v0.19.0

@guicassolato guicassolato released this 05 Nov 13:06
25c9702

What's Changed

New features and Enhancements

  • AuthConfig v1beta3, by @KevFan in #493
    • This is a new version of the API that is a superset of v1beta2, which means all AuthConfig resources based on the older version (v1beta2) will continue to function. However, to leverage the features available only in v1beta3, users should update their resources as soon as possible.
    • At some point after upgrading to v0.19.0, users are also invited to migrate their AuthConfigs stored in the cluster's database by running the following script. This will guarantee readiness for upgrading in the future to a newer version of Authorino where v1beta2 is no longer served.
      cat << 'EOF' > /tmp/migrate.sh
      #!/bin/bash
      authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers)
      while IFS=" " read -r namespace name; do
        kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml"
        kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml"
      done <<< "$authconfigs"
      EOF
      chmod +x /tmp/migrate.sh
      /tmp/migrate.sh
    • Removal of AuthConfig v1beta1. Users on an older version of Authorino (< 0.18.0) must first upgrade to v0.18.0 ASAP, run the migration script to get stored resources bumped to v1beta2, and then upgrade to v0.19.0. Attempts to upgrade directly from older versions to v0.19.0 will fail.
    • Removal of the conversion webhook (deployed by the Authorino Operator) and therefore cert-manager is no longer a requirement for Authorino.
  • Common Expression Language (CEL), by @alexsnaps in #495
    • 'when' conditions and dynamic selectors of values from the Authorization JSON now accept Common Expression Language (CEL). E.g.:
      apiVersion: authorino.kuadrant.io/v1beta3
      kind: AuthConfig
      metadata:
        name: my-authconfig
      spec:
        hosts: […]
        metadata:
          "authorized-ips":
            http:
              urlExpression: |
                "https://authorized-ips.default.cluster.local?nonce=" + request.id
        authorization:
          "acl":
            patternMatching:
              patterns:
              - predicate: source.address.split(":")[0] in auth.metadata["authorized-ips"]
            cache:
              key:
                expression: source.address.split(":")[0]
              ttl: 600
          "max-request-size":
            when:
            - predicate: request.method.lowerAscii() == "post"
            patternMatching:
              patterns:
              - predicate: request.size <= 1024
    • Supports CEL strings extension, by @alexsnaps in #503
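
The AuthConfig version notes above concern resources stored in the cluster. AuthConfig manifests kept in files (for example in a Git repository) can be audited for older API versions before the upgrade with the script below. It is an added example, not part of the release notes or the Authorino project. The function names and output format are made up here, and it assumes one resource per YAML document with top-level apiVersion and kind keys.

```bash
# Added example, not part of the Authorino project.
# scan_authconfigs DIR
#   Lists every AuthConfig document in *.yaml/*.yml files under DIR as
#     <status> <version> <file>#<document index>
#   REMOVED = v1beta1 (removed in v0.19.0)
#   UPDATE  = v1beta2 (still functions, lacks the v1beta3-only features)
#   OK      = v1beta3
#   UNKNOWN = any other version string in the authorino.kuadrant.io group
#   Only top-level apiVersion/kind keys are read; List wrappers are not unpacked.
scan_authconfigs() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec awk '
    # Print the document collected so far, then reset the per-document state.
    function emit(   status) {
      if (kind == "AuthConfig" && ver != "") {
        status = "UNKNOWN"
        if (ver == "v1beta1") status = "REMOVED"
        else if (ver == "v1beta2") status = "UPDATE"
        else if (ver == "v1beta3") status = "OK"
        printf "%s %s %s#%d\n", status, ver, file, doc
      }
      kind = ""; ver = ""
    }
    # New file: flush the last document of the previous file first.
    FNR == 1      { emit(); file = FILENAME; doc = 1; seen = 0 }
    # YAML document separator; a leading "---" does not count as a document.
    /^---[ \t]*$/ { emit(); if (seen) doc++; seen = 0; next }
    /^[^# \t]/    { seen = 1 }
    /^apiVersion:[ \t]*"?authorino\.kuadrant\.io\// {
      ver = $2; gsub(/"/, "", ver); sub(/^.*\//, "", ver)
    }
    /^kind:/      { kind = $2; gsub(/"/, "", kind) }
    END           { emit() }
  ' {} + | LC_ALL=C sort
}

# has_removed_versions DIR
#   Exit status 0 when at least one manifest still declares v1beta1.
has_removed_versions() {
  scan_authconfigs "$1" | grep -q '^REMOVED '
}
```

Run `scan_authconfigs ./manifests` from the repository root; `has_removed_versions` can gate a CI job.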

Bug fixes

  • Fixes conversion of v1beta2 static values to string, used at the following configs, by @guicassolato in #501
    • SubjectAccessReview authorization
    • SpiceDB check permissions
    • External HTTP requests (metadata, external Rego policies, etc)

Dependencies and Tooling

  • build(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.68.0 by @dependabot in #490

Full Changelog: v0.18.0...v0.19.0