Release 26.06_1

@github-actions github-actions released this 07 Jun 07:15
b04e4bb

Zentinel 26.06_1

Cargo version: 0.6.16

What's Changed

Added

  • Standalone Prometheus metrics server. When observability.metrics.enabled is set, the proxy binds a dedicated HTTP listener on observability.metrics.address (default 0.0.0.0:9090) and serves the Prometheus exposition format at observability.metrics.path (default /metrics), logging a Metrics server listening line at startup. Previously address was parsed but never consumed, so nothing bound the port — a silent failure that violated the "fail loudly" principle. (#256)
  • Per-listener route sets. A listener may now serve a distinct set of routes via a namespace "<id>" field. Requests arriving on that listener are matched only against the named namespace's routes — no fallback to the global set — so you can expose, e.g., an internal admin/metrics surface on a separate port. Listeners without a namespace field serve the global routes exactly as before. Modeled on Envoy's listener→route-configuration binding; the referenced namespace must exist or validation fails. (#258)
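
The matching rule from the per-listener route sets entry above, as a small Rust model added here for illustration (not Zentinel's own code). The `Listener` and `Config` types, `route_for`, `validate` and the sample routes are hypothetical, and route matching is simplified to path prefixes.

```rust
use std::collections::HashMap;

// Illustrative model only: names are hypothetical, not Zentinel's API.
struct Listener { id: &'static str, namespace: Option<&'static str> }
struct Config {
    listeners: Vec<Listener>,
    global_routes: Vec<&'static str>,                     // path prefixes
    namespaces: HashMap<&'static str, Vec<&'static str>>, // namespace id -> path prefixes
}

impl Config {
    // A listener that references an undefined namespace fails validation.
    fn validate(&self) -> Result<(), String> {
        for l in &self.listeners {
            if let Some(ns) = l.namespace.filter(|ns| !self.namespaces.contains_key(ns)) {
                return Err(format!("listener {}: unknown namespace {}", l.id, ns));
            }
        }
        Ok(())
    }

    // A namespaced listener matches only its namespace's routes, with no
    // fallback to the global set; a listener without a namespace uses the global set.
    fn route_for(&self, listener_id: &str, path: &str) -> Option<&'static str> {
        let l = self.listeners.iter().find(|l| l.id == listener_id)?;
        let routes = match l.namespace {
            Some(ns) => self.namespaces.get(ns)?,
            None => &self.global_routes,
        };
        routes.iter().copied().find(|prefix| path.starts_with(*prefix))
    }
}

// Constructed sample: a public listener on the global routes, an internal one on "admin".
fn sample() -> Config {
    let public = Listener { id: "public", namespace: None };
    let internal = Listener { id: "internal", namespace: Some("admin") };
    Config {
        listeners: vec![public, internal],
        global_routes: vec!["/api"],
        namespaces: HashMap::from([("admin", vec!["/admin", "/metrics"])]),
    }
}

fn main() {
    let cfg = sample();
    cfg.validate().expect("constructed config is valid");
    println!("{:?} {:?}", cfg.route_for("public", "/admin/users"), cfg.route_for("internal", "/api/v1"));
}
```

In this model the admin and metrics routes are unreachable from the public listener, and the global routes are unreachable from the internal one.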

Fixed

  • Default Docker image starts cleanly as a non-root user. The distroless proxy and proxy-prebuilt images now ship /var/log/zentinel and /var/lib/zentinel owned by uid/gid 65532, and the bundled container config logs to stdout/stderr rather than a file. Previously the default config failed to initialize file logging under /var/log/zentinel (not writable by the non-root user), and a tmpfs mount did not resolve it. (#255)
  • Upstream target syntax is now identical across single-file and multi-file configs. The two KDL parsers previously accepted disjoint target syntaxes — the single-file parser only took the target "host:port" shorthand while the multi-file parser only took the targets { target { address … } } block form — so a config copied between layouts (or from the docs) could fail with "requires at least one target". A single shared parser now accepts the shorthand, block form, property form, the targets { … } wrapper, and the top-level address shorthand in both. This was the root cause behind #254. (#254)

Changed

  • Bump tikv-jemallocator 0.6.1 → 0.7.0. (#265)
  • Bump rust-minor group (10 updates). (#264)
  • Bump busybox Docker base 1.37 → 1.38. (#263)
  • Bump openssl 0.10.79 → 0.10.80. (#252)
  • Bump rust-minor group (5 updates). (#251)
  • Bump wasmtime group. (#250)
  • Bump quick-xml 0.39.4 → 0.40.1. (#249)

Chores

  • Delete defunct docs.yml mdbook workflow. (#253)

Installation

From crates.io

cargo install zentinel-proxy

From binary

Download the appropriate archive for your platform and extract:

tar -xzf zentinel-26.06_1-linux-amd64.tar.gz
sudo mv zentinel /usr/local/bin/

Docker

docker pull ghcr.io/zentinelproxy/zentinel:26.06_1

Supply Chain Security

All release archives are signed with Sigstore cosign using keyless signing tied to GitHub Actions OIDC identity. SLSA v1.0 provenance is attached to this release.

Verify a binary

cosign verify-blob --bundle zentinel-26.06_1-linux-amd64.tar.gz.bundle \
  --certificate-identity-regexp "github.com/zentinelproxy/zentinel" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  zentinel-26.06_1-linux-amd64.tar.gz

Verify the container image

cosign verify ghcr.io/zentinelproxy/zentinel:26.06_1 \
  --certificate-identity-regexp "github.com/zentinelproxy/zentinel" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Checksums

Verify downloads with the .sha256 files.

Software Bill of Materials

CycloneDX 1.5 and SPDX 2.3 SBOMs are attached as release assets.