chore: updates from main branch (#1802)

dadrus · Sep 16, 2024 · 31631c5 · 31631c5
2 parents 05bfe3d + 2131d3b
commit 31631c5
Show file tree

Hide file tree

Showing 388 changed files with 14,349 additions and 7,301 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -109,6 +109,8 @@ jobs:
 
   lint-code:
     runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
     needs:
       - check-changes
     if: >
@@ -204,12 +206,42 @@ jobs:
         run: helm lint ./charts/heimdall
       - name: Kubeconform decision mode deployment
         run: |
-          helm template --set demo.enabled=true ./charts/heimdall > decision-demo.yaml
-          kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} decision-demo.yaml
+          helm template ./charts/heimdall > decision-config.yaml
+          kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} decision-config.yaml
       - name: Kubeconform proxy mode deployment
         run: |
-          helm template --set operationMode=proxy --set demo.enabled=true ./charts/heimdall > proxy-demo.yaml
-          kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} decision-demo.yaml
+          helm template --set operationMode=proxy ./charts/heimdall > proxy-config.yaml
+          kubeconform --skip RuleSet -kubernetes-version ${{ env.KUBERNETES_API_VERSION }} proxy-config.yaml
+
+  unittest-helm-chart:
+    runs-on: ubuntu-22.04
+    needs:
+      - check-changes
+    if: >
+      needs.check-changes.outputs.helm_chart_changed == 'true' || 
+      needs.check-changes.outputs.ci_config_changed == 'true'
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: Setup k8s tools
+        uses: yokawasa/action-setup-kube-tools@5fe385031665158529decddddb51d6224422836e # v0.11.1
+        with:
+          setup-tools: |
+            helm
+            kubeconform
+          helm: '${{ env.HELM_VERSION }}'
+          kubeconform: '${{ env.KUBECONFORM_VERSION }}'
+      - name: Install Helm Unittest
+        run: helm plugin install --version v0.6.0 https://github.com/helm-unittest/helm-unittest.git
+      - name: Run tests
+        run: |
+          helm unittest ./charts/heimdall
+  
 
   test:
     runs-on: ubuntu-22.04
@@ -691,16 +723,23 @@ jobs:
           replace: "${{ needs.prepare-release.outputs.tag_name }}"
           regex: false
           include: docs/**
-      - name: Build documentation
-        working-directory: ./docs
-        run: hugo --minify -d ./public
       - name: Update uri for redirecting to new version
         uses: jacobtomlinson/gha-find-replace@099c88fbf2a7da26b083521a8bfa13e4f0886b97 # v3
         with:
           find: "x-released-version"
           replace: "${{ needs.prepare-release.outputs.tag_name }}"
           regex: false
           include: docs/**
+      - name: Update used image tags to the released version
+        uses: jacobtomlinson/gha-find-replace@099c88fbf2a7da26b083521a8bfa13e4f0886b97 # v3
+        with:
+          find: "heimdall:dev"
+          replace: "heimdall:${{ needs.prepare-release.outputs.tag_name }}"
+          regex: false
+          include: docs/**
+      - name: Build documentation
+        working-directory: ./docs
+        run: hugo --minify -d ./public
       - name: Update versions JSON document
         id: update-version-json
         run: |

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -28,12 +28,13 @@ issues:
         - maintidx
         - cyclop
         - gocognit
-        - goerr113
+        - err113
         - lll
         - errcheck
         - canonicalheader
         - mnd
         - err113
+        - forcetypeassert
 
 linters-settings:
   exhaustive:

diff --git a/.release-please-manifest.json b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.14.5-alpha"
+  ".": "0.15.0"
 }
diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -5,4 +5,5 @@ To add your organization to this list, open a pull request that adds your organi
 Please remember to [sign your commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) to comply with our contributors guidelines.
 
 | Name | Since | Website | Use-Case |
-|:-|:-|:-|:-|
+|:-|:-|:-|:-|
+| Éphémère Creative | 2023 | https://ephemerecreative.ca | Heimdall helps us manage access to a portal where users can monitor running services. |
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,84 @@
 # Changelog
 
+## [0.15.0](https://github.com/dadrus/heimdall/compare/v0.14.0-alpha...v0.15.0) (2024-09-16)
+
+
+### ⚠ BREAKING CHANGES
+
+* Made the usage of `if` clauses in authentication & authorization, and error pipelines consistent ([#1784](https://github.com/dadrus/heimdall/issues/1784))
+* Deprecated OTEL attributes replaced ([#1669](https://github.com/dadrus/heimdall/issues/1669))
+* Configuration of `signer` moved into `jwt` finalizer ([#1534](https://github.com/dadrus/heimdall/issues/1534))
+* Demo installation removed from the helm chart ([#1544](https://github.com/dadrus/heimdall/issues/1544))
+* Subject has been made immutable ([#1487](https://github.com/dadrus/heimdall/issues/1487))
+* Rule matching configuration API redesigned ([#1358](https://github.com/dadrus/heimdall/issues/1358))
+* Default rule rejects requests with encoded slashes in the path of the URL with `400 Bad Request` ([#1358](https://github.com/dadrus/heimdall/issues/1358))
+* Support for `rule_path_match_prefix` on endpoint configurations for `http_endpoint` and `cloud_blob` providers has been dropped ([#1358](https://github.com/dadrus/heimdall/issues/1358))
+
+### Features
+
+* Glob expressions are context aware and use `.` for host related expressions and `/` for path related ones as separators ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+* Multiple rules can be defined for the same path, e.g. to have separate rules for read and write requests ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+* New endpoint auth type to create http message signatures for outbound requests according to RFC 9421 ([#1507](https://github.com/dadrus/heimdall/issues/1507)) ([672988d](https://github.com/dadrus/heimdall/commit/672988d2463ddf8abbade7cb9f0656d848682ae3))
+* Route based matching of rules ([#1766](https://github.com/dadrus/heimdall/issues/1766)) ([8ef379d](https://github.com/dadrus/heimdall/commit/8ef379db1d504440b6fa19794b7b38c173a730b0))
+* Support for backtracking while matching rules ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+* Support for free and single (named) wildcards for request path matching and access of the captured values from the pipeline ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+
+
+### Code Refactorings
+
+* Configuration of `signer` moved into `jwt` finalizer ([#1534](https://github.com/dadrus/heimdall/issues/1534)) ([4475745](https://github.com/dadrus/heimdall/commit/447574557d109be7f17844bc743eb9cc625427d9))
+* Default rule rejects requests with encoded slashes in the path of the URL with `400 Bad Request` ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+* Demo installation removed from the helm chart ([#1544](https://github.com/dadrus/heimdall/issues/1544)) ([f8770b3](https://github.com/dadrus/heimdall/commit/f8770b3bfa3599c37290677454baa4f52c12a7a7))
+* Deprecated OTEL attributes replaced ([#1669](https://github.com/dadrus/heimdall/issues/1669)) ([e5ed3a5](https://github.com/dadrus/heimdall/commit/e5ed3a57f5de3164200c285a811908c7a32fbfc8))
+* Made the usage of `if` clauses in authentication & authorization, and error pipelines consistent ([#1784](https://github.com/dadrus/heimdall/issues/1784)) ([2577f56](https://github.com/dadrus/heimdall/commit/2577f560b80c49e3e5a4b3da547245af98844843))
+* Rule matching configuration API redesigned ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+* Subject has been made immutable ([#1487](https://github.com/dadrus/heimdall/issues/1487)) ([6c4957f](https://github.com/dadrus/heimdall/commit/6c4957fd897de55de4b23563be4406423ba26b00))
+* Support for `rule_path_match_prefix` on endpoint configurations for `http_endpoint` and `cloud_blob` providers has been dropped ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+
+
+### Performance Improvements
+
+* O(log(n)) time complexity for lookup of rules ([#1358](https://github.com/dadrus/heimdall/issues/1358)) ([f2f6867](https://github.com/dadrus/heimdall/commit/f2f6867576b758312b1a85dc06fe52be3ae9d2ff))
+
+
+### Bug Fixes
+
+* Corrected the placement of namespace selector properties in the Helm chart's admission controller configuration ([#1752](https://github.com/dadrus/heimdall/issues/1752)). ([4c059b3](https://github.com/dadrus/heimdall/commit/4c059b38510a1aa2d37d9103a3cb8935f4c2043b))
+* Fixed a nil pointer error in the Helm chart that occurred when a deployment was configured with custom annotations due to an incorrect reference in the deployment template ([#1752](https://github.com/dadrus/heimdall/issues/1752)). ([4c059b3](https://github.com/dadrus/heimdall/commit/4c059b38510a1aa2d37d9103a3cb8935f4c2043b))
+* Taking updates of certificates into account while collecting metrics ([#1534](https://github.com/dadrus/heimdall/issues/1534)) ([4475745](https://github.com/dadrus/heimdall/commit/447574557d109be7f17844bc743eb9cc625427d9))
+* Updated the admission controller configuration in the Helm chart to align with the redesigned structure done in v0.12.0-alpha release of heimdall ([#1752](https://github.com/dadrus/heimdall/issues/1752)). ([4c059b3](https://github.com/dadrus/heimdall/commit/4c059b38510a1aa2d37d9103a3cb8935f4c2043b))
+
+
+### Documentation
+
+* Guide for First-Party Authentication with OpenID Connect ([#1789](https://github.com/dadrus/heimdall/issues/1789)) ([8c6b9c3](https://github.com/dadrus/heimdall/commit/8c6b9c3c4fec7cc605fc8a1058e0847e7abb3947))
+* New integration guide for Envoy Gateway ([#1412](https://github.com/dadrus/heimdall/issues/1412)) ([526f381](https://github.com/dadrus/heimdall/commit/526f381c931cd58e9513716a1bc7fa9149c36e3d))
+* NGING Ingress Controller guide updated to cover global integration options ([#1469](https://github.com/dadrus/heimdall/issues/1469)) ([a710a64](https://github.com/dadrus/heimdall/commit/a710a640fc1ce2cadfa37eb59a4fc0fa52c5120b))
+* Traefik guide updated to cover `Ingress`, `IngressRoute` and `HTTPRoute` based integration options ([#1420](https://github.com/dadrus/heimdall/issues/1420)) ([303095e](https://github.com/dadrus/heimdall/commit/303095e204c3ea753b06a2b90171462de19b1eb4))
+
+
+### Dependencies
+
+* update golang to v1.23.1 ([#1793](https://github.com/dadrus/heimdall/issues/1793))  ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update golang.org/x/exp digest to 701f63a ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update google.golang.org/genproto/googleapis/rpc digest to 8af14fe ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/go-playground/validator/v10 to v10.22.1 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/jellydator/ttlcache/v3 to v3.3.0 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/masterminds/sprig/v3 to v3.3.0 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/prometheus/client_golang to v1.20.3 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/redis/rueidis to v1.0.45  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/redis/rueidis/rueidisotel to v1.0.45  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module github.com/rs/cors to v1.11.1 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.55.0 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module go.opentelemetry.io/contrib/instrumentation/host to v0.55.0  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.55.0  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module go.opentelemetry.io/contrib/instrumentation/runtime to v0.55.0  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module go.opentelemetry.io/contrib/propagators/autoprop to v0.55.0 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module gocloud.dev to v0.39.0 ([#1774](https://github.com/dadrus/heimdall/issues/1774)) ([4ffa9e4](https://github.com/dadrus/heimdall/commit/4ffa9e45227c177ba5f729b6111d6551de5a67a8))
+* update module google.golang.org/grpc to v1.66.2 ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update module k8s.io/client-go to v0.31.1  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+* update opentelemetry-go monorepo to v1.30.0  ([#1793](https://github.com/dadrus/heimdall/issues/1793)) ([54e6cad](https://github.com/dadrus/heimdall/commit/54e6cad5e4e8b909f646e2f0318f94388f793039))
+
 ## [0.14.5-alpha](https://github.com/dadrus/heimdall/compare/v0.14.4-alpha...v0.14.5-alpha) (2024-08-25)
 
 
@@ -34,7 +113,7 @@
 
 ### Bug Fixes
 
-* OAuth2 `iss` claim verification in JWT/OIDC authenticators when used with `metadata_endpoint` ([#1660](https://github.com/dadrus/heimdall/issues/1660)) ([a9947f2](https://github.com/dadrus/heimdall/commit/a9947f20f412ca4133202ee7bc1e7b58f2903766))
+* OAuth2 `iss` claim verification in JWT/OIDC authenticators when used with `metadata_endpoint` ([#1660](https://github.com/dadrus/heimdall/issues/1660)) by [@martin31821](https://github.com/martin31821) ([a9947f2](https://github.com/dadrus/heimdall/commit/a9947f20f412ca4133202ee7bc1e7b58f2903766))
 * Trailing useless bytes ignored while parsing PEM content ([#1564](https://github.com/dadrus/heimdall/issues/1564)) ([0c52bd3](https://github.com/dadrus/heimdall/commit/0c52bd30d308dbd8985f3223ba36180dbb808a24))
 
 

diff --git a/DockerHub-README.md b/DockerHub-README.md
@@ -107,9 +107,6 @@ mechanisms:
     type: jwt
 
 default_rule:
-  methods:
-  - GET
-  - POST
   execute:
   - authenticator: anonymous_authenticator
   - authorizer: deny_all_requests
@@ -124,11 +121,12 @@ providers:
 Create a rule file (`rule.yaml`) with the following contents:
 
 ```yaml
-version: "1alpha3"
+version: "1alpha4"
 rules:
   - id: test-rule
     match: 
-      url: http://<**>/<**>
+      routes:
+        - path: /**
     forward_to:
       host: upstream
     execute:

diff --git a/Justfile b/Justfile
@@ -16,12 +16,12 @@ lint-dockerfile:
 
 lint-helmchart:
   helm lint ./charts/heimdall
-  helm template --set demo.enabled=true ./charts/heimdall > /tmp/decision-demo.yaml
-  helm template --set operationMode=proxy --set demo.enabled=true ./charts/heimdall > /tmp/proxy-demo.yaml
-  kubeconform --skip RuleSet -kubernetes-version 1.27.0 /tmp/decision-demo.yaml
-  kubeconform --skip RuleSet -kubernetes-version 1.27.0 /tmp/proxy-demo.yaml
-  rm /tmp/decision-demo.yaml
-  rm /tmp/proxy-demo.yaml
+  helm template ./charts/heimdall > /tmp/decision-config.yaml
+  helm template --set operationMode=proxy ./charts/heimdall > /tmp/proxy-config.yaml
+  kubeconform --skip RuleSet -kubernetes-version 1.27.0 /tmp/decision-config.yaml
+  kubeconform --skip RuleSet -kubernetes-version 1.27.0 /tmp/proxy-config.yaml
+  rm /tmp/decision-config.yaml
+  rm /tmp/proxy-config.yaml
 
 lint: check-licenses lint-api lint-code lint-dockerfile lint-helmchart
 

diff --git a/README.md b/README.md
@@ -55,7 +55,8 @@ Head over to the [documentation](https://dadrus.github.io/heimdall/) for details
 
 ## Current state
 
-The current implementation is a late alpha version. That means it does not solve all the problems heimdall aims to solve. With other words a lot of functionality is missing. In addition, alpha version means, there will be breaking changes. Nevertheless, the code base is very stable and pretty good tested. Functionality already supported can be found in [Release descriptions](https://github.com/dadrus/heimdall/releases). Planned features can be found in the defined [Milestones](https://github.com/dadrus/heimdall/milestones).
+The project is considered production-ready and is already in use by multiple organizations worldwide. The code base is stable and well-tested. However, some features are still missing, and the development of these features might lead to breaking changes in future updates. For information on the currently supported functionality, please refer to the [Release descriptions](https://github.com/dadrus/heimdall/releases). Planned features can be found in the defined [Milestones](https://github.com/dadrus/heimdall/milestones).
+
 
 ## If you ...