Release v0.31.0
Release Image
Image | Registry |
---|---|
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.31.0 | GitHub Container Registry |
docker.io/getpinniped/pinniped-server:v0.31.0 | DockerHub |
These images can also be referenced by their digest: sha256:d07ee61c059b36337e17893c91b7bd4ac3c13d0258f9de11759d5b42b7b2060d.
Changes
This release adds support for using GitHub as an identity provider, along with other new features, and upgrades project dependencies.
Major Changes
- The Pinniped Supervisor now supports using GitHub as an identity provider using browser-based authentication, configured via a new custom resource called GitHubIdentityProvider. (#1978)
  - Both github.com and GitHub Enterprise are supported.
  - Administrators can optionally limit authentication by GitHub organization membership.
  - GitHub team membership is automatically mapped to Kubernetes group membership.
  - Frequent session refreshes check that the user's GitHub access token is still valid, revalidate the user's identity, and update the user's group memberships. In a typical setup, any changes to org or team membership will be reflected in end-user sessions within about 5 minutes.
  - As with any identity provider in the Supervisor, the administrator can optionally configure policies to restrict authentication by username and group (GitHub team) membership, and can modify usernames and group memberships by configuring CEL expressions on the FederationDomain.
  - Note that at least v0.31.0 of the Pinniped CLI should be used by end-users for GitHub authentication.
  - End-users of webapp clients configured as OIDCClients in the Supervisor can also authenticate via GitHub.
  - For more information see the blog post for this release, the GitHub configuration guide and the GitHubIdentityProvider resource documentation.
  - Many PRs were merged into the final cumulative PR #1978 for this feature: #1976, #1975, #1963, #1966, #1960, #1958, #1959, #1860, #1946, #1929, #1944, #1910, #1930, #1908, #1925, #1924, #1907, #1912, #1903, #1900.
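
The organization restriction described above, as an added example that is not part of these release notes or the project's own manifests: a GitHubIdentityProvider that admits only members of one organization, with the unrestricted policy shown commented out for comparison. The resource names, the namespace, the organization `example-org` and the credential values are placeholders chosen for illustration.

```yaml
# Added example. Names, namespace, organization and credentials are placeholders.
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: GitHubIdentityProvider
metadata:
  name: github-dot-com             # assumed resource name
  namespace: pinniped-supervisor   # assumed Supervisor namespace
spec:
  githubAPI:
    host: github.com               # or the hostname of a GitHub Enterprise server
  allowAuthentication:
    organizations:
      # Unrestricted setting: any GitHub account on this host may authenticate.
      # policy: AllGitHubUsers
      # Restricted setting: only members of the listed organizations may authenticate.
      policy: OnlyUsersFromAllowedOrganizations
      allowed:
        - example-org              # placeholder organization
  claims:
    username: "login:id"           # GitHub login combined with the numeric user id
    groups: slug                   # use team slugs rather than display names
  client:
    secretName: github-client-credentials   # assumed Secret name, defined below
---
# OAuth client credentials of the GitHub App or OAuth App used by the Supervisor.
apiVersion: v1
kind: Secret
metadata:
  name: github-client-credentials
  namespace: pinniped-supervisor
type: secrets.pinniped.dev/github-client
stringData:
  clientID: "<client-id>"          # placeholder
  clientSecret: "<client-secret>"  # placeholder
```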
Minor Changes
- The Pinniped CLI uses Supervisor discovery endpoints to determine the identity provider types that are supported by that particular Supervisor server. (#1928)
- Documentation updates. (#1953, #1970)
- Developer tooling updates and internal refactors. (#1941, #1939, #1950)
- Updates Go to 1.22.4, the Kubernetes libraries to v0.30.1, and updates all other project dependencies. (#1982, #1979, #1977, #1974, #1973, #1969, #1968, #1967, #1965, #1964, #1962, #1961, #1957, #1954, #1951, #1948, #1945)
Diffs
A complete list of changes (177 commits, 494 changed files with 26,750 additions and 2,482 deletions) can be found here.