Merge pull request #22 from lilic/bump-version

Bump to 0.5.0 release

.travis.yml

@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - '1.12.x'
+  - '1.13.x'
 
 go_import_path: github.com/brancz/kube-rbac-proxy
 
@@ -20,9 +20,8 @@ jobs:
   include:
     - stage: Integration Tests
       before_script:
-        - curl -Lo kind https://github.com/kubernetes-sigs/kind/releases/download/0.2.1/kind-linux-amd64 && chmod +x kind && sudo mv kind /usr/local/bin/
-        - kind create cluster
-        - export KUBECONFIG="$(kind get kubeconfig-path)"
+        - curl -Lo kind https://github.com/kubernetes-sigs/kind/releases/download/v0.7.0/kind-linux-amd64 && chmod +x kind && sudo mv kind /usr/local/bin/
+        - kind create cluster --config test/e2e/kind-config/kind-config.yaml
       script:
         - VERSION=local make container
         - kind load docker-image quay.io/brancz/kube-rbac-proxy:local

CHANGELOG.md

@@ -1,5 +1,13 @@
 ## Next release
 
+## 0.5.0 / 2020-02-17
+
+* [CHANGE] Move from glog to klog for logging. #57
+* [FEATURE] Support token audience reviews. #56
+* [FEATURE] Support custom upstream CAs. #34
+* [ENHANCEMENT] Reload TLS certificates at runtime. #47
+* [ENHANCEMENT] Add host in self-signed certs. #43
+
 ## 0.4.1 / 2019-01-23
 
 * [ENHANCEMENT] Use golang.org/x/net http2 server. #29

Dockerfile

@@ -1,10 +1,11 @@
-FROM golang:1.12-alpine AS build
+FROM golang:1.13-alpine AS build
+ENV GOFLAGS="-mod=vendor"
 RUN apk add --update make && apk add --no-cache git
 WORKDIR /go/src/github.com/brancz/kube-rbac-proxy
 COPY . .
 RUN make build && cp /go/src/github.com/brancz/kube-rbac-proxy/_output/linux/$(go env GOARCH)/kube-rbac-proxy /usr/local/bin
 
-FROM alpine:3.8
+FROM alpine:3.11
 RUN apk add -U --no-cache ca-certificates && rm -rf /var/cache/apk/*
 COPY --from=build /usr/local/bin/kube-rbac-proxy .
 ENTRYPOINT ["./kube-rbac-proxy"]

Makefile

@@ -8,9 +8,10 @@ GOOS?=$(shell uname -s | tr A-Z a-z)
 GOARCH?=$(shell go env GOARCH)
 OUT_DIR=_output
 BIN?=kube-rbac-proxy
-VERSION?=$(shell cat VERSION)
+VERSION?=$(shell cat VERSION)-$(shell git rev-parse --short HEAD)
 PKGS=$(shell go list ./... | grep -v /vendor/)
 DOCKER_REPO?=quay.io/brancz/kube-rbac-proxy
+KUBECONFIG?=$(HOME)/.kube/config
 
 check-license:
 	@echo ">> checking license headers"
@@ -50,7 +51,7 @@ test:
 test-e2e:
 	go test -timeout 55m -v ./test/e2e/ $(TEST_RUN_ARGS) --kubeconfig=$(KUBECONFIG)
 
-generate: embedmd
+generate: build embedmd
 	@echo ">> generating examples"
 	@./scripts/generate-examples.sh
 	@echo ">> generating docs"

README.md

@@ -28,18 +28,22 @@ All command line flags:
 ```txt
 $ kube-rbac-proxy -h
 Usage of _output/linux/amd64/kube-rbac-proxy:
+      --add_dir_header                              If true, adds the file directory to the header
       --alsologtostderr                             log to standard error as well as files
       --auth-header-fields-enabled                  When set to true, kube-rbac-proxy adds auth-related fields to the headers of http requests sent to the upstream
       --auth-header-groups-field-name string        The name of the field inside a http(2) request header to tell the upstream server about the user's groups (default "x-remote-groups")
       --auth-header-groups-field-separator string   The separator string used for concatenating multiple group names in a groups header field's value (default "|")
       --auth-header-user-field-name string          The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
+      --auth-token-audiences strings                Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
       --client-ca-file string                       If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
       --config-file string                          Configuration file to configure kube-rbac-proxy.
       --insecure-listen-address string              The address the kube-rbac-proxy HTTP server should listen on.
       --kubeconfig string                           Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
       --log_backtrace_at traceLocation              when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                              If non-empty, write log files in this directory
-      --logtostderr                                 log to standard error instead of files
+      --log_file string                             If non-empty, use this log file
+      --log_file_max_size uint                      Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                                 log to standard error instead of files (default true)
       --oidc-ca-file string                         If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
       --oidc-clientID string                        The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
       --oidc-groups-claim string                    Identifier of groups in JWT claim, by default set to 'groups' (default "groups")
@@ -48,15 +52,18 @@ Usage of _output/linux/amd64/kube-rbac-proxy:
       --oidc-sign-alg stringArray                   Supported signing algorithms, default RS256 (default [RS256])
       --oidc-username-claim string                  Identifier of the user in JWT claim, by default set to 'email' (default "email")
       --secure-listen-address string                The address the kube-rbac-proxy HTTPs server should listen on.
+      --skip_headers                                If true, avoid header prefixes in the log messages
+      --skip_log_headers                            If true, avoid headers when opening log files
       --stderrthreshold severity                    logs at or above this threshold go to stderr (default 2)
       --tls-cert-file string                        File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert)
       --tls-cipher-suites strings                   Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be used
       --tls-min-version string                      Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS12")
       --tls-private-key-file string                 File containing the default x509 private key matching --tls-cert-file.
+      --tls-reload-interval duration                The interval at which to watch for TLS certificate changes, by default set to 1 minute. (default 1m0s)
       --upstream string                             The upstream URL to proxy to once requests have successfully been authenticated and authorized.
       --upstream-ca-file string                     The CA the upstream uses for TLS connection. This is required when the upstream uses TLS and its own CA certificate
       --upstream-force-h2c                          Force h2c to communiate with the upstream. This is required when the upstream speaks h2c(http/2 cleartext - insecure variant of http/2) only. For example, go-grpc server in the insecure mode, such as helm's tiller w/o TLS, speaks h2c only
-  -v, --v Level                                     log level for V logs
+  -v, --v Level                                     number for the log level verbosity
       --vmodule moduleSpec                          comma-separated list of pattern=N settings for file-filtered logging
 ```
 

VERSION

@@ -1 +1 @@
-v0.4.1
+v0.5.0