Skip to main content

Pomerium Enterprise Quickstart

Learn how to run Pomerium Enterprise using Docker Compose.

Prerequisites

To complete this guide, you need:

This guide runs Pomerium Core and PostgreSQL as Docker containers. To complete this guide, you should first complete the Pomerium Core quickstart guide.

Configure Pomerium Core

If you haven't, create a file called config.yaml and add the following code:

config.yaml
idp_provider: REPLACE_ME
idp_client_id: REPLACE_ME
idp_client_secret: REPLACE_ME

routes:
- from: https://verify.localhost.pomerium.io
to: http://verify:8000
policy:
- allow:
or:
- email:
is: user@example.com
- from: https://console.localhost.pomerium.io
to: http://pomerium_console:8701
allowed_users:
- user@example.com
pass_identity_headers: true

Next, you need to:

  • Update the identity provider configuration variables with your own
  • Replace user@example.com with the email associated with your IdP account

Configure Pomerium Enterprise Console

Note

This guide assumes you've already registered for Pomerium Enterprise and have credentials to access the private Cloudsmith.io Docker registry, and a license key. If you haven't registered for Pomerium Enterprise, sign up here for a free trial.

Create a file called config-console.yaml and update the following values:

administrators: admin@example.com
license_key: REPLACE_ME

You must configure at least one administrator for console access. This user (or users) can then configure additional administrators in the console UI. Multiple administrators are defined as a comma-separated string.

Configure Docker Compose services

Create a file called docker-compose.yaml in your project's root folder and add the configuration below:

docker-compose.yaml
version: '3'
networks:
main: {}
services:
pomerium:
image: pomerium/pomerium:v0.21.1
volumes:
- ./config.yaml:/pomerium/config.yaml:ro
ports:
- 443:443
networks:
main:
aliases:
- authenticate.localhost.pomerium.io
environment:
- AUTHENTICATE_SERVICE_URL=https://authenticate.localhost.pomerium.io
- COOKIE_SECRET=j9jZgysWVxCs3uqbmw9a2LxWwz1ZPLKQZ8v20eoDT8Y=
- SHARED_SECRET=mxGl062SqkrbQKvqG9R2jqHqxq1Oi1BNj2AAeZHNq7c=
- DATABROKER_STORAGE_TYPE=postgres
- DATABROKER_STORAGE_CONNECTION_STRING=postgresql://postgres:postgres@database/postgres?sslmode=disable
- SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUc0R0N4bjlxaDBHRVZnV3VCM0VoRm51RlptZ2VkZXJsMEtLd0ZoRWo4Tk9vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMXFOWXNUMFpSZEVTS0djSXRqZFUxcGJZREVDTktRd2lNcmNHVFl6RUhLM1V5MnVoT1N3bgpXVGdWUHppTk4vcWozYXFJeSs3Sk55ZEFLVlo3bURPNGtnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
pomerium_console:
networks:
main:
depends_on:
database:
condition: service_healthy
pomerium:
condition: service_started
image: docker.cloudsmith.io/pomerium/enterprise/pomerium-console:v0.21.0
command:
- 'serve'
- '--config'
- '/pomerium/console-config.yaml'
expose:
- 8701
- 9090
environment:
- AUDIENCE=console.localhost.pomerium.io
- DATABASE_ENCRYPTION_KEY=tXBj4gGDj45m8cW7ehhcy5lRuxsEeNl0X/nnsN5YJPw=
- DATABROKER_SERVICE_URL=http://pomerium:5443
- SHARED_SECRET=mxGl062SqkrbQKvqG9R2jqHqxq1Oi1BNj2AAeZHNq7c=
- DATABASE_URL=postgresql://postgres:postgres@database/postgres?sslmode=disable
- PROMETHEUS_LISTEN_ADDR=:9090
- PROMETHEUS_DATA_DIR=/data
- SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUc0R0N4bjlxaDBHRVZnV3VCM0VoRm51RlptZ2VkZXJsMEtLd0ZoRWo4Tk9vQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFMXFOWXNUMFpSZEVTS0djSXRqZFUxcGJZREVDTktRd2lNcmNHVFl6RUhLM1V5MnVoT1N3bgpXVGdWUHppTk4vcWozYXFJeSs3Sk55ZEFLVlo3bURPNGtnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
volumes:
- metrics:/data:rw
- ./console-config.yaml:/pomerium/console-config.yaml:ro
database:
networks:
main: {}
image: postgres:latest
restart: always
healthcheck:
test: ['CMD-SHELL', 'pg_isready -d postgres -U postgres']
interval: 5s
timeout: 5s
retries: 5
start_period: 30s
environment:
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=postgres
- POSTGRES_DB=postgres
expose:
- 5432
volumes:
- pgdata:/var/lib/postgresql/data
verify:
networks:
main: {}
image: pomerium/verify:latest
expose:
- 8000
restart: always
volumes:
pgdata:
metrics:

Below are a few points to note about services running in docker-compose:

  • pomerium_console exposes ports 8701 and 9090. In your config.yaml file,, you will define port 8701 in a route that connects to the Pomerium Enterprise Console. Port 9090 is the default port used by Prometheus to scrape metrics.
  • The healthcheck parameter ensures the database is ready to receive requests. Without a healthcheck, other containers that depend on the database service (like Pomerium Console) will attempt to connect to the database before it is in a ready state, which will crash the container. (See the Docker healthcheck docs for more information.)

Connect to Pomerium Enterprise Console

Run docker compose up to run your containers and connect to the Console.

If your containers run successfully, navigate to https://console.localhost.pomerium.io to access your Console.