Releases: vmware-tanzu/pinniped
v0.17.0
Release v0.17.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.17.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.17.0 | DockerHub |

These images can also be referenced by their digest: `sha256:fdd82564c896eb75ef218508f15b21bbcb30fd173af633074b74fad9d6d370f0`.
Changes
This is a bug fix release for an LDAP and Active Directory login bug which could prevent end users who have certain special characters in their LDAP distinguished name (DN) from being able to log in using the Pinniped Supervisor.
Note that this bug had certain security implications for users of the Pinniped Supervisor when configured with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource. If the end user somehow had the ability to change their DN in the LDAP or Active Directory server record, then they could take advantage of this bug to, for example, use special characters in the common name (CN) to attempt LDAP query injection on the group search. The group search decides which groups the user belongs to in Kubernetes clusters, so it is important that end users cannot influence this search. Hopefully that would not happen in practice, since end users generally cannot edit their own record in an LDAP or AD server. If you use the Pinniped Supervisor with either an LDAPIdentityProvider or an ActiveDirectoryIdentityProvider resource, and your end users are able to change any part of their DN in their LDAP record, then you should upgrade Pinniped to this new version immediately. See GHSA-hvrf-5hhv-4348 for more information.
Bug Fixes
- Escape special characters in LDAP DNs when used in group search filters (#1148)
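The escaping that this fix applies, as an added Go example written for these notes rather than taken from the Pinniped code base: a minimal RFC 4515 filter-value escaper, the group search filter built from a constructed DN both with and without escaping, and a well-formedness check that can be applied to any filter before it is sent. The `(member=<DN>)` filter shape, the sample DN and all function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample DN (not from any real directory): the RDN value contains a
// comma, which DN syntax (RFC 4514) represents with a backslash escape, plus
// parentheses. Both are ordinary in a DN but are syntax inside a search filter.
const sampleUserDN = `cn=Smith\, John (Contractor),ou=people,dc=example,dc=com`

// escapeFilterValue escapes an assertion value for use inside an LDAP search
// filter, following RFC 4515 section 3: '*', '(', ')', '\' and NUL become a
// backslash followed by the two hex digits of the byte. Other bytes are copied.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// groupSearchFilter is the fixed shape: the user's DN comes back from the
// directory, so it is data rather than filter syntax and is escaped before
// being spliced into the membership filter.
func groupSearchFilter(userDN string) string {
	return fmt.Sprintf("(&(objectClass=groupOfNames)(member=%s))", escapeFilterValue(userDN))
}

// unescapedGroupSearchFilter is the pre-fix shape: the DN is interpolated
// verbatim, so DN escapes and parentheses in the DN are parsed as filter syntax.
func unescapedGroupSearchFilter(userDN string) string {
	return fmt.Sprintf("(&(objectClass=groupOfNames)(member=%s))", userDN)
}

// filterIsWellFormed is a defensive check for a filter string about to be sent:
// parentheses must balance (after escaping, only structural parens remain) and
// every backslash must begin a \XX hex escape.
func filterIsWellFormed(f string) bool {
	depth := 0
	for i := 0; i < len(f); i++ {
		switch f[i] {
		case '(':
			depth++
		case ')':
			depth--
			if depth < 0 {
				return false
			}
		case '\\':
			if i+2 >= len(f) || !isHex(f[i+1]) || !isHex(f[i+2]) {
				return false
			}
			i += 2
		}
	}
	return depth == 0
}

func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

func main() {
	for name, f := range map[string]string{
		"unescaped": unescapedGroupSearchFilter(sampleUserDN),
		"escaped":   groupSearchFilter(sampleUserDN),
	} {
		fmt.Printf("%-9s well-formed=%-5v %s\n", name, filterIsWellFormed(f), f)
	}
}
```

With the sample DN the unescaped filter is rejected by a conforming server because `\,` is not a valid filter escape, which is the login failure the release fixes; the escaped form is accepted and matches the DN literally.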
Minor Changes
Diffs
A complete list of changes (21 commits, 23 changed files with 637 additions and 358 deletions) can be found here.
Acknowledgements
- Thank you to @scottd018 for reporting the bug fixed by this release
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.16.0
Release v0.16.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.16.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.16.0 | DockerHub |

These images can also be referenced by their digest: `sha256:e333109a3b6433d24c3477ee3589244cb3239c9e758f2dff22cc0a81cc6bc762`.
Changes
This release continues our theme of providing security-hardening for Kubernetes authentication solutions with Pinniped. Users can now build their own FIPS compatible binaries of Pinniped and the Supervisor's HTTP listener is disabled by default.
Major Changes
- Bring-your-own FIPS compliant Pinniped Binaries (#1061, #1106, #1119). Please refer to our FIPS reference documentation for details on how to compile Pinniped with a FIPS validated cryptographic module that adheres to the standards established by FIPS 140-2.
- Supervisor HTTP listener disabled by default and may only bind to loopback interfaces (#1094). This is a breaking change intended to make it difficult to install and configure Pinniped in such a way that the TCP traffic going in and out of the Supervisor pods is not using TLS. That traffic includes credentials and secrets and should be encrypted using TLS. In recognition that it may take some users time to adjust to this breaking change, a new `deprecated_insecure_accept_external_unencrypted_http_requests` value has been introduced in deploy/supervisor/values.yaml. This can be used to bring back the old behavior by turning the new validation into a warning in the pod logs instead of an error which stops the Supervisor from starting.
  In some future release, this override will be removed and at that time the validation will always be an error. We plan to give sufficient time, probably several releases, before removing this override option.
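The listener rule described above, as an added Go example written for these notes and not Pinniped's own code: a validator that accepts plaintext HTTP only on a loopback address or a unix socket, and that downgrades the finding to a warning when the deprecated override is set. The `HTTPEndpoint` type, its field names and the decision to reject host names such as `localhost` (rather than resolving them) are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// HTTPEndpoint mirrors the shape the release notes describe for a Supervisor
// listener (a network of "tcp", "unix" or "disabled" plus an address). The type
// and field names are this example's own, not Pinniped's.
type HTTPEndpoint struct {
	Network string
	Address string
}

var errExternalHTTP = errors.New("http listener may only bind to loopback addresses (127.0.0.1 or ::1) or be disabled; plaintext HTTP would carry credentials")

// validateHTTPListener applies the v0.16.0 rule. With the deprecated override
// set, the same finding is returned as a warning to log instead of an error that
// stops startup.
func validateHTTPListener(ep HTTPEndpoint, acceptExternalUnencrypted bool) (warning string, err error) {
	switch ep.Network {
	case "disabled", "unix":
		// Nothing leaves the host over plaintext TCP in either case.
		return "", nil
	case "tcp":
		host, _, splitErr := net.SplitHostPort(ep.Address)
		if splitErr != nil {
			return "", fmt.Errorf("invalid tcp address %q: %w", ep.Address, splitErr)
		}
		// An empty host (":8080") means every interface. A host name such as
		// "localhost" is rejected too, since its resolution is not under our
		// control (an assumption of this example).
		if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
			return "", nil
		}
		if acceptExternalUnencrypted {
			return "deprecated_insecure_accept_external_unencrypted_http_requests is set: " + errExternalHTTP.Error(), nil
		}
		return "", errExternalHTTP
	default:
		return "", fmt.Errorf("unknown network %q", ep.Network)
	}
}

func main() {
	for _, ep := range []HTTPEndpoint{
		{Network: "tcp", Address: "127.0.0.1:8080"},
		{Network: "tcp", Address: ":8080"},
		{Network: "unix", Address: "/tmp/supervisor-http.sock"},
	} {
		w, err := validateHTTPListener(ep, false)
		fmt.Printf("%s %q -> warning=%q err=%v\n", ep.Network, ep.Address, w, err)
	}
}
```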
Minor Changes
- Add custom prefix to downstream access and refresh tokens and authcodes (#1117)
- Added `code_challenge_methods_supported` to the Supervisor's OIDC discovery documents (#1127)
- JWTAuthenticator distributed claims resolution honors tls config (#1129)
- Update Go to v1.18.1 (#1118)
Bug Fixes
- Fixed bug where the impersonation proxy was accepting HTTP/1.1 in situations where we intended to only allow HTTP/2 (#1122)
Diffs
A complete list of changes (105 commits, 178 changed files with 2,313 additions and 1,741 deletions) can be found here.
Acknowledgements
- Thanks to @hectorj2f for adding `code_challenge_methods_supported` to the OIDC discovery doc.
- Thanks to @vicmarbev for fixing our documentation and test setup script to reference `vmware-tanzu/carvel` rather than the deprecated `k14s/tap`.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.15.0
Release v0.15.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.15.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.15.0 | DockerHub |

These images can also be referenced by their digest: `sha256:62be9ea6c98760439a4f471963c654fdc789ea839edbfb8102e7022462dcc782`.
Changes
The user's group membership in Active Directory and LDAP is now refreshed as they interact with the supervisor to obtain new credentials.
Major Changes
Active Directory and LDAP group refresh allows group membership changes to be quickly reflected into Kubernetes clusters. Since group membership is often used to bind authorization policies, it is important to keep the groups observed in Kubernetes clusters in-sync with the identity provider. This functionality for OIDC was introduced in v0.13.0, and now Active Directory and LDAP identity providers will have the same experience.
Warning
In some Active Directory and LDAP environments, frequent group membership queries may result in a significant performance impact on the identity provider and/or the supervisor. The best approach to handle performance impacts is to tweak the group query to be more performant, for example by disabling nested group search or by using a more targeted group search base.
If the group search query cannot be made performant and you are willing to have group memberships remain static for approximately a day, then set `spec.groupSearch.skipGroupRefresh` to `true` in your `ActiveDirectoryIdentityProvider` or `LDAPIdentityProvider`. This is an insecure configuration, as authorization policies that are bound to group membership will not notice if a user has been removed from a particular group until their next login.
`skipGroupRefresh` is an experimental feature that may be removed or significantly altered in the future. Consumers of this configuration should carefully read all release notes before upgrading to ensure that the meaning of this field has not changed.
Minor Changes
- Update Go to v1.17.7 (#999)
- The Pinniped CLI now requires `https` issuers (#1013)
- Allow alternate deployment mechanisms for integration tests (#1028)
- Add toleration for new "control-plane" node label for Concierge deploy (#1031)
- Add generated code for Kubernetes 1.21, 1.22, and 1.23 (#1040)
- Update Kubernetes dependencies to v0.23.4 (#1041)
- Warn users when their groups have changed upon refresh (#1043)
- Fix rendering of API reference docs when `|` characters are used (#1044)
Diffs
A complete list of changes (84 commits, 1,344 changed files with 47,336 additions and 1,934 deletions) can be found here.
Acknowledgements
- Thanks to @jvanzyl for altering our helper scripts so that users can run integration tests using deployment mechanisms other than kapp.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.14.0
Release v0.14.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.14.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.14.0 | DockerHub |

These images can also be referenced by their digest: `sha256:57bbeebec0995bfa852e0b530198985fc369c2ac94b5d5c3063ee20e47e7bd5e`.
Changes
This is a bug fix release for an incompatibility between the Pinniped CLI and Chrome v98+ (released Feb 1, 2022) that caused browser based logins to fail.
Bug Fixes
- Pinniped now responds to CORS preflight calls against the CLI's localhost listener (#987, #989). This change addresses the new preflight calls that Chrome started sending in v98. For more details, see: https://developer.chrome.com/blog/private-network-access-preflight
Diffs
A complete list of changes (22 commits, 14 changed files with 563 additions and 149 deletions) can be found here.
Acknowledgements
- Thank you to @kdihalas @simox-83 @pksheldon4 and @Evalle for reporting this issue.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.12.1
Release v0.12.1
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.12.1 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.12.1 | DockerHub |

These images can also be referenced by their digest: `sha256:8b4ee3b279d8d1d1f1c65d95f8611a99e00c6d2fbb5dbf974ad76ac4ca563d73`.
Changes
This is a bug fix release for an incompatibility between the Pinniped CLI and Chrome v98+ (released Feb 1, 2022) that caused browser based logins to fail.
This is a patch release on top of v0.12.0. Most users should opt for the latest release instead (currently v0.14.0).
Bug Fixes
- Pinniped now responds to CORS preflight calls against the CLI's localhost listener (#987, #989). This change addresses the new preflight calls that Chrome started sending in v98. For more details, see: https://developer.chrome.com/blog/private-network-access-preflight
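The preflight handling that the v0.14.0 and v0.12.1 fixes describe, as an added Go example written for these notes and not the Pinniped CLI's own code: a wrapper for the localhost callback handler that answers the Chrome 98+ private-network preflight while admitting only the expected origin and method. The `allowedOrigin` value, the callback path and all names here are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigin is a constructed stand-in for the origin of the Supervisor's
// login page; a real CLI would derive it from the configured issuer URL.
const allowedOrigin = "https://supervisor.example.com"

// withPreflight wraps the localhost callback handler. Chrome 98+ sends an OPTIONS
// preflight before a page on a public origin may contact a loopback (private
// network) address, and refuses the real request unless the reply carries
// Access-Control-Allow-Private-Network: true. The reply commits to nothing:
// only the expected origin is allowed, only the methods the callback accepts are
// advertised, and no credentials or state are returned.
func withPreflight(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && origin != allowedOrigin {
			// Cross-origin traffic from anything but the login page is refused,
			// for preflights and real requests alike.
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		h := w.Header()
		h.Set("Vary", "Origin")
		if origin == allowedOrigin {
			h.Set("Access-Control-Allow-Origin", allowedOrigin)
		}
		if r.Method == http.MethodOptions {
			h.Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type")
			// The browser signals a private-network target with this request
			// header and expects the matching response header back.
			if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
				h.Set("Access-Control-Allow-Private-Network", "true")
			}
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// callback stands in for the real handler that receives the authorization code.
var callback = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "code received")
})

// preflight drives the wrapped handler with a constructed browser preflight and
// returns the recorded response for inspection.
func preflight(origin string, privateNetwork bool) *httptest.ResponseRecorder {
	req := httptest.NewRequest(http.MethodOptions, "http://127.0.0.1:12345/callback", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	if privateNetwork {
		req.Header.Set("Access-Control-Request-Private-Network", "true")
	}
	rec := httptest.NewRecorder()
	withPreflight(callback).ServeHTTP(rec, req)
	return rec
}

func main() {
	for _, o := range []string{allowedOrigin, "https://other.example"} {
		rec := preflight(o, true)
		fmt.Printf("origin=%s status=%d allow-private-network=%q\n",
			o, rec.Code, rec.Header().Get("Access-Control-Allow-Private-Network"))
	}
}
```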
Diffs
A complete list of changes (13 commits, 12 changed files with 540 additions and 168 deletions) can be found here.
Acknowledgements
- Thank you to @kdihalas @simox-83 @pksheldon4 and @Evalle for reporting this issue.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.13.0
Release v0.13.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.13.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.13.0 | DockerHub |

These images can also be referenced by their digest: `sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f`.
Changes
The theme of this release was security improvements. New features include detecting changes to user accounts/sessions in OIDC/LDAP/AD identity providers to quickly reflect those changes into Kubernetes, more strict TLS client and server settings, configurable server ports, and lots of other improvements. See our blog post for more details on these highlights.
It has been a little while since the previous release, so there were 54 pull requests included in this release!
Major Changes
- Note that this release updates the internal session storage format version of the Pinniped Supervisor, so when an existing installation of Pinniped is upgraded to at least this version from any version below this version, then all pre-existing user sessions will fail to refresh, causing users to need to log in again. The Pinniped CLI will gracefully handle this case, and will automatically prompt the user to log in again.
- For OIDCIdentityProviders, when a user's Pinniped session is refreshed (approximately every 5 minutes), perform a refresh on the OIDC provider to ensure that the user's session on the provider has not been revoked (#858, #876, #917).
  - Note that this feature may require some Pinniped configuration changes, and/or some changes on the OIDC client in the OIDC provider's UI or API, to allow Pinniped to receive refresh tokens from the OIDC provider. See our blog post and docs for more details.
  - If the lifetime of the refresh token returned by your OIDC provider is less than 9 hours, then your Pinniped session will end when your refresh token ends, and you will be prompted to log in again on your next kubectl command. On the other hand, if the lifetime of the refresh token returned by your OIDC provider is greater than 9 hours, then your Pinniped session will end after about 9 hours, which is the hard-coded maximum session duration of Pinniped Supervisor sessions.
  - If your OIDC provider cannot return refresh tokens, then Pinniped will instead use the access token to call the provider's userinfo endpoint during session refreshing (#944, #904). In this case, if the lifetime of the access token is less than 9 hours, then the access token's lifetime will dictate the lifetime of the user's Pinniped session. If the access token lifetime is below 3 hours, Pinniped will show a warning to indicate that the lifetime is probably lower than what is needed to provide a good user experience (#895, #951).
  - When the user's group membership changes in the OIDC provider during a Pinniped session, the new group membership should be reflected into the Kubernetes session on the next refresh, typically within approximately 5 minutes (#948).
- For LDAPIdentityProviders and ActiveDirectoryIdentityProviders, when a user's Pinniped session is refreshed (approximately every 5 minutes), perform additional queries to ensure that the user still exists and will still result in the same username and UID as the original login (#877).
  - For ActiveDirectoryIdentityProviders, it additionally checks for password changes (using the password changed timestamp field), deactivated users, and locked users before allowing the session to continue (#884).
  - Note that changes to the user's group memberships made on the LDAP or AD server since the user's original login will not be reflected in their Kubernetes session. This feature will come in a future release.
- TLS 1.2+ with a modern set of TLS ciphers is now required for all connections coming into or going out of all pinniped components (#873, #889). See our blog post for more details.
- Pinniped server ports are now configurable. See our blog post for more details.
  - For the Concierge (#888), this feature makes it possible to change the listening port numbers of the aggregated API server and impersonation proxy, which is typically not necessary but could be used for example on a cluster using host networking where these ports are already consumed by other services. The aggregated API server now defaults to port 10250 to allow it to work without needing further configuration on private GKE clusters.
  - For the Supervisor (#945), this feature makes it possible to configure how the HTTP and HTTPS ports listen. They can use TCP ports (on all or some interfaces), unix domain sockets, or be disabled. See the `endpoints` option in deploy/supervisor/values.yml for details. Binding the HTTP listener to TCP addresses other than 127.0.0.1 or ::1 is now considered deprecated but still allowed in this release. For more information, see the Supervisor docs.
Minor Changes
- The `pinniped get kubeconfig` command now accepts the `--install-hint` flag to allow the cluster admin to customize an installation hint presented to the user when the exec plugin binary does not exist. The default hint refers the user to the official Pinniped docs. For more details, see the Kubernetes installHint documentation (#875, #878).
- The pinniped concierge takes less time to load the cluster signer on upgrade (#846).
- Add new columns that are shown in the table output of `kubectl get` for some of the Pinniped CRDs (#845).
- Directly detect user info support for OIDC providers (#852).
- Do not truncate x509 errors in OIDC discovery (#854).
- Log claim keys at debug level for OIDC providers (#853).
- Tests use CertificatesV1 when available, otherwise use CertificatesV1beta1 (#848).
- Several documentation changes (#857, #872, #903, #908, #919)
- Minor Dockerfile changes (#883).
- Minor changes to get Github's Dependabot working again (#918).
- Several dependency bumps, including using the latest distroless/static (#851, #879, #931), the latest golang (#860, #885, #905, #909, #938), the latest Kubernetes client libraries (#914, #935, #968), the latest Fosite library (#925, #939, #957, #943), and the Javascript minifier library (#953).
Bug Fixes
- Pinniped components now tolerate a larger clock skew between the API servers and the kubelets running the pinniped pods (#849).
- Do not rotate impersonation proxy signer CA unless necessary (#856).
- Fixed several flaky tests and several tests which were failing due to PR merges (#842, #893, #940, #956, #967).
- Fixed a misleading log statement in the token credential request (#847).
Diffs
A complete list of changes (225 commits, 245 changed files with 18,828 additions and 3,434 deletions) can be found here.
Acknowledgements
- Thank you, @siddhant94, for submitting a PR (#875) to add the `--install-hint` flag to the `pinniped get kubeconfig` command!
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.12.0
Release v0.12.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.12.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.12.0 | DockerHub |

These images can also be referenced by their digest: `sha256:767fbfa1c7064b07afc96139689240654c971dac319e7014e48ac721d014c7fd`.
Changes
This is a bug fix release.
Minor Changes
- Upgraded from golang 1.17.0 to 1.17.1 (#838)
Bug Fixes
- Fixed incorrect "readOnly" and "readOnlyRootFilesystem" field usage in Supervisor and Concierge deployment manifests, which was introduced in v0.11.0. This would cause installs using `kubectl` to fail with a validation error message. (#835)
- Fixed a bug where the LDAP search base would become blank when the Active Directory bind secret was updated. (#836)
- Fixed a bug with the selectors used on the Concierge Deployments and Services where they accidentally selected the Kube cert agent pod in addition to the expected pods. This could cause connection refused errors, or "the server is currently unable to handle the request" errors, for the Concierge API endpoints on some clusters. This bug would only appear on clusters which are configured to send requests to all pods which match the Service's selector, for example by performing round-robin request routing. A typical Concierge deployment has two Concierge pods and one Kube cert agent pod, resulting in one-third of the matching pods being wrong. (#839)
Diffs
A complete list of changes (46 commits, 29 changed files with 1,304 additions and 203 deletions) can be found here.
Acknowledgements
- Thanks to @JeremyCalcamuggio on Kubernetes Slack for quickly reporting the issue that was fixed by #835.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.11.0
Release v0.11.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.11.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.11.0 | DockerHub |

These images can also be referenced by their digest: `sha256:ce59a0d43339b8a234f378613d242986fa7cad9c47cdbd2d0c88085e285e1730`.
Changes
This release adds support for Active Directory identity providers in the Pinniped Supervisor, adds a CLI-based login experience for OIDC providers using the OIDC password grant, moves our base container images from Debian to Distroless, and lots of other improvements. See our blog post for more details on these highlights!
🐞 Note that a bug was introduced in this release. Installing using `kubectl` will result in validation errors `unknown field "readOnlyRootFilesystem"` and `unknown field "readOnly"`. This will be fixed in the next release. Workarounds for this release include using the `--validate=false` flag with `kubectl`, or installing using `kapp` instead of `kubectl`.
Major Changes
- Added `ActiveDirectoryIdentityProvider` for configuring the Pinniped Supervisor to use Microsoft Active Directory as an identity provider (#695 and #756). See the blog post, how-to guide, documentation for the default values, and the API reference for more information.
- Add a CLI-based login experience for OIDC providers using the OIDC resource owner password credentials grant (#778). This can optionally be enabled for OIDC providers which support returning an ID token from a resource owner password credentials grant by using the new `spec.authorizationConfig.allowPasswordGrant` setting of `OIDCIdentityProvider`. See the blog post and the API reference for more information.
- Moved our base container images from Debian to Distroless (#738). This reduces the image size and reduces the dependencies contained within the image. See the blog post for more information.
Minor Changes
- Several dependency bumps, including Go 1.17 (#818), Kubernetes 1.22.1 libraries (#816), go-ldap 3.4.1 (#782).
- Implements leader election for all Concierge and Supervisor controllers to prevent multiple copies of the same controller running in different pods from all performing writes (#788, #796, #800, #828, #829). Now one Supervisor pod and one Concierge pod will be elected as leaders and will be the only pods allowed to perform write operations from inside controllers. When the leader pods shut down or otherwise disappear, a new leader will be elected automatically.
- Added `https_proxy` and `no_proxy` ytt parameters for the Concierge deployment. See comments in file deploy/concierge/values.yaml for documentation. `no_proxy` is defaulted to `$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local` for both the Concierge and the Supervisor (#785).
- Remove several replace directives in go.mod that we previously needed to make sure we got a working and secure set of Go module dependencies (#786).
- Various changes to improve the runtime and reliability of our integration tests. Perhaps the most notable change was to run some hand-picked integration tests in parallel with the sequential integration tests (#808 and #815).
Bug Fixes
- For clusters where the control plane nodes aren't running a CNI, the kube-cert-agent pods deployed by the Concierge could not be scheduled without `hostNetwork: true`. `hostNetwork` settings will now be inherited for the `kube-cert-agent` pod (#814).
- Fixed a bug in the pinniped CLI that would sometimes cause the first kubectl command after a browser based login to fail with `"Unable to connect to the server: getting credentials: decoding stdout: couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value."` (#780). Subsequent commands would run successfully since credentials would be cached.
Diffs
A complete list of changes (147 commits, 225 changed files with 17,961 additions and 2,170 deletions) can be found here.
Acknowledgements
- Thank you, @vrabbi, for sharing your experience with Active Directory which influenced the design of the defaults for `ActiveDirectoryIdentityProvider`. And thank you for all your valuable feedback on numerous other technical proposals during the time that we were developing this release.
- Thank you, @mayankbh, for reporting an issue with host networking and also providing the fix for the issue in PR #814.
- Thank you, @joivo, for reporting and helping to debug the issue which was fixed in PR #780.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.10.0
Release v0.10.0
Release Image
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.10.0 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.10.0 | DockerHub |

These images can also be referenced by their digest: `sha256:3bdfb9ad9275449f07614081eca27cff16f15562aeabfee9214a0b0506bb6320`.
Changes
This release extends Pinniped to support logins from more scenarios, including OIDC access from SSH jump hosts and LDAP access from CI/CD jobs. See our blog post for more details and a demo video!
Major Changes
- Added support for authenticating to the Supervisor on machines without web browsers using an out-of-band login flow (#687). You can now use OpenID Connect browser-based login flows even on SSH jump hosts or other environments without a local web browser.
- Added support for non-interactive LDAP password-based logins. You can now use the `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` environment variables to avoid being interactively prompted for username and password. This is useful, for example, to authenticate as an LDAP service account in a CI/CD job (#730).
Minor Changes
- Added `https_proxy` and `no_proxy` ytt parameters for the Supervisor deployment (#701). These variables can be used to connect to OIDCIdentityProviders which can only be reached via HTTP proxy.
- The Supervisor can now serve FederationDomain with an IPv6 address in the `spec.issuer` field (#684).
- Added documentation for using the Pinniped Supervisor with Dex and Github (#729).
- Upgraded Debian base images from 10.9 to 10.10.
- Upgraded Go from 1.16.5 to 1.16.6.
- Upgraded Kubernetes runtime library dependencies to v1.21.3, and upgraded several other miscellaneous Go module dependencies.
- Improved the stability of several integration tests.
Bug Fixes
- Fixed undesired behavior where some other non-Pinniped controller competes with the Pinniped controllers to write an annotation onto the impersonator's Service (#739). This could cause unwanted etcd resource consumption on some clusters.
- Fixed a bug that caused failures when installing recent versions of the Concierge using kubectl (#664). We now recommend installing with kapp, or using two `kubectl apply` invocations to install the CRDs separately from the rest of the resources.
- The Concierge now correctly reacts to changes in the impersonation proxy ClusterIP service immediately (#752).
- Fixed a race during Concierge API service serving certificate rotation that could cause unnecessary updates to the API service. This could cause some aggregated API requests to fail for a short duration (#747).
- The first line of the server logs for the Supervisor and Concierge containers will now correctly include the current git SHA of source code repo at build time. This can help identify what version of the code is running in the container by cross-referencing it back to the GitHub repo (#724).
Diffs
A complete list of changes (140 commits, 143 changed files with 4,228 additions and 1,449 deletions) can be found here.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.
v0.4.4
Release v0.4.4
Release Images
| Image | Registry |
|---|---|
| ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.4 | GitHub Container Registry |
| docker.io/getpinniped/pinniped-server:v0.4.4 | DockerHub |
Changes
This is a patch release on top of v0.4.3. Most users should opt for the latest release instead (currently v0.9.2).
Minor Changes
- Add `https_proxy` and `no_proxy` settings for the Supervisor. These settings are available as ytt value parameters for the Supervisor deployment. They are unset by default. When set, they configure the `HTTPS_PROXY` and `NO_PROXY` environment variables on the Supervisor's containers.
- When the Supervisor makes requests to an upstream OIDC Provider as defined by an `OIDCIdentityProvider`, it will now use the Golang standard proxy environment variables, including `HTTPS_PROXY` and `NO_PROXY`.
- If your OIDC Provider is only reachable from your cluster via an HTTP proxy server, then you may wish to use these settings.
Updates
The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.