v0.38.0

Release v0.38.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.38.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.38.0	DockerHub

These images can also be referenced by their digest: sha256:cc1769112d738ff95a3f8430d254d8546fc254d2cbc065f916b88d83ceb22c65.

Changes

This release includes several new features and upgrades project dependencies.

Minor Changes

• The Pinniped Supervisor now supports using response_mode=form_post with an OIDCIdentityProvider. Some versions of ADFS might require this in order for Pinniped to receive certain claims in the ADFS-issued ID token. (#2254)
• The pinniped get kubeconfig CLI command now auto-discovers the issuer's CA bundle from a JWTAuthenticator's spec.TLS.CertificateAuthorityDataSource, and this CA bundle is written into the resulting kubeconfig. (#2193)
• The FederationDomain.spec.issuer field must start with https://. This was previously validated after the resource was created. Now this validation will cause resource creation to fail. (#2167)
• The long-deprecated CredentialIssuer.status.kubeConfigInfo field has been removed. (#2167)
• Both the Pinniped Supervisor and the Pinniped Concierge have a new configuration option available in their respective ConfigMaps to disable various types of dynamic admission plugins for their aggregated APIs. It is not typically necessary to disable these admission plugins. This feature was added because having lots of ValidatingAdmissionPolicies on your cluster can cause the Pinniped and Kubernetes API server pods to use lots of memory. For more information, see the description of PR #2269. (#2269)
• When compiling for FIPS compatibility, this release is designed to be used with Go 1.24, which included an updated version of boringcrypto. Note that Pinniped is still designed to be used with GOEXPERIMENT=boringcrypto, and has not yet been tested with Go 1.24's new fips140 GODEBUG setting. When compiled using hack/Dockerfile_fips, the Pinniped Concierge and Supervisor servers will allow the use of both TLS 1.2 and TLS 1.3, because Go 1.24 now supports both with its updated version of boringcrypto. As a result, the fips_enable_tls13_max_for_default_profile build tag, which could previously be used to allow the use of TLS 1.3 in FIPS-compatible mode, is no longer needed, as that is now the default behavior. Also drops the use of two insecure ciphers that have been dropped by boringcrypto. (#2203)
• Updates the Kubernetes libraries to v0.31.6, Golang to v1.24.1, and updates all other project dependencies. (#2276, #2268, #2266, #2264, #2249, #2239, #2236, #2233, #2228, #2209, #2205, #2197, #2196, #2195, #2192, #2191, #2190, #2189, #2188, #2187, #2186, #2278)
• Some additional changes were made to improve tests. (#2253, #2250)

Diffs

A complete list of changes (81 commits, 179 changed files with 2,049 additions and 1,535 deletions) can be found here.

Acknowledgements

• Thanks to @devantler for reporting the issue fixed by #2193.
• Thanks to @graindcafe for reporting the issue fixed by #2254.

v0.37.0

Release v0.37.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.37.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.37.0	DockerHub

These images can also be referenced by their digest: sha256:ec64e6b4b5b4c70740582134bef9e249bdd8760dfde45880a862a4389cd2b809.

Changes

This release makes a small improvement to audit logging. It also includes other enhancements and upgrades project dependencies.

Minor Changes

• The remoteAddr key in the Supervisor's HTTP Request Received audit log event has been removed and replaced with a new key called sourceIPs. The value of sourceIPs is always an array of string IP addresses, and the last item in the list is always the address that was previously shown as the remoteAddr. Other items in the list can come from the X-Forwarded-For and X-Real-Ip request headers. See sourceIPs in https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1 for details. (#2174)
• Updates the Kubernetes libraries to v0.31.4 and updates most other project dependencies. Note that the Kubernetes libraries were not upgraded to v0.32.0 due to a bug in one of those packages (see kubernetes/kubernetes#128548). (#2182, #2181, #2179, #2176, #2173, #2171, #2170, #2169, #2158, #2156, #2155, #2184, #2185)
• Some documentation and developer tooling improvements. (#2177, #2175, #2166, #2163)
• Introduces new build tags to optionally override some min and max TLS settings, which may be useful to those who build their own custom Pinniped container images. See PR description for details. (#2162)

Diffs

A complete list of changes (46 commits, 125 changed files with 781 additions and 817 deletions) can be found here.

v0.36.0

Release v0.36.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.36.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.36.0	DockerHub

These images can also be referenced by their digest: sha256:e5a1a9e75e41b6f8c978f7466216c6119757305c824a15a346bae19da5f5ada6.

Changes

This release introduces new audit logging capabilities. It also includes other enhancements and upgrades all project dependencies.

Major Changes

• Authentication-related events are now audit-logged into the Supervisor and Concierge pod logs, allowing an administrator to trace a user's authentication journey across multiple clusters. They are marked with the JSON key-value pair "auditEvent":true. For more information, see the audit logging documentation. (#2009, #2154)

Minor Changes

• The Concierge's controller which creates the "cert agent" Deployment now pays attention to which nodes are marked as unschedulable. When there are multiple running controller-manager pods to choose from, the controller will prefer to co-locate the cert agent pod with one that is running on a node which allows scheduling pods (where spec.unschedulable is equal to false), if possible. This has the effect of moving the pod away from nodes that are cordoned or are being drained, when another node is available. (#2143)
• Updates the Kubernetes libraries to v0.31.3, Golang to v1.23.4, and updates all other project dependencies. (#2153, #2152, #2150, #2147, #2145, #2142, #2139, #2123, #2121, #2119, #2109, #2107, #2100)
• Some small refactors and test improvements. (#2101, #2095, #2094)

Diffs

A complete list of changes (120 commits, 136 changed files with 7,853 additions and 1,258 deletions) can be found here.

Acknowledgements

Thanks to @trouphaz for reporting the issue that led to the improvement made by #2143.

v0.35.0

Release v0.35.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.35.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.35.0	DockerHub

These images can also be referenced by their digest: sha256:bf926dfd78ecca75fce0e43e243021dd9c122bd2cd94d38187b3c9f80138fca4.

Changes

This release fixes a bug where updating some spec fields of JWTAuthenticators did not take effect immediately. It also upgrades all project dependencies.

Minor Changes

• Updates the Kubernetes libraries to v0.31.2, and updates all other project dependencies. (#2093, #2088, #2086, #2084, #2082, #2076, #2075, #2074, #2072)
• The configuration and code for Pinniped's CI system and jobs have been made public in the ci branch of this repo. (#2077)

Bug Fixes

• Fixes a bug introduce in Pinniped v0.33.0 where changing the spec.audience and/or spec.claims fields of an existing JWTAuthenticator (without changing any other spec fields) did not take effect until the next time the Concierge pods are restarted, even though those spec changes should take effect immediately. (#2090)

Diffs

A complete list of changes (31 commits, 116 changed files with 790 additions and 424 deletions) can be found here.

v0.34.0

Release v0.34.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.34.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.34.0	DockerHub

These images can also be referenced by their digest: sha256:fe17d873d146347defe440ee53b7b4b31416e56a66c6e73312cc482f93e2c898.

Changes

This release fixes a bug when calculating status conditions for WebhookAuthenticators and GitHubIdentityProviders in the presence of HTTPS_PROXY. It also includes some other minor changes, bug fixes, and upgrades all project dependencies.

Minor Changes

• Updates Go to v1.23.2, updates the Kubernetes libraries to v0.31.1, and updates all other project dependencies. (#2071, #2068, #2067, #2064, #2063, #2059, #2058, #2057, #2052, #2047, #2048, #2046, #2045, #2044, #2042, #2041)
• Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2061, #2049, #2037)
• Some small documentation updates. (#2050, #2038, #2039)

Bug Fixes

• When the HTTPS_PROXY environment variable was set for the Concierge pods, the Concierge would not use the proxy setting while calculating the status conditions of WebhookAuthenticators. This could cause the connection probe to fail and the WebhookAuthenticator to be incorrectly put into an error status, making it unusable. This bug was introduced in v0.30.0 when the WebhookAuthenticator status conditions were introduced. This release fixes the bug by automatically skipping the connection probe when the HTTPS_PROXY and NO_PROXY environment variable values would cause requests to the WebhookAuthenticator's configured URL to be made through the proxy. (#2069) Additionally, the tls.Dial used in this connection probe was assigned a timeout. (#2056, #2065)
• When the HTTPS_PROXY environment variable was set for the Supervisor pods, the Supervisor would not use the proxy setting while calculating the status conditions of GitHubIdentityProviders. This could cause the connection probe to fail and the GitHubIdentityProvider to be incorrectly put into an error status, making it unusable. This bug was introduced in v0.31.0 when GitHubIdentityProviders were first introduced. This release fixes the bug by respecting the values of the HTTPS_PROXY and NO_PROXY environment variables during the connection probe to the configured GitHub server. (#2069)
• When the Concierge finds a controller-manager pod and tries to parse its configured command-line flags, it previously looked for the flags --cluster-signing-cert-file and --cluster-signing-key-file. Now it will also look for the alternate flags --cluster-signing-kube-apiserver-client-key-file and --cluster-signing-kube-apiserver-client-cert-file. This could potentially help make the Concierge compatible with more Kubernetes distributions. For more information, please see the PR description. (#2043)

Diffs

A complete list of changes (113 commits, 421 changed files with 25,654 additions and 11,665 deletions) can be found here.

v0.33.0

Release v0.33.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.33.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.33.0	DockerHub

These images can also be referenced by their digest: sha256:0f9591eefa6e865988217c9c1b33312bd48056df1f271ddc8ae8ba7c851a6a0f.

Changes

This release introduces support for dynamically reading CA bundles from ConfigMaps or Secrets. It also includes some minor changes, bug fixes, and upgrades all project dependencies.

Major Changes

• All custom resource types that configure Pinniped to act as an HTTPS client to some external server have been updated to optionally allow the CA bundle used to verify those HTTPS connections to be configured in a ConfigMap or Secret, which will by dynamically watched by Pinniped for updates. (#1984, #1996)
  • This includes the JWTAuthenticator, WebhookAuthenticator, OIDCIdentityProvider, GitHubIdentityProvider, ActiveDirectoryIdentityProvider, and LDAPIdentityProvider resources.
  • This makes it easier for your CA bundles to be configured and managed externally by cert-manager, trust-manager, or any other automation tools.
  • See the API docs for the Concierge TLSSpec and the very similar Supervisor TLSSpec.
  • See the blog post announcing this feature.

Minor Changes

• A new Status printer column was added to the table output for WebhookAuthenticator and JWTAuthenticator. The value shown in the column is the status.Phase of the resource. (#1996)
• To be consistent with other Pinniped custom resources, enhanced OIDCIdentityProvider, LDAPIdentityProvider, and ActiveDirectoryIdentityProvider to report status.conditions with status Unknown when it cannot perform a validation due to a configuration problem already reported on another status condition. (#2034)
• Updates Go to v1.21.5, updates the Kubernetes libraries to v0.30.3, and updates all other project dependencies. (#2036, #2035, #2030, #2026, #2023, #2021, #2020, #2019, #2018, #2015, #2014, #2012, #2008, #2011, #2007, #2005, #2004, #2003, #2001, #1999, #1998, #1997, #1995)
• Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2033, #2024, #2010)
• Some small documentation updates. (#2028, #1993)

Bug Fixes

• Fixes a bug for JWTAuthenticators and WebhookAuthenticators where their status was not always being updated after its initial creation. (#1996)
• Host names with upper case characters were previously considered invalid by several Pinniped custom resources. Now mixed-case host names will be allowed. (#2022)
• When testing connection for GitHubIdentityProvider's default host github.com, actually dial api.github.com for status.conditions validation purposes, because api.github.com is the host that will actually be used during end-user authentication. (#2032)
• WebhookAuthenticators and JWTAuthenticators which were previously validated, and then become invalid due to a spec change, are not considered usable for end-user authentication anymore. To reduce the number of TCP dials to the remote server made during validation, WebhookAuthenticators and JWTAuthenticators that are already validated by a Concierge pod will not be validated again by that same pod unless the spec changes, the specified CA bundle changes, or the pod restarts. (#2013)

Diffs

A complete list of changes (186 commits, 258 changed files with 15,058 additions and 3,036 deletions) can be found here.

v0.32.0

Release v0.32.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.32.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.32.0	DockerHub

These images can also be referenced by their digest: sha256:f76fa757678f1ab2492be698dc33afbec5ce22b32eebb8a648d5196f9e63ce35.

Changes

This release includes a new feature for limiting TLS ciphers and upgrades all project dependencies.

Minor Changes

• The TLS v1.2 cipher suites used by the Pinniped Supervisor and Pinniped Concierge can now be configured to be further limited beyond Pinniped's already limited default lists of ciphers. This is configured by a new setting in the ConfigMap for the Supervisor or Concierge. Refer to the documentation of allowed_ciphers_for_tls_onedottwo in deploy/supervisor/values.yaml and deploy/concierge/values.yaml. (#1952)
• Some small test fixes and linter improvements. (#1992, #1991, #1949, #1947, #1983)
• Updates the Kubernetes libraries to v0.30.2, and updates all other project dependencies. (#1990, #1989, #1988, #1986, #1981)

Diffs

A complete list of changes (45 commits, 250 changed files with 6,589 additions and 4,911 deletions) can be found here.

v0.31.0

Release v0.31.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.31.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.31.0	DockerHub

These images can also be referenced by their digest: sha256:d07ee61c059b36337e17893c91b7bd4ac3c13d0258f9de11759d5b42b7b2060d.

Changes

This release adds support for using GitHub as an identity provider, along with other new features, and upgrades project dependencies.

Major Changes

• The Pinniped Supervisor now supports using GitHub as an identity provider using browser-based authentication, configured via a new custom resource called GitHubIdentityProvider. (#1978)
  • Both github.com and GitHub Enterprise are supported.
  • Administrators can optionally limit authentication by GitHub organization membership.
  • GitHub team membership is automatically mapped to Kubernetes group membership.
  • Frequent session refreshes check that the user's GitHub access token is still valid, revalidate the user's identity, and update the user's group memberships. In a typical setup, any changes to org or team membership will be reflected to end-user sessions within about 5 minutes.
  • As with any identity provider in the Supervisor, the administrator can optionally configure policies to restrict authentication by username and group (GitHub team) membership, and can modify usernames and group memberships by configuring CEL expressions on the FederationDomain.
  • Note that at least v0.31.0 of the Pinniped CLI should be used by end-users for GitHub authentication.
  • End-users of webapp clients configured as OIDCClients in the Supervisor can also authenticate via GitHub.
  • For more information see the blog post for this release, the GitHub configuration guide and the GitHubIdentityProvider resource documentation.
  • Many PRs were merged into the final cumulative PR #1978 for this feature: #1976, #1975, #1963, #1966, #1960, #1958, #1959, #1860, #1946, #1929, #1944, #1910, #1930, #1908, #1925, #1924, #1907, #1912, #1903, #1900.

Minor Changes

• The Pinniped CLI uses Supervisor discovery endpoints to determine the identity provider types that are supported by that particular Supervisor server. (#1928)
• Documentation updates. (#1953, #1970)
• Developer tooling updates and internal refactors. (#1941, #1939, #1950)
• Updates Go to 1.22.4 the Kubernetes libraries to v0.30.1, and updates all other project dependencies. (#1982, #1979, #1977, #1974, #1973, #1969, #1968, #1967, #1965, #1964, #1962, #1961, #1957, #1954, #1951, #1948, #1945)

Diffs

A complete list of changes (177 commits, 494 changed files with 26,750 additions and 2,482 deletions) can be found here.

v0.30.0

Release v0.30.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.30.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.30.0	DockerHub

These images can also be referenced by their digest: sha256:3955ac6e04db6b87fb992e08302ca9080f1dcfc340deacc82f0f0f4687d535b6.

Changes

This release includes several new features and upgrades all project dependencies.

Minor Changes

• Added new option to OIDCClient resource to allow configuration of ID token lifetime for tokens issued by authcode flows and refresh flows. See OIDCClient.spec.tokenLifetimes.idTokenSeconds in the API docs. (#1914)
• Setting the new env var PINNIPED_SKIP_PRINT_LOGIN_URL=true will cause the Pinniped CLI to skip printing the login URL when a browser has launched, which can be useful when using console UIs like k9s. (#1938, #1897)
• WebhookAuthenticator resources will have detailed status written to them automatically, to aid in debugging. (#1894)
• WebhookAuthenticators now honor Pinniped's preferred client TLS configuration, including its preferred allowed TLS v1.2 ciphers. This could be a breaking change if your webhook server is serving requests using only TLS v1.2 (not allowing TLS v1.3) and does not allow any of Pinniped's preferred TLS v1.2 ciphers. Note that Pinniped's preferred TLS v1.2 cipher list is different depending on if it was compiled in FIPS compatibility mode or not. (#1917)
• Removed all deprecated deployment options from ytt templates. (#1926)
• Clarified the text in some error messages. (#1932, #1922)
• Added documentation to provide some debugging tips. (#1936, #1904, #1824)
• Updates Go to v1.22.3, updates the Kubernetes libraries to v0.30.0, and updates all other project dependencies. (#1940, #1937, #1935, #1934, #1933, #1931, #1921, #1916, #1913, #1911, #1902, #1899)

Diffs

A complete list of changes (101 commits, 768 changed files with 33,015 additions and 64,816 deletions) can be found here.

v0.29.0

Release v0.29.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.29.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.29.0	DockerHub

These images can also be referenced by their digest: sha256:c78eb3828a6fe87e449e3e666ec933fa6f770967edc195cb6c92e01daf1f2ade.

Changes

This release includes new features and bug fixes. Starting in this release, and going forward, the container image will be published to ghcr.io instead of projects.registry.vmware.com. This release also upgrades all project dependencies.

Minor Changes

• Get the container image from ghcr.io by default during deployment of the Concierge or Supervisor. (#1883)
• All JWTAuthenticator resources will have detailed status written to them automatically, to aid in debugging. (#1851)
• OIDCClients will now always request user groups from the external identity provider, and provide these groups to the configured FederationDomain identity transformations and policies. See Identity transformations and policies for more details. As before, the final groups list will only be included in the Supervisor-issued ID tokens when that OIDCClient is configured with groups in the list of allowedScopes and that client requests the groups scope at the authorization endpoint. (#1871, #1867)
• Update the CLI's callback listener to prepare for additional CORS preflight checks that may be included in future releases of Chrome. (#1887, #1882)
• For those compiling Pinniped in FIPS compatibility mode, please note that the Go patch release v1.21.6 is not supported. Earlier and later versions are supported. This is because the Go team upgraded the version of goboring included in 1.21.6, and then reverted that change in v1.21.7. Go 1.22 was released at the same time as Go v1.21.7, and Go 1.22 also does not update goboring, so Go 1.22.x also works for compiling Pinniped in FIPS compatibility mode. (#1841, #1863)
• Updates Go to v1.22.1, updates the Kubernetes libraries to v0.29.2, and updates all other project dependencies. (#1892, #1890, #1885, #1881, #1878, #1876, #1875, #1872, #1870, #1869, #1862, #1858, #1856, #1855, #1854, #1853, #1852, #1850, #1836, #1835, #1830, #1829, #1880, #1861, #1879, #1825, #1877, #1891, #1866, #1884)

Bug Fixes

• The pinniped login oidc CLI command checks the lifetime of the access token before performing the RFC8693 token exchange. If needed, it will perform a refresh to get a new access token before the RFC8693 token exchange. (#1864, #1873)

A complete list of changes (121 commits, 1,553 changed files with 54,860 additions and 15,218 deletions) can be found here.