Releases: AetherizeGmbH/harbor-workload-identity-bridge
Release list
v0.3.3
v0.3.2
0.3.2 (2026-07-09)
v0.3.1
v0.3.0
0.3.0 (2026-06-07)
⚠ BREAKING CHANGES
- release: in 0.x is a MINOR bump, not a 1.0.0 release. Map breaking to
minor so the naming work releases as 0.3.0.
Also drops the erroneous 'chore(release): 1.0.0' commit (no v1.0.0 tag was
ever published; the tag push was rejected, leaving main half-released).
- bridge: Harbor robot names and robot-password Secret names change
from dash-delimited to dot-delimited. Safe now (nothing deployed); post
-release this would require a robot/Secret rename migration.
go build/vet/test and -race all pass.
- chore(docs): update readme version on release
Signed-off-by: Karsten Siemer karsten.siemer@aetherize.com
- test(naming): pin cross-package Secret-name contract; refresh stale F2 comments
- Add TestRobotSecretName_ContractPinned in the data plane: nothing pinned
dataplane.robotSecretName against controlplane.secretNameFor, and this pass
changed both. Drift would make the plugin read a Secret the reconciler never
wrote (every pull 503s); now caught at test time. - Update F2/defense-in-depth test comments and a labels_test comment that still
described the old dash-joined / hyphen-prefix scheme as current.
- fix(naming): hash-truncate overflowing Secret names; unify overflow separator
Two follow-ups from the self-review of the dot-delimiter change:
- Secret names had no length handling: "robot-." can exceed the
253-char Kubernetes object-name limit (ns<=63 + a name up to 253), which made
the reconciler loop forever on a "name too long" API error and the CR never
go Ready. Add deterministic hash-truncation mirroring harbor.RobotName's
overflow path, in a shared controlplane helper (robotSecretNameFor) and its
byte-identical data-plane mirror (dataplane.robotSecretName, ADR-0015). - Robot-name overflow path joined the disambiguating hash with '-' while the
rest of the scheme uses '.'. Switch to '.' for consistency (budget already
reserved one separator char; still a valid Harbor name).
Tests: TestRobotSecretNameFor (controlplane) and the extended
TestRobotSecretName_ContractPinned (dataplane) cover overflow (<=253,
deterministic, distinct-inputs-distinct-outputs, prefix preserved). PHASES.md
TODO note removed. go build/vet/test and -race all pass.
- fix(dataplane): deterministic HarborAccess match, reject empty audience/issuer
findHarborAccess returned whichever CR k8s List yielded first. List order is not
stable across the two HA replicas or restarts, so a duplicate (sub,iss,aud) could
flip a workload between a more- and a less-privileged robot. Collect all matches,
select the namespace/name-sorted first, and log the ambiguity.
Also reject any CR with an empty trustPolicy.audience/issuer and ignore empty aud
token entries: defense-in-depth so the auth decision no longer rests solely on the
CRD MinLength=1 markers. Both changes have negative-control-verified tests.
Bump the go toolchain to 1.26.4 for the GO-2026-5037/5038/5039 stdlib fixes
(govulncheck: 3 vulnerabilities -> 0).
Fold the audit's residual operator decisions into SECURITY.md: HarborAccess
authorship is cluster-privileged (the bridge applies no authz to CR contents),
pin bridge/plugin images by digest, /metrics is unauthenticated on the NodePort
port, and the tls.enabled footgun. Correct stale ADR-0018 ownership-prefix docs in
NOTES.txt and values.yaml and the now-hardened bridge pod-security row.
Remove the working AUDIT.md; its actionable items now live in SECURITY.md.