Redirect after authentication returns error 405

What happened?

I am using Pomerium to authenticate users to an application deployed in a k8s cluster which doesn’t have authentication support. We are using JumpCloud as SSO and, following the example from the ArgoCD team, I configured dex to talk to JumpCloud and Pomerium to receive the answer for authentication, something similar to FreeIPA with Dex | Pomerium, the difference being that we use JumpCloud, and dex and Pomerium are being deployed to the k8s cluster.

After successfully logging in to JumpCloud, the page gets redirected to https://authenticate.myRootDomain/oauth2/callback and HTTP ERROR 405 appears.

What did you expect to happen?

I was expecting to be authorised or not into the page.

How’d it happen?

  1. Navigated to https://myapp.myRootDomain
  2. A page with Forbidden appears
  3. Clicking on the session details link gets you to the JumpCloud login page (through dex); the login succeeds.
  4. After login you are being redirected to the unsecure page https://authenticate.myRootDomain/oauth2/callback which is
  5. Navigating at step 1 to https://myapp.myRootDomain/.pomerium/ skips steps 2 and 3 (the forbidden part)

What’s your environment like?

  • Chart version: latest
  • Container image: v0.16.1
  • Kubernetes version: 1.19
  • Cloud provider: aws
  • Other details:
    The chart is being installed from pomerium-helm with default values except the following ones:

```yaml
config:
  rootDomain: myRootDomain
  generateTLS: true
  forceGenerateTLS: true
  generateSigningKey: true
  forceGenerateSigningKey: true
  insecure: false
  insecureProxy: false
authenticate:
  idp:
    provider: oidc
    clientID: clientId
    clientSecret: aaaaaaa
    # (your dex url)
    url: https://dex.myRootDomain
    scopes: "openid,email"
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
    tls:
      secretName: authenticate-myRootDomain-tls
ingressController:
  enabled: true
```
## What's your config.yaml?

```yaml
autocert: false
dns_lookup_family: V4_ONLY
address: :443
grpc_address: :443
certificate_authority_file: "/pomerium/ca/ca.crt"
certificates:
authenticate_service_url: https://authenticate.myRootDomain
authorize_service_url: https://authorizeService.pomerium.svc.cluster.local
databroker_service_url: https://dataBrokerService.pomerium.svc.cluster.local
idp_provider: oidc
idp_scopes: openid email
idp_provider_url: https://dex.myRootDomain
idp_client_id: clientIdFromDex
idp_client_secret: clientSecretFromDex
routes:
```

What did you see in the logs?

Authenticate logs

{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authenticate",
   "config_id":"ingress-controller",
   "version":17,
   "err_count":0,
   "time":"2022-02-01T06:31:05Z",
   "message":"set db config info"
}{
   "level":"error",
   "domain":"*",
   "time":"2022-02-01T06:31:05Z",
   "message":"cryptutil: no TLS certificate found for domain, using self-signed certificate"
}{
   "level":"warn",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "error":"invalid metrics address \"\": missing port in address",
   "time":"2022-02-01T06:31:05Z",
   "message":"metrics announce to service registry is disabled"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authenticate",
   "config":"databroker",
   "checksum":"9c5ce85dbaf1b36",
   "time":"2022-02-01T06:31:05Z",
   "message":"config: updated config"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "elapsed":225.302241,
   "server_version":4077071779396492351,
   "versions":[
      17
   ],
   "time":"2022-02-01T06:31:05Z",
   "message":"UpdateRecords"
}{
   "level":"info",
   "service":"envoy",
   "name":"upstream",
   "time":"2022-02-01T06:31:05Z",
   "message":"lds: add/update listener \\'https-ingress\\'"
}{
   "level":"info",
   "X-Forwarded-For":[
      "10.20.1.44,10.20.1.5"
   ],
   "X-Forwarded-Proto":[
      "https"
   ],
   "ip":"127.0.0.1",
   "user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"https://myApp.myRootDomain/",
   "request-id":"203af9f2-24fe-4009-9a5e-0341ae04dc61",
   "error":"Bad Request: internal/sessions: session is not found",
   "time":"2022-02-01T06:35:29Z",
   "message":"authenticate: session load error"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-control-plane-http",
   "method":"GET",
   "authority":"authenticate.myRootDomain",
   "path":"/.pomerium/",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"https://myApp.myRootDomain/",
   "forwarded-for":"10.20.1.44,10.20.1.5",
   "request-id":"203af9f2-24fe-4009-9a5e-0341ae04dc61",
   "duration":69.204558,
   "size":826,
   "response-code":302,
   "response-code-details":"via_upstream",
   "time":"2022-02-01T06:35:29Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-control-plane-http",
   "method":"POST",
   "authority":"authenticate.myRootDomain",
   "path":"/oauth2/callback",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"https://sso.jumpcloud.com/",
   "forwarded-for":"10.20.1.44,10.20.1.5",
   "request-id":"919e21aa-cd54-46d5-b429-96fcc3391dbf",
   "duration":2.691711,
   "size":0,
   "response-code":405,
   "response-code-details":"via_upstream",
   "time":"2022-02-01T06:35:50Z",
   "message":"http-request"
}

Authorizer logs:

{
   "level":"warn",
   "time":"2022-02-01T06:40:28Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRoorDomain authorize.myRootDomain authorizeService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"info",
   "service":"authorize",
   "request-id":"69878def-f563-457e-b540-bf49ed90fd50",
   "check-request-id":"93cb9c65-7fa4-445a-83d9-135103bda612",
   "method":"GET",
   "path":"/",
   "host":"myApp.myRootDomain",
   "query":"",
   "allow":false,
   "allow-why-false":[
      "non-pomerium-route"
   ],
   "deny":false,
   "deny-why-false":[
      "valid-client-certificate-or-none-required"
   ],
   "user":"",
   "email":"",
   "databroker_server_version":4077071779396492351,
   "databroker_record_version":27,
   "time":"2022-02-01T06:42:11Z",
   "message":"authorize check"
}{
   "level":"info",
   "service":"authorize",
   "request-id":"5cac8c9a-0ac6-4c87-a34c-949cf1480e86",
   "check-request-id":"d8fd3f06-e104-48cc-b6d5-fd215f020151",
   "method":"GET",
   "path":"/",
   "host":"myApp.myRootDomain",
   "query":"",
   "allow":false,
   "allow-why-false":[
      "non-pomerium-route"
   ],
   "deny":false,
   "deny-why-false":[
      "valid-client-certificate-or-none-required"
   ],
   "user":"",
   "email":"",
   "databroker_server_version":4077071779396492351,
   "databroker_record_version":27,
   "time":"2022-02-01T06:42:44Z",
   "message":"authorize check"
}{
   "level":"info",
   "service":"envoy",
   "name":"main",
   "time":"2022-02-01T06:45:29Z",
   "message":"shutting down parent after drain"
}


Proxy logs

{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"",
   "method":"GET",
   "authority":"myApp.myRootDomain",
   "path":"/",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"",
   "forwarded-for":"10.20.1.69",
   "request-id":"d8fd3f06-e104-48cc-b6d5-fd215f020151",
   "duration":4.911007,
   "size":11832,
   "response-code":403,
   "response-code-details":"ext_authz_denied",
   "time":"2022-02-01T06:42:44Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-pomerium-myAppDetails-pomerium-authenticate-authenticate-myRootDomainEscaped-7c9b38720e5aefc7",
   "method":"GET",
   "authority":"authenticate.myRootDomain",
   "path":"/.pomerium/",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"https://myApp.myRootDomain/",
   "forwarded-for":"10.20.3.11",
   "request-id":"7ed0d674-55f4-4a30-839b-2953ff3b4487",
   "duration":3.329464,
   "size":742,
   "response-code":302,
   "response-code-details":"via_upstream",
   "time":"2022-02-01T06:42:46Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-pomerium-myAppDetails-pomerium-authenticate-authenticate-myRootDomainEscaped-7c9b38720e5aefc7",
   "method":"POST",
   "authority":"authenticate.myRootDomain",
   "path":"/oauth2/callback",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"https://sso.jumpcloud.com/",
   "forwarded-for":"10.20.3.11",
   "request-id":"845557fe-eb62-4b5d-8cf9-972a46da8e38",
   "duration":11.615181,
   "size":0,
   "response-code":405,
   "response-code-details":"via_upstream",
   "time":"2022-02-01T06:43:03Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "name":"main",
   "time":"2022-02-01T06:45:32Z",
   "message":"shutting down parent after drain"
}


Hi @Dana :wave:,

From the looks of those logs, it appears that the last step of the OpenID Connect / OAuth2 callback is actually making a POST and not a GET. In a typical auth flow, this is usually where the user has signed into their SSO / IdP provider and been redirected back to Pomerium with a set of query params that can then be used by Pomerium to complete the authentication process and grab the required access and identity tokens.

However, it looks like the incoming request is coming from JumpCloud, and not dex. Is that expected?

{
   "level":"info",
   "service":"envoy",
   "method":"POST",
   "authority":"authenticate.myRootDomain",
   "path":"/oauth2/callback",
   "referer":"https://sso.jumpcloud.com/",
   "request-id":"919e21aa-cd54-46d5-b429-96fcc3391dbf",
   "response-code":405,
   "message":"http-request"
}

I vaguely remember that the oauth2 spec does support a POST callback, but I can’t find the section in the RFC right now. Maybe you could tell me a bit more about the interaction (and configuration if you can share) between jumpcloud, and dex?
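The reply above reads the 405 off a single log line. Below is an added example (not Pomerium code, not from anyone in this thread) that does that triage over a whole pasted log: it parses the concatenated `}{` JSON records Pomerium prints, picks out hits on `/oauth2/callback`, and flags any that do not look like an OIDC authorization-code redirect from the expected IdP. The sample log is constructed here from the POST/405 record pasted above plus an invented healthy GET from dex; the Referer check is a hint only, since browsers may strip or omit that header.

```python
"""Triage the OAuth2 callback leg in Pomerium/Envoy access logs.

Added example for this thread, not code from Pomerium. It parses the
concatenated "}{" JSON records Pomerium prints and flags hits on
/oauth2/callback that do not look like an OIDC redirect from the expected
IdP: a non-GET method (the authorization-code flow returns the user with a
GET; a POST there is what a SAML HTTP-POST binding produces when the IdP's
ACS URL points at the wrong endpoint), a Referer host other than the
expected IdP (dex, not JumpCloud), or an error status.
"""
import json
from urllib.parse import urlparse

CALLBACK_PATH = "/oauth2/callback"


def parse_concatenated_json(text):
    """Yield dicts from text whose objects are joined by '}{' or by newlines."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():  # raw_decode will not skip whitespace itself
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def triage_callbacks(text, idp_host):
    """Return one finding per callback request; 'problems' is empty when it looks sane."""
    idp_host = idp_host.lower()  # urlparse().hostname is lower-cased
    findings = []
    for rec in parse_concatenated_json(text):
        if rec.get("message") != "http-request" or rec.get("path") != CALLBACK_PATH:
            continue
        problems = []
        if rec.get("method") != "GET":
            problems.append("method is %s, expected GET" % rec.get("method"))
        ref_host = urlparse(rec.get("referer") or "").hostname or ""
        if ref_host and ref_host != idp_host:
            problems.append("referer host %r is not the IdP %r" % (ref_host, idp_host))
        status = rec.get("response-code", 0)
        if status >= 400:
            problems.append("callback answered %d" % status)
        findings.append({
            "request-id": rec.get("request-id"),
            "time": rec.get("time"),
            "method": rec.get("method"),
            "referer": rec.get("referer"),
            "status": status,
            "problems": problems,
        })
    return findings


# Constructed sample: the /.pomerium/ 302 and the POST/405 records pasted in
# this thread (trimmed), followed by an invented healthy GET callback from dex.
SAMPLE_LOG = """{
   "level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http",
   "method":"GET","authority":"authenticate.myRootDomain","path":"/.pomerium/",
   "referer":"https://myApp.myRootDomain/","request-id":"203af9f2-24fe-4009-9a5e-0341ae04dc61",
   "response-code":302,"time":"2022-02-01T06:35:29Z","message":"http-request"
}{
   "level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http",
   "method":"POST","authority":"authenticate.myRootDomain","path":"/oauth2/callback",
   "referer":"https://sso.jumpcloud.com/","request-id":"919e21aa-cd54-46d5-b429-96fcc3391dbf",
   "response-code":405,"time":"2022-02-01T06:35:50Z","message":"http-request"
}
{"level":"info","service":"envoy","method":"GET","authority":"authenticate.myRootDomain",
 "path":"/oauth2/callback","referer":"https://dex.myRootDomain/",
 "request-id":"00000000-0000-4000-8000-000000000001","response-code":302,
 "time":"2022-02-01T06:36:10Z","message":"http-request"}
"""

if __name__ == "__main__":
    for f in triage_callbacks(SAMPLE_LOG, "dex.myRootDomain"):
        verdict = "OK" if not f["problems"] else "; ".join(f["problems"])
        print(f["time"], f["request-id"], f["method"], f["status"], verdict)
```

Feed it the authenticate or proxy pod's log as text; every callback hit is listed, and the POST from sso.jumpcloud.com comes out with three problems while a GET arriving from dex with a 302 comes out clean.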

Hi,

Yes, you are right, the response shouldn’t come to pomerium authenticate from JumpCloud (which is SSO SAML), but from dex, otherwise we wouldn’t have needed dex.
The configuration should go like this:

  1. User should log in to https://myApp.myRootDomain
  2. Since https://myApp.myRootDomain is an ingress of class type pomerium, conforming to the pomerium configuration, it should be redirected to dex.
  3. Dex uses its staticClient config (which is the connection to pomerium) and its connectors to use JumpCloud.
  4. So, the page from step 1 should be redirected to the JumpCloud login page.
  5. The login goes successfully, JumpCloud sends back the response to dex, which in its turn will use the redirectURL from staticClient to go back to pomerium with a response.
  6. Based on the response the user is seeing the content of the URL from step 1.

Based on your feedback I have changed some JumpCloud config for the SAML response and now the flow goes like this:

  1. User logs in to https://myApp.myRootDomain
  2. Access forbidden appears if you don’t use https://myApp.myRootDomain/.pomerium/ …Why is this happening?
  3. Clicking on session details you are being redirected to the JumpCloud login page, and log in successfully
  4. Now is the step where the user should see the content from step 1, but instead it sees the authenticate page from pomerium with session details, which is correct as we clicked on session details at step 3 :slight_smile:

In the logs are now the following:
Authenticate logs:

{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-control-plane-http",
   "method":"GET",
   "authority":"authenticate.myRootDomain",
   "path":"/.pomerium/",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"",
   "forwarded-for":"10.20.1.69,10.20.1.5",
   "request-id":"b4df27f3-5f78-4a8f-85d6-83e4a850316f",
   "duration":6.685703,
   "size":19915,
   "response-code":200,
   "response-code-details":"via_upstream",
   "time":"2022-02-02T10:00:59Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-control-plane-http",
   "method":"GET",
   "authority":"authenticate.myRootDomain",
   "path":"/.pomerium/assets/img/logo-long.svg",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"",
   "forwarded-for":"10.20.1.69,10.20.1.5",
   "request-id":"5c3faa56-cca2-4d05-8d86-b36750c92ca7",
   "duration":0.805213,
   "size":4238,
   "response-code":200,
   "response-code-details":"via_upstream",
   "time":"2022-02-02T10:01:00Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-control-plane-http",
   "method":"GET",
   "authority":"authenticate.myRootDomain",
   "path":"/.pomerium/assets/img/jwt.svg",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"",
   "forwarded-for":"10.20.1.69,10.20.1.5",
   "request-id":"565d0af1-d2a2-41e3-a8eb-6c4bc0013485",
   "duration":0.655048,
   "size":2450,
   "response-code":200,
   "response-code-details":"via_upstream",
   "time":"2022-02-02T10:01:00Z",
   "message":"http-request"
}{
   "level":"info",
   "service":"envoy",
   "upstream-cluster":"pomerium-control-plane-http",
   "method":"GET",
   "authority":"authenticate.myRootDomain",
   "path":"/.pomerium/assets/img/experimental.svg",
   "user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
   "referer":"",
   "forwarded-for":"10.20.1.69,10.20.1.5",
   "request-id":"86b55438-adbd-4d42-bdbb-717dac7f47ed",
   "duration":0.620061,
   "size":813,
   "response-code":200,
   "response-code-details":"via_upstream",
   "time":"2022-02-02T10:01:00Z",
   "message":"http-request"
}

Authorize logs

{
   "level":"info",
   "service":"authorize",
   "request-id":"80ee5ecd-24fc-4ea8-ac23-1394257ab08e",
   "check-request-id":"61c99f97-e1b8-4ff8-8ebb-fa1d8ad661bc",
   "method":"GET",
   "path":"/",
   "host":"myApp.myRootDomain",
   "query":"",
   "allow":false,
   "allow-why-false":[
      "non-pomerium-route"
   ],
   "deny":false,
   "deny-why-false":[
      "valid-client-certificate-or-none-required"
   ],
   "user":"",
   "email":"",
   "databroker_server_version":4077071779396492351,
   "databroker_record_version":279,
   "time":"2022-02-02T10:00:38Z",
   "message":"authorize check"
}

Proxy logs

{"level":"info","service":"envoy","upstream-cluster":"","method":"GET","authority":"54.217.246.167","path":"/","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","referer":"http://54.217.246.167/","forwarded-for":"10.20.2.146","request-id":"e035bc2f-3174-400b-8b6f-d2c7eba11376","duration":0.191464,"size":0,"response-code":404,"response-code-details":"route_not_found","time":"2022-02-02T09:51:44Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"","method":"GET","authority":"myApp.myRootDomain","path":"/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36","referer":"","forwarded-for":"10.20.1.53","request-id":"61c99f97-e1b8-4ff8-8ebb-fa1d8ad661bc","duration":3.808255,"size":11832,"response-code":403,"response-code-details":"ext_authz_denied","time":"2022-02-02T10:00:38Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"myApp.myRootDomain","path":"/.pomerium/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36","referer":"","forwarded-for":"10.20.1.53","request-id":"6d8bd638-b372-4269-a2ed-abb9a9e581a5","duration":0.703227,"size":285,"response-code":302,"response-code-details":"via_upstream","time":"2022-02-02T10:00:59Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-myAuthenticatePomerium-myRootDomainEscaped-7c9b38720e5aefc7","method":"GET","authority":"authenticate.myRootDomain","path":"/.pomerium/","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36","referer":"","forwarded-for":"10.20.1.69","request-id":"80392a6b-4587-465e-9f22-e37d22d589b9","duration":11.175973,"size":19915,"response-code":200,"response-code-details":"via_upstream","time":"2022-02-02T10:01:00Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-myAuthenticatePomerium-myRootDomainEscaped-7c9b38720e5aefc7","method":"GET","authority":"authenticate.myRootDomain","path":"/.pomerium/assets/img/logo-long.svg","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36","referer":"","forwarded-for":"10.20.1.69","request-id":"9c58e4da-08da-4a73-a839-21a37933fce7","duration":2.079304,"size":4238,"response-code":200,"response-code-details":"via_upstream","time":"2022-02-02T10:01:00Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-myAuthenticatePomerium-myRootDomainEscaped-7c9b38720e5aefc7","method":"GET","authority":"authenticate.myRootDomain","path":"/.pomerium/assets/img/jwt.svg","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36","referer":"","forwarded-for":"10.20.1.69","request-id":"d0365145-1a86-4dc2-8620-6a7198891656","duration":1.685097,"size":2450,"response-code":200,"response-code-details":"via_upstream","time":"2022-02-02T10:01:00Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-myAuthenticatePomerium-myRootDomainEscaped-7c9b38720e5aefc7","method":"GET","authority":"authenticate.myRootDomain","path":"/.pomerium/assets/img/experimental.svg","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36","referer":"","forwarded-for":"10.20.1.69","request-id":"fcd7f206-d061-4aa8-97c1-a620d98b8409","duration":1.65811,"size":813,"response-code":200,"response-code-details":"via_upstream","time":"2022-02-02T10:01:00Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"","method":"GET","authority":"54.155.167.249","path":"/","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0","referer":"","forwarded-for":"10.20.3.137","request-id":"b813139b-f6b5-4bcd-a49e-a4c4bfa3077a","duration":0.169687,"size":0,"response-code":404,"response-code-details":"route_not_found","time":"2022-02-02T10:09:59Z","message":"http-request"}

Please let me know if you need more details.

This is well outside my own realm of experience, but maybe this will help:
We have a little bit of community-contributed docs that refer to Dex-based configs. The page is currently unpublished on the docs site because it doesn’t conform to current docs standards, but maybe it will help you. If it does, maybe you could in turn help us expand this page to be more complete and help others using Dex in their configuration.

Hi,

I followed the example above from the beginning. In order to isolate the problem with dex and JumpCloud I have used GitHub for SSO.
The same Forbidden appears and in the logs it appears that the route for myApp.myRootDomain is unknown, so I still think I missed something when configuring Pomerium.

I will place here the ingress for authenticate, myApp and the logs:

authenticate ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    ingress.pomerium.io/allow_public_unauthenticated_access: 'true'
    ingress.pomerium.io/preserve_host_header: 'true'
    ingress.pomerium.io/secure_upstream: 'true'
    ingress.pomerium.io/tls_server_name: authenticate.myRootDomain
  labels:
    app.kubernetes.io/instance: Pomerium-something
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: pomerium
    helm.sh/chart: pomerium-28.0.1
  name: pomerium-authenticate
  namespace: pomerium
spec:
  ingressClassName: pomerium
  rules:
    - host: authenticate.myRootDomain
      http:
        paths:
          - backend:
              service:
                name: pomerium-authenticate-service-name
                port:
                  name: https
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - authenticate.myRootDomain
      secretName: authenticate-myRootDomain-tls
status:
  loadBalancer:
    ingress:
      - hostname: a28971b46369c429f8af680faa3a72f8-65610947.eu-west-1.elb.amazonaws.com
```

myApp ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: pomerium
  creationTimestamp: '2022-01-30T17:52:51Z'
  generation: 7
  labels:
    app.kubernetes.io/instance: myApp-instance
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: myApp
    app.kubernetes.io/version: 0.35.3-alpha
    helm.sh/chart: myApp-0.3.0
spec:
  rules:
    - host: myApp.myRootDomain
      http:
        paths:
          - backend:
              service:
                name: myAppServiceName
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - myApp.myRootDomain
      secretName: myApp.myRootDomain-tls
status:
  loadBalancer:
    ingress:
      - hostname: a28971b46369c429f8af680faa3a72f8-65610947.eu-west-1.elb.amazonaws.com
```

Authorizer logs:

{"level":"info","service":"authorize","request-id":"3662841c-78fc-4ec4-839f-50572b6b481b","check-request-id":"4cb0a580-ef65-4ed3-a40d-bf02238d2e58","method":"GET","path":"/","host":"myApp.myRootDomain","query":"","allow":false,"allow-why-false":["non-pomerium-route"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"user":"","email":"","databroker_server_version":5793761470545659637,"databroker_record_version":27,"time":"2022-02-03T09:32:29Z","message":"authorize check"}

It looks like the proxy is receiving it as being of type pomerium and sends it directly to the authorizer, without any username or other information, without using the authenticator first.

A lot of warnings regarding certificates in the logs:
Authenticate logs

{
   "level":"error",
   "domain":"authenticate.myRootDomain",
   "time":"2022-02-03T12:42:53Z",
   "message":"overlaps with local certs: skipped"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authenticate",
   "config_id":"ingress-controller",
   "version":20,
   "err_count":0,
   "time":"2022-02-03T12:42:53Z",
   "message":"set db config info"
}{
   "level":"error",
   "domain":"*",
   "time":"2022-02-03T12:42:53Z",
   "message":"cryptutil: no TLS certificate found for domain, using self-signed certificate"
}{
   "level":"warn",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "error":"invalid metrics address \"\": missing port in address",
   "time":"2022-02-03T12:42:53Z",
   "message":"metrics announce to service registry is disabled"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authenticate",
   "config":"databroker",
   "checksum":"7ab14dcb166baf7f",
   "time":"2022-02-03T12:42:53Z",
   "message":"config: updated config"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "elapsed":130.169603,
   "server_version":7426718485669055881,
   "versions":[
      20
   ],
   "time":"2022-02-03T12:42:53Z",
   "message":"UpdateRecords"
}{
   "level":"info",
   "service":"envoy",
   "name":"upstream",
   "time":"2022-02-03T12:42:53Z",
   "message":"lds: add/update listener \\'https-ingress\\'"
}{
   "level":"warn",
   "time":"2022-02-03T12:47:42Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authenticate.myRootDomain pomerium-authenticateService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"warn",
   "time":"2022-02-03T12:57:42Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authenticate.myRootDomain pomerium-authenticateService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}

Authorize logs

{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authorize",
   "config_id":"ingress-controller",
   "version":20,
   "err_count":0,
   "time":"2022-02-03T12:42:53Z",
   "message":"set db config info"
}{
   "level":"error",
   "domain":"*",
   "time":"2022-02-03T12:42:53Z",
   "message":"cryptutil: no TLS certificate found for domain, using self-signed certificate"
}{
   "level":"info",
   "Algorithm":"ES256",
   "KeyID":"32e0760a093fa4028537a4bea762d4d6471755a40e3632560f905e0ccf9bd504",
   "Public Key":{
      "use":"sig",
      "kty":"EC",
      "kid":"32e0760a093fa4028537a4bea762d4d6471755a40e3632560f905e0ccf9bd504",
      "crv":"P-256",
      "alg":"ES256",
      "x":"GNOWeulGmPs9ESW3znWtxBY5f-DAGWNE5WSTRVxBuFc",
      "y":"fsZ1jfYohFOrB7VDlzcrm3EDe4RAMRzNzugH7RHbclI"
   },
   "time":"2022-02-03T12:42:53Z",
   "message":"authorize: signing key"
}{
   "level":"info",
   "service":"envoy",
   "name":"upstream",
   "time":"2022-02-03T12:42:53Z",
   "message":"lds: add/update listener \\'grpc-ingress\\'"
}{
   "level":"warn",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "error":"invalid metrics address \"\": missing port in address",
   "time":"2022-02-03T12:42:53Z",
   "message":"metrics announce to service registry is disabled"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authorize",
   "config":"databroker",
   "checksum":"4300884eb9fb8836",
   "time":"2022-02-03T12:42:53Z",
   "message":"config: updated config"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "elapsed":275.606211,
   "server_version":7426718485669055881,
   "versions":[
      20
   ],
   "time":"2022-02-03T12:42:53Z",
   "message":"UpdateRecords"
}{
   "level":"warn",
   "time":"2022-02-03T12:47:46Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authorize.myRootDomain pomerium-authorizerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"warn",
   "time":"2022-02-03T12:57:46Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authorize.myRootDomain pomerium-authorizerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"warn",
   "time":"2022-02-03T13:07:46Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authorize.myRootDomain pomerium-authorizerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"warn",
   "time":"2022-02-03T13:17:46Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authorize.myRootDomain pomerium-authorizerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}

Databroker logs


{
   "level":"info",
   "service":"envoy",
   "name":"upstream",
   "time":"2022-02-03T12:42:53Z",
   "message":"lds: add/update listener \\'grpc-ingress\\'"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"31fe1a8c-d54d-473c-aeef-cc35cb032deb",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"6658d680-5e4a-4ad7-834a-92220c58adf7",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"ad4183f5-9d9f-427a-ae8d-101d0d4c079b",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"03a88a4f-c626-4dd6-acc7-c53a8deb93c5",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"9fbc20ff-d278-442b-93a1-99695b82369f",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"103c4c89-d49e-425e-828b-f56ca30fdb23",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.events.EnvoyConfigurationEvent",
   "id":"08c1fdd9-6eff-4ab5-a50a-ca7eeaee18a3",
   "time":"2022-02-03T12:42:53Z",
   "message":"put"
}{
   "level":"info",
   "type":"type.googleapis.com/pomerium.config.Config",
   "id":"ingress-controller",
   "time":"2022-02-03T12:43:13Z",
   "message":"get"
}{
   "level":"warn",
   "time":"2022-02-03T12:48:36Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain databroker.myRootDomain pomerium-dataBrokerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"info",
   "service":"identity_manager",
   "time":"2022-02-03T12:48:37Z",
   "message":"refreshing directory users"
}{
   "level":"warn",
   "time":"2022-02-03T12:58:36Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain databroker.myRootDomain pomerium-dataBrokerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"info",
   "service":"identity_manager",
   "time":"2022-02-03T12:58:37Z",
   "message":"refreshing directory users"
}{
   "level":"warn",
   "time":"2022-02-03T13:08:36Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain databroker.myRootDomain pomerium-dataBrokerService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"info",
   "service":"identity_manager",
   "time":"2022-02-03T13:08:37Z",
   "message":"refreshing directory users"
}

Proxy logs

{
   "level":"error",
   "domain":"authenticate.myRootDomain",
   "time":"2022-02-03T12:42:53Z",
   "message":"overlaps with local certs: skipped"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authenticate",
   "config_id":"ingress-controller",
   "version":20,
   "err_count":0,
   "time":"2022-02-03T12:42:53Z",
   "message":"set db config info"
}{
   "level":"error",
   "domain":"*",
   "time":"2022-02-03T12:42:53Z",
   "message":"cryptutil: no TLS certificate found for domain, using self-signed certificate"
}{
   "level":"warn",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "error":"invalid metrics address \"\": missing port in address",
   "time":"2022-02-03T12:42:53Z",
   "message":"metrics announce to service registry is disabled"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "service":"authenticate",
   "config":"databroker",
   "checksum":"7ab14dcb166baf7f",
   "time":"2022-02-03T12:42:53Z",
   "message":"config: updated config"
}{
   "level":"info",
   "syncer_id":"databroker",
   "syncer_type":"type.googleapis.com/pomerium.config.Config",
   "elapsed":130.169603,
   "server_version":7426718485669055881,
   "versions":[
      20
   ],
   "time":"2022-02-03T12:42:53Z",
   "message":"UpdateRecords"
}{
   "level":"info",
   "service":"envoy",
   "name":"upstream",
   "time":"2022-02-03T12:42:53Z",
   "message":"lds: add/update listener \\'https-ingress\\'"
}{
   "level":"warn",
   "time":"2022-02-03T12:47:42Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authenticate.myRootDomain pomerium-authenticateService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}{
   "level":"warn",
   "time":"2022-02-03T12:57:42Z",
   "msg":"stapling OCSP",
   "service":"autocert",
   "error":"no OCSP stapling for [myRootDomain authenticate.myRootDomain pomerium-authenticateService.pomerium.svc.cluster.local]: no OCSP server specified in certificate"
}

Hi @Dana - I’ve asked some of our more kubernetes-savvy folks to take a look at this thread, but my read of the output makes me think that cert-manager isn’t giving you the certificates you need. What’s the output of kubectl get certificate and kubectl get certificaterequests?

Couple general comments:

  1. you need to use kubectl describe to see the recent events from cert-manager and pomerium for your Ingress.
  2. the authorize error means no policy rule matched; given that you have the allow_public_unauthenticated_access annotation in the Ingress - it’s likely this ingress was not applied - see #1 to make sure. You probably have some stale current configuration in the databroker for this route.
  3. the error about certificate overlaps with local certs: skipped indicates that you currently have a certificate in local config that is in conflict with the one coming from the databroker (which is derived via Ingress from cert-manager).

I would recommend the following:

  1. start with a fresh install, including dropping the databroker database
  2. start with just the github IDP and get to a point where your application route works

Hi,

I did delete the pomerium namespace and triggered it again. I usually do this every time I want to test anything because otherwise the TLS handshake with generateTLS set to true will fail. This is also a problem that needs to be investigated. The problem with forbidden persists; I will post here the response for each point:

  1. kubectl describe certificate authenticate-myRootDomain-tls -n pomerium
Name:         authenticate-myRootDomain-tls
Namespace:    pomerium
Labels:       app.kubernetes.io/instance=pomerium-instance
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=pomerium
              helm.sh/chart=pomerium-28.0.1
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Spec:
  Dns Names:
    authenticate.myRootDomain
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt
  Secret Name:  authenticate-myRootDomain-tls
Status:
  Conditions:
    Last Transition Time:  2022-02-03T16:41:07Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-05-04T15:41:04Z
  Not Before:              2022-02-03T15:41:05Z
  Renewal Time:            2022-04-04T15:41:04Z
  Revision:                1
Events:                    <none>

kubectl describe certificate myApp.myRootDomain-tls -n myApp

Name:         myApp.myRootDomain-tls
Namespace:    airbyte
Labels:       app.kubernetes.io/instance=myAppInstance
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=miApp
              app.kubernetes.io/version=0.35.3-alpha
              helm.sh/chart=myApp-0.3.0
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Spec:
  Dns Names:
    myApp.myRootDomain
  Issuer Ref:
    Group:      cert-manager.io
    Kind:       ClusterIssuer
    Name:       letsencrypt
  Secret Name:  myApp.myRootDomain-tls
Status:
  Conditions:
    Last Transition Time:  2022-02-03T11:16:25Z
    Message:               Certificate is up to date and has not expired
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-04-25T06:21:49Z
  Not Before:              2022-01-25T06:21:50Z
  Renewal Time:            2022-03-26T06:21:49Z
Events:                    <none>

kubectl describe ingress pomerium-myRoot-authenticate -n pomerium

Name:             pomerium-myRoot-authenticate
Namespace:        pomerium
Address:          a1791a35473f34656a8271ac70385b74-803216515.eu-west-1.elb.amazonaws.com
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  authenticate-myRootDomain-tls terminates authenticate.myRootDomain.com
Rules:
  Host                              Path  Backends
  ----                              ----  --------
  authenticate.myRootDomain.com
                                    /   pomerium-myRoot-authenticate:https (10.20.3.133:443)
Annotations:                        cert-manager.io/cluster-issuer: letsencrypt
                                    ingress.pomerium.io/allow_public_unauthenticated_access: true
                                    ingress.pomerium.io/preserve_host_header: true
                                    ingress.pomerium.io/secure_upstream: true
                                    ingress.pomerium.io/tls_server_name: authenticate.myRootDomain
Events:                             <none>

kubectl describe ingress myAppIngress -n myApp

Namespace:        myApp
Address:          a1791a35473f34656a8271ac70385b74-803216515.eu-west-1.elb.amazonaws.com
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  myApp.myRootDomain-tls terminates myApp.myRootDomain
Rules:
  Host                         Path  Backends
  ----                         ----  --------
  myApp.myRootDomain
                               /   myAppService:80 (10.20.1.8:80)
Annotations:                   cert-manager.io/cluster-issuer: letsencrypt
                               kubernetes.io/ingress.class: pomerium
Events:                        <none>
  1. the same setting as allow_public_unauthenticated_access appears in the ingress.

In order to be sure again that I have configured the right parameters, and as there are a lot of them, I will paste all of them from my values.yaml file:

# For detailed explanation of each of the configuration settings see
# https://www.pomerium.io/reference/

nameOverride: ""
fullnameOverride: ""

# settings that are shared by all services
config:
  # routes under this wildcard domain are handled by pomerium
  rootDomain: myRootDomain
  existingSecret: ""
  existingCASecret: ""
  ca:
    cert: ""
    key: ""
  sharedSecret: ""
  cookieSecret: ""
  forceGenerateServiceSecrets: false
  existingSharedSecret: ""
  generateTLS: true
  generateTLSAnnotations: {}
  forceGenerateTLS: true
  generateSigningKey: true
  forceGenerateSigningKey: true
  extraOpts: {}
  existingPolicy: ""
  insecure: false
  insecureProxy: false
  administrators: ""
  routes: []


  existingSigningKeySecret: ""
  signingKey: ""
  extraSecretLabels: {}
  extraSharedSecretLabels: {}

authenticate:
  name: ""
  fullnameOverride: ""
  nameOverride: ""
  existingTLSSecret: ""
  existingExternalTLSSecret: ""
  proxied: true  # ?? is this the problem?
  # see https://www.pomerium.io/docs/identity-providers.html

  idp:
    provider: "github"
    clientID: "c617ed6df0ff"
    clientSecret: "63376d5ad3e33e72f20d5ccf99f"
  tls:
    cert: ""
    key: ""
    defaultSANList: []
    defaultIPList: []
  replicaCount: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  pdb:
    enabled: false
    minAvailable: 1
  service:
    annotations: {}
    nodePort: ""
    type: ClusterIP
  deployment:
    annotations: {}
    extraEnv: {}
    podAnnotations: {}
  serviceAccount:
    annotations: {}
    nameOverride: ""
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt      
    tls:
      secretName: authenticate-myRootDomainEscaped-tls

authorize:
  fullnameOverride: ""
  nameOverride: ""
  existingTLSSecret: ""
  tls:
    cert: ""
    key: ""
    defaultSANList: []
    defaultIPList: []
  replicaCount: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  pdb:
    enabled: false
    minAvailable: 1
  service:
    annotations: {}
    type: ClusterIP
    clusterIP: None
  deployment:
    annotations: {}
    extraEnv: {}
    podAnnotations: {}
  serviceAccount:
    annotations: {}
    nameOverride: ""

databroker:
  fullnameOverride: ""
  nameOverride: ""
  existingTLSSecret: ""
  tls:
    cert: ""
    key: ""
    defaultSANList: []
    defaultIPList: []
  replicaCount: 1
  pdb:
    enabled: false
    minAvailable: 1
  service:
    annotations: {}
    type: ClusterIP
    clusterIP: None
  deployment:
    annotations: {}
    extraEnv: {}
    podAnnotations: {}
  serviceAccount:
    annotations: {}
    nameOverride: ""
  storage:
    type: "memory"
    connectionString: ""
    tlsSkipVerify: false
    clientTLS:
      existingSecretName: ""
      existingCASecretKey: ""
      cert: ""
      key: ""
      ca: ""

proxy:
  fullnameOverride: ""
  nameOverride: ""
  existingTLSSecret: ""
  tls:
    cert: ""
    key: ""
    defaultSANList: []
    defaultIPList: []
  replicaCount: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  pdb:
    enabled: false
    minAvailable: 1
  authenticateServiceUrl: ""
  authorizeInternalUrl: ""
  service:
    annotations: {}
    nodePort: ""
    type: ""
  deployment:
    annotations: {}
    extraEnv: {}
    podAnnotations: {}
  serviceAccount:
    annotations: {}
    nameOverride: ""
  redirectServer: true

apiProxy:
  enabled: false
  ingress: true
  fullNameOverride: ""
  name: "kubernetes"

ingressController:
  enabled: true
  ingressClassResource:
    enabled: true
    default: false
    name: pomerium
    controllerName: pomerium.io/ingress-controller
    parameters: {}
  fullnameOverride: ""
  nameOverride: ""
  image:
    repository: "pomerium/ingress-controller"
    tag: "v0.16.0"
  deployment:
    annotations: {}
    extraEnv: {}
  serviceAccount:
    annotations: {}
    nameOverride: ""
  config:
    namespaces: []
    ingressClass: pomerium.io/ingress-controller
    updateStatus: true
    operatorMode: false
  service:
    annotations: {}
    type: ClusterIP

forwardAuth:
  name: ""
  enabled: false
  # Will not create an ingress. ForwardAuth is only accessible as internal service.
  internal: false

service:
  # externalPort defaults to 80 or 443 depending on config.insecure
  externalPort: ""
  annotations:
    {}
    # ===  GKE load balancer tweaks; default on until I can figure out
    # how the hell to escape this string from the helm CLI
    # cloud.google.com/app-protocols: '{"https":"HTTPS"}'
  labels: {}
  grpcTrafficPort:
    nameOverride: ""
  httpTrafficPort:
    nameOverride: ""

ingress:
  secretName: ""
  secret:
    name: "pomerium-tls"
    cert: ""
    key: ""
  tls:
    hosts: []
  enabled: true
  hosts: []
  # Sets Ingress/ingressClassName. This way ingress resources are able to bound specific ingress-controllers. Kubernetes version >=1.18 required.
  # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
  # className: ""
  annotations:
    {}
    # === nginx tweaks
    # kubernetes.io/ingress.class: nginx
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
    # ===  GKE load balancer tweaks; default on until I can figure out
    # how the hell to escape this string from the helm CLI
    # kubernetes.io/ingress.allow-http: "false"
  # Ingress pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers
  pathType: ImplementationSpecific

resources:
  {}
  # limits:
  #   cpu: 1
  #   memory: 600Mi
  # requests:
  #   cpu: 100m
  #   memory: 300Mi

priorityClassName: ""

# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}

podAnnotations: {}
podLabels: {}
replicaCount: 1

# For any other settings that are optional. for a complete listing see:
# https://www.pomerium.io/docs/config-reference.html
extraEnv: 
  # (This will give you details if user is not able to authenticate, ideally this should be turned off)
  #POMERIUM_DEBUG: true
  #LOG_LEVEL: "error"
  #IDP_SCOPES: "openid,profile,email,groups,offline_access"
  #DNS_LOOKUP_FAMILY: "V6_ONLY"
  #CERTIFICATE_FILE: "/pomerium/ca/tls.crt"
  #CERTIFICATE_KEY_FILE: "/pomerium/ca/tls.key"
  #CERTIFICATE_AUTHORITY_FILE: "/pomerium/ca/ca.crt"

extraEnvFrom: []
extraArgs: {}
extraVolumes: []
extraVolumeMounts: []
extraTLSSecrets: []

annotations: {}
imagePullSecrets: ""

image:
  repository: "pomerium/pomerium"
  tag: "v0.16.1"
  pullPolicy: "IfNotPresent"

metrics:
  enabled: false
  port: 9090

tracing:
  enabled: false
  provider: ""
  debug: false
  jaeger:
    collector_endpoint: ""
    agent_endpoint: ""

serviceMonitor:
  enabled: false
  namespace: ""
  labels:
    release: prometheus

rbac:
  create: true

redis:
  enabled: false
  auth:
    existingSecret: pomerium-redis-password
    existingSecretPasswordKey: password
  generateTLS: true
  forceGenerateTLS: false
  cluster:
    slaveCount: 1
  tls:
    enabled: true
    certificatesSecret: pomerium-redis-tls
    certFilename: tls.crt
    certKeyFilename: tls.key
    certCAFilename: ca.crt

I tried to use my nginx controller and an insecure install of pomerium, configured with insecure: true and insecureProxy: true… the same result of forbidden. Please let me know what to debug further.

If I access https://myApp.myRootDomain/.pomerium/ I get redirected to
https://authenticate.myRootDomain/.pomerium/?pomerium_expiry=1643963327&pomerium_issued=1643963027&pomerium_redirect_uri=https%3A%2F%2FmyApp.myRootDomain2F.pomerium%2F&pomerium_signature=E9Rcl16vzWDaH0HdAf1cnWPcH29NHiWQQJI-z6luTjo%3D and the
"Welcome to the user info endpoint. Here you can view your current session details, and authorization context." Pomerium page appears with all the details of my current session from github. If I am not logged in to github, the page with github requiring authentication appears; after accepting I get to the pomerium user page.

This is the functionality I was expecting between myApp and github.

When I am accessing https://myApp.myRootDomain/ I get access forbidden.

Proxy logs:

8:23AM INF http-request authority=myApp.myRootDomain duration=4.452855 forwarded-for=10.20.1.10,10.20.1.68 method=GET path=/ referer= request-id=96d84e6b-1f63-427f-9860-4108108ab902 response-code=403 response-code-details=ext_authz_denied service=envoy size=11832 upstream-cluster= user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"

8:23AM INF http-request authority=myApp.myRootDomain duration=0.7986 forwarded-for=10.20.1.10,10.20.1.68 method=GET path=/.pomerium/ referer= request-id=ba8490e5-1c01-4fe4-924e-24bc8dbb6da2 response-code=302 response-code-details=via_upstream service=envoy size=285 upstream-cluster=pomerium-control-plane-http user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"

It looks like the connection of the pomerium authenticate with the idp (github now) is correct and working. The problem is that myApp gets redirected to authorizer with no session details and of course I get access forbidden. Is proxy using a default session saved somewhere and not redirecting automatically to authenticate?

And in the case where we are using an insecure install of Pomerium, but authenticate gets an ingress with a certificate, like my App does, how will proxy access authenticate: using the internal service (like it uses for databroker and authorize) or the ingress service, using an authenticate certificate which it may or may not know?

The conclusion I got to is: insecure or not, using my nginx controller or the pomerium controller, proxy is skipping authentication and gets you to authorizer directly.

The fact that we used an aws loadbalancer with ssl termination (using aws certificates) may be the cause that pomerium proxy cannot reach authenticate?
When using pomerium controller we basically had 2 certificates:

  1. one from load balancer(backed by aws)
  2. the other one from cert-manager, created by pomerium controller.

When using our ingress controller we basically have 1 certificate, the one from the load balancer, which terminates there, and no other secrets are being created inside the k8s cluster.

In both cases (with pomerium controller or without), how should proxy redirect to and use authenticator?

The self-signed certificates generated with generateTLS include the same DNS names as the certificate generated by cert-manager; that is what is conflicting. Does the fact that I can access authenticate.myRootDomain with the certificate generated by cert-manager mean that the first certificate that got onto the authenticator deployment is the one generated by cert-manager, and not the self-signed one whose only role was internal communication between proxy, databroker and the other services?

I see your Ingress has the annotation kubernetes.io/ingress.class: pomerium - this is not a supported annotation, as it is not part of the IngressV1 standard. The correct way to designate the ingress controller that manages a particular ingress is to use the ingressClassName key in the spec.
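As an added example for this thread (not Pomerium's or the Helm chart's code), a small Python check modelled on the myAppIngress object posted above: it flags an Ingress that still selects its controller through the kubernetes.io/ingress.class annotation and produces a corrected copy that uses spec.ingressClassName instead, as the reply recommends. The sample object is constructed here and only reuses the thread's placeholder names; the `pomerium` class name is the one the chart's ingressClassResource creates.

```python
import copy

LEGACY_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample (not from the thread's cluster): roughly what
# `kubectl get ingress myAppIngress -n myApp -o json` would return.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "myAppIngress",
        "namespace": "myApp",
        "annotations": {
            "cert-manager.io/cluster-issuer": "letsencrypt",
            LEGACY_ANNOTATION: "pomerium",
        },
    },
    "spec": {
        "tls": [{"hosts": ["myApp.myRootDomain"],
                 "secretName": "myApp.myRootDomain-tls"}],
        "rules": [{"host": "myApp.myRootDomain", "http": {"paths": [{
            "path": "/", "pathType": "ImplementationSpecific",
            "backend": {"service": {"name": "myAppService",
                                    "port": {"number": 80}}}}]}}],
    },
}


def find_ingress_class_issues(ingress):
    """Return findings about how the Ingress selects its controller ([] = ok)."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    legacy = annotations.get(LEGACY_ANNOTATION)
    class_name = ingress.get("spec", {}).get("ingressClassName")
    findings = []
    if legacy and not class_name:
        findings.append(f"controller selected only via the deprecated "
                        f"{LEGACY_ANNOTATION} annotation ({legacy}); "
                        f"set spec.ingressClassName instead")
    elif legacy and legacy != class_name:
        findings.append(f"{LEGACY_ANNOTATION}={legacy} disagrees with "
                        f"spec.ingressClassName={class_name}")
    elif not legacy and not class_name:
        findings.append("no ingress class selected; only a controller marked "
                        "as the cluster default will pick this Ingress up")
    return findings


def migrate_ingress_class(ingress):
    """Return a deep copy with the class moved from the annotation to spec.ingressClassName."""
    fixed = copy.deepcopy(ingress)
    annotations = fixed.get("metadata", {}).get("annotations", {})
    legacy = annotations.pop(LEGACY_ANNOTATION, None)  # always drop the legacy hint
    spec = fixed.setdefault("spec", {})
    current = spec.get("ingressClassName")
    if legacy and current and legacy != current:
        # Refuse to guess: an operator must decide which controller is meant.
        raise ValueError(f"annotation says {legacy!r} but spec says {current!r}")
    if legacy and not current:
        spec["ingressClassName"] = legacy
    if not annotations:  # don't leave an empty annotations map behind
        fixed.get("metadata", {}).pop("annotations", None)
    return fixed
```

Running find_ingress_class_issues on the output of kubectl get ingress -o json for every namespace Pomerium is meant to serve shows which objects the controller will ignore; migrate_ingress_class produces the object to kubectl apply.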