3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 09:56:31 +02:00
Code Issues Projects Releases Packages Wiki Activity

add v0.29.0 release notes (#5515)

Browse source
This commit is contained in:
Denis Mishin 2025-04-08 11:34:20 -04:00 committed by GitHub
parent a1eb75a8fe
commit c7ffb95483
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 111 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

111
changelogs/v0.29.0.md Normal file
View file

@ -0,0 +1,111 @@
## What's Changed
### Breaking
- Enable seamless request tracing across multiple services with the new OTEL-based tracing system. Users can now easily configure and understand traces, with improved visibility into the flow of requests, even at low sample rates. All previously supported tracing methods are removed. ([@kralicky](https://github.com/kralicky) in [#5388](https://github.com/pomerium/pomerium/pull/5388)) and [#5447](https://github.com/pomerium/pomerium/pull/5447))
## New
- New `jwt_issuer_format` global setting. ([@kenjenkins](https://github.com/kenjenkins) in [#5519](https://github.com/pomerium/pomerium/pull/5519))
- Enable UDP routes with `CONNECT-UDP` tunneling. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5390](https://github.com/pomerium/pomerium/pull/5390))
- HTTP/3 Support ([@calebdoxsey](https://github.com/calebdoxsey) in [#5349](https://github.com/pomerium/pomerium/pull/5349))
- Enable authorization errors to return a JSON response instead of HTML, providing a cleaner and more consistent error format for developers using gRPC services. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5400](https://github.com/pomerium/pomerium/pull/5400) (ENG-1750))
- Prevent false positive vulnerability reports by only generating a fallback certificate when no other certificate is configured, minimizing unnecessary certificate generation. ([@kenjenkins](https://github.com/kenjenkins) in [#5250](https://github.com/pomerium/pomerium/pull/5250))
- Enable precise control over user group claims in JWTs by allowing filtering of groups either globally or per route. This enhancement helps reduce excessive group lists, preventing large headers that can disrupt upstream services while maintaining the integrity of signed JWTs. ([@kenjenkins](https://github.com/kenjenkins) in [#5417](https://github.com/pomerium/pomerium/pull/5417) (ENG-1802))
- Enable core Pomerium to access the original PPL policy by adding a `source_ppl` field to the configuration, ensuring better introspection and compatibility with the Routes Portal. This enhancement allows the raw PPL to be passed alongside the generated Rego, providing more comprehensive policy visibility. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5419](https://github.com/pomerium/pomerium/pull/5419) (ENG-1832))
* importutil: refactor GenerateRouteNames to allow for protobuf or config routes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5427
- Add names, descriptions, and logos to routes, enhancing route cards with clear identifiers and visual appeal. Enjoy a more informative and engaging interface with route-specific icons and descriptions, and easily connect to services with direct links or command instructions. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5424](https://github.com/pomerium/pomerium/pull/5424) (ENG-1833))
- Enhance Directory Group query performance by introducing a cache warming feature that preloads records, significantly reducing delays and timeouts. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5439](https://github.com/pomerium/pomerium/pull/5439) (ENG-1915))
- Access your available routes through a new JSON endpoint at `/.pomerium/api/v1/routes`, providing a list tailored to your permissions. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5428](https://github.com/pomerium/pomerium/pull/5428) (ENG-1845))
- Discover available routes with a new HTML page that displays each accessible route as a card. This intuitive interface makes navigation and route management simpler and more efficient. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5443](https://github.com/pomerium/pomerium/pull/5443) (ENG-1871))
- Discover and display site logos automatically by fetching and embedding favicons from destination addresses, enhancing visual recognition and user experience. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5448](https://github.com/pomerium/pomerium/pull/5448))
- Enhance user experience with new icons for well-known services, making it easier to identify them at a glance. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5453](https://github.com/pomerium/pomerium/pull/5453))
- Enable dynamic configuration reloading by handling `SIGHUP` signals, allowing updates without restarting the application. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5459](https://github.com/pomerium/pomerium/pull/5459))
- Enable customization of the HTTP/3 advertise port in the `Alt-Svc` header, enhancing flexibility for configurations using protobuf. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5466](https://github.com/pomerium/pomerium/pull/5466))
- Authenticate using IdP access and identity tokens, with initial support for Azure AD access tokens. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5484](https://github.com/pomerium/pomerium/pull/5484) (ENG-2001, ENG-2001))
- Improve file management by setting consistent default directories and logging errors when directory environment variables are unset. Ensure file writes are atomic to prevent redundancy and potential file conflicts, enhancing reliability and reducing clutter in temporary storage. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5477](https://github.com/pomerium/pomerium/pull/5477))
- Enhance performance by reducing redundant session creation for identical IdP tokens. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5491](https://github.com/pomerium/pomerium/pull/5491) (ENG-2025, ENG-2025))
- Enhance PPL logic with new `not` and `exclude` operators, allowing more flexible string and list matching. Define more precise permissions by excluding specific domains or groups in your policy configurations. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5490](https://github.com/pomerium/pomerium/pull/5490) (ENG-2030, ENG-2030))
* Support loading idp token sessions in the proxy service by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5488
* Handle long names in the cards for route portal by @nhayfield in https://github.com/pomerium/pomerium/pull/5514
### Fixes
- Ensure the "groups" claim in JWTs is serialized as an empty list instead of JSON null, improving compatibility with third-party libraries. ([@kenjenkins](https://github.com/kenjenkins) in [#5394](https://github.com/pomerium/pomerium/pull/5394))
- Ensure complete and accurate metrics output by properly flushing the buffered writer. ([@kenjenkins](https://github.com/kenjenkins) in [#5398](https://github.com/pomerium/pomerium/pull/5398))
- Ensure custom branding settings are consistently applied across all pages, even when using multiple configuration sources. This resolves an issue where core pages were not displaying the correct branding when using an ingress controller, ensuring a uniform appearance with your chosen colors and logo. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5401](https://github.com/pomerium/pomerium/pull/5401) (ENG-1766))
- Ensure the HTTP redirect server properly uses the proxy protocol when configured. ([@calebdoxsey](https://github.com/calebdoxsey) in [#5405](https://github.com/pomerium/pomerium/pull/5405))
- Ensure that logo URLs containing `%` signs are correctly processed, preventing configuration errors in Envoy. This fix allows branding options with special characters to be used without causing issues. ([@kenjenkins](https://github.com/kenjenkins) in [#5460](https://github.com/pomerium/pomerium/pull/5460) (ENG-1958))
- Fix the `identity_manager_last_session_refresh_errors` metrics view. ([@kenjenkins](https://github.com/kenjenkins) in [#5543](https://github.com/pomerium/pomerium/pull/5543))
- Reduce memory usage during metrics output by @wasaga in https://github.com/pomerium/pomerium/pull/5530
- Ensure Pomerium in Zero mode can connect to the cloud control plane using `HTTPS_PROXY` egress proxy by @wasaga in https://github.com/pomerium/pomerium/pull/5520
### Changed
* authorize: enable WaitForReady on databroker query requests by @kralicky in https://github.com/pomerium/pomerium/pull/5415
* authorize: filter only by group ID by @kenjenkins in https://github.com/pomerium/pomerium/pull/5437
* authorize: log JWT groups filtering by @kenjenkins in https://github.com/pomerium/pomerium/pull/5432
* authorize: remove audit logging by @wasaga in https://github.com/pomerium/pomerium/pull/5369
* authorize: remove unused mutex by @wasaga in https://github.com/pomerium/pomerium/pull/5442
* authorize: remove wait for ready by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5376
* authorize: return 403 on invalid sessions by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5536
* chore(deps): bump golang.org/x/net from 0.31.0 to 0.33.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5404
* config: add internal_address_config to address deprecation warning by @kralicky in https://github.com/pomerium/pomerium/pull/5425
* config: add new OTLP tracing fields by @kenjenkins in https://github.com/pomerium/pomerium/pull/5421
* config: add options to adjust databroker lease ttl, and retry initial interval by @kralicky in https://github.com/pomerium/pomerium/pull/5391
* config: adjust envoy otel trace batching settings to match go sdk by @kralicky in https://github.com/pomerium/pomerium/pull/5446
* config: fix JWT groups filter option by @kenjenkins in https://github.com/pomerium/pomerium/pull/5429
* config: preserve existing user when creating sessions from idp token by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5502
* config: reimplement file watcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5498
* config: set default tracing sample rate to 1.0 by @kralicky in https://github.com/pomerium/pomerium/pull/5422
* config: support emails from directory user by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5504
* envoy: enable extended connect by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5387
* get-envoy: allow downloading a specific os/arch by @kralicky in https://github.com/pomerium/pomerium/pull/5499
* identity: disable session refresh for idp token sessions, fix query cache invalidation by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5495
* internal: cleanup headers by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5408
* internal: fix dependencies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5450
* internal: fix reporter client context on config change by @kralicky in https://github.com/pomerium/pomerium/pull/5392
* internal: Fix trace client update by @kralicky in https://github.com/pomerium/pomerium/pull/5480
* internal: improve port allocation by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5485
* internal: pgx client tracing by @kralicky in https://github.com/pomerium/pomerium/pull/5438
* internal: remove noisy logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5501
* internal: replace xxhash with xxh3 by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5457
* metrics: restore global registry in unit tests by @kenjenkins in https://github.com/pomerium/pomerium/pull/5399
* proxy: add short timeout for logo discovery by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5506
* proxy: disable HTTP2 `CONNECT` for websockets by @wasaga in https://github.com/pomerium/pomerium/pull/5516
* proxy: fix connect command in routes portal by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5475
* proxy: fix routes portal error message by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5476
* proxy: minor cleanup in GenerateCatchAllCertificate by @kenjenkins in https://github.com/pomerium/pomerium/pull/5397
* proxy: only enable IPv6 addresses in the Envoy if IPv6 is enabled by @wasaga in https://github.com/pomerium/pomerium/pull/5538
* testenv: avoid dns lookups for *.localhost.pomerium.io by @kralicky in https://github.com/pomerium/pomerium/pull/5372
* testenv: embedded envoy cpu/memory profiling config by @kralicky in https://github.com/pomerium/pomerium/pull/5377
* testenv: fix testcontainers docker client using the global tracer provider by @kralicky in https://github.com/pomerium/pomerium/pull/5440
* tests: Fix small timeout causing test flake by @kralicky in https://github.com/pomerium/pomerium/pull/5436
* tests: remove test code from config/options_test.go by @kralicky in https://github.com/pomerium/pomerium/pull/5423
* tracing: add missing check for otel_exporter_otlp_endpoint in envoy trace config by @kralicky in https://github.com/pomerium/pomerium/pull/5472
* tracing: handle empty protocol by @kralicky in https://github.com/pomerium/pomerium/pull/5474
### Dependency Updates
* chore(deps): bump the github-actions group with 4 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5383
* chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5382
* chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5380
* chore(deps): bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2 by @dependabot in https://github.com/pomerium/pomerium/pull/5384
* chore(deps): bump the go group across 1 directory with 26 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5385
* chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5373
* chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5396
* chore(deps): bump busybox from `db142d4` to `2919d01` in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5414
* chore(deps): bump the go group with 27 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5412
* chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5413
* chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5464
* chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5463
* chore(deps): bump the github-actions group with 14 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5462
* upgrade x/oauth2 from v0.24.0 to v0.27.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5493
* chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 by @dependabot in https://github.com/pomerium/pomerium/pull/5505
* chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @dependabot in https://github.com/pomerium/pomerium/pull/5496
* chore(deps-dev): bump esbuild from 0.21.1 to 0.25.0 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5478
* chore(deps): bump busybox from `a5d0ce4` to `498a000` in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5512
* chore(deps): bump the github-actions group with 7 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5510
* chore(deps): bump the go group across 1 directory with 44 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5511
* chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5509
## New Contributors
* @gaurdro made their first contribution in https://github.com/pomerium/pomerium/pull/5456
**Full Changelog**: https://github.com/pomerium/pomerium/compare/v0.28.0...v0.29.0