Release v0.11.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.11.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.11.0 | DockerHub |
These images can also be referenced by their digest: `sha256:ce59a0d43339b8a234f378613d242986fa7cad9c47cdbd2d0c88085e285e1730`.
Changes
This release adds support for Active Directory identity providers in the Pinniped Supervisor, adds a CLI-based login experience for OIDC providers using the OIDC password grant, moves our base container images from Debian to Distroless, and lots of other improvements. See our blog post for more details on these highlights!
🐞 Note that a bug was introduced in this release. Installing using `kubectl` will result in the validation errors `unknown field "readOnlyRootFilesystem"` and `unknown field "readOnly"`. This will be fixed in the next release. Workarounds for this release include using the `--validate=false` flag with `kubectl`, or installing using `kapp` instead of `kubectl`.
Major Changes
- Added `ActiveDirectoryIdentityProvider` for configuring the Pinniped Supervisor to use Microsoft Active Directory as an identity provider (#695 and #756). See the blog post, how-to guide, documentation for the default values, and the API reference for more information.
- Added a CLI-based login experience for OIDC providers using the OIDC resource owner password credentials grant (#778). This can optionally be enabled for OIDC providers which support returning an ID token from a resource owner password credentials grant, by setting the new `spec.authorizationConfig.allowPasswordGrant` field of `OIDCIdentityProvider`. See the blog post and the API reference for more information.
- Moved our base container images from Debian to Distroless (#738). This reduces the image size and the number of dependencies contained within the image. See the blog post for more information.
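The password grant mentioned above is plain RFC 6749 section 4.3: the client posts the user's name and password to the provider's token endpoint and, if the provider supports it, gets an ID token back. The following is an added example, not Pinniped's code, showing both sides of that exchange in Go against a fake provider. Every name, credential and URL in it is constructed, and the `id_token` is an opaque stand-in rather than a signed JWT. It also handles the case the item above calls out, a provider that accepts the grant but does not return an ID token:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed values for the fake provider; none come from a real identity
// provider or from Pinniped.
const (
	fakeClientID     = "example-client"
	fakeClientSecret = "example-client-secret"
	fakeUsername     = "pinny"
	fakePassword     = "correct-horse-battery-staple"
	fakeIDToken      = "eyJ.example.id-token" // opaque stand-in, not a real JWT
)

// tokenResponse is the subset of an OAuth 2.0 token response used here.
type tokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	TokenType   string `json:"token_type,omitempty"`
	IDToken     string `json:"id_token,omitempty"`
	Error       string `json:"error,omitempty"`
}

// newFakeProvider serves a token endpoint implementing the resource owner
// password credentials grant (RFC 6749 section 4.3). Like an OIDC provider
// that supports the grant, it adds an id_token when the openid scope is asked for.
func newFakeProvider() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		reply := func(status int, body tokenResponse) {
			w.WriteHeader(status)
			_ = json.NewEncoder(w).Encode(body)
		}
		// The client, not the end user, authenticates with HTTP Basic auth.
		id, secret, ok := r.BasicAuth()
		if !ok || id != fakeClientID || secret != fakeClientSecret {
			reply(http.StatusUnauthorized, tokenResponse{Error: "invalid_client"})
			return
		}
		if r.ParseForm() != nil || r.PostForm.Get("grant_type") != "password" {
			reply(http.StatusBadRequest, tokenResponse{Error: "unsupported_grant_type"})
			return
		}
		// The user's password is in the form body: the defining property of this grant.
		if r.PostForm.Get("username") != fakeUsername || r.PostForm.Get("password") != fakePassword {
			reply(http.StatusBadRequest, tokenResponse{Error: "invalid_grant"})
			return
		}
		resp := tokenResponse{AccessToken: "opaque-access-token", TokenType: "Bearer"}
		if strings.Contains(" "+r.PostForm.Get("scope")+" ", " openid ") {
			resp.IDToken = fakeIDToken
		}
		reply(http.StatusOK, resp)
	}))
}

// passwordGrant sends the user's credentials to tokenURL and returns the ID
// token. A provider that accepts the grant but returns no id_token is treated
// as an error, because the ID token is what establishes the user's identity.
func passwordGrant(client *http.Client, tokenURL, clientID, clientSecret, username, password string) (string, error) {
	form := url.Values{
		"grant_type": {"password"},
		"username":   {username},
		"password":   {password},
		"scope":      {"openid"},
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", fmt.Errorf("decoding token response: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d: %s", resp.StatusCode, tr.Error)
	}
	if tr.IDToken == "" {
		return "", errors.New("provider returned no id_token for the password grant")
	}
	return tr.IDToken, nil
}

func main() {
	srv := newFakeProvider()
	defer srv.Close()
	tok, err := passwordGrant(srv.Client(), srv.URL+"/token", fakeClientID, fakeClientSecret, fakeUsername, fakePassword)
	fmt.Println("id_token:", tok, "err:", err)
	_, err = passwordGrant(srv.Client(), srv.URL+"/token", fakeClientID, fakeClientSecret, fakeUsername, "wrong")
	fmt.Println("wrong password:", err)
}
```

The wire shape is the whole point: unlike the browser-based flow, the component making this request sees the user's cleartext password, which is why the grant has to be opted into per provider.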
Minor Changes
- Several dependency bumps, including Go 1.17 (#818), Kubernetes 1.22.1 libraries (#816), and go-ldap 3.4.1 (#782).
- Implemented leader election for all Concierge and Supervisor controllers, to prevent multiple copies of the same controller running in different pods from all performing writes (#788, #796, #800, #828, #829). One Supervisor pod and one Concierge pod are now elected as leaders and are the only pods allowed to perform write operations from inside controllers. When a leader pod shuts down or otherwise disappears, a new leader is elected automatically.
- Added `https_proxy` and `no_proxy` ytt parameters for the Concierge deployment. See the comments in deploy/concierge/values.yaml for documentation. `no_proxy` defaults to `$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local` for both the Concierge and the Supervisor (#785).
- Removed several replace directives from go.mod that we previously needed to make sure we got a working and secure set of Go module dependencies (#786).
- Various changes to improve the runtime and reliability of our integration tests. Perhaps the most notable change was to run some hand-picked integration tests in parallel with the sequential integration tests (#808 and #815).
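To see what the default `no_proxy` list in the item above actually selects, here is an added example (not Pinniped's code) that resolves a few constructed URLs with Go's `http.ProxyFromEnvironment`, the resolver behind Go's default HTTP transport, on the assumption that the ytt parameters end up as `https_proxy`/`no_proxy` environment variables in the pod. `10.96.0.1` stands in for the value kubelet substitutes for `$(KUBERNETES_SERVICE_HOST)`, and the proxy address is made up:

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Constructed stand-in for the address kubelet substitutes for
// $(KUBERNETES_SERVICE_HOST) in the pod's environment.
const kubernetesServiceHost = "10.96.0.1"

// Constructed proxy address, standing in for whatever https_proxy is set to.
const proxyURL = "http://egress-proxy.corp.example:3128"

// The release's default no_proxy list, with the $(KUBERNETES_SERVICE_HOST)
// reference expanded the way kubelet would expand it.
var noProxyDefault = strings.ReplaceAll(
	"$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local",
	"$(KUBERNETES_SERVICE_HOST)", kubernetesServiceHost)

func init() {
	// Go's HTTP transport reads these variables once, on the first proxy
	// lookup, so they must be in place before any request is resolved.
	os.Setenv("HTTPS_PROXY", proxyURL)
	os.Setenv("HTTP_PROXY", proxyURL)
	os.Setenv("NO_PROXY", noProxyDefault)
}

// usesProxy reports whether a request to rawURL would be routed through the
// proxy, using http.ProxyFromEnvironment, the resolver behind Go's default
// http.Transport.
func usesProxy(rawURL string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return false, err
	}
	proxy, err := http.ProxyFromEnvironment(req)
	if err != nil {
		return false, err
	}
	return proxy != nil, nil
}

// Constructed destinations a Concierge might contact.
var sampleURLs = []string{
	"https://10.96.0.1:443/api",                                                       // Kubernetes API server: bypassed
	"https://pinniped-supervisor.pinniped-supervisor.svc/issuer/jwks.json",            // in-cluster Service: bypassed by .svc
	"https://pinniped-supervisor.pinniped-supervisor.svc.cluster.local/issuer/",       // bypassed by .cluster.local
	"http://169.254.169.254/latest/meta-data/",                                        // cloud metadata endpoint: bypassed
	"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",  // external issuer: proxied
	"https://login.example.svc.example.com/",                                          // ".svc" in the middle: still proxied
}

func main() {
	for _, u := range sampleURLs {
		viaProxy, err := usesProxy(u)
		fmt.Printf("proxied=%-5v err=%v %s\n", viaProxy, err, u)
	}
}
```

The `.svc` and `.cluster.local` entries match by suffix, so `pinniped-supervisor.pinniped-supervisor.svc` bypasses the proxy while a host such as `login.example.svc.example.com` does not; `localhost` and loopback addresses are never proxied by Go's resolver regardless of the list. Anything the Concierge needs to reach that is not covered by these patterns (an external OIDC issuer, for example) goes through `https_proxy`.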
Bug Fixes
- For clusters where the control plane nodes aren't running a CNI, the kube-cert-agent pods deployed by the Concierge could not be scheduled without `hostNetwork: true`. The `hostNetwork` setting is now inherited by the `kube-cert-agent` pod (#814).
- Fixed a bug in the pinniped CLI that would sometimes cause the first kubectl command after a browser-based login to fail with `Unable to connect to the server: getting credentials: decoding stdout: couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value.` (#780). Subsequent commands would run successfully since credentials would be cached.
Diffs
A complete list of changes (147 commits, 225 changed files with 17,961 additions and 2,170 deletions) can be found here.
Acknowledgements
- Thank you, @vrabbi, for sharing your experience with Active Directory, which influenced the design of the defaults for `ActiveDirectoryIdentityProvider`, and for all your valuable feedback on numerous other technical proposals during the time that we were developing this release.
- Thank you, @mayankbh, for reporting an issue with host networking and also providing the fix for it in PR #814.
- Thank you, @joivo, for reporting and helping to debug the issue which was fixed in PR #780.
Updates
The attached yaml files were updated on May 6, 2024 to use `ghcr.io/vmware-tanzu/pinniped/pinniped-server` instead of `projects.registry.vmware.com/pinniped/pinniped-server`.