Generate Pomerium-Desktop config by reading pomerium core config


Description:
I have many, many TCP routes configured in pomerium. And to be honest, I do not know any individual being happy to copy those by hand. I wrote a little helper in Python to read the pomerium core config, extract all tcp routes and write a config file for pomerium desktop. Since pomerium core’s config does not have directives for every option in the desktop config (like the route’s name or the wanted local addr_port) I added those values to the pomerium core config. Fortunately, pomerium ignores unknown directives instead of telling you it does not know.

It is raw and unready but working for me and I share it for everyone who likes to use it and adapt it to his use case. I would LOVE to see this feature integrated into pomerium core binary.

import yaml
import json
import uuid

# Construct Pomerium Desktop Config
pomerium_desktop_config = {
    "@type": "type.googleapis.com/pomerium.cli.Records",
    "records": [

    ]
}

# load pomerium config file
with open('config.yaml', 'r') as stream:
    pomeriumConfig = yaml.safe_load(stream)

# loop through all tcp routes
for route in pomeriumConfig['routes']:
    if route['from'].startswith('tcp+'):
        # Read route details here
        confItem = {
            'id': str(uuid.uuid4()),
            'conn': {
                # name is not an officially supported yaml directive in pomerium's config.yaml,
                # but since pomerium ignores unknown directives it can be used as a hint for
                # the generated desktop config
                'name': route['name'],
                'remoteAddr': route['from'],
                # same applies to the local listen address.
                'listenAddr': route['local_listen_addr'],
                'disableTlsVerification': False,
                # must be extended to also support ascii encoded certs
                "clientCertFromStore": {
                    "subjectFilter": "CN=commonName"
                }
            }
        }
        pomerium_desktop_config['records'].append(confItem)

# Generating config file for pomerium desktop
json_object = json.dumps(pomerium_desktop_config, indent=2)
with open("config.json", "w") as outfile:
    outfile.write(json_object)
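
An added example, not part of the original post or of Pomerium's own code: a variant of the conversion step that validates each `tcp+` route before emitting a desktop record, rejecting listen addresses that are not loopback (a listener bound more widely would be reachable from other hosts) and duplicate listen addresses. It assumes the post's hint keys `name` and `local_listen_addr`, a `host:port` listen address, hypothetical function names, an already parsed config, and a stable `uuid5` id in place of the post's `uuid4`; the client certificate block is left out.

```python
import ipaddress
import uuid

HINT_KEYS = ("name", "local_listen_addr")  # the post's hints, not Pomerium core options

def is_loopback(listen_addr):
    """True if a 'host:port' listen address binds only to the local machine."""
    host, _, port = listen_addr.rpartition(":")
    try:
        return port.isdigit() and (host == "localhost"
                                   or ipaddress.ip_address(host.strip("[]")).is_loopback)
    except ValueError:
        return False  # empty host, wildcard or other hostname: not provably local

def build_records(routes):
    """Return (records, problems) for the tcp+ routes of a parsed core config."""
    records, problems, seen = [], [], {}
    for route in routes:
        src = route.get("from", "")
        if not src.startswith("tcp+"):
            continue
        addr = route.get("local_listen_addr")
        missing = [k for k in HINT_KEYS if not route.get(k)]
        if missing:
            problems.append(f"{src}: missing {', '.join(missing)}")
        elif not is_loopback(addr):
            problems.append(f"{src}: {addr} is not a loopback address")
        elif addr in seen:
            problems.append(f"{src}: {addr} already used by {seen[addr]}")
        else:
            seen[addr] = src
            records.append({
                # uuid5 of the route URL: the id stays stable across regenerations
                "id": str(uuid.uuid5(uuid.NAMESPACE_URL, src)),
                "conn": {"name": route["name"], "remoteAddr": src,
                         "listenAddr": addr, "disableTlsVerification": False},
            })
    return records, problems

# Constructed sample routes (hostnames and ports are made up).
SAMPLE_ROUTES = [
    {"from": "https://app.example.com", "to": "http://app:8080"},
    {"from": "tcp+https://db.example.com:5432", "name": "db", "local_listen_addr": "127.0.0.1:5432"},
    {"from": "tcp+https://ssh.example.com:22", "name": "ssh", "local_listen_addr": "0.0.0.0:2222"},
    {"from": "tcp+https://redis.example.com:6379", "name": "redis"},
    {"from": "tcp+https://db2.example.com:5432", "name": "db2", "local_listen_addr": "127.0.0.1:5432"},
]

if __name__ == "__main__":
    print(*build_records(SAMPLE_ROUTES), sep="\n")
```

The returned records go into the `records` list of the desktop config exactly as in the post's script; the problems list names every route that was skipped and why.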

Thanks for this! We’re definitely talking about how we can integrate it.


For reference, I also posted the feature request on GitHub.

Thanks! We’re reviewing it internally!
