Changelog
Versioning
Pomerium uses Semantic Versioning. In practice, this means for a given version number vMAJOR.MINOR.PATCH (for example, v0.1.0):
- MAJOR indicates an incompatible API change
- MINOR indicates a new, backwards-compatible functionality
- PATCH indicates a backwards-compatible bug fix
As Pomerium is still pre-v1.0.0, you should expect breaking changes between releases.
0.27.3
New
- Integrate with FleetDM to support policy enforcement based on device state. With this integration you can ensure that only trusted devices are allowed to access certain routes. See the FleetDM Integration page for more information.
- Improve handling of external data source records. If a data source is removed, or if a data source no longer contains a particular record type, any corresponding data records will be removed as well. This will prevent stale data record types from showing in the policy builder UI.
- Add a “Kubernetes Service Account Token File” route setting.
- Make the “From” URL on the routes list page into a link.
Fixed
- Fix an issue where newly-created entities might not appear right away in the corresponding list page.
- Fix an issue where list page table contents might overlap.
- Fix an issue where hovering over a chart might cause a tooltip to flicker.
- Fix a potential error on the “Runtime” dashboard page.
Changed
- Rename the “Identity Provider” settings tab to “Directory Sync” to clarify its purpose.
0.27.2
Fixed
- Fix a bug with the route “To” option.
0.27.1
Security
- Restrict the debug “DataBroker Browser” page to users with global admin privileges.
Fixed
- Fix the Kubernetes service account token route setting. (Previously this setting was present in the UI but had no effect.)
- Fix the database migration command to synchronize the schema version metadata when rolling back to a previous schema version.
0.27.0
New
- 
The Enterprise Console now includes a “Report issue” feedback widget, allowing you to easily report any problems you may encounter. We look forward to hearing your feedback! This widget is loaded from a third-party service. If you do not wish to include this on your Enterprise Console installation, you can disable the feedback widget by setting the new option --disable-feedback-widget.
- 
IdP directory sync performance has been improved, especially when using Okta. 
- 
The policy builder has a new “Exists” condition for use with external data source records. This condition is true when an incoming request matches any record in the selected external data source. As an example use case: you could maintain an external data source with a list of approved client certificates (keyed by certificate fingerprint), and enforce that incoming requests must match one of the approved client certificates. 
- 
When configuring an external data source, the ”Foreign Key” input will now display all valid choices, making it easier to configure. 
- 
The --disable-validationoption has been expanded to include an additional validation mode. The existing validation modes are now represented by a new option--validation-mode. There are now three modes:- full, the default validation mode
- static, a lighter-weight validation mode that should still catch most potential issues
- none, equivalent to the existing- --disable-validationoption
 Additionally, the nonemode now also disables a safety check related to overlapping certificate domain names.
Fixed
- A few policy builder UI bugs are fixed:
- The “Claim” criterion now correctly displays claim names containing a “/” character.
- The “Record” criterion now correctly displays the value “0”.
 
0.26.0
New
Expanded Pomerium policy builder functionality:
- Policies can now reference a client certificate's Subject Alternative Name. You can specify criteria matching against DNS name, URI, or email address.
- There is a new Require Trusted Client Certificate toggle at the top of the policy builder, for use with the policymTLS enforcement mode. In this mode, you can configure Pomerium to require client certificates only on certain routes. (In the other mTLS enforcement modes, a client certificate is required for all Pomerium routes.)
- Numerical comparison operators (<,<=,=,>=, and>) for use with external data sources. For example, if you have an external data source with a numerical field namedtrust_score, you can now express a condition liketrust_score >= 5.
External data sources can now be keyed based on client certificate fingerprint, using the key request.client_certificate.fingerprint.
Added license metrics mau.usage, mau.limit, and license.expires_in to support monitoring and alerting around license renewal.
Routes can now be configured to serve a static direct response (consisting of an HTTP status code and some fixed body data).
Added support for the Rego print() function, to help when writing custom Rego policies. Anything passed to this function will be logged at the Debug level.
Fixed
- The Deployments page now indicates changes made via user impersonation.
- Improved logout detection.
- Various other UI fixes.
0.25.1
Fixed
- Removes the cookie secure backend logic from the Enterprise Console.
0.25.0
Breaking
- In this release, we removed support for the debugoption in the Enterprise Console.
Fixed
- Various UI improvements and an update to the route import feature to support the following PPL criteria when importing routes into Enterprise:
- allow_public_unauthenticated_access
- allow_any_authenticated_user
- allowed_idp_claims
 
Changed
- Adds an optional, global-level Pass Identity Headers setting, which sends identity headers to all upstream applications when enabled. If you want to forward identity headers only to a specific upstream application, you can still use the per-route Pass Identity Headers setting.
- Removes support for the Secure Cookie setting. It is always enabled by default.
- Improved error messages and multiple Open Telemetry improvements
0.24.0
Breaking
- Removes support for the deprecated set_authorization_headersetting. You can use the Set Request Headers setting to pass IdP tokens to upstream services in any header.
Security
- Previously, the Enterprise Console logged gRPC calls and their payload data. This release removes payload data from the logs.
New
- Now, you can configure device authentication using client certificates in the Enterprise Console's PPL builder.
- Performance improvements with configuration and service account syncs.
Fixed
- Various UI improvements, and a fix that prevents missing policy criteria when migrating routes.
Changed
- Various Telemetry fixes in the Console.
0.23.0
New
- Set Request Headers has three new new token substitution values that it can send to upstream apps or services:
- Client certificate fingerprint (the short-form SHA-256 fingerprint of the presented client certificate)
- ID token (the OIDC ID token from the identity provider)
- Access token (the OAuth access token from the identity provider)
 
- Access Log Fields and Authorize Log Fields settings allow you to customize the values that are logged in the access and authorize logs.
- Cookies SameSite is now configurable in the Enterprise Console.
Breaking
- When using set_request_headers, to prevent a ‘$’ character from being treated as the start of a variable substitution, you may need to replace it with ‘$$’.
0.22.0
Security patch
- Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.
New
- Hosted Authenticate Service will now be used by default to handle single-sign-on. Pomerium hosts this service as a convenience to its users; no identity provider configuration or authenticate service url needs to be specified if the hosted authenticate service is used. Self-hosted authenticate service is still available for users who want to configure their own identity provider and authenticate service URL.
- Wildcard From Routes is a Beta support feature that allows you to define a wildcard route that points matching external routes to a single destination.
- RDS changes provide more consistent and linear memory performance that significantly reduces memory consumption, especially in environments with rapidly changing configurations.
Fixed
- Removes user references when a device credential is deleted
- Displays external data source link only if provider exists
Changed
- Adds additional DNS Lookup Families and defaults to V4_PREFERRED
- Requires a name when creating a Namespace
0.21.1
Fixed
- Fixes for UI errors saving empty headers, custom text fields, and more
New
- Pass TLS options to HTTP clients
Updated
- Remove device credential references from the user and session
0.21.0
Breaking
- Re-enroll devices and update device IDs due to non-forward compatible internal change
New
- Auto TLS support for Console and Databroker gRPC endpoints
- Client TLS renegotiation for upstream clusters
Fixed
- Fixes to the Enterprise Console's UI, builds, gRPC calls, and more
0.20.1
Fixed
- UI fixes and improvements to branding settings
0.20.0
Breaking
- Groups & Directory sync now managed and sourced from external data sources. See upgrading for details.
Fixed
- Dozens of UI fixes and improvements
- Fixed a bug in policy builder when using groups
- Performance improvements to generated metrics
Updated
- Envoy updated to v1.23.1
0.19.0
New
- Additional error details and policy debugging for Enterprise
- ACME TLS-ALPN support for autocert
- Branding customization for Enterprise
Updated
- Well-Known endpoint handler for Proxy
- Upgrade to Envoy 1.23.0
- Add virtual host domains for all certificates
- Use generic types for sets and atomics
Fixed
- Add CORS headers to JWKS endpoint
- Add authority header to outbound gRPC requests
- Remove not-null constraint on data column of record changes table
0.18.0
New
- Support for external data sources
- Simplified Kubernetes ingress controller
Updated
- Postgres databroker backend
- Upgrade to Envoy 1.21.1
- Data in the Authorize service is now queried on-demand
Fixed
- Various issues related to internal service URLs
- Error pages for forward auth
- Databroker in-memory backend deadlock
0.17.0
New
- Pomerium Enterprise now requires a valid license to start.
Updated
- Route and Policy screens have been redesigned for better UX.
0.16.0
New
- Devices: It is now possible to manage, enroll, approve, and write authorization policy for device identity.
- Signing keys can now be dynamically pulled from the Authenticate service's JWKS endpoint.
- Added the ability to write PPL policy for HTTP method and path contexts.
Updated
- Policies can now incorporate device identity and approval status.
- Routes certificate UI now shows the matching TLS certificate used.
- Routes now has Kubernetes service account token field
- Metric addresses are now shown in the runtime info dashboard.
- Envoy was upgraded to 1.20.1.
- The code editor now supports dark mode.
- Various UI style improvements and fixes.
Fixed
- --tls-insecure-skip-verifywas not applied to databroker connections.
- Fixed a bug in the host rewrite code (thank you @rankinc for reporting).
- Fixed a bug in the way timeout fields were being displayed.
- Fixed a bug in the way route header fields were being ordered.
Fixed
0.15.2
Fixed
- A regression in the Deploymentspage loading has been corrected.
0.15.1
Fixed
- Tracing settings now persist correctly.
Updated
- Support configuring multiple audiences for the console.
- Improved configuration validation.
- Various UI style improvements.
0.15.0
New
- Telemetry - View real time metrics and status from Pomerium components inside the Enterprise Console.
- More expressive policy syntax: Pomerium's new extended policy language allows more complex policies to be configured, along with non-identity based conditions for access.
- Support for Google Cloud Serverless configuration on routes.
- Support for SPDY configuration on routes.
- More consistent filtering and sorting across resource listing pages.
Updated
- Certificate Management - Certificates with overlapping SAN names are no longer permitted.
- [Policies] - New editing screen supports Wizard based, Text based or Rego based policy.
- Policies - Only global administrators may manage Rego based policies.
- Policies - Support time based criteria.
- [Service Accounts] - Simplified UI.
- Service Accounts - Support token expiration time.
- Service Accounts - Namespace support.
- Impersonation - Impersonation is now done on an individual session basis.
- Various other bug fixes and improvements.