v0.8.0

Release v0.8.0

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.8.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.8.0	DockerHub

Changes

Major Changes

• The Pinniped command-line tool now caches ephemeral cluster-specific credentials issued by the Concierge. This notably improves performance on clusters with poor request latency.

• The Concierge impersonation proxy (used on managed Kubernetes cluster types) now supports more extended authentication features:

  • Support for authenticating with ServiceAccount tokens or other bearer tokens that are valid on the underlying Kubernetes cluster.

  • Support for using --as/--as-group via the proxy (nested impersonation). When a request using impersonation is made via the proxy, Pinniped now performs the requisite authorization checks and performs the impersonation. When these requests are audited by Kubernetes, the original user info is preserved in the original-user-info.impersonation-proxy.concierge.pinniped.dev extra field.

Minor Changes

• The pinniped get kubeconfig command now generates more helpful "context", "cluster", and "user" names. The names will now be copied from the original kubeconfig but suffixed with "-pinniped". This suffix can be overridden with the--generated-name-suffix flag.

• The Supervisor now produces more detailed error messages in the status conditions of OIDCIdentityProvider. This makes it easier to diagnose many common OIDC misconfigurations.

• Fixed a bug in the Supervisor that caused refresh tokens to become invalid before their intended expiration. This caused unnecessary interactive logins when your CLI was idle for more than 20 minutes. The Supervisor now properly observes the intended 9 hour refresh token lifetime.

• Added optional debug logging to the Pinniped CLI login flow. The new logs can be enabled by setting the $PINNIPED_DEBUG environment variable when running kubectl, for example export PINNIPED_DEBUG=true.

• The Supervisor access token lifetime has been reduced from 15 minutes to 2 minutes, since the new Concierge credential caching means these tokens no longer need to be reused for performance reasons.

• The kube-cert-agent pod used to collect the client certificate signing CA is now created via a Deployment instead of directly as a Pod. This fixes a bug that could cause the Concierge to become broken when a cluster is shut down and restarted or suspended and resumed (#493).

• Refactored Supervisor garbage collection controller to use a singleton informer queue.

• Upgraded Go from 1.16.2 to 1.16.4.

• Upgraded Kubernetes runtime library dependencies to v1.21.0.

• Improved the stability of several integration tests.

Diffs

A complete list of changes (102 commits, 113 changed files with 6,710 additions and 5,086 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.2

Release v0.4.2

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.2	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.2	DockerHub

Changes

This is a patch release on top of v0.4.1. Most users should opt for the latest release instead (currently v0.7.0).

Minor Changes

• Fixed a bug that could cause the Concierge to become broken when a cluster is shut down and restarted or suspended and resumed (#493). The Concierge now correctly detects and cleans up kube-cert-agent pods that are stuck in a Failed or Unknown status.

• Upgraded Debian base images from 10.7 to 10.9.

• Upgraded Go from 1.15.6 to 1.15.11.

• Upgraded Kubernetes runtime library dependencies from v1.20.1 to v1.20.6.

Diffs

A complete list of changes (10 commits, 8 changed files with 239 additions and 89 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.7.0

Release v0.7.0

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.7.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.7.0	DockerHub

Changes

Major Changes

• The Concierge now supports most managed Kubernetes clusters including EKS, AKS, and GKE. This works by using a new strategy that employs Kubernetes impersonation. For more information about this new feature, see our blog post.

• The Pinniped command-line tool now supports a whoami subcommand, which returns the currently-authenticated user identity. This functionality is also available in a new WhoAmIRequest API served by the Concierge.

• The pinniped get kubeconfig command now waits for the Concierge to become stable and validates that the final generated kubeconfig is valid. It also prints more verbose log output describing any parameters that are autodetected.

Minor Changes

• Added several new optional flags to the pinniped get kubeconfig command, including --concierge-mode, --concierge-skip-wait, --skip-validation, --timeout, and --output. For a full list of new options, see the CLI reference documentation.

• Added new API fields to the CredentialIssuer API to support the impersonation proxy strategy. The status.kubeConfigInfo field is now deprecated and will be removed in a future release.

• Fixed Homebrew installation of the main branch using --HEAD.

• Upgraded Debian base images from 10.8 to 10.9.

• Upgraded Go from 1.15.8 to 1.16.2.

• Upgraded Kubernetes runtime library dependencies from v1.20.1 to v1.20.5 plus some additional unreleased commits to address CVE-2021-3121 (a potential denial-of-service vulnerability).

• Improved the stability of several integration tests.

Diffs

A complete list of changes (377 commits, 862 changed files with 33,098 additions and 4,917 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.6.0

Release v0.6.0

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.6.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.6.0	DockerHub

Changes

Breaking Changes

• All concierge APIs are now cluster-scoped. This is a breaking change for the sake of API consistency. To upgrade Pinniped concierge, you must delete and recreate the concierge CRD objects. If you require a non-disruptive upgrade path, you can use the --api-group-suffix feature added in v0.5.0 to deploy multiple Concierge instances on the same cluster.

Minor Changes

• All Pinniped APIs now use the status subresource functionality of Kubernetes API machinery.

• The --concierge-namespace flag is now ignored and deprecated in the pinniped get kubeconfig and pinniped login CLI commands.

• Upgraded Debian base images from 10.7 to 10.8.

• Upgraded Go from 1.15.7 to 1.15.8.

• Removed the pinniped get-kubeconfig and pinniped exchange-credential commands, which were deprecated in v0.3.0.

• The kubectl get pinniped -A command no longer reports a "method not found" warning related to TokenCredentialRequest.

• Updated default RBAC cluster roles to support Kubernetes flow control on clusters that have it enabled.

Diffs

A complete list of changes (40 commits, 243 changed files with 2,179 additions and 2,519 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.5.0

Release v0.5.0

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.5.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.5.0	DockerHub

Changes

Major Changes

• Pinniped now supports multiple instances on a single cluster. For more details, please see our blog post

Minor Changes

• Enhanced the integration tests to assert that no pods crash/restart during a test.

• Updated several library dependencies to the latest version.

• Updated to Go 1.15.7.

• Re-enabled "max in flight" checks for the concierge aggregated API server.

Diffs

A complete list of changes (64 commits, 134 changed files with 5,572 additions and 1,152 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.1

Release v0.4.1

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.1	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.1	DockerHub

Changes

Major Changes

None

Minor Changes

There is only one change included compared to v0.4.0:

• When the the Supervisor is configured to use the upstream OIDC Provider's email claim as the downstream username, then validate that the email_verified claim has the value true if the email_verified claim was included in the upstream ID token. If the email_validated claim is not included in the upstream ID token, then assume that the upstream provider doesn't implement it and allow the login to continue. This change only impacts configurations where the configured upstream OIDC Provider supports the email_verified claim, which is usually supported Providers which allow users to either self-register for an account or modify their email addresses on an existing account.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.4.0

Release v0.4.0

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.4.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.4.0	DockerHub

Changes

Major Changes

• The Pinniped supervisor now loads additional OIDC claims by calling the UserInfo endpoint during the authorization flow. This enables support for passing custom claims such as groups on a wider range of upstream identity providers.

Minor Changes

• Improved documentation for both the concierge and supervisor.

• Added filtering to supervisor controllers to improve performance and reduce CPU overhead and log noise.

• More consistently set owner references on all Kubernetes resources created by Pinniped.

• Stop setting blockOwnerDeletion: true on resources created by Pinniped.

• Normalize the type of the groups claim in ID tokens issued by the supervisor.
  The claim will now always be a list of strings, which may be empty if the upstream identity provider did not provide a groups claim.

• Fixed some intermittent integration test flakes.

• Upgraded Kubernetes library components to v1.20.1.

Diffs

A complete list of changes (74 commits, 247 changed files with 14,880 additions and 1,410 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.3.0

Release v0.3.0

Release Images

Image	Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.3.0	GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.3.0	DockerHub

Changes

Major Changes

• Implemented core login functionality of the Pinniped supervisor.
  The supervisor is an OpenID Connect (OIDC) server that passes identities from an upstream identity provider down to your Kubernetes clusters.
  In this release, we finish what we started in v0.2.0 by adding several new APIs and implementing all the core login functionality:

  • config.supervisor.pinniped.dev/FederationDomain configures the "downstream" behavior of the supervisor as an OIDC issuer.

  • idp.supervisor.pinniped.dev/OIDCIdentityProvider configures an "upstream" OIDC provider which will be the source of identities.

  The supervisor is a standards-compliant OIDC provider supporting the authorization code and refresh token flows.
  It also includes support for a RFC8693 token exchange grant flow.
  This new flow is key to supporting smooth login flows involving multiple clusters.

• Added support for JSON Web Token (JWT) validation to the Pinniped concierge. This is configured with a new API type:

  • authentication.concierge.pinniped.dev/JWTAuthenticator configures JWT validation parameters for the cluster.

• Added a new comprehensive command line interface that unifies the concierge and supervisor functionality:

  • pinniped get kubeconfig generates a Pinniped-based kubeconfig YAML.
    This command can autodiscover all required parameters in most cases, and supports using only a subset of Pinniped components.

Minor Changes

• Extended the pinniped login oidc subcommand.
  This command is normally not called directly, but via a kubeconfig generated by pinniped get kubeconfig.
  It now supports login flows combining OIDC browser-based login and the concierge TokenCredentialRequest API.
  It also now supports the RFC8693 token exchange functionality via a new --request-audience flag.

• Added a new pinniped login static subcommand which is similar to pinniped login oidc but using static tokens.
  Tokens can be passed in the kubeconfig or via environment variable.

• Deprecated the pinniped get-kubeconfig subcommand.
  This has been replaced with pinniped get kubeconfig and will be removed in a future release.

• Deprecated the pinniped exchange-credential subcommand.
  This has been replaced with pinniped login static and will be removed in a future release.

• Adjusted the default logging level to be less verbose.
  Debug log output can now be enabled via a configuration field.

• Increased the overall timeout for pinniped login oidc to 90 minutes and added shorter timeouts for non-interactive portions of the login flow.

• Reduced the lifetime of concierge-issued client certificates from 1 hour to 5 minutes.

• Upgraded to Go 1.15.6.

• Upgraded container base image to Debian 10.7 (slim).

• Upgraded Kubernetes library components to v1.19.5.

• Moved some stable OIDC client functionality from ./internal to ./pkg so it can be more easily imported by other projects.

Diffs

A complete list of changes (450 commits, 622 changed files with 38,117 additions and 16,689 deletions!) can be found here.

Updates

The attached yaml files were updated on May 6, 2024 to use ghcr.io/vmware-tanzu/pinniped/pinniped-server instead of projects.registry.vmware.com/pinniped/pinniped-server.

v0.2.0

Release v0.2.0

Release Image

docker.io/getpinniped/pinniped-server:v0.2.0

Changes

Major Changes

• Splits Pinniped into two components:

  • The "concierge" extends a Kubernetes cluster to enable dynamic configuration of authenticators.
  • The "supervisor" is a federated OpenID Connect gateway that enables smooth multi-cluster user experience for CLI flows. Currently only the Concierge component is fully working.

• Renamed several APIs for clarity and consistency:

  • config.pinniped.dev/CredentialIssuerConfig is now named config.concierge.pinniped.dev/CredentialIssuer.

  • idp.concierge.pinniped.dev/WebhookIdentityProvider is now authentication.concierge.pinniped.dev/WebhookAuthenticator.

  • login.pinniped.dev/TokenCredentialRequest is now named login.concierge.pinniped.dev/TokenCredentialRequest and the spec.identityProvider field is now named spec.authenticator.

  • config.supervisor.pinniped.dev/OIDCProvider is a new type for configuring a downstream OpenID Connect (OIDC) provider. This type and the rest of the supervisor functionality is not fully implemented in v0.2.0.

  Note that this is the last release where we intend to make breaking API changes. Future changes will be subject to a deprecation period.

• Introduced new pinniped login oidc CLI command for performing an OIDC login flow from the CLI. This command is currently tested with third-party OIDC implementations, but in future versions it will integrate more tightly with the supervisor OIDC implementation. It uses a file-based session cache in ~/.config/pinniped/sessions.yaml.

• Implemented the initial basic functionality of the Pinniped supervisor. This component is not yet finished, but the supervisor can be installed and serves working OIDC discovery and JWKS endpoints. It supports serving via a TLS-terminating Kubernetes Ingress or a TCP-level LoadBalancer Service with TLS terminated at the app layer using certificates configured via the spec.tls.secretName field in OIDCProvider.

  Future versions of the supervisor will implement the rest of the OIDC login flow with extensions to support a seamless multi-cluster user experience.

Minor Changes

• Added support for specifying custom labels in our ytt template. These labels will be passed down to all installed resources including resources dynamically created at runtime.

• Added support for installing the concierge and supervisor resources into existing namespaces instead of creating dedicated namespaces.

• Added container resource requests/limits to all Pinniped pods.

• Changed all container images and deployments to run as a non-root user. This change also involved updating the default listen ports to 8080/8443.

• Added default permissions to permit the dynamically-created "cert agent" Pod to run even when a restrictive PodSecurityPolicy is configured on the cluster.

• Upgraded to Go 1.15.3.

• Upgraded container base image to Debian 10.6.

• Added Tilt-based local development workflow scripts and configuration. This allows a much faster feedback cycle when developing locally.

• Removed an erroneous namespace field on one of our ClusterRoleBinding resources.

• Updated documentation and contribution guide.

A complete list of changes (189 commits, 656 changed files with 31,106 additions and 7,372 deletions!) can be found here.

v0.1.0

Release v0.1.0

Release Image

docker.io/getpinniped/pinniped-server:v0.1.0

Changes

Initial release.