Releases: pomerium/pomerium
v0.15.2
New
- allow pomerium to start without certs #2556 (@backport-actions-token[bot])
Fixed
- authorize: use session.user_id in headers #2572 (@backport-actions-token[bot])
- ppl: use session.user_id instead of user.id for user criterion #2563 (@backport-actions-token[bot])
- authorize: fix google cloudrun header audience #2560 (@backport-actions-token[bot])
- authorize: fix X-Pomerium-Claim-Groups #2540 (@backport-actions-token[bot])
Documentation
- docs: enterprise console v0.15.2 changelog #2565 (@backport-actions-token[bot])
- Docs: Fix merged PR #2547 (@backport-actions-token[bot])
- Update Ping Identity IdP #2545 (@backport-actions-token[bot])
- update OneLogin IdP doc #2544 (@backport-actions-token[bot])
- docs: enterprise v0.15.1 changelog #2543 (@backport-actions-token[bot])
- Updates to Enterprise Quickstart instructions #2531 (@backport-actions-token[bot])
v0.14.8
Security Notice
This release includes fixes to several high severity security issues in one of our dependencies, envoy.
We recommend that all users upgrade.
Security
- deps: bump envoy to v0.17.4 #2535 (@travisgroth)
Documentation
- docs: only secure schemes are supported #2410 (@backport-actions-token[bot])
- Docs bug fixes #2364 (@github-actions[bot])
- Docs backporting #2351 (@alexfornuto)
- docs: google gcp / workspace instructions #2350 (@github-actions[bot])
Changed
- chore(deps): upgrade kind action to v1.2.0 (#2281) #2366 (@travisgroth)
v0.15.1
Security Notice
This release includes fixes to several high severity security issues in one of our dependencies, envoy.
We recommend that all users upgrade.
Fixed
- options: remove refresh_cooldown, add allow_spdy to proto #2448 (@backport-actions-token[bot])
Security
- deps: update envoy to 1.19.1 #2527 (@backport-actions-token[bot])
Documentation
- update GitHub IdP doc #2508 (@backport-actions-token[bot])
- docs: update codeowners #2506 (@backport-actions-token[bot])
- Update Helm Instructions #2505 (@backport-actions-token[bot])
- Update Azure IdP Doc #2504 (@backport-actions-token[bot])
- Update IdP Overview Page #2502 (@backport-actions-token[bot])
- Update AWS cognito IdP doc #2501 (@backport-actions-token[bot])
- Auth0 Doc Refresh #2500 (@backport-actions-token[bot])
- document binding service to 443 #2499 (@backport-actions-token[bot])
- Update Okta IdP doc #2495 (@backport-actions-token[bot])
- adjust comment blocking #2489 (@backport-actions-token[bot])
- Update Docker Quickstart (#2482) #2486 (@alexfornuto)
- docs: use generic email #2485 (@backport-actions-token[bot])
- wrap header example values as inline code. #2479 (@backport-actions-token[bot])
- docs: clarify custom request header limitations #2472 (@backport-actions-token[bot])
- Document moving routes #2466 (@backport-actions-token[bot])
- Document tracing sample rate in console #2465 (@backport-actions-token[bot])
- docs: update enterprise helm instructions to use main repo #2464 (@backport-actions-token[bot])
- Enterprise Upgrade & Changelog Pages #2458 (@backport-actions-token[bot])
- Update binary install doc #2452 (@backport-actions-token[bot])
- docs: update branding, concepts #2449 (@backport-actions-token[bot])
- specify expected audience in Console config #2444 (@backport-actions-token[bot])
- redirect logo to the marketing site #2443 (@backport-actions-token[bot])
- docs: update branding #2440 (@backport-actions-token[bot])
- docs: update default version to v0.15 #2438 (@backport-actions-token[bot])
Dependency
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])
Deployment
- deployment: update goreleaser syntax #2525 (@backport-actions-token[bot])
- ci: support darwn/arm64 aka m1 for cli #2521 (@travisgroth)
v0.15.0
Breaking
- config: remove support for ed25519 signing keys #2430 (@calebdoxsey)
New
- telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
- authorize: log additional session details #2419 (@calebdoxsey)
- telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
- sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
- envoyconfig: improvements #2402 (@calebdoxsey)
- config: add support for embedded PPL policy #2401 (@calebdoxsey)
- ppl: remove support for aliases #2400 (@calebdoxsey)
- directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
- evaluator: use cryptutil.Hash for script spans #2384 (@desimone)
- authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
- k8s: add flush-credentials command #2379 (@calebdoxsey)
- urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
- ci: use revive instead of golint #2370 (@calebdoxsey)
- authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
- envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
- config: add warning about http URLs #2358 (@calebdoxsey)
- authorize: log service account and impersonation details #2354 (@calebdoxsey)
- tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
- envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
- registry/redis: call publish from within lua function #2337 (@calebdoxsey)
- proxy: add idle timeout #2319 (@wasaga)
- cli: use proxy from environment #2316 (@tskinn)
- authorize: do not send redirects to gRPC #2314 (@wasaga)
- certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
- config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
- envoy: refactor envoy embedding #2296 (@calebdoxsey)
- envoy: add full version #2287 (@calebdoxsey)
- authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
- xds: retry storing configuration events #2266 (@calebdoxsey)
- envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
- authorize: preserve original context #2247 (@wasaga)
- ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
- ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
- ppl: convert config policy to ppl #2218 (@calebdoxsey)
- Pomerium Policy Language #2202 (@calebdoxsey)
- telemetry: add hostname tag to metrics #2191 (@wasaga)
- envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
- registry: implement redis backend #2179 (@calebdoxsey)
- report instance hostname in xds events #2175 (@wasaga)
- databroker: implement leases #2172 (@calebdoxsey)
Fixed
- config: remove grpc server max connection age options #2427 (@calebdoxsey)
- authorize: add sid to JWT claims #2420 (@calebdoxsey)
- disable http/2 for websockets #2399 (@calebdoxsey)
- ci: update gcloud action #2393 (@travisgroth)
- google: remove WithHTTPClient #2391 (@calebdoxsey)
- telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
- authorize: allow redirects on deny #2361 (@calebdoxsey)
- authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
- envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
- envoy: only check for pid with monitor #2355 (@calebdoxsey)
- fix: timeout in protobuf #2341 (@wasaga)
- authorize: support boolean deny results #2338 (@calebdoxsey)
- ppl: fix not/nor rules #2313 (@calebdoxsey)
- directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
- ocsp: reload on response changes #2286 (@wasaga)
- envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
- databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
- redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
- authorize: only redirect for HTML pages #2264 (@calebdoxsey)
- tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)
- envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
- envoy: disable hot-reload for macos #2259 (@calebdoxsey)
- authorize: round timestamp #2258 (@wasaga)
- options: s/shared-key/shared secret #2257 (@desimone)
- config: warn about unrecognized keys #2256 (@wasaga)
- darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
- policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
- envoy: exit if envoy exits #2240 (@calebdoxsey)
- envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
- envoy: add global response headers to local replies #2217 (@calebdoxsey)
- forward auth: don't strip query parameters #2216 (@wasaga)
- PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
- Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
- authorize: grpc health check #2200 (@wasaga)
- proxy / controplane: use old upstream cipher suite #2196 (@desimone)
- deployment: fix empty version on master builds #2193 (@travisgroth)
Security
- envoy: only allow embedding #2368 (@calebdoxsey)
- deps: bump envoy to v1.17.3 #2198 (@travisgroth)
Documentation
- doc updates #2433 (@calebdoxsey)
- Update Console installs to match signing_key #2432 (@alexfornuto)
- docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
- docs: clarify device identity, not state via client certs #2428 (@desimone)
- v0.15 release notes #2409 (@travisgroth)
- d...
v0.14.7
Fixed
- directory/azure: add paging support to user group members call #2312 (@github-actions[bot])
v0.14.6
v0.14.5
v0.14.4
v0.14.3
Fixed
- authorize: fix custom rego panic #2226 (@calebdoxsey)
Changed
- envoy: add global response headers to local replies #2225 (@github-actions[bot])