
Releases: vmware-tanzu/pinniped

v0.9.2

15 Jun 14:41
e06c696

Release v0.9.2

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.2   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.2           DockerHub

Changes

Pinniped v0.9.2 is a small security hardening release on top of the recent v0.9.1 release.

Minor Changes

  • We've made several changes to harden the impersonation proxy against potential future security vulnerabilities. These changes are proactive, based on our understanding of potential issues:

    • The impersonation proxy now always authorizes every request, rather than deferring authorization to the Kubernetes API.

    • The impersonation proxy now uses a distinct service account with no RBAC privileges other than impersonation.

    • On clusters where anonymous authentication is disabled (such as AKS), the impersonation proxy now refuses anonymous requests. The Pinniped TokenCredentialRequest API is still allowed, since it is necessarily a pre-authentication API.

  • Upgraded Go from 1.16.4 to 1.16.5.
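The three hardening points above amount to a single rule: the proxy decides, before it forwards anything, whether the caller may do what was asked, and it never lets an unauthenticated caller borrow its impersonation privilege. The Go program below is an added example, not Pinniped's code, of such a gate. It checks every request with a SelfSubjectAccessReview sent while impersonating the caller, which is what allows the proxy's own service account to hold nothing beyond the impersonation privilege; it refuses anonymous callers as a cluster without anonymous authentication would; and it exempts only the pre-authentication login API. The API group and resource name used for that exemption, the credentials on the HTTP client, and the in-process stand-in for kube-apiserver are assumptions of the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errAnonymous, errForbidden = errors.New("anonymous requests are not allowed"), errors.New("forbidden")

// resourceAttributes mirrors spec.resourceAttributes of a SelfSubjectAccessReview.
type resourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb"`
	Resource  string `json:"resource"`
}

// selfSubjectAccessReview is the subset of authorization.k8s.io/v1 used here.
type selfSubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		ResourceAttributes resourceAttributes `json:"resourceAttributes"`
	} `json:"spec"`
	Status struct {
		Allowed bool `json:"allowed"`
	} `json:"status"`
}

// apiAuthorizer asks the API server whether user may perform attrs. Its client is assumed to
// carry the proxy's own service account token and to trust the cluster CA.
type apiAuthorizer struct {
	client    *http.Client
	apiServer string
}

func (a apiAuthorizer) Authorize(user string, groups []string, attrs resourceAttributes) (bool, error) {
	review := selfSubjectAccessReview{APIVersion: "authorization.k8s.io/v1", Kind: "SelfSubjectAccessReview"}
	review.Spec.ResourceAttributes = attrs
	body, _ := json.Marshal(review)
	// The URL is built from constants, so NewRequest cannot fail here.
	req, _ := http.NewRequest(http.MethodPost, a.apiServer+"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	// Ask as the user, so the answer follows the user's own RBAC and the proxy needs nothing
	// beyond impersonation: the default system:basic-user role already lets every
	// authenticated identity create a SelfSubjectAccessReview.
	req.Header.Set("Impersonate-User", user)
	for _, g := range groups {
		req.Header.Add("Impersonate-Group", g)
	}
	resp, err := a.client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if err := json.NewDecoder(resp.Body).Decode(&review); err != nil {
		return false, err
	}
	return review.Status.Allowed, nil // fail closed: only an explicit allow passes
}

// gate runs on every inbound request before any Impersonate-* header is set upstream, on a
// cluster whose API server rejects anonymous requests (AKS, for example). user is the identity
// the proxy authenticated; "" means no credential was presented.
func gate(az apiAuthorizer, user string, groups []string, method, path string, attrs resourceAttributes) error {
	// The pre-authentication login API must stay reachable without a credential. Its API group
	// and resource name are assumed from Pinniped's naming, not stated in the release notes.
	if method == http.MethodPost && strings.HasPrefix(path, "/apis/login.concierge.pinniped.dev/") &&
		strings.HasSuffix(path, "/tokencredentialrequests") {
		return nil
	}
	if user == "" || user == "system:anonymous" {
		return errAnonymous
	}
	// Authorize here, every time, instead of deferring to the API server after the proxy has
	// already asserted the user's identity on its behalf.
	if ok, err := az.Authorize(user, groups, attrs); err != nil {
		return err
	} else if !ok {
		return errForbidden
	}
	return nil
}

// newFakeAPIServer stands in for kube-apiserver so the example runs offline: the impersonated
// user "alice" may get pods and nothing else is allowed. Constructed for this example.
func newFakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var review selfSubjectAccessReview
		_ = json.NewDecoder(r.Body).Decode(&review)
		ra := review.Spec.ResourceAttributes
		review.Status.Allowed = r.Header.Get("Impersonate-User") == "alice" && ra.Verb == "get" && ra.Resource == "pods"
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(review)
	}))
}

func main() {
	srv := newFakeAPIServer()
	defer srv.Close()
	az := apiAuthorizer{client: srv.Client(), apiServer: srv.URL}
	pods := resourceAttributes{Namespace: "default", Verb: "get", Resource: "pods"}
	for _, u := range []string{"alice", "bob", ""} { // prints <nil>, forbidden, anonymous refusal
		fmt.Printf("%q: %v\n", u, gate(az, u, nil, "GET", "/api/v1/namespaces/default/pods", pods))
	}
}
```

Run it with go run: the stand-in allows only alice to get pods, so the three calls print <nil>, forbidden, and the anonymous refusal. Because the answer comes from the user's own RBAC, anyone the cluster would deny is denied by the proxy as well, and the proxy never has to guess after the fact what the API server would have decided.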

Diffs

A complete list of changes (16 commits, 15 changed files with 1,197 additions and 210 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.9.1

03 Jun 22:20
9b9e733

Release v0.9.1

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.1   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.1           DockerHub

Changes

Pinniped v0.9.1 is a small bug fix release on top of the recent v0.9.0 release.

Bug Fixes

  • Fixed a bug in the Concierge deployment YAML (install-pinniped-concierge.yaml). There was a wrong field name which caused installation to fail with some deployment tools (#659). Thanks again to community user @jeuniii for noticing and reporting this!

Minor Changes

  • Improved the stability of several integration tests.

Diffs

A complete list of changes (21 commits, 20 changed files with 93 additions and 70 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.9.0

02 Jun 15:20
46825b1

Release v0.9.0

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.9.0   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.9.0           DockerHub

Changes

Major Changes

  • The Pinniped Supervisor now supports LDAP identity providers, with a new LDAPIdentityProvider CRD:

    • Connect to an LDAP server over LDAPS or LDAP with StartTLS. Insecure plaintext LDAP is not supported. A custom TLS certificate authority bundle can be specified in the spec.tls.certificateAuthorityData field.

    • Bind using username/password credentials in a Secret referenced by spec.bind.secretName. Only authenticated simple binds are currently supported.

    • Search for users by specifying a search base (spec.userSearch.base) and filter (spec.userSearch.filter), then configure how the matching user is mapped to a Pinniped username and UID (spec.userSearch.attributes).

    • Search for an authenticated user's groups by specifying another search base (spec.groupSearch.base) and filter (spec.groupSearch.filter), then configure how matching groups are mapped to Pinniped groups (spec.groupSearch.attributes).

    • Generate a kubeconfig file for each of your clusters using pinniped get kubeconfig just as before. At login time, you'll be prompted to enter your LDAP username/password once to log in to the Supervisor. You'll then have safe access to any connected cluster via the Concierge. Only the Supervisor handles your LDAP password.

    See our blog post and our how-to guide for OpenLDAP for more details. LDAP is the second major identity provider supported by Pinniped, and joins our support for OpenID Connect via the OIDCIdentityProvider API.
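Two of the points above carry most of the security weight: the user search filter is built from a name the user typed, and the connection is TLS-only with a CA bundle the operator supplies. The Go program below is an added example, not Pinniped's code, of what any implementation of an LDAP identity provider like the one described has to do at those two points: escape the username before substituting it into a filter of the kind configured in spec.userSearch.filter, and turn spec.tls.certificateAuthorityData into a TLS client configuration that refuses an empty trust store. The "{}" placeholder in the filter, the host:port form, and the throwaway self-signed CA generated for the run are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// escapeFilterValue escapes an assertion value per RFC 4515 section 3 so that a typed
// username cannot close, extend or wildcard the filter it is substituted into.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilter substitutes the typed username into a filter like the one configured in
// spec.userSearch.filter. The "{}" placeholder is this example's convention, not something
// the release notes state.
func buildUserFilter(template, username string) string {
	return strings.ReplaceAll(template, "{}", escapeFilterValue(username))
}

// parseCABundle decodes the base64-encoded PEM bundle carried in
// spec.tls.certificateAuthorityData and refuses a bundle that holds no certificate, so a
// misconfiguration cannot silently fall back to an empty trust store.
func parseCABundle(b64 string) (*x509.CertPool, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return nil, fmt.Errorf("certificateAuthorityData is not base64: %w", err)
	}
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, errors.New("certificateAuthorityData contains no certificates")
	}
	return pool, nil
}

// tlsConfigFor builds the client TLS settings used for an LDAPS connection or for the upgrade
// that StartTLS performs on a plain LDAP connection; a plaintext session is never an option.
// host may be "ldap.example.com:636" or a bare hostname.
func tlsConfigFor(host, caBundleB64 string) (*tls.Config, error) {
	pool, err := parseCABundle(caBundleB64)
	if err != nil {
		return nil, err
	}
	serverName := host
	if h, _, err := net.SplitHostPort(host); err == nil {
		serverName = h
	}
	return &tls.Config{ServerName: serverName, RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// selfSignedCAPEM makes a throwaway CA certificate so the example runs offline.
func selfSignedCAPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ldap-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	filter := "(&(objectClass=person)(uid={}))"
	fmt.Println(buildUserFilter(filter, "alice"))        // (&(objectClass=person)(uid=alice))
	fmt.Println(buildUserFilter(filter, "*)(uid=admin")) // (&(objectClass=person)(uid=\2a\29\28uid=admin))
	bundle := base64.StdEncoding.EncodeToString([]byte(selfSignedCAPEM()))
	if cfg, err := tlsConfigFor("ldap.example.com:636", bundle); err == nil {
		fmt.Println("server name:", cfg.ServerName)
	}
	_, err := tlsConfigFor("ldap.example.com", base64.StdEncoding.EncodeToString([]byte("not a cert")))
	fmt.Println("bad bundle:", err)
}
```

The second filter shows why the escaping matters: substituted raw, the name `*)(uid=admin` turns a lookup for one user into `(&(objectClass=person)(uid=*)(uid=admin))`, which selects a different entry than the one the user named. RFC 4515 escaping is required of every LDAP client, so the same function applies to the group search filter in spec.groupSearch.filter.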

  • The Concierge is now dynamically configurable via a new CredentialIssuer spec field. The API now lets you configure how the impersonation proxy is deployed:

    • The spec.impersonationProxy.mode field can be set to enabled to force the impersonation proxy to be deployed even on self-hosted clusters. It can be set to disabled to skip deploying the impersonation proxy even on cloud managed clusters. The default mode is auto, which deploys the proxy automatically on clusters lacking control plane nodes.

    • The spec.impersonationProxy.service field configures the corresponding Service. You can change the type of Service (LoadBalancer or ClusterIP) or specify annotations or a specific load balancer IP. This can be used to select a private load balancer even when the cloud provider defaults to one that's externally accessible.

    • The spec.impersonationProxy.externalEndpoint field lets you override the external endpoint where the proxy will be advertised. This supports configurations with custom domain names or IP routing.

    The YAML installation manifests and ytt templates for the Concierge now include an initial CredentialIssuer with defaults corresponding to the previous behavior. See #617 for example configurations.

    Thanks to community user @jeuniii for suggesting this feature and providing great early feedback 🎉
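The security-relevant choice among these fields is where the proxy's Service ends up. The Go program below is an added example, not part of Pinniped, that lints a CredentialIssuer manifest for that choice: a LoadBalancer Service without an internal-load-balancer annotation, a mode outside auto/enabled/disabled, and a loadBalancerIP on a ClusterIP Service. The nested field names under spec.impersonationProxy.service (type, annotations, loadBalancerIP), the apiVersion and object name in the sample manifests, the assumption that LoadBalancer is the default Service type, and the provider annotation keys are all assumptions of the example and should be checked against the installed CRD and the cloud provider's documentation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// credentialIssuer holds the spec.impersonationProxy fields from the release notes. Field
// spellings beyond those named there (type, annotations, loadBalancerIP) are assumptions.
type credentialIssuer struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		ImpersonationProxy struct {
			Mode             string `json:"mode"`
			ExternalEndpoint string `json:"externalEndpoint"`
			Service          struct {
				Type           string            `json:"type"`
				Annotations    map[string]string `json:"annotations"`
				LoadBalancerIP string            `json:"loadBalancerIP"`
			} `json:"service"`
		} `json:"impersonationProxy"`
	} `json:"spec"`
}

// internalLBAnnotations request a private load balancer from each cloud's controller. The
// keys and values come from the providers' documentation, not from this page, so verify them
// against your provider before relying on this check.
var internalLBAnnotations = map[string]string{
	"service.beta.kubernetes.io/aws-load-balancer-internal":   "true",
	"service.beta.kubernetes.io/azure-load-balancer-internal": "true",
	"networking.gke.io/load-balancer-type":                    "Internal",
	"cloud.google.com/load-balancer-type":                     "Internal",
}

// lintImpersonationProxy returns findings for a CredentialIssuer manifest given as JSON. An
// unset Service type is treated as LoadBalancer, which is this example's assumption.
func lintImpersonationProxy(manifest []byte) ([]string, error) {
	var ci credentialIssuer
	if err := json.Unmarshal(manifest, &ci); err != nil {
		return nil, err
	}
	p := ci.Spec.ImpersonationProxy
	var findings []string
	switch p.Mode {
	case "", "auto", "enabled":
	case "disabled":
		return nil, nil // nothing is deployed, so nothing is exposed
	default:
		findings = append(findings, fmt.Sprintf("unknown mode %q (expected auto, enabled or disabled)", p.Mode))
	}
	switch p.Service.Type {
	case "", "LoadBalancer":
		private := false
		for k, v := range p.Service.Annotations {
			if want, ok := internalLBAnnotations[k]; ok && strings.EqualFold(v, want) {
				private = true
			}
		}
		if !private {
			findings = append(findings, "LoadBalancer Service without an internal-load-balancer annotation: the proxy is exposed wherever the cloud provider's default load balancer is reachable")
		}
	case "ClusterIP":
		if p.Service.LoadBalancerIP != "" {
			findings = append(findings, "loadBalancerIP is ignored for a ClusterIP Service")
		}
	default:
		findings = append(findings, fmt.Sprintf("unsupported Service type %q", p.Service.Type))
	}
	return findings, nil
}

// Two constructed manifests: the first takes the cloud default, the second pins the proxy to a
// private Azure load balancer and advertises a private DNS name. kubectl apply accepts JSON, so
// either can be applied as written once the assumed names are confirmed.
const publicIssuer = `{"apiVersion":"config.concierge.pinniped.dev/v1alpha1","kind":"CredentialIssuer",
 "metadata":{"name":"pinniped-concierge-config"},
 "spec":{"impersonationProxy":{"mode":"enabled","service":{"type":"LoadBalancer"}}}}`

const privateIssuer = `{"apiVersion":"config.concierge.pinniped.dev/v1alpha1","kind":"CredentialIssuer",
 "metadata":{"name":"pinniped-concierge-config"},
 "spec":{"impersonationProxy":{"mode":"enabled","externalEndpoint":"concierge.corp.example.com:443",
  "service":{"type":"LoadBalancer","annotations":{"service.beta.kubernetes.io/azure-load-balancer-internal":"true"}}}}}`

func main() {
	for _, m := range []struct{ name, manifest string }{{"public", publicIssuer}, {"private", privateIssuer}} {
		findings, err := lintImpersonationProxy([]byte(m.manifest))
		fmt.Printf("%s: findings=%q err=%v\n", m.name, findings, err)
	}
}
```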

Minor Changes

  • The Concierge will now reject webhook identities that assert UID or extra fields (#594). These fields could not be accurately conveyed to the Kubernetes API because they cannot be represented in an X.509 certificate.

  • Upgraded Kubernetes runtime library dependencies to v1.21.1.

  • Upgraded several other dependencies, including Fosite to v0.40.2.

  • Improved the stability of several integration tests.

Diffs

A complete list of changes (214 commits, 218 changed files with 22,791 additions and 18,084 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.3

25 May 22:54
2941f3f
Pre-release

Release v0.4.3

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.3   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.3           DockerHub

Changes

This is a patch release on top of v0.4.2. Most users should opt for the latest release instead (currently v0.8.0).

Minor Changes

  • Fixed a bug that caused refresh tokens to become invalid after approximately 20 minutes instead of the intended 9 hours (#601).

  • Upgraded Go from 1.15.11 to 1.15.12.

  • Upgraded Kubernetes runtime library dependencies from v1.20.6 to v1.20.7.

Diffs

A complete list of changes (4 commits, 4 changed files with 22 additions and 22 deletions) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.8.0

10 May 21:59
1ddc854

Release v0.8.0

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.8.0   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.8.0           DockerHub

Changes

Major Changes

  • The Pinniped command-line tool now caches ephemeral cluster-specific credentials issued by the Concierge. This notably improves performance on clusters with poor request latency.

  • The Concierge impersonation proxy (used on managed Kubernetes cluster types) now supports more extended authentication features:

    • Support for authenticating with ServiceAccount tokens or other bearer tokens that are valid on the underlying Kubernetes cluster.

    • Support for using --as/--as-group via the proxy (nested impersonation). When a request using impersonation is made via the proxy, Pinniped now performs the requisite authorization checks and then performs the impersonation. When these requests are audited by Kubernetes, the original user info is preserved in the original-user-info.impersonation-proxy.concierge.pinniped.dev extra field.
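Nested impersonation is only safe to allow if the audit trail still shows who really acted. The Go program below is an added example, not Pinniped's code, of reading kube-apiserver audit events (audit.k8s.io/v1, one JSON object per line) and recovering the original user from the extra field named above. The audit lines are constructed for this example, the proxy's service account name in them is made up, and the assumption that the extra value is a JSON-encoded user info is the example's own, since the notes only say the original user info is preserved there.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// originalUserExtraKey is the extra field named in the release notes.
const originalUserExtraKey = "original-user-info.impersonation-proxy.concierge.pinniped.dev"

// auditUser is the UserInfo shape used in audit.k8s.io/v1 events.
type auditUser struct {
	Username string              `json:"username"`
	Groups   []string            `json:"groups"`
	Extra    map[string][]string `json:"extra"`
}

// auditEvent is the subset of an audit.k8s.io/v1 Event that this check reads.
type auditEvent struct {
	AuditID          string     `json:"auditID"`
	Verb             string     `json:"verb"`
	User             auditUser  `json:"user"`
	ImpersonatedUser *auditUser `json:"impersonatedUser"`
	ObjectRef        *struct {
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"objectRef"`
}

// nestedImpersonation is one request in which OriginalUser, authenticated to the proxy,
// asked the proxy to act as ActedAs.
type nestedImpersonation struct {
	AuditID, OriginalUser, ActedAs, Verb, Target string
}

// originalUser decodes the preserved identity. The value is assumed to be a JSON-encoded
// UserInfo; a malformed marker is not trusted.
func originalUser(extra map[string][]string) (string, bool) {
	vals := extra[originalUserExtraKey]
	if len(vals) == 0 {
		return "", false
	}
	var u auditUser
	if err := json.Unmarshal([]byte(vals[0]), &u); err != nil || u.Username == "" {
		return "", false
	}
	return u.Username, true
}

// findNestedImpersonations scans newline-delimited audit events and reports every request that
// carried the proxy's original-user marker. A request that merely passed through the proxy, or
// that used --as directly against the API server, carries no marker and is skipped.
func findNestedImpersonations(auditLog string) ([]nestedImpersonation, error) {
	var out []nestedImpersonation
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("audit line %q: %w", line, err)
		}
		if ev.ImpersonatedUser == nil {
			continue
		}
		orig, ok := originalUser(ev.ImpersonatedUser.Extra)
		if !ok {
			continue
		}
		target := ""
		if ev.ObjectRef != nil {
			target = strings.Trim(ev.ObjectRef.Namespace+"/"+ev.ObjectRef.Resource+"/"+ev.ObjectRef.Name, "/")
		}
		out = append(out, nestedImpersonation{ev.AuditID, orig, ev.ImpersonatedUser.Username, ev.Verb, target})
	}
	return out, sc.Err()
}

// sampleAuditLog is constructed for this example; the proxy's service account name is made up.
// a1: alice through the proxy without --as. a2: alice through the proxy with --as=deploy-bot.
// a3: a direct request. a4: carol using --as directly against the API server.
const sampleAuditLog = `
{"auditID":"a1","verb":"get","user":{"username":"system:serviceaccount:pinniped-concierge:impersonation-proxy"},"impersonatedUser":{"username":"alice","groups":["devs"]},"objectRef":{"resource":"pods","namespace":"default"}}
{"auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:pinniped-concierge:impersonation-proxy"},"impersonatedUser":{"username":"deploy-bot","extra":{"original-user-info.impersonation-proxy.concierge.pinniped.dev":["{\"username\":\"alice\",\"groups\":[\"devs\"]}"]}},"objectRef":{"resource":"deployments","namespace":"prod","name":"api"}}
{"auditID":"a3","verb":"list","user":{"username":"carol","groups":["system:masters"]},"objectRef":{"resource":"secrets"}}
{"auditID":"a4","verb":"delete","user":{"username":"carol"},"impersonatedUser":{"username":"deploy-bot"},"objectRef":{"resource":"pods","namespace":"prod","name":"api-1"}}
`

func main() {
	hits, err := findNestedImpersonations(sampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, h := range hits { // a2: alice acted as deploy-bot to create prod/deployments/api
		fmt.Printf("%s: %s acted as %s to %s %s\n", h.AuditID, h.OriginalUser, h.ActedAs, h.Verb, h.Target)
	}
}
```

Only a2 is reported. In a1 the real user is already the impersonatedUser, and in a4 the impersonation happened outside the proxy, so its trail is carol's own audit identity rather than the proxy's marker.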

Minor Changes

  • The pinniped get kubeconfig command now generates more helpful "context", "cluster", and "user" names. The names will now be copied from the original kubeconfig but suffixed with "-pinniped". This suffix can be overridden with the --generated-name-suffix flag.

  • The Supervisor now produces more detailed error messages in the status conditions of OIDCIdentityProvider. This makes it easier to diagnose many common OIDC misconfigurations.

  • Fixed a bug in the Supervisor that caused refresh tokens to become invalid before their intended expiration. This caused unnecessary interactive logins when your CLI was idle for more than 20 minutes. The Supervisor now properly observes the intended 9 hour refresh token lifetime.

  • Added optional debug logging to the Pinniped CLI login flow. The new logs can be enabled by setting the $PINNIPED_DEBUG environment variable when running kubectl, for example export PINNIPED_DEBUG=true.

  • The Supervisor access token lifetime has been reduced from 15 minutes to 2 minutes, since the new Concierge credential caching means these tokens no longer need to be reused for performance reasons.

  • The kube-cert-agent pod used to collect the client certificate signing CA is now created via a Deployment instead of directly as a Pod. This fixes a bug that could cause the Concierge to become broken when a cluster is shut down and restarted or suspended and resumed (#493).

  • Refactored Supervisor garbage collection controller to use a singleton informer queue.

  • Upgraded Go from 1.16.2 to 1.16.4.

  • Upgraded Kubernetes runtime library dependencies to v1.21.0.

  • Improved the stability of several integration tests.

Diffs

A complete list of changes (102 commits, 113 changed files with 6,710 additions and 5,086 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.2

22 Apr 21:23
ff3f5e2
Pre-release

Release v0.4.2

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.2   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.2           DockerHub

Changes

This is a patch release on top of v0.4.1. Most users should opt for the latest release instead (currently v0.7.0).

Minor Changes

  • Fixed a bug that could cause the Concierge to become broken when a cluster is shut down and restarted or suspended and resumed (#493). The Concierge now correctly detects and cleans up kube-cert-agent pods that are stuck in a Failed or Unknown status.

  • Upgraded Debian base images from 10.7 to 10.9.

  • Upgraded Go from 1.15.6 to 1.15.11.

  • Upgraded Kubernetes runtime library dependencies from v1.20.1 to v1.20.6.

Diffs

A complete list of changes (10 commits, 8 changed files with 239 additions and 89 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.7.0

01 Apr 18:39
55bc3de

Release v0.7.0

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.7.0   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.7.0           DockerHub

Changes

Major Changes

  • The Concierge now supports most managed Kubernetes clusters including EKS, AKS, and GKE. This works by using a new strategy that employs Kubernetes impersonation. For more information about this new feature, see our blog post.

  • The Pinniped command-line tool now supports a whoami subcommand, which returns the currently-authenticated user identity. This functionality is also available in a new WhoAmIRequest API served by the Concierge.

  • The pinniped get kubeconfig command now waits for the Concierge to become stable and validates that the final generated kubeconfig is valid. It also prints more verbose log output describing any parameters that are autodetected.

Minor Changes

  • Added several new optional flags to the pinniped get kubeconfig command, including --concierge-mode, --concierge-skip-wait, --skip-validation, --timeout, and --output. For a full list of new options, see the CLI reference documentation.

  • Added new API fields to the CredentialIssuer API to support the impersonation proxy strategy. The status.kubeConfigInfo field is now deprecated and will be removed in a future release.

  • Fixed Homebrew installation of the main branch using --HEAD.

  • Upgraded Debian base images from 10.8 to 10.9.

  • Upgraded Go from 1.15.8 to 1.16.2.

  • Upgraded Kubernetes runtime library dependencies from v1.20.1 to v1.20.5 plus some additional unreleased commits to address CVE-2021-3121 (a potential denial-of-service vulnerability).

  • Improved the stability of several integration tests.

Diffs

A complete list of changes (377 commits, 862 changed files with 33,098 additions and 4,917 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.6.0

11 Feb 16:19
f015ad5

Release v0.6.0

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.6.0   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.6.0           DockerHub

Changes

Breaking Changes

  • All concierge APIs are now cluster-scoped. This is a breaking change for the sake of API consistency. To upgrade Pinniped concierge, you must delete and recreate the concierge CRD objects. If you require a non-disruptive upgrade path, you can use the --api-group-suffix feature added in v0.5.0 to deploy multiple Concierge instances on the same cluster.

Minor Changes

  • All Pinniped APIs now use the status subresource functionality of Kubernetes API machinery.

  • The --concierge-namespace flag is now ignored and deprecated in the pinniped get kubeconfig and pinniped login CLI commands.

  • Upgraded Debian base images from 10.7 to 10.8.

  • Upgraded Go from 1.15.7 to 1.15.8.

  • Removed the pinniped get-kubeconfig and pinniped exchange-credential commands, which were deprecated in v0.3.0.

  • The kubectl get pinniped -A command no longer reports a "method not found" warning related to TokenCredentialRequest.

  • Updated default RBAC cluster roles to support Kubernetes flow control on clusters that have it enabled.

Diffs

A complete list of changes (40 commits, 243 changed files with 2,179 additions and 2,519 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.5.0

04 Feb 23:45
9addb4d

Release v0.5.0

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.5.0   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.5.0           DockerHub

Changes

Major Changes

  • Pinniped now supports multiple instances on a single cluster. For more details, please see our blog post.

Minor Changes

  • Enhanced the integration tests to assert that no pods crash/restart during a test.

  • Updated several library dependencies to the latest version.

  • Updated to Go 1.15.7.

  • Re-enabled "max in flight" checks for the concierge aggregated API server.

Diffs

A complete list of changes (64 commits, 134 changed files with 5,572 additions and 1,152 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.1

26 Jan 00:01

Release v0.4.1

Release Images

Image                                                  Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.1   GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.1           DockerHub

Changes

Major Changes

None

Minor Changes

There is only one change included compared to v0.4.0:

  • When the Supervisor is configured to use the upstream OIDC provider's email claim as the downstream username, it now validates that the email_verified claim has the value true whenever that claim is included in the upstream ID token. If the email_verified claim is not included in the upstream ID token, the Supervisor assumes that the upstream provider doesn't implement it and allows the login to continue. This change only affects configurations whose upstream OIDC provider supports the email_verified claim, which is usually the case for providers that allow users to self-register for an account or to change the email address on an existing account.
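The rule above has two cases that are easy to get wrong: a provider that omits email_verified entirely, and one that sends it as the string "true" rather than the JSON boolean. The Go program below is an added example, not Pinniped's code, implementing the check over decoded ID token claims. The sample payloads are constructed, signature verification is assumed to have happened before the claims reach this code, and treating any non-boolean value as unverified is this example's strict reading of the note.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

var (
	errMissingUsername  = errors.New("username claim is missing or not a string")
	errEmailNotVerified = errors.New("email_verified claim is present but not true")
)

// parseClaims decodes the JSON payload of an upstream ID token. Signature verification is
// assumed to have happened already and is out of scope for this example.
func parseClaims(payload []byte) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// downstreamUsername picks usernameClaim out of the claims. When that claim is "email", a
// present email_verified claim must be the JSON boolean true; an absent claim is read as "the
// provider does not implement it". Any other value, including the string "true" that some
// providers emit, is treated as not verified.
func downstreamUsername(claims map[string]interface{}, usernameClaim string) (string, error) {
	name, ok := claims[usernameClaim].(string)
	if !ok || name == "" {
		return "", errMissingUsername
	}
	if usernameClaim != "email" {
		return name, nil // email_verified is only meaningful when email is the username
	}
	v, present := claims["email_verified"]
	if !present {
		return name, nil
	}
	if verified, isBool := v.(bool); !isBool || !verified {
		return "", errEmailNotVerified
	}
	return name, nil
}

// samplePayloads are constructed token payloads: verified, explicitly unverified, claim
// absent, and the string-typed trap.
var samplePayloads = []string{
	`{"sub":"u1","email":"alice@example.com","email_verified":true}`,
	`{"sub":"u2","email":"mallory@example.com","email_verified":false}`,
	`{"sub":"u3","email":"bob@example.com"}`,
	`{"sub":"u4","email":"eve@example.com","email_verified":"true"}`,
}

func main() {
	for _, p := range samplePayloads {
		claims, err := parseClaims([]byte(p))
		if err != nil {
			panic(err)
		}
		name, err := downstreamUsername(claims, "email")
		fmt.Printf("%-66s -> username=%q err=%v\n", p, name, err)
	}
	// With "sub" as the username claim, email_verified is never consulted.
	claims, _ := parseClaims([]byte(samplePayloads[1]))
	name, err := downstreamUsername(claims, "sub")
	fmt.Printf("username claim sub -> username=%q err=%v\n", name, err)
}
```

Only alice and bob log in: mallory is refused because the provider said the address is unverified, and eve is refused because a value that is not the boolean true is not a verification, whatever it spells. With a non-email username claim the check does not apply, which is the behaviour the note describes.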

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.