pomerium | Go Ecosystem Directory

Bot releases are visible (Hide)

pomerium - v0.13.0

Published by travisgroth over 3 years ago

Full Changelog

Breaking

authorize: remove admin #1833 (@calebdoxsey)
remove user impersonation and service account cli #1768 (@calebdoxsey)

New

authorize: allow access by user id #1850 (@calebdoxsey)
authorize: remove DataBrokerData input #1847 (@calebdoxsey)
authorize: remove DataBrokerData #1846 (@calebdoxsey)
opa: format rego files #1845 (@calebdoxsey)
policy: add new certificate-authority option for downstream mTLS client certificates #1835 (@calebdoxsey)
metrics: human readable cluster name #1834 (@wasaga)
upstream endpoints load balancer weights #1830 (@wasaga)
controlplane: only add listener virtual domains for addresses matching the current TLS domain #1823 (@calebdoxsey)
authenticate: delay evaluation of OIDC provider #1802 (@calebdoxsey)
config: require shared key if using redis backed databroker #1801 (@travisgroth)
upstream health check config #1796 (@wasaga)
new skip_xff_append option #1788 (@wasaga)
policy: add outlier_detection #1786 (@calebdoxsey)
reduce memory usage by handling http/2 coalescing via a lua script #1779 (@calebdoxsey)
add support for proxy protocol on HTTP listener #1777 (@calebdoxsey)
config: support redirect actions #1776 (@calebdoxsey)
config: detect underlying file changes #1775 (@calebdoxsey)
authenticate: update user info screens #1774 (@desimone)
jws: remove issuer #1754 (@calebdoxsey)

Fixed

redis: fix deletion versioning #1874 (@github-actions[bot])
rego: handle null #1853 (@calebdoxsey)
config: fix data race #1851 (@calebdoxsey)
deployment: set maintainer field in packages #1848 (@travisgroth)
xds: fix always requiring client certificates #1844 (@calebdoxsey)
fix go:generate for envoy config #1826 (@calebdoxsey)
controlplane: only enable STATIC dns when all adresses are IP addresses #1822 (@calebdoxsey)
config: fix databroker policies #1821 (@calebdoxsey)
config: fix hot-reloading #1820 (@calebdoxsey)
Revert "reduce memory usage by handling http/2 coalescing via a lua script" #1785 (@calebdoxsey)
google: fix nil name #1771 (@calebdoxsey)
autocert: improve logging #1767 (@travisgroth)

Documentation

docs: update changelog for v0.13.0 #1910 (@github-actions[bot])
docs: add load balancing weight documentation #1905 (@github-actions[bot])
docs: misc upgrade notes and changelog #1904 (@github-actions[bot])
ci: pin goreleaser version #1903 (@github-actions[bot])
docs: update security policy #1901 (@github-actions[bot])
docs: additional load balancing documentation #1882 (@github-actions[bot])
github: add tag suggestion to checklist #1819 (@desimone)
docs: add reference to the go-sdk #1800 (@desimone)
updated host rewrite docs #1799 (@vihardesu)
docs: update menu for v0.12 #1755 (@travisgroth)
Update GitLab provider docs #1591 (@bradjones1)

Dependency

chore(deps): update module go.opencensus.io to v0.22.6 #1842 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.11 #1841 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 44e461b #1840 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to f9ce19e #1839 (@renovate[bot])
chore(deps): update module stretchr/testify to v1.7.0 #1816 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.26.0 #1815 (@renovate[bot])
chore(deps): update module mitchellh/mapstructure to v1.4.1 #1814 (@renovate[bot])
chore(deps): update module google/uuid to v1.2.0 #1813 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.35.0 #1812 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.10 #1811 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.4.1 #1810 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 8081c04 #1809 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to d3ed898 #1808 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 5f4716e #1807 (@renovate[bot])
chore(deps): update oidc to v3 #1783 (@desimone)
chore(deps): update vuepress monorepo to v1.8.0 #1761 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.8 #1760 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.3.1 #1759 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.2.1 #1758 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to c7d5778 #1757 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.38.0 #1656 (@renovate[bot])

Deployment

ci: fix usage of env variable in latest tag #1791 (@travisgroth)
databroker: rename cache service #1790 (@calebdoxsey)
ci: fix deprecated command in latestTag step #1763 (@travisgroth)

Changed

authenticate: validate origin of signout #1881 (@github-actions[bot])
config: add CertificateFiles to FileWatcherSource list #1880 (@github-actions[bot])
ci: enable backporting from forks #1854 (@travisgroth)
ci: fix version metadata in non-releases #1836 (@travisgroth)
protobuf: upgrade protoc to 3.14 #1832 (@calebdoxsey)
Update codeowners #1831 (@travisgroth)
config: return errors on invalid URLs, fix linting #1829 (@calebdoxsey)
grpc: use custom resolver #1828 (@calebdoxsey)
controlplane: return errors in xds build methods #1827 (@calebdoxsey)
include envoy's proto specs into config.proto #1817 (@wasaga)
expose all envoy cluster options in policy #1804 (@wasaga)
autocert: store certificates separately from config certificates #1794 (@calebdoxsey)
move file change detection before autocert #1793 (@calebdoxsey)
config: support multiple destination addresses #1789 (@calebdoxsey)
ci: license check action #1773 (@travisgroth)
authorize: move impersonation into session/service account #1765 (@calebdoxsey)

pomerium - v0.12.2

Published by travisgroth over 3 years ago

NOTE: Due to a release error, a version of v0.12.2 was briefly published off the incorrect commit. The correct version is 0.12.2-1613583129+2060f4e.

Full Changelog

Fixed

[Backport 0-12-0] deployment: set maintainer field in packages #1849 (@github-actions[bot])

Changed

[Backport 0-12-0] ci: fix usage of env variable in latest tag #1806 (@github-actions[bot])
[Backport 0-12-0] docs: add reference to the go-sdk #1803 (@github-actions[bot])

pomerium - v0.12.1

Published by travisgroth over 3 years ago

Full Changelog

Fixed

[Backport 0-12-0] google: fix nil name #1772 (@github-actions[bot])
[Backport 0-12-0] autocert: improve logging #1769 (@travisgroth)

Documentation

[Backport 0-12-0] docs: update menu for v0.12 #1762 (@github-actions[bot])

Deployment

[Backport 0-12-0] ci: fix deprecated command in latestTag step #1764 (@github-actions[bot])

pomerium - v0.12.0

Published by travisgroth almost 4 years ago

Full Changelog

New

tcp: prevent idle stream timeouts for TCP and Websocket routes #1744 (@calebdoxsey)
telemetry: add support for datadog tracing #1743 (@calebdoxsey)
use incremental API for envoy xDS #1732 (@calebdoxsey)
cli: add version command #1726 (@desimone)
add TLS flags for TCP tunnel #1725 (@calebdoxsey)
k8s cmd: use authclient package #1722 (@calebdoxsey)
internal/controlplane: 0s default timeout for tcp routes #1716 (@travisgroth)
use impersonate groups if impersonate email is set #1701 (@calebdoxsey)
unimpersonate button #1700 (@calebdoxsey)
TCP client command #1696 (@calebdoxsey)
add support for TCP routes #1695 (@calebdoxsey)
internal/directory: use gitlab provider url option #1689 (@nghnam)
improve ca cert error message, use GetCertPool for databroker storage #1666 (@calebdoxsey)
implement new redis storage backend with go-redis package #1649 (@calebdoxsey)
authenticate: oidc frontchannel-logout endpoint #1586 (@pflipp)

Fixed

remove :443 or :80 from proxy URLs in authclient #1733 (@calebdoxsey)
tcptunnel: handle invalid http response codes #1727 (@calebdoxsey)
update azure docs #1723 (@calebdoxsey)
config: fix ignored yaml fields #1698 (@travisgroth)
fix concurrency race #1675 (@calebdoxsey)
don't create users when updating sessions #1671 (@calebdoxsey)

Documentation

update google docs #1738 (@calebdoxsey)
docs: add TCP guide #1714 (@travisgroth)
docs: tcp support #1712 (@travisgroth)
docs: replace httpbin with verify #1702 (@desimone)
docs: fix nginx config #1691 (@desimone)
remove "see policy" phrase in settings docs #1668 (@calebdoxsey)
docs: add allowed_idp_claims docs #1665 (@travisgroth)
docs: add v0.11 link to version menu #1663 (@travisgroth)

Dependency

chore(deps): update module google/uuid to v1.1.4 #1729 (@renovate[bot])
dev: update linter #1728 (@desimone)
chore(deps): update codecov/codecov-action action to v1.1.1 #1720 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 6772e93 #1719 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to eec23a3 #1718 (@renovate[bot])
chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3.4.0 #1710 (@renovate[bot])
chore(deps): update module prometheus/client_golang to v1.9.0 #1709 (@renovate[bot])
chore(deps): update module ory/dockertest/v3 to v3.6.3 #1708 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.4 #1707 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.1.0 #1706 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 8c77b98 #1705 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 986b41b #1704 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 9d13527 #1703 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.25.2 #1685 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.4.2 #1684 (@renovate[bot])
chore(deps): update module envoyproxy/go-control-plane to v0.9.8 #1683 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 40ec1c2 #1682 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 09787c9 #1681 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 08078c5 #1680 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to ac852fb #1679 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 5f87f34 #1678 (@renovate[bot])

Deployment

ci: upgrade yq syntax for v4 #1745 (@travisgroth)
deployment: Fix docker and rpm workflows #1687 (@travisgroth)
ci: fix pomerium-cli rpm name #1661 (@travisgroth)

Changed

ci: fix typo in yq image #1746 (@travisgroth)
fix coverage #1741 (@calebdoxsey)
fix error wrapping #1737 (@calebdoxsey)
Revert "set recommended defaults" #1735 (@calebdoxsey)
set recommended defaults #1734 (@calebdoxsey)
internal/telemetry/metrics: update redis metrics for go-redis #1694 (@travisgroth)

pomerium - v0.11.1

Published by travisgroth almost 4 years ago

Full Changelog

Fixed

[Backport 0-11-0] fix concurrency race #1676 (@github-actions[bot])
[Backport 0-11-0] don't create users when updating sessions #1672 (@github-actions[bot])

Documentation

[Backport 0-11-0] remove "see policy" phrase in settings docs #1669 (@github-actions[bot])
[Backport 0-11-0] docs: add allowed_idp_claims docs #1667 (@github-actions[bot])
[Backport 0-11-0] docs: add v0.11 link to version menu #1664 (@github-actions[bot])

Deployment

[Backport 0-11-0] ci: fix pomerium-cli rpm name #1662 (@travisgroth)

pomerium - v0.11.0

Published by travisgroth almost 4 years ago

Full Changelog

Breaking

remove deprecated cache_service_url config option #1614 (@calebdoxsey)
add flag to enable user impersonation #1514 (@calebdoxsey)

New

microsoft: add support for common endpoint #1648 (@desimone)
use the directory email when provided for the jwt #1647 (@calebdoxsey)
fix profile image on dashboard #1637 (@calebdoxsey)
wait for initial sync to complete before starting control plane #1636 (@calebdoxsey)
authorize: add signature algo support (RSA / EdDSA) #1631 (@desimone)
replace GetAllPages with InitialSync, improve merge performance #1624 (@calebdoxsey)
cryptutil: more explicit decryption error #1607 (@desimone)
add paging support to GetAll #1601 (@calebdoxsey)
attach version to gRPC server metadata #1598 (@calebdoxsey)
use custom default http transport #1576 (@calebdoxsey)
update user info in addition to refreshing the token #1572 (@calebdoxsey)
databroker: add audience to session #1557 (@calebdoxsey)
authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
autocert: support certificate renewal #1516 (@calebdoxsey)
add policy to allow any authenticated user #1515 (@pflipp)
debug: add pprof endpoints #1504 (@calebdoxsey)
databroker: require JWT for access #1503 (@calebdoxsey)
authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
forward-auth: use envoy's ext_authz check #1482 (@desimone)
auth0: implement directory provider #1479 (@grounded042)
azure: incremental sync #1471 (@calebdoxsey)
auth0: implement identity provider #1470 (@calebdoxsey)
dashboard: format timestamps #1468 (@calebdoxsey)
directory: additional user info #1467 (@calebdoxsey)
directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
config: add support for host header rewriting #1457 (@calebdoxsey)
proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
databroker: add support for querying the databroker #1443 (@calebdoxsey)
config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
okta: handle deleted groups #1418 (@calebdoxsey)
controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
azure: add support for nested groups #1408 (@calebdoxsey)
authorize: add support for service accounts #1374 (@calebdoxsey)
Cuonglm/improve timeout error message #1373 (@cuonglm)
internal/directory/okta: remove rate limiter #1370 (@cuonglm)
{proxy/controlplane}: make health checks debug level #1368 (@desimone)
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
proxy: support websocket timeouts #1362 (@calebdoxsey)
proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
certmagic: improve logging #1358 (@calebdoxsey)
logs: add new log scrubber #1346 (@calebdoxsey)
Allow setting the shared secret via an environment variable. #1337 (@rspier)
authorize: add jti to JWT payload #1328 (@calebdoxsey)
all: add signout redirect url #1324 (@cuonglm)
proxy: remove unused handlers #1317 (@desimone)
azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
cache: support databroker option changes #1294 (@calebdoxsey)
authenticate: move databroker connection to state #1292 (@calebdoxsey)
authorize: use atomic state for properties #1290 (@calebdoxsey)
proxy: move properties to atomically updated state #1280 (@calebdoxsey)
Improving okta API requests #1278 (@cuonglm)
authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
authenticate: support reloading IDP settings #1273 (@calebdoxsey)
Rate limit for okta #1271 (@cuonglm)
config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
config: allow reloading of telemetry settings #1255 (@calebdoxsey)
databroker: add support for config settings #1253 (@calebdoxsey)
config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
authorize: add databroker url check #1228 (@desimone)
internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)

Fixed

fix config race #1660 (@calebdoxsey)
fix ordering of autocert config source #1640 (@calebdoxsey)
pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)
forward-auth: fix special character support for nginx #1578 (@desimone)
proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
fix querying claim data on the dashboard #1560 (@calebdoxsey)
github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
fix databroker requiring signed jwt #1538 (@calebdoxsey)
authorize: add redirect url to debug page #1533 (@desimone)
internal/frontend: resolve authN helper url #1521 (@desimone)
fwd-auth: match nginx-ingress config #1505 (@desimone)
authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
ci: ensure systemd unit file is in packages #1481 (@travisgroth)
identity manager: fix directory sync timing #1455 (@calebdoxsey)
proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (@whs)
httputil: remove retry button #1438 (@desimone)
proxy: always use https for application callback #1433 (@travisgroth)
controplane: remove p-521 EC #1420 (@desimone)
redirect-server: add config headers to responses #1416 (@calebdoxsey)
proxy: remove impersonate headers for kubernetes #1394 (@calebdoxsey)
Desimone/authenticate default logout #1390 (@desimone)
proxy: for filter matches only include bare domain name #1389 (@calebdoxsey)
internal/envoy: start epoch from 0 #1387 (@travisgroth)
internal/directory/okta: acceept non-json service account #1359 (@cuonglm)
internal/controlplane: add telemetry http handler #1353 (@travisgroth)
autocert: fix locking issue #1310 (@calebdoxsey)
authorize: log users and groups #1303 (@desimone)
proxy: fix wrong applied middleware #1298 (@cuonglm)
internal/directory/okta: fix wrong API query filter #1296 (@cuonglm)
autocert: fix bootstrapped cache store path #1283 (@desimone)
config: validate databroker settings #1260 (@calebdoxsey)
internal/autocert: re-use cert if renewing failed but cert not expired #1237 (@cuonglm)

Security

chore(deps): update envoy 1.16.1 #1613 (@desimone)

Documentation

move signing key algorithm documentation into yaml file #1646 (@calebdoxsey)
update docs #1645 (@desimone)
docs: update build badge #1635 (@travisgroth)
docs: add cache_service_url upgrade notice #1621 (@travisgroth)
docs: use standard language for lists #1590 (@desimone)
Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)
move docs to settings.yaml #1579 (@calebdoxsey)
docs: add round logo #1574 (@desimone)
add settings.yaml file #1540 (@calebdoxsey)
update the documentation for auth0 to include group/role information #1502 (@grounded042)
examples: fix nginx example #1478 (@desimone)
docs: add architecture diagram for cloudrun #1444 (@travisgroth)
fix(examples): Use X-Pomerium-Claim headers #1422 (@tdorsey)
chore(docs): Fix typo in example policy #1419 (@tdorsey)
docs: fix grammar #1412 (@shinebayar-g)
docs: Add Traefik + Kubernetes example #1411 (@travisgroth)
Remove typo on remove_request_headers docs #1388 (@whs)
docs: update azure docs #1377 (@desimone)
docs: add nginx example #1329 (@travisgroth)
docs: use .com sitemap hostname #1274 (@desimone)
docs: fix in-action video #1268 (@travisgroth)
docs: image, sitemap and redirect fixes #1263 (@travisgroth)
Fix broken logo link in README.md #1261 (@cuonglm)
docs/docs: fix wrong okta service account field #1251 (@cuonglm)
[Backport latest] Docs/enterprise button #1247 (@github-actions[bot])
Docs/enterprise button #1245 (@desimone)
remove rootDomain from examples #1244 (@karelbilek)
docs: add / redirect #1241 (@desimone)
docs: prepare for enterprise / oss split #1238 (@desimone)

Dependency

chore(deps): update module open-policy-agent/opa to v0.25.1 #1659 (@renovate[bot])
chore(deps): update module lithammer/shortuuid/v3 to v3.0.5 #1658 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.34.0 #1657 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 9ee31aa #1655 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 9317641 #1654 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to c7110b5 #1653 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to be400ae #1652 (@renovate[bot])
deps: update hashstructure v2 #1632 (@desimone)
chore(deps): update precommit hook pre-commit/pre-commit-hooks to v3 #1630 (@renovate[bot])
chore(deps): update module yaml to v2.4.0 #1629 (@renovate[bot])
chore(deps): update module google/go-cmp to v0.5.4 #1628 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to c8d3bf9 #1627 (@renovate[bot])
chore(deps): update module google/go-jsonnet to v0.17.0 #1611 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.0.15 #1610 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 9b1e624 #1609 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to c1f2f97 #1608 (@renovate[bot])
chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (@renovate[bot])
chore(deps): update mikefarah/yq action to v3.4.1 #1567 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (@renovate[bot])
chore(deps): update olegtarasov/get-tag action to v2 #1552 (@renovate[bot])
chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (@renovate[bot])
chore(deps): update actions/setup-go action to v2 #1550 (@renovate[bot])
chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.7.1 #1531 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.1 #1530 (@renovate[bot])
chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (@renovate[bot])
chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (@renovate[bot])
chore(deps): update module golang/protobuf to v1.4.3 #1525 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (@renovate[bot])
chore(deps): upgrade envoy to v0.16.0 #1519 (@desimone)
deployment: run go mod tidy #1512 (@desimone)
chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (@renovate[bot])
chore(deps): update module go.opencensus.io to v0.22.5 #1510 (@renovate[bot])
chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (@renovate[bot])
deployment: pin /x/sys to fix dockertest #1491 (@desimone)
chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (@renovate[bot])
chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (@renovate[bot])
deps: update envoy arm64 to v1.15.1 #1475 (@travisgroth)
chore(deps): envoy 1.15.1 #1473 (@desimone)
chore(deps): update vuepress monorepo to v1.6.0 #1463 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (@renovate[bot])
deps: go mod tidy #1434 (@travisgroth)
chore(deps): update module rs/zerolog to v1.20.0 #1431 (@renovate[bot])
chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (@renovate[bot])
chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.1 #1406 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (@renovate[bot])
Run go mod tidy #1384 (@cuonglm)
chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (@renovate[bot])
deps: ensure renovate runs go mod tidy #1357 (@travisgroth)
deps: go mod tidy #1356 (@travisgroth)
Update module open-policy-agent/opa to v0.23.2 #1351 (@renovate[bot])
Update module google/uuid to v1.1.2 #1350 (@renovate[bot])
Update module google/go-cmp to v0.5.2 #1349 (@renovate[bot])
Update module google.golang.org/grpc to v1.31.1 #1348 (@renovate[bot])
Update google.golang.org/genproto commit hash to 2bf3329 #1347 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.5.4 #1323 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (@renovate[bot])
chore(deps): update module gorilla/mux to v1.8.0 #1321 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.0 #1320 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to c890458 #1319 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (@renovate[bot])
Upgrade zipkin-go to v0.2.3 #1288 (@cuonglm)
chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (@renovate[bot])
chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (@renovate[bot])
.github/workflows: upgrade to go1.15 #1258 (@cuonglm)
Fix tests failed with go115 #1257 (@cuonglm)
chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (@renovate[bot])
Update module google.golang.org/api to v0.30.0 #1235 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (@renovate[bot])

Deployment

deployment: enable multi-arch release images #1643 (@travisgroth)
ci: add bintray publishing #1618 (@travisgroth)
ci: remove bad quoting in publish steps #1617 (@travisgroth)
ci: update tag parsing step #1616 (@travisgroth)
remove memberlist #1615 (@calebdoxsey)
ci: automatically update test environment with master #1562 (@travisgroth)
deployment: add debug build / container / docs #1513 (@travisgroth)
deployment: Generate deb and rpm packages #1458 (@travisgroth)
deployment: bump release go to v1.15.x #1439 (@desimone)
ci: publish cloudrun latest tag #1398 (@travisgroth)
deployment: fully split release archives and brews #1365 (@travisgroth)
Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (@rspier)
Use apt-get instead of apt to eliminate warning. #1344 (@rspier)
deployment: add goimports with path awareness #1316 (@desimone)

Changed

identity/oidc/azure: goimports #1651 (@travisgroth)
fix panic when deleting a record twice from the inmemory data store #1639 (@calebdoxsey)
ci: improve release snapshot name template #1602 (@travisgroth)
ci: fix release workflow syntax #1592 (@travisgroth)
ci: update changelog generation to script #1589 (@travisgroth)
[Backport 0-10-0] docs: add round logo #1575 (@github-actions[bot])
tidy #1494 (@desimone)
dev: add remote container debug configs #1459 (@desimone)
ci: add stale issue automation #1366 (@travisgroth)
internal/urlutil: remove un-used constants #1326 (@cuonglm)
integration: add forward auth test #1312 (@cuonglm)
pkg/storage/redis: update tests to use local certs + upstream image #1306 (@travisgroth)
config: omit empty subpolicies in yaml/json #1229 (@travisgroth)
Cuonglm/increase coverrage 1 #1227 (@cuonglm)

pomerium - v0.11.0-rc2

Published by travisgroth almost 4 years ago

Full Changelog

New

add paging support to GetAll #1601 (@calebdoxsey)
attach version to gRPC server metadata #1598 (@calebdoxsey)

Fixed

pkg/storage/redis: Prevent connection churn #1603 (@travisgroth)

Dependency

chore(deps): update module google/go-cmp to v0.5.3 #1597 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to ce600e9 #1596 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 9fd6049 #1595 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 69a7880 #1594 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 0c6587e #1593 (@renovate[bot])

Changed

ci: improve release snapshot name template #1602 (@travisgroth)

pomerium - v0.11.0-rc1

Published by travisgroth almost 4 years ago

Full Changelog

Breaking

add flag to enable user impersonation #1514 (@calebdoxsey)

New

use custom default http transport #1576 (@calebdoxsey)
update user info in addition to refreshing the token #1572 (@calebdoxsey)
databroker: add audience to session #1557 (@calebdoxsey)
authorize: implement allowed_idp_claims #1542 (@calebdoxsey)
autocert: support certificate renewal #1516 (@calebdoxsey)
add policy to allow any authenticated user #1515 (@pflipp)
debug: add pprof endpoints #1504 (@calebdoxsey)
databroker: require JWT for access #1503 (@calebdoxsey)
authenticate: remove unused paths, generate cipher at startup, remove qp store #1495 (@desimone)
forward-auth: use envoy's ext_authz check #1482 (@desimone)
auth0: implement directory provider #1479 (@grounded042)
azure: incremental sync #1471 (@calebdoxsey)
auth0: implement identity provider #1470 (@calebdoxsey)
dashboard: format timestamps #1468 (@calebdoxsey)
directory: additional user info #1467 (@calebdoxsey)
directory: add explicit RefreshUser endpoint for faster sync #1460 (@calebdoxsey)
config: add support for host header rewriting #1457 (@calebdoxsey)
proxy: preserve path and query string for http->https redirect #1456 (@calebdoxsey)
redis: use pubsub instead of keyspace events #1450 (@calebdoxsey)
proxy: add support for /.pomerium/jwt #1446 (@calebdoxsey)
databroker: add support for querying the databroker #1443 (@calebdoxsey)
config: add dns_lookup_family option to customize DNS IP resolution #1436 (@calebdoxsey)
okta: handle deleted groups #1418 (@calebdoxsey)
controlplane: support P-384 / P-512 EC curves #1409 (@desimone)
azure: add support for nested groups #1408 (@calebdoxsey)
authorize: add support for service accounts #1374 (@calebdoxsey)
Cuonglm/improve timeout error message #1373 (@cuonglm)
internal/directory/okta: remove rate limiter #1370 (@cuonglm)
{proxy/controlplane}: make health checks debug level #1368 (@desimone)
databroker: add tracing for rego evaluation and databroker sync, fix bug in databroker config source #1367 (@calebdoxsey)
authorize: use impersonate email/groups in JWT #1364 (@calebdoxsey)
config: support explicit prefix and regex path rewriting #1363 (@calebdoxsey)
proxy: support websocket timeouts #1362 (@calebdoxsey)
proxy: disable control-plane robots.txt for public unauthenticated routes #1361 (@calebdoxsey)
certmagic: improve logging #1358 (@calebdoxsey)
logs: add new log scrubber #1346 (@calebdoxsey)
Allow setting the shared secret via an environment variable. #1337 (@rspier)
authorize: add jti to JWT payload #1328 (@calebdoxsey)
all: add signout redirect url #1324 (@cuonglm)
proxy: remove unused handlers #1317 (@desimone)
azure: support deriving credentials from client id, client secret and provider url #1300 (@calebdoxsey)
cache: support databroker option changes #1294 (@calebdoxsey)
authenticate: move databroker connection to state #1292 (@calebdoxsey)
authorize: use atomic state for properties #1290 (@calebdoxsey)
proxy: move properties to atomically updated state #1280 (@calebdoxsey)
Improving okta API requests #1278 (@cuonglm)
authenticate: move properties to atomically updated state #1277 (@calebdoxsey)
authenticate: support reloading IDP settings #1273 (@calebdoxsey)
Rate limit for okta #1271 (@cuonglm)
config: allow dynamic configuration of cookie settings #1267 (@calebdoxsey)
internal/directory/okta: increase default batch size to 200 #1264 (@cuonglm)
envoy: add support for hot-reloading bootstrap configuration #1259 (@calebdoxsey)
config: allow reloading of telemetry settings #1255 (@calebdoxsey)
databroker: add support for config settings #1253 (@calebdoxsey)
config: warn if custom scopes set for builtin providers #1252 (@cuonglm)
authorize: add databroker url check #1228 (@desimone)
internal/databroker: make Sync send data in smaller batches #1226 (@cuonglm)

Fixed

forward-auth: fix special character support for nginx #1578 (@desimone)
proxy/forward_auth: copy response headers as request headers #1577 (@desimone)
fix querying claim data on the dashboard #1560 (@calebdoxsey)
github: fix retrieving team id with graphql API (#1554) #1555 (@toshipp)
store raw id token so it can be passed to the logout url #1543 (@calebdoxsey)
fix databroker requiring signed jwt #1538 (@calebdoxsey)
authorize: add redirect url to debug page #1533 (@desimone)
internal/frontend: resolve authN helper url #1521 (@desimone)
fwd-auth: match nginx-ingress config #1505 (@desimone)
authenticate: protect /.pomerium/admin endpoint #1500 (@calebdoxsey)
ci: ensure systemd unit file is in packages #1481 (@travisgroth)
identity manager: fix directory sync timing #1455 (@calebdoxsey)
proxy/forward_auth: don't reset forward auth path if X-Forwarded-Uri is not set #1447 (@whs)
httputil: remove retry button #1438 (@desimone)
proxy: always use https for application callback #1433 (@travisgroth)
controplane: remove p-521 EC #1420 (@desimone)
redirect-server: add config headers to responses #1416 (@calebdoxsey)
proxy: remove impersonate headers for kubernetes #1394 (@calebdoxsey)
Desimone/authenticate default logout #1390 (@desimone)
proxy: for filter matches only include bare domain name #1389 (@calebdoxsey)
internal/envoy: start epoch from 0 #1387 (@travisgroth)
internal/directory/okta: acceept non-json service account #1359 (@cuonglm)
internal/controlplane: add telemetry http handler #1353 (@travisgroth)
autocert: fix locking issue #1310 (@calebdoxsey)
authorize: log users and groups #1303 (@desimone)
proxy: fix wrong applied middleware #1298 (@cuonglm)
internal/directory/okta: fix wrong API query filter #1296 (@cuonglm)
autocert: fix bootstrapped cache store path #1283 (@desimone)
config: validate databroker settings #1260 (@calebdoxsey)
internal/autocert: re-use cert if renewing failed but cert not expired #1237 (@cuonglm)

Documentation

docs: use standard language for lists #1590 (@desimone)
Fix command in Kubernetes Quick start docs #1582 (@wesleyw72)
move docs to settings.yaml #1579 (@calebdoxsey)
docs: add round logo #1574 (@desimone)
add settings.yaml file #1540 (@calebdoxsey)
update the documentation for auth0 to include group/role information #1502 (@grounded042)
examples: fix nginx example #1478 (@desimone)
docs: add architecture diagram for cloudrun #1444 (@travisgroth)
fix(examples): Use X-Pomerium-Claim headers #1422 (@tdorsey)
chore(docs): Fix typo in example policy #1419 (@tdorsey)
docs: fix grammar #1412 (@shinebayar-g)
docs: Add Traefik + Kubernetes example #1411 (@travisgroth)
Remove typo on remove_request_headers docs #1388 (@whs)
docs: update azure docs #1377 (@desimone)
docs: add nginx example #1329 (@travisgroth)
docs: use .com sitemap hostname #1274 (@desimone)
docs: fix in-action video #1268 (@travisgroth)
docs: image, sitemap and redirect fixes #1263 (@travisgroth)
Fix broken logo link in README.md #1261 (@cuonglm)
docs/docs: fix wrong okta service account field #1251 (@cuonglm)
Docs/enterprise button #1245 (@desimone)
remove rootDomain from examples #1244 (@karelbilek)
docs: add / redirect #1241 (@desimone)
docs: prepare for enterprise / oss split #1238 (@desimone)

Dependency

chore(deps): update module google.golang.org/grpc to v1.33.2 #1585 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to f9bfe23 #1583 (@renovate[bot])
chore(deps): update mikefarah/yq action to v3.4.1 #1567 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 24207fd #1566 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to ff519b6 #1565 (@renovate[bot])
chore(deps): update olegtarasov/get-tag action to v2 #1552 (@renovate[bot])
chore(deps): update goreleaser/goreleaser-action action to v2 #1551 (@renovate[bot])
chore(deps): update actions/setup-go action to v2 #1550 (@renovate[bot])
chore(deps): update toolmantim/release-drafter action to v5.12.1 #1549 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.33.1 #1548 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.0.14 #1547 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0ff5f38 #1546 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 67f06af #1545 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to be3efd7 #1544 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.7.1 #1531 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.1 #1530 (@renovate[bot])
chore(deps): update module prometheus/client_golang to v1.8.0 #1529 (@renovate[bot])
chore(deps): update module ory/dockertest/v3 to v3.6.2 #1528 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.24.0 #1527 (@renovate[bot])
chore(deps): update module golang/protobuf to v1.4.3 #1525 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 32ed001 #1524 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 7b1cca2 #1523 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 9e8e0b3 #1522 (@renovate[bot])
chore(deps): upgrade envoy to v0.16.0 #1519 (@desimone)
deployment: run go mod tidy #1512 (@desimone)
chore(deps): update module ory/dockertest/v3 to v3.6.1 #1511 (@renovate[bot])
chore(deps): update module go.opencensus.io to v0.22.5 #1510 (@renovate[bot])
chore(deps): update module cenkalti/backoff/v4 to v4.1.0 #1509 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 4d944d3 #1508 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to b3e1573 #1507 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 4f7140c #1506 (@renovate[bot])
deployment: pin /x/sys to fix dockertest #1491 (@desimone)
chore(deps): update module openzipkin/zipkin-go to v0.2.5 #1488 (@renovate[bot])
chore(deps): update module envoyproxy/go-control-plane to v0.9.7 #1487 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bcad7cf #1486 (@renovate[bot])
chore(deps): update golang.org/x/sync commit hash to 3042136 #1485 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 7f63de1 #1483 (@renovate[bot])
deps: update envoy arm64 to v1.15.1 #1475 (@travisgroth)
chore(deps): envoy 1.15.1 #1473 (@desimone)
chore(deps): update vuepress monorepo to v1.6.0 #1463 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to c2d885f #1462 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 5d4f700 #1461 (@renovate[bot])
deps: go mod tidy #1434 (@travisgroth)
chore(deps): update module rs/zerolog to v1.20.0 #1431 (@renovate[bot])
chore(deps): update module caddyserver/certmagic to v0.12.0 #1429 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to d0d6055 #1428 (@renovate[bot])
chore(deps): update module openzipkin/zipkin-go to v0.2.4 #1407 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.1 #1406 (@renovate[bot])
chore(deps): update module google.golang.org/grpc to v1.32.0 #1405 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 645f7a4 #1404 (@renovate[bot])
Run go mod tidy #1384 (@cuonglm)
chore(deps): update module go.uber.org/zap to v1.16.0 #1381 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to 0bd0a95 #1380 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 5d25da1 #1379 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 62affa3 #1378 (@renovate[bot])
deps: ensure renovate runs go mod tidy #1357 (@travisgroth)
deps: go mod tidy #1356 (@travisgroth)
Update module open-policy-agent/opa to v0.23.2 #1351 (@renovate[bot])
Update module google/uuid to v1.1.2 #1350 (@renovate[bot])
Update module google/go-cmp to v0.5.2 #1349 (@renovate[bot])
Update module google.golang.org/grpc to v1.31.1 #1348 (@renovate[bot])
Update google.golang.org/genproto commit hash to 2bf3329 #1347 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.5.4 #1323 (@renovate[bot])
chore(deps): update module open-policy-agent/opa to v0.23.1 #1322 (@renovate[bot])
chore(deps): update module gorilla/mux to v1.8.0 #1321 (@renovate[bot])
chore(deps): update module gorilla/handlers to v1.5.0 #1320 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to c890458 #1319 (@renovate[bot])
chore(deps): update golang.org/x/crypto commit hash to 5c72a88 #1318 (@renovate[bot])
Upgrade zipkin-go to v0.2.3 #1288 (@cuonglm)
chore(deps): update google.golang.org/genproto commit hash to f69a880 #1286 (@renovate[bot])
chore(deps): update golang.org/x/time commit hash to 3af7569 #1285 (@renovate[bot])
chore(deps): update golang.org/x/net commit hash to 3edf25e #1284 (@renovate[bot])
.github/workflows: upgrade to go1.15 #1258 (@cuonglm)
Fix tests failed with go115 #1257 (@cuonglm)
chore(deps): update dependency @vuepress/plugin-google-analytics to v1.5.3 #1236 (@renovate[bot])
Update module google.golang.org/api to v0.30.0 #1235 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to a062522 #1234 (@renovate[bot])

Deployment

ci: automatically update test environment with master #1562 (@travisgroth)
deplyoment: add debug build / container / docs #1513 (@travisgroth)
deployment: Generate deb and rpm packages #1458 (@travisgroth)
deployment: bump release go to v1.15.x #1439 (@desimone)
ci: publish cloudrun latest tag #1398 (@travisgroth)
deployment: fully split release archives and brews #1365 (@travisgroth)
Include pomerium-cli in the docker image by default. Fixes #1343. #1345 (@rspier)
Use apt-get instead of apt to eliminate warning. #1344 (@rspier)
deployment: add goimports with path awareness #1316 (@desimone)

Changed

tidy #1494 (@desimone)
dev: add remote container debug configs #1459 (@desimone)
ci: add stale issue automation #1366 (@travisgroth)
internal/urlutil: remove un-used constants #1326 (@cuonglm)
integration: add forward auth test #1312 (@cuonglm)
pkg/storage/redis: update tests to use local certs + upstream image #1306 (@travisgroth)
config: omit empty subpolicies in yaml/json #1229 (@travisgroth)
Cuonglm/increase coverrage 1 #1227 (@cuonglm)

* This Changelog was automatically generated by github_changelog_generator

pomerium - v0.10.6

Published by travisgroth about 4 years ago

Security

Envoy released a security update to addresses the following CVE(s):

CVE-2020-25017 (CVSS score 6.5, Medium): Incorrect handling of duplicate HTTP headers

This patch updates the underlying embedded version of Envoy to 1.15.1. If you instead are using the Envoy from your local $PATH you are encouraged to upgrade that binary as well.

deps: envoy 1.15.1 @desimone GH-1473
deps: update envoy arm64 to v1.15.1 @travisgroth GH-1475

pomerium - v0.10.5

Published by travisgroth about 4 years ago

Changes

redis: use pubsub instead of keyspace events @calebdoxsey GH-1451

pomerium - v0.10.4

Published by travisgroth about 4 years ago

Fixed

controlplane: support P-384 / P-512 EC curves @desimone GH-1409
controlplane: remove p-521 EC @desimone GH-1420
redirect-server: add config headers to responses @calebdoxsey GH-1416
proxy: always use https for application callback @travisgroth GH-1433

Security

httputil: remove retry button @desimone GH-1438

pomerium - v0.10.3

Published by travisgroth about 4 years ago

Changes

ci: publish cloudrun latest tag @travisgroth GH-1398
docs: add nginx example @travisgroth GH-1329
docs: update azure docs @desimone GH-1377
internal/directory/okta: accept non-json service account @cuonglm GH-1359
internal/directory/okta: remove rate limiter @cuonglm GH-1370

Fixed

authenticate: fix unset post_logout_redirect_uri @desimone GH-1390
internal/controlplane: add telemetry http handler @travisgroth GH-1353

Security

proxy: remove impersonate headers for kubernetes @calebdoxsey GH-1394

pomerium - v0.10.2

Published by travisgroth about 4 years ago

Changes

Improving okta API requests @cuonglm GH-1278
internal/directory/okta: fix wrong API query filter @cuonglm GH-1296
Rate limit for okta @cuonglm GH-1271

Fixed

autocert: fix locking issue @calebdoxsey GH-1310

pomerium - v0.10.1

Published by travisgroth about 4 years ago

Changes

config: omit empty subpolicies in yaml/json @travisgroth GH-1230

New

authorize: add databroker url check @desimone GH-1231
azure: support deriving credentials from client id, client secret and provider url @calebdoxsey GH-1300

Fixed

autocert: fix bootstrapped cache store path @desimone GH-1291
authorize: log users and groups @desimone GH-1303

Documentation

docs: prepare for enterprise / oss split @desimone GH-1239
docs: add / redirect @desimone GH-1242
docs: remove enterprise button @desimone GH-1246
docs: image, sitemap and redirect fixes @travisgroth GH-1265
docs: fix in-action video @travisgroth GH-1269
docs: use .com sitemap hostname @desimone GH-1275

pomerium - v0.10.0

Published by desimone about 4 years ago

v0.10.0

Please be sure to review the upgrade guide! This release include many bug fixes and improvements, but also several breaking changes.

Changes

Add storage backend interface @cuonglm GH-1072
all: update outdated comments about OptionsUpdater interface @cuonglm GH-1207
Allow specify go executable in Makefile @cuonglm GH-1008
audit: add protobuf definitions @calebdoxsey GH-1047
authenticate: hide impersonation form from non-admin users @cuonglm GH-979
authenticate: move impersonate from proxy to authenticate @calebdoxsey GH-965
authenticate: remove useless/duplicated code block @cuonglm GH-962
authenticate: revoke current session oauth token before sign out @cuonglm GH-964
authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
authorize: add evaluator store @calebdoxsey GH-1105
authorize: add test for denied response @cuonglm GH-1197
authorize: avoid serializing databroker data map to improve performance @calebdoxsey GH-995
authorize: clear session state if session was deleted in databroker @cuonglm GH-1053
authorize: derive check response message from reply message @cuonglm GH-1193
authorize: include "kid" in JWT header @cuonglm GH-1049
authorize: store policy evaluator on success only @cuonglm GH-1206
authorize/evaluator: add more test cases @cuonglm GH-1198
authorize/evaluator: fix wrong custom policies decision @cuonglm GH-1199
authorize/evaluator/opa: use route policy object instead of array index @cuonglm GH-1001
cache: add client telemetry @travisgroth GH-975
cache: add test for runMemberList @cuonglm GH-1007
cache: attempt to join memberlist cluster for sanity check @travisgroth GH-1004
cache: fix missing parameter @travisgroth GH-1005
cache: only run memberlist for in-memory databroker @travisgroth GH-1224
ci: Add cloudrun build @travisgroth GH-1097
ci: support rc releases @travisgroth GH-1011
cmd/pomerium-cli: do not require terminal with cached creds @travisgroth GH-1196
config: add check to assert service account is required for policies with allowed_groups @desimone GH-997
config: add support for policies stored in the databroker @calebdoxsey GH-1099
config: additional kubernetes token source support @travisgroth GH-1200
config: allow setting directory sync interval and timeout @cuonglm GH-1098
config: default to google idp credentials for serverless @travisgroth GH-1170
config: fix loading storage client cert from wrong location @travisgroth GH-1212
config: Set loopback address by ipv4 IP @travisgroth GH-1116
cryptutil: move to pkg dir, add token generator @calebdoxsey GH-1029
deployment: fix brew creation for pomerium-cli @travisgroth GH-1192
directory.Group entry for groups @calebdoxsey GH-1118
docs/docs: update upgrading to mention redis storage backend @cuonglm GH-1172
envoy: disable idle timeouts to controlplane @travisgroth GH-1000
grpc: rename internal/grpc to pkg/grpc @calebdoxsey GH-1010
grpc: use relative paths in codegen @desimone GH-1106
grpcutil: add functions for JWTs in gRPC metadata @calebdoxsey GH-1165
Increasing authorize coverage @cuonglm GH-1221
integration: add dummy value for idp_service_account @cuonglm GH-1009
internal/controlplane: set envoy prefix rewrite if present @cuonglm GH-1034
internal/controlplane: using envoy strip host port matching @cuonglm GH-1126
internal/databroker: handle new db error @cuonglm GH-1129
internal/databroker: store server version @cuonglm GH-1121
internal/directory: improve google user groups list @cuonglm GH-1092
internal/directory: use both id and name for group @cuonglm GH-1086
internal/directory/google: return both group e-mail and id @travisgroth GH-1083
internal/frontend/assets/html: make timestamp human readable @cuonglm GH-1107
internal/sessions: handle claims "ver" field generally @cuonglm GH-990
internal/urlutil: add tests for GetDomainsForURL @cuonglm GH-1183
memberlist: use bufio reader instead of scanner @calebdoxsey GH-1002
config: options refactor @calebdoxsey GH-1088
pkg: add grpcutil package @calebdoxsey GH-1032
pkg/storage: add package docs @cuonglm GH-1078
pkg/storage: change backend interface to return error @cuonglm GH-1131
pkg/storage: introduce storage.Backend Watch method @cuonglm GH-1135
pkg/storage: make Watch returns receive only channel @cuonglm GH-1211
pkg/storage/redis: do not use timeout to signal redis conn to stop @cuonglm GH-1155
pkg/storage/redis: fix multiple data race @cuonglm GH-1210
pkg/storage/redis: metrics updates @travisgroth GH-1195
pkg/storage/redis: move last version to redis @cuonglm GH-1134
proxy: add support for spdy upgrades @travisgroth GH-1203
proxy: avoid second policy validation @travisgroth GH-1204
proxy: refactor handler setup code @travisgroth GH-1205
set session state expiry @calebdoxsey GH-1215
Sleep longer before running integration tests @cuonglm GH-968
telemetry: add tracing spans to cache and databroker @travisgroth GH-987

New

authenticate: allow hot reloaded admin users config @cuonglm [GH-984]
authenticate: support hot reloaded config @cuonglm GH-984
authorize: custom rego policies @calebdoxsey GH-1123
authorize: include "kid" in JWT headers @cuonglm [GH-1046]
azure: use OID for user id in session @calebdoxsey GH-985
config: add pass_identity_headers @cuonglm [GH-903]
config: add remove_request_headers @cuonglm [GH-822]
config: both base64 and file reference can be used for "certificates" @dmitrif [GH-1055]
config: change config key parsing to attempt Base64 decoding first. @dmitrif GH-1055
config: change default log level to INFO @cuonglm [GH-902]
custom rego in databroker @calebdoxsey GH-1124
databroker server backend config @cuonglm GH-1127
databroker: add encryption for records @calebdoxsey GH-1168
deploy: Add homebrew tap publishing @travisgroth GH-1179
deployment: cut separate archive for cli @desimone GH-1177
directory: add service account struct and parsing method @calebdoxsey GH-971
envoy: enable strip host port matching @cuonglm [GH-1126]
github: implement github directory provider @calebdoxsey GH-963
google: store directory information by user id @calebdoxsey GH-988
identity: support custom code flow request params @desimone GH-998
implement google cloud serverless authentication @calebdoxsey GH-1080
internal/directory/okta: store directory information by user id @cuonglm GH-991
internal/directory/onelogin: store directory information by user id @cuonglm GH-992
kubernetes apiserver integration @calebdoxsey GH-1063
pkg/storage/redis: add authentication support @cuonglm GH-1159
pkg/storage/redis: add redis TLS support @cuonglm GH-1163
pomerium-cli k8s exec-credential @calebdoxsey GH-1073
redis storage backend @cuonglm GH-1082
telmetry: add databroker storage metrics and tracing @travisgroth GH-1161
use custom binary for arm64 linux release @calebdoxsey GH-1065

Fixed

authenticate: fix wrong condition checking in VerifySession @cuonglm GH-1146
authenticate: fix wrong SignIn telemetry name @cuonglm GH-1038
authorize: Force redirect scheme to https @travisgroth GH-1075
authorize: strip port from host header if necessary @cuonglm GH-1175
authorize/evaluator/opa: set client tls cert usage explicitly @travisgroth GH-1026
authorize/evaluator/opa/policy: fix allow rules with impersonate @cuonglm GH-1094
cache: fix data race in NotifyJoin @cuonglm GH-1028
ci: fix arm docker image releases @travisgroth GH-1178
ci: Prevent dirty git state @travisgroth GH-1117
ci: release fixes @travisgroth GH-1181
config: fix deep copy of config @calebdoxsey GH-1089
controlplane: add robots route @desimone GH-966
deploy: ensure pomerium-cli is built correctly @travisgroth GH-1180
deployment: fix pomerium-cli release @desimone GH-1104
envoy: Set ExtAuthz Cluster name to URL Host @travisgroth GH-1132
fix databroker restart versioning, handle missing sessions @calebdoxsey GH-1145
fix lint errors @travisgroth GH-1171
fix redirect loop, remove user/session services, remove duplicate deleted_at fields @calebdoxsey GH-1162
handle example.com and example.com:443 @calebdoxsey GH-1153
internal/controlplane: enable envoy use remote address @cuonglm GH-1023
internal/databroker: fix wrong server version init @cuonglm GH-1125
pkg/grpc: fix wrong audit protoc gen file @cuonglm GH-1048
pkg/storage/redis: handling connection to redis backend failure @cuonglm GH-1174
pomerium-cli: fix kubernetes token caching @calebdoxsey GH-1169
pomerium-cli: kubernetes fixes @calebdoxsey GH-1176
proxy: do not set X-Pomerium-Jwt-Assertion/X-Pomerium-Claim-* headers by default @cuonglm [GH-903]
proxy: fix invalid session after logout in forward auth mode @cuonglm GH-1062
proxy: fix redirect url with traefik forward auth @cuonglm GH-1037
proxy: fix wrong forward auth request @cuonglm GH-1030

Documentation

docs: Update synology.md @roulesse GH-1219
docs: add installation section @travisgroth GH-1223
docs: add kubectl config commands @travisgroth GH-1152
docs: add kubernetes docs @calebdoxsey GH-1087
docs: add recipe for TiddlyWiki on Node.js @favadi GH-1143
docs: add required in cookie_secret @mig4ng GH-1142
docs: add warnings cones around requiring IdP Service Accounts @travisgroth GH-999
docs: cloud Run / GCP Serverless @travisgroth GH-1101
docs: document preserve_host_header with policy routes to static ip @cuonglm GH-1024
docs: fix incorrect example middleware @travisgroth GH-1128
docs: fix links, clarify upgrade guide for v0.10 @desimone GH-1220
docs: fix minor errors @travisgroth GH-1214
docs: Kubernetes topic @travisgroth GH-1222
docs: Move examples repo into main repo @travisgroth GH-1102
docs: Redis and stateful storage docs @travisgroth GH-1173
docs: refactor sections, consolidate examples @desimone GH-1164
docs: rename docs/reference to docs/topics @desimone GH-1182
docs: service account instructions for azure @calebdoxsey GH-969
docs: service account instructions for gitlab @calebdoxsey GH-970
docs: update architecture diagrams + descriptions @travisgroth GH-1218
docs: update GitHub documentation for service account @calebdoxsey GH-967
docs: Update Istio VirtualService example @jeffhubLR GH-1006
docs: update okta service account docs to match new format @calebdoxsey GH-972
Docs: Update README stating specific requirements for SIGNING_KEY @bradjones1 GH-1217
docs: update reference docs @desimone GH-1208
docs: update service account instructions for OneLogin @calebdoxsey GH-973
docs: update upgrading document for breaking changes @calebdoxsey GH-974
docs/.vuepress: fix missing local-oidc recipes section @cuonglm GH-1147
docs/configuration: add doc for trailing slash limitation in "To" field @cuonglm GH-1040
docs/docs: add changelog for #1055 @cuonglm GH-1084
docs/docs/identity-providers: document gitlab default scopes changed @cuonglm GH-980
docs/recipes: add local oidc example @cuonglm GH-1045

Dependency

chore(deps): bump envoy to 1.15.0 @desimone GH-1119
chore(deps): google.golang.org/genproto commit hash to da3ae01 @renovate GH-1138
chore(deps): module google/go-cmp to v0.5.1 @renovate GH-1139
chore(deps): update envoy to 1.14.4 @desimone GH-1076
chore(deps): update github.com/skratchdot/open-golang commit hash to eef8423 @renovate GH-1108
chore(deps): update golang.org/x/crypto commit hash to 123391f @renovate GH-1184
chore(deps): update golang.org/x/crypto commit hash to 948cd5f @renovate GH-1056
chore(deps): update golang.org/x/net commit hash to 4c52546 @renovate GH-1017
chore(deps): update golang.org/x/net commit hash to ab34263 @renovate GH-1057
chore(deps): update golang.org/x/sync commit hash to 6e8e738 @renovate GH-1018
chore(deps): update google.golang.org/genproto commit hash to 11fb19a @renovate GH-1109
chore(deps): update google.golang.org/genproto commit hash to 8145dea @renovate GH-1185
chore(deps): update google.golang.org/genproto commit hash to 8698661 @renovate GH-1058
chore(deps): update google.golang.org/genproto commit hash to 8e8330b @renovate GH-1039
chore(deps): update google.golang.org/genproto commit hash to ee7919e @renovate GH-1019
chore(deps): update google.golang.org/genproto commit hash to fbb79ea @renovate GH-945
chore(deps): update module cenkalti/backoff/v4 to v4.0.2 @renovate GH-946
chore(deps): update module contrib.go.opencensus.io/exporter/jaeger to v0.2.1 @renovate GH-1186
chore(deps): update module contrib.go.opencensus.io/exporter/zipkin to v0.1.2 @renovate GH-1187
chore(deps): update module envoyproxy/go-control-plane to v0.9.6 @renovate GH-1059
chore(deps): update module go.opencensus.io to v0.22.4 @renovate GH-948
chore(deps): update module golang/mock to v1.4.4 @renovate GH-1188
chore(deps): update module google.golang.org/api to v0.28.0 @renovate GH-949
chore(deps): update module google.golang.org/api to v0.29.0 @renovate GH-1060
chore(deps): update module google.golang.org/grpc to v1.30.0 @renovate GH-1020
chore(deps): update module google.golang.org/grpc to v1.31.0 @renovate GH-1189
chore(deps): update module google.golang.org/protobuf to v1.25.0 @renovate GH-1021
chore(deps): update module google/go-cmp to v0.5.0 @renovate GH-950
chore(deps): update module hashicorp/memberlist to v0.2.2 @renovate GH-951
chore(deps): update module open-policy-agent/opa to v0.21.0 @renovate GH-952
chore(deps): update module open-policy-agent/opa to v0.21.1 @renovate GH-1061
chore(deps): update module open-policy-agent/opa to v0.22.0 @renovate GH-1110
chore(deps): update module prometheus/client_golang to v1.7.0 @renovate GH-953
chore(deps): update module prometheus/client_golang to v1.7.1 @renovate GH-1022
chore(deps): update module spf13/cobra to v1 @renovate GH-1111
chore(deps): update module spf13/viper to v1.7.1 @renovate GH-1190
chore(deps):s bump opa v0.21.0 @desimone GH-993

pomerium - v0.10.0-rc3

Published by travisgroth about 4 years ago

Note: This is a release candidate and should not be used for production deployments. Please see up to date documentation at https://master.docs.pomerium.io/

Changes

config: default to google idp credentials for serverless @travisgroth GH-1170
grpcutil: add functions for JWTs in gRPC metadata @calebdoxsey GH-1165
pkg/storage/redis: do not use timeout to signal redis conn to stop @cuonglm GH-1155
pkg/storage: introduce storage.Backend Watch method @cuonglm GH-1135
pkg/storage/redis: move last version to redis @cuonglm GH-1134
pkg/storage: change backend interface to return error @cuonglm GH-1131
internal/databroker: handle new db error @cuonglm GH-1129
directory.Group entry for groups @calebdoxsey GH-1118
internal/controlplane: using envoy strip host port matching @cuonglm GH-1126
internal/databroker: store server version @cuonglm GH-1121
config: Set loopback address by ipv4 IP @travisgroth GH-1116

New

authorize: custom rego policies @calebdoxsey GH-1123
redis storage backend @cuonglm GH-1082
custom rego in databroker @calebdoxsey GH-1124
pkg/storage/redis: add redis TLS support @cuonglm GH-1163
telmetry: add databroker storage metrics and tracing @travisgroth GH-1161
deploy: Add homebrew tap publishing @travisgroth GH-1179
deployment: cut separate archive for cli @desimone GH-1177
databroker: add encryption for records @calebdoxsey GH-1168
pkg/storage/redis: add authentication support @cuonglm GH-1159
databroker server backend config @cuonglm GH-1127

Fixed

pomerium-cli: kubernetes fixes @calebdoxsey GH-1176
envoy: Set ExtAuthz Cluster name to URL Host @travisgroth GH-1132
authenticate: fix wrong condition checking in VerifySession @cuonglm GH-1146
fix databroker restart versioning, handle missing sessions @calebdoxsey GH-1145
authorize: strip port from host header if necessary @cuonglm GH-1175
fix lint errors @travisgroth GH-1171
deploy: ensure pomerium-cli is built correctly @travisgroth GH-1180
ci: fix arm docker image releases @travisgroth GH-1178
pomerium-cli: fix kubernetes token caching @calebdoxsey GH-1169
pkg/storage/redis: handling connection to redis backend failure @cuonglm GH-1174
handle example.com and example.com:443 @calebdoxsey GH-1153
internal/databroker: fix wrong server version init @cuonglm GH-1125
fix redirect loop, remove user/session services, remove duplicate deleted_at fields @calebdoxsey GH-1162
ci: release fixes @travisgroth GH-1181

Documentation

docs: refactor sections, consolidate examples @desimone GH-1164
docs: Add recipe for TiddlyWiki on Node.js @favadi GH-1143
docs: Add kubectl config commands @travisgroth GH-1152
docs: Fix incorrect example middleware @travisgroth GH-1128
docs/.vuepress: fix missing local-oidc recipes section @cuonglm GH-1147
docs: Add required in cookie_secret @mig4ng GH-1142
docs: Redis and stateful storage docs @travisgroth GH-1173

Dependency

Update module google/go-cmp to v0.5.1 @renovate GH-1139
Update google.golang.org/genproto commit hash to da3ae01 @renovate GH-1138
depedency: bump envoy to 1.15.0 @desimone GH-1119
deps: update envoy to 1.14.4 @desimone GH-1076

pomerium - v0.9.6

Published by travisgroth about 4 years ago

This is a bug fix release.

Issues addressed include Istio support and non-standard port handling.

Fixed

Set ExtAuthz Cluster name to URL Host @travisgroth GH-1133
handle example.com and example.com:443 @calebdoxsey GH-1153

pomerium - v0.9.5

Published by travisgroth about 4 years ago

Changes

proxy: remove debug line @cuonglm GH-1095
authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
Set loopback address by ipv4 IP @travisgroth GH-1122

Fixed

Force redirect scheme to https @travisgroth GH-1077
authenticate: hide impersonation form from non-admin users @cuonglm GH-1093

Dependency

deps: update envoy to 1.14.4 @desimone GH-1120

pomerium - v0.10.0-rc2

Published by travisgroth over 4 years ago

Note: This is a release candidate and should not be used for production deployments. Please see up to date documentation at https://master.docs.pomerium.io/

Changes

authorize,proxy: allow traefik forward auth without uri query @cuonglm GH-1103
grpc: use relative paths in codegen @desimone GH-1106
authorize: add evaluator store @calebdoxsey GH-1105
internal/frontend/assets/html: make timestamp human readable @cuonglm GH-1107
config: add support for policies stored in the databroker @calebdoxsey GH-1099
config: allow setting directory sync interval and timeout @cuonglm GH-1098
ci: Add cloudrun build @travisgroth GH-1097
internal/directory: improve google user groups list @cuonglm GH-1092
options refactor @calebdoxsey GH-1088
internal/directory: use both id and name for group @cuonglm GH-1086
internal/directory/google: return both group e-mail and id @travisgroth GH-1083
pkg/storage: add package docs @cuonglm GH-1078
Add storage backend interface @cuonglm GH-1072
authorize: clear session state if session was deleted in databroker @cuonglm GH-1053
authorize: include "kid" in JWT header @cuonglm GH-1049
audit: add protobuf definitions @calebdoxsey GH-1047
internal/controlplane: set envoy prefix rewrite if present @cuonglm GH-1034
pkg: add grpcutil package @calebdoxsey GH-1032
cryptutil: move to pkg dir, add token generator @calebdoxsey GH-1029

New

#1054 - Change config key parsing to attempt Base64 decoding first. @dmitrif GH-1055
pomerium-cli k8s exec-credential @calebdoxsey GH-1073
implement google cloud serverless authentication @calebdoxsey GH-1080
kubernetes apiserver integration @calebdoxsey GH-1063
use custom binary for arm64 linux release @calebdoxsey GH-1065

Fixed

authorize: Force redirect scheme to https @travisgroth GH-1075
proxy: fix wrong forward auth request @cuonglm GH-1030
deployment: fix pomerium-cli release @desimone GH-1104
cache: fix data race in NotifyJoin @cuonglm GH-1028
authorize/evaluator/opa/policy: fix allow rules with impersonate @cuonglm GH-1094
fix deep copy of config @calebdoxsey GH-1089
proxy: fix invalid session after logout in forward auth mode @cuonglm GH-1062
pkg/grpc: fix wrong audit protoc gen file @cuonglm GH-1048
proxy: fix redirect url with traefik forward auth @cuonglm GH-1037
authenticate: fix wrong SignIn telemetry name @cuonglm GH-1038
ci: Prevent dirty git state @travisgroth GH-1117

Documentation

docs: Cloud Run / GCP Serverless @travisgroth GH-1101
docs: Move examples repo into main repo @travisgroth GH-1102
kubernetes docs @calebdoxsey GH-1087
docs/recipes: add local oidc example @cuonglm GH-1045
docs/configuration: add doc for trailing slash limitation in "To" field @cuonglm GH-1040
docs/docs: add changelog for #1055 @cuonglm GH-1084

Dependency

chore(deps): update google.golang.org/genproto commit hash to 11fb19a @renovate GH-1109
chore(deps): update module spf13/cobra to v1 @renovate GH-1111
chore(deps): update module open-policy-agent/opa to v0.22.0 @renovate GH-1110
chore(deps): update github.com/skratchdot/open-golang commit hash to eef8423 @renovate GH-1108
chore(deps): update module google.golang.org/api to v0.29.0 @renovate GH-1060
chore(deps): update module envoyproxy/go-control-plane to v0.9.6 @renovate GH-1059
chore(deps): update golang.org/x/net commit hash to ab34263 @renovate GH-1057
chore(deps): update google.golang.org/genproto commit hash to 8698661 @renovate GH-1058
chore(deps): update golang.org/x/crypto commit hash to 948cd5f @renovate GH-1056
chore(deps): update module open-policy-agent/opa to v0.21.1 @renovate GH-1061
chore(deps): update google.golang.org/genproto commit hash to 8e8330b @renovate GH-1039
chore(deps): update module google.golang.org/protobuf to v1.25.0 @renovate GH-1021

pomerium - v0.9.4

Published by desimone over 4 years ago

v0.9.4

Security

This release addresses vulnerabilities fixed in go version 1.14.5. This update includes security fixes for a data race in ReverseProxy (CVE-2020-15586) and a situation where X.509 verification ignores provided EKUs on Windows (CVE-2020-15586).