Skip to main content

Pomerium Enterprise Quickstart

Learn how to run Pomerium Enterprise using Docker Compose.

Prerequisites

To complete this guide, you need:

This guide runs Pomerium Core and PostgreSQL as Docker containers. To complete this guide, you should first complete the Pomerium Core quickstart guide.

Configure Pomerium Core

If you haven't, create a file called config.yaml and add the following code:

config.yaml
idp_provider: REPLACE_ME
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

routes:
  - from: https://verify.localhost.pomerium.io
    to: http://verify:8000
    policy:
      - allow:
          or:
            - email:
                is: user@example.com
  - from: https://console.localhost.pomerium.io
    to: http://pomerium_console:8701
    allowed_users:
      - user@example.com
    pass_identity_headers: true

Next, you need to:

  • Update the identity provider configuration variables with your own
  • Replace user@example.com with the email associated with your IdP
  • Generate a signing key

To generate a signing key, use the commands below:

# Generates a P-256 (ES256) signing key
openssl ecparam  -genkey  -name prime256v1  -noout  -out ec_private.pem
# Prints the base64 encoded value of the signing key
cat ec_private.pem | base64

Add the base64-encoded signing key to the signing_key variable in your config.yaml file.

Configure Pomerium Enterprise Console

Note

This guide assumes you've already registered for Pomerium Enterprise and have credentials to access the private Cloudsmith.io Docker registry, and a license key. If you haven't registered for Pomerium Enterprise, sign up here for a free trial.

Create a file called config-console.yaml and update the following values:

administrators: admin@example.com
license_key: REPLACE_ME

You must configure at least one administrator for console access. This user (or users) can then configure additional administrators in the console UI. Multiple administrators are defined as a comma-separated string.

Configure Docker Compose services

Create a file called docker-compose.yaml in your project's root folder and add the configuration below:

docker-compose.yaml
version: '3'
networks:
  main: {}
services:
  pomerium:
    image: pomerium/pomerium:v0.21.1
    volumes:
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443
    networks:
      main:
        aliases:
          - authenticate.localhost.pomerium.io
    environment:
      - AUTHENTICATE_SERVICE_URL=https://authenticate.localhost.pomerium.io
      - COOKIE_SECRET=j9jZgysWVxCs3uqbmw9a2LxWwz1ZPLKQZ8v20eoDT8Y=
      - SHARED_SECRET=mxGl062SqkrbQKvqG9R2jqHqxq1Oi1BNj2AAeZHNq7c=
      - DATABROKER_STORAGE_TYPE=postgres
      - DATABROKER_STORAGE_CONNECTION_STRING=postgresql://postgres:postgres@database/postgres?sslmode=disable
      - SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUc0R0N4bjlxaDBHRVZnV3VCM0VoRm51RlptZ2VkZXJsMEtLd0ZoRWo4Tk9vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMXFOWXNUMFpSZEVTS0djSXRqZFUxcGJZREVDTktRd2lNcmNHVFl6RUhLM1V5MnVoT1N3bgpXVGdWUHppTk4vcWozYXFJeSs3Sk55ZEFLVlo3bURPNGtnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
  pomerium_console:
    networks:
      main:
    depends_on:
      database:
        condition: service_healthy
      pomerium:
        condition: service_started
    image: docker.cloudsmith.io/pomerium/enterprise/pomerium-console:v0.21.0
    command:
      - 'serve'
      - '--config'
      - '/pomerium/console-config.yaml'
    expose:
      - 8701
      - 9090
    environment:
      - AUDIENCE=console.localhost.pomerium.io
      - DATABASE_ENCRYPTION_KEY=tXBj4gGDj45m8cW7ehhcy5lRuxsEeNl0X/nnsN5YJPw=
      - DATABROKER_SERVICE_URL=http://pomerium:5443
      - SHARED_SECRET=mxGl062SqkrbQKvqG9R2jqHqxq1Oi1BNj2AAeZHNq7c=
      - DATABASE_URL=postgresql://postgres:postgres@database/postgres?sslmode=disable
      - PROMETHEUS_LISTEN_ADDR=:9090
      - PROMETHEUS_DATA_DIR=/data
      - SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUc0R0N4bjlxaDBHRVZnV3VCM0VoRm51RlptZ2VkZXJsMEtLd0ZoRWo4Tk9vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMXFOWXNUMFpSZEVTS0djSXRqZFUxcGJZREVDTktRd2lNcmNHVFl6RUhLM1V5MnVoT1N3bgpXVGdWUHppTk4vcWozYXFJeSs3Sk55ZEFLVlo3bURPNGtnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
    volumes:
      - metrics:/data:rw
      - ./console-config.yaml:/pomerium/console-config.yaml:ro
  database:
    networks:
      main: {}
    image: postgres:latest
    restart: always
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -d postgres -U postgres']
      interval: 5s
      timeout: 5s
      retries: 5
      start_period: 30s
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
      - POSTGRES_DB=postgres
    expose:
      - 5432
    volumes:
      - pgdata:/var/lib/postgresql/data
  verify:
    networks:
      main: {}
    image: pomerium/verify:latest
    expose:
      - 8000
    restart: always
volumes:
  pgdata:
  metrics:

Below are a few points to note about services running in docker-compose:

  • pomerium_console exposes ports 8701 and 9090. In your config.yaml file,, you will define port 8701 in a route that connects to the Pomerium Enterprise Console. Port 9090 is the default port used by Prometheus to scrape metrics.
  • The healthcheck parameter ensures the database is ready to receive requests. Without a healthcheck, other containers that depend on the database service (like Pomerium Console) will attempt to connect to the database before it is in a ready state, which will crash the container. (See the Docker healthcheck docs for more information.)

Connect to Pomerium Enterprise Console

Run docker compose up to run your containers and connect to the Console.

If your containers run successfully, navigate to https://console.localhost.pomerium.io to access your Console.