Releases: vmware-tanzu/pinniped
v0.24.0
Release v0.24.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.24.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.24.0 | DockerHub
These images can also be referenced by their digest: `sha256:82a129cb8b21d34933cea6792af0d1b6fe0ff44ece6229a49d3f5c972dea9d86`.
Changes
This release adds new flexibility for LDAP and Active Directory group searches and updates all project dependencies.
Minor Changes
- Added new `LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter` and `ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter` configuration options (#1534). The additional flexibility for LDAP and AD group searches introduced by this new configuration option can be used to find groups in new ways, such as finding groups defined using the `posixGroup` objectClass. For backwards compatibility, the group search defaults to the old behavior when this new option is not set. For more details, see the API documentation.
- Update Go to v1.20.4, update Kubernetes libraries to v0.27.2, and update several other project dependencies (#1540, #1537, #1524, #1522, #1520, #1497, #1485, #1482, #1477).
- Documentation updates on the web site (#1538, #1510, #1446).
Diffs
A complete list of changes (56 commits, 316 changed files with 37,598 additions and 965 deletions) can be found here.
Acknowledgements
- Thanks to @smeet07 for contributing to the documentation in #1538.
- Thanks to @pnbrown for updating the documentation search tool in #1446.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.23.0
Release v0.23.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.23.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.23.0 | DockerHub
These images can also be referenced by their digest: `sha256:3549526b0ecc850469a8cfbaf8701876680b522636bd84d573ed80b54552feb2`.
Changes
This release adds some small improvements to the CLI and updates all project dependencies.
Minor Changes
- The `pinniped get kubeconfig` command now automatically discovers server-side support for the `username` and `groups` scopes, rather than always defaulting to requesting those scopes (#1466). This makes the new CLI more compatible with old Pinniped Supervisors from before those scopes were introduced in v0.20.0.
- The CLI's `login` subcommands are no longer hidden and the help messages of several CLI commands are improved (#1395).
- Update Go to v1.20.2, update Kubernetes libraries to v0.26.3, and update several other project dependencies (#1387, #1391, #1420, #1435, #1436, #1463, #1465, #1468).
- Some documentation clarifications on the web site (#1388, #1394, #1453, #1471).
- Some small test and compile improvements (#1389, #1436, #1470, #1469).
Diffs
A complete list of changes (50 commits, 90 changed files with 1,457 additions and 849 deletions) can be found here.
Acknowledgements
- Thanks to @jamieklassen for fixing a mistake in the documentation in #1453.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.22.0
Release v0.22.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.22.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.22.0 | DockerHub
These images can also be referenced by their digest: `sha256:481b94f4468425542f111143ebb69cd2057b0003e7bee75047892638cf88e135`.
Changes
This release adds one new feature, fixes a bug, and updates all project dependencies.
Minor Changes
- Add `spec.claims.additionalClaimMappings` to OIDCIdentityProvider (#1294). See Pinniped's API documentation for OIDCIdentityProvider for an explanation of this feature.
- Update Go to v1.19.5, update Kubernetes libraries to v0.26.1, and update several other project dependencies (#1371, #1372, #1385).
Bug Fixes
- Reduce memory consumption of pinniped-concierge-kube-cert-agent binary (#1369). If you were having any trouble with the kube cert agent pod getting OOMKilled in your cluster, then you may want to upgrade to this release.
Diffs
A complete list of changes (27 commits, 1,530 changed files with 37,971 additions and 1,809 deletions) can be found here.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.21.0
Release v0.21.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.21.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.21.0 | DockerHub
These images can also be referenced by their digest: `sha256:89335a2b413345a1fea7ee87bfe5399b7563122b7e1400565cd066b479fe854a`.
Changes
- Bumping dependency versions
Major Changes
- None
Minor Changes
- Many version bumps, which required some production and test code updates
Bug Fixes
- None
Diffs
A complete list of changes can be found here.
Acknowledgements
Thanks to these new contributors!
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.20.0
Release v0.20.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.20.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.20.0 | DockerHub
These images can also be referenced by their digest: `sha256:e16a5bd67e2637ba27a13b5b12f38498aba03799e3fa97f98959c60ae3dbd78f`.
Changes
This release adds a new feature which allows administrators of the Pinniped Supervisor to register OIDCClient CRs to provide authentication to web applications.
Major Changes
- Administrators of the Pinniped Supervisor can now register OIDCClient CRs to provide authentication to web applications via the OIDC authorization code flow (#1181). The use of this feature is optional and it is not related to providing authentication to `kubectl` and similar clients. Please refer to the documentation for this feature for more information.
Minor Changes
- Added the appropriate settings to the YAML install manifests to make it possible to install Pinniped onto clusters which have Pod Security Admission policies enabled (#1286).
- Update Go to v1.19.1, update Kubernetes libraries to v0.25.2, and update several other project dependencies (#1302, #1303).
Diffs
A complete list of changes (110 commits, 674 changed files with 210,008 additions and 3,448 deletions) can be found here.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.19.0
Release v0.19.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.19.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.19.0 | DockerHub
These images can also be referenced by their digest: `sha256:f71d3b973ba111a7b4499a279bf8cdf716e675ab0510645df25969fb2366b209`.
Changes
This is a bugfix release for a Pinniped Supervisor bug which could potentially allow a legitimate user to maliciously use their access token to continue their session beyond what proper use of their refresh token might allow.
See GHSA-rp4v-hhm6-rcv9 for more information.
Bug Fixes
- Improve token exchange error messages and error test cases (#1264)
Minor Changes
- Several dependency bumps (#1192, #1193, and #1272). Most notably, the Kubernetes libraries were bumped to v1.25.0 and Golang was bumped to v1.19.0.
Diffs
A complete list of changes (54 commits, 362 changed files with 16,656 additions and 1,110 deletions) can be found here.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.18.0
Release v0.18.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.18.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.18.0 | DockerHub
These images can also be referenced by their digest: `sha256:95e1f1d62cb00328636ae73758153bd698207e8734f8500949fa4d32c0719b57`.
Changes
This release introduces a web UI for authenticating to LDAP and AD identity providers and changes the default Pod log format to be JSON.
Major Changes
- The Supervisor and Concierge logs now default to outputting all log messages in a JSON format (#1145). The previous log format may still be configured, but is now deprecated and will be removed in some future release. The Pinniped CLI's log format has also been improved.
- Users may now optionally log in to LDAPIdentityProviders and ActiveDirectoryIdentityProviders using a new web-based UI hosted by the Supervisor (#1163, #1180). Previously, the only option was to log in via CLI prompts. The new web UI gives flexibility in situations where CLI prompts may be inconvenient, such as in IDE integrations, and will also be used by the upcoming dynamic clients feature which will allow Pinniped to offer authentication to webapps. This implements the proposal from #1116. Usage is described in the login documentation.
For more information about these new features, please see the blog post for this release.
Minor Changes
- Update Go to v1.18.3, update Kubernetes libraries to 0.24.1, and update several other project dependencies (#1186).
Bug Fixes
- Fix a minor bug in how error messages are returned to the client for certain edge cases in the authorization endpoint when the client requests `response_mode=form_post` and also makes a bad request (#1179).
Diffs
A complete list of changes (63 commits, 295 changed files with 20,824 additions and 2,146 deletions) can be found here.
Acknowledgements
- Thanks to @vrabbi for giving feedback on the proposed user experience of the LDAP/AD login page during design of that feature.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.17.0
Release v0.17.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.17.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.17.0 | DockerHub
These images can also be referenced by their digest: `sha256:fdd82564c896eb75ef218508f15b21bbcb30fd173af633074b74fad9d6d370f0`.
Changes
This is a bug fix release for an LDAP and Active Directory login bug which could prevent end users who have certain special characters in their LDAP distinguished name (DN) from being able to log in using the Pinniped Supervisor.
Note that this bug had certain security implications for users of the Pinniped Supervisor when configured with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource. If the end user somehow had the ability to change their DN in the LDAP or Active Directory server record, then they could take advantage of this bug to, for example, use special characters in the common name (CN) to attempt LDAP query injection on the group search. The group search decides which groups the user belongs to in Kubernetes clusters, so it is important that end users cannot influence this search. Hopefully that would not happen in practice, since end users generally cannot edit their record in an LDAP or AD server. If you use the Pinniped Supervisor with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource, and your end users are able to change any part of their DN in their LDAP record, then you should upgrade Pinniped to this new version immediately. See GHSA-hvrf-5hhv-4348 for more information.
Bug Fixes
- Escape special characters in LDAP DNs when used in group search filters (#1148)
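The escaping that this fix describes is defined by RFC 4515: inside a filter assertion value, `*`, `(`, `)`, `\` and NUL must be written as a backslash followed by two hex digits. The example below is added here to show the mechanism; it is not Pinniped's own code, and the filter template, the `{}` placeholder, the constructed DN and the helper names are all assumptions made for illustration. It builds the same group-search filter both ways, then reads the `member` value back out the way a filter parser would, to show that only the escaped filter carries the DN as a single literal value, which is also why users with such characters in their CN can now log in.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// escapeFilterValue escapes a string for use as an assertion value inside an
// LDAP search filter, following RFC 4515 section 3: '*', '(', ')', '\' and NUL
// become a backslash followed by the byte's two hex digits. Everything else is
// passed through unchanged. Hand-written equivalent of the escaping that LDAP
// client libraries provide; not Pinniped's code.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// groupFilterTemplate is a constructed group-search filter in which "{}" marks
// where the authenticated user's DN is substituted (an assumed placeholder).
const groupFilterTemplate = "(&(objectClass=groupOfNames)(member={}))"

// unsafeGroupFilter substitutes the DN verbatim: the behaviour this release
// removed. Any filter metacharacter in the DN changes the filter's syntax.
func unsafeGroupFilter(userDN string) string {
	return strings.ReplaceAll(groupFilterTemplate, "{}", userDN)
}

// safeGroupFilter escapes the DN first, so it can only ever be a literal value.
func safeGroupFilter(userDN string) string {
	return strings.ReplaceAll(groupFilterTemplate, "{}", escapeFilterValue(userDN))
}

// assertionValue reads the raw assertion value for attr out of filter f the
// way a filter parser would: the text after "(attr=" up to the first ')' that
// is not inside a backslash escape. ok is false when attr is not present.
func assertionValue(f, attr string) (value string, ok bool) {
	start := strings.Index(f, "("+attr+"=")
	if start < 0 {
		return "", false
	}
	start += len(attr) + 2
	for i := start; i < len(f); i++ {
		switch f[i] {
		case '\\':
			i += 2 // an escape is a backslash plus two hex digits
		case ')':
			return f[start:i], true
		}
	}
	return "", false
}

// decodeLiteral turns an RFC 4515 assertion value back into the plain string
// it matches, rejecting anything that is not a single literal: an unescaped
// '(' or ')' (which would terminate or nest filters), an unescaped '*' (a
// substring wildcard) or a backslash not followed by two hex digits.
func decodeLiteral(v string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '(', ')', '*':
			return "", fmt.Errorf("unescaped %q at offset %d", c, i)
		case '\\':
			if i+2 >= len(v) {
				return "", fmt.Errorf("truncated escape at offset %d", i)
			}
			n, err := strconv.ParseUint(v[i+1:i+3], 16, 8)
			if err != nil {
				return "", fmt.Errorf("malformed escape %q at offset %d", v[i:i+3], i)
			}
			b.WriteByte(byte(n))
			i += 2
		default:
			b.WriteByte(c)
		}
	}
	return b.String(), nil
}

func main() {
	// Constructed DN: an escaped comma, parentheses and an asterisk are all
	// legal in a CN, and are exactly the characters that broke the old search.
	dn := `CN=Doe\, Jane (Contractor)*,OU=People,DC=example,DC=com`
	for _, f := range []string{unsafeGroupFilter(dn), safeGroupFilter(dn)} {
		fmt.Println("filter:", f)
		raw, _ := assertionValue(f, "member")
		lit, err := decodeLiteral(raw)
		fmt.Printf("  parsed member value: %q\n  as literal: %q (err: %v)\n", raw, lit, err)
	}
}
```

For the unescaped filter the parser stops at the `)` inside the CN and the value it reads (`CN=Doe\, Jane (Contractor`) is not even a valid RFC 4515 value, so the server either rejects the search or matches something other than the user's DN; for the escaped filter the value decodes back to the exact DN. The same property is what prevents a DN chosen by the user from altering the filter's structure.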
Minor Changes
Diffs
A complete list of changes (21 commits, 23 changed files with 637 additions and 358 deletions) can be found here.
Acknowledgements
- Thank you to @scottd018 for reporting the bug fixed by this release
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.16.0
Release v0.16.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.16.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.16.0 | DockerHub
These images can also be referenced by their digest: `sha256:e333109a3b6433d24c3477ee3589244cb3239c9e758f2dff22cc0a81cc6bc762`.
Changes
This release continues our theme of providing security-hardening for Kubernetes authentication solutions with Pinniped. Users can now build their own FIPS compatible binaries of Pinniped and the Supervisor's HTTP listener is disabled by default.
Major Changes
- Bring-your-own FIPS compliant Pinniped Binaries (#1061, #1106, #1119). Please refer to our FIPS reference documentation for details on how to compile Pinniped with a FIPS validated cryptographic module that adheres to the standards established by FIPS 140-2.
- Supervisor HTTP listener disabled by default and may only bind to loopback interfaces (#1094). This is a breaking change intended to make it difficult to install and configure Pinniped in such a way that the TCP traffic going in and out of the Supervisor pods is not using TLS. That traffic includes credentials and secrets and should be encrypted using TLS. In recognition that it may take some users time to adjust to this breaking change, a new `deprecated_insecure_accept_external_unencrypted_http_requests` value has been introduced in deploy/supervisor/values.yaml. This can be used to bring back the old behavior by turning the new validation into a warning in the pod logs instead of an error which stops the Supervisor from starting.
  In some future release, this override will be removed and at that time the validation will always be an error. We plan to give sufficient time, probably several releases, before removing this override option.
Minor Changes
- Add custom prefix to downstream access and refresh tokens and authcodes (#1117)
- Added `code_challenge_methods_supported` to the Supervisor's OIDC discovery documents (#1127)
- JWTAuthenticator distributed claims resolution honors TLS config (#1129)
- Update Go to v1.18.1 (#1118)
Bug Fixes
- Fixed bug where the impersonation proxy was accepting HTTP1.1 in situations where we intended to only allow HTTP2 (#1122)
Diffs
A complete list of changes (105 commits, 178 changed files with 2,313 additions and 1,741 deletions) can be found here.
Acknowledgements
- Thanks to @hectorj2f for adding `code_challenge_methods_supported` to the OIDC discovery doc.
- Thanks to @vicmarbev for fixing our documentation and test setup script to reference `vmware-tanzu/carvel` rather than the deprecated `k14s/tap`.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.
v0.15.0
Release v0.15.0
Release Image
Image | Registry
---|---
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.15.0 | GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.15.0 | DockerHub
These images can also be referenced by their digest: `sha256:62be9ea6c98760439a4f471963c654fdc789ea839edbfb8102e7022462dcc782`.
Changes
The user's group membership in Active Directory and LDAP is now refreshed as they interact with the supervisor to obtain new credentials.
Major Changes
Active Directory and LDAP group refresh allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. This functionality for OIDC was introduced in v0.13.0, and now Active Directory and LDAP identity providers will have the same experience.
Warning
In some Active Directory and LDAP environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set `spec.groupSearch.skipGroupRefresh` to `true` in your `ActiveDirectoryIdentityProvider` or `LDAPIdentityProvider`. This is an insecure configuration as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login.
`skipGroupRefresh` is an experimental feature that may be removed or significantly altered in the future. Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
Minor Changes
- Update Go to v1.17.7 (#999)
- The Pinniped CLI now requires `https` issuers (#1013)
- Allow alternate deployment mechanisms for integration tests (#1028)
- Add toleration for new "control-plane" node label for Concierge deploy (#1031)
- Add generated code for Kubernetes 1.21, 1.22, and 1.23 (#1040)
- Update Kubernetes dependencies to v0.23.4 (#1041)
- Warn users when their groups have changed upon refresh (#1043)
- Fix rendering of API reference docs when `|` characters are used (#1044)
Diffs
A complete list of changes (84 commits, 1,344 changed files with 47,336 additions and 1,934 deletions) can be found here.
Acknowledgements
- Thanks to @jvanzyl for altering our helper scripts so that users can run integration tests using deployment mechanisms other than kapp.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.