
v0.28.0

@pinniped-ci-bot pinniped-ci-bot released this 15 Dec 18:55
2c52147

Release v0.28.0

Release Image

Image                                                    Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.28.0    GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.28.0            DockerHub

These images can also be referenced by their digest: sha256:069df550a71db7acb41eda1922fe5997c72fab26939c6fd0a0fb544e461c0ac8.

Changes

This release includes security improvements, new features, and bug fixes. It also upgrades all project dependencies.

Minor Changes

  • The Concierge will no longer create a long-lived service account token upon installation, which was previously stored in a Secret in the Concierge's namespace. Instead, it will dynamically fetch short-lived tokens and hold them in memory in the Pods. Upon upgrade, the old Secret will be automatically deleted. This improves security posture by making it impossible for an RBAC configuration or similar mistake to make this token readable to non-admins, and also by making the token short-lived. Other Secrets in the namespace must still be protected against reads by non-admins. (#1733)
  • The Supervisor will now show an interstitial web page to allow the end-user to choose one of the configured IDPs, when multiple IDPs are configured, and when the query parameters to the OIDC authorize endpoint do not specify which IDP to use. (#1742)
  • A new debugging tool has been added to aid in debugging your LDAPIdentityProvider settings. See hack/debug-ldapidentityprovider.sh. (#1594)
  • The values.yaml files in the ytt template directories have been converted to use ytt's schema feature. This makes it easier for users or third parties to create Carvel packages using the Dockerfile and ytt templates from the Pinniped repo. At this time, the Pinniped releases on GitHub do not include Carvel packages. (#1701)
  • The project's Dockerfiles have been updated to add build ARGs to choose the BUILD_IMAGE (golang image used to compile) and the BASE_IMAGE (base layer of the resulting container image). This will make it easier for users and third parties to choose alternate images when building the project. The default values are the latest golang image and the latest gcr.io/distroless/static image. The project maintainers will continue to bump the default values when updates of those images are available. (#1776)
  • Updates Go to v1.21.5, updates the Kubernetes libraries to v0.28.4, and updates all other project dependencies. (#1815, #1808, #1807, #1804, #1803, #1801, #1793, #1791, #1788, #1779, #1775, #1772, #1771, #1767, #1763, #1755, #1751, #1748, #1741, #1738, #1735, #1734, #1732, #1721, #1752)
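The overridable BUILD_IMAGE / BASE_IMAGE pattern described in the Dockerfile change above, shown as an added illustration rather than the project's own Dockerfile. The defaults follow the release note (latest golang image and gcr.io/distroless/static); the stage names, the WORKDIR, the output binary name and the ./cmd/pinniped-server path are assumptions made for the example.

```dockerfile
# Added illustration of build ARGs that select the compile and base images.
# Not the Pinniped project's Dockerfile; stage names and paths are assumed.
# ARGs declared before the first FROM are global and may be used in FROM lines.
ARG BUILD_IMAGE=golang:latest
ARG BASE_IMAGE=gcr.io/distroless/static:latest

# Build stage: compiles the Go binary inside whichever image BUILD_IMAGE names.
FROM ${BUILD_IMAGE} AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO disabled so the result is a static binary that runs on a distroless base.
# The command path is an assumption for this example.
RUN CGO_ENABLED=0 go build -o /out/pinniped-server ./cmd/pinniped-server

# Runtime stage: only the compiled binary is copied onto the minimal base layer.
FROM ${BASE_IMAGE}
COPY --from=build /out/pinniped-server /usr/local/bin/pinniped-server
# Run as a non-root uid rather than the base image's default user.
USER 65532:65532
ENTRYPOINT ["/usr/local/bin/pinniped-server"]
```

Both images are overridden at build time, e.g. `docker build --build-arg BUILD_IMAGE=golang:1.21.5 --build-arg BASE_IMAGE=gcr.io/distroless/static@sha256:<digest-placeholder> .`. Because a `latest` tag is mutable, a build pipeline that needs reproducible or auditable images should pass digest-pinned references through these ARGs instead of relying on the defaults.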

Bug Fixes

  • pinniped whoami has a new --timeout parameter, which defaults to no timeout. This replaces a hardcoded timeout which caused pinniped whoami to fail when a user took more than 20 seconds to complete a fresh interactive login. (#1774)

Diffs

A complete list of changes (111 commits, 188 changed files with 6,808 additions and 2,382 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.