Release v0.16.0
Release Image
Image | Registry
---|---
projects.registry.vmware.com/pinniped/pinniped-server:v0.16.0 | VMware Harbor
docker.io/getpinniped/pinniped-server:v0.16.0 | DockerHub
These images can also be referenced by their digest: sha256:e333109a3b6433d24c3477ee3589244cb3239c9e758f2dff22cc0a81cc6bc762.
Changes
This release continues our theme of providing security-hardening for Kubernetes authentication solutions with Pinniped. Users can now build their own FIPS compatible binaries of Pinniped and the Supervisor's HTTP listener is disabled by default.
Major Changes
- Bring-your-own FIPS-compliant Pinniped binaries (#1061, #1106, #1119). Please refer to our FIPS reference documentation for details on how to compile Pinniped with a FIPS-validated cryptographic module that adheres to the standards established by FIPS 140-2.
- Supervisor HTTP listener disabled by default and may only bind to loopback interfaces (#1094). This is a breaking change intended to make it difficult to install and configure Pinniped in such a way that the TCP traffic going in and out of the Supervisor pods is not using TLS. That traffic includes credentials and secrets and should be encrypted using TLS. In recognition that it may take some users time to adjust to this breaking change, a new `deprecated_insecure_accept_external_unencrypted_http_requests` value has been introduced in deploy/supervisor/values.yaml. This can be used to bring back the old behavior by turning the new validation into a warning in the pod logs instead of an error which stops the Supervisor from starting.
  In some future release, this override will be removed and at that time the validation will always be an error. We plan to give sufficient time, probably several releases, before removing this override option.
Minor Changes
- Add custom prefix to downstream access and refresh tokens and authcodes (#1117)
- Added `code_challenge_methods_supported` to the Supervisor's OIDC discovery documents (#1127)
- JWTAuthenticator distributed claims resolution honors TLS config (#1129)
- Update Go to v1.18.1 (#1118)
Bug Fixes
- Fixed a bug where the impersonation proxy was accepting HTTP/1.1 in situations where we intended to only allow HTTP/2 (#1122)
A complete list of changes can be found here.
Acknowledgements
- Thanks to @hectorj2f for adding `code_challenge_methods_supported` to the OIDC discovery doc.
- Thanks to @vicmarbev for fixing our documentation and test setup script to reference `vmware-tanzu/carvel` rather than the deprecated `k14s/tap`.