Releases: openshift-online/rh-trex-ai
v0.0.30
What's Changed
- fix: use GORM direct DSN connection instead of intermediate sql.Open by @markturansky in #35
Full Changelog: v0.0.29...v0.0.30
v0.0.29
v0.0.28
What's Changed
- feat: support multiple JWK URLs for multi-issuer token validation by @markturansky in #34
Full Changelog: v0.0.26...v0.0.28
v0.0.27
What's Changed
Multi-issuer JWK support
- Multiple JWKS URLs: NewJWKKeyProvider now accepts []string. Keys from all configured endpoints are merged additively into one kid→key map. A failing URL warns and continues — one bad endpoint does not block others.
- --jwk-cert-url / --grpc-jwk-cert-url now accept comma-separated or repeated values, enabling a single server to validate tokens from multiple issuers (e.g. RH SSO + k8s SA tokens) with no extra middleware.
- Full unit test coverage for JWKKeyProvider — 12 tests added, previously zero.
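The additive merge and warn-and-continue behaviour described in the v0.0.27 notes above, sketched as an added Go example that is not the project's own code. The names mergeJWKS and fakeFetch, the example hosts and the sample JWKS bodies are constructed for illustration, and keeping the first key when two endpoints publish the same kid is an assumption, since the notes do not say how collisions are resolved.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed JWKS bodies on placeholder hosts; fakeFetch replaces the HTTP GET.
var sample = map[string]string{
	"https://sso.example/certs": `{"keys":[{"kid":"sso-1","kty":"RSA"}]}`,
	"https://k8s.example/jwks":  `{"keys":[{"kid":"k8s-1","kty":"RSA"},{"kid":"sso-1","kty":"EC"}]}`,
}
func fakeFetch(u string) ([]byte, error) {
	if body, ok := sample[u]; ok {
		return []byte(body), nil
	}
	return nil, fmt.Errorf("endpoint unreachable")
}

// mergeJWKS merges every endpoint's keys into one kid->key map, skipping failed URLs.
func mergeJWKS(urls []string, fetch func(string) ([]byte, error)) (map[string]json.RawMessage, []string) {
	keys, warns := map[string]json.RawMessage{}, []string{}
	for _, u := range urls {
		var set struct{ Keys []json.RawMessage }
		body, err := fetch(u)
		if err == nil {
			err = json.Unmarshal(body, &set)
		}
		if err != nil {
			warns = append(warns, fmt.Sprintf("skipping %s: %v", u, err))
			continue // one bad endpoint does not block the others
		}
		for _, raw := range set.Keys {
			var k struct{ Kid string }
			json.Unmarshal(raw, &k) // a malformed entry leaves Kid empty
			if _, dup := keys[k.Kid]; dup || k.Kid == "" { // first key wins (assumption)
				warns = append(warns, fmt.Sprintf("%s: key %q ignored (missing or duplicate kid)", u, k.Kid))
				continue
			}
			keys[k.Kid] = raw
		}
	}
	return keys, warns
}

func main() {
	keys, warns := mergeJWKS([]string{"https://sso.example/certs", "https://down.example/jwks", "https://k8s.example/jwks"}, fakeFetch)
	fmt.Println(len(keys), "keys merged; warnings:", warns)
}
```

Because all issuers share one kid namespace after the merge, logging ignored duplicates makes it visible when a second endpoint publishes a kid that another issuer already uses.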
v0.0.26
What's Changed
gRPC Authentication Improvements
- Per-protocol JWK configuration: New --grpc-jwk-cert-url and --grpc-jwk-cert-file flags allow gRPC to validate tokens against a different JWKS endpoint than HTTP. Falls back to --jwk-cert-url / --jwk-cert-file when unset. Enables k8s SA token validation via cluster OIDC for service-to-service gRPC while HTTP continues using RH SSO.
- sub claim fallback: authenticateGRPCRequest now accepts sub as a final username fallback after username and preferred_username, supporting k8s service account tokens (sub = system:serviceaccount:<ns>/<sa>).
- Extended JWK mock server: Test infrastructure now includes a token endpoint alongside the cert endpoint for more complete authn integration testing.
v0.0.22
Fix all golangci-lint warnings: errcheck, staticcheck, unused (34 issues resolved, 0 remaining)
v0.0.21
BREAKING: Consolidate auth config and fix authn/authz layer bugs
Breaking Changes
- EnableAuthz, JwkCertURL, JwkCertFile removed from ServerConfig — use AuthConfig exclusively
- GetEffectiveAuthConfig() renamed to GetAuthConfig() — direct accessor, no merge logic
- NewAuthzMiddleware signature changed: drops OCMapiclient, takes *config.AuthConfig
- pkg/config/migration.go deleted
Bug Fixes
- routebuilder.go: authzMiddleware now controlled by --enable-authz (real vs mock)
- authz_middleware.go: silent hang on empty identity → proper 401 Unauthorized; OCM dependency removed
- auth_middleware_mock.go: dev mock now sets "dev-user" in context (was leaving username empty)
- grpc_interceptors.go: AuthStreamInterceptor now bypasses health/reflection endpoints (matching unary)
- apiserver.go: JWT handler reads authConfig.JwkCertURL / JwkCertFile from AuthConfig, not ServerConfig
- testutil/helper.go: StartJWKCertServerMock sets Auth.JwkCertURL, not Server.JwkCertURL
Root Cause (migration.go)
MigrateServerConfigToAuthConfig silently reversed --enable-authz=false because ServerConfig.EnableAuthz had no registered CLI flag and always stayed at default true, triggering the migration condition and clobbering the user's setting.
v0.0.20
Upgrade GORM to v1.31.1 for downstream use
- gorm.io/gorm: v1.20.5 → v1.31.1
- gorm.io/driver/postgres: v1.0.5 → v1.6.0
- github.com/go-gormigrate/gormigrate/v2: v2.0.0 → v2.1.5
v0.0.18
What's Changed
- Fix authentication configuration split-brain causing inconsistent auth behavior by @markturansky in #22
Full Changelog: v0.0.17...v0.0.18
v0.0.15
What's Changed
- adds software factory design pattern using generator by @markturansky in #18
Full Changelog: v0.0.14...v0.0.15