Changelog

0.24.0

Breaking

  • Removes support for the deprecated set_authorization_header setting. You can use the Set Request Headers setting to pass IdP tokens to upstream services in any header.

Security

  • Previously, the Enterprise Console logged gRPC calls and their payload data. This release removes payload data from the logs.

New

  • Now, you can configure device authentication using client certificates in the Enterprise Console's PPL builder.
  • Performance improvements with configuration and service account syncs.

Fixed

  • Various UI improvements, and a fix that prevents missing policy criteria when migrating routes.

Changed

  • Various Telemetry fixes in the Console.

0.23.0

New

  • Set Request Headers has three new token substitution values that it can send to upstream apps or services:
    • Client certificate fingerprint (the short-form SHA-256 fingerprint of the presented client certificate)
    • ID token (the OIDC ID token from the identity provider)
    • Access token (the OAuth access token from the identity provider)
  • Access Log Fields and Authorize Log Fields settings allow you to customize the values that are logged in the access and authorize logs.
  • Cookies SameSite is now configurable in the Enterprise Console.

Breaking

  • When using set_request_headers, a ‘$’ character is treated as the start of a variable substitution; to pass a literal ‘$’ you may need to replace it with ‘$$’.

0.22.0

Security patch

  • Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues disclosed in these packages. See the Go and Envoy release notes for more information.

New

  • Hosted Authenticate Service will now be used by default to handle single sign-on. Pomerium hosts this service as a convenience to its users; no identity provider configuration or authenticate service URL needs to be specified if the hosted authenticate service is used. The self-hosted authenticate service is still available for users who want to configure their own identity provider and authenticate service URL.
  • Wildcard From Routes is a Beta feature that allows you to define a wildcard route that points matching external routes to a single destination.
  • RDS changes provide more consistent and linear memory performance that significantly reduces memory consumption, especially in environments with rapidly changing configurations.

Fixed

  • Removes user references when a device credential is deleted
  • Displays external data source link only if provider exists

Changed

  • Adds additional DNS Lookup Families and defaults to V4_PREFERRED
  • Requires a name when creating a Namespace

0.21.1

Fixed

  • Fixes for UI errors saving empty headers, custom text fields, and more

New

  • Pass TLS options to HTTP clients

Updated

  • Remove device credential references from the user and session

0.21.0

Breaking

  • Devices must be re-enrolled and device IDs updated due to a non-forward-compatible internal change

New

  • Auto TLS support for Console and Databroker gRPC endpoints
  • Client TLS renegotiation for upstream clusters

Fixed

  • Fixes to the Enterprise Console's UI, builds, gRPC calls, and more

0.20.1

Fixed

  • UI fixes and improvements to branding settings

0.20.0

Breaking

  • Groups & Directory sync are now managed and sourced from external data sources. See the upgrading guide for details.

Fixed

  • Dozens of UI fixes and improvements
  • Fixed a bug in policy builder when using groups
  • Performance improvements to generated metrics

Updated

  • Envoy updated to v1.23.1

0.19.0

New

  • Additional error details and policy debugging for Enterprise
  • ACME TLS-ALPN support for autocert
  • Branding customization for Enterprise

Updated

  • Well-Known endpoint handler for Proxy
  • Upgrade to Envoy 1.23.0
  • Add virtual host domains for all certificates
  • Use generic types for sets and atomics

Fixed

  • Add CORS headers to JWKS endpoint
  • Add authority header to outbound gRPC requests
  • Remove not-null constraint on data column of record changes table

0.18.0

New

  • Support for external data sources
  • Simplified Kubernetes ingress controller

Updated

  • Postgres databroker backend
  • Upgrade to Envoy 1.21.1
  • Data in the Authorize service is now queried on-demand

Fixed

  • Various issues related to internal service URLs
  • Error pages for forward auth
  • Databroker in-memory backend deadlock

0.17.0

New

  • Pomerium Enterprise now requires a valid license to start.

Updated

  • Route and Policy screens have been redesigned for better UX.

0.16.0

New

  • Devices: It is now possible to manage, enroll, approve, and write authorization policy for device identity.
  • Signing keys can now be dynamically pulled from the Authenticate service's JWKS endpoint.
  • Added the ability to write PPL policy for HTTP method and path contexts.

Updated

  • Policies can now incorporate device identity and approval status.
  • Routes certificate UI now shows the matching TLS certificate used.
  • Routes now have a Kubernetes service account token field.
  • Metric addresses are now shown in the runtime info dashboard.
  • Envoy was upgraded to 1.20.1.
  • The code editor now supports dark mode.
  • Various UI style improvements and fixes.

Fixed

  • --tls-insecure-skip-verify was not applied to databroker connections.
  • Fixed a bug in the host rewrite code (thank you @rankinc for reporting).
  • Fixed a bug in the way timeout fields were being displayed.
  • Fixed a bug in the way route header fields were being ordered.

0.15.2

Fixed

  • A regression in the Deployments page loading has been corrected.

0.15.1

Fixed

  • Tracing settings now persist correctly.

Updated

  • Support configuring multiple audiences for the console.
  • Improved configuration validation.
  • Various UI style improvements.

0.15.0

New

  • Telemetry - View real-time metrics and status from Pomerium components inside the Enterprise Console.
  • More expressive policy syntax: Pomerium's new extended policy language allows more complex policies to be configured, along with non-identity-based conditions for access.
  • Support for Google Cloud Serverless configuration on routes.
  • Support for SPDY configuration on routes.
  • More consistent filtering and sorting across resource listing pages.

Updated

  • Certificate Management - Certificates with overlapping SAN names are no longer permitted.
  • Policies - New editing screen supports wizard-based, text-based, or Rego-based policies.
  • Policies - Only global administrators may manage Rego based policies.
  • Policies - Support time based criteria.
  • Service Accounts - Simplified UI.
  • Service Accounts - Support token expiration time.
  • Service Accounts - Namespace support.
  • Impersonation - Impersonation is now done on an individual session basis.
  • Various other bug fixes and improvements.