pomerium / pomerium

Pomerium is an identity and context-aware access proxy.
https://www.pomerium.com
Apache License 2.0

`to` in rules required when using forward-proxy #3561

Open xeor opened 2 years ago

xeor commented 2 years ago

What happened?

I have configured pomerium to be used as forward-auth, i.e., nginx asks it if the request is ok or not. It doesn't make sense to define a `to` field in this context.

What did you expect to happen?

Being able to use pomerium as a forward-auth service, without having to define information it doesn't need.

How'd it happen?

  1. Configure a service to use forward-auth to pomerium
  2. Configure a rule in pomerium
  3. If no `to` field is defined, it complains with `validation error config: failed to parse policy: policy should have either `to` or `redirect` defined`

What's your environment like?

What's your config.yaml?

Not complete, but I included the most important part of values.yaml:

```yaml
config:
  routes:
    - from: https://test.example.com
      preserve_host_header: true
      pass_identity_headers: true
      allowed_users:
        - name@example.com

forwardAuth:
  enabled: true

ingressController:
  enabled: false

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/enable-global-auth: "false"

redis:
  enabled: true

authenticate:
  name: auth
  idp:
    provider: google
```

What did you see in the logs?

```json
{"level":"fatal","error":"config: options from config file \"/etc/pomerium/config.yaml\": validation error config: failed to parse policy: policy should have either `to` or `redirect` defined","time":"2022-08-21T20:54:23Z","message":"cmd/pomerium"
```

Additional context

I have used the operator and added ingress annotations like ingress.pomerium.io/allowed_users. I understand that this is not really possible anymore, and I am moving myself over to rules in the config instead.

The environment is complex, and I would like to not have `to` fields defined as well, since their service names are usually generated by other helm packages. It will make it almost impossible to do gitops in a sane way without adding additional hacks.

jontro commented 2 years ago

I am also using forward-auth; just FYI, I'm using the same `to` URL as the `from` URL. Maybe it's a good band-aid solution until this is fixed.
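For a GitOps setup like the one described in the report, the band-aid above can be applied mechanically before the config is committed. The following is an added example, not Pomerium's own code: it reproduces the validation rule only as far as the logged error text implies it (`Route`, `Validate` and `FillForwardAuthTo` are names assumed here), and it only touches routes that have no `to` and no `redirect`, so an existing proxied destination is never rewritten.

```go
package main

import (
	"errors"
	"fmt"
)

// Route holds the subset of a Pomerium route the issue's validation rule looks
// at; field names follow the YAML keys in the report.
type Route struct {
	From, To, Redirect string
}

// ErrNoDestination is the condition behind the fatal log line in the issue.
var ErrNoDestination = errors.New("policy should have either `to` or `redirect` defined")

// Validate reproduces that check; its shape is inferred from the error text only.
func Validate(r Route) error {
	if r.From == "" {
		return errors.New("policy should have `from` defined")
	}
	if r.To == "" && r.Redirect == "" {
		return ErrNoDestination
	}
	return nil
}

// FillForwardAuthTo applies the band-aid from the thread: a route with no
// destination gets `to` set to its own `from`. Routes that already carry `to`
// or `redirect` are never rewritten; the rewritten `from` URLs are returned.
func FillForwardAuthTo(routes []Route) ([]Route, []string) {
	out := make([]Route, len(routes))
	var patched []string
	for i, r := range routes {
		if r.From != "" && r.To == "" && r.Redirect == "" {
			r.To = r.From
			patched = append(patched, r.From)
		}
		out[i] = r
	}
	return out, patched
}

func main() {
	// Constructed sample: the issue's route plus one that already redirects.
	routes := []Route{{From: "https://test.example.com"},
		{From: "https://old.example.com", Redirect: "https://test.example.com"}}
	fixed, patched := FillForwardAuthTo(routes)
	fmt.Println("rewrote:", patched, "valid now:", Validate(fixed[0]) == nil)
}
```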