github vmware-tanzu/pinniped v0.33.0


Release v0.33.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.33.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.33.0 DockerHub

These images can also be referenced by their digest: sha256:0f9591eefa6e865988217c9c1b33312bd48056df1f271ddc8ae8ba7c851a6a0f.

Changes

This release introduces support for dynamically reading CA bundles from ConfigMaps or Secrets. It also includes some minor changes, bug fixes, and upgrades all project dependencies.

Major Changes

  • All custom resource types that configure Pinniped to act as an HTTPS client to some external server have been updated to optionally allow the CA bundle used to verify those HTTPS connections to be configured in a ConfigMap or Secret, which will be dynamically watched by Pinniped for updates. (#1984, #1996)
    • This includes the JWTAuthenticator, WebhookAuthenticator, OIDCIdentityProvider, GitHubIdentityProvider, ActiveDirectoryIdentityProvider, and LDAPIdentityProvider resources.
    • This makes it easier for your CA bundles to be configured and managed externally by cert-manager, trust-manager, or any other automation tools.
    • See the API docs for the Concierge TLSSpec and the very similar Supervisor TLSSpec.
    • See the blog post announcing this feature.
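As an added illustration (not part of the release notes), the following shows a JWTAuthenticator whose CA bundle is sourced from a ConfigMap rather than inlined as base64. It assumes the v0.33.0 Concierge TLSSpec exposes `certificateAuthorityDataSource` with `kind`, `name` and `key` fields; the issuer, audience, ConfigMap name and PEM content are constructed placeholders.

```yaml
# Constructed example: the ConfigMap holds the PEM CA bundle that Pinniped
# should trust when dialing the JWT issuer. Pinniped watches this object, so
# rotating the bundle here is picked up without editing the authenticator.
apiVersion: v1
kind: ConfigMap
metadata:
  name: issuer-ca-bundle          # placeholder name
  namespace: pinniped-concierge   # must match the Concierge's namespace
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...PEM-encoded CA certificate(s) go here (placeholder)...
    -----END CERTIFICATE-----
---
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
  name: my-jwt-authenticator      # placeholder name
spec:
  issuer: https://issuer.example.com   # placeholder issuer
  audience: my-cluster-audience        # placeholder audience
  tls:
    # Assumed field names (certificateAuthorityDataSource / kind / name / key).
    # Use kind: Secret with the same name/key layout to read from a Secret.
    certificateAuthorityDataSource:
      kind: ConfigMap
      name: issuer-ca-bundle
      key: ca.crt
```

After applying, `kubectl get jwtauthenticator` should show the new Status column described under Minor Changes; a bundle that fails to parse or a missing key surfaces there rather than silently disabling the authenticator.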

Minor Changes

  • A new Status printer column was added to the table output for WebhookAuthenticator and JWTAuthenticator. The value shown in the column is the status.Phase of the resource. (#1996)
  • To be consistent with other Pinniped custom resources, OIDCIdentityProvider, LDAPIdentityProvider, and ActiveDirectoryIdentityProvider now report status.conditions with status Unknown when they cannot perform a validation because of a configuration problem already reported on another status condition. (#2034)
  • Updates Go to v1.21.5, updates the Kubernetes libraries to v0.30.3, and updates all other project dependencies. (#2036, #2035, #2030, #2026, #2023, #2021, #2020, #2019, #2018, #2015, #2014, #2012, #2008, #2011, #2007, #2005, #2004, #2003, #2001, #1999, #1998, #1997, #1995)
  • Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2033, #2024, #2010)
  • Some small documentation updates. (#2028, #1993)

Bug Fixes

  • Fixes a bug for JWTAuthenticators and WebhookAuthenticators where their status was not always being updated after their initial creation. (#1996)
  • Host names with upper case characters were previously considered invalid by several Pinniped custom resources. Now mixed-case host names will be allowed. (#2022)
  • When testing the connection for a GitHubIdentityProvider using the default host github.com, actually dial api.github.com for status.conditions validation purposes, because api.github.com is the host that will actually be used during end-user authentication. (#2032)
  • WebhookAuthenticators and JWTAuthenticators which were previously validated, and then became invalid due to a spec change, are no longer considered usable for end-user authentication. To reduce the number of TCP dials to the remote server made during validation, WebhookAuthenticators and JWTAuthenticators that are already validated by a Concierge pod will not be validated again by that same pod unless the spec changes, the specified CA bundle changes, or the pod restarts. (#2013)

Diffs

A complete list of changes (186 commits, 258 changed files with 15,058 additions and 3,036 deletions) can be found here.
