chore(deps): update dependency pomerium/ingress-controller to v0.26.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
pomerium/ingress-controller	Kustomization	minor	v0.25.2 -> v0.26.1
pomerium/ingress-controller		minor	v0.25.2 -> v0.26.1

---

Release Notes

pomerium/ingress-controller (pomerium/ingress-controller)

v0.26.1

Compare Source

Security

This release includes multiple security updates:

• The Pomerium user info page (at /.pomerium) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users, and have now been removed. CVE-2024-39315

  Credit to Vadim Sheydaev, aka Enr1g for reporting this issue.

• This release also includes an update from Envoy 1.30.1 to Envoy 1.30.3 to address multiple security issues:

  • CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream
  • CVE-2024-34363: Crash due to uncaught nlohmann JSON exception
  • CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components
  • CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()
  • CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()
  • CVE-2024-32976: Endless loop while decompressing Brotli data with extra input
  • CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode
  • CVE-2024-38525: datadog tracer does not handle trace headers with unicode characters

• The release also removes a transitive dependency on the gopkg.in/square/go-jose.v2 library which is vulnerable to GHSA-c5q2-7r4c-mv6g.

What's Changed

Changed

• envoy: upgrade to v1.30.3 by @​kenjenkins in https://github.com/pomerium/ingress-controller/pull/989
• ci: set core to v0.26.1, set deployment tags by @​kenjenkins in https://github.com/pomerium/ingress-controller/pull/998

Full Changelog: pomerium/ingress-controller@v0.26.0...v0.26.1

v0.26.0

Compare Source

Upgrading

kubectl apply -k github.com/pomerium/ingress-controller/config/default\?ref=v0.26.0

See docs for further details.

What's Changed

Breaking

• remove cookie secure option by @​calebdoxsey in https://github.com/pomerium/ingress-controller/pull/872
• envoy: set explicit hostname on cluster endpoints by @​kenjenkins in https://github.com/pomerium/pomerium/pull/5018

New

• Support for empty host in ingress rules (#​941) by @​kralicky in https://github.com/pomerium/ingress-controller/pull/945

Fixes

• fix disabled set response headers by @​calebdoxsey in https://github.com/pomerium/ingress-controller/pull/877

Changed

• See summary of Pomerium Core changes: https://github.com/pomerium/pomerium/releases/tag/v0.26.0
• ingress-controller/ci: check docker base images by @​calebdoxsey in https://github.com/pomerium/ingress-controller/pull/871
• docker: use distroless noroot user/group by @​wasaga in https://github.com/pomerium/ingress-controller/pull/878
• logs: set default log level to info by @​wasaga in https://github.com/pomerium/ingress-controller/pull/950

Dependency Updates

• go: upgrade Go to 1.22 by @​wasaga in https://github.com/pomerium/ingress-controller/pull/898
• ingress-controller/mock: switch to uber mock by @​calebdoxsey in https://github.com/pomerium/ingress-controller/pull/939
• envoy: upgrade to v1.30.1 by @​kenjenkins in https://github.com/pomerium/ingress-controller/pull/943
• build(deps): bump google.golang.org/grpc from 1.60.1 to 1.61.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/883
• build(deps): bump docker/metadata-action from 5.4.0 to 5.5.1 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/893
• build(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/892
• build(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/882
• build(deps): bump github.com/go-playground/validator/v10 from 10.16.0 to 10.17.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/884
• build(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/885
• build(deps): bump actions/cache from 3.3.2 to 4.0.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/894
• deps: upgrade k8s api version and controller-runtime by @​wasaga in https://github.com/pomerium/ingress-controller/pull/896
• build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/916
• build(deps): bump github.com/gosimple/slug from 1.13.1 to 1.14.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/915
• build(deps): bump google.golang.org/grpc from 1.61.0 to 1.62.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/913
• build(deps): bump sigs.k8s.io/controller-runtime from 0.17.0 to 0.17.2 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/912
• build(deps): bump pre-commit/action from 3.0.0 to 3.0.1 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/908
• build(deps): bump actions/cache from 4.0.0 to 4.0.1 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/907
• build(deps): bump k8s.io/apimachinery from 0.29.0 to 0.29.2 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/909
• build(deps): bump github.com/rs/zerolog from 1.31.0 to 1.32.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/901
• build(deps): bump distroless/base-debian12 from 8548e30 to 530b451 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/899
• build(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/911
• build(deps): bump github.com/go-playground/validator/v10 from 10.17.0 to 10.18.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/914
• build(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/905
• build(deps): bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/904
• build(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/902
• chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 by @​kenjenkins in https://github.com/pomerium/ingress-controller/pull/917
• build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/918
• build(deps): bump the docker group with 1 update by @​dependabot in https://github.com/pomerium/ingress-controller/pull/920
• build(deps): bump the github-actions group with 2 updates by @​dependabot in https://github.com/pomerium/ingress-controller/pull/921
• build(deps): bump github.com/jackc/pgx/v5 from 5.5.2 to 5.5.4 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/924
• build(deps): bump the github-actions group with 5 updates by @​dependabot in https://github.com/pomerium/ingress-controller/pull/933
• build(deps): bump the docker group with 1 update by @​dependabot in https://github.com/pomerium/ingress-controller/pull/934
• build(deps): bump the go group with 4 updates by @​dependabot in https://github.com/pomerium/ingress-controller/pull/935
• build(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @​dependabot in https://github.com/pomerium/ingress-controller/pull/940
• build(deps): bump the github-actions group with 3 updates by @​dependabot in https://github.com/pomerium/ingress-controller/pull/948
• build(deps): bump the go group with 6 updates by @​dependabot in https://github.com/pomerium/ingress-controller/pull/946
• build(deps): bump distroless/base-debian12 from 08baf3b to 8aa9165 in the docker group by @​dependabot in https://github.com/pomerium/ingress-controller/pull/949
• Upgrade controller-runtime to v0.15.0 and k8s api to v0.30.0 by @​kralicky in https://github.com/pomerium/ingress-controller/pull/953

New Contributors

• @​kralicky made their first contribution in https://github.com/pomerium/ingress-controller/pull/945

Full Changelog: pomerium/ingress-controller@v0.25.2...v0.26.0

---

Configuration

📅 Schedule: Branch creation - "before 6am" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.