v0.17.0

What's Changed

New features and Enhancements

• [Breaking change] 'Client authentication' extended key usage for x.509 certificate authentication method by @guicassolato in #407
  • Changes the extended key usage verified by the x.509 certificate authentication method (mTLS) from 'Server authentication' to 'Client authentication'
  • This makes the extended key usage required for issuing client certificates more in line with user expectations
  • Existing valid X.509 certificates issued with the 'Server authentication' key usage will no longer be accepted after rolling out this change

Bug fixes

• OpenTelemetry Schema URL bumped to 1.21.0 by @guicassolato in #455
  • Fixes an error in the initialization of Authorino when tracing services were enabled, by pointing to the correct OpenTelemetry Schema version corresponding to the tracing dependencies in use.

Dependencies and Tooling

• Updated some GitHub Actions related to issue tracking and project management by @alexsnaps in #449 and #453
• Upgraded golang.org/x/crypto from 0.15.0 to 0.17.0 by @dependabot in #450

Documentation

• Multiple docs enhancement (aiming for better rendering at https://docs.kuadrant.io) by @Boomatang in #446
• Fixed some broken links by @jasonmadigan in #456
• Code of Conduct (CoC) updated to match Kuadrant's Community CoC by @guicassolato in #454
• Instructions to release Authorino by @didierofrivia in #457
• Added MAINTAINERS and ADOPTERS files by @guicassolato in #452

New Contributors

• @Boomatang made their first contribution in #446
• @jasonmadigan made their first contribution in #456

Full Changelog: v0.16.0...v0.17.0

v0.16.0

What's Changed

Dependencies and Tooling

• Upgraded golang.org/x/net from 0.9.0 to 0.17.0 by @dependabot in #435
• Upgraded google.golang.org/grpc from 1.54.0 to 1.57.0 by @dependabot in #440
• Upgraded google.golang.org/grpc from 1.57.0 to 1.57.1 by @dependabot in #442
• Upgraded Go to 1.20 by @guicassolato in #443
• Upgraded controller-runtime to 0.16.3 by @KevFan in #444
• Upgraded OpenTelemetry (otel) Contrib dependencies to 0.46.1 by @alexsnaps in #448
  • Addresses CVE-2023-47108 and CVE-2023-45142

Tests

• Fixed flaky tests by @guicassolato in #436

Documentation

• Added instructions for Kuadrant users to the user guides by @guicassolato in #439
• Update Keycloak examples to Keycloak v20.0. by @guicassolato in #441
• Flagged markdown content in HTML blocks (for better rendering of the docs at docs.kuadrant.io) by @guicassolato in #445

New Contributors

• @alexsnaps made their first contribution in #448

Full Changelog: v0.15.0...v0.16.0

v0.15.0

What's Changed

New features and enhancements

• AuthConfig v1beta2 (by @guicassolato in #417, #431)
  • This is a big one that we've been cooking for quite some time! The AuthConfig API received a facelift and it now feels a lot more natural and declarative.
  • Example of resource based on the new API:

    apiVersion: authorino.kuadrant.io/v1beta2
    kind: AuthConfig
    metadata:
      name: my-app-protection
    spec:
      hosts:
      - my-app.io
      authentication:
        "friends":
          apiKey:
            selector:
              matchLabels:
                "app": "my-app"
          credentials:
            authorizationHeader:
              prefix: API-KEY
      authorization:
        "admin-only":
          patternMatching:
            patterns:
            - selector: auth.identity.metadata.annotations.group
              operator: eq
              value: admin
      response:
        unauthenticated:
          message:
            value: Authentication failed
        unauthorized:
          message:
            value: Access denied
        success:
          headers:
            "x-username":
              plain:
                selector: auth.identity.metadata.annotations.username

  • Highlights:
    • Lists/arrays of named definitions are now structured as objects
    • Dynamic values fetched from the Authorization JSON are now generally called selectors and replace the more complex valueFrom.authJSON.
    • spec.identity renamed as spec.authentication (with no consequence to the resolved identity object, which continues to be referred to as auth.identity in the Authorization JSON)
    • Several auth methods renamed and some slightly restructured for a more seamless UX
      • identity.oidc → authentication.jwt
      • identity.oauth2 → authentication.oauth2Introspection
      • identity.mtls → authentication.x509
      • identity.kubernetes → authentication.kubernetesTokenReview
      • identity.credentials{in, keySelector} → authentication.credentials{authorizationHeader | customHeader | queryString | cookie}
      • identity.extendedProperties → authentication.overrides and authentication.defaults
      • authorization.json{rules} → authorization.patternMatching{patterns}
      • authorization.kubernetes → authorization.kubernetesSubjectAccessReview
      • authorization.authzed → authorization.spicedb
    • Restructuring of spec.response
      • response.wrappers restructured as proper properties of new field response.success
      • denyWith{unauthenticated, unauthorized} → response{unauthenticated, unauthorized}
    • Few other minor enhancements preparing for the future, e.g.:
      • Unification of the configs for building HTTP clients
      • Full YAML/JSON data type compatibility for setting static values (so it behaves in the same way as when selecting a dynamic value from the Authorization JSON)
  • Backward compatibility:
    • [Deprecation warning] The old v1beta1 API continues to be served and, for at least one version, will be the schema of all stored resources – so users have time to upgrade their automation to v1beta2 before the next release. (More instructions to come soon.)
    • To support both versions of the APIs, a new conversion webhook service has been introduced. (Deployed automatically the Authorino Operator.)
• OR operator for when conditions (by @guicassolato in #427)
  • Another long-awaited feature! Conditionals now support disjunction (any).
  • E.g., to allow anonymous access (i.e., no authentication required) for all HTTP requests with path =~ '/test*' OR method == 'GET' (occasionally both can be true):

    spec:
      authentication:
        anonymous-request:
          when:
          - any:
            - selector: request.path
              operator: matches
              value: ^/test.*
            - selector: request.method
              operator: eq
              method: GET
          anonymous: {}

  • AND operation can still be enforced by specifying the new field all (default if omitted). E.g., including nested conditions, to express host == 'foo.apis.io' AND ((path =~ '/test*' AND (method == 'POST' OR method == 'PUT')) OR method == 'GET'):

    spec:
      authentication:
        anonymous-request:
          when:
          - selector: context.request.http.host
            operator: eq
            value: foo.apis.io
          - any:
            - all:
              - selector: context.request.http.path
                operator: matches
                value: ^/test.*
              - any:
                - selector: context.request.http.method
                  operator: eq
                  value: POST
                - selector: context.request.http.method
                  operator: eq
                  value: PUT
            - selector: context.request.http.method
              operator: eq
              value: GET
          anonymous: {}

• Well-known attributes (by @didierofrivia in #428)
  • Implements Kuadrant's Well-known Attributes for navigating the Authorization JSON
  • This not only enhances the AuthConfig API with more concise and comprehensible selectors, but will also give users of Kuadrant's AuthPolicy CRD a more seamless experience compared to the other APIs of the suite, such as the RateLimitPolicy CRD
  • [Deprecation warning] Deprecation of the context.* paths of the Authorization JSON – to be removed in future releases
• Enable/disable host name collision prevention for strict host subsets (by @guicassolato in #434)
  • New command-line flag --allow-superseding-host-subsets that disables the host name collision prevention for strict subsets of hosts attempted to be linked after a superset already taken.
  • Allows to create AuthConfigs first for a bigger set of host name domains, then supersede a subset of it with a second AuthConfig applied after
  • Recommended for specific use cases where other measures are in place to avoid users taking partial control of one another's auth schemes.

Dependencies and Tooling

• Bump kind to v0.20.0 and make sure to use the bin/kind binary in command of the Makefile (by @KevFan in #412)
• Update workflow actions (by @adam-cattermole in #420)
• Add new issues workflow (by @adam-cattermole in #421)

Documentation

• Several minor improvement and fixes in the docs (by @KevFan in #414)
• Updated reference to #kuadrant Slack channel, moved to kubernetes.slack.com (by @guicassolato in #413)

Refactoring and Minor fixes

• Lint issues (by @adam-cattermole in #419)
• Added logs for when an AuthConfig is de-indexed (by @adam-cattermole in #426)

New Contributors

• @KevFan made their first contribution in #412
• @adam-cattermole made their first contribution in #420

Full Changelog: v0.14.0...v0.15.0

v0.14.0

New features and Enhancements

• New response method plain (#393)
  • Allows configuring for the injection of HTTP request headers whose value are simple text/plain values.
  • This is an alternative to having to stringify a JSON object using the json response method.
• Control over overwriting values in the identity object added to the API (#399)
  • Adds new property overwrite: bool (default: false) to the extended properties that allows to force extend the identity object or only when the property is missing
• New tighten-up Permissions over Authorino files within the container (#391)
  • Adds a new dedicated home path in the file system within the container for the Authorino binary and any other future Authorino files.
  • The directory is owned by a new authorino Linux user and root Linux group.
  • Allows running Authorino on OpenShift with the default unprivileged user on standard restricted security context strategy, without the files having to be owned by root.
  • In other environments, users can choose to run the container as root or as the less privileged authorino user.
• [Breaking change] New escaping of base64-decoded strings (#401)
  • Authorino now automatically escapes double quotes within strings extracted from the Authorization JSON and decoded with the @base64 modifier.
  • The typical use case for this is to be able to parse base64-encoded strings that represent valid JSON types other than simple strings (e.g. objects and arrays) and navigate those structures with normal JSON paths. For example, for parsing a JWT straight from the Authorization header.
  • The new behavior comes with a minor breaking change though, which is the dropping of support for base64 URL-encoded values. As a consequence, base64-encoded strings, passed and extracted from the URL path to be decoded with the @base64 modifier, for example, must not include the URL-encoded right padding characters (i.e. =, encoded as %3D). Authorino will fail to decode such values. To work around this limitation, use the @replace modifier before decoding with @base64:decode.
• [Breaking change] Simple Kubernetes TokenReview identity object (#403)
  • Makes the Kubernetes TokenReview-based identity method to always fill the identity object from the status field of the TokenReview response, as opposed to the current hybrid behaviour of trying to detect whether the verified access token is a JWT or an opaque token.
  • Users relying on JWT detection can still extract, decode and parse the JWT directly from the Authorization header. Here’s an example extending the identity object. E.g.

    spec:
      identity:
      - name: k8s-tokenreview
        kubernetes:
          extendedProperties:
          - name: jwt
            valueFrom:
              authJSON: context.request.http.headers.authorization|@extract:{"pos":1}|@extract:{"sep":".","pos":1}|@base64:decode|@fromstr

Dependencies and Tooling

• Upgrade to Golang v1.19.x (#409)
• Bump OPA to v0.52.0 (#398)

Testing

• Update client certificates used in the automated tests (#405, #406)

Documentation

• Fix instructions to extract Kubernetes TokenReview username from the identity object mentioned in the docs (#408)
• Fix wrong metric type mentioned in the docs by @averevki (#410)

Other minor fixes

• Fix several one-of constraints of the AuthConfig API (#396, #404)

Full Changelog: v0.13.0...v0.14.0

v0.13.0

New features and Enhancements

• Activated server reflection in the gRPC authorization interface (#388)
  • Makes it easy to send authorization requests to Authorino via gRPC without having to supply the proto files - e.g.

    grpcurl -plaintext -d @ authorino:50051 envoy.service.auth.v3.Authorization.Check {...}
    

• Tracing enhancements
  • Replaces Jaeger Thrift integration with OpenTelemetry OTLP (#390)
    • [Breaking change!] Server command-line --tracing-service-endpoint now requires 'rpc' or 'http'
    • New server command-line option: --tracing-service-insecure=bool - disable TLS for the tracing service connection (default: false)
  • Propagate W3C Trace Context in the requests to external services such as when fetching metadata, verifying OAuth2 opaque tokens, and pulling OPA policies from registry (#386 by @Rohith-Raju)
  • Ensure the request ID is always present in the traces and logs by retrieving from context or generating random one when not available (#389)

Full Changelog: v0.12.0...v0.13.0

v0.12.0

New features and Enhancements

• New Auth Pipeline phase: callbacks (#368, #371)
  • Allows to send configurable HTTP requests to external services at the end of Auth Pipeline
  • Same API as the HTTP GET/GET-by-POST metadata method
  • when conditions and access to the Authorization JSON just like any other evaluator
• Built-in integration with Authzed SpiceDB (#375)
  • Configurable check permission requests sent by Authorino to an external SpiceDB instance via GRPC (authorization phase)
  • Demo available in this YouTube video: https://youtu.be/lL9YsdDaRXk
• New JSON path @strip string modifier for easy removing of non printable characters (#374 by @OperationalDev, #377)
• Support for multi-element JSON responses from external sources of metadata (#376)
• Support for OAuth2 client credentials for fetching metadata and callbacks (#379, #381)
• Tracing (#380 by @Rohith-Raju, #384)
  • Authorino now emits traces to an external OpenTelemetry tracing service
  • Support for W3C Trace Context format and user-defined baggage traces

Dependencies and Tooling

• golang.org/x/net bumped from 0.6.0 to 0.7.0 (#382)

Documentation

• Fixed typo in TokenRequest API link (#383 by @bartoszmajsak)
• Fix broken link and examples in the Edge Authentication guide (#387 by @averevki)

Minor fixes and enhancements

• [ci] Fixed unit benchmarks (#370)
• Fixed spacing in comments (#378)

Special thanks to our new contributors 🎉

• @OperationalDev made their first contribution in #374
• @bartoszmajsak made their first contribution in #383
• @Rohith-Raju made their first contribution in #380
• @averevki made their first contribution in #387

Full Changelog: v0.11.0...v0.12.0

v0.11.0

New features and Enhancements

• Health check/readiness probe endpoints (#365)
  • Allows to check for the aggregated status of handled AuthConfigs at /readyz/authconfigs
• Command-line interface (CLI) (#366)
  • Configuration options, including for the authorization server, now passed as command-line arguments
  • [Deprecation warning] Deprecation of the old environment variables to configure Authorino
  • Version of the Authorino binary can now be verified with the authorino version command

Bug fixes

• Safe concurrent access to the Auth Pipeline maps (#358)

Documentation

• Observability (health/readiness probe endpoints) and new CLI (#367)
  • Observability section refactored to include in one user guide: metrics, readiness, logging and tracing
  • Fixed all references to deprecated environment variables, to favor their corresponding command-line flag substitutes

Dependencies and Tooling

• OPA module upgraded to v0.43.1 (#352)
  • General improvements in OPA
  • Security patches: CVE-2022-36085, CVE-2022-27664 and CVE-2022-32190
• Golang upgraded to v1.18 (#354, #362)

v0.10.0

New features and Enhancements

• All valid hosts added to cache (#324)
  • Instead of aborting at the first host in the list of hosts in an AuthConfig (spec.hosts) that cannot be added to the index of AuthConfigs due to being already taken, Authorino now ensures all valid hosts in the list are added, despite presence of invalid (taken) ones among them. Only the invalid ones will be rejected.
• Improved AuthConfig status – This is a big one!
  • Now the AuthConfig Status sub-resource is divided in summary and conditions (#318). The former summarizes info about the status of the resource, including readiness state, hosts accepted, evaluator counters, etc. The latter provides fine-grained info in the form of "conditions", to infer availability and full-readiness of the resource, described in the table below:

    Type	Status	Reason	Message	Meaning
    Available	True	HostsLinked	N/A	At least one host from spec.hosts was linked to the AuthConfig in the index. Requests sent to the linked host can be expected to be protected by this AuthConfig. User can check status.summary.hostsReady for the list of host names that did succeed being linked to the AuthConfig in the index.
    Available	False	HostsNotLinked	No hosts linked to the resource.	No host from spec.hosts was linked to the AuthConfig in the index. No request will cause this AuthConfig to be evaluated by Authorino. Only possible status for Ready is False in this case.
    Ready	True	Reconciled	N/A	The AuthConfig is indexed for all host names listed in spec.hosts.
    Ready	False	HostsNotLinked	One or more hosts not linked to the resource	Failed to index the AuthConfig for one or more host names in spec.hosts. User should check status.summary.hostsReady for the list of host names that did succeed being linked to the AuthConfig in the index; occasionally none.

  • Reconciliation errors and proper reason to failing reconciling an AuthConfig reflected in the status. The table below summarizes all the reasons for an AuthConfig to be cnsidered "ready" or "not ready".

    Reason	Description	Ready?
    Reconciling	Transient state between reconciliation started and finished (due to success or terminal failure)	N
    Invalid	Invalid resource. AuthConfig cannot be added to cache for any of the hosts listed. Message will reflect the exact error (e.g. broken ref).	N
    HostsNotLinked	One or more hosts not linked to the resource	N
    CachingError	Failed to add the AuthConfig to the index	N
    Reconciled	Resource reconciled	Y
    Unknown	Should never happen 🙂	N

• Support for host names with wildcards (#312) - Another big one!
  • Now you can use wildcards in the host names you add to spec.hosts. E.g. *.pets.com, which matches authorization requests for dogs.pets.com, cats.pets.com and even snakes.pets.com (if you are that kind of person).
  • More specific host names take precedence. E.g. when evaluating for a request that is sent for dogs.pets.com, an AuthConfig A that links dogs.pets.com will be favored before an AuthConfig B that links the more generic host with wildcard *.pets.com; in case of an authorization request sent for cats.pets.com, Authorino would fall back to AuthConfig B (wildcard).
  • You can have as many levels as you want between more specific to more generic host names with wildcards. E.g. api.pets.com → *.pets.com → *.com → *.
  • Important! Keep in mind that due to the mechanism that prevents inattentive/malicious users from fully (or now also partially) taking control over someone else's auth scheme, by applying another AuthConfig that links identical (or now also more specific) host names previously accepted for another resource, and where both AuthConfigs are in the scope of the same Authorino instance, the support for host names with wildcards redefines the concept of host collision, from a relation of equality (host1 == host2) to a relation of sets and subsets (host1 ⊆ host2). This imposes a constraint regarding the order that legit AuthConfigs have to be applied to the cluster – always starting with the ones for more specific host names first, to the more generic ones (with wildcards) second.
• Prevention of host name collisions in all cases (#343)
  • Authorino now rejects linking AuthConfigs to hosts already taken regardless of namespace. This is a policy we used to enforce in the past only across different namespaces (with Authorino deployed in cluster-wide reconciliation mode only). It is now enforced in all cases, including with Authorino in namespaced mode, for AuthConfigs in the same Kubernetes namespace. This implies that users who get hosts in their AuthConfigs rejected to be linked will have to coordinate who actually owns the auth scheme for that host and, if necessary, remove it from an AuthConfig where the host was previously taken and/or reapplying the sequence of AuthConfigs in an acceptable order.
• [Breaking change] Kube notation for API key and MTLS Secret label selectors (#341, #344)
  • Authorino now complies with the new Kubernetes syntax to express the label selectors used for API key and MTLS Kubernetes secrets scoped with an AuthConfig. The API changed as follows:
    
    Before:

    spec:
      identity:
      - name: friends
        apiKey:
          labelSelectors:
            group: friends

    Now:

    spec:
      identity:
      - name: friends
        apiKey:
          selector:
            matchLabels:
              group: friends

  • Apart from making the AuthConfig more seamless to use by users familiar with this API of Kubernetes, we all also get as bonus support for label expressions. E.g.:

    spec:
      identity:
      - name: friends
        apiKey:
          selector:
            matchExpressions:
              key: group
              operator: NotIn
              values:
              - enemies

• Improvements to the raw HTTP external authorization interface
  • Protection against large body content (#313)
    • Set to a maximum of 8192 (8KB) by default
    • Returns an HTTP status 413 Request Entity Too Large when exceeded
    • Can be configured by setting the MAX_REQUEST_BYTES environment variable in the Authorino pod - support by the Operator via spec.maxHttpRequestBodySize field of the Authorino CR
  • Improvements in the log messages (debug level) (#325)
• Authorino version info embedded into the binary (#345)
  • You no longer need to trust only on the tag of the container image to check the exact version of the Authorino binary you are running. You can now find it right in the very second message in the logs:

    {"level":"info","ts":1634674939.7563884,"logger":"authorino","msg":"setting instance base logger","min level":"debug","mode":"production"}
    {"level":"info","ts":1634674939.7567484,"logger":"authorino","msg":"booting up authorino","version":"v0.10.0"}
    

• Red Hat Universal Base Image (UBI) 8 (#332)
  • Container images are now based on Red Hat Universal Base Image (UBI) 8 instead of Google's distroless images. This enables better security scans and support on community images released in the upstream.

Bug fixes

• No more phantom host associations (#327)
  • Oops. This is awkward. We discovered that host names removed from an AuthConfig were refusing to leave the index. It looks like they loved Authorino so much that they wanted to continue to be linked to the AuthConfig that once brought them to the party. But not anymore! Now we ensure deleted hosts vanish from the index for good.
  • This didn't affect the deletion of AuthConfigs as a whole, but only when editing existing ones. Either way, it's now fixed.
• Respect the creation order of the resources when bootstrapping the index of AuthConfigs (#330, #338, #349)
  • When a new Authorino pod started, it bootstraped the index of AuthConfigs by reconciling again all pre-existing resources marked as available in whatever order the reconciliation events were picked by the runtime controller. Since the ordering of the events cannot be guaranteed, this behavior led to a probabilistic situation of error where multiple pods (multiple generations of a pod) could exist with different states between them regarding which AuthConfigs and corresponding hosts were accepted in the index. This is now fixed and Authorino will always respect the order of the resources based on creationTimestamp whenever bootstrapping the index for the first time. This should be enough to prevent inconsistent states, ensuring the same sequence of decisions of the past.
  • While bootstrapping the index for the first time, AuthConfigs in the process of being reconciled might momentarily return a 503 Busy status code when requested, until they are fully operable. We put our best efforts to make this step as efficient and quick as possible, so it's almost never perceived by the user.
• Avoid panicking when external OPA response misses the Content-Type header (#347)
• Use RWMutex for all the cases where multiple concurrent reads and writes are expected (status updater, API key and MTLS loading and access) (#348)

Dependencies and Tooling

• A couple of improvements to the Developer's Makefile
  • Check if GNU sed is insta...

v0.9.1

Security

• Security patch for CVE-2022-28946 - Denial of Service (DoS) vulnerability found in OPA v0.37.2 (#311)
  • Bumps github.com/open-policy-agent/opa to v0.41.0 (latest)
  • Bumps github.com/go-redis/redis/v8 to v8.11.5 (latest)
  • Bumps sigs.k8s.io/controller-tools/cmd/controller-gen to v0.9.0 (latest)

v0.9.0

New features and Enhancements

• New Raw HTTP external authorization interface (#273, #286, #309)
  • Additional interface for raw HTTP authorization requests, suitable use cases such as:
    • using Authorino as Kubernetes ValidatingWebhook service (example)
    • integration with other HTTP proxies and API gateways
    • integration with old versions of Envoy incompatible with the latest version of gRPC external authorization protocol (Authorino is based on v3.19.1 of Envoy external authorization API)
  • Added option to disable any of the listeners (gRPC auth server, raw HTTP auth server, and OIDC Festival Wristband HTTP server), by setting the corresponding port number to "0" or any value that fails to cast to an integer number
  • New TIMEOUT env var to allow controlling the maximum duration of external authorization requests (both gRPC and raw HTTP interfaces) before context is cancelled by the service. Integrations via proxy which prefer to control the timeout at client-side (i.e. by the proxy) can disable the internal service timeout by leaving TIMEOUT=0 (default).
• Mutual Transport Layer Security (mTLS) authentication method (#305, #307)
  • Adds support for client TLS certificate validation at application layer in Authorino
  • Works for peer certificated supplied by Envoy in the payload and with the new raw HTTP authorization interface
• Plain identity method (#276)
• Adds a new identity mode called 'plain' that allows identity objects to be injected in the payload to Authorino and then fetched from the Authorization JSON without implicit verification.
  • Make the user experience more seamless when combining ext-authz with identity verification done beforehand by other means (e.g. using Envoy built-in authentication filters)
• Default to Anonymous access when no identity configs are stated in an AuthConfig (#275)
• New field 'body' to HTTP GET/GET-by-POST metadata (#293)
  • Adds a new field spec.metadata.body as an alternative to spec.metadata.bodyParameters
  • Allows to generate raw HTTP bodies with proper content encoding of dynamic JSON objects containing multiple levels
• Reconciliation of individual API key secrets within an AuthConfig (#297)
  • Avoids reconciling the entire AuthConfig when a new API Key secret is reconciled
  • Improves performance
• Make TLSv1.2 minimum version required to all interfaces (#267)
• Replace any usage of MD5 algorithm for SHA-256 instead → helps make Authorino FIPS compliant (#270)
• Cleanup unnecessary RBAC definitions (#272)

Dependencies and Tooling

• Made possible to deploy (dev tools) to a namespace that already exists in the cluster (#287)
• New make help target added, together with other enhancements for devs (#289, #294, #295)
  • New make targets ‘uninstall-operator', ‘mockgen’, 'keycloak' and 'dex'
  • Old make target renamed: 'manager' -> 'build' and 'example-apps' -> 'user-apps'
  • Added go-get-tool function to install controller-gen, kustomize, kind and setup-envtest under in $PROJECT_DIR/bin
  • kustomize bumped to v4.5.5
  • Reference to setup-envtest binary fixed
• Multi-Platform auto builds → amd64 and arm64 built and pushed automatically to quay.io/kuadrant/authorino, which now supersedes the old image repo quay.io/3scale/authorino (#277, #278, #279, #280, #281, #283)
• Enhancements regarding image tagging for builds triggered manually (#282)

Documentation

• Several enhancements and minor fixes to the docs (#262, #263, #308)
• User guide: Using Authorino as ValidatingWebhook service (#288)
• Developer’s guide updated (#296)
• Now using Kubernetes namespace default for the main workload in most examples and tutorials (#292)
• More information about runtime evaluator caching added to the Feature description page (#300)

Testing

• Avoids using static IP addresses in the tests → prevents false-positives on static code analysis pointing to vulnerabilities such as CVE-2006-5901 and CVE-2005-3725 (#261)
• Removed a few unfinished broken API tests (#274)
• Lots of improvements to end-to-end tests (#284, #299, #302, #303, #304)
  • Fail fast when missing required commands
  • Verbose option
  • Create the TokenRequest with kubectl create --raw
  • Test OIDC Festival Wristband well-known endpoints
  • Test case: revoke API key
  • Remove no longer needed kubectl proxy command
  • New timeout added to avoid getting stuck indefinitely when condition do not match (default: 10 minutes, can be changed by supplying TIMEOUT=x)
• New automated smoke tests → e2e tests run on public community images published to quay.io/kuadrant/authorino (#238, #285)