
chore(caddy): bump the go-modules group across 1 directory with 3 updates #2392

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/caddy/go-modules-e1745b6420

Conversation


@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps the go-modules group with 3 updates in the /caddy directory: github.com/caddyserver/certmagic, github.com/dunglas/mercure and github.com/dunglas/mercure/caddy.

Updates github.com/caddyserver/certmagic from 0.25.2 to 0.25.3

Commits
  • c7496f1 More validation of delegated OCSP responders (#378)
  • cdc4eb2 fix: Normalization IPv6 addresses for ACME challenge (#376)
  • 2cf7e08 Revert "Fix HTTP-01 challenge for IPv6 literal addresses (#377)"
  • 3e3363f readme: add dark-mode banner for GitHub UI (#379)
  • 3229642 go.mod: Upgrade indirect dependencies
  • 60d9d8b Fix HTTP-01 challenge for IPv6 literal addresses (#377)
  • e03792e Modernize TLSConfig() (close #375)
  • fa1257f Unblock ManageAsync() by putting manageOne() in a goroutine (#374)
  • b9e85a9 Don't log nil errors when stapling OCSP (fix #362)
  • a7a8ce3 logging: Disable stack traces, fix logger name (#372)
  • See full diff in compare view

Updates github.com/dunglas/mercure from 0.22.1 to 0.23.5

Release notes

Sourced from github.com/dunglas/mercure's releases.

v0.23.5

A small but important patch release that closes the two known issues we documented in v0.23.4. Hubs that drop ALL capabilities now exec cleanly without the binary's file capability tripping the kernel's bounding-set check, and the chart's /data path is always mounted so Caddy, which writes under caddy.AppDataDir(), works under readOnlyRootFilesystem: true out of the box. With v0.23.5 you can drop every capability, mount nothing extra, and the chart just works.

🐛 Bug Fixes

  • Helm: Mount /data unconditionally (emptyDir when persistence is off, PVC when on). Fixes pods crashing with read-only file system when readOnlyRootFilesystem: true (Caddy writes its instance UUID to /data/caddy/instance.uuid). Previously /data only mounted when persistence.enabled: true, which forced PVCs on every Redis/Postgres/Kafka/Pulsar deployment that wanted a hardened rootfs by @​dunglas in #1233
  • Docker: Drop the RUN setcap cap_net_bind_service=+ep /usr/bin/caddy line. Modern container runtimes (containerd 1.5+, cri-o, Docker 20.10+) set net.ipv4.ip_unprivileged_port_start=0 inside the container, so any unprivileged process can bind any port without that capability. The setcap was load-bearing on older runtimes but moot today, and the file capability collided with restrictive Kubernetes securityContexts that drop ALL capabilities: the kernel refuses to exec a binary whose file permitted caps are not a subset of the process's bounding set, so drop: [ALL] without a matching add crash-looped pods with exec /usr/bin/caddy: operation not permitted. Removing setcap removes that footgun by @​dunglas in #1234

📖 Documentation

  • Helm and install.md: Update the rootless deployment example to recommend the simplest config (drop ALL caps, run non-root, RO rootfs, no targetPort tweak). service.targetPort: 8080 stays documented as a fallback for older runtimes where ip_unprivileged_port_start is still 1024. Bundled into #1234.

Mercure Cloud tenants are already running on this release, because we manage the cluster on their behalf, alongside the production transports (Redis, Kafka, Pulsar, Postgres) and an SLA-backed managed offering. Mercure Enterprise brings the same hardening on-premise plus the HA transports and priority support. Contact contact@mercure.rocks for the managed cloud offering, on-premise licenses, custom development, consulting, and training.

Full Changelog: v0.23.4...v0.23.5

v0.23.4

This patch release tightens the Helm chart's defaults for high-availability and multi-tenant Mercure deployments. New opt-in NetworkPolicy and CiliumNetworkPolicy templates keep tenants and infrastructure cleanly separated, readOnlyRootFilesystem: true plus rootless runs work without changing your securityContext, and the chart now lands in line with the restricted PodSecurity Standard out of the box. Also caps the topic-selector cache to 100k entries by default to bound memory usage on busy hubs, and fixes the broken Docker image release that held back v0.23.3 (so this is the v0.23 line you actually want to upgrade to).

✨ New Features

  • Helm: Add opt-in NetworkPolicy and CiliumNetworkPolicy templates. Restrict ingress/egress per-tenant without templating policies outside the chart. The Cilium variant supports FQDN-pinned egress and L7 rules. Disabled by default; enable via networkPolicy.enabled / ciliumNetworkPolicy.enabled and supply rule lists by @​dunglas in #1229
  • Helm: Support readOnlyRootFilesystem: true out of the box. /config and /tmp now mount as emptyDir unconditionally. With the default BoltDB transport, set persistence.enabled: true so /data is a writable PVC. Other transports work without persistence as long as no Caddy module writes under /data. Also fixes bolt.NewBoltTransport to MkdirAll the parent directory so a fresh empty /data does not crash the hub on first write by @​dunglas in #1226
  • Helm: Tighten secure-by-default settings. serviceAccount.automount: false (Mercure does not call the K8s API), enableServiceLinks: false on the hub Pod (no neighbour-Service env leak in shared namespaces), podSecurityContext.seccompProfile.type: RuntimeDefault, and a fully hardened helm test pod so helm test works on PSS-restricted clusters by @​dunglas in #1231
  • Helm: Pass through HTTPRoute rule timeouts. Supply timeouts: blocks per rule when you need to bound a specific path (for instance, cap publish POSTs so a slow publisher cannot hold a gateway connection open). The chart's auto-default rule keeps timeouts.request: 0s so SSE subscribers are not cut by the gateway by @​dunglas in #1223
  • Helm: Expose HPA customMetrics and behavior. Append Pods/Object/External metrics to spec.metrics and configure scaling behavior (for instance, scaleDown policies tuned for SSE workloads) by @​dunglas in #1217
  • Helm: Seed replicas at minReplicas on fresh install with HPA. Avoids the 30 to 90 second under-provisioning window where Kubernetes defaulted spec.replicas: 1 before the HPA caught up by @​dunglas in 8ea6a35
  • Docker: Re-apply cap_net_bind_service and ship a transport-aware HEALTHCHECK. Lets docker run --user 1000 bind 80/443 without losing the file capability the upstream caddy:2-alpine binary ships with. The new HEALTHCHECK hits /mercure/health/ready on the admin API instead of the deprecated /healthz by @​dunglas in #1222. (Note: the setcap line is removed in v0.23.5 because modern container runtimes set ip_unprivileged_port_start=0, and the file capability conflicted with restrictive K8s securityContexts — see the known-issues note above.)
  • Examples: Harden the chat demo chart and refresh dependencies. Moves to python:3.13-slim + gunicorn (replacing the unmaintained tiangolo/meinheld-gunicorn), bumps Flask to 3.0, PyJWT to 2.10, and uritemplate to 4.1, ships a NetworkPolicy template, runs the pod non-root on a read-only rootfs, and adds an HTTPRoute alongside the Ingress by @​dunglas in #1227, #1228

🐛 Bug Fixes

  • Cache: Cap the default topic-selector cache to 100k entries. The previous default (2.56M) could reach ~256MB at ~100B per entry on busy hubs, putting Go's runtime in a gcBgMarkWorker thrashing loop near GOMEMLIMIT. Resize per workload via topic_selector_cache in the Caddyfile (set to -1 to disable entirely) by @​dunglas in 8b24ffd
  • CI: Restore the multi-arch Docker image build. v0.23.3's release failed at RUN setcap because the linux/arm64 image build was not getting QEMU registered on the amd64 runner. Heads-up: v0.23.3 is an orphan tag; upgrade directly from v0.23.2 to v0.23.4 by @​dunglas in #1232

📖 Documentation

  • Helm: Correct the rootless deployment example. Binding 80/443 from a securityContext with allowPrivilegeEscalation: false requires the binary to bind on an unprivileged port (or on a runtime with ip_unprivileged_port_start=0, which is the default on containerd 1.5+ and Docker 20.10+). Recommend service.targetPort: 8080 as a portable workaround by @​dunglas in #1230

The hardening defaults in this release matter most for HA and multi-tenant Mercure deployments, where pod-to-pod isolation, a restricted PodSecurity profile, and conservative cache bounds are not optional. Mercure Cloud tenants already run with every default in this release applied for them, because we manage the cluster on their behalf, alongside the production transports (Redis, Kafka, Pulsar, Postgres) and an SLA-backed managed offering. Mercure Enterprise brings the same hardening on-premise plus the HA transports and priority support. Contact contact@mercure.rocks for the managed cloud offering, on-premise licenses, custom development, consulting, and training.

Full Changelog: v0.23.2...v0.23.4

v0.23.2

This patch release makes rolling updates non-disruptive for production Mercure deployments: SSE subscribers now drain naturally on hub shutdown, the bundled Helm chart ships SSE-friendly rolling-update defaults out of the box, and a subtle BoltDB race that could leak post-subscribe events into the Last-Event-ID header is fixed.

... (truncated)

Commits
  • 17d6111 chore: prepare release 0.23.5
  • 76d9c96 chore(docker): drop the setcap line; rely on ip_unprivileged_port_start=0 (#1...
  • 735b74e fix(chart): mount /data unconditionally so non-Bolt transports work under rea...
  • 6c7a438 chore: prepare release 0.23.4
  • 8a31d23 ci: set up QEMU and Buildx before goreleaser to fix the arm64 image build (#1...
  • 2b3dea4 chore: prepare release 0.23.3
  • ac6a63c feat(chart): tighten secure-by-default settings (#1231)
  • c6832a1 docs(chart): drop NET_BIND_SERVICE from the rootless example, target an unpri...
  • db3f75a feat(chart): add opt-in NetworkPolicy and CiliumNetworkPolicy templates (#1229)
  • 07af845 chore(examples/chat/chart): scope NetworkPolicy to Deployment pods (#1228)
  • Additional commits viewable in compare view

Updates github.com/dunglas/mercure/caddy from 0.22.1 to 0.23.5 (same release notes and commits as github.com/dunglas/mercure above)
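The crash loop the v0.23.5 notes attribute to `drop: [ALL]` follows from the kernel's execve rule for capability-dumb binaries. The following Python model, added here and not code from Mercure, Caddy or the kernel, replays that rule (as documented in capabilities(7)) on constructed securityContexts and image capability sets, and also models the ip_unprivileged_port_start fallback that makes service.targetPort: 8080 necessary on older runtimes. The cap set, the dict layout and the function names are assumptions.

```python
"""Toy model of the execve-time file-capability check behind the
"exec /usr/bin/caddy: operation not permitted" crash loop in the v0.23.5 notes
(rule from capabilities(7), "capability-dumb binaries"). Added example, not
Mercure, Caddy or kernel code; every input below is constructed."""
from dataclasses import dataclass

CAP_NET_BIND_SERVICE = "CAP_NET_BIND_SERVICE"
# Constructed stand-in for a runtime's default bounding set (real runtimes grant more).
RUNTIME_DEFAULT_CAPS = frozenset({CAP_NET_BIND_SERVICE, "CAP_CHOWN", "CAP_SETUID", "CAP_SETGID"})


@dataclass(frozen=True)
class FileCaps:
    """File caps as written by setcap(8): `cap_net_bind_service=+ep` fills the permitted
    set and sets the effective bit; the inheritable set stays empty."""
    permitted: frozenset
    effective_bit: bool
    inheritable: frozenset = frozenset()


def bounding_set(security_context: dict, runtime_default=RUNTIME_DEFAULT_CAPS) -> frozenset:
    """Bounding set from securityContext.capabilities: `drop: [ALL]` empties it, `add` re-adds.
    Kubernetes names caps without the CAP_ prefix, so it is restored here."""
    caps = security_context.get("capabilities", {})
    bset = set(runtime_default)
    for name in caps.get("drop", []):
        if name == "ALL":
            bset.clear()
        else:
            bset.discard(f"CAP_{name}")
    bset.update(f"CAP_{name}" for name in caps.get("add", []))
    return frozenset(bset)


def execve_check(bset: frozenset, fcaps, proc_inheritable=frozenset()) -> tuple:
    """(allowed, new_permitted) for a non-root execve of a file carrying `fcaps`.
    P'(permitted) = (P(bounding) & F(permitted)) | (P(inheritable) & F(inheritable)); with the
    file's effective bit set, a file-permitted cap missing from P'(permitted) means EPERM."""
    if fcaps is None:  # no security.capability xattr: nothing to gain, nothing to check
        return True, frozenset()
    new_permitted = (bset & fcaps.permitted) | (proc_inheritable & fcaps.inheritable)
    if fcaps.effective_bit and not fcaps.permitted <= new_permitted:
        return False, new_permitted  # the "operation not permitted" the pods logged
    return True, new_permitted


def can_bind(port: int, effective: frozenset, unprivileged_port_start: int) -> bool:
    """Ports below net.ipv4.ip_unprivileged_port_start need CAP_NET_BIND_SERVICE."""
    return port >= unprivileged_port_start or CAP_NET_BIND_SERVICE in effective


def pod_outcome(security_context: dict, fcaps, port: int, unprivileged_port_start: int) -> str:
    """Does the hub exec, and can it then bind its listen port?"""
    allowed, permitted = execve_check(bounding_set(security_context), fcaps)
    if not allowed:
        return "exec: operation not permitted"
    # A +ep binary starts with effective == permitted; with no file caps a non-root process
    # has an empty effective set, so only the sysctl can let it bind :80.
    if not can_bind(port, permitted, unprivileged_port_start):
        return f"bind :{port}: permission denied"
    return "running"


# Constructed inputs: the v0.23.4 image still ran `setcap cap_net_bind_service=+ep`,
# the v0.23.5 image ships no file capability; both securityContexts follow the notes.
IMAGE_V0_23_4 = FileCaps(permitted=frozenset({CAP_NET_BIND_SERVICE}), effective_bit=True)
IMAGE_V0_23_5 = None
DROP_ALL = {"runAsNonRoot": True, "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
DROP_ALL_ADD_BIND = {**DROP_ALL, "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}
```

Running `pod_outcome` over the four combinations reproduces the notes: drop ALL with the v0.23.4 image fails at exec, adding NET_BIND_SERVICE or moving to the v0.23.5 image starts the hub, and on a runtime whose sysctl still defaults to 1024 the v0.23.5 image only starts on port 8080.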

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) May 4, 2026

Bumps the go-modules group with 3 updates in the /caddy directory: [github.com/caddyserver/certmagic](https://github.com/caddyserver/certmagic), [github.com/dunglas/mercure](https://github.com/dunglas/mercure) and [github.com/dunglas/mercure/caddy](https://github.com/dunglas/mercure).


Updates `github.com/caddyserver/certmagic` from 0.25.2 to 0.25.3
- [Release notes](https://github.com/caddyserver/certmagic/releases)
- [Commits](caddyserver/certmagic@v0.25.2...v0.25.3)

Updates `github.com/dunglas/mercure` from 0.22.1 to 0.23.5
- [Release notes](https://github.com/dunglas/mercure/releases)
- [Commits](dunglas/mercure@v0.22.1...v0.23.5)

Updates `github.com/dunglas/mercure/caddy` from 0.22.1 to 0.23.5
- [Release notes](https://github.com/dunglas/mercure/releases)
- [Commits](dunglas/mercure@v0.22.1...v0.23.5)

---
updated-dependencies:
- dependency-name: github.com/caddyserver/certmagic
  dependency-version: 0.25.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-modules
- dependency-name: github.com/dunglas/mercure
  dependency-version: 0.23.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-modules
- dependency-name: github.com/dunglas/mercure/caddy
  dependency-version: 0.23.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/caddy/go-modules-e1745b6420 branch from b3f38b5 to 31e1272 May 11, 2026 18:07

dependabot Bot commented on behalf of github May 12, 2026

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this May 12, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/caddy/go-modules-e1745b6420 branch May 12, 2026 13:51