Changelog

v0.21.0 (2023-01-18)

Full Changelog

Breaking

• proxy: add userinfo and webauthn endpoints #3755 (@calebdoxsey)
• remove forward auth #3628 (@calebdoxsey)

New

• scripts: update get-envoy script to download all binaries #3886 (@calebdoxsey)
• authenticate: add additional error details for hmac errors #3878 (@calebdoxsey)
• config: add support for extended TCP route URLs #3845 (@calebdoxsey)
• authenticate: implement hpke-based login flow #3779 (@calebdoxsey)
• identity: add identity profile #3777 (@calebdoxsey)
• urlutil: add time validation functions #3776 (@calebdoxsey)
• httputil: add cookie chunker #3775 (@calebdoxsey)
• config: add option for tls renegotiation #3773 (@calebdoxsey)
• hpke: add HPKE key to JWKS endpoint #3762 (@calebdoxsey)
• hpke: add hpke package #3761 (@calebdoxsey)

Fixed

• config: add missing options #3882 (@calebdoxsey)
• postgres: return unknown records instead of skipping them #3876 (@calebdoxsey)
• config: use insecure skip verify if derived certificates are not used #3861 (@calebdoxsey)
• config: generate derived certificates instead of self-signed certificates #3860 (@calebdoxsey)
• identity: fix expired session deletion #3855 (@calebdoxsey)
• proxy: fix sign out redirect #3827 (@calebdoxsey)
• dashboard: fix missing avatar and logout menu #3819 (@calebdoxsey)
• autocert: use atomic pointer to allow nil #3816 (@calebdoxsey)
• webauthn: require session when accessing /.pomerium/webauthn #3814 (@calebdoxsey)
• oidc: fix token revocation #3810 (@calebdoxsey)
• jwt: require logged in user to return .pomerium/jwt #3807 (@calebdoxsey)
• storage: ignore removed fields when deserializing the data #3768 (@wasaga)

Dependency

• chore(deps): bump debian from 7ca0fec to 12931ad #3904 (@dependabot[bot])
• chore(deps): bump distroless/base from 8ee3d86 to 9eeffdc #3903 (@dependabot[bot])
• chore(deps): bump golang from 1.19.4-buster to 1.19.5-buster #3902 (@dependabot[bot])
• chore(deps): bump alpine from 8914eb5 to f271e74 #3901 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.7 to 1.18.8 #3900 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.46 to 7.0.47 #3899 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.47.4 to 0.48.0 #3898 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.105.0 to 0.107.0 #3897 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.4.0 to 4.5.0 #3896 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.30.6 to 4.30.8 #3895 (@dependabot[bot])
• chore(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 #3894 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.51.0 to 1.52.0 #3893 (@dependabot[bot])
• chore(deps): bump distroless/base from 8848703 to 8ee3d86 #3874 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.4.0 to 0.5.0 #3873 (@dependabot[bot])
• chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 #3872 (@dependabot[bot])
• chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 #3871 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.2.2 to 3.2.3 #3870 (@dependabot[bot])
• chore(deps): bump actions/setup-node from 3.5.1 to 3.6.0 #3869 (@dependabot[bot])
• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.4.0 to 3.5.0 #3868 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.2.0 to 3.3.0 #3867 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.6 to 1.30.0 #3866 (@dependabot[bot])
• chore(deps): bump golang.org/x/oauth2 from 0.3.0 to 0.4.0 #3865 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.45 to 7.0.46 #3864 (@dependabot[bot])
• chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 #3863 (@dependabot[bot])
• chore(deps): bump luxon from 2.3.0 to 2.5.2 in /ui #3862 (@dependabot[bot])
• chore(deps): bump json5 from 2.2.0 to 2.2.3 in /ui #3853 (@dependabot[bot])
• chore(deps): bump actions/stale from 6.0.1 to 7.0.0 #3852 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.0.11 to 3.2.2 #3851 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.8.0 to 0.9.0 #3850 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.11 to 3.22.12 #3849 (@dependabot[bot])
• chore(deps): bump github.com/rs/cors from 1.8.2 to 1.8.3 #3848 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.29.5 to 1.29.6 #3847 (@dependabot[bot])
• chore(deps): bump golang from e464bb0 to 7c97bae #3843 (@dependabot[bot])
• chore(deps): bump distroless/base from 9283685 to 8848703 #3842 (@dependabot[bot])
• chore(deps): bump debian from 880aa5f to 7ca0fec #3841 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.104.0 to 0.105.0 #3840 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.22+incompatible #3839 (@dependabot[bot])
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.5 to 1.18.7 #3838 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.30.5 to 4.30.6 #3837 (@dependabot[bot])
• chore(deps): bump actions/setup-go from 3.4.0 to 3.5.0 #3836 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.3.1 to 4.4.0 #3834 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.1.0 to 3.2.0 #3833 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.47.3 to 0.47.4 #3832 (@dependabot[bot])
• chore(deps): bump github.com/cloudflare/circl from 1.3.0 to 1.3.1 #3831 (@dependabot[bot])
• postgres: upgrade to pgx v5 #3826 (@calebdoxsey)
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.4 to 1.18.5 #3825 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.47.0 to 0.47.3 #3824 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/common from 0.37.0 to 0.39.0 #3823 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.4.0 #3822 (@dependabot[bot])
• chore(deps): bump distroless/base from cd1bf87 to 9283685 #3804 (@dependabot[bot])
• chore(deps): bump debian from 9583740 to 880aa5f #3803 (@dependabot[bot])
• chore(deps): bump alpine from b95359c to 8914eb5 #3802 (@dependabot[bot])
• chore(deps): bump golang from 1.19.3-buster to 1.19.4-buster #3801 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.3.0 to 4.3.1 #3800 (@dependabot[bot])
• chore(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 #3799 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.9.0 to 0.9.1 #3798 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.103.0 to 0.104.0 #3797 (@dependabot[bot])
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.39 to 7.0.45 #3796 (@dependabot[bot])
• chore(deps): bump github.com/go-chi/chi/v5 from 5.0.7 to 5.0.8 #3795 (@dependabot[bot])
• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.4 to 4.16.0 #3791 (@dependabot[bot])
• chore(deps): bump actions/stale from 5.1.1 to 6.0.1 #3790 (@dependabot[bot])
• chore(deps): bump tibdex/github-app-token from 1.6.0 to 1.7.0 #3789 (@dependabot[bot])
• chore(deps): bump actions/setup-go from 3.3.1 to 3.4.0 #3788 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.30.2 to 4.30.5 #3787 (@dependabot[bot])
• chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.2 to 2.2.0 #3786 (@dependabot[bot])
• chore(deps): bump go.uber.org/zap from 1.23.0 to 1.24.0 #3785 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgtype from 1.12.0 to 1.13.0 #3784 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.10 to 3.22.11 #3783 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.46.1 to 0.47.0 #3782 (@dependabot[bot])
• upgrade to golang-lru v2 #3771 (@calebdoxsey)
• chore(deps): bump azure/docker-login from 81744f9799e7eaa418697cb168452a2882ae844a to 1.0.1 #3770 (@dependabot[bot])
• chore(deps): bump minimatch from 3.0.4 to 3.1.2 in /ui #3760 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 #3759 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.102.0 to 0.103.0 #3758 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.2.0 to 0.3.0 #3757 (@dependabot[bot])
• chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.3 to 4.2.0 #3756 (@dependabot[bot])
• chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.29.2 to 4.30.2 #3749 (@dependabot[bot])
• chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.9 to 3.22.10 #3747 (@dependabot[bot])
• chore(deps): bump golang.org/x/crypto from 0.1.0 to 0.2.0 #3746 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 #3745 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.8.0 to 0.9.0 #3744 (@dependabot[bot])

Changed

• tls_derive: rename for consistency #3905 (@wasaga)
• explicitly list gRPC services accessible via the gRPC listener #3879 (@wasaga)
• auto tls #3856 (@wasaga)
• mTLS: allow gRPC TLS for all in one #3854 (@wasaga)
• authorize: log check() error #3846 (@wasaga)
• envoyconfig: clean up filter chain construction #3844 (@calebdoxsey)
• use tlsClientConfig instead of custom dialer #3830 (@wasaga)
• derive CA from pre-shared key #3815 (@wasaga)
• controlplane: remove gorilla handlers dependency #3813 (@calebdoxsey)
• events: remove xds configuraton update #3792 (@wasaga)
• httputil: ignore errors < 400 #3781 (@calebdoxsey)

v0.20.0

Please refer to the upgrade guide before upgrading.

v0.20.0 (2022-11-14)

Full Changelog

Breaking

• envoyconfig: add all routes to all filter chains #3596 (@calebdoxsey)
• groups via directory sync are no longer supported #3633 (@calebdoxsey)

Security

• httputil: remove error details #3703 (@calebdoxsey)

New

• config: disable Strict-Transport-Security when using a self-signed certificate #3743 (@calebdoxsey)
• config: generate cookie secret if not set in all-in-one mode #3742 (@calebdoxsey)
• authorize: fix user caching #3734 (@calebdoxsey)
• authorize: performance improvements #3723 (@calebdoxsey)
• postgres: increase record batch size #3708 (@calebdoxsey)
• sessions: check idp id to detect provider changes to force session invalidation #3707 (@calebdoxsey)
• controlplane: move jwks.json endpoint to control plane #3691 (@calebdoxsey)
• config: default to http2 #3660 (@calebdoxsey)

Fixed

• authenticate: get/set identity provider id for all sessions #3597 (@calebdoxsey)
• authorize: enforce service account expiration #3661 (@calebdoxsey)
• config: allow blank identity providers when loading sessions for service account support #3709 (@calebdoxsey)
• config: disable envoy admin by default, expose stats via envoy route #3677 (@calebdoxsey)
• controlplane: fix /.well-known/pomerium missing CORS headers #3738 (@calebdoxsey)
• fileutil: update watcher to use fsnotify and polling #3663 (@calebdoxsey)
• postgres: return an empty list of addresses on dns errors #3637 (@calebdoxsey)
• ppl: support special characters in claim keys #3639 (@calebdoxsey)

Changed

• add config option check logging #3722 (@wasaga)
• authenticate: remove ecjson #3688 (@calebdoxsey)
• authenticate: update user info dashboard to show group info for enterprise #3736 (@calebdoxsey)
• device: add generic methods for working with user+session devices #3710 (@calebdoxsey)
• envoyconfig: fix databroker health checks #3706 (@calebdoxsey)
• fix unused key warnings in routes #3711 (@wasaga)
• keep trace span context #3724 (@wasaga)
• postgres: handle unknown types #3632 (@calebdoxsey)
• test: use T.TempDir to create temporary test directory #3725 (@Juneezee)
• upgrade envoy to v1.23.1 #3599 (@calebdoxsey)

Dependency

• bump Envoy to 1.23.2 #3739 (@wasaga)
• bump protoc to 3.21.7 #3646 (@wasaga)
• chore(deps): bump actions/cache from 3.0.10 to 3.0.11 #3671 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.0.8 to 3.0.10 #3642 (@dependabot[bot])
• chore(deps): bump actions/checkout from 3.0.2 to 3.1.0 #3652 (@dependabot[bot])
• chore(deps): bump actions/download-artifact from 3.0.0 to 3.0.1 #3700 (@dependabot[bot])
• chore(deps): bump actions/setup-go from 3.3.0 to 3.3.1 #3681 (@dependabot[bot])
• chore(deps): bump actions/setup-node from 3.4.1 to 3.5.0 #3641 (@dependabot[bot])
• chore(deps): bump actions/setup-node from 3.5.0 to 3.5.1 #3672 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.2.0 to 4.3.0 #3651 (@dependabot[bot])
• chore(deps): bump actions/upload-artifact from 3.1.0 to 3.1.1 #3698 (@dependabot[bot])
• chore(deps): bump alpine from bc41182 to b95359c #3751 (@dependabot[bot])
• chore(deps): bump debian from 1b1d158 to 9583740 #3719 (@dependabot[bot])
• chore(deps): bump debian from 3d2aa50 to 6005bd9 #3625 (@dependabot[bot])
• chore(deps): bump debian from 6005bd9 to 1b1d158 #3656 (@dependabot[bot])
• chore(deps): bump distroless/base from 4689543 to 6ef742b #3654 (@dependabot[bot])
• chore(deps): bump distroless/base from 59fe963 to 8a7afd5 #3627 (@dependabot[bot])
• chore(deps): bump distroless/base from 65afaf8 to 59fe963 #3616 (@dependabot[bot])
• chore(deps): bump distroless/base from 6ef742b to 9681f07 #3676 (@dependabot[bot])
• chore(deps): bump distroless/base from 856944e to cd1bf87 #3732 (@dependabot[bot])
• chore(deps): bump distroless/base from 8a7afd5 to 4689543 #3647 (@dependabot[bot])
• chore(deps): bump distroless/base from 9681f07 to 856944e #3702 (@dependabot[bot])
• chore(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 #3673 (@dependabot[bot])
• chore(deps): bump docker/login-action from 2.0.0 to 2.1.0 #3682 (@dependabot[bot])
• chore(deps): bump docker/setup-buildx-action from 2.0.0 to 2.2.1 #3679 (@dependabot[bot])
• chore(deps): bump docker/setup-qemu-action from 2.0.0 to 2.1.0 #3675 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.16.3 to 0.17.0 #3604 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.17.0 to 0.17.1 #3619 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.17.1 to 0.17.2 #3644 (@dependabot[bot])
• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.2.0 to 3.3.0 #3605 (@dependabot[bot])
• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.3.0 to 3.4.0 #3612 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.17+incompatible to 20.10.18+incompatible #3614 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.18+incompatible to 20.10.19+incompatible #3666 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.19+incompatible to 20.10.20+incompatible #3694 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.20+incompatible to 20.10.21+incompatible #3712 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.10 to 0.6.13 #3648 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.13 to 0.8.0 #3731 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.7 to 0.6.8 #3624 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.8 to 0.6.10 #3630 (@dependabot[bot])
• chore(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0 #3713 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.48.0 to 1.50.0 #3667 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.50.0 to 1.50.1 #3697 (@dependabot[bot])
• chore(deps): bump github.com/google/go-cmp from 0.5.8 to 0.5.9 #3611 (@dependabot[bot])
• chore(deps): bump github.com/google/go-jsonnet from 0.18.0 to 0.19.1 #3715 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgx/v4 from 4.17.1 to 4.17.2 #3603 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 #3620 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0 #3650 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.45.0 to 0.46.1 #3729 (@dependabot[bot])
• chore(deps): bump github.com/openzipkin/zipkin-go from 0.4.0 to 0.4.1 #3668 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 #3696 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.7 to 3.22.8 #3606 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.8 to 3.22.9 #3643 (@dependabot[bot])
• chore(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 #3613 (@dependabot[bot])
• chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 #3728 (@dependabot[bot])
• chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 #3695 (@dependabot[bot])
• chore(deps): bump github.com/VictoriaMetrics/fastcache from 1.10.0 to 1.12.0 #3623 (@dependabot[bot])
• chore(deps): bump go.opencensus.io from 0.23.0 to 0.24.0 #3727 (@dependabot[bot])
• chore(deps): bump golang from 403f389 to b448089 #3718 (@dependabot[bot])
• chore(deps): bump golang from d71125b to 4b2498d #3626 (@dependabot[bot])
• chore(deps): bump golang from 1.19.0-buster to 1.19.1-buster #3617 (@dependabot[bot])
• chore(deps): bump golang from 1.19.1-buster to 1.19.2-buster #3655 (@dependabot[bot])
• chore(deps): bump golang from 1.19.2-buster to 1.19.3-buster #3733 (@dependabot[bot])
• chore(deps): bump golang.org/x/net from 0.1.0 to 0.2.0 #3748 (@dependabot[bot])
• chore(deps): bump google-github-actions/setup-gcloud from 0.6.0 to 0.6.2 #3674 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.100.0 to 0.101.0 #3714 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.94.0 to 0.95.0 #3618 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.95.0 to 0.96.0 #3622 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.96.0 to 0.97.0 #3629 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.97.0 to 0.98.0 #3645 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.98.0 to 0.99.0 #3670 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.99.0 to 0.100.0 #3693 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.49.0 to 1.50.0 #3649 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.50.0 to 1.50.1 #3669 (@dependabot[bot])
• chore(deps): bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 #3680 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.27.3 to 4.27.5 #3615 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.27.5 to 4.28.1 #3653 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.28.1 to 4.28.2 #3690 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.28.2 to 4.29.2 #3717 (@dependabot[bot])
• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.14.1 to 4.15.0 #3631 (@dependabot[bot])
• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.0 to 4.15.1 #3658 (@dependabot[bot])
• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.1 to 4.15.2 #3699 (@dependabot[bot])
• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.2 to 4.15.3 #3716 (@dependabot[bot])
• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.15.3 to 4.15.4 #3726 (@dependabot[bot])

Changelog

c0a88707 authenticate: get/set identity provider id for all sessions (#3608)
c3ef43cd upgrade envoy to v1.23.1 (#3600)

Docker images

• docker pull pomerium/pomerium:v0.19.1
• docker pull pomerium/pomerium:nonroot-v0.19.1
• docker pull pomerium/pomerium:debug-v0.19.1
• docker pull pomerium/pomerium:debug-nonroot-v0.19.1

Changelog

v0.19.0 (2022-09-01)

Full Changelog

New

• add the traces error details #3557 (@nhayfield)
• authorize: add policy error details for custom error messages #3542 (@calebdoxsey)
• autocert: add support for ACME TLS-ALPN #3590 (@calebdoxsey)
• config: add branding settings #3558 (@calebdoxsey)
• controlplane: add well-known endpoint to the controlplane http handler #3555 (@calebdoxsey)
• Dynamic style changes #3544 (@nhayfield)
• envoy: upgrade to 1.23.0 #3560 (@calebdoxsey)
• envoyconfig: add virtual host domains for certificates in addition to routes #3593 (@calebdoxsey)

Fixed

• authenticate: add CORS headers to jwks endpoint #3574 (@calebdoxsey)
• envoyconfig: add authority header to outbound gRPC requests #3545 (@calebdoxsey)
• postgres: remove not null constraint on data column of record changes table #3594 (@calebdoxsey)

Changed

• Fix typos #3575 (@alexrudd2)
• authenticate: fix branding for webauthn device registration page #3572 (@calebdoxsey)
• publish to any-distro #3570 (@calebdoxsey)
• Update README.md #3569 (@cmo-pomerium)
• authorize: handle user-unauthenticated response for deny blocks #3559 (@calebdoxsey)
• add front end support for optional first paragraph of markdown on err... #3546 (@nhayfield)
• sets: convert set types to generics #3519 (@calebdoxsey)
• atomicutil: use atomicutil.Value wherever possible #3517 (@calebdoxsey)

Dependency

• chore(deps): bump actions/cache from 3.0.5 to 3.0.6 #3537 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.0.6 to 3.0.7 #3552 (@dependabot[bot])
• chore(deps): bump actions/cache from 3.0.7 to 3.0.8 #3565 (@dependabot[bot])
• chore(deps): bump actions/setup-go from 3.2.1 to 3.3.0 #3583 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 4.1.0 to 4.2.0 #3535 (@dependabot[bot])
• chore(deps): bump actions/stale from 5.1.0 to 5.1.1 #3513 (@dependabot[bot])
• chore(deps): bump alpine from 6af1b11 to 7580ece #3512 (@dependabot[bot])
• chore(deps): bump alpine from 7580ece to bc41182 #3553 (@dependabot[bot])
• chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.4.1 to 0.4.2 #3586 (@dependabot[bot])
• chore(deps): bump debian from 1c34464 to 4567e1e #3508 (@dependabot[bot])
• chore(deps): bump debian from 4567e1e to b9b1f4a #3538 (@dependabot[bot])
• chore(deps): bump debian from b9b1f4a to 3d2aa50 #3588 (@dependabot[bot])
• chore(deps): bump distroless/base from 3a62194 to ec73486 #3554 (@dependabot[bot])
• chore(deps): bump distroless/base from d6db599 to 3a62194 #3511 (@dependabot[bot])
• chore(deps): bump distroless/base from ec73486 to 65afaf8 #3568 (@dependabot[bot])
• chore(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 #3536 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.16.0 to 0.16.2 #3532 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.16.2 to 0.16.3 #3563 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.46.2 to 1.47.2 #3499 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.47.2 to 1.47.3 #3522 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.47.3 to 1.48.0 #3541 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgx/v4 from 4.16.1 to 4.17.0 #3533 (@dependabot[bot])
• chore(deps): bump github.com/jackc/pgx/v4 from 4.17.0 to 4.17.1 #3582 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 #3523 (@dependabot[bot])
• chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.2 to 3.3.0 #3540 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.12.2 to 1.13.0 #3530 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.7.3 to 0.8.0 #3516 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.27.0 to 1.28.0 #3587 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.6 to 3.22.7 #3524 (@dependabot[bot])
• chore(deps): bump go.uber.org/zap from 1.21.0 to 1.22.0 #3551 (@dependabot[bot])
• chore(deps): bump go.uber.org/zap from 1.22.0 to 1.23.0 #3581 (@dependabot[bot])
• chore(deps): bump golang from 6960d62 to 477b10a #3527 (@dependabot[bot])
• chore(deps): bump golang from a7a23f1 to d84495e #3589 (@dependabot[bot])
• chore(deps): bump golang from 1.18-buster to 1.18.4-buster #3509 (@dependabot[bot])
• chore(deps): bump golang from 1.18.4-buster to 1.19.0-buster #3539 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.88.0 to 0.89.0 #3514 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.89.0 to 0.90.0 #3525 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.90.0 to 0.91.0 #3531 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.91.0 to 0.92.0 #3550 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.92.0 to 0.93.0 #3562 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.93.0 to 0.94.0 #3580 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.48.0 to 1.49.0 #3579 (@dependabot[bot])
• chore(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 #3515 (@dependabot[bot])
• chore(deps): bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 #3585 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.26.1 to 4.27.2 #3526 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.27.2 to 4.27.3 #3584 (@dependabot[bot])
• chore(deps): bump pomerium/backport from a2e620de9fc4166f774ee2a389e170046cfad426 to 1.1.1 #3564 (@dependabot[bot])
• chore(deps): bump pre-commit/action from 876132a3c26aa072b09eab6c5395b4749eeb2435 to 3.0.0 #3567 (@dependabot[bot])
• chore(deps): bump tibdex/github-app-token from 1.5.1 to 1.6 #3566 (@dependabot[bot])
• deployment: update RELEASING.md #3503 (@desimone)

Changelog

v0.18.0 (2022-07-27)

Full Changelog

New

• add databroker multi lease handlers #3255 (@wasaga)
• add lease name to the log #3498 (@wasaga)
• add metrics aggregation #3452 (@wasaga)
• add x-request-id in responses #3366 (@wasaga)
• allow pomerium to be embedded as a library #3415 (@wasaga)
• authenticate: allow changing the authenticate service URL at runtime #3378 (@calebdoxsey)
• authenticate: show the device enrolled page as the user info page #3151 (@calebdoxsey)
• authorize: add name claim #3238 (@calebdoxsey)
• authorize: track session and service account access date #3220 (@calebdoxsey)
• authorize: use query instead of sync for databroker data #3377 (@calebdoxsey)
• databroker: add support for field masks on Put #3210 (@calebdoxsey)
• databroker: add support for putting multiple records #3291 (@calebdoxsey)
• databroker: add support for query filtering #3369 (@calebdoxsey)
• databroker: add support for syncing by type #3412 (@calebdoxsey)
• directory: support non-base64 encoded service accounts #3150 (@calebdoxsey)
• do not require idp set in the bootstrap config, as it may be later configured via the databroker #3386 (@wasaga)
• eliminate global events manager #3422 (@wasaga)
• envoy: upgrade to 1.21.1 #3186 (@calebdoxsey)
• envoy: use typed extension protocol options for static bootstrap cluster #3268 (@calebdoxsey)
• Expand PR template #3403 (@alexfornuto)
• github: pin github actions #3183 (@calebdoxsey)
• grpc: regenerate protobuf code #3208 (@calebdoxsey)
• grpc: wait for connect to be ready before making calls #3253 (@calebdoxsey)
• identity: batch directory updates #3411 (@calebdoxsey)
• integration: add test for query string params #3302 (@calebdoxsey)
• postgres: databroker storage backend #3370 (@calebdoxsey)
• postgres: registry support #3454 (@calebdoxsey)
• storage: add filter expressions, upgrade go to 1.18.1 #3365 (@calebdoxsey)
• storage: add filtering to SyncLatest #3368 (@calebdoxsey)
• try pinning docker dependency #3185 (@calebdoxsey)
• ui: remove version #3184 (@calebdoxsey)

Fixed

• authenticate: fix debug and metrics endpoints #3212 (@calebdoxsey)

• authenticate: fix internal service URL CORS check #3279 (@calebdoxsey)

• authenticate: fix internal service URL dashboard redirect #3305 (@calebdoxsey)

• authenticate: fix internal url with webauthn #3194 (@calebdoxsey)

• authenticate: save session for bare webauthn redirects, consider external service URL to be a pomerium url #3280 (@calebdoxsey)

• authorize: add request id to context #3497 (@calebdoxsey)

• authorize: allow missing user for authorization #3421 (@calebdoxsey)

• authorize: fix device synchronization #3482 (@calebdoxsey)

• authorize: fix not found check #3410 (@calebdoxsey)

• authorize: fix x-forwarded-uri #3479 (@calebdoxsey)

• authorize: pass idp id for webauthn url, allow unauthenticated access to static files #3282 (@calebdoxsey)

• authorize: show plain text error page for traefik and nginx #3477 (@calebdoxsey)

• autocert: continue on error #3476 (@calebdoxsey)

• config: fix DefaultTransport so it is still a *http.Transport #3257 (@calebdoxsey)

• databroker: fix in-memory backend deadlock #3300 (@calebdoxsey)

• deployment: update syntax installing dlv in debug image #3179 (@travisgroth)

• device enrollment: fix ip address #3430 (@calebdoxsey)

• envoyconfig: prevent nil reproxy handler #3345 (@wasaga)

• fix: close the ticker after opened #3318 (@clwluvw)

• fix: The built binary file is missing "ui/dist/index.js" and "ui/dist... #3391 (@cfanbo)

• github: fix missing groups #3171 (@calebdoxsey)

• httputil/reproxy: fix policy transport #3322 (@calebdoxsey)

• options: fix overlapping certificate test #3492 (@calebdoxsey)

• postgres: fix CIDR query #3389 (@calebdoxsey)

• postgres: fix record deletion #3446 (@calebdoxsey)

• userinfo: embed assets as data URLs for forward auth #3460 (@calebdoxsey)

• userinfo: fix missing profile picture #3154 (@calebdoxsey)

  Dependency

• bump envoy to 1.21.3 #3413 (@wasaga)

• chore(deps): bump actions/cache from 2 to 3 #3167 (@dependabot[bot])

• chore(deps): bump actions/cache from 3.0.0 to 3.0.1 #3235 (@dependabot[bot])

• chore(deps): bump actions/cache from 3.0.1 to 3.0.2 #3265 (@dependabot[bot])

• chore(deps): bump actions/cache from 3.0.2 to 3.0.3 #3399 (@dependabot[bot])

• chore(deps): bump actions/cache from 3.0.3 to 3.0.4 #3440 (@dependabot[bot])

• chore(deps): bump actions/cache from 3.0.4 to 3.0.5 #3489 (@dependabot[bot])

• chore(deps): bump actions/checkout from 3.0.0 to 3.0.1 #3275 (@dependabot[bot])

• chore(deps): bump actions/checkout from 3.0.1 to 3.0.2 #3297 (@dependabot[bot])

• chore(deps): bump actions/download-artifact from 2.1.0 to 3 #3202 (@dependabot[bot])

• chore(deps): bump actions/setup-go from 2.2.0 to 3 #3204 (@dependabot[bot])

• chore(deps): bump actions/setup-go from 3.0.0 to 3.1.0 #3362 (@dependabot[bot])

• chore(deps): bump actions/setup-go from 3.1.0 to 3.2.0 #3384 (@dependabot[bot])

• chore(deps): bump actions/setup-go from 3.2.0 to 3.2.1 #3470 (@dependabot[bot])

• chore(deps): bump actions/setup-node from 3.0.0 to 3.1.0 #3236 (@dependabot[bot])

• chore(deps): bump actions/setup-node from 3.1.0 to 3.1.1 #3267 (@dependabot[bot])

• chore(deps): bump actions/setup-node from 3.1.1 to 3.2.0 #3363 (@dependabot[bot])

• chore(deps): bump actions/setup-node from 3.2.0 to 3.3.0 #3400 (@dependabot[bot])

• chore(deps): bump actions/setup-node from 3.3.0 to 3.4.0 #3471 (@dependabot[bot])

• chore(deps): bump actions/setup-node from 3.4.0 to 3.4.1 #3490 (@dependabot[bot])

• chore(deps): bump actions/setup-python from 3.0.0 to 3.1.0 #3234 (@dependabot[bot])

• chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 #3266 (@dependabot[bot])

• chore(deps): bump actions/setup-python from 3.1.2 to 4 #3439 (@dependabot[bot])

• chore(deps): bump actions/setup-python from 4.0.0 to 4.1.0 #3472 (@dependabot[bot])

• chore(deps): bump actions/stale from 5.0.0 to 5.1.0 #3488 (@dependabot[bot])

• chore(deps): bump actions/upload-artifact from 2.3.1 to 3 #3203 (@dependabot[bot])

• chore(deps): bump actions/upload-artifact from 3.0.0 to 3.1.0 #3374 (@dependabot[bot])

• chore(deps): bump async from 2.6.3 to 2.6.4 #3278 (@dependabot[bot])

• chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.4.0 to 0.4.1 #3164 (@dependabot[bot])

• chore(deps): bump docker/build-push-action from 2.10.0 to 3 #3336 (@dependabot[bot])

• chore(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 #3501 (@dependabot[bot])

• chore(deps): bump docker/login-action from 1.14.1 to 2 #3338 (@dependabot[bot])

• chore(deps): bump docker/setup-buildx-action from 1.6.0 to 1.7.0 #3317 (@dependabot[bot])

• chore(deps): bump docker/setup-buildx-action from 1.7.0 to 2 #3337 (@dependabot[bot])

• chore(deps): bump docker/setup-qemu-action from 1.2.0 to 2 #3339 (@dependabot[bot])

• chore(deps): bump eventsource from 1.1.0 to 1.1.1 #3388 (@dependabot[bot])

• chore(deps): bump github.com/caddyserver/certmagic from 0.15.3 to 0.15.4 #3143 (@dependabot[bot])

• chore(deps): bump github.com/caddyserver/certmagic from 0.15.4 to 0.16.0 #3198 (@dependabot[bot])

• chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.2 to 4.1.3 #3264 (@dependabot[bot])

• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.1.0 to 3.2.0 #3360 (@dependabot[bot])

• chore(deps): bump github.com/docker/docker from 20.10.12+incompatible to 20.10.13+incompatible #3142 (@dependabot[bot])

• chore(deps): bump github.com/docker/docker from 20.10.13+incompatible to 20.10.14+incompatible #3199 (@dependabot[bot])

• chore(deps): bump github.com/docker/docker from 20.10.14+incompatible to 20.10.15+incompatible #3335 (@dependabot[bot])

• chore(deps): bump github.com/docker/docker from 20.10.15+incompatible to 20.10.16+incompatible #3359 (@dependabot[bot])

• chore(deps): bump github.com/docker/docker from 20.10.16+incompatible to 20.10.17+incompatible #3417 (@dependabot[bot])

• chore(deps): bump github.com/fsnotify/fsnotify from 1.5.1 to 1.5.4 #3312 (@dependabot[bot])

• chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5 #3166 (@dependabot[bot])

• chore(deps): bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 #3162 (@dependabot[bot])

• chore(deps): bump github.com/golangci/golangci-lint from 1.45.0 to 1.45.2 #3200 (@dependabot[bot])

• chore(deps): bump github.com/golangci/golangci-lint from 1.45.2 to 1.46.0 #3334 (@dependabot[bot])

• chore(deps): bump github.com/golangci/golangci-lint from 1.46.0 to 1.46.1 #3357 (@dependabot[bot])

• chore(deps): bump github.com/golangci/golangci-lint from 1.46.1 to 1.46.2 #3373 (@dependabot[bot])

• chore(deps): bump github.com/google/btree from 1.0.1 to 1.1.1 #3402 (@dependabot[bot])

• chore(deps): bump github.com/google/btree from 1.1.1 to 1.1.2 #3434 (@dependabot[bot])

• chore(deps): bump github.com/google/go-cmp from 0.5.7 to 0.5.8 #3315 (@dependabot[bot])

• chore(deps): bump github.com/martinlindhe/base36 from 1.1.0 to 1.1.1 #3437 (@dependabot[bot])

• chore(deps): bump github.com/mholt/acmez from 1.0.2 to 1.0.3 #3469 (@dependabot[bot])

• chore(deps): bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 #3292 (@dependabot[bot])

• chore(deps): bump github.com/open-policy-agent/opa from 0.38.0 to 0.38.1 #3144 (@dependabot[bot])

• chore(deps): bump github.com/open-policy-agent/opa from 0.38.1 to 0.39.0 #3232 (@dependabot[bot])

• chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0 #3311 (@dependabot[bot])

• chore(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0 #3395 (@dependabot[bot])

• chore(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.1 #3468 (@dependabot[bot])

• chore(deps): bump github.com/open-policy-agent/opa from 0.42.1 to 0.42.2 #3483 (@dependabot[bot])

• chore(deps): bump github.com/ory/dockertest/v3 from 3.8.1 to 3.9.1 #3381 (@dependabot[bot])

• chore(deps): bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 #3358 (@dependabot[bot])

• chore(deps): bump github.com/prometheus/common from 0.32.1 to 0.33.0 #3230 (@dependabot[bot])

• chore(deps): bump github.com/prometheus/common from 0.33.0 to 0.34.0 #3298 (@dependabot[bot])

• chore(deps): bump github.com/prometheus/common from 0.34.0 to 0.35.0 #3438 (@dependabot[bot])

• chore(deps): bump github.com/prometheus/common from 0.35.0 to 0.37.0 #3486 (@dependabot[bot])

• chore(deps): bump github.com/rs/zerolog from 1.26.1 to 1.27.0 #3418 (@dependabot[bot])

• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.2 to 3.22.3 #3231 (@dependabot[bot])

• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.3 to 3.22.4 #3313 (@dependabot[bot])

• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.4 to 3.22.5 #3396 (@dependabot[bot])

• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.22.5 to 3.22.6 #3464 (@dependabot[bot])

• chore(deps): bump github.com/spf13/viper from 1.10.1 to 1.11.0 #3273 (@dependabot[bot])

• chore(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 #3380 (@dependabot[bot])

• chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 #3165 (@dependabot[bot])

• chore(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 #3397 (@dependabot[bot])

• chore(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3 #3435 (@dependabot[bot])

• chore(deps): bump github.com/stretchr/testify from 1.7.3 to 1.7.5 #3448 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.70.0 to 0.72.0 #3152 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.72.0 to 0.73.0 #3163 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.73.0 to 0.74.0 #3233 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.74.0 to 0.75.0 #3296 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.75.0 to 0.77.0 #3314 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.77.0 to 0.79.0 #3347 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.79.0 to 0.80.0 #3372 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.80.0 to 0.81.0 #3382 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.81.0 to 0.82.0 #3401 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.82.0 to 0.83.0 #3416 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.83.0 to 0.84.0 #3436 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.84.0 to 0.85.0 #3447 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.85.0 to 0.86.0 #3463 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.86.0 to 0.87.0 #3484 (@dependabot[bot])

• chore(deps): bump google.golang.org/api from 0.87.0 to 0.88.0 #3500 (@dependabot[bot])

• chore(deps): bump google.golang.org/grpc from 1.44.0 to 1.45.0 #3141 (@dependabot[bot])

• chore(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 #3294 (@dependabot[bot])

• chore(deps): bump google.golang.org/grpc from 1.46.0 to 1.46.2 #3361 (@dependabot[bot])

• chore(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 #3393 (@dependabot[bot])

• chore(deps): bump google.golang.org/grpc from 1.47.0 to 1.48.0 #3487 (@dependabot[bot])

• chore(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 #3197 (@dependabot[bot])

• chore(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 #3394 (@dependabot[bot])

• chore(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3 #3375 (@dependabot[bot])

• chore(deps): bump jandelgado/gcov2lcov-action from 1.0.8 to 1.0.9 #3376 (@dependabot[bot])

• chore(deps): bump jandelgado/gcov2lcov-action from fc567b789b78d676959759edfb9b7a30e884fc1d to 1.0.9 #3385 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.21.1 to 4.22.1 #3145 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.22.1 to 4.23.1 #3168 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.23.1 to 4.24.2 #3201 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.24.2 to 4.24.5 #3276 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.24.5 to 4.25.1 #3316 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.25.1 to 4.25.2 #3383 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.25.2 to 4.25.3 #3449 (@dependabot[bot])

• chore(deps): bump mikefarah/yq from 4.25.3 to 4.26.1 #3491 (@dependabot[bot])

• chore(deps): bump minimist from 1.2.5 to 1.2.6 #3189 (@dependabot[bot])

• chore(deps): bump minimist from 1.2.5 to 1.2.6 in /ui #3188 (@dependabot[bot])

• chore(deps): bump stefanzweifel/git-auto-commit-action from 4.14.0 to 4.14.1 #3274 (@dependabot[bot])

• deps: bump backport action version #3224 (@travisgroth)

• use generic version of btree #3404 (@wasaga)

  Deployment

• deployment: remove vals based entrypoint #3254 (@travisgroth)

Changed

• databroker: support rotating shared secret #3502 (@calebdoxsey)
• Revert "userinfo: embed assets as data URLs for forward auth" #3474 (@calebdoxsey)
• github-actions: build docker platforms together #3426 (@calebdoxsey)
• replace fmt.Sprintf with net.JoinHostPort #3407 (@cfanbo)
• docs: fix a typo in auth0 config example #3332 (@imlonghao)
• Allow docs changes without review #3242 (@alexfornuto)
• ci: use forked backport to copy original PR labels #3223 (@travisgroth)
• Revert "databroker: add support for field masks on Put" #3217 (@calebdoxsey)
• docs: update changelog and upgrade notes for enterprise v0.17 #3105 (@travisgroth)

Changes

• authenticate: fix internal service URL dashboard redirect by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3306
• fix: close the ticker after opened by @clwluvw https://github.com/pomerium/pomerium/pull/3323
• httputil/reproxy: fix policy transport by @calebdoxsey https://github.com/pomerium/pomerium/pull/3324
• authenticate: fix internal service URL CORS check by @calebdoxsey in https://github.com/pomerium/pomerium/pull/3328

Docs

• DOCS: update helm values file https://github.com/pomerium/pomerium/pull/3287
• DOCS: Add device identity video https://github.com/pomerium/pomerium/pull/3307
• DOCS: Update changelog https://github.com/pomerium/pomerium/pull/3308
• Update docs for supported Ingress annotations https://github.com/pomerium/pomerium/pull/3325

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.17.2...v0.17.3

Changelog

v0.17.2 (2022-04-22)

Full Changelog

Fixed

• authorize: pass idp id for webauthn url, allow unauthenticated access to static files [#3284] (@calebdoxsey)
• config: fix DefaultTransport so it is still a *http.Transport [#3260] (@calebdoxsey)

Dependency

• chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 [#3266]

Docs

• Add UUID to docs yaml blocks (#3251) [#3259] (@alexfornuto)

Full Changelog

Security Notice

This release includes a fix to a medium severity security issue.

We recommend that all users upgrade.

Security

• authenticate: fix debug and metrics endpoints #3215 (@backport-actions-token[bot])

Fixed

• authenticate: fix internal url with webauthn #3195 (@backport-actions-token[bot])
• github: fix missing groups #3176 (@backport-actions-token[bot])

Full Changelog

New

• adds pomerium version to the user info endpoint #3093 (@nhayfield)
• grpc: remove ptypes references #3078 (@calebdoxsey)
• userinfo: add webauthn buttons to user info page #3075 (@calebdoxsey)
• Style update for User Info Endpoint #3055 (@nhayfield)
• session: remove unused session state properties #3022 (@calebdoxsey)
• frontend: react+mui #3004 (@calebdoxsey)
• controlplane: add compression middleware #3000 (@calebdoxsey)
• authenticate: fix expiring user info endpoint #2976 (@calebdoxsey)
• last known metric error #2974 (@wasaga)
• directory: save IDP errors to databroker, put event handling in dedicated package #2957 (@calebdoxsey)
• google: support groups for users outside of the organization #2950 (@calebdoxsey)
• return explicit error when directory sync is disabled #2949 (@wasaga)
• authenticate: add device-enrolled page #2892 (@calebdoxsey)
• remove deprecated ioutil usages #2877 (@cfanbo)

Fixed

• databroker: use contextual logging for errors, use original record type for encryption #3096 (@calebdoxsey)
• fix link for picture in avatar #3066 (@nhayfield)
• userinfo: fix logout button, add sign out confirm page #3058 (@calebdoxsey)
• config: fix httptest local certificate #3056 (@calebdoxsey)
• proxy: fix error page #3020 (@calebdoxsey)
• deployment: only include pomerium binary #3007 (@travisgroth)
• auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])
• auth0: support explicit domains in the service account #2980 (@calebdoxsey)
• config: fix TLS config when address and grpc_address are the same #2975 (@calebdoxsey)
• deployment: enable goreleaser buildx #2968 (@travisgroth)
• config: fix policy matching for regular expressions #2966 (@calebdoxsey)
• fix: frontend html tag mismatch #2954 (@cfanbo)
• devices: shrink credentials by removing unnecessary data #2951 (@calebdoxsey)
• Remove spurious </ul> tags #2946 (@sylr)
• authenticate: support webauthn redirects to non-pomerium domains #2936 (@calebdoxsey)
• webauthn: use absolute URL for delete redirect #2935 (@calebdoxsey)
• authenticate: add callback endpoint #2931 (@calebdoxsey)
• devices: treat undefined device types as any #2927 (@calebdoxsey)
• deployment: fix distroless base arch #2925 (@travisgroth)
• handle device states in deny block, fix default device type #2919 (@calebdoxsey)
• envoy: check certificates for must-staple flag and drop them if they are missing the response #2909 (@calebdoxsey)
• integration: fix default port for verify service #2895 (@calebdoxsey)

Dependency

• chore(deps): bump actions/setup-node from 2 to 3 #3089 (@dependabot[bot])
• chore(deps): bump actions/setup-python from 2 to 3 #3088 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.20.2 to 4.21.1 #3087 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.69.0 to 0.70.0 #3086 (@dependabot[bot])
• chore(deps): bump url-parse from 1.5.7 to 1.5.10 #3085 (@dependabot[bot])
• chore(deps): bump prismjs from 1.26.0 to 1.27.0 #3084 (@dependabot[bot])
• deps: bump envoy to v1.20.2 #3082 (@travisgroth)
• chore(deps): bump mikefarah/yq from 4.20.1 to 4.20.2 #3072 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.68.0 to 0.69.0 #3071 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.44.0 to 1.44.2 #3070 (@dependabot[bot])
• chore(deps): bump url-parse from 1.5.1 to 1.5.7 #3068 (@dependabot[bot])
• chore(deps): bump github.com/gorilla/websocket from 1.4.2 to 1.5.0 #3052 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.18.1 to 4.20.1 #3051 (@dependabot[bot])
• chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 #3043 (@dependabot[bot])
• chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 #3041 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.37.1 to 0.37.2 #3040 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.66.0 to 0.68.0 #3033 (@dependabot[bot])
• deps: increase yarn network timeout #3018 (@travisgroth)
• chore(deps): bump github.com/caddyserver/certmagic from 0.15.2 to 0.15.3 #3014 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.1 #3013 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.12 to 3.22.1 #3012 (@dependabot[bot])
• chore(deps): bump github.com/mholt/acmez from 1.0.1 to 1.0.2 #3011 (@dependabot[bot])
• chore(deps): bump mermaid from 8.12.1 to 8.13.10 #3010 (@dependabot[bot])
• chore(deps): bump follow-redirects from 1.14.1 to 1.14.7 #3009 (@dependabot[bot])
• chore(deps): bump prismjs from 1.24.1 to 1.26.0 #3008 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.17.2 to 4.18.1 #2989 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 #2988 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.43.0 to 1.44.0 #2987 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.65.0 to 0.66.0 #2986 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 #2985 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.16.2 to 4.17.2 #2963 (@dependabot[bot])
• chore(deps): bump github.com/google/go-cmp from 0.5.6 to 0.5.7 #2962 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 #2961 (@dependabot[bot])
• chore(deps): bump github.com/openzipkin/zipkin-go from 0.3.0 to 0.4.0 #2942 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.64.0 to 0.65.0 #2941 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.2 to 0.6.3 #2940 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.36.0 to 0.36.1 #2939 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.63.0 to 0.64.0 #2913 (@dependabot[bot])
• chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 #2912 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.35.0 to 0.36.0 #2911 (@dependabot[bot])
• chore(deps): bump github.com/go-chi/chi from 1.5.4 to 4.1.2+incompatible #2910 (@dependabot[bot])
• envoy: upgrade to 1.20.1 #2902 (@calebdoxsey)
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.11 to 3.21.12 #2886 (@dependabot[bot])
• chore(deps): bump github.com/rs/cors from 1.8.0 to 1.8.2 #2855 (@dependabot[bot])
• chore(deps): bump github.com/google/go-jsonnet from 0.17.0 to 0.18.0 #2854 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.16.1 to 4.16.2 #2853 (@dependabot[bot])

Deployment

• deployment: remove DST cert workaround from debug image #2958 (@travisgroth)
• deployment: multi-arch master images #2896 (@travisgroth)

Changed

• config: add idp_client_id and idp_client_secret to protobuf #3060 (@calebdoxsey)
• Extract email for active directory users that don't have access to exchange #3053 (@JBodkin-Amphora)
• disable blank github issues #2898 (@travisgroth)

Full Changelog

Dependency

• deps: update envoy to v1.19.3 #3083 (@travisgroth)

Full Changelog

Fixed

• deployment: only include pomerium binary #3007 (@travisgroth)
• auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])

Full Changelog

Fixed

• config: fix policy matching for regular expressions #2969 (@backport-actions-token[bot])

Documentation

• DOCS: New page: Glossary #2970 (@backport-actions-token[bot])
• Docs: code-server guide refresh #2964 (@backport-actions-token[bot])
• Update security.md #2960 (@backport-actions-token[bot])

Full Changelog

Fixed

• webauthn: use absolute URL for delete redirect #2937 (@backport-actions-token[bot])
• handle device states in deny block, fix default device type #2924 (@backport-actions-token[bot])
• envoy: check certificates for must-staple flag and drop them if they are missing the response #2917 (@backport-actions-token[bot])
• integration: fix default port for verify service #2908 (@backport-actions-token[bot])

Documentation

• Docs: Crosslinks on Upstream mTLS #2948 (@backport-actions-token[bot])
• Docs: Update Cache to Databroker #2944 (@backport-actions-token[bot])
• document service_proxy_upstream ingress annotation #2928 (@backport-actions-token[bot])
• DOCS: keyword tag updates #2923 (@backport-actions-token[bot])
• docs: fix argo link #2921 (@backport-actions-token[bot])
• Docs: Manual Backport: update and align reference settings (#2905) #2914 (@alexfornuto)
• Docs: Mutual Auth Hotfix #2907 (@backport-actions-token[bot])
• DOCS: GitLab Integration guide #2900 (@backport-actions-token[bot])
• DOCS: Fix ToC #2890 (@backport-actions-token[bot])
• DOCS: Crosslink Mutual Auth and Background pages #2885 (@backport-actions-token[bot])
• Docs: Mutual Auth Topic page #2881 (@backport-actions-token[bot])
• DOCS: Link Cleanup & Checker Workaround #2879 (@backport-actions-token[bot])
• DOCS: Cherry-Pick from #2867 #2875 (@backport-actions-token[bot])
• DOCS: Fixes to 16 release #2872 (@backport-actions-token[bot])
• Rephrase Discussion around Discuss #2871 (@backport-actions-token[bot])
• DOCS: Document webauthn with device ID #2868 (@backport-actions-token[bot])
• docs: fix generation of the public key #2865 (@backport-actions-token[bot])
• Fix typo #2863 (@backport-actions-token[bot])
• DOCS: New Guide: Upstream mTLS #2860 (@backport-actions-token[bot])
• Update mTLS guide #2858 (@backport-actions-token[bot])
• docs: update version menu for v0.16 #2848 (@backport-actions-token[bot])

Full Changelog

Breaking

• identity: only assign access\_type uri params to google. #2782 (@desimone)
• tls: fallback to self-signed certificate #2760 (@calebdoxsey)
• github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)

New

• more idp metrics #2842 (@wasaga)
• devices: add experimental icon #2836 (@calebdoxsey)
• devices: switch "default" device type to two built-in default device types #2835 (@calebdoxsey)
• dashboard: improve display of device credentials, allow deletion #2829 (@calebdoxsey)
• ppl: add support for http_path and http_method #2813 (@calebdoxsey)
• config: add internal service URLs #2801 (@calebdoxsey)
• envoy: add hash policy and routing key for hash-based load balancers #2791 (@calebdoxsey)
• authorize: support X-Pomerium-Authorization in addition to Authorization #2780 (@calebdoxsey)
• envoy: treat configuration errors as fatal #2777 (@calebdoxsey)
• envoy: add support for bind_config bootstrap options #2772 (@calebdoxsey)
• authenticate: redirect / to /.pomerium/ #2770 (@calebdoxsey)
• device: add type id and credential id to enrollment for easier referencing #2749 (@calebdoxsey)
• databroker: add additional log for config source #2718 (@calebdoxsey)
• grpc: remove peer field from logs #2712 (@calebdoxsey)
• desktop client api #2711 (@wasaga)
• telemetry: improve zipkin error logs #2710 (@calebdoxsey)
• authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
• webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
• ppl: add support for additional data #2696 (@calebdoxsey)
• Add additional ACME CA (autocert) options #2695 (@hslatman)
• skip configuration updates to the most recent one #2690 (@wasaga)
• authenticate: add support for webauthn #2688 (@calebdoxsey)
• webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)
• devices: add device protobuf types #2682 (@calebdoxsey)
• cryptutil: add SecureToken #2681 (@calebdoxsey)
• config/envoyconfig: better duplicate message #2661 (@desimone)
• pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
• ppl: pass contextual information through policy #2612 (@calebdoxsey)
• add description to service accounts #2611 (@nhayfield)
• DOCS: Add copy button to code snippets #2597 (@alexfornuto)
• pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
• cli: update tcp log output format #2586 (@travisgroth)
• directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
• google: support provider URL #2567 (@calebdoxsey)
• config: remove signature_key_algorithm #2557 (@calebdoxsey)
• allow pomerium to start without certs #2555 (@wasaga)
• integration: kubernetes support #2536 (@calebdoxsey)
• integration: nginx #2532 (@calebdoxsey)
• integration: add traefik tests #2530 (@calebdoxsey)
• envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
• config: remove headers #2522 (@calebdoxsey)
• integration: add multi test #2519 (@calebdoxsey)
• Remove api from GitLab defaultScope #2518 (@alexfornuto)
• integration: add single-cluster integration tests #2516 (@calebdoxsey)
• integration: remove tests #2514 (@calebdoxsey)
• github: support provider URL #2490 (@calebdoxsey)
• protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
• fix go get, improve redis test #2450 (@calebdoxsey)
• all: remove unused handler code #2439 (@desimone)

Security

• identity: fix user refresh #2724 (@calebdoxsey)
• deps: update envoy to 1.19.1 #2526 (@travisgroth)

Fixed

• config: allow specifying auto codec type in all-in-one mode #2846 (@calebdoxsey)
• dashboard: add confirmation dialog, fix button in firefox #2841 (@calebdoxsey)
• fix: Fixed return description error #2825 (@cfanbo)
• internal/telemetry: fix grpc server metrics #2811 (@travisgroth)
• Fix IdP client metrics #2810 (@travisgroth)
• envoyconfig: fix tls_downstream_client_ca for non-standard ports #2802 (@calebdoxsey)
• config: detect changes to the kubernetes service account token file #2767 (@calebdoxsey)
• deps: update goreleaser #2757 (@travisgroth)

Documentation

• add docs for ingress regex path #2822 (@wasaga)
• fix typo in docs #2819 (@wasaga)
• DOCS: add Grafana to Guides index #2808 (@alexfornuto)
• DOCS: Fix indentation in API doc #2798 (@alexfornuto)
• DOCS: Create Consolidated Troubleshooting Guide and Replace FAQ #2797 (@alexfornuto)
• docs: update pomerium-cli location #2790 (@travisgroth)
• Document Pomerium Policy Language #2789 (@backport-actions-token[bot])
• Copy edit to changelog entry #2786 (@alexfornuto)
• Document Pomerium Policy Language #2784 (@alexfornuto)
• Remove forward_auth_url from Enterprise #2779 (@alexfornuto)
• Docs: Update Kubernetes Dashboard Guide #2759 (@alexfornuto)
• Docs: Update Securing Kubernetes Guide #2758 (@alexfornuto)
• Docs: Add spdy annotation #2747 (@alexfornuto)
• Docs: Update JWT Verification Guide #2746 (@alexfornuto)
• Docs: Add Grafana Integration Guide #2742 (@alexfornuto)
• Docs: Update Traefik Example Headers #2732 (@alexfornuto)
• Docs: Reference gRPC API Docs #2717 (@alexfornuto)
• Minor fix in routes documentation #2714 (@Kerwood)
• Docs: Update Community Page #2713 (@cmo-pomerium)
• Update architecture.md #2701 (@cmo-pomerium)
• Update create TLS command to quote strings. #2694 (@FutureMatt)
• Docs: Correct Claim Example #2689 (@alexfornuto)
• Fix typo in docs #2683 (@nihaals)
• Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
• add service account redirects #2664 (@alexfornuto)
• DOCS: Standardize Relative Links #2651 (@alexfornuto)
• Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
• adjust sidebarDepths and document Desktop Client releases #2645 (@backport-actions-token[bot])
• typo #2644 (@alexfornuto)
• adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
• DOCS: CORS preflight in console #2642 (@alexfornuto)
• DOCS: Collapse IDP Header #2641 (@alexfornuto)
• docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
• Docs: Batch Updates #2628 (@alexfornuto)
• Refresh and Update TCP documentation #2627 (@alexfornuto)
• DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
• Docs/batch link fixes #2621 (@alexfornuto)
• Add redirect for installation #2618 (@alexfornuto)
• Add docs team as a code owner of packages.json #2605 (@alexfornuto)
• Update CODEOWNERS #2603 (@alexfornuto)
• DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
• Document Enterprise API #2595 (@alexfornuto)
• docs: rename updated icon image #2582 (@travisgroth)
• docs: add updated icon asset #2580 (@travisgroth)
• Document recovery token generation #2579 (@alexfornuto)
• New Topic Page: Original Request Context #2569 (@alexfornuto)
• docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
• TCP Client Doc #2561 (@alexfornuto)
• Docs: Fix merged PR #2546 (@alexfornuto)
• docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
• Update Ping Identity IdP #2537 (@alexfornuto)
• update OneLogin IdP doc #2533 (@alexfornuto)
• Update GitLab IdP doc #2520 (@alexfornuto)
• update GitHub IdP doc #2503 (@alexfornuto)
• Update AWS cognito IdP doc #2498 (@alexfornuto)
• Update Azure IdP Doc #2497 (@alexfornuto)
• Auth0 Doc Refresh #2494 (@alexfornuto)
• Update IdP Overview Page #2493 (@alexfornuto)
• Update Okta IdP doc #2491 (@alexfornuto)
• adjust comment blocking #2488 (@alexfornuto)
• document binding service to 443 #2487 (@alexfornuto)
• docs: use generic email #2484 (@alexfornuto)
• Update Docker Quickstart #2482 (@alexfornuto)
• Wrap mkcert command in quotes #2481 (@alexfornuto)
• Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
• wrap header example values as inline code. #2474 (@alexfornuto)
• docs: clarify custom request header limitations #2471 (@desimone)
• Update Helm Instructions #2467 (@alexfornuto)
• docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
• Document tracing sample rate in console #2461 (@alexfornuto)
• Document moving routes #2460 (@alexfornuto)
• Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
• docs: update codeowners #2451 (@travisgroth)
• Update binary install doc #2447 (@alexfornuto)
• docs: update branding, concepts #2445 (@desimone)
• specify expected audience in Console config #2442 (@alexfornuto)
• docs: update default version to v0.15 #2437 (@travisgroth)
• docs: update branding #2435 (@desimone)

Dependency

• chore(deps): bump google.golang.org/api from 0.62.0 to 0.63.0 #2834 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 #2833 (@dependabot[bot])
• chore(deps): bump github.com/spf13/viper from 1.10.0 to 1.10.1 #2832 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 #2831 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.11+incompatible to 20.10.12+incompatible #2817 (@dependabot[bot])
• chore(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.0 #2816 (@dependabot[bot])
• dev build support for darwin-arm64 from envoy tip #2815 (@wasaga)
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.10 to 3.21.11 #2807 (@dependabot[bot])
• chore(deps): bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 #2806 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.60.0 to 0.61.0 #2805 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.34.2 to 0.35.0 #2804 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.15.1 to 4.16.1 #2803 (@dependabot[bot])
• chore(deps): bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 #2785 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.14.2 to 4.15.1 #2783 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.10+incompatible to 20.10.11+incompatible #2776 (@dependabot[bot])
• chore(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3 #2775 (@dependabot[bot])
• chore(deps): bump mikefarah/yq from 4.6.3 to 4.14.2 #2774 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.15.1 to 0.15.2 #2769 (@dependabot[bot])
• chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.1 to 4.1.2 #2768 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.34.1 to 0.34.2 #2765 (@dependabot[bot])
• chore(deps): bump github.com/mholt/acmez from 1.0.0 to 1.0.1 #2764 (@dependabot[bot])
• chore(deps): bump gopkg.in/auth0.v5 from 5.21.0 to 5.21.1 #2763 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.42.1 to 1.43.0 #2756 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.34.0 to 0.34.1 #2755 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 #2754 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 #2753 (@dependabot[bot])
• chore(deps): bump gopkg.in/auth0.v5 from 5.20.0 to 5.21.0 #2752 (@dependabot[bot])
• dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
• chore(deps): bump google.golang.org/api from 0.58.0 to 0.60.0 #2737 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
• chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
• chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
• chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
• chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
• chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
• chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
• chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
• chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
• chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
• bump protoc-validate #2606 (@wasaga)
• chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
• chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
• chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
• chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
• chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
• chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
• chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
• chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
• chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
• chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
• ci: use go 1.17.x #2492 (@desimone)
• chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
• chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
• chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
• chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
• ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
• chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
• chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
• chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
• Hadolint #2363 (@stephengroat)

Deployment

• deployment: migrate pomerium-cli automation to new repo #2771 (@travisgroth)
• deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
• deployment: update goreleaser syntax #2524 (@travisgroth)

Changed

• move NewGRPCClientConn to public package #2826 (@wasaga)
• rm cli code #2824 (@wasaga)
• ci: remove hadolint #2726 (@travisgroth)
• ci: ignore multiple run commands #2566 (@travisgroth)
• redirect logo to the marketing site #2441 (@alexfornuto)
• ci: use github app for backport credentials #2369 (@travisgroth)

Full Changelog

Fixed

• authorize: fix nginx infinite redirect #2812 (@calebdoxsey)

Documentation

• DOCS: add Grafana to Guides index #2809 (@backport-actions-token[bot])
• DOCS: Fix indentation in API doc #2799 (@backport-actions-token[bot])
• Docs: Update Kubernetes Dashboard Guide #2795 (@backport-actions-token[bot])
• Docs: Update Securing Kubernetes Guide #2792 (@backport-actions-token[bot])
• Document Pomerium Policy Language #2789 (@backport-actions-token[bot])
• Docs: Update JWT Verification Guide #2787 (@backport-actions-token[bot])

Dependency

• deps: pin release to latest go version #2827 (@travisgroth)

Full Changelog

Notice

This release supersedes v0.15.6. It was discovered that v0.15.6 includes changes not intended for a patch release and can cause compatibility issues in some environments.

New

• protoutil: add NewAny method for deterministic serialization #2662 (@backport-actions-token[bot])

Fixed

• backport: host rewrite #2669 (@wasaga)
• autocert: remove log #2750 (@backport-actions-token[bot])

Security

• identity: fix user refresh #2725 (@backport-actions-token[bot])

Docs

• docs: Ingress Controller #2745 (@backport-actions-token[bot])
• add spdy annotation #2751 (@backport-actions-token[bot])
• Docs: Add Grafana Integration Guide #2762 (@backport-actions-token[bot])
• Docs: Update Traefik Example Headers #2741 (@backport-actions-token[bot])
• Docs: Update Community Page #2731 (@backport-actions-token[bot])
• Minor fix in routes documentation #2721 (@backport-actions-token[bot])
• Docs: Reference gRPC API Docs #2720 (@backport-actions-token[bot])
• Update architecture.md #2707 (@backport-actions-token[bot])

Full Changelog

Security Notice

This release includes a fix to a medium severity security issue.

We recommend that all users upgrade.

Security

• identity: fix user refresh #2725 (@backport-actions-token[bot])

Documentation

• Docs: Ingress Controller #2745 (@backport-actions-token[bot])
• Docs: Update Traefik Example Headers #2741 (@backport-actions-token[bot])
• Docs: Update Community Page #2731 (@backport-actions-token[bot])
• Minor fix in routes documentation #2721 (@backport-actions-token[bot])
• Docs: Reference gRPC API Docs #2720 (@backport-actions-token[bot])
• Update architecture.md #2707 (@backport-actions-token[bot])

Full Changelog

New

• skip configuration updates to the most recent one #2692 (@backport-actions-token[bot])

Documentation

• Update create TLS command to quote strings. #2697 (@backport-actions-token[bot])
• DOCS: CORS preflight in console #2693 (@backport-actions-token[bot])
• Docs: Correct Claim Example #2691 (@backport-actions-token[bot])
• Fix typo in docs #2684 (@backport-actions-token[bot])

Deployment

• deployment: remove DST_Root_CA_X3 from docker images #2698 (@travisgroth)

Full Changelog

New

• protoutil: add NewAny method for deterministic serialization #2662 (@backport-actions-token[bot])

Fixed

• backport: host rewrite #2669 (@wasaga)

Documentation

• Fixed 'kubtctl' typo on releases page #2680 (@backport-actions-token[bot])
• Refresh and Update TCP documentation #2679 (@backport-actions-token[bot])
• DOCS: Standardize Relative Links (#2651) #2654 (@alexfornuto)
• Docs: cross-reference links between concepts and reference #2650 (@backport-actions-token[bot])
• DOCS: Collapse IDP Header #2649 (@backport-actions-token[bot])
• typo #2646 (@backport-actions-token[bot])
• adjust sidebarDepths and document Desktop Client releases #2645 (@backport-actions-token[bot])
• Docs: Batch Updates #2640 (@backport-actions-token[bot])
• docs: remove extra word / updated docs link #2639 (@backport-actions-token[bot])
• TCP Client Doc #2626 (@backport-actions-token[bot])
• DOC: Copy edits to Okta IdP doc. #2625 (@backport-actions-token[bot])
• DOCS: Update Enterprise Reference Docs #2624 (@backport-actions-token[bot])
• Docs/batch link fixes #2622 (@backport-actions-token[bot])
• Add redirect for installation #2620 (@backport-actions-token[bot])
• Document Enterprise API #2619 (@backport-actions-token[bot])

Full Changelog

New

• cli: update tcp log output format #2587 (@travisgroth)

Fixed

• backport 2593 and 2594 to 0.15 #2598 (@calebdoxsey)

Documentation

• Add docs team as a code owner of packages.json #2607 (@backport-actions-token[bot])
• New Topic Page: Original Request Context #2602 (@backport-actions-token[bot])
• Document recovery token generation #2601 (@backport-actions-token[bot])
• DOCS: Add copy button to code snippets #2600 (@backport-actions-token[bot])
• docs: rename updated icon image #2583 (@backport-actions-token[bot])
• docs: add updated icon asset #2581 (@backport-actions-token[bot])

Changed

• Update CODEOWNERS #2604 (@backport-actions-token[bot])