
From Zero to Zero Trust: Securing TiddlyWiki with Pomerium on GKE

1. Introduction

When it comes to managing personal or team tools, security shouldn’t be an oversight. Unfortunately, it often is. Whether it’s time or budget constraints, security best practices can fall by the wayside more often than not. A misconfigured or over-engineered company proxy can make a developer’s life so complicated that they opt to go around the proxy—or even temporarily disable it—so they can get their work done.

That's where zero-trust principles come in, ensuring that every connection is verified and secure by default. In this post, we’ll walk through deploying TiddlyWiki as an upstream service behind Pomerium on Google Cloud Platform (GCP), using Google Kubernetes Engine (GKE). Whether you’re writing your latest novel on the state of OSS or collaborating with teammates on the go, this guide has you covered.

Not using TiddlyWiki on your team? No worries, Pomerium can help secure a wide variety of upstream services. These include AdGuard, Jenkins, GitLab, Grafana, and more. Check out the getting started guides on the Pomerium website for more information on these options.

2. Why Pomerium for TiddlyWiki?

TiddlyWiki is a centralized hub for writing notes, project management, team collaboration, and more. No matter what you’re writing, security shouldn’t be an afterthought. That’s where Pomerium comes in.

With built-in support for Google OAuth, Pomerium simplifies upstream application authentication by letting you leverage the same credentials you use daily, removing the need for extra login steps or managing separate credentials. Pomerium’s seamless integration with GCP makes it a great choice for GKE deployments. Its ease of setup and focus on identity-aware security means you can focus on doing your best work, not on building a fortress brick-by-brick to keep out unauthorized users.

3. Prerequisites

You’ll need to have access to the following tools before you can secure TiddlyWiki with Pomerium:

After setting up GCP, enabling billing, and creating a new project, you should be taken to a welcome screen. If not, you can find your new project by clicking ‘Cloud Overview’.

pomerium-welcome.png

You’ll want to connect to your cluster directly using Google Cloud Shell.

4. Setup and Deployment

We’ve named this project Pomerium, but you can call yours whatever you’d like. Working through the Quickstart Guide for setting up Pomerium Core on Kubernetes using GCP and Google Cloud Shell is simplified by the ability to access your project and its associated terminal directly via your browser. You can also do this locally, and will need to (at least partially) for generating your Pomerium wildcard keys with mkcert. Once you’ve generated your keys, you can copy them into your project in GCP.

Pomerium Wildcard Keys generated by mkcert

Using the Pomerium Kubernetes Quickstart guide, we’re working in the Google Cloud Shell on our GKE cluster. Once you’ve opened your project in Google Cloud Shell, you’ll see two options in the top right: ‘Open Terminal’ and ‘Open Editor’. When you’re editing your configuration files, you’ll work in the editor; when you’re running commands such as kubectl or docker compose, click ‘Open Terminal’ to interact directly with your Pomerium Kubernetes cluster.

A screenshot of the Google Cloud Shell editor showing the ‘config.yaml’ file

Working side by side with the existing Kubernetes quickstart guide, open your Google Cloud Shell editor and add the required YAML files: the Pomerium configuration, the Ingress, the TiddlyWiki Docker containers, and the Services, along with the steps for verifying the Ingress.

Here’s an example of the Pomerium config.yaml and the Docker Compose YAML we’ll be referencing when we run docker compose up to spin up our TiddlyWiki instance.

config.yaml

authenticate_service_url: https://authenticate.pomerium.app

jwt_claims_headers:
  X-Pomerium-Claim-Email: email

routes:
  - from: https://wiki.localhost.pomerium.io
    to: http://tiddlywiki:8080
    pass_identity_headers: true
    policy:
      - allow:
          and:
            - email:
                is: [email protected]

docker-compose.yaml

services:
  pomerium:
    image: cr.pomerium.com/pomerium/pomerium:latest
    volumes:
      - ./config.yaml:/pomerium/config.yaml:ro
    ports:
      - 443:443

  tiddlywiki_init:
    image: elasticdog/tiddlywiki:latest
    volumes:
      - ./wiki:/tiddlywiki
    command: ['mywiki', '--init', 'server']

  tiddlywiki:
    image: elasticdog/tiddlywiki:latest
    ports:
      - 8080:8080
    volumes:
      - ./wiki:/tiddlywiki
    command:
      - mywiki
      - --listen
      - host=0.0.0.0
      - [email protected]
    depends_on:
      - tiddlywiki_init
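To make the policy block concrete, here is an added example (not code from this post or from the Pomerium project) that re-implements in Python the decision rule the `policy:` list above expresses: `allow` and `deny` rules wrap `and`/`or` lists of criteria, a matching `deny` wins over any `allow`, and a request with no matching `allow` is refused. It supports only the `email`, `domain` and `authenticated_user` criteria with `is`/`in` matchers; the address `alice@example.com` and the second, team-wide policy are constructed stand-ins for the redacted address on the page.

```python
"""Simplified evaluator for the allow/deny route policy shown in config.yaml.

This is a re-implementation of the policy *semantics* for illustration,
not Pomerium's own code. Supported: allow/deny rules, and/or operators,
and the email / domain / authenticated_user criteria with is/in matchers.
"""


# The route's policy from config.yaml, expressed as the Python equivalent of
# the YAML. `alice@example.com` is a constructed stand-in for the redacted
# address on the page.
ROUTE_POLICY = [
    {"allow": {"and": [{"email": {"is": "alice@example.com"}}]}},
]

# A constructed team-wide variant: everyone on the domain is allowed, except
# one address that is explicitly denied. Shows that deny beats allow.
TEAM_POLICY = [
    {"allow": {"and": [{"domain": {"is": "example.com"}}]}},
    {"deny": {"and": [{"email": {"is": "contractor@example.com"}}]}},
]


def _match(matcher, value):
    """Evaluate a matcher such as {"is": "x"} or {"in": ["x", "y"]}."""
    if "is" in matcher:
        return value == matcher["is"]
    if "in" in matcher:
        return value in matcher["in"]
    raise ValueError(f"unsupported matcher: {matcher}")


def _criterion(name, arg, identity):
    """Evaluate one criterion against the identity claims of the request."""
    email = identity.get("email")
    if name == "email":
        return _match(arg, email)
    if name == "domain":
        # Domain is the part of the email claim after the last '@'.
        return _match(arg, (email or "").rpartition("@")[2])
    if name == "authenticated_user":
        # True for any request that carries a verified email claim.
        return bool(email) is bool(arg)
    raise ValueError(f"unsupported criterion: {name}")


def _evaluate(expr, identity):
    """Evaluate an {"and": [...]} or {"or": [...]} expression, recursively."""
    op, operands = next(iter(expr.items()))
    results = []
    for operand in operands:
        name, arg = next(iter(operand.items()))
        if name in ("and", "or"):
            results.append(_evaluate(operand, identity))
        else:
            results.append(_criterion(name, arg, identity))
    if op == "and":
        return all(results)
    if op == "or":
        return any(results)
    raise ValueError(f"unsupported operator: {op}")


def authorize(policy, identity):
    """Decide a request: a matching deny always wins, then any matching allow,
    and a request that matches nothing is refused (deny by default)."""
    allowed = False
    for rule in policy:
        action, expr = next(iter(rule.items()))
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported action: {action}")
        if _evaluate(expr, identity):
            if action == "deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # An unauthenticated request has no claims at all: identity == {}.
    for who in ({}, {"email": "alice@example.com"}, {"email": "bob@example.com"}):
        print("route policy", who, "->", "allow" if authorize(ROUTE_POLICY, who) else "deny")
    for who in ({"email": "bob@example.com"}, {"email": "contractor@example.com"}):
        print("team policy ", who, "->", "allow" if authorize(TEAM_POLICY, who) else "deny")
```

The empty identity is the interesting case: with no `allow` rule matching, the request is denied, which is the deny-by-default behaviour that makes the route safe even when the policy is incomplete.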

5. Verifying the Setup

Once you’ve gotten the configuration files into your editor alongside your mkcert-generated wildcard keys, it’s time to spin up your Pomerium and TiddlyWiki containers. Navigate to ‘Open Terminal’ in the Google Cloud Shell top nav bar, type docker compose up, then press ‘Enter’. You should see your containers start up and your TiddlyWiki instance being served. Visit your TiddlyWiki instance through the secured Pomerium URL shown in your Google Cloud Shell terminal. This should be running on http://0.0.0.0:8080. Check your Pomerium and Kubernetes logs if any issues arise.
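One check worth running before calling the setup verified: with `pass_identity_headers: true`, the wiki receives `X-Pomerium-Claim-Email` from Pomerium, and that header is only trustworthy if every request to the wiki arrives through Pomerium. Pomerium reaches the wiki over the Compose network as `tiddlywiki:8080`, so a `ports:` entry on the `tiddlywiki` service opens a second path to the upstream that skips authentication. The added example below (not from the post or the Pomerium project) scans a compose file and lists every service other than the proxy that publishes host ports; the sample file is a constructed copy of the one above, and the scan is a line-oriented parser for the two-space-indented layout used on this page, so it needs no YAML library.

```python
"""Flag compose services that publish host ports besides the proxy.

Added example, not Pomerium's or the post's own code. Handles the layout
shown on the page: `services:` at the top, service names indented by two
spaces, service keys by four, and list items by six.
"""
import re

# Constructed sample, identical in shape to the docker-compose.yaml above.
SAMPLE_COMPOSE = """\
services:
  pomerium:
    image: cr.pomerium.com/pomerium/pomerium:latest
    ports:
      - 443:443
  tiddlywiki_init:
    image: elasticdog/tiddlywiki:latest
    command: ['mywiki', '--init', 'server']
  tiddlywiki:
    image: elasticdog/tiddlywiki:latest
    ports:
      - 8080:8080
    depends_on:
      - tiddlywiki_init
"""

_SERVICE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")   # two-space indent: a service name
_KEY = re.compile(r"^    ([A-Za-z0-9_-]+):")           # four-space indent: a key of that service
_ITEM = re.compile(r"^      -\s*['\"]?([^'\"\s]+)")    # six-space indent: a list item (quotes stripped)


def published_ports(compose_text):
    """Return {service: [host:container mappings]} for every service with a `ports:` key."""
    result = {}
    service, in_ports = None, False
    for line in compose_text.splitlines():
        if m := _SERVICE.match(line):
            service, in_ports = m.group(1), False
            continue
        if m := _KEY.match(line):
            in_ports = m.group(1) == "ports"
            if in_ports:
                result.setdefault(service, [])
            continue
        if in_ports and (m := _ITEM.match(line)):
            result[service].append(m.group(1))
    return result


def exposed_upstreams(compose_text, proxy="pomerium"):
    """Names of services other than the proxy that publish host ports.

    Anything listed here can be reached without passing through the proxy's
    authentication, so its identity headers cannot be trusted."""
    return sorted(s for s in published_ports(compose_text) if s != proxy)


if __name__ == "__main__":
    for service, ports in published_ports(SAMPLE_COMPOSE).items():
        print(f"{service}: publishes {', '.join(ports)}")
    for name in exposed_upstreams(SAMPLE_COMPOSE):
        print(f"WARNING: upstream '{name}' is reachable without going through the proxy")
```

Dropping the `ports:` block from the `tiddlywiki` service makes the warning disappear while leaving the Pomerium route unchanged, since the route's `to: http://tiddlywiki:8080` uses the container network, not a published host port.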

A screenshot of the deployed TiddlyWiki service running on port 8080.

After navigating to the URL displayed in your terminal, you should be taken directly to your Pomerium secured TiddlyWiki instance.

Sample TiddlyWiki instance secured by Pomerium


6. Lessons Learned

Implementing zero-trust security principles is beneficial even for teams deploying smaller applications like TiddlyWiki. Pomerium helps developers work more efficiently, without losing time to over-configuring a VPN or bypassing their team’s existing configuration to get around a troublesome proxy.


7. Conclusion

By following these steps, you can securely deploy TiddlyWiki—or any upstream service—on GKE using Pomerium. Want to try it for yourself? Dive into the Pomerium documentation and take the first step towards better application security today. Have questions about your Pomerium setup? Ask us on Discuss.


8. Additional references

In need of some additional references? We’ve got you covered.

Securing TiddlyWiki using Pomerium on GKE Architecture Diagram:

                   *-----------------------*
                   |       Browser         |
                   |  (User Access Point)  |
                   *-----------------------*
                               |
                               v
                *-----------------------------*
                |     Secure Connection       |
                |  (via HTTPS + Google OAuth) |
                *-----------------------------*
                               |
                               v
               *-------------------------------*
               |           Pomerium            |
               |     (Authentication Proxy)    |
               |  Configured with Google OAuth |
               *-------------------------------*
                               |
                               v
      *-------------------------------------------------*
      |                  GKE Cluster                    |
      |  +------------------+   +---------------------+ |
      |  |                  |   |                     | |
      |  |   TiddlyWiki     |   |  Other Upstream     | |
      |  | (Upstream App)   |   |     Services        | |
      |  +------------------+   +---------------------+ |
      *-------------------------------------------------*
                               ^
                               |
          *----------------------------------------*
          |      Google Cloud Platform (GCP)       |
          |  Hosts the GKE Cluster and Networking  |
          *----------------------------------------*