Changelog
v0.17.2 (2022-04-22)
Fixed
- authorize: pass idp id for webauthn url, allow unauthenticated access to static files [#3284] (@calebdoxsey)
- config: fix DefaultTransport so it is still a *http.Transport [#3260] (@calebdoxsey)
Dependency
- chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 [#3266]
Docs
- Add UUID to docs yaml blocks (#3251) [#3259] (@alexfornuto)
v0.17.1 (2022-03-30)
Security Notice
This release includes a fix to a medium severity security issue.
We recommend that all users upgrade.
Security
- authenticate: fix debug and metrics endpoints #3215 (@backport-actions-token[bot])
Fixed
- authenticate: fix internal url with webauthn #3195 (@backport-actions-token[bot])
- github: fix missing groups #3176 (@backport-actions-token[bot])
v0.17.0 (2022-03-04)
New
- adds pomerium version to the user info endpoint #3093 (@nhayfield)
- grpc: remove ptypes references #3078 (@calebdoxsey)
- userinfo: add webauthn buttons to user info page #3075 (@calebdoxsey)
- Style update for User Info Endpoint #3055 (@nhayfield)
- session: remove unused session state properties #3022 (@calebdoxsey)
- frontend: react+mui #3004 (@calebdoxsey)
- controlplane: add compression middleware #3000 (@calebdoxsey)
- authenticate: fix expiring user info endpoint #2976 (@calebdoxsey)
- last known metric error #2974 (@wasaga)
- directory: save IDP errors to databroker, put event handling in dedicated package #2957 (@calebdoxsey)
- google: support groups for users outside of the organization #2950 (@calebdoxsey)
- return explicit error when directory sync is disabled #2949 (@wasaga)
- authenticate: add device-enrolled page #2892 (@calebdoxsey)
- remove deprecated ioutil usages #2877 (@cfanbo)
Fixed
- databroker: use contextual logging for errors, use original record type for encryption #3096 (@calebdoxsey)
- fix link for picture in avatar #3066 (@nhayfield)
- userinfo: fix logout button, add sign out confirm page #3058 (@calebdoxsey)
- config: fix httptest local certificate #3056 (@calebdoxsey)
- proxy: fix error page #3020 (@calebdoxsey)
- deployment: only include pomerium binary #3007 (@travisgroth)
- auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])
- auth0: support explicit domains in the service account #2980 (@calebdoxsey)
- config: fix TLS config when address and grpc_address are the same #2975 (@calebdoxsey)
- deployment: enable goreleaser buildx #2968 (@travisgroth)
- config: fix policy matching for regular expressions #2966 (@calebdoxsey)
- fix: frontend html tag mismatch #2954 (@cfanbo)
- devices: shrink credentials by removing unnecessary data #2951 (@calebdoxsey)
- Remove spurious \</ul> tags #2946 (@sylr)
- authenticate: support webauthn redirects to non-pomerium domains #2936 (@calebdoxsey)
- webauthn: use absolute URL for delete redirect #2935 (@calebdoxsey)
- authenticate: add callback endpoint #2931 (@calebdoxsey)
- devices: treat undefined device types as any #2927 (@calebdoxsey)
- deployment: fix distroless base arch #2925 (@travisgroth)
- handle device states in deny block, fix default device type #2919 (@calebdoxsey)
- envoy: check certificates for must-staple flag and drop them if they are missing the response #2909 (@calebdoxsey)
- integration: fix default port for verify service #2895 (@calebdoxsey)
Dependency
- chore(deps): bump actions/setup-node from 2 to 3 #3089 (@dependabot[bot])
- chore(deps): bump actions/setup-python from 2 to 3 #3088 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.20.2 to 4.21.1 #3087 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.69.0 to 0.70.0 #3086 (@dependabot[bot])
- chore(deps): bump url-parse from 1.5.7 to 1.5.10 #3085 (@dependabot[bot])
- chore(deps): bump prismjs from 1.26.0 to 1.27.0 #3084 (@dependabot[bot])
- deps: bump envoy to v1.20.2 #3082 (@travisgroth)
- chore(deps): bump mikefarah/yq from 4.20.1 to 4.20.2 #3072 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.68.0 to 0.69.0 #3071 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.44.0 to 1.44.2 #3070 (@dependabot[bot])
- chore(deps): bump url-parse from 1.5.1 to 1.5.7 #3068 (@dependabot[bot])
- chore(deps): bump github.com/gorilla/websocket from 1.4.2 to 1.5.0 #3052 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.18.1 to 4.20.1 #3051 (@dependabot[bot])
- chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 #3043 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 #3041 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.37.1 to 0.37.2 #3040 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.66.0 to 0.68.0 #3033 (@dependabot[bot])
- deps: increase yarn network timeout #3018 (@travisgroth)
- chore(deps): bump github.com/caddyserver/certmagic from 0.15.2 to 0.15.3 #3014 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.1 #3013 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.12 to 3.22.1 #3012 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.0.1 to 1.0.2 #3011 (@dependabot[bot])
- chore(deps): bump mermaid from 8.12.1 to 8.13.10 #3010 (@dependabot[bot])
- chore(deps): bump follow-redirects from 1.14.1 to 1.14.7 #3009 (@dependabot[bot])
- chore(deps): bump prismjs from 1.24.1 to 1.26.0 #3008 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.17.2 to 4.18.1 #2989 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 #2988 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.43.0 to 1.44.0 #2987 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.65.0 to 0.66.0 #2986 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 #2985 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.16.2 to 4.17.2 #2963 (@dependabot[bot])
- chore(deps): bump github.com/google/go-cmp from 0.5.6 to 0.5.7 #2962 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 #2961 (@dependabot[bot])
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.3.0 to 0.4.0 #2942 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.64.0 to 0.65.0 #2941 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.2 to 0.6.3 #2940 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.36.0 to 0.36.1 #2939 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.63.0 to 0.64.0 #2913 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 #2912 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.35.0 to 0.36.0 #2911 (@dependabot[bot])
- chore(deps): bump github.com/go-chi/chi from 1.5.4 to 4.1.2+incompatible #2910 (@dependabot[bot])
- envoy: upgrade to 1.20.1 #2902 (@calebdoxsey)
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.11 to 3.21.12 #2886 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.8.0 to 1.8.2 #2855 (@dependabot[bot])
- chore(deps): bump github.com/google/go-jsonnet from 0.17.0 to 0.18.0 #2854 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.16.1 to 4.16.2 #2853 (@dependabot[bot])
Deployment
- deployment: remove DST cert workaround from debug image #2958 (@travisgroth)
- deployment: multi-arch master images #2896 (@travisgroth)
Changed
- config: add idp_client_id and idp_client_secret to protobuf #3060 (@calebdoxsey)
- Extract email for active directory users that don't have access to exchange #3053 (@JBodkin-Amphora)
- disable blank github issues #2898 (@travisgroth)
v0.16.4 (2022-02-25)
Dependency
- deps: update envoy to v1.19.3 #3083 (@travisgroth)
v0.16.3 (2022-02-11)
Fixed
- deployment: only include pomerium binary #3007 (@travisgroth)
- auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])
v0.16.2 (2022-01-25)
Fixed
- config: fix policy matching for regular expressions #2969 (@backport-actions-token[bot])
v0.16.1 (2022-01-19)
Fixed
- webauthn: use absolute URL for delete redirect #2937 (@backport-actions-token[bot])
- handle device states in deny block, fix default device type #2924 (@backport-actions-token[bot])
- integration: fix default port for verify service #2908 (@backport-actions-token[bot])
v0.16.0 (2021-12-22)
Breaking
- identity: only assign
access\_type
uri params to google. #2782 (@desimone) - tls: fallback to self-signed certificate #2760 (@calebdoxsey)
- github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)
New
- more idp metrics #2842 (@wasaga)
- devices: add experimental icon #2836 (@calebdoxsey)
- devices: switch "default" device type to two built-in default device types #2835 (@calebdoxsey)
- dashboard: improve display of device credentials, allow deletion #2829 (@calebdoxsey)
- ppl: add support for http_path and http_method #2813 (@calebdoxsey)
- config: add internal service URLs #2801 (@calebdoxsey)
- envoy: add hash policy and routing key for hash-based load balancers #2791 (@calebdoxsey)
- authorize: support X-Pomerium-Authorization in addition to Authorization #2780 (@calebdoxsey)
- envoy: treat configuration errors as fatal #2777 (@calebdoxsey)
- envoy: add support for bind_config bootstrap options #2772 (@calebdoxsey)
- authenticate: redirect / to /.pomerium/ #2770 (@calebdoxsey)
- device: add type id and credential id to enrollment for easier referencing #2749 (@calebdoxsey)
- databroker: add additional log for config source #2718 (@calebdoxsey)
- grpc: remove peer field from logs #2712 (@calebdoxsey)
- desktop client api #2711 (@wasaga)
- telemetry: improve zipkin error logs #2710 (@calebdoxsey)
- authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
- webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
- ppl: add support for additional data #2696 (@calebdoxsey)
- Add additional ACME CA (autocert) options #2695 (@hslatman)
- skip configuration updates to the most recent one #2690 (@wasaga)
- authenticate: add support for webauthn #2688 (@calebdoxsey)
- webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)
- devices: add device protobuf types #2682 (@calebdoxsey)
- cryptutil: add SecureToken #2681 (@calebdoxsey)
- config/envoyconfig: better duplicate message #2661 (@desimone)
- pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
- ppl: pass contextual information through policy #2612 (@calebdoxsey)
- add description to service accounts #2611 (@nhayfield)
- DOCS: Add copy button to code snippets #2597 (@alexfornuto)
- pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
- cli: update tcp log output format #2586 (@travisgroth)
- directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
- google: support provider URL #2567 (@calebdoxsey)
- config: remove signature_key_algorithm #2557 (@calebdoxsey)
- allow pomerium to start without certs #2555 (@wasaga)
- integration: kubernetes support #2536 (@calebdoxsey)
- integration: nginx #2532 (@calebdoxsey)
- integration: add traefik tests #2530 (@calebdoxsey)
- envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
- config: remove headers #2522 (@calebdoxsey)
- integration: add multi test #2519 (@calebdoxsey)
- Remove api from GitLab defaultScope #2518 (@alexfornuto)
- integration: add single-cluster integration tests #2516 (@calebdoxsey)
- integration: remove tests #2514 (@calebdoxsey)
- github: support provider URL #2490 (@calebdoxsey)
- protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
- fix go get, improve redis test #2450 (@calebdoxsey)
- all: remove unused handler code #2439 (@desimone)
Security
Fixed
- config: allow specifying auto codec type in all-in-one mode #2846 (@calebdoxsey)
- dashboard: add confirmation dialog, fix button in firefox #2841 (@calebdoxsey)
- fix: Fixed return description error #2825 (@cfanbo)
- internal/telemetry: fix grpc server metrics #2811 (@travisgroth)
- Fix IdP client metrics #2810 (@travisgroth)
- envoyconfig: fix tls_downstream_client_ca for non-standard ports #2802 (@calebdoxsey)
- config: detect changes to the kubernetes service account token file #2767 (@calebdoxsey)
- deps: update goreleaser #2757 (@travisgroth)
Documentation
- add docs for ingress regex path #2822 (@wasaga)
- fix typo in docs #2819 (@wasaga)
- DOCS: add Grafana to Guides index #2808 (@alexfornuto)
- DOCS: Fix indentation in API doc #2798 (@alexfornuto)
- DOCS: Create Consolidated Troubleshooting Guide and Replace FAQ #2797 (@alexfornuto)
- docs: update pomerium-cli location #2790 (@travisgroth)
- Document Pomerium Policy Language #2789 (@backport-actions-token[bot])
- Copy edit to changelog entry #2786 (@alexfornuto)
- Document Pomerium Policy Language #2784 (@alexfornuto)
- Remove forward_auth_url from Enterprise #2779 (@alexfornuto)
- Docs: Update Kubernetes Dashboard Guide #2759 (@alexfornuto)
- Docs: Update Securing Kubernetes Guide #2758 (@alexfornuto)
- Docs: Add spdy annotation #2747 (@alexfornuto)
- Docs: Update JWT Verification Guide #2746 (@alexfornuto)
- Docs: Add Grafana Integration Guide #2742 (@alexfornuto)
- Docs: Update Traefik Example Headers #2732 (@alexfornuto)
- Docs: Reference gRPC API Docs #2717 (@alexfornuto)
- Minor fix in routes documentation #2714 (@Kerwood)
- Docs: Update Community Page #2713 (@cmo-pomerium)
- Update overview/architecture.md #2701 (@cmo-pomerium)
- Update create TLS command to quote strings. #2694 (@FutureMatt)
- Docs: Correct Claim Example #2689 (@alexfornuto)
- Fix typo in docs #2683 (@nihaals)
- Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
- add service account redirects #2664 (@alexfornuto)
- DOCS: Standardize Relative Links #2651 (@alexfornuto)
- Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
- adjust sidebarDepths and document Desktop Client releases #2645 (@backport-actions-token[bot])
- typo #2644 (@alexfornuto)
- adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
- DOCS: CORS preflight in console #2642 (@alexfornuto)
- DOCS: Collapse IDP Header #2641 (@alexfornuto)
- docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
- Docs: Batch Updates #2628 (@alexfornuto)
- Refresh and Update TCP documentation #2627 (@alexfornuto)
- DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
- Docs/batch link fixes #2621 (@alexfornuto)
- Add redirect for installation #2618 (@alexfornuto)
- Add docs team as a code owner of packages.json #2605 (@alexfornuto)
- Update CODEOWNERS #2603 (@alexfornuto)
- DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
- Document Enterprise API #2595 (@alexfornuto)
- docs: rename updated icon image #2582 (@travisgroth)
- docs: add updated icon asset #2580 (@travisgroth)
- Document recovery token generation #2579 (@alexfornuto)
- New Topic Page: Original Request Context #2569 (@alexfornuto)
- docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
- TCP Client Doc #2561 (@alexfornuto)
- Docs: Fix merged PR #2546 (@alexfornuto)
- docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
- Update Ping Identity IdP #2537 (@alexfornuto)
- update OneLogin IdP doc #2533 (@alexfornuto)
- Update GitLab IdP doc #2520 (@alexfornuto)
- update GitHub IdP doc #2503 (@alexfornuto)
- Update AWS cognito IdP doc #2498 (@alexfornuto)
- Update Azure IdP Doc #2497 (@alexfornuto)
- Auth0 Doc Refresh #2494 (@alexfornuto)
- Update IdP Overview Page #2493 (@alexfornuto)
- Update Okta IdP doc #2491 (@alexfornuto)
- adjust comment blocking #2488 (@alexfornuto)
- document binding service to 443 #2487 (@alexfornuto)
- docs: use generic email #2484 (@alexfornuto)
- Update Docker Quickstart #2482 (@alexfornuto)
- Wrap mkcert command in quotes #2481 (@alexfornuto)
- Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
- wrap header example values as inline code. #2474 (@alexfornuto)
- docs: clarify custom request header limitations #2471 (@desimone)
- Update Helm Instructions #2467 (@alexfornuto)
- docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
- Document tracing sample rate in console #2461 (@alexfornuto)
- Document moving routes #2460 (@alexfornuto)
- Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
- docs: update codeowners #2451 (@travisgroth)
- Update binary install doc #2447 (@alexfornuto)
- docs: update branding, concepts #2445 (@desimone)
- specify expected audience in Console config #2442 (@alexfornuto)
- docs: update default version to v0.15 #2437 (@travisgroth)
- docs: update branding #2435 (@desimone)
Dependency
- chore(deps): bump google.golang.org/api from 0.62.0 to 0.63.0 #2834 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 #2833 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.10.0 to 1.10.1 #2832 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 #2831 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.11+incompatible to 20.10.12+incompatible #2817 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.0 #2816 (@dependabot[bot])
- dev build support for darwin-arm64 from envoy tip #2815 (@wasaga)
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.10 to 3.21.11 #2807 (@dependabot[bot])
- chore(deps): bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 #2806 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.60.0 to 0.61.0 #2805 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.34.2 to 0.35.0 #2804 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.15.1 to 4.16.1 #2803 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 #2785 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.14.2 to 4.15.1 #2783 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.10+incompatible to 20.10.11+incompatible #2776 (@dependabot[bot])
- chore(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3 #2775 (@dependabot[bot])
- chore(deps): bump mikefarah/yq from 4.6.3 to 4.14.2 #2774 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.15.1 to 0.15.2 #2769 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.1 to 4.1.2 #2768 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.34.1 to 0.34.2 #2765 (@dependabot[bot])
- chore(deps): bump github.com/mholt/acmez from 1.0.0 to 1.0.1 #2764 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.21.0 to 5.21.1 #2763 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.42.1 to 1.43.0 #2756 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.34.0 to 0.34.1 #2755 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 #2754 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 #2753 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.20.0 to 5.21.0 #2752 (@dependabot[bot])
- dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
- chore(deps): bump google.golang.org/api from 0.58.0 to 0.60.0 #2737 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
- chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
- bump protoc-validate #2606 (@wasaga)
- chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
- chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
- chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
- chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
- chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
- ci: use go 1.17.x #2492 (@desimone)
- chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
- ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
- chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
- Hadolint #2363 (@stephengroat)
Deployment
- deployment: migrate pomerium-cli automation to new repo #2771 (@travisgroth)
- deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
- deployment: update goreleaser syntax #2524 (@travisgroth)
Changed
- move NewGRPCClientConn to public package #2826 (@wasaga)
- rm cli code #2824 (@wasaga)
- ci: remove hadolint #2726 (@travisgroth)
- ci: ignore multiple run commands #2566 (@travisgroth)
- redirect logo to the marketing site #2441 (@alexfornuto)
- ci: use github app for backport credentials #2369 (@travisgroth)
v0.15.8 (2021-12-17)
Fixed
- authorize: fix nginx infinite redirect #2812 (@calebdoxsey)
Documentation
- DOCS: add Grafana to Guides index #2809 (@backport-actions-token[bot])
- DOCS: Fix indentation in API doc #2799 (@backport-actions-token[bot])
- Docs: Update Kubernetes Dashboard Guide #2795 (@backport-actions-token[bot])
- Docs: Update Securing Kubernetes Guide #2792 (@backport-actions-token[bot])
- Docs: Update JWT Verification Guide #2787 (@backport-actions-token[bot])
Dependency
- deps: pin release to latest go version #2827 (@travisgroth)
v0.15.7 (2021-11-15)
Fixed
- autocert: remove log #2750 (@backport-actions-token[bot])
Security
- identity: fix user refresh #2725 (@backport-actions-token[bot])
Documentation
- Docs: Add Grafana Integration Guide #2762 (@backport-actions-token[bot])
- Docs: Add spdy annotation #2751 (@backport-actions-token[bot])
- Docs: Ingress Controller #2745 (@backport-actions-token[bot])
- Docs: Update Traefik Example Headers #2741 (@backport-actions-token[bot])
- Docs: Update Community Page #2731 (@backport-actions-token[bot])
- Minor fix in routes documentation #2721 (@backport-actions-token[bot])
- Docs: Reference gRPC API Docs #2720 (@backport-actions-token[bot])
- Update overview/architecture.md #2707 (@backport-actions-token[bot])
v0.15.6 (2021-11-04)
Breaking
- github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)
New
- databroker: add additional log for config source #2718 (@calebdoxsey)
- grpc: remove peer field from logs #2712 (@calebdoxsey)
- desktop client api #2711 (@wasaga)
- telemetry: improve zipkin error logs #2710 (@calebdoxsey)
- authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
- webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
- ppl: add support for additional data #2696 (@calebdoxsey)
- Add additional ACME CA (autocert) options #2695 (@hslatman)
- skip configuration updates to the most recent one #2690 (@wasaga)
- authenticate: add support for webauthn #2688 (@calebdoxsey)
- webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)
- devices: add device protobuf types #2682 (@calebdoxsey)
- cryptutil: add SecureToken #2681 (@calebdoxsey)
- config/envoyconfig: better duplicate message #2661 (@desimone)
- pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
- ppl: pass contextual information through policy #2612 (@calebdoxsey)
- add description to service accounts #2611 (@nhayfield)
- DOCS: Add copy button to code snippets #2597 (@alexfornuto)
- pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
- cli: update tcp log output format #2586 (@travisgroth)
- directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
- google: support provider URL #2567 (@calebdoxsey)
- allow pomerium to start without certs #2555 (@wasaga)
- integration: kubernetes support #2536 (@calebdoxsey)
- integration: nginx #2532 (@calebdoxsey)
- integration: add traefik tests #2530 (@calebdoxsey)
- envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
- config: remove headers #2522 (@calebdoxsey)
- integration: add multi test #2519 (@calebdoxsey)
- Remove api from GitLab defaultScope #2518 (@alexfornuto)
- integration: add single-cluster integration tests #2516 (@calebdoxsey)
- integration: remove tests #2514 (@calebdoxsey)
- github: support provider URL #2490 (@calebdoxsey)
- protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
- fix go get, improve redis test #2450 (@calebdoxsey)
- all: remove unused handler code #2439 (@desimone)
Fixed
- deployment: relocate pomerium-cli to /usr/bin #2727 (@travisgroth)
- authenticate: always update user record on login #2719 (@calebdoxsey)
- authenticate: add databroker versions to session cookie #2709 (@calebdoxsey)
- protoc: add xds repo #2687 (@calebdoxsey)
- add host-rewrite options to config.proto #2668 (@wasaga)
- authclient: clone TLS configuration to prevent overriding NextProtos #2594 (@calebdoxsey)
- tcptunnel: force the use of HTTP/1.1 during ALPN #2593 (@calebdoxsey)
- userinfo: format exp, iat and updated_at #2585 (@calebdoxsey)
- autocert: remove log #2584 (@calebdoxsey)
- authorize: use session.user_id in headers #2571 (@calebdoxsey)
- ppl: use session.user_id instead of user.id for user criterion #2562 (@calebdoxsey)
- authorize: fix google cloudrun header audience #2558 (@calebdoxsey)
- authorize: fix X-Pomerium-Claim-Groups #2539 (@calebdoxsey)
- grpc: disable gRPC connection re-use across services #2515 (@calebdoxsey)
- fix forward-auth, logging #2509 (@calebdoxsey)
- grpc: send client traffic through envoy #2469 (@calebdoxsey)
- options: remove refresh_cooldown, add allow_spdy to proto #2446 (@calebdoxsey)
Security
Documentation
- Docs: Update Traefik Example Headers #2732 (@alexfornuto)
- Docs: Reference gRPC API Docs #2717 (@alexfornuto)
- Minor fix in routes documentation #2714 (@Kerwood)
- Docs: Update Community Page #2713 (@cmo-pomerium)
- Update overview/architecture.md #2701 (@cmo-pomerium)
- Update create TLS command to quote strings. #2694 (@FutureMatt)
- Docs: Correct Claim Example #2689 (@alexfornuto)
- Fix typo in docs #2683 (@nihaals)
- Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
- Docs: Ingress Controller #2667 (@alexfornuto)
- add service account redirects #2664 (@alexfornuto)
- DOCS: Standardize Relative Links #2651 (@alexfornuto)
- Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
- typo #2644 (@alexfornuto)
- adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
- DOCS: CORS preflight in console #2642 (@alexfornuto)
- DOCS: Collapse IDP Header #2641 (@alexfornuto)
- docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
- Docs: Batch Updates #2628 (@alexfornuto)
- Refresh and Update TCP documentation #2627 (@alexfornuto)
- DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
- Docs/batch link fixes #2621 (@alexfornuto)
- Add redirect for installation #2618 (@alexfornuto)
- Add docs team as a code owner of packages.json #2605 (@alexfornuto)
- Update CODEOWNERS #2603 (@alexfornuto)
- DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
- Document Enterprise API #2595 (@alexfornuto)
- docs: rename updated icon image #2582 (@travisgroth)
- docs: add updated icon asset #2580 (@travisgroth)
- Document recovery token generation #2579 (@alexfornuto)
- New Topic Page: Original Request Context #2569 (@alexfornuto)
- docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
- TCP Client Doc #2561 (@alexfornuto)
- Docs: Fix merged PR #2546 (@alexfornuto)
- docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
- Update Ping Identity IdP #2537 (@alexfornuto)
- update OneLogin IdP doc #2533 (@alexfornuto)
- Update GitLab IdP doc #2520 (@alexfornuto)
- update GitHub IdP doc #2503 (@alexfornuto)
- Update AWS cognito IdP doc #2498 (@alexfornuto)
- Update Azure IdP Doc #2497 (@alexfornuto)
- Auth0 Doc Refresh #2494 (@alexfornuto)
- Update IdP Overview Page #2493 (@alexfornuto)
- Update Okta IdP doc #2491 (@alexfornuto)
- adjust comment blocking #2488 (@alexfornuto)
- document binding service to 443 #2487 (@alexfornuto)
- docs: use generic email #2484 (@alexfornuto)
- Update Docker Quickstart #2482 (@alexfornuto)
- Wrap mkcert command in quotes #2481 (@alexfornuto)
- Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
- wrap header example values as inline code. #2474 (@alexfornuto)
- docs: clarify custom request header limitations #2471 (@desimone)
- Update Helm Instructions #2467 (@alexfornuto)
- docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
- Document tracing sample rate in console #2461 (@alexfornuto)
- Document moving routes #2460 (@alexfornuto)
- Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
- docs: update codeowners #2451 (@travisgroth)
- Update binary install doc #2447 (@alexfornuto)
- docs: update branding, concepts #2445 (@desimone)
- specify expected audience in Console config #2442 (@alexfornuto)
- docs: update default version to v0.15 #2437 (@travisgroth)
- docs: update branding #2435 (@desimone)
Dependency
- dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
- chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
- chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
- chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
- chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
- bump protoc-validate #2606 (@wasaga)
- chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
- chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
- chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
- chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
- chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
- chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
- chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
- ci: use go 1.17.x #2492 (@desimone)
- chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
- ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])
- chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
- Hadolint #2363 (@stephengroat)
Deployment
- deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
- deployment: update goreleaser syntax #2524 (@travisgroth)
Changed
- ci: remove hadolint #2726 (@travisgroth)
- ci: ignore multiple run commands #2566 (@travisgroth)
- redirect logo to the marketing site #2441 (@alexfornuto)
v0.15.5 (2021-10-22)
New
- skip configuration updates to the most recent one #2692 (@backport-actions-token[bot])
Documentation
- Update create TLS command to quote strings. #2697 (@backport-actions-token[bot])
- DOCS: CORS preflight in console #2693 (@backport-actions-token[bot])
- Docs: Correct Claim Example #2691 (@backport-actions-token[bot])
- Fix typo in docs #2684 (@backport-actions-token[bot])
Deployment
- deployment: remove DST_Root_CA_X3 from docker images #2698 (@travisgroth)
v0.15.4 (2021-10-14)
New
- protoutil: add NewAny method for deterministic serialization #2662 (@backport-actions-token[bot])
Fixed
- backport: host rewrite #2669 (@wasaga)
Documentation
- Fixed 'kubtctl' typo on releases page #2680 (@backport-actions-token[bot])
- Refresh and Update TCP documentation #2679 (@backport-actions-token[bot])
- Docs: Ingress Controller #2667 (@alexfornuto)
- add service account redirects #2665 (@backport-actions-token[bot])
- DOCS: Standardize Relative Links (#2651) #2654 (@alexfornuto)
- Docs: cross-reference links between concepts and reference #2650 (@backport-actions-token[bot])
- DOCS: Collapse IDP Header #2649 (@backport-actions-token[bot])
- typo #2646 (@backport-actions-token[bot])
- Docs: Batch Updates #2640 (@backport-actions-token[bot])
- docs: remove extra word / updated docs link #2639 (@backport-actions-token[bot])
- TCP Client Doc #2626 (@backport-actions-token[bot])
- DOC: Copy edits to Okta IdP doc. #2625 (@backport-actions-token[bot])
- DOCS: Update Enterprise Reference Docs #2624 (@backport-actions-token[bot])
- Docs/batch link fixes #2622 (@backport-actions-token[bot])
- Add redirect for installation #2620 (@backport-actions-token[bot])
- Document Enterprise API #2619 (@backport-actions-token[bot])
v0.15.3 (2021-09-17)
New
- cli: update tcp log output format #2587 (@travisgroth)
Fixed
- backport 2593 and 2594 to 0.15 #2598 (@calebdoxsey)
Documentation
- Add docs team as a code owner of packages.json #2607 (@backport-actions-token[bot])
- New Topic Page: Original Request Context #2602 (@backport-actions-token[bot])
- Document recovery token generation #2601 (@backport-actions-token[bot])
- DOCS: Add copy button to code snippets #2600 (@backport-actions-token[bot])
- docs: rename updated icon image #2583 (@backport-actions-token[bot])
- docs: add updated icon asset #2581 (@backport-actions-token[bot])
Changed
- Update CODEOWNERS #2604 (@backport-actions-token[bot])
v0.15.2 (2021-09-03)
New
- allow pomerium to start without certs #2556 (@backport-actions-token[bot])
Fixed
- authorize: use session.user_id in headers #2572 (@backport-actions-token[bot])
- ppl: use session.user_id instead of user.id for user criterion #2563 (@backport-actions-token[bot])
- authorize: fix google cloudrun header audience #2560 (@backport-actions-token[bot])
- authorize: fix X-Pomerium-Claim-Groups #2540 (@backport-actions-token[bot])
Documentation
- docs: enterprise console v0.15.2 changelog #2565 (@backport-actions-token[bot])
- Docs: Fix merged PR #2547 (@backport-actions-token[bot])
- Update Ping Identity IdP #2545 (@backport-actions-token[bot])
- update OneLogin IdP doc #2544 (@backport-actions-token[bot])
- docs: enterprise v0.15.1 changelog #2543 (@backport-actions-token[bot])
- Updates to Enterprise Quickstart instructions #2531 (@backport-actions-token[bot])
v0.15.0 (2021-08-05)
Breaking
- config: remove support for ed25519 signing keys #2430 (@calebdoxsey)
New
- telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
- authorize: log additional session details #2419 (@calebdoxsey)
- telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
- sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
- envoyconfig: improvements #2402 (@calebdoxsey)
- config: add support for embedded PPL policy #2401 (@calebdoxsey)
- ppl: remove support for aliases #2400 (@calebdoxsey)
- directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
- evaluator: use
cryptutil.Hash
for script spans #2384 (@desimone) - authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
- k8s: add flush-credentials command #2379 (@calebdoxsey)
- urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
- ci: use revive instead of golint #2370 (@calebdoxsey)
- authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
- envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
- config: add warning about http URLs #2358 (@calebdoxsey)
- authorize: log service account and impersonation details #2354 (@calebdoxsey)
- tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
- envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
- registry/redis: call publish from within lua function #2337 (@calebdoxsey)
Fixed
- config: remove grpc server max connection age options #2427 (@calebdoxsey)
- authorize: add sid to JWT claims #2420 (@calebdoxsey)
- disable http/2 for websockets #2399 (@calebdoxsey)
- ci: update gcloud action #2393 (@travisgroth)
- google: remove WithHTTPClient #2391 (@calebdoxsey)
- telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
- authorize: allow redirects on deny #2361 (@calebdoxsey)
- authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
- envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
- envoy: only check for pid with monitor #2355 (@calebdoxsey)
- fix: timeout in protobuf #2341 (@wasaga)
- authorize: support boolean deny results #2338 (@calebdoxsey)
Security
- envoy: only allow embedding #2368 (@calebdoxsey)
Documentation
- update v0.15 changelog #2436 (@travisgroth)
- doc updates #2433 (@calebdoxsey)
- Update Console installs to match signing_key #2432 (@alexfornuto)
- docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
- docs: clarify device identity, not state via client certs #2428 (@desimone)
- v0.15 release notes #2409 (@travisgroth)
- docs: only secure schemes are supported #2408 (@desimone)
- Installation Docs Restructuring #2406 (@alexfornuto)
- symlink security policy to root of project #2396 (@desimone)
- Enterprise Docs #2390 (@alexfornuto)
- Docs bug fixes #2362 (@alexfornuto)
- Docs sorting #2346 (@alexfornuto)
- Update installation source for mkcert #2340 (@alexfornuto)
Dependency
- chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
- chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
- chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
- ci: convert to FOSSA scan #2371 (@travisgroth)
- chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
- chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
- chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
Changed
- redis: increase timeout on test #2425 (@calebdoxsey)
- build: add envoy files to
make clean
#2411 (@travisgroth) - envoy: bump to 1.19 #2392 (@travisgroth)
- ci: use github app for backport credentials #2369 (@travisgroth)
- databroker: tests #2367 (@calebdoxsey)
- storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)
- redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
v0.14.8 (2021-08-26)
Security
- deps: bump envoy to v0.17.4 #2535 (@travisgroth)
Documentation
- docs: only secure schemes are supported #2410 (@backport-actions-token[bot])
- Docs bug fixes #2364 (@github-actions[bot])
- Docs backporting #2351 (@alexfornuto)
- docs: google gcp / workspace instructions #2350 (@github-actions[bot])
Dependency
- chore(deps): upgrade kind action to v1.2.0 (#2281) #2366 (@travisgroth)
Changed
- ci: update gcloud action #2538 (@backport-actions-token[bot])
v0.15.1 (2021-08-25)
Fixed
- options: remove refresh_cooldown, add allow_spdy to proto #2448 (@backport-actions-token[bot])
Security
- deps: update envoy to 1.19.1 #2527 (@backport-actions-token[bot])
Documentation
- Update GitLab IdP doc #2529 (@backport-actions-token[bot])
- Remove api from GitLab defaultScope #2528 (@backport-actions-token[bot])
- update GitHub IdP doc #2508 (@backport-actions-token[bot])
- docs: update codeowners #2506 (@backport-actions-token[bot])
- Update Helm Instructions #2505 (@backport-actions-token[bot])
- Update Azure IdP Doc #2504 (@backport-actions-token[bot])
- Update IdP Overview Page #2502 (@backport-actions-token[bot])
- Update AWS cognito IdP doc #2501 (@backport-actions-token[bot])
- Auth0 Doc Refresh #2500 (@backport-actions-token[bot])
- document binding service to 443 #2499 (@backport-actions-token[bot])
- Update Okta IdP doc #2495 (@backport-actions-token[bot])
- adjust comment blocking #2489 (@backport-actions-token[bot])
- Update Docker Quickstart (#2482) #2486 (@alexfornuto)
- docs: use generic email #2485 (@backport-actions-token[bot])
- wrap header example values as inline code. #2479 (@backport-actions-token[bot])
- docs: clarify custom request header limitations #2472 (@backport-actions-token[bot])
- Document moving routes #2466 (@backport-actions-token[bot])
- Document tracing sample rate in console #2465 (@backport-actions-token[bot])
- docs: update enterprise helm instructions to use main repo #2464 (@backport-actions-token[bot])
- Enterprise Upgrade & Changelog Pages #2458 (@backport-actions-token[bot])
- Update binary install doc #2452 (@backport-actions-token[bot])
- docs: update branding, concepts #2449 (@backport-actions-token[bot])
- specify expected audience in Console config #2444 (@backport-actions-token[bot])
- redirect logo to the marketing site #2443 (@backport-actions-token[bot])
- docs: update branding #2440 (@backport-actions-token[bot])
- docs: update default version to v0.15 #2438 (@backport-actions-token[bot])
Dependency
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])
Deployment
- deployment: update goreleaser syntax #2525 (@backport-actions-token[bot])
- ci: support darwn/arm64 aka m1 for cli #2521 (@travisgroth)
v0.15.0 (2021-08-05)
Breaking
- config: remove support for ed25519 signing keys #2430 (@calebdoxsey)
New
- telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
- authorize: log additional session details #2419 (@calebdoxsey)
- telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
- sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
- envoyconfig: improvements #2402 (@calebdoxsey)
- config: add support for embedded PPL policy #2401 (@calebdoxsey)
- ppl: remove support for aliases #2400 (@calebdoxsey)
- directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
- evaluator: use
cryptutil.Hash
for script spans #2384 (@desimone) - authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
- k8s: add flush-credentials command #2379 (@calebdoxsey)
- urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
- ci: use revive instead of golint #2370 (@calebdoxsey)
- authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
- envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
- config: add warning about http URLs #2358 (@calebdoxsey)
- authorize: log service account and impersonation details #2354 (@calebdoxsey)
- tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
- envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
- registry/redis: call publish from within lua function #2337 (@calebdoxsey)
- proxy: add idle timeout #2319 (@wasaga)
- cli: use proxy from environment #2316 (@tskinn)
- authorize: do not send redirects to gRPC #2314 (@wasaga)
- certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
- config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
- envoy: refactor envoy embedding #2296 (@calebdoxsey)
- envoy: add full version #2287 (@calebdoxsey)
- authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
- xds: retry storing configuration events #2266 (@calebdoxsey)
- envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
- authorize: preserve original context #2247 (@wasaga)
- ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
- ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
- ppl: convert config policy to ppl #2218 (@calebdoxsey)
- Pomerium Policy Language #2202 (@calebdoxsey)
- telemetry: add hostname tag to metrics #2191 (@wasaga)
- envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
- registry: implement redis backend #2179 (@calebdoxsey)
- report instance hostname in xds events #2175 (@wasaga)
- databroker: implement leases #2172 (@calebdoxsey)
Fixed
- config: remove grpc server max connection age options #2427 (@calebdoxsey)
- authorize: add sid to JWT claims #2420 (@calebdoxsey)
- disable http/2 for websockets #2399 (@calebdoxsey)
- ci: update gcloud action #2393 (@travisgroth)
- google: remove WithHTTPClient #2391 (@calebdoxsey)
- telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
- authorize: allow redirects on deny #2361 (@calebdoxsey)
- authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
- envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
- envoy: only check for pid with monitor #2355 (@calebdoxsey)
- fix: timeout in protobuf #2341 (@wasaga)
- authorize: support boolean deny results #2338 (@calebdoxsey)
- ppl: fix not/nor rules #2313 (@calebdoxsey)
- directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
- ocsp: reload on response changes #2286 (@wasaga)
- envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
- databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
- redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
- authorize: only redirect for HTML pages #2264 (@calebdoxsey)
- tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)
- envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
- envoy: disable hot-reload for macos #2259 (@calebdoxsey)
- authorize: round timestamp #2258 (@wasaga)
- options: s/shared-key/shared secret #2257 (@desimone)
- config: warn about unrecognized keys #2256 (@wasaga)
- darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
- policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
- envoy: exit if envoy exits #2240 (@calebdoxsey)
- envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
- envoy: add global response headers to local replies #2217 (@calebdoxsey)
- forward auth: don't strip query parameters #2216 (@wasaga)
- PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
- Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
- authorize: grpc health check #2200 (@wasaga)
- proxy / controplane: use old upstream cipher suite #2196 (@desimone)
- deployment: fix empty version on master builds #2193 (@travisgroth)
Security
Documentation
- doc updates #2433 (@calebdoxsey)
- Update Console installs to match signing_key #2432 (@alexfornuto)
- docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
- docs: clarify device identity, not state via client certs #2428 (@desimone)
- v0.15 release notes #2409 (@travisgroth)
- docs: only secure schemes are supported #2408 (@desimone)
- Installation Docs Restructuring #2406 (@alexfornuto)
- symlink security policy to root of project #2396 (@desimone)
- Enterprise Docs #2390 (@alexfornuto)
- Helm Quickstart Update #2380 (@alexfornuto)
- Docs bug fixes #2362 (@alexfornuto)
- Docs sorting #2346 (@alexfornuto)
- Update installation source for mkcert #2340 (@alexfornuto)
- Update kubernetes-dashboard.md #2285 (@WeeHong)
- Transmission BitTorrent Client Guide #2281 (@alexfornuto)
- docs: google gcp / workspace instructions #2272 (@desimone)
- docs: update helm values for chart v20.0.0 #2242 (@travisgroth)
- docs: update _redirects #2237 (@desimone)
- add support for latest version of code-server #2229 (@bpmct)
- fix(docs): use correct name for code-server #2223 (@jsjoeio)
- docs: rm broken link #2215 (@alexfornuto)
- docs: Match Tenses #2214 (@alexfornuto)
- Update programmatic-access.md #2190 (@yyolk)
- docs: add v0.14 feature highlights #2184 (@github-actions[bot])
- docs: add v0.14 feature highlights #2183 (@travisgroth)
- docs: update slack link to vanity url #2177 (@travisgroth)
Dependency
- chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
- chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
- chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
- ci: convert to FOSSA scan #2371 (@travisgroth)
- chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
- chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
- chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
- chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
- chore(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.0 #2318 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.8.0 to 1.8.1 #2317 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.48.0 to 0.49.0 #2315 (@dependabot[bot])
- chore(deps): bump github.com/spf13/viper from 1.7.1 to 1.8.0 #2305 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.18.0 to 5.19.1 #2304 (@dependabot[bot])
- chore(deps): bump github.com/ory/dockertest/v3 from 3.6.5 to 3.7.0 #2303 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.47.0 to 0.48.0 #2295 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 #2294 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.22.0 to 1.23.0 #2293 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.17.0 to 5.18.0 #2292 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.13.1 to 0.14.0 #2291 (@dependabot[bot])
- chore(deps): bump github.com/golang/mock from 1.5.0 to 1.6.0 #2290 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.25.0 to 0.29.0 #2289 (@dependabot[bot])
- deps: upgrade to go-jose v3 #2284 (@calebdoxsey)
- chore(deps): bump github.com/go-redis/redis/v8 from 8.9.0 to 8.10.0 #2276 (@dependabot[bot])
- chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.4 to 3.21.5 #2274 (@dependabot[bot])
- chore(deps): bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0 #2273 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.29.4 #2255 (@dependabot[bot])
- chore(deps): bump go.uber.org/zap from 1.16.0 to 1.17.0 #2254 (@dependabot[bot])
- chore(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 #2253 (@dependabot[bot])
- chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 #2252 (@dependabot[bot])
- chore(deps): bump github.com/mitchellh/hashstructure/v2 from 2.0.1 to 2.0.2 #2251 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.3 to 8.9.0 #2249 (@dependabot[bot])
- darwin: use x86 envoy build for arm64 #2246 (@calebdoxsey)
- chore(deps): bump github.com/prometheus/common from 0.24.0 to 0.25.0 #2234 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.46.0 to 0.47.0 #2233 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.2 to 8.8.3 #2232 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0 #2231 (@dependabot[bot])
- dependency: update /x/net #2227 (@desimone)
- chore(deps): bump github.com/lithammer/shortuuid/v3 from 3.0.6 to 3.0.7 #2211 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.23.0 to 0.24.0 #2210 (@dependabot[bot])
- chore(deps): bump github.com/rs/zerolog from 1.21.0 to 1.22.0 #2209 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.16.0 to 5.17.0 #2208 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.37.0 to 1.37.1 #2207 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.13.0 to 0.13.1 #2188 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.15.0 to 5.16.0 #2187 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.45.0 to 0.46.0 #2186 (@dependabot[bot])
Changed
- redis: increase timeout on test #2425 (@calebdoxsey)
- build: add envoy files to
make clean
#2411 (@travisgroth) - envoy: bump to 1.19 #2392 (@travisgroth)
- ci: use github app for backport credentials #2369 (@travisgroth)
- databroker: tests #2367 (@calebdoxsey)
- storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)
- redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
- internal/envoy: add debugging information if envoy is no longer running #2320 (@travisgroth)
- ci: add coveralls #2279 (@travisgroth)
v0.14.7 (2021-06-24)
Fixed
- directory/azure: add paging support to user group members call #2312 (@github-actions[bot])
v0.14.6 (2021-06-16)
Fixed
- authorize: only redirect for HTML pages (#2264) #2298 (@calebdoxsey)
v0.14.5 (2021-06-07)
Fixed
- envoy: fix usage of codec_type with alpn #2278 (@github-actions[bot])
- authorize: round JWT claim timestamps #2260 (@wasaga)
Documentation
- docs: update helm values for chart v20.0.0 #2244 (@github-actions[bot])
- docs: update _redirects #2238 (@github-actions[bot])
v0.14.4 (2021-05-24)
Fixed
- authorize: add rego functions to custom evaluator #2236 (@calebdoxsey)
v0.14.3 (2021-05-21)
Fixed
- authorize: fix custom rego panic #2226 (@calebdoxsey)
Changed
- envoy: add global response headers to local replies #2225 (@github-actions[bot])
v0.14.2 (2021-05-17)
Fixed
- Revert "authenticate,proxy: add same site lax to cookies" #2204 (@github-actions[bot])
Documentation
- Update programmatic-access.md #2205 (@github-actions[bot])
v0.14.1 (2021-05-13)
Fixed
- proxy / controplane: use old upstream cipher suite #2197 (@github-actions[bot])
Security
- deps: bump envoy to v1.17.3 #2199 (@github-actions[bot])
Documentation
- docs: update slack link to vanity url #2178 (@github-actions[bot])
v0.14.0 (2021-05-04)
New
- databroker: store issued at timestamp with session #2173 (@calebdoxsey)
- config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
- authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
- xds extended event #2158 (@wasaga)
- config: add client_crl #2157 (@calebdoxsey)
- config: add support for codec_type #2156 (@calebdoxsey)
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy boostrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix default provider URL #1928 (@calebdoxsey)
- fix registry test #1911 (@wasaga)
- ci: pin goreleaser version #1900 (@travisgroth)
- onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
- xds: fix misdirected script #1895 (@calebdoxsey)
- authenticate: validate origin of signout #1876 (@desimone)
- redis: fix deletion versioning #1871 (@calebdoxsey)
- options: header only applies to routes and authN #1862 (@desimone)
- controlplane: add global headers to virtualhost #1861 (@desimone)
- unique envoy cluster ids #1858 (@wasaga)
Security
- ci: remove codecov #2161 (@travisgroth)
- internal/envoy: always extract envoy #2160 (@travisgroth)
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
- deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
- proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
Documentation
- docs: add inline instructions to generate signing-key #2164 (@desimone)
- docs: add info note to set_response_headers #2162 (@calebdoxsey)
- docs: mention alternative bearer token header format #2155 (@travisgroth)
- docs: upgrade notes on
allowed\_users
by ID #2133 (@travisgroth) - docs: add threat model to security page #2097 (@desimone)
- docs: update community slack link #2063 (@travisgroth)
- Update local-oidc.md #1994 (@dharmendrakariya)
- ping: add documentation #1976 (@calebdoxsey)
- docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
- Update data-storage.md #1941 (@TanguyPatte)
- docs: fix query param name #1920 (@calebdoxsey)
- docs: add breaking sa changes in v0.13 #1919 (@desimone)
- docs: add v0.13 to docs site menu #1913 (@travisgroth)
- docs: update changelog for v0.13.0 #1909 (@desimone)
- docs: update security policy #1897 (@desimone)
- docs: misc upgrade notes and changelog #1884 (@travisgroth)
- docs: add load balancing weight documentation #1883 (@travisgroth)
- docs: additional load balancing documentation #1875 (@travisgroth)
Dependency
- chore(deps): bump github.com/ory/dockertest/v3 from 3.6.3 to 3.6.5 #2168 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.21.0 to 0.23.0 #2167 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.0 to 0.6.1 #2166 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.27.1 to 0.28.0 #2165 (@dependabot[bot])
- use cached envoy #2132 (@wasaga)
- chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
- do not require project be in GOPATH/src #2078 (@wasaga)
- chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
- deps: switch from renovate to dependabot #2069 (@travisgroth)
- fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
- skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
- fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
- fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
- fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
- deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
- fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
- fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
- fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
- fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
- fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
- fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
- fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
- fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
- fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
- fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
- fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
- fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
- chore(deps): update yaml v2 to v3 #1927 (@desimone)
- chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
- chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])
Deployment
- deployment: update get-envoy script and release hooks #2111 (@travisgroth)
- deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
- deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
- deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
- ci: cache build and test binaries #1938 (@desimone)
- ci: go 1.16.x, cached tests #1937 (@desimone)
Changed
- authorize: remove log #2122 (@calebdoxsey)
- config related metrics #2065 (@wasaga)
- proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
- add default gitlab url #2044 (@contrun)
- Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
- Add
xff\_num\_trusted\_hops
config option #2003 (@ntoofu) - envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
- ci: deploy master to integration environments #1973 (@travisgroth)
- oidc: use groups claim from ID token if present #1970 (@bonifaido)
- config: expose viper policy hooks #1947 (@calebdoxsey)
- ci: deploy latest release to test environment #1916 (@travisgroth)
- logs: strip query string #1894 (@calebdoxsey)
- in-memory service registry #1892 (@wasaga)
- controlplane: maybe fix flaky test #1873 (@calebdoxsey)
- remove generated code from code coverage metrics #1857 (@travisgroth)
v0.14.0-rc2 (2021-04-29)
New
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
Security
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
Documentation
- docs: mention alternative bearer token header format #2155 (@travisgroth)
- docs: upgrade notes on
allowed\_users
by ID #2133 (@travisgroth)
Dependency
- use cached envoy #2132 (@wasaga)
- chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
Deployment
- deployment: update get-envoy script and release hooks #2111 (@travisgroth)
- deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
Changed
- authorize: remove log #2122 (@calebdoxsey)
v0.14.0-rc1 (2021-04-22)
Breaking
- directory: remove provider from user id #2068 (@calebdoxsey)
New
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy boostrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
Fixed
- authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix default provider URL #1928 (@calebdoxsey)
- fix registry test #1911 (@wasaga)
- ci: pin goreleaser version #1900 (@travisgroth)
- onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
- xds: fix misdirected script #1895 (@calebdoxsey)
- authenticate: validate origin of signout #1876 (@desimone)
- redis: fix deletion versioning #1871 (@calebdoxsey)
- options: header only applies to routes and authN #1862 (@desimone)
- controlplane: add global headers to virtualhost #1861 (@desimone)
- unique envoy cluster ids #1858 (@wasaga)
Security
- deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
- proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
Documentation
- docs: add threat model to security page #2097 (@desimone)
- docs: update community slack link #2063 (@travisgroth)
- Update local-oidc.md #1994 (@dharmendrakariya)
- ping: add documentation #1976 (@calebdoxsey)
- docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
- Update data-storage.md #1941 (@TanguyPatte)
- docs: fix query param name #1920 (@calebdoxsey)
- docs: add breaking sa changes in v0.13 #1919 (@desimone)
- docs: add v0.13 to docs site menu #1913 (@travisgroth)
- docs: update changelog for v0.13.0 #1909 (@desimone)
- docs: update security policy #1897 (@desimone)
- docs: misc upgrade notes and changelog #1884 (@travisgroth)
- docs: add load balancing weight documentation #1883 (@travisgroth)
- docs: additional load balancing documentation #1875 (@travisgroth)
Dependency
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
- do not require project be in GOPATH/src #2078 (@wasaga)
- chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
- deps: switch from renovate to dependabot #2069 (@travisgroth)
- fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
- skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
- fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
- fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
- fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
- deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
- fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
- fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
- fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
- fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
- fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
- fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
- fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
- fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
- fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
- fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
- fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
- fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
- chore(deps): update yaml v2 to v3 #1927 (@desimone)
- chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
- chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])
Deployment
- deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
- deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
- ci: cache build and test binaries #1938 (@desimone)
- ci: go 1.16.x, cached tests #1937 (@desimone)
Changed
- config related metrics #2065 (@wasaga)
- proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
- add default gitlab url #2044 (@contrun)
- Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
- Add
xff\_num\_trusted\_hops
config option #2003 (@ntoofu) - envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
- ci: deploy master to integration environments #1973 (@travisgroth)
- oidc: use groups claim from ID token if present #1970 (@bonifaido)
- config: expose viper policy hooks #1947 (@calebdoxsey)
- ci: deploy latest release to test environment #1916 (@travisgroth)
- logs: strip query string #1894 (@calebdoxsey)
- in-memory service registry #1892 (@wasaga)
- controlplane: maybe fix flaky test #1873 (@calebdoxsey)
- remove generated code from code coverage metrics #1857 (@travisgroth)