Upgrading Pomerium Enterprise
When new versions of Pomerium Enterprise are released, check back to this page before you upgrade.
0.20.0
Before You Upgrade
Groups & directory sync are managed from external data sources
IdP directory sync is now part of the External Data Sources integration, which unifies it with other external data sources and consolidates job scheduling and monitoring. Setting any of the options below in the Pomerium config file now results in an error. In the Pomerium Enterprise Console, navigate to Settings > Identity Provider and configure directory sync there.
- idp_service_account: use IdP provider specific options in the UI.
- idp_refresh_directory_timeout: use Polling Min Delay.
- idp_refresh_directory_interval: replaced by Polling Max Delay.
- idp_qps: not required, IdP providers adjust their qps rate.
Pomerium Core now only performs user authentication and session refresh with the IdP provider, and does not try to synchronize user details and groups, which is now part of External Data Sources. Please review your identity provider's docs for instructions specific to your IdP (e.g. Identity Providers -> Google -> Directory Sync (Enterprise)).
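A pre-upgrade check for the options listed above, as an added example that is not part of Pomerium's documentation or tooling: it scans a Pomerium config file for the four removed keys and prints the replacement named in these notes. The function names, the sample config and its placeholder values are constructed for illustration, and the scan assumes a YAML config file with one key per line.

```shell
#!/bin/sh
# Added example: find IdP directory-sync options that 0.20.0 no longer accepts.
# Each entry is "option|replacement", with the replacement text from the notes above.
REMOVED_IDP_OPTIONS='idp_service_account|use IdP provider specific options in the UI
idp_refresh_directory_timeout|use Polling Min Delay
idp_refresh_directory_interval|replaced by Polling Max Delay
idp_qps|not required, IdP providers adjust their qps rate'

# check_removed_idp_options FILE
# Prints "FILE:LINE: option ..." for every removed option still set in FILE.
# Returns 0 if none are set, 1 if any are set, 2 if FILE cannot be read.
check_removed_idp_options() {
  cr_file=$1
  cr_found=0
  [ -r "$cr_file" ] || { echo "cannot read $cr_file" >&2; return 2; }
  # The here-document keeps the loop in the current shell so cr_found survives.
  while IFS='|' read -r cr_opt cr_hint; do
    # Key at the start of a line (indentation allowed); commented-out lines
    # begin with '#' and therefore do not match.
    cr_line=$(grep -nE "^[[:space:]]*${cr_opt}[[:space:]]*:" "$cr_file" | head -n 1 | cut -d: -f1)
    if [ -n "$cr_line" ]; then
      echo "$cr_file:$cr_line: $cr_opt is no longer accepted; $cr_hint"
      cr_found=1
    fi
  done <<EOF
$REMOVED_IDP_OPTIONS
EOF
  return "$cr_found"
}

# Constructed sample config for the demonstration; the values are placeholders.
write_sample_config() {
  cat > "$1" <<'EOF'
idp_provider: google
idp_client_id: PLACEHOLDER_CLIENT_ID
# idp_qps: 10
idp_service_account: PLACEHOLDER_SERVICE_ACCOUNT
idp_refresh_directory_interval: 10m
EOF
}

demo_config=$(mktemp)
write_sample_config "$demo_config"
check_removed_idp_options "$demo_config" || echo "Move these settings to Settings > Identity Provider before upgrading."
rm -f "$demo_config"
```

The non-zero return code makes the function usable as a gate in a deployment pipeline before the upgrade step runs.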
0.19.0
No changes required to upgrade
- This release has no breaking changes. Review the v19 Changelog for more information.
0.18.0
Before You Upgrade
- When using external-data, the Databroker backend for Pomerium should be switched from Redis to Postgres.
0.17.0
Before You Upgrade
- The new license-key option is required for starting Pomerium Enterprise. Please contact your account team if you have not been issued one yet.
0.16.0
Before You Upgrade
- The signing-key has been replaced with authenticate-service-url. Instead of manually setting the signing key in the Enterprise Console to match the Authenticate Service, we specify the trusted URL of the Authenticate Service to pull the signing key from.
- The signing-key key will continue to work for existing configurations, but device enrollment will not work until it is replaced by authenticate-service-url.
0.15.0
Before You Upgrade
- signing-key is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the signing key reference page for more information on generating a key.
- audience is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the from field in the Routes entry (not including the protocol).
Helm Installations
As of v0.15.0, all Helm charts have been consolidated to a single repository. Remove the pomerium-enterprise repo and upgrade from pomerium:

helm repo remove pomerium-enterprise
helm upgrade --install pomerium-console pomerium/pomerium-console --values=pomerium-console-values.yaml

As noted above, signing-key must be shared between Pomerium and Enterprise. See the Update Pomerium section of Install Pomerium Enterprise in Helm for more information.