Skip to content

v0.16.0

Compare
Choose a tag to compare
@pinniped-ci-bot pinniped-ci-bot released this 20 Apr 18:52
52341f4

Release v0.16.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.16.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.16.0 DockerHub

These images can also be referenced by their digest: sha256:e333109a3b6433d24c3477ee3589244cb3239c9e758f2dff22cc0a81cc6bc762.

Changes

This release continues our theme of providing security-hardening for Kubernetes authentication solutions with Pinniped. Users can now build their own FIPS compatible binaries of Pinniped and the Supervisor's HTTP listener is disabled by default.

Major Changes

  • Bring-your-own FIPS compliant Pinniped Binaries (#1061, #1106, #1119). Please refer to our FIPS reference documentation for details on how to compile Pinniped with a FIPS validated cryptographic module that adheres to the standards established by FIPS 140-2.

  • Supervisor HTTP listener disabled by default and may only bind to loopback interfaces (#1094). This is a breaking change intended to make it difficult to install and configure Pinniped in such a way that the TCP traffic going in and out of the Supervisor pods is not using TLS. That traffic includes credentials and secrets and should be encrypted using TLS. In recognition that it may take some users time to adjust to this breaking change, a new deprecated_insecure_accept_external_unencrypted_http_requests value has been introduced in deploy/supervisor/values.yaml. This can be used to bring back the old behavior by turning the new validation into a warning in the pod logs instead of an error which stops the Supervisor from starting.
    In some future release, this override will be removed and at that time the validation will always be an error. We plan to give sufficient time, probably several releases, before removing this override option.

Minor Changes

  • Add custom prefix to downstream access and refresh tokens and authcodes (#1117)
  • Added code_challenge_methods_supported to the Supervisor's OIDC discovery documents (#1127)
  • JWTAuthenticator distributed claims resolution honors tls config (#1129)
  • Update Go to v1.18.1 (#1118)

Bug Fixes

  • Fixed bug where the impersonation proxy was accepting HTTP1.1 in situations where we intended to only allow HTTP2 (#1122)

Diffs

A complete list of changes (105 commits, 178 changed files with 2,313 additions and 1,741 deletions) can be found here.

Acknowledgements

  • Thanks to @hectorj2f for adding code_challenge_methods_supported to the OIDC discovery doc.
  • Thanks to @vicmarbev for fixing our documentation and test setup script to reference vmware-tanzu/carvel rather than the deprecated k14s/tap.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.