# Changelog
## v0.15.0 (2021-08-05)
### Breaking
- config: remove support for ed25519 signing keys #2430 (@calebdoxsey)
### New
- telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
- authorize: log additional session details #2419 (@calebdoxsey)
- telemetry: try to guess hostname or external IP addr for metrics #2412 (@wasaga)
- sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
- envoyconfig: improvements #2402 (@calebdoxsey)
- config: add support for embedded PPL policy #2401 (@calebdoxsey)
- ppl: remove support for aliases #2400 (@calebdoxsey)
- directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
- evaluator: use `cryptutil.Hash` for script spans #2384 (@desimone)
- authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
- k8s: add flush-credentials command #2379 (@calebdoxsey)
- urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
- ci: use revive instead of golint #2370 (@calebdoxsey)
- authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
- envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
- config: add warning about http URLs #2358 (@calebdoxsey)
- authorize: log service account and impersonation details #2354 (@calebdoxsey)
- tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
- envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
- registry/redis: call publish from within lua function #2337 (@calebdoxsey)
- proxy: add idle timeout #2319 (@wasaga)
- cli: use proxy from environment #2316 (@tskinn)
- authorize: do not send redirects to gRPC #2314 (@wasaga)
- certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
- config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
- envoy: refactor envoy embedding #2296 (@calebdoxsey)
- envoy: add full version #2287 (@calebdoxsey)
- authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
- xds: retry storing configuration events #2266 (@calebdoxsey)
- envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
- authorize: preserve original context #2247 (@wasaga)
- ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
- ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
- ppl: convert config policy to ppl #2218 (@calebdoxsey)
- Pomerium Policy Language #2202 (@calebdoxsey)
- telemetry: add hostname tag to metrics #2191 (@wasaga)
- envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
- registry: implement redis backend #2179 (@calebdoxsey)
- report instance hostname in xds events #2175 (@wasaga)
- databroker: implement leases #2172 (@calebdoxsey)
### Fixed
- config: remove grpc server max connection age options #2427 (@calebdoxsey)
- authorize: add sid to JWT claims #2420 (@calebdoxsey)
- disable http/2 for websockets #2399 (@calebdoxsey)
- ci: update gcloud action #2393 (@travisgroth)
- google: remove WithHTTPClient #2391 (@calebdoxsey)
- telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
- authorize: allow redirects on deny #2361 (@calebdoxsey)
- authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
- envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
- envoy: only check for pid with monitor #2355 (@calebdoxsey)
- fix: timeout in protobuf #2341 (@wasaga)
- authorize: support boolean deny results #2338 (@calebdoxsey)
- ppl: fix not/nor rules #2313 (@calebdoxsey)
- directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
- ocsp: reload on response changes #2286 (@wasaga)
- envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
- databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
- redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
- authorize: only redirect for HTML pages #2264 (@calebdoxsey)
- tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)
- envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
- envoy: disable hot-reload for macos #2259 (@calebdoxsey)
- authorize: round timestamp #2258 (@wasaga)
- options: s/shared-key/shared secret #2257 (@desimone)
- config: warn about unrecognized keys #2256 (@wasaga)
- darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
- policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
- envoy: exit if envoy exits #2240 (@calebdoxsey)
- envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
- envoy: add global response headers to local replies #2217 (@calebdoxsey)
- forward auth: don't strip query parameters #2216 (@wasaga)
- PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
- Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
- authorize: grpc health check #2200 (@wasaga)
- proxy / controlplane: use old upstream cipher suite #2196 (@desimone)
- deployment: fix empty version on master builds #2193 (@travisgroth)
### Security
- envoy: only allow embedding #2368 (@calebdoxsey)
- deps: bump envoy to v1.17.3 #2198 (@travisgroth)
### Documentation
- doc updates #2433 (@calebdoxsey)
- Update Console installs to match signing_key #2432 (@alexfornuto)
- docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
- docs: clarify device identity, not state via client certs #2428 (@desimone)
- v0.15 release notes #2409 (@travisgroth)
- docs: only secure schemes are supported #2408 (@desimone)
- Installation Docs Restructuring #2406 (@alexfornuto)
- symlink security policy to root of project #2396 (@desimone)
- Enterprise Docs #2390 (@alexfornuto)
- Helm Quickstart Update #2380 (@alexfornuto)
- Docs bug fixes #2362 (@alexfornuto)
- Docs sorting #2346 (@alexfornuto)
- Update installation source for mkcert #2340 (@alexfornuto)
- Update kubernetes-dashboard.md #2285 (@WeeHong)
- Transmission BitTorrent Client Guide #2281 (@alexfornuto)
- docs: google gcp / workspace instructions #2272 (@desimone)
- docs: update helm values for chart v20.0.0 #2242 (@travisgroth)
- docs: update _redirects #2237 (@desimone)
- add support for latest version of code-server #2229 (@bpmct)
- fix(docs): use correct name for code-server #2223 (@jsjoeio)
- docs: rm broken link #2215 (@alexfornuto)
- docs: Match Tenses #2214 (@alexfornuto)
- Update programmatic-access.md #2190 (@yyolk)
- docs: add v0.14 feature highlights #2184 (@github-actions[bot])
- docs: add v0.14 feature highlights #2183 (@travisgroth)
- docs: update slack link to vanity url #2177 (@travisgroth)
### Dependency
- chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
- chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
- chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
- ci: convert to FOSSA scan #2371 (@travisgroth)
- chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
- chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
- chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.0 #2318 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.8.0 to 1.8.1 #2317 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.48.0 to 0.49.0 #2315 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.7.1 to 1.8.0 #2305 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.18.0 to 5.19.1 #2304 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.6.5 to 3.7.0 #2303 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.47.0 to 0.48.0 #2295 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 #2294 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.22.0 to 1.23.0 #2293 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.17.0 to 5.18.0 #2292 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.13.1 to 0.14.0 #2291 (@dependabot[bot])
- chore(deps): bump github.com/golang/mock from 1.5.0 to 1.6.0 #2290 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.25.0 to 0.29.0 #2289 (@dependabot[bot])
- deps: upgrade to go-jose v3 #2284 (@calebdoxsey)
- chore(deps): bump github.com/go-redis/redis/v8 from 8.9.0 to 8.10.0 #2276 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.4 to 3.21.5 #2274 (@dependabot[bot])
- chore(deps): bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0 #2273 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.29.4 #2255 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.16.0 to 1.17.0 #2254 (@dependabot[bot])
- chore(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 #2253 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 #2252 (@dependabot[bot])
- chore(deps): bump github.com/mitchellh/hashstructure/v2 from 2.0.1 to 2.0.2 #2251 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.3 to 8.9.0 #2249 (@dependabot[bot])
- darwin: use x86 envoy build for arm64 #2246 (@calebdoxsey)
- chore(deps): bump github.com/prometheus/common from 0.24.0 to 0.25.0 #2234 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.46.0 to 0.47.0 #2233 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.2 to 8.8.3 #2232 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0 #2231 (@dependabot[bot])
- dependency: update /x/net #2227 (@desimone)
- chore(deps): bump github.com/lithammer/shortuuid/v3 from 3.0.6 to 3.0.7 #2211 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.23.0 to 0.24.0 #2210 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.21.0 to 1.22.0 #2209 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.16.0 to 5.17.0 #2208 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.37.0 to 1.37.1 #2207 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.13.0 to 0.13.1 #2188 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.15.0 to 5.16.0 #2187 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.45.0 to 0.46.0 #2186 (@dependabot[bot])
### Changed
- redis: increase timeout on test #2425 (@calebdoxsey)
- build: add envoy files to `make clean` #2411 (@travisgroth)
- envoy: bump to 1.19 #2392 (@travisgroth)
- ci: use github app for backport credentials #2369 (@travisgroth)
- databroker: tests #2367 (@calebdoxsey)
- storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)
- redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
- internal/envoy: add debugging information if envoy is no longer running #2320 (@travisgroth)
- ci: add coveralls #2279 (@travisgroth)
## v0.14.7 (2021-06-24)
### Fixed
- directory/azure: add paging support to user group members call #2312 (@github-actions[bot])
## v0.14.6 (2021-06-16)
### Fixed
- authorize: only redirect for HTML pages (#2264) #2298 (@calebdoxsey)
## v0.14.5 (2021-06-07)
### Fixed
- envoy: fix usage of codec_type with alpn #2278 (@github-actions[bot])
- authorize: round JWT claim timestamps #2260 (@wasaga)
### Documentation
- docs: update helm values for chart v20.0.0 #2244 (@github-actions[bot])
- docs: update _redirects #2238 (@github-actions[bot])
## v0.14.4 (2021-05-24)
### Fixed
- authorize: add rego functions to custom evaluator #2236 (@calebdoxsey)
## v0.14.3 (2021-05-21)
### Fixed
- authorize: fix custom rego panic #2226 (@calebdoxsey)
### Changed
- envoy: add global response headers to local replies #2225 (@github-actions[bot])
## v0.14.2 (2021-05-17)
### Fixed
- Revert "authenticate,proxy: add same site lax to cookies" #2204 (@github-actions[bot])
### Documentation
- Update programmatic-access.md #2205 (@github-actions[bot])
## v0.14.1 (2021-05-13)
### Fixed
- proxy / controlplane: use old upstream cipher suite #2197 (@github-actions[bot])
### Security
- deps: bump envoy to v1.17.3 #2199 (@github-actions[bot])
### Documentation
- docs: update slack link to vanity url #2178 (@github-actions[bot])
## v0.14.0 (2021-05-04)
### New
- databroker: store issued at timestamp with session #2173 (@calebdoxsey)
- config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
- authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
- xds extended event #2158 (@wasaga)
- config: add client_crl #2157 (@calebdoxsey)
- config: add support for codec_type #2156 (@calebdoxsey)
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
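Several entries in this list describe one piece of key management: envelope encryption with a key encryption key (KEK) and a data encryption key (DEK) (#2020), always recording the KEK's public id (#2066), and keying the cipher and HMAC with the decoded bytes of the shared secret rather than its base64 text (#2075, #2067). The Go program below is an added illustration written for this page, not Pomerium's own cryptutil code; it assumes AES-256-GCM for both layers, a 32-byte shared secret, and its own Envelope type and function names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// Envelope is one encrypted record: a per-record DEK wrapped under a KEK, the
// public id of that KEK, and the ciphertext. Names are this example's own.
type Envelope struct {
	KeyID      string // public id of the KEK used to wrap the DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK, aad=KeyID)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// SharedSecretBytes decodes the base64 shared secret from config into its raw
// 32 key bytes. Keying with the base64 text itself silently uses a different,
// lower-entropy key; this is the mistake #2075 corrected.
func SharedSecretBytes(b64 string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("shared secret is not valid base64: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("shared secret must decode to 32 bytes, got %d", len(key))
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || AES-GCM ciphertext under a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed data shorter than nonce")
}

// Seal encrypts plaintext under a fresh DEK and wraps the DEK under the KEK.
// The KEK id is bound as GCM additional data, so a wrapped DEK cannot later be
// relabelled as belonging to a different KEK.
func Seal(kek []byte, keyID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open selects the KEK by id, unwraps the DEK and decrypts. Holding several
// KEKs by id is what makes rotation possible: new records use the newest KEK
// while old ones stay readable until they are re-wrapped.
func Open(keks map[string][]byte, env *Envelope) ([]byte, error) {
	kek, ok := keks[env.KeyID]
	if !ok {
		return nil, fmt.Errorf("no KEK with id %q", env.KeyID)
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, nil)
}

func main() {
	kek, _ := SharedSecretBytes(base64.StdEncoding.EncodeToString(make([]byte, 32))) // constructed all-zero key
	env, _ := Seal(kek, "kek-1", []byte("constructed session record"))
	pt, err := Open(map[string][]byte{"kek-1": kek}, env)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```

Binding the KEK id as additional data means an envelope moved to another id fails authentication instead of decrypting under the wrong key, and a single wrong byte anywhere in the ciphertext or tag is rejected before any plaintext is returned.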
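The entry "middleware: basic auth equalize lengths of input" (#1934) names a subtle point: a constant-time comparison only hides the content of the secret if both inputs have the same length, because `subtle.ConstantTimeCompare` returns immediately when they differ. The following Go example is added for this page and is not Pomerium's middleware; `ParseBasicAuth`, `ValidBasicAuth` and the sample credentials are this example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// ParseBasicAuth extracts user and password from an Authorization header
// value of the form "Basic <base64(user:pass)>". The password may itself
// contain ':'; only the first colon separates the two fields.
func ParseBasicAuth(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):])
	if err != nil {
		return "", "", false
	}
	i := strings.IndexByte(string(raw), ':')
	if i < 0 {
		return "", "", false
	}
	return string(raw[:i]), string(raw[i+1:]), true
}

// equalLengthCompare hashes both inputs to a fixed 32 bytes before comparing,
// so the comparison always runs over equal-length buffers and never short-
// circuits on a length mismatch, which would leak the secret's length.
func equalLengthCompare(a, b string) int {
	ha := sha256.Sum256([]byte(a))
	hb := sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:])
}

// ValidBasicAuth checks both fields and combines the results with a bitwise
// AND rather than &&, so the time taken does not reveal which field was wrong.
func ValidBasicAuth(user, pass, wantUser, wantPass string) bool {
	userOK := equalLengthCompare(user, wantUser)
	passOK := equalLengthCompare(pass, wantPass)
	return userOK&passOK == 1
}

func main() {
	// Constructed header carrying the credentials admin:s3cret.
	hdr := "Basic " + base64.StdEncoding.EncodeToString([]byte("admin:s3cret"))
	user, pass, ok := ParseBasicAuth(hdr)
	fmt.Println(ok, ValidBasicAuth(user, pass, "admin", "s3cret"), ValidBasicAuth(user, "s3cre", "admin", "s3cret"))
}
```

Hashing first costs two SHA-256 calls per request and buys a comparison whose running time is independent of both the presented and the configured credential.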
### Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix default provider URL #1928 (@calebdoxsey)
- fix registry test #1911 (@wasaga)
- ci: pin goreleaser version #1900 (@travisgroth)
- onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
- xds: fix misdirected script #1895 (@calebdoxsey)
- authenticate: validate origin of signout #1876 (@desimone)
- redis: fix deletion versioning #1871 (@calebdoxsey)
- options: header only applies to routes and authN #1862 (@desimone)
- controlplane: add global headers to virtualhost #1861 (@desimone)
- unique envoy cluster ids #1858 (@wasaga)
### Security
- ci: remove codecov #2161 (@travisgroth)
- internal/envoy: always extract envoy #2160 (@travisgroth)
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
- deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
- proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
### Documentation
- docs: add inline instructions to generate signing-key #2164 (@desimone)
- docs: add info note to set_response_headers #2162 (@calebdoxsey)
- docs: mention alternative bearer token header format #2155 (@travisgroth)
- docs: upgrade notes on `allowed_users` by ID #2133 (@travisgroth)
- docs: add threat model to security page #2097 (@desimone)
- docs: update community slack link #2063 (@travisgroth)
- Update local-oidc.md #1994 (@dharmendrakariya)
- ping: add documentation #1976 (@calebdoxsey)
- docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
- Update data-storage.md #1941 (@TanguyPatte)
- docs: fix query param name #1920 (@calebdoxsey)
- docs: add breaking sa changes in v0.13 #1919 (@desimone)
- docs: add v0.13 to docs site menu #1913 (@travisgroth)
- docs: update changelog for v0.13.0 #1909 (@desimone)
- docs: update security policy #1897 (@desimone)
- docs: misc upgrade notes and changelog #1884 (@travisgroth)
- docs: add load balancing weight documentation #1883 (@travisgroth)
- docs: additional load balancing documentation #1875 (@travisgroth)
### Dependency
- chore(deps): bump github.com/ory/dockertest/v3 from 3.6.3 to 3.6.5 #2168 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.21.0 to 0.23.0 #2167 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.0 to 0.6.1 #2166 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.27.1 to 0.28.0 #2165 (@dependabot[bot])
- use cached envoy #2132 (@wasaga)
- chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
- do not require project be in GOPATH/src #2078 (@wasaga)
- chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
- deps: switch from renovate to dependabot #2069 (@travisgroth)
- fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
- skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
- fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
- fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
- fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
- deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
- fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
- fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
- fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
- fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
- fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
- fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
- fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
- fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
- fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
- fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
- fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
- fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (opens new window) (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.8.2 #1952 (opens new window) (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.1 #1951 (opens new window) (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (opens new window) (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (opens new window) (@renovate[bot])
- chore(deps): update yaml v2 to v3 #1927 (opens new window) (@desimone)
- chore(deps): update vuepress monorepo to v1.8.1 #1891 (opens new window) (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.3 #1890 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.40.0 #1889 (opens new window) (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.1 #1888 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (opens new window) (@renovate[bot])
- chore(deps): update module auth0 to v5 #1868 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.39.0 #1867 (opens new window) (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (opens new window) (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.0 #1865 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (opens new window) (@renovate[bot])
# Deployment
- deployment: update get-envoy script and release hooks #2111 (opens new window) (@travisgroth)
- deployment: Publish OS packages to cloudsmith #2105 (opens new window) (@travisgroth)
- deployment: update get-envoy script and release hooks #2112 (opens new window) (@github-actions[bot])
- deployment: Publish OS packages to cloudsmith #2108 (opens new window) (@github-actions[bot])
- ci: cache build and test binaries #1938 (opens new window) (@desimone)
- ci: go 1.16.x, cached tests #1937 (opens new window) (@desimone)
# Changed
- authorize: remove log #2122 (opens new window) (@calebdoxsey)
- config related metrics #2065 (opens new window) (@wasaga)
- proxy: support re-proxying request through control plane for kubernetes #2051 (opens new window) (@calebdoxsey)
- add default gitlab url #2044 (opens new window) (@contrun)
- Updating Doc for Pomerium-Dex Exercise #2018 (opens new window) (@dharmendrakariya)
- Add `xff_num_trusted_hops` config option #2003 (@ntoofu)
- envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
- ci: deploy master to integration environments #1973 (@travisgroth)
- oidc: use groups claim from ID token if present #1970 (@bonifaido)
- config: expose viper policy hooks #1947 (@calebdoxsey)
- ci: deploy latest release to test environment #1916 (@travisgroth)
- logs: strip query string #1894 (@calebdoxsey)
- in-memory service registry #1892 (@wasaga)
- controlplane: maybe fix flaky test #1873 (@calebdoxsey)
- remove generated code from code coverage metrics #1857 (@travisgroth)
# v0.14.0-rc2 (2021-04-29)
Full Changelog
# New
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
# Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
# Security
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
# Documentation
- docs: mention alternative bearer token header format #2155 (@travisgroth)
- docs: upgrade notes on `allowed_users` by ID #2133 (@travisgroth)
# Dependency
- use cached envoy #2132 (@wasaga)
- chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
# Deployment
- deployment: update get-envoy script and release hooks #2111 (@travisgroth)
- deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
# Changed
- authorize: remove log #2122 (@calebdoxsey)
# v0.14.0-rc1 (2021-04-22)
Full Changelog
# Breaking
- directory: remove provider from user id #2068 (@calebdoxsey)
# New
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
# Fixed
- authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix default provider URL #1928 (@calebdoxsey)
- fix registry test #1911 (@wasaga)
- ci: pin goreleaser version #1900 (@travisgroth)
- onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
- xds: fix misdirected script #1895 (@calebdoxsey)
- authenticate: validate origin of signout #1876 (@desimone)
- redis: fix deletion versioning #1871 (@calebdoxsey)
- options: header only applies to routes and authN #1862 (@desimone)
- controlplane: add global headers to virtualhost #1861 (@desimone)
- unique envoy cluster ids #1858 (@wasaga)
# Security
- deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
- proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
# Documentation
- docs: add threat model to security page #2097 (@desimone)
- docs: update community slack link #2063 (@travisgroth)
- Update local-oidc.md #1994 (@dharmendrakariya)
- ping: add documentation #1976 (@calebdoxsey)
- docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
- Update data-storage.md #1941 (@TanguyPatte)
- docs: fix query param name #1920 (@calebdoxsey)
- docs: add breaking sa changes in v0.13 #1919 (@desimone)
- docs: add v0.13 to docs site menu #1913 (@travisgroth)
- docs: update changelog for v0.13.0 #1909 (@desimone)
- docs: update security policy #1897 (@desimone)
- docs: misc upgrade notes and changelog #1884 (@travisgroth)
- docs: add load balancing weight documentation #1883 (@travisgroth)
- docs: additional load balancing documentation #1875 (@travisgroth)
# Dependency
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
- do not require project be in GOPATH/src #2078 (@wasaga)
- chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
- deps: switch from renovate to dependabot #2069 (@travisgroth)
- fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
- skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
- fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
- fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
- fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
- deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
- fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
- fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
- fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
- fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
- fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
- fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
- fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
- fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
- fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
- fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
- fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
- fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
- chore(deps): update yaml v2 to v3 #1927 (@desimone)
- chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
- chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])
# Deployment
- deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
- deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
- ci: cache build and test binaries #1938 (@desimone)
- ci: go 1.16.x, cached tests #1937 (@desimone)
# Changed
- config related metrics #2065 (@wasaga)
- proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
- add default gitlab url #2044 (@contrun)
- Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
- Add `xff_num_trusted_hops` config option #2003 (@ntoofu)
- envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
- ci: deploy master to integration environments #1973 (@travisgroth)
- oidc: use groups claim from ID token if present #1970 (@bonifaido)
- config: expose viper policy hooks #1947 (@calebdoxsey)
- ci: deploy latest release to test environment #1916 (@travisgroth)
- logs: strip query string #1894 (@calebdoxsey)
- in-memory service registry #1892 (@wasaga)
- controlplane: maybe fix flaky test #1873 (@calebdoxsey)
- remove generated code from code coverage metrics #1857 (@travisgroth)
# v0.13.6 (2021-04-17)
Full Changelog
# Security
- deps: upgrade envoy to 1.16.3 #2096 (@travisgroth)
# Documentation
- docs: update community slack link #2064 (@github-actions[bot])
# v0.13.5 (2021-04-06)
Full Changelog
# Fixed
- change require_proxy_protocol to use_proxy_protocol #2058 (@github-actions[bot])
# v0.13.4 (2021-03-31)
Full Changelog
# Security
- proxy: restrict programmatic URLs to localhost #2047 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2046 (@travisgroth)
# v0.13.3 (2021-03-12)
Full Changelog
# New
- identity: infer email from mail claim #1978 (@github-actions[bot])
# v0.13.2 (2021-02-25)
Full Changelog
# Documentation
- Update data-storage.md #1942 (@github-actions[bot])
# Changed
- proxy: redirect to dashboard for logout #1945 (@github-actions[bot])
# v0.13.1 (2021-02-22)
Full Changelog
# Fixed
- config: fix redirect routes from protobuf #1931 (@github-actions[bot])
- google: fix default provider URL #1929 (@github-actions[bot])
# Documentation
- docs: fix query param name #1923 (@github-actions[bot])
- docs: add breaking sa changes in v0.13 #1921 (@github-actions[bot])
- docs: add v0.13 to docs site menu #1914 (@github-actions[bot])
# Changed
- ci: deploy releases to test environment (#1916) #1918 (@travisgroth)
* This Changelog was automatically generated by github_changelog_generator
# v0.13.0 (2021-02-17)
Full Changelog
# Breaking
- authorize: remove admin #1833 (@calebdoxsey)
- remove user impersonation and service account cli #1768 (@calebdoxsey)
# New
- authorize: allow access by user id #1850 (@calebdoxsey)
- authorize: remove DataBrokerData input #1847 (@calebdoxsey)
- opa: format rego files #1845 (@calebdoxsey)
- policy: add new certificate-authority option for downstream mTLS client certificates #1835 (@calebdoxsey)
- metrics: human readable cluster name #1834 (@wasaga)
- upstream endpoints load balancer weights #1830 (@wasaga)
- controlplane: only add listener virtual domains for addresses matching the current TLS domain #1823 (@calebdoxsey)
- authenticate: delay evaluation of OIDC provider #1802 (@calebdoxsey)
- config: require shared key if using redis backed databroker #1801 (@travisgroth)
- upstream health check config #1796 (@wasaga)
- new skip_xff_append option #1788 (@wasaga)
- policy: add outlier_detection #1786 (@calebdoxsey)
- reduce memory usage by handling http/2 coalescing via a lua script #1779 (@calebdoxsey)
- add support for proxy protocol on HTTP listener #1777 (@calebdoxsey)
- config: support redirect actions #1776 (@calebdoxsey)
- config: detect underlying file changes #1775 (@calebdoxsey)
- authenticate: update user info screens #1774 (@desimone)
- jws: remove issuer #1754 (@calebdoxsey)
# Fixed
- redis: fix deletion versioning #1874 (@github-actions[bot])
- rego: handle null #1853 (@calebdoxsey)
- config: fix data race #1851 (@calebdoxsey)
- deployment: set maintainer field in packages #1848 (@travisgroth)
- xds: fix always requiring client certificates #1844 (@calebdoxsey)
- fix go:generate for envoy config #1826 (@calebdoxsey)
- controlplane: only enable STATIC dns when all addresses are IP addresses #1822 (@calebdoxsey)
- config: fix databroker policies #1821 (@calebdoxsey)
- config: fix hot-reloading #1820 (@calebdoxsey)
- Revert "reduce memory usage by handling http/2 coalescing via a lua script" #1785 (@calebdoxsey)
- google: fix nil name #1771 (@calebdoxsey)
- autocert: improve logging #1767 (@travisgroth)
# Documentation
- github: add tag suggestion to checklist #1819 (@desimone)
- docs: add reference to the go-sdk #1800 (@desimone)
- updated host rewrite docs #1799 (@vihardesu)
- docs: update menu for v0.12 #1755 (@travisgroth)
- Update GitLab provider docs #1591 (@bradjones1)
- Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)
# Dependency
- chore(deps): update module go.opencensus.io to v0.22.6 #1842 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.11 #1841 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 44e461b #1840 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to f9ce19e #1839 (@renovate[bot])
- chore(deps): update module stretchr/testify to v1.7.0 #1816 (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.26.0 #1815 (@renovate[bot])
- chore(deps): update module mitchellh/mapstructure to v1.4.1 #1814 (@renovate[bot])
- chore(deps): update module google/uuid to v1.2.0 #1813 (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.35.0 #1812 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.10 #1811 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.4.1 #1810 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 8081c04 #1809 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to d3ed898 #1808 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 5f4716e #1807 (@renovate[bot])
- chore(deps): update oidc to v3 #1783 (@desimone)
- chore(deps): update vuepress monorepo to v1.8.0 #1761 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.8 #1760 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.3.1 #1759 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.2.1 #1758 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to c7d5778 #1757 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.38.0 #1656 (@renovate[bot])
# Deployment
- ci: fix usage of env variable in latest tag #1791 (@travisgroth)
- databroker: rename cache service #1790 (@calebdoxsey)
- ci: fix deprecated command in latestTag step #1763 (@travisgroth)
# Changed
- docs: additional load balancing documentation #1882 (@github-actions[bot])
- authenticate: validate origin of signout #1881 (@github-actions[bot])
- config: add CertificateFiles to FileWatcherSource list #1880 (@github-actions[bot])
- ci: enable backporting from forks #1854 (@travisgroth)
- ci: fix version metadata in non-releases #1836 (@travisgroth)
- protobuf: upgrade protoc to 3.14 #1832 (@calebdoxsey)
- Update codeowners #1831 (@travisgroth)
- config: return errors on invalid URLs, fix linting #1829 (@calebdoxsey)
- grpc: use custom resolver #1828 (@calebdoxsey)
- controlplane: return errors in xds build methods #1827 (@calebdoxsey)
- include envoy's proto specs into config.proto #1817 (@wasaga)
- expose all envoy cluster options in policy #1804 (@wasaga)
- autocert: store certificates separately from config certificates #1794 (@calebdoxsey)
- move file change detection before autocert #1793 (@calebdoxsey)
- config: support multiple destination addresses #1789 (@calebdoxsey)
- ci: license check action #1773 (@travisgroth)
- authorize: move impersonation into session/service account #1765 (@calebdoxsey)
# v0.12.2 (2021-02-02)
Full Changelog
# Fixed
- [Backport 0-12-0] deployment: set maintainer field in packages #1849 (@github-actions[bot])
# Changed
- [Backport 0-12-0] ci: fix usage of env variable in latest tag #1806 (@github-actions[bot])
- [Backport 0-12-0] docs: add reference to the go-sdk #1803 (@github-actions[bot])
# v0.12.1 (2021-01-13)
Full Changelog
# Fixed
- [Backport 0-12-0] google: fix nil name #1772 (@github-actions[bot])
- [Backport 0-12-0] autocert: improve logging #1769 (@travisgroth)
# Documentation
- [Backport 0-12-0] docs: update menu for v0.12 #1762 (@github-actions[bot])
# Deployment
- [Backport 0-12-0] ci: fix deprecated command in latestTag step #1764 (@github-actions[bot])
# v0.12.0 (2021-01-07)
Full Changelog
# New
- tcp: prevent idle stream timeouts for TCP and Websocket routes #1744 (@calebdoxsey)
- telemetry: add support for datadog tracing #1743 (opens new window) (@calebdoxsey)
- use incremental API for envoy xDS #1732 (opens new window) (@calebdoxsey)
- cli: add version command #1726 (opens new window) (@desimone)
- add TLS flags for TCP tunnel #1725 (opens new window) (@calebdoxsey)
- k8s cmd: use authclient package #1722 (opens new window) (@calebdoxsey)
- internal/controlplane: 0s default timeout for tcp routes #1716 (opens new window) (@travisgroth)
- use impersonate groups if impersonate email is set #1701 (opens new window) (@calebdoxsey)
- unimpersonate button #1700 (opens new window) (@calebdoxsey)
- TCP client command #1696 (opens new window) (@calebdoxsey)
- add support for TCP routes #1695 (opens new window) (@calebdoxsey)
- internal/directory: use gitlab provider url option #1689 (opens new window) (@nghnam)
- improve ca cert error message, use GetCertPool for databroker storage #1666 (opens new window) (@calebdoxsey)
- implement new redis storage backend with go-redis package #1649 (opens new window) (@calebdoxsey)
- authenticate: oidc frontchannel-logout endpoint #1586 (opens new window) (@pflipp)
# Fixed
- remove :443 or :80 from proxy URLs in authclient #1733 (opens new window) (@calebdoxsey)
- tcptunnel: handle invalid http response codes #1727 (opens new window) (@calebdoxsey)
- update azure docs #1723 (opens new window) (@calebdoxsey)
- config: fix ignored yaml fields #1698 (opens new window) (@travisgroth)
- fix concurrency race #1675 (opens new window) (@calebdoxsey)
- don't create users when updating sessions #1671 (opens new window) (@calebdoxsey)
# Documentation
- update google docs #1738 (opens new window) (@calebdoxsey)
- docs: add TCP guide #1714 (opens new window) (@travisgroth)
- docs: tcp support #1712 (opens new window) (@travisgroth)
- docs: replace httpbin with verify #1702 (opens new window) (@desimone)
- docs: fix nginx config #1691 (opens new window) (@desimone)
- remove "see policy" phrase in settings docs #1668 (opens new window) (@calebdoxsey)
- docs: add allowed_idp_claims docs #1665 (opens new window) (@travisgroth)
- docs: add v0.11 link to version menu #1663 (opens new window) (@travisgroth)
# Dependency
- chore(deps): update module google/uuid to v1.1.4 #1729 (opens new window) (@renovate[bot])
- dev: update linter #1728 (opens new window) (@desimone)
- chore(deps): update codecov/codecov-action action to v1.1.1 #1720 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 6772e93 #1719 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to eec23a3 #1718 (opens new window) (@renovate[bot])
- chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3.4.0 #1710 (opens new window) (@renovate[bot])
- chore(deps): update module prometheus/client_golang to v1.9.0 #1709 (opens new window) (@renovate[bot])
- chore(deps): update module ory/dockertest/v3 to v3.6.3 #1708 (opens new window) (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.4 #1707 (opens new window) (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.1.0 #1706 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 8c77b98 #1705 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 986b41b #1704 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 9d13527 #1703 (opens new window) (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.25.2 #1685 (opens new window) (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.2 #1684 (opens new window) (@renovate[bot])
- chore(deps): update module envoyproxy/go-control-plane to v0.9.8 #1683 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 40ec1c2 #1682 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 09787c9 #1681 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 08078c5 #1680 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to ac852fb #1679 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 5f87f34 #1678 (opens new window) (@renovate[bot])
# Deployment
- ci: upgrade yq syntax for v4 #1745 (opens new window) (@travisgroth)
- deployment: Fix docker and rpm workflows #1687 (opens new window) (@travisgroth)
- ci: fix pomerium-cli rpm name #1661 (opens new window) (@travisgroth)
# Changed
- ci: fix typo in yq image #1746 (opens new window) (@travisgroth)
- fix coverage #1741 (opens new window) (@calebdoxsey)
- fix error wrapping #1737 (opens new window) (@calebdoxsey)
- Revert "set recommended defaults" #1735 (opens new window) (@calebdoxsey)
- set recommended defaults #1734 (opens new window) (@calebdoxsey)
- internal/telemetry/metrics: update redis metrics for go-redis #1694 (opens new window) (@travisgroth)
# v0.11.1 (opens new window) (2020-12-11)
Full Changelog (opens new window)
# Fixed
- [Backport 0-11-0] fix concurrency race #1676 (opens new window) (@github-actions[bot])
- [Backport 0-11-0] don't create users when updating sessions #1672 (opens new window) (@github-actions[bot])
# Documentation
- [Backport 0-11-0] remove "see policy" phrase in settings docs #1669 (opens new window) (@github-actions[bot])
- [Backport 0-11-0] docs: add allowed_idp_claims docs #1667 (opens new window) (@github-actions[bot])
- [Backport 0-11-0] docs: add v0.11 link to version menu #1664 (opens new window) (@github-actions[bot])
# Deployment
- [Backport 0-11-0] ci: fix pomerium-cli rpm name #1662 (opens new window) (@travisgroth)
# v0.11.0 (opens new window) (2020-12-04)
Full Changelog (opens new window)
# Breaking
- remove deprecated cache_service_url config option #1614 (opens new window) (@calebdoxsey)
- add flag to enable user impersonation #1514 (opens new window) (@calebdoxsey)
# New
- microsoft: add support for common endpoint #1648 (opens new window) (@desimone)
- use the directory email when provided for the jwt #1647 (opens new window) (@calebdoxsey)
- fix profile image on dashboard #1637 (opens new window) (@calebdoxsey)
- wait for initial sync to complete before starting control plane #1636 (opens new window) (@calebdoxsey)
- authorize: add signature algo support (RSA / EdDSA) #1631 (opens new window) (@desimone)
- replace GetAllPages with InitialSync, improve merge performance #1624 (opens new window) (@calebdoxsey)
- cryptutil: more explicit decryption error #1607 (opens new window) (@desimone)
- add paging support to GetAll #1601 (opens new window) (@calebdoxsey)
- attach version to gRPC server metadata #1598 (opens new window) (@calebdoxsey)
- use custom default http transport #1576 (opens new window) (@calebdoxsey)
- update user info in addition to refreshing the token #1572 (opens new window) (@calebdoxsey)
- databroker: add audience to session #1557 (opens new window) (@calebdoxsey)
- authorize: implement allowed_idp_claims #1542 (opens new window) (@calebdoxsey)
- autocert: support certificate renewal #1516 (opens new window) (@calebdoxsey)
- add policy to allow any authenticated user #1515 (opens new window) (@pflipp)
- debug: add pprof endpoints #1504 (opens new window) (@calebdoxsey)
- databroker: require JWT for access #1503 (opens new window) (@calebdoxsey)
- authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (opens new window) (@desimone)
- forward-auth: use envoy's ext_authz check #1482 (opens new window) (@desimone)
- auth0: implement directory provider #1479 (opens new window) (@grounded042)
- azure: incremental sync #1471 (opens new window) (@calebdoxsey)
- auth0: implement identity provider #1470 (opens new window) (@calebdoxsey)
- dashboard: format timestamps #1468 (opens new window) (@calebdoxsey)
- directory: additional user info #1467 (opens new window) (@calebdoxsey)
- directory: add explicit RefreshUser endpoint for faster sync #1460 (opens new window) (@calebdoxsey)
- config: add support for host header rewriting #1457 (opens new window) (@calebdoxsey)
- proxy: preserve path and query string for http->https redirect #1456 (opens new window) (@calebdoxsey)
- redis: use pubsub instead of keyspace events #1450 (opens new window) (@calebdoxsey)
- proxy: add support for /.pomerium/jwt #1446 (opens new window) (@calebdoxsey)
- databroker: add support for querying the databroker #1443 (opens new window) (@calebdoxsey)
- config: add dns_lookup_family option to customize DNS IP resolution #1436 (opens new window) (@calebdoxsey)
- okta: handle deleted groups #1418 (opens new window) (@calebdoxsey)
- controlplane: support P-384 / P-512 EC curves #1409 (opens new window) (@desimone)
- azure: add support for nested groups #1408 (opens new window) (@calebdoxsey)
- authorize: add support for service accounts #1374 (opens new window) (@calebdoxsey)
- Cuonglm/improve timeout error message #1373 (opens new window) (@cuonglm)
- internal/directory/okta: remove rate limiter #1370 (opens new window) (@cuonglm)
- {proxy/controlplane}: make health checks debug level #1368 (opens new window) (@desimone)
- databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (opens new window) (@calebdoxsey)
- authorize: use impersonate email/groups in JWT #1364 (opens new window) (@calebdoxsey)
- config: support explicit prefix and regex path rewriting #1363 (opens new window) (@calebdoxsey)
- proxy: support websocket timeouts #1362 (opens new window) (@calebdoxsey)
- proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (opens new window) (@calebdoxsey)
- certmagic: improve logging #1358 (opens new window) (@calebdoxsey)
- logs: add new log scrubber #1346 (opens new window) (@calebdoxsey)
- Allow setting the shared secret via an environment variable. #1337 (opens new window) (@rspier)
- authorize: add jti to JWT payload #1328 (opens new window) (@calebdoxsey)
- all: add signout redirect url #1324 (opens new window) (@cuonglm)
- proxy: remove unused handlers #1317 (opens new window) (@desimone)
- azure: support deriving credentials from client id, client secret and provider url #1300 (opens new window) (@calebdoxsey)
- cache: support databroker option changes #1294 (opens new window) (@calebdoxsey)
- authenticate: move databroker connection to state #1292 (opens new window) (@calebdoxsey)
- authorize: use atomic state for properties #1290 (opens new window) (@calebdoxsey)
- proxy: move properties to atomically updated state #1280 (opens new window) (@calebdoxsey)
- Improving okta API requests #1278 (opens new window) (@cuonglm)
- authenticate: move properties to atomically updated state #1277 (opens new window) (@calebdoxsey)
- authenticate: support reloading IDP settings #1273 (opens new window) (@calebdoxsey)
- Rate limit for okta #1271 (opens new window) (@cuonglm)
- config: allow dynamic configuration of cookie settings #1267 (opens new window) (@calebdoxsey)
- internal/directory/okta: increase default batch size to 200 #1264 (opens new window) (@cuonglm)
- envoy: add support for hot-reloading bootstrap configuration #1259 (opens new window) (@calebdoxsey)
- config: allow reloading of telemetry settings #1255 (opens new window) (@calebdoxsey)
- databroker: add support for config settings #1253 (opens new window) (@calebdoxsey)
- config: warn if custom scopes set for builtin providers #1252 (opens new window) (@cuonglm)
- authorize: add databroker url check #1228 (opens new window) (@desimone)
- internal/databroker: make Sync send data in smaller batches #1226 (opens new window) (@cuonglm)
# Fixed
- fix config race #1660 (opens new window) (@calebdoxsey)
- fix ordering of autocert config source #1640 (opens new window) (@calebdoxsey)
- pkg/storage/redis: Prevent connection churn #1603 (opens new window) (@travisgroth)
- forward-auth: fix special character support for nginx #1578 (opens new window) (@desimone)
- proxy/forward_auth: copy response headers as request headers #1577 (opens new window) (@desimone)
- fix querying claim data on the dashboard #1560 (opens new window) (@calebdoxsey)
- github: fix retrieving team id with graphql API (#1554) #1555 (opens new window) (@toshipp)
- store raw id token so it can be passed to the logout url #1543 (opens new window) (@calebdoxsey)
- fix databroker requiring signed jwt #1538 (opens new window) (@calebdoxsey)
- authorize: add redirect url to debug page #1533 (opens new window) (@desimone)
- internal/frontend: resolve authN helper url #1521 (opens new window) (@desimone)
- fwd-auth: match nginx-ingress config #1505 (opens new window) (@desimone)
- authenticate: protect /.pomerium/admin endpoint #1500 (opens new window) (@calebdoxsey)
- ci: ensure systemd unit file is in packages #1481 (opens new window) (@travisgroth)
- identity manager: fix directory sync timing #1455 (opens new window) (@calebdoxsey)
- proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (opens new window) (@whs)
- httputil: remove retry button #1438 (opens new window) (@desimone)
- proxy: always use https for application callback #1433 (opens new window) (@travisgroth)
- controlplane: remove p-521 EC #1420 (opens new window) (@desimone)
- redirect-server: add config headers to responses #1416 (opens new window) (@calebdoxsey)
- proxy: remove impersonate headers for kubernetes #1394 (opens new window) (@calebdoxsey)
- Desimone/authenticate default logout #1390 (opens new window) (@desimone)
- proxy: for filter matches only include bare domain name #1389 (opens new window) (@calebdoxsey)
- internal/envoy: start epoch from 0 #1387 (opens new window) (@travisgroth)
- internal/directory/okta: accept non-json service account #1359 (opens new window) (@cuonglm)
- internal/controlplane: add telemetry http handler #1353 (opens new window) (@travisgroth)
- autocert: fix locking issue #1310 (opens new window) (@calebdoxsey)
- authorize: log users and groups #1303 (opens new window) (@desimone)
- proxy: fix wrong applied middleware #1298 (opens new window) (@cuonglm)
- internal/directory/okta: fix wrong API query filter #1296 (opens new window) (@cuonglm)
- autocert: fix bootstrapped cache store path #1283 (opens new window) (@desimone)
- config: validate databroker settings #1260 (opens new window) (@calebdoxsey)
- internal/autocert: re-use cert if renewing failed but cert not expired #1237 (opens new window) (@cuonglm)
# Security
- chore(deps): update envoy 1.16.1 #1613 (opens new window) (@desimone)
# Documentation
- move signing key algorithm documentation into yaml file #1646 (opens new window) (@calebdoxsey)
- update docs #1645 (opens new window) (@desimone)
- docs: update build badge #1635 (opens new window) (@travisgroth)
- docs: add cache_service_url upgrade notice #1621 (opens new window) (@travisgroth)
- docs: use standard language for lists #1590 (opens new window) (@desimone)
- Fix command in Kubernetes Quick start docs #1582 (opens new window) (@wesleyw72)
- move docs to settings.yaml #1579 (opens new window) (@calebdoxsey)
- docs: add round logo #1574 (opens new window) (@desimone)
- add settings.yaml file #1540 (opens new window) (@calebdoxsey)
- update the documentation for auth0 to include group/role information #1502 (opens new window) (@grounded042)
- examples: fix nginx example #1478 (opens new window) (@desimone)
- docs: add architecture diagram for cloudrun #1444 (opens new window) (@travisgroth)
- fix(examples): Use X-Pomerium-Claim headers #1422 (opens new window) (@tdorsey)
- chore(docs): Fix typo in example policy #1419 (opens new window) (@tdorsey)
- docs: fix grammar #1412 (opens new window) (@shinebayar-g)
- docs: Add Traefik + Kubernetes example #1411 (opens new window) (@travisgroth)
- Remove typo on remove_request_headers docs #1388 (opens new window) (@whs)
- docs: update azure docs #1377 (opens new window) (@desimone)
- docs: add nginx example #1329 (opens new window) (@travisgroth)
- docs: use .com sitemap hostname #1274 (opens new window) (@desimone)
- docs: fix in-action video #1268 (opens new window) (@travisgroth)
- docs: image, sitemap and redirect fixes #1263 (opens new window) (@travisgroth)
- Fix broken logo link in README.md #1261 (opens new window) (@cuonglm)
- docs/docs: fix wrong okta service account field #1251 (opens new window) (@cuonglm)
- [Backport latest] Docs/enterprise button #1247 (opens new window) (@github-actions[bot])
- Docs/enterprise button #1245 (opens new window) (@desimone)
- remove rootDomain from examples #1244 (opens new window) (@karelbilek)
- docs: add / redirect #1241 (opens new window) (@desimone)
- docs: prepare for enterprise / oss split #1238 (opens new window) (@desimone)
# Dependency
- chore(deps): update module open-policy-agent/opa to v0.25.1 #1659 (opens new window) (@renovate[bot])
- chore(deps): update module lithammer/shortuuid/v3 to v3.0.5 #1658 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.34.0 #1657 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 9ee31aa #1655 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9317641 #1654 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to c7110b5 #1653 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to be400ae #1652 (opens new window) (@renovate[bot])
- deps: update hashstructure v2 #1632 (opens new window) (@desimone)
- chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3 #1630 (opens new window) (@renovate[bot])
- chore(deps): update module yaml to v2.4.0 #1629 (opens new window) (@renovate[bot])
- chore(deps): update module google/go-cmp to v0.5.4 #1628 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to c8d3bf9 #1627 (opens new window) (@renovate[bot])
- chore(deps): update module google/go-jsonnet to v0.17.0 #1611 (opens new window) (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.0.15 #1610 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 9b1e624 #1609 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to c1f2f97 #1608 (opens new window) (@renovate[bot])
- chore(deps): update module google/go-cmp to v0.5.3 #1597 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (opens new window) (@renovate[bot])
- chore(deps): update mikefarah/yq action to v3.4.1 #1567 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (opens new window) (@renovate[bot])
- chore(deps): update olegtarasov/get-tag action to v2 #1552 (opens new window) (@renovate[bot])
- chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (opens new window) (@renovate[bot])
- chore(deps): update actions/setup-go action to v2 #1550 (opens new window) (@renovate[bot])
- chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (opens new window) (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (opens new window) (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.7.1 #1531 (opens new window) (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.1 #1530 (opens new window) (@renovate[bot])
- chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (opens new window) (@renovate[bot])
- chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (opens new window) (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (opens new window) (@renovate[bot])
- chore(deps): update module golang/protobuf to v1.4.3 #1525 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (opens new window) (@renovate[bot])
- chore(deps): upgrade envoy to v0.16.0 #1519 (opens new window) (@desimone)
- deployment: run go mod tidy #1512 (opens new window) (@desimone)
- chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (opens new window) (@renovate[bot])
- chore(deps): update module go.opencensus.io to v0.22.5 #1510 (opens new window) (@renovate[bot])
- chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (opens new window) (@renovate[bot])
- deployment: pin /x/sys to fix dockertest #1491 (opens new window) (@desimone)
- chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (opens new window) (@renovate[bot])
- chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (opens new window) (@renovate[bot])
- deps: update envoy arm64 to v1.15.1 #1475 (opens new window) (@travisgroth)
- chore(deps): envoy 1.15.1 #1473 (opens new window) (@desimone)
- chore(deps): update vuepress monorepo to v1.6.0 #1463 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (opens new window) (@renovate[bot])
- deps: go mod tidy #1434 (opens new window) (@travisgroth)
- chore(deps): update module rs/zerolog to v1.20.0 #1431 (opens new window) (@renovate[bot])
- chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (opens new window) (@renovate[bot])
- chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (opens new window) (@renovate[bot])
- chore(deps): update module gorilla/handlers to v1.5.1 #1406 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (opens new window) (@renovate[bot])
- Run go mod tidy #1384 (opens new window) (@cuonglm)
- chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (opens new window) (@renovate[bot])
- deps: ensure renovate runs `go mod tidy` #1357 (opens new window) (@travisgroth)
- deps: go mod tidy #1356 (opens new window) (@travisgroth)
- Update module open-policy-agent/opa to v0.23.2 #1351 (opens new window) (@renovate[bot])
- Update module google/uuid to v1.1.2 #1350 (opens new window) (@renovate[bot])
- Update module google/go-cmp to v0.5.2 #1349 (opens new window) (@renovate[bot])
- Update module google.golang.org/grpc to v1.31.1 #1348 (opens new window) (@renovate[bot])
- Update google.golang.org/genproto commit hash to 2bf3329 #1347 (opens new window) (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.5.4 #1323 (opens new window) (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (opens new window) (@renovate[bot])
- chore(deps): update module gorilla/mux to v1.8.0 #1321 (opens new window) (@renovate[bot])
- chore(deps): update module gorilla/handlers to v1.5.0 #1320 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to c890458 #1319 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (opens new window) (@renovate[bot])
- Upgrade zipkin-go to v0.2.3 #1288 (opens new window) (@cuonglm)
- chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (opens new window) (@renovate[bot])
- .github/workflows: upgrade to go1.15 #1258 (opens new window) (@cuonglm)
- Fix tests failed with go115 #1257 (opens new window) (@cuonglm)
- chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (opens new window) (@renovate[bot])
- Update module google.golang.org/api to v0.30.0 #1235 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (opens new window) (@renovate[bot])
# Deployment
- deployment: enable multi-arch release images #1643 (opens new window) (@travisgroth)
- ci: add bintray publishing #1618 (opens new window) (@travisgroth)
- ci: remove bad quoting in publish steps #1617 (opens new window) (@travisgroth)
- ci: update tag parsing step #1616 (opens new window) (@travisgroth)
- remove memberlist #1615 (opens new window) (@calebdoxsey)
- ci: automatically update test environment with master #1562 (opens new window) (@travisgroth)
- deployment: add debug build / container / docs #1513 (opens new window) (@travisgroth)
- deployment: Generate deb and rpm packages #1458 (opens new window) (@travisgroth)
- deployment: bump release go to v1.15.x #1439 (opens new window) (@desimone)
- ci: publish cloudrun latest tag #1398 (opens new window) (@travisgroth)
- deployment: fully split release archives and brews #1365 (opens new window) (@travisgroth)
- Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (opens new window) (@rspier)
- Use apt-get instead of apt to eliminate warning. #1344 (opens new window) (@rspier)
- deployment: add goimports with path awareness #1316 (opens new window) (@desimone)
# Changed
- identity/oidc/azure: goimports #1651 (opens new window) (@travisgroth)
- fix panic when deleting a record twice from the inmemory data store #1639 (opens new window) (@calebdoxsey)
- ci: improve release snapshot name template #1602 (opens new window) (@travisgroth)
- ci: fix release workflow syntax #1592 (opens new window) (@travisgroth)
- ci: update changelog generation to script #1589 (opens new window) (@travisgroth)
- [Backport 0-10-0] docs: add round logo #1575 (opens new window) (@github-actions[bot])
- tidy #1494 (opens new window) (@desimone)
- dev: add remote container debug configs #1459 (opens new window) (@desimone)
- ci: add stale issue automation #1366 (opens new window) (@travisgroth)
- internal/urlutil: remove un-used constants #1326 (opens new window) (@cuonglm)
- integration: add forward auth test #1312 (opens new window) (@cuonglm)
- pkg/storage/redis: update tests to use local certs + upstream image #1306 (opens new window) (@travisgroth)
- config: omit empty subpolicies in yaml/json #1229 (opens new window) (@travisgroth)
- Cuonglm/increase coverage 1 #1227 (opens new window) (@cuonglm)
# v0.11.0-rc2 (opens new window) (2020-11-19)
Full Changelog (opens new window)
# New
- add paging support to GetAll #1601 (opens new window) (@calebdoxsey)
- attach version to gRPC server metadata #1598 (opens new window) (@calebdoxsey)
# Fixed
- pkg/storage/redis: Prevent connection churn #1603 (opens new window) (@travisgroth)
# Dependency
- chore(deps): update module google/go-cmp to v0.5.3 #1597 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (opens new window) (@renovate[bot])
# Changed
- ci: improve release snapshot name template #1602 (opens new window) (@travisgroth)
# v0.11.0-rc1 (opens new window) (2020-11-13)
Full Changelog (opens new window)
# Breaking
- add flag to enable user impersonation #1514 (opens new window) (@calebdoxsey)
# New
- use custom default http transport #1576 (opens new window) (@calebdoxsey)
- update user info in addition to refreshing the token #1572 (opens new window) (@calebdoxsey)
- databroker: add audience to session #1557 (opens new window) (@calebdoxsey)
- authorize: implement allowed_idp_claims #1542 (opens new window) (@calebdoxsey)
- autocert: support certificate renewal #1516 (opens new window) (@calebdoxsey)
- add policy to allow any authenticated user #1515 (opens new window) (@pflipp)
- debug: add pprof endpoints #1504 (opens new window) (@calebdoxsey)
- databroker: require JWT for access #1503 (opens new window) (@calebdoxsey)
- authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (opens new window) (@desimone)
- forward-auth: use envoy's ext_authz check #1482 (opens new window) (@desimone)
- auth0: implement directory provider #1479 (opens new window) (@grounded042)
- azure: incremental sync #1471 (opens new window) (@calebdoxsey)
- auth0: implement identity provider #1470 (opens new window) (@calebdoxsey)
- dashboard: format timestamps #1468 (opens new window) (@calebdoxsey)
- directory: additional user info #1467 (opens new window) (@calebdoxsey)
- directory: add explicit RefreshUser endpoint for faster sync #1460 (opens new window) (@calebdoxsey)
- config: add support for host header rewriting #1457 (opens new window) (@calebdoxsey)
- proxy: preserve path and query string for http->https redirect #1456 (opens new window) (@calebdoxsey)
- redis: use pubsub instead of keyspace events #1450 (opens new window) (@calebdoxsey)
- proxy: add support for /.pomerium/jwt #1446 (opens new window) (@calebdoxsey)
- databroker: add support for querying the databroker #1443 (opens new window) (@calebdoxsey)
- config: add dns_lookup_family option to customize DNS IP resolution #1436 (opens new window) (@calebdoxsey)
- okta: handle deleted groups #1418 (opens new window) (@calebdoxsey)
- controlplane: support P-384 / P-512 EC curves #1409 (opens new window) (@desimone)
- azure: add support for nested groups #1408 (opens new window) (@calebdoxsey)
- authorize: add support for service accounts #1374 (opens new window) (@calebdoxsey)
- Cuonglm/improve timeout error message #1373 (opens new window) (@cuonglm)
- internal/directory/okta: remove rate limiter #1370 (opens new window) (@cuonglm)
- {proxy/controlplane}: make health checks debug level #1368 (opens new window) (@desimone)
- databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (opens new window) (@calebdoxsey)
- authorize: use impersonate email/groups in JWT #1364 (opens new window) (@calebdoxsey)
- config: support explicit prefix and regex path rewriting #1363 (opens new window) (@calebdoxsey)
- proxy: support websocket timeouts #1362 (opens new window) (@calebdoxsey)
- proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (opens new window) (@calebdoxsey)
- certmagic: improve logging #1358 (opens new window) (@calebdoxsey)
- logs: add new log scrubber #1346 (opens new window) (@calebdoxsey)
- Allow setting the shared secret via an environment variable. #1337 (opens new window) (@rspier)
- authorize: add jti to JWT payload #1328 (opens new window) (@calebdoxsey)
- all: add signout redirect url #1324 (opens new window) (@cuonglm)
- proxy: remove unused handlers #1317 (opens new window) (@desimone)
- azure: support deriving credentials from client id, client secret and provider url #1300 (opens new window) (@calebdoxsey)
- cache: support databroker option changes #1294 (opens new window) (@calebdoxsey)
- authenticate: move databroker connection to state #1292 (opens new window) (@calebdoxsey)
- authorize: use atomic state for properties #1290 (opens new window) (@calebdoxsey)
- proxy: move properties to atomically updated state #1280 (opens new window) (@calebdoxsey)
- Improving okta API requests #1278 (opens new window) (@cuonglm)
- authenticate: move properties to atomically updated state #1277 (opens new window) (@calebdoxsey)
- authenticate: support reloading IDP settings #1273 (opens new window) (@calebdoxsey)
- Rate limit for okta #1271 (opens new window) (@cuonglm)
- config: allow dynamic configuration of cookie settings #1267 (opens new window) (@calebdoxsey)
- internal/directory/okta: increase default batch size to 200 #1264 (opens new window) (@cuonglm)
- envoy: add support for hot-reloading bootstrap configuration #1259 (opens new window) (@calebdoxsey)
- config: allow reloading of telemetry settings #1255 (opens new window) (@calebdoxsey)
- databroker: add support for config settings #1253 (opens new window) (@calebdoxsey)
- config: warn if custom scopes set for builtin providers #1252 (opens new window) (@cuonglm)
- authorize: add databroker url check #1228 (opens new window) (@desimone)
- internal/databroker: make Sync send data in smaller batches #1226 (opens new window) (@cuonglm)
# Fixed
- forward-auth: fix special character support for nginx #1578 (opens new window) (@desimone)
- proxy/forward_auth: copy response headers as request headers #1577 (opens new window) (@desimone)
- fix querying claim data on the dashboard #1560 (opens new window) (@calebdoxsey)
- github: fix retrieving team id with graphql API (#1554) #1555 (opens new window) (@toshipp)
- store raw id token so it can be passed to the logout url #1543 (opens new window) (@calebdoxsey)
- fix databroker requiring signed jwt #1538 (opens new window) (@calebdoxsey)
- authorize: add redirect url to debug page #1533 (opens new window) (@desimone)
- internal/frontend: resolve authN helper url #1521 (opens new window) (@desimone)
- fwd-auth: match nginx-ingress config #1505 (opens new window) (@desimone)
- authenticate: protect /.pomerium/admin endpoint #1500 (opens new window) (@calebdoxsey)
- ci: ensure systemd unit file is in packages #1481 (opens new window) (@travisgroth)
- identity manager: fix directory sync timing #1455 (opens new window) (@calebdoxsey)
- proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (opens new window) (@whs)
- httputil: remove retry button #1438 (opens new window) (@desimone)
- proxy: always use https for application callback #1433 (opens new window) (@travisgroth)
- controlplane: remove p-521 EC #1420 (opens new window) (@desimone)
- redirect-server: add config headers to responses #1416 (opens new window) (@calebdoxsey)
- proxy: remove impersonate headers for kubernetes #1394 (opens new window) (@calebdoxsey)
- Desimone/authenticate default logout #1390 (opens new window) (@desimone)
- proxy: for filter matches only include bare domain name #1389 (opens new window) (@calebdoxsey)
- internal/envoy: start epoch from 0 #1387 (opens new window) (@travisgroth)
- internal/directory/okta: accept non-json service account #1359 (opens new window) (@cuonglm)
- internal/controlplane: add telemetry http handler #1353 (opens new window) (@travisgroth)
- autocert: fix locking issue #1310 (opens new window) (@calebdoxsey)
- authorize: log users and groups #1303 (opens new window) (@desimone)
- proxy: fix wrong applied middleware #1298 (opens new window) (@cuonglm)
- internal/directory/okta: fix wrong API query filter #1296 (opens new window) (@cuonglm)
- autocert: fix bootstrapped cache store path #1283 (opens new window) (@desimone)
- config: validate databroker settings #1260 (opens new window) (@calebdoxsey)
- internal/autocert: re-use cert if renewing failed but cert not expired #1237 (opens new window) (@cuonglm)
# Documentation
- docs: use standard language for lists #1590 (opens new window) (@desimone)
- Fix command in Kubernetes Quick start docs #1582 (opens new window) (@wesleyw72)
- move docs to settings.yaml #1579 (opens new window) (@calebdoxsey)
- docs: add round logo #1574 (opens new window) (@desimone)
- add settings.yaml file #1540 (opens new window) (@calebdoxsey)
- update the documentation for auth0 to include group/role information #1502 (opens new window) (@grounded042)
- examples: fix nginx example #1478 (opens new window) (@desimone)
- docs: add architecture diagram for cloudrun #1444 (opens new window) (@travisgroth)
- fix(examples): Use X-Pomerium-Claim headers #1422 (opens new window) (@tdorsey)
- chore(docs): Fix typo in example policy #1419 (opens new window) (@tdorsey)
- docs: fix grammar #1412 (opens new window) (@shinebayar-g)
- docs: Add Traefik + Kubernetes example #1411 (opens new window) (@travisgroth)
- Remove typo on remove_request_headers docs #1388 (opens new window) (@whs)
- docs: update azure docs #1377 (opens new window) (@desimone)
- docs: add nginx example #1329 (opens new window) (@travisgroth)
- docs: use .com sitemap hostname #1274 (opens new window) (@desimone)
- docs: fix in-action video #1268 (opens new window) (@travisgroth)
- docs: image, sitemap and redirect fixes #1263 (opens new window) (@travisgroth)
- Fix broken logo link in README.md #1261 (opens new window) (@cuonglm)
- docs/docs: fix wrong okta service account field #1251 (opens new window) (@cuonglm)
- [Backport latest] Docs/enterprise button #1247 (opens new window) (@github-actions[bot])
- Docs/enterprise button #1245 (opens new window) (@desimone)
- remove rootDomain from examples #1244 (opens new window) (@karelbilek)
- docs: add / redirect #1241 (opens new window) (@desimone)
- docs: prepare for enterprise / oss split #1238 (opens new window) (@desimone)
# Dependency
- chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (opens new window) (@renovate[bot])
- chore(deps): update mikefarah/yq action to v3.4.1 #1567 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (opens new window) (@renovate[bot])
- chore(deps): update olegtarasov/get-tag action to v2 #1552 (opens new window) (@renovate[bot])
- chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (opens new window) (@renovate[bot])
- chore(deps): update actions/setup-go action to v2 #1550 (opens new window) (@renovate[bot])
- chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (opens new window) (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (opens new window) (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.7.1 #1531 (opens new window) (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.1 #1530 (opens new window) (@renovate[bot])
- chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (opens new window) (@renovate[bot])
- chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (opens new window) (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (opens new window) (@renovate[bot])
- chore(deps): update module golang/protobuf to v1.4.3 #1525 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (opens new window) (@renovate[bot])
- chore(deps): upgrade envoy to v0.16.0 #1519 (opens new window) (@desimone)
- deployment: run go mod tidy #1512 (opens new window) (@desimone)
- chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (opens new window) (@renovate[bot])
- chore(deps): update module go.opencensus.io to v0.22.5 #1510 (opens new window) (@renovate[bot])
- chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (opens new window) (@renovate[bot])
- deployment: pin /x/sys to fix dockertest #1491 (opens new window) (@desimone)
- chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (opens new window) (@renovate[bot])
- chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (opens new window) (@renovate[bot])
- deps: update envoy arm64 to v1.15.1 #1475 (opens new window) (@travisgroth)
- chore(deps): envoy 1.15.1 #1473 (opens new window) (@desimone)
- chore(deps): update vuepress monorepo to v1.6.0 #1463 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (opens new window) (@renovate[bot])
- deps: go mod tidy #1434 (opens new window) (@travisgroth)
- chore(deps): update module rs/zerolog to v1.20.0 #1431 (opens new window) (@renovate[bot])
- chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (opens new window) (@renovate[bot])
- chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (opens new window) (@renovate[bot])
- chore(deps): update module gorilla/handlers to v1.5.1 #1406 (opens new window) (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (opens new window) (@renovate[bot])
- Run go mod tidy #1384 (opens new window) (@cuonglm)
- chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (opens new window) (@renovate[bot])
- deps: ensure renovate runs go mod tidy #1357 (opens new window) (@travisgroth)
- deps: go mod tidy #1356 (opens new window) (@travisgroth)
- Update module open-policy-agent/opa to v0.23.2 #1351 (opens new window) (@renovate[bot])
- Update module google/uuid to v1.1.2 #1350 (opens new window) (@renovate[bot])
- Update module google/go-cmp to v0.5.2 #1349 (opens new window) (@renovate[bot])
- Update module google.golang.org/grpc to v1.31.1 #1348 (opens new window) (@renovate[bot])
- Update google.golang.org/genproto commit hash to 2bf3329 #1347 (opens new window) (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.5.4 #1323 (opens new window) (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (opens new window) (@renovate[bot])
- chore(deps): update module gorilla/mux to v1.8.0 #1321 (opens new window) (@renovate[bot])
- chore(deps): update module gorilla/handlers to v1.5.0 #1320 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to c890458 #1319 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (opens new window) (@renovate[bot])
- Upgrade zipkin-go to v0.2.3 #1288 (opens new window) (@cuonglm)
- chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (opens new window) (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (opens new window) (@renovate[bot])
- .github/workflows: upgrade to go1.15 #1258 (opens new window) (@cuonglm)
- Fix tests failed with go115 #1257 (opens new window) (@cuonglm)
- chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (opens new window) (@renovate[bot])
- Update module google.golang.org/api to v0.30.0 #1235 (opens new window) (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (opens new window) (@renovate[bot])
# Deployment
- ci: automatically update test environment with master #1562 (opens new window) (@travisgroth)
- deployment: add debug build / container / docs #1513 (opens new window) (@travisgroth)
- deployment: Generate deb and rpm packages #1458 (opens new window) (@travisgroth)
- deployment: bump release go to v1.15.x #1439 (opens new window) (@desimone)
- ci: publish cloudrun latest tag #1398 (opens new window) (@travisgroth)
- deployment: fully split release archives and brews #1365 (opens new window) (@travisgroth)
- Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (opens new window) (@rspier)
- Use apt-get instead of apt to eliminate warning. #1344 (opens new window) (@rspier)
- deployment: add goimports with path awareness #1316 (opens new window) (@desimone)
# Changed
- ci: fix release workflow syntax #1592 (opens new window) (@travisgroth)
- ci: update changelog generation to script #1589 (opens new window) (@travisgroth)
- [Backport 0-10-0] docs: add round logo #1575 (opens new window) (@github-actions[bot])
- tidy #1494 (opens new window) (@desimone)
- dev: add remote container debug configs #1459 (opens new window) (@desimone)
- ci: add stale issue automation #1366 (opens new window) (@travisgroth)
- internal/urlutil: remove un-used constants #1326 (opens new window) (@cuonglm)
- integration: add forward auth test #1312 (opens new window) (@cuonglm)
- pkg/storage/redis: update tests to use local certs + upstream image #1306 (opens new window) (@travisgroth)
- config: omit empty subpolicies in yaml/json #1229 (opens new window) (@travisgroth)
- Cuonglm/increase coverage 1 #1227 (opens new window) (@cuonglm)
# v0.10.6 (opens new window) (2020-09-30)
Full Changelog (opens new window)
# Changed
- docs: Update changelog for v0.10.6 #1477 (opens new window) (@travisgroth)
- [Backport 0-10-0] deps: update envoy arm64 to v1.15.1 #1476 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] chore(deps): envoy 1.15.1 #1474 (opens new window) (@github-actions[bot])
# v0.10.5 (opens new window) (2020-09-28)
Full Changelog (opens new window)
# Documentation
- docs: Update changelog for v0.10.5 #1469 (opens new window) (@travisgroth)
# Changed
- redis: use pubsub instead of keyspace events #1451 (opens new window) (@calebdoxsey)
# v0.10.4 (opens new window) (2020-09-22)
Full Changelog (opens new window)
# Documentation
- docs: update 0.10.4 changelog #1441 (opens new window) (@travisgroth)
- Add v0.10.4 changelog entry #1437 (opens new window) (@travisgroth)
# Changed
- [Backport 0-10-0] httputil: remove retry button #1440 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] proxy: always use https for application callback #1435 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] redirect-server: add config headers to responses #1427 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] controlplane: remove p-521 EC #1423 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] controlplane: support P-384 / P-512 EC curves #1410 (opens new window) (@github-actions[bot])
# v0.10.3 (opens new window) (2020-09-11)
Full Changelog (opens new window)
# Changed
- Update changelog for v0.10.3 #1401 (opens new window) (@travisgroth)
- [Backport 0-10-0] ci: publish cloudrun latest tag #1399 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] proxy: remove impersonate headers for kubernetes #1396 (opens new window) (@travisgroth)
- [Backport 0-10-0] docs: update azure docs #1385 (opens new window) (@github-actions[bot])
- internal/directory/okta: remove rate limiter (#1370) #1371 (opens new window) (@cuonglm)
- [Backport 0-10-0] internal/directory/okta: accept non-json service account #1360 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] internal/controlplane: add telemetry http handler #1355 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] docs: add nginx example #1339 (opens new window) (@github-actions[bot])
# v0.10.2 (opens new window) (2020-08-26)
Full Changelog (opens new window)
# Documentation
- docs: update change log for 0.10.2 #1330 (opens new window) (@travisgroth)
# Changed
- Backport go 1.15 changes for 0-10-0 #1334 (opens new window) (@travisgroth)
- [Backport 0-10-0] internal/directory/okta: improve API requests #1332 (opens new window) (@travisgroth)
- autocert: fix locking issue (#1310) #1311 (opens new window) (@calebdoxsey)
# v0.10.1 (opens new window) (2020-08-20)
Full Changelog (opens new window)
# Documentation
- [Backport 0-10-0] Docs/enterprise button #1246 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] docs: add / redirect #1242 (opens new window) (@github-actions[bot])
# Changed
- docs: v0.10.1 changelog #1308 (opens new window) (@travisgroth)
- [Backport 0-10-0] pkg/storage/redis: update tests to use local certs + upstream image #1307 (opens new window) (@github-actions[bot])
- azure: support deriving credentials from client id, client secret and… #1301 (opens new window) (@calebdoxsey)
- [Backport 0-10-0] autocert: fix bootstrapped cache store path #1291 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] docs: use .com sitemap hostname #1275 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] docs: fix in-action video #1269 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] docs: image, sitemap and redirect fixes #1265 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] docs: prepare for enterprise / oss split #1239 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] authorize: add databroker url check #1231 (opens new window) (@github-actions[bot])
- [Backport 0-10-0] config: omit empty subpolicies in yaml/json #1230 (opens new window) (@github-actions[bot])
# v0.10.0
# Changes
- Add storage backend interface @cuonglm GH-1072
- all: update outdated comments about OptionsUpdater interface @cuonglm GH-1207
- Allow specify go executable in Makefile @cuonglm GH-1008
- audit: add protobuf definitions @calebdoxsey GH-1047
- authenticate: hide impersonation form from non-admin users @cuonglm GH-979
- authenticate: move impersonate from proxy to authenticate @calebdoxsey GH-965
- authenticate: remove useless/duplicated code block @cuonglm GH-962
- authenticate: revoke current session oauth token before sign out @cuonglm GH-964
- authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
- authorize: add evaluator store @calebdoxsey GH-1105
- authorize: add test for denied response @cuonglm GH-1197
- authorize: avoid serializing databroker data map to improve performance @calebdoxsey GH-995
- authorize: clear session state if session was deleted in databroker @cuonglm GH-1053
- authorize: derive check response message from reply message @cuonglm GH-1193
- authorize: include "kid" in JWT header @cuonglm GH-1049
- authorize: store policy evaluator on success only @cuonglm GH-1206
- authorize/evaluator: add more test cases @cuonglm GH-1198
- authorize/evaluator: fix wrong custom policies decision @cuonglm GH-1199
- authorize/evaluator/opa: use route policy object instead of array index @cuonglm GH-1001
- cache: add client telemetry @travisgroth GH-975
- cache: add test for runMemberList @cuonglm GH-1007
- cache: attempt to join memberlist cluster for sanity check @travisgroth GH-1004
- cache: fix missing parameter @travisgroth GH-1005
- cache: only run memberlist for in-memory databroker @travisgroth GH-1224
- ci: Add cloudrun build @travisgroth GH-1097
- ci: support rc releases @travisgroth GH-1011
- cmd/pomerium-cli: do not require terminal with cached creds @travisgroth GH-1196
- config: add check to assert service account is required for policies with allowed_groups @desimone GH-997
- config: add support for policies stored in the databroker @calebdoxsey GH-1099
- config: additional kubernetes token source support @travisgroth GH-1200
- config: allow setting directory sync interval and timeout @cuonglm GH-1098
- config: default to google idp credentials for serverless @travisgroth GH-1170
- config: fix loading storage client cert from wrong location @travisgroth GH-1212
- config: Set loopback address by ipv4 IP @travisgroth GH-1116
- cryptutil: move to pkg dir, add token generator @calebdoxsey GH-1029
- deployment: fix brew creation for pomerium-cli @travisgroth GH-1192
- directory.Group entry for groups @calebdoxsey GH-1118
- docs/docs: update upgrading to mention redis storage backend @cuonglm GH-1172
- envoy: disable idle timeouts to controlplane @travisgroth GH-1000
- grpc: rename internal/grpc to pkg/grpc @calebdoxsey GH-1010
- grpc: use relative paths in codegen @desimone GH-1106
- grpcutil: add functions for JWTs in gRPC metadata @calebdoxsey GH-1165
- Increasing authorize coverage @cuonglm GH-1221
- integration: add dummy value for idp_service_account @cuonglm GH-1009
- internal/controlplane: set envoy prefix rewrite if present @cuonglm GH-1034
- internal/controlplane: using envoy strip host port matching @cuonglm GH-1126
- internal/databroker: handle new db error @cuonglm GH-1129
- internal/databroker: store server version @cuonglm GH-1121
- internal/directory: improve google user groups list @cuonglm GH-1092
- internal/directory: use both id and name for group @cuonglm GH-1086
- internal/directory/google: return both group e-mail and id @travisgroth GH-1083
- internal/frontend/assets/html: make timestamp human readable @cuonglm GH-1107
- internal/sessions: handle claims "ver" field generally @cuonglm GH-990
- internal/urlutil: add tests for GetDomainsForURL @cuonglm GH-1183
- memberlist: use bufio reader instead of scanner @calebdoxsey GH-1002
- config: options refactor @calebdoxsey GH-1088
- pkg: add grpcutil package @calebdoxsey GH-1032
- pkg/storage: add package docs @cuonglm GH-1078
- pkg/storage: change backend interface to return error @cuonglm GH-1131
- pkg/storage: introduce storage.Backend Watch method @cuonglm GH-1135
- pkg/storage: make Watch returns receive only channel @cuonglm GH-1211
- pkg/storage/redis: do not use timeout to signal redis conn to stop @cuonglm GH-1155
- pkg/storage/redis: fix multiple data race @cuonglm GH-1210
- pkg/storage/redis: metrics updates @travisgroth GH-1195
- pkg/storage/redis: move last version to redis @cuonglm GH-1134
- proxy: add support for spdy upgrades @travisgroth GH-1203
- proxy: avoid second policy validation @travisgroth GH-1204
- proxy: refactor handler setup code @travisgroth GH-1205
- set session state expiry @calebdoxsey GH-1215
- Sleep longer before running integration tests @cuonglm GH-968
- telemetry: add tracing spans to cache and databroker @travisgroth GH-987
# New
- authenticate: allow hot reloaded admin users config @cuonglm [GH-984]
- authenticate: support hot reloaded config @cuonglm GH-984
- authorize: custom rego policies @calebdoxsey GH-1123
- authorize: include "kid" in JWT headers @cuonglm [GH-1046]
- azure: use OID for user id in session @calebdoxsey GH-985
- config: add pass_identity_headers @cuonglm [GH-903]
- config: add remove_request_headers @cuonglm [GH-822]
- config: both base64 and file reference can be used for "certificates" @dmitrif [GH-1055]
- config: change config key parsing to attempt Base64 decoding first. @dmitrif GH-1055
- config: change default log level to INFO @cuonglm [GH-902]
- custom rego in databroker @calebdoxsey GH-1124
- databroker server backend config @cuonglm GH-1127
- databroker: add encryption for records @calebdoxsey GH-1168
- deploy: Add homebrew tap publishing @travisgroth GH-1179
- deployment: cut separate archive for cli @desimone GH-1177
- directory: add service account struct and parsing method @calebdoxsey GH-971
- envoy: enable strip host port matching @cuonglm [GH-1126]
- github: implement github directory provider @calebdoxsey GH-963
- google: store directory information by user id @calebdoxsey GH-988
- identity: support custom code flow request params @desimone GH-998
- implement google cloud serverless authentication @calebdoxsey GH-1080
- internal/directory/okta: store directory information by user id @cuonglm GH-991
- internal/directory/onelogin: store directory information by user id @cuonglm GH-992
- kubernetes apiserver integration @calebdoxsey GH-1063
- pkg/storage/redis: add authentication support @cuonglm GH-1159
- pkg/storage/redis: add redis TLS support @cuonglm GH-1163
- pomerium-cli k8s exec-credential @calebdoxsey GH-1073
- redis storage backend @cuonglm GH-1082
- telemetry: add databroker storage metrics and tracing @travisgroth GH-1161
- use custom binary for arm64 linux release @calebdoxsey GH-1065
# Fixed
- authenticate: fix wrong condition checking in VerifySession @cuonglm GH-1146
- authenticate: fix wrong SignIn telemetry name @cuonglm GH-1038
- authorize: Force redirect scheme to https @travisgroth GH-1075
- authorize: strip port from host header if necessary @cuonglm GH-1175
- authorize/evaluator/opa: set client tls cert usage explicitly @travisgroth GH-1026
- authorize/evaluator/opa/policy: fix allow rules with impersonate @cuonglm GH-1094
- cache: fix data race in NotifyJoin @cuonglm GH-1028
- ci: fix arm docker image releases @travisgroth GH-1178
- ci: Prevent dirty git state @travisgroth GH-1117
- ci: release fixes @travisgroth GH-1181
- config: fix deep copy of config @calebdoxsey GH-1089
- controlplane: add robots route @desimone GH-966
- deploy: ensure pomerium-cli is built correctly @travisgroth GH-1180
- deployment: fix pomerium-cli release @desimone GH-1104
- envoy: Set ExtAuthz Cluster name to URL Host @travisgroth GH-1132
- fix databroker restart versioning, handle missing sessions @calebdoxsey GH-1145
- fix lint errors @travisgroth GH-1171
- fix redirect loop, remove user/session services, remove duplicate deleted_at fields @calebdoxsey GH-1162
- handle example.com and example.com:443 @calebdoxsey GH-1153
- internal/controlplane: enable envoy use remote address @cuonglm GH-1023
- internal/databroker: fix wrong server version init @cuonglm GH-1125
- pkg/grpc: fix wrong audit protoc gen file @cuonglm GH-1048
- pkg/storage/redis: handling connection to redis backend failure @cuonglm GH-1174
- pomerium-cli: fix kubernetes token caching @calebdoxsey GH-1169
- pomerium-cli: kubernetes fixes @calebdoxsey GH-1176
- proxy: do not set X-Pomerium-Jwt-Assertion/X-Pomerium-Claim-* headers by default @cuonglm [GH-903]
- proxy: fix invalid session after logout in forward auth mode @cuonglm GH-1062
- proxy: fix redirect url with traefik forward auth @cuonglm GH-1037
- proxy: fix wrong forward auth request @cuonglm GH-1030
# Documentation
- docs: Update synology.md @roulesse GH-1219
- docs: add installation section @travisgroth GH-1223
- docs: add kubectl config commands @travisgroth GH-1152
- docs: add kubernetes docs @calebdoxsey GH-1087
- docs: add recipe for TiddlyWiki on Node.js @favadi GH-1143
- docs: add required in cookie_secret @mig4ng GH-1142
- docs: add warnings cones around requiring IdP Service Accounts @travisgroth GH-999
- docs: cloud Run / GCP Serverless @travisgroth GH-1101
- docs: document preserve_host_header with policy routes to static ip @cuonglm GH-1024
- docs: fix incorrect example middleware @travisgroth GH-1128
- docs: fix links, clarify upgrade guide for v0.10 @desimone GH-1220
- docs: fix minor errors @travisgroth GH-1214
- docs: Kubernetes topic @travisgroth GH-1222
- docs: Move examples repo into main repo @travisgroth GH-1102
- docs: Redis and stateful storage docs @travisgroth GH-1173
- docs: refactor sections, consolidate examples @desimone GH-1164
- docs: rename docs/reference to docs/topics @desimone GH-1182
- docs: service account instructions for azure @calebdoxsey GH-969
- docs: service account instructions for gitlab @calebdoxsey GH-970
- docs: update architecture diagrams + descriptions @travisgroth GH-1218
- docs: update GitHub documentation for service account @calebdoxsey GH-967
- docs: Update Istio VirtualService example @jeffhubLR GH-1006
- docs: update okta service account docs to match new format @calebdoxsey GH-972
- Docs: Update README stating specific requirements for SIGNING_KEY @bradjones1 GH-1217
- docs: update reference docs @desimone GH-1208
- docs: update service account instructions for OneLogin @calebdoxsey GH-973
- docs: update upgrading document for breaking changes @calebdoxsey GH-974
- docs/.vuepress: fix missing local-oidc recipes section @cuonglm GH-1147
- docs/configuration: add doc for trailing slash limitation in "To" field @cuonglm GH-1040
- docs/docs: add changelog for #1055 @cuonglm GH-1084
- docs/docs/identity-providers: document gitlab default scopes changed @cuonglm GH-980
- docs/recipes: add local oidc example @cuonglm GH-1045
# Dependency
- chore(deps): bump envoy to 1.15.0 @desimone GH-1119
- chore(deps): google.golang.org/genproto commit hash to da3ae01 @renovate GH-1138
- chore(deps): module google/go-cmp to v0.5.1 @renovate GH-1139
- chore(deps): update envoy to 1.14.4 @desimone GH-1076
- chore(deps): update github.com/skratchdot/open-golang commit hash to eef8423 @renovate GH-1108
- chore(deps): update golang.org/x/crypto commit hash to 123391f @renovate GH-1184
- chore(deps): update golang.org/x/crypto commit hash to 948cd5f @renovate GH-1056
- chore(deps): update golang.org/x/net commit hash to 4c52546 @renovate GH-1017
- chore(deps): update golang.org/x/net commit hash to ab34263 @renovate GH-1057
- chore(deps): update golang.org/x/sync commit hash to 6e8e738 @renovate GH-1018
- chore(deps): update google.golang.org/genproto commit hash to 11fb19a @renovate GH-1109
- chore(deps): update google.golang.org/genproto commit hash to 8145dea @renovate GH-1185
- chore(deps): update google.golang.org/genproto commit hash to 8698661 @renovate GH-1058
- chore(deps): update google.golang.org/genproto commit hash to 8e8330b @renovate GH-1039
- chore(deps): update google.golang.org/genproto commit hash to ee7919e @renovate GH-1019
- chore(deps): update google.golang.org/genproto commit hash to fbb79ea @renovate GH-945
- chore(deps): update module cenkalti/backoff/v4 to v4.0.2 @renovate GH-946
- chore(deps): update module contrib.go.opencensus.io/exporter/jaeger to v0.2.1 @renovate GH-1186
- chore(deps): update module contrib.go.opencensus.io/exporter/zipkin to v0.1.2 @renovate GH-1187
- chore(deps): update module envoyproxy/go-control-plane to v0.9.6 @renovate GH-1059
- chore(deps): update module go.opencensus.io to v0.22.4 @renovate GH-948
- chore(deps): update module golang/mock to v1.4.4 @renovate GH-1188
- chore(deps): update module google.golang.org/api to v0.28.0 @renovate GH-949
- chore(deps): update module google.golang.org/api to v0.29.0 @renovate GH-1060
- chore(deps): update module google.golang.org/grpc to v1.30.0 @renovate GH-1020
- chore(deps): update module google.golang.org/grpc to v1.31.0 @renovate GH-1189
- chore(deps): update module google.golang.org/protobuf to v1.25.0 @renovate GH-1021
- chore(deps): update module google/go-cmp to v0.5.0 @renovate GH-950
- chore(deps): update module hashicorp/memberlist to v0.2.2 @renovate GH-951
- chore(deps): update module open-policy-agent/opa to v0.21.0 @renovate GH-952
- chore(deps): update module open-policy-agent/opa to v0.21.1 @renovate GH-1061
- chore(deps): update module open-policy-agent/opa to v0.22.0 @renovate GH-1110
- chore(deps): update module prometheus/client_golang to v1.7.0 @renovate GH-953
- chore(deps): update module prometheus/client_golang to v1.7.1 @renovate GH-1022
- chore(deps): update module spf13/cobra to v1 @renovate GH-1111
- chore(deps): update module spf13/viper to v1.7.1 @renovate GH-1190
- chore(deps): bump opa v0.21.0 @desimone GH-993
# v0.9.1
# Security
- envoy: fixes CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters
# v0.9.0
# New
- proxy: envoy is now used to handle proxying
- authenticate: add jwks and .well-known endpoint @desimone [GH-745]
- authorize: add client mTLS support @calebdoxsey [GH-751]
# Fixed
- cache: fix closing too early @calebdoxsey [GH-791]
- authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795]
- authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792]
- authenticate: clear session if ctx fails @desimone [GH-806]
- telemetry: fix autocache labels @travisgroth [GH-805]
- telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804]
- authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]
# Changes
- authenticate: remove authorize url validate check @calebdoxsey [GH-790]
- authorize: reduce log noise for empty jwt @calebdoxsey [GH-793]
- authorize: refactor and add additional unit tests @calebdoxsey [GH-757]
- envoy: add GRPC stats handler to control plane service @travisgroth [GH-744]
- envoy: enable zipkin tracing @travisgroth [GH-737]
- envoy: improvements to logging @calebdoxsey [GH-742]
- envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750]
- envoy: support ports in hosts for routing @calebdoxsey [GH-748]
- forward-auth: support x-forwarded-uri @calebdoxsey [GH-780]
- proxy/forward-auth: block expired request prior to 302 @desimone [GH-773]
- sessions/state: add nickname claim @BenoitKnecht [GH-755]
- state: infer user (`user`) from subject (`sub`) @desimone [GH-772]
- telemetry: refactor GRPC Server Handler @travisgroth [GH-756]
- telemetry: service label updates @travisgroth [GH-802]
- xds: add catch-all for pomerium routes @calebdoxsey [GH-789]
- xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783]
# Documentation
- docs: add mTLS recipe @calebdoxsey [GH-807]
- docs: add argo recipe @calebdoxsey [GH-803]
- docs: update dockerfiles for v0.9.0 @calebdoxsey [GH-801]
- docs: typo on configuration doc @kintoandar [GH-800]
- docs: docs regarding claim headers @strideynet [GH-782]
- docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784]
- docs: add note about unsupported platforms @calebdoxsey [GH-799]
- docs: expose config parameters in sidebar @travisgroth [GH-797]
- docs: update examples @travisgroth [GH-796]
# v0.8.3
# Changes
- state: infer user (`user`) from subject (`sub`) @desimone GH-772
- proxy/forward-auth: block expired request prior to 302 @desimone GH-773
# v0.8.2
# Security
This release includes a fix for a bug that, under certain circumstances, could allow a user with a valid but expired session to resend a request to an upstream application. The repeated request would not return a response, but could reach the upstream application. Thank you to @selaux for reporting this issue! [GH-762]
# v0.8.1
# Fixed
- authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]
# v0.8.0
To see a complete list of changes see the diff.
# New
- cryptutil: add automatic certificate management @desimone GH-644
- implement path-based route matching @calebdoxsey GH-615
- internal/identity: implement github provider support @Lumexralph GH-582
- proxy: add configurable JWT claim headers @travisgroth (#596)
- proxy: remove extra session unmarshalling @desimone (#592)
# Changes
- ci: Switch integration tests from minikube to kind @travisgroth GH-656
- integration-tests: add CORS test @calebdoxsey GH-662
- integration-tests: add websocket enabled/disabled test @calebdoxsey GH-661
- integration-tests: set_request_headers and preserve_host_header options @calebdoxsey GH-668
- pre-commit: add pre-commit configuration @calebdoxsey GH-666
- proxy: improve JWT header behavior @travisgroth GH-642
# Fixed
- authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey GH-624
- authorize: fix unexpected panic on reload @travisgroth GH-652
- site: fix site on mobile @desimone GH-597
# Documentation
- deploy: autocert documentation and defaults @travisgroth GH-658
# v0.7.5
# Fixed
- authorize: fix authorization check for allowed_domains to only match current route @calebdoxsey GH-624
# v0.7.4
# Fixed
- pomerium-cli: fix service account cli @desimone GH-613
# v0.7.3
# Fixed
- Upgrade gRPC to 1.27.1 @travisgroth GH-609
# v0.7.2
# Changes
- proxy: remove extra session unmarshalling @desimone GH-592
- proxy: add configurable JWT claim headers @travisgroth GH-596
- grpcutil: remove unused pkg @desimone GH-593
# Fixed
- site: fix site on mobile @desimone GH-597
# Documentation
- site: fix site on mobile @desimone GH-597
# Dependency
- chore(deps): update vuepress monorepo to v1.4.0 @renovate GH-559
# v0.7.1
There were no changes in the v0.7.1 release, but we updated the build process slightly.
# v0.7.0
# New
- *: remove import path comments @desimone GH-545
- authenticate: make callback path configurable @desimone GH-493
- authenticate: return 401 for some specific error codes @cuonglm GH-561
- authorization: log audience claim failure @desimone GH-553
- authorize: use jwt instead of state struct @desimone GH-514
- authorize: use opa for policy engine @desimone GH-474
- cmd: add cli to generate service accounts @desimone GH-552
- config: Expose and set default GRPC Server Keepalive Parameters @travisgroth GH-509
- config: Make IDP_PROVIDER env var mandatory @mihaitodor GH-536
- config: Remove superfluous Options.Checksum type conversions @travisgroth GH-522
- gitlab/identity: change group unique identifier to ID @Lumexralph GH-571
- identity: support oidc UserInfo Response @desimone GH-529
- internal/cryptutil: standardize leeway to 5 mins @desimone GH-476
- metrics: Add storage metrics @travisgroth GH-554
# Fixed
- cache: add option validations @desimone GH-468
- config: Add proper yaml tag to Options.Policies @travisgroth GH-475
- ensure correct service name on GRPC related metrics @travisgroth GH-510
- fix group impersonation @desimone GH-569
- fix sign-out bug, fixes #530 @desimone GH-544
- proxy: move set request headers before handle allow public access @ohdarling GH-479
- use service port for session audiences @travisgroth GH-562
# Documentation
- fix `the` typo @ilgooz GH-566
- fix kubernetes dashboard recipe docs @desimone GH-504
- make from source quickstart @desimone GH-519
- update background @desimone GH-505
- update helm for v3 @desimone GH-469
- various fixes @desimone GH-478
- fix cookie_domain @nitper GH-472
# Dependency
- chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate GH-480
- chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate GH-537
- chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate GH-574
- chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate GH-538
- chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate GH-481
- chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate GH-556
- chore(deps): update module fatih/color to v1.9.0 @renovate GH-575
- chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate GH-539
- chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate GH-557
- chore(deps): update module go.opencensus.io to v0.22.3 @renovate GH-483
- chore(deps): update module golang/mock to v1.4.0 @renovate GH-470
- chore(deps): update module golang/mock to v1.4.3 @renovate GH-540
- chore(deps): update module golang/protobuf to v1.3.4 @renovate GH-485
- chore(deps): update module golang/protobuf to v1.3.5 @renovate GH-541
- chore(deps): update module google.golang.org/api to v0.20.0 @renovate GH-495
- chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate GH-496
- chore(deps): update module gorilla/mux to v1.7.4 @renovate GH-506
- chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate GH-497
- chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate GH-513
- chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate GH-558
- chore(deps): update module prometheus/client_golang to v1.4.1 @renovate GH-498
- chore(deps): update module prometheus/client_golang to v1.5.0 @renovate GH-531
- chore(deps): update module prometheus/client_golang to v1.5.1 @renovate GH-543
- chore(deps): update module rakyll/statik to v0.1.7 @renovate GH-517
- chore(deps): update module rs/zerolog to v1.18.0 @renovate GH-507
- chore(deps): update module yaml to v2.2.8 @renovate GH-471
- ci: Consolidate matrix build parameters @travisgroth GH-521
- dependency: use go mod redis @desimone GH-528
- deployment: throw away golanglint-ci defaults @desimone GH-439
- deps: enable automerge and set labels on renovate PRs @travisgroth GH-527
- Roll back grpc to v1.25.1 @travisgroth GH-484
# v0.6.0
# New
- authenticate: support backend refresh @desimone GH-438
- cache: add cache service @desimone GH-457
# Changed
- authorize: consolidate gRPC packages @desimone GH-443
- config: added yaml tags to all options struct fields @travisgroth GH-394, GH-397
- config: improved config validation for `shared_secret` @travisgroth GH-427
- config: Remove CookieRefresh GH-428 @u5surf GH-436
- config: validate that `shared_key` does not contain whitespace @travisgroth GH-427
- httputil: wrap handlers for additional context @desimone GH-413
- forward-auth: validate using forwarded uri header @branchmispredictor GH-600
# Fixed
- proxy: fix unauthorized redirect loop for forward auth @desimone GH-448
- proxy: fixed regression preventing policy reload GH-396
# Documentation
- add cookie settings @danderson GH-429
- fix typo in forward auth nginx example @travisgroth GH-445
- improved sentence flow and other stuff @Rio GH-422
- rename fwdauth to be forwardauth @desimone GH-447
# Dependency
- chore(deps): update golang.org/x/crypto commit hash to 61a8779 @renovate GH-452
- chore(deps): update golang.org/x/crypto commit hash to 530e935 @renovate GH-458
- chore(deps): update golang.org/x/crypto commit hash to 53104e6 @renovate GH-431
- chore(deps): update golang.org/x/crypto commit hash to e9b2fee @renovate GH-414
- chore(deps): update golang.org/x/oauth2 commit hash to 858c2ad @renovate GH-415
- chore(deps): update golang.org/x/oauth2 commit hash to bf48bf1 @renovate GH-453
- chore(deps): update module google.golang.org/grpc to v1.26.0 @renovate GH-433
- chore(deps): update module google/go-cmp to v0.4.0 @renovate GH-454
- chore(deps): update module spf13/viper to v1.6.1 @renovate GH-423
- chore(deps): update module spf13/viper to v1.6.2 @renovate GH-459
- chore(deps): update module square/go-jose to v2.4.1 @renovate GH-435
# v0.5.0
# New
- Session state is now route-scoped. Each managed route uses a transparent, signed JSON Web Token (JWT) to assert identity.
- Managed routes no longer need to be under the same subdomain! Access can be delegated to any route, on any domain.
- Programmatic access now also uses JWT tokens. Access tokens are now generated via a standard oauth2 token flow, and credentials can be refreshed for as long as is permitted by the underlying identity provider.
- User dashboard now pulls in additional user context fields (where supported) like the profile picture, first and last name, and so on.
# Security
- Some identity providers (Okta, Onelogin, and Azure) previously used mutable signifiers to set and assert group membership. Group membership for all providers now uses globally unique and immutable identifiers when available.
# Changed
- Azure AD identity provider now uses the globally unique and immutable `ID` for group membership.
- Okta no longer uses tokens to retrieve group membership. Group membership is now fetched using Okta's HTTP API. Group membership is now determined by the globally unique and immutable `ID` field.
- Okta now requires an additional set of credentials, set as a service account, to be used to query for group membership.
- URLs are no longer validated to be on the same domain-tree as the authenticate service. Managed routes can live on any domain.
- OneLogin no longer uses tokens to retrieve group membership. Group membership is now fetched using OneLogin's HTTP API. Group membership is now determined by the globally unique and immutable `ID` field.
# Removed
- Force refresh has been removed from the dashboard.
- Previous programmatic authentication endpoints (`/api/v1/token`) have been removed and are no longer supported.
# Fixed
- Fixed an issue where cookie sessions would not clear on error. GH-376
# v0.4.2
# Security
- Fixes vulnerabilities fixed in Go 1.13.2 including CVE-2019-17596.
# v0.4.1
# Fixed
- Fixed an issue where requests handled by forward-auth would not be redirected back to the underlying route after successful authentication and authorization. GH-363
- Fixed an issue where requests handled by forward-auth would add an extraneous query-param following sign-in causing issues in some configurations. GH-366
# v0.4.0
# New
- Allow setting request headers on a per route basis in policy. GH-308
- Support "forward-auth" integration with third-party ingresses and proxies. nginx, nginx-ingress, and Traefik are currently supported. GH-324
- Add insecure transport / TLS termination support. GH-328
- Add setting to override a route's TLS Server Name. GH-297
- Pomerium's session can now be passed as a bearer-auth header or query string in addition to as a session cookie.
- Add host to the main request logger middleware. GH-308
- Add AWS cognito identity provider settings. GH-314
# Security
- The user's original intended location before completing the authentication process is now encrypted and kept confidential from the identity provider. GH-316
- Under certain circumstances, where debug logging was enabled, pomerium's shared secret could be leaked to http access logs as a query param. GH-338
# Fixed
- Fixed an issue where CSRF would fail if multiple tabs were open. GH-306
- Fixed an issue where pomerium would clean double slashes from paths. GH-262
- Fixed a bug where the impersonate form would persist an empty string for groups value if none set. GH-303
- Fixed HTTP redirect server which was not redirecting the correct hostname.
# Changed
- The healthcheck endpoints (`/ping`) now return the HTTP status 405 `StatusMethodNotAllowed` for non-GET requests.
- Authenticate service no longer uses gRPC.
- The global request logger now captures the full array of proxies from `X-Forwarded-For`, in addition to just the client IP.
- Options code refactored to eliminate global Viper state. GH-332
- Pomerium will no longer default to looking for certificates in the root directory. GH-328
- Pomerium will validate that either `insecure_server`, or a valid certificate bundle is set. GH-328
# Removed
- Removed `AUTHENTICATE_INTERNAL_URL`/`authenticate_internal_url` which is no longer used.
# v0.3.1
# Security
- Fixes vulnerabilities fixed in Go 1.13.1 including CVE-2019-16276.
# v0.3.0
# New
- GRPC Improvements. GH-261 / GH-69
  - Enable WaitForReady to allow background retries through transient failures
  - Expose a configurable timeout for backend requests to Authorize and Authenticate
  - Enable DNS round_robin load balancing to Authorize and Authenticate services by default
- Add ability to set client certificates for downstream connections. GH-259
# Fixed
- Fixed non-`amd64` based docker images. GH-284
- Fixed an issue where stripped cookie headers would result in a cookie full of semi-colons (`Cookie: ;;;`). GH-285
- HTTP status codes now better adhere to RFC7235. In particular, authentication failures reply with 401 Unauthorized while authorization failures reply with 403 Forbidden. GH-272
# Changed
- Pomerium will now strip `_csrf` cookies in addition to session cookies. GH-285
- Disabled gRPC service config. GH-280
- A policy's custom certificate authority can be set as a file or a base64 encoded blob (`tls_custom_ca`/`tls_custom_ca_file`). GH-259
- Remove references to service named ports and instead use their numeric equivalent. GH-266
# v0.2.1
# Security
- Fixes vulnerabilities fixed in Go 1.12.8 including CVE-2019-9512, CVE-2019-9514 and CVE-2019-14809.
# v0.2.0
# New
# Telemetry GH-35
Tracing GH-230, aka distributed tracing, provides insight into the full lifecycles, aka traces, of requests to the system, allowing you to pinpoint failures and performance issues.
- Add Jaeger support. GH-230
Metrics provide quantitative information about processes running inside the system, including counters, gauges, and histograms.
- Add informational metrics. GH-227
- GRPC Metrics Implementation. GH-218
  - Additional GRPC server metrics and request sizes
  - Improved GRPC metrics implementation internals
  - The GRPC method label is now `grpc_method` and GRPC status is now `grpc_client_status` and `grpc_server_status`
- HTTP Metrics Implementation. GH-220
  - Support HTTP request sizes on client and server side of proxy
  - Improved HTTP metrics implementation internals
  - The HTTP method label is now `http_method`, and HTTP status label is now `http_status`
# Changed
- GRPC version upgraded to v1.22 GH-219
- Add support for large cookie sessions by chunking. GH-211
- Prefer curve X25519 to P256 for TLS connections. GH-233
- Pomerium and its services will gracefully shut down on interrupt signal. GH-230
- Google now prompts the user to select a user account (by adding `select_account` to the sign in url). This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.
# FIXED
- Fixed potential race condition when signing requests. GH-240
- Fixed panic when reloading configuration in single service mode GH-247
# v0.1.0
# NEW
- Add programmatic authentication support. GH-177
- Add Prometheus format metrics endpoint. GH-35
- Add policy setting to enable self-signed certificate support. GH-179
- Add policy setting to skip tls certificate verification. GH-179
# CHANGED
- Policy `to` and `from` settings must be set to valid HTTP URLs including schemes and hostnames (e.g. `http.corp.domain.example` should now be `https://http.corp.domain.example`).
- Proxy's sign out handler `{}/.pomerium/sign_out` now accepts an optional `redirect_uri` parameter which can be used to specify a custom redirect page, so long as it is under the same top-level domain. GH-183
- Policy configuration can now be empty at startup. GH-190
- Websocket support is now set per-route instead of globally. GH-204
- Golint removed from amd64 container. GH-215
- Pomerium will error if a session cookie is over 4096 bytes, instead of failing silently. GH-212
# FIXED
- Fixed HEADERS environment variable parsing. GH-188
- Fixed Azure group lookups. GH-190
- If a session is too large (over 4096 bytes) Pomerium will no longer fail silently. GH-211
- Internal URLs like dashboard now start auth process to login a user if no session is found. GH-205
- When set, `CookieDomain` lets a user set the scope of the user session. CSRF cookies will still always be scoped at the individual route level. GH-181
# v0.0.5
# NEW
- Add ability to detect changes and reload policy configuration files. GH-150
- Add user dashboard containing information about the current user's session. GH-123
- Add functionality allowing users to initiate manual refresh of their session. This is helpful when a user's access control details are updated but their session hasn't updated yet. To prevent abuse, manual refresh is gated by a cooldown (`REFRESH_COOLDOWN`) which defaults to five minutes. GH-73
- Add Administrator (super user) account support (`ADMINISTRATORS`). GH-110
- Add feature that allows Administrators to impersonate / sign-in as another user from the user dashboard. GH-110
- Add docker images and builds for ARM. GH-95
- Add support for public, unauthenticated routes. GH-129
# CHANGED
- Add Request ID to error pages. GH-144
- Refactor configuration handling to use spf13/viper bringing a variety of additional supported storage formats. GH-115
- Changed config `AUTHENTICATE_INTERNAL_URL` to be a URL containing both a valid hostname and scheme. GH-153
- User state is now maintained and scoped at the domain level vs at the route level. GH-128
- Error pages contain a link to sign out from the current user session. GH-100
- Removed `LifetimeDeadline` from `sessions.SessionState`.
- Removed favicon specific request handling. GH-131
- Headers are now configurable via the `HEADERS` configuration variable. GH-108
- Refactored proxy and authenticate services to share the same session state cookie. GH-131
- Removed instances of extraneous session state saves. GH-131
- Changed default behavior when no session is found. Users are now redirected to login instead of being shown an error page. GH-131
- Updated routes such that all http handlers are now wrapped with a standard set of middleware. Headers, request id, loggers, and health checks middleware are now applied to all routes including 4xx and 5xx responses. GH-116
- Changed docker images to be built from distroless. This fixed an issue with `nsswitch` GH-97, includes `ca-certificates` and limits the attack surface area of our images. GH-101
- Changed HTTP to HTTPS redirect server to be user configurable via `HTTP_REDIRECT_ADDR`. GH-103
- `Content-Security-Policy` hash updated to match new UI assets.
# FIXED
- Fixed websocket support. GH-151
- Fixed an issue where policy and routes were being pre-processed incorrectly. GH-132
- Fixed an issue where `golint` was not being found in our docker image. GH-121
# v0.0.4
# CHANGED
- HTTP Strict Transport Security is included by default and set to one year. GH-92
- HTTP now redirects to HTTPS. GH-92
- Removed extraneous `AUTHORIZE_INTERNAL_URL` config option since authorization has no public http handlers, only a gRPC service endpoint. GH-93
- Removed `PROXY_ROOT_DOMAIN` config option which is now inferred from `AUTHENTICATE_SERVICE_URL`. Only callback requests originating from a URL on the same sub-domain are permitted. GH-83
- Removed `REDIRECT_URL` config option which is now inferred from `AUTHENTICATE_SERVICE_URL` (e.g. `https://$AUTHENTICATE_SERVICE_URL/oauth2/callback`). GH-83
# FIXED
- Fixed a bug in the Google provider implementation where the `refresh_token`. Updated the google implementation to use the new `prompt=consent` oauth2 parameters. Reported and fixed by @chemhack GH-81
# DOCUMENTATION
- Added synology tutorial. GH-96
- Added certificates documentation. GH-79
# v0.0.3
# FEATURES
**Authorization**: The authorization module adds support for per-route access policy. In this release we support the most common forms of identity-based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context- and device-based authorization policy and decisions. See website documentation for more details.

**Group Support**: The authenticate service now retrieves a user's group membership information during authentication and refresh. This change may require additional identity provider configuration, all of which is described in the updated docs (opens new window). A brief summary of the requirements for each IdP is as follows:

- Google requires the Admin SDK (opens new window) to be enabled, a service account with properly delegated access, and `IDP_SERVICE_ACCOUNT` to be set to the base64-encoded value of the service account's key file.
- Okta requires a `groups` claim to be added to both the `id_token` and `access_token`. No additional API calls are made.
- Microsoft Azure Active Directory requires the application be given an additional API permission (opens new window), `Directory.Read.All`.
- OneLogin requires that the groups (opens new window) parameter was supplied during authentication and that the groups parameter has been mapped. Group membership is validated on refresh with the user-info API endpoint (opens new window).

**WebSocket Support**: With Go 1.12 (opens new window), Pomerium automatically proxies WebSocket requests.
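The per-route `allowed_users`, `allowed_groups` and `allowed_domains` checks described under Authorization, fed by the group membership that Group Support retrieves, can be shown as one small evaluator. The Go code below is an added example for these notes, not the project's policy engine: the `Policy` and `Identity` types, their field names, the `From` route key, and the deny-by-default, first-matching-route ordering are all this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is one per-route entry with the three identity-based matchers named
// in the release notes. Field names are this example's choice.
type Policy struct {
	From           string   // public hostname of the route, e.g. "app.corp.example.com"
	AllowedUsers   []string // exact e-mail addresses
	AllowedGroups  []string // group identifiers as supplied by the identity provider
	AllowedDomains []string // e-mail domains
}

// Identity is what the authenticate service learned about the user.
type Identity struct {
	Email  string
	Groups []string
}

// Authorize evaluates the first policy whose route matches host. It is deny
// by default: an unknown route, a policy with no matchers, or an identity
// that matches no matcher all yield false. The string explains the decision
// so it can be logged alongside the request.
func Authorize(policies []Policy, host string, id Identity) (bool, string) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	email := strings.ToLower(strings.TrimSpace(id.Email))
	for _, p := range policies {
		if strings.ToLower(p.From) != host {
			continue
		}
		// allowed_users: exact, case-insensitive e-mail match; an empty
		// e-mail never matches even if a policy lists an empty string.
		for _, u := range p.AllowedUsers {
			if email != "" && strings.ToLower(u) == email {
				return true, "allowed_users: " + email
			}
		}
		// allowed_groups: any overlap between the user's groups and the policy.
		for _, g := range p.AllowedGroups {
			for _, ug := range id.Groups {
				if g == ug {
					return true, "allowed_groups: " + g
				}
			}
		}
		// allowed_domains: the part after the last "@", compared case-insensitively.
		if at := strings.LastIndex(email, "@"); at >= 0 {
			domain := email[at+1:]
			for _, d := range p.AllowedDomains {
				if strings.ToLower(d) == domain {
					return true, "allowed_domains: " + d
				}
			}
		}
		return false, "no allowed_users, allowed_groups or allowed_domains entry matched"
	}
	return false, fmt.Sprintf("no policy for route %q", host)
}

func main() {
	// Constructed sample policy and identities for a stand-alone run.
	policies := []Policy{
		{From: "app.corp.example.com", AllowedGroups: []string{"engineering"}, AllowedDomains: []string{"partner.example"}},
		{From: "admin.corp.example.com", AllowedUsers: []string{"alice@example.com"}},
	}
	for _, id := range []Identity{
		{Email: "Alice@Example.com"},
		{Email: "bob@other.example", Groups: []string{"engineering"}},
		{Email: "mallory@partner.example.evil"},
	} {
		ok, why := Authorize(policies, "app.corp.example.com", id)
		fmt.Printf("%-30s %v (%s)\n", id.Email, ok, why)
	}
}
```

Only the first policy whose `From` matches the request host is consulted; if a deployment lists the same route twice, the later entry is ignored rather than merged, which keeps the evaluation predictable when reading the policy file.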
# CHANGED
- Added `LOG_LEVEL` config setting that allows for setting the desired minimum log level for an event to be logged. GH-74 (opens new window)
- Changed `POMERIUM_DEBUG` config setting to just do console-pretty printing. No longer sets log level. GH-74 (opens new window)
- Updated `generate_wildcard_cert.sh` to generate a 256-bit elliptic curve cert by default.
- Updated `env.example` to include a `POLICY` setting example.
- Added `IDP_SERVICE_ACCOUNT` to `env.example`.
- Removed `ALLOWED_DOMAINS` setting, which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files.
- Removed `ROUTES` setting, which has been replaced by `POLICY`.
- Added refresh endpoint `${url}/.pomerium/refresh` which forces a token refresh and responds with the JSON result.
- Group membership added to proxy headers (`x-pomerium-authenticated-user-groups`) and (`x-pomerium-jwt-assertion`).
- Default cookie lifetime (`COOKIE_EXPIRE`) changed from 7 days to 14 hours, roughly one business day.
- Moved identity (`authenticate/providers`) into its own internal identity package, as third-party identity providers are going to provide authorization details (group membership, user role, etc.) in addition to just authentication attributes.
- Removed circuit breaker package. Calls that were previously wrapped with a circuit breaker fall under gRPC timeouts, which are gated by relatively short timeouts.
- Session expiration times are truncated at the second.
- Removed GitLab provider. We can't support groups until this GitLab bug (opens new window) is fixed.
- Request context is now maintained throughout the request flow via the context package (opens new window), enabling timeouts, request tracing, and cancellation.
# FIXED
- `http.Server` and `httputil.NewSingleHostReverseProxy` now use Pomerium's logging package instead of the standard library's built-in one. GH-58 (opens new window)