v0.19.0
What's Changed
New features and Enhancements
- AuthConfig v1beta3, by @KevFan in #493
- This is a new version of the API that is a superset of v1beta2, which means all AuthConfig resources based on the older version (v1beta2) will continue to function. However, to use the new features available only in v1beta3, users should update their resources as soon as possible.
- At some point after upgrading to v0.19.0, users are also invited to migrate their AuthConfigs stored in the cluster's database by running the following script. This will guarantee readiness for upgrading in the future to a newer version of Authorino where v1beta2 is no longer served.
```sh
cat << 'EOF' > /tmp/migrate.sh
#!/bin/bash

authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers)

while IFS=" " read -r namespace name; do
  kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml"
  kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml"
done <<< "$authconfigs"
EOF

chmod +x /tmp/migrate.sh
/tmp/migrate.sh
```
- Removal of AuthConfig v1beta1. Users on an older version of Authorino (< 0.18.0) must upgrade first to v0.18.0 ASAP, run the migration script to get stored resources bumped to v1beta2, and then upgrade to v0.19.0. Attempts to upgrade directly from older versions to v0.19.0 will fail.
- Removal of the conversion webhook (deployed by the Authorino Operator) and therefore cert-manager is no longer a requirement for Authorino.
- Common Expression Language (CEL), by @alexsnaps in #495
- `when` conditions and dynamic selector of values from the Authorization JSON now accept Common Expression Language (CEL). E.g.:

```yaml
apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
  name: my-authconfig
spec:
  hosts: […]
  metadata:
    "authorized-ips":
      http:
        urlExpression: |
          "https://authorized-ips.default.cluster.local?nonce=" + request.id
  authorization:
    "acl":
      patternMatching:
        patterns:
        - predicate: source.address.split(":")[0] in auth.metadata["authorized-ips"]
      cache:
        key:
          expression: source.address.split(":")[0]
        ttl: 600
    "max-request-size":
      when:
      - predicate: request.method.lowerAscii() == "post"
      patternMatching:
        patterns:
        - predicate: request.size <= 1024
```
- Supports CEL strings extension, by @alexsnaps in #503
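A pre-upgrade audit of AuthConfig manifests kept in files, added here as an example and not part of the Authorino project: it classifies each document by the API version status these notes describe (v1beta1 removed, v1beta2 still served, v1beta3 current). The function names, status labels and sample manifests are constructed for illustration.

```bash
# Added example, not Authorino project code. Statuses follow the v0.19.0 notes:
# v1beta1 removed, v1beta2 still served ("legacy"), v1beta3 current.

# audit_authconfigs: read YAML (multi-document allowed) on stdin and print
# "<status> <version> <name>" for every AuthConfig document found.
audit_authconfigs() {
  awk '
    function emit(   status) {
      if (kind == "AuthConfig" && group == "authorino.kuadrant.io") {
        status = (ver == "v1beta1") ? "removed" : (ver == "v1beta2") ? "legacy" : (ver == "v1beta3") ? "current" : "unknown"
        print status, ver, (name == "" ? "<unnamed>" : name)
      }
      kind = group = ver = name = ""; in_meta = 0; indent = 0
    }
    /^---[ \t]*$/  { emit(); next }          # document separator
    /^[^ \t#]/     { in_meta = 0 }           # any top-level key closes metadata
    /^apiVersion:/ { v = $2; gsub(/["\047]/, "", v)
                     if (split(v, p, "/") == 2) { group = p[1]; ver = p[2] } }
    /^kind:/       { kind = $2 }
    /^metadata:/   { in_meta = 1; indent = 0 }
    in_meta && /^[ \t]+[^ \t#]/ {
      match($0, /^[ \t]+/); if (!indent) indent = RLENGTH   # depth of direct children
      if (RLENGTH == indent && $1 == "name:") { name = $2; gsub(/["\047]/, "", name) }
    }
    END { emit() }
  '
}

# has_removed: exit 0 when stdin holds an AuthConfig in a version v0.19.0 dropped.
has_removed() { audit_authconfigs | grep -q "^removed "; }

# Constructed sample manifests (not from a real cluster or repository).
SAMPLE='apiVersion: authorino.kuadrant.io/v1beta1
kind: AuthConfig
metadata:
  name: legacy-api
---
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
  labels:
    name: not-the-resource-name
  name: orders-api
---
apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
  name: my-authconfig'
printf "%s\n" "$SAMPLE" | audit_authconfigs
```

Run it on one file at a time (`audit_authconfigs < manifest.yaml`, with a hypothetical file name) so that documents from separate files are not merged; `has_removed` gives an exit status suitable for a CI gate.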
Bug fixes
- Fixes conversion of v1beta2 static values to string, used at the following configs, by @guicassolato in #501
- SubjectAccessReview authorization
- SpiceDB check permissions
- External HTTP requests (metadata, external Rego policies, etc)
Dependencies and Tooling
- build(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.68.0 by @dependabot in #490
Full Changelog: v0.18.0...v0.19.0