
Proposal: Gather Config from Docker Labels

Open branchmispredictor opened this issue 4 years ago • 2 comments

Is your feature request related to a problem? Please describe.

I've been thinking more about how to better integrate Pomerium with Traefik (and Docker in general). To me, I see Traefik as a highly extensible reverse proxy (with ACME) and Pomerium as the AuthZ/AuthN server that can secure it.

With the right integration, I think it should be able to solve #591 and #580 without introducing complex routing logic into Pomerium itself. Perhaps this is against the intentions of the maintainers though.

In any case, part of this work might be to be able to pull policy config from docker labels.

Describe the solution you'd like

Derive config from docker labels. In this case, policies may need to be assigned a name in the label, depending on the implementation. One possibility might be: (in this case, the policy name is httpbin)

  httpbin:
    image: kennethreitz/httpbin:latest
    labels:
      - "traefik.http.middlewares.pomerium.forwardauth.authResponseHeaders=x-pomerium-jwt-assertion"
      - "traefik.http.middlewares.pomerium.forwardauth.address=https://fwdauth.x.y.z/"

      - "traefik.http.routers.httpbin.middlewares=pomerium@docker"
      - "traefik.enable=true"
      - "traefik.http.routers.httpbin.rule=Host(`httpbin.x.y.z`)"
      - "traefik.http.routers.httpbin.entrypoints=websecure"
      - "traefik.http.routers.httpbin.tls.certresolver=leresolver"
      
      - "pomerium.policy.httpbin.from=https://httpbin.x.y.z"
      #- "pomerium.policy.httpbin.to=http://httpbin.localhost" # not needed in this case
      - "pomerium.policy.httpbin.allowed_domains=[`pomerium.io`,`gmail.com`]"
      # or maybe
      - "pomerium.policy.httpbin.allowed_domains[0]=pomerium.io"
      - "pomerium.policy.httpbin.allowed_domains[1]=gmail.com"

Describe alternatives you've considered

Maintaining two configs: one in docker-compose and one in Pomerium's config.yaml.

branchmispredictor avatar Apr 12 '20 22:04 branchmispredictor
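A sketch of how the label scheme proposed above could be turned into per-policy config (an added illustration, not Pomerium's code; the `pomerium.policy.*` namespace comes from the proposal, and `policies_from_labels` plus the sample labels are assumptions constructed for this example). It accepts both list spellings and fails closed on unknown fields, so a typo cannot silently widen a route.

```python
import re

PREFIX = "pomerium.policy."  # hypothetical namespace from the proposal, not a real Pomerium feature
SCALAR_FIELDS = {"from", "to"}
LIST_FIELDS = {"allowed_domains"}
_INDEXED = re.compile(r"^(?P<field>\w+)\[(?P<idx>\d+)\]$")  # e.g. allowed_domains[0]


def policies_from_labels(labels: dict[str, str]) -> dict[str, dict]:
    """Map labels like "pomerium.policy.httpbin.from=https://..." to per-policy dicts.
    Accepts allowed_domains=[`a`,`b`] as well as allowed_domains[0]=a / [1]=b.
    Unknown fields and policies without "from" raise instead of being ignored."""
    policies: dict[str, dict] = {}
    indexed: dict[tuple[str, str], dict[int, str]] = {}
    for key, value in labels.items():
        if not key.startswith(PREFIX):
            continue  # e.g. traefik.* labels belong to another consumer
        name, _, field = key[len(PREFIX):].partition(".")
        if not name or not field:
            raise ValueError(f"malformed label {key!r}")
        policy = policies.setdefault(name, {})
        m = _INDEXED.match(field)
        if field in SCALAR_FIELDS:
            policy[field] = value
        elif field in LIST_FIELDS:
            # bracketed form: strip [ ] and backticks, split on commas
            items = [d.strip().strip("`") for d in value.strip("[]").split(",")]
            policy.setdefault(field, []).extend(d for d in items if d)
        elif m and m["field"] in LIST_FIELDS:
            indexed.setdefault((name, m["field"]), {})[int(m["idx"])] = value
        else:
            raise ValueError(f"unknown policy field {field!r} in label {key!r}")
    # label order is not guaranteed, so append indexed entries sorted by index
    for (name, field), by_idx in indexed.items():
        policies[name].setdefault(field, []).extend(by_idx[i] for i in sorted(by_idx))
    for name, policy in policies.items():
        if "from" not in policy:
            raise ValueError(f"policy {name!r} has no 'from'")
    return policies


# Constructed labels mirroring the compose snippet above (traefik.* included to show they are skipped)
SAMPLE_LABELS = {
    "traefik.enable": "true",
    "traefik.http.routers.httpbin.middlewares": "pomerium@docker",
    "pomerium.policy.httpbin.from": "https://httpbin.x.y.z",
    "pomerium.policy.httpbin.allowed_domains[1]": "gmail.com",
    "pomerium.policy.httpbin.allowed_domains[0]": "pomerium.io",
}
```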

I currently use pomerium for forward auth in unison with Traefik because Traefik has convenient configuration using docker labels, autodetects the listening port, etc.

Pomerium removed forward auth support in v0.21.0 (https://github.com/pomerium/pomerium/pull/3628), but without these additional configuration features, it is difficult to migrate purely to Pomerium instead of a Traefik+Pomerium combination.

branchmispredictor avatar Dec 29 '23 16:12 branchmispredictor

@branchmispredictor could you please describe your deployment situation in a bit more detail?

  • is your deployment static, or do you happen to spin up a lot of containers dynamically?
  • is it docker compose or a plain docker environment?

wasaga avatar Dec 29 '23 17:12 wasaga