Changelog History
Page 2
v0.10.0-rc3 Changes
July 31, 2020
Note: This is a release candidate and should not be used for production deployments. Please see up-to-date documentation at https://master.docs.pomerium.io/
Changes
- config: default to google idp credentials for serverless @travisgroth GH-1170
- grpcutil: add functions for JWTs in gRPC metadata @calebdoxsey GH-1165
- pkg/storage/redis: do not use timeout to signal redis conn to stop @cuonglm GH-1155
- pkg/storage: introduce storage.Backend Watch method @cuonglm GH-1135
- pkg/storage/redis: move last version to redis @cuonglm GH-1134
- pkg/storage: change backend interface to return error @cuonglm GH-1131
- internal/databroker: handle new db error @cuonglm GH-1129
- directory.Group entry for groups @calebdoxsey GH-1118
- internal/controlplane: using envoy strip host port matching @cuonglm GH-1126
- internal/databroker: store server version @cuonglm GH-1121
- config: Set loopback address by ipv4 IP @travisgroth GH-1116
New
- authorize: custom rego policies @calebdoxsey GH-1123
- redis storage backend @cuonglm GH-1082
- custom rego in databroker @calebdoxsey GH-1124
- pkg/storage/redis: add redis TLS support @cuonglm GH-1163
- telemetry: add databroker storage metrics and tracing @travisgroth GH-1161
- deploy: Add homebrew tap publishing @travisgroth GH-1179
- deployment: cut separate archive for cli @desimone GH-1177
- databroker: add encryption for records @calebdoxsey GH-1168
- pkg/storage/redis: add authentication support @cuonglm GH-1159
- databroker server backend config @cuonglm GH-1127
Fixed
- pomerium-cli: kubernetes fixes @calebdoxsey GH-1176
- envoy: Set ExtAuthz Cluster name to URL Host @travisgroth GH-1132
- authenticate: fix wrong condition checking in VerifySession @cuonglm GH-1146
- fix databroker restart versioning, handle missing sessions @calebdoxsey GH-1145
- authorize: strip port from host header if necessary @cuonglm GH-1175
- fix lint errors @travisgroth GH-1171
- deploy: ensure pomerium-cli is built correctly @travisgroth GH-1180
- ci: fix arm docker image releases @travisgroth GH-1178
- pomerium-cli: fix kubernetes token caching @calebdoxsey GH-1169
- pkg/storage/redis: handling connection to redis backend failure @cuonglm GH-1174
- handle example.com and example.com:443 @calebdoxsey GH-1153
- internal/databroker: fix wrong server version init @cuonglm GH-1125
- fix redirect loop, remove user/session services, remove duplicate deleted_at fields @calebdoxsey GH-1162
- ci: release fixes @travisgroth GH-1181
Documentation
- docs: refactor sections, consolidate examples @desimone GH-1164
- docs: Add recipe for TiddlyWiki on Node.js @favadi GH-1143
- docs: Add kubectl config commands @travisgroth GH-1152
- docs: Fix incorrect example middleware @travisgroth GH-1128
- docs/.vuepress: fix missing local-oidc recipes section @cuonglm GH-1147
- docs: Add required in cookie_secret @mig4ng GH-1142
- docs: Redis and stateful storage docs @travisgroth GH-1173
Dependency

v0.10.0-rc2 Changes
July 20, 2020
Note: This is a release candidate and should not be used for production deployments. Please see up-to-date documentation at https://master.docs.pomerium.io/
Changes
- authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
- grpc: use relative paths in codegen @desimone GH-1106
- authorize: add evaluator store @calebdoxsey GH-1105
- internal/frontend/assets/html: make timestamp human readable @cuonglm GH-1107
- config: add support for policies stored in the databroker @calebdoxsey GH-1099
- config: allow setting directory sync interval and timeout @cuonglm GH-1098
- ci: Add cloudrun build @travisgroth GH-1097
- internal/directory: improve google user groups list @cuonglm GH-1092
- options refactor @calebdoxsey GH-1088
- internal/directory: use both id and name for group @cuonglm GH-1086
- internal/directory/google: return both group e-mail and id @travisgroth GH-1083
- pkg/storage: add package docs @cuonglm GH-1078
- Add storage backend interface @cuonglm GH-1072
- authorize: clear session state if session was deleted in databroker @cuonglm GH-1053
- authorize: include "kid" in JWT header @cuonglm GH-1049
- audit: add protobuf definitions @calebdoxsey GH-1047
- internal/controlplane: set envoy prefix rewrite if present @cuonglm GH-1034
- pkg: add grpcutil package @calebdoxsey GH-1032
- cryptutil: move to pkg dir, add token generator @calebdoxsey GH-1029
New
- #1054 - Change config key parsing to attempt Base64 decoding first. @dmitrif GH-1055
- pomerium-cli k8s exec-credential @calebdoxsey GH-1073
- implement google cloud serverless authentication @calebdoxsey GH-1080
- kubernetes apiserver integration @calebdoxsey GH-1063
- use custom binary for arm64 linux release @calebdoxsey GH-1065
Fixed
- authorize: Force redirect scheme to https @travisgroth GH-1075
- proxy: fix wrong forward auth request @cuonglm GH-1030
- deployment: fix pomerium-cli release @desimone GH-1104
- cache: fix data race in NotifyJoin @cuonglm GH-1028
- authorize/evaluator/opa/policy: fix allow rules with impersonate @cuonglm GH-1094
- fix deep copy of config @calebdoxsey GH-1089
- proxy: fix invalid session after logout in forward auth mode @cuonglm GH-1062
- pkg/grpc: fix wrong audit protoc gen file @cuonglm GH-1048
- proxy: fix redirect url with traefik forward auth @cuonglm GH-1037
- authenticate: fix wrong SignIn telemetry name @cuonglm GH-1038
- ci: Prevent dirty git state @travisgroth GH-1117
Documentation
- docs: Cloud Run / GCP Serverless @travisgroth GH-1101
- docs: Move examples repo into main repo @travisgroth GH-1102
- kubernetes docs @calebdoxsey GH-1087
- docs/recipes: add local oidc example @cuonglm GH-1045
- docs/configuration: add doc for trailing slash limitation in "To" field @cuonglm GH-1040
- docs/docs: add changelog for #1055 @cuonglm GH-1084
Dependency
- chore(deps): update google.golang.org/genproto commit hash to 11fb19a @renovate GH-1109
- chore(deps): update module spf13/cobra to v1 @renovate GH-1111
- chore(deps): update module open-policy-agent/opa to v0.22.0 @renovate GH-1110
- chore(deps): update github.com/skratchdot/open-golang commit hash to eef8423 @renovate GH-1108
- chore(deps): update module google.golang.org/api to v0.29.0 @renovate GH-1060
- chore(deps): update module envoyproxy/go-control-plane to v0.9.6 @renovate GH-1059
- chore(deps): update golang.org/x/net commit hash to ab34263 @renovate GH-1057
- chore(deps): update google.golang.org/genproto commit hash to 8698661 @renovate GH-1058
- chore(deps): update golang.org/x/crypto commit hash to 948cd5f @renovate GH-1056
- chore(deps): update module open-policy-agent/opa to v0.21.1 @renovate GH-1061
- chore(deps): update google.golang.org/genproto commit hash to 8e8330b @renovate GH-1039
- chore(deps): update module google.golang.org/protobuf to v1.25.0 @renovate GH-1021

v0.10.0-rc1 Changes
June 30, 2020
Note: This is a release candidate and should not be used for production deployments. Please see up-to-date documentation at https://master.docs.pomerium.io/
Changes
- ci: support rc releases @travisgroth GH-1011
- cache: add test for runMemberList @cuonglm GH-1007
- Allow specify go executable in Makefile @cuonglm GH-1008
- integration: add dummy value for idp_service_account @cuonglm GH-1009
- grpc: rename internal/grpc to pkg/grpc @calebdoxsey GH-1010
- envoy: disable idle timeouts to controlplane @travisgroth GH-1000
- cache: fix missing parameter @travisgroth GH-1005
- config: add check to assert service account is required for policies with allowed_groups @desimone GH-997
- cache: attempt to join memberlist cluster for sanity check @travisgroth GH-1004
- memberlist: use bufio reader instead of scanner @calebdoxsey GH-1002
- authorize/evaluator/opa: use route policy object instead of array index @cuonglm GH-1001
- authorize: avoid serializing databroker data map to improve performance @calebdoxsey GH-995
- internal/sessions: handle claims "ver" field generally @cuonglm GH-990
- telemetry: add tracing spans to cache and databroker @travisgroth GH-987
- authenticate: hide impersonation form from non-admin users @cuonglm GH-979
- cache: add client telemetry @travisgroth GH-975
- Sleep longer before running integration tests @cuonglm GH-968
- authenticate: move impersonate from proxy to authenticate @calebdoxsey GH-965
- authenticate: revoke current session oauth token before sign out @cuonglm GH-964
- authenticate: remove useless/duplicated code block @cuonglm GH-962
New
- identity: support custom code flow request params @desimone GH-998
- github: implement github directory provider @calebdoxsey GH-963
- google: store directory information by user id @calebdoxsey GH-988
- azure: use OID for user id in session @calebdoxsey GH-985
- internal/directory/onelogin: store directory information by user id @cuonglm GH-992
- internal/directory/okta: store directory information by user id @cuonglm GH-991
- authenticate: support hot reloaded config @cuonglm GH-984
Fixed
- controlplane: add robots route @desimone GH-966
- authorize/evaluator/opa: set client tls cert usage explicitly @travisgroth GH-1026
- internal/controlplane: enable envoy use remote address @cuonglm GH-1023
Documentation
- Docs: Update Istio VirtualService example @jeffhubLR GH-1006
- docs: update upgrading document for breaking changes @calebdoxsey GH-974
- docs: update service account instructions for OneLogin @calebdoxsey GH-973
- docs: service account instructions for gitlab @calebdoxsey GH-970
- directory: add service account struct and parsing method @calebdoxsey GH-971
- docs: update okta service account docs to match new format @calebdoxsey GH-972
- docs: service account instructions for azure @calebdoxsey GH-969
- docs: update GitHub documentation for service account @calebdoxsey GH-967
- docs: Add warnings cones around requiring IdP Service Accounts @travisgroth GH-999
- docs/docs/identity-providers: document gitlab default scopes changed @cuonglm GH-980
Dependency
- chore(deps): update google.golang.org/genproto commit hash to ee7919e @renovate GH-1019
- chore(deps): update module google.golang.org/grpc to v1.30.0 @renovate GH-1020
- chore(deps): update module prometheus/client_golang to v1.7.1 @renovate GH-1022
- chore(deps): update golang.org/x/sync commit hash to 6e8e738 @renovate GH-1018
- chore(deps): update golang.org/x/net commit hash to 4c52546 @renovate GH-1017
- dependency: bump opa v0.21.0 @desimone GH-993
- chore(deps): update module hashicorp/memberlist to v0.2.2 @renovate GH-951
- chore(deps): update google.golang.org/genproto commit hash to fbb79ea @renovate GH-945
- chore(deps): update module go.opencensus.io to v0.22.4 @renovate GH-948
- chore(deps): update module cenkalti/backoff/v4 to v4.0.2 @renovate GH-946
- chore(deps): update module google.golang.org/api to v0.28.0 @renovate GH-949
- chore(deps): update module google/go-cmp to v0.5.0 @renovate GH-950
- chore(deps): update module prometheus/client_golang to v1.7.0 @renovate GH-953
- chore(deps): update module open-policy-agent/opa to v0.21.0 @renovate GH-952
- docs: document preserve_host_header with policy routes to static ip @cuonglm GH-1024

v0.9.6 Changes
July 29, 2020
This is a bug fix release. Issues addressed include Istio support and non-standard port handling.
Fixed
- Set ExtAuthz Cluster name to URL Host @travisgroth GH-1133
- handle example.com and example.com:443 @calebdoxsey GH-1153

v0.9.5 Changes
July 22, 2020
Changes
- proxy: remove debug line @cuonglm GH-1095
- authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
- Set loopback address by ipv4 IP @travisgroth GH-1122
Fixed
- Force redirect scheme to https @travisgroth GH-1077
- authenticate: hide impersonation form from non-admin users @cuonglm GH-1093
Dependency

v0.9.4 Changes
July 14, 2020
Security
- This release addresses vulnerabilities fixed in Go version 1.14.5. This update includes security fixes for a data race in ReverseProxy (CVE-2020-15586) and a situation where X.509 verification ignores provided EKUs on Windows (CVE-2020-15586).

v0.9.2 Changes
June 22, 2020

v0.9.1 Changes
June 16, 2020
Changes
- Remove unnecessary viper.New() @yegle GH-849
- authorize: reduce duplicate evaluations in opa policy @travisgroth GH-882
- envoy: bump envoy to 1.14.2 @desimone GH-894
- policy: Add consistent route identifier @travisgroth GH-905
Fixed
- xds: use ipv4 address when ipv6 is disabled @calebdoxsey GH-823
- proxy: only set validation context if trusted_ca is used @calebdoxsey GH-863
- config: ensure viper ignores "certificates" config field @travisgroth GH-876
- controlplane: use previous preferred cipher suite @desimone GH-889
- controlplane: fix missing full cert chain @desimone GH-888
- internal/controlplane: make sure options.Headers are set for response @cuonglm GH-907
Security
- envoy: fixes CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters

v0.9.0 Changes
May 31, 2020
New
- proxy: envoy is now used to handle proxying
- authenticate: add jwks and .well-known endpoint @desimone [GH-745]
- authorize: add client mTLS support @calebdoxsey [GH-751]
Fixed
- cache: fix closing too early @calebdoxsey [GH-791]
- authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795]
- authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792]
- authenticate: clear session if ctx fails @desimone [GH-806]
- telemetry: fix autocache labels @travisgroth [GH-805]
- telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804]
- authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]
Changes
- authenticate: remove authorize url validate check @calebdoxsey [GH-790]
- authorize: reduce log noise for empty jwt @calebdoxsey [GH-793]
- authorize: refactor and add additional unit tests @calebdoxsey [GH-757]
- envoy: add GRPC stats handler to control plane service @travisgroth [GH-744]
- envoy: enable zipkin tracing @travisgroth [GH-737]
- envoy: improvements to logging @calebdoxsey [GH-742]
- envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750]
- envoy: support ports in hosts for routing @calebdoxsey [GH-748]
- forward-auth: support x-forwarded-uri @calebdoxsey [GH-780]
- proxy/forward-auth: block expired request prior to 302 @desimone [GH-773]
- sessions/state: add nickname claim @BenoitKnecht [GH-755]
- state: infer user (user) from subject (sub) @desimone [GH-772]
- telemetry: refactor GRPC Server Handler @travisgroth [GH-756]
- telemetry: service label updates @travisgroth [GH-802]
- xds: add catch-all for pomerium routes @calebdoxsey [GH-789]
- xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783]
Documentation
- docs: add mTLS recipe @calebdoxsey [GH-807]
- docs: add argo recipe @calebdoxsey [GH-803]
- docs: update dockerfiles for v0.9.0 @calebdoxsey [GH-801]
- docs: typo on configuration doc @kintoandar [GH-800]
- docs: docs regarding claim headers @strideynet [GH-782]
- docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784]
- docs: add note about unsupported platforms @calebdoxsey [GH-799]
- docs: expose config parameters in sidebar @travisgroth [GH-797]
- docs: update examples @travisgroth [GH-796]

v0.8.4 Changes
July 14, 2020
Security
- Addresses vulnerabilities fixed in Go version 1.14.5. This update includes security fixes for a data race in ReverseProxy (CVE-2020-15586) and a situation where X.509 verification ignores provided EKUs on Windows (CVE-2020-15586).