Results 90 comments of bobby

Needs prioritization, and clarification around if these endpoints are really solving the underlying problem. E.g., are users actually looking for `/updatedz`?

Holding off until we can be sure we can support the resulting expansion in the route table for our users' deployments.

Pasting logs

```csv pomerium
date,stream,content
2023-03-12T15:09:20.091688597Z,stdout,"{\"level\":\"info\",\"service\":\"envoy\",\"upstream-cluster\":\"\",\"method\":\"GET\",\"authority\":\"heim.carmacenter.xyz\",\"path\":\"/items\",\"user-agent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36\",\"referer\":\"\",\"forwarded-for\":\"200.68.183.150,172.17.0.1\",\"request-id\":\"e3223ed3-79d0-4f6c-bbce-6a633d29284f\",\"duration\":10000.346693,\"size\":0,\"response-code\":500,\"response-code-details\":\"ext_authz_error\",\"time\":\"2023-03-12T15:09:20Z\",\"message\":\"http-request\"} "
2023-03-12T15:09:19.983803153Z,stdout,"{\"level\":\"info\",\"service\":\"authorize\",\"request-id\":\"e3223ed3-79d0-4f6c-bbce-6a633d29284f\",\"check-request-id\":\"e3223ed3-79d0-4f6c-bbce-6a633d29284f\",\"method\":\"GET\",\"path\":\"/items\",\"host\":\"heim.carmacenter.xyz\",\"query\":\"\",\"ip\":\"172.17.0.1\",\"allow\":false,\"allow-why-false\":[\"non-pomerium-route\",\"user-unauthenticated\"],\"deny\":false,\"deny-why-false\":[\"valid-client-certificate-or-none-required\"],\"user\":\"\",\"email\":\"\",\"time\":\"2023-03-12T15:09:19Z\",\"message\":\"authorize check\"} "
2023-03-12T15:09:19.983132726Z,stdout,"{\"level\":\"error\",\"error\":\"hpke: error requesting jwks endpoint: Get \\"https://authenticate.carmacenter.xyz/.well-known/pomerium/jwks.json\\": context canceled\",\"request-id\":\"e3223ed3-79d0-4f6c-bbce-6a633d29284f\",\"time\":\"2023-03-12T15:09:19Z\",\"message\":\"grpc check ext_authz_error\"}...
```

Likely related and fixed by: https://github.com/pomerium/pomerium/pull/4046

Thanks @carmatana; this might just be "fixed" by the upcoming patch release. If not, additional JSON-formatted logs would be helpful.

@carmatana can you try the latest patch release?

Hey @carmatana -- thanks for the feedback. I haven't had a chance to debug why that might be happening on your setup. Hoping to soon ™️

In split service mode, the authenticate service should only grab certificates for its own domain.

> Synclatest gRPC endpoint

What are you trying to do exactly? Also, please repost with the complete bug template filled out.

@0anton -- thanks, this is a very helpful feature request. Could we talk about a specific implementation synchronously? We've had (versions) of this ask a few different times and I'd...