v0.27.0

Release v0.27.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.27.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.27.0	DockerHub

These images can also be referenced by their digest: sha256:8bfe6fe313bf915da228579e48a7f2575aaea0fd9c27385735cb807d701d0131.

Changes

This release introduces support for ARM64. It also includes some minor changes, bug fixes, and upgrades all project dependencies.

Major Changes

• Pinniped's GitHub releases will now include support for arm64 going forward. (#1699, #1702, #1703)
  • The Pinniped Concierge and Supervisor container images used in these GitHub releases are now multi-arch amd64/arm64 images. These deployments can now run seamlessly on either linux/amd64 or linux/arm64 Kubernetes nodes.
  • The Pinniped CLI binaries attached to these GitHub releases will now also include arm64 binaries.

Minor Changes

• The Pinniped CLI will now show a login banner before prompting for username and password at the CLI prompt during LDAP, AD, or OIDC password grant login via the Supervisor. The banner will show the configured display name of the identity provider from the FederationDomain. (#1691)
• The pinniped get kubeconfig CLI command has a new optional argument --pinniped-cli-path. This can be used to set the full path or executable name for the Pinniped CLI in the resulting kubeconfig. For example, using --pinniped-cli-path=pinniped will use pinniped as the path, and during login the binary named pinniped will be found via the user's path. This allows kubeconfigs to be more easily shared between users compared to the default behavior, which is to include the full path to the Pinniped CLI binary that was used to invoke pinnniped get kubeconfig. (#1690)
• Updates Go to v1.21.2 and updates all other project dependencies. (#1715, #1714, #1713, #1711, #1698, #1685)
• Some developer tooling was improved for the project maintainers and contributors. (#1696, #1692)
• Some small documentation updates. (#1661, #1687, #1716)

Bug Fixes

• Fix a bug introduced in v0.18.0 which slowed down the shutdown of the Pinniped pods and prevented the leader pod from releasing its lease, which caused it take take several minutes before replacement Pinniped pods could regain the lease and become fully operational. (#1688, #1695)
• Certain uncommon errors during login that were previously only shown in the CLI's output will now also be shown in the browser. (#1694, #1697) Note that these changes will make this version of the Supervisor incompatible with with very old versions of the Pinniped CLI (prior to v0.14.0) for Chrome and Edge browsers (due to them sending CORS preflight requests).
• Stop using the scheduler.alpha.kubernetes.io/critical-pod annotation to avoid seeing warnings that it has been removed from Kubernetes. (#1693)

Diffs

A complete list of changes (51 commits, 151 changed files with 1,640 additions and 1,543 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.26.0

Release v0.26.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.26.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.26.0	DockerHub

These images can also be referenced by their digest: sha256:a92183de893eb0b1850cc3a1d33306b96ba2cdb72a8a49c6493a58c01b4fa9cd.

Changes

This release introduces new features for using multiple identity providers, and identity transformation and policy expressions. It also includes some minor changes and upgrades all project dependencies.

Major Changes

• The Pinniped Supervisor can now be configured to source user identities from multiple identity providers (#1660). It can also be configured to transform usernames and group names using CEL expressions, and to reject authentication based on usernames and group names using CEL expressions. For more information, see the blog post for this release.

Minor Changes

• Updates the output of the pinniped version CLI command and the procedure for setting the version number at build time (#1634). The pinniped version CLI command also now accepts new optional arguments -o json and -o yaml to set an alternate output format. Note that this PR changes how to inject the version number into the CLI and server binaries at build time. Anyone who is doing their own Docker build, or using their own custom Dockerfile, or building the CLI, may need to change how the version number is injected at build time, if they choose to have a version number for their server and CLI binaries. Export the KUBE_GIT_VERSION environment variable to set the semver version number before calling hack/get-ldflags.sh to set the ldflags for the go build command. For example, set the KUBE_GIT_VERSION variable to v0.26.0. When using the project's Dockerfile, this value can be passed as a build ARG. When building the CLI, use export KUBE_GIT_VERSION=v0.26.0 && CGO_ENABLED=0 GOOS="darwin" GOARCH="amd64" go build -trimpath -ldflags "$(hack/get-ldflags.sh)" ./cmd/pinniped.
• Refactors to use Conditions type from the Kubernetes library (#1644). If you are using the generated client code in a Golang project, you may need to change your import statements for the Conditions type used by several Pinniped types to import it from the k8s.io/apimachinery/pkg/apis/meta/v1 library.
• Updates Go to v1.21.1, update Kubernetes libraries to v0.28.2, and updates all other project dependencies (#1630, #1646, #1647, #1664, #1674, #1675, #1676, #1677).
• Improves logging for debugging Pinniped Supervisor ingress and TLS certificate configuration problems at the default log level (#1662).
• Documentation and minor web site updates (#1419, #1621, #1631, #1654, #1663)

Bug Fixes

• Fix an error that can occur in the Concierge when the cluster has been configured to automatically inject sidecar containers into every pod, including the kube cert agent pod (#1682).

Diffs

A complete list of changes (148 commits, 1,179 changed files with 27,130 additions and 108,272 deletions) can be found here.

Acknowledgements

Thanks to @djpbessems for providing suggestions and feedback for one of the docs PRs (#1631).

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.25.0

Release v0.25.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.25.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.25.0	DockerHub

These images can also be referenced by their digest: sha256:50989db714555e375f68f0424bec3ad752d2658f624e5abd12cca3a4a7a46000.

Changes

Add external certificate management for the Concierge Impersonation Proxy (#1582)

Minor Changes

• #1590 kube cert agent pod requests 0 cpu to avoid scheduling failures
• #1598 Replace agouti and chromedriver with chromedp across the whole project (test code refactor)
• #1582 Add external certificate management for the Concierge Impersonation Proxy
• The generated Kubernetes files were updated with the most recent Kubernetes versions (#1540)
• All direct go dependencies were bumped to the latest version (various PRs, see the complete list of changes for details)

Diffs

A complete list of changes can be found here.

Acknowledgements

• Thanks to @antoineozenne for issue #1104 and to @nickperry for issue #1397 which led to the design for #1547

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.24.0

Release v0.24.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.24.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.24.0	DockerHub

These images can also be referenced by their digest: sha256:82a129cb8b21d34933cea6792af0d1b6fe0ff44ece6229a49d3f5c972dea9d86.

Changes

This release adds new flexibility for LDAP and Active Directory group searches and updates all project dependencies.

Minor Changes

• Added new LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter and ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter configuration options (#1534). The additional flexibility for LDAP and AD group searches introduced by this new configuration option can be used to find groups in new ways, such as finding groups defined using the posixGroup objectClass. For backwards compatibility, the group search defaults to the old behavior when this new option is not set. For more details, see the API documentation.
• Update Go to v1.20.4, update Kubernetes libraries to v0.27.2, and update several other project dependencies (#1540, #1537, #1524, #1522, #1520, #1497, #1485, #1482, #1477).
• Documentation updates on the web site (#1538, #1510, #1446).

Diffs

A complete list of changes (56 commits, 316 changed files with 37,598 additions and 965 deletions) can be found here.

Acknowledgements

• Thanks to @smeet07 for contributing to the documentation in #1538.
• Thanks to @pnbrown for updating the documentation search tool in #1446.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.23.0

Release v0.23.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.23.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.23.0	DockerHub

These images can also be referenced by their digest: sha256:3549526b0ecc850469a8cfbaf8701876680b522636bd84d573ed80b54552feb2.

Changes

This release adds some small improvements to the CLI and updates all project dependencies.

Minor Changes

• The pinniped get kubeconfig command now automatically discovers server-side support for username and groups scopes, rather than always defaulting to requesting those scopes (#1466). This makes the new CLI more compatible with old Pinniped Supervisors from before those scopes were introduced in v0.20.0.
• The CLI's login subcommands are no longer hidden and the help messages of several CLI commands are improved (#1395).
• Update Go to v1.20.2, update Kubernetes libraries to v0.26.3, and update several other project dependencies (#1387, #1391, #1420, #1435, #1436, #1463, #1465, #1468).
• Some documentation clarifications on the web site (#1388, #1394, #1453, #1471).
• Some small test and compile improvements (#1389, #1436, #1470, #1469).

Diffs

A complete list of changes (50 commits, 90 changed files with 1,457 additions and 849 deletions) can be found here.

Acknowledgements

• Thanks to @jamieklassen for fixing a mistake in the documentation in #1453.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.22.0

Release v0.22.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.22.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.22.0	DockerHub

These images can also be referenced by their digest: sha256:481b94f4468425542f111143ebb69cd2057b0003e7bee75047892638cf88e135.

Changes

This release adds one new feature, fixes a bug, and updates all project dependencies.

Minor Changes

• Add spec.claims.additionalClaimMappings to OIDCIdentityProvider (#1294). See Pinniped's API documentation for OIDCIdentityProvider for an explanation of this feature.
• Update Go to v1.19.5, update Kubernetes libraries to v0.26.1, and update several other project dependencies (#1371, #1372, #1385).

Bug Fixes

• Reduce memory consumption of pinniped-concierge-kube-cert-agent binary (#1369). If you were having any trouble with the kube cert agent pod getting OOMKilled in your cluster, then you may want to upgrade to this release.

Diffs

A complete list of changes (27 commits, 1,530 changed files with 37,971 additions and 1,809 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.21.0

Release v0.21.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.21.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.21.0	DockerHub

These images can also be referenced by their digest: sha256:89335a2b413345a1fea7ee87bfe5399b7563122b7e1400565cd066b479fe854a.

Changes

• Bumping dependency versions

Major Changes

• None

Minor Changes

• Many version bumps, which required some production and test code updates

Bug Fixes

• None

Diffs

A complete list of changes can be found here.

Acknowledgements

Thanks to these new contributors!

• @benjaminapetersen
• @rooso
• @joshuatcasey

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.20.0

Release v0.20.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.20.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.20.0	DockerHub

These images can also be referenced by their digest: sha256:e16a5bd67e2637ba27a13b5b12f38498aba03799e3fa97f98959c60ae3dbd78f.

Changes

This release adds a new feature which allows administrators of the Pinniped Supervisor to register OIDCClient CRs to provide authentication to web applications.

Major Changes

• Administrators of the Pinniped Supervisor can now register OIDCClient CRs to provide authentication to web applications via the OIDC authorization code flow (#1181). The use of this feature is optional and it not related to providing authentication to kubectl and similar clients. Please refer to the documentation for this feature for more information.

Minor Changes

• Added the appropriate settings to the YAML install manifests to make it possible to install Pinniped onto clusters which have Pod Security Admission policies enabled (#1286).
• Update Go to v1.19.1, update Kubernetes libraries to v0.25.2, and update several other project dependencies (#1302, #1303).

Diffs

A complete list of changes (110 commits, 674 changed files with 210,008 additions and 3,448 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.19.0

Release v0.19.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.19.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.19.0	DockerHub

These images can also be referenced by their digest: sha256:f71d3b973ba111a7b4499a279bf8cdf716e675ab0510645df25969fb2366b209.

Changes

This is a bugfix release for a Pinniped Supervisor bug which could potentially allow a legitimate user to maliciously use their access token to continue their session beyond what proper use of their refresh token might allow.

See GHSA-rp4v-hhm6-rcv9 for more information.

Bug Fixes

• Improve token exchange error messages and error test cases (#1264)

Minor Changes

• Several dependency bumps (#1192, #1193, and #1272). Most notably, the Kubernetes libraries were bumped to v1.25.0 and Golang was bumped to v1.19.0.

Diffs

A complete list of changes (54 commits, 362 changed files with 16,656 additions and 1,110 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.18.0

Release v0.18.0

Release Image

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.18.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.18.0	DockerHub

These images can also be referenced by their digest: sha256:95e1f1d62cb00328636ae73758153bd698207e8734f8500949fa4d32c0719b57.

Changes

This release introduces a web UI for authenticating to LDAP and AD identity providers and changes the default Pod log format to be JSON.

Major Changes

• The Supervisor and Concierge logs now default to outputting all log messages in a JSON format (#1145). The previous log format may still be configured, but is now deprecated and will be removed in some future release. The Pinniped CLI's log format has also been improved.

• Users may now optionally log in to LDAPIdentityProviders and ActiveDirectoryIdentityProviders using a new web-based UI hosted by the Supervisor (#1163, #1180). Previously, the only option was to log in via CLI prompts. The new web UI gives flexibility in situations where CLI prompts may be inconvenient, such as in IDE integrations, and will also be used by the upcoming dynamic clients feature which will allow Pinniped to offer authentication to webapps. This implements the proposal from #1116. Usage is described in the login documentation.

For more information about these new features, please see the blog post for this release.

Minor Changes

• Update Go to v1.18.3, update Kubernetes libraries to 0.24.1, and update several other project dependencies (#1186).

Bug Fixes

• Fix a minor bug in how error messages are returned to the client for certain edge cases in the authorization endpoint when the client requests response_mode=form_post and also makes a bad request (#1179).

Diffs

A complete list of changes (63 commits, 295 changed files with 20,824 additions and 2,146 deletions) can be found here.

Acknowledgements

• Thanks to @vrabbi for giving feedback on the proposed user experience of the LDAP/AD login page during design of that feature.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.