Releases: pomerium/pomerium
v0.13.1
Fixed
- config: fix redirect routes from protobuf #1931 (@github-actions[bot])
- google: fix default provider URL #1929 (@github-actions[bot])
Documentation
- docs: fix query param name #1923 (@github-actions[bot])
- docs: add breaking sa changes in v0.13 #1921 (@github-actions[bot])
- docs: add v0.13 to docs site menu #1914 (@github-actions[bot])
Changed
- ci: deploy releases to test environment (#1916) #1918 (@travisgroth)
v0.13.0
Breaking
- authorize: remove admin #1833 (@calebdoxsey)
- remove user impersonation and service account cli #1768 (@calebdoxsey)
New
- authorize: allow access by user id #1850 (@calebdoxsey)
- authorize: remove DataBrokerData input #1847 (@calebdoxsey)
- authorize: remove DataBrokerData #1846 (@calebdoxsey)
- opa: format rego files #1845 (@calebdoxsey)
- policy: add new certificate-authority option for downstream mTLS client certificates #1835 (@calebdoxsey)
- metrics: human readable cluster name #1834 (@wasaga)
- upstream endpoints load balancer weights #1830 (@wasaga)
- controlplane: only add listener virtual domains for addresses matching the current TLS domain #1823 (@calebdoxsey)
- authenticate: delay evaluation of OIDC provider #1802 (@calebdoxsey)
- config: require shared key if using redis backed databroker #1801 (@travisgroth)
- upstream health check config #1796 (@wasaga)
- new skip_xff_append option #1788 (@wasaga)
- policy: add outlier_detection #1786 (@calebdoxsey)
- reduce memory usage by handling http/2 coalescing via a lua script #1779 (@calebdoxsey)
- add support for proxy protocol on HTTP listener #1777 (@calebdoxsey)
- config: support redirect actions #1776 (@calebdoxsey)
- config: detect underlying file changes #1775 (@calebdoxsey)
- authenticate: update user info screens #1774 (@desimone)
- jws: remove issuer #1754 (@calebdoxsey)
Fixed
- redis: fix deletion versioning #1874 (@github-actions[bot])
- rego: handle null #1853 (@calebdoxsey)
- config: fix data race #1851 (@calebdoxsey)
- deployment: set maintainer field in packages #1848 (@travisgroth)
- xds: fix always requiring client certificates #1844 (@calebdoxsey)
- fix go:generate for envoy config #1826 (@calebdoxsey)
- controlplane: only enable STATIC dns when all addresses are IP addresses #1822 (@calebdoxsey)
- config: fix databroker policies #1821 (@calebdoxsey)
- config: fix hot-reloading #1820 (@calebdoxsey)
- Revert "reduce memory usage by handling http/2 coalescing via a lua script" #1785 (@calebdoxsey)
- google: fix nil name #1771 (@calebdoxsey)
- autocert: improve logging #1767 (@travisgroth)
Documentation
- docs: update changelog for v0.13.0 #1910 (@github-actions[bot])
- docs: add load balancing weight documentation #1905 (@github-actions[bot])
- docs: misc upgrade notes and changelog #1904 (@github-actions[bot])
- ci: pin goreleaser version #1903 (@github-actions[bot])
- docs: update security policy #1901 (@github-actions[bot])
- docs: additional load balancing documentation #1882 (@github-actions[bot])
- github: add tag suggestion to checklist #1819 (@desimone)
- docs: add reference to the go-sdk #1800 (@desimone)
- updated host rewrite docs #1799 (@vihardesu)
- docs: update menu for v0.12 #1755 (@travisgroth)
- Update GitLab provider docs #1591 (@bradjones1)
Dependency
- chore(deps): update module go.opencensus.io to v0.22.6 #1842 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.11 #1841 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 44e461b #1840 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to f9ce19e #1839 (@renovate[bot])
- chore(deps): update module stretchr/testify to v1.7.0 #1816 (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.26.0 #1815 (@renovate[bot])
- chore(deps): update module mitchellh/mapstructure to v1.4.1 #1814 (@renovate[bot])
- chore(deps): update module google/uuid to v1.2.0 #1813 (@renovate[bot])
- chore(deps): update module google.golang.org/grpc to v1.35.0 #1812 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.10 #1811 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.4.1 #1810 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 8081c04 #1809 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to d3ed898 #1808 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 5f4716e #1807 (@renovate[bot])
- chore(deps): update oidc to v3 #1783 (@desimone)
- chore(deps): update vuepress monorepo to v1.8.0 #1761 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.8 #1760 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.3.1 #1759 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.2.1 #1758 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to c7d5778 #1757 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.38.0 #1656 (@renovate[bot])
Deployment
- ci: fix usage of env variable in latest tag #1791 (@travisgroth)
- databroker: rename cache service #1790 (@calebdoxsey)
- ci: fix deprecated command in latestTag step #1763 (@travisgroth)
Changed
- authenticate: validate origin of signout #1881 (@github-actions[bot])
- config: add CertificateFiles to FileWatcherSource list #1880 (@github-actions[bot])
- ci: enable backporting from forks #1854 (@travisgroth)
- ci: fix version metadata in non-releases #1836 (@travisgroth)
- protobuf: upgrade protoc to 3.14 #1832 (@calebdoxsey)
- Update codeowners #1831 (@travisgroth)
- config: return errors on invalid URLs, fix linting #1829 (@calebdoxsey)
- grpc: use custom resolver #1828 (@calebdoxsey)
- controlplane: return errors in xds build methods #1827 (@calebdoxsey)
- include envoy's proto specs into config.proto #1817 (@wasaga)
- expose all envoy cluster options in policy #1804 (@wasaga)
- autocert: store certificates separately from config certificates #1794 (@calebdoxsey)
- move file change detection before autocert #1793 (@calebdoxsey)
- config: suppo...
v0.12.2
NOTE: Due to a release error, a version of v0.12.2 was briefly published off the incorrect commit. The correct version is 0.12.2-1613583129+2060f4e.
Fixed
- [Backport 0-12-0] deployment: set maintainer field in packages #1849 (@github-actions[bot])
Changed
v0.12.1
Fixed
- [Backport 0-12-0] google: fix nil name #1772 (@github-actions[bot])
- [Backport 0-12-0] autocert: improve logging #1769 (@travisgroth)
Documentation
- [Backport 0-12-0] docs: update menu for v0.12 #1762 (@github-actions[bot])
Deployment
- [Backport 0-12-0] ci: fix deprecated command in latestTag step #1764 (@github-actions[bot])
v0.12.0
New
- tcp: prevent idle stream timeouts for TCP and Websocket routes #1744 (@calebdoxsey)
- telemetry: add support for datadog tracing #1743 (@calebdoxsey)
- use incremental API for envoy xDS #1732 (@calebdoxsey)
- cli: add version command #1726 (@desimone)
- add TLS flags for TCP tunnel #1725 (@calebdoxsey)
- k8s cmd: use authclient package #1722 (@calebdoxsey)
- internal/controlplane: 0s default timeout for tcp routes #1716 (@travisgroth)
- use impersonate groups if impersonate email is set #1701 (@calebdoxsey)
- unimpersonate button #1700 (@calebdoxsey)
- TCP client command #1696 (@calebdoxsey)
- add support for TCP routes #1695 (@calebdoxsey)
- internal/directory: use gitlab provider url option #1689 (@nghnam)
- improve ca cert error message, use GetCertPool for databroker storage #1666 (@calebdoxsey)
- implement new redis storage backend with go-redis package #1649 (@calebdoxsey)
- authenticate: oidc frontchannel-logout endpoint #1586 (@pflipp)
Fixed
- remove :443 or :80 from proxy URLs in authclient #1733 (@calebdoxsey)
- tcptunnel: handle invalid http response codes #1727 (@calebdoxsey)
- update azure docs #1723 (@calebdoxsey)
- config: fix ignored yaml fields #1698 (@travisgroth)
- fix concurrency race #1675 (@calebdoxsey)
- don't create users when updating sessions #1671 (@calebdoxsey)
Documentation
- update google docs #1738 (@calebdoxsey)
- docs: add TCP guide #1714 (@travisgroth)
- docs: tcp support #1712 (@travisgroth)
- docs: replace httpbin with verify #1702 (@desimone)
- docs: fix nginx config #1691 (@desimone)
- remove "see policy" phrase in settings docs #1668 (@calebdoxsey)
- docs: add allowed_idp_claims docs #1665 (@travisgroth)
- docs: add v0.11 link to version menu #1663 (@travisgroth)
Dependency
- chore(deps): update module google/uuid to v1.1.4 #1729 (@renovate[bot])
- dev: update linter #1728 (@desimone)
- chore(deps): update codecov/codecov-action action to v1.1.1 #1720 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 6772e93 #1719 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to eec23a3 #1718 (@renovate[bot])
- chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3.4.0 #1710 (@renovate[bot])
- chore(deps): update module prometheus/client_golang to v1.9.0 #1709 (@renovate[bot])
- chore(deps): update module ory/dockertest/v3 to v3.6.3 #1708 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.4 #1707 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.1.0 #1706 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 8c77b98 #1705 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 986b41b #1704 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 9d13527 #1703 (@renovate[bot])
- chore(deps): update module open-policy-agent/opa to v0.25.2 #1685 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.4.2 #1684 (@renovate[bot])
- chore(deps): update module envoyproxy/go-control-plane to v0.9.8 #1683 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to 40ec1c2 #1682 (@renovate[bot])
- chore(deps): update golang.org/x/sync commit hash to 09787c9 #1681 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 08078c5 #1680 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to ac852fb #1679 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 5f87f34 #1678 (@renovate[bot])
Deployment
- ci: upgrade yq syntax for v4 #1745 (@travisgroth)
- deployment: Fix docker and rpm workflows #1687 (@travisgroth)
- ci: fix pomerium-cli rpm name #1661 (@travisgroth)
Changed
- ci: fix typo in yq image #1746 (@travisgroth)
- fix coverage #1741 (@calebdoxsey)
- fix error wrapping #1737 (@calebdoxsey)
- Revert "set recommended defaults" #1735 (@calebdoxsey)
- set recommended defaults #1734 (@calebdoxsey)
- internal/telemetry/metrics: update redis metrics for go-redis #1694 (@travisgroth)
v0.11.1
Fixed
- [Backport 0-11-0] fix concurrency race #1676 (@github-actions[bot])
- [Backport 0-11-0] don't create users when updating sessions #1672 (@github-actions[bot])
Documentation
- [Backport 0-11-0] remove "see policy" phrase in settings docs #1669 (@github-actions[bot])
- [Backport 0-11-0] docs: add allowed_idp_claims docs #1667 (@github-actions[bot])
- [Backport 0-11-0] docs: add v0.11 link to version menu #1664 (@github-actions[bot])
Deployment
- [Backport 0-11-0] ci: fix pomerium-cli rpm name #1662 (@travisgroth)
v0.11.0
Breaking
- remove deprecated cache_service_url config option #1614 (@calebdoxsey)
- add flag to enable user impersonation #1514 (@calebdoxsey)
New
- microsoft: add support for common endpoint #1648 (@desimone)
- use the directory email when provided for the jwt #1647 (@calebdoxsey)
- fix profile image on dashboard #1637 (@calebdoxsey)
- wait for initial sync to complete before starting control plane #1636 (@calebdoxsey)
- authorize: add signature algo support (RSA / EdDSA) #1631 (@desimone)
- replace GetAllPages with InitialSync, improve merge performance #1624 (@calebdoxsey)
- cryptutil: more explicit decryption error #1607 (@desimone)
- add paging support to GetAll #1601 (@calebdoxsey)
- attach version to gRPC server metadata #1598 (@calebdoxsey)
- use custom default http transport #1576 (@calebdoxsey)
- update user info in addition to refreshing the token #1572 (@calebdoxsey)
- databroker: add audience to session #1557 (@calebdoxsey)
- authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
- autocert: support certificate renewal #1516 (@calebdoxsey)
- add policy to allow any authenticated user #1515 (@pflipp)
- debug: add pprof endpoints #1504 (@calebdoxsey)
- databroker: require JWT for access #1503 (@calebdoxsey)
- authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
- forward-auth: use envoy's ext_authz check #1482 (@desimone)
- auth0: implement directory provider #1479 (@grounded042)
- azure: incremental sync #1471 (@calebdoxsey)
- auth0: implement identity provider #1470 (@calebdoxsey)
- dashboard: format timestamps #1468 (@calebdoxsey)
- directory: additional user info #1467 (@calebdoxsey)
- directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
- config: add support for host header rewriting #1457 (@calebdoxsey)
- proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
- redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
- proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
- databroker: add support for querying the databroker #1443 (@calebdoxsey)
- config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
- okta: handle deleted groups #1418 (@calebdoxsey)
- controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
- azure: add support for nested groups #1408 (@calebdoxsey)
- authorize: add support for service accounts #1374 (@calebdoxsey)
- Cuonglm/improve timeout error message #1373 (@cuonglm)
- internal/directory/okta: remove rate limiter #1370 (@cuonglm)
- {proxy/controlplane}: make health checks debug level #1368 (@desimone)
- databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
- authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
- config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
- proxy: support websocket timeouts #1362 (@calebdoxsey)
- proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
- certmagic: improve logging #1358 (@calebdoxsey)
- logs: add new log scrubber #1346 (@calebdoxsey)
- Allow setting the shared secret via an environment variable. #1337 (@rspier)
- authorize: add jti to JWT payload #1328 (@calebdoxsey)
- all: add signout redirect url #1324 (@cuonglm)
- proxy: remove unused handlers #1317 (@desimone)
- azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
- cache: support databroker option changes #1294 (@calebdoxsey)
- authenticate: move databroker connection to state #1292 (@calebdoxsey)
- authorize: use atomic state for properties #1290 (@calebdoxsey)
- proxy: move properties to atomically updated state #1280 (@calebdoxsey)
- Improving okta API requests #1278 (@cuonglm)
- authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
- authenticate: support reloading IDP settings #1273 (@calebdoxsey)
- Rate limit for okta #1271 (@cuonglm)
- config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
- internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
- envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
- config: allow reloading of telemetry settings #1255 (@calebdoxsey)
- databroker: add support for config settings #1253 (@calebdoxsey)
- config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
- authorize: add databroker url check #1228 (@desimone)
- internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)
Fixed
- fix config race #1660 (@calebdoxsey)
- fix ordering of autocert config source #1640 (@calebdoxsey)
- pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)
- forward-auth: fix special character support for nginx #1578 (@desimone)
- proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
- fix querying claim data on the dashboard #1560 (@calebdoxsey)
- github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
- store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
- fix databroker requiring signed jwt #1538 (@calebdoxsey)
- authorize: add redirect url to debug page #1533 (@desimone)
- internal/frontend: resolve authN helper url #1521 (@desimone)
- fwd-auth: match nginx-ingress config #1505 (@desimone)
- authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
- ci: ensure systemd unit file is in packages #1481 (@travisgroth)
- identity manager: fix directory sync timing [#1455](https://git...
v0.11.0-rc2
New
- add paging support to GetAll #1601 (@calebdoxsey)
- attach version to gRPC server metadata #1598 (@calebdoxsey)
Fixed
- pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)
Dependency
- chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
- chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
- chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])
Changed
- ci: improve release snapshot name template #1602 (@travisgroth)
v0.11.0-rc1
Breaking
- add flag to enable user impersonation #1514 (@calebdoxsey)
New
- use custom default http transport #1576 (@calebdoxsey)
- update user info in addition to refreshing the token #1572 (@calebdoxsey)
- databroker: add audience to session #1557 (@calebdoxsey)
- authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
- autocert: support certificate renewal #1516 (@calebdoxsey)
- add policy to allow any authenticated user #1515 (@pflipp)
- debug: add pprof endpoints #1504 (@calebdoxsey)
- databroker: require JWT for access #1503 (@calebdoxsey)
- authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
- forward-auth: use envoy's ext_authz check #1482 (@desimone)
- auth0: implement directory provider #1479 (@grounded042)
- azure: incremental sync #1471 (@calebdoxsey)
- auth0: implement identity provider #1470 (@calebdoxsey)
- dashboard: format timestamps #1468 (@calebdoxsey)
- directory: additional user info #1467 (@calebdoxsey)
- directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
- config: add support for host header rewriting #1457 (@calebdoxsey)
- proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
- redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
- proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
- databroker: add support for querying the databroker #1443 (@calebdoxsey)
- config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
- okta: handle deleted groups #1418 (@calebdoxsey)
- controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
- azure: add support for nested groups #1408 (@calebdoxsey)
- authorize: add support for service accounts #1374 (@calebdoxsey)
- Cuonglm/improve timeout error message #1373 (@cuonglm)
- internal/directory/okta: remove rate limiter #1370 (@cuonglm)
- {proxy/controlplane}: make health checks debug level #1368 (@desimone)
- databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
- authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
- config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
- proxy: support websocket timeouts #1362 (@calebdoxsey)
- proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
- certmagic: improve logging #1358 (@calebdoxsey)
- logs: add new log scrubber #1346 (@calebdoxsey)
- Allow setting the shared secret via an environment variable. #1337 (@rspier)
- authorize: add jti to JWT payload #1328 (@calebdoxsey)
- all: add signout redirect url #1324 (@cuonglm)
- proxy: remove unused handlers #1317 (@desimone)
- azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
- cache: support databroker option changes #1294 (@calebdoxsey)
- authenticate: move databroker connection to state #1292 (@calebdoxsey)
- authorize: use atomic state for properties #1290 (@calebdoxsey)
- proxy: move properties to atomically updated state #1280 (@calebdoxsey)
- Improving okta API requests #1278 (@cuonglm)
- authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
- authenticate: support reloading IDP settings #1273 (@calebdoxsey)
- Rate limit for okta #1271 (@cuonglm)
- config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
- internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
- envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
- config: allow reloading of telemetry settings #1255 (@calebdoxsey)
- databroker: add support for config settings #1253 (@calebdoxsey)
- config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
- authorize: add databroker url check #1228 (@desimone)
- internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)
Fixed
- forward-auth: fix special character support for nginx #1578 (@desimone)
- proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
- fix querying claim data on the dashboard #1560 (@calebdoxsey)
- github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
- store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
- fix databroker requiring signed jwt #1538 (@calebdoxsey)
- authorize: add redirect url to debug page #1533 (@desimone)
- internal/frontend: resolve authN helper url #1521 (@desimone)
- fwd-auth: match nginx-ingress config #1505 (@desimone)
- authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
- ci: ensure systemd unit file is in packages #1481 (@travisgroth)
- identity manager: fix directory sync timing #1455 (@calebdoxsey)
- proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (@whs)
- httputil: remove retry button #1438 (@desimone)
- proxy: always use https for application callback #1433 (@travisgroth)
- controlplane: remove p-521 EC #1420 (@desimone)
- redirect-server: add config headers to responses #1416 (@calebdoxsey)
- proxy: remove impersonate headers for kubernetes #1394 (@calebdoxsey)
- Desimone/authenticate default logout #1390 (@desimone)
- proxy: for filter matches only include bare domain name #1389 (@calebdoxsey)
- internal/envoy: start epoch from 0 #1387 (@travisgroth)
- internal/directory/okta: accept non-json service account #1359 (@cuonglm)
- internal/controlplane: add telemetry http handler #1353 (@travisgroth)
- autocert: fix locking issue #1310 (@calebdoxsey)
- authorize: log users and groups [#1303](https://...
v0.10.6
Security
Envoy released a security update to address the following CVE(s):
- CVE-2020-25017 (CVSS score 6.5, Medium): Incorrect handling of duplicate HTTP headers
This patch updates the underlying embedded version of Envoy to 1.15.1. If you are instead using the Envoy binary from your local $PATH, you are encouraged to upgrade that binary as well.
- deps: envoy 1.15.1 @desimone GH-1473
- deps: update envoy arm64 to v1.15.1 @travisgroth GH-1475