
Releases: vmware-tanzu/pinniped

v0.12.1

10 Feb 21:11
Pre-release

Release v0.12.1

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.12.1 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.12.1 DockerHub

These images can also be referenced by their digest: sha256:8b4ee3b279d8d1d1f1c65d95f8611a99e00c6d2fbb5dbf974ad76ac4ca563d73.

Changes

This is a bug fix release for an incompatibility between the Pinniped CLI and Chrome v98+ (released Feb 1, 2022)
that caused browser based logins to fail.

This is a patch release on top of v0.12.0. Most users should opt for the latest release instead (currently v0.14.0).

Bug Fixes

Diffs

A complete list of changes (13 commits, 12 changed files with 540 additions and 168 deletions) can be found here.

Acknowledgements

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.13.0

21 Jan 23:11
dea9bf9

Release v0.13.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.13.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.13.0 DockerHub

These images can also be referenced by their digest: sha256:7bdd608100ef594d51cb36d63b87558524140c349cb2bf925338e8d7c11e208f.

Changes

The theme of this release was security improvements. New features include detecting changes to user accounts/sessions in OIDC/LDAP/AD identity providers to quickly reflect those changes into Kubernetes, more strict TLS client and server settings, configurable server ports, and lots of other improvements. See our blog post for more details on these highlights.

It has been a little while since the previous release, so there were 54 pull requests included in this release!

Major Changes

  • Note that this release updates the internal session storage format version of the Pinniped Supervisor, so when an existing installation of Pinniped is upgraded to at least this version from any version below this version, then all pre-existing user sessions will fail to refresh, causing users to need to log in again. The Pinniped CLI will gracefully handle this case, and will automatically prompt the user to log in again.

  • For OIDCIdentityProviders, when a user's Pinniped session is refreshed (approximately every 5 minutes), perform a refresh on the OIDC provider to ensure that the user's session on the provider has not been revoked (#858, #876, #917).

    • Note that this feature may require some Pinniped configuration changes, and/or some changes on the OIDC client in the OIDC provider's UI or API, to allow Pinniped to receive refresh tokens from the OIDC provider. See our blog post and docs for more details.
    • If the lifetime of the refresh token returned by your OIDC provider is less than 9 hours, then your Pinniped session will end when your refresh token ends, and you will be prompted to log in again on your next kubectl command. On the other hand, if the lifetime of the refresh token returned by your OIDC provider is greater than 9 hours, then your Pinniped session will end after about 9 hours, which is the hard-coded maximum session duration of Pinniped Supervisor sessions.
    • If your OIDC provider cannot return refresh tokens, then Pinniped will instead use the access token to call the provider's userinfo endpoint during session refreshing (#944, #904). In this case, if the lifetime of the access token is less than 9 hours, then the access token's lifetime will dictate the lifetime of the user's Pinniped session. If the access token lifetime is below 3 hours, Pinniped will show a warning to indicate that the lifetime is probably lower than what is needed to provide a good user experience (#895, #951).
    • When the user's group membership changes in the OIDC provider during a Pinniped session, the new group membership should be reflected into the Kubernetes session on the next refresh, typically within approximately 5 minutes (#948).
  • For LDAPIdentityProviders and ActiveDirectoryIdentityProviders, when a user's Pinniped session is refreshed (approximately every 5 minutes), perform additional queries to ensure that the user still exists and will still result in the same username and UID as the original login (#877).

    • For ActiveDirectoryIdentityProviders, it additionally checks for password changes (using the password changed timestamp field), deactivated users, and locked users before allowing the session to continue (#884).
    • Note that changes to the user's group memberships made on the LDAP or AD server since the user's original login will not be reflected in their Kubernetes session. This feature will come in a future release.
  • TLS 1.2+ with a modern set of TLS ciphers is now required for all connections coming into or going out of all pinniped components (#873, #889). See our blog post for more details.

  • Pinniped server ports are now configurable. See our blog post for more details.

    • For the Concierge (#888), this feature makes it possible to change the listening port numbers of the aggregated API server and impersonation proxy, which is typically not necessary but could be used for example on a cluster using host networking where these ports are already consumed by other services. The aggregated API server now defaults to port 10250 to allow it to work without needing further configuration on private GKE clusters.
    • For the Supervisor (#945), this feature makes it possible to configure how the HTTP and HTTPS ports listen. They can use tcp ports (on all or some interfaces), unix domain sockets, or be disabled. See endpoints option in deploy/supervisor/values.yml for details. Binding the HTTP listener to TCP addresses other than 127.0.0.1 or ::1 is now considered deprecated but still allowed in this release. For more information, see the Supervisor docs.
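As an added illustration (not Pinniped's own code), the following Go model applies the refresh-time rules described above: the OIDC session lifetime bounds (refresh token vs. access token, the 9-hour cap and the 3-hour warning) and the three ActiveDirectoryIdentityProvider checks. It assumes the standard AD attributes pwdLastSet (a FILETIME), userAccountControl and lockoutTime, which the notes do not name, and treats any non-zero lockoutTime as locked.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Durations taken from the v0.13.0 release notes.
const (
	maxSessionLifetime     = 9 * time.Hour // hard-coded Supervisor session maximum
	lowAccessTokenLifetime = 3 * time.Hour // below this, the Supervisor warns about poor UX
)

// SessionLifetime returns how long a Pinniped session can last and whether the
// "access token lifetime too short" warning applies. With a refresh token the session is
// min(refresh token lifetime, 9h); without one the access token lifetime is used (capped at 9h).
func SessionLifetime(refreshTokenTTL, accessTokenTTL time.Duration, hasRefreshToken bool) (time.Duration, bool) {
	lifetime, warn := refreshTokenTTL, false
	if !hasRefreshToken {
		lifetime = accessTokenTTL
		warn = accessTokenTTL < lowAccessTokenLifetime
	}
	if lifetime > maxSessionLifetime {
		lifetime = maxSessionLifetime
	}
	return lifetime, warn
}

// Active Directory stores pwdLastSet and lockoutTime as FILETIME values: 100-nanosecond
// intervals since 1601-01-01 UTC. Attribute names are an assumption; the release notes
// only say "the password changed timestamp field".
const (
	windowsEpochOffsetSecs = 11644473600 // seconds from 1601-01-01 to 1970-01-01
	fileTimeUnitsPerSecond = 10_000_000
	uacAccountDisabled     = 0x0002 // ACCOUNTDISABLE bit of userAccountControl
)

// FileTimeToTime converts a FILETIME integer to a UTC time.Time.
func FileTimeToTime(ft int64) time.Time {
	secs := ft/fileTimeUnitsPerSecond - windowsEpochOffsetSecs
	nanos := (ft % fileTimeUnitsPerSecond) * 100
	return time.Unix(secs, nanos).UTC()
}

// TimeToFileTime is the inverse of FileTimeToTime (used here to build sample entries).
func TimeToFileTime(t time.Time) int64 {
	return (t.Unix()+windowsEpochOffsetSecs)*fileTimeUnitsPerSecond + int64(t.Nanosecond())/100
}

// ADRefreshCheck applies the checks listed for ActiveDirectoryIdentityProviders at refresh
// time: password changed since the original login, account disabled, account locked.
// attrs holds the raw string values read back from the user's AD entry; any error means stop.
func ADRefreshCheck(attrs map[string]string, loginTime time.Time) error {
	pwdLastSet, err := strconv.ParseInt(attrs["pwdLastSet"], 10, 64)
	if err != nil {
		return fmt.Errorf("pwdLastSet: %w", err)
	}
	if FileTimeToTime(pwdLastSet).After(loginTime) {
		return errors.New("password changed after login; user must log in again")
	}
	uac, err := strconv.ParseInt(attrs["userAccountControl"], 10, 64)
	if err != nil {
		return fmt.Errorf("userAccountControl: %w", err)
	}
	if uac&uacAccountDisabled != 0 {
		return errors.New("account is disabled")
	}
	lockout, err := strconv.ParseInt(attrs["lockoutTime"], 10, 64)
	if err != nil {
		return fmt.Errorf("lockoutTime: %w", err)
	}
	if lockout != 0 { // simplified: ignores lockoutDuration expiry
		return errors.New("account is locked")
	}
	return nil
}
```

Feed ADRefreshCheck the string attribute values returned by the user search at refresh time; a nil result means the session may continue until SessionLifetime expires.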

Minor Changes

  • The pinniped get kubeconfig command now accepts the --install-hint flag to allow the cluster admin to customize an installation hint presented to the user when the exec plugin binary does not exist. The default hint refers the user to the official Pinniped docs. For more details, see the Kubernetes installHint documentation (#875, #878).
  • The pinniped concierge takes less time to load the cluster signer on upgrade (#846).
  • Add new columns that are shown in the table output of kubectl get for some of the Pinniped CRDs (#845).
  • Directly detect user info support for OIDC providers (#852).
  • Do not truncate x509 errors in OIDC discovery (#854).
  • Log claim keys at debug level for OIDC providers (#853).
  • Tests use CertificatesV1 when available, otherwise use CertificatesV1beta1 (#848).
  • Several documentation changes (#857, #872, #903, #908, #919)
  • Minor Dockerfile changes (#883).
  • Minor changes to get Github's Dependabot working again (#918).
  • Several dependency bumps, including using the latest distroless/static (#851, #879, #931), the latest golang (#860, #885, #905, #909, #938), the latest Kubernetes client libraries (#914, #935, #968), the latest Fosite library (#925, #939, #957, #943), and the Javascript minifier library (#953).

Bug Fixes

  • Pinniped components now tolerate a larger clock skew between the API servers and the kubelets running the pinniped pods (#849).
  • Do not rotate impersonation proxy signer CA unless necessary (#856).
  • Fixed several flaky tests and several tests which were failing due to PR merges (#842, #893, #940, #956, #967).
  • Fixed a misleading log statement in the token credential request (#847).

Diffs

A complete list of changes (225 commits, 245 changed files with 18,828 additions and 3,434 deletions) can be found here.

Acknowledgements

  • Thank you, @siddhant94, for submitting a PR (#875) to add the --install-hint flag to the pinniped get kubeconfig command!

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.12.0

16 Sep 18:11
454b792

Release v0.12.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.12.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.12.0 DockerHub

These images can also be referenced by their digest: sha256:767fbfa1c7064b07afc96139689240654c971dac319e7014e48ac721d014c7fd.

Changes

This is a bug fix release.

Minor Changes

  • Upgraded from golang 1.17.0 to 1.17.1 (#838)

Bug Fixes

  • Fixed incorrect "readOnly" and "readOnlyRootFilesystem" field usage in Supervisor and Concierge deployment manifests, which was introduced in v0.11.0. This would cause installs using kubectl to fail with a validation error message. (#835)
  • Fixed a bug where the LDAP search base would become blank when the Active Directory bind secret was updated. (#836)
  • Fixed a bug with the selectors used on the Concierge Deployments and Services where they accidentally selected the Kube cert agent pod in addition to the expected pods. This could cause connection refused errors, or "the server is currently unable to handle the request" errors, for the Concierge API endpoints on some clusters. This bug would only appear on clusters which are configured to send requests to all pods which match the Service's selector, for example by performing round-robin request routing. A typical Concierge deployment has two Concierge pods and one Kube cert agent pod, resulting in one-third of the matching pods being wrong. (#839)

Diffs

A complete list of changes (46 commits, 29 changed files with 1,304 additions and 203 deletions) can be found here.

Acknowledgements

  • Thanks to @JeremyCalcamuggio on Kubernetes Slack for quickly reporting the issue that was fixed by #835.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.11.0

31 Aug 23:37
b19af2e

Release v0.11.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.11.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.11.0 DockerHub

These images can also be referenced by their digest: sha256:ce59a0d43339b8a234f378613d242986fa7cad9c47cdbd2d0c88085e285e1730.

Changes

This release adds support for Active Directory identity providers in the Pinniped Supervisor, adds a CLI-based login experience for OIDC providers using the OIDC password grant, moves our base container images from Debian to Distroless, and lots of other improvements. See our blog post for more details on these highlights!

🐞 Note that a bug was introduced in this release. Installing using kubectl will result in the validation errors unknown field "readOnlyRootFilesystem" and unknown field "readOnly". This will be fixed in the next release. Workarounds for this release include using the --validate=false flag with kubectl, or installing using kapp instead of kubectl.

Major Changes

  • Added ActiveDirectoryIdentityProvider for configuring the Pinniped Supervisor to use Microsoft Active Directory as an identity provider (#695 and #756). See the blog post, how-to guide, documentation for the default values, and the API reference for more information.
  • Add a CLI-based login experience for OIDC providers using the OIDC resource owner password credentials grant (#778). This can optionally be enabled for OIDC providers which support returning an ID token from a resource owner password credentials grant by using the new spec.authorizationConfig.allowPasswordGrant setting of OIDCIdentityProvider. See the blog post and the API reference for more information.
  • Moved our base container images from Debian to Distroless (#738). This reduces the image size and reduces the dependencies contained within the image. See the blog post for more information.

Minor Changes

  • Several dependency bumps, including Go 1.17 (#818), Kubernetes 1.22.1 libraries (#816), go-ldap 3.4.1 (#782).
  • Implements leader election for all Concierge and Supervisor controllers to prevent multiple copies of the same controller running in different pods from all performing writes (#788, #796, #800, #828, #829). Now one Supervisor pod and one Concierge pod will be elected as leaders and will be the only pods allowed to perform write operations from inside controllers. When the leader pods shut down or otherwise disappear, a new leader will be elected automatically.
  • Added https_proxy and no_proxy ytt parameters for the Concierge deployment. See comments in file deploy/concierge/values.yaml for documentation. no_proxy is defaulted to $(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local for both the Concierge and the Supervisor (#785).
  • Remove several replace directives in go.mod that we previously needed to make sure we got a working and secure set of Go module dependencies (#786).
  • Various changes to improve the runtime and reliability of our integration tests. Perhaps the most notable change was to run some hand-picked integration tests in parallel with the sequential integration tests (#808 and #815).

Bug Fixes

  • For clusters where the control plane nodes aren't running a CNI, the kube-cert-agent pods deployed by the Concierge could not be scheduled without hostNetwork: true. hostNetwork settings will now be inherited for the kube-cert-agent pod (#814).
  • Fixed a bug in the pinniped CLI that would sometimes cause the first kubectl command after a browser based login to fail with "Unable to connect to the server: getting credentials: decoding stdout: couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value." (#780). Subsequent commands would run successfully since credentials would be cached.

Diffs

A complete list of changes (147 commits, 225 changed files with 17,961 additions and 2,170 deletions) can be found here.

Acknowledgements

  • Thank you, @vrabbi, for sharing your experience with Active Directory which influenced the design of the defaults for ActiveDirectoryIdentityProvider. And thank you for all your valuable feedback on numerous other technical proposals during the time that we were developing this release.
  • Thank you, @mayankbh, for reporting an issue with host networking and also providing the fix for the issue in PR #814.
  • Thank you, @joivo, for reporting and helping to debug the issue which was fixed in PR #780.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.10.0

30 Jul 21:21
f4badb3

Release v0.10.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.10.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.10.0 DockerHub

These images can also be referenced by their digest: sha256:3bdfb9ad9275449f07614081eca27cff16f15562aeabfee9214a0b0506bb6320.

Changes

This release extends Pinniped to support logins from more scenarios, including OIDC access from SSH jump hosts and LDAP access from CI/CD jobs. See our blog post for more details and a demo video!

Major Changes

  • Added support for authenticating to the Supervisor on machines without web browsers using an out-of-band login flow (#687). You can now use OpenID Connect browser-based login flows even on SSH jump hosts or other environments without a local web browser.
  • Added support for non-interactive LDAP password-based logins. You can now use PINNIPED_USERNAME and PINNIPED_PASSWORD environment variables to avoid being interactively prompted for username and password. This is useful, for example, to authenticate as an LDAP service account in a CI/CD job (#730).

Minor Changes

  • Added https_proxy and no_proxy ytt parameters for the Supervisor deployment (#701). These variables can be used to connect to OIDCIdentityProviders which can only be reached via HTTP proxy.
  • The Supervisor can now serve FederationDomain with an IPv6 address in the spec.issuer field (#684).
  • Added documentation for using the Pinniped Supervisor with Dex and Github (#729).
  • Upgraded Debian base images from 10.9 to 10.10.
  • Upgraded Go from 1.16.5 to 1.16.6.
  • Upgraded Kubernetes runtime library dependencies to v1.21.3, and upgraded several other miscellaneous Go module dependencies.
  • Improved the stability of several integration tests.

Bug Fixes

  • Fixed undesired behavior where some other non-Pinniped controller competes with the Pinniped controllers to write an annotation onto the impersonator's Service (#739). This could cause unwanted etcd resource consumption on some clusters.
  • Fixed a bug that caused failures when installing recent versions of the Concierge using kubectl (#664). We now recommend installing with kapp, or using two kubectl apply invocations to install the CRDs separately from the rest of the resources.
  • The Concierge now correctly reacts to changes in the impersonation proxy ClusterIP service immediately (#752).
  • Fixed a race during Concierge API service serving certificate rotation that could cause unnecessary updates to the API service. This could cause some aggregated API requests to fail for a short duration (#747).
  • The first line of the server logs for the Supervisor and Concierge containers will now correctly include the git SHA of the source code repo at build time. This can help identify what version of the code is running in the container by cross-referencing it back to the GitHub repo (#724).

Diffs

A complete list of changes (140 commits, 143 changed files with 4,228 additions and 1,449 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.4

08 Jul 20:25
Pre-release

Release v0.4.4

Release Images

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.4 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.4 DockerHub

Changes

This is a patch release on top of v0.4.3. Most users should opt for the latest release instead (currently v0.9.2).

Minor Changes

  • Add https_proxy and no_proxy settings for the Supervisor. These settings are available as ytt value parameters for the Supervisor deployment. They are unset by default. When set, they configure the HTTPS_PROXY and NO_PROXY environment variables on the Supervisor's containers.
  • When the Supervisor makes requests to an upstream OIDC Provider as defined by an OIDCIdentityProvider, it will now use the Golang standard proxy environment variables, including HTTPS_PROXY and NO_PROXY.
  • If your OIDC Provider is only reachable from your cluster via an HTTP proxy server, then you may wish to use these settings.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.9.2

15 Jun 14:41
e06c696

Release v0.9.2

Release Images

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.2 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.2 DockerHub

Changes

Pinniped v0.9.2 is a small security hardening release on top of the recent v0.9.1 release.

Minor Changes

  • We've made several changes to harden the impersonation proxy against potential future security vulnerabilities. These changes are proactive based on our understanding of potential issues:

    • The impersonation proxy now always authorizes every request, rather than deferring authorization to the Kubernetes API.

    • The impersonation proxy now uses a distinct service account with no RBAC privileges other than impersonation.

    • On clusters where anonymous authentication is disabled (such as AKS), the impersonation proxy now refuses anonymous requests. The Pinniped TokenCredentialRequest API is still allowed, since it is necessarily a pre-authentication API.

  • Upgraded Go from 1.16.4 to 1.16.5.

Diffs

A complete list of changes (16 commits, 15 changed files with 1,197 additions and 210 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.9.1

03 Jun 22:20
9b9e733

Release v0.9.1

Release Images

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.1 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.1 DockerHub

Changes

Pinniped v0.9.1 is a small bug fix release on top of the recent v0.9.0 release.

Bug Fixes

  • Fixed a bug in the Concierge deployment YAML (install-pinniped-concierge.yaml). There was a wrong field name which caused installation to fail with some deployment tools (#659). Thanks again to community user @jeuniii for noticing and reporting this!

Minor Changes

  • Improved the stability of several integration tests.

Diffs

A complete list of changes (21 commits, 20 changed files with 93 additions and 70 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.9.0

02 Jun 15:20
46825b1

Release v0.9.0

Release Images

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.0 DockerHub

Changes

Major Changes

  • The Pinniped Supervisor now supports LDAP identity providers, with a new LDAPIdentityProvider CRD:

    • Connect to an LDAP server over LDAPS or LDAP with StartTLS. Insecure plaintext LDAP is not supported. A custom TLS certificate authority bundle can be specified in the spec.tls.certificateAuthorityData field.

    • Bind using username/password credentials in a Secret referenced by spec.bind.secretName. Only authenticated simple binds are currently supported.

    • Search for users by specifying a search base (spec.userSearch.base) and filter (spec.userSearch.filter), then configure how the matching user is mapped to a Pinniped username and UID (spec.userSearch.attributes).

    • Search for an authenticated user's groups by specifying another search base (spec.groupSearch.base) and filter (spec.groupSearch.filter), then configure how matching groups are mapped to Pinniped groups (spec.groupSearch.attributes).

    • Generate a kubeconfig file for each of your clusters using pinniped get kubeconfig just as before. At login time, you'll be prompted to enter your LDAP username/password once to log in to the Supervisor. You'll then have safe access to any connected cluster via the Concierge. Only the Supervisor handles your LDAP password.

    See our blog post and our how-to guide for OpenLDAP for more details. LDAP is the second major identity provider supported by Pinniped, and joins our support for OpenID Connect via the OIDCIdentityProvider API.

  • The Concierge is now dynamically configurable via a new CredentialIssuer spec field. The API now lets you configure how the impersonation proxy is deployed:

    • The spec.impersonationProxy.mode field can be set to enabled to force the impersonation proxy to be deployed even on self-hosted clusters. It can be set to disabled to skip deploying the impersonation proxy even on cloud managed clusters. The default mode is auto, which deploys the proxy automatically on clusters lacking control plane nodes.

    • The spec.impersonationProxy.service field configures how the corresponding Service is configured. You can change the type of service (LoadBalancer or ClusterIP) or specify annotations or a specific load balancer IP. This can be used to select a private load balancer even when the cloud provider defaults to one that's externally accessible.

    • The spec.impersonationProxy.externalEndpoint lets you override the external endpoint where the proxy will be advertised. This supports configurations with custom domain names or IP routing.

    The YAML installation manifests and ytt templates for the Concierge now include an initial CredentialIssuer with defaults corresponding to the previous behavior. See #617 for example configurations.

    Thanks to community user @jeuniii for suggesting this feature and providing great early feedback 🎉

Minor Changes

  • The Concierge will now reject webhook identities that assert UID or extra fields (#594). These fields could not be accurately conveyed to the Kubernetes API because they cannot be represented in an x509 certificate.

  • Upgraded Kubernetes runtime library dependencies to v1.21.1.

  • Upgraded several other dependencies, including Fosite to v0.40.2.

  • Improved the stability of several integration tests.

Diffs

A complete list of changes (214 commits, 218 changed files with 22,791 additions and 18,084 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.3

25 May 22:54
2941f3f
Pre-release

Release v0.4.3

Release Images

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.3 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.3 DockerHub

Changes

This is a patch release on top of v0.4.2. Most users should opt for the latest release instead (currently v0.8.0).

Minor Changes

  • Fixed a bug that caused refresh tokens to become invalid after approximately 20 minutes instead of the intended 9 hours (#601).

  • Upgraded Go from 1.15.11 to 1.15.12.

  • Upgraded Kubernetes runtime library dependencies from v1.20.6 to v1.20.7.

Diffs

A complete list of changes (4 commits, 4 changed files with 22 additions and 22 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.