Releases: pomerium/ingress-controller
v0.28.0
What's Changed
New
- Gateway API support
Changes
- Upgrade to Kubernetes API v0.31.0
Bug Fixes
- Support go durations in annotations
Full Changelog: v0.27.2...v0.28.0
v0.27.2
What's Changed
Core Pomerium changes: https://github.com/pomerium/pomerium/releases/tag/v0.27.2
Changed
- config: support go durations in annotations by @calebdoxsey in #1047
Full Changelog: v0.27.1...v0.27.2
v0.27.1
What's Changed
Core Pomerium changes: https://github.com/pomerium/pomerium/releases/tag/v0.27.1
Full Changelog: v0.27.0...v0.27.1
v0.27.0
What's Changed
Core Pomerium changes: https://github.com/pomerium/pomerium/releases/tag/v0.27.0
New
Changed
- envoy: upgrade to v1.30.3 by @kenjenkins in #987
- deployment: set proxy service externalTrafficPolicy: Local by @wasaga in #1030
Dependency Updates
- runtime: upgrade Go to 1.23.0 @wasaga in #1024
- build(deps): bump distroless/base-debian12 from 8aa9165 to 8c26ef9 in the docker group by @dependabot in #967
- build(deps): bump the github-actions group with 4 updates by @dependabot in #964
- build(deps): bump the go group across 1 directory with 7 updates by @dependabot in #970
- build(deps): bump the github-actions group with 3 updates by @dependabot in #995
- build(deps): bump the go group with 4 updates by @dependabot in #996
- build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 by @dependabot in #1007
- build(deps): bump distroless/base-debian12 from 8c26ef9 to 8d946e4 in the docker group by @dependabot in #1019
- build(deps): bump the github-actions group with 7 updates by @dependabot in #1021
- build(deps): bump the go group with 2 updates by @dependabot in #1020
- build(deps): bump the go group with 3 updates by @dependabot in #1028
- build(deps): bump the github-actions group with 2 updates by @dependabot in #1026
Full Changelog: v0.26.2...v0.27.0
v0.26.2
v0.26.1
Security
This release includes multiple security updates:
- The Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. CVE-2024-39315. Credit to Vadim Sheydaev, aka Enr1g, for reporting this issue.
- This release also includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address multiple security issues:
  - CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
  - CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
  - CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
  - CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
  - CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
  - CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
  - CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
  - CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters
- The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library, which is vulnerable to GHSA-c5q2-7r4c-mv6g.
What's Changed
Changed
- envoy: upgrade to v1.30.3 by @kenjenkins in #989
- ci: set core to v0.26.1, set deployment tags by @kenjenkins in #998
Full Changelog: v0.26.0...v0.26.1
v0.26.0
Upgrading
kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.26.0
See docs for further details.
What's Changed
Breaking
- remove cookie secure option by @calebdoxsey in #872
- envoy: set explicit hostname on cluster endpoints by @kenjenkins in pomerium/pomerium#5018
New
Fixes
- fix disabled set response headers by @calebdoxsey in #877
Changed
- See summary of Pomerium Core changes: https://github.com/pomerium/pomerium/releases/tag/v0.26.0
- ingress-controller/ci: check docker base images by @calebdoxsey in #871
- docker: use distroless noroot user/group by @wasaga in #878
- logs: set default log level to info by @wasaga in #950
Dependency Updates
- go: upgrade Go to 1.22 by @wasaga in #898
- ingress-controller/mock: switch to uber mock by @calebdoxsey in #939
- envoy: upgrade to v1.30.1 by @kenjenkins in #943
- build(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @dependabot in #883
- build(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @dependabot in #893
- build(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 by @dependabot in #892
- build(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @dependabot in #882
- build(deps): bump github.com/go-playground/validator/v10 from 10.16.0 to 10.17.0 by @dependabot in #884
- build(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @dependabot in #885
- build(deps): bump actions/cache from 3.3.2 to 4.0.0 by @dependabot in #894
- deps: upgrade k8s api version and controller-runtime by @wasaga in #896
- build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @dependabot in #916
- build(deps): bump github.com/gosimple/slug from 1.13.1 to 1.14.0 by @dependabot in #915
- build(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.0 by @dependabot in #913
- build(deps): bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.2 by @dependabot in #912
- build(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @dependabot in #908
- build(deps): bump actions/cache from 4.0.0 to 4.0.1 by @dependabot in #907
- build(deps): bump k8s.io/apimachinery from 0.29.0 to 0.29.2 by @dependabot in #909
- build(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @dependabot in #901
- build(deps): bump distroless/base-debian12 from 8548e30 to 530b451 by @dependabot in #899
- build(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in #911
- build(deps): bump github.com/go-playground/validator/v10 from 10.17.0 to 10.18.0 by @dependabot in #914
- build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @dependabot in #905
- build(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in #904
- build(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 by @dependabot in #902
- chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @kenjenkins in #917
- build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @dependabot in #918
- build(deps): bump the docker group with 1 update by @dependabot in #920
- build(deps): bump the github-actions group with 2 updates by @dependabot in #921
- build(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.4 by @dependabot in #924
- build(deps): bump the github-actions group with 5 updates by @dependabot in #933
- build(deps): bump the docker group with 1 update by @dependabot in #934
- build(deps): bump the go group with 4 updates by @dependabot in #935
- build(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #940
- build(deps): bump the github-actions group with 3 updates by @dependabot in #948
- build(deps): bump the go group with 6 updates by @dependabot in #946
- build(deps): bump distroless/base-debian12 from 08baf3b to 8aa9165 in the docker group by @dependabot in #949
- Upgrade controller-runtime to v0.15.0 and k8s api to v0.30.0 by @kralicky in #953
New Contributors
Full Changelog: v0.25.2...v0.26.0
v0.25.2
v0.25.1
What's Changed
Changed
- config: fix disabled set response headers by @calebdoxsey in #877
- set core to v0.25.1 by @wasaga
Full Changelog: v0.25.0...v0.25.1
v0.25.0
Installation
To install, run the following command:
kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.25.0
Refer to the Pomerium Configuration Guide to complete your installation.
What's Changed
Breaking
- config: remove redis by @calebdoxsey in #835
New
- config: add global passIdentityHeaders option to the CRD by @calebdoxsey in #811
Changed
- docs: update pass_identity_headers option documentation link by @wasaga in #837
- manifests: installation manifests use newer Kustomize syntax by @wasaga in #864
Dependency Updates
- upgrade Pomerium Core to v0.25.0
- upgrade Go to 1.21 by @wasaga in #863
- upgrade github.com/spf13/cobra from 1.7.0 to 1.8.0 by @dependabot in #829
- upgrade golang.org/x/sync from 0.3.0 to 0.5.0 by @dependabot in #823
- upgrade github.com/go-playground/validator/v10 from 10.15.4 to 10.16.0 by @dependabot in #822
- upgrade docker/metadata-action from 5.0.0 to 5.2.0 by @dependabot in #821
- upgrade distroless/base-debian12 from d53efe9 to d904990 by @dependabot in #819
- upgrade github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #817
- upgrade docker/build-push-action from 5.0.0 to 5.1.0 by @dependabot in #820
- upgrade github.com/open-policy-agent/opa from 0.57.0 to 0.59.0 by @dependabot in #827
- upgrade github.com/go-logr/zapr from 1.2.4 to 1.3.0 by @dependabot in #830
- upgrade github.com/spf13/viper from 1.16.0 to 1.18.0 by @dependabot in #832
- upgrade golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #838
- upgrade actions/setup-go from 4.1.0 to 5.0.0 by @dependabot in #854
- upgrade actions/setup-python from 4.7.1 to 5.0.0 by @dependabot in #853
- upgrade docker/metadata-action from 5.2.0 to 5.4.0 by @dependabot in #852
- upgrade github.com/go-logr/logr from 1.3.0 to 1.4.1 by @dependabot in #851
- upgrade github.com/spf13/viper from 1.18.0 to 1.18.2 by @dependabot in #849
- upgrade google.golang.org/protobuf from 1.31.0 to 1.32.0 by @dependabot in #847
- upgrade github.com/google/uuid from 1.4.0 to 1.5.0 by @dependabot in #843
- upgrade distroless/base-debian12 from d904990 to 8548e30 by @dependabot in #841
- upgrade github.com/open-policy-agent/opa from 0.59.0 to 0.60.0 by @dependabot in #844
- upgrade google.golang.org/grpc from 1.59.0 to 1.60.1 by @dependabot in #846
- upgrade github.com/cloudflare/circl from 1.3.6 to 1.3.7 by @dependabot in #859
Full Changelog: v0.24.0...v0.25.0