Releases: vmware-tanzu/pinniped
v0.35.0
Release v0.35.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.35.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.35.0 |
DockerHub |
These images can also be referenced by their digest: sha256:bf926dfd78ecca75fce0e43e243021dd9c122bd2cd94d38187b3c9f80138fca4
.
Changes
This release fixes a bug where updating some spec fields of JWTAuthenticators did not take effect immediately. It also upgrades all project dependencies.
Minor Changes
- Updates the Kubernetes libraries to v0.31.2, and updates all other project dependencies. (#2093, #2088, #2086, #2084, #2082, #2076, #2075, #2074, #2072)
- The configuration and code for Pinniped's CI system and jobs have been made public in the
ci
branch of this repo. (#2077)
Bug Fixes
- Fixes a bug introduce in Pinniped v0.33.0 where changing the
spec.audience
and/orspec.claims
fields of an existing JWTAuthenticator (without changing any other spec fields) did not take effect until the next time the Concierge pods are restarted, even though those spec changes should take effect immediately. (#2090)
Diffs
A complete list of changes (31 commits, 116 changed files with 790 additions and 424 deletions) can be found here.
v0.34.0
Release v0.34.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.34.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.34.0 |
DockerHub |
These images can also be referenced by their digest: sha256:fe17d873d146347defe440ee53b7b4b31416e56a66c6e73312cc482f93e2c898
.
Changes
This release fixes a bug when calculating status conditions for WebhookAuthenticators and GitHubIdentityProviders in the presence of HTTPS_PROXY
. It also includes some other minor changes, bug fixes, and upgrades all project dependencies.
Minor Changes
- Updates Go to v1.23.2, updates the Kubernetes libraries to v0.31.1, and updates all other project dependencies. (#2071, #2068, #2067, #2064, #2063, #2059, #2058, #2057, #2052, #2047, #2048, #2046, #2045, #2044, #2042, #2041)
- Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2061, #2049, #2037)
- Some small documentation updates. (#2050, #2038, #2039)
Bug Fixes
- When the
HTTPS_PROXY
environment variable was set for the Concierge pods, the Concierge would not use the proxy setting while calculating the status conditions of WebhookAuthenticators. This could cause the connection probe to fail and the WebhookAuthenticator to be incorrectly put into an error status, making it unusable. This bug was introduced in v0.30.0 when the WebhookAuthenticator status conditions were introduced. This release fixes the bug by automatically skipping the connection probe when theHTTPS_PROXY
andNO_PROXY
environment variable values would cause requests to the WebhookAuthenticator's configured URL to be made through the proxy. (#2069) Additionally, thetls.Dial
used in this connection probe was assigned a timeout. (#2056, #2065) - When the
HTTPS_PROXY
environment variable was set for the Supervisor pods, the Supervisor would not use the proxy setting while calculating the status conditions of GitHubIdentityProviders. This could cause the connection probe to fail and the GitHubIdentityProvider to be incorrectly put into an error status, making it unusable. This bug was introduced in v0.31.0 when GitHubIdentityProviders were first introduced. This release fixes the bug by respecting the values of theHTTPS_PROXY
andNO_PROXY
environment variables during the connection probe to the configured GitHub server. (#2069) - When the Concierge finds a controller-manager pod and tries to parse its configured command-line flags, it previously looked for the flags
--cluster-signing-cert-file
and--cluster-signing-key-file
. Now it will also look for the alternate flags--cluster-signing-kube-apiserver-client-key-file
and--cluster-signing-kube-apiserver-client-cert-file
. This could potentially help make the Concierge compatible with more Kubernetes distributions. For more information, please see the PR description. (#2043)
Diffs
A complete list of changes (113 commits, 421 changed files with 25,654 additions and 11,665 deletions) can be found here.
v0.33.0
Release v0.33.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.33.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.33.0 |
DockerHub |
These images can also be referenced by their digest: sha256:0f9591eefa6e865988217c9c1b33312bd48056df1f271ddc8ae8ba7c851a6a0f
.
Changes
This release introduces support for dynamically reading CA bundles from ConfigMaps or Secrets. It also includes some minor changes, bug fixes, and upgrades all project dependencies.
Major Changes
- All custom resource types that configure Pinniped to act as an HTTPS client to some external server have been updated to optionally allow the CA bundle used to verify those HTTPS connections to be configured in a ConfigMap or Secret, which will by dynamically watched by Pinniped for updates. (#1984, #1996)
- This includes the JWTAuthenticator, WebhookAuthenticator, OIDCIdentityProvider, GitHubIdentityProvider, ActiveDirectoryIdentityProvider, and LDAPIdentityProvider resources.
- This makes it easier for your CA bundles to be configured and managed externally by cert-manager, trust-manager, or any other automation tools.
- See the API docs for the Concierge TLSSpec and the very similar Supervisor TLSSpec.
- See the blog post announcing this feature.
Minor Changes
- A new
Status
printer column was added to the table output for WebhookAuthenticator and JWTAuthenticator. The value shown in the column is thestatus.Phase
of the resource. (#1996) - To be consistent with other Pinniped custom resources, enhanced OIDCIdentityProvider, LDAPIdentityProvider, and ActiveDirectoryIdentityProvider to report
status.conditions
with statusUnknown
when it cannot perform a validation due to a configuration problem already reported on another status condition. (#2034) - Updates Go to v1.21.5, updates the Kubernetes libraries to v0.30.3, and updates all other project dependencies. (#2036, #2035, #2030, #2026, #2023, #2021, #2020, #2019, #2018, #2015, #2014, #2012, #2008, #2011, #2007, #2005, #2004, #2003, #2001, #1999, #1998, #1997, #1995)
- Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2033, #2024, #2010)
- Some small documentation updates. (#2028, #1993)
Bug Fixes
- Fixes a bug for JWTAuthenticators and WebhookAuthenticators where their status was not always being updated after its initial creation. (#1996)
- Host names with upper case characters were previously considered invalid by several Pinniped custom resources. Now mixed-case host names will be allowed. (#2022)
- When testing connection for GitHubIdentityProvider's default host
github.com
, actually dialapi.github.com
forstatus.conditions
validation purposes, becauseapi.github.com
is the host that will actually be used during end-user authentication. (#2032) - WebhookAuthenticators and JWTAuthenticators which were previously validated, and then become invalid due to a spec change, are not considered usable for end-user authentication anymore. To reduce the number of TCP dials to the remote server made during validation, WebhookAuthenticators and JWTAuthenticators that are already validated by a Concierge pod will not be validated again by that same pod unless the spec changes, the specified CA bundle changes, or the pod restarts. (#2013)
Diffs
A complete list of changes (186 commits, 258 changed files with 15,058 additions and 3,036 deletions) can be found here.
v0.32.0
Release v0.32.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.32.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.32.0 |
DockerHub |
These images can also be referenced by their digest: sha256:f76fa757678f1ab2492be698dc33afbec5ce22b32eebb8a648d5196f9e63ce35
.
Changes
This release includes a new feature for limiting TLS ciphers and upgrades all project dependencies.
Minor Changes
- The TLS v1.2 cipher suites used by the Pinniped Supervisor and Pinniped Concierge can now be configured to be further limited beyond Pinniped's already limited default lists of ciphers. This is configured by a new setting in the ConfigMap for the Supervisor or Concierge. Refer to the documentation of
allowed_ciphers_for_tls_onedottwo
indeploy/supervisor/values.yaml
anddeploy/concierge/values.yaml
. (#1952) - Some small test fixes and linter improvements. (#1992, #1991, #1949, #1947, #1983)
- Updates the Kubernetes libraries to v0.30.2, and updates all other project dependencies. (#1990, #1989, #1988, #1986, #1981)
Diffs
A complete list of changes (45 commits, 250 changed files with 6,589 additions and 4,911 deletions) can be found here.
v0.31.0
Release v0.31.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.31.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.31.0 |
DockerHub |
These images can also be referenced by their digest: sha256:d07ee61c059b36337e17893c91b7bd4ac3c13d0258f9de11759d5b42b7b2060d
.
Changes
This release adds support for using GitHub as an identity provider, along with other new features, and upgrades project dependencies.
Major Changes
- The Pinniped Supervisor now supports using GitHub as an identity provider using browser-based authentication, configured via a new custom resource called GitHubIdentityProvider. (#1978)
- Both github.com and GitHub Enterprise are supported.
- Administrators can optionally limit authentication by GitHub organization membership.
- GitHub team membership is automatically mapped to Kubernetes group membership.
- Frequent session refreshes check that the user's GitHub access token is still valid, revalidate the user's identity, and update the user's group memberships. In a typical setup, any changes to org or team membership will be reflected to end-user sessions within about 5 minutes.
- As with any identity provider in the Supervisor, the administrator can optionally configure policies to restrict authentication by username and group (GitHub team) membership, and can modify usernames and group memberships by configuring CEL expressions on the FederationDomain.
- Note that at least v0.31.0 of the Pinniped CLI should be used by end-users for GitHub authentication.
- End-users of webapp clients configured as OIDCClients in the Supervisor can also authenticate via GitHub.
- For more information see the blog post for this release, the GitHub configuration guide and the GitHubIdentityProvider resource documentation.
- Many PRs were merged into the final cumulative PR #1978 for this feature: #1976, #1975, #1963, #1966, #1960, #1958, #1959, #1860, #1946, #1929, #1944, #1910, #1930, #1908, #1925, #1924, #1907, #1912, #1903, #1900.
Minor Changes
- The Pinniped CLI uses Supervisor discovery endpoints to determine the identity provider types that are supported by that particular Supervisor server. (#1928)
- Documentation updates. (#1953, #1970)
- Developer tooling updates and internal refactors. (#1941, #1939, #1950)
- Updates Go to 1.22.4 the Kubernetes libraries to v0.30.1, and updates all other project dependencies. (#1982, #1979, #1977, #1974, #1973, #1969, #1968, #1967, #1965, #1964, #1962, #1961, #1957, #1954, #1951, #1948, #1945)
Diffs
A complete list of changes (177 commits, 494 changed files with 26,750 additions and 2,482 deletions) can be found here.
v0.30.0
Release v0.30.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.30.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.30.0 |
DockerHub |
These images can also be referenced by their digest: sha256:3955ac6e04db6b87fb992e08302ca9080f1dcfc340deacc82f0f0f4687d535b6
.
Changes
This release includes several new features and upgrades all project dependencies.
Minor Changes
- Added new option to
OIDCClient
resource to allow configuration of ID token lifetime for tokens issued by authcode flows and refresh flows. SeeOIDCClient.spec.tokenLifetimes.idTokenSeconds
in the API docs. (#1914) - Setting the new env var
PINNIPED_SKIP_PRINT_LOGIN_URL=true
will cause the Pinniped CLI to skip printing the login URL when a browser has launched, which can be useful when using console UIs like k9s. (#1938, #1897) WebhookAuthenticator
resources will have detailedstatus
written to them automatically, to aid in debugging. (#1894)WebhookAuthenticators
now honor Pinniped's preferred client TLS configuration, including its preferred allowed TLS v1.2 ciphers. This could be a breaking change if your webhook server is serving requests using only TLS v1.2 (not allowing TLS v1.3) and does not allow any of Pinniped's preferred TLS v1.2 ciphers. Note that Pinniped's preferred TLS v1.2 cipher list is different depending on if it was compiled in FIPS compatibility mode or not. (#1917)- Removed all deprecated deployment options from ytt templates. (#1926)
- Clarified the text in some error messages. (#1932, #1922)
- Added documentation to provide some debugging tips. (#1936, #1904, #1824)
- Updates Go to v1.22.3, updates the Kubernetes libraries to v0.30.0, and updates all other project dependencies. (#1940, #1937, #1935, #1934, #1933, #1931, #1921, #1916, #1913, #1911, #1902, #1899)
Diffs
A complete list of changes (101 commits, 768 changed files with 33,015 additions and 64,816 deletions) can be found here.
v0.29.0
Release v0.29.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.29.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.29.0 |
DockerHub |
These images can also be referenced by their digest: sha256:c78eb3828a6fe87e449e3e666ec933fa6f770967edc195cb6c92e01daf1f2ade
.
Changes
This release includes new features and bug fixes. Starting in this release, and going forward, the container image will be published to ghcr.io
instead of projects.registry.vmware.com
. This release also upgrades all project dependencies.
Minor Changes
- Get the container image from
ghcr.io
by default during deployment of the Concierge or Supervisor. (#1883) - All
JWTAuthenticator
resources will have detailedstatus
written to them automatically, to aid in debugging. (#1851) OIDCClients
will now always request user groups from the external identity provider, and provide these groups to the configuredFederationDomain
identity transformations and policies. See Identity transformations and policies for more details. As before, the final groups list will only be included in the Supervisor-issued ID tokens when thatOIDCClient
is configured withgroups
in the list ofallowedScopes
and that client requests thegroups
scope at the authorization endpoint. (#1871, #1867)- Update the CLI's callback listener to prepare for additional CORS preflight checks that may be included in future releases of Chrome. (#1887, #1882)
- For those compiling Pinniped in FIPS compatibility mode, please note that the Go patch release v1.21.6 is not supported. Earlier and later versions are supported. This is because the Go team upgraded the version of goboring included in 1.21.6, and then reverted that change in v1.21.7. Go 1.22 was released at the same time as Go v1.21.7, and Go 1.22 also does not update goboring, so Go 1.22.x also works for compiling Pinniped in FIPS compatibility mode. (#1841, #1863)
- Updates Go to v1.22.1, updates the Kubernetes libraries to v0.29.2, and updates all other project dependencies. (#1892, #1890, #1885, #1881, #1878, #1876, #1875, #1872, #1870, #1869, #1862, #1858, #1856, #1855, #1854, #1853, #1852, #1850, #1836, #1835, #1830, #1829, #1880, #1861, #1879, #1825, #1877, #1891, #1866, #1884)
Bug Fixes
- The
pinniped login oidc
CLI command checks the lifetime of the access token before performing the RFC8693 token exchange. If needed, it will perform a refresh to get a new access token before the RFC8693 token exchange. (#1864, #1873)
A complete list of changes (121 commits, 1,553 changed files with 54,860 additions and 15,218 deletions) can be found here.
v0.28.0
Release v0.28.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.28.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.28.0 |
DockerHub |
These images can also be referenced by their digest: sha256:069df550a71db7acb41eda1922fe5997c72fab26939c6fd0a0fb544e461c0ac8
.
Changes
This release includes security improvements, new features, and bug fixes. It also upgrades all project dependencies.
Minor Changes
- The Concierge will no longer create a long-lived service account token upon installation, which was previously contained in a Secret in the Concierge's namespace. Instead, it will dynamically fetch short-lived tokens and hold them in-memory in the Pods. Upon upgrade, the old Secret will be automatically deleted. This improves security posture by making it impossible for an RBAC configuration or similar mistake to make this token readable to non-admins, and also by making the token short-lived. Other Secrets in the namespace must still be protected against read by non-admins. (#1733)
- The Supervisor will now show an interstitial web page to allow the end-user to choose one of the configured IDPs, when multiple IDPs are configured, and when the query parameters to the OIDC authorize endpoint do not specify which IDP to use. (#1742)
- A new debugging tool has been added to aid in debugging your LDAPIdentityProvider settings. See hack/debug-ldapidentityprovider.sh. (#1594)
- The
values.yaml
files in theytt
template directories have been converted to useytt
's schema feature. This makes it easier for users or 3rd parties to create Carvel packages using the Dockerfile andytt
templates from the Pinniped repo. At this time, the Pinniped releases on GitHub do not include Carvel packages. (#1701) - The project's Dockerfiles have been updated to add build
ARG
s to choose theBUILD_IMAGE
(golang image used to compile) and theBASE_IMAGE
(base layer of the resulting container image). This will make it easier for users and 3rd parties to choose alternate images when building the project. The default values are the latest golang image and the latestgcr.io/distroless/static
image. The project maintainers will continue to bump the default values when updates of those images are available. (#1776) - Updates Go to v1.21.5, updates the Kubernetes libraries to v0.28.4, and updates all other project dependencies. (#1815, #1808, #1807, #1804, #1803, #1801, #1793, #1791, #1788, #1779, #1775, #1772, #1771, #1767, #1763, #1755, #1751, #1748, #1741, #1738, #1735, #1734, #1732, #1721, #1752)
Bug Fixes
pinniped whoami
has a new--timeout
parameter, which defaults to no timeout. This replaces a hardcoded timeout which causedpinniped whoami
to fail when a user took more than 20 seconds to complete a fresh interactive login. (#1774)
Diffs
A complete list of changes (111 commits, 188 changed files with 6,808 additions and 2,382 deletions) can be found here.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server
instead of projects.registry.vmware.com/pinniped/pinniped-server
.
v0.27.0
Release v0.27.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.27.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.27.0 |
DockerHub |
These images can also be referenced by their digest: sha256:8bfe6fe313bf915da228579e48a7f2575aaea0fd9c27385735cb807d701d0131
.
Changes
This release introduces support for ARM64. It also includes some minor changes, bug fixes, and upgrades all project dependencies.
Major Changes
- Pinniped's GitHub releases will now include support for arm64 going forward. (#1699, #1702, #1703)
- The Pinniped Concierge and Supervisor container images used in these GitHub releases are now multi-arch amd64/arm64 images. These deployments can now run seamlessly on either linux/amd64 or linux/arm64 Kubernetes nodes.
- The Pinniped CLI binaries attached to these GitHub releases will now also include arm64 binaries.
Minor Changes
- The Pinniped CLI will now show a login banner before prompting for username and password at the CLI prompt during LDAP, AD, or OIDC password grant login via the Supervisor. The banner will show the configured display name of the identity provider from the FederationDomain. (#1691)
- The
pinniped get kubeconfig
CLI command has a new optional argument--pinniped-cli-path
. This can be used to set the full path or executable name for the Pinniped CLI in the resulting kubeconfig. For example, using--pinniped-cli-path=pinniped
will usepinniped
as the path, and during login the binary namedpinniped
will be found via the user's path. This allows kubeconfigs to be more easily shared between users compared to the default behavior, which is to include the full path to the Pinniped CLI binary that was used to invokepinnniped get kubeconfig
. (#1690) - Updates Go to v1.21.2 and updates all other project dependencies. (#1715, #1714, #1713, #1711, #1698, #1685)
- Some developer tooling was improved for the project maintainers and contributors. (#1696, #1692)
- Some small documentation updates. (#1661, #1687, #1716)
Bug Fixes
- Fix a bug introduced in v0.18.0 which slowed down the shutdown of the Pinniped pods and prevented the leader pod from releasing its lease, which caused it take take several minutes before replacement Pinniped pods could regain the lease and become fully operational. (#1688, #1695)
- Certain uncommon errors during login that were previously only shown in the CLI's output will now also be shown in the browser. (#1694, #1697) Note that these changes will make this version of the Supervisor incompatible with with very old versions of the Pinniped CLI (prior to v0.14.0) for Chrome and Edge browsers (due to them sending CORS preflight requests).
- Stop using the
scheduler.alpha.kubernetes.io/critical-pod
annotation to avoid seeing warnings that it has been removed from Kubernetes. (#1693)
Diffs
A complete list of changes (51 commits, 151 changed files with 1,640 additions and 1,543 deletions) can be found here.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server
instead of projects.registry.vmware.com/pinniped/pinniped-server
.
v0.26.0
Release v0.26.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.26.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.26.0 |
DockerHub |
These images can also be referenced by their digest: sha256:a92183de893eb0b1850cc3a1d33306b96ba2cdb72a8a49c6493a58c01b4fa9cd
.
Changes
This release introduces new features for using multiple identity providers, and identity transformation and policy expressions. It also includes some minor changes and upgrades all project dependencies.
Major Changes
- The Pinniped Supervisor can now be configured to source user identities from multiple identity providers (#1660). It can also be configured to transform usernames and group names using CEL expressions, and to reject authentication based on usernames and group names using CEL expressions. For more information, see the blog post for this release.
Minor Changes
- Updates the output of the
pinniped version
CLI command and the procedure for setting the version number at build time (#1634). Thepinniped version
CLI command also now accepts new optional arguments-o json
and-o yaml
to set an alternate output format. Note that this PR changes how to inject the version number into the CLI and server binaries at build time. Anyone who is doing their own Docker build, or using their own custom Dockerfile, or building the CLI, may need to change how the version number is injected at build time, if they choose to have a version number for their server and CLI binaries. Export theKUBE_GIT_VERSION
environment variable to set the semver version number before callinghack/get-ldflags.sh
to set the ldflags for thego build
command. For example, set theKUBE_GIT_VERSION
variable tov0.26.0
. When using the project's Dockerfile, this value can be passed as a build ARG. When building the CLI, useexport KUBE_GIT_VERSION=v0.26.0 && CGO_ENABLED=0 GOOS="darwin" GOARCH="amd64" go build -trimpath -ldflags "$(hack/get-ldflags.sh)" ./cmd/pinniped
. - Refactors to use
Conditions
type from the Kubernetes library (#1644). If you are using the generated client code in a Golang project, you may need to change yourimport
statements for theConditions
type used by several Pinniped types to import it from thek8s.io/apimachinery/pkg/apis/meta/v1
library. - Updates Go to v1.21.1, update Kubernetes libraries to v0.28.2, and updates all other project dependencies (#1630, #1646, #1647, #1664, #1674, #1675, #1676, #1677).
- Improves logging for debugging Pinniped Supervisor ingress and TLS certificate configuration problems at the default log level (#1662).
- Documentation and minor web site updates (#1419, #1621, #1631, #1654, #1663)
Bug Fixes
- Fix an error that can occur in the Concierge when the cluster has been configured to automatically inject sidecar containers into every pod, including the kube cert agent pod (#1682).
Diffs
A complete list of changes (148 commits, 1,179 changed files with 27,130 additions and 108,272 deletions) can be found here.
Acknowledgements
Thanks to @djpbessems for providing suggestions and feedback for one of the docs PRs (#1631).
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server
instead of projects.registry.vmware.com/pinniped/pinniped-server
.