Skip to content

12.0.0
Compare
Choose a tag to compare
@rra rra released this 18 Oct 22:35
· 12 commits to main since this release
12.0.0
This tag was signed with the committer’s verified signature. The key has expired.
rra Russ Allbery
GPG key ID: 7D80315C5736DE75
Expired
Learn about vigilant mode.
ed611fd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Backwards-incompatible changes

  • The /auth and /auth/anonymous routes have moved to /ingress/auth and /ingress/anonymous and are no longer accessible outside of the cluster. These routes may only be accessed by the ingress controller via cluster-internal URLs. This prevents users from creating arbitrary internal tokens for themselves.
  • Drop support and remove documentation for configuring an Ingress to use Gafaelfawr rather than using the GafaelfawrIngress custom resource.
  • The /ingress/auth route now requires X-Original-URL to be set.
  • Since the CADC authentication code no longer requires the sub claim be a UUID, set sub to the username in the response from /auth/cadc/userinfo. This allows the CADC TAP server to store the username in the UWS jobs table.

New features

  • Add support for exporting metrics to Kafka using the new event metrics support in Safir. The initial set of events is limited to login metrics, authentications to services, and counts of active sessions and user tokens.
  • GafaelfawrIngress now accepts a service parameter at the top level of the configuration and uses that to tag authentication metrics by service. This corresponds to the service query parameter to the /auth route. If delegate_to is also set (config.delegate.internal.service in GafaelfawrIngress), it must match the value of service. This parameter is currently optional but will eventually become mandatory.
  • Add config.onlyServices to GafaelfawrIngress, which restricts the ingress to tokens issued to one of the listed services in addition to the other constraints.
  • If a request is authenticated with an internal token, include the service associated with that token in an X-Auth-Request-Service header passed to the protected service.
  • Setting config.baseUrl in a GafaelfawrIngress resource is no longer required. That value will be used if present, but only for constructing the login URL, not the /ingress/auth URL. Instead, a global default is set by the Helm chart. The config.baseUrl setting will be removed entirely in a future release.
  • Add new command gafaelfawr generate-schema, which generates the SQL required to create the Gafaelfawr database schema.

Bug fixes

  • If the user returns from authentication and no longer has login state in their cookie, redirect them to the destination URL without further processing instead of returning an authentication state mismatch error. The most likely cause of this state is that the user authenticated from another browser tab while this authentication is pending, so Gafaelfawr should use their existing token or restart the authentication process.
  • Reset login state after an error so that any subsequent authentication attempt will generate a new, random state parameter.
  • Stop including the required scopes in 403 errors when the request was rejected by a username restriction rather than a scope restriction, since the client cannot fix this problem by obtaining different scopes.
  • Fix an error in configuration validation, introduced in 11.0.0, that caused validation rules to not be applied to any URL or DSN in the Gafaelfawr configuration.
  • Cap the Kubernetes operator worker limit at 5 to avoid overwhelming the API server.
  • Check that tokenLifetime is at least as long as twice the minimum token lifetime.

Other changes

  • Honor the POSTGRES_5432_TCP_PORT, POSTGRES_HOST, REDIS_6379_TCP_PORT, and REDIS_HOST environment variables if they are set and override the configured database URL and Redis URL with them. This is required to work with the latest version of tox-docker for testing and development. These environment variables are not used inside a Phalanx deployment.

What's Changed

  • DM-44567: Update dependencies, adjust for new tox-docker by @rra in #1044
  • DM-45518: Update dependencies by @rra in #1060
  • Bump react-datepicker from 6.9.0 to 7.3.0 in /ui by @dependabot in #1055
  • Bump python from 3.12.3-slim-bookworm to 3.12.4-slim-bookworm by @dependabot in #1047
  • Bump medyagh/setup-minikube from 0.0.16 to 0.0.18 by @dependabot in #1053
  • DM-45518: Update Node and JavaScript dependencies by @rra in #1061
  • Bump python from 3.12.4-slim-bookworm to 3.12.5-slim-bookworm by @dependabot in #1064
  • DM-45518: Update dependencies by @rra in #1065
  • DM-45518: Add support for OpenTelemetry metrics by @rra in #1062
  • DM-45779: Undo the *String variants of Pydantic types by @rra in #1066
  • DM-45779: Use new HumanTimedelta from Safir by @rra in #1067
  • DM-45779: Switch to shared Ruff configuration by @rra in #1068
  • DM-45779: Update GitHub Actions to match current template by @rra in #1069
  • DM-45779: Exclude mobu bot users from metrics by @rra in #1070
  • DM-45768: Set sub to username for CADC reply by @rra in #1071
  • DM-45779: Drop unnecessary get_secret_value() by @rra in #1072
  • DM-45779: Update shared Ruff configuration by @rra in #1073
  • DM-45779: Improve documentation of headers by @rra in #1074
  • DM-44567: Don't upload docs if they haven't changed by @rra in #1075
  • DM-45858: Cap Gafaelfawr Kopf workers at five by @rra in #1076
  • DM-45858: Add service parameter to the auth endpoint by @rra in #1077
  • DM-45858: Update dependencies and fix broken tests by @rra in #1078
  • DM-45858: Document future CRD changes by @rra in #1079
  • DM-46019: Move dependencies, use universal dependencies by @rra in #1080
  • DM-46019: Switch to new documenteer REST API method by @rra in #1081
  • DM-46019: Document the new dependency method by @rra in #1082
  • Bump eslint-config-wesbos from 3.2.3 to 4.3.1 in /ui by @dependabot in #1084
  • Bump eslint-plugin-jsx-a11y from 6.9.0 to 6.10.0 in /ui by @dependabot in #1087
  • Bump eslint-plugin-react from 7.35.0 to 7.35.2 in /ui by @dependabot in #1086
  • Bump eslint-plugin-import from 2.29.1 to 2.30.0 in /ui by @dependabot in #1085
  • Bump styled-components from 6.1.12 to 6.1.13 in /ui by @dependabot in #1083
  • Update dependencies, set pytest-asyncio fixture scope by @rra in #1088
  • DM-46034: Remove test for top-level gafaelfawr module by @rra in #1089
  • DM-46034: Add a test that the database schema hasn't changed by @rra in #1090
  • DM-46034: Convert to the new SQLAlchemy ORM syntax by @rra in #1094
  • DM-46034: Update dependencies by @rra in #1095
  • DM-46034: Update Alembic configuration by @rra in #1096
  • DM-46310: Use uv for Docker build, verify hashes by @rra in #1097
  • fix: typo in gafaelfawringress.rst by @ac6y in #1102
  • DM-46034: Use Alembic support code from Safir by @rra in #1103
  • Bump prettier from 2.8.8 to 3.3.3 in /ui by @dependabot in #1098
  • Bump date-fns from 3.6.0 to 4.0.0 in /ui by @dependabot in #1099
  • Bump eslint from 8.57.0 to 9.10.0 in /ui by @dependabot in #1100
  • Bump python from 3.12.5-slim-bookworm to 3.12.6-slim-bookworm by @dependabot in #1101
  • Revert eslint update by @rra in #1104
  • DM-46399: Check that token lifetime is long enough by @rra in #1105
  • DM-46399: Rework handling of missing state during login by @rra in #1106
  • DM-46399: Overhaul requests from ingress-nginx by @rra in #1112
  • Bump react-datepicker from 7.3.0 to 7.4.0 in /ui by @dependabot in #1111
  • Bump date-fns from 4.0.0 to 4.1.0 in /ui by @dependabot in #1110
  • Bump eslint-plugin-prettier from 4.2.1 to 5.2.1 in /ui by @dependabot in #1108
  • Bump eslint-plugin-html from 8.1.1 to 8.1.2 in /ui by @dependabot in #1107
  • DM-46468: Update Python, pre-commit, and JavaScript dependencies by @rra in #1113
  • DM-46399: Make baseUrl optional in GafaelfawrIngress CRD by @rra in #1114
  • DM-46399: Add service of internal tokens to Redis by @rra in #1115
  • DM-46399: Add X-Auth-Request-Service HTTP header by @rra in #1116
  • DM-46399: Allow restricting ingresses to services by @rra in #1117
  • Bump python from 3.12.6-slim-bookworm to 3.12.7-slim-bookworm by @dependabot in #1124
  • Bump eslint-plugin-import from 2.30.0 to 2.31.0 in /ui by @dependabot in #1123
  • Bump @babel/eslint-parser from 7.25.1 to 7.25.7 in /ui by @dependabot in #1122
  • Bump eslint-plugin-react from 7.36.1 to 7.37.1 in /ui by @dependabot in #1120
  • DM-46821: Update dependencies by @rra in #1125
  • DM-46821: Update dependencies by @rra in #1128
  • DM-46821: Convert to the new Safir Kafka metrics system by @rra in #1127
  • DM-46821: Prepare 12.0.0 release by @rra in #1130

New Contributors

Full Changelog: 11.1.1...12.0.0

Contributors

rra, ac6y, and dependabot
Assets 2
Loading