v0.15.0
What's Changed
New features and enhancements
- AuthConfig `v1beta2` (by @guicassolato in #417, #431)
  - This is a big one that we've been cooking for quite some time! The AuthConfig API received a facelift and it now feels a lot more natural and declarative.
  - Example of resource based on the new API:

```yaml
apiVersion: authorino.kuadrant.io/v1beta2
kind: AuthConfig
metadata:
  name: my-app-protection
spec:
  hosts:
  - my-app.io
  authentication:
    "friends":
      apiKey:
        selector:
          matchLabels:
            "app": "my-app"
      credentials:
        authorizationHeader:
          prefix: API-KEY
  authorization:
    "admin-only":
      patternMatching:
        patterns:
        - selector: auth.identity.metadata.annotations.group
          operator: eq
          value: admin
  response:
    unauthenticated:
      message:
        value: Authentication failed
    unauthorized:
      message:
        value: Access denied
    success:
      headers:
        "x-username":
          plain:
            selector: auth.identity.metadata.annotations.username
```
  - Highlights:
    - Lists/arrays of named definitions are now structured as objects
    - Dynamic values fetched from the Authorization JSON are now generally called `selector`s and replace the more complex `valueFrom.authJSON`.
    - `spec.identity` renamed as `spec.authentication` (with no consequence to the resolved identity object, which continues to be referred to as `auth.identity` in the Authorization JSON)
    - Several auth methods renamed and some slightly restructured for a more seamless UX:
      - `identity.oidc` → `authentication.jwt`
      - `identity.oauth2` → `authentication.oauth2Introspection`
      - `identity.mtls` → `authentication.x509`
      - `identity.kubernetes` → `authentication.kubernetesTokenReview`
      - `identity.credentials{in, keySelector}` → `authentication.credentials{authorizationHeader | customHeader | queryString | cookie}`
      - `identity.extendedProperties` → `authentication.overrides` and `authentication.defaults`
      - `authorization.json{rules}` → `authorization.patternMatching{patterns}`
      - `authorization.kubernetes` → `authorization.kubernetesSubjectAccessReview`
      - `authorization.authzed` → `authorization.spicedb`
    - Restructuring of `spec.response`:
      - `response.wrapper`s restructured as proper properties of the new field `response.success`
      - `denyWith{unauthenticated, unauthorized}` → `response{unauthenticated, unauthorized}`
  - A few other minor enhancements preparing for the future, e.g.:
    - Unification of the configs for building HTTP clients
    - Full YAML/JSON data type compatibility for setting static values (so it behaves in the same way as when selecting a dynamic value from the Authorization JSON)
  - Backward compatibility:
    - [Deprecation warning] The old `v1beta1` API continues to be served and, for at least one version, will be the schema of all stored resources, so users have time to upgrade their automation to `v1beta2` before the next release. (More instructions to come soon.)
    - To support both versions of the API, a new conversion webhook service has been introduced. (Deployed automatically by the Authorino Operator.)
- OR operator for `when` conditions (by @guicassolato in #427)
  - Another long-awaited feature! Conditionals now support disjunction (`any`).
  - E.g., to allow anonymous access (i.e., no authentication required) for all HTTP requests with `path =~ '/test*' OR method == 'GET'` (occasionally both can be true):

```yaml
spec:
  authentication:
    anonymous-request:
      when:
      - any:
        - selector: request.path
          operator: matches
          value: ^/test.*
        - selector: request.method
          operator: eq
          value: GET
      anonymous: {}
```

  - AND operation can still be enforced by specifying the new field `all` (default if omitted). E.g., including nested conditions, to express `host == 'foo.apis.io' AND ((path =~ '/test*' AND (method == 'POST' OR method == 'PUT')) OR method == 'GET')`:

```yaml
spec:
  authentication:
    anonymous-request:
      when:
      - selector: context.request.http.host
        operator: eq
        value: foo.apis.io
      - any:
        - all:
          - selector: context.request.http.path
            operator: matches
            value: ^/test.*
          - any:
            - selector: context.request.http.method
              operator: eq
              value: POST
            - selector: context.request.http.method
              operator: eq
              value: PUT
        - selector: context.request.http.method
          operator: eq
          value: GET
      anonymous: {}
```
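To make the `any`/`all` semantics concrete, here is a small evaluator, added to these notes as an illustration and not code from the Authorino project, that walks a `when` list the way the two YAML examples above are written and applies it to a constructed Authorization JSON (both the deprecated `context.request.http.*` paths and the well-known `request.*` attributes are populated so both examples run). The choice of operators covered (`eq`, `neq`, `matches`), the fail-closed handling of a selector that resolves to nothing, and the treatment of empty groups are the example's own assumptions, not behaviour documented in this release.

```python
import re
from typing import Any


def make_auth_json(host: str, path: str, method: str) -> dict:
    """Constructed Authorization JSON for one request (not captured from a real Authorino run).
    Carries both the deprecated context.request.http.* paths and the well-known request.* attributes."""
    http = {"host": host, "path": path, "method": method}
    return {"context": {"request": {"http": dict(http)}}, "request": dict(http)}


def select(auth_json: dict, selector: str) -> Any:
    """Resolve a dotted selector (e.g. context.request.http.method) against the Authorization JSON.
    A missing path resolves to None."""
    node: Any = auth_json
    for key in selector.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def match_pattern(auth_json: dict, pattern: dict) -> bool:
    """Evaluate one pattern expression {selector, operator, value}.
    Assumption: a selector that resolves to nothing never matches, and unknown operators fail closed,
    so a typo in a selector or operator cannot silently widen an anonymous-access rule."""
    actual = select(auth_json, pattern["selector"])
    if actual is None:
        return False
    op, expected = pattern["operator"], pattern.get("value")
    if op == "eq":
        return actual == expected
    if op == "neq":
        return actual != expected
    if op == "matches":
        return isinstance(actual, str) and re.search(expected, actual) is not None
    return False


def evaluate(auth_json: dict, conditions: list) -> bool:
    """Evaluate a `when` list. The top-level list is an implicit `all`; each item is either a pattern
    expression or a nested {"any": [...]} / {"all": [...]} group.
    Assumption: an empty `any` is false and an empty `all` is true (Python's semantics)."""
    for cond in conditions:
        if "any" in cond:
            ok = any(evaluate(auth_json, [c]) for c in cond["any"])
        elif "all" in cond:
            ok = all(evaluate(auth_json, [c]) for c in cond["all"])
        else:
            ok = match_pattern(auth_json, cond)
        if not ok:
            return False
    return True


# The two `when` blocks from the release notes, written as JSON-style dicts.
OR_WHEN = [
    {"any": [
        {"selector": "request.path", "operator": "matches", "value": "^/test.*"},
        {"selector": "request.method", "operator": "eq", "value": "GET"},
    ]},
]

NESTED_WHEN = [
    {"selector": "context.request.http.host", "operator": "eq", "value": "foo.apis.io"},
    {"any": [
        {"all": [
            {"selector": "context.request.http.path", "operator": "matches", "value": "^/test.*"},
            {"any": [
                {"selector": "context.request.http.method", "operator": "eq", "value": "POST"},
                {"selector": "context.request.http.method", "operator": "eq", "value": "PUT"},
            ]},
        ]},
        {"selector": "context.request.http.method", "operator": "eq", "value": "GET"},
    ]},
]


def anonymous_allowed(when: list, host: str, path: str, method: str) -> bool:
    """True when the `when` conditions hold, i.e. the anonymous evaluator would be enabled for the request."""
    return evaluate(make_auth_json(host, path, method), when)


if __name__ == "__main__":
    for args in [("foo.apis.io", "/test/1", "POST"), ("foo.apis.io", "/test/1", "DELETE"),
                 ("foo.apis.io", "/other", "GET"), ("bar.apis.io", "/test/1", "GET"),
                 ("foo.apis.io", "/testimonials", "PUT")]:
        print(args, "OR:", anonymous_allowed(OR_WHEN, *args), "nested:", anonymous_allowed(NESTED_WHEN, *args))
```

One thing the evaluator makes visible: because `^/test.*` is a regular expression and not a path prefix, it also enables anonymous access to `/testimonials` and `/test-admin`. If the intent really is the `/test` subtree, anchor the pattern as `^/test(/|$)` before relying on it to gate who may skip authentication.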
- Well-known attributes (by @didierofrivia in #428)
  - Implements Kuadrant's Well-known Attributes for navigating the Authorization JSON
  - This not only enhances the AuthConfig API with more concise and comprehensible selectors, but will also give users of Kuadrant's `AuthPolicy` CRD a more seamless experience compared to the other APIs of the suite, such as the `RateLimitPolicy` CRD
  - [Deprecation warning] Deprecation of the `context.*` paths of the Authorization JSON, to be removed in future releases
- Enable/disable host name collision prevention for strict host subsets (by @guicassolato in #434)
  - New command-line flag `--allow-superseding-host-subsets` that disables the host name collision prevention for strict subsets of hosts attempted to be linked after a superset is already taken.
  - Allows creating an AuthConfig first for a bigger set of host name domains, then superseding a subset of it with a second AuthConfig applied afterwards.
  - Recommended only for specific use cases where other measures are in place to avoid users taking partial control of one another's auth schemes.
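The trade-off behind the flag is easiest to see with a model of the host index. The following is an added illustration, not Authorino's indexing code: it keeps a host-to-AuthConfig map, rejects collisions by default, and with the flag lets a later AuthConfig whose hosts are a strict subset of an existing one's hosts take those hosts over. AuthConfig names and host names are constructed for the example, the exact rule for a request overlapping several existing AuthConfigs is an assumption, and wildcard hosts are not modelled.

```python
from dataclasses import dataclass, field


class HostNameCollision(Exception):
    """Raised when an AuthConfig tries to take a host already linked to another AuthConfig."""


@dataclass
class AuthConfigIndex:
    """Simplified model of the host index (assumption: not Authorino's real data structure)."""
    allow_superseding_host_subsets: bool = False
    owner_of: dict = field(default_factory=dict)   # host -> name of the AuthConfig linked to it
    hosts_of: dict = field(default_factory=dict)   # AuthConfig name -> set of hosts it is linked to

    def link(self, name: str, hosts: list) -> None:
        wanted = set(hosts)
        # Hosts in this request that are already owned by a *different* AuthConfig.
        taken = {h: self.owner_of[h] for h in wanted if self.owner_of.get(h, name) != name}
        if taken:
            owners = set(taken.values())
            # "Strict subset": the requested hosts are a proper subset of every colliding owner's hosts.
            strict_subset = all(wanted < self.hosts_of[o] for o in owners)
            if not (self.allow_superseding_host_subsets and strict_subset):
                raise HostNameCollision(f"{name}: hosts {sorted(taken)} already taken by {sorted(owners)}")
            # Supersede: the earlier AuthConfig keeps only the hosts not claimed here.
            for h, o in taken.items():
                self.hosts_of[o].discard(h)
        # Re-linking the same AuthConfig replaces its previous host set.
        for h in self.hosts_of.get(name, set()) - wanted:
            self.owner_of.pop(h, None)
        for h in wanted:
            self.owner_of[h] = name
        self.hosts_of[name] = wanted

    def lookup(self, host: str):
        """Name of the AuthConfig that would be enforced for a request to `host`, or None."""
        return self.owner_of.get(host)


def try_link(index: AuthConfigIndex, name: str, hosts: list) -> bool:
    """Attempt to link; True on success, False when host name collision prevention rejects it."""
    try:
        index.link(name, hosts)
        return True
    except HostNameCollision:
        return False


def scenario(allow_superseding_host_subsets: bool) -> dict:
    """Constructed two-tenant scenario: tenant-a links two hosts first, then tenant-b tries to claim
    one of them (a strict subset) and, separately, that host plus a new one (not a strict subset)."""
    index = AuthConfigIndex(allow_superseding_host_subsets=allow_superseding_host_subsets)
    index.link("tenant-a", ["api.tenant-a.io", "admin.tenant-a.io"])
    subset_ok = try_link("tenant-b", ["admin.tenant-a.io"]) if False else try_link(index, "tenant-b", ["admin.tenant-a.io"])
    mixed_ok = try_link(index, "tenant-c", ["api.tenant-a.io", "api.tenant-c.io"])
    return {
        "subset_linked": subset_ok,
        "mixed_linked": mixed_ok,
        "admin_owner": index.lookup("admin.tenant-a.io"),
        "api_owner": index.lookup("api.tenant-a.io"),
        "tenant_a_hosts": sorted(index.hosts_of["tenant-a"]),
    }


if __name__ == "__main__":
    print("default:", scenario(False))
    print("--allow-superseding-host-subsets:", scenario(True))
```

With the default setting the second tenant's AuthConfig is rejected and `admin.tenant-a.io` stays with the AuthConfig that claimed it first. With the flag, the same manifest silently takes the host over, so whoever may create AuthConfigs in a namespace Authorino watches can re-route part of another AuthConfig's host set through their own auth scheme; that is the partial-control risk the release notes warn about, and why the flag belongs only behind admission or RBAC controls that decide who may claim which hosts.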
Dependencies and Tooling
- Bump kind to v0.20.0 and make sure to use the bin/kind binary in command of the Makefile (by @KevFan in #412)
- Update workflow actions (by @adam-cattermole in #420)
- Add new issues workflow (by @adam-cattermole in #421)
Documentation
- Several minor improvements and fixes in the docs (by @KevFan in #414)
- Updated reference to the `#kuadrant` Slack channel, moved to kubernetes.slack.com (by @guicassolato in #413)
Refactoring and Minor fixes
- Lint issues (by @adam-cattermole in #419)
- Added logs for when an AuthConfig is de-indexed (by @adam-cattermole in #426)
New Contributors
- @KevFan made their first contribution in #412
- @adam-cattermole made their first contribution in #420
Full Changelog: v0.14.0...v0.15.0