Pomerium v0.11.0 Release Notes
Release Date: 2020-12-07
Breaking
- remove deprecated cache_service_url config option #1614 (@calebdoxsey)
- add flag to enable user impersonation #1514 (@calebdoxsey)
New
- microsoft: add support for common endpoint #1648 (@desimone)
- use the directory email when provided for the jwt #1647 (@calebdoxsey)
- fix profile image on dashboard #1637 (@calebdoxsey)
- wait for initial sync to complete before starting control plane #1636 (@calebdoxsey)
- authorize: add signature algo support (RSA / EdDSA) #1631 (@desimone)
- replace GetAllPages with InitialSync, improve merge performance #1624 (@calebdoxsey)
- cryptutil: more explicit decryption error #1607 (@desimone)
- add paging support to GetAll #1601 (@calebdoxsey)
- attach version to gRPC server metadata #1598 (@calebdoxsey)
- use custom default http transport #1576 (@calebdoxsey)
- update user info in addition to refreshing the token #1572 (@calebdoxsey)
- databroker: add audience to session #1557 (@calebdoxsey)
- authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
- autocert: support certificate renewal #1516 (@calebdoxsey)
- add policy to allow any authenticated user #1515 (@pflipp)
- debug: add pprof endpoints #1504 (@calebdoxsey)
- databroker: require JWT for access #1503 (@calebdoxsey)
- authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
- forward-auth: use envoy's ext_authz check #1482 (@desimone)
- auth0: implement directory provider #1479 (@grounded042)
- azure: incremental sync #1471 (@calebdoxsey)
- auth0: implement identity provider #1470 (@calebdoxsey)
- dashboard: format timestamps #1468 (@calebdoxsey)
- directory: additional user info #1467 (@calebdoxsey)
- directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
- config: add support for host header rewriting #1457 (@calebdoxsey)
- proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
- redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
- proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
- databroker: add support for querying the databroker #1443 (@calebdoxsey)
- config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
- okta: handle deleted groups #1418 (@calebdoxsey)
- controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
- azure: add support for nested groups #1408 (@calebdoxsey)
- authorize: add support for service accounts #1374 (@calebdoxsey)
- Cuonglm/improve timeout error message #1373 (@cuonglm)
- internal/directory/okta: remove rate limiter #1370 (@cuonglm)
- {proxy/controlplane}: make health checks debug level #1368 (@desimone)
- databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
- authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
- config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
- proxy: support websocket timeouts #1362 (@calebdoxsey)
- proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
- certmagic: improve logging #1358 (@calebdoxsey)
- logs: add new log scrubber #1346 (@calebdoxsey)
- Allow setting the shared secret via an environment variable. #1337 (@rspier)
- authorize: add jti to JWT payload #1328 (@calebdoxsey)
- all: add signout redirect url #1324 (@cuonglm)
- proxy: remove unused handlers #1317 (@desimone)
- azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
- cache: support databroker option changes #1294 (@calebdoxsey)
- authenticate: move databroker connection to state #1292 (@calebdoxsey)
- authorize: use atomic state for properties #1290 (@calebdoxsey)
- proxy: move properties to atomically updated state #1280 (@calebdoxsey)
- Improving okta API requests #1278 (@cuonglm)
- authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
- authenticate: support reloading IDP settings #1273 (@calebdoxsey)
- Rate limit for okta #1271 (@cuonglm)
- config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
- internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
- envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
- config: allow reloading of telemetry settings #1255 (@calebdoxsey)
- databroker: add support for config settings #1253 (@calebdoxsey)
- config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
- authorize: add databroker url check #1228 (@desimone)
- internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)
Fixed
- fix config race #1660 (@calebdoxsey)
- fix ordering of autocert config source #1640 (@calebdoxsey)
- pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)
- forward-auth: fix special character support for nginx #1578 (@desimone)
- proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
- fix querying claim data on the dashboard #1560 (@calebdoxsey)
- github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
- store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
- fix databroker requiring signed jwt #1538 (@calebdoxsey)
- authorize: add redirect url to debug page #1533 (@desimone)
- internal/frontend: resolve authN helper url #1521 (@desimone)
- fwd-auth: match nginx-ingress config #1505 (@desimone)
- authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
- ci: ensure systemd unit file is in packages #1481 (@travisgroth)
- identity manager: fix directory sync timing #1455 (@calebdoxsey)
- proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (@whs)
- httputil: remove retry button #1438 (@desimone)
- proxy: always use https for application callback #1433 (@travisgroth)
- controlplane: remove p-521 EC #1420 (@desimone)
- redirect-server: add config headers to responses #1416 (@calebdoxsey)
- proxy: remove impersonate headers for kubernetes #1394 (@calebdoxsey)
- Desimone/authenticate default logout #1390 (@desimone)
- proxy: for filter matches only include bare domain name #1389 (@calebdoxsey)
- internal/envoy: start epoch from 0 #1387 (@travisgroth)
- internal/directory/okta: accept non-json service account #1359 (@cuonglm)
- internal/controlplane: add telemetry http handler #1353 (@travisgroth)
- autocert: fix locking issue #1310 (@calebdoxsey)
- authorize: log users and groups #1303 (@desimone)
- proxy: fix wrong applied middleware #1298 (@cuonglm)
- internal/directory/okta: fix wrong API query filter #1296 (@cuonglm)
- autocert: fix bootstrapped cache store path #1283 (@desimone)
- config: validate databroker settings #1260 (@calebdoxsey)
- internal/autocert: re-use cert if renewing failed but cert not expired #1237 (@cuonglm)
Security
Documentation
- move signing key algorithm documentation into yaml file #1646 (@calebdoxsey)
- update docs #1645 (@desimone)
- docs: update build badge #1635 (@travisgroth)
- docs: add cache_service_url upgrade notice #1621 (@travisgroth)
- docs: use standard language for lists #1590 (@desimone)
- Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)
- move docs to settings.yaml #1579 (@calebdoxsey)
- docs: add round logo #1574 (@desimone)
- add settings.yaml file #1540 (@calebdoxsey)
- update the documentation for auth0 to include group/role information #1502 (@grounded042)
- examples: fix nginx example #1478 (@desimone)
- docs: add architecture diagram for cloudrun #1444 (@travisgroth)
- fix(examples): Use X-Pomerium-Claim headers #1422 (@tdorsey)
- chore(docs): Fix typo in example policy #1419 (@tdorsey)
- docs: fix grammar #1412 (@shinebayar-g)
- docs: Add Traefik + Kubernetes example #1411 (@travisgroth)
- Remove typo on remove_request_headers docs #1388 (@whs)
- docs: update azure docs #1377 (@desimone)
- docs: add nginx example #1329 (@travisgroth)
- docs: use .com sitemap hostname #1274 (@desimone)
- docs: fix in-action video #1268 (@travisgroth)
- docs: image, sitemap and redirect fixes #1263 (@travisgroth)
- Fix broken logo link in README.md #1261 (@cuonglm)
- docs/docs: fix wrong okta service account field #1251 (@cuonglm)
- [Backport latest] Docs/enterprise button #1247 (@github-actions[bot])
- Docs/enterprise button #1245 (@desimone)
- remove rootDomain from examples #1244 (@karelbilek)
- docs: add / redirect #1241 (@desimone)
- docs: prepare for enterprise / oss split #1238 (@desimone)
Dependency
- chore(deps): update module open-policy-agent/opa to v0.25.1 #1659 (@renovate[bot])
- chore(deps): update module lithammer/shortuuid/v3 to v3.0.5 #1658 (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.34.0 #1657 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 9ee31aa #1655 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9317641 #1654 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to c7110b5 #1653 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to be400ae #1652 (@renovate[bot])
- deps: update hashstructure v2 #1632 (@desimone)
- chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3 #1630 (@renovate[bot])
- chore(deps): update module yaml to v2.4.0 #1629 (@renovate[bot])
- chore(deps): update module google/go-cmp to v0.5.4 #1628 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to c8d3bf9 #1627 (@renovate[bot])
- chore(deps): update module google/go-jsonnet to v0.17.0 #1611 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.0.15 #1610 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 9b1e624 #1609 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to c1f2f97 #1608 (@renovate[bot])
- chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v3.4.1 #1567 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (@renovate[bot])
- chore(deps): update olegtarasov/get-tag action to v2 #1552 (@renovate[bot])
- chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (@renovate[bot])
- chore(deps): update actions/setup-go action to v2 #1550 (@renovate[bot])
- chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.7.1 #1531 (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.1 #1530 (@renovate[bot])
- chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (@renovate[bot])
- chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (@renovate[bot])
- chore(deps): update module golang/protobuf to v1.4.3 #1525 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (@renovate[bot])
- chore(deps): upgrade envoy to v0.16.0 #1519 (@desimone)
- deployment: run go mod tidy #1512 (@desimone)
- chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (@renovate[bot])
- chore(deps): update module go.opencensus.io to v0.22.5 #1510 (@renovate[bot])
- chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (@renovate[bot])
- deployment: pin /x/sys to fix dockertest #1491 (@desimone)
- chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (@renovate[bot])
- chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (@renovate[bot])
- deps: update envoy arm64 to v1.15.1 #1475 (@travisgroth)
- chore(deps): envoy 1.15.1 #1473 (@desimone)
- chore(deps): update vuepress monorepo to v1.6.0 #1463 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (@renovate[bot])
- deps: go mod tidy #1434 (@travisgroth)
- chore(deps): update module rs/zerolog to v1.20.0 #1431 (@renovate[bot])
- chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (@renovate[bot])
- chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (@renovate[bot])
- chore(deps): update module gorilla/handlers to v1.5.1 #1406 (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (@renovate[bot])
- Run go mod tidy #1384 (@cuonglm)
- chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (@renovate[bot])
- deps: ensure renovate runs go mod tidy #1357 (@travisgroth)
- deps: go mod tidy #1356 (@travisgroth)
- Update module open-policy-agent/opa to v0.23.2 #1351 (@renovate[bot])
- Update module google/uuid to v1.1.2 #1350 (@renovate[bot])
- Update module google/go-cmp to v0.5.2 #1349 (@renovate[bot])
- Update module google.golang.org/grpc to v1.31.1 #1348 (@renovate[bot])
- Update google.golang.org/genproto commit hash to 2bf3329 #1347 (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.5.4 #1323 (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (@renovate[bot])
- chore(deps): update module gorilla/mux to v1.8.0 #1321 (@renovate[bot])
- chore(deps): update module gorilla/handlers to v1.5.0 #1320 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to c890458 #1319 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (@renovate[bot])
- Upgrade zipkin-go to v0.2.3 #1288 (@cuonglm)
- chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (@renovate[bot])
- chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (@renovate[bot])
- .github/workflows: upgrade to go1.15 #1258 (@cuonglm)
- Fix tests failed with go115 #1257 (@cuonglm)
- chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (@renovate[bot])
- Update module google.golang.org/api to v0.30.0 #1235 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (@renovate[bot])
Deployment
- deployment: enable multi-arch release images #1643 (@travisgroth)
- ci: add bintray publishing #1618 (@travisgroth)
- ci: remove bad quoting in publish steps #1617 (@travisgroth)
- ci: update tag parsing step #1616 (@travisgroth)
- remove memberlist #1615 (@calebdoxsey)
- ci: automatically update test environment with master #1562 (@travisgroth)
- deployment: add debug build / container / docs #1513 (@travisgroth)
- deployment: Generate deb and rpm packages #1458 (@travisgroth)
- deployment: bump release go to v1.15.x #1439 (@desimone)
- ci: publish cloudrun latest tag #1398 (@travisgroth)
- deployment: fully split release archives and brews #1365 (@travisgroth)
- Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (@rspier)
- Use apt-get instead of apt to eliminate warning. #1344 (@rspier)
- deployment: add goimports with path awareness #1316 (@desimone)
Changed
- identity/oidc/azure: goimports #1651 (@travisgroth)
- fix panic when deleting a record twice from the inmemory data store #1639 (@calebdoxsey)
- ci: improve release snapshot name template #1602 (@travisgroth)
- ci: fix release workflow syntax #1592 (@travisgroth)
- ci: update changelog generation to script #1589 (@travisgroth)
- [Backport 0-10-0] docs: add round logo #1575 (@github-actions[bot])
- tidy #1494 (@desimone)
- dev: add remote container debug configs #1459 (@desimone)
- ci: add stale issue automation #1366 (@travisgroth)
- internal/urlutil: remove un-used constants #1326 (@cuonglm)
- integration: add forward auth test #1312 (@cuonglm)
- pkg/storage/redis: update tests to use local certs + upstream image #1306 (@travisgroth)
- config: omit empty subpolicies in yaml/json #1229 (@travisgroth)
- Cuonglm/increase coverage 1 #1227 (@cuonglm)
Previous changes from v0.11.0-rc2
New
- add paging support to GetAll #1601 (@calebdoxsey)
- attach version to gRPC server metadata #1598 (@calebdoxsey)
Fixed
- pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)
Dependency
- chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])
Changed
- ci: improve release snapshot name template #1602 (@travisgroth)