pomerium

Pomerium is an identity and context-aware access proxy.

APACHE-2.0 License

Stars
3.9K
Committers
93

pomerium - v0.15.2

Published by travisgroth about 3 years ago

Full Changelog

New

  • allow pomerium to start without certs #2556 (@backport-actions-token[bot])

Fixed

  • authorize: use session.user_id in headers #2572 (@backport-actions-token[bot])
  • ppl: use session.user_id instead of user.id for user criterion #2563 (@backport-actions-token[bot])
  • authorize: fix google cloudrun header audience #2560 (@backport-actions-token[bot])
  • authorize: fix X-Pomerium-Claim-Groups #2540 (@backport-actions-token[bot])

Documentation

  • docs: enterprise console v0.15.2 changelog #2565 (@backport-actions-token[bot])
  • Docs: Fix merged PR #2547 (@backport-actions-token[bot])
  • Update Ping Identity IdP #2545 (@backport-actions-token[bot])
  • update OneLogin IdP doc #2544 (@backport-actions-token[bot])
  • docs: enterprise v0.15.1 changelog #2543 (@backport-actions-token[bot])
  • Updates to Enterprise Quickstart instructions #2531 (@backport-actions-token[bot])

pomerium - v0.14.8

Published by travisgroth about 3 years ago

Full Changelog

Security Notice

This release includes fixes to several high severity security issues in one of our dependencies, envoy.

We recommend that all users upgrade.

Security

  • deps: bump envoy to v0.17.4 #2535 (@travisgroth)

Documentation

  • docs: only secure schemes are supported #2410 (@backport-actions-token[bot])
  • Docs bug fixes #2364 (@github-actions[bot])
  • Docs backporting #2351 (@alexfornuto)
  • docs: google gcp / workspace instructions #2350 (@github-actions[bot])

Changed

  • chore(deps): upgrade kind action to v1.2.0 (#2281) #2366 (@travisgroth)

pomerium - v0.15.1

Published by travisgroth about 3 years ago

Full Changelog

Security Notice

This release includes fixes to several high severity security issues in one of our dependencies, envoy.

We recommend that all users upgrade.

Fixed

  • options: remove refresh_cooldown, add allow_spdy to proto #2448 (@backport-actions-token[bot])

Security

  • deps: update envoy to 1.19.1 #2527 (@backport-actions-token[bot])

Documentation

  • update GitHub IdP doc #2508 (@backport-actions-token[bot])
  • docs: update codeowners #2506 (@backport-actions-token[bot])
  • Update Helm Instructions #2505 (@backport-actions-token[bot])
  • Update Azure IdP Doc #2504 (@backport-actions-token[bot])
  • Update IdP Overview Page #2502 (@backport-actions-token[bot])
  • Update AWS cognito IdP doc #2501 (@backport-actions-token[bot])
  • Auth0 Doc Refresh #2500 (@backport-actions-token[bot])
  • document binding service to 443 #2499 (@backport-actions-token[bot])
  • Update Okta IdP doc #2495 (@backport-actions-token[bot])
  • adjust comment blocking #2489 (@backport-actions-token[bot])
  • Update Docker Quickstart (#2482) #2486 (@alexfornuto)
  • docs: use generic email #2485 (@backport-actions-token[bot])
  • wrap header example values as inline code. #2479 (@backport-actions-token[bot])
  • docs: clarify custom request header limitations #2472 (@backport-actions-token[bot])
  • Document moving routes #2466 (@backport-actions-token[bot])
  • Document tracing sample rate in console #2465 (@backport-actions-token[bot])
  • docs: update enterprise helm instructions to use main repo #2464 (@backport-actions-token[bot])
  • Enterprise Upgrade & Changelog Pages #2458 (@backport-actions-token[bot])
  • Update binary install doc #2452 (@backport-actions-token[bot])
  • docs: update branding, concepts #2449 (@backport-actions-token[bot])
  • specify expected audience in Console config #2444 (@backport-actions-token[bot])
  • redirect logo to the marketing site #2443 (@backport-actions-token[bot])
  • docs: update branding #2440 (@backport-actions-token[bot])
  • docs: update default version to v0.15 #2438 (@backport-actions-token[bot])

Dependency

  • chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])

Deployment

  • deployment: update goreleaser syntax #2525 (@backport-actions-token[bot])
  • ci: support darwin/arm64 aka m1 for cli #2521 (@travisgroth)

pomerium - v0.15.0

Published by travisgroth about 3 years ago

Full Changelog

Breaking

  • config: remove support for ed25519 signing keys #2430 (@calebdoxsey)

New

  • telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
  • authorize: log additional session details #2419 (@calebdoxsey)
  • telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
  • sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
  • envoyconfig: improvements #2402 (@calebdoxsey)
  • config: add support for embedded PPL policy #2401 (@calebdoxsey)
  • ppl: remove support for aliases #2400 (@calebdoxsey)
  • directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
  • evaluator: use cryptutil.Hash for script spans #2384 (@desimone)
  • authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
  • k8s: add flush-credentials command #2379 (@calebdoxsey)
  • urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
  • ci: use revive instead of golint #2370 (@calebdoxsey)
  • authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
  • envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
  • config: add warning about http URLs #2358 (@calebdoxsey)
  • authorize: log service account and impersonation details #2354 (@calebdoxsey)
  • tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
  • envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
  • registry/redis: call publish from within lua function #2337 (@calebdoxsey)
  • proxy: add idle timeout #2319 (@wasaga)
  • cli: use proxy from environment #2316 (@tskinn)
  • authorize: do not send redirects to gRPC #2314 (@wasaga)
  • certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
  • config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
  • envoy: refactor envoy embedding #2296 (@calebdoxsey)
  • envoy: add full version #2287 (@calebdoxsey)
  • authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
  • xds: retry storing configuration events #2266 (@calebdoxsey)
  • envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
  • authorize: preserve original context #2247 (@wasaga)
  • ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
  • ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
  • ppl: convert config policy to ppl #2218 (@calebdoxsey)
  • Pomerium Policy Language #2202 (@calebdoxsey)
  • telemetry: add hostname tag to metrics #2191 (@wasaga)
  • envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
  • registry: implement redis backend #2179 (@calebdoxsey)
  • report instance hostname in xds events #2175 (@wasaga)
  • databroker: implement leases #2172 (@calebdoxsey)

Fixed

  • config: remove grpc server max connection age options #2427 (@calebdoxsey)
  • authorize: add sid to JWT claims #2420 (@calebdoxsey)
  • disable http/2 for websockets #2399 (@calebdoxsey)
  • ci: update gcloud action #2393 (@travisgroth)
  • google: remove WithHTTPClient #2391 (@calebdoxsey)
  • telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
  • authorize: allow redirects on deny #2361 (@calebdoxsey)
  • authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
  • envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
  • envoy: only check for pid with monitor #2355 (@calebdoxsey)
  • fix: timeout in protobuf #2341 (@wasaga)
  • authorize: support boolean deny results #2338 (@calebdoxsey)
  • ppl: fix not/nor rules #2313 (@calebdoxsey)
  • directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
  • ocsp: reload on response changes #2286 (@wasaga)
  • envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
  • databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
  • redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
  • authorize: only redirect for HTML pages #2264 (@calebdoxsey)
  • tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)
  • envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
  • envoy: disable hot-reload for macos #2259 (@calebdoxsey)
  • authorize: round timestamp #2258 (@wasaga)
  • options: s/shared-key/shared secret #2257 (@desimone)
  • config: warn about unrecognized keys #2256 (@wasaga)
  • darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
  • policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
  • envoy: exit if envoy exits #2240 (@calebdoxsey)
  • envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
  • envoy: add global response headers to local replies #2217 (@calebdoxsey)
  • forward auth: don't strip query parameters #2216 (@wasaga)
  • PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
  • Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
  • authorize: grpc health check #2200 (@wasaga)
  • proxy / controlplane: use old upstream cipher suite #2196 (@desimone)
  • deployment: fix empty version on master builds #2193 (@travisgroth)

Security

  • envoy: only allow embedding #2368 (@calebdoxsey)
  • deps: bump envoy to v1.17.3 #2198 (@travisgroth)

Documentation

  • doc updates #2433 (@calebdoxsey)
  • Update Console installs to match signing_key #2432 (@alexfornuto)
  • docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
  • docs: clarify device identity, not state via client certs #2428 (@desimone)
  • v0.15 release notes #2409 (@travisgroth)
  • docs: only secure schemes are supported #2408 (@desimone)
  • Installation Docs Restructuring #2406 (@alexfornuto)
  • symlink security policy to root of project #2396 (@desimone)
  • Enterprise Docs #2390 (@alexfornuto)
  • Helm Quickstart Update #2380 (@alexfornuto)
  • Docs bug fixes #2362 (@alexfornuto)
  • Docs sorting #2346 (@alexfornuto)
  • Update installation source for mkcert #2340 (@alexfornuto)
  • Update kubernetes-dashboard.md #2285 (@WeeHong)
  • Transmission BitTorrent Client Guide #2281 (@alexfornuto)
  • docs: google gcp / workspace instructions #2272 (@desimone)
  • docs: update helm values for chart v20.0.0 #2242 (@travisgroth)
  • docs: update _redirects #2237 (@desimone)
  • add support for latest version of code-server #2229 (@bpmct)
  • fix(docs): use correct name for code-server #2223 (@jsjoeio)
  • docs: rm broken link #2215 (@alexfornuto)
  • docs: Match Tenses #2214 (@alexfornuto)
  • Update programmatic-access.md #2190 (@yyolk)
  • docs: add v0.14 feature highlights #2184 (@github-actions[bot])
  • docs: add v0.14 feature highlights #2183 (@travisgroth)
  • docs: update slack link to vanity url #2177 (@travisgroth)

Dependency

  • chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
  • chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
  • chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
  • chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
  • ci: convert to FOSSA scan #2371 (@travisgroth)
  • chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
  • chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
  • chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
  • chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
  • chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
  • chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
  • chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
  • chore(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.0 #2318 (@dependabot[bot])
  • chore(deps): bump github.com/spf13/viper from 1.8.0 to 1.8.1 #2317 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.48.0 to 0.49.0 #2315 (@dependabot[bot])
  • chore(deps): bump github.com/spf13/viper from 1.7.1 to 1.8.0 #2305 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.18.0 to 5.19.1 #2304 (@dependabot[bot])
  • chore(deps): bump github.com/ory/dockertest/v3 from 3.6.5 to 3.7.0 #2303 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.47.0 to 0.48.0 #2295 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 #2294 (@dependabot[bot])
  • chore(deps): bump github.com/rs/zerolog from 1.22.0 to 1.23.0 #2293 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.17.0 to 5.18.0 #2292 (@dependabot[bot])
  • chore(deps): bump github.com/caddyserver/certmagic from 0.13.1 to 0.14.0 #2291 (@dependabot[bot])
  • chore(deps): bump github.com/golang/mock from 1.5.0 to 1.6.0 #2290 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.25.0 to 0.29.0 #2289 (@dependabot[bot])
  • deps: upgrade to go-jose v3 #2284 (@calebdoxsey)
  • chore(deps): bump github.com/go-redis/redis/v8 from 8.9.0 to 8.10.0 #2276 (@dependabot[bot])
  • chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.4 to 3.21.5 #2274 (@dependabot[bot])
  • chore(deps): bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0 #2273 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.29.4 #2255 (@dependabot[bot])
  • chore(deps): bump go.uber.org/zap from 1.16.0 to 1.17.0 #2254 (@dependabot[bot])
  • chore(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 #2253 (@dependabot[bot])
  • chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 #2252 (@dependabot[bot])
  • chore(deps): bump github.com/mitchellh/hashstructure/v2 from 2.0.1 to 2.0.2 #2251 (@dependabot[bot])
  • chore(deps): bump github.com/go-redis/redis/v8 from 8.8.3 to 8.9.0 #2249 (@dependabot[bot])
  • darwin: use x86 envoy build for arm64 #2246 (@calebdoxsey)
  • chore(deps): bump github.com/prometheus/common from 0.24.0 to 0.25.0 #2234 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.46.0 to 0.47.0 #2233 (@dependabot[bot])
  • chore(deps): bump github.com/go-redis/redis/v8 from 8.8.2 to 8.8.3 #2232 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0 #2231 (@dependabot[bot])
  • dependency: update /x/net #2227 (@desimone)
  • chore(deps): bump github.com/lithammer/shortuuid/v3 from 3.0.6 to 3.0.7 #2211 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.23.0 to 0.24.0 #2210 (@dependabot[bot])
  • chore(deps): bump github.com/rs/zerolog from 1.21.0 to 1.22.0 #2209 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.16.0 to 5.17.0 #2208 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.37.0 to 1.37.1 #2207 (@dependabot[bot])
  • chore(deps): bump github.com/caddyserver/certmagic from 0.13.0 to 0.13.1 #2188 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.15.0 to 5.16.0 #2187 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.45.0 to 0.46.0 #2186 (@dependabot[bot])

Changed

  • redis: increase timeout on test #2425 (@calebdoxsey)
  • build: add envoy files to make clean #2411 (@travisgroth)
  • envoy: bump to 1.19 #2392 (@travisgroth)
  • ci: use github app for backport credentials #2369 (@travisgroth)
  • databroker: tests #2367 (@calebdoxsey)
  • storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)
  • redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
  • internal/envoy: add debugging information if envoy is no longer running #2320 (@travisgroth)
  • ci: add coveralls #2279 (@travisgroth)

pomerium - v0.14.7

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • directory/azure: add paging support to user group members call #2312 (@github-actions[bot])

pomerium - v0.14.6

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • authorize: only redirect for HTML pages (#2264) #2298 (@calebdoxsey)

pomerium - v0.14.5

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • envoy: fix usage of codec_type with alpn #2278 (@github-actions[bot])
  • authorize: round JWT claim timestamps #2260 (@wasaga)

Documentation

  • docs: update helm values for chart v20.0.0 #2244 (@github-actions[bot])
  • docs: update _redirects #2238 (@github-actions[bot])

pomerium - v0.14.4

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • authorize: add rego functions to custom evaluator #2236 (@calebdoxsey)

pomerium - v0.14.3

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • authorize: fix custom rego panic #2226 (@calebdoxsey)

Changed

  • envoy: add global response headers to local replies #2225 (@github-actions[bot])

pomerium - v0.14.2

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • Revert "authenticate,proxy: add same site lax to cookies" #2204 (@github-actions[bot])

Documentation

  • Update programmatic-access.md #2205 (@github-actions[bot])

pomerium - v0.14.1

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • proxy / controlplane: use old upstream cipher suite #2197 (@github-actions[bot])

Security

  • deps: bump envoy to v1.17.3 #2199 (@github-actions[bot])

Documentation

  • docs: update slack link to vanity url #2178 (@github-actions[bot])
  • docs: add v0.14 feature highlights #2184 (@github-actions[bot])

pomerium - v0.14.0

Published by travisgroth over 3 years ago

Full Changelog

New

  • databroker: store issued at timestamp with session #2173 (@calebdoxsey)
  • config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
  • authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
  • xds extended event #2158 (@wasaga)
  • config: add client_crl #2157 (@calebdoxsey)
  • config: add support for codec_type #2156 (@calebdoxsey)
  • controlplane: save configuration events to databroker #2153 (@calebdoxsey)
  • control plane: add request id to all error pages #2149 (@desimone)
  • let pass custom dial opts #2144 (@wasaga)
  • envoy: re-implement recommended defaults #2123 (@calebdoxsey)
  • Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
  • config: remove validate side effects #2109 (@calebdoxsey)
  • log context #2107 (@wasaga)
  • databroker: add options for maximum capacity #2095 (@calebdoxsey)
  • envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
  • envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
  • config: rename headers to set_response_headers #2081 (@calebdoxsey)
  • crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
  • cryptutil: use bytes for hmac #2067 (@calebdoxsey)
  • cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
  • authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
  • authorize: audit logging #2050 (@calebdoxsey)
  • support host:port in metrics_address #2042 (@wasaga)
  • databroker: return server version in Get #2039 (@wasaga)
  • authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
  • protoutil: add generic transformer #2023 (@calebdoxsey)
  • cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
  • autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
  • telemetry: add installation id #2017 (@calebdoxsey)
  • config: use getters for certificates #2001 (@calebdoxsey)
  • config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
  • xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
  • envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
  • redis: add redis cluster support #1992 (@calebdoxsey)
  • redis: add support for redis-sentinel #1991 (@calebdoxsey)
  • authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
  • identity: infer email from mail claim #1977 (@calebdoxsey)
  • ping: identity and directory providers #1975 (@calebdoxsey)
  • config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
  • config: add rewrite_response_headers option #1961 (@calebdoxsey)
  • assets: use embed instead of statik #1960 (@calebdoxsey)
  • config: log config source changes #1959 (@calebdoxsey)
  • config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
  • telemetry: add process collector for envoy #1948 (@calebdoxsey)
  • use build_info as liveness gauge metric #1940 (@wasaga)
  • metrics: add TLS options #1939 (@calebdoxsey)
  • identity: record metric for last refresh #1936 (@calebdoxsey)
  • middleware: basic auth equalize lengths of input #1934 (@desimone)
  • autocert: remove non-determinism #1932 (@calebdoxsey)
  • config: add metrics_basic_auth option #1917 (@calebdoxsey)
  • envoy: validate binary checksum #1908 (@calebdoxsey)
  • config: support map of jwt claim headers #1906 (@calebdoxsey)
  • Remove internal/protoutil. #1893 (@yegle)
  • databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
  • config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
  • config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
  • proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
  • authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)

Fixed

  • deployment: update alpine debug image dependencies #2154 (@travisgroth)
  • authorize: refactor store locking #2151 (@calebdoxsey)
  • databroker: store server version in backend #2142 (@calebdoxsey)
  • authorize: audit log had duplicate "message" key #2141 (@desimone)
  • httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
  • envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
  • authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
  • authorize: fix unsigned URL #2118 (@calebdoxsey)
  • authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
  • authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
  • xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
  • config: don't change address value on databroker or authorize #2092 (@travisgroth)
  • metrics_address should be optional parameter #2087 (@wasaga)
  • propagate changes back from encrypted backend #2079 (@wasaga)
  • config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
  • databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
  • authenticate: fix default sign out url #2061 (@calebdoxsey)
  • change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
  • authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
  • proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
  • config: add headers to config proto #1996 (@calebdoxsey)
  • Fix process cpu usage metric #1979 (@wasaga)
  • cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
  • proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
  • config: fix redirect routes from protobuf #1930 (@travisgroth)
  • google: fix default provider URL #1928 (@calebdoxsey)
  • fix registry test #1911 (@wasaga)
  • ci: pin goreleaser version #1900 (@travisgroth)
  • onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
  • xds: fix misdirected script #1895 (@calebdoxsey)
  • authenticate: validate origin of signout #1876 (@desimone)
  • redis: fix deletion versioning #1871 (@calebdoxsey)
  • options: header only applies to routes and authN #1862 (@desimone)
  • controlplane: add global headers to virtualhost #1861 (@desimone)
  • unique envoy cluster ids #1858 (@wasaga)

Security

  • ci: remove codecov #2161 (@travisgroth)
  • internal/envoy: always extract envoy #2160 (@travisgroth)
  • deps: bump envoy to 1.17.2 #2113 (@travisgroth)
  • deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
  • proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
  • authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)

Documentation

  • docs: add inline instructions to generate signing-key #2164 (@desimone)
  • docs: add info note to set_response_headers #2162 (@calebdoxsey)
  • docs: mention alternative bearer token header format #2155 (@travisgroth)
  • docs: upgrade notes on allowed_users by ID #2133 (@travisgroth)
  • docs: add threat model to security page #2097 (@desimone)
  • docs: update community slack link #2063 (@travisgroth)
  • Update local-oidc.md #1994 (@dharmendrakariya)
  • ping: add documentation #1976 (@calebdoxsey)
  • docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
  • Update data-storage.md #1941 (@TanguyPatte)
  • docs: fix query param name #1920 (@calebdoxsey)
  • docs: add breaking sa changes in v0.13 #1919 (@desimone)
  • docs: add v0.13 to docs site menu #1913 (@travisgroth)
  • docs: update changelog for v0.13.0 #1909 (@desimone)
  • docs: update security policy #1897 (@desimone)
  • docs: misc upgrade notes and changelog #1884 (@travisgroth)
  • docs: add load balancing weight documentation #1883 (@travisgroth)
  • docs: additional load balancing documentation #1875 (@travisgroth)

Dependency

  • chore(deps): bump github.com/ory/dockertest/v3 from 3.6.3 to 3.6.5 #2168 (@dependabot[bot])
  • chore(deps): bump github.com/prometheus/common from 0.21.0 to 0.23.0 #2167 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.0 to 0.6.1 #2166 (@dependabot[bot])
  • chore(deps): bump github.com/open-policy-agent/opa from 0.27.1 to 0.28.0 #2165 (@dependabot[bot])
  • use cached envoy #2132 (@wasaga)
  • chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
  • chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
  • chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
  • do not require project be in GOPATH/src #2078 (@wasaga)
  • chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
  • deps: switch from renovate to dependabot #2069 (@travisgroth)
  • fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
  • fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
  • fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
  • skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
  • fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
  • fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
  • fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
  • fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
  • fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
  • fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
  • fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
  • fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
  • deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
  • fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
  • fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
  • fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
  • fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
  • fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
  • fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
  • fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
  • fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
  • fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
  • chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
  • fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
  • fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
  • fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
  • fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
  • fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
  • fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
  • fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
  • fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
  • fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
  • fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
  • chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
  • chore(deps): update yaml v2 to v3 #1927 (@desimone)
  • chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
  • chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
  • chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
  • chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
  • chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
  • chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
  • chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
  • chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
  • chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
  • chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])

Deployment

  • deployment: update get-envoy script and release hooks #2111 (@travisgroth)
  • deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
  • deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
  • deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
  • ci: cache build and test binaries #1938 (@desimone)
  • ci: go 1.16.x, cached tests #1937 (@desimone)

Changed

  • authorize: remove log #2122 (@calebdoxsey)
  • config related metrics #2065 (@wasaga)
  • proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
  • add default gitlab url #2044 (@contrun)
  • Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
  • Add xff_num_trusted_hops config option #2003 (@ntoofu)
  • envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
  • ci: deploy master to integration environments #1973 (@travisgroth)
  • oidc: use groups claim from ID token if present #1970 (@bonifaido)
  • config: expose viper policy hooks #1947 (@calebdoxsey)
  • ci: deploy latest release to test environment #1916 (@travisgroth)
  • logs: strip query string #1894 (@calebdoxsey)
  • in-memory service registry #1892 (@wasaga)
  • controlplane: maybe fix flaky test #1873 (@calebdoxsey)
  • remove generated code from code coverage metrics #1857 (@travisgroth)
pomerium - v0.14.0-rc2

Published by travisgroth over 3 years ago

Full Changelog

New

  • controlplane: save configuration events to databroker #2153 (@calebdoxsey)
  • control plane: add request id to all error pages #2149 (@desimone)
  • let pass custom dial opts #2144 (@wasaga)
  • envoy: re-implement recommended defaults #2123 (@calebdoxsey)
  • Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
  • config: remove validate side effects #2109 (@calebdoxsey)
  • log context #2107 (@wasaga)
  • databroker: add options for maximum capacity #2095 (@calebdoxsey)

Fixed

  • deployment: update alpine debug image dependencies #2154 (@travisgroth)
  • authorize: refactor store locking #2151 (@calebdoxsey)
  • databroker: store server version in backend #2142 (@calebdoxsey)
  • authorize: audit log had duplicate "message" key #2141 (@desimone)
  • httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
  • envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
  • authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
  • authorize: fix unsigned URL #2118 (@calebdoxsey)
  • authorize: support arbitrary jwt claims #2102 (@calebdoxsey)

Security

  • deps: bump envoy to 1.17.2 #2113 (@travisgroth)

Documentation

  • docs: mention alternative bearer token header format #2155 (@travisgroth)
  • docs: upgrade notes on allowed_users by ID #2133 (@travisgroth)

Dependency

  • use cached envoy #2132 (@wasaga)
  • chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
  • chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
  • chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
  • chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])

Deployment

  • deployment: update get-envoy script and release hooks #2111 (@travisgroth)
  • deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)

Changed

  • authorize: remove log #2122 (@calebdoxsey)
pomerium - v0.14.0-rc1

Published by travisgroth over 3 years ago

Changelog

Full Changelog

New

  • envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
  • envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
  • config: rename headers to set_response_headers #2081 (@calebdoxsey)
  • crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
  • directory: remove provider from user id #2068 (@calebdoxsey)
  • cryptutil: use bytes for hmac #2067 (@calebdoxsey)
  • cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
  • authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
  • authorize: audit logging #2050 (@calebdoxsey)
  • support host:port in metrics_address #2042 (@wasaga)
  • databroker: return server version in Get #2039 (@wasaga)
  • authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
  • protoutil: add generic transformer #2023 (@calebdoxsey)
  • cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
  • autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
  • telemetry: add installation id #2017 (@calebdoxsey)
  • config: use getters for certificates #2001 (@calebdoxsey)
  • config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
  • xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
  • envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
  • redis: add redis cluster support #1992 (@calebdoxsey)
  • redis: add support for redis-sentinel #1991 (@calebdoxsey)
  • authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
  • identity: infer email from mail claim #1977 (@calebdoxsey)
  • ping: identity and directory providers #1975 (@calebdoxsey)
  • config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
  • config: add rewrite_response_headers option #1961 (@calebdoxsey)
  • assets: use embed instead of statik #1960 (@calebdoxsey)
  • config: log config source changes #1959 (@calebdoxsey)
  • config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
  • telemetry: add process collector for envoy #1948 (@calebdoxsey)
  • use build_info as liveness gauge metric #1940 (@wasaga)
  • metrics: add TLS options #1939 (@calebdoxsey)
  • identity: record metric for last refresh #1936 (@calebdoxsey)
  • middleware: basic auth equalize lengths of input #1934 (@desimone)
  • autocert: remove non-determinism #1932 (@calebdoxsey)
  • config: add metrics_basic_auth option #1917 (@calebdoxsey)
  • envoy: validate binary checksum #1908 (@calebdoxsey)
  • config: support map of jwt claim headers #1906 (@calebdoxsey)
  • Remove internal/protoutil. #1893 (@yegle)
  • databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
  • config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
  • config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
  • proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
  • authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)

Fixed

  • authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
  • xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
  • config: don't change address value on databroker or authorize #2092 (@travisgroth)
  • metrics_address should be optional parameter #2087 (@wasaga)
  • propagate changes back from encrypted backend #2079 (@wasaga)
  • config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
  • databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
  • authenticate: fix default sign out url #2061 (@calebdoxsey)
  • change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
  • authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
  • proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
  • config: add headers to config proto #1996 (@calebdoxsey)
  • Fix process cpu usage metric #1979 (@wasaga)
  • cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
  • proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
  • config: fix redirect routes from protobuf #1930 (@travisgroth)
  • google: fix default provider URL #1928 (@calebdoxsey)
  • fix registry test #1911 (@wasaga)
  • ci: pin goreleaser version #1900 (@travisgroth)
  • onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
  • xds: fix misdirected script #1895 (@calebdoxsey)
  • authenticate: validate origin of signout #1876 (@desimone)
  • redis: fix deletion versioning #1871 (@calebdoxsey)
  • options: header only applies to routes and authN #1862 (@desimone)
  • controlplane: add global headers to virtualhost #1861 (@desimone)
  • unique envoy cluster ids #1858 (@wasaga)

Security

  • deps: bump envoy to 1.17.2 #2113 (@travisgroth)
  • proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
  • authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)

Documentation

  • docs: add threat model to security page #2097 (@desimone)
  • docs: update community slack link #2063 (@travisgroth)
  • Update local-oidc.md #1994 (@dharmendrakariya)
  • ping: add documentation #1976 (@calebdoxsey)
  • docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
  • Update data-storage.md #1941 (@TanguyPatte)
  • docs: fix query param name #1920 (@calebdoxsey)
  • docs: add breaking sa changes in v0.13 #1919 (@desimone)
  • docs: add v0.13 to docs site menu #1913 (@travisgroth)
  • docs: update changelog for v0.13.0 #1909 (@desimone)
  • docs: update security policy #1897 (@desimone)
  • docs: misc upgrade notes and changelog #1884 (@travisgroth)
  • docs: add load balancing weight documentation #1883 (@travisgroth)
  • docs: additional load balancing documentation #1875 (@travisgroth)

Dependency

  • chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
  • do not require project be in GOPATH/src #2078 (@wasaga)
  • chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
  • chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
  • chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
  • deps: switch from renovate to dependabot #2069 (@travisgroth)
  • fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
  • fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
  • fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
  • skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
  • fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
  • fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
  • fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
  • fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
  • fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
  • fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
  • fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
  • fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
  • deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
  • fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
  • fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
  • fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
  • fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
  • fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
  • fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
  • fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
  • fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
  • fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
  • chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
  • fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
  • fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
  • fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
  • fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
  • fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
  • fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
  • fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
  • fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
  • fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
  • fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
  • chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
  • fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
  • fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
  • chore(deps): update yaml v2 to v3 #1927 (@desimone)
  • chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
  • chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
  • chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
  • chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
  • chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
  • chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
  • chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
  • chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
  • chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
  • chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
  • chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])

Deployment

  • deployment: update get-envoy script and release hooks #2111 (@travisgroth)
  • deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
  • ci: cache build and test binaries #1938 (@desimone)
  • ci: go 1.16.x, cached tests #1937 (@desimone)

Changed

  • config related metrics #2065 (@wasaga)
  • proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
  • add default gitlab url #2044 (@contrun)
  • Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
  • Add xff_num_trusted_hops config option #2003 (@ntoofu)
  • envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
  • ci: deploy master to integration environments #1973 (@travisgroth)
  • oidc: use groups claim from ID token if present #1970 (@bonifaido)
  • config: expose viper policy hooks #1947 (@calebdoxsey)
  • ci: deploy latest release to test environment #1916 (@travisgroth)
  • logs: strip query string #1894 (@calebdoxsey)
  • in-memory service registry #1892 (@wasaga)
  • controlplane: maybe fix flaky test #1873 (@calebdoxsey)
  • remove generated code from code coverage metrics #1857 (@travisgroth)
pomerium - v0.13.6

Published by travisgroth over 3 years ago

Envoy has released an update to fix several CVEs:

  • CVE-2021-28682 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable integer overflow in which a very large grpc-timeout value causes undefined behavior.
  • CVE-2021-28683 (CVSS score 7.5, High): Envoy through 1.17.1 and 1.16.2 contains a remotely exploitable crash in TLS when an unknown TLS alert code is received.
  • CVE-2021-29258 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable crash in Envoy's HTTP2 Metadata, when an empty METADATA map is sent.

This Pomerium patch updates the embedded version of envoy to 1.16.3.

Full Changelog

Security

  • deps: upgrade envoy to 1.16.3 #2096 (@travisgroth)

Documentation

  • docs: update community slack link #2064 (@github-actions[bot])
pomerium - v0.13.5

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • change require_proxy_protocol to use_proxy_protocol #2058 (@github-actions[bot])
pomerium - v0.13.4

Published by travisgroth over 3 years ago

Full Changelog

This release addresses two security issues in Pomerium:

https://github.com/pomerium/pomerium/security/advisories/GHSA-35vc-w93w-75c2 (CVE-2021-29651)
https://github.com/pomerium/pomerium/security/advisories/GHSA-fv82-r8qv-ch4v (CVE-2021-29652)

Security

  • proxy: restrict programmatic URLs to localhost #2047 (@travisgroth)
  • authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2046 (@travisgroth)
pomerium - v0.13.3

Published by travisgroth over 3 years ago

Full Changelog

New

  • identity: infer email from mail claim #1978 (@github-actions[bot])
pomerium - v0.13.2

Published by travisgroth over 3 years ago

Full Changelog

Documentation

  • Update data-storage.md #1942 (@github-actions[bot])

Changed

  • proxy: redirect to dashboard for logout #1945 (@github-actions[bot])
pomerium - v0.13.1

Published by travisgroth over 3 years ago

Full Changelog

Fixed

  • config: fix redirect routes from protobuf #1931 (@github-actions[bot])
  • google: fix default provider URL #1929 (@github-actions[bot])

Documentation

  • docs: fix query param name #1923 (@github-actions[bot])
  • docs: add breaking sa changes in v0.13 #1921 (@github-actions[bot])
  • docs: add v0.13 to docs site menu #1914 (@github-actions[bot])

Changed

  • ci: deploy releases to test environment (#1916) #1918 (@travisgroth)