Release v0.28.0
Release Image
Image | Registry |
---|---|
projects.registry.vmware.com/pinniped/pinniped-server:v0.28.0 | VMware Harbor |
docker.io/getpinniped/pinniped-server:v0.28.0 | DockerHub |
These images can also be referenced by their digest: sha256:069df550a71db7acb41eda1922fe5997c72fab26939c6fd0a0fb544e461c0ac8.
Changes
This release includes security improvements, new features, and bug fixes. It also upgrades all project dependencies.
Minor Changes
- The Concierge will no longer create a long-lived service account token upon installation, which was previously contained in a Secret in the Concierge's namespace. Instead, it will dynamically fetch short-lived tokens and hold them in memory in the Pods. Upon upgrade, the old Secret will be automatically deleted. This improves security posture by making it impossible for an RBAC configuration or similar mistake to make this token readable to non-admins, and also by making the token short-lived. Other Secrets in the namespace must still be protected against being read by non-admins. (#1733)
- The Supervisor will now show an interstitial web page to allow the end-user to choose one of the configured IDPs, when multiple IDPs are configured, and when the query parameters to the OIDC authorize endpoint do not specify which IDP to use. (#1742)
- A new debugging tool has been added to aid in debugging your LDAPIdentityProvider settings. See hack/debug-ldapidentityprovider.sh. (#1594)
- The values.yaml files in the ytt template directories have been converted to use ytt's schema feature. This makes it easier for users or 3rd parties to create Carvel packages using the Dockerfile and ytt templates from the Pinniped repo. At this time, the Pinniped releases on GitHub do not include Carvel packages. (#1701)
- The project's Dockerfiles have been updated to add build ARGs to choose the BUILD_IMAGE (golang image used to compile) and the BASE_IMAGE (base layer of the resulting container image). This will make it easier for users and 3rd parties to choose alternate images when building the project. The default values are the latest golang image and the latest gcr.io/distroless/static image. The project maintainers will continue to bump the default values when updates of those images are available. (#1776)
- Updates Go to v1.21.5, updates the Kubernetes libraries to v0.28.4, and updates all other project dependencies. (#1815, #1808, #1807, #1804, #1803, #1801, #1793, #1791, #1788, #1779, #1775, #1772, #1771, #1767, #1763, #1755, #1751, #1748, #1741, #1738, #1735, #1734, #1732, #1721, #1752)
Bug Fixes
- pinniped whoami has a new --timeout parameter, which defaults to no timeout. This replaces a hardcoded timeout which caused pinniped whoami to fail when a user took more than 20 seconds to complete a fresh interactive login. (#1774)
A complete list of changes (111 commits, 188 changed files with 6,808 additions and 2,382 deletions) can be found here.