Changelog

v0.17.2 (2022-04-22)

Full Changelog

Fixed

authorize: pass idp id for webauthn url, allow unauthenticated access to static files [#3284] (@calebdoxsey)
config: fix DefaultTransport so it is still a *http.Transport [#3260] (@calebdoxsey)

Dependency

chore(deps): bump actions/setup-python from 3.1.0 to 3.1.2 [#3266]

Docs

Add UUID to docs yaml blocks (#3251) [#3259] (@alexfornuto)

v0.17.1 (2022-03-30)

Full Changelog

Security Notice

This release includes a fix to a medium severity security issue.

We recommend that all users upgrade.

Security

authenticate: fix debug and metrics endpoints #3215 (@backport-actions-token[bot])

Fixed

authenticate: fix internal url with webauthn #3195 (@backport-actions-token[bot])
github: fix missing groups #3176 (@backport-actions-token[bot])

v0.17.0 (2022-03-04)

Full Changelog

New

adds pomerium version to the user info endpoint #3093 (@nhayfield)
grpc: remove ptypes references #3078 (@calebdoxsey)
userinfo: add webauthn buttons to user info page #3075 (@calebdoxsey)
Style update for User Info Endpoint #3055 (@nhayfield)
session: remove unused session state properties #3022 (@calebdoxsey)
frontend: react+mui #3004 (@calebdoxsey)
controlplane: add compression middleware #3000 (@calebdoxsey)
authenticate: fix expiring user info endpoint #2976 (@calebdoxsey)
last known metric error #2974 (@wasaga)
directory: save IDP errors to databroker, put event handling in dedicated package #2957 (@calebdoxsey)
google: support groups for users outside of the organization #2950 (@calebdoxsey)
return explicit error when directory sync is disabled #2949 (@wasaga)
authenticate: add device-enrolled page #2892 (@calebdoxsey)
remove deprecated ioutil usages #2877 (@cfanbo)

Fixed

databroker: use contextual logging for errors, use original record type for encryption #3096 (@calebdoxsey)
fix link for picture in avatar #3066 (@nhayfield)
userinfo: fix logout button, add sign out confirm page #3058 (@calebdoxsey)
config: fix httptest local certificate #3056 (@calebdoxsey)
proxy: fix error page #3020 (@calebdoxsey)
deployment: only include pomerium binary #3007 (@travisgroth)
auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])
auth0: support explicit domains in the service account #2980 (@calebdoxsey)
config: fix TLS config when address and grpc_address are the same #2975 (@calebdoxsey)
deployment: enable goreleaser buildx #2968 (@travisgroth)
config: fix policy matching for regular expressions #2966 (@calebdoxsey)
fix: frontend html tag mismatch #2954 (@cfanbo)
devices: shrink credentials by removing unnecessary data #2951 (@calebdoxsey)
Remove spurious \</ul> tags #2946 (@sylr)
authenticate: support webauthn redirects to non-pomerium domains #2936 (@calebdoxsey)
webauthn: use absolute URL for delete redirect #2935 (@calebdoxsey)
authenticate: add callback endpoint #2931 (@calebdoxsey)
devices: treat undefined device types as any #2927 (@calebdoxsey)
deployment: fix distroless base arch #2925 (@travisgroth)
handle device states in deny block, fix default device type #2919 (@calebdoxsey)
envoy: check certificates for must-staple flag and drop them if they are missing the response #2909 (@calebdoxsey)
integration: fix default port for verify service #2895 (@calebdoxsey)

Dependency

chore(deps): bump actions/setup-node from 2 to 3 #3089 (@dependabot[bot])
chore(deps): bump actions/setup-python from 2 to 3 #3088 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.20.2 to 4.21.1 #3087 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.69.0 to 0.70.0 #3086 (@dependabot[bot])
chore(deps): bump url-parse from 1.5.7 to 1.5.10 #3085 (@dependabot[bot])
chore(deps): bump prismjs from 1.26.0 to 1.27.0 #3084 (@dependabot[bot])
deps: bump envoy to v1.20.2 #3082 (@travisgroth)
chore(deps): bump mikefarah/yq from 4.20.1 to 4.20.2 #3072 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.68.0 to 0.69.0 #3071 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.44.0 to 1.44.2 #3070 (@dependabot[bot])
chore(deps): bump url-parse from 1.5.1 to 1.5.7 #3068 (@dependabot[bot])
chore(deps): bump github.com/gorilla/websocket from 1.4.2 to 1.5.0 #3052 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.18.1 to 4.20.1 #3051 (@dependabot[bot])
chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 #3043 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.20.0 to 1.21.0 #3041 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.37.1 to 0.37.2 #3040 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.66.0 to 0.68.0 #3033 (@dependabot[bot])
deps: increase yarn network timeout #3018 (@travisgroth)
chore(deps): bump github.com/caddyserver/certmagic from 0.15.2 to 0.15.3 #3014 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.36.1 to 0.37.1 #3013 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.12 to 3.22.1 #3012 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.1 to 1.0.2 #3011 (@dependabot[bot])
chore(deps): bump mermaid from 8.12.1 to 8.13.10 #3010 (@dependabot[bot])
chore(deps): bump follow-redirects from 1.14.1 to 1.14.7 #3009 (@dependabot[bot])
chore(deps): bump prismjs from 1.24.1 to 1.26.0 #3008 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.17.2 to 4.18.1 #2989 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.43.0 to 1.44.0 #2988 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.43.0 to 1.44.0 #2987 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.65.0 to 0.66.0 #2986 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 #2985 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.16.2 to 4.17.2 #2963 (@dependabot[bot])
chore(deps): bump github.com/google/go-cmp from 0.5.6 to 0.5.7 #2962 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 #2961 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.3.0 to 0.4.0 #2942 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.64.0 to 0.65.0 #2941 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.2 to 0.6.3 #2940 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.36.0 to 0.36.1 #2939 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.63.0 to 0.64.0 #2913 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0 #2912 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.35.0 to 0.36.0 #2911 (@dependabot[bot])
chore(deps): bump github.com/go-chi/chi from 1.5.4 to 4.1.2+incompatible #2910 (@dependabot[bot])
envoy: upgrade to 1.20.1 #2902 (@calebdoxsey)
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.11 to 3.21.12 #2886 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.8.0 to 1.8.2 #2855 (@dependabot[bot])
chore(deps): bump github.com/google/go-jsonnet from 0.17.0 to 0.18.0 #2854 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.16.1 to 4.16.2 #2853 (@dependabot[bot])

Deployment

deployment: remove DST cert workaround from debug image #2958 (@travisgroth)
deployment: multi-arch master images #2896 (@travisgroth)

Changed

config: add idp_client_id and idp_client_secret to protobuf #3060 (@calebdoxsey)
Extract email for active directory users that don't have access to exchange #3053 (@JBodkin-Amphora)
disable blank github issues #2898 (@travisgroth)

v0.16.4 (2022-02-25)

Full Changelog

Dependency

deps: update envoy to v1.19.3 #3083 (@travisgroth)

v0.16.3 (2022-02-11)

Full Changelog

Fixed

deployment: only include pomerium binary #3007 (@travisgroth)
auth0: support explicit domains in the service account #2996 (@backport-actions-token[bot])

v0.16.2 (2022-01-25)

Full Changelog

Fixed

config: fix policy matching for regular expressions #2969 (@backport-actions-token[bot])

v0.16.1 (2022-01-19)

Full Changelog

Fixed

webauthn: use absolute URL for delete redirect #2937 (@backport-actions-token[bot])
handle device states in deny block, fix default device type #2924 (@backport-actions-token[bot])
integration: fix default port for verify service #2908 (@backport-actions-token[bot])

v0.16.0 (2021-12-22)

Full Changelog

Breaking

identity: only assign access\_type uri params to google. #2782 (@desimone)
tls: fallback to self-signed certificate #2760 (@calebdoxsey)
github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)

New

more idp metrics #2842 (@wasaga)
devices: add experimental icon #2836 (@calebdoxsey)
devices: switch "default" device type to two built-in default device types #2835 (@calebdoxsey)
dashboard: improve display of device credentials, allow deletion #2829 (@calebdoxsey)
ppl: add support for http_path and http_method #2813 (@calebdoxsey)
config: add internal service URLs #2801 (@calebdoxsey)
envoy: add hash policy and routing key for hash-based load balancers #2791 (@calebdoxsey)
authorize: support X-Pomerium-Authorization in addition to Authorization #2780 (@calebdoxsey)
envoy: treat configuration errors as fatal #2777 (@calebdoxsey)
envoy: add support for bind_config bootstrap options #2772 (@calebdoxsey)
authenticate: redirect / to /.pomerium/ #2770 (@calebdoxsey)
device: add type id and credential id to enrollment for easier referencing #2749 (@calebdoxsey)
databroker: add additional log for config source #2718 (@calebdoxsey)
grpc: remove peer field from logs #2712 (@calebdoxsey)
desktop client api #2711 (@wasaga)
telemetry: improve zipkin error logs #2710 (@calebdoxsey)
authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
ppl: add support for additional data #2696 (@calebdoxsey)
Add additional ACME CA (autocert) options #2695 (@hslatman)
skip configuration updates to the most recent one #2690 (@wasaga)
authenticate: add support for webauthn #2688 (@calebdoxsey)
webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)
devices: add device protobuf types #2682 (@calebdoxsey)
cryptutil: add SecureToken #2681 (@calebdoxsey)
config/envoyconfig: better duplicate message #2661 (@desimone)
pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
ppl: pass contextual information through policy #2612 (@calebdoxsey)
add description to service accounts #2611 (@nhayfield)
DOCS: Add copy button to code snippets #2597 (@alexfornuto)
pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
cli: update tcp log output format #2586 (@travisgroth)
directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
google: support provider URL #2567 (@calebdoxsey)
config: remove signature_key_algorithm #2557 (@calebdoxsey)
allow pomerium to start without certs #2555 (@wasaga)
integration: kubernetes support #2536 (@calebdoxsey)
integration: nginx #2532 (@calebdoxsey)
integration: add traefik tests #2530 (@calebdoxsey)
envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
config: remove headers #2522 (@calebdoxsey)
integration: add multi test #2519 (@calebdoxsey)
Remove api from GitLab defaultScope #2518 (@alexfornuto)
integration: add single-cluster integration tests #2516 (@calebdoxsey)
integration: remove tests #2514 (@calebdoxsey)
github: support provider URL #2490 (@calebdoxsey)
protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
fix go get, improve redis test #2450 (@calebdoxsey)
all: remove unused handler code #2439 (@desimone)

Security

identity: fix user refresh #2724 (@calebdoxsey)
deps: update envoy to 1.19.1 #2526 (@travisgroth)

Fixed

config: allow specifying auto codec type in all-in-one mode #2846 (@calebdoxsey)
dashboard: add confirmation dialog, fix button in firefox #2841 (@calebdoxsey)
fix: Fixed return description error #2825 (@cfanbo)
internal/telemetry: fix grpc server metrics #2811 (@travisgroth)
Fix IdP client metrics #2810 (@travisgroth)
envoyconfig: fix tls_downstream_client_ca for non-standard ports #2802 (@calebdoxsey)
config: detect changes to the kubernetes service account token file #2767 (@calebdoxsey)
deps: update goreleaser #2757 (@travisgroth)

Documentation

add docs for ingress regex path #2822 (@wasaga)
fix typo in docs #2819 (@wasaga)
DOCS: add Grafana to Guides index #2808 (@alexfornuto)
DOCS: Fix indentation in API doc #2798 (@alexfornuto)
DOCS: Create Consolidated Troubleshooting Guide and Replace FAQ #2797 (@alexfornuto)
docs: update pomerium-cli location #2790 (@travisgroth)
Document Pomerium Policy Language #2789 (@backport-actions-token[bot])
Copy edit to changelog entry #2786 (@alexfornuto)
Document Pomerium Policy Language #2784 (@alexfornuto)
Remove forward_auth_url from Enterprise #2779 (@alexfornuto)
Docs: Update Kubernetes Dashboard Guide #2759 (@alexfornuto)
Docs: Update Securing Kubernetes Guide #2758 (@alexfornuto)
Docs: Add spdy annotation #2747 (@alexfornuto)
Docs: Update JWT Verification Guide #2746 (@alexfornuto)
Docs: Add Grafana Integration Guide #2742 (@alexfornuto)
Docs: Update Traefik Example Headers #2732 (@alexfornuto)
Docs: Reference gRPC API Docs #2717 (@alexfornuto)
Minor fix in routes documentation #2714 (@Kerwood)
Docs: Update Community Page #2713 (@cmo-pomerium)
Update overview/architecture.md #2701 (@cmo-pomerium)
Update create TLS command to quote strings. #2694 (@FutureMatt)
Docs: Correct Claim Example #2689 (@alexfornuto)
Fix typo in docs #2683 (@nihaals)
Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
add service account redirects #2664 (@alexfornuto)
DOCS: Standardize Relative Links #2651 (@alexfornuto)
Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
adjust sidebarDepths and document Desktop Client releases #2645 (@backport-actions-token[bot])
typo #2644 (@alexfornuto)
adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
DOCS: CORS preflight in console #2642 (@alexfornuto)
DOCS: Collapse IDP Header #2641 (@alexfornuto)
docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
Docs: Batch Updates #2628 (@alexfornuto)
Refresh and Update TCP documentation #2627 (@alexfornuto)
DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
Docs/batch link fixes #2621 (@alexfornuto)
Add redirect for installation #2618 (@alexfornuto)
Add docs team as a code owner of packages.json #2605 (@alexfornuto)
Update CODEOWNERS #2603 (@alexfornuto)
DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
Document Enterprise API #2595 (@alexfornuto)
docs: rename updated icon image #2582 (@travisgroth)
docs: add updated icon asset #2580 (@travisgroth)
Document recovery token generation #2579 (@alexfornuto)
New Topic Page: Original Request Context #2569 (@alexfornuto)
docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
TCP Client Doc #2561 (@alexfornuto)
Docs: Fix merged PR #2546 (@alexfornuto)
docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
Update Ping Identity IdP #2537 (@alexfornuto)
update OneLogin IdP doc #2533 (@alexfornuto)
Update GitLab IdP doc #2520 (@alexfornuto)
update GitHub IdP doc #2503 (@alexfornuto)
Update AWS cognito IdP doc #2498 (@alexfornuto)
Update Azure IdP Doc #2497 (@alexfornuto)
Auth0 Doc Refresh #2494 (@alexfornuto)
Update IdP Overview Page #2493 (@alexfornuto)
Update Okta IdP doc #2491 (@alexfornuto)
adjust comment blocking #2488 (@alexfornuto)
document binding service to 443 #2487 (@alexfornuto)
docs: use generic email #2484 (@alexfornuto)
Update Docker Quickstart #2482 (@alexfornuto)
Wrap mkcert command in quotes #2481 (@alexfornuto)
Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
wrap header example values as inline code. #2474 (@alexfornuto)
docs: clarify custom request header limitations #2471 (@desimone)
Update Helm Instructions #2467 (@alexfornuto)
docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
Document tracing sample rate in console #2461 (@alexfornuto)
Document moving routes #2460 (@alexfornuto)
Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
docs: update codeowners #2451 (@travisgroth)
Update binary install doc #2447 (@alexfornuto)
docs: update branding, concepts #2445 (@desimone)
specify expected audience in Console config #2442 (@alexfornuto)
docs: update default version to v0.15 #2437 (@travisgroth)
docs: update branding #2435 (@desimone)

Dependency

chore(deps): bump google.golang.org/api from 0.62.0 to 0.63.0 #2834 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 #2833 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.10.0 to 1.10.1 #2832 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.42.0 to 1.43.0 #2831 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.11+incompatible to 20.10.12+incompatible #2817 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.0 #2816 (@dependabot[bot])
dev build support for darwin-arm64 from envoy tip #2815 (@wasaga)
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.10 to 3.21.11 #2807 (@dependabot[bot])
chore(deps): bump github.com/mitchellh/mapstructure from 1.4.2 to 1.4.3 #2806 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.60.0 to 0.61.0 #2805 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.34.2 to 0.35.0 #2804 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.15.1 to 4.16.1 #2803 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.8.0 to 3.8.1 #2785 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.14.2 to 4.15.1 #2783 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.10+incompatible to 20.10.11+incompatible #2776 (@dependabot[bot])
chore(deps): bump coverallsapp/github-action from 1.1.2 to 1.1.3 #2775 (@dependabot[bot])
chore(deps): bump mikefarah/yq from 4.6.3 to 4.14.2 #2774 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.15.1 to 0.15.2 #2769 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.1 to 4.1.2 #2768 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.34.1 to 0.34.2 #2765 (@dependabot[bot])
chore(deps): bump github.com/mholt/acmez from 1.0.0 to 1.0.1 #2764 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.21.0 to 5.21.1 #2763 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.42.1 to 1.43.0 #2756 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.34.0 to 0.34.1 #2755 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.41.0 to 1.42.0 #2754 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 #2753 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.20.0 to 5.21.0 #2752 (@dependabot[bot])
dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
chore(deps): bump google.golang.org/api from 0.58.0 to 0.60.0 #2737 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
bump protoc-validate #2606 (@wasaga)
chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
ci: use go 1.17.x #2492 (@desimone)
chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
Hadolint #2363 (@stephengroat)

Deployment

deployment: migrate pomerium-cli automation to new repo #2771 (@travisgroth)
deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
deployment: update goreleaser syntax #2524 (@travisgroth)

Changed

move NewGRPCClientConn to public package #2826 (@wasaga)
rm cli code #2824 (@wasaga)
ci: remove hadolint #2726 (@travisgroth)
ci: ignore multiple run commands #2566 (@travisgroth)
redirect logo to the marketing site #2441 (@alexfornuto)
ci: use github app for backport credentials #2369 (@travisgroth)

v0.15.8 (2021-12-17)

Full Changelog

Fixed

authorize: fix nginx infinite redirect #2812 (@calebdoxsey)

Documentation

DOCS: add Grafana to Guides index #2809 (@backport-actions-token[bot])
DOCS: Fix indentation in API doc #2799 (@backport-actions-token[bot])
Docs: Update Kubernetes Dashboard Guide #2795 (@backport-actions-token[bot])
Docs: Update Securing Kubernetes Guide #2792 (@backport-actions-token[bot])
Docs: Update JWT Verification Guide #2787 (@backport-actions-token[bot])

Dependency

deps: pin release to latest go version #2827 (@travisgroth)

v0.15.7 (2021-11-15)

Full Changelog

Fixed

autocert: remove log #2750 (@backport-actions-token[bot])

Security

identity: fix user refresh #2725 (@backport-actions-token[bot])

Documentation

Docs: Add Grafana Integration Guide #2762 (@backport-actions-token[bot])
Docs: Add spdy annotation #2751 (@backport-actions-token[bot])
Docs: Ingress Controller #2745 (@backport-actions-token[bot])
Docs: Update Traefik Example Headers #2741 (@backport-actions-token[bot])
Docs: Update Community Page #2731 (@backport-actions-token[bot])
Minor fix in routes documentation #2721 (@backport-actions-token[bot])
Docs: Reference gRPC API Docs #2720 (@backport-actions-token[bot])
Update overview/architecture.md #2707 (@backport-actions-token[bot])

v0.15.6 (2021-11-04)

Full Changelog

Breaking

github: use GraphQL API to reduce number of API calls for directory sync #2715 (@calebdoxsey)

New

databroker: add additional log for config source #2718 (@calebdoxsey)
grpc: remove peer field from logs #2712 (@calebdoxsey)
desktop client api #2711 (@wasaga)
telemetry: improve zipkin error logs #2710 (@calebdoxsey)
authorize: add support for webauthn device policy enforcement #2700 (@calebdoxsey)
webauthn: update session to support device credentials per type #2699 (@calebdoxsey)
ppl: add support for additional data #2696 (@calebdoxsey)
Add additional ACME CA (autocert) options #2695 (@hslatman)
skip configuration updates to the most recent one #2690 (@wasaga)
authenticate: add support for webauthn #2688 (@calebdoxsey)
webauthnutil: add helpers for webauthn #2686 (@calebdoxsey)
devices: add device protobuf types #2682 (@calebdoxsey)
cryptutil: add SecureToken #2681 (@calebdoxsey)
config/envoyconfig: better duplicate message #2661 (@desimone)
pomerium-cli: add support for a custom browser command #2617 (@calebdoxsey)
ppl: pass contextual information through policy #2612 (@calebdoxsey)
add description to service accounts #2611 (@nhayfield)
DOCS: Add copy button to code snippets #2597 (@alexfornuto)
pomerium-cli: use cache dir instead of config dir #2588 (@calebdoxsey)
cli: update tcp log output format #2586 (@travisgroth)
directory: implement exponential backoff for refresh #2570 (@calebdoxsey)
google: support provider URL #2567 (@calebdoxsey)
allow pomerium to start without certs #2555 (@wasaga)
integration: kubernetes support #2536 (@calebdoxsey)
integration: nginx #2532 (@calebdoxsey)
integration: add traefik tests #2530 (@calebdoxsey)
envoy: remove deprecated access_log_path #2523 (@calebdoxsey)
config: remove headers #2522 (@calebdoxsey)
integration: add multi test #2519 (@calebdoxsey)
Remove api from GitLab defaultScope #2518 (@alexfornuto)
integration: add single-cluster integration tests #2516 (@calebdoxsey)
integration: remove tests #2514 (@calebdoxsey)
github: support provider URL #2490 (@calebdoxsey)
protoutil: add NewAny method for deterministic serialization #2462 (@calebdoxsey)
fix go get, improve redis test #2450 (@calebdoxsey)
all: remove unused handler code #2439 (@desimone)

Fixed

deployment: relocate pomerium-cli to /usr/bin #2727 (@travisgroth)
authenticate: always update user record on login #2719 (@calebdoxsey)
authenticate: add databroker versions to session cookie #2709 (@calebdoxsey)
protoc: add xds repo #2687 (@calebdoxsey)
add host-rewrite options to config.proto #2668 (@wasaga)
authclient: clone TLS configuration to prevent overriding NextProtos #2594 (@calebdoxsey)
tcptunnel: force the use of HTTP/1.1 during ALPN #2593 (@calebdoxsey)
userinfo: format exp, iat and updated_at #2585 (@calebdoxsey)
autocert: remove log #2584 (@calebdoxsey)
authorize: use session.user_id in headers #2571 (@calebdoxsey)
ppl: use session.user_id instead of user.id for user criterion #2562 (@calebdoxsey)
authorize: fix google cloudrun header audience #2558 (@calebdoxsey)
authorize: fix X-Pomerium-Claim-Groups #2539 (@calebdoxsey)
grpc: disable gRPC connection re-use across services #2515 (@calebdoxsey)
fix forward-auth, logging #2509 (@calebdoxsey)
grpc: send client traffic through envoy #2469 (@calebdoxsey)
options: remove refresh_cooldown, add allow_spdy to proto #2446 (@calebdoxsey)

Security

identity: fix user refresh #2724 (@calebdoxsey)
deps: update envoy to 1.19.1 #2526 (@travisgroth)

Documentation

Docs: Update Traefik Example Headers #2732 (@alexfornuto)
Docs: Reference gRPC API Docs #2717 (@alexfornuto)
Minor fix in routes documentation #2714 (@Kerwood)
Docs: Update Community Page #2713 (@cmo-pomerium)
Update overview/architecture.md #2701 (@cmo-pomerium)
Update create TLS command to quote strings. #2694 (@FutureMatt)
Docs: Correct Claim Example #2689 (@alexfornuto)
Fix typo in docs #2683 (@nihaals)
Fixed 'kubtctl' typo on releases page #2673 (@ChaosInTheCRD)
Docs: Ingress Controller #2667 (@alexfornuto)
add service account redirects #2664 (@alexfornuto)
DOCS: Standardize Relative Links #2651 (@alexfornuto)
Docs: cross-reference links between concepts and reference #2648 (@alexfornuto)
typo #2644 (@alexfornuto)
adjust sidebarDepths and document Desktop Client releases #2643 (@alexfornuto)
DOCS: CORS preflight in console #2642 (@alexfornuto)
DOCS: Collapse IDP Header #2641 (@alexfornuto)
docs: remove extra word / updated docs link #2638 (@cmo-pomerium)
Docs: Batch Updates #2628 (@alexfornuto)
Refresh and Update TCP documentation #2627 (@alexfornuto)
DOC: Copy edits to Okta IdP doc. #2623 (@alexfornuto)
Docs/batch link fixes #2621 (@alexfornuto)
Add redirect for installation #2618 (@alexfornuto)
Add docs team as a code owner of packages.json #2605 (@alexfornuto)
Update CODEOWNERS #2603 (@alexfornuto)
DOCS: Update Enterprise Reference Docs #2599 (@alexfornuto)
Document Enterprise API #2595 (@alexfornuto)
docs: rename updated icon image #2582 (@travisgroth)
docs: add updated icon asset #2580 (@travisgroth)
Document recovery token generation #2579 (@alexfornuto)
New Topic Page: Original Request Context #2569 (@alexfornuto)
docs: enterprise console v0.15.2 changelog #2564 (@travisgroth)
TCP Client Doc #2561 (@alexfornuto)
Docs: Fix merged PR #2546 (@alexfornuto)
docs: enterprise v0.15.1 changelog #2542 (@travisgroth)
Update Ping Identity IdP #2537 (@alexfornuto)
update OneLogin IdP doc #2533 (@alexfornuto)
Update GitLab IdP doc #2520 (@alexfornuto)
update GitHub IdP doc #2503 (@alexfornuto)
Update AWS cognito IdP doc #2498 (@alexfornuto)
Update Azure IdP Doc #2497 (@alexfornuto)
Auth0 Doc Refresh #2494 (@alexfornuto)
Update IdP Overview Page #2493 (@alexfornuto)
Update Okta IdP doc #2491 (@alexfornuto)
adjust comment blocking #2488 (@alexfornuto)
document binding service to 443 #2487 (@alexfornuto)
docs: use generic email #2484 (@alexfornuto)
Update Docker Quickstart #2482 (@alexfornuto)
Wrap mkcert command in quotes #2481 (@alexfornuto)
Updates to Enterprise Quickstart instructions #2480 (@alexfornuto)
wrap header example values as inline code. #2474 (@alexfornuto)
docs: clarify custom request header limitations #2471 (@desimone)
Update Helm Instructions #2467 (@alexfornuto)
docs: update enterprise helm instructions to use main repo #2463 (@travisgroth)
Document tracing sample rate in console #2461 (@alexfornuto)
Document moving routes #2460 (@alexfornuto)
Enterprise Upgrade & Changelog Pages #2453 (@alexfornuto)
docs: update codeowners #2451 (@travisgroth)
Update binary install doc #2447 (@alexfornuto)
docs: update branding, concepts #2445 (@desimone)
specify expected audience in Console config #2442 (@alexfornuto)
docs: update default version to v0.15 #2437 (@travisgroth)
docs: update branding #2435 (@desimone)

Dependency

dependencies: vendor base58, remove shortuuid #2739 (@calebdoxsey)
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.9 to 3.21.10 #2736 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.33.1 to 0.34.0 #2735 (@dependabot[bot])
chore(deps): bump github.com/openzipkin/zipkin-go from 0.2.5 to 0.3.0 #2734 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.1 to 0.32.1 #2706 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.9+incompatible to 20.10.10+incompatible #2705 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.19.2 to 5.20.0 #2704 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.1 to 0.6.2 #2703 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.5 to 0.15.1 #2685 (@dependabot[bot])
chore(deps): bump github.com/peterbourgon/ff/v3 from 3.1.0 to 3.1.2 #2672 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.8 to 3.21.9 #2671 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.8+incompatible to 20.10.9+incompatible #2670 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.57.0 to 0.58.0 #2660 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.3 to 8.11.4 #2659 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.1 to 0.33.1 #2658 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.31.0 to 0.31.1 #2656 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.32.0 to 0.32.1 #2633 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.40.0 to 1.41.0 #2632 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.30.0 to 0.31.0 #2631 (@dependabot[bot])
chore(deps): bump sigs.k8s.io/yaml from 1.2.0 to 1.3.0 #2630 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.7.0 to 3.8.0 #2629 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.9.0 #2616 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.56.0 to 0.57.0 #2615 (@dependabot[bot])
chore(deps): bump github.com/coreos/go-oidc/v3 from 3.0.0 to 3.1.0 #2614 (@dependabot[bot])
bump protoc-validate #2606 (@wasaga)
chore(deps): bump go.uber.org/zap from 1.19.0 to 1.19.1 #2592 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.24.0 to 1.25.0 #2591 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.7 to 3.21.8 #2577 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.42.0 to 1.42.1 #2576 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.4 to 0.14.5 #2575 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.54.0 to 0.56.0 #2574 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.31.0 to 0.32.0 #2573 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.5.0 to 1.5.1 #2554 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.3 to 0.14.4 #2553 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.23.0 to 1.24.0 #2552 (@dependabot[bot])
chore(deps): bump github.com/docker/docker from 20.10.7+incompatible to 20.10.8+incompatible #2551 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.1 to 0.14.3 #2550 (@dependabot[bot])
chore(deps): bump contrib.go.opencensus.io/exporter/prometheus from 0.3.0 to 0.4.0 #2549 (@dependabot[bot])
chore(deps): bump github.com/cespare/xxhash/v2 from 2.1.1 to 2.1.2 #2548 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.2 to 0.7.3 #2512 (@dependabot[bot])
chore(deps): bump github.com/golangci/golangci-lint from 1.41.1 to 1.42.0 #2511 (@dependabot[bot])
chore(deps): bump github.com/fsnotify/fsnotify from 1.4.9 to 1.5.0 #2510 (@dependabot[bot])
ci: use go 1.17.x #2492 (@desimone)
chore(deps): bump google.golang.org/grpc from 1.39.1 to 1.40.0 #2478 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.2 to 8.11.3 #2477 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.52.0 to 0.54.0 #2476 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.18.1 to 1.19.0 #2475 (@dependabot[bot])
ci: support darwn/arm64 aka m1 for cli #2473 (@desimone)
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])
chore(deps): bump google.golang.org/grpc from 1.39.0 to 1.39.1 #2457 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.1 to 0.7.2 #2456 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2455 (@dependabot[bot])
Hadolint #2363 (@stephengroat)

Deployment

deployment: remove DST_Root_CA_X3 from docker images #2677 (@travisgroth)
deployment: update goreleaser syntax #2524 (@travisgroth)

Changed

ci: remove hadolint #2726 (@travisgroth)
ci: ignore multiple run commands #2566 (@travisgroth)
redirect logo to the marketing site #2441 (@alexfornuto)

v0.15.5 (2021-10-22)

Full Changelog

New

skip configuration updates to the most recent one #2692 (@backport-actions-token[bot])

Documentation

Update create TLS command to quote strings. #2697 (@backport-actions-token[bot])
DOCS: CORS preflight in console #2693 (@backport-actions-token[bot])
Docs: Correct Claim Example #2691 (@backport-actions-token[bot])
Fix typo in docs #2684 (@backport-actions-token[bot])

Deployment

deployment: remove DST_Root_CA_X3 from docker images #2698 (@travisgroth)

v0.15.4 (2021-10-14)

Full Changelog

New

protoutil: add NewAny method for deterministic serialization #2662 (@backport-actions-token[bot])

Fixed

backport: host rewrite #2669 (@wasaga)

Documentation

Fixed 'kubtctl' typo on releases page #2680 (@backport-actions-token[bot])
Refresh and Update TCP documentation #2679 (@backport-actions-token[bot])
Docs: Ingress Controller #2667 (@alexfornuto)
add service account redirects #2665 (@backport-actions-token[bot])
DOCS: Standardize Relative Links (#2651) #2654 (@alexfornuto)
Docs: cross-reference links between concepts and reference #2650 (@backport-actions-token[bot])
DOCS: Collapse IDP Header #2649 (@backport-actions-token[bot])
typo #2646 (@backport-actions-token[bot])
Docs: Batch Updates #2640 (@backport-actions-token[bot])
docs: remove extra word / updated docs link #2639 (@backport-actions-token[bot])
TCP Client Doc #2626 (@backport-actions-token[bot])
DOC: Copy edits to Okta IdP doc. #2625 (@backport-actions-token[bot])
DOCS: Update Enterprise Reference Docs #2624 (@backport-actions-token[bot])
Docs/batch link fixes #2622 (@backport-actions-token[bot])
Add redirect for installation #2620 (@backport-actions-token[bot])
Document Enterprise API #2619 (@backport-actions-token[bot])

v0.15.3 (2021-09-17)

Full Changelog

New

cli: update tcp log output format #2587 (@travisgroth)

Fixed

backport 2593 and 2594 to 0.15 #2598 (@calebdoxsey)

Documentation

Add docs team as a code owner of packages.json #2607 (@backport-actions-token[bot])
New Topic Page: Original Request Context #2602 (@backport-actions-token[bot])
Document recovery token generation #2601 (@backport-actions-token[bot])
DOCS: Add copy button to code snippets #2600 (@backport-actions-token[bot])
docs: rename updated icon image #2583 (@backport-actions-token[bot])
docs: add updated icon asset #2581 (@backport-actions-token[bot])

Changed

Update CODEOWNERS #2604 (@backport-actions-token[bot])

v0.15.2 (2021-09-03)

Full Changelog

New

allow pomerium to start without certs #2556 (@backport-actions-token[bot])

Fixed

authorize: use session.user_id in headers #2572 (@backport-actions-token[bot])
ppl: use session.user_id instead of user.id for user criterion #2563 (@backport-actions-token[bot])
authorize: fix google cloudrun header audience #2560 (@backport-actions-token[bot])
authorize: fix X-Pomerium-Claim-Groups #2540 (@backport-actions-token[bot])

Documentation

docs: enterprise console v0.15.2 changelog #2565 (@backport-actions-token[bot])
Docs: Fix merged PR #2547 (@backport-actions-token[bot])
Update Ping Identity IdP #2545 (@backport-actions-token[bot])
update OneLogin IdP doc #2544 (@backport-actions-token[bot])
docs: enterprise v0.15.1 changelog #2543 (@backport-actions-token[bot])
Updates to Enterprise Quickstart instructions #2531 (@backport-actions-token[bot])

v0.15.0 (2021-08-05)

Full Changelog

Breaking

config: remove support for ed25519 signing keys #2430 (@calebdoxsey)

New

telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
authorize: log additional session details #2419 (@calebdoxsey)
telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
envoyconfig: improvements #2402 (@calebdoxsey)
config: add support for embedded PPL policy #2401 (@calebdoxsey)
ppl: remove support for aliases #2400 (@calebdoxsey)
directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
evaluator: use cryptutil.Hash for script spans #2384 (@desimone)
authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
k8s: add flush-credentials command #2379 (@calebdoxsey)
urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
ci: use revive instead of golint #2370 (@calebdoxsey)
authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
config: add warning about http URLs #2358 (@calebdoxsey)
authorize: log service account and impersonation details #2354 (@calebdoxsey)
tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
registry/redis: call publish from within lua function #2337 (@calebdoxsey)

Fixed

config: remove grpc server max connection age options #2427 (@calebdoxsey)
authorize: add sid to JWT claims #2420 (@calebdoxsey)
disable http/2 for websockets #2399 (@calebdoxsey)
ci: update gcloud action #2393 (@travisgroth)
google: remove WithHTTPClient #2391 (@calebdoxsey)
telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
authorize: allow redirects on deny #2361 (@calebdoxsey)
authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
envoy: only check for pid with monitor #2355 (@calebdoxsey)
fix: timeout in protobuf #2341 (@wasaga)
authorize: support boolean deny results #2338 (@calebdoxsey)

Security

envoy: only allow embedding #2368 (@calebdoxsey)

Documentation

update v0.15 changelog #2436 (@travisgroth)
doc updates #2433 (@calebdoxsey)
Update Console installs to match signing_key #2432 (@alexfornuto)
docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
docs: clarify device identity, not state via client certs #2428 (@desimone)
v0.15 release notes #2409 (@travisgroth)
docs: only secure schemes are supported #2408 (@desimone)
Installation Docs Restructuring #2406 (@alexfornuto)
symlink security policy to root of project #2396 (@desimone)
Enterprise Docs #2390 (@alexfornuto)
Docs bug fixes #2362 (@alexfornuto)
Docs sorting #2346 (@alexfornuto)
Update installation source for mkcert #2340 (@alexfornuto)

Dependency

chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
ci: convert to FOSSA scan #2371 (@travisgroth)
chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])

Changed

redis: increase timeout on test #2425 (@calebdoxsey)
build: add envoy files to make clean #2411 (@travisgroth)
envoy: bump to 1.19 #2392 (@travisgroth)
ci: use github app for backport credentials #2369 (@travisgroth)
databroker: tests #2367 (@calebdoxsey)
storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)
redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)

v0.14.8 (2021-08-26)

Full Changelog

Security

deps: bump envoy to v0.17.4 #2535 (@travisgroth)

Documentation

docs: only secure schemes are supported #2410 (@backport-actions-token[bot])
Docs bug fixes #2364 (@github-actions[bot])
Docs backporting #2351 (@alexfornuto)
docs: google gcp / workspace instructions #2350 (@github-actions[bot])

Dependency

chore(deps): upgrade kind action to v1.2.0 (#2281) #2366 (@travisgroth)

Changed

ci: update gcloud action #2538 (@backport-actions-token[bot])

v0.15.1 (2021-08-25)

Full Changelog

Fixed

options: remove refresh_cooldown, add allow_spdy to proto #2448 (@backport-actions-token[bot])

Security

deps: update envoy to 1.19.1 #2527 (@backport-actions-token[bot])

Documentation

Update GitLab IdP doc #2529 (@backport-actions-token[bot])
Remove api from GitLab defaultScope #2528 (@backport-actions-token[bot])
update GitHub IdP doc #2508 (@backport-actions-token[bot])
docs: update codeowners #2506 (@backport-actions-token[bot])
Update Helm Instructions #2505 (@backport-actions-token[bot])
Update Azure IdP Doc #2504 (@backport-actions-token[bot])
Update IdP Overview Page #2502 (@backport-actions-token[bot])
Update AWS cognito IdP doc #2501 (@backport-actions-token[bot])
Auth0 Doc Refresh #2500 (@backport-actions-token[bot])
document binding service to 443 #2499 (@backport-actions-token[bot])
Update Okta IdP doc #2495 (@backport-actions-token[bot])
adjust comment blocking #2489 (@backport-actions-token[bot])
Update Docker Quickstart (#2482) #2486 (@alexfornuto)
docs: use generic email #2485 (@backport-actions-token[bot])
wrap header example values as inline code. #2479 (@backport-actions-token[bot])
docs: clarify custom request header limitations #2472 (@backport-actions-token[bot])
Document moving routes #2466 (@backport-actions-token[bot])
Document tracing sample rate in console #2465 (@backport-actions-token[bot])
docs: update enterprise helm instructions to use main repo #2464 (@backport-actions-token[bot])
Enterprise Upgrade & Changelog Pages #2458 (@backport-actions-token[bot])
Update binary install doc #2452 (@backport-actions-token[bot])
docs: update branding, concepts #2449 (@backport-actions-token[bot])
specify expected audience in Console config #2444 (@backport-actions-token[bot])
redirect logo to the marketing site #2443 (@backport-actions-token[bot])
docs: update branding #2440 (@backport-actions-token[bot])
docs: update default version to v0.15 #2438 (@backport-actions-token[bot])

Dependency

chore(deps): bump github.com/go-redis/redis/v8 from 8.11.1 to 8.11.2 #2459 (@backport-actions-token[bot])

Deployment

deployment: update goreleaser syntax #2525 (@backport-actions-token[bot])
ci: support darwn/arm64 aka m1 for cli #2521 (@travisgroth)

v0.15.0 (2021-08-05)

Full Changelog

Breaking

config: remove support for ed25519 signing keys #2430 (@calebdoxsey)

New

telemetry: add nonce and make explicit ack/nack #2434 (@wasaga)
authorize: log additional session details #2419 (@calebdoxsey)
telemetry: try guess hostname or external IP addr for metrics #2412 (@wasaga)
sessions: add impersonate_session_id, remove legacy impersonation #2407 (@calebdoxsey)
envoyconfig: improvements #2402 (@calebdoxsey)
config: add support for embedded PPL policy #2401 (@calebdoxsey)
ppl: remove support for aliases #2400 (@calebdoxsey)
directory: add logging http client to help with debugging outbound http requests #2385 (@calebdoxsey)
evaluator: use cryptutil.Hash for script spans #2384 (@desimone)
authorize: add additional tracing for rego evaluation #2381 (@calebdoxsey)
k8s: add flush-credentials command #2379 (@calebdoxsey)
urlutil: improve error message for urls with port in path #2377 (@calebdoxsey)
ci: use revive instead of golint #2370 (@calebdoxsey)
authorize: remove service account impersonate user id, email and groups #2365 (@calebdoxsey)
envoyconfig: default zipkin path to / when empty #2359 (@calebdoxsey)
config: add warning about http URLs #2358 (@calebdoxsey)
authorize: log service account and impersonation details #2354 (@calebdoxsey)
tools: add tools.go to pin go run apps #2344 (@calebdoxsey)
envoyconfig: add bootstrap layered runtime configuration #2343 (@calebdoxsey)
registry/redis: call publish from within lua function #2337 (@calebdoxsey)
proxy: add idle timeout #2319 (@wasaga)
cli: use proxy from environment #2316 (@tskinn)
authorize: do not send redirects to gRPC #2314 (@wasaga)
certs: reject certs from databroker if they conflict with local #2309 (@wasaga)
config: add enable_google_cloud_serverless_authentication to config protobuf #2306 (@calebdoxsey)
envoy: refactor envoy embedding #2296 (@calebdoxsey)
envoy: add full version #2287 (@calebdoxsey)
authorize: handle grpc-web content types like json #2268 (@calebdoxsey)
xds: retry storing configuration events #2266 (@calebdoxsey)
envoyconfig: use zipkin tracer #2265 (@calebdoxsey)
authorize: preserve original context #2247 (@wasaga)
ppl: add data type, implement string and list matchers #2228 (@calebdoxsey)
ppl: refactor authorize to evaluate PPL #2224 (@calebdoxsey)
ppl: convert config policy to ppl #2218 (@calebdoxsey)
Pomerium Policy Language #2202 (@calebdoxsey)
telemetry: add hostname tag to metrics #2191 (@wasaga)
envoy: disable timeouts for kubernetes #2189 (@calebdoxsey)
registry: implement redis backend #2179 (@calebdoxsey)
report instance hostname in xds events #2175 (@wasaga)
databroker: implement leases #2172 (@calebdoxsey)

Fixed

config: remove grpc server max connection age options #2427 (@calebdoxsey)
authorize: add sid to JWT claims #2420 (@calebdoxsey)
disable http/2 for websockets #2399 (@calebdoxsey)
ci: update gcloud action #2393 (@travisgroth)
google: remove WithHTTPClient #2391 (@calebdoxsey)
telemetry: support b3 headers on gRPC server calls #2376 (@calebdoxsey)
authorize: allow redirects on deny #2361 (@calebdoxsey)
authorize: decode CheckRequest path for redirect #2357 (@calebdoxsey)
envoyconfig: only delete cached files, ignore noisy error #2356 (@calebdoxsey)
envoy: only check for pid with monitor #2355 (@calebdoxsey)
fix: timeout in protobuf #2341 (@wasaga)
authorize: support boolean deny results #2338 (@calebdoxsey)
ppl: fix not/nor rules #2313 (@calebdoxsey)
directory/azure: add paging support to user group members call #2311 (@calebdoxsey)
ocsp: reload on response changes #2286 (@wasaga)
envoy: fix usage of codec_type with alpn #2277 (@calebdoxsey)
databroker: only tag contexts used for UpdateRecords #2269 (@wasaga)
redis: enforce capacity via ZREVRANGE to avoid race #2267 (@calebdoxsey)
authorize: only redirect for HTML pages #2264 (@calebdoxsey)
tracing: support dynamic reloading, more aggressive envoy restart #2262 (@calebdoxsey)
envoy: always set jwt claim headers even if no value is available #2261 (@calebdoxsey)
envoy: disable hot-reload for macos #2259 (@calebdoxsey)
authorize: round timestamp #2258 (@wasaga)
options: s/shared-key/shared secret #2257 (@desimone)
config: warn about unrecognized keys #2256 (@wasaga)
darwin: use gopsutil v3 to fix arm issue #2245 (@calebdoxsey)
policy: fix allowed idp claims PPL generation #2243 (@calebdoxsey)
envoy: exit if envoy exits #2240 (@calebdoxsey)
envoyconfig: fallback to global custom ca when no policy ca is defined #2235 (@calebdoxsey)
envoy: add global response headers to local replies #2217 (@calebdoxsey)
forward auth: don't strip query parameters #2216 (@wasaga)
PPL: bubble up values, bug fixes #2213 (@calebdoxsey)
Revert "authenticate,proxy: add same site lax to cookies" #2203 (@desimone)
authorize: grpc health check #2200 (@wasaga)
proxy / controplane: use old upstream cipher suite #2196 (@desimone)
deployment: fix empty version on master builds #2193 (@travisgroth)

Security

envoy: only allow embedding #2368 (@calebdoxsey)
deps: bump envoy to v1.17.3 #2198 (@travisgroth)

Documentation

doc updates #2433 (@calebdoxsey)
Update Console installs to match signing_key #2432 (@alexfornuto)
docs/reference: Clarify use of idp_service_account #2431 (@the-maldridge)
docs: clarify device identity, not state via client certs #2428 (@desimone)
v0.15 release notes #2409 (@travisgroth)
docs: only secure schemes are supported #2408 (@desimone)
Installation Docs Restructuring #2406 (@alexfornuto)
symlink security policy to root of project #2396 (@desimone)
Enterprise Docs #2390 (@alexfornuto)
Helm Quickstart Update #2380 (@alexfornuto)
Docs bug fixes #2362 (@alexfornuto)
Docs sorting #2346 (@alexfornuto)
Update installation source for mkcert #2340 (@alexfornuto)
Update kubernetes-dashboard.md #2285 (@WeeHong)
Transmission BitTorrent Client Guide #2281 (@alexfornuto)
docs: google gcp / workspace instructions #2272 (@desimone)
docs: update helm values for chart v20.0.0 #2242 (@travisgroth)
docs: update _redirects #2237 (@desimone)
add support for latest version of code-server #2229 (@bpmct)
fix(docs): use correct name for code-server #2223 (@jsjoeio)
docs: rm broken link #2215 (@alexfornuto)
docs: Match Tenses #2214 (@alexfornuto)
Update programmatic-access.md #2190 (@yyolk)
docs: add v0.14 feature highlights #2184 (@github-actions[bot])
docs: add v0.14 feature highlights #2183 (@travisgroth)
docs: update slack link to vanity url #2177 (@travisgroth)

Dependency

chore(deps): bump gopkg.in/auth0.v5 from 5.19.1 to 5.19.2 #2422 (@dependabot[bot])
chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0-rc.1 to 3.0.0 #2421 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.29.0 to 0.30.0 #2417 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.2 to 0.31.0 #2416 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.51.0 to 0.52.0 #2415 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.6 to 3.21.7 #2414 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.11.0 to 8.11.1 #2413 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.7.0 to 0.7.1 #2395 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.50.0 to 0.51.0 #2394 (@dependabot[bot])
chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 #2374 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.30.1 to 0.30.2 #2373 (@dependabot[bot])
ci: convert to FOSSA scan #2371 (@travisgroth)
chore(deps): bump github.com/golangci/golangci-lint from 1.40.1 to 1.41.1 #2353 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.14.0 to 0.14.1 #2352 (@dependabot[bot])
chore(deps): bump github.com/rs/cors from 1.7.0 to 1.8.0 #2334 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.49.0 to 0.50.0 #2333 (@dependabot[bot])
chore(deps): upgrade kind action to v1.2.0 #2331 (@travisgroth)
chore(deps): bump github.com/spf13/cobra from 1.1.3 to 1.2.1 #2330 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.10.0 to 8.11.0 #2329 (@dependabot[bot])
chore(deps): bump github.com/prometheus/procfs from 0.6.0 to 0.7.0 #2328 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.5 to 3.21.6 #2326 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.17.0 to 1.18.1 #2325 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.38.0 to 1.39.0 #2324 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.29.4 to 0.30.1 #2323 (@dependabot[bot])
chore(deps): bump google.golang.org/protobuf from 1.26.0 to 1.27.0 #2318 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.8.0 to 1.8.1 #2317 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.48.0 to 0.49.0 #2315 (@dependabot[bot])
chore(deps): bump github.com/spf13/viper from 1.7.1 to 1.8.0 #2305 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.18.0 to 5.19.1 #2304 (@dependabot[bot])
chore(deps): bump github.com/ory/dockertest/v3 from 3.6.5 to 3.7.0 #2303 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.47.0 to 0.48.0 #2295 (@dependabot[bot])
chore(deps): bump github.com/prometheus/client_golang from 1.10.0 to 1.11.0 #2294 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.22.0 to 1.23.0 #2293 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.17.0 to 5.18.0 #2292 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.13.1 to 0.14.0 #2291 (@dependabot[bot])
chore(deps): bump github.com/golang/mock from 1.5.0 to 1.6.0 #2290 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.25.0 to 0.29.0 #2289 (@dependabot[bot])
deps: upgrade to go-jose v3 #2284 (@calebdoxsey)
chore(deps): bump github.com/go-redis/redis/v8 from 8.9.0 to 8.10.0 #2276 (@dependabot[bot])
chore(deps): bump github.com/shirou/gopsutil/v3 from 3.21.4 to 3.21.5 #2274 (@dependabot[bot])
chore(deps): bump gopkg.in/square/go-jose.v2 from 2.5.1 to 2.6.0 #2273 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.29.4 #2255 (@dependabot[bot])
chore(deps): bump go.uber.org/zap from 1.16.0 to 1.17.0 #2254 (@dependabot[bot])
chore(deps): bump github.com/google/go-cmp from 0.5.5 to 0.5.6 #2253 (@dependabot[bot])
chore(deps): bump github.com/cenkalti/backoff/v4 from 4.1.0 to 4.1.1 #2252 (@dependabot[bot])
chore(deps): bump github.com/mitchellh/hashstructure/v2 from 2.0.1 to 2.0.2 #2251 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.8.3 to 8.9.0 #2249 (@dependabot[bot])
darwin: use x86 envoy build for arm64 #2246 (@calebdoxsey)
chore(deps): bump github.com/prometheus/common from 0.24.0 to 0.25.0 #2234 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.46.0 to 0.47.0 #2233 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.8.2 to 8.8.3 #2232 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.37.1 to 1.38.0 #2231 (@dependabot[bot])
dependency: update /x/net #2227 (@desimone)
chore(deps): bump github.com/lithammer/shortuuid/v3 from 3.0.6 to 3.0.7 #2211 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.23.0 to 0.24.0 #2210 (@dependabot[bot])
chore(deps): bump github.com/rs/zerolog from 1.21.0 to 1.22.0 #2209 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.16.0 to 5.17.0 #2208 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.37.0 to 1.37.1 #2207 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.13.0 to 0.13.1 #2188 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.15.0 to 5.16.0 #2187 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.45.0 to 0.46.0 #2186 (@dependabot[bot])

Changed

redis: increase timeout on test #2425 (@calebdoxsey)
build: add envoy files to make clean #2411 (@travisgroth)
envoy: bump to 1.19 #2392 (@travisgroth)
ci: use github app for backport credentials #2369 (@travisgroth)
databroker: tests #2367 (@calebdoxsey)
storage/inmemory: add tests for close behavior #2336 (@calebdoxsey)
redis: refactor change signal test to be more deterministic #2335 (@calebdoxsey)
internal/envoy: add debugging information if envoy is no longer running #2320 (@travisgroth)
ci: add coveralls #2279 (@travisgroth)

v0.14.7 (2021-06-24)

Full Changelog

Fixed

directory/azure: add paging support to user group members call #2312 (@github-actions[bot])

v0.14.6 (2021-06-16)

Full Changelog

Fixed

authorize: only redirect for HTML pages (#2264) #2298 (@calebdoxsey)

v0.14.5 (2021-06-07)

Full Changelog

Fixed

envoy: fix usage of codec_type with alpn #2278 (@github-actions[bot])
authorize: round JWT claim timestamps #2260 (@wasaga)

Documentation

docs: update helm values for chart v20.0.0 #2244 (@github-actions[bot])
docs: update _redirects #2238 (@github-actions[bot])

v0.14.4 (2021-05-24)

Full Changelog

Fixed

authorize: add rego functions to custom evaluator #2236 (@calebdoxsey)

v0.14.3 (2021-05-21)

Full Changelog

Fixed

authorize: fix custom rego panic #2226 (@calebdoxsey)

Changed

envoy: add global response headers to local replies #2225 (@github-actions[bot])

v0.14.2 (2021-05-17)

Full Changelog

Fixed

Revert "authenticate,proxy: add same site lax to cookies" #2204 (@github-actions[bot])

Documentation

Update programmatic-access.md #2205 (@github-actions[bot])

v0.14.1 (2021-05-13)

Full Changelog

Fixed

proxy / controplane: use old upstream cipher suite #2197 (@github-actions[bot])

Security

deps: bump envoy to v1.17.3 #2199 (@github-actions[bot])

Documentation

docs: update slack link to vanity url #2178 (@github-actions[bot])

v0.14.0 (2021-05-04)

Full Changelog

New

databroker: store issued at timestamp with session #2173 (@calebdoxsey)
config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
xds extended event #2158 (@wasaga)
config: add client_crl #2157 (@calebdoxsey)
config: add support for codec_type #2156 (@calebdoxsey)
controlplane: save configuration events to databroker #2153 (@calebdoxsey)
control plane: add request id to all error pages #2149 (@desimone)
let pass custom dial opts #2144 (@wasaga)
envoy: re-implement recommended defaults #2123 (@calebdoxsey)
Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
config: remove validate side effects #2109 (@calebdoxsey)
log context #2107 (@wasaga)
databroker: add options for maximum capacity #2095 (@calebdoxsey)
envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
config: rename headers to set_response_headers #2081 (@calebdoxsey)
crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
cryptutil: use bytes for hmac #2067 (@calebdoxsey)
cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
authorize: audit logging #2050 (@calebdoxsey)
support host:port in metrics_address #2042 (@wasaga)
databroker: return server version in Get #2039 (@wasaga)
authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
protoutil: add generic transformer #2023 (@calebdoxsey)
cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
telemetry: add installation id #2017 (@calebdoxsey)
config: use getters for certificates #2001 (@calebdoxsey)
config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
redis: add redis cluster support #1992 (@calebdoxsey)
redis: add support for redis-sentinel #1991 (@calebdoxsey)
authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
identity: infer email from mail claim #1977 (@calebdoxsey)
ping: identity and directory providers #1975 (@calebdoxsey)
config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
config: add rewrite_response_headers option #1961 (@calebdoxsey)
assets: use embed instead of statik #1960 (@calebdoxsey)
config: log config source changes #1959 (@calebdoxsey)
config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
telemetry: add process collector for envoy #1948 (@calebdoxsey)
use build_info as liveness gauge metric #1940 (@wasaga)
metrics: add TLS options #1939 (@calebdoxsey)
identity: record metric for last refresh #1936 (@calebdoxsey)
middleware: basic auth equalize lengths of input #1934 (@desimone)
autocert: remove non-determinism #1932 (@calebdoxsey)
config: add metrics_basic_auth option #1917 (@calebdoxsey)
envoy: validate binary checksum #1908 (@calebdoxsey)
config: support map of jwt claim headers #1906 (@calebdoxsey)
Remove internal/protoutil. #1893 (@yegle)
databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
config: allow customization of envoy boostrap admin options #1872 (@calebdoxsey)
proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)

Fixed

deployment: update alpine debug image dependencies #2154 (@travisgroth)
authorize: refactor store locking #2151 (@calebdoxsey)
databroker: store server version in backend #2142 (@calebdoxsey)
authorize: audit log had duplicate "message" key #2141 (@desimone)
httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
authorize: fix unsigned URL #2118 (@calebdoxsey)
authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
config: don't change address value on databroker or authorize #2092 (@travisgroth)
metrics_address should be optional parameter #2087 (@wasaga)
propagate changes back from encrypted backend #2079 (@wasaga)
config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
authenticate: fix default sign out url #2061 (@calebdoxsey)
change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
config: add headers to config proto #1996 (@calebdoxsey)
Fix process cpu usage metric #1979 (@wasaga)
cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
config: fix redirect routes from protobuf #1930 (@travisgroth)
google: fix default provider URL #1928 (@calebdoxsey)
fix registry test #1911 (@wasaga)
ci: pin goreleaser version #1900 (@travisgroth)
onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
xds: fix misdirected script #1895 (@calebdoxsey)
authenticate: validate origin of signout #1876 (@desimone)
redis: fix deletion versioning #1871 (@calebdoxsey)
options: header only applies to routes and authN #1862 (@desimone)
controlplane: add global headers to virtualhost #1861 (@desimone)
unique envoy cluster ids #1858 (@wasaga)

Security

ci: remove codecov #2161 (@travisgroth)
internal/envoy: always extract envoy #2160 (@travisgroth)
deps: bump envoy to 1.17.2 #2113 (@travisgroth)
deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)

Documentation

docs: add inline instructions to generate signing-key #2164 (@desimone)
docs: add info note to set_response_headers #2162 (@calebdoxsey)
docs: mention alternative bearer token header format #2155 (@travisgroth)
docs: upgrade notes on allowed\_users by ID #2133 (@travisgroth)
docs: add threat model to security page #2097 (@desimone)
docs: update community slack link #2063 (@travisgroth)
Update local-oidc.md #1994 (@dharmendrakariya)
ping: add documentation #1976 (@calebdoxsey)
docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
Update data-storage.md #1941 (@TanguyPatte)
docs: fix query param name #1920 (@calebdoxsey)
docs: add breaking sa changes in v0.13 #1919 (@desimone)
docs: add v0.13 to docs site menu #1913 (@travisgroth)
docs: update changelog for v0.13.0 #1909 (@desimone)
docs: update security policy #1897 (@desimone)
docs: misc upgrade notes and changelog #1884 (@travisgroth)
docs: add load balancing weight documentation #1883 (@travisgroth)
docs: additional load balancing documentation #1875 (@travisgroth)

Dependency

chore(deps): bump github.com/ory/dockertest/v3 from 3.6.3 to 3.6.5 #2168 (@dependabot[bot])
chore(deps): bump github.com/prometheus/common from 0.21.0 to 0.23.0 #2167 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.0 to 0.6.1 #2166 (@dependabot[bot])
chore(deps): bump github.com/open-policy-agent/opa from 0.27.1 to 0.28.0 #2165 (@dependabot[bot])
use cached envoy #2132 (@wasaga)
chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
do not require project be in GOPATH/src #2078 (@wasaga)
chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
deps: switch from renovate to dependabot #2069 (@travisgroth)
fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
chore(deps): update yaml v2 to v3 #1927 (@desimone)
chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])

Deployment

deployment: update get-envoy script and release hooks #2111 (@travisgroth)
deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
ci: cache build and test binaries #1938 (@desimone)
ci: go 1.16.x, cached tests #1937 (@desimone)

Changed

authorize: remove log #2122 (@calebdoxsey)
config related metrics #2065 (@wasaga)
proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
add default gitlab url #2044 (@contrun)
Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
Add xff\_num\_trusted\_hops config option #2003 (@ntoofu)
envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
ci: deploy master to integration environments #1973 (@travisgroth)
oidc: use groups claim from ID token if present #1970 (@bonifaido)
config: expose viper policy hooks #1947 (@calebdoxsey)
ci: deploy latest release to test environment #1916 (@travisgroth)
logs: strip query string #1894 (@calebdoxsey)
in-memory service registry #1892 (@wasaga)
controlplane: maybe fix flaky test #1873 (@calebdoxsey)
remove generated code from code coverage metrics #1857 (@travisgroth)

v0.14.0-rc2 (2021-04-29)

Full Changelog

New

controlplane: save configuration events to databroker #2153 (@calebdoxsey)
control plane: add request id to all error pages #2149 (@desimone)
let pass custom dial opts #2144 (@wasaga)
envoy: re-implement recommended defaults #2123 (@calebdoxsey)
Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
config: remove validate side effects #2109 (@calebdoxsey)
log context #2107 (@wasaga)
databroker: add options for maximum capacity #2095 (@calebdoxsey)

Fixed

deployment: update alpine debug image dependencies #2154 (@travisgroth)
authorize: refactor store locking #2151 (@calebdoxsey)
databroker: store server version in backend #2142 (@calebdoxsey)
authorize: audit log had duplicate "message" key #2141 (@desimone)
httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
authorize: fix unsigned URL #2118 (@calebdoxsey)
authorize: support arbitrary jwt claims #2102 (@calebdoxsey)

Security

deps: bump envoy to 1.17.2 #2113 (@travisgroth)

Documentation

docs: mention alternative bearer token header format #2155 (@travisgroth)
docs: upgrade notes on allowed\_users by ID #2133 (@travisgroth)

Dependency

use cached envoy #2132 (@wasaga)
chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])

Deployment

deployment: update get-envoy script and release hooks #2111 (@travisgroth)
deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)

Changed

authorize: remove log #2122 (@calebdoxsey)

v0.14.0-rc1 (2021-04-22)

Full Changelog

Breaking

directory: remove provider from user id #2068 (@calebdoxsey)

New

envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
config: rename headers to set_response_headers #2081 (@calebdoxsey)
crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
cryptutil: use bytes for hmac #2067 (@calebdoxsey)
cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
authorize: audit logging #2050 (@calebdoxsey)
support host:port in metrics_address #2042 (@wasaga)
databroker: return server version in Get #2039 (@wasaga)
authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
protoutil: add generic transformer #2023 (@calebdoxsey)
cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
telemetry: add installation id #2017 (@calebdoxsey)
config: use getters for certificates #2001 (@calebdoxsey)
config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
redis: add redis cluster support #1992 (@calebdoxsey)
redis: add support for redis-sentinel #1991 (@calebdoxsey)
authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
identity: infer email from mail claim #1977 (@calebdoxsey)
ping: identity and directory providers #1975 (@calebdoxsey)
config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
config: add rewrite_response_headers option #1961 (@calebdoxsey)
assets: use embed instead of statik #1960 (@calebdoxsey)
config: log config source changes #1959 (@calebdoxsey)
config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
telemetry: add process collector for envoy #1948 (@calebdoxsey)
use build_info as liveness gauge metric #1940 (@wasaga)
metrics: add TLS options #1939 (@calebdoxsey)
identity: record metric for last refresh #1936 (@calebdoxsey)
middleware: basic auth equalize lengths of input #1934 (@desimone)
autocert: remove non-determinism #1932 (@calebdoxsey)
config: add metrics_basic_auth option #1917 (@calebdoxsey)
envoy: validate binary checksum #1908 (@calebdoxsey)
config: support map of jwt claim headers #1906 (@calebdoxsey)
Remove internal/protoutil. #1893 (@yegle)
databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
config: allow customization of envoy boostrap admin options #1872 (@calebdoxsey)
proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)

Fixed

authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
config: don't change address value on databroker or authorize #2092 (@travisgroth)
metrics_address should be optional parameter #2087 (@wasaga)
propagate changes back from encrypted backend #2079 (@wasaga)
config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
authenticate: fix default sign out url #2061 (@calebdoxsey)
change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
config: add headers to config proto #1996 (@calebdoxsey)
Fix process cpu usage metric #1979 (@wasaga)
cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
config: fix redirect routes from protobuf #1930 (@travisgroth)
google: fix default provider URL #1928 (@calebdoxsey)
fix registry test #1911 (@wasaga)
ci: pin goreleaser version #1900 (@travisgroth)
onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
xds: fix misdirected script #1895 (@calebdoxsey)
authenticate: validate origin of signout #1876 (@desimone)
redis: fix deletion versioning #1871 (@calebdoxsey)
options: header only applies to routes and authN #1862 (@desimone)
controlplane: add global headers to virtualhost #1861 (@desimone)
unique envoy cluster ids #1858 (@wasaga)

Security

deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)

Documentation

docs: add threat model to security page #2097 (@desimone)
docs: update community slack link #2063 (@travisgroth)
Update local-oidc.md #1994 (@dharmendrakariya)
ping: add documentation #1976 (@calebdoxsey)
docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
Update data-storage.md #1941 (@TanguyPatte)
docs: fix query param name #1920 (@calebdoxsey)
docs: add breaking sa changes in v0.13 #1919 (@desimone)
docs: add v0.13 to docs site menu #1913 (@travisgroth)
docs: update changelog for v0.13.0 #1909 (@desimone)
docs: update security policy #1897 (@desimone)
docs: misc upgrade notes and changelog #1884 (@travisgroth)
docs: add load balancing weight documentation #1883 (@travisgroth)
docs: additional load balancing documentation #1875 (@travisgroth)

Dependency

chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
do not require project be in GOPATH/src #2078 (@wasaga)
chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
deps: switch from renovate to dependabot #2069 (@travisgroth)
fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
chore(deps): update yaml v2 to v3 #1927 (@desimone)
chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])

Deployment

deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
ci: cache build and test binaries #1938 (@desimone)
ci: go 1.16.x, cached tests #1937 (@desimone)

Changed

config related metrics #2065 (@wasaga)
proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
add default gitlab url #2044 (@contrun)
Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
Add xff\_num\_trusted\_hops config option #2003 (@ntoofu)
envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
ci: deploy master to integration environments #1973 (@travisgroth)
oidc: use groups claim from ID token if present #1970 (@bonifaido)
config: expose viper policy hooks #1947 (@calebdoxsey)
ci: deploy latest release to test environment #1916 (@travisgroth)
logs: strip query string #1894 (@calebdoxsey)
in-memory service registry #1892 (@wasaga)
controlplane: maybe fix flaky test #1873 (@calebdoxsey)
remove generated code from code coverage metrics #1857 (@travisgroth)

v0.17.2 (2022-04-22)​

Fixed​

Dependency​

Docs​

v0.17.1 (2022-03-30)​

Security Notice​

Security​

Fixed​

v0.17.0 (2022-03-04)​

New​

Fixed​

Dependency​

Deployment​

Changed​

v0.16.4 (2022-02-25)​

Dependency​

v0.16.3 (2022-02-11)​

Fixed​

v0.16.2 (2022-01-25)​

Fixed​

v0.16.1 (2022-01-19)​

Fixed​

v0.16.0 (2021-12-22)​

Breaking​

New​

Security​

Fixed​

Documentation​

Dependency​

Deployment​

Changed​

v0.15.8 (2021-12-17)​

Fixed​

Documentation​

Dependency​

v0.15.7 (2021-11-15)​

Fixed​

Security​

Documentation​

v0.15.6 (2021-11-04)​

Breaking​

New​

Fixed​

Security​

Documentation​

Dependency​

Deployment​

Changed​

v0.15.5 (2021-10-22)​

New​

Documentation​

Deployment​

v0.15.4 (2021-10-14)​

New​

Fixed​

Documentation​

v0.15.3 (2021-09-17)​

New​

Fixed​

Documentation​

Changed​

v0.15.2 (2021-09-03)​

New​

Fixed​

Documentation​

v0.15.0 (2021-08-05)​

Breaking​

New​

Fixed​

Security​

Documentation​

Dependency​

Changed​

v0.14.8 (2021-08-26)​

Security​

Documentation​

Dependency​

Changed​

v0.15.1 (2021-08-25)​

Fixed​

v0.17.2 (2022-04-22)

Fixed

Dependency

Docs

v0.17.1 (2022-03-30)

Security Notice

Security

Fixed

v0.17.0 (2022-03-04)

New

Fixed

Dependency

Deployment

Changed

v0.16.4 (2022-02-25)

Dependency

v0.16.3 (2022-02-11)

Fixed

v0.16.2 (2022-01-25)

Fixed

v0.16.1 (2022-01-19)

Fixed

v0.16.0 (2021-12-22)

Breaking

New

Security

Fixed

Documentation

Dependency

Deployment

Changed

v0.15.8 (2021-12-17)

Fixed

Documentation

Dependency

v0.15.7 (2021-11-15)

Fixed

Security

Documentation

v0.15.6 (2021-11-04)

Breaking

New

Fixed

Security

Documentation

Dependency

Deployment

Changed

v0.15.5 (2021-10-22)

New

Documentation

Deployment

v0.15.4 (2021-10-14)

New

Fixed

Documentation

v0.15.3 (2021-09-17)

New

Fixed

Documentation

Changed

v0.15.2 (2021-09-03)

New

Fixed

Documentation

v0.15.0 (2021-08-05)

Breaking

New

Fixed

Security

Documentation

Dependency

Changed

v0.14.8 (2021-08-26)

Security

Documentation

Dependency

Changed

v0.15.1 (2021-08-25)

Fixed