Deployment architecture

luckyraul · August 1, 2022, 1:22pm

What happened?

I want to implement Pomerium in our infrastructure to protect some critical services.

We have several clusters with multiple services in each other. I need to create layer of protection with keycloak auth.

Currently our services use domain names in a way of serviceN.corp.domain.com.
Keycloak is in auth.corp.domain.com.

I started with one service example. My current config for pomerium is

autocert: false
address: :80
cookie_secret: xxxx
shared_secret: yyyy

idp_provider: "oidc"
idp_provider_url: "https://auth.corp.domain.com/auth/realms/xxxx"
idp_client_id: xxxx
idp_client_secret: "zzzz"

insecure_server: true
authenticate_service_url: https://service1.cloud.mygento.com

policy:
  - from: https://service1.cloud.mygento.com
    to: http://private_ip:8080
    allowed_users:
      - xxx@domain.com
      - zzz@domain.com

With such a config I got a /.pomerium on home page and any other route is targeting to private service. I’ve spent time debugging this problem and found a reason in source code. It’s similar to Infinite redirect at /.pomerium endpoint after navigating to proxied application · Issue #3364 · pomerium/pomerium · GitHub - same domain to auth and app.

I can try create a new domain verify.corp.domain.com and target it to IP of that cluster and try on that service. It probably will work.

Hovewer I don’t understand how to scale that setup to multiple clusters.
Should I create a sidecar container with pomerium to each service and one global verifyer? Or one per cluster? Can I just silently work without a global verifier?

Current possible service map to IP:

service1.corp.domain.com - IP1
service2.corp.domain.com - IP2
service3.corp.domain.com - IP1
service4.corp.domain.com - IP3


auth.corp.domain.com - IP4

denis · August 3, 2022, 2:07pm

Hello,

I’m not sure I understand what exactly is not working with /.pomerium special path.
verify application is merely a reference example and is not a mandatory part of Pomerium installation
I’m not sure why do you need insecure_server: true and "address:80` in your config. Pomerium is normally supposed to handle TLS traffic, with HTTP-only mode reserved for some exotic (and in general non-recommended) deployment scenarios.

WRT to multi-cluster operation, current recommended deployment is to run Pomerium 0.18+ with Postgres backend in the all-in-one mode (i.e. you do not need to split into proxy, databroker, authorize and authenticate). Pomerium caches the data it receives from the database, thus the latency between individual Pomerium instance and the database do not contribute to the request latency. You may run Pomerium instance per cluster, or if all clusters are in the same region, just run one instance serving all of them.

luckyraul · August 4, 2022, 9:55am

Ideally I want to build such a flow:

A request goes to domain name serviceN.corp.domain.com with any path.
If it is logged in the Keycloak then proxy to a protected application with the same path
If it is not logged - redirect to Keycloak (auth.corp.domain.com).

With config above I had a redirect to /.pomerium/ on a root request. On any other path I had a proxied response.

In github issue above it is said: You have a route and authenticate service on the same domain.

I guess this is the code

github.com

pomerium/pomerium/blob/464ccdf7674bdc9e191fdcd5eff9eed7359233c9/authenticate/handlers.go#L70


      
          				}),
          			csrf.FormValueName("state"), // rfc6749#section-10.12
          			csrf.CookieName(csrfKey),
          			csrf.FieldName(csrfKey),
          			csrf.SameSite(csrf.SameSiteLaxMode),
          			csrf.ErrorHandler(httputil.HandlerFunc(httputil.CSRFFailureHandler)),
          		)(h)
          	})
          
          
	// redirect / to /.pomerium/
          	r.Path("/").Handler(http.RedirectHandler("/.pomerium/", http.StatusFound))
          
          
	r.Path("/robots.txt").HandlerFunc(a.RobotsTxt).Methods(http.MethodGet)
          	// Identity Provider (IdP) endpoints
          	r.Path("/oauth2/callback").Handler(httputil.HandlerFunc(a.OAuthCallback)).Methods(http.MethodGet)
          
          
	a.mountDashboard(r)
          	a.mountWellKnown(r)
          }
          
          
func (a *Authenticate) mountDashboard(r *mux.Router) {

TLS is offloaded before applications.

That config planned to be a sidecar container to every app deployed in a cluster.

So it is not working as I expected, it requires additional domain name for every app. This does not look good.

You mention a multi-cluster operation, how can it works with different regions? different domain name for every region?

luckyraul · August 25, 2022, 12:59pm

@denis Can you suggest something?

denis · August 25, 2022, 11:51pm

your flow, as described, is exactly what Pomerium is supposed to do.

Your problem seems to be with authenticate_service_url being the same as the route url.
please set it to a different domain name.

idp_provider: "oidc"
idp_provider_url: "https://keycloak.corp.com/auth/realms/xxxx"

authenticate_service_url: "https://login.corp.com/auth/realms/xxxx"

routes:
  - from: "https://service1.corp.com"
    to: "http://private_ip:8080"
    allowed_users:
      - "xxx@domain.com"
      - "zzz@domain.com"

luckyraul · August 26, 2022, 9:41am

@denis

If I have 2 cluster with different IP and pomerium instance on each, where should I point
https://login.corp.com/ ?

And I don’t really want to have such a domain.

Please, reread my previous post, I guess you are not fully understood problem.

Topic		Replies	Views
OIDC behind pomerium route Support docker , idp	4	728	August 2, 2023
Integrating pomerium with keycloak Support docker	2	23	October 24, 2024
Using Keycloak as an identity provider with Pomerium Support idp	0	459	December 27, 2021
External Domain configuration Support k8s , idp	18	1725	March 25, 2022
Link a service account to a user from Keycloak idp Support idp	1	506	August 10, 2022

Deployment architecture

What happened?

Related Topics