New
- databroker: store issued at timestamp with session #2173 (@calebdoxsey)
- config: add support for set_response_headers in a policy #2171 (@calebdoxsey)
- authenticate,proxy: add same site lax to cookies #2159 (@calebdoxsey)
- xds extended event #2158 (@wasaga)
- config: add client_crl #2157 (@calebdoxsey)
- config: add support for codec_type #2156 (@calebdoxsey)
- controlplane: save configuration events to databroker #2153 (@calebdoxsey)
- control plane: add request id to all error pages #2149 (@desimone)
- let pass custom dial opts #2144 (@wasaga)
- envoy: re-implement recommended defaults #2123 (@calebdoxsey)
- Drop tun.cfg.dstHost from jwtCacheKey #2115 (@bl0m1)
- config: remove validate side effects #2109 (@calebdoxsey)
- log context #2107 (@wasaga)
- databroker: add options for maximum capacity #2095 (@calebdoxsey)
- envoyconfig: move most bootstrap config to shared package #2088 (@calebdoxsey)
- envoy: refactor controlplane xds to new envoyconfig package #2086 (@calebdoxsey)
- config: rename headers to set_response_headers #2081 (@calebdoxsey)
- crypto: use actual bytes of shared secret, not the base64 encoded representation #2075 (@calebdoxsey)
- cryptutil: use bytes for hmac #2067 (@calebdoxsey)
- cryptutil: always use kek public id, add x509 support #2066 (@calebdoxsey)
- authorize: additional tracing, add benchmark for encryptor #2059 (@calebdoxsey)
- authorize: audit logging #2050 (@calebdoxsey)
- support host:port in metrics_address #2042 (@wasaga)
- databroker: return server version in Get #2039 (@wasaga)
- authorize: add databroker server and record version to result, force sync via polling #2024 (@calebdoxsey)
- protoutil: add generic transformer #2023 (@calebdoxsey)
- cryptutil: add envelope encryption w/key encryption key and data encryption key #2020 (@calebdoxsey)
- autocert: add metrics for renewal count, total and next expiration #2019 (@calebdoxsey)
- telemetry: add installation id #2017 (@calebdoxsey)
- config: use getters for certificates #2001 (@calebdoxsey)
- config: use getters for authenticate, signout and forward auth urls #2000 (@calebdoxsey)
- xds: use ALPN Auto config for upstream protocol when possible #1995 (@calebdoxsey)
- envoy: upgrade to v1.17.1 #1993 (@calebdoxsey)
- redis: add redis cluster support #1992 (@calebdoxsey)
- redis: add support for redis-sentinel #1991 (@calebdoxsey)
- authorize: set JWT to expire after 5 minutes #1980 (@calebdoxsey)
- identity: infer email from mail claim #1977 (@calebdoxsey)
- ping: identity and directory providers #1975 (@calebdoxsey)
- config: add rewrite_response_headers to protobuf #1962 (@calebdoxsey)
- config: add rewrite_response_headers option #1961 (@calebdoxsey)
- assets: use embed instead of statik #1960 (@calebdoxsey)
- config: log config source changes #1959 (@calebdoxsey)
- config: multiple endpoints for authorize and databroker #1957 (@calebdoxsey)
- telemetry: add process collector for envoy #1948 (@calebdoxsey)
- use build_info as liveness gauge metric #1940 (@wasaga)
- metrics: add TLS options #1939 (@calebdoxsey)
- identity: record metric for last refresh #1936 (@calebdoxsey)
- middleware: basic auth equalize lengths of input #1934 (@desimone)
- autocert: remove non-determinism #1932 (@calebdoxsey)
- config: add metrics_basic_auth option #1917 (@calebdoxsey)
- envoy: validate binary checksum #1908 (@calebdoxsey)
- config: support map of jwt claim headers #1906 (@calebdoxsey)
- Remove internal/protoutil. #1893 (@yegle)
- databroker: refactor databroker to sync all changes #1879 (@calebdoxsey)
- config: add CertificateFiles to FileWatcherSource list #1878 (@travisgroth)
- config: allow customization of envoy bootstrap admin options #1872 (@calebdoxsey)
- proxy: implement pass-through for authenticate backend #1870 (@calebdoxsey)
- authorize: move headers and jwt signing to rego #1856 (@calebdoxsey)
Fixed
- deployment: update alpine debug image dependencies #2154 (@travisgroth)
- authorize: refactor store locking #2151 (@calebdoxsey)
- databroker: store server version in backend #2142 (@calebdoxsey)
- authorize: audit log had duplicate "message" key #2141 (@desimone)
- httputil: fix SPDY support with reverse proxy #2134 (@calebdoxsey)
- envoyconfig: fix metrics ingress listener name #2124 (@calebdoxsey)
- authorize: fix empty sub policy arrays #2119 (@calebdoxsey)
- authorize: fix unsigned URL #2118 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2102 (@calebdoxsey)
- authorize: support arbitrary jwt claims #2106 (@github-actions[bot])
- xdsmgr: update resource versions on NACK #2093 (@calebdoxsey)
- config: don't change address value on databroker or authorize #2092 (@travisgroth)
- metrics_address should be optional parameter #2087 (@wasaga)
- propagate changes back from encrypted backend #2079 (@wasaga)
- config: use tls_custom_ca from policy when available #2077 (@calebdoxsey)
- databroker: remove unused installation id, close streams when backend is closed #2062 (@calebdoxsey)
- authenticate: fix default sign out url #2061 (@calebdoxsey)
- change require_proxy_protocol to use_proxy_protocol #2043 (@contrun)
- authorize: bypass data in rego for databroker data #2041 (@calebdoxsey)
- proxy: add nil check for fix-misdirected #2040 (@calebdoxsey)
- config: add headers to config proto #1996 (@calebdoxsey)
- Fix process cpu usage metric #1979 (@wasaga)
- cmd/pomerium: exit 0 for normal shutdown #1958 (@travisgroth)
- proxy: redirect to dashboard for logout #1944 (@calebdoxsey)
- config: fix redirect routes from protobuf #1930 (@travisgroth)
- google: fix default provider URL #1928 (@calebdoxsey)
- fix registry test #1911 (@wasaga)
- ci: pin goreleaser version #1900 (@travisgroth)
- onelogin: fix default scopes for v2 #1896 (@calebdoxsey)
- xds: fix misdirected script #1895 (@calebdoxsey)
- authenticate: validate origin of signout #1876 (@desimone)
- redis: fix deletion versioning #1871 (@calebdoxsey)
- options: header only applies to routes and authN #1862 (@desimone)
- controlplane: add global headers to virtualhost #1861 (@desimone)
- unique envoy cluster ids #1858 (@wasaga)
Security
- ci: remove codecov #2161 (@travisgroth)
- internal/envoy: always extract envoy #2160 (@travisgroth)
- deps: bump envoy to 1.17.2 #2113 (@travisgroth)
- deps: bump envoy to 1.17.2 #2114 (@github-actions[bot])
- proxy: restrict programmatic URLs to localhost #2049 (@travisgroth)
- authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out #2048 (@travisgroth)
Documentation
- docs: add inline instructions to generate signing-key #2164 (@desimone)
- docs: add info note to set_response_headers #2162 (@calebdoxsey)
- docs: mention alternative bearer token header format #2155 (@travisgroth)
- docs: upgrade notes on allowed_users by ID #2133 (@travisgroth)
- docs: add threat model to security page #2097 (@desimone)
- docs: update community slack link #2063 (@travisgroth)
- Update local-oidc.md #1994 (@dharmendrakariya)
- ping: add documentation #1976 (@calebdoxsey)
- docs: add JWT Verification w/Envoy guide #1974 (@calebdoxsey)
- Update data-storage.md #1941 (@TanguyPatte)
- docs: fix query param name #1920 (@calebdoxsey)
- docs: add breaking sa changes in v0.13 #1919 (@desimone)
- docs: add v0.13 to docs site menu #1913 (@travisgroth)
- docs: update changelog for v0.13.0 #1909 (@desimone)
- docs: update security policy #1897 (@desimone)
- docs: misc upgrade notes and changelog #1884 (@travisgroth)
- docs: add load balancing weight documentation #1883 (@travisgroth)
- docs: additional load balancing documentation #1875 (@travisgroth)
Dependency
- chore(deps): bump github.com/ory/dockertest/v3 from 3.6.3 to 3.6.5 #2168 (@dependabot[bot])
- chore(deps): bump github.com/prometheus/common from 0.21.0 to 0.23.0 #2167 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.6.0 to 0.6.1 #2166 (@dependabot[bot])
- chore(deps): bump github.com/open-policy-agent/opa from 0.27.1 to 0.28.0 #2165 (@dependabot[bot])
- use cached envoy #2132 (@wasaga)
- chore(deps): bump github.com/prometheus/common from 0.20.0 to 0.21.0 #2130 (@dependabot[bot])
- chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 0.5.1 to 0.6.0 #2129 (@dependabot[bot])
- chore(deps): bump google.golang.org/api from 0.44.0 to 0.45.0 #2128 (@dependabot[bot])
- chore(deps): bump github.com/caddyserver/certmagic from 0.12.0 to 0.13.0 #2074 (@dependabot[bot])
- chore(deps): bump github.com/go-redis/redis/v8 from 8.8.0 to 8.8.2 #2099 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.14.1 to 5.15.0 #2098 (@dependabot[bot])
- do not require project be in GOPATH/src #2078 (@wasaga)
- chore(deps): bump google.golang.org/api from 0.43.0 to 0.44.0 #2073 (@dependabot[bot])
- chore(deps): bump google.golang.org/grpc from 1.36.1 to 1.37.0 #2072 (@dependabot[bot])
- chore(deps): bump gopkg.in/auth0.v5 from 5.13.0 to 5.14.1 #2071 (@dependabot[bot])
- deps: switch from renovate to dependabot #2069 (@travisgroth)
- fix(deps): update module github.com/golang/protobuf to v1.5.2 #2057 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.1 #2056 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 6c239bb #2054 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 2e8d934 #2053 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 0fccb6f #2052 (@renovate[bot])
- skip REDIS cluster test if GOOS != linux #2045 (@wasaga)
- fix(deps): update module gopkg.in/auth0.v5 to v5.13.0 #2037 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.1 #2036 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.43.0 #2035 (@renovate[bot])
- fix(deps): update module github.com/rs/zerolog to v1.21.0 #2034 (@renovate[bot])
- fix(deps): update module github.com/prometheus/common to v0.20.0 #2033 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.8.0 #2032 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.3 #2031 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 679c6ae #2030 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to 22b0ada #2029 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to 61e0566 #2028 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 0c34fe9 #2027 (@renovate[bot])
- deps: bundle all patch upgrades in a single group #2016 (@travisgroth)
- fix(deps): update module google.golang.org/protobuf to v1.26.0 #2012 (@renovate[bot])
- fix(deps): update module github.com/prometheus/client_golang to v1.10.0 #2011 (@renovate[bot])
- fix(deps): update module github.com/google/btree to v1.0.1 #2010 (@renovate[bot])
- fix(deps): update module github.com/golang/protobuf to v1.5.1 #2009 (@renovate[bot])
- fix(deps): update module github.com/envoyproxy/protoc-gen-validate to v0.5.0 #2008 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.2 #2007 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 5f0e893 #2006 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to d523dce #2005 (@renovate[bot])
- fix(deps): update module google.golang.org/api to v0.42.0 #1989 (@renovate[bot])
- fix(deps): update module github.com/open-policy-agent/opa to v0.27.1 #1988 (@renovate[bot])
- fix(deps): update module github.com/hashicorp/go-multierror to v1.1.1 #1987 (@renovate[bot])
- fix(deps): update module contrib.go.opencensus.io/exporter/prometheus to v0.3.0 #1986 (@renovate[bot])
- chore(deps): update codecov/codecov-action action to v1.3.1 #1985 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 8812039 #1984 (@renovate[bot])
- fix(deps): update golang.org/x/oauth2 commit hash to cd4f82c #1983 (@renovate[bot])
- fix(deps): update golang.org/x/crypto commit hash to 513c2a4 #1982 (@renovate[bot])
- fix(deps): update module github.com/prometheus/procfs to v0.6.0 #1969 (@renovate[bot])
- fix(deps): update module github.com/google/go-cmp to v0.5.5 #1968 (@renovate[bot])
- fix(deps): update module github.com/go-redis/redis/v8 to v8.7.1 #1967 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to 9728d6b #1966 (@renovate[bot])
- fix(deps): update github.com/nsf/jsondiff commit hash to 6ea3239 #1965 (@renovate[bot])
- fix(deps): update module github.com/go-chi/chi to v5 #1956 (@renovate[bot])
- fix(deps): update module google.golang.org/grpc to v1.36.0 #1955 (@renovate[bot])
- fix(deps): update module go.opencensus.io to v0.23.0 #1954 (@renovate[bot])
- fix(deps): update module github.com/lithammer/shortuuid/v3 to v3.0.6 #1953 (@renovate[bot])
- chore(deps): update vuepress monorepo to v1.8.2 #1952 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.6.1 #1951 (@renovate[bot])
- fix(deps): update google.golang.org/genproto commit hash to ab064af #1950 (@renovate[bot])
- fix(deps): update golang.org/x/net commit hash to e18ecbb #1949 (@renovate[bot])
- chore(deps): update yaml v2 to v3 #1927 (@desimone)
- chore(deps): update vuepress monorepo to v1.8.1 #1891 (@renovate[bot])
- chore(deps): update module spf13/cobra to v1.1.3 #1890 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.40.0 #1889 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.1 #1888 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to e7f2df4 #1887 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 6667018 #1886 (@renovate[bot])
- chore(deps): update module auth0 to v5 #1868 (@renovate[bot])
- chore(deps): update module google.golang.org/api to v0.39.0 #1867 (@renovate[bot])
- chore(deps): update module go-redis/redis/v8 to v8.5.0 #1866 (@renovate[bot])
- chore(deps): update mikefarah/yq action to v4.5.0 #1865 (@renovate[bot])
- chore(deps): update google.golang.org/genproto commit hash to bba0dbe #1864 (@renovate[bot])
- chore(deps): update golang.org/x/oauth2 commit hash to 0101308 #1863 (@renovate[bot])
Deployment
- deployment: update get-envoy script and release hooks #2111 (@travisgroth)
- deployment: Publish OS packages to cloudsmith #2105 (@travisgroth)
- deployment: update get-envoy script and release hooks #2112 (@github-actions[bot])
- deployment: Publish OS packages to cloudsmith #2108 (@github-actions[bot])
- ci: cache build and test binaries #1938 (@desimone)
- ci: go 1.16.x, cached tests #1937 (@desimone)
Changed
- authorize: remove log #2122 (@calebdoxsey)
- config related metrics #2065 (@wasaga)
- proxy: support re-proxying request through control plane for kubernetes #2051 (@calebdoxsey)
- add default gitlab url #2044 (@contrun)
- Updating Doc for Pomerium-Dex Exercise #2018 (@dharmendrakariya)
- Add xff_num_trusted_hops config option #2003 (@ntoofu)
- envoy: restrict permissions on embedded envoy binary #1999 (@calebdoxsey)
- ci: deploy master to integration environments #1973 (@travisgroth)
- oidc: use groups claim from ID token if present #1970 (@bonifaido)
- config: expose viper policy hooks #1947 (@calebdoxsey)
- ci: deploy latest release to test environment #1916 (@travisgroth)
- logs: strip query string #1894 (@calebdoxsey)
- in-memory service registry #1892 (@wasaga)
- controlplane: maybe fix flaky test #1873 (@calebdoxsey)
- remove generated code from code coverage metrics #1857 (@travisgroth)