Skip to content

Releases: openshift-online/rh-trex-ai

v0.0.30

Choose a tag to compare

@markturansky markturansky released this 17 Jun 00:10
6f679fa

What's Changed

  • fix: use GORM direct DSN connection instead of intermediate sql.Open by @markturansky in #35

Full Changelog: v0.0.29...v0.0.30

v0.0.29

Choose a tag to compare

@markturansky markturansky released this 15 Jun 20:24
9deac79

What's Changed

  • feat: add post-auth gRPC interceptor registration hooks by @jsell-rh in #36

New Contributors

Full Changelog: v0.0.27...v0.0.29

v0.0.28

Choose a tag to compare

@markturansky markturansky released this 15 Jun 20:17
aa2d632

What's Changed

  • feat: support multiple JWK URLs for multi-issuer token validation by @markturansky in #34

Full Changelog: v0.0.26...v0.0.28

v0.0.27

Choose a tag to compare

@markturansky markturansky released this 27 Mar 03:37
aa2d632

What's Changed

Multi-issuer JWK support

  • Multiple JWKS URLs: NewJWKKeyProvider now accepts []string. Keys from all configured endpoints are merged additively into one kid→key map. A failing URL warns and continues — one bad endpoint does not block others.
  • --jwk-cert-url / --grpc-jwk-cert-url now accept comma-separated or repeated values, enabling a single server to validate tokens from multiple issuers (e.g. RH SSO + k8s SA tokens) with no extra middleware.
  • Full unit test coverage for JWKKeyProvider — 12 tests added, previously zero.

v0.0.26

Choose a tag to compare

@markturansky markturansky released this 26 Mar 22:27
c05233d

What's Changed

gRPC Authentication Improvements

  • Per-protocol JWK configuration: New --grpc-jwk-cert-url and --grpc-jwk-cert-file flags allow gRPC to validate tokens against a different JWKS endpoint than HTTP. Falls back to --jwk-cert-url / --jwk-cert-file when unset. Enables k8s SA token validation via cluster OIDC for service-to-service gRPC while HTTP continues using RH SSO.
  • sub claim fallback: authenticateGRPCRequest now accepts sub as a final username fallback after username and preferred_username, supporting k8s service account tokens (sub = system:serviceaccount:<ns>/<sa>).
  • Extended JWK mock server: Test infrastructure now includes a token endpoint alongside the cert endpoint for more complete authn integration testing.

v0.0.22

Choose a tag to compare

@markturansky markturansky released this 10 Mar 19:23
18c6c4b

Fix all golangci-lint warnings: errcheck, staticcheck, unused (34 issues resolved, 0 remaining)

v0.0.21

Choose a tag to compare

@markturansky markturansky released this 10 Mar 18:22
eb73124

BREAKING: Consolidate auth config and fix authn/authz layer bugs

Breaking Changes

  • EnableAuthz, JwkCertURL, JwkCertFile removed from ServerConfig — use AuthConfig exclusively
  • GetEffectiveAuthConfig() renamed to GetAuthConfig() — direct accessor, no merge logic
  • NewAuthzMiddleware signature changed: drops OCM apiclient, takes *config.AuthConfig
  • pkg/config/migration.go deleted

Bug Fixes

  • routebuilder.go: authzMiddleware now controlled by --enable-authz (real vs mock)
  • authz_middleware.go: silent hang on empty identity → proper 401 Unauthorized; OCM dependency removed
  • auth_middleware_mock.go: dev mock now sets "dev-user" in context (was leaving username empty)
  • grpc_interceptors.go: AuthStreamInterceptor now bypasses health/reflection endpoints (matching unary)
  • apiserver.go: JWT handler reads authConfig.JwkCertURL/JwkCertFile from AuthConfig, not ServerConfig
  • testutil/helper.go: StartJWKCertServerMock sets Auth.JwkCertURL, not Server.JwkCertURL

Root Cause (migration.go)

MigrateServerConfigToAuthConfig silently reversed --enable-authz=false because ServerConfig.EnableAuthz had no registered CLI flag and always stayed at default true, triggering the migration condition and clobbering the user's setting.

v0.0.20

Choose a tag to compare

@markturansky markturansky released this 10 Mar 06:27
39c4000

Upgrade GORM to v1.31.1 for downstream use

  • gorm.io/gorm: v1.20.5 → v1.31.1
  • gorm.io/driver/postgres: v1.0.5 → v1.6.0
  • github.com/go-gormigrate/gormigrate/v2: v2.0.0 → v2.1.5

v0.0.18

Choose a tag to compare

@markturansky markturansky released this 06 Mar 21:32
6af37c7

What's Changed

  • Fix authentication configuration split-brain causing inconsistent auth behavior by @markturansky in #22

Full Changelog: v0.0.17...v0.0.18

v0.0.15

Choose a tag to compare

@markturansky markturansky released this 02 Mar 11:44
7305e91

What's Changed

Full Changelog: v0.0.14...v0.0.15