Releases: Kuadrant/authorino
Releases · Kuadrant/authorino
v0.18.0
What's Changed
New features and Enhancements
-
AuthConfig v1beta2 API version became the new default version stored in the cluster database
Important! After upgrading to Authorino v0.18.0, migrate all your AuthConfigs resources to v1beta2 stored in the cluster database by running the following script:
cat << 'EOF' > /tmp/migrate.sh #!/bin/bash authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers) while IFS=" " read -r namespace name; do kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml" kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml" done <<< "$authconfigs" EOF chmod +x /tmp/migrate.sh /tmp/migrate.sh
Related PRs:
- Make v1beta2 the stored version by @alexsnaps in #483
- Use v1beta2 as hub version by @alexsnaps in #482
- V1beta2 by @alexsnaps in #487
-
Version info, commit sha and dirty code flag stamped inside the Authorino binary, by @ehearneRedHat in #473
Check the build info by running:docker run --rm --entrypoint authorino quay.io/kuadrant/authorino:v0.18.0 version
Dependencies and Tooling
- build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #461
- Upgrade Go version to 1.21 by @guicassolato in #465
- Bump OPA to v0.64.1 (latest) by @guicassolato in #466
- Update controller-gen to v0.15.0 by @adam-cattermole in #476
- Add license scan report and status by @fossabot in #478
Docs
- [docs] avoid false positive openssl-related security flagging by @guicassolato in #472
New Contributors
- @fossabot made their first contribution in #478
- @ehearneRedHat made their first contribution in #473
Full Changelog: v0.17...v0.18.0
v0.17.2
What's Changed
Bug fixes
- Handle invalid ext_authz request (by @guicassolato in #462)
Dependencies and Tooling
- controller-runtime/setup-envtest fixed to version 0.16 (by @guicassolato in 9a4e4d4, as part of #462)
Full Changelog: v0.17.1...v0.17.2
v0.17.1
What's Changed
Bug fixes
- Fixes
/server-metrics
endpoint which was returning404 Not Found
due to a bug introduced in v0.16.0 (by @guicassolato in #458)
Full Changelog: v0.17.0...v0.17.1
v0.17.0
What's Changed
New features and Enhancements
- [Breaking change] 'Client authentication' extended key usage for x.509 certificate authentication method by @guicassolato in #407
- Changes the extended key usage verified by the x.509 certificate authentication method (mTLS) from 'Server authentication' to 'Client authentication'
- This makes the extended key usage required for issuing client certificates more in line with user expectations
- Existing valid X.509 certificates issued with the 'Server authentication' key usage will no longer be accepted after rolling out this change
Bug fixes
- OpenTelemetry Schema URL bumped to 1.21.0 by @guicassolato in #455
- Fixes an error in the initialization of Authorino when tracing services were enabled, by pointing to the correct OpenTelemetry Schema version corresponding to the tracing dependencies in use.
Dependencies and Tooling
- Updated some GitHub Actions related to issue tracking and project management by @alexsnaps in #449 and #453
- Upgraded golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #450
Documentation
- Multiple docs enhancement (aiming for better rendering at https://docs.kuadrant.io) by @Boomatang in #446
- Fixed some broken links by @jasonmadigan in #456
- Code of Conduct (CoC) updated to match Kuadrant's Community CoC by @guicassolato in #454
- Instructions to release Authorino by @didierofrivia in #457
- Added MAINTAINERS and ADOPTERS files by @guicassolato in #452
New Contributors
- @Boomatang made their first contribution in #446
- @jasonmadigan made their first contribution in #456
Full Changelog: v0.16.0...v0.17.0
v0.16.0
What's Changed
Dependencies and Tooling
- Upgraded golang.org/x/net from 0.9.0 to 0.17.0 by @dependabot in #435
- Upgraded google.golang.org/grpc from 1.54.0 to 1.57.0 by @dependabot in #440
- Upgraded google.golang.org/grpc from 1.57.0 to 1.57.1 by @dependabot in #442
- Upgraded Go to 1.20 by @guicassolato in #443
- Upgraded controller-runtime to 0.16.3 by @KevFan in #444
- Upgraded OpenTelemetry (otel) Contrib dependencies to 0.46.1 by @alexsnaps in #448
- Addresses CVE-2023-47108 and CVE-2023-45142
Tests
- Fixed flaky tests by @guicassolato in #436
Documentation
- Added instructions for Kuadrant users to the user guides by @guicassolato in #439
- Update Keycloak examples to Keycloak v20.0. by @guicassolato in #441
- Flagged markdown content in HTML blocks (for better rendering of the docs at docs.kuadrant.io) by @guicassolato in #445
New Contributors
- @alexsnaps made their first contribution in #448
Full Changelog: v0.15.0...v0.16.0
v0.15.0
What's Changed
New features and enhancements
- AuthConfig
v1beta2
(by @guicassolato in #417, #431)- This is a big one that we've been cooking for quite some time! The AuthConfig API received a facelift and it now feels a lot more natural and declarative.
- Example of resource based on the new API:
apiVersion: authorino.kuadrant.io/v1beta2 kind: AuthConfig metadata: name: my-app-protection spec: hosts: - my-app.io authentication: "friends": apiKey: selector: matchLabels: "app": "my-app" credentials: authorizationHeader: prefix: API-KEY authorization: "admin-only": patternMatching: patterns: - selector: auth.identity.metadata.annotations.group operator: eq value: admin response: unauthenticated: message: value: Authentication failed unauthorized: message: value: Access denied success: headers: "x-username": plain: selector: auth.identity.metadata.annotations.username
- Highlights:
- Lists/arrays of named definitions are now structured as objects
- Dynamic values fetched from the Authorization JSON are now generally called
selector
s and replace the more complexvalueFrom.authJSON
. spec.identity
renamed asspec.authentication
(with no consequence to the resolved identity object, which continues to be referred to asauth.identity
in the Authorization JSON)- Several auth methods renamed and some slightly restructured for a more seamless UX
identity.oidc
→authentication.jwt
identity.oauth2
→authentication.oauth2Introspection
identity.mtls
→authentication.x509
identity.kubernetes
→authentication.kubernetesTokenReview
identity.credentials{in, keySelector}
→authentication.credentials{authorizationHeader | customHeader | queryString | cookie}
identity.extendedProperties
→authentication.overrides
andauthentication.defaults
authorization.json{rules}
→authorization.patternMatching{patterns}
authorization.kubernetes
→authorization.kubernetesSubjectAccessReview
authorization.authzed
→authorization.spicedb
- Restructuring of
spec.response
response.wrapper
s restructured as proper properties of new fieldresponse.success
denyWith{unauthenticated, unauthorized}
→response{unauthenticated, unauthorized}
- Few other minor enhancements preparing for the future, e.g.:
- Unification of the configs for building HTTP clients
- Full YAML/JSON data type compatibility for setting static values (so it behaves in the same way as when selecting a dynamic value from the Authorization JSON)
- Backward compatibility:
- [Deprecation warning] The old
v1beta1
API continues to be served and, for at least one version, will be the schema of all stored resources – so users have time to upgrade their automation tov1beta2
before the next release. (More instructions to come soon.) - To support both versions of the APIs, a new conversion webhook service has been introduced. (Deployed automatically the Authorino Operator.)
- [Deprecation warning] The old
- OR operator for
when
conditions (by @guicassolato in #427)- Another long-awaited feature! Conditionals now support disjunction (
any
). - E.g., to allow anonymous access (i.e., no authentication required) for all HTTP requests with
path =~ '/test*' OR method == 'GET'
(occasionally both can be true):spec: authentication: anonymous-request: when: - any: - selector: request.path operator: matches value: ^/test.* - selector: request.method operator: eq method: GET anonymous: {}
- AND operation can still be enforced by specifying the new field
all
(default if omitted). E.g., including nested conditions, to expresshost == 'foo.apis.io' AND ((path =~ '/test*' AND (method == 'POST' OR method == 'PUT')) OR method == 'GET')
:spec: authentication: anonymous-request: when: - selector: context.request.http.host operator: eq value: foo.apis.io - any: - all: - selector: context.request.http.path operator: matches value: ^/test.* - any: - selector: context.request.http.method operator: eq value: POST - selector: context.request.http.method operator: eq value: PUT - selector: context.request.http.method operator: eq value: GET anonymous: {}
- Another long-awaited feature! Conditionals now support disjunction (
- Well-known attributes (by @didierofrivia in #428)
- Implements Kuadrant's Well-known Attributes for navigating the Authorization JSON
- This not only enhances the AuthConfig API with more concise and comprehensible selectors, but will also give users of Kuadrant's
AuthPolicy
CRD a more seamless experience compared to the other APIs of the suite, such as theRateLimitPolicy
CRD - [Deprecation warning] Deprecation of the
context.*
paths of the Authorization JSON – to be removed in future releases
- Enable/disable host name collision prevention for strict host subsets (by @guicassolato in #434)
- New command-line flag
--allow-superseding-host-subsets
that disables the host name collision prevention for strict subsets of hosts attempted to be linked after a superset already taken. - Allows to create AuthConfigs first for a bigger set of host name domains, then supersede a subset of it with a second AuthConfig applied after
- Recommended for specific use cases where other measures are in place to avoid users taking partial control of one another's auth schemes.
- New command-line flag
Dependencies and Tooling
- Bump kind to v0.20.0 and make sure to use the bin/kind binary in command of the Makefile (by @KevFan in #412)
- Update workflow actions (by @adam-cattermole in #420)
- Add new issues workflow (by @adam-cattermole in #421)
Documentation
- Several minor improvement and fixes in the docs (by @KevFan in #414)
- Updated reference to
#kuadrant
Slack channel, moved to kubernetes.slack.com (by @guicassolato in #413)
Refactoring and Minor fixes
- Lint issues (by @adam-cattermole in #419)
- Added logs for when an AuthConfig is de-indexed (by @adam-cattermole in #426)
New Contributors
- @KevFan made their first contribution in #412
- @adam-cattermole made their first contribution in #420
Full Changelog: v0.14.0...v0.15.0
v0.14.0
New features and Enhancements
- New response method
plain
(#393)- Allows configuring for the injection of HTTP request headers whose value are simple text/plain values.
- This is an alternative to having to stringify a JSON object using the
json
response method.
- Control over overwriting values in the identity object added to the API (#399)
- Adds new property
overwrite: bool
(default:false
) to the extended properties that allows to force extend the identity object or only when the property is missing
- Adds new property
- New tighten-up Permissions over Authorino files within the container (#391)
- Adds a new dedicated home path in the file system within the container for the Authorino binary and any other future Authorino files.
- The directory is owned by a new
authorino
Linux user androot
Linux group. - Allows running Authorino on OpenShift with the default unprivileged user on standard
restricted
security context strategy, without the files having to be owned by root. - In other environments, users can choose to run the container as root or as the less privileged
authorino
user.
- [Breaking change] New escaping of base64-decoded strings (#401)
- Authorino now automatically escapes double quotes within strings extracted from the Authorization JSON and decoded with the
@base64
modifier. - The typical use case for this is to be able to parse base64-encoded strings that represent valid JSON types other than simple strings (e.g. objects and arrays) and navigate those structures with normal JSON paths. For example, for parsing a JWT straight from the Authorization header.
- The new behavior comes with a minor breaking change though, which is the dropping of support for base64 URL-encoded values. As a consequence, base64-encoded strings, passed and extracted from the URL path to be decoded with the
@base64
modifier, for example, must not include the URL-encoded right padding characters (i.e.=
, encoded as%3D
). Authorino will fail to decode such values. To work around this limitation, use the@replace
modifier before decoding with@base64:decode
.
- Authorino now automatically escapes double quotes within strings extracted from the Authorization JSON and decoded with the
- [Breaking change] Simple Kubernetes TokenReview identity object (#403)
- Makes the Kubernetes TokenReview-based identity method to always fill the identity object from the status field of the TokenReview response, as opposed to the current hybrid behaviour of trying to detect whether the verified access token is a JWT or an opaque token.
- Users relying on JWT detection can still extract, decode and parse the JWT directly from the Authorization header. Here’s an example extending the identity object. E.g.
spec: identity: - name: k8s-tokenreview kubernetes: extendedProperties: - name: jwt valueFrom: authJSON: context.request.http.headers.authorization|@extract:{"pos":1}|@extract:{"sep":".","pos":1}|@base64:decode|@fromstr
Dependencies and Tooling
Testing
Documentation
- Fix instructions to extract Kubernetes TokenReview username from the identity object mentioned in the docs (#408)
- Fix wrong metric type mentioned in the docs by @averevki (#410)
Other minor fixes
Full Changelog: v0.13.0...v0.14.0
v0.13.0
New features and Enhancements
- Activated server reflection in the gRPC authorization interface (#388)
- Makes it easy to send authorization requests to Authorino via gRPC without having to supply the proto files - e.g.
grpcurl -plaintext -d @ authorino:50051 envoy.service.auth.v3.Authorization.Check {...}
- Makes it easy to send authorization requests to Authorino via gRPC without having to supply the proto files - e.g.
- Tracing enhancements
- Replaces Jaeger Thrift integration with OpenTelemetry OTLP (#390)
- [Breaking change!] Server command-line
--tracing-service-endpoint
now requires 'rpc' or 'http' - New server command-line option:
--tracing-service-insecure=bool
- disable TLS for the tracing service connection (default:false
)
- [Breaking change!] Server command-line
- Propagate W3C Trace Context in the requests to external services such as when fetching metadata, verifying OAuth2 opaque tokens, and pulling OPA policies from registry (#386 by @Rohith-Raju)
- Ensure the request ID is always present in the traces and logs by retrieving from context or generating random one when not available (#389)
- Replaces Jaeger Thrift integration with OpenTelemetry OTLP (#390)
Full Changelog: v0.12.0...v0.13.0
v0.12.0
New features and Enhancements
- New Auth Pipeline phase:
callbacks
(#368, #371)- Allows to send configurable HTTP requests to external services at the end of Auth Pipeline
- Same API as the HTTP GET/GET-by-POST metadata method
when
conditions and access to the Authorization JSON just like any other evaluator
- Built-in integration with Authzed SpiceDB (#375)
- Configurable check permission requests sent by Authorino to an external SpiceDB instance via GRPC (authorization phase)
- Demo available in this YouTube video: https://youtu.be/lL9YsdDaRXk
- New JSON path
@strip
string modifier for easy removing of non printable characters (#374 by @OperationalDev, #377) - Support for multi-element JSON responses from external sources of metadata (#376)
- Support for OAuth2 client credentials for fetching metadata and callbacks (#379, #381)
- Tracing (#380 by @Rohith-Raju, #384)
- Authorino now emits traces to an external OpenTelemetry tracing service
- Support for W3C Trace Context format and user-defined baggage traces
Dependencies and Tooling
- golang.org/x/net bumped from 0.6.0 to 0.7.0 (#382)
Documentation
- Fixed typo in TokenRequest API link (#383 by @bartoszmajsak)
- Fix broken link and examples in the Edge Authentication guide (#387 by @averevki)
Minor fixes and enhancements
Special thanks to our new contributors 🎉
- @OperationalDev made their first contribution in #374
- @bartoszmajsak made their first contribution in #383
- @Rohith-Raju made their first contribution in #380
- @averevki made their first contribution in #387
Full Changelog: v0.11.0...v0.12.0
v0.11.0
New features and Enhancements
- Health check/readiness probe endpoints (#365)
- Allows to check for the aggregated status of handled AuthConfigs at
/readyz/authconfigs
- Allows to check for the aggregated status of handled AuthConfigs at
- Command-line interface (CLI) (#366)
- Configuration options, including for the authorization server, now passed as command-line arguments
- [Deprecation warning] Deprecation of the old environment variables to configure Authorino
- Version of the Authorino binary can now be verified with the
authorino version
command
Bug fixes
- Safe concurrent access to the Auth Pipeline maps (#358)
Documentation
- Observability (health/readiness probe endpoints) and new CLI (#367)
- Observability section refactored to include in one user guide: metrics, readiness, logging and tracing
- Fixed all references to deprecated environment variables, to favor their corresponding command-line flag substitutes
Dependencies and Tooling
- OPA module upgraded to v0.43.1 (#352)
- General improvements in OPA
- Security patches: CVE-2022-36085, CVE-2022-27664 and CVE-2022-32190
- Golang upgraded to v1.18 (#354, #362)