add pomerium cloud run tutorial #1397
Conversation
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Thanks for the contribution, @desimone . Since this is based on a document by @travisgroth , it would be good to acknowledge that in the document body. There are a few items in the queue before this, so I'll get to the editorial and production review next week.
preliminary review
Thanks, @ahmetb .
We found a Contributor License Agreement for you (the sender of this pull request), but were unable to find agreements for all the commit author(s) or Co-authors. If you authored these, maybe you used a different email address in the git commits than was used to sign the CLA (login here to double check)? If these were authored by someone else, then they will need to sign a CLA as well, and confirm that they're okay with these being contributed to Google. ℹ️ Googlers: Go here for more info.
fc7c10f to 612de48
Signed-off-by: Travis Groth <tgroth@pomerium.com>
612de48 to faf32b5
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info.
@googlebot I consent.
Signed-off-by: Travis Groth <tgroth@pomerium.com>
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
@ahmetb @ToddKopriva I've done a pass on addressing comments with one outstanding suggestion. Please review.
Thanks, @travisgroth . There are a couple of items ahead of this in the queue, so I'll probably begin my review late tomorrow or early Friday.
@ahmetb and @travisgroth , I did an edit pass, and I think that all of the review comments are suitably addressed. Let me know whether you agree that this is ready to be merged and published.
## Setup

To deploy Pomerium to Cloud Run, a [special image](https://console.cloud.google.com/gcr/images/pomerium-io/GLOBAL/pomerium) is available at
@travisgroth is this still the case? maybe we should change this as soon as Cloud Run integration is available in the main image?
The bootstrap to provide secrets from Secret Manager is not going to be in the main image for the time being.
Almost forgot - we have to publish an image for Cloud Run, as our regular image is not hosted in gcr. Cloud Run managed seems to only allow deployments from gcr.
Ack. For the purposes of the tutorial it's not a bad idea to circumvent the secrets manager entirely, and store the config.yaml in env vars as well.
(assuming that lets you use the main image, sans the gcr limitation)
Since environment variables in Cloud Run are considered insecure, I'm hesitant to encourage storing IdP credentials and other sensitive values that way in broadly consumed documentation. We added the Secret Manager wrapper specifically to avoid setting a bad example.
The builds are the same and maintained with our CI, so this isn't a second class image. The wrapper isn't worth putting into the normal image since most of our other container users have additional options for pulling in secrets. In Cloud Run we recommend using the Secrets Manager wrapper until there is an alternative.
ack. BTW you can recommend usage of https://github.com/GoogleCloudPlatform/berglas which is a supported tool that wraps a process and has its own Secret Manager reference syntax. It retrieves secrets and sets them as env at runtime.
### DNS in `zonefile.txt`

Substitute `cloudrun.pomerium.com` for your own subdomain (`zonefile.txt`):

; zonefile.txt
*.cloudrun.pomerium.com. 18000 IN CNAME ghs.googlehosted.com.

Alternatively, you can set an equivalent CNAME in your DNS provider.
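Review bot: the `; zonefile.txt` block in this hunk presents a single wildcard CNAME as if it were a zone file, but with no `$ORIGIN` or SOA it is not a loadable zone; it is one record the reader has to add through their DNS provider. The wildcard also resolves every subdomain under `cloudrun.pomerium.com` to `ghs.googlehosted.com.` whether or not a Cloud Run domain mapping exists for it, so the text should say that each hostname (e.g. `hello.cloudrun.pomerium.com`) still needs its own domain mapping, and that bare domains receive A/AAAA records rather than a CNAME.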
I think all the user needs to do is: Create a Custom Domain Mapping for your `hello.cloudrun.pomerium.com` domain and update your domain's DNS records to the records provided while creating this mapping.
I wouldn't:
- give the CNAME here, sometimes (e.g. bare/non-sub domains) we actually give A/AAAA records
- explain zonefile format, most of our user base aren't DNS experts, so they wouldn't know where to put this :)
Hm. I hadn't considered a bare domain might be used.
We would have to provide a table of the mappings that the user is to perform; the demo relies on several. It does make the setup much more manual, which is unfortunate.
Changed this to have a service<>name list, but also provided some commands that can easily be followed on the command line. Thoughts?
Run the following commands to configure and deploy Pomerium:

#!/bin/bash
the shebang doesn't make a lot of sense here (since we don't tell user to put this into a file)
we can probably split these into separate code blocks like:
```
cmd1
```
```
cmd2
```
done
# Deploy Pomerium with policy and configuration references
gcloud run deploy pomerium --region us-central1 --platform managed --allow-unauthenticated --max-instances 1 \
--image=gcr.io/pomerium-io/pomerium:v0.10.0-rc2-cloudrun \
--set-env-vars VALS_FILES="/pomerium/config.yaml:ref+gcpsecrets://${PROJECT}/pomerium-config",POLICY=$(base64 policy.yaml)
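Review bot: `POLICY=$(base64 policy.yaml)` on the last line of this hunk will contain embedded newlines when run on Linux, because GNU `base64` wraps its output at 76 columns by default, and the comma-separated `--set-env-vars` value then no longer parses as one `KEY=VALUE` pair. Suggest `POLICY=$(base64 -w0 policy.yaml)` (or piping through `tr -d '\n'` for portability to macOS), and passing `VALS_FILES` and `POLICY` as two separate `--set-env-vars` flags so neither value is split on a comma.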
fwiw you can separate different envs into different args (you can repeat this arg)
👍

![Hello](https://storage.googleapis.com/gcp-community/tutorials/cloud-run-with-pomerium-for-end-user-access/headers.png)

See [getting user's identity](https://www.pomerium.com/docs/topics/getting-users-identity.html) for details on using this header.
maybe at the end, add a What's Next section linking to
- pomerium website/config docs
- pomerium's own Cloud Run recipe page.
👍
I think it's mostly good, left some comments, once addressed this is good to go. cc: @ToddKopriva
- update dns config
@ToddKopriva @ahmetb edits done. Please review.
cc: @ToddKopriva PTAL
Will do. This is next in my queue.
Thanks for all of the work on this. I'll publish it with a batch of other changes this week.
Thanks a lot for your reviews @ToddKopriva.
* add pomerium cloud run tutorial Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* title lint Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* link Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* fmt Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* ahmet feedback Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
* PR feedback Signed-off-by: Travis Groth <tgroth@pomerium.com>
* Add gcp secrets info Signed-off-by: Travis Groth <tgroth@pomerium.com>
* Update tutorials/cloud-run-with-pomerium-for-end-user-access/index.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
* first quick edit pass during read-through
* second edit pass
* final edit, I think
* - break up shell script - update dns config
* add links
* edit pass
* Update index.md Co-authored-by: Todd Kopriva <43478937+ToddKopriva@users.noreply.github.com>
Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com>
This is a slightly modified version of the Pomerium Cloud Run recipe by @travisgroth
\cc @ahmetb