feat: v4.39.0 (#282)

* feat: v4.39.0

* feat: adjustments

* Update charts/authelia/README.md

Co-authored-by: Brynn Crowley <[email protected]>
Signed-off-by: James Elliott <[email protected]>

* fix: syntax

---------

Signed-off-by: James Elliott <[email protected]>
Co-authored-by: Brynn Crowley <[email protected]>

Author: james-d-elliott

charts/authelia/BREAKING.md

@@ -3,6 +3,69 @@
 During the beta we will generally not be documenting breaking chart changes but there are exceptions and they are noted
 below.
 
+## 0.10.0
+
+This chart will be the required version for 4.39.0 and it will have a couple minor changes to the configuration.
+
+### WebAuthn User Verification
+
+**_This change will cause an error when doing a `helm install` for 4.39.0 if you do not fix it._**
+
+A lot of additional options have been added to the helm chart in 4.39.0, this has resulted in a single option being
+reorganized.
+
+Before:
+
+```yaml
+configMap:
+  webauthn:
+    user_verification: 'preferred'
+```
+
+After:
+
+```yaml
+configMap:
+  webauthn:
+    selection_criteria:
+      user_verification: 'preferred'
+```
+
+### Access Control Networks
+
+**_This change will cause an error when doing a `helm install` for 4.39.0 if you do not fix it._**
+
+The networks section in access control has been moved to a definitions section where the networks can be reused in
+multiple places. While automatic mapping is available without the chart, the chart will require this adjustment for
+anyone running 4.39.0.
+
+Before:
+
+```yaml
+configMap:
+  access_control:
+    networks:
+      - name: 'example'
+        networks:
+          - '192.168.1.0/24'
+          - '192.168.2.20'
+          - '2001:db8::/32'
+          - '2001:db8:1234:5678::1'
+```
+
+After:
+
+```yaml
+configMap:
+  definitions:
+    network:
+      example:
+        - '192.168.1.0/24'
+        - '192.168.2.20'
+        - '2001:db8::/32'
+        - '2001:db8:1234:5678::1'
+```
+
 ## 0.9.0
 
 While we have aimed to keep documented backwards compatability for previous versions of Authelia deployed with the chart

charts/authelia/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.9.17
+version: 0.10.0
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application
@@ -38,6 +38,6 @@ maintainers:
     email: [email protected]
     url: https://github.com/james-d-elliott
 icon: https://avatars2.githubusercontent.com/u/59122411?s=200&v=4
-appVersion: 4.38.19
+appVersion: 4.39.0
 deprecated: false
 annotations: {}

charts/authelia/README.md

@@ -12,6 +12,7 @@ Breaking changes with this chart should be expected during the v0.x.x versions a
 breaking changes within minor releases i.e. from v0.1.0 to v0.2.0. The following versions have notable breaking changes
 which users should be aware of:
 
+- [v0.10.0](https://github.com/authelia/chartrepo/blob/master/charts/authelia/BREAKING.md#0100)
 - [v0.9.0](https://github.com/authelia/chartrepo/blob/master/charts/authelia/BREAKING.md#090)
 - [v0.5.0](https://github.com/authelia/chartrepo/blob/master/charts/authelia/BREAKING.md#050)
 

charts/authelia/files/configuration.acl.yaml

@@ -1,6 +1,6 @@
 access_control:
   default_policy: {{ include "authelia.accessControl.defaultPolicy" . | trim | squote }}
-  {{- if .Values.configMap.access_control.networks }}
+  {{- if and .Values.configMap.access_control.networks (semverCompare "<4.39.0" (include "authelia.version" $)) }}
   networks:
   {{- range $network := .Values.configMap.access_control.networks }}
     - name: {{ $network.name }}

charts/authelia/files/configuration.oidc.client.yaml

@@ -47,6 +47,9 @@
   {{- if .Client.lifespan }}
   lifespan: {{ .Client.lifespan | squote }}
   {{- end }}
+  {{- if and .Client.claims_policy (semverCompare ">=4.39.0" (include "authelia.version" $)) }}
+  claims_policy: {{ .Client.claims_policy | squote }}
+  {{- end }}
   {{- if .Client.requested_audience_mode }}
   requested_audience_mode: {{ .Client.requested_audience_mode | squote }}
   {{- end }}
@@ -62,17 +65,54 @@
   pkce_challenge_method: {{ (include "authelia.config.oidc.client.pkce_challenge_method" .Client) | squote }}
   authorization_signed_response_alg: {{ .Client.authorization_signed_response_alg | default "none" | squote }}
   authorization_signed_response_key_id: {{ .Client.authorization_signed_response_key_id | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  authorization_encrypted_response_key_id: {{ .Client.authorization_encrypted_response_key_id | default "" | squote }}
+  authorization_encrypted_response_alg: {{ .Client.authorization_encrypted_response_alg | default "none" | squote }}
+  authorization_encrypted_response_enc: {{ .Client.authorization_encrypted_response_enc | default "A128CBC-HS256" | squote }}
+  {{- end }}
   id_token_signed_response_alg: {{ .Client.id_token_signed_response_alg | default "RS256" | squote }}
   id_token_signed_response_key_id: {{ .Client.id_token_signed_response_key_id | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  id_token_encrypted_response_key_id: {{ .Client.id_token_encrypted_response_key_id | default "" | squote }}
+  id_token_encrypted_response_alg: {{ .Client.id_token_encrypted_response_alg | default "none" | squote }}
+  id_token_encrypted_response_enc: {{ .Client.id_token_encrypted_response_enc | default "A128CBC-HS256" | squote }}
+  {{- end }}
   access_token_signed_response_alg: {{ .Client.access_token_signed_response_alg | default "none" | squote }}
   access_token_signed_response_key_id: {{ .Client.access_token_signed_response_key_id | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  access_token_encrypted_response_key_id: {{ .Client.access_token_encrypted_response_key_id | default "" | squote }}
+  access_token_encrypted_response_alg: {{ .Client.access_token_encrypted_response_alg | default "none" | squote }}
+  access_token_encrypted_response_enc: {{ .Client.access_token_encrypted_response_enc | default "A128CBC-HS256" | squote }}
+  {{- end }}
   userinfo_signed_response_alg: {{ .Client.userinfo_signed_response_alg | default "none" | squote }}
   userinfo_signed_response_key_id: {{ .Client.userinfo_signed_response_key_id | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  userinfo_encrypted_response_key_id: {{ .Client.userinfo_encrypted_response_key_id | default "" | squote }}
+  userinfo_encrypted_response_alg: {{ .Client.userinfo_encrypted_response_alg | default "none" | squote }}
+  userinfo_encrypted_response_enc: {{ .Client.userinfo_encrypted_response_enc | default "A128CBC-HS256" | squote }}
+  {{- end }}
   introspection_signed_response_alg: {{ .Client.introspection_signed_response_alg | default "none" | squote }}
   introspection_signed_response_key_id: {{ .Client.introspection_signed_response_key_id | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  introspection_encrypted_response_key_id: {{ .Client.introspection_encrypted_response_key_id | default "" | squote }}
+  introspection_encrypted_response_alg: {{ .Client.introspection_encrypted_response_alg | default "none" | squote }}
+  introspection_encrypted_response_enc: {{ .Client.introspection_encrypted_response_enc | default "A128CBC-HS256" | squote }}
+  introspection_endpoint_auth_method: {{ .Client.introspection_endpoint_auth_method | default "client_secret_basic" | squote }}
+  introspection_endpoint_auth_signing_alg: {{ .Client.introspection_endpoint_auth_signing_alg | default "RS256" | squote }}
+  {{- end }}
   request_object_signing_alg: {{ .Client.request_object_signing_alg | default "" | squote }}
-  token_endpoint_auth_signing_alg: {{ .Client.token_endpoint_auth_signing_alg | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  request_object_encryption_alg: {{ .Client.request_object_encryption_alg | default "none" | squote }}
+  request_object_encryption_enc: {{ .Client.request_object_encryption_enc | default "A128CBC-HS256" | squote }}
+  {{- end }}
   token_endpoint_auth_method: {{ (include "authelia.config.oidc.client.token_endpoint_auth_method" .Client) | squote }}
+  token_endpoint_auth_signing_alg: {{ .Client.token_endpoint_auth_signing_alg | default "" | squote }}
+  {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+  revocation_endpoint_auth_method: {{ .Client.revocation_endpoint_auth_method | default "client_secret_basic" | squote }}
+  revocation_endpoint_auth_signing_alg: {{ .Client.revocation_endpoint_auth_signing_alg | default "RS256" | squote }}
+  pushed_authorization_request_endpoint_auth_method: {{ .Client.pushed_authorization_request_endpoint_auth_method | default "client_secret_basic" | squote }}
+  pushed_authorization_request_endpoint_auth_signing_alg: {{ .Client.pushed_authorization_request_endpoint_auth_signing_alg | default "RS256" | squote }}
+  {{- end }}
   {{- if .Client.jwks_uri }}
   jwks_uri: {{ .Client.jwks_uri | squote }}
   {{- end }}

charts/authelia/files/configuration.server.endpoints.authz.yaml

@@ -10,5 +10,8 @@
       - {{ . | squote }}
       {{- end }}
       {{- end }}
+      {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }}
+      scheme_basic_cache_lifespan: {{ $strategy.scheme_basic_cache_lifespan | default 0 }}
+      {{- end }}
   {{- end }}
   {{- end }}