Release 26.06_1
Zentinel 26.06_1
Cargo version: 0.6.16
What's Changed
Added
- Standalone Prometheus metrics server. When observability.metrics.enabled is set, the proxy binds a dedicated HTTP listener on observability.metrics.address (default 0.0.0.0:9090) and serves the Prometheus exposition format at observability.metrics.path (default /metrics), logging a "Metrics server listening" line at startup. Previously address was parsed but never consumed, so nothing bound the port — a silent failure that violated the "fail loudly" principle. (#256)
- Per-listener route sets. A listener may now serve a distinct set of routes via a namespace "<id>" field. Requests arriving on that listener are matched only against the named namespace's routes — no fallback to the global set — so you can expose, e.g., an internal admin/metrics surface on a separate port. Listeners without a namespace field serve the global routes exactly as before. Modeled on Envoy's listener→route-configuration binding; the referenced namespace must exist or validation fails. (#258)
Fixed
- Default Docker image starts cleanly as a non-root user. The distroless proxy and proxy-prebuilt images now ship /var/log/zentinel and /var/lib/zentinel owned by uid/gid 65532, and the bundled container config logs to stdout/stderr rather than a file. Previously the default config failed to initialize file logging under /var/log/zentinel (not writable by the non-root user), and a tmpfs mount did not resolve it. (#255)
- Upstream target syntax is now identical across single-file and multi-file configs. The two KDL parsers previously accepted disjoint target syntaxes — the single-file parser only took the target "host:port" shorthand while the multi-file parser only took the targets { target { address … } } block form — so a config copied between layouts (or from the docs) could fail with "requires at least one target". A single shared parser now accepts the shorthand, block form, property form, the targets { … } wrapper, and the top-level address shorthand in both. This was the root cause behind #254. (#254)
Changed
- Bump tikv-jemallocator 0.6.1 → 0.7.0. (#265)
- Bump rust-minor group (10 updates). (#264)
- Bump busybox Docker base 1.37 → 1.38. (#263)
- Bump openssl 0.10.79 → 0.10.80. (#252)
- Bump rust-minor group (5 updates). (#251)
- Bump wasmtime group. (#250)
- Bump quick-xml 0.39.4 → 0.40.1. (#249)
Chores
- Delete defunct docs.yml mdbook workflow. (#253)
Installation
From crates.io
cargo install zentinel-proxy
From binary
Download the appropriate archive for your platform and extract:
tar -xzf zentinel-26.06_1-linux-amd64.tar.gz
sudo mv zentinel /usr/local/bin/
Docker
docker pull ghcr.io/zentinelproxy/zentinel:26.06_1
Supply Chain Security
All release archives are signed with Sigstore cosign using keyless signing tied to GitHub Actions OIDC identity. SLSA v1.0 provenance is attached to this release.
Verify a binary
cosign verify-blob --bundle zentinel-26.06_1-linux-amd64.tar.gz.bundle \
--certificate-identity-regexp "github.com/zentinelproxy/zentinel" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
zentinel-26.06_1-linux-amd64.tar.gz
Verify the container image
cosign verify ghcr.io/zentinelproxy/zentinel:26.06_1 \
--certificate-identity-regexp "github.com/zentinelproxy/zentinel" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Checksums
Verify downloads with the .sha256 files.
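The checksum and signature checks above combined into one fail-closed install step, as an added example that is not part of the release notes or the project's own tooling. It assumes the .sha256 file holds a bare digest or a sha256sum-style line, and it anchors the identity pattern to the repository URL (an assumption about where the signing workflow lives), since an unanchored pattern accepts any certificate identity that merely contains the string.

```shell
#!/bin/sh
# Added example, not Zentinel project code: fail-closed release verification.

# Anchored form of the identity pattern used in the release notes. Assumption:
# the signing workflow lives in the zentinelproxy/zentinel repository itself.
IDENTITY_RE='^https://github\.com/zentinelproxy/zentinel/'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Compare the archive digest with the first field of <archive>.sha256.
# Assumption: that file holds a bare digest or a sha256sum-style "digest  name" line.
check_sha256() (
  archive=$1
  [ -r "$archive" ] && [ -r "$archive.sha256" ] || exit 2
  read -r expected _ < "$archive.sha256" || :   # tolerate a missing final newline
  case $expected in ''|*[!0-9a-fA-F]*) exit 2 ;; esac
  [ "${#expected}" -eq 64 ] || exit 2
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ "$expected" = "$(sha256_of "$archive")" ]
)

# Return 0 only if the checksum and the cosign bundle signature both verify.
verify_release() (
  archive=$1
  check_sha256 "$archive" || { echo "checksum check failed: $archive" >&2; exit 1; }
  cosign verify-blob --bundle "$archive.bundle" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$archive" >/dev/null 2>&1 \
    || { echo "signature check failed: $archive" >&2; exit 1; }
)

# Extract into a directory (default: current) only after verification succeeds.
install_release() {
  verify_release "$1" && tar -xzf "$1" -C "${2:-.}"
}

# Usage: sh verify.sh zentinel-26.06_1-linux-amd64.tar.gz [dest-dir]
if [ "$#" -ge 1 ]; then install_release "$@"; fi
```

A matching checksum only shows the download is intact; the cosign check is what ties the archive to the release workflow's identity.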
Software Bill of Materials
CycloneDX 1.5 and SPDX 2.3 SBOMs are attached as release assets.