Releases: pomerium/pomerium
Releases · pomerium/pomerium
v0.15.2
New
- allow pomerium to start without certs #2556 (@backport-actions-token[bot])
Fixed
- authorize: use session.user_id in headers #2572 (@backport-actions-token[bot])
- ppl: use session.user_id instead of user.id for user criterion #2563 (@backport-actions-token[bot])
- authorize: fix google cloudrun header audience #2560 (@backport-actions-token[bot])
- authorize: fix X-Pomerium-Claim-Groups #2540 (@backport-actions-token[bot])
Documentation
- docs: enterprise console v0.15.2 changelog #2565 (@backport-actions-token[bot])
- Docs: Fix merged PR #2547 (@backport-actions-token[bot])
- Update Ping Identity IdP #2545 (@backport-actions-token[bot])
- update OneLogin IdP doc #2544 (@backport-actions-token[bot])
- docs: enterprise v0.15.1 changelog #2543 (@backport-actions-token[bot])
- Updates to Enterprise Quickstart instructions #2531 (@backport-actions-token[bot])
v0.14.8
Security Notice
This release includes fixes to several high severity security issues in one of our dependencies, envoy.
We recommend that all users upgrade.
Security
- deps: bump envoy to v0.17.4 #2535 (@travisgroth)
Documentation
- docs: only secure schemes are supported #2410 (@backport-actions-token[bot])
- Docs bug fixes #2364 (@github-actions[bot])
- Docs backporting #2351 (@alexfornuto)
- docs: google gcp / workspace instructions #2350 (@github-actions[bot])
Changed
- chore(deps): upgrade kind action to v1.2.0 (#2281) #2366 (@travisgroth)
Contributors
alexfornuto and travisgroth
Assets 25
v0.15.1
Security Notice
This release includes fixes to several high severity security issues in one of our dependencies, envoy.
We recommend that all users upgrade.
Fixed
- options: remove refresh_cooldown, add allow_spdy to proto #2448 (@backport-actions-token[bot])
Security
- deps: update envoy to 1.19.1 #2527 (@backport-actions-token[bot])
Documentation
- update GitHub IdP doc #2508 (@backport-actions-token[bot])
- docs: update codeowners #2506 (@backport-actions-token[bot])
- Update Helm Instructions #2505 (@backport-actions-token[bot])
- Update Azure IdP Doc #2504 (@backport-actions-token[bot])
- Update IdP Overview Page #2502 (@backport-actions-token[bot])
- Update AWS cognito IdP doc #2501 (@backport-actions-token[bot])
- Auth0 Doc Refresh #2500 (@backport-actions-token[bot])
- document binding service to 443 #2499 (@backport-actions-token[bot])
- Update Okta IdP doc #2495 (@backport-actions-token[bot])
- adjust comment blocking #2489 (@backport-actions-token[bot])
- Update Docker Quickstart (#2482) #2486 (@alexfornuto)
- docs: use generic email #2485 (@backport-actions-token[bot])
- wrap header example values as inline code. #2479 (@backport-actions-token[bot])
- docs: clarify custom request header limitations #2472 (@backport-actions-token[bot])
- Document moving routes #2466 (@backport-actions-token[bot])
- Document tracing sample rate in console #2465 (@backport-actions-token[bot])
- docs: update enterprise helm instructions to use main repo #2464 (@backport-actions-token[bot])
- Enterprise Upgrade & Changelog Pages #2458 (@backport-actions-token[bot])
- Update binary install doc #2452 (@backport-actions-token[bot])
- docs: update branding, concepts #2449 (@backport-actions-token[bot])
- specify expected audience in Console config #2444 (@backport-actions-token[bot])
- redirect logo to the marketing site #2443 (@backport-actions-token[bot])
- docs: update branding #2440 (@backport-actions-token[bot])
- docs: update default version to v0.15 #2438 (@backport-actions-token[bot])
Dependency
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])
Deployment
- deployment: update goreleaser syntax #2525 (@backport-actions-token[bot])
- ci: support darwn/arm64 aka m1 for cli #2521 (@travisgroth)
Contributors
alexfornuto and travisgroth
Assets 28
v0.15.0
Breaking
- config: remove support for ed25519 signing keys #2430 (@calebdoxsey)
New
- telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
- authorize: log additional session details #2419 (@calebdoxsey)
- telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
- sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
- envoyconfig: improvements #2402 (@calebdoxsey)
- config: add support for embedded PPL policy #2401 (@calebdoxsey)
- ppl: remove support for aliases #2400 (@calebdoxsey)
- directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
- evaluator: use
cryptutil.Hashfor script spans #2384 (@desimone) - authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
- k8s: add flush-credentials command #2379 (@calebdoxsey)
- urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
- ci: use revive instead of golint #2370 (@calebdoxsey)
- authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
- envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
- config: add warning about http URLs #2358 (@calebdoxsey)
- authorize: log service account and impersonation details #2354 (@calebdoxsey)
- tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
- envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
- registry/redis: call publish from within lua function #2337 (@calebdoxsey)
- proxy: add idle timeout #2319 (@wasaga)
- cli: use proxy from environment #2316 (@tskinn)
- authorize: do not send redirects to gRPC #2314 (@wasaga)
- certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
- config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
- envoy: refactor envoy embedding #2296 (@calebdoxsey)
- envoy: add full version #2287 (@calebdoxsey)
- authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
- xds: retry storing configuration events #2266 (@calebdoxsey)
- envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
- authorize: preserve original context #2247 (@wasaga)
- ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
- ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
- ppl: convert config policy to ppl #2218 (@calebdoxsey)
- Pomerium Policy Language #2202 (@calebdoxsey)
- telemetry: add hostname tag to metrics #2191 (@wasaga)
- envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
- registry: implement redis backend #2179 (@calebdoxsey)
- report instance hostname in xds events #2175 (@wasaga)
- databroker: implement leases #2172 (@calebdoxsey)
Fixed
- config: remove grpc server max connection age options #2427 (@calebdoxsey)
- authorize: add sid to JWT claims #2420 (@calebdoxsey)
- disable http/2 for websockets #2399 (@calebdoxsey)
- ci: update gcloud action #2393 (@travisgroth)
- google: remove WithHTTPClient #2391 (@calebdoxsey)
- telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
- authorize: allow redirects on deny #2361 (@calebdoxsey)
- authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
- envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
- envoy: only check for pid with monitor #2355 (@calebdoxsey)
- fix: timeout in protobuf #2341 (@wasaga)
- authorize: support boolean deny results #2338 (@calebdoxsey)
- ppl: fix not/nor rules #2313 (@calebdoxsey)
- directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
- ocsp: reload on response changes #2286 (@wasaga)
- envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
- databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
- redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
- authorize: only redirect for HTML pages #2264 (@calebdoxsey)
- tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)
- envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
- envoy: disable hot-reload for macos #2259 (@calebdoxsey)
- authorize: round timestamp #2258 (@wasaga)
- options: s/shared-key/shared secret #2257 (@desimone)
- config: warn about unrecognized keys #2256 (@wasaga)
- darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
- policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
- envoy: exit if envoy exits #2240 (@calebdoxsey)
- envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
- envoy: add global response headers to local replies #2217 (@calebdoxsey)
- forward auth: don't strip query parameters #2216 (@wasaga)
- PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
- Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
- authorize: grpc health check #2200 (@wasaga)
- proxy / controplane: use old upstream cipher suite #2196 (@desimone)
- deployment: fix empty version on master builds #2193 (@travisgroth)
Security
- envoy: only allow embedding #2368 (@calebdoxsey)
- deps: bump envoy to v1.17.3 #2198 (@travisgroth)
Documentation
- doc updates #2433 (@calebdoxsey)
- Update Console installs to match signing_key #2432 (@alexfornuto)
- docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
- docs: clarify device identity, not state via client certs #2428 (@desimone)
- v0.15 release notes #2409 (@travisgroth)
- d...
Contributors
yyolk, calebdoxsey, and 10 other contributors
Assets 25
v0.14.7
Fixed
- directory/azure: add paging support to user group members call #2312 (@github-actions[bot])
v0.14.6
v0.14.5
v0.14.4
v0.14.3
Fixed
- authorize: fix custom rego panic #2226 (@calebdoxsey)
Changed
- envoy: add global response headers to local replies #2225 (@github-actions[bot])