Pomerium 0.9

We are excited to announce the 0.9 release of Pomerium which includes a complete refactor of the proxy service and several security-enhancing features. Those features include:

• Envoy-based data plane — Pomerium now leverages Envoy for request proxying rather than the previous custom-built proxy. This change gives operators confidence that Pomerium will be able to handle any workload.

• Client Certificate Support — A core principle of the zero-trust security model is that every request should be not only authenticated and authorized, but also mutually authenticated and encrypted. With this release, Pomerium adds support for mutually authenticated encryption (mTLS) starting with the user’s device itself.

• JWKS Endpoint — Pomerium now surfaces a JWKS endpoint that can be used by upstream applications as well as other services such as Istio to verify the authenticity of a Pomerium managed request.

Pomerium had 99 commits from 9 authors across 6 organizations in this release. This release also includes additional new features, general improvements, and bug fixes, a complete list of which can be found in the changelog.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any issues, please report them on the Pomerium GitHub issue tracker.