Releases: vmware/pinniped
v0.43.0
Release v0.43.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware/pinniped/pinniped-server:v0.43.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.43.0 |
DockerHub |
These images can also be referenced by their digest: sha256:cd16380e1159fea4c1c6d79386548a000ca214e6a09f881af09e9ac59db962e0.
Changes
This release upgrades the project's golang dependencies to the latest versions.
Minor Changes
- Updates the Kubernetes libraries to v0.35.0, Golang to v1.25.5, and updates all other project dependencies. (#2821, #2812, #2806, #2804, #2785, #2780, #2707, #2696, #2701, #2695)
Diffs
A complete list of changes (32 commits, 992 changed files with 20,044 additions and 67,392 deletions) can be found here.
v0.42.0
Release v0.42.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware/pinniped/pinniped-server:v0.42.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.42.0 |
DockerHub |
These images can also be referenced by their digest: sha256:7f901305b659e9ed3c5b32ab273141430202f2b5fa697616574753a96c845537.
Changes
This release adds some more advanced configuration options for the Concierge's kube cert agent Deployment.
Minor Changes
- Adds a new configuration option which can be used in the Concierge's ConfigMap to change the kube cert agent Deployment's strategy type. See PR description for details. (#2690)
- Adds a new configuration option which can be used in the Concierge's ConfigMap to change the kube cert agent Deployment's pod template
runAsUserandrunAsGroup. See PR description for details. (#2683) - Updates the Kubernetes libraries to v0.33.5, Golang to v1.25.3, and updates all other project dependencies. (#2676, #2590)
Diffs
A complete list of changes (15 commits, 32 changed files with 648 additions and 205 deletions) can be found here.
v0.41.0
Release v0.41.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware/pinniped/pinniped-server:v0.41.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.41.0 |
DockerHub |
These images can also be referenced by their digest: sha256:7f8f5822e762396fe964ec4737bb02c3370be1eb7edd087079c80f9b3caaa061.
Changes
This release enables the use of ADFS with the Pinniped Supervisor and upgrades dependencies.
Major Changes
- The Pinniped Supervisor supports OIDC-compliant providers, along with several other identity provider types. However, ADFS does not correctly implement the OIDC specification, so it was not previously supported. This release provides a workaround so that the Pinniped Supervisor can be configured to use ADFS as an OIDCIdentityProvider. See PR #2580's description for more documentation.
Minor Changes
- Updates the Kubernetes libraries to v0.33.4, Golang to v1.25.0, and updates all other project dependencies. (#2588, #2577, #2573, #2536, #2531, #2529)
Diffs
A complete list of changes (20 commits, 112 changed files with 679 additions and 256 deletions) can be found here.
v0.40.0
Release v0.40.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware/pinniped/pinniped-server:v0.40.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.40.0 |
DockerHub |
These images can also be referenced by their digest: sha256:fb3c48175998700ecaaa629e05aacc79c7f1ac47f457655668ca8fb984ae5557.
Changes
This release adds new features to JWTAuthenticator and upgrades dependencies.
Major Changes
- Starting with this release, container images for the release will no longer be pushed to
ghcr.io/vmware-tanzu/pinniped/pinniped-server. For this release and for future releases, container images will be pushed toghcr.io/vmware/pinniped/pinniped-serverinstead. This is because the Pinniped GitHub repository was recently moved from thevmware-tanzuGitHub organization to thevmwareorganization. GitHub automatically redirects most things from the old location to the new location, but not the container image repository. (#2526) - The Pinniped
JWTAuthenticatorhas several new features which are meant to be similar to features found in KubernetesAuthenticationConfiguration. (#2491) These are all expert user features and should be used with caution. See the Pinniped API docs for full documentation. The new features are:spec.claimValidationRules: works likejwt[].claimValidationRulesspec.userValidationRules: works likejwt[].userValidationRulesspec.claims.usernameExpression: works likejwt[].claimMappings.username.expressionspec.claims.groupsExpression: works likejwt[].claimMappings.groups.expressionspec.claims.extra: works likejwt[].claimMappings.extra- Note that while these extras will be added to the client certificate issued by the Pinniped Concierge during end user login, Kubernetes will not respect these extras because Kubernetes has no mechanism for userInfo extras from a client cert. This will probably only be useful if you are using a custom auth proxy in front of Kubernetes.
- Also note that unlike in Kubernetes structured auth, the keys for these extras in Pinniped are not allowed to contain the
=character.
Minor Changes
- Updates the Kubernetes libraries to v0.33.3, Golang to v1.24.4, and updates all other project dependencies. (#2482, #2475, #2473, #2471, #2393, #2525, #2528)
- Makes some minor changes to accommodate Pinniped's CI system moving. (#2514, #2506, #2485, #2461)
Diffs
A complete list of changes (45 commits, 199 changed files with 9,549 additions and 1,229 deletions) can be found here.
v0.39.0
Release v0.39.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.39.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.39.0 |
DockerHub |
These images can also be referenced by their digest: sha256:e05962e09ffcf964184718fb790a6099c2f295897b8e96e95cb8a3f87a9d64c8.
Changes
Add a feature to set spec.priorityClassName for the kube-cert-agent pod created by Concierge.
Major Changes
- Added a feature to set
spec.priorityClassNamefor thekube-cert-agentpod created by Concierge. For more information see the issue #2349 and the PR #2389. It's possible to set thespec.priorityClassNamefor the Concierge and Supervisor pods by changing the manifest (if using the provided./deploydirectory, use ayttoverlay).
Minor Changes
- Updated many golang dependencies. See the
go.modfile for details - Added Pinniped golang codegen for K8s 1.32 and 1.33. Removed Pinniped codegen for K8s 1.25.
Bug Fixes
- N/A
Diffs
A complete list of changes can be found here.
Acknowledgements
Thanks to @luwangVMW for issue #2349
Contributors
Assets 13
v0.38.0
Release v0.38.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.38.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.38.0 |
DockerHub |
These images can also be referenced by their digest: sha256:cc1769112d738ff95a3f8430d254d8546fc254d2cbc065f916b88d83ceb22c65.
Changes
This release includes several new features and upgrades project dependencies.
Minor Changes
- The Pinniped Supervisor now supports using
response_mode=form_postwith an OIDCIdentityProvider. Some versions of ADFS might require this in order for Pinniped to receive certain claims in the ADFS-issued ID token. (#2254) - The
pinniped get kubeconfigCLI command now auto-discovers the issuer's CA bundle from a JWTAuthenticator's spec.TLS.CertificateAuthorityDataSource, and this CA bundle is written into the resulting kubeconfig. (#2193) - The
FederationDomain.spec.issuerfield must start withhttps://. This was previously validated after the resource was created. Now this validation will cause resource creation to fail. (#2167) - The long-deprecated
CredentialIssuer.status.kubeConfigInfofield has been removed. (#2167) - Both the Pinniped Supervisor and the Pinniped Concierge have a new configuration option available in their respective ConfigMaps to disable various types of dynamic admission plugins for their aggregated APIs. It is not typically necessary to disable these admission plugins. This feature was added because having lots of ValidatingAdmissionPolicies on your cluster can cause the Pinniped and Kubernetes API server pods to use lots of memory. For more information, see the description of PR #2269. (#2269)
- When compiling for FIPS compatibility, this release is designed to be used with Go 1.24, which included an updated version of boringcrypto. Note that Pinniped is still designed to be used with
GOEXPERIMENT=boringcrypto, and has not yet been tested with Go 1.24's newfips140GODEBUG setting. When compiled using hack/Dockerfile_fips, the Pinniped Concierge and Supervisor servers will allow the use of both TLS 1.2 and TLS 1.3, because Go 1.24 now supports both with its updated version of boringcrypto. As a result, thefips_enable_tls13_max_for_default_profilebuild tag, which could previously be used to allow the use of TLS 1.3 in FIPS-compatible mode, is no longer needed, as that is now the default behavior. Also drops the use of two insecure ciphers that have been dropped by boringcrypto. (#2203) - Updates the Kubernetes libraries to v0.31.6, Golang to v1.24.1, and updates all other project dependencies. (#2276, #2268, #2266, #2264, #2249, #2239, #2236, #2233, #2228, #2209, #2205, #2197, #2196, #2195, #2192, #2191, #2190, #2189, #2188, #2187, #2186, #2278)
- Some additional changes were made to improve tests. (#2253, #2250)
Diffs
A complete list of changes (81 commits, 179 changed files with 2,049 additions and 1,535 deletions) can be found here.
Acknowledgements
- Thanks to @devantler for reporting the issue fixed by #2193.
- Thanks to @graindcafe for reporting the issue fixed by #2254.
Contributors
Assets 13
v0.37.0
Release v0.37.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.37.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.37.0 |
DockerHub |
These images can also be referenced by their digest: sha256:ec64e6b4b5b4c70740582134bef9e249bdd8760dfde45880a862a4389cd2b809.
Changes
This release makes a small improvement to audit logging. It also includes other enhancements and upgrades project dependencies.
Minor Changes
- The
remoteAddrkey in the Supervisor'sHTTP Request Receivedaudit log event has been removed and replaced with a new key calledsourceIPs. The value ofsourceIPsis always an array of string IP addresses, and the last item in the list is always the address that was previously shown as theremoteAddr. Other items in the list can come from theX-Forwarded-ForandX-Real-Iprequest headers. SeesourceIPsin https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1 for details. (#2174) - Updates the Kubernetes libraries to v0.31.4 and updates most other project dependencies. Note that the Kubernetes libraries were not upgraded to v0.32.0 due to a bug in one of those packages (see kubernetes/kubernetes#128548). (#2182, #2181, #2179, #2176, #2173, #2171, #2170, #2169, #2158, #2156, #2155, #2184, #2185)
- Some documentation and developer tooling improvements. (#2177, #2175, #2166, #2163)
- Introduces new build tags to optionally override some min and max TLS settings, which may be useful to those who build their own custom Pinniped container images. See PR description for details. (#2162)
Diffs
A complete list of changes (46 commits, 125 changed files with 781 additions and 817 deletions) can be found here.
v0.36.0
Release v0.36.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.36.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.36.0 |
DockerHub |
These images can also be referenced by their digest: sha256:e5a1a9e75e41b6f8c978f7466216c6119757305c824a15a346bae19da5f5ada6.
Changes
This release introduces new audit logging capabilities. It also includes other enhancements and upgrades all project dependencies.
Major Changes
- Authentication-related events are now audit-logged into the Supervisor and Concierge pod logs, allowing an administrator to trace a user's authentication journey across multiple clusters. They are marked with the JSON key-value pair
"auditEvent":true. For more information, see the audit logging documentation. (#2009, #2154)
Minor Changes
- The Concierge's controller which creates the "cert agent" Deployment now pays attention to which nodes are marked as unschedulable. When there are multiple running controller-manager pods to choose from, the controller will prefer to co-locate the cert agent pod with one that is running on a node which allows scheduling pods (where
spec.unschedulableis equal to false), if possible. This has the effect of moving the pod away from nodes that are cordoned or are being drained, when another node is available. (#2143) - Updates the Kubernetes libraries to v0.31.3, Golang to v1.23.4, and updates all other project dependencies. (#2153, #2152, #2150, #2147, #2145, #2142, #2139, #2123, #2121, #2119, #2109, #2107, #2100)
- Some small refactors and test improvements. (#2101, #2095, #2094)
Diffs
A complete list of changes (120 commits, 136 changed files with 7,853 additions and 1,258 deletions) can be found here.
Acknowledgements
Thanks to @trouphaz for reporting the issue that led to the improvement made by #2143.
Contributors
Assets 13
v0.35.0
Release v0.35.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.35.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.35.0 |
DockerHub |
These images can also be referenced by their digest: sha256:bf926dfd78ecca75fce0e43e243021dd9c122bd2cd94d38187b3c9f80138fca4.
Changes
This release fixes a bug where updating some spec fields of JWTAuthenticators did not take effect immediately. It also upgrades all project dependencies.
Minor Changes
- Updates the Kubernetes libraries to v0.31.2, and updates all other project dependencies. (#2093, #2088, #2086, #2084, #2082, #2076, #2075, #2074, #2072)
- The configuration and code for Pinniped's CI system and jobs have been made public in the
cibranch of this repo. (#2077)
Bug Fixes
- Fixes a bug introduce in Pinniped v0.33.0 where changing the
spec.audienceand/orspec.claimsfields of an existing JWTAuthenticator (without changing any other spec fields) did not take effect until the next time the Concierge pods are restarted, even though those spec changes should take effect immediately. (#2090)
Diffs
A complete list of changes (31 commits, 116 changed files with 790 additions and 424 deletions) can be found here.
v0.34.0
Release v0.34.0
Release Image
| Image | Registry |
|---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.34.0 |
GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.34.0 |
DockerHub |
These images can also be referenced by their digest: sha256:fe17d873d146347defe440ee53b7b4b31416e56a66c6e73312cc482f93e2c898.
Changes
This release fixes a bug when calculating status conditions for WebhookAuthenticators and GitHubIdentityProviders in the presence of HTTPS_PROXY. It also includes some other minor changes, bug fixes, and upgrades all project dependencies.
Minor Changes
- Updates Go to v1.23.2, updates the Kubernetes libraries to v0.31.1, and updates all other project dependencies. (#2071, #2068, #2067, #2064, #2063, #2059, #2058, #2057, #2052, #2047, #2048, #2046, #2045, #2044, #2042, #2041)
- Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2061, #2049, #2037)
- Some small documentation updates. (#2050, #2038, #2039)
Bug Fixes
- When the
HTTPS_PROXYenvironment variable was set for the Concierge pods, the Concierge would not use the proxy setting while calculating the status conditions of WebhookAuthenticators. This could cause the connection probe to fail and the WebhookAuthenticator to be incorrectly put into an error status, making it unusable. This bug was introduced in v0.30.0 when the WebhookAuthenticator status conditions were introduced. This release fixes the bug by automatically skipping the connection probe when theHTTPS_PROXYandNO_PROXYenvironment variable values would cause requests to the WebhookAuthenticator's configured URL to be made through the proxy. (#2069) Additionally, thetls.Dialused in this connection probe was assigned a timeout. (#2056, #2065) - When the
HTTPS_PROXYenvironment variable was set for the Supervisor pods, the Supervisor would not use the proxy setting while calculating the status conditions of GitHubIdentityProviders. This could cause the connection probe to fail and the GitHubIdentityProvider to be incorrectly put into an error status, making it unusable. This bug was introduced in v0.31.0 when GitHubIdentityProviders were first introduced. This release fixes the bug by respecting the values of theHTTPS_PROXYandNO_PROXYenvironment variables during the connection probe to the configured GitHub server. (#2069) - When the Concierge finds a controller-manager pod and tries to parse its configured command-line flags, it previously looked for the flags
--cluster-signing-cert-fileand--cluster-signing-key-file. Now it will also look for the alternate flags--cluster-signing-kube-apiserver-client-key-fileand--cluster-signing-kube-apiserver-client-cert-file. This could potentially help make the Concierge compatible with more Kubernetes distributions. For more information, please see the PR description. (#2043)
Diffs
A complete list of changes (113 commits, 421 changed files with 25,654 additions and 11,665 deletions) can be found here.