External Domain configuration


Progress! I didn’t understand that the policy allow meant the idp email domain, so that is helpful. With the policy ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"sw.com"}}]}}]' on the verify ingress, I didn’t get a 403 but got an immediate redirect to the authenticate url. However, with this it still resulted in "upstream connect error or disconnect/reset before headers. reset reason: connection failure". I take this to mean there is an issue with the site I am redirecting to somehow?

Update: Interestingly, I added the policy and then reinstalled pomerium with insecure set to true, then reinstalled again with insecure set to false. I deleted all pods to make sure they reset. Now I’m getting the 403 forbidden again with the policy added.

Update 2: And it’s redirecting again to the upstream connect error. I pinned the ingress controller image to v0.15.3 and then removed the pin, and now it’s redirecting again.

I see from the issue "Getting connection_failure errors - #10 by travisgroth" that I am running into a bug. I tried installing v30.1.1 (v30.1.10 didn’t exist) with ingress controller v0.15.3, but I still got the 403 and upstream connection failures. Happy to help troubleshoot any way I can.