v0.24.0

What's Changed

• Add CLAUDE.md by @guicassolato in #565
• Claude Code Slash command /protect-with-authorino by @guicassolato in #566
• go: bump to v1.25.3 by @KevFan in #570
• feat: isolates TokenReview and SAR traffic with per-client rate limits by @bartoszmajsak in #569
• go: v1.25.5 by @KevFan in #575
• feat: control plane tracing by @KevFan in #574
• docs: control plane tracing by @KevFan in #576
• chore(log): improve panic message for invalid log mode by @bartoszmajsak in #571
• build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 by @dependabot[bot] in #567

Full Changelog: v0.23.0...v0.24.0

v0.23.0

What's Changed

• refactor: cross compile and distribute build image by @KevFan in #544
• doc: sign tag when creating release by @KevFan in #550
• gha: use go version from go.mod by @KevFan in #551
• refactor: remove needing to use ROOT user in dockerfile by @KevFan in #548
• feat: custom labels on metrics via heuiristic path by @KevFan in #554
• feat: allow cel optional syntax by @KevFan in #559
• dep: go 1.24.6 by @KevFan in #560
• fix build images for semantically versioned tags by @eguzki in #561

Full Changelog: v0.22.0...v0.23.0

v0.22.0

What's Changed

• Explicitly state Z stream go version in go.mod, version set to 1.22.5 by @Patryk-Stefanski in #527
• Upgrade Go version to 1.23 by @guicassolato in #529
• build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 by @dependabot[bot] in #530
• fix: tracing - conflicting Schema URL by @KevFan in #532
• Support for Podman by @guicassolato in #533
• Fix e2e tests for Authorino OIDC endpoint with TLS disabled by @guicassolato in #534
• fix: use ubuntu-latest for image build action by @KevFan in #535
• JWKS URI by @guicassolato in #536
• makefile: refactor dependency tooling install by @KevFan in #542
• fix: nil pointer from typed nil of auth.OpenIdConfigStore for UserInfo by @KevFan in #538
• Fix broken link in 'Getting Started' docs by @tommyc2 in #541
• workflow: enable golangci by @KevFan in #537
• dep: upgrade to jwt/v5 by @KevFan in #543
• build(deps): bump github.com/open-policy-agent/opa from 0.68.0 to 1.4.0 by @dependabot[bot] in #531

New Contributors

• @Patryk-Stefanski made their first contribution in #527
• @tommyc2 made their first contribution in #541

Full Changelog: v0.21.0...v0.22.0

v0.21.0

What's Changed

• docs: Common Expression Language (CEL) by @guicassolato in #509
• fix doc paths by @R-Lawton in #511
• add version and fix broken link by @laurafitzgerald in #513
• fix smoketest link by @laurafitzgerald in #512
• kustomize: use patches instead of patchesJson6902 by @KevFan in #514
• Upgrade Go version to 1.22 by @guicassolato in #518
• build(deps): bump golang.org/x/net from 0.28.0 to 0.33.0 by @dependabot in #520
• build(deps): bump golang.org/x/crypto from 0.26.0 to 0.31.0 by @dependabot in #521
• spelling fixes in crs by @laurafitzgerald in #517
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5 by @dependabot in #522
• ci: enable merge_group by @KevFan in #524

New Contributors

• @R-Lawton made their first contribution in #511
• @laurafitzgerald made their first contribution in #513

Full Changelog: v0.20.0...v0.21.0

v0.20.0

What's Changed

• Descriptions for the CEL fields of the API by @guicassolato in #508
• fix: add authorizationGroups property to K8s SAR authorization, fixes #506 by @dhirajsb in #507

New Contributors

• @dhirajsb made their first contribution in #507

Full Changelog: v0.19.0...v0.20.0

v0.19.0

What's Changed

New features and Enhancements

• AuthConfig v1beta3, by @KevFan in #493
  • This is a new version of the API that is a superset of v1beta2, which means all AuthConfig resources based the older version (v1beta2) will continue to function. However, to be able to leverage the new features only in v1beta3, users should update their resources as soon as possible.
  • At some point after upgrading to v0.19.0, users are also invited to migrate their AuthConfigs stored in the cluster's database by running the following script. This will guarantee readiness for upgrading in the future to a newer version of Authorino where v1beta2 is no longer served.

    cat << 'EOF' > /tmp/migrate.sh
    #!/bin/bash
    authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers)
    while IFS=" " read -r namespace name; do
      kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml"
      kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml"
    done <<< "$authconfigs"
    EOF
    chmod +x /tmp/migrate.sh
    /tmp/migrate.sh

  • Removal of AuthConfig v1beta1. Users in a older version of Authorino (< 0.18.0) must upgrade first to v0.18.0 ASAP, run the migration script to get stored resources bumped to v1beta2, and then upgrade to v0.19.0. Attempts to upgrade directly from older versions to v0.19.0 will fail.
  • Removal of the conversion webhook (deployed by the Authorino Operator) and therefore cert-manager is no longer a requirement for Authorino.
• Common Expression Language (CEL), by @alexsnaps in #495
  • when conditions and dynamic selector of values from the Authorization JSON now accept Common Expression Language (CEL). E.g.:

    apiVersion: authorino.kuadrant.io/v1beta3
    kind: AuthConfig
    metadata:
      name: my-authconfig
    spec:
      hosts: […]
      metadata:
        "authorized-ips":
          http:
            urlExpression: |
              "https://authorized-ips.default.cluster.local?nonce=" + request.id
      authorization:
        "acl":
          patternMatching:
            patterns:
            - predicate: source.address.split(":")[0] in auth.metadata["authorized-ips"]
          cache:
            key:
              expression: source.address.split(":")[0]
            ttl: 600
        "max-request-size":
          when:
          - predicate: request.method.lowerAscii() == "post"
          patternMatching:
            patterns:
            - predicate: request.size <= 1024

  • Supports CEL strings extension, by @alexsnaps in #503

Bug fixes

• Fixes conversion of v1beta2 static values to string, used at the following configs, by @guicassolato in #501
  • SubjectAccessReview authorization
  • SpiceDB check permissions
  • External HTTP requests (metadata, external Rego policies, etc)

Dependencies and Tooling

• build(deps): bump github.com/open-policy-agent/opa from 0.64.1 to 0.68.0 by @dependabot in #490

Full Changelog: v0.18.0...v0.19.0

v0.18.1

What's Changed

Bug fixes

• Fixes conversion of v1beta2 static values to string, used at the following configs, by @guicassolato in #502
  • SubjectAccessReview authorization
  • SpiceDB check permissions
  • External HTTP requests (metadata, external Rego policies, etc)

Full Changelog: v0.18.0...v0.18.1

v0.18.0

What's Changed

New features and Enhancements

• AuthConfig v1beta2 API version became the new default version stored in the cluster database

  Important! After upgrading to Authorino v0.18.0, users must migrate all AuthConfig resources to v1beta2 stored in the cluster database by running the following script. This can be done at any time before upgrading to newer versions of Authorino post this one, without downtime or any intrinsic risk of breaking deployments before, during or after the migration.

  cat << 'EOF' > /tmp/migrate.sh
  #!/bin/bash
  authconfigs=$(kubectl get authconfigs -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name' --no-headers)
  while IFS=" " read -r namespace name; do
    kubectl get authconfig "$name" -n "$namespace" -o yaml > "/tmp/${name}.${namespace}.authconfig.yaml"
    kubectl apply -f "/tmp/${name}.${namespace}.authconfig.yaml"
  done <<< "$authconfigs"
  EOF
  chmod +x /tmp/migrate.sh
  /tmp/migrate.sh

  Related PRs:

  • Make v1beta2 the stored version by @alexsnaps in #483
  • Use v1beta2 as hub version by @alexsnaps in #482
  • V1beta2 by @alexsnaps in #487

• Version info, commit sha and dirty code flag stamped inside the Authorino binary, by @ehearneRedHat in #473
  Check the build info by running:

  docker run --rm --entrypoint authorino quay.io/kuadrant/authorino:v0.18.0 version

Dependencies and Tooling

• build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 by @dependabot in #461
• Upgrade Go version to 1.21 by @guicassolato in #465
• Bump OPA to v0.64.1 (latest) by @guicassolato in #466
• Update controller-gen to v0.15.0 by @adam-cattermole in #476
• Add license scan report and status by @fossabot in #478

Docs

• [docs] avoid false positive openssl-related security flagging by @guicassolato in #472

New Contributors

• @fossabot made their first contribution in #478
• @ehearneRedHat made their first contribution in #473

Full Changelog: v0.17...v0.18.0

v0.17.2

What's Changed

Bug fixes

• Handle invalid ext_authz request (by @guicassolato in #462)

Dependencies and Tooling

• controller-runtime/setup-envtest fixed to version 0.16 (by @guicassolato in 9a4e4d4, as part of #462)

Full Changelog: v0.17.1...v0.17.2

v0.17.1

What's Changed

Bug fixes

• Fixes /server-metrics endpoint which was returning 404 Not Found due to a bug introduced in v0.16.0 (by @guicassolato in #458)

Full Changelog: v0.17.0...v0.17.1