Changelog

0.15.0 (2024-09-16)

⚠ BREAKING CHANGES

Made the usage of if clauses in authentication & authorization, and error pipelines consistent (#1784)
Deprecated OTEL attributes replaced (#1669)
Configuration of signer moved into jwt finalizer (#1534)
Demo installation removed from the helm chart (#1544)
Subject has been made immutable (#1487)
Rule matching configuration API redesigned (#1358)
Default rule rejects requests with encoded slashes in the path of the URL with 400 Bad Request (#1358)
Support for rule_path_match_prefix on endpoint configurations for http_endpoint and cloud_blob providers has been dropped (#1358)

Features

Glob expressions are context aware and use . for host related expressions and / for path related ones as separators (#1358) (f2f6867)
Multiple rules can be defined for the same path, e.g. to have separate rules for read and write requests (#1358) (f2f6867)
New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 (#1507) (672988d)
Route based matching of rules (#1766) (8ef379d)
Support for backtracking while matching rules (#1358) (f2f6867)
Support for free and single (named) wildcards for request path matching and access of the captured values from the pipeline (#1358) (f2f6867)

Code Refactorings

Configuration of signer moved into jwt finalizer (#1534) (4475745)
Default rule rejects requests with encoded slashes in the path of the URL with 400 Bad Request (#1358) (f2f6867)
Demo installation removed from the helm chart (#1544) (f8770b3)
Deprecated OTEL attributes replaced (#1669) (e5ed3a5)
Made the usage of if clauses in authentication & authorization, and error pipelines consistent (#1784) (2577f56)
Rule matching configuration API redesigned (#1358) (f2f6867)
Subject has been made immutable (#1487) (6c4957f)
Support for rule_path_match_prefix on endpoint configurations for http_endpoint and cloud_blob providers has been dropped (#1358) (f2f6867)

Performance Improvements

O(log(n)) time complexity for lookup of rules (#1358) (f2f6867)

Bug Fixes

Corrected the placement of namespace selector properties in the Helm chart's admission controller configuration (#1752). (4c059b3)
Fixed a nil pointer error in the Helm chart that occurred when a deployment was configured with custom annotations due to an incorrect reference in the deployment template (#1752). (4c059b3)
Taking updates of certificates into account while collecting metrics (#1534) (4475745)
Updated the admission controller configuration in the Helm chart to align with the redesigned structure done in v0.12.0-alpha release of heimdall (#1752). (4c059b3)

Documentation

Guide for First-Party Authentication with OpenID Connect (#1789) (8c6b9c3)
New integration guide for Envoy Gateway (#1412) (526f381)
NGING Ingress Controller guide updated to cover global integration options (#1469) (a710a64)
Traefik guide updated to cover Ingress, IngressRoute and HTTPRoute based integration options (#1420) (303095e)

Dependencies

update golang to v1.23.1 (#1793) (54e6cad)
update golang.org/x/exp digest to 701f63a (#1793) (54e6cad)
update google.golang.org/genproto/googleapis/rpc digest to 8af14fe (#1793) (54e6cad)
update module github.com/go-playground/validator/v10 to v10.22.1 (#1793) (54e6cad)
update module github.com/jellydator/ttlcache/v3 to v3.3.0 (#1793) (54e6cad)
update module github.com/masterminds/sprig/v3 to v3.3.0 (#1793) (54e6cad)
update module github.com/prometheus/client_golang to v1.20.3 (#1793) (54e6cad)
update module github.com/redis/rueidis to v1.0.45 (#1793) (54e6cad)
update module github.com/redis/rueidis/rueidisotel to v1.0.45 (#1793) (54e6cad)
update module github.com/rs/cors to v1.11.1 (#1793) (54e6cad)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.55.0 (#1793) (54e6cad)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.55.0 (#1793) (54e6cad)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.55.0 (#1793) (54e6cad)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.55.0 (#1793) (54e6cad)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.55.0 (#1793) (54e6cad)
update module gocloud.dev to v0.39.0 (#1774) (4ffa9e4)
update module google.golang.org/grpc to v1.66.2 (#1793) (54e6cad)
update module k8s.io/client-go to v0.31.1 (#1793) (54e6cad)
update opentelemetry-go monorepo to v1.30.0 (#1793) (54e6cad)

0.14.5-alpha (2024-08-25)

Dependencies

update github.com/youmark/pkcs8 digest to a2c0da2 (#1671) (ad37b99)
update golang to v1.23.0 (#1711) (0a67326)
update golang.org/x/exp digest to 9b4947d (#1724) (c9bf5dc)
update google.golang.org/genproto/googleapis/rpc digest to 4ba0660 (#1725) (661716a)
update kubernetes packages to v0.31.0 (#1708) (49a7b18)
update module github.com/dlclark/regexp2 to v1.11.4 (#1686) (e4827de)
update module github.com/envoyproxy/go-control-plane to v0.13.0 (#1716) (a06cb40)
update module github.com/go-jose/go-jose/v4 to v4.0.4 (#1673) (2dfb142)
update module github.com/go-viper/mapstructure/v2 to v2.1.0 (#1702) (0115fe8)
update module github.com/google/cel-go to v0.21.0 (#1684) (0601589)
update module github.com/jellydator/ttlcache/v3 to v3.2.1 (#1734) (161689d)
update module github.com/prometheus/client_golang to v1.20.2 (#1727) (6194d6d)
update module github.com/redis/rueidis to v1.0.44 (#1700) (9b7c43b)
update module github.com/redis/rueidis/rueidisotel to v1.0.44 (#1701) (02731bd)
update module github.com/tidwall/gjson to v1.17.3 (#1681) (f5e1707)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.54.0 (#1728) (c66e903)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.54.0 (#1729) (eef6b6e)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.54.0 (#1730) (01865ed)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.54.0 (#1731) (415953d)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.54.0 (#1732) (3f6edea)
update module go.uber.org/fx to v1.22.2 (#1694) (810d995)
update module gocloud.dev to v0.38.0 (#1735) (b32d5c0)
update opentelemetry-go monorepo to v1.29.0 (#1733) (e093267)

0.14.4-alpha (2024-07-25)

Bug Fixes

OAuth2 iss claim verification in JWT/OIDC authenticators when used with metadata_endpoint (#1660) by @martin31821 (a9947f2)
Trailing useless bytes ignored while parsing PEM content (#1564) (0c52bd3)

Dependencies

update golang to v1.22.5 (#1592) (1d4de85)
update golang.org/x/exp digest to 8a7402a (#1644) (6fbbf15)
update google.golang.org/genproto/googleapis/rpc digest to e6d459c (#1654) (103c1ac)
update kubernetes packages to v0.30.2 (#1540) (70fdd62)
update module github.com/dlclark/regexp2 to v1.11.2 (#1630) (afd7c92)
update module github.com/go-co-op/gocron/v2 to v2.11.0 (#1645) (42688aa)
update module github.com/go-jose/go-jose/v4 to v4.0.3 (#1625) (59caff8)
update module github.com/go-playground/validator/v10 to v10.22.0 (#1537) (1f6eeaa)
update module github.com/redis/rueidis to v1.0.41 (#1617) (3919aaf)
update module github.com/redis/rueidis/rueidisotel to v1.0.41 (#1619) (69bc2aa)
update module github.com/spf13/cobra to v1.8.1 (#1551) (871ee91)
update module github.com/tonglil/opentelemetry-go-datadog-propagator to v0.1.3 (#1579) (27c1026)
update module github.com/wi2l/jsondiff to v0.6.0 (#1558) (c4cfd07)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.53.0 (#1600) (84b330f)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.53.0 (#1601) (31834e0)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.53.0 (#1602) (d3d2328)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.53.0 (#1603) (b23bc0b)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.53.0 (#1604) (f8679e9)
update module go.uber.org/fx to v1.22.1 (#1577) (49ab1c2)
update module google.golang.org/grpc to v1.65.0 (#1589) (dad8e53)
update module google.golang.org/protobuf to v1.34.2 (#1535) (12aa205)
update module k8s.io/api to v0.30.3 (#1640) (9b2e072)
update module k8s.io/client-go to v0.30.3 (#1641) (333c81f)
update module k8s.io/klog/v2 to v2.130.1 (#1567) (d16ecbe)
update opentelemetry-go monorepo to v1.28.0 (#1591) (a33f586)

0.14.3-alpha (2024-06-09)

Dependencies

update golang to v1.22.4 (#1517) (a86784a)
update golang.org/x/exp digest to fc45aab (#1515) (f07ae39)
update google.golang.org/genproto/googleapis/rpc digest to ef581f9 (#1516) (acc5740)
update kubernetes packages to v0.30.1 (#1466) (dc68e5e)
update module github.com/go-jose/go-jose/v4 to v4.0.2 (#1450) (1aba621)
update module github.com/go-playground/validator/v10 to v10.21.0 (#1509) (0c9167e)
update module github.com/go-viper/mapstructure/v2 to v2.0.0 (#1510) (d7224ff)
update module github.com/goccy/go-json to v0.10.3 (#1476) (32f5eca)
update module github.com/redis/rueidis to v1.0.38 (#1502) (91569ee)
update module github.com/redis/rueidis/rueidisotel to v1.0.38 (#1503) (63dec15)
update module github.com/rs/zerolog to v1.33.0 (#1490) (9579381)
update module github.com/santhosh-tekuri/jsonschema/v6 to v6.0.1 (#1520) (3648c59)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.52.0 (#1478) (535aa2f)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.52.0 (#1480) (509d4b3)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.52.0 (#1482) (b112767)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.52.0 (#1483) (4c8707c)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.52.0 (#1484) (57c5a6a)
update module go.opentelemetry.io/otel to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/bridge/opentracing to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttpto to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/prometheus to v0.49.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/exporters/zipkin to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/metric to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/sdk to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/sdk/metric to v1.27.0 (#1481) (384612e)
update module go.opentelemetry.io/otel/trace to v1.27.0 (#1481) (384612e)
update module go.uber.org/fx to v1.22.0 (#1501) (37ddf79)
update module google.golang.org/grpc to v1.64.0 (#1462) (9d5e47c)

0.14.2-alpha (2024-05-12)

Dependencies

update golang to v1.22.3 (#1428) (524a3d4)
update kubernetes packages to v0.30.0 (#1368) (04cba69)
update module github.com/go-co-op/gocron/v2 to v2.5.0 (#1424) (c3449a0)
update module github.com/go-playground/validator/v10 to v10.20.0 (#1402) (a965ef0)
update module github.com/prometheus/client_golang to v1.19.1 (#1434) (d778e9c)
update module github.com/redis/rueidis to v1.0.37 (#1440) (ce2e65b)
update module github.com/redis/rueidis/rueidisotel to v1.0.37 (#1441) (5c163b5)
update module github.com/rs/cors to v1.11.0 (#1383) (b44b9c0)
update module github.com/wi2l/jsondiff to v0.5.2 (#1370) (fd0cb04)
update module github.com/youmark/pkcs8 to v0.0.0-20240424034433-3c2c7870ae76 (#1407) (587f073)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.51.0 (#1387) (ce65b02)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.51.0 (#1389) (5688d8f)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.51.0 (#1390) (2357888)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.51.0 (#1391) (a58f629)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.51.0 (#1392) (fc87ef5)
update module go.opentelemetry.io/otel to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/bridge/opentracing to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/prometheus to v0.48.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/exporters/zipkin to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/metric to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/sdk to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/sdk/metric to v1.26.0 (#1385) (3c531d7)
update module go.opentelemetry.io/otel/trace to v1.26.0 (#1385) (3c531d7)
update module go.uber.org/fx to v1.21.1 (#1384) (614117f)
update module golang.org/x/exp to v0.0.0-20240506185415-9bf2ced13842 (#1422) (561ee65)
update module google.golang.org/genproto/googleapis/rpc to v0.0.0-20240509183442-62759503f434 (#1436) (508e22b)
update module google.golang.org/protobuf to v1.34.1 (#1421) (e25b077)

0.14.1-alpha (2024-04-09)

Dependencies

update golang to v1.22.2 (#1313) (7c37100)
update golang.org/x/exp digest to c0f41cb (#1318) (723ad16)
update module github.com/knadh/koanf/v2 to v2.1.1 (#1308) (502cdcb)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.50.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.50.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.50.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.50.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.50.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/bridge/opentracing to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/prometheus to v0.47.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/exporters/zipkin to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/metric to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/sdk to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/sdk/metric to v1.25.0 (#1329) (dbb40bd)
update module go.opentelemetry.io/otel/trace to v1.25.0 (#1329) (dbb40bd)
update module google.golang.org/grpc to v1.63.2 (#1339) (8ee3942)

0.14.0-alpha (2024-04-02)

Features

env settings in helm chart extended to support ConfigMaps, Secrets and Pod configuration in addition to string literals (#1128) by @martin31821 (bf75c97)
Helm chart supports setting environment variables by referencing either a ConfigMap or a Secret via envFrom (#1128) by @martin31821 (bf75c97)
Hot reloading of Signer keys store (#1232) (36076e1)
Hot reloading of TLS key stores (#1230) (9abf723)
Redis as (distributed) cache (#999) by @tk-innoq (2f9ba81)

Bug Fixes

audience assertion adheres to RFC-7519, section 4.1.3 (#1237) (560a470)
Rule set, the rule is loaded from, is considered while updating or deleting rules (#1298) (e571248)

Documentation

Contour integration guide updated to cover global configuration in addition to the route based one (#1253) (74bcebd)
Documentation restructured to make it more comprehensive (#1075) by @godrin, @REABMAX, @Ebano and @KieronWiltshire (6612633)
HAProxy guide updated to cover global integration with the Ingress Controller (#1240) (ed27797)
Integration guide for OpenFGA (#1299) (1d8bea2)
Traefik integration guide updated to cover global configuration in addition to the route based one (#1269) (73b1d4c)

Dependencies

update golang to 1.22.1 (#1219) (4449cb7)
update golang.org/x/exp digest to a685a6e (#1245) (41ba4a2)
update google.golang.org/genproto/googleapis/rpc digest to c3f9821 (#1301) (4ccf593)
update kubernetes packages to v0.29.3 (#1249) (43f3233)
update module github.com/dlclark/regexp2 to v1.11.0 (#1209) (c51eda9)
update module github.com/evanphx/json-patch/v5 to v5.9.0 (#1156) (3770509)
update module github.com/go-co-op/gocron/v2 to v2.2.9 (#1292) (3555329)
update module github.com/go-jose/go-jose/v4 to v4.0.1 [security] (#1225) (45e5a46)
update module github.com/go-playground/validator/v10 to v10.19.0 (#1217) (564d256)
update module github.com/google/cel-go to v0.20.1 (#1224) (a0669a8)
update module github.com/google/uuid to v1.6.0 (#1151) (5f9dc9c)
update module github.com/grpc-ecosystem/go-grpc-middleware/v2 to v2.1.0 (#1241) (bff3874)
update module github.com/jellydator/ttlcache/v3 to v3.2.0 (#1198) (7c560d2)
update module github.com/knadh/koanf/v2 to v2.1.0 (#1178) (1e344d3)
update module github.com/ory/ladon to v1.3.0 (#1222) (3ca9ec4)
update module github.com/prometheus/client_golang to v1.19.0 (#1212) (256932f)
update module github.com/rs/zerolog to v1.32.0 (#1165) (d4678f6)
update module github.com/tidwall/gjson to v1.17.1 (#1187) (a1680a1)
update module github.com/tonglil/opentelemetry-go-datadog-propagator to v0.1.2 (#1215) (0d2a6ce)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.49.0 (#1209) (c51eda9)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.49.0 (#1209) (c51eda9)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 (#1209) (c51eda9)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.49.0 (#1209) (c51eda9)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.49.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/bridge/opentracing to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/prometheus to v0.46.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/exporters/zipkin to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/metric to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/sdk to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/sdk/metric to v1.24.0 (#1209) (c51eda9)
update module go.opentelemetry.io/otel/trace to v1.24.0 (#1209) (c51eda9)
update module go.uber.org/fx to v1.21.0 (#1244) (99963e0)
update module gocloud.dev to v0.37.0 (#1236) (8d1c7fe)
update module google.golang.org/genproto/googleapis/rpc to b0ce06b (#1209) (c51eda9)
update module google.golang.org/grpc to v1.62.1 (#1220) (d22d0d2)
update module google.golang.org/protobuf to v1.33.0 (#1221) (e2dab94)
update module k8s.io/klog/v2 to v2.120.1 (#1139) (541828b)

0.13.0-alpha (2024-01-03)

⚠ BREAKING CHANGES

Endpoint specific HTTP cache settings refactored to allow HTTP cache ttl definition (#1043)

Features

OAuth2/OIDC metadata discovery for jwt authenticator (#1043) by @martin31821 (2dbfa5f)
OAuth2/OIDC metadata discovery for oauth2_introspection authenticator (#1043) by @martin31821 (2dbfa5f)

Code Refactorings

Endpoint specific HTTP cache settings refactored to allow HTTP cache ttl definition (#1043) (2dbfa5f)

Bug Fixes

Accept header usage (#1107) (f738ee8)
Setting of binary artifacts version fixed (#1087) (f7dbbee)

Dependencies

update golang to 1.21.5 (#1082) (a996ce7)
update golang.org/x/exp digest to 02704c9 (#1111) (1e18000)
update google.golang.org/genproto/googleapis/rpc digest to 50ed04b (#1115) (eda1d2d)
update kubernetes packages to v0.29.0 (#1100) (65b3619)
update module github.com/envoyproxy/go-control-plane to v0.12.0 (#1117) (7fbb737)
update module github.com/go-co-op/gocron/v2 to v2.1.2 (#1116) (13505da)
update module github.com/google/uuid to v1.5.0 (#1097) (5273ac8)
update module github.com/jellydator/ttlcache/v3 to v3.1.1 (#1102) (90dcc4d)
update module github.com/prometheus/client_golang to v1.18.0 (#1112) (57da7ec)
update module gocloud.dev to v0.36.0 (#1113) (584d51f)
update module google.golang.org/grpc to v1.60.1 (#1105) (329f647)
update module google.golang.org/protobuf to v1.32.0 (#1109) (47d7785)

0.12.0-alpha (2023-11-29)

⚠ BREAKING CHANGES

Support for X-Forwarded-Path header dropped (#1073)
if conditional statements for error pipeline mechanisms (#1055)
Request.ClientIP renamed to Request.ClientIPAddresses to reflect the actual contents (#1066)
The term "scheme" is used properly as defined by RFC9110 (#1042)
Rule(-Set) related configuration properties mechanisms , default and providers moved one level up and renamed (#1028)
Support for noop authenticator removed (#1015)
Endpoint specific client_credentials auth strategy renamed to oauth2_client_credentials (#975)
unifier renamed to finalizer (#956)
Support for OTEL metrics (#948)
Proxy implementation migrated from fiber to stdlib http package (#889)
Support for OpenTelemetry Jaeger exporter dropped (It has been deprecated by Jaeger back in 2022) (#884)

Features

client_credentials authentication strategy for Endpoint enhanced to support the same options as the corresponding finalizer (#971) (ec16d5d)
finalizers are optional (#1027) (864c879)
if conditional statements for error pipeline mechanisms (#1055) (7cf97dc)
Access to request body in templates and CEL expressions (#1069) (69dd7d2)
Container images are published to GHCR in addition to DockerHub (#1041) (04b1066)
Helm chart pulls heimdall container image from ghcr.io instead from DockerHub (#1053) (b3c729a)
HTTP 2.0 support (#889) (ffcccf6)
Kubernetes RuleSet resource deployment/usage status (#987) (738e3ec)
New oauth2_client_credentials finalizer (#959) (4c9f807)
New trace log level allowing dumping HTTP requests, responses and the current Subject contents (#877) (512f1ed)
Opt-In for url-encoded slashes in URL paths (#1071) (96bb188)
Release archive contains an SBOM in CycloneDX (json) format (#867) (d8a7cff)
RuleSet version increased to 1alpha3, respectively to v1alpha3 in k8s CRD (#1054) (943c9ce)
SBOM and attestations for published container images (#868) (3564870)
SSE support (#889) (ffcccf6)
Support for OTEL metrics (#948) (eeb5a82)
Templating support in remote authorizer and generic contextualizer values property (#1047) (2835faa)
Validating admission controller for RuleSet resources (#984) (3357e57)
WebSockets support (#889) (ffcccf6)

Code Refactorings

Request.ClientIP renamed to Request.ClientIPAddresses to reflect the actual contents (#1066) (0f9484f)
unifier renamed to finalizer (#956) (d54e39d)
Endpoint specific client_credentials auth strategy renamed to oauth2_client_credentials (#975) (b11005c)
Proxy implementation migrated from fiber to stdlib http package (#889) (ffcccf6)
Rule(-Set) related configuration properties mechanisms , default and providers moved one level up and renamed (#1028) (f6ce3b8)
Support for noop authenticator removed (#1015) (8cb3bd3)
Support for X-Forwarded-Path header dropped (#1073) (342c11a)
Support for OpenTelemetry Jaeger exporter dropped (It has been deprecated by Jaeger back in 2022) (#884) (97b81b1)

Bug Fixes

HTTP method expansion in k8s RuleSet resources (#1005) (861c2b6)
Kubernetes RuleSet resource is unloaded by heimdall on authClassName mismatch (#987) (738e3ec)
Making use of better constraints in the definition of the RuleSet CRD to not exceed the k8s rule cost budget (#1004) (7d71351)
MIME type decoder covers optional parameters (#1057) (c1c088c)
The term "scheme" is used properly as defined by RFC9110 (#1042) (aaf4bd3)

Documentation

Integration guide and demo for (Ambassador) emissary ingress controller (#838) (456cfd5)
Integration guide and demo for HAProxy ingress controller (#837) (3766fa2)
New landing page (#853) (fc2a337)
New sections describing signature verification of released archives, container images and the SBOM. (#872) (8f42c24)

Dependencies

update golang to 1.21.4 (79a0106)
update golang.org/x/exp digest to 6522937 (#1068) (83827ae)
update google.golang.org/genproto/googleapis/rpc digest to 3a041ad (#1067) (431fd89)
update kubernetes packages to v0.28.4 (#1040) (312ace1)
update module github.com/felixge/httpsnoop to v1.0.4 (#995) (10006e5)
update module github.com/fsnotify/fsnotify to v1.7.0 (#981) (4c7bd90)
update module github.com/go-co-op/gocron to v1.36.0 (#1013) (dd44dc2)
update module github.com/google/cel-go to v0.18.2 (#1016) (d4e6d6f)
update module github.com/google/uuid to v1.4.0 (#985) (0d9666d)
update module github.com/grpc-ecosystem/go-grpc-middleware/v2 to v2.0.1 (#930) (06697fe)
update module github.com/jellydator/ttlcache/v3 to v3.1.0 (#870) (9afd7c4)
update module github.com/rs/zerolog to v1.31.0 (#936) (39f9b30)
update module github.com/spf13/cobra to v1.8.0 (#997) (fb0bbe5)
update module github.com/tidwall/gjson to v1.17.0 (#934) (8866dba)
update module github.com/tonglil/opentelemetry-go-datadog-propagator to v0.1.1 (#890) (92196e1)
update module github.com/wi2l/jsondiff to v0.5.0 (#1024) (db99a7c)
update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.46.1 (#1045) (1615f40)
update module go.opentelemetry.io/contrib/instrumentation/host to v0.46.1 (#1045) (1615f40)
update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.46.1 (#1045) (1615f40)
update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.46.1 (#1045) (1615f40)
update module go.opentelemetry.io/contrib/propagators/autoprop to v0.46.1 (#1045) (1615f40)
update module go.uber.org/fx to v1.20.1 (#978) (98f67a0)
update module gocloud.dev to v0.34.0 (#879) (25ae833)
update module google.golang.org/grpc to v1.59.0 (#977) (9211fae)
update module k8s.io/klog/v2 to v2.110.1 (#994) (e1b655a)
update opentelemetry-go monorepo to v1.21.0 (#1045) (1615f40)

0.11.1-alpha (2023-08-08)

Bug Fixes

Usage of X-Forwarded-* headers enhanced security wise (#839) (cd4f7e8)
Fix for wrong HTTP scheme used while matching the rules if heimdall is operated over TLS (#839) (cd4f7e8)

Documentation

Available integration guides updated to describe secure integration options only (#839) (cd4f7e8

Dependencies

update golang.org/x/exp digest to 050eac2 (#842) (964a867)
update google.golang.org/genproto/googleapis/rpc digest to 1744710 (#841) (8f5c5e3)

0.11.0-alpha (2023-08-04)

⚠ BREAKING CHANGES

values property for endpoint teplating must be configured on the mechanism conf level (#746)

Features

Helm chart allows usage of optionall volumes and volume mounts (#825) (0ed2cf0)
Helm chart enhanced to allow passing optional arguments to heimdall (#824) (9b0149d)
HTTP method expansion with placeholder key words (#774) (d25be3b)
New CEL and template functions to ease access to different parts of the request and beyond (#689) (730b220)
Support of env variables in rule sets loaded by the file_system provider using Bash syntax (#775) (6fa6415)
Values object can be used in payload of generic contextualizer and remote authorizer (#749) (42267cb)

Code Refactorings

values property for endpoint teplating must be configured on the mechanism conf level (#746) (9809fe4)

Bug Fixes

Loading of structured configuration from env variables (#768) (a76c722)
Quoting configured env vars in helm chart (#827) (b4eeb96)
Validation of a self-signed certificate does not require its presence in the system wide trust store any more (#830) (56a2d1f)

Documentation

New integration guide for Contour ingress controller (#828) (ea62e91)
Proxy buffer sizes example fixed (#814) by @vinerich (6867822)

0.10.1-alpha (2023-06-28)

Bug Fixes

Allow url rewrites with only a subset of fields set (proxy mode) (#742) by @netthier (109365f)
Include fullname in Helm RBAC resource names (#737) by @netthier (dff3d4d)
Working authClassName filter if multiple heimdall deployments are present in a cluster (#742) by @netthier (109365f)

0.10.0-alpha (2023-06-28)

⚠ BREAKING CHANGES

Support for URL rewriting while forwarding the processed request to the upstream service (#703)

Features

Support for automatically Helm roll deployments (#731) (bd2d438)
Support for URL rewriting while forwarding the processed request to the upstream service (#703) (be62972)

0.9.1-alpha (2023-06-24)

Bug Fixes

Matcher expressions do not have to cope with url encoded path fragments any more if such are present (#721) (4a8b0a0)
Query parameters are now ignored while matching the request url (#719) (69fce94)
URL encoding fixed while forwarding the request to the upstream in proxy mode (#716) (9234ea1)

0.9.0-alpha (2023-06-23)

Features

Configuration for read and write buffer sizes (#706) (6dcab1f)
Support for X-Original-Method used by nginx ingress controller (#710) (d95b989)

Bug Fixes

Refresh of cached items disabled to avoid retrieval of stale items (#711) (82c869b)

0.8.2-alpha (2023-06-21)

Bug Fixes

fix for panic on request handling if no rules are available (#699) (241f8ae)
leading slash is not added to the URL path anymore during URL path extraction (#695) (33679a6)
nginx controller workaround (#691) (427751d)

0.8.1-alpha (2023-06-12)

Bug Fixes

Proper usage of system trust store for JWT signer certificate validation purposes (#671) (66835b6)

0.8.0-alpha (2023-06-07)

⚠ BREAKING CHANGES

generic authenticator can forward authentication data to the identity_info_endpoint based on custom configuration (#631)

Features

api_key endpoint authentication strategy can add api keys to query parameters (#630) (634c9d9)
generic authenticator can forward authentication data to the identity_info_endpoint based on custom configuration (#631) (0e26596)
jwt unifier supports definition of a custom header and scheme (#666) (9971faa)
Request object is available to header and cookie unifiers (#627) (71b1da5)

Bug Fixes

Proper HTTP hop by hop header handling (#665) (3ef6185)

Performance Improvements

converting byte slice to a string and vice versa without memory allocation (#649) (6a13428)

0.7.0-alpha (2023-04-17)

⚠ BREAKING CHANGES

Version schema for rule sets (#436)
CORS support for decision service removed (#487)

Features

Command for validation of rules (#557) (849ed25)
Conditional execution of authorizers, contextualizers and unifiers in a rule (#562) (72db66e)
Contextualizer can be configured not to cancel the pipeline execution if it runs into an error (#522) (ad0d956)
logging version information on start (#555) (92b6564)
Rule controlled endpoint templating (#572) (41adfb9)
Support for envoy gRPC v3 external authorization API (#469) (666cd07)
Version schema for rule sets (#436) (dba0a87)

Bug Fixes

Configuration of basic_auth authenticator fixed (#556) (8eb5f65)
Initialzation of Subject.Attributes by anonymous authenticator (#566) (425acb8)

Code Refactoring

CORS support for decision service removed (#487) (1339721)

0.6.1-alpha (2023-02-08)

Bug Fixes

Header matching case-sensitivity fixed (#483) (6d31d01)
Header value matching using wildcards fixed (#485) (cf3ed57)

0.6.0-alpha (2023-01-19)

⚠ BREAKING CHANGES

demo.enable in helm chart renamed to demo.enabled (#457)
Metrics service configuration changed (#452)
New type for key store configuration introduced (#434)

Features

Helm chart supports setting of arbitrary environment variables (#444) (80de2ee)
New service exposing CPU, memory, etc profiling information (#446) (2175273)
Remaining validity of configured certificates exposed as metric (#432) (95b24f0)

Bug Fixes

Helm Chart fixed and does neither expect a heimdall config file, nor check for not existing property anymore (#420) (8a0c299)
Memory leak introduced by correlation between metrics & traces fixed (#449) (f00e0ec)

Code Refactoring

demo.enable in helm chart renamed to demo.enabled (#457) (eb9c32e)
Metrics service configuration changed (#452) (1b3a36e)
New type for key store configuration introduced (#434) (b2a9e58)

0.5.0-alpha (2023-01-02)

⚠ BREAKING CHANGES

Rule properties related to url matching moved to an own structure (#402)
Templating support in redirect error handler mechanism (#395)
Objects and functions available in templates and CEL expressions harmonized (#394)
Configuration for keys & certificates harmonized (#392)
Decision service returns 200 OK instead of 202 Accepted on success. (#385)
Used HTTP status codes can be configured (#383)
mutator renamed to unifier (#375)
hydrator renamed to contextualizer (#374)
pipeline config property renamed and moved into rules (#370)
Local ECMAScript based authorizer is not supported any more (#369)
Remote authorizer uses CEL instead of ECMAScript for response verification purposes (#367)

Features

Key material used for TLS can be password protected (#392) (e40c0a2)
New "local" authorizer which uses CEL expressions (#364) (d8988a8)
Provider to load rule sets deployed in Kubernetes environments (incl. Helm Chart update) (#336) (dee229f)
Simple helm chart (#325) (23b4d5d)
Simpler endpoint configuration (#376) (248f483)
Support for environment variables substitution in config file (#381) (5a6ec65)
Support for tracing and metrics correlation, as well as more metrics for go runtime information (#359) (f34998a)
Templating support in redirect error handler mechanism (#395) (7a0eff3)
Used HTTP status codes can be configured (#383) (5d46322)

Bug Fixes

request_headers error condition implementation fixed (#373) (a2d3045)
Signer implementation fixed to take the first key from the key store if no key id was specified (#392) (e40c0a2)

Code Refactoring

hydrator renamed to contextualizer (#374) (f20bc37)
mutator renamed to unifier (#375) (785b956)
pipeline config property renamed and moved into rules (#370) (4234e54)
Configuration for keys & certificates harmonized (#392) (e40c0a2)
Decision service returns 200 OK instead of 202 Accepted on success. (#385) (3460191)
Local ECMAScript based authorizer is not supported any more (#369) (db7febe)
Objects and functions available in templates and CEL expressions harmonized (#394) (4ca9a9d)
Remote authorizer uses CEL instead of ECMAScript for response verification purposes (#367) (92e1ffa)
Rule properties related to url matching moved to an own structure (#402) (f3bd105)

0.4.1-alpha (2022-11-11)

Bug Fixes

User for the heimdall process within the container fixed (#323) (77e36f9)

0.4.0-alpha (2022-11-09)

⚠ BREAKING CHANGES

file system provider rename (#281)
OpenTelemetry tracing support (#246)
Pipeline handler identifier are present in error context to support pipeline handler specific error handling strategies (#239)
ECDSA P-384 key is generated instead of RSA-2048 for JWT signing purposes on startup if no key store has been configured

Features

Configuration of minimal allowed TLS version and the required cipher suites (#303) (76c02bf)
HTTP caching according to RFC 7234 is supported by pipeline handlers and the httpendpoint provider (#307) (c5349c1)
Made all log statements adhering to GELF format (#259) (94bf2f1)
OpenTelemetry tracing support (#246) (c3e81fd)
Pipeline handler identifier are present in error context to support pipeline handler specific error handling strategies (#239) (8a73e86)
Provider to load rule sets from cloud blobs (#283) (6eef3dc)
Provider to load rule sets from HTTP(s) endpoints (#263) (5ff495c)
Support for log, trace and request correlation (#254) (a543230)

Code Refactoring

ECDSA P-384 key is generated instead of RSA-2048 for JWT signing purposes on startup if no key store has been configured (6b62b47)
file system provider rename (#281) (04a33f2)

0.3.0-alpha (2022-09-09)

⚠ BREAKING CHANGES

Prefix for considered environment variables renamed from HEIMDALL_ to HEIMDALLCFG_ and made this prefix configurable via a --env-config-prefix flag (#220)
session property used by some authenticators renamed (incl. its properties) to subject to better reflect its meaning (#200)
jwt_from property of the jwt_authenticator renamed to jwt_source to comply with naming in other authenticators (#199)

Features

generic authenticator updated to consider ttl of the session object received from the identity_info_endpoint and to enable session validation (#201) (42b4e6c)
jwt_authenticator updated to support X.509 certificates (incl validation) in JWKs used for JWT signature verification (#172) (19ef20d)
oauth2_authenticator updated to optionally support token source selection, like specific header, schema, etc (#198) (e7ad797)
If no kid is present in the JWT, the jwt_authenticator can now iterate over the received JWKS and try to verify the signature until one of the keys matches (#196) (488e46f)
x509 certificate support in keystore (#166) (2d9af4c)

Bug Fixes

Prefix for considered environment variables renamed from HEIMDALL_ to HEIMDALLCFG_ and made this prefix configurable via a --env-config-prefix flag (#220) (3bfeff1)

Code Refactoring

jwt_from property of the jwt_authenticator renamed to jwt_source to comply with naming in other authenticators (#199) (29d6bcb)
session property used by some authenticators renamed (incl. its properties) to subject to better reflect its meaning (#200) (869d8ae)

0.2.0-alpha (2022-08-12)

⚠ BREAKING CHANGES

strip_prefix in header authentication data strategy renamed to schema to reflect the actual mening and behavior (#129)
"serve api" command renamed to "serve decision" (incl. wording in docs and logs) (#125)
Make decision endpoint being available directly on the root (/) path of the decision service (#112)
Usage of trusted_proxies is mandatory for Decision API to accept X-Forwarded-* headers (#111)
Returning HTTP 404 instead of HTTP 500 if no default rule is configured and no rule matches (#96)

Features

Access log support (#139) (8387512)
Configurable fallback of authenticators even if the verification of the credentials fails (#134) (1336777)
Make decision endpoint being available directly on the root (/) path of the decision service (#112) (fa1ff5b)
New upstream property introduced for the rule config to support reference of the upstream service for proxy mode (0436a52)
New management service introduced, which exposes the health & jwks endpoints (0436a52)
Not setting HTTP Server header anymore (0436a52)
Remote authorizer optionally supports verification of responses from the remote system via a script (#117) (1ecabf0)
Retrieval of an access token from the request body (#115) (b336ab4)
Returning HTTP 404 instead of HTTP 500 if no default rule is configured and no rule matches (#96) (0436a52)
Reverse proxy support (#90) (0436a52)
Usage of trusted_proxies is mandatory for Decision API to accept X-Forwarded-* headers (#111) (438932b)

Bug Fixes

accesslog handler updated to include information about authenticated subject if present (#162) (3e286db)
Basic Auth authenticator added to the schema and can now be configured (#133) (1336777)
basic_auth authenticator is not responsible for the request any more if the Authorization header does not contain Basic Auth schema (#107) (96136ef)
Bearer token based authenticators do not feel responsible for the request anymore if no "Bearer" scheme is present in the "Authorization" header (db5b773)
Fixed usage of X-Forwarded-Uri header (0436a52)
Handling and usage of the upstream property fixed (before this fix the proxy operation mode could not be used) (#130) (ed61e18)
jwt authenticator to not feel responsible if the bearer token is not in the JWT format (#108) (d8945c4)
Schema fixed to allow TLS key & cert as well as CORS max_age configuration (#122) (58b6bc3)
trusted_proxy support added to the schema file to allow the validation of the corresponding property (#105) (556946e)

Code Refactoring

"serve api" command renamed to "serve decision" (incl. wording in docs and logs) (#125) (e6aad0d)
strip_prefix in header authentication data strategy renamed to schema to reflect the actual mening and behavior (#129) (f8a38ff)

0.1.0-alpha (2022-07-19)

This is a very first release.

Supported Features

Decision API
Loading rules from the file system
Authenticator types (anonymous, basic-auth, generic, jwt, noop, oauth2 introspection, unauthorized)
Authorizers (allow, deny, subject attributes (to evaluate available subject information by using JS) & remote (e.g. to communicate with open policy agent, ory keto, a zanzibar implementation, or any other authorization engine))
Hydrators (generic) - to enrich the subject information retrieved from the authenticator
Mutators (opaque cookie, opaque header, jwt in the Authorization header, noop) to transform the subject information
Error Handlers (default, redirect, www-authenticate), which support accept type negotiation as well
Opentracing support (jaeger & instana)
Prometheus metrics
Key store in pem format for rsa-pss and ecdsa keys (pkcs#1 - plain only & pkcs#8 - plain and encrypted)
Rules URL matching
Flexible pipeline definition: authenticators+ -> any order(authorizer*, hydrator*) -> mutator+ -> error_handler*
Optional default rule taking effect if no rule matches
If Default rule is configured, the actual rule definition can reuse it (less yaml code)
Typical execution time if caches are active is around 300µs (on my laptop)
The configuration is validated on startup. You can also validate it by making use of the "validate config" command.
Health Probe

Files

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

Changelog

0.15.0 (2024-09-16)

⚠ BREAKING CHANGES

Features

Code Refactorings

Performance Improvements

Bug Fixes

Documentation

Dependencies

0.14.5-alpha (2024-08-25)

Dependencies

0.14.4-alpha (2024-07-25)

Bug Fixes

Dependencies

0.14.3-alpha (2024-06-09)

Dependencies

0.14.2-alpha (2024-05-12)

Dependencies

0.14.1-alpha (2024-04-09)

Dependencies

0.14.0-alpha (2024-04-02)

Features

Bug Fixes

Documentation

Dependencies

0.13.0-alpha (2024-01-03)

⚠ BREAKING CHANGES

Features

Code Refactorings

Bug Fixes

Dependencies

0.12.0-alpha (2023-11-29)

⚠ BREAKING CHANGES

Features

Code Refactorings

Bug Fixes

Documentation

Dependencies

0.11.1-alpha (2023-08-08)

Bug Fixes

Documentation

Dependencies

0.11.0-alpha (2023-08-04)

⚠ BREAKING CHANGES

Features

Code Refactorings

Bug Fixes

Documentation

0.10.1-alpha (2023-06-28)

Bug Fixes

0.10.0-alpha (2023-06-28)

⚠ BREAKING CHANGES

Features

0.9.1-alpha (2023-06-24)

Bug Fixes

0.9.0-alpha (2023-06-23)

Features

Bug Fixes

0.8.2-alpha (2023-06-21)

Bug Fixes

0.8.1-alpha (2023-06-12)

Bug Fixes

0.8.0-alpha (2023-06-07)

⚠ BREAKING CHANGES

Features

Bug Fixes

Performance Improvements

0.7.0-alpha (2023-04-17)

⚠ BREAKING CHANGES

Features

Bug Fixes

Code Refactoring

0.6.1-alpha (2023-02-08)

Bug Fixes