v0.26.0

v0.26.0 Changes

v0.26.0 includes improved support for the Pomerium Zero beta.

Breaking

Changes that are expected to cause an incompatibility.

• config: remove deprecated client_ca option by @kenjenkins in #4918
• envoy: set explicit hostname on cluster endpoints by @kenjenkins in #5018

New

• authenticate: apply branding to sign out pages by @kenjenkins in #5044
• authorize: return non-html errors on denied by @calebdoxsey in #4904
• authorize: log service account user ID by @kenjenkins in #4964
• authorize: add support for rego print statements by @calebdoxsey in #5049
• config: implement direct response by @calebdoxsey in #4960
• config: add runtime flags by @wasaga in #5050
• config: disable gRPC ingress when address is the empty string by @calebdoxsey in #5058
• config: add support for TCP proxy chaining by @kenjenkins in #5053
• config: add support for stripping the port for matching routes by @calebdoxsey in #5085
• databroker: disable identity manager user refresh when hosted authenticate is used by @calebdoxsey in #4905
• envoy: only enable port reuse on linux by @calebdoxsey in #5066
• envoy: format envoy local replies by @calebdoxsey in #5067
• envoy: clean up temporary directory on start by @calebdoxsey in #4914
• identity: add enabler by @calebdoxsey in #5084
• identity: refactor identity manager by @calebdoxsey in #5091
• logging: less verbose logs by @calebdoxsey in #5040
• identity: dynamic authenticator registration by @calebdoxsey in #5105
• ppl: add client cert SAN match criteria by @kenjenkins in #4913
• ppl: add groups criterion by @calebdoxsey in #4916
• ui: fix page title by @calebdoxsey in #4957
• zero: add storage health check by @wasaga in #5074
• zero: upgrade oapi-codegen by @calebdoxsey in #4953
• zero: add service accounts support by @wasaga in #5031
• zero: lower log level by @calebdoxsey in #5065
• zero: add route reachability health check by @wasaga in #5093
• zero: health check building config from databroker source by @wasaga in #5104

Fixes

• authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined by @calebdoxsey in #5060
• envoy: exclude unauthorized access from local replies by @calebdoxsey in #5108
• kubernetes: fix impersonate group header by @calebdoxsey in #5090
• zero: add gRPC keep-alive by @wasaga in #4961
• zero: fix ticker usage by @calebdoxsey in #4969
• zero: fix bootstrap config path by @wasaga in #5035

Changed

• authenticate: rework CORS headers log entry by @kenjenkins in #4900
• authorize: result denied improvements by @calebdoxsey in #4952
• core: use context.WithoutCancel by @calebdoxsey in #4959
• core: switch to uber mock by @calebdoxsey in #5073
• core: move telemetry requestid to pkg directory by @calebdoxsey in #4911
• config: remove cookie secure option by @calebdoxsey in #4907
• config: fix typo by @wasaga in #4963
• envoy: enable TCP keepalive for internal clusters by @kenjenkins in #4902
• envoy: upgrade to v1.30.1 by @kenjenkins in #5080
• envoy: migrate deprecated overload setting by @kenjenkins in #5082
• envoy: address strconv.Atoi warnings by @kenjenkins in #5076
• envoy: preserve Go's max file limit for Envoy by @kenjenkins in #5102
• logging: use standard logger by @wasaga in #5096
• opa: update for rego 1.0 by @calebdoxsey in #4895
• ui: improve frontend build size by @calebdoxsey in #5109
• ui: adds upstream error page by @nhayfield in #5113
• zero: update oapi-codegen by @calebdoxsey in #4898
• zero: remove unused changeset code by @wasaga in #4915
• zero: simplify control loop lease retry code by @wasaga in #4979
• zero: reset back to inmem databroker if connection string is empty by @wasaga in #4955
• zero: add shared secret to the cluster bootstrap params by @wasaga in #5030
• zero: add common healthcheck package, zero reporter and first xds check by @wasaga in #5059
• zero: add checks for ability to save bootstrap parameter and bundle status reporting by @wasaga in #5064
• zero: only report healthcheck transitions by @wasaga in #5068
• zero: add user-agent to requests by @wasaga in #5078
• zero: add connect health check by @wasaga in #5086

Dependency Updates

• chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 by @dependabot in #4919
• chore(deps): bump node from 8d0f16f to fd01154 by @dependabot in #4921
• chore(deps): bump golang from 1.21.5-bookworm to 1.21.6-bookworm by @dependabot in #4920
• chore(deps): bump google.golang.org/api from 0.154.0 to 0.161.0 by @dependabot in #4938
• chore(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in #4948
• chore(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 by @dependabot in #4922
• chore(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in #4923
• chore(deps): bump google-github-actions/setup-gcloud from 2.0.1 to 2.1.0 by @dependabot in #4924
• chore(deps): bump google-github-actions/auth from 2.0.0 to 2.1.0 by @dependabot in #4925
• chore(deps): bump github.com/klauspost/compress from 1.17.4 to 1.17.5 by @dependabot in #4940
• chore(deps): bump busybox from ba76950 to 6d9ac92 in /.github by @dependabot in #4950
• chore(deps): bump github.com/prometheus/common from 0.45.0 to 0.46.0 by @dependabot in #4949
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.44.0 to 0.45.0 by @dependabot in #4947
• chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.21.0 to 1.22.0 by @dependabot in #4946
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.23.12 to 3.24.1 by @dependabot in #4928
• chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in #4933
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.0 to 1.24.1 by @dependabot in #4930
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.47.7 to 1.48.1 by @dependabot in #4939
• chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in #4937
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.2 to 1.26.6 by @dependabot in #4932
• chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.2 by @dependabot in #4944
• chore(deps): bump github.com/envoyproxy/go-control-plane from 0.11.1 to 0.12.0 by @dependabot in #4935
• chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.0.2 to 1.0.4 by @dependabot in #4945
• chore(deps): bump cloud.google.com/go/storage from 1.36.0 to 1.37.0 by @dependabot in #4926
• chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 25.0.2+incompatible by @dependabot in #4942
• ci: upgrade to Go 1.22 by @wasaga in #4967
• chore(deps): bump distroless/base-debian12 from 0a93daa to 5eae9ef in /.github by @dependabot in #4970
• chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in #5009
• chore(deps): bump distroless/base from 6c1e34e to 9d4e568 in /.github by @dependabot in #4971
• chore(deps): bump distroless/base-debian12 from 996c583 to 1d91d5f by @dependabot in #4980
• chore(deps): bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 by @dependabot in #4999
• chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @dependabot in #4972
• chore(deps): bump actions/setup-node from 4.0.1 to 4.0.2 by @dependabot in #4974
• chore(deps): bump google-github-actions/auth from 2.1.0 to 2.1.2 by @dependabot in #4976
• chore(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.1 by @dependabot in #5011
• chore(deps): bump github.com/shirou/gopsutil/v3 from 3.24.1 to 3.24.2 by @dependabot in #5001
• chore(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.3 by @dependabot in #5000
• chore(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in #4978
• chore(deps): bump node from fd01154 to f3299f1 by @dependabot in #4981
• chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in #4975
• chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in #4987
• chore(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in #5004
• chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.24.1 to 1.25.2 by @dependabot in #4992
• chore(deps): bump mikefarah/yq from 4.40.5 to 4.42.1 by @dependabot in #4977
• chore(deps): bump github.com/go-chi/chi/v5 from 5.0.11 to 5.0.12 by @dependabot in #4986
• chore(deps): bump github.com/minio/minio-go/v7 from 7.0.66 to 7.0.67 by @dependabot in #4996
• chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.3 by @dependabot in #5016
• chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.21.0 by @dependabot in #5013
• chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.18.0 by @dependabot in #5012
• chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.1 by @dependabot in #5017
• chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.6 by @dependabot in #5015
• chore(deps): bump google.golang.org/api from 0.161.0 to 0.168.0 by @dependabot in #5010
• chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.2 by @dependabot in #4984
• chore(deps): bump github.com/prometheus/common from 0.46.0 to 0.49.0 by @dependabot in #4998
• chore(deps): bump go.opentelemetry.io/otel/sdk/metric from 1.22.0 to 1.24.0 by @dependabot in #5003
• chore(deps): bump cloud.google.com/go/storage from 1.37.0 to 1.39.0 by @dependabot in #4989
• chore(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #4973
• chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc from 0.45.0 to 1.24.0 by @dependabot in #4983
• chore(deps): bump github.com/klauspost/compress from 1.17.5 to 1.17.7 by @dependabot in #4995
• chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in #4990
• chore(deps): bump the docker group with 2 updates by @dependabot in #5024
• chore(deps): bump the go group with 10 updates by @dependabot in #5026
• chore(deps): bump the github-actions group with 1 update by @dependabot in #5025
• chore(deps): bump the docker group in /.github with 2 updates by @dependabot in #5023
• chore(deps): bump github.com/docker/docker from 25.0.4+incompatible to 25.0.5+incompatible by @dependabot in #5032
• envoy: set to v1.29.2 by @wasaga in #5042
• chore(deps): bump the docker group with 3 updates by @dependabot in #5045
• chore(deps): bump the github-actions group with 6 updates by @dependabot in #5047
• chore(deps): bump the docker group in /.github with 3 updates by @dependabot in #5046
• chore(deps): bump the go group with 15 updates by @dependabot in #5048
• chore(deps): bump @trivago/prettier-plugin-sort-imports from 2.0.4 to 4.3.0 by @kenjenkins in #5054
• envoy: upgrade to v1.29.3 by @wasaga in #5056
• chore(deps): bump @babel/traverse from 7.16.10 to 7.23.2 in /ui by @dependabot in #5055
• update dev Dockerfiles to use Go 1.22.2 by @kenjenkins in #5063
• chore(deps): bump github.com/docker/docker from 26.0.0+incompatible to 26.0.2+incompatible by @dependabot in #5075
• chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #5077
• chore(deps): update UI dependencies by @kenjenkins in #5088
• chore(deps): bump the docker group in /.github with 3 updates by @dependabot in #5095
• chore(deps): bump the docker group with 3 updates by @dependabot in #5098
• core/lint: upgrade golangci-lint, replace interface{} with any by @calebdoxsey in #5099
• chore(deps): bump the go group with 29 updates by @dependabot in #5097
• chore(deps): bump the github-actions group with 5 updates by @dependabot in #5094