Skip to content

v0.15.0

Compare
Choose a tag to compare
@guicassolato guicassolato released this 09 Oct 17:08
· 148 commits to main since this release
15dd344

What's Changed

New features and enhancements

  • AuthConfig v1beta2 (by @guicassolato in #417, #431)
    • This is a big one that we've been cooking for quite some time! The AuthConfig API received a facelift and it now feels a lot more natural and declarative.
    • Example of resource based on the new API:
      apiVersion: authorino.kuadrant.io/v1beta2
      kind: AuthConfig
      metadata:
        name: my-app-protection
      spec:
        hosts:
        - my-app.io
        authentication:
          "friends":
            apiKey:
              selector:
                matchLabels:
                  "app": "my-app"
            credentials:
              authorizationHeader:
                prefix: API-KEY
        authorization:
          "admin-only":
            patternMatching:
              patterns:
              - selector: auth.identity.metadata.annotations.group
                operator: eq
                value: admin
        response:
          unauthenticated:
            message:
              value: Authentication failed
          unauthorized:
            message:
              value: Access denied
          success:
            headers:
              "x-username":
                plain:
                  selector: auth.identity.metadata.annotations.username
    • Highlights:
      • Lists/arrays of named definitions are now structured as objects
      • Dynamic values fetched from the Authorization JSON are now generally called selectors and replace the more complex valueFrom.authJSON.
      • spec.identity renamed as spec.authentication (with no consequence to the resolved identity object, which continues to be referred to as auth.identity in the Authorization JSON)
      • Several auth methods renamed and some slightly restructured for a more seamless UX
        • identity.oidcauthentication.jwt
        • identity.oauth2authentication.oauth2Introspection
        • identity.mtlsauthentication.x509
        • identity.kubernetesauthentication.kubernetesTokenReview
        • identity.credentials{in, keySelector}authentication.credentials{authorizationHeader | customHeader | queryString | cookie}
        • identity.extendedPropertiesauthentication.overrides and authentication.defaults
        • authorization.json{rules}authorization.patternMatching{patterns}
        • authorization.kubernetesauthorization.kubernetesSubjectAccessReview
        • authorization.authzedauthorization.spicedb
      • Restructuring of spec.response
        • response.wrappers restructured as proper properties of new field response.success
        • denyWith{unauthenticated, unauthorized}response{unauthenticated, unauthorized}
      • Few other minor enhancements preparing for the future, e.g.:
        • Unification of the configs for building HTTP clients
        • Full YAML/JSON data type compatibility for setting static values (so it behaves in the same way as when selecting a dynamic value from the Authorization JSON)
    • Backward compatibility:
      • [Deprecation warning] The old v1beta1 API continues to be served and, for at least one version, will be the schema of all stored resources – so users have time to upgrade their automation to v1beta2 before the next release. (More instructions to come soon.)
      • To support both versions of the APIs, a new conversion webhook service has been introduced. (Deployed automatically the Authorino Operator.)
  • OR operator for when conditions (by @guicassolato in #427)
    • Another long-awaited feature! Conditionals now support disjunction (any).
    • E.g., to allow anonymous access (i.e., no authentication required) for all HTTP requests with path =~ '/test*' OR method == 'GET' (occasionally both can be true):
      spec:
        authentication:
          anonymous-request:
            when:
            - any:
              - selector: request.path
                operator: matches
                value: ^/test.*
              - selector: request.method
                operator: eq
                method: GET
            anonymous: {}
    • AND operation can still be enforced by specifying the new field all (default if omitted). E.g., including nested conditions, to express host == 'foo.apis.io' AND ((path =~ '/test*' AND (method == 'POST' OR method == 'PUT')) OR method == 'GET'):
      spec:
        authentication:
          anonymous-request:
            when:
            - selector: context.request.http.host
              operator: eq
              value: foo.apis.io
            - any:
              - all:
                - selector: context.request.http.path
                  operator: matches
                  value: ^/test.*
                - any:
                  - selector: context.request.http.method
                    operator: eq
                    value: POST
                  - selector: context.request.http.method
                    operator: eq
                    value: PUT
              - selector: context.request.http.method
                operator: eq
                value: GET
            anonymous: {}
  • Well-known attributes (by @didierofrivia in #428)
    • Implements Kuadrant's Well-known Attributes for navigating the Authorization JSON
    • This not only enhances the AuthConfig API with more concise and comprehensible selectors, but will also give users of Kuadrant's AuthPolicy CRD a more seamless experience compared to the other APIs of the suite, such as the RateLimitPolicy CRD
    • [Deprecation warning] Deprecation of the context.* paths of the Authorization JSON – to be removed in future releases
  • Enable/disable host name collision prevention for strict host subsets (by @guicassolato in #434)
    • New command-line flag --allow-superseding-host-subsets that disables the host name collision prevention for strict subsets of hosts attempted to be linked after a superset already taken.
    • Allows to create AuthConfigs first for a bigger set of host name domains, then supersede a subset of it with a second AuthConfig applied after
    • Recommended for specific use cases where other measures are in place to avoid users taking partial control of one another's auth schemes.

Dependencies and Tooling

Documentation

Refactoring and Minor fixes

New Contributors

Full Changelog: v0.14.0...v0.15.0