Skip to content

Releases: AetherizeGmbH/harbor-workload-identity-bridge

v0.3.3

Choose a tag to compare

@harbor-workload-identity-bridge harbor-workload-identity-bridge released this 17 Jul 17:09
Immutable release. Only release title and notes can be modified.

0.3.3 (2026-07-17)

v0.3.2

Choose a tag to compare

@harbor-workload-identity-bridge harbor-workload-identity-bridge released this 09 Jul 17:53
Immutable release. Only release title and notes can be modified.

0.3.2 (2026-07-09)

v0.3.1

Choose a tag to compare

@harbor-workload-identity-bridge harbor-workload-identity-bridge released this 21 Jun 11:50
Immutable release. Only release title and notes can be modified.

0.3.1 (2026-06-21)

Bug Fixes

  • deps: update go modules (#21) (602ccdb)
  • deps: update kubernetes go modules to v0.36.2 (#19) (9c784c0)

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 07 Jun 16:08
Immutable release. Only release title and notes can be modified.

0.3.0 (2026-06-07)

⚠ BREAKING CHANGES

  • release: in 0.x is a MINOR bump, not a 1.0.0 release. Map breaking to
    minor so the naming work releases as 0.3.0.

Also drops the erroneous 'chore(release): 1.0.0' commit (no v1.0.0 tag was
ever published; the tag push was rejected, leaving main half-released).

  • bridge: Harbor robot names and robot-password Secret names change
    from dash-delimited to dot-delimited. Safe now (nothing deployed); post
    -release this would require a robot/Secret rename migration.

go build/vet/test and -race all pass.

  • chore(docs): update readme version on release

Signed-off-by: Karsten Siemer karsten.siemer@aetherize.com

  • test(naming): pin cross-package Secret-name contract; refresh stale F2 comments
  • Add TestRobotSecretName_ContractPinned in the data plane: nothing pinned
    dataplane.robotSecretName against controlplane.secretNameFor, and this pass
    changed both. Drift would make the plugin read a Secret the reconciler never
    wrote (every pull 503s); now caught at test time.
  • Update F2/defense-in-depth test comments and a labels_test comment that still
    described the old dash-joined / hyphen-prefix scheme as current.
  • fix(naming): hash-truncate overflowing Secret names; unify overflow separator

Two follow-ups from the self-review of the dot-delimiter change:

  • Secret names had no length handling: "robot-." can exceed the
    253-char Kubernetes object-name limit (ns<=63 + a name up to 253), which made
    the reconciler loop forever on a "name too long" API error and the CR never
    go Ready. Add deterministic hash-truncation mirroring harbor.RobotName's
    overflow path, in a shared controlplane helper (robotSecretNameFor) and its
    byte-identical data-plane mirror (dataplane.robotSecretName, ADR-0015).
  • Robot-name overflow path joined the disambiguating hash with '-' while the
    rest of the scheme uses '.'. Switch to '.' for consistency (budget already
    reserved one separator char; still a valid Harbor name).

Tests: TestRobotSecretNameFor (controlplane) and the extended
TestRobotSecretName_ContractPinned (dataplane) cover overflow (<=253,
deterministic, distinct-inputs-distinct-outputs, prefix preserved). PHASES.md
TODO note removed. go build/vet/test and -race all pass.

  • fix(dataplane): deterministic HarborAccess match, reject empty audience/issuer

findHarborAccess returned whichever CR k8s List yielded first. List order is not
stable across the two HA replicas or restarts, so a duplicate (sub,iss,aud) could
flip a workload between a more- and a less-privileged robot. Collect all matches,
select the namespace/name-sorted first, and log the ambiguity.

Also reject any CR with an empty trustPolicy.audience/issuer and ignore empty aud
token entries: defense-in-depth so the auth decision no longer rests solely on the
CRD MinLength=1 markers. Both changes have negative-control-verified tests.

Bump the go toolchain to 1.26.4 for the GO-2026-5037/5038/5039 stdlib fixes
(govulncheck: 3 vulnerabilities -> 0).

Fold the audit's residual operator decisions into SECURITY.md: HarborAccess
authorship is cluster-privileged (the bridge applies no authz to CR contents),
pin bridge/plugin images by digest, /metrics is unauthenticated on the NodePort
port, and the tls.enabled footgun. Correct stale ADR-0018 ownership-prefix docs in
NOTES.txt and values.yaml and the now-hardened bridge pod-security row.

Remove the working AUDIT.md; its actionable items now live in SECURITY.md.

Bug Fixes

  • bridge: guard HarborAccess naming collisions and bound credentia… (#9) (2e98560)

CI

  • release: bump breaking changes to minor, not major (pre-1.0) (cc82f1c), closes #9

v0.2.8

Choose a tag to compare

@github-actions github-actions released this 06 Jun 15:25
Immutable release. Only release title and notes can be modified.

0.2.8 (2026-06-06)

Bug Fixes

  • ci: bump kind from v0.24.0 to v0.32.0 for containerd 2.x (6183780)

v0.2.7

Choose a tag to compare

@github-actions github-actions released this 06 Jun 14:59
Immutable release. Only release title and notes can be modified.

0.2.7 (2026-06-06)

Bug Fixes

  • e2e: bridge_install pulls from build_images, no silent defaults (0051dd3)

v0.2.6

Choose a tag to compare

@github-actions github-actions released this 06 Jun 14:43
Immutable release. Only release title and notes can be modified.

0.2.6 (2026-06-06)

Bug Fixes

  • deps: update go modules (fc8374d)

v0.2.5

Choose a tag to compare

@github-actions github-actions released this 06 Jun 14:31
Immutable release. Only release title and notes can be modified.

0.2.5 (2026-06-06)

Bug Fixes

  • deps: update kubernetes go modules (9678954)

v0.2.4

Choose a tag to compare

@github-actions github-actions released this 06 Jun 14:19
Immutable release. Only release title and notes can be modified.

0.2.4 (2026-06-06)

Bug Fixes

  • e2e: kind_load must wait for containerd_hosts restart (273c6e6)

v0.2.3

Choose a tag to compare

@github-actions github-actions released this 06 Jun 13:29
Immutable release. Only release title and notes can be modified.

0.2.3 (2026-06-06)

Bug Fixes

  • ci: Renovate uses GitHub App installation token (d289be0)