diff --git a/VERSION b/VERSION index 4ea5cafac..7965b36d6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.8.0 \ No newline at end of file +v0.9.0 \ No newline at end of file diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js index ffe6f1059..c95b1db6b 100644 --- a/docs/.vuepress/config.js +++ b/docs/.vuepress/config.js @@ -46,10 +46,11 @@ module.exports = { { text: "Recipes", link: "/recipes/" }, { text: "Enterprise", link: "/enterprise/" }, { - text: "v0.8.x", // current tagged version + text: "v0.9.x", // current tagged version ariaLabel: "Version menu", items: [ { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" }, + { text: "v0.9.x", link: "https://0-9-0.docs.pomerium.io/docs" }, { text: "v0.8.x", link: "https://0-8-0.docs.pomerium.io/docs" }, { text: "v0.7.x", link: "https://0-7-0.docs.pomerium.io/docs" }, { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" }, diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index f69414904..058a72b46 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md 
@@ -1,5 +1,73 @@ # Changelog +## v0.9.0 + +### New + +- proxy: envoy is now used to handle proxying +- authenticate: add jwks and .well-known endpoint @desimone [GH-745] +- authorize: add client mTLS support @calebdoxsey [GH-751] + +### Fixed + +- cache: fix closing too early @calebdoxsey [GH-791] +- authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795] +- authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792] +- authenticate: clear session if ctx fails @desimone [GH-806] +- telemetry: fix autocache labels @travisgroth [GH-805] +- telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804] +- authorize: fix authorization panic caused by logging a nil reference @desimone [[GH-704]] + +### Changes + +- authenticate: remove authorize url validate check @calebdoxsey [GH-790] +- authorize: reduce log noise for empty jwt @calebdoxsey [GH-793] +- authorize: refactor and add additional unit tests @calebdoxsey [GH-757] +- envoy: add GRPC stats handler to control plane service @travisgroth [GH-744] +- envoy: enable zipkin tracing @travisgroth [GH-737] +- envoy: improvements to logging @calebdoxsey [GH-742] +- envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750] +- envoy: support ports in hosts for routing @calebdoxsey [GH-748] +- forward-auth: support x-forwarded-uri @calebdoxsey [GH-780] +- proxy/forward-auth: block expired request prior to 302 @desimone [GH-773] +- sessions/state: add nickname claim @BenoitKnecht [GH-755] +- state: infer user (`user`) from subject (`sub`) @desimone [GH-772] +- telemetry: refactor GRPC Server Handler @travisgroth [GH-756] +- telemetry: service label updates @travisgroth [GH-802] +- xds: add catch-all for pomerium routes @calebdoxsey [GH-789] +- xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783] + +### Documentation + +- docs: add mTLS recipe @calebdoxsey [GH-807] +- docs: add argo recipe @calebdoxsey [GH-803] +- docs: 
update dockerfiles for v0.9.0 @calebdoxsey [GH-801] +- docs: typo on configuration doc @kintoandar [GH-800] +- docs: docs regarding claim headers @strideynet [GH-782] +- docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784] +- docs: add note about unsupported platforms @calebdoxsey [GH-799] +- docs: expose config parameters in sidebar @travisgroth [GH-797] +- docs: update examples @travisgroth [GH-796] + +## v0.8.3 + +### Changes + +- state: infer user (`user`) from subject (`sub`) @desimone GH-772 +- proxy/forward-auth: block expired request prior to 302 @desimone GH-773 + +## v0.8.2 + +### Security + +This release includes a fix for a bug that, under certain circumstances, could allow a user with a valid but expired session to resend a request to an upstream application. The repeated request would not return a response, but could reach the upstream application. Thank you to @selaux for reporting this issue! [GH-762] + +## v0.8.1 + +### Fixed + +- authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704] + ## v0.8.0 To see a complete list of changes [see the diff](https://github.com/pomerium/pomerium/compare/v0.7.0...v0.8.0). diff --git a/docs/docs/releases.md b/docs/docs/releases.md index 3c41052e8..4a33b339d 100644 --- a/docs/docs/releases.md +++ b/docs/docs/releases.md 
@@ -9,12 +9,13 @@ Official binaries for OSX, Windows, and Linux can be found on our [Github Releas Pomerium is also distributed as a [minimal](https://github.com/GoogleContainerTools/distroless) [docker container](https://www.docker.com/resources/what-container). You can find Pomerium's images on [dockerhub](https://hub.docker.com/r/pomerium/pomerium). Pomerium can be pulled in several flavors and architectures. - `:vX.Y.Z`: which will pull the a [specific tagged release](https://github.com/pomerium/pomerium/tags). + ```bash $ docker run pomerium/pomerium:v0.1.0 --version v0.1.0+53bfa4e ``` -* `:latest`: which will pull the [most recent tagged release](https://github.com/pomerium/pomerium/releases). +- `:latest`: which will pull the [most recent tagged release](https://github.com/pomerium/pomerium/releases). ```bash $ docker pull pomerium/pomerium:latest && docker run pomerium/pomerium:latest --version @@ -55,6 +56,8 @@ To see difference between releases, please refer to the changelog and upgrading For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example: - [github@master](https://master.docs.pomerium.io/) +- [v0.9.0](https://0-9-0.docs.pomerium.io/) +- [v0.8.0](https://0-8-0.docs.pomerium.io/) - [v0.7.0](https://0-7-0.docs.pomerium.io/) - [v0.6.0](https://0-6-0.docs.pomerium.io/) - [v0.5.0](https://0-5-0.docs.pomerium.io/) diff --git a/docs/docs/upgrading.md b/docs/docs/upgrading.md index 668c70ef3..1a5c21b7b 100644 --- a/docs/docs/upgrading.md +++ b/docs/docs/upgrading.md 
@@ -15,20 +15,18 @@ description: >- ### Observability -- The `service` label on metrics and tracing no longer reflects the `Services` configuration option directly. `pomerium` will be used for all-in-one mode, and `pomerium-[service]` will - be used for distributed services +- The `service` label on metrics and tracing no longer reflects the `Services` configuration option directly. `pomerium` will be used for all-in-one mode, and `pomerium-[service]` will be used for distributed services #### Tracing -- Jaeger tracing support is no longer end-to-end in the proxy service. We recommend updating to the Zipkin provider for proper tracing support. Jaeger will continue to work but will not have coverage in the data plane. +- Jaeger tracing support is no longer end-to-end in the proxy service. We recommend updating to the Zipkin provider for proper tracing support. Jaeger will continue to work but will not have coverage in the data plane. - Option `tracing_debug` is no longer supported. Use `tracing_sampling_rate` instead. [Details](https://www.pomerium.io/configuration/#shared-tracing-settings). #### Metrics -With this release we now use an embedded [envoy](https://www.envoyproxy.io/) binary as our proxy server. +With this release we now use an embedded [envoy](https://www.envoyproxy.io/) binary as our proxy server. -- Due to this change, data plane metric names and labels have changed to - adopt envoy's internal data model. [Details](https://www.pomerium.io/configuration/#envoy-proxy-metrics) +- Due to this change, data plane metric names and labels have changed to adopt envoy's internal data model. [Details](https://www.pomerium.io/configuration/#envoy-proxy-metrics) # Since 0.7.0 diff --git a/docs/recipes/argo.md b/docs/recipes/argo.md index 5731be701..688dda9b7 100644 --- a/docs/recipes/argo.md +++ b/docs/recipes/argo.md 
@@ -5,13 +5,16 @@ meta: - name: keywords content: pomerium identity-access-proxy argo argo-cd description: >- - This guide covers how to add authentication and authorization to an instance of argo. + This guide covers how to add authentication and authorization to an instance + of argo. --- # Securing Argo + [Argo](https://argoproj.github.io/projects/argo) is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium. ## Install Argo + To install Argo in Kubernetes you can either follow the instructions [here](https://github.com/argoproj/argo/blob/master/docs/getting-started.md), or use [Helm](https://github.com/argoproj/argo-helm/tree/master/charts/argo). This guide will use the Helm chart. Run the following commands: @@ -29,15 +32,13 @@ kubectly apply \ --file https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml ``` -You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio -provide web-based GUIs. Confirm that Minio is working by running: +You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running: ```bash kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000 ``` -You should now be able to reach the Minio UI by accessing [http://localhost:9000/minio](http://localhost:9000/minio). -If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret: +You should now be able to reach the Minio UI by accessing . If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret: ```bash kubectl --namespace=kube-system get secret argo-minio -o yaml 
@@ -49,11 +50,11 @@ For now though, let's terminate the Minio `kubectl port-forward` and create one kubectl --namespace kube-system port-forward svc/argo-server 2746:2746 ``` -Visiting [http://localhost:2746](http://localhost:2746) should take you to the Argo Workflows dashboard. +Visiting should take you to the Argo Workflows dashboard. ## Install NGINX Ingress Controller -We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller. -To install it with Helm run the following commands: + +We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller. To install it with Helm run the following commands: ```bash helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx @@ -62,8 +63,8 @@ helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx ``` ## Install Pomerium -Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create -a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own): + +Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own): ```yaml config: @@ -103,4 +104,4 @@ You should now be able to reach argo by using `kubectl port-forward` with the NG kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443 ``` -And visit: [https://argo.localhost.pomerium.io/](https://argo.localhost.pomerium.io/). +And visit: . diff --git a/docs/recipes/mtls.md b/docs/recipes/mtls.md index e33266bf6..3204abaf7 100644 --- a/docs/recipes/mtls.md +++ b/docs/recipes/mtls.md 
@@ -5,9 +5,12 @@ meta: - name: keywords content: pomerium identity-access-proxy mtls client-certificate description: >- - This guide covers how to use Pomerium to implement mutual authentication (mTLS) using client certificates with a custom certificate authority. + This guide covers how to use Pomerium to implement mutual authentication + (mTLS) using client certificates with a custom certificate authority. --- + # Implementing mTLS With Pomerium + Secure communication on the web typically refers to using signed server certificates with the TLS protocol. TLS connections are both private and authenticated, preventing eavesdropping and impersonation of the server. To authenticate clients (users), we typically use an identity provider (IDP). Clients must login before they can access a protected endpoint. However the TLS protocol also supports mutual authenticate (mTLS) via signed client certificates. @@ -15,6 +18,7 @@ To authenticate clients (users), we typically use an identity provider (IDP). Cl As of version 0.9.0, Pomerium supports requiring signed client certificates with the `client_ca`/`client_ca_file` configuration options. This guide covers how to configure Pomerium to implement mutual authentication using client certificates with a custom certificate authority. ## Creating Certificates + We will use the `mkcert` application to create the certificates. To install `mkcert` follow the instructions on [Github](https://github.com/FiloSottile/mkcert#installation). For this guide the `localhost.pomerium.io` domain will be our root domain (all subdomains on `localhost.pomerium.io` point to `localhost`). First create a trusted root certificate authority: 
@@ -87,7 +91,7 @@ Before visiting the page in your browser we have one final step. Because `https://httpbin.localhost.pomerium.io:8443` now requires a client certificate to be accessed, we first need to install that client certificate in our browser. The following instructions are for Chrome, but client certificates are supported in all major browsers. -Go to [chrome://settings/certificates](chrome://settings/certificates): +Go to : ![chrome settings](./img/mtls/01-chrome-settings-certificates.png) @@ -105,6 +109,6 @@ You should see the `org-mkcert development certificate` in the list of your cert ## Using the Client Certificate -You can now visit **[https://httpbin.localhost.pomerium.io](https://httpbin.localhost.pomerium.io)** and you should be prompted to choose a client certificate: +You can now visit **** and you should be prompted to choose a client certificate: ![choose client certificate](./img/mtls/05-select-client-certificate.png) diff --git a/docs/recipes/readme.md b/docs/recipes/readme.md index 8a5719f43..a2d026962 100644 --- a/docs/recipes/readme.md +++ b/docs/recipes/readme.md 
@@ -6,4 +6,4 @@ This section contains applications, and scenario specific guides for Pomerium. - The [kubernetes](./kubernetes.md) guide covers how to add authentication and authorization to kubernetes dashboard using helm, and letsencrypt certificates. This guide also shows how third party reverse-proxies like nginx/traefik can be used in conjunction with pomerium using forward-auth. - The [visual studio code](./vs-code-server.md) guide demonstrates how pomerium can be used to add access control to third-party applications that don't ship with [fine-grained access control](https://github.com/cdr/code-server/issues/905). - The [argo](./argo.md) guide demonstrates how pomerium can be used to add access control to [Argo](https://argoproj.github.io/projects/argo). -- The [mTLS](./mtls.md) guide demonstates how pomerium can be used to add mutual authentication using client certificates and a custom certificate authority. +- The [mTLS](./mtls.md) guide demonstrates how pomerium can be used to add mutual authentication using client certificates and a custom certificate authority.
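Review bot: in the CHANGELOG hunk the v0.9.0 "Fixed" entry `authorize: fix authorization panic caused by logging a nil reference @desimone [[GH-704]]` has doubled brackets while every other entry uses a single `[GH-NNN]`, and the two v0.8.3 entries (`@desimone GH-772`, `@desimone GH-773`) carry no brackets at all; normalise these to `[GH-704]`, `[GH-772]` and `[GH-773]` so the issue references render the same way as the rest of the list. The `authorize: add client mTLS support @calebdoxsey [GH-751]` line would also help upgraders if it named the `client_ca`/`client_ca_file` options that the new mtls.md recipe in this same patch documents.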
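Review bot: in the releases.md hunk the unchanged context line `` - `:vX.Y.Z`: which will pull the a [specific tagged release] `` has a stray "the a"; since this hunk already reflows that list item, drop the extra article. The example beneath it still runs `docker run pomerium/pomerium:v0.1.0 --version` while this patch bumps VERSION to v0.9.0, so consider pointing the example at a current tag to avoid readers copying an old release.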
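Review bot: in the argo.md hunk starting `@@ -29,15 +32,13 @@` the replacement line reads `You should now be able to reach the Minio UI by accessing . If you're curious ...`, i.e. the `http://localhost:9000/minio` link from the removed line is gone entirely; if the intent was to swap the `[text](url)` form for a bare autolink, confirm the URL actually survives the formatter and renders in VuePress, otherwise restore the link. The hunk header context `kubectly apply \` also exposes a typo in the unchanged command (`kubectly` should be `kubectl`), which is worth fixing while this file is being touched.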
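Review bot: in the argo.md hunk starting `@@ -49,11 +50,11 @@` the new line `Visiting should take you to the Argo Workflows dashboard.` has lost the `http://localhost:2746` target that the removed line carried, and the `@@ -103,4 +104,4 @@` hunk does the same (`And visit: .` replaces the `https://argo.localhost.pomerium.io/` link); both sentences are unreadable without the URL, so either keep the `[url](url)` form or verify that the replacement autolink syntax is preserved end to end.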
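Review bot: in the mtls.md hunk starting `@@ -5,9 +5,12 @@` the unchanged context paragraph contains `the TLS protocol also supports mutual authenticate (mTLS)` and `Clients must login before they can access`; since the hunk is reformatting this introduction anyway, correct these to "mutual authentication (mTLS)" and "must log in" so the recipe's opening reads cleanly.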
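Review bot: in the mtls.md hunk starting `@@ -87,7 +91,7 @@` the new line `Go to :` drops the `chrome://settings/certificates` destination that the removed line had, leaving the browser instruction without a target; restore the URL (as plain code if the markdown link form was the problem, since `chrome://` is not a scheme most renderers autolink).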
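Review bot: in the mtls.md hunk starting `@@ -105,6 +109,6 @@` the new line `You can now visit **** and you should be prompted to choose a client certificate:` has an empty bold span where the removed line linked `https://httpbin.localhost.pomerium.io`; restore the address. Note also that the preceding context says `https://httpbin.localhost.pomerium.io:8443` now requires a client certificate, while the removed link omitted the `:8443` port, so when the URL is put back, use the same host and port throughout the recipe so the reader is actually sent to the mTLS-protected listener.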