pomerium/changelogs/v0.29.0.md

What's Changed

Breaking

• Enable seamless request tracing across multiple services with the new OTEL-based tracing system. Users can now easily configure and understand traces, with improved visibility into the flow of requests, even at low sample rates. All previously supported tracing methods are removed. (@kralicky in #5388) and #5447)

New

• New jwt_issuer_format global setting. (@kenjenkins in #5519)
• Enable UDP routes with CONNECT-UDP tunneling. (@calebdoxsey in #5390)
• HTTP/3 Support (@calebdoxsey in #5349)
• Enable authorization errors to return a JSON response instead of HTML, providing a cleaner and more consistent error format for developers using gRPC services. (@calebdoxsey in #5400 (ENG-1750))
• Prevent false positive vulnerability reports by only generating a fallback certificate when no other certificate is configured, minimizing unnecessary certificate generation. (@kenjenkins in #5250)
• Enable precise control over user group claims in JWTs by allowing filtering of groups either globally or per route. This enhancement helps reduce excessive group lists, preventing large headers that can disrupt upstream services while maintaining the integrity of signed JWTs. (@kenjenkins in #5417 (ENG-1802))
• Enable core Pomerium to access the original PPL policy by adding a source_ppl field to the configuration, ensuring better introspection and compatibility with the Routes Portal. This enhancement allows the raw PPL to be passed alongside the generated Rego, providing more comprehensive policy visibility. (@calebdoxsey in #5419 (ENG-1832))

• importutil: refactor GenerateRouteNames to allow for protobuf or config routes by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5427

• Add names, descriptions, and logos to routes, enhancing route cards with clear identifiers and visual appeal. Enjoy a more informative and engaging interface with route-specific icons and descriptions, and easily connect to services with direct links or command instructions. (@calebdoxsey in #5424 (ENG-1833))
• Enhance Directory Group query performance by introducing a cache warming feature that preloads records, significantly reducing delays and timeouts. (@calebdoxsey in #5439 (ENG-1915))
• Access your available routes through a new JSON endpoint at /.pomerium/api/v1/routes, providing a list tailored to your permissions. (@calebdoxsey in #5428 (ENG-1845))
• Discover available routes with a new HTML page that displays each accessible route as a card. This intuitive interface makes navigation and route management simpler and more efficient. (@calebdoxsey in #5443 (ENG-1871))
• Discover and display site logos automatically by fetching and embedding favicons from destination addresses, enhancing visual recognition and user experience. (@calebdoxsey in #5448)
• Enhance user experience with new icons for well-known services, making it easier to identify them at a glance. (@calebdoxsey in #5453)
• Enable dynamic configuration reloading by handling SIGHUP signals, allowing updates without restarting the application. (@calebdoxsey in #5459)
• Enable customization of the HTTP/3 advertise port in the Alt-Svc header, enhancing flexibility for configurations using protobuf. (@calebdoxsey in #5466)
• Authenticate using IdP access and identity tokens, with initial support for Azure AD access tokens. (@calebdoxsey in #5484 (ENG-2001, ENG-2001))
• Improve file management by setting consistent default directories and logging errors when directory environment variables are unset. Ensure file writes are atomic to prevent redundancy and potential file conflicts, enhancing reliability and reducing clutter in temporary storage. (@calebdoxsey in #5477)
• Enhance performance by reducing redundant session creation for identical IdP tokens. (@calebdoxsey in #5491 (ENG-2025, ENG-2025))
• Enhance PPL logic with new not and exclude operators, allowing more flexible string and list matching. Define more precise permissions by excluding specific domains or groups in your policy configurations. (@calebdoxsey in #5490 (ENG-2030, ENG-2030))

• Support loading idp token sessions in the proxy service by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5488
• Handle long names in the cards for route portal by @nhayfield in https://github.com/pomerium/pomerium/pull/5514

Fixes

• Ensure the "groups" claim in JWTs is serialized as an empty list instead of JSON null, improving compatibility with third-party libraries. (@kenjenkins in #5394)
• Ensure complete and accurate metrics output by properly flushing the buffered writer. (@kenjenkins in #5398)
• Ensure custom branding settings are consistently applied across all pages, even when using multiple configuration sources. This resolves an issue where core pages were not displaying the correct branding when using an ingress controller, ensuring a uniform appearance with your chosen colors and logo. (@calebdoxsey in #5401 (ENG-1766))
• Ensure the HTTP redirect server properly uses the proxy protocol when configured. (@calebdoxsey in #5405)
• Ensure that logo URLs containing % signs are correctly processed, preventing configuration errors in Envoy. This fix allows branding options with special characters to be used without causing issues. (@kenjenkins in #5460 (ENG-1958))
• Fix the identity_manager_last_session_refresh_errors metrics view. (@kenjenkins in #5543)
• Reduce memory usage during metrics output by @wasaga in https://github.com/pomerium/pomerium/pull/5530
• Ensure Pomerium in Zero mode can connect to the cloud control plane using HTTPS_PROXY egress proxy by @wasaga in https://github.com/pomerium/pomerium/pull/5520

Changed

• authorize: enable WaitForReady on databroker query requests by @kralicky in https://github.com/pomerium/pomerium/pull/5415
• authorize: filter only by group ID by @kenjenkins in https://github.com/pomerium/pomerium/pull/5437
• authorize: log JWT groups filtering by @kenjenkins in https://github.com/pomerium/pomerium/pull/5432
• authorize: remove audit logging by @wasaga in https://github.com/pomerium/pomerium/pull/5369
• authorize: remove unused mutex by @wasaga in https://github.com/pomerium/pomerium/pull/5442
• authorize: remove wait for ready by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5376
• authorize: return 403 on invalid sessions by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5536
• chore(deps): bump golang.org/x/net from 0.31.0 to 0.33.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5404
• config: add internal_address_config to address deprecation warning by @kralicky in https://github.com/pomerium/pomerium/pull/5425
• config: add new OTLP tracing fields by @kenjenkins in https://github.com/pomerium/pomerium/pull/5421
• config: add options to adjust databroker lease ttl, and retry initial interval by @kralicky in https://github.com/pomerium/pomerium/pull/5391
• config: adjust envoy otel trace batching settings to match go sdk by @kralicky in https://github.com/pomerium/pomerium/pull/5446
• config: fix JWT groups filter option by @kenjenkins in https://github.com/pomerium/pomerium/pull/5429
• config: preserve existing user when creating sessions from idp token by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5502
• config: reimplement file watcher by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5498
• config: set default tracing sample rate to 1.0 by @kralicky in https://github.com/pomerium/pomerium/pull/5422
• config: support emails from directory user by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5504
• envoy: enable extended connect by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5387
• get-envoy: allow downloading a specific os/arch by @kralicky in https://github.com/pomerium/pomerium/pull/5499
• identity: disable session refresh for idp token sessions, fix query cache invalidation by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5495
• internal: cleanup headers by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5408
• internal: fix dependencies by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5450
• internal: fix reporter client context on config change by @kralicky in https://github.com/pomerium/pomerium/pull/5392
• internal: Fix trace client update by @kralicky in https://github.com/pomerium/pomerium/pull/5480
• internal: improve port allocation by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5485
• internal: pgx client tracing by @kralicky in https://github.com/pomerium/pomerium/pull/5438
• internal: remove noisy logs by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5501
• internal: replace xxhash with xxh3 by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5457
• metrics: restore global registry in unit tests by @kenjenkins in https://github.com/pomerium/pomerium/pull/5399
• proxy: add short timeout for logo discovery by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5506
• proxy: disable HTTP2 CONNECT for websockets by @wasaga in https://github.com/pomerium/pomerium/pull/5516
• proxy: fix connect command in routes portal by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5475
• proxy: fix routes portal error message by @calebdoxsey in https://github.com/pomerium/pomerium/pull/5476
• proxy: minor cleanup in GenerateCatchAllCertificate by @kenjenkins in https://github.com/pomerium/pomerium/pull/5397
• proxy: only enable IPv6 addresses in the Envoy if IPv6 is enabled by @wasaga in https://github.com/pomerium/pomerium/pull/5538
• testenv: avoid dns lookups for *.localhost.pomerium.io by @kralicky in https://github.com/pomerium/pomerium/pull/5372
• testenv: embedded envoy cpu/memory profiling config by @kralicky in https://github.com/pomerium/pomerium/pull/5377
• testenv: fix testcontainers docker client using the global tracer provider by @kralicky in https://github.com/pomerium/pomerium/pull/5440
• tests: Fix small timeout causing test flake by @kralicky in https://github.com/pomerium/pomerium/pull/5436
• tests: remove test code from config/options_test.go by @kralicky in https://github.com/pomerium/pomerium/pull/5423
• tracing: add missing check for otel_exporter_otlp_endpoint in envoy trace config by @kralicky in https://github.com/pomerium/pomerium/pull/5472
• tracing: handle empty protocol by @kralicky in https://github.com/pomerium/pomerium/pull/5474

Dependency Updates

• chore(deps): bump the github-actions group with 4 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5383
• chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5382
• chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5380
• chore(deps): bump github.com/quic-go/quic-go from 0.48.1 to 0.48.2 by @dependabot in https://github.com/pomerium/pomerium/pull/5384
• chore(deps): bump the go group across 1 directory with 26 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5385
• chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5373
• chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 by @dependabot in https://github.com/pomerium/pomerium/pull/5396
• chore(deps): bump busybox from db142d4 to 2919d01 in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5414
• chore(deps): bump the go group with 27 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5412
• chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5413
• chore(deps): bump the docker group in /.github with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5464
• chore(deps): bump the docker group with 3 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5463
• chore(deps): bump the github-actions group with 14 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5462
• upgrade x/oauth2 from v0.24.0 to v0.27.0 by @kenjenkins in https://github.com/pomerium/pomerium/pull/5493
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 by @dependabot in https://github.com/pomerium/pomerium/pull/5505
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @dependabot in https://github.com/pomerium/pomerium/pull/5496
• chore(deps-dev): bump esbuild from 0.21.1 to 0.25.0 in /ui by @dependabot in https://github.com/pomerium/pomerium/pull/5478
• chore(deps): bump busybox from a5d0ce4 to 498a000 in /.github in the docker group by @dependabot in https://github.com/pomerium/pomerium/pull/5512
• chore(deps): bump the github-actions group with 7 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5510
• chore(deps): bump the go group across 1 directory with 44 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5511
• chore(deps): bump the docker group with 2 updates by @dependabot in https://github.com/pomerium/pomerium/pull/5509

New Contributors

• @gaurdro made their first contribution in https://github.com/pomerium/pomerium/pull/5456

Full Changelog: https://github.com/pomerium/pomerium/compare/v0.28.0...v0.29.0