Changelog
0.23.0
New
- Set Request Headers has three new new token substitution values that it can send to upstream apps or services:
- Client certificate fingerprint (the short-form SHA-256 fingerprint of the presented client certificate)
- ID token (the OIDC ID token from the identity provider)
- Access token (the OAuth access token from the identity provider)
- Access Log Fields and Authorize Log Fields settings allow you to customize the values that are logged in the access and authorize logs.
- Cookies SameSite is now configurable in the Enterprise Console.
Breaking
- When using
set_request_headers
, to prevent a ‘$’ character from being treated as the start of a variable substitution, you may need to replace it with ‘$$’.
0.22.0
Security patch
- Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.
New
- Hosted Authenticate Service will now be used by default to handle single-sign-on. Pomerium hosts this service as a convenience to its users; no identity provider configuration or authenticate service url needs to be specified if the hosted authenticate service is used. Self-hosted authenticate service is still available for users who want to configure their own identity provider and authenticate service URL.
- Wildcard From Routes is a Beta support feature that allows you to define a wildcard route that points matching external routes to a single destination.
- RDS changes provide more consistent and linear memory performance that significantly reduces memory consumption, especially in environments with rapidly changing configurations.
Fixed
- Removes user references when a device credential is deleted
- Displays external data source link only if provider exists
Changed
- Adds additional DNS Lookup Families and defaults to V4_PREFERRED
- Requires a name when creating a Namespace
0.21.1
Fixed
- Fixes for UI errors saving empty headers, custom text fields, and more
New
- Pass TLS options to HTTP clients
Updated
- Remove device credential references from the user and session
0.21.0
Breaking
- Re-enroll devices and update device IDs due to non-forward compatible internal change
New
- Auto TLS support for Console and Databroker gRPC endpoints
- Client TLS renegotiation for upstream clusters
Fixed
- Fixes to the Enterprise Console's UI, builds, gRPC calls, and more
0.20.1
Fixed
- UI fixes and improvements to branding settings
0.20.0
Breaking
- Groups & Directory sync now managed and sourced from external data sources. See upgrading for details.
Fixed
- Dozens of UI fixes and improvements
- Fixed a bug in policy builder when using groups
- Performance improvements to generated metrics
Updated
- Envoy updated to v1.23.1
0.19.0
New
- Additional error details and policy debugging for Enterprise
- ACME TLS-ALPN support for autocert
- Branding customization for Enterprise
Updated
- Well-Known endpoint handler for Proxy
- Upgrade to Envoy 1.23.0
- Add virtual host domains for all certificates
- Use generic types for sets and atomics
Fixed
- Add CORS headers to JWKS endpoint
- Add authority header to outbound gRPC requests
- Remove not-null constraint on data column of record changes table
0.18.0
New
- Support for external data sources
- Simplified Kubernetes ingress controller
Updated
- Postgres databroker backend
- Upgrade to Envoy 1.21.1
- Data in the Authorize service is now queried on-demand
Fixed
- Various issues related to internal service URLs
- Error pages for forward auth
- Databroker in-memory backend deadlock
0.17.0
New
- Pomerium Enterprise now requires a valid license to start.
Updated
- Route and Policy screens have been redesigned for better UX.
0.16.0
New
- Devices: It is now possible to manage, enroll, approve, and write authorization policy for device identity.
- Signing keys can now be dynamically pulled from the Authenticate service's JWKS endpoint.
- Added the ability to write PPL policy for HTTP method and path contexts.
Updated
- Policies can now incorporate device identity and approval status.
- Routes certificate UI now shows the matching TLS certificate used.
- Routes now has Kubernetes service account token field
- Metric addresses are now shown in the runtime info dashboard.
- Envoy was upgraded to 1.20.1.
- The code editor now supports dark mode.
- Various UI style improvements and fixes.
Fixed
--tls-insecure-skip-verify
was not applied to databroker connections.- Fixed a bug in the host rewrite code (thank you @rankinc for reporting).
- Fixed a bug in the way timeout fields were being displayed.
- Fixed a bug in the way route header fields were being ordered.
Fixed
0.15.2
Fixed
- A regression in the
Deployments
page loading has been corrected.
0.15.1
Fixed
- Tracing settings now persist correctly.
Updated
- Support configuring multiple audiences for the console.
- Improved configuration validation.
- Various UI style improvements.
0.15.0
New
- Telemetry - View real time metrics and status from Pomerium components inside the Enterprise Console.
- More expressive policy syntax: Pomerium's new extended policy language allows more complex policies to be configured, along with non-identity based conditions for access.
- Support for Google Cloud Serverless configuration on routes.
- Support for SPDY configuration on routes.
- More consistent filtering and sorting across resource listing pages.
Updated
- Certificate Management - Certificates with overlapping SAN names are no longer permitted.
- Policies - New editing screen supports Wizard based, Text based or Rego based policy.
- Policies - Only global administrators may manage Rego based policies.
- Policies - Support time based criteria.
- Service Accounts - Simplified UI.
- Service Accounts - Support token expiration time.
- Service Accounts - Namespace support.
- Impersonation - Impersonation is now done on an individual session basis.
- Various other bug fixes and improvements.