Updates for latest releases #78
Open
haq204 wants to merge 59 commits into main from rel/v3.2.0
+857
−102
Conversation
(cherry picked from commit a8803c837b0cc2d43baa35e267d124082a119bcb) Signed-off-by: Flynn <[email protected]>
(cherry picked from commit 3acb3de2b805b443498aa48e9bda0f262fdcdf31) Signed-off-by: Flynn <[email protected]>
…ndpoints. Add support for handling CORS requests and CORS preflight requests on the known endpoints for `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicooke`. The appropriate CORS headers are added to the response. We ensure that the `Access-Control-Allow-Origin` header is set because some browsers are more strict than others. In certain versions of Safari we have seen that not including the origin causes Safari to reject the CORS request. While we respond to both CORS preflights and to CORS requests, we generally do _not_ allow configuring the response: when the OAuth2 filter is in play, there's pretty much only one Right Way to Respond. Co-authored-by: Lance Austin <[email protected]> Signed-off-by: Flynn <[email protected]>
(cherry picked from commit a8803c837b0cc2d43baa35e267d124082a119bcb) Signed-off-by: Flynn <[email protected]> (cherry picked from commit 1fc6113f1e9d85353f43298bd1f43d29dfe640ac)
(cherry picked from commit 3acb3de2b805b443498aa48e9bda0f262fdcdf31) Signed-off-by: Flynn <[email protected]> (cherry picked from commit 73826f3812cf63abb5a8f7921553085aa66c68df)
…ndpoints. Add support for handling CORS requests and CORS preflight requests on the known endpoints for `/.ambassador/oauth2/logout` and `/.ambassador/oauth2/multicooke`. The appropriate CORS headers are added to the response. We ensure that the `Access-Control-Allow-Origin` header is set because some browsers are more strict than others. In certain versions of Safari we have seen that not including the origin causes Safari to reject the CORS request. While we respond to both CORS preflights and to CORS requests, we generally do _not_ allow configuring the response: when the OAuth2 filter is in play, there's pretty much only one Right Way to Respond. Co-authored-by: Lance Austin <[email protected]> Signed-off-by: Flynn <[email protected]> (cherry picked from commit d2a22ec493d1d5e3986a93cbaef45eef847875fe)
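The CORS behaviour described in the commit above, as an added example that is not code from the Edge Stack project: a small Go middleware that, on the two endpoint paths named in the commit message, answers preflights itself and echoes the exact request origin in `Access-Control-Allow-Origin` (never `*`, since cookies are involved). The `allowedOrigins` set, the stub endpoint handler and the `gateway.example.test` / `app.example.test` hosts are constructed for this example; the real filter decides from its own configuration which origins it trusts.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// The two endpoints the filter answers CORS requests on (paths from the commit message).
var corsEndpoints = map[string]bool{
	"/.ambassador/oauth2/logout":     true,
	"/.ambassador/oauth2/multicooke": true,
}

// corsHandler attaches the fixed CORS response for the known endpoints and
// answers preflights itself. allowedOrigins is an assumption of this example.
type corsHandler struct {
	allowedOrigins map[string]bool
	next           http.Handler
}

func (h corsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	if !corsEndpoints[r.URL.Path] || origin == "" || !h.allowedOrigins[origin] {
		// Same-origin request, unknown endpoint, or untrusted origin: add nothing,
		// so the browser's same-origin policy blocks any cross-origin read.
		h.next.ServeHTTP(w, r)
		return
	}
	hdr := w.Header()
	// Echo the exact origin rather than "*": the response carries credentials
	// (cookies), and some browsers reject a missing or wildcard origin outright.
	hdr.Set("Access-Control-Allow-Origin", origin)
	hdr.Set("Access-Control-Allow-Credentials", "true")
	hdr.Add("Vary", "Origin") // a cache must not serve this response to another origin
	if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
		// Preflight: answered here with a fixed policy; nothing is user-configurable.
		hdr.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
		hdr.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
		hdr.Set("Access-Control-Max-Age", "600")
		w.WriteHeader(http.StatusNoContent)
		return
	}
	// Actual CORS request: headers are attached and the endpoint handles the request.
	h.next.ServeHTTP(w, r)
}

// newFilter builds the middleware around a stub endpoint with one constructed trusted origin.
func newFilter() http.Handler {
	endpoint := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		fmt.Fprint(w, "endpoint reached")
	})
	return corsHandler{
		allowedOrigins: map[string]bool{"https://app.example.test": true}, // constructed
		next:           endpoint,
	}
}

// probe sends one request through the handler and returns the status code and
// the Access-Control-Allow-Origin header it produced ("" when none was set).
func probe(h http.Handler, method, path, origin string, preflight bool) (int, string) {
	req := httptest.NewRequest(method, "https://gateway.example.test"+path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if preflight {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	h := newFilter()
	code, acao := probe(h, http.MethodOptions, "/.ambassador/oauth2/logout", "https://app.example.test", true)
	fmt.Println("preflight from trusted origin:", code, acao)
	code, acao = probe(h, http.MethodGet, "/.ambassador/oauth2/logout", "https://evil.example.test", false)
	fmt.Println("request from untrusted origin:", code, acao)
}
```

The `Vary: Origin` header matters in practice: without it a shared cache can hand a response stamped with one origin to a request from another.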
This adds a dependency on the latest radix v4 library. A dependency on the radix v2 library will still exist until the other areas of the codebase have shifted over to the v4 library. To ensure we are not breaking existing customers, a feature flag will need to be set to opt-in to using the experimental redis driver. Setting `AES_REDIS_EXPERIMENTAL_DRIVER_ENABLED=true` will use the new library for the Auth Filters (OAuth2). Currently, it piggybacks off the original environment config fields for Redis. This has the advantage of keeping doc changes simple, and manifest changes minimal. The tradeoff with this decision is that settings are shared with the v2 redisPools, which means they cannot be tuned separately. Note: it will also do it for the `acmeclient.challengerHandler` due to the way that this is created within the FilterMux. Unit tests have been added to ensure behavior and future work will port the other parts of the acmeclient over to the new library.

Two other notable items are:

1. poolSize of 0 is not allowed, will fall back to a default
2. These config fields are ignored and have no effect for v4:
   - SurgePoolSize
   - SurgePoolDrainInterval
   - SurgeLimitAfter
   - SurgeLimitInterval

Signed-off-by: Lance Austin <[email protected]>
Signed-off-by: Kévin Lambert <[email protected]>
Signed-off-by: Kévin Lambert <[email protected]>
Signed-off-by: Kévin Lambert <[email protected]>
This updates our dependency to emissary-ingress with the recently backported kat splits on the OSS side. Includes changes from `make generate`. Signed-off-by: Lance Austin <[email protected]>
Updates to the latest rc that pulls in new features that includes the pinned dependencies for golang, python, etc... A bug with the injected acme challenge route was addressed in this RC as well. Signed-off-by: Lance Austin <[email protected]>
Signed-off-by: Lance Austin <[email protected]>
Updates to the latest emissary with pinned golang, python and a fix for the injected acme route in preparation for RC. Signed-off-by: Lance Austin <[email protected]>
Signed-off-by: Lance Austin <[email protected]>
This PR updates to emissary 3.1.0 in master and pulls in the release commits from `release/v3.1.0` to keep them in sync with master. Signed-off-by: Lance Austin <[email protected]>
* deps : bumping go to 1.18 Signed-off-by: David Dymko <[email protected]>
* deps : update opensource.md with proper go version Signed-off-by: David Dymko <[email protected]>
* deps : update emissary to 1.18 PR for testing Signed-off-by: David Dymko <[email protected]>
* dep : update emissary sha to master branch Signed-off-by: David Dymko <[email protected]>
* make generate
* dep : bump aes-ratelimit 1.4 & 1.3 to go 1.18 builds Signed-off-by: David Dymko <[email protected]>
* make generate Signed-off-by: David Dymko <[email protected]>
Signed-off-by: AliceProxy <[email protected]>
* bumping emissary to the latest sha off master : ran make go-mod-tidy % generate Signed-off-by: David Dymko <[email protected]>
* make generate Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Upgrades Emissary-ingress that is built on envoy 1.23. Ran `make generate` to update charts. Signed-off-by: Lance Austin <[email protected]>
This updates the Host Custom Resource to allow fetching the `tlsSecret` from a different namespace, whereas previously it could only be fetched from the current namespace.

```yaml
tlsSecret:
  name: my-secret
  namespace: my-alternative-namespace
```

This allows users to centralize a shared secret that multiple developers can then reference so that it is only maintained in a single place. Signed-off-by: Lance Austin <[email protected]>
Co-authored-by: Lance Austin <[email protected]> Signed-off-by: David Dymko <[email protected]> Signed-off-by: David Dymko <[email protected]> Co-authored-by: Lance Austin <[email protected]>
Signed-off-by: Lance Austin <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
By default, Envoy will fail open when it is unable to communicate with the configured service. This adds the `failure_mode_deny` field to the `RateLimitService` so that Envoy can be configured to reject requests when it is unable to communicate with the service. A 500 will be returned when this field is enabled. Signed-off-by: Lance Austin <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
This commit renames TestConvert to TestConvertThroughHub to make it a little more obvious what it is testing. The round-trip equality checks are moved from a string comparison to a semantic deep equality comparison due to the fact that not all fields convert 1-1. Things like adding default AmbassadorID, mangling it and enums filling default values all caused the existing string comparisons to fail. Fixes for FilterPolicy and ExternalFilters based on visibility from the failing test were addressed as well. Signed-off-by: Lance Austin <[email protected]>
This commit renames TestConvert to TestConvertThroughHub to make it a little more obvious what it is testing. The round-trip equality checks are moved from a string comparison to a semantic deep equality comparison due to the fact that not all fields convert 1-1. Things like adding default AmbassadorID, mangling it and enums filling default values all caused the existing string comparisons to fail. Fixes for FilterPolicy and ExternalFilters based on visibility from the failing test were addressed as well. Signed-off-by: Lance Austin <[email protected]> (cherry picked from commit 4c68c518be19f4e4234e4a2b5cba2e6e02bb0f8b)
Signed-off-by: Lance Austin <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
In order to add support for `post_logout_redirect_uri` we had to change the logout behavior a bit. If you define `postLogoutRedirectURI` in your yaml manifest for a filter, this will now be checked during the logout process, and session data will not be removed until after the IDP has cleared its session first. This is to prevent issues where we have cleared out our session first but had issues clearing the IDP and are now in a strange drifted state. This introduces a new endpoint that users will have to tell their IDP to point to in order to use the new `postLogoutRedirectURI` field. This new endpoint is `/.ambassador/oauth2/post-logout-redirect`; it handles clearing out your application's session and then redirecting to what you have defined.

Overview

1. Check if postLogoutRedirectURI is set
2. If it is set then redirect over to the IDP's logout endpoint with the following params
   - state: the regular state file we generate, but also including the oauth2 filter + ns used
   - post_logout_redirect_uri: this will point to `/.ambassador/oauth2/post-logout-redirect`
   - id_token_hint: the jwt token
3. The IDP will handle its removal of session data and then redirect to `/.ambassador/oauth2/post-logout-redirect`
4. We will validate that this is a valid request
5. Remove the application's session
6. Redirect to your defined `postLogoutRedirectURI`

TLDR: `/.ambassador/oauth2/logout` -> IDP -> `/.ambassador/oauth2/post-logout-redirect` -> redirect to your `postLogoutRedirectURI`

* change: added postLogoutRedirectURI to v2 & v3 crd Signed-off-by: David Dymko <[email protected]>
* change: adding post logout redirect uri block Signed-off-by: David Dymko <[email protected]>
* change: make generate Signed-off-by: David Dymko <[email protected]>
* change: make generate + handwritten conversion Signed-off-by: David Dymko <[email protected]>
* change: make generate after handwritten conversion Signed-off-by: David Dymko <[email protected]>
* change: create local variable for redirect url Signed-off-by: David Dymko <[email protected]>
* change: added new post redirect endpoint for aes to handle sessions properly Signed-off-by: David Dymko <[email protected]>
* change: validate state in request matches session Signed-off-by: David Dymko <[email protected]>
* change: releasenotes + changelog Signed-off-by: David Dymko <[email protected]>
* change: refactor to remove duplicated code in handler around filter info Signed-off-by: David Dymko <[email protected]>
* change: grab host + schema information from request not state Signed-off-by: David Dymko <[email protected]>
* changes: hardcode schema to https Signed-off-by: David Dymko <[email protected]>
* change: change CRD Field for post logout from string to URL Signed-off-by: David Dymko <[email protected]>
* change: rename mdState to state as md refers to multidomain Signed-off-by: David Dymko <[email protected]>
* change: update error handling to use %w Signed-off-by: David Dymko <[email protected]>
* change: adding okta postlogout redirect yaml Signed-off-by: David Dymko <[email protected]>
* tests: okta postlogout check cookie count Signed-off-by: David Dymko <[email protected]>
* tests: adding testdata for filter + policies Signed-off-by: David Dymko <[email protected]>
* tests: adding user to idp_okta and link to okta app Signed-off-by: David Dymko <[email protected]>
* tests: update idk_okta to follow auth0 + update URL endpoint for test Signed-off-by: David Dymko <[email protected]>
* change: removal of cors for post logout Signed-off-by: David Dymko <[email protected]>
* change: change post redirect to use protected origins and updated docs around rp initiated logout Signed-off-by: David Dymko <[email protected]>
* change: update filter oauth crd for postlogoutredirect to prefix v3 Signed-off-by: David Dymko <[email protected]>
* tests: adding e2e tests for post logout Signed-off-by: David Dymko <[email protected]>
* change: reworked e2e tests + doc addition Signed-off-by: David Dymko <[email protected]>
Signed-off-by: David Dymko <[email protected]>
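The six-step logout flow in the commit above, as an added example that is not code from the Edge Stack project: a Go model of the two endpoints with `net/http/httptest` driving the browser's side. The point it shows is the ordering the commit message argues for: the local session survives step 2, a per-session `state` is bound at logout time, and the callback on `/.ambassador/oauth2/post-logout-redirect` removes the session only when the returned `state` matches that session, so a stale or forged callback leaves the session untouched. The endpoint paths and query parameter names are from the commit message; the in-memory store (the real filter uses Redis), the `example_session` cookie name, the IDP end-session URL and the `app.example.test` host are constructed assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
)

// Stand-in for the session store (the real filter keeps sessions in Redis).
type session struct {
	logoutState string // state issued when logout starts; empty until then
	idToken     string // id_token from login, sent to the IDP as id_token_hint
}

type sessionStore struct {
	mu       sync.Mutex
	sessions map[string]*session
}

// logoutFilter models the two endpoints. Cookie name, IDP URL and host are constructed.
type logoutFilter struct {
	store                 *sessionStore
	idpEndSessionURL      string
	publicHost            string
	postLogoutRedirectURI string // the CRD field from the commit message
}

const cookieName = "example_session"

func randomState() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// handleLogout is steps 1-2: bind a fresh state to the session and send the browser
// to the IDP. The local session is kept until the IDP redirects back (step 3).
func (f *logoutFilter) handleLogout(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	f.store.mu.Lock()
	s, ok := f.store.sessions[c.Value]
	if ok {
		s.logoutState = randomState()
	}
	f.store.mu.Unlock()
	if !ok {
		http.Error(w, "unknown session", http.StatusUnauthorized)
		return
	}
	q := url.Values{}
	q.Set("state", s.logoutState)
	q.Set("post_logout_redirect_uri", "https://"+f.publicHost+"/.ambassador/oauth2/post-logout-redirect")
	q.Set("id_token_hint", s.idToken)
	http.Redirect(w, r, f.idpEndSessionURL+"?"+q.Encode(), http.StatusSeeOther)
}

// handlePostLogoutRedirect is steps 4-6: the returned state must match the one bound to
// this browser's session; only then is the session removed and the browser redirected.
func (f *logoutFilter) handlePostLogoutRedirect(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		http.Error(w, "no session", http.StatusBadRequest)
		return
	}
	got := r.URL.Query().Get("state")
	f.store.mu.Lock()
	s, ok := f.store.sessions[c.Value]
	valid := ok && s.logoutState != "" && subtle.ConstantTimeCompare([]byte(s.logoutState), []byte(got)) == 1
	if valid {
		delete(f.store.sessions, c.Value) // step 5: drop the application's session
	}
	f.store.mu.Unlock()
	if !valid {
		http.Error(w, "state does not match session", http.StatusBadRequest)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", MaxAge: -1, Path: "/", Secure: true, HttpOnly: true})
	http.Redirect(w, r, f.postLogoutRedirectURI, http.StatusSeeOther) // step 6
}

// runLogoutFlow drives both endpoints; with tamper set, the state the "IDP" sends back is
// altered. Returns the callback's status, its Location header and whether the session survived.
func runLogoutFlow(tamper bool) (int, string, bool) {
	f := &logoutFilter{
		store:                 &sessionStore{sessions: map[string]*session{"sess-1": {idToken: "constructed.id.token"}}},
		idpEndSessionURL:      "https://idp.example.test/oauth2/v1/logout",
		publicHost:            "app.example.test",
		postLogoutRedirectURI: "https://app.example.test/signed-out",
	}
	cookie := &http.Cookie{Name: cookieName, Value: "sess-1"}
	req := httptest.NewRequest(http.MethodGet, "https://app.example.test/.ambassador/oauth2/logout", nil)
	req.AddCookie(cookie)
	rec := httptest.NewRecorder()
	f.handleLogout(rec, req)
	idp, err := url.Parse(rec.Header().Get("Location"))
	if err != nil {
		panic(err)
	}
	state := idp.Query().Get("state")
	if tamper {
		state = "forged-" + state
	}
	cb := "https://app.example.test/.ambassador/oauth2/post-logout-redirect?state=" + url.QueryEscape(state)
	req = httptest.NewRequest(http.MethodGet, cb, nil)
	req.AddCookie(cookie)
	rec = httptest.NewRecorder()
	f.handlePostLogoutRedirect(rec, req)
	f.store.mu.Lock()
	_, alive := f.store.sessions["sess-1"]
	f.store.mu.Unlock()
	return rec.Code, rec.Header().Get("Location"), alive
}

func main() {
	code, loc, alive := runLogoutFlow(false)
	fmt.Println("genuine callback:", code, loc, "session alive:", alive)
	code, loc, alive = runLogoutFlow(true)
	fmt.Println("tampered callback:", code, loc, "session alive:", alive)
}
```

Because the state is stored on the session rather than only in the URL, the callback is tied to the browser that started the logout; a callback arriving without that browser's cookie, or with a state from another session, is rejected and nothing is cleared.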
[v3.2] Repatriate from v2.4
Without it, duplicate or multiple charts could be vendored in the edge-stack chart. Normally this doesn't cause many issues, but it can lead to incidents where the right version of the emissary chart isn't installed.
2b1c92e...4348ad8 are the only commits worth caring about because they pertain to 3.2.0 release. Commits before that are commits coming in from other release branches that haven't been merged to master yet.
3.2.0 release:
3.1.0 release:
2.4.2 Release
2.3.2 Release