Releases: pomerium/ingress-controller
v0.27.0
What's Changed
Core Pomerium changes: https://github.com/pomerium/pomerium/releases/tag/v0.27.0
New
Changed
- envoy: upgrade to v1.30.3 by @kenjenkins in #987
- deployment: set proxy service externalTrafficPolicy: Local by @wasaga in #1030
Dependency Updates
- runtime: upgrade Go to 1.23.0 @wasaga in #1024
- build(deps): bump distroless/base-debian12 from 8aa9165 to 8c26ef9 in the docker group by @dependabot in #967
- build(deps): bump the github-actions group with 4 updates by @dependabot in #964
- build(deps): bump the go group across 1 directory with 7 updates by @dependabot in #970
- build(deps): bump the github-actions group with 3 updates by @dependabot in #995
- build(deps): bump the go group with 4 updates by @dependabot in #996
- build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 by @dependabot in #1007
- build(deps): bump distroless/base-debian12 from 8c26ef9 to 8d946e4 in the docker group by @dependabot in #1019
- build(deps): bump the github-actions group with 7 updates by @dependabot in #1021
- build(deps): bump the go group with 2 updates by @dependabot in #1020
- build(deps): bump the go group with 3 updates by @dependabot in #1028
- build(deps): bump the github-actions group with 2 updates by @dependabot in #1026
Full Changelog: v0.26.2...v0.27.0
v0.26.2
v0.26.1
Security
This release includes multiple security updates:
- The Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. CVE-2024-39315. Credit to Vadim Sheydaev, aka Enr1g, for reporting this issue.
- This release also includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address multiple security issues:
- CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
- CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
- CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
- CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
- CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
- CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
- CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
- CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters
- The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library, which is vulnerable to GHSA-c5q2-7r4c-mv6g.
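A defender upgrading past the user info page issue above may want to confirm that the page no longer serializes session tokens. The following check is an added example, not code from the Pomerium project: it scans a captured response body for JWT-shaped strings and decodes them to see whether they carry OAuth2/OIDC claims (iss, exp). The sample bodies and token contents are constructed for the example.

```python
import base64
import json
import re

# JWT shape: three base64url segments joined by dots (signature may be short
# for unsigned tokens, so each segment only needs a handful of characters).
_JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def find_exposed_tokens(body: str) -> list[dict]:
    """Return header and payload claims for every JWT found in a response body."""
    found = []
    for match in _JWT_RE.finditer(body):
        header_b64, payload_b64, _sig = match.group(0).split(".")
        try:
            header = json.loads(_b64url_decode(header_b64))
            payload = json.loads(_b64url_decode(payload_b64))
        except ValueError:  # covers binascii.Error and JSONDecodeError
            continue  # dotted base64url-looking text that is not a JWT
        found.append({"header": header, "payload": payload})
    return found


def leaks_session_tokens(body: str) -> bool:
    """True if the body carries at least one JWT with OAuth2/OIDC-style claims."""
    return any("iss" in t["payload"] and "exp" in t["payload"]
               for t in find_exposed_tokens(body))


def _fake_jwt(header: dict, payload: dict) -> str:
    """Build an unsigned, JWT-shaped string (constructed test data only)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{'x' * 43}"


# Constructed sample bodies: one that wrongly embeds the session's ID token
# (the pre-fix behaviour described in the advisory) and one that does not.
SAMPLE_LEAKY_BODY = (
    '<pre>{"user":"alice@example.com","id_token":"'
    + _fake_jwt({"alg": "RS256", "typ": "JWT"},
                {"iss": "https://idp.example.com", "sub": "alice", "exp": 1720000000})
    + '"}</pre>'
)
SAMPLE_CLEAN_BODY = '<pre>{"user":"alice@example.com","groups":["dev"]}</pre>'
```

Feed it the body of an authenticated request to your own /.pomerium page after upgrading; a result of True means tokens are still being rendered.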
What's Changed
Changed
- envoy: upgrade to v1.30.3 by @kenjenkins in #989
- ci: set core to v0.26.1, set deployment tags by @kenjenkins in #998
Full Changelog: v0.26.0...v0.26.1
v0.26.0
Upgrading
kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.26.0
See docs for further details.
What's Changed
Breaking
- remove cookie secure option by @calebdoxsey in #872
- envoy: set explicit hostname on cluster endpoints by @kenjenkins in pomerium/pomerium#5018
New
Fixes
- fix disabled set response headers by @calebdoxsey in #877
Changed
- See summary of Pomerium Core changes: https://github.com/pomerium/pomerium/releases/tag/v0.26.0
- ingress-controller/ci: check docker base images by @calebdoxsey in #871
- docker: use distroless noroot user/group by @wasaga in #878
- logs: set default log level to info by @wasaga in #950
Dependency Updates
- go: upgrade Go to 1.22 by @wasaga in #898
- ingress-controller/mock: switch to uber mock by @calebdoxsey in #939
- envoy: upgrade to v1.30.1 by @kenjenkins in #943
- build(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in #883
- build(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in #893
- build(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 by @dependabot in #892
- build(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in #882
- build(deps): bump github.com/go-playground/validator/v10 from 10.16.0 to 10.17.0 by @dependabot in #884
- build(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in #885
- build(deps): bump actions/cache from 3.3.2 to 4.0.0 by @dependabot in #894
- deps: upgrade k8s api version and controller-runtime by @wasaga in #896
- build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in #916
- build(deps): bump github.com/gosimple/slug from 1.13.1 to 1.14.0 by @dependabot in #915
- build(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.0 by @dependabot in #913
- build(deps): bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.2 by @dependabot in #912
- build(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #908
- build(deps): bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #907
- build(deps): bump k8s.io/apimachinery from 0.29.0 to 0.29.2 by @dependabot in #909
- build(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in #901
- build(deps): bump distroless/base-debian12 from 8548e30 to 530b451 by @dependabot in #899
- build(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in #911
- build(deps): bump github.com/go-playground/validator/v10 from 10.17.0 to 10.18.0 by @dependabot in #914
- build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in #905
- build(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in #904
- build(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 by @dependabot in #902
- chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in #917
- build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot in #918
- build(deps): bump the docker group with 1 update by @dependabot in #920
- build(deps): bump the github-actions group with 2 updates by @dependabot in #921
- build(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.4 by @dependabot in #924
- build(deps): bump the github-actions group with 5 updates by @dependabot in #933
- build(deps): bump the docker group with 1 update by @dependabot in #934
- build(deps): bump the go group with 4 updates by @dependabot in #935
- build(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #940
- build(deps): bump the github-actions group with 3 updates by @dependabot in #948
- build(deps): bump the go group with 6 updates by @dependabot in #946
- build(deps): bump distroless/base-debian12 from 08baf3b to 8aa9165 in the docker group by @dependabot in #949
- Upgrade controller-runtime to v0.15.0 and k8s api to v0.30.0 by @kralicky in #953
New Contributors
Full Changelog: v0.25.2...v0.26.0
v0.25.2
v0.25.1
What's Changed
Changed
- config: fix disabled set response headers by @calebdoxsey in #877
- set core to v0.25.1 by @wasaga
Full Changelog: v0.25.0...v0.25.1
v0.25.0
Installation
To install, run the following command:
kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.25.0
Refer to the Pomerium Configuration Guide to complete your installation.
What's Changed
Breaking
- config: remove redis by @calebdoxsey in #835
New
- config: add global passIdentityHeaders option to the CRD by @calebdoxsey in #811
Changed
- docs: update pass_identity_headers option documentation link by @wasaga in #837
- manifests: installation manifests use newer Kustomize syntax by @wasaga in #864
Dependency Updates
- upgrade Pomerium Core to v0.25.0
- upgrade Go to 1.21 by @wasaga in #863
- upgrade github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #829
- upgrade golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in #823
- upgrade github.com/go-playground/validator/v10 from 10.15.4 to 10.16.0 by @dependabot in #822
- upgrade docker/metadata-action from 5.0.0 to 5.2.0 by @dependabot in #821
- upgrade distroless/base-debian12 from d53efe9 to d904990 by @dependabot in #819
- upgrade github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #817
- upgrade docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in #820
- upgrade github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in #827
- upgrade github.com/go-logr/zapr from 1.2.4 to 1.3.0 by @dependabot in #830
- upgrade github.com/spf13/viper from 1.16.0 to 1.18.0 by @dependabot in #832
- upgrade golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #838
- upgrade actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #854
- upgrade actions/setup-python from 4.7.1 to 5.0.0 by @dependabot in #853
- upgrade docker/metadata-action from 5.2.0 to 5.4.0 by @dependabot in #852
- upgrade github.com/go-logr/logr from 1.3.0 to 1.4.1 by @dependabot in #851
- upgrade github.com/spf13/viper from 1.18.0 to 1.18.2 by @dependabot in #849
- upgrade google.golang.org/protobuf from 1.31.0 to 1.32.0 by @dependabot in #847
- upgrade github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in #843
- upgrade distroless/base-debian12 from d904990 to 8548e30 by @dependabot in #841
- upgrade github.com/open-policy-agent/opa from 0.59.0 to 0.60.0 by @dependabot in #844
- upgrade google.golang.org/grpc from 1.59.0 to 1.60.1 by @dependabot in #846
- upgrade github.com/cloudflare/circl from 1.3.6 to 1.3.7 by @dependabot in #859
Full Changelog: v0.24.0...v0.25.0
v0.24.0
Installation
To install, run the following command:
kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.24.0
Refer to the Pomerium Configuration Guide to complete your installation.
What's Changed
Core Update
This release upgrades the core to v0.24. Performance improvements are observed specifically when configurations are driven by Pomerium Enterprise. These enhancements are particularly beneficial in environments with a high number of routes, certificates, and policies, or in dynamically changing configurations.
Memory Usage Reduction
Most users should observe less memory used compared to v0.23. Please see the related GitHub issue: pomerium/pomerium#4652.
Fixes
Dependency Updates
- Bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #749
- Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #748
- Bump tibdex/github-app-token from 1.8.0 to 1.8.2 by @dependabot in #746
- Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 by @dependabot in #747
- Bump github.com/open-policy-agent/opa from 0.55.0 to 0.56.0 by @dependabot in #741
- Bump github.com/go-playground/validator/v10 from 10.15.1 to 10.15.3 by @dependabot in #738
- Bump distroless/base from de8fb01 to 6691be5 by @dependabot in #737
- Bump golang from 1.20.6 to 1.21.0 by @dependabot in #736
- Bump node from 3801c22 to f41231b by @dependabot in #735
- Bump node from f41231b to 2daec43 by @dependabot in #770
- Bump docker/build-push-action from 4.1.1 to 5.0.0 by @dependabot in #769
- Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #767
- Bump docker/setup-qemu-action from 2.2.0 to 3.0.0 by @dependabot in #766
- Bump tibdex/github-app-token from 1.8.2 to 2.1.0 by @dependabot in #764
- Bump github.com/go-playground/validator/v10 from 10.15.3 to 10.15.4 by @dependabot in #756
- Bump google.golang.org/grpc from 1.57.0 to 1.58.2 by @dependabot in #753
- Bump docker/metadata-action from 4.6.0 to 5.0.0 by @dependabot in #768
- Bump actions/cache from 3.3.1 to 3.3.2 by @dependabot in #765
- Bump actions/checkout from 3.6.0 to 4.1.0 by @dependabot in #763
- Bump github.com/rs/zerolog from 1.30.0 to 1.31.0 by @dependabot in #760
- Bump docker/setup-buildx-action from 2.10.0 to 3.0.0 by @dependabot in #762
- Bump go.uber.org/zap from 1.25.0 to 1.26.0 by @dependabot in #759
- Bump github.com/open-policy-agent/opa from 0.56.0 to 0.57.0 by @dependabot in #758
- Bump golang.org/x/net from 0.15.0 to 0.17.0 by @dependabot in #772
- Bump golang from 1.21.0 to 1.21.1 by @dependabot in #771
- upgrade envoy to v1.28.0 by @kenjenkins in #774
- Bump google.golang.org/grpc from 1.58.2 to 1.58.3 by @dependabot in #777
- Bump golang from 1.21.1 to 1.21.3 by @dependabot in #796
- upgrade go to 1.21 by @calebdoxsey in #799
- Bump actions/setup-python from 4.7.0 to 4.7.1 by @dependabot in #797
New Contributors
- @kenjenkins made their first contribution in #773
Full Changelog: v0.23.1...v0.24.0
v0.23.1
v0.23.0
Changelog
v0.23.0 (2023-08-29)
New
- settings: add access_log_fields and authorize_log_fields #701 (@calebdoxsey)
- config: add cookie_same_site option #620 (@calebdoxsey)
- add global timeout customization #651 (@wasaga)
Dependency
- Bump github.com/golangci/golangci-lint from 1.53.3 to 1.54.2 #724 (@dependabot[bot])
- Bump go.uber.org/zap from 1.24.0 to 1.25.0 #722 (@dependabot[bot])
- Bump github.com/google/uuid from 1.3.0 to 1.3.1 #720 (@dependabot[bot])
- Bump github.com/go-playground/validator/v10 from 10.14.1 to 10.15.1 #719 (@dependabot[bot])
- Bump docker/setup-buildx-action from 2.8.0 to 2.9.1 #716 (@dependabot[bot])
- Bump actions/setup-python from 4.6.1 to 4.7.0 #715 (@dependabot[bot])
- Bump golang from 1.20.5 to 1.20.6 #714 (@dependabot[bot])
- Bump github.com/rs/zerolog from 1.29.1 to 1.30.0 #713 (@dependabot[bot])
- Bump github.com/open-policy-agent/opa from 0.54.0 to 0.55.0 #709 (@dependabot[bot])
- Bump google.golang.org/grpc from 1.56.1 to 1.57.0 #706 (@dependabot[bot])
- Bump github.com/iancoleman/strcase from 0.2.0 to 0.3.0 #704 (@dependabot[bot])
- dependencies: upgrade core #702 (@calebdoxsey)
- Bump github.com/open-policy-agent/opa from 0.53.1 to 0.54.0 #691 (@dependabot[bot])
- Bump google.golang.org/protobuf from 1.30.0 to 1.31.0 #689 (@dependabot[bot])
- Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 #688 (@dependabot[bot])
- Bump node from 05824f7 to 3801c22 #687 (@dependabot[bot])
- Bump golang from 6b3fa4b to 344193a #686 (@dependabot[bot])
- Bump golang.org/x/sync from 0.2.0 to 0.3.0 #680 (@dependabot[bot])
- Bump github.com/golangci/golangci-lint from 1.52.2 to 1.53.3 #679 (@dependabot[bot])
- Bump k8s.io/apimachinery from 0.27.2 to 0.27.3 #676 (@dependabot[bot])
- Bump google.golang.org/grpc from 1.55.0 to 1.56.0 #675 (@dependabot[bot])
- Bump docker/build-push-action from 4.1.0 to 4.1.1 #674 (@dependabot[bot])
- Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 #673 (@dependabot[bot])
- Bump docker/metadata-action from 4.4.0 to 4.6.0 #672 (@dependabot[bot])
- Bump node from df5a66e to 05824f7 #671 (@dependabot[bot])
- Bump golang from 4b1fc02 to 6b3fa4b #670 (@dependabot[bot])
- Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 #667 (@dependabot[bot])
- Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 #666 (@dependabot[bot])
- Bump github.com/open-policy-agent/opa from 0.53.0 to 0.53.1 #665 (@dependabot[bot])
- Bump github.com/spf13/viper from 1.15.0 to 1.16.0 #664 (@dependabot[bot])
- Bump golang from 1.20.4 to 1.20.5 #663 (@dependabot[bot])
- Bump docker/login-action from 2.1.0 to 2.2.0 #662 (@dependabot[bot])
- Bump actions/checkout from 3.5.2 to 3.5.3 #661 (@dependabot[bot])
- Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 #660 (@dependabot[bot])
- Bump docker/build-push-action from 4.0.0 to 4.1.0 #659 (@dependabot[bot])
- Bump github.com/envoyproxy/go-control-plane from 0.11.0 to 0.11.1 #657 (@dependabot[bot])
- Bump github.com/golangci/golangci-lint from 1.52.2 to 1.53.2 #656 (@dependabot[bot])
- Bump k8s.io/apimachinery from 0.26.3 to 0.27.2 #655 (@dependabot[bot])
- Bump github.com/go-playground/validator/v10 from 10.14.0 to 10.14.1 #654 (@dependabot[bot])
- Bump distroless/base from bff68ce to de8fb01 #653 (@dependabot[bot])
- pin node to lts #652 (@wasaga)
- Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 #648 (@dependabot[bot])
- Bump github.com/open-policy-agent/opa from 0.52.0 to 0.53.0 #645 (@dependabot[bot])
- Bump golang from 685a22e to 690e413 #644 (@dependabot[bot])
- Bump actions/setup-python from 4.6.0 to 4.6.1 #643 (@dependabot[bot])
- Bump github.com/go-playground/validator/v10 from 10.13.0 to 10.14.0 #637 (@dependabot[bot])
- Bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 #634 (@dependabot[bot])
- Bump golang from 31a8f92 to 685a22e #633 (@dependabot[bot])
- Bump actions/setup-go from 4.0.0 to 4.0.1 #632 (@dependabot[bot])
- Bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 #631 (@dependabot[bot])
- Bump google.golang.org/grpc from 1.54.0 to 1.55.0 #628 (@dependabot[bot])
- Bump golang.org/x/sync from 0.1.0 to 0.2.0 #627 (@dependabot[bot])
- Bump golang from 1.20.3 to 1.20.4 #625 (@dependabot[bot])
- Bump distroless/base from 766c538 to bff68ce #624 (@dependabot[bot])
Changed
- ci: another place to increase yarn timeout #734 (@backport-actions-token[bot])
- ci: increase yarn network timeout #732 (@backport-actions-token[bot])
- add docs refs to log fields options #718 (@wasaga)
- fix manifests, fix publish docs action #693 (@wasaga)
- update dependabot #669 (@calebdoxsey)
- remove depguard #668 (@calebdoxsey)
- bump core main reference #642 (@wasaga)
- upgrade core to current main branch, including #4192, #4187, #4186, #4190 #639 (@wasaga)