v0.7.0

See (#576) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-10 15:47:36 +02:00 · 2020-04-04 20:45:48 -07:00 · 2020-04-04 20:45:48 -07:00 · d780281fc0
commit d780281fc0
parent d0acad597d
13 changed files with 177 additions and 74 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-v0.6.0
+v0.7.0
--- a/docs/.vuepress/config.js
+++ b/docs/.vuepress/config.js
@ -28,10 +28,11 @@ module.exports = {
      { text: "Enterprise", link: "/enterprise/" },
      {
-        text: "🚧Dev", // current tagged version
+        text: "v0.7.x", // current tagged version
        ariaLabel: "Version menu",
        items: [
          { text: "🚧Dev", link: "https://master.docs.pomerium.io/docs" },
          { text: "v0.7.x", link: "https://0-7-0.docs.pomerium.io/docs" },
          { text: "v0.6.x", link: "https://0-6-0.docs.pomerium.io/docs" },
          { text: "v0.5.x", link: "https://0-5-0.docs.pomerium.io/docs" },
          { text: "v0.4.x", link: "https://0-4-0.docs.pomerium.io/docs" },
--- a/docs/.vuepress/theme/components/Home.vue
+++ b/docs/.vuepress/theme/components/Home.vue
@ -3,24 +3,36 @@
    <header class="hero">
      <div class="section">
        <div class="content">
-          <h1 v-if="data.heroText !== null" id="main-title">{{ data.heroText || $title || 'Hello' }}</h1>
+          <h1 v-if="data.heroText !== null" id="main-title">
            {{ data.heroText || $title || "Hello" }}
          </h1>
-          <p
+          <p class="description">
-            class="description"
+            {{
-          >{{ data.tagline || $description || 'Welcome to your VuePress site' }}</p>
+              data.tagline || $description || "Welcome to your VuePress site"
            }}
          </p>
          <p class="action" v-if="data.actionText && data.actionLink">
            <NavLink class="action-button" :item="actionLink" />
          </p>
        </div>
-        <video v-if="data.heroImage" class="media" autoplay loop muted playsinline>
+        <video
          v-if="data.heroImage"
          class="media"
          autoplay
          loop
          muted
          playsinline
        >
          <source
            v-if="data.heroImage"
            :src="$withBase(data.heroImage)"
            :alt="data.heroAlt"
            type="video/mp4"
-          />Your browser does not support the video tag.
+          />
          Your browser does not support the video tag.
        </video>
        <form
          v-if="data.contactForm === true"
@ -45,13 +57,19 @@
              <input name="company" class="field" />
            </label>
          </fieldset>
-          <button class="nav-link action-button" type="submit">Get in touch</button>
+          <button class="nav-link action-button" type="submit">
            Get in touch
          </button>
        </form>
      </div>
    </header>
    <div class v-if="data.features && data.features.length">
-      <div class="features section" v-for="(feature, index) in data.features" :key="index">
+      <div
        class="features section"
        v-for="(feature, index) in data.features"
        :key="index"
      >
        <div class="feature">
          <img class="media" :src="$withBase(feature.src)" />
          <div class="content">
@ -65,7 +83,11 @@
    <div class v-if="data.triples && data.triples.length">
      <div class="triples">
        <div class="feature">
-          <div class="content" v-for="(feature, index) in data.triples" :key="index">
+          <div
            class="content"
            v-for="(feature, index) in data.triples"
            :key="index"
          >
            <img class="media" :src="$withBase(feature.src)" />
            <h2>{{ feature.title }}</h2>
            <p>{{ feature.text }}</p>
@ -75,7 +97,14 @@
    </div>
    <Content class="theme-default-content custom" />
-    <div class="footer" v-if="data.footer">{{ data.footer }}</div>
+    <div class="footer">
      <a href="https://www.netlify.com/">
        <img
          src="https://api.netlify.com/api/v1/badges/1853c996-a1f7-4545-b60c-612e8fca557c/deploy-status"
          alt="Deploy status badge"
        />
      </a>
    </div>
  </main>
 </template>
@ -358,13 +387,11 @@ export default {
      }
    }
  }
-
+}
 .footer {
-    padding: 2.5rem;
+    padding: 0.75rem;
    border-top: 1px solid $borderColor;
    text-align: center;
    color: lighten($textColor, 25%);
  }
  }
@media (max-width: $MQMobile) {
--- a/docs/configuration/examples/docker/basic.docker-compose.yml
+++ b/docs/configuration/examples/docker/basic.docker-compose.yml
@ -1,7 +1,7 @@
 version: "3"
 services:
  pomerium:
-    image: pomerium/pomerium:latest
+    image: pomerium/pomerium:v0.7.0
    environment:
      # Generate new secret keys. e.g. `head -c32 /dev/urandom | base64`
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
--- a/docs/configuration/examples/docker/nginx.docker-compose.yml
+++ b/docs/configuration/examples/docker/nginx.docker-compose.yml
@ -12,7 +12,7 @@ services:
      - /var/run/docker.sock:/tmp/docker.sock:ro
  pomerium-authenticate:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authenticate
@ -39,7 +39,7 @@ services:
      - 443
  pomerium-proxy:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=proxy
@ -61,7 +61,7 @@ services:
      - 443
  pomerium-authorize:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=authorize
@ -77,7 +77,7 @@ services:
      - 443
  pomerium-cache:
-    image: pomerium/pomerium:latest # or `build: .` to build from source
+    image: pomerium/pomerium:v0.7.0 # or `build: .` to build from source
    restart: always
    environment:
      - SERVICES=cache
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@ -1,5 +1,79 @@
 # Changelog
 ## v0.7.0
 ### New
 - \*: remove import path comments @desimone (#545)
 - authenticate: make callback path configurable @desimone (#493)
 - authenticate: return 401 for some specific error codes @cuonglm (#561)
 - authorization: log audience claim failure @desimone (#553)
 - authorize: use jwt instead of state struct @desimone (#514)
 - authorize: use opa for policy engine @desimone (#474)
 - cmd: add cli to generate service accounts @desimone (#552)
 - config: Expose and set default GRPC Server Keepalive Parameters @travisgroth (#509)
 - config: Make IDP_PROVIDER env var mandatory @mihaitodor (#536)
 - config: Remove superfluous Options.Checksum type conversions @travisgroth (#522)
 - gitlab/identity: change group unique identifier to ID @Lumexralph (#571)
 - identity: support oidc UserInfo Response @desimone (#529)
 - internal/cryptutil: standardize leeway to 5 mins @desimone (#476)
 - metrics: Add storage metrics @travisgroth (#554)
 ### Fixed
 - cache: add option validations @desimone (#468)
 - config: Add proper yaml tag to Options.Policies @travisgroth (#475)
 - ensure correct service name on GRPC related metrics @travisgroth (#510)
 - fix group impersonation @desimone (#569)
 - fix sign-out bug , fixes #530 @desimone (#544)
 - proxy: move set request headers before handle allow public access @ohdarling (#479)
 - use service port for session audiences @travisgroth (#562)
 ### Documentation
 - fix `the` typo @ilgooz (#566)
 - fix kubernetes dashboard recipe docs @desimone (#504)
 - make from source quickstart @desimone (#519)
 - update background @desimone (#505)
 - update helm for v3 @desimone (#469)
 - various fixes @desimone (#478)
 - fix cookie_domain @nitper (#472)
 ### Dependency
 - chore(deps): update github.com/pomerium/autocache commit hash to 6c66ed5 @renovate (#480)
 - chore(deps): update github.com/pomerium/autocache commit hash to 227c993 @renovate (#537)
 - chore(deps): update golang.org/x/crypto commit hash to 0ec3e99 @renovate (#574)
 - chore(deps): update golang.org/x/crypto commit hash to 1b76d66 @renovate (#538)
 - chore(deps): update golang.org/x/crypto commit hash to 78000ba @renovate (#481)
 - chore(deps): update golang.org/x/crypto commit hash to 891825f @renovate (#556)
 - chore(deps): update module fatih/color to v1.9.0 @renovate (#575)
 - chore(deps): update module fsnotify/fsnotify to v1.4.9 @renovate (#539)
 - chore(deps): update module go.etcd.io/bbolt to v1.3.4 @renovate (#557)
 - chore(deps): update module go.opencensus.io to v0.22.3 @renovate (#483)
 - chore(deps): update module golang/mock to v1.4.0 @renovate (#470)
 - chore(deps): update module golang/mock to v1.4.3 @renovate (#540)
 - chore(deps): update module golang/protobuf to v1.3.4 @renovate (#485)
 - chore(deps): update module golang/protobuf to v1.3.5 @renovate (#541)
 - chore(deps): update module google.golang.org/api to v0.20.0 @renovate (#495)
 - chore(deps): update module google.golang.org/grpc to v1.27.1 @renovate (#496)
 - chore(deps): update module gorilla/mux to v1.7.4 @renovate (#506)
 - chore(deps): update module open-policy-agent/opa to v0.17.1 @renovate (#497)
 - chore(deps): update module open-policy-agent/opa to v0.17.3 @renovate (#513)
 - chore(deps): update module open-policy-agent/opa to v0.18.0 @renovate (#558)
 - chore(deps): update module prometheus/client_golang to v1.4.1 @renovate (#498)
 - chore(deps): update module prometheus/client_golang to v1.5.0 @renovate (#531)
 - chore(deps): update module prometheus/client_golang to v1.5.1 @renovate (#543)
 - chore(deps): update module rakyll/statik to v0.1.7 @renovate (#517)
 - chore(deps): update module rs/zerolog to v1.18.0 @renovate (#507)
 - chore(deps): update module yaml to v2.2.8 @renovate (#471)
 - ci: Consolidate matrix build parameters @travisgroth (#521)
 - dependency: use go mod redis @desimone (#528)
 - deployment: throw away golanglint-ci defaults @desimone (#439)
 - deployment: throw away golanglint-ci defaults @desimone (#439)
 - deps: enable automerge and set labels on renovate PRs @travisgroth (#527)
 - Roll back grpc to v1.25.1 @travisgroth (#484)
 ## v0.6.0
 ### New
--- a/docs/docs/identity-providers/azure.md
+++ b/docs/docs/identity-providers/azure.md
@ -58,7 +58,7 @@ Click on **Save** and the key will be displayed. **Make sure to copy the value o
 ![Creating a Key](./img/azure-create-key.png)
-Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://authenticate.corp.beyondperimeter.com/oauth2/callback`.
+Next you need to ensure that the Pomerium's Redirect URL is listed in allowed reply URLs for the created application. Navigate to **Azure Active Directory** -> **Apps registrations** and select your app. Then click **Settings** -> **Reply URLs** and add Pomerium's redirect URL. For example, `https://${authenticate_service_url}/oauth2/callback`.
 ![Add Reply URL](./img/azure-redirect-url.png)
--- a/docs/docs/identity-providers/google.md
+++ b/docs/docs/identity-providers/google.md
@ -28,9 +28,9 @@ Click the button on the banner to go to the consent screen configuration. If all
 On the **Create [Client ID]** page, select **Web application**. In the new fields that display, set the following parameters:
 | Field        | Description                                                              |
-| ------------------------ | -------------------------------------------------------------------------- |
+| ------------ | ------------------------------------------------------------------------ |
 | Name         | The name of your web app                                                 |
-| Authorized redirect URIs | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) |
+| Redirect URI | Redirect URL (e.g.`https://${authenticate_service_url}/oauth2/callback`) |
 ![Web App Credentials Configuration](./img/google-create-client-id-config.png)
--- a/docs/docs/identity-providers/okta.md
+++ b/docs/docs/identity-providers/okta.md
@ -22,10 +22,10 @@ On the **Create New Application** page, select the **Web** for your application.
 Next, provide the following information for your application settings:
 | Field                        | Description                                                               |
-| ---------------------------- | --------------------------------------------------------------------------- |
+| ---------------------------- | ------------------------------------------------------------------------- |
 | Name                         | The name of your application.                                             |
 | Base URIs (optional)         | The domain(s) of your application.                                        |
-| Login redirect URIs          | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`). |
+| Login redirect URIs          | Redirect URL (e.g.`https://${authenticate_service_url}/oauth2/callback`). |
 | Group assignments (optional) | The user groups that can sign in to this application.                     |
 | Grant type allowed           | **You must enable Refresh Token.**                                        |
--- a/docs/docs/identity-providers/one-login.md
+++ b/docs/docs/identity-providers/one-login.md
@ -16,7 +16,7 @@ On the App Configuration page, **name the app** and **select a logo**. Select **
 ![One Login select logo](./img/one-login-select-logo.png)
-Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${AUTHENTICATE_SERVICE_URL}/oauth2/callback`.
+Next, set set the **Redirect URI's** setting to be Pomerium's redirect url `https://${authenticate_service_url}/oauth2/callback`.
 ![One Login set callback url](./img/one-login-callback-url.png)
--- a/docs/docs/identity-providers/readme.md
+++ b/docs/docs/identity-providers/readme.md
@ -14,7 +14,7 @@ There are a few configuration steps required for identity provider integration.
 In this guide we'll cover how to do the following for each identity provider:
-1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium.
+1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium. For example, `https://${authenticate_service_url}/oauth2/callback`.
 2. Generate a **[Client ID]** and **[Client Secret]**.
 3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.
--- a/docs/docs/releases.md
+++ b/docs/docs/releases.md
@ -55,6 +55,7 @@ To see difference between releases, please refer to the changelog and upgrading
 For convenience, we maintain hosted documentation for each tagged release. The format for which is `https://{MAJOR}-{MINOR}-{PATCH}.docs.pomerium.io`. For example:
 - [github@master](https://master.docs.pomerium.io/)
 - [v0.7.0](https://0-7-0.docs.pomerium.io/)
 - [v0.6.0](https://0-6-0.docs.pomerium.io/)
 - [v0.5.0](https://0-5-0.docs.pomerium.io/)
 - [v0.4.0](https://0-4-0.docs.pomerium.io/)
--- a/docs/docs/upgrading.md
+++ b/docs/docs/upgrading.md
@ -5,22 +5,23 @@ description: >-
  for Pomerium. Please read it carefully.
 ---
-# Upgrade Guide
+# Since 0.6.0
-## Since 0.6.0
+## Breaking
-### Breaking
+### Getting user's identity
-#### Getting user's identity
+User detail headers ( `x-pomerium-authenticated-user-id` / `x-pomerium-authenticated-user-email` / `x-pomerium-authenticated-user-groups`) have been removed in favor of using the more secure, more data rich attestation jwt header (`x-pomerium-jwt-assertion`).
-User detail headers
+### Non-standard port users
 ( `x-pomerium-authenticated-user-id` / `x-pomerium-authenticated-user-email` / `x-pomerium-authenticated-user-groups`) have been removed in favor of using the more secure, more data rich attestation jwt header (`x-pomerium-jwt-assertion`).
-## Since 0.5.0
+Non-standard port users (e.g. those not using `443`/`80` where the port _would_ be part of the client's request) will have to clear their user's session before upgrading. Starting with version v0.7.0, audience (`aud`) and issuer (`iss`) claims will be port specific.
-### Breaking
+# Since 0.5.0
-#### New cache service
+## Breaking
 ### New cache service
 A back-end cache service was added to support session refreshing from [single-page-apps](https://en.wikipedia.org/wiki/Single-page_application).
@ -48,37 +49,37 @@ For a concrete example of the required changes, consider the following changes f
 Please see the updated examples, and [cache service docs] as a reference and for the available cache stores. For more details as to why this was necessary, please see [PR438](https://github.com/pomerium/pomerium/pull/438) and [PR457](https://github.com/pomerium/pomerium/pull/457).
-## Since 0.4.0
+# Since 0.4.0
-### Breaking
+## Breaking
-#### Subdomain requirement dropped
+### Subdomain requirement dropped
 - Pomerium services and managed routes are no longer required to be on the same domain-tree root. Access can be delegated to any route, on any domain (that you have access to, of course).
-#### Azure AD
+### Azure AD
 - Azure Active Directory now uses the globally unique and immutable`ID` instead of `group name` to attest a user's [group membership](https://docs.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http). Please update your policies to use group `ID` instead of group name.
-#### Okta
+### Okta
 - Okta no longer uses tokens to retrieve group membership. [Group membership](https://developer.okta.com/docs/reference/api/groups/) is now fetched using Okta's API.
 - Okta's group membership is now determined by the globally unique and immutable ID field. Please update your policies to use group `ID` instead of group name.
 - Okta now requires an additional set of credentials to be used to query for group membership set as a [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account).
-#### OneLogin
+### OneLogin
 - OneLogin [group membership](https://developers.onelogin.com/openid-connect/api/user-info) is now determined by the globally unique and immutable ID field. Please update your policies to use group `ID` instead of group name.
-#### Force Refresh Removed
+### Force Refresh Removed
 Force refresh has been removed from the dashboard. Logging out and back in again should have the equivalent desired effect.
-#### Programmatic Access API changed
+### Programmatic Access API changed
 Previous programmatic authentication endpoints (`/api/v1/token`) has been removed and has been replaced by a per-route, oauth2 based auth flow. Please see updated [programmatic documentation](https://www.pomerium.io/docs/reference/programmatic-access.html) how to use the new programmatic access api.
-#### Forward-auth route change
+### Forward-auth route change
 Previously, routes were verified by taking the downstream applications hostname in the form of a path `(e.g. ${forwardauth}/.pomerium/verify/httpbin.some.example`) variable. The new method for verifying a route using forward authentication is to pass the entire requested url in the form of a query string `(e.g. ${forwardauth}/.pomerium/verify?url=https://httpbin.some.example)` where the routed domain is the value of the `uri` key.
@ -91,14 +92,13 @@ For example, in nginx this would look like:
 -    nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
 +    nginx.ingress.kubernetes.io/auth-url: https://forwardauth.corp.example.com/verify?uri=$scheme://$host$request_uri
 +    nginx.ingress.kubernetes.io/auth-signin: https://forwardauth.corp.example.com?uri=$scheme://$host$request_uri
 ```
-## Since 0.3.0
+# Since 0.3.0
-### Breaking
+## Breaking
-#### Authorize Service URL no longer used in all-in-one mode
+### Authorize Service URL no longer used in all-in-one mode
 Pomerium no longer handles both gRPC and HTTPS traffic from the same network listener (port). As a result, all-in-one mode configurations will default to serving gRPC traffic over loopback on port `5443` and will serve HTTPS traffic as before on port `443`. In previous versions, it was recommended to configure authorize in this mode which will now break. The error will typically look something like:
@ -108,15 +108,15 @@ rpc error: code = DeadlineExceeded desc = latest connection error: connection cl
 To upgrade, simply remove the `AUTHORIZE_SERVICE_URL` setting.
-#### Removed Authenticate Internal URL
+### Removed Authenticate Internal URL
 The authenticate service no longer uses gRPC to do back channel communication. As a result, `AUTHENTICATE_INTERNAL_URL`/`authenticate_internal_url` is no longer required.
-#### No default certificate location
+### No default certificate location
 In previous versions, if no explicit certificate pair (in base64 or file form) was set, Pomerium would make a last ditch effort to check for certificate files (`cert.key`/`privkey.pem`) in the root directory. With the introduction of insecure server configuration, we've removed that functionality. If there settings for certificates and insecure server mode are unset, pomerium will give a appropriate error instead of a failed to find/open certificate error.
-#### Authorize service health-check is non-http
+### Authorize service health-check is non-http
 The Authorize service will no longer respond to `HTTP`-based healthcheck queries when run as a distinct service (vs all-in-one). As an alternative, you can used on TCP based checks. For example, if using [Kubernetes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-tcp-liveness-probe):
@ -134,31 +134,31 @@ livenessProbe:
  periodSeconds: 20
 ```
-### Non-breaking changes
+## Non-breaking changes
-#### All-in-one
+### All-in-one
 If service mode (`SERVICES`/`services`) is set to `all`, gRPC communication with the authorize service will by default occur over localhost, on port `:5443`.
-## Since 0.2.0
+# Since 0.2.0
 Pomerium `v0.3.0` has no known breaking changes compared to `v0.2.0`.
-## Since 0.1.0
+# Since 0.1.0
 Pomerium `v0.2.0` has no known breaking changes compared to `v0.1.0`.
-## Since 0.0.5
+# Since 0.0.5
 This page contains the list of deprecations and important or breaking changes for pomerium `v0.1.0` compared to `v0.0.5`. Please read it carefully.
-### Semantic versioning changes
+## Semantic versioning changes
 Starting with `v0.1.0` we've changed our [releases](https://semver.org/) are versioned (`MAJOR.MINOR.PATCH+GITHASH`). Planned, monthly releases will now bump `MINOR` and any security or stability releases required prior will bump `PATCH`.
 Please note however that we are still pre `1.0.0` so breaking changes can and will happen at any release though we will do our best to document them.
-### Breaking: Policy must be valid URLs
+## Breaking: Policy must be valid URLs
 Previously, it was allowable to define a policy without a schema (e.g. `http`/`https`). Starting with version `v0.1.0` all `to` and `from` [policy] URLS must contain valid schema and host-names. For example:
@ -186,15 +186,15 @@ policy:
    allow_public_unauthenticated_access: true
 ```
-## Since 0.0.4
+# Since 0.0.4
 This page contains the list of deprecations and important or breaking changes for pomerium `v0.0.5` compared to `v0.0.4`. Please read it carefully.
-### Breaking: POLICY_FILE removed
+## Breaking: POLICY_FILE removed
 Usage of the POLICY_FILE envvar is no longer supported. Support for file based policy configuration has been shifted into the new unified config file.
-### Important: Configuration file support added
+## Important: Configuration file support added
 - Pomerium now supports an optional -config flag. This flag specifies a file from which to read all configuration options. It supports yaml, json, toml and properties formats.
 - All options which can be specified via MY_SETTING style envvars can now be specified within your configuration file as key/value. The key is generally the same as the envvar name, but lower cased. See Reference Documentation for exact names.
@ -224,11 +224,11 @@ Usage of the POLICY_FILE envvar is no longer supported. Support for file based p
      timeout: 30s
  ```
-### Authenticate Internal Service Address
+## Authenticate Internal Service Address
 The configuration variable [Authenticate Internal Service URL] must now be a valid [URL](https://golang.org/pkg/net/url/#URL) type and contain both a hostname and valid `https` schema.
 [policy]: ../configuration/readme.md#policy
 [authenticate internal service url]: ../configuration/readme.md#authenticate-service-url
 [cache service docs]: ../configuration/readme.md#cache-service
 [policy]: ../configuration/readme.md#policy
 [split service example]: ../configuration/examples.md#distinct-services