Changes
- New "Admin roles" let you grant users granular permissions to the admin UI, for example to manage targets/users/roles/tickets. These are separate from the existing "Access roles".
  - Migration notes:
    - The admin UI is no longer its own "target" but rather a link on the top of the Warpgate landing page
    - Any user with an admin role assigned to them is now able to access the admin UI, with the corresponding restrictions
    - Existing users that are assigned to the warpgate:admin role will have a warpgate:admin superuser admin role assigned to them, so that there is no change in access after the update.
    - You can delete the old warpgate:admin access role if you have never used it for anything other than admin UI access.
- Added support for disabling the injected menu by @LarsSven in #1852
  - The new checkbox under Global Parameters lets you disable the injected session menu for HTTP targets. The users can still manually navigate back to /@warpgate to switch targets.
- AWS IAM auth in #1859
  - Experimental support for AWS IAM role authentication for SSH (EC2), EKS (Kubernetes) and MySQL and Postgres (RDS) targets.
- Automatically generate client certificate when using kubernetes targets by @LarsSven in #1795
  - The "Access instructions" dialog now offers a quick way to issue a new client certificate for Kubernetes targets as well as an option to store the certificate and the private key in the browser's storage. This allows the Warpgate frontend to generate a fully pre-configured kubeconfig file for the user, including the credentials.
- Rich audit logs in #1832
  - Audit-relevant events (such as role or credential changes as well as session start/end) are logged into a separate "audit" log stream - the Log page now offers a filter to view only audit logs. The new audit_retention config option controls a separate retention period for these log entries (12 months default).
- feat: add user role assignment expiry and history tracking by @mrmm in #1816
  - The new "edit" icon next to an active role assignment lets you add an expiry date.
- Add support for allowed_ip_range for users by @LarsSven in #1846
- fixed #1497 - separate external host settings per protocol in #1824
- Extend target search to include descriptions. Closes #1784 by @cvhariharan in #1791
- feat: Add HTTPRoute template to Helm chart by @solidassassin in #1756
Fixes
- fixed #1087 - detect port knocking in #1862
- fix(http): prioritize ?warpgate-target= query param over host-based domain binding by @aav in #1868
- fixed #1835 - support kubectl logs and portforward in #1875
- fix(ui): resolve config page layout regression caused by flex on main by @mrmm in #1851
- streamline x-forwarded header checks in #1858
- Use constant time comparison for admin tokens by @LarsSven in #1853
- perf(ui): improve admin log page with virtualization, buffer cap, and calmer polling by @pandeysambhi in #1838
- Send messages to SSH terminal synchronously by @LarsSven in #1830
- update Ticket model to use ID relations to user and target in #1839
- improvements(helm chart): fix setup job command line argument parsing failure due to trailing backslash and other improvements by @SachinMaharana in #1819
- fixed #1483 - apply SSH timeout settings to the SSH client as well in #1813
- #1414 - parse warpgate_roles claim from the token itself if present in #1811
- fixed #1785 - log queries fail on PostgreSQL in #1807
- Google sso role mapping fix by @SteezyCougar in #1712
- Warpgate should use subdomain if subdomain binding is enabled by @SteezyCougar in #1777
Misc
- OIDC integration tests in #1766
- ci: add Helm chart publish workflow by @SachinMaharana in #1794
- Dependency bumps & time crate migration in #1840
- Add database migration compatibility tests for PostgreSQL and MySQL by @Copilot in #1863
New Contributors
- @cvhariharan made their first contribution in #1791
- @solidassassin made their first contribution in #1756
- @SachinMaharana made their first contribution in #1794
- @pandeysambhi made their first contribution in #1838
- @aav made their first contribution in #1868
Full Changelog: v0.22.1...v0.23.0