deployment: prepare 0.9.0 (#798)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

VERSION

@@ -1 +1 @@
-v0.8.0
+v0.9.0

docs/.vuepress/config.js

@@ -46,10 +46,11 @@ module.exports = {
       { text: "Recipes", link: "/recipes/" },
       { text: "Enterprise", link: "/enterprise/" },
       {
-        text: "v0.8.x", // current tagged version
+        text: "v0.9.x", // current tagged version
         ariaLabel: "Version menu",
         items: [
           { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" },
+          { text: "v0.9.x", link: "https://0-9-0.docs.pomerium.io/docs" },
           { text: "v0.8.x", link: "https://0-8-0.docs.pomerium.io/docs" },
           { text: "v0.7.x", link: "https://0-7-0.docs.pomerium.io/docs" },
           { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" },

docs/docs/CHANGELOG.md

@@ -1,5 +1,73 @@
 # Changelog
 
+## v0.9.0
+
+### New
+
+- proxy: envoy is now used to handle proxying
+- authenticate: add jwks and .well-known endpoint @desimone [GH-745]
+- authorize: add client mTLS support @calebdoxsey [GH-751]
+
+### Fixed
+
+- cache: fix closing too early @calebdoxsey [GH-791]
+- authenticate: fix insecure gRPC connection string default port @calebdoxsey [GH-795]
+- authenticate: fix user-info call for AWS cognito @calebdoxsey [GH-792]
+- authenticate: clear session if ctx fails @desimone [GH-806]
+- telemetry: fix autocache labels @travisgroth [GH-805]
+- telemetry: fix missing/incorrect grpc labels @travisgroth [GH-804]
+- authorize: fix authorization panic caused by logging a nil reference @desimone [[GH-704]]
+
+### Changes
+
+- authenticate: remove authorize url validate check @calebdoxsey [GH-790]
+- authorize: reduce log noise for empty jwt @calebdoxsey [GH-793]
+- authorize: refactor and add additional unit tests @calebdoxsey [GH-757]
+- envoy: add GRPC stats handler to control plane service @travisgroth [GH-744]
+- envoy: enable zipkin tracing @travisgroth [GH-737]
+- envoy: improvements to logging @calebdoxsey [GH-742]
+- envoy: remove 'accept-encoding' header from proxied metric requests @travisgroth [GH-750]
+- envoy: support ports in hosts for routing @calebdoxsey [GH-748]
+- forward-auth: support x-forwarded-uri @calebdoxsey [GH-780]
+- proxy/forward-auth: block expired request prior to 302 @desimone [GH-773]
+- sessions/state: add nickname claim @BenoitKnecht [GH-755]
+- state: infer user (`user`) from subject (`sub`) @desimone [GH-772]
+- telemetry: refactor GRPC Server Handler @travisgroth [GH-756]
+- telemetry: service label updates @travisgroth [GH-802]
+- xds: add catch-all for pomerium routes @calebdoxsey [GH-789]
+- xds: disable cluster validation to handle out-of-order updates @calebdoxsey [GH-783]
+
+### Documentation
+
+- docs: add mTLS recipe @calebdoxsey [GH-807]
+- docs: add argo recipe @calebdoxsey [GH-803]
+- docs: update dockerfiles for v0.9.0 @calebdoxsey [GH-801]
+- docs: typo on configuration doc @kintoandar [GH-800]
+- docs: docs regarding claim headers @strideynet [GH-782]
+- docs: update traefik example and add note about forwarded headers @calebdoxsey [GH-784]
+- docs: add note about unsupported platforms @calebdoxsey [GH-799]
+- docs: expose config parameters in sidebar @travisgroth [GH-797]
+- docs: update examples @travisgroth [GH-796]
+
+## v0.8.3
+
+### Changes
+
+- state: infer user (`user`) from subject (`sub`) @desimone GH-772
+- proxy/forward-auth: block expired request prior to 302 @desimone GH-773
+
+## v0.8.2
+
+### Security
+
+This release includes a fix for a bug that, under certain circumstances, could allow a user with a valid but expired session to resend a request to an upstream application. The repeated request would not return a response, but could reach the upstream application. Thank you to @selaux for reporting this issue! [GH-762]
+
+## v0.8.1
+
+### Fixed
+
+- authorize: fix authorization panic caused by logging a nil reference @desimone [GH-704]
+
 ## v0.8.0
 
 To see a complete list of changes [see the diff](https://github.com/pomerium/pomerium/compare/v0.7.0...v0.8.0).

docs/docs/releases.md

@@ -9,12 +9,13 @@ Official binaries for OSX, Windows, and Linux can be found on our [Github Releas
 Pomerium is also distributed as a [minimal](https://github.com/GoogleContainerTools/distroless) [docker container](https://www.docker.com/resources/what-container). You can find Pomerium's images on [dockerhub](https://hub.docker.com/r/pomerium/pomerium). Pomerium can be pulled in several flavors and architectures.
 
 - `:vX.Y.Z`: which will pull the a [specific tagged release](https://github.com/pomerium/pomerium/tags).
+
   ```bash
   $ docker run pomerium/pomerium:v0.1.0 --version
   v0.1.0+53bfa4e
   ```
 
-* `:latest`: which will pull the [most recent tagged release](https://github.com/pomerium/pomerium/releases).
+- `:latest`: which will pull the [most recent tagged release](https://github.com/pomerium/pomerium/releases).
 
   ```bash
   $ docker pull pomerium/pomerium:latest && docker run pomerium/pomerium:latest --version
@@ -55,6 +56,8 @@ To see difference between releases, please refer to the changelog and upgrading
 For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example:
 
 - [github@master](https://master.docs.pomerium.io/)
+- [v0.9.0](https://0-9-0.docs.pomerium.io/)
+- [v0.8.0](https://0-8-0.docs.pomerium.io/)
 - [v0.7.0](https://0-7-0.docs.pomerium.io/)
 - [v0.6.0](https://0-6-0.docs.pomerium.io/)
 - [v0.5.0](https://0-5-0.docs.pomerium.io/)

docs/docs/upgrading.md

@@ -15,20 +15,18 @@ description: >-
 
 ### Observability
 
-- The `service` label on metrics and tracing no longer reflects the `Services` configuration option directly.  `pomerium` will be used for all-in-one mode, and `pomerium-[service]` will
+- The `service` label on metrics and tracing no longer reflects the `Services` configuration option directly. `pomerium` will be used for all-in-one mode, and `pomerium-[service]` will be used for distributed services
-  be used for distributed services
 
 #### Tracing
 
-- Jaeger tracing support is no longer end-to-end in the proxy service. We recommend updating to the Zipkin provider for proper tracing support.  Jaeger will continue to work but will not have coverage in the data plane.
+- Jaeger tracing support is no longer end-to-end in the proxy service. We recommend updating to the Zipkin provider for proper tracing support. Jaeger will continue to work but will not have coverage in the data plane.
 - Option `tracing_debug` is no longer supported. Use `tracing_sampling_rate` instead. [Details](https://www.pomerium.io/configuration/#shared-tracing-settings).
 
 #### Metrics
 
 With this release we now use an embedded [envoy](https://www.envoyproxy.io/) binary as our proxy server.
 
-- Due to this change, data plane metric names and labels have changed to 
+- Due to this change, data plane metric names and labels have changed to adopt envoy's internal data model. [Details](https://www.pomerium.io/configuration/#envoy-proxy-metrics)
-  adopt envoy's internal data model.  [Details](https://www.pomerium.io/configuration/#envoy-proxy-metrics)
 
 # Since 0.7.0
 

docs/recipes/argo.md

@@ -5,13 +5,16 @@ meta:
   - name: keywords
     content: pomerium identity-access-proxy argo argo-cd
 description: >-
-  This guide covers how to add authentication and authorization to an instance of argo.
+  This guide covers how to add authentication and authorization to an instance
+  of argo.
 ---
 
 # Securing Argo
+
 [Argo](https://argoproj.github.io/projects/argo) is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.
 
 ## Install Argo
+
 To install Argo in Kubernetes you can either follow the instructions [here](https://github.com/argoproj/argo/blob/master/docs/getting-started.md), or use [Helm](https://github.com/argoproj/argo-helm/tree/master/charts/argo). This guide will use the Helm chart.
 
 Run the following commands:
@@ -29,15 +32,13 @@ kubectly apply \
     --file https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml
 ```
 
-You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio
+You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running:
-provide web-based GUIs. Confirm that Minio is working by running:
 
 ```bash
 kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
 ```
 
-You should now be able to reach the Minio UI by accessing [http://localhost:9000/minio](http://localhost:9000/minio).
+You should now be able to reach the Minio UI by accessing <http://localhost:9000/minio>. If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:
-If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:
 
 ```bash
 kubectl --namespace=kube-system get secret argo-minio -o yaml
@@ -49,11 +50,11 @@ For now though, let's terminate the Minio `kubectl port-forward` and create one
 kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
 ```
 
-Visiting [http://localhost:2746](http://localhost:2746) should take you to the Argo Workflows dashboard.
+Visiting <http://localhost:2746> should take you to the Argo Workflows dashboard.
 
 ## Install NGINX Ingress Controller
-We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller.
+
-To install it with Helm run the following commands:
+We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller. To install it with Helm run the following commands:
 
 ```bash
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
@@ -62,8 +63,8 @@ helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
 ```
 
 ## Install Pomerium
-Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create
+
-a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own):
+Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own):
 
 ```yaml
 config:
@@ -103,4 +104,4 @@ You should now be able to reach argo by using `kubectl port-forward` with the NG
 kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
 ```
 
-And visit: [https://argo.localhost.pomerium.io/](https://argo.localhost.pomerium.io/).
+And visit: <https://argo.localhost.pomerium.io/>.

docs/recipes/mtls.md

@@ -5,9 +5,12 @@ meta:
   - name: keywords
     content: pomerium identity-access-proxy mtls client-certificate
 description: >-
-  This guide covers how to use Pomerium to implement mutual authentication (mTLS) using client certificates with a custom certificate authority.
+  This guide covers how to use Pomerium to implement mutual authentication
+  (mTLS) using client certificates with a custom certificate authority.
 ---
+
 # Implementing mTLS With Pomerium
+
 Secure communication on the web typically refers to using signed server certificates with the TLS protocol. TLS connections are both private and authenticated, preventing eavesdropping and impersonation of the server.
 
 To authenticate clients (users), we typically use an identity provider (IDP). Clients must login before they can access a protected endpoint. However the TLS protocol also supports mutual authenticate (mTLS) via signed client certificates.
@@ -15,6 +18,7 @@ To authenticate clients (users), we typically use an identity provider (IDP). Cl
 As of version 0.9.0, Pomerium supports requiring signed client certificates with the `client_ca`/`client_ca_file` configuration options. This guide covers how to configure Pomerium to implement mutual authentication using client certificates with a custom certificate authority.
 
 ## Creating Certificates
+
 We will use the `mkcert` application to create the certificates. To install `mkcert` follow the instructions on [Github](https://github.com/FiloSottile/mkcert#installation).
 
 For this guide the `localhost.pomerium.io` domain will be our root domain (all subdomains on `localhost.pomerium.io` point to `localhost`). First create a trusted root certificate authority:
@@ -87,7 +91,7 @@ Before visiting the page in your browser we have one final step.
 
 Because `https://httpbin.localhost.pomerium.io:8443` now requires a client certificate to be accessed, we first need to install that client certificate in our browser. The following instructions are for Chrome, but client certificates are supported in all major browsers.
 
-Go to [chrome://settings/certificates](chrome://settings/certificates):
+Go to <chrome://settings/certificates>:
 
 ![chrome settings](./img/mtls/01-chrome-settings-certificates.png)
 
@@ -105,6 +109,6 @@ You should see the `org-mkcert development certificate` in the list of your cert
 
 ## Using the Client Certificate
 
-You can now visit **[https://httpbin.localhost.pomerium.io](https://httpbin.localhost.pomerium.io)** and you should be prompted to choose a client certificate:
+You can now visit **<https://httpbin.localhost.pomerium.io>** and you should be prompted to choose a client certificate:
 
 ![choose client certificate](./img/mtls/05-select-client-certificate.png)

docs/recipes/readme.md

@@ -6,4 +6,4 @@ This section contains applications, and scenario specific guides for Pomerium.
 - The [kubernetes](./kubernetes.md) guide covers how to add authentication and authorization to kubernetes dashboard using helm, and letsencrypt certificates. This guide also shows how third party reverse-proxies like nginx/traefik can be used in conjunction with pomerium using forward-auth.
 - The [visual studio code](./vs-code-server.md) guide demonstrates how pomerium can be used to add access control to third-party applications that don't ship with [fine-grained access control](https://github.com/cdr/code-server/issues/905).
 - The [argo](./argo.md) guide demonstrates how pomerium can be used to add access control to [Argo](https://argoproj.github.io/projects/argo).
-- The [mTLS](./mtls.md) guide demonstates how pomerium can be used to add mutual authentication using client certificates and a custom certificate authority.
+- The [mTLS](./mtls.md) guide demonstrates how pomerium can be used to add mutual authentication using client certificates and a custom certificate authority.