Skip to main content

Upgrading Pomerium Enterprise

When new version of Pomerium Enterprise are released, check back to this page before you upgrade.


Before You Upgrade


Before You Upgrade

  • The new license-key option is required for starting Pomerium Enterprise. Please contact your account team if you have not been issued one yet.


Before You Upgrade

  • The signing-key has been replaced with authenticate-service-url. Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from.

    The signing-key key will continue to work for existing configurations, but device enrollment will not work until it is replaced by authenticate-service-url.


Before You Upgrade

  • signing-key is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the signing key reference page for more information on generating a key.
  • audience is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the from field in the Routes entry (not including the protocol).

Helm Installations

  • As of v0.15.0, All Helm charts have been consolidated to a single repository. Remove the pomerium-enterprise repo and upgrade from pomerium:

    helm repo remove pomerium-enterprise
    helm upgrade --install pomerium-console pomerium/pomerium-console --values=pomerium-console-values.yaml
  • As noted above, signing-key must be shared between Pomerium and Enterprise. See the Update Pomerium section of Install Pomerium Enterprise in Helm for more information.