v0.21.0

What's Changed

• docs: Common Expression Language (CEL) by @guicassolato in #509
• fix doc paths by @R-Lawton in #511
• add version and fix broken link by @laurafitzgerald in #513
• fix smoketest link by @laurafitzgerald in #512
• kustomize: use patches instead of patchesJson6902 by @KevFan in #514
• Upgrade Go version to 1.22 by @guicassolato in #518
• build(deps): bump golang.org/x/net from 0.28.0 to 0.33.0 by @dependabot in #520
• build(deps): bump golang.org/x/crypto from 0.26.0 to 0.31.0 by @dependabot in #521
• spelling fixes in crs by @laurafitzgerald in #517
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @dependabot in #522
• ci: enable merge_group by @KevFan in #524

New Contributors

• @R-Lawton made their first contribution in #511
• @laurafitzgerald made their first contribution in #513

Full Changelog: v0.20.0...v0.21.0

v0.20.0

What's Changed

• Descriptions for the CEL fields of the API by @guicassolato in #508
• fix: add authorizationGroups property to K8s SAR authorization, fixes #506 by @dhirajsb in #507

New Contributors

• @dhirajsb made their first contribution in #507

Full Changelog: v0.19.0...v0.20.0

v0.19.0

What's Changed

New features and Enhancements

• AuthConfig v1beta3, by @KevFan in #493
  • This is a new version of the API that is a superset of v1beta2, which means all AuthConfig resources based the older version (v1beta2) will continue to function. However, to be able to leverage the new features only in v1beta3, users should update their resources as soon as possible.
  • At some point after upgrading to v0.19.0, users are also invited to migrate their AuthConfigs stored in the cluster's database by running the following script. This will guarantee readiness for upgrading in the future to a newer version of Authorino where v1beta2 is no longer served.

    cat << 'EOF' > /tmp/migrate.sh
    #!/bin/bash
    authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers)
    while IFS=" " read -r namespace name; do
      kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml"
      kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml"
    done <<< "$authconfigs"
    EOF
    chmod +x /tmp/migrate.sh
    /tmp/migrate.sh

  • Removal of AuthConfig v1beta1. Users in a older version of Authorino (< 0.18.0) must upgrade first to v0.18.0 ASAP, run the migration script to get stored resources bumped to v1beta2, and then upgrade to v0.19.0. Attempts to upgrade directly from older versions to v0.19.0 will fail.
  • Removal of the conversion webhook (deployed by the Authorino Operator) and therefore cert-manager is no longer a requirement for Authorino.
• Common Expression Language (CEL), by @alexsnaps in #495
  • when conditions and dynamic selector of values from the Authorization JSON now accept Common Expression Language (CEL). E.g.:

    apiVersion: authorino.kuadrant.io/v1beta3
    kind: AuthConfig
    metadata:
      name: my-authconfig
    spec:
      hosts: […]
      metadata:
        "authorized-ips":
          http:
            urlExpression: |
              "https://authorized-ips.default.cluster.local?nonce=" + request.id
      authorization:
        "acl":
          patternMatching:
            patterns:
            - predicate: source.address.split(":")[0] in auth.metadata["authorized-ips"]
          cache:
            key:
              expression: source.address.split(":")[0]
            ttl: 600
        "max-request-size":
          when:
          - predicate: request.method.lowerAscii() == "post"
          patternMatching:
            patterns:
            - predicate: request.size <= 1024

  • Supports CEL strings extension, by @alexsnaps in #503

Bug fixes

• Fixes conversion of v1beta2 static values to string, used at the following configs, by @guicassolato in #501
  • SubjectAccessReview authorization
  • SpiceDB check permissions
  • External HTTP requests (metadata, external Rego policies, etc)

Dependencies and Tooling

• build(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.68.0 by @dependabot in #490

Full Changelog: v0.18.0...v0.19.0

v0.18.1

What's Changed

Bug fixes

• Fixes conversion of v1beta2 static values to string, used at the following configs, by @guicassolato in #502
  • SubjectAccessReview authorization
  • SpiceDB check permissions
  • External HTTP requests (metadata, external Rego policies, etc)

Full Changelog: v0.18.0...v0.18.1

v0.18.0

What's Changed

New features and Enhancements

• AuthConfig v1beta2 API version became the new default version stored in the cluster database

  Important! After upgrading to Authorino v0.18.0, users must migrate all AuthConfig resources to v1beta2 stored in the cluster database by running the following script. This can be done at any time before upgrading to newer versions of Authorino post this one, without downtime or any intrinsic risk of breaking deployments before, during or after the migration.

  cat << 'EOF' > /tmp/migrate.sh
  #!/bin/bash
  authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers)
  while IFS=" " read -r namespace name; do
    kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml"
    kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml"
  done <<< "$authconfigs"
  EOF
  chmod +x /tmp/migrate.sh
  /tmp/migrate.sh

  Related PRs:

  • Make v1beta2 the stored version by @alexsnaps in #483
  • Use v1beta2 as hub version by @alexsnaps in #482
  • V1beta2 by @alexsnaps in #487

• Version info, commit sha and dirty code flag stamped inside the Authorino binary, by @ehearneRedHat in #473
  Check the build info by running:

  docker run --rm --entrypoint authorino quay.io/kuadrant/authorino:v0.18.0 version

Dependencies and Tooling

• build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #461
• Upgrade Go version to 1.21 by @guicassolato in #465
• Bump OPA to v0.64.1 (latest) by @guicassolato in #466
• Update controller-gen to v0.15.0 by @adam-cattermole in #476
• Add license scan report and status by @fossabot in #478

Docs

• [docs] avoid false positive openssl-related security flagging by @guicassolato in #472

New Contributors

• @fossabot made their first contribution in #478
• @ehearneRedHat made their first contribution in #473

Full Changelog: v0.17...v0.18.0

v0.17.2

What's Changed

Bug fixes

• Handle invalid ext_authz request (by @guicassolato in #462)

Dependencies and Tooling

• controller-runtime/setup-envtest fixed to version 0.16 (by @guicassolato in 9a4e4d4, as part of #462)

Full Changelog: v0.17.1...v0.17.2

v0.17.1

What's Changed

Bug fixes

• Fixes /server-metrics endpoint which was returning 404 Not Found due to a bug introduced in v0.16.0 (by @guicassolato in #458)

Full Changelog: v0.17.0...v0.17.1

v0.17.0

What's Changed

New features and Enhancements

• [Breaking change] 'Client authentication' extended key usage for x.509 certificate authentication method by @guicassolato in #407
  • Changes the extended key usage verified by the x.509 certificate authentication method (mTLS) from 'Server authentication' to 'Client authentication'
  • This makes the extended key usage required for issuing client certificates more in line with user expectations
  • Existing valid X.509 certificates issued with the 'Server authentication' key usage will no longer be accepted after rolling out this change

Bug fixes

• OpenTelemetry Schema URL bumped to 1.21.0 by @guicassolato in #455
  • Fixes an error in the initialization of Authorino when tracing services were enabled, by pointing to the correct OpenTelemetry Schema version corresponding to the tracing dependencies in use.

Dependencies and Tooling

• Updated some GitHub Actions related to issue tracking and project management by @alexsnaps in #449 and #453
• Upgraded golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #450

Documentation

• Multiple docs enhancement (aiming for better rendering at https://docs.kuadrant.io) by @Boomatang in #446
• Fixed some broken links by @jasonmadigan in #456
• Code of Conduct (CoC) updated to match Kuadrant's Community CoC by @guicassolato in #454
• Instructions to release Authorino by @didierofrivia in #457
• Added MAINTAINERS and ADOPTERS files by @guicassolato in #452

New Contributors

• @Boomatang made their first contribution in #446
• @jasonmadigan made their first contribution in #456

Full Changelog: v0.16.0...v0.17.0

v0.16.0

What's Changed

Dependencies and Tooling

• Upgraded golang.org/x/net from 0.9.0 to 0.17.0 by @dependabot in #435
• Upgraded google.golang.org/grpc from 1.54.0 to 1.57.0 by @dependabot in #440
• Upgraded google.golang.org/grpc from 1.57.0 to 1.57.1 by @dependabot in #442
• Upgraded Go to 1.20 by @guicassolato in #443
• Upgraded controller-runtime to 0.16.3 by @KevFan in #444
• Upgraded OpenTelemetry (otel) Contrib dependencies to 0.46.1 by @alexsnaps in #448
  • Addresses CVE-2023-47108 and CVE-2023-45142

Tests

• Fixed flaky tests by @guicassolato in #436

Documentation

• Added instructions for Kuadrant users to the user guides by @guicassolato in #439
• Update Keycloak examples to Keycloak v20.0. by @guicassolato in #441
• Flagged markdown content in HTML blocks (for better rendering of the docs at docs.kuadrant.io) by @guicassolato in #445

New Contributors

• @alexsnaps made their first contribution in #448

Full Changelog: v0.15.0...v0.16.0

v0.15.0

What's Changed

New features and enhancements

• AuthConfig v1beta2 (by @guicassolato in #417, #431)
  • This is a big one that we've been cooking for quite some time! The AuthConfig API received a facelift and it now feels a lot more natural and declarative.
  • Example of resource based on the new API:

    apiVersion: authorino.kuadrant.io/v1beta2
    kind: AuthConfig
    metadata:
      name: my-app-protection
    spec:
      hosts:
      - my-app.io
      authentication:
        "friends":
          apiKey:
            selector:
              matchLabels:
                "app": "my-app"
          credentials:
            authorizationHeader:
              prefix: API-KEY
      authorization:
        "admin-only":
          patternMatching:
            patterns:
            - selector: auth.identity.metadata.annotations.group
              operator: eq
              value: admin
      response:
        unauthenticated:
          message:
            value: Authentication failed
        unauthorized:
          message:
            value: Access denied
        success:
          headers:
            "x-username":
              plain:
                selector: auth.identity.metadata.annotations.username

  • Highlights:
    • Lists/arrays of named definitions are now structured as objects
    • Dynamic values fetched from the Authorization JSON are now generally called selectors and replace the more complex valueFrom.authJSON.
    • spec.identity renamed as spec.authentication (with no consequence to the resolved identity object, which continues to be referred to as auth.identity in the Authorization JSON)
    • Several auth methods renamed and some slightly restructured for a more seamless UX
      • identity.oidc → authentication.jwt
      • identity.oauth2 → authentication.oauth2Introspection
      • identity.mtls → authentication.x509
      • identity.kubernetes → authentication.kubernetesTokenReview
      • identity.credentials{in, keySelector} → authentication.credentials{authorizationHeader | customHeader | queryString | cookie}
      • identity.extendedProperties → authentication.overrides and authentication.defaults
      • authorization.json{rules} → authorization.patternMatching{patterns}
      • authorization.kubernetes → authorization.kubernetesSubjectAccessReview
      • authorization.authzed → authorization.spicedb
    • Restructuring of spec.response
      • response.wrappers restructured as proper properties of new field response.success
      • denyWith{unauthenticated, unauthorized} → response{unauthenticated, unauthorized}
    • Few other minor enhancements preparing for the future, e.g.:
      • Unification of the configs for building HTTP clients
      • Full YAML/JSON data type compatibility for setting static values (so it behaves in the same way as when selecting a dynamic value from the Authorization JSON)
  • Backward compatibility:
    • [Deprecation warning] The old v1beta1 API continues to be served and, for at least one version, will be the schema of all stored resources – so users have time to upgrade their automation to v1beta2 before the next release. (More instructions to come soon.)
    • To support both versions of the APIs, a new conversion webhook service has been introduced. (Deployed automatically the Authorino Operator.)
• OR operator for when conditions (by @guicassolato in #427)
  • Another long-awaited feature! Conditionals now support disjunction (any).
  • E.g., to allow anonymous access (i.e., no authentication required) for all HTTP requests with path =~ '/test*' OR method == 'GET' (occasionally both can be true):

    spec:
      authentication:
        anonymous-request:
          when:
          - any:
            - selector: request.path
              operator: matches
              value: ^/test.*
            - selector: request.method
              operator: eq
              method: GET
          anonymous: {}

  • AND operation can still be enforced by specifying the new field all (default if omitted). E.g., including nested conditions, to express host == 'foo.apis.io' AND ((path =~ '/test*' AND (method == 'POST' OR method == 'PUT')) OR method == 'GET'):

    spec:
      authentication:
        anonymous-request:
          when:
          - selector: context.request.http.host
            operator: eq
            value: foo.apis.io
          - any:
            - all:
              - selector: context.request.http.path
                operator: matches
                value: ^/test.*
              - any:
                - selector: context.request.http.method
                  operator: eq
                  value: POST
                - selector: context.request.http.method
                  operator: eq
                  value: PUT
            - selector: context.request.http.method
              operator: eq
              value: GET
          anonymous: {}

• Well-known attributes (by @didierofrivia in #428)
  • Implements Kuadrant's Well-known Attributes for navigating the Authorization JSON
  • This not only enhances the AuthConfig API with more concise and comprehensible selectors, but will also give users of Kuadrant's AuthPolicy CRD a more seamless experience compared to the other APIs of the suite, such as the RateLimitPolicy CRD
  • [Deprecation warning] Deprecation of the context.* paths of the Authorization JSON – to be removed in future releases
• Enable/disable host name collision prevention for strict host subsets (by @guicassolato in #434)
  • New command-line flag --allow-superseding-host-subsets that disables the host name collision prevention for strict subsets of hosts attempted to be linked after a superset already taken.
  • Allows to create AuthConfigs first for a bigger set of host name domains, then supersede a subset of it with a second AuthConfig applied after
  • Recommended for specific use cases where other measures are in place to avoid users taking partial control of one another's auth schemes.

Dependencies and Tooling

• Bump kind to v0.20.0 and make sure to use the bin/kind binary in command of the Makefile (by @KevFan in #412)
• Update workflow actions (by @adam-cattermole in #420)
• Add new issues workflow (by @adam-cattermole in #421)

Documentation

• Several minor improvement and fixes in the docs (by @KevFan in #414)
• Updated reference to #kuadrant Slack channel, moved to kubernetes.slack.com (by @guicassolato in #413)

Refactoring and Minor fixes

• Lint issues (by @adam-cattermole in #419)
• Added logs for when an AuthConfig is de-indexed (by @adam-cattermole in #426)

New Contributors

• @KevFan made their first contribution in #412
• @adam-cattermole made their first contribution in #420

Full Changelog: v0.14.0...v0.15.0