Changelog

0.13.0-alpha (2024-01-03)

⚠ BREAKING CHANGES

  • Endpoint specific HTTP cache settings refactored to allow HTTP cache ttl definition (#1043)

Features

  • OAuth2/OIDC metadata discovery for jwt authenticator (#1043) by @martin31821 (2dbfa5f)
  • OAuth2/OIDC metadata discovery for oauth2_introspection authenticator (#1043) by @martin31821 (2dbfa5f)

Code Refactorings

  • Endpoint specific HTTP cache settings refactored to allow HTTP cache ttl definition (#1043) (2dbfa5f)

Bug Fixes

Dependencies

  • update golang to 1.21.5 (#1082) (a996ce7)
  • update golang.org/x/exp digest to 02704c9 (#1111) (1e18000)
  • update google.golang.org/genproto/googleapis/rpc digest to 50ed04b (#1115) (eda1d2d)
  • update kubernetes packages to v0.29.0 (#1100) (65b3619)
  • update module github.com/envoyproxy/go-control-plane to v0.12.0 (#1117) (7fbb737)
  • update module github.com/go-co-op/gocron/v2 to v2.1.2 (#1116) (13505da)
  • update module github.com/google/uuid to v1.5.0 (#1097) (5273ac8)
  • update module github.com/jellydator/ttlcache/v3 to v3.1.1 (#1102) (90dcc4d)
  • update module github.com/prometheus/client_golang to v1.18.0 (#1112) (57da7ec)
  • update module gocloud.dev to v0.36.0 (#1113) (584d51f)
  • update module google.golang.org/grpc to v1.60.1 (#1105) (329f647)
  • update module google.golang.org/protobuf to v1.32.0 (#1109) (47d7785)

0.12.0-alpha (2023-11-29)

⚠ BREAKING CHANGES

  • Support for X-Forwarded-Path header dropped (#1073)
  • if conditional statements for error pipeline mechanisms (#1055)
  • Request.ClientIP renamed to Request.ClientIPAddresses to reflect the actual contents (#1066)
  • The term "scheme" is used properly as defined by RFC9110 (#1042)
  • Rule(-Set) related configuration properties mechanisms, default and providers moved one level up and renamed (#1028)
  • Support for noop authenticator removed (#1015)
  • Endpoint specific client_credentials auth strategy renamed to oauth2_client_credentials (#975)
  • unifier renamed to finalizer (#956)
  • Support for OTEL metrics (#948)
  • Proxy implementation migrated from fiber to stdlib http package (#889)
  • Support for OpenTelemetry Jaeger exporter dropped (It has been deprecated by Jaeger back in 2022) (#884)

Features

  • client_credentials authentication strategy for Endpoint enhanced to support the same options as the corresponding finalizer (#971) (ec16d5d)
  • finalizers are optional (#1027) (864c879)
  • if conditional statements for error pipeline mechanisms (#1055) (7cf97dc)
  • Access to request body in templates and CEL expressions (#1069) (69dd7d2)
  • Container images are published to GHCR in addition to DockerHub (#1041) (04b1066)
  • Helm chart pulls heimdall container image from ghcr.io instead of from DockerHub (#1053) (b3c729a)
  • HTTP 2.0 support (#889) (ffcccf6)
  • Kubernetes RuleSet resource deployment/usage status (#987) (738e3ec)
  • New oauth2_client_credentials finalizer (#959) (4c9f807)
  • New trace log level allowing dumping HTTP requests, responses and the current Subject contents (#877) (512f1ed)
  • Opt-In for url-encoded slashes in URL paths (#1071) (96bb188)
  • Release archive contains an SBOM in CycloneDX (json) format (#867) (d8a7cff)
  • RuleSet version increased to 1alpha3, respectively to v1alpha3 in k8s CRD (#1054) (943c9ce)
  • SBOM and attestations for published container images (#868) (3564870)
  • SSE support (#889) (ffcccf6)
  • Support for OTEL metrics (#948) (eeb5a82)
  • Templating support in remote authorizer and generic contextualizer values property (#1047) (2835faa)
  • Validating admission controller for RuleSet resources (#984) (3357e57)
  • WebSockets support (#889) (ffcccf6)

Code Refactorings

  • Request.ClientIP renamed to Request.ClientIPAddresses to reflect the actual contents (#1066) (0f9484f)
  • unifier renamed to finalizer (#956) (d54e39d)
  • Endpoint specific client_credentials auth strategy renamed to oauth2_client_credentials (#975) (b11005c)
  • Proxy implementation migrated from fiber to stdlib http package (#889) (ffcccf6)
  • Rule(-Set) related configuration properties mechanisms, default and providers moved one level up and renamed (#1028) (f6ce3b8)
  • Support for noop authenticator removed (#1015) (8cb3bd3)
  • Support for X-Forwarded-Path header dropped (#1073) (342c11a)
  • Support for OpenTelemetry Jaeger exporter dropped (It has been deprecated by Jaeger back in 2022) (#884) (97b81b1)

Bug Fixes

  • HTTP method expansion in k8s RuleSet resources (#1005) (861c2b6)
  • Kubernetes RuleSet resource is unloaded by heimdall on authClassName mismatch (#987) (738e3ec)
  • Making use of better constraints in the definition of the RuleSet CRD to not exceed the k8s rule cost budget (#1004) (7d71351)
  • MIME type decoder covers optional parameters (#1057) (c1c088c)
  • The term "scheme" is used properly as defined by RFC9110 (#1042) (aaf4bd3)

Documentation

  • Integration guide and demo for (Ambassador) emissary ingress controller (#838) (456cfd5)
  • Integration guide and demo for HAProxy ingress controller (#837) (3766fa2)
  • New landing page (#853) (fc2a337)
  • New sections describing signature verification of released archives, container images and the SBOM. (#872) (8f42c24)

Dependencies

  • update golang to 1.21.4 (79a0106)
  • update golang.org/x/exp digest to 6522937 (#1068) (83827ae)
  • update google.golang.org/genproto/googleapis/rpc digest to 3a041ad (#1067) (431fd89)
  • update kubernetes packages to v0.28.4 (#1040) (312ace1)
  • update module github.com/felixge/httpsnoop to v1.0.4 (#995) (10006e5)
  • update module github.com/fsnotify/fsnotify to v1.7.0 (#981) (4c7bd90)
  • update module github.com/go-co-op/gocron to v1.36.0 (#1013) (dd44dc2)
  • update module github.com/google/cel-go to v0.18.2 (#1016) (d4e6d6f)
  • update module github.com/google/uuid to v1.4.0 (#985) (0d9666d)
  • update module github.com/grpc-ecosystem/go-grpc-middleware/v2 to v2.0.1 (#930) (06697fe)
  • update module github.com/jellydator/ttlcache/v3 to v3.1.0 (#870) (9afd7c4)
  • update module github.com/rs/zerolog to v1.31.0 (#936) (39f9b30)
  • update module github.com/spf13/cobra to v1.8.0 (#997) (fb0bbe5)
  • update module github.com/tidwall/gjson to v1.17.0 (#934) (8866dba)
  • update module github.com/tonglil/opentelemetry-go-datadog-propagator to v0.1.1 (#890) (92196e1)
  • update module github.com/wi2l/jsondiff to v0.5.0 (#1024) (db99a7c)
  • update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.46.1 (#1045) (1615f40)
  • update module go.opentelemetry.io/contrib/instrumentation/host to v0.46.1 (#1045) (1615f40)
  • update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.46.1 (#1045) (1615f40)
  • update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.46.1 (#1045) (1615f40)
  • update module go.opentelemetry.io/contrib/propagators/autoprop to v0.46.1 (#1045) (1615f40)
  • update module go.uber.org/fx to v1.20.1 (#978) (98f67a0)
  • update module gocloud.dev to v0.34.0 (#879) (25ae833)
  • update module google.golang.org/grpc to v1.59.0 (#977) (9211fae)
  • update module k8s.io/klog/v2 to v2.110.1 (#994) (e1b655a)
  • update opentelemetry-go monorepo to v1.21.0 (#1045) (1615f40)

0.11.1-alpha (2023-08-08)

Bug Fixes

  • Usage of X-Forwarded-* headers enhanced security wise (#839) (cd4f7e8)
  • Fix for wrong HTTP scheme used while matching the rules if heimdall is operated over TLS (#839) (cd4f7e8)

Documentation

  • Available integration guides updated to describe secure integration options only (#839) (cd4f7e8)

Dependencies

  • update golang.org/x/exp digest to 050eac2 (#842) (964a867)
  • update google.golang.org/genproto/googleapis/rpc digest to 1744710 (#841) (8f5c5e3)

0.11.0-alpha (2023-08-04)

⚠ BREAKING CHANGES

  • values property for endpoint templating must be configured on the mechanism conf level (#746)

Features

  • Helm chart allows usage of optional volumes and volume mounts (#825) (0ed2cf0)
  • Helm chart enhanced to allow passing optional arguments to heimdall (#824) (9b0149d)
  • HTTP method expansion with placeholder key words (#774) (d25be3b)
  • New CEL and template functions to ease access to different parts of the request and beyond (#689) (730b220)
  • Support of env variables in rule sets loaded by the file_system provider using Bash syntax (#775) (6fa6415)
  • Values object can be used in payload of generic contextualizer and remote authorizer (#749) (42267cb)

Code Refactorings

  • values property for endpoint templating must be configured on the mechanism conf level (#746) (9809fe4)

Bug Fixes

  • Loading of structured configuration from env variables (#768) (a76c722)
  • Quoting configured env vars in helm chart (#827) (b4eeb96)
  • Validation of a self-signed certificate does not require its presence in the system wide trust store any more (#830) (56a2d1f)

Documentation

  • New integration guide for Contour ingress controller (#828) (ea62e91)
  • Proxy buffer sizes example fixed (#814) by @vinerich (6867822)

0.10.1-alpha (2023-06-28)

Bug Fixes

  • Allow url rewrites with only a subset of fields set (proxy mode) (#742) by @netthier (109365f)
  • Include fullname in Helm RBAC resource names (#737) by @netthier (dff3d4d)
  • Working authClassName filter if multiple heimdall deployments are present in a cluster (#742) by @netthier (109365f)

0.10.0-alpha (2023-06-28)

⚠ BREAKING CHANGES

  • Support for URL rewriting while forwarding the processed request to the upstream service (#703)

Features

  • Support for automatic rolling of Helm deployments (#731) (bd2d438)
  • Support for URL rewriting while forwarding the processed request to the upstream service (#703) (be62972)

0.9.1-alpha (2023-06-24)

Bug Fixes

  • Matcher expressions do not have to cope with url encoded path fragments any more if such are present (#721) (4a8b0a0)
  • Query parameters are now ignored while matching the request url (#719) (69fce94)
  • URL encoding fixed while forwarding the request to the upstream in proxy mode (#716) (9234ea1)

0.9.0-alpha (2023-06-23)

Features

  • Configuration for read and write buffer sizes (#706) (6dcab1f)
  • Support for X-Original-Method used by nginx ingress controller (#710) (d95b989)

Bug Fixes

  • Refresh of cached items disabled to avoid retrieval of stale items (#711) (82c869b)

0.8.2-alpha (2023-06-21)

Bug Fixes

  • fix for panic on request handling if no rules are available (#699) (241f8ae)
  • leading slash is not added to the URL path anymore during URL path extraction (#695) (33679a6)
  • nginx controller workaround (#691) (427751d)

0.8.1-alpha (2023-06-12)

Bug Fixes

  • Proper usage of system trust store for JWT signer certificate validation purposes (#671) (66835b6)

0.8.0-alpha (2023-06-07)

⚠ BREAKING CHANGES

  • generic authenticator can forward authentication data to the identity_info_endpoint based on custom configuration (#631)

Features

  • api_key endpoint authentication strategy can add api keys to query parameters (#630) (634c9d9)
  • generic authenticator can forward authentication data to the identity_info_endpoint based on custom configuration (#631) (0e26596)
  • jwt unifier supports definition of a custom header and scheme (#666) (9971faa)
  • Request object is available to header and cookie unifiers (#627) (71b1da5)

Bug Fixes

  • Proper HTTP hop by hop header handling (#665) (3ef6185)

Performance Improvements

  • converting byte slice to a string and vice versa without memory allocation (#649) (6a13428)

0.7.0-alpha (2023-04-17)

⚠ BREAKING CHANGES

  • Version schema for rule sets (#436)
  • CORS support for decision service removed (#487)

Features

  • Command for validation of rules (#557) (849ed25)
  • Conditional execution of authorizers, contextualizers and unifiers in a rule (#562) (72db66e)
  • Contextualizer can be configured not to cancel the pipeline execution if it runs into an error (#522) (ad0d956)
  • logging version information on start (#555) (92b6564)
  • Rule controlled endpoint templating (#572) (41adfb9)
  • Support for envoy gRPC v3 external authorization API (#469) (666cd07)
  • Version schema for rule sets (#436) (dba0a87)

Bug Fixes

  • Configuration of basic_auth authenticator fixed (#556) (8eb5f65)
  • Initialization of Subject.Attributes by anonymous authenticator (#566) (425acb8)

Code Refactoring

  • CORS support for decision service removed (#487) (1339721)

0.6.1-alpha (2023-02-08)

Bug Fixes

  • Header matching case-sensitivity fixed (#483) (6d31d01)
  • Header value matching using wildcards fixed (#485) (cf3ed57)

0.6.0-alpha (2023-01-19)

⚠ BREAKING CHANGES

  • demo.enable in helm chart renamed to demo.enabled (#457)
  • Metrics service configuration changed (#452)
  • New type for key store configuration introduced (#434)

Features

  • Helm chart supports setting of arbitrary environment variables (#444) (80de2ee)
  • New service exposing CPU, memory, etc profiling information (#446) (2175273)
  • Remaining validity of configured certificates exposed as metric (#432) (95b24f0)

Bug Fixes

  • Helm Chart fixed: it neither expects a heimdall config file nor checks for a non-existing property anymore (#420) (8a0c299)
  • Memory leak introduced by correlation between metrics & traces fixed (#449) (f00e0ec)

Code Refactoring

  • demo.enable in helm chart renamed to demo.enabled (#457) (eb9c32e)
  • Metrics service configuration changed (#452) (1b3a36e)
  • New type for key store configuration introduced (#434) (b2a9e58)

0.5.0-alpha (2023-01-02)

⚠ BREAKING CHANGES

  • Rule properties related to url matching moved to a separate structure (#402)
  • Templating support in redirect error handler mechanism (#395)
  • Objects and functions available in templates and CEL expressions harmonized (#394)
  • Configuration for keys & certificates harmonized (#392)
  • Decision service returns 200 OK instead of 202 Accepted on success. (#385)
  • Used HTTP status codes can be configured (#383)
  • mutator renamed to unifier (#375)
  • hydrator renamed to contextualizer (#374)
  • pipeline config property renamed and moved into rules (#370)
  • Local ECMAScript based authorizer is not supported any more (#369)
  • Remote authorizer uses CEL instead of ECMAScript for response verification purposes (#367)

Features

  • Key material used for TLS can be password protected (#392) (e40c0a2)
  • New "local" authorizer which uses CEL expressions (#364) (d8988a8)
  • Provider to load rule sets deployed in Kubernetes environments (incl. Helm Chart update) (#336) (dee229f)
  • Simple helm chart (#325) (23b4d5d)
  • Simpler endpoint configuration (#376) (248f483)
  • Support for environment variables substitution in config file (#381) (5a6ec65)
  • Support for tracing and metrics correlation, as well as more metrics for go runtime information (#359) (f34998a)
  • Templating support in redirect error handler mechanism (#395) (7a0eff3)
  • Used HTTP status codes can be configured (#383) (5d46322)

Bug Fixes

  • request_headers error condition implementation fixed (#373) (a2d3045)
  • Signer implementation fixed to take the first key from the key store if no key id was specified (#392) (e40c0a2)

Code Refactoring

  • hydrator renamed to contextualizer (#374) (f20bc37)
  • mutator renamed to unifier (#375) (785b956)
  • pipeline config property renamed and moved into rules (#370) (4234e54)
  • Configuration for keys & certificates harmonized (#392) (e40c0a2)
  • Decision service returns 200 OK instead of 202 Accepted on success. (#385) (3460191)
  • Local ECMAScript based authorizer is not supported any more (#369) (db7febe)
  • Objects and functions available in templates and CEL expressions harmonized (#394) (4ca9a9d)
  • Remote authorizer uses CEL instead of ECMAScript for response verification purposes (#367) (92e1ffa)
  • Rule properties related to url matching moved to a separate structure (#402) (f3bd105)

0.4.1-alpha (2022-11-11)

Bug Fixes

  • User for the heimdall process within the container fixed (#323) (77e36f9)

0.4.0-alpha (2022-11-09)

⚠ BREAKING CHANGES

  • file system provider rename (#281)
  • OpenTelemetry tracing support (#246)
  • Pipeline handler identifiers are present in error context to support pipeline handler specific error handling strategies (#239)
  • ECDSA P-384 key is generated instead of RSA-2048 for JWT signing purposes on startup if no key store has been configured

Features

  • Configuration of minimal allowed TLS version and the required cipher suites (#303) (76c02bf)
  • HTTP caching according to RFC 7234 is supported by pipeline handlers and the httpendpoint provider (#307) (c5349c1)
  • Made all log statements adhere to the GELF format (#259) (94bf2f1)
  • OpenTelemetry tracing support (#246) (c3e81fd)
  • Pipeline handler identifiers are present in error context to support pipeline handler specific error handling strategies (#239) (8a73e86)
  • Provider to load rule sets from cloud blobs (#283) (6eef3dc)
  • Provider to load rule sets from HTTP(s) endpoints (#263) (5ff495c)
  • Support for log, trace and request correlation (#254) (a543230)

Code Refactoring

  • ECDSA P-384 key is generated instead of RSA-2048 for JWT signing purposes on startup if no key store has been configured (6b62b47)
  • file system provider rename (#281) (04a33f2)

0.3.0-alpha (2022-09-09)

⚠ BREAKING CHANGES

  • Prefix for considered environment variables renamed from HEIMDALL_ to HEIMDALLCFG_ and made this prefix configurable via a --env-config-prefix flag (#220)
  • session property used by some authenticators renamed (incl. its properties) to subject to better reflect its meaning (#200)
  • jwt_from property of the jwt_authenticator renamed to jwt_source to comply with naming in other authenticators (#199)

Features

  • generic authenticator updated to consider ttl of the session object received from the identity_info_endpoint and to enable session validation (#201) (42b4e6c)
  • jwt_authenticator updated to support X.509 certificates (incl. validation) in JWKs used for JWT signature verification (#172) (19ef20d)
  • oauth2_authenticator updated to optionally support token source selection, like specific header, schema, etc (#198) (e7ad797)
  • If no kid is present in the JWT, the jwt_authenticator can now iterate over the received JWKS and try to verify the signature until one of the keys matches (#196) (488e46f)
  • x509 certificate support in keystore (#166) (2d9af4c)

Bug Fixes

  • Prefix for considered environment variables renamed from HEIMDALL_ to HEIMDALLCFG_ and made this prefix configurable via a --env-config-prefix flag (#220) (3bfeff1)

Code Refactoring

  • jwt_from property of the jwt_authenticator renamed to jwt_source to comply with naming in other authenticators (#199) (29d6bcb)
  • session property used by some authenticators renamed (incl. its properties) to subject to better reflect its meaning (#200) (869d8ae)

0.2.0-alpha (2022-08-12)

⚠ BREAKING CHANGES

  • strip_prefix in header authentication data strategy renamed to schema to reflect the actual meaning and behavior (#129)
  • "serve api" command renamed to "serve decision" (incl. wording in docs and logs) (#125)
  • Make decision endpoint being available directly on the root (/) path of the decision service (#112)
  • Usage of trusted_proxies is mandatory for Decision API to accept X-Forwarded-* headers (#111)
  • Returning HTTP 404 instead of HTTP 500 if no default rule is configured and no rule matches (#96)

Features

  • Access log support (#139) (8387512)
  • Configurable fallback of authenticators even if the verification of the credentials fails (#134) (1336777)
  • Make decision endpoint being available directly on the root (/) path of the decision service (#112) (fa1ff5b)
  • New upstream property introduced for the rule config to support reference of the upstream service for proxy mode (0436a52)
  • New management service introduced, which exposes the health & jwks endpoints (0436a52)
  • Not setting HTTP Server header anymore (0436a52)
  • Remote authorizer optionally supports verification of responses from the remote system via a script (#117) (1ecabf0)
  • Retrieval of an access token from the request body (#115) (b336ab4)
  • Returning HTTP 404 instead of HTTP 500 if no default rule is configured and no rule matches (#96) (0436a52)
  • Reverse proxy support (#90) (0436a52)
  • Usage of trusted_proxies is mandatory for Decision API to accept X-Forwarded-* headers (#111) (438932b)

Bug Fixes

  • accesslog handler updated to include information about authenticated subject if present (#162) (3e286db)
  • Basic Auth authenticator added to the schema and can now be configured (#133) (1336777)
  • basic_auth authenticator is not responsible for the request any more if the Authorization header does not contain Basic Auth schema (#107) (96136ef)
  • Bearer token based authenticators do not feel responsible for the request anymore if no "Bearer" scheme is present in the "Authorization" header (db5b773)
  • Fixed usage of X-Forwarded-Uri header (0436a52)
  • Handling and usage of the upstream property fixed (before this fix the proxy operation mode could not be used) (#130) (ed61e18)
  • jwt authenticator to not feel responsible if the bearer token is not in the JWT format (#108) (d8945c4)
  • Schema fixed to allow TLS key & cert as well as CORS max_age configuration (#122) (58b6bc3)
  • trusted_proxy support added to the schema file to allow the validation of the corresponding property (#105) (556946e)

Code Refactoring

  • "serve api" command renamed to "serve decision" (incl. wording in docs and logs) (#125) (e6aad0d)
  • strip_prefix in header authentication data strategy renamed to schema to reflect the actual meaning and behavior (#129) (f8a38ff)

0.1.0-alpha (2022-07-19)

This is a very first release.

Supported Features

  • Decision API
  • Loading rules from the file system
  • Authenticator types (anonymous, basic-auth, generic, jwt, noop, oauth2 introspection, unauthorized)
  • Authorizers (allow, deny, subject attributes (to evaluate available subject information by using JS) & remote (e.g. to communicate with open policy agent, ory keto, a zanzibar implementation, or any other authorization engine))
  • Hydrators (generic) - to enrich the subject information retrieved from the authenticator
  • Mutators (opaque cookie, opaque header, jwt in the Authorization header, noop) to transform the subject information
  • Error Handlers (default, redirect, www-authenticate), which support accept type negotiation as well
  • Opentracing support (jaeger & instana)
  • Prometheus metrics
  • Key store in pem format for rsa-pss and ecdsa keys (pkcs#1 - plain only & pkcs#8 - plain and encrypted)
  • Rules URL matching
  • Flexible pipeline definition: authenticators+ -> any order(authorizer*, hydrator*) -> mutator+ -> error_handler*
  • Optional default rule taking effect if no rule matches
  • If Default rule is configured, the actual rule definition can reuse it (less yaml code)
  • Typical execution time if caches are active is around 300µs (on my laptop)
  • The configuration is validated on startup. You can also validate it by making use of the "validate config" command.
  • Health Probe