Releases: winhowes/AuthTranslator
v0.3.2
Changelog
v0.3.2 is a focused XFCC logging-scope patch that narrows auth failure diagnostics to the configured XFCC header values only.
Highlights
- Restricted envoy_xfcc auth failure logs to the configured XFCC header instead of logging the full request header map.
- Kept the structured reason and configured_header fields so failed XFCC authentication remains debuggable.
- Added coverage that asserts unrelated request headers are omitted from the XFCC auth failure log.
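The scoping change behind #648 (and the v0.3.1 behaviour it replaced), as an added Go example that is not the project's own code: a hypothetical xfccFailureFields builds the failure log entry from only the configured XFCC header while keeping the reason and configured_header fields, beside the unscoped version that copied every request header, with leakedHeaders as the check the new coverage asserts. Function names, the sample headers and the reason string are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// xfccFailureFields builds the log fields for an XFCC auth failure (hypothetical
// helper). Only the header the envoy_xfcc plugin was configured with is copied,
// so Authorization, Cookie and other unrelated headers never reach the log.
func xfccFailureFields(reason, configuredHeader string, hdr http.Header) map[string]string {
	fields := map[string]string{"reason": reason, "configured_header": configuredHeader}
	// Header.Values canonicalizes the name, so the lookup is case-insensitive.
	if vals := hdr.Values(configuredHeader); len(vals) > 0 {
		fields[configuredHeader] = strings.Join(vals, ",")
	}
	return fields
}
// unscopedFailureFields mirrors the v0.3.1 behaviour this patch replaced:
// the whole header map lands in the log entry, credentials included.
func unscopedFailureFields(reason string, hdr http.Header) map[string]string {
	fields := map[string]string{"reason": reason}
	for name, vals := range hdr {
		fields[name] = strings.Join(vals, ",")
	}
	return fields
}
// leakedHeaders lists log fields that are neither structural nor the configured header.
func leakedHeaders(fields map[string]string, configuredHeader string) []string {
	var leaked []string
	for k := range fields {
		if k == "reason" || k == "configured_header" ||
			http.CanonicalHeaderKey(k) == http.CanonicalHeaderKey(configuredHeader) {
			continue
		}
		leaked = append(leaked, k)
	}
	sort.Strings(leaked)
	return leaked
}
func main() {
	// Constructed sample: one XFCC header plus a bearer token that must stay out of the log.
	hdr := http.Header{"X-Forwarded-Client-Cert": {"Hash=EXAMPLEHASH"}, "Authorization": {"Bearer example-token"}}
	const cfg = "X-Forwarded-Client-Cert"
	fmt.Println("scoped leaks:", leakedHeaders(xfccFailureFields("cert not allowed", cfg, hdr), cfg))
	fmt.Println("unscoped leaks:", leakedHeaders(unscopedFailureFields("cert not allowed", hdr), cfg))
}
```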
Included PRs
- #648 Log only configured XFCC header
v0.3.1
Changelog
v0.3.1 is a correctness, auth-plugin, and performance maintenance release that tightens request authorization behavior, improves auth failure diagnostics, and preserves the 100% coverage baseline.
Highlights
- Added envoy_xfcc auth failure logging that records the full incoming request headers when XFCC authentication fails, using the service logger configuration.
- Fixed outgoing auth destination rewriting so outbound auth plugins operate on the final upstream request target.
- Fixed request-body cache handling after find/replace auth and preserved request body size limits when auth plugins replace bodies.
- Fixed allowlist and denylist correctness paths, including case-insensitive allowlist lookup and clearing denylist state when integrations are deleted.
- Improved path-matcher and Twilio signature performance without changing authorization or signature verification semantics.
- Made reload rollback safer when policy publication fails, updated Go version documentation, and kept test coverage at 100.0%.
Included PRs
- #647 Log XFCC auth failure headers
- #644 Fix outgoing auth destination rewriting
- #645 Fix path matcher performance
- #642 Fix allowlist case-insensitive lookup
- #641 Clear denylist when deleting integration
- #640 Fix Twilio signature canonicalization performance
- #639 Fix cached body after find-replace auth
- #638 Fix plugin capability definitions
- #637 Raise test coverage to 100%
- #635 Make reload rollback policy failures
v0.3.0
Changelog
v0.3.0 is an observability and Kubernetes hot-reload release that introduces phase-specific latency metrics, fixes ConfigMap reload behavior for Kubernetes projected volumes, and updates Helm defaults for live config watching.
Breaking Changes
- Replaced authtranslator_request_duration_seconds with phase-specific latency histograms. Dashboards and alerts using the old metric should migrate to authtranslator_upstream_roundtrip_duration_seconds, authtranslator_end_to_end_duration_seconds, authtranslator_pre_proxy_duration_seconds, or authtranslator_response_processing_duration_seconds.
- authtranslator_requests_total now counts all requests that resolve to an integration, including local rejections such as auth failures, rate limits, denylist/allowlist blocks, invalid destinations, and missing proxy configuration. Requests that do not match a configured integration continue to use the unknown integration label.
Highlights
- Added separate latency histograms for upstream roundtrip time, end-to-end handler latency, pre-proxy processing time, and response-side AuthTranslator processing time.
- Fixed Kubernetes config hot reloads by watching containing directories and debouncing projected-volume symlink swaps.
- Updated the Helm chart to mount configuration at /conf, pass /conf/*.yaml explicitly, and enable -watch by default.
- Removed the default request-counter metrics plugin registration so built-in request counting happens exactly once per handled request.
- Expanded proxy, metrics, and file-watch tests for the new latency boundaries, request-count semantics, and Kubernetes-style config reload behavior.
Included PRs
v0.2.11
Changelog
v0.2.11 is a platform secret-store and toolchain maintenance release that adds OS-native desktop secret backends, hardens their edge-case handling, and updates AuthTranslator's CI and release toolchain.
Highlights
- Added OS-native secret backends for macOS Keychain (keychain:), Linux Secret Service (secretservice:), and Windows Credential Manager (wincred:), with documentation and unit coverage.
- Fixed CLI-backed secret handling so macOS Keychain output drops only the command-added final LF while preserving valid trailing secret bytes, and Linux Secret Service preserves exact secret-tool output bytes.
- Added Windows Credential Manager decoding coverage and non-Windows unsupported-path coverage so the backend behaves predictably across platforms.
- Updated GitHub Actions dependencies to Node 24-compatible pinned versions.
- Bumped the module, test workflow, and release workflow to Go 1.26.2.
Included PRs
v0.2.10
Changelog
v0.2.10 is a focused observability follow-up release that makes AuthTranslator’s Prometheus metrics self-describing so Grafana and PromQL treat them with the right counter and histogram semantics.
Highlights
- Declared the built-in authtranslator_*_total metric families as Prometheus counters in the exporter output.
- Declared authtranslator_request_duration_seconds as a Prometheus histogram in the exporter output.
- Added regression coverage to ensure metric type metadata is emitted alongside the existing metrics samples.
- Updated the example metrics plugin and metrics plugin docs so custom counters emit matching # TYPE lines too.
Included PRs
- #625 Declare Prometheus metric types
v0.2.9
Changelog
v0.2.9 is a targeted observability release focused on making proxy-generated failures easier to track without adding tracing overhead.
Highlights
- Added authtranslator_internal_responses_total{integration,code,reason} to expose proxy-generated non-upstream responses with bounded reason labels.
- Expanded authtranslator_auth_failures_total to count outgoing auth failures in addition to incoming auth failures.
- Documented the new metrics and added PromQL/Grafana guidance for monitoring internal proxy failures.
- Added regression coverage across the metrics exporter and proxy rejection paths.
Included PRs
- #624 Add metrics for proxy-generated responses
v0.2.8
Changelog
v0.2.8 is a hardening and bugfix release focused on authorization, rate limiting, TLS verification, transport behavior, metrics handling, and safer config error reporting.
Highlights
- Hardened Redis-backed rate limiting with atomic bucket updates, better key scoping, idle bucket eviction, and timestamp handling fixes.
- Enforced Redis TLS certificate verification.
- Fixed mTLS outgoing transport behavior to preserve default transport settings and handle wrapped transports correctly.
- Tightened authorization behavior around wildcard allowlist matching, token auth prefix enforcement, and dynamically expanded capability rules.
- Improved operational safety by redacting sensitive remote config URLs and config source details in error paths and reload logs.
- Hardened the metrics handler and expanded regression coverage.
- Pinned the Codecov GitHub Action to an immutable commit SHA.
- Cleaned up integration test fixtures and stabilized a flaky transport-related test.
Included PRs
- #623 Redact sensitive parts of remote config URLs in errors and improve fetch error messages
- #622 Clean up integration fixtures with DeleteIntegration
- #621 Normalize dynamically expanded capability rules
- #620 Fix flaky transport mutation assertion in integration tests
- #619 Redact config source in reload failure logs
- #618 Enforce token auth prefix handling
- #617 Restrict wildcard allowlist matching to anonymous callers
- #616 Harden metrics handler behavior
- #615 Fix Redis rate limiter race and bucket handling
- #614 Enforce Redis TLS certificate verification
- #613 Fix mTLS transport behavior
- #612 Fix Redis rate-limiting behavior
- #611 Pin Codecov GitHub Action to an immutable commit SHA
- #610 Fix token-bucket handling issues
- #609 Fix authentication/authorization confusion bug