Merge pull request #60 from openshift-auth/merg-upstream-into-downstream

Merg upstream into downstream
openshift · Aug 18, 2022 · 513fd32 · 513fd32
2 parents 19f1a94 + 18f13f5
commit 513fd32
Show file tree

Hide file tree

Showing 4,010 changed files with 546,586 additions and 106,095 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,8 +4,8 @@ on: [push, pull_request]
 
 env:
   QUAY_PATH: quay.io/brancz/kube-rbac-proxy
-  go-version: '1.15'
-  kind-version: 'v0.11.0'
+  go-version: '1.18.3'
+  kind-version: 'v0.14.0'
 
 jobs:
   check-license:
@@ -32,6 +32,7 @@ jobs:
       uses: golangci/golangci-lint-action@v2
       with:
         version: latest
+        args: --timeout=5m
   build:
     runs-on: ubuntu-latest
     name: Build
@@ -64,6 +65,10 @@ jobs:
         wait: 300s
     - name: Wait for cluster to finish bootstraping
       run: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
+    - name: Setup golang for make test-e2e
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ env.go-version }}
     - name: Create container & run tests
       run: |
         VERSION=local make container
@@ -86,6 +91,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+      - name: Setup golang for building
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.go-version }}
       - name: Login to Quay.io
         uses: docker/login-action@v1
         with:

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 _output/
 manifest-tool
 .idea/*
+.vscode
 tmp
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 0.13.0 / 2022-06-29
+
+* [ENHANCEMENT] bump k8s to 1.24.2 #178
+* [ENHANCEMENT] bump Go to 1.18.3 #178
+* [ENHANCEMENT] update README.md to be more accurate and up to date #178, #173
+* [ENHANCEMENT] check all headers for rewrites and create additional authz requests #171
+
+## 0.12.0 / 2022-04-08
+
+* [ENHANCEMENT] bump k8s to 1.23.5. #149, #155, #160
+* [ENHANCEMENT] add release documentation, #156
+* [ENHANCEMENT] use supported apiVersion for deployment and authorization. #150
+* [BUGFIX] ppc64le image build which in turn fixed multi-arch build. #147
+* [ENHANCEMENT] Support building on riscv64 architecture. #141
+* [ENHANCEMENT] move --upstream-force-h2c out of --insecure-listen-address. #140
+
 ## 0.11.0 / 2021-08-02
 
 * [FEATURE] Support for path patterns in --allow-paths and --ignore-paths. #135

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static:nonroot
+ARG GOARCH=amd64
+FROM gcr.io/distroless/static:nonroot-$GOARCH
 
 ARG BINARY=kube-rbac-proxy-linux-amd64
 COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy

diff --git a/Makefile b/Makefile
@@ -12,6 +12,7 @@ VERSION?=$(shell cat VERSION)-$(shell git rev-parse --short HEAD)
 PKGS=$(shell go list ./... | grep -v /test/e2e)
 DOCKER_REPO?=quay.io/brancz/kube-rbac-proxy
 KUBECONFIG?=$(HOME)/.kube/config
+CONTAINER_NAME?=$(DOCKER_REPO):$(VERSION)
 
 ALL_ARCH=amd64 arm arm64 ppc64le s390x
 ALL_PLATFORMS=$(addprefix linux/,$(ALL_ARCH))
@@ -42,15 +43,23 @@ $(OUT_DIR)/$(BIN)-%:
 	CGO_ENABLED=0 \
 	go build --installsuffix cgo -o $(OUT_DIR)/$(BIN)-$* $(GITHUB_URL)
 
-build: $(OUT_DIR)/$(BIN)
+clean:
+	-rm -r $(OUT_DIR)
+
+build: clean $(OUT_DIR)/$(BIN)
+
+update-go-deps:
+	@for m in $$(go list -mod=readonly -m -f '{{ if and (not .Indirect) (not .Main)}}{{.Path}}{{end}}' all); do \
+		go get -d $$m; \
+	done
+	go mod tidy
 
 container: $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH) Dockerfile
-	docker build --build-arg BINARY=$(BIN)-$(GOOS)-$(GOARCH) -t $(DOCKER_REPO):$(VERSION)-$(GOARCH) .
+	docker build --build-arg BINARY=$(BIN)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) -t $(CONTAINER_NAME)-$(GOARCH) .
 ifeq ($(GOARCH), amd64)
-	docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(DOCKER_REPO):$(VERSION)
+	docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(CONTAINER_NAME)
 endif
 
-
 manifest-tool:
 	curl -fsSL https://github.com/estesp/manifest-tool/releases/download/v1.0.2/manifest-tool-linux-amd64 > ./manifest-tool
 	chmod +x ./manifest-tool
@@ -85,6 +94,16 @@ test-unit:
 test-e2e:
 	go test -timeout 55m -v ./test/e2e/ $(TEST_RUN_ARGS) --kubeconfig=$(KUBECONFIG)
 
+test-local:
+	@echo 'run: VERSION=local make clean container kind-create-cluster test'
+
+kind-delete-cluster:
+	kind delete cluster
+
+kind-create-cluster: kind-delete-cluster
+	kind create cluster --config ./test/e2e/kind-config/kind-config.yaml
+	kind load docker-image $(CONTAINER_NAME)
+
 generate: build $(EMBEDMD_BINARY)
 	@echo ">> generating examples"
 	@./scripts/generate-examples.sh
@@ -99,4 +118,4 @@ $(TOOLING): $(TOOLS_BIN_DIR)
 	@echo Installing tools from scripts/tools.go
 	@cat scripts/tools.go | grep _ | awk -F'"' '{print $$2}' | GOBIN=$(TOOLS_BIN_DIR) xargs -tI % go install -mod=readonly -modfile=scripts/go.mod %
 
-.PHONY: all check-license crossbuild build container push push-% manifest-push curl-container test test-unit test-e2e generate
+.PHONY: all check-license crossbuild build container push push-% manifest-push curl-container test test-unit test-e2e generate update-go-deps clean kind-delete-cluster kind-create-cluster
diff --git a/README.md b/README.md
@@ -29,22 +29,22 @@ All command line flags:
 $ kube-rbac-proxy -h
 Usage of _output/kube-rbac-proxy:
       --add_dir_header                              If true, adds the file directory to the header of the log messages
-      --allow-paths strings                         Comma-separated list of paths against which kube-rbac-proxy matches the incoming request. If the request doesn't match, kube-rbac-proxy responds with a 404 status code. If omitted, the incoming request path isn't checked. Cannot be used with --ignore-paths.
-      --alsologtostderr                             log to standard error as well as files
+      --allow-paths strings                         Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the request doesn't match, kube-rbac-proxy responds with a 404 status code. If omitted, the incoming request path isn't checked. Cannot be used with --ignore-paths.
+      --alsologtostderr                             log to standard error as well as files (no effect when -logtostderr=true)
       --auth-header-fields-enabled                  When set to true, kube-rbac-proxy adds auth-related fields to the headers of http requests sent to the upstream
       --auth-header-groups-field-name string        The name of the field inside a http(2) request header to tell the upstream server about the user's groups (default "x-remote-groups")
       --auth-header-groups-field-separator string   The separator string used for concatenating multiple group names in a groups header field's value (default "|")
       --auth-header-user-field-name string          The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
       --auth-token-audiences strings                Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
       --client-ca-file string                       If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
       --config-file string                          Configuration file to configure kube-rbac-proxy.
-      --ignore-paths strings                        Comma-separated list of paths against which kube-rbac-proxy will proxy without performing an authentication or authorization check. Cannot be used with --allow-paths.
+      --ignore-paths strings                        Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
       --insecure-listen-address string              The address the kube-rbac-proxy HTTP server should listen on.
       --kubeconfig string                           Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
       --log_backtrace_at traceLocation              when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                              If non-empty, write log files in this directory
-      --log_file string                             If non-empty, use this log file
-      --log_file_max_size uint                      Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --log_dir string                              If non-empty, write log files in this directory (no effect when -logtostderr=true)
+      --log_file string                             If non-empty, use this log file (no effect when -logtostderr=true)
+      --log_file_max_size uint                      Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
       --logtostderr                                 log to standard error instead of files (default true)
       --oidc-ca-file string                         If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
       --oidc-clientID string                        The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
@@ -53,10 +53,11 @@ Usage of _output/kube-rbac-proxy:
       --oidc-issuer string                          The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
       --oidc-sign-alg stringArray                   Supported signing algorithms, default RS256 (default [RS256])
       --oidc-username-claim string                  Identifier of the user in JWT claim, by default set to 'email' (default "email")
+      --one_output                                  If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
       --secure-listen-address string                The address the kube-rbac-proxy HTTPs server should listen on.
       --skip_headers                                If true, avoid header prefixes in the log messages
-      --skip_log_headers                            If true, avoid headers when opening log files
-      --stderrthreshold severity                    logs at or above this threshold go to stderr (default 2)
+      --skip_log_headers                            If true, avoid headers when opening log files (no effect when -logtostderr=true)
+      --stderrthreshold severity                    logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
       --tls-cert-file string                        File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert)
       --tls-cipher-suites strings                   Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be used
       --tls-min-version string                      Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS12")
@@ -69,6 +70,12 @@ Usage of _output/kube-rbac-proxy:
       --vmodule moduleSpec                          comma-separated list of pattern=N settings for file-filtered logging
 ```
 
+### How to update Go dependencies
+
+To update the Go dependencies run `make update-go-deps`.
+
+This might be useful to do during a release.
+
 ## Why?
 
 You may ask yourself, why not just use the Kubernetes apiserver proxy functionality? There are two reasons why this makes sense, the first is to take load off of the Kubernetes API, so it can be used for actual requests serving the cluster components, rather than in order to serve client requests. The second and more important reason is, this proxy is intended to be a sidecar that accepts incoming HTTP requests. This way, one can ensure that a request is truly authorized, instead of being able to access an application simply because an entity has network access to it.
@@ -107,6 +114,12 @@ This projects is not intended to compete with Envoy or IstioMesh. Although on th
 
 Additionally, to my knowledge Envoy neither has nor plans Kubernetes specific RBAC/AuthZ support (maybe it shouldn’t even). My knowledge may very well be incomplete, please point out if it is. After all I'm happy if I don't have to maintain more code, but as long as this serves a purpose to me and no other project can provide it, I'll maintain this.
 
+## Testing
+
+To run tests locally, you need to have [kind](https://kind.sigs.k8s.io/) installed. By default it uses the default cluster, so be aware that it might override your default cluster.
+
+The command to execute the tests is: `VERSION=local make clean container kind-create-cluster test`.
+
 ## Roadmap
 
 PRs are more than welcome!

diff --git a/RELEASE.md b/RELEASE.md
@@ -0,0 +1,135 @@
+# Releases
+
+This page describes the release process and the respective release shepherd.
+Release shepherds are chosen on a voluntary basis.
+
+## Release schedule
+
+| release series | date of release (year-month-day) | release shepherd                            |
+|----------------|----------------------------------|---------------------------------------------|
+| v0.14.0        | TBD                              | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.13.0        | 2022-06-29                       | Krzysztof Ostrowski (GitHub: @ibihim)       |
+| v0.12.0        | 2022-04-08                       | Sergiusz Urbaniak (GitHub: @s-urbaniak)     |
+| v0.11.0        | 2021-08-02                       | Sergiusz Urbaniak (GitHub: @s-urbaniak)     |
+| v0.10.0        | 2021-05-07                       | Sergiusz Urbaniak (GitHub: @s-urbaniak)     |
+| v0.9.0         | 2021-04-27                       | Sergiusz Urbaniak (GitHub: @s-urbaniak)     |
+| v0.8.0         | 2020-11-03                       | Paweł Krupa (GitHub: @paulfantom)           |
+| v0.7.0         | 2020-09-15                       | Paweł Krupa (GitHub: @paulfantom)           |
+| v0.6.0         | 2020-06-11                       | Frederic Branczyk (GitHub: @brancz)         |
+| v0.5.0         | 2020-02-17                       | Frederic Branczyk (GitHub: @brancz)         |
+| v0.4.1         | 2019-01-23                       | Frederic Branczyk (GitHub: @brancz)         |
+| v0.4.0         | 2018-10-24                       | Frederic Branczyk (GitHub: @brancz)         |
+| v0.3.1         | 2018-06-20                       | Frederic Branczyk (GitHub: @brancz)         |
+
+## How to cut a new release
+
+> This guide is strongly based on the [Prometheus release instructions](https://github.com/prometheus/prometheus/blob/main/RELEASE.md).
+
+We maintain a separate branch for each minor release, named release-<major>.<minor>, e.g. release-1.1, release-2.0.
+
+### Branch management and versioning strategy
+
+We use [Semantic Versioning](https://semver.org/).
+
+We maintain a separate branch for each minor release, named `release-<major>.<minor>`, e.g. `release-1.1`, `release-2.0`.
+
+Note that branch protection kicks in automatically for any branches whose name starts with `release-`. Never use names starting with `release-` for branches that are not release branches.
+
+The usual flow is to merge new features and changes into the master branch and
+to merge bug fixes into the latest release branch. Bug fixes are then merged
+into main from the latest release branch. The main branch should always contain
+all commits from the latest release branch. As long as main hasn't deviated from
+the release branch, new commits can also go to main, followed by merging main
+back into the release branch.
+
+If a bug fix got accidentally merged into main after non-bug-fix changes in
+main, the bug-fix commits have to be cherry-picked into the release branch,
+which then have to be merged back into main. Try to avoid that situation.
+
+### 1. Updating dependencies
+
+Before publishing a new release, consider updating the dependencies. Then create
+a pull request against the main branch.
+
+Note that after a dependency update, you should look out for any weirdness that
+might have happened. Such weirdnesses include but are not limited to: flaky
+tests, differences in resource usage, panic.
+
+In case of doubt or issues that can't be solved in a reasonable amount of time,
+you can skip the dependency update or only update select dependencies. In such a
+case, you have to create an issue or pull request in the GitHub project for
+later follow-up.
+
+#### Updating Go dependencies
+
+```
+make update-go-deps
+git add go.mod go.sum
+git commit -m "Update dependencies"
+```
+
+### 2. Prepare your release
+
+At the start of a new major or minor release cycle create the corresponding
+release branch based on the main branch. For example if we're releasing `2.17.0`
+and the previous stable release is `2.16.0` we need to create a `release-2.17`
+branch. Note that all releases are handled in protected release branches, see
+the above `Branch management and versioning` section.
+
+Bump the version in the `VERSION`, update `CHANGELOG.md`, and modify version references in the example deployment manifests.
+Do this in a proper PR pointing to the release branch as this gives others the opportunity to
+chime in on the release in general and on the addition to the changelog in
+particular.
+
+Note that `CHANGELOG.md` should only document changes relevant to users of
+kube-rbac-proxy, including external API changes, performance improvements, and
+new features. Do not document changes of internal interfaces, code refactorings
+and clean-ups, changes to the build process, etc. People interested in these are
+asked to refer to the git history.
+
+Entries in the `CHANGELOG.md` are meant to be in this order:
+
+* `[CHANGE]`
+* `[FEATURE]`
+* `[ENHANCEMENT]`
+* `[BUGFIX]`
+
+Submit a PR against the master branch titled "*: cut vx.y.z release ".
+
+### 3. Draft the new release
+
+Tag the new release via the following commands:
+
+```bash
+$ tag="v$(< VERSION)"
+$ git tag -s "${tag}" -m "${tag}"
+$ git push origin "${tag}"
+```
+
+Optionally, you can use this handy `.gitconfig` alias.
+
+```ini
+[alias]
+  tag-release = "!f() { tag=v${1:-$(cat VERSION)} ; git tag -s ${tag} -m ${tag} && git push origin ${tag}; }; f"
+```
+
+Then release with `git tag-release`.
+
+Signing a tag with a GPG key is appreciated, but in case you can't add a GPG key
+to your Github account using the following
+[procedure](https://help.github.com/articles/generating-a-gpg-key/), you can
+replace the `-s` flag by `-a` flag of the `git tag` command to only annotate the
+tag without signing.
+
+Once a tag is created, the release process through GitHub Actions will be
+triggered for this tag.
+
+Finally, wait for the build step for the tag to finish. The point here is to
+wait for tarballs to be uploaded to the Github release and the container images
+to be pushed to Quay.io.
+
+### 4. Wrapping up
+
+If the release has happened in the latest release branch, merge the changes into
+main.
+
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.11.0
+v0.13.0