From f58aefed68e3cb1d3ba1e1a9dda409c6bab05e50 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Krupa?= Date: Wed, 21 Jul 2021 10:29:10 +0200 Subject: [PATCH 01/10] Fix waiting for kind cluster in e2e tests Signed-off-by: paulfantom --- .github/workflows/build.yml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b91261dac..45397af67 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,7 +5,7 @@ on: [push, pull_request] env: QUAY_PATH: quay.io/brancz/kube-rbac-proxy go-version: '1.15' - kind-version: 'v0.9.0' + kind-version: 'v0.11.0' jobs: check-license: @@ -52,14 +52,9 @@ jobs: with: version: ${{ env.kind-version }} config: test/e2e/kind-config/kind-config.yaml - - name: Wait for cluster to finish bootstrapping - run: | - until [ "$(kubectl get pods --all-namespaces --no-headers | grep -cEv '([0-9]+)/\1')" -eq 0 ]; do - sleep 5s - done - kubectl cluster-info - kubectl get pods -A - continue-on-error: false + wait: 300s + - name: Wait for cluster to finish bootstraping + run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s - name: Create container & run tests run: | VERSION=local make container From 6c0e10321494b08f9a27226b97fca74f7d9ff50d Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Mon, 19 Jul 2021 18:27:06 +0200 Subject: [PATCH 02/10] Prevent panics on client-cert authenticated requests Setting a nil-value typed object in the `DelegatingAuthenticatorConfig` will cause the generic logic to still evaluate is as non-nil since Golang does not consider `(*type)(nil)` as `nil` in `== nil` comparison unless `type == nil`, too. This leads to a setup of an x509 authenticator that attempts to call `VerifyOptions` on a nil object. --- pkg/authn/delegating.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) 
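Review bot: When the new `kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s` step times out, the job fails without showing which pod was not Ready. The `kubectl cluster-info` and `kubectl get pods -A` calls were removed together with the polling loop. A follow-up step restores that output for failed runs only: `- name: Dump pods on failure`, `if: failure()`, `run: kubectl get pods -A -o wide`. The step waits on every pod in every namespace, so a pod that ends in the Succeeded phase would never report Ready; scoping the wait to the namespaces the tests need would avoid that if such pods ever appear. The step name also misspells "bootstrapping".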
diff --git a/pkg/authn/delegating.go b/pkg/authn/delegating.go index ba077a8da..ac2594625 100644 --- a/pkg/authn/delegating.go +++ b/pkg/authn/delegating.go @@ -42,19 +42,20 @@ func NewDelegatingAuthenticator(client authenticationclient.TokenReviewInterface p *dynamiccertificates.DynamicFileCAContent err error ) + + authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{ + Anonymous: false, // always require authentication + CacheTTL: 2 * time.Minute, + TokenAccessReviewClient: client, + APIAudiences: authenticator.Audiences(authn.Token.Audiences), + } + if len(authn.X509.ClientCAFile) > 0 { p, err = dynamiccertificates.NewDynamicCAContentFromFile("client-ca", authn.X509.ClientCAFile) if err != nil { return nil, err } - } - - authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{ - Anonymous: false, // always require authentication - CacheTTL: 2 * time.Minute, - ClientCertificateCAContentProvider: p, - TokenAccessReviewClient: client, - APIAudiences: authenticator.Audiences(authn.Token.Audiences), + authenticatorConfig.ClientCertificateCAContentProvider = p } authenticator, _, err := authenticatorConfig.New() From a2a090a3eb2d6defd56d95ea041cecac50c1db2e Mon Sep 17 00:00:00 2001 From: paulfantom Date: Tue, 27 Jul 2021 12:10:40 +0200 Subject: [PATCH 03/10] .github/workflows: enable golangci-lint --- .github/workflows/build.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 45397af67..947cec18e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -23,6 +23,15 @@ jobs: with: go-version: ${{ env.go-version }} - run: make generate && git diff --exit-code + lint: + runs-on: ubuntu-latest + name: Lint + steps: + - uses: actions/checkout@v2 + - name: golangci-lint + uses: golangci/golangci-lint-action@v2 + with: + version: latest build: runs-on: ubuntu-latest name: Build 
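Review bot: Nothing in the new code records why `ClientCertificateCAContentProvider` is assigned inside the `if` instead of in the struct literal, so a later tidy-up could move it back and reintroduce the typed-nil problem the commit message describes. A comment above the assignment would hold the intent, for example `// Set only when a CA file is configured: a nil *DynamicFileCAContent stored in this interface field compares non-nil and would enable x509 authentication without a CA.` `p` is still declared in the function-level `var` block although it is now used only inside the branch, so it could be scoped there. No regression test for the "no client CA file" case is visible in this patch; one that builds the authenticator with an empty `ClientCAFile` and sends a request carrying a client certificate would pin the fix. `NewDelegatingAuthenticator` starts and ends outside the hunk.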
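Review bot: The new `lint` job resolves both its linter and its action from moving references, `version: latest` and `golangci/golangci-lint-action@v2`. A new linter release can then fail unrelated pull requests, and a tag can be repointed to different code that runs with the workflow's token. Pinning both makes the job reproducible and reviewable: `version: <pinned golangci-lint release>` and `uses: golangci/golangci-lint-action@<full commit SHA>`. The job also has no Go setup step, so unlike the job above it does not appear to use `env.go-version` and would lint with whatever toolchain the runner image ships.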
From 656b2b62712b4ca810f1770822d3a38f3d1fd382 Mon Sep 17 00:00:00 2001 From: paulfantom Date: Tue, 27 Jul 2021 12:15:57 +0200 Subject: [PATCH 04/10] .golangci: configure --- .golangci.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .golangci.yaml diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 000000000..472842c5b --- /dev/null +++ b/.golangci.yaml @@ -0,0 +1,3 @@ +run: + skip-dirs: + - test/ From 411e2cb941fd61d628888dea7efc78fb8d895a30 Mon Sep 17 00:00:00 2001 From: paulfantom Date: Tue, 27 Jul 2021 12:22:18 +0200 Subject: [PATCH 05/10] *: lint code Signed-off-by: paulfantom --- main.go | 7 +++++-- pkg/proxy/proxy.go | 7 +++++-- pkg/proxy/proxy_test.go | 6 ++---- pkg/tls/reloader_test.go | 5 ++++- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/main.go b/main.go index cd61e0e91..f55d878c9 100644 --- a/main.go +++ b/main.go @@ -134,7 +134,10 @@ func main() { //Kubeconfig flag flagset.StringVar(&cfg.kubeconfigLocation, "kubeconfig", "", "Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used") - flagset.Parse(os.Args[1:]) + err := flagset.Parse(os.Args[1:]) + if err != nil { + klog.Fatalf("Failed to parse CLI flags: %v", err) + } kcfg := initKubeConfig(cfg.kubeconfigLocation) upstreamURL, err := url.Parse(cfg.upstream) @@ -365,7 +368,7 @@ func main() { } } { - sig := make(chan os.Signal) + sig := make(chan os.Signal, 1) gr.Add(func() error { signal.Notify(sig, os.Interrupt, syscall.SIGTERM) <-sig diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go index ddb9343a9..aaac103cc 100644 --- a/pkg/proxy/proxy.go +++ b/pkg/proxy/proxy.go 
@@ -82,7 +82,7 @@ func (h *kubeRBACProxy) Handle(w http.ResponseWriter, req *http.Request) bool { // Get authorization attributes allAttrs := h.authorizerAttributesGetter.GetRequestAttributes(u.User, req) if len(allAttrs) == 0 { - msg := fmt.Sprintf("Bad Request. The request or configuration is malformed.") + msg := "Bad Request. The request or configuration is malformed." klog.V(2).Info(msg) http.Error(w, msg, http.StatusBadRequest) return false @@ -259,6 +259,9 @@ func (c *Config) DeepCopy() *Config { func templateWithValue(templateString, value string) string { tmpl, _ := template.New("valueTemplate").Parse(templateString) out := bytes.NewBuffer(nil) - tmpl.Execute(out, struct{ Value string }{Value: value}) + err := tmpl.Execute(out, struct{ Value string }{Value: value}) + if err != nil { + return "" + } return out.String() } diff --git a/pkg/proxy/proxy_test.go b/pkg/proxy/proxy_test.go index 7dbfccc9d..d5afc3622 100644 --- a/pkg/proxy/proxy_test.go +++ b/pkg/proxy/proxy_test.go @@ -246,10 +246,8 @@ func createRequest(queryParams, headers map[string]string) *http.Request { } r.URL.RawQuery = q.Encode() } - if headers != nil { - for k, v := range headers { - r.Header.Set(k, v) - } + for k, v := range headers { + r.Header.Set(k, v) } return r } diff --git a/pkg/tls/reloader_test.go b/pkg/tls/reloader_test.go index 2bacb1ad2..726d3827a 100644 --- a/pkg/tls/reloader_test.go +++ b/pkg/tls/reloader_test.go @@ -193,9 +193,12 @@ func newSelfSignedCert(hostname string) stepFunc { } certPath, err := writeTempFile("cert", certBytes) + if err != nil { + t.Fatalf("error writing cert data: %v", err) + } keyPath, err := writeTempFile("key", keyBytes) if err != nil { - t.Fatalf("error writing cert/key data: %v", err) + t.Fatalf("error writing key data: %v", err) } s.certPath = certPath From d9a579352de3f686ac01a78dde8da83f36d44fdd Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Tue, 27 Jul 2021 14:20:33 +0200 Subject: [PATCH 06/10] VERSION: fix v0.10.0 
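Review bot: `templateWithValue` still discards the error from `template.New("valueTemplate").Parse(templateString)` on the context line directly above the new check, so a malformed template leaves `tmpl` nil and `Execute` is called on it before the added handling can help. Treating the parse error the same way closes the gap: `tmpl, err := template.New("valueTemplate").Parse(templateString)` followed by `if err != nil { return "" }`, with the later call changed to `err = tmpl.Execute(...)`. Returning `""` makes a failed render indistinguishable from a legitimately empty value. If the result feeds authorization attributes (not visible in this hunk), callers should reject an empty result rather than pass it on as an unset field. A `klog` line at the failure point would make the misconfiguration visible to operators.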
Signed-off-by: Sergiusz Urbaniak --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index f979adec6..bf057dbfd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.9.0 +v0.10.0 From 2be3123740c640f3b8eadc684c8f247d432028c1 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Tue, 27 Jul 2021 14:34:48 +0200 Subject: [PATCH 07/10] examples: regenerate --- examples/non-resource-url-token-request/README.md | 2 +- examples/non-resource-url-token-request/deployment.yaml | 2 +- examples/non-resource-url/README.md | 2 +- examples/non-resource-url/deployment.yaml | 2 +- examples/oidc/deployment.yaml | 2 +- examples/resource-attributes/README.md | 2 +- examples/resource-attributes/deployment.yaml | 2 +- examples/rewrites/README.md | 2 +- examples/rewrites/deployment.yaml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/non-resource-url-token-request/README.md b/examples/non-resource-url-token-request/README.md index c11ac3327..59dc879b8 100644 --- a/examples/non-resource-url-token-request/README.md +++ b/examples/non-resource-url-token-request/README.md @@ -78,7 +78,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/non-resource-url-token-request/deployment.yaml b/examples/non-resource-url-token-request/deployment.yaml index 6edd5b882..a985d4e5e 100644 --- a/examples/non-resource-url-token-request/deployment.yaml +++ b/examples/non-resource-url-token-request/deployment.yaml @@ -63,7 +63,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" 
diff --git a/examples/non-resource-url/README.md b/examples/non-resource-url/README.md index e592da929..f567a8088 100644 --- a/examples/non-resource-url/README.md +++ b/examples/non-resource-url/README.md @@ -78,7 +78,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/non-resource-url/deployment.yaml b/examples/non-resource-url/deployment.yaml index 3f9a8d891..9eb6e2a14 100644 --- a/examples/non-resource-url/deployment.yaml +++ b/examples/non-resource-url/deployment.yaml @@ -60,7 +60,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/oidc/deployment.yaml b/examples/oidc/deployment.yaml index 99fc29086..032dd0649 100644 --- a/examples/oidc/deployment.yaml +++ b/examples/oidc/deployment.yaml @@ -63,7 +63,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--insecure-listen-address=0.0.0.0:8444" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/resource-attributes/README.md b/examples/resource-attributes/README.md index 3e5f2305c..c61954403 100644 --- a/examples/resource-attributes/README.md +++ b/examples/resource-attributes/README.md @@ -92,7 +92,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" 
diff --git a/examples/resource-attributes/deployment.yaml b/examples/resource-attributes/deployment.yaml index 87985d12c..2eb55367a 100644 --- a/examples/resource-attributes/deployment.yaml +++ b/examples/resource-attributes/deployment.yaml @@ -74,7 +74,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/rewrites/README.md b/examples/rewrites/README.md index e871ef016..08fe9ae5a 100644 --- a/examples/rewrites/README.md +++ b/examples/rewrites/README.md @@ -94,7 +94,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/rewrites/deployment.yaml b/examples/rewrites/deployment.yaml index efd596115..2ae98562e 100644 --- a/examples/rewrites/deployment.yaml +++ b/examples/rewrites/deployment.yaml @@ -76,7 +76,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.9.0 + image: quay.io/brancz/kube-rbac-proxy:v0.10.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" From dd334c69cc9d8050edbd717f50e655a2386d20c1 Mon Sep 17 00:00:00 2001 From: Haoyu Sun Date: Mon, 26 Jul 2021 10:04:15 +0200 Subject: [PATCH 08/10] allow path pattern in --allow-paths and --ignore-paths --- main.go | 33 +++++++++++++++++++++++----- test/e2e/allowpaths/deployment.yaml | 2 +- test/e2e/basics.go | 20 +++++++++++++++++ test/e2e/ignorepaths/deployment.yaml | 2 +- 4 files changed, 49 insertions(+), 8 deletions(-) diff --git a/main.go b/main.go index cd61e0e91..a85ce8f7a 100644 --- a/main.go +++ b/main.go 
@@ -27,6 +27,7 @@ import ( "net/url" "os" "os/signal" + "path" "strings" "syscall" "time" @@ -217,14 +218,31 @@ func main() { klog.Fatal("Cannot use --allow-paths and --ignore-paths together.") } + for _, pathAllowed := range cfg.allowPaths { + _, err := path.Match(pathAllowed, "") + if err != nil { + klog.Fatalf("Failed to verify allow path: %s", pathAllowed) + } + } + + for _, pathIgnored := range cfg.ignorePaths { + _, err := path.Match(pathIgnored, "") + if err != nil { + klog.Fatalf("Failed to verify ignored path: %s", pathIgnored) + } + } + proxy := httputil.NewSingleHostReverseProxy(upstreamURL) proxy.Transport = upstreamTransport mux := http.NewServeMux() mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { found := len(cfg.allowPaths) == 0 - for _, path := range cfg.allowPaths { - if req.URL.Path == path { - found = true + for _, pathAllowed := range cfg.allowPaths { + found, err = path.Match(pathAllowed, req.URL.Path) + if err != nil { + return + } + if found { break } } @@ -234,9 +252,12 @@ func main() { } ignorePathFound := false - for _, path := range cfg.ignorePaths { - if req.URL.Path == path { - ignorePathFound = true + for _, pathIgnored := range cfg.ignorePaths { + ignorePathFound, err = path.Match(pathIgnored, req.URL.Path) + if err != nil { + return + } + if ignorePathFound { break } } diff --git a/test/e2e/allowpaths/deployment.yaml b/test/e2e/allowpaths/deployment.yaml index fb94173fe..beae63daa 100644 --- a/test/e2e/allowpaths/deployment.yaml +++ b/test/e2e/allowpaths/deployment.yaml @@ -20,7 +20,7 @@ spec: args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - - "--allow-paths=/metrics" + - "--allow-paths=/metrics,/api/v1/label/*/values" - "--logtostderr=true" - "--v=10" ports: diff --git a/test/e2e/basics.go b/test/e2e/basics.go index 4a0667d35..4ef5dc001 100644 --- a/test/e2e/basics.go +++ b/test/e2e/basics.go 
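Review bot: Both matching loops in the request handler assign with `=` (`found, err = path.Match(...)` and `ignorePathFound, err = path.Match(...)`), and the closure declares no `err` of its own, so every request goroutine writes the `err` variable of the enclosing `main`, which is a data race. The `if err != nil { return }` branches also return without writing a response, which net/http sends as an empty 200. Since a match in `cfg.ignorePaths` appears to decide whether a request is served without authentication, an error there should fail closed with an explicit status. The start-up probe `path.Match(pattern, "")` should not be relied on to make that branch unreachable: the workflow builds with Go 1.15, where `Match` could return on a failed match before reaching a syntax error later in the pattern. The rewrite below keeps the result and the error local to each iteration and answers 500 on error; the handler body continues outside the hunk.

```go
for _, pathAllowed := range cfg.allowPaths {
	// Request-local result and error: main's err is shared by all requests.
	matched, matchErr := path.Match(pathAllowed, req.URL.Path)
	if matchErr != nil {
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	if matched {
		found = true
		break
	}
}
// … unchanged: rejection when found is false, ignorePathFound := false …
for _, pathIgnored := range cfg.ignorePaths {
	matched, matchErr := path.Match(pathIgnored, req.URL.Path)
	if matchErr != nil {
		// Fail closed: never fall through to the unauthenticated path on error.
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	if matched {
		ignorePathFound = true
		break
	}
}
```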
@@ -355,6 +355,11 @@ func testAllowPathsRegexp(s *kubetest.Suite) kubetest.TestSuite { fmt.Sprintf(command, "/", 404, 404), nil, ), + ClientSucceeds( + s.KubeClient, + fmt.Sprintf(command, "/api/v1/label/name", 404, 404), + nil, + ), ), }.Run(t) @@ -394,6 +399,11 @@ func testAllowPathsRegexp(s *kubetest.Suite) kubetest.TestSuite { fmt.Sprintf(command, "/metrics", 200, 200), nil, ), + ClientSucceeds( + s.KubeClient, + fmt.Sprintf(command, "/api/v1/label/job/values", 200, 200), + nil, + ), ), }.Run(t) } @@ -439,6 +449,11 @@ func testIgnorePaths(s *kubetest.Suite) kubetest.TestSuite { fmt.Sprintf(commandWithoutAuth, "/metrics", 200, 200), nil, ), + ClientSucceeds( + s.KubeClient, + fmt.Sprintf(commandWithoutAuth, "/api/v1/labels", 200, 200), + nil, + ), ), }.Run(t) @@ -478,6 +493,11 @@ func testIgnorePaths(s *kubetest.Suite) kubetest.TestSuite { fmt.Sprintf(commandWithoutAuth, "/", 401, 401), nil, ), + ClientSucceeds( + s.KubeClient, + fmt.Sprintf(commandWithoutAuth, "/api/v1/label/job/values", 401, 401), + nil, + ), ), }.Run(t) } diff --git a/test/e2e/ignorepaths/deployment.yaml b/test/e2e/ignorepaths/deployment.yaml index d50329238..8e1f545b3 100644 --- a/test/e2e/ignorepaths/deployment.yaml +++ b/test/e2e/ignorepaths/deployment.yaml @@ -20,7 +20,7 @@ spec: args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" - - "--ignore-paths=/metrics" + - "--ignore-paths=/metrics,/api/v1/*" - "--logtostderr=true" - "--v=10" ports: From 19a26d087932a4e26e153df90e9f4b5cd872f0dd Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Mon, 2 Aug 2021 12:58:33 +0200 Subject: [PATCH 09/10] *: cut v0.11.0 release 
Signed-off-by: Sergiusz Urbaniak --- CHANGELOG.md | 6 ++++++ VERSION | 2 +- examples/non-resource-url-token-request/README.md | 2 +- examples/non-resource-url-token-request/deployment.yaml | 2 +- examples/non-resource-url/README.md | 2 +- examples/non-resource-url/deployment.yaml | 2 +- examples/oidc/deployment.yaml | 2 +- examples/resource-attributes/README.md | 2 +- examples/resource-attributes/deployment.yaml | 2 +- examples/rewrites/README.md | 2 +- examples/rewrites/deployment.yaml | 2 +- 11 files changed, 16 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24bb4ad93..165a8779f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.10.0 / 2021-08-02 + +* [FEATURE] Support for path patterns in --allow-paths and --ignore-paths. #135 +* [ENHANCEMENT] Dynamically reload client CA. #127 +* [BUGFIX] Fix panics on client-cert authenticated requests. #132 + ## 0.9.0 / 2021-04-27 * [FEATURE] Support rewrites using HTTP headers in addition to query parameters. #104 diff --git a/VERSION b/VERSION index bf057dbfd..fd2726c91 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.10.0 +v0.11.0 diff --git a/examples/non-resource-url-token-request/README.md b/examples/non-resource-url-token-request/README.md index 59dc879b8..164faf1f0 100644 --- a/examples/non-resource-url-token-request/README.md +++ b/examples/non-resource-url-token-request/README.md @@ -78,7 +78,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/non-resource-url-token-request/deployment.yaml b/examples/non-resource-url-token-request/deployment.yaml index a985d4e5e..66f4d632d 100644 --- a/examples/non-resource-url-token-request/deployment.yaml +++ b/examples/non-resource-url-token-request/deployment.yaml 
@@ -63,7 +63,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/non-resource-url/README.md b/examples/non-resource-url/README.md index f567a8088..92a464006 100644 --- a/examples/non-resource-url/README.md +++ b/examples/non-resource-url/README.md @@ -78,7 +78,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/non-resource-url/deployment.yaml b/examples/non-resource-url/deployment.yaml index 9eb6e2a14..53c92857b 100644 --- a/examples/non-resource-url/deployment.yaml +++ b/examples/non-resource-url/deployment.yaml @@ -60,7 +60,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/oidc/deployment.yaml b/examples/oidc/deployment.yaml index 032dd0649..bdff95848 100644 --- a/examples/oidc/deployment.yaml +++ b/examples/oidc/deployment.yaml @@ -63,7 +63,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--insecure-listen-address=0.0.0.0:8444" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/resource-attributes/README.md b/examples/resource-attributes/README.md index c61954403..9dd072558 100644 --- a/examples/resource-attributes/README.md +++ b/examples/resource-attributes/README.md 
@@ -92,7 +92,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/resource-attributes/deployment.yaml b/examples/resource-attributes/deployment.yaml index 2eb55367a..5d8ed9bbd 100644 --- a/examples/resource-attributes/deployment.yaml +++ b/examples/resource-attributes/deployment.yaml @@ -74,7 +74,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/rewrites/README.md b/examples/rewrites/README.md index 08fe9ae5a..7217fea05 100644 --- a/examples/rewrites/README.md +++ b/examples/rewrites/README.md @@ -94,7 +94,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" diff --git a/examples/rewrites/deployment.yaml b/examples/rewrites/deployment.yaml index 2ae98562e..868895f2b 100644 --- a/examples/rewrites/deployment.yaml +++ b/examples/rewrites/deployment.yaml @@ -76,7 +76,7 @@ spec: serviceAccountName: kube-rbac-proxy containers: - name: kube-rbac-proxy - image: quay.io/brancz/kube-rbac-proxy:v0.10.0 + image: quay.io/brancz/kube-rbac-proxy:v0.11.0 args: - "--secure-listen-address=0.0.0.0:8443" - "--upstream=http://127.0.0.1:8081/" From f93e5a2f20d170ff17906e78a18543b5b6f8d6b3 Mon Sep 17 00:00:00 2001 From: Sergiusz Urbaniak Date: Mon, 2 Aug 2021 13:29:22 +0200 Subject: [PATCH 10/10] CHANGELOG.md: add 0.10.0 release notes --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 165a8779f..738828d51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,13 @@ -## 0.10.0 / 2021-08-02 +## 0.11.0 / 2021-08-02 * [FEATURE] Support for path patterns in --allow-paths and --ignore-paths. #135 * [ENHANCEMENT] Dynamically reload client CA. #127 * [BUGFIX] Fix panics on client-cert authenticated requests. #132 +## 0.10.0 / 2021-05-07 + +* [FEATURE] Support local static authorizer. #125 + ## 0.9.0 / 2021-04-27 * [FEATURE] Support rewrites using HTTP headers in addition to query parameters. #104