff6bce33b..f3229b778 100644 --- a/content/docs/internals/data-storage.md +++ b/content/docs/internals/data-storage.md @@ -94,4 +94,4 @@ Configuration options for each backend are detailed in the [**databroker configu ## Troubleshooting -Most issues with the Databroker service are caused by a [`shared_secret`](/docs/reference/shared-secret#shared-secret) mismatch between services. See [Troubleshooting - Shared Secret Mismatch](/docs/reference/shared-secret#shared-secret) for details. +Most issues with the Databroker service are caused by a [`shared_secret`](/docs/reference/shared-secret) mismatch between services. See [Troubleshooting - Shared Secret Mismatch](/docs/reference/shared-secret) for details. diff --git a/content/docs/k8s/reference.md b/content/docs/k8s/reference.md index f79283c60..5c5032587 100644 --- a/content/docs/k8s/reference.md +++ b/content/docs/k8s/reference.md @@ -216,7 +216,7 @@ PomeriumSpec defines Pomerium-specific configuration parameters.

Required.  - Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

+ Secrets references a Secret with Pomerium bootstrap parameters.

In a default Pomerium installation manifest, they would be generated via a one-time job and stored in a pomerium/bootstrap Secret. You may re-run the job to rotate the secrets, or update the Secret values manually.

Format: reference to Kubernetes resource with namespace prefix: namespace/name format. diff --git a/content/docs/reference/signing-key.mdx b/content/docs/reference/signing-key.mdx index 6d81e03a7..c976ec280 100644 --- a/content/docs/reference/signing-key.mdx +++ b/content/docs/reference/signing-key.mdx @@ -3,7 +3,6 @@ id: signing-key title: Signing Key -sidebar_label: Signing Key Settings description: | This page discusses the signing key settings Pomerium uses to sign the Pomerium JWT that's sent to upstream services to verify a user's identity. keywords: diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index 6280d8d05..d604ec332 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx @@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret#shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. Pomerium Core will log a shared secret mismatch with: @@ -182,7 +182,7 @@ Pomerium Enterprise will log a shared secret mismatch with: } ``` -Update the [shared secret](/docs/reference/shared-secret#shared-secret) across all Pomerium services to match the one set for the Databroker. +Update the [shared secret](/docs/reference/shared-secret) across all Pomerium services to match the one set for the Databroker. ### RPC Errors diff --git a/static/_redirects b/static/_redirects index 0df898ef8..dc9ac3a94 100644 --- a/static/_redirects +++ b/static/_redirects 
@@ -462,13 +462,11 @@ https://0-20-0.docs.pomerium.com/category/guides https://0-20-0.docs.pomerium.co /docs/reference/x-forwarded-for-http-header /docs/reference/x-forwarded-for-settings#skip-xff-append /docs/reference/the-number-of-trusted-hops /docs/reference/x-forwarded-for-settings#xff-number-of-trusted-hops -# Signing Key settings -/docs/reference/signing-key /docs/reference/signing-key +# Signing Key /docs/reference/signing-key-file /docs/reference/signing-key -# Shared Secret settings -/docs/reference/shared-secret /docs/reference/shared-secret-settings -/docs/reference/shared-secret-file /docs/reference/shared-secret-settings +# Shared Secret +/docs/reference/shared-secret-file /docs/reference/shared-secret # Topics links - now concepts /docs/topics/auth-logs /docs/capabilities/audit-logs From 485701c129c5e0eba5dec2af357fd281476296db Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Tue, 30 Jul 2024 14:27:55 -0400 Subject: [PATCH 13/16] Update content/docs/capabilities/getting-users-identity.md Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com> --- content/docs/capabilities/getting-users-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/capabilities/getting-users-identity.md b/content/docs/capabilities/getting-users-identity.md index 0db177e8f..34f3463ef 100644 --- a/content/docs/capabilities/getting-users-identity.md +++ b/content/docs/capabilities/getting-users-identity.md @@ -98,7 +98,7 @@ curl https://your-app.corp.example.com/.well-known/pomerium/jwks.json | jq :::caution -In order to use the `/.well-known/pomerium/jwks.json` endpoint, you must set either [Signing Key] configuration option. +In order to use the `/.well-known/pomerium/jwks.json` endpoint, you must set the [Signing Key] configuration option. ::: From 029bc6b55538bca3c2d8ac32074f17aa7ee013ca Mon Sep 17 00:00:00 2001 
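Review bot: in the content/docs/internals/data-storage.md hunk, the link text `Troubleshooting - Shared Secret Mismatch` now points at `/docs/reference/shared-secret`, the same target as the preceding `shared_secret` link, while the `### Shared Secret Mismatch` section it names lives in content/docs/troubleshooting.mdx (edited later in this same patch). Point the second link at `/docs/troubleshooting#shared-secret-mismatch` instead of just dropping the `#shared-secret` anchor; as written the two links are redundant and the reader never reaches the troubleshooting steps.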
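Review bot: the content/docs/k8s/reference.md hunk at `@@ -216,7 +216,7 @@` in this patch edits the same `Secrets references a Secret with Pomerium bootstrap parameters.` lines that patch 10 already edited, and as rendered the removed and added text are identical both times, so nothing visible changes. If this hunk reverts patch 10's whitespace change (the commit message says it reverts unnecessary changes), squash the two so the series does not carry a no-op round trip on this file.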
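Review bot: in the static/_redirects hunk, removing `/docs/reference/signing-key /docs/reference/signing-key` is right (a path redirecting to itself loops), but the surviving `/docs/reference/signing-key-file /docs/reference/signing-key` rule drops the section: the `[signing key file]: /docs/reference/signing-key#signing-key-file` link removed in patch 10 shows the merged page has a `signing-key-file` anchor, and this file already uses anchored destinations (`/docs/reference/x-forwarded-for-settings#skip-xff-append` two lines up), so `/docs/reference/signing-key-file /docs/reference/signing-key#signing-key-file` would land old deep links on the right setting. The same applies to `/docs/reference/shared-secret-file` if the Shared Secret page has a matching heading.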
From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:06:41 -0400 Subject: [PATCH 14/16] updates 'share' to 'contain' --- content/docs/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index d604ec332..e63ae9101 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx @@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services share a mismatched secret, or these services share a secret that is not the same secret set in the Databroker service, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services contain a mismatched secret, or these services contain a secret that is not the same secret set in the Databroker service, Pomerium will fail. Pomerium Core will log a shared secret mismatch with: From 97ec41ee53c9ed6f4d4a3ab128da2e1d8a7c7530 Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Tue, 30 Jul 2024 16:10:33 -0400 Subject: [PATCH 15/16] updates contain to exchange --- content/docs/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index e63ae9101..1ce1f4e33 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx 
@@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services contain a mismatched secret, or these services contain a secret that is not the same secret set in the Databroker service, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services exchange a mismatched secret, or these services exchange a secret that is not the same secret set in the Databroker service, Pomerium will fail. Pomerium Core will log a shared secret mismatch with: From f8e49dc7f4c8c8de4e6b23d4ce6b9f8f9d4379fc Mon Sep 17 00:00:00 2001 From: zachary painter <60552605+ZPain8464@users.noreply.github.com> Date: Tue, 30 Jul 2024 17:38:37 -0400 Subject: [PATCH 16/16] updates wording --- content/docs/troubleshooting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/troubleshooting.mdx b/content/docs/troubleshooting.mdx index 1ce1f4e33..be2b1787e 100644 --- a/content/docs/troubleshooting.mdx +++ b/content/docs/troubleshooting.mdx @@ -148,7 +148,7 @@ Events: ### Shared Secret Mismatch -Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). When Pomerium services exchange a mismatched secret, or these services exchange a secret that is not the same secret set in the Databroker service, Pomerium will fail. +Pomerium's independent services communicate securely using a [shared secret](/docs/reference/shared-secret). If any services have mismatched secrets, Pomerium will fail. Pomerium Core will log a shared secret mismatch with:
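Review bot: patches 14, 15 and 16 rewrite the same sentence in content/docs/troubleshooting.mdx three times (`share` to `contain` to `exchange` to the final `If any services have mismatched secrets, Pomerium will fail.`); squash them into one commit so the history carries the final wording only. The final version also loses what the original clause `a secret that is not the same secret set in the Databroker service` was saying: the fix instruction lower in the same section (visible in the patch 12 hunk) still tells the reader to match the secret `set for the Databroker`, so keep that reference, e.g. `If any service's shared secret differs from the one set for the Databroker, Pomerium will fail.`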