Merge branch 'main' into feat/secure_config_enforcement

dadrus · Jan 7, 2025 · 2c598ae · 2c598ae
2 parents 7d637f8 + f626c16
commit 2c598ae
Show file tree

Hide file tree

Showing 80 changed files with 939 additions and 39,963 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -266,7 +266,7 @@ jobs:
       - name: Test
         run: go test -v -coverprofile=coverage.cov -coverpkg=./... ./...
       - name: Code Coverage
-        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
+        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
         with:
           files: coverage.cov
           verbose: true
@@ -323,7 +323,7 @@ jobs:
           go-version: "${{ env.GO_VERSION }}"
       - name: Build
         run: CGO_ENABLED=0 GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} go build -trimpath -ldflags="-buildid= -w -s -X github.com/dadrus/heimdall/version.Version=${{ github.sha }}" -o ./build/
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         if: github.ref == 'refs/heads/main'
         with:
           name: build-result-${{ matrix.goos }}-${{ matrix.goarch }}
@@ -408,7 +408,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - name: Collect container meta-info
         id: meta
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
@@ -520,7 +520,7 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
       - name: Login to DockerHub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
@@ -764,7 +764,7 @@ jobs:
           publish_dir: ./docs/versions
           keep_files: true
       - name: Setup GitSign
-        uses: chainguard-dev/actions/setup-gitsign@906ed9cc1377f6d67967f35308628f8845ee065f # main
+        uses: chainguard-dev/actions/setup-gitsign@0c26ac0ebfc8e53f8c2debe657cc2c5f6fe26663 # main
       - name: Create a PR for the updated versions JSON document
         if: steps.update-version-json.outcome == 'success'
         uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -65,7 +65,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: SARIF file
           path: results.sarif

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -74,6 +74,7 @@ linters-settings:
     replace-allow-list:
       # to avoid having a CVE in the used version
       - golang.org/x/crypto
+      - golang.org/x/net
   mnd:
     ignored-functions:
       - '^make'

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,22 @@
 # Changelog
 
+## [0.15.4](https://github.com/dadrus/heimdall/compare/v0.15.3...v0.15.4) (2024-12-19)
+
+
+### Bug Fixes
+
+* Correlation of OTEL Traces and Logs ([#2049](https://github.com/dadrus/heimdall/issues/2049)) ([69c657c](https://github.com/dadrus/heimdall/commit/69c657cda83f8379775d8b9ef82927d9fff15d71))
+
+
+### Dependencies
+
+* update golang.org/x/exp digest to b2144cd ([#2041](https://github.com/dadrus/heimdall/issues/2041)) ([40deb32](https://github.com/dadrus/heimdall/commit/40deb328769d3d06e282a74d8a0037b8ae6d3806))
+* update google.golang.org/genproto/googleapis/rpc digest to 9240e9c ([#2037](https://github.com/dadrus/heimdall/issues/2037)) ([0f5d17c](https://github.com/dadrus/heimdall/commit/0f5d17c5da9dec9b8753a8131b5fafa65d620716))
+* update module github.com/go-co-op/gocron/v2 to v2.14.0 ([#2043](https://github.com/dadrus/heimdall/issues/2043)) ([dbe861c](https://github.com/dadrus/heimdall/commit/dbe861cd07d345a7eba29a83b43c7ee324d94a26))
+* update module golang.org/x/net to v0.33.0 ([#2052](https://github.com/dadrus/heimdall/issues/2052)) ([7d28110](https://github.com/dadrus/heimdall/commit/7d281109f0ea18ac1eb38795d80f4b4fd5088f4e))
+* update module google.golang.org/grpc to v1.69.2 ([#2046](https://github.com/dadrus/heimdall/issues/2046)) ([2a639c0](https://github.com/dadrus/heimdall/commit/2a639c04d50b700611926666a69ed9c585bb9de9))
+* update module google.golang.org/protobuf to v1.36.0 ([#2038](https://github.com/dadrus/heimdall/issues/2038)) ([55eb060](https://github.com/dadrus/heimdall/commit/55eb060545f1f61bfead8c3f28456ec96683efc6))
+
 ## [0.15.3](https://github.com/dadrus/heimdall/compare/v0.15.2...v0.15.3) (2024-12-15)
 
 

diff --git a/DockerHub-README.md b/DockerHub-README.md
@@ -133,8 +133,6 @@ rules:
 Create a `docker-compose.yaml` file with the following contents and modify it to include the correct paths to your `config.yaml` and `rule.yaml` files:
 
 ```yaml
-version: "3"
-
 services:
   heimdall:
     image: dadrus/heimdall:latest
@@ -154,7 +152,7 @@ services:
 Start the docker compose environment:
 
 ```bash
-docker-compose up
+docker compose up
 ```
 
 Call the proxy service endpoint to emulate behavior of a client application:

diff --git a/charts/heimdall/Chart.yaml b/charts/heimdall/Chart.yaml
@@ -17,7 +17,7 @@
 apiVersion: v2
 name: heimdall
 description: A cloud native Identity Aware Proxy and Access Control Decision Service
-version: 0.14.3
+version: 0.14.4
 appVersion: latest
 kubeVersion: ^1.27.0
 type: application

diff --git a/docker/docker-compose.template.dbg b/docker/docker-compose.template.dbg
@@ -1,5 +1,3 @@
-version: '3.7'
-
 services:
   ${SERVICE_NAME}:
     build:

diff --git a/docs/content/docs/getting_started/protect_an_app.adoc b/docs/content/docs/getting_started/protect_an_app.adoc
@@ -241,8 +241,6 @@ We will add it to the above referenced `/var/www/nginx` folder, when we define o
 +
 [source, yaml]
 ----
-version: '3.7'
-
 services:
   heimdall: # <1>
     image: dadrus/heimdall:dev
@@ -280,8 +278,6 @@ services:
 +
 [source, yaml]
 ----
-version: "3"
-
 services:
   proxy: # <1>
     image: traefik:2.11.0
@@ -345,7 +341,7 @@ Open your terminal and start the services in the directory, the above `docker-co
 
 [source, bash]
 ----
-$ docker-compose up
+$ docker compose up
 ----
 
 == Consume the API
@@ -448,5 +444,5 @@ Just stop the environment with `CTRL-C` and delete the created files. If you sta
 
 [source, bash]
 ----
-$ docker-compose down
+$ docker compose down
 ----
diff --git a/docs/content/guides/authn/oidc_first_party_auth.adoc b/docs/content/guides/authn/oidc_first_party_auth.adoc
@@ -227,8 +227,6 @@ EOSQL
 +
 [source, yaml]
 ----
-version: '3.7'
-
 services:
   heimdall: # <1>
     image: dadrus/heimdall:dev
@@ -321,7 +319,7 @@ volumes:
 
 With the above configuration in place, follow these steps to start Keycloak and the database, initialize both, and create the OAuth2-Proxy client:
 
-. In the root directory, run `docker-compose up postgresql keycloak`. Wait until the database is initialized and Keycloak has started.
+. In the root directory, run `docker compose up postgresql keycloak`. Wait until the database is initialized and Keycloak has started.
 . Open your browser and go to `\http://127.0.0.1:8080`. Log in using the admin credentials (both the username and password are set to `admin` in our setup).
 . Create a Realm named `test`. For detailed instructions, refer to the Keycloak documentation on https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-a-realm_server_administration_guide[ creating a realm].
 . Within the `test` realm, create an OpenID Client. Follow the Keycloak documentation on https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-oidc-client_server_administration_guide[creating an OIDC client]. Enable "Client authentication" and "Standard Flow", set `\http://127.0.0.1:9090/oauth2/callback` as the "Valid Redirect URI" and `\http://127.0.0.1:9090/` as the "Home URL" and "Valid post logout redirect URIs" and note the "Client ID" and "Client Secret" (later can be found under the "Credentials" tab after completing the client creation wizard); we will use these to complete the OAuth2-Proxy configuration in our Docker Compose file.
@@ -337,7 +335,7 @@ We can now finalize the configuration and use the proper client id and secret fo
 
 We now have almost everything set up. The final step is to create a few users, including at least one with the `admin` role assigned.
 
-. In the root directory, run `docker-compose up`. Wait until all services are up and running.
+. In the root directory, run `docker compose up`. Wait until all services are up and running.
 . Open your browser and navigate to `\http://127.0.0.1:8080`. Log in using the admin credentials (both username and password are set to `admin`).
 . Select the `test` realm and create an `admin` group with a role named `admin` assigned to it. For guidance, refer to the Keycloak documentation on creating https://www.keycloak.org/docs/latest/server_admin/index.html#proc-managing-groups_server_administration_guide[Groups] and https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-realm-roles_server_administration_guide[Roles].
 . Create several users following the Keycloak documentation on  https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-user_server_administration_guide[managing users], and assign some of them to the `admin` group. Disable email verification during user creation to avoid sending verification emails to potentially non-existent addresses.

diff --git a/docs/content/guides/authz/openfga.adoc b/docs/content/guides/authz/openfga.adoc
@@ -40,8 +40,6 @@ To be able to follow this guide, you'll need the following tools installed local
 +
 [source, yaml]
 ----
-version: '3.7'
-
 services:
   heimdall: # <1>
     image: dadrus/heimdall:dev
@@ -211,7 +209,7 @@ In addition, create a file named `jwks.json` with the public key required to ver
 
 The static configuration of our services is in place. Let us now create the actual authorization model and based on it the required heimdall rules.
 
-. Start our setup with `docker-compose up` and wait until all services are up and running.
+. Start our setup with `docker compose up` and wait until all services are up and running.
 
 . Create the OpenFGA store as also described in https://openfga.dev/docs/getting-started/create-store[Create Store] with
 +
@@ -434,5 +432,5 @@ Just stop the environment with `CTRL-C` and delete the created files. If you sta
 
 [source, bash]
 ----
-$ docker-compose down
+$ docker compose down
 ----
diff --git a/docs/content/guides/proxies/traefik.adoc b/docs/content/guides/proxies/traefik.adoc
@@ -111,8 +111,6 @@ The following `docker-compose.yaml` file shows a minimal required configuration.
 
 [source, yaml]
 ----
-version: '3.7'
-
 services:
   proxy:
     image: traefik:2.11.0

diff --git a/docs/versions/data.json b/docs/versions/data.json
@@ -118,5 +118,9 @@
   {
     "version": "v0.15.3",
     "path": "/heimdall/v0.15.3"
+  },
+  {
+    "version": "v0.15.4",
+    "path": "/heimdall/v0.15.4"
   }
 ]
diff --git a/examples/docker-compose/quickstarts/README.md b/examples/docker-compose/quickstarts/README.md
@@ -12,7 +12,7 @@ In that setup heimdall is not integrated with any other reverse proxy.
 1. Start the environment with
 
    ```bash
-   docker-compose -f docker-compose.yaml -f docker-compose-proxy.yaml up
+   docker compose -f docker-compose.yaml -f docker-compose-proxy.yaml up
    ```
 
 2. Play with it
@@ -31,10 +31,12 @@ In that setup heimdall is not integrated with any other reverse proxy.
 
 In that setup heimdall is integrated with Traefik. All requests are sent to traefik, which then contacts heimdall as external authorization middleware and depending on the response from heimdall either forwards the request to the upstream service, or directly responses with an error from heimdall.
 
+*NOTE:* This setup uses Traefik's Docker provider and mounts the `docker.sock` file into the Traefik container. Your docker installation may differ requiring a modification of the configured volume mount in the `docker-compose-traefik.yaml` file.
+
 1. Start the environment with
 
    ```bash
-   docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up
+   docker compose -f docker-compose.yaml -f docker-compose-traefik.yaml up
    ```
 
 2. Play with it
@@ -57,13 +59,13 @@ In that setup heimdall is integrated with Envoy Proxy. All requests are sent to
    ether
 
    ```bash
-   docker-compose -f docker-compose.yaml -f docker-compose-envoy-http.yaml up
+   docker compose -f docker-compose.yaml -f docker-compose-envoy-http.yaml up
    ```
 
    to see integration using the HTTP decision service in action, or
 
    ```bash
-   docker-compose -f docker-compose.yaml -f docker-compose-envoy-grpc.yaml up
+   docker compose -f docker-compose.yaml -f docker-compose-envoy-grpc.yaml up
    ```
 
    to see integration using the envoy GRPC extauthz decision service in action (not available before v0.7.0-alpha).

diff --git a/examples/docker-compose/quickstarts/docker-compose-envoy-grpc.yaml b/examples/docker-compose/quickstarts/docker-compose-envoy-grpc.yaml
@@ -1,5 +1,3 @@
-version: '3.7'
-
 services:
   proxy:
     image: envoyproxy/envoy:v1.29.1

diff --git a/examples/docker-compose/quickstarts/docker-compose-envoy-http.yaml b/examples/docker-compose/quickstarts/docker-compose-envoy-http.yaml
@@ -1,5 +1,3 @@
-version: '3.7'
-
 services:
   edge-router:
     image: envoyproxy/envoy:v1.29.1

diff --git a/examples/docker-compose/quickstarts/docker-compose-proxy.yaml b/examples/docker-compose/quickstarts/docker-compose-proxy.yaml
@@ -1,5 +1,3 @@
-version: '3.7'
-
 services:
   heimdall:
     ports:

diff --git a/examples/docker-compose/quickstarts/docker-compose-traefik.yaml b/examples/docker-compose/quickstarts/docker-compose-traefik.yaml
@@ -1,8 +1,6 @@
-version: '3.7'
-
 services:
   proxy:
-    image: traefik:3.0.0
+    image: traefik:3.2.3
     ports:
     - "9090:9090"
     command: >

diff --git a/examples/docker-compose/quickstarts/docker-compose.yaml b/examples/docker-compose/quickstarts/docker-compose.yaml
@@ -1,5 +1,3 @@
-version: '3.7'
-
 services:
   heimdall-init:
     image: finalgene/openssh