This summer, we have been refining Pomerium based on your feedback. Many of these improvements come directly from organizations running Pomerium at scale to secure high-traffic applications and services that demand reliable security.
We are highlighting a series of patch releases in the 0.30.x line, culminating in v0.30.6. We recommend all users upgrade to the latest version to take advantage of the improvements.
v0.30.1 – SSH Refinements
Early community feedback on our Native SSH capability led to improvements that make SSH access smoother and more reliable.
v0.30.2 – Smarter CPU Handling in Kubernetes
We fixed an issue where Envoy could be configured with too many worker threads in environments where the process had fewer available CPUs than the host machine. This occurred most often in Kubernetes clusters with cgroup CPU limits. The fix ensures stable and efficient thread utilization under constrained environments.
v0.30.3 – Correct Credential Use for Token Refresh
Global Identity Provider credentials were being used to refresh tokens instead of route-specific client ID and secret values. This patch ensures Pomerium respects per-route configuration for secure and predictable token handling.
v0.30.4 – Authentication and Stability Improvements
This release included several key fixes and enhancements:
- Direct IdP Token Authentication now caches OIDC discovery docs and JWKS keys, improving performance and reducing the risk of IdP rate limiting.
- Fixed TLS certificate provisioning errors for SSH routes.
- Resolved false positives for duplicate ingress controllers during bootstrap restarts.
- Session refresh now accounts for ID token expiration, maintaining validity across the session lifetime if the IdP supports refresh.
- Added configurability for healthy_panic_threshold in Envoy.
- Fixed IPv6 connection errors caused by upstream source address binding.
- Eliminated deadlocks in Postgres databroker record pruning.
v0.30.5 – Expanded DNS Options
We introduced new DNS configuration options for Envoy:
- dns_udp_max_queries: Limit the number of UDP queries sent from one source port before a new port is used (default 100 in Pomerium).
- dns_use_tcp: Enable TCP queries instead of UDP.
- dns_query_tries: Control DNS retry attempts (default 4).
- dns_query_timeout: Adjust query timeout (default 5 seconds).
v0.30.6 – DNS Refresh Rate Controls
We added more DNS flexibility in this release:
- dns_refresh_rate: Override DNS refresh rate per route.
- dns_failure_refresh_rate: Set a separate refresh rate when lookups are failing.
These controls provide more predictable DNS behavior in high-volume and failure-prone conditions.
---
All of these patch releases were completed in parallel with new features planned for v0.31.0 next month.
Thank you to everyone in the community who helped shape these updates. Your feedback drives each improvement.
Happy upgrading,
The Pomerium Team