github vmware-tanzu/pinniped v0.38.0

6 days ago

Release v0.38.0

Release Image

Image Registry
ghcr.io/vmware-tanzu/pinniped/pinniped-server:v0.38.0 GitHub Container Registry
docker.io/getpinniped/pinniped-server:v0.38.0 DockerHub

These images can also be referenced by their digest: sha256:cc1769112d738ff95a3f8430d254d8546fc254d2cbc065f916b88d83ceb22c65.

Changes

This release includes several new features and upgrades project dependencies.

Minor Changes

  • The Pinniped Supervisor now supports using response_mode=form_post with an OIDCIdentityProvider. Some versions of ADFS might require this in order for Pinniped to receive certain claims in the ADFS-issued ID token. (#2254)
  • The pinniped get kubeconfig CLI command now auto-discovers the issuer's CA bundle from a JWTAuthenticator's spec.TLS.CertificateAuthorityDataSource, and this CA bundle is written into the resulting kubeconfig. (#2193)
  • The FederationDomain.spec.issuer field must start with https://. Previously this was checked only after the resource had been created; now the check is enforced when the resource is created, so creating a FederationDomain whose issuer does not start with https:// fails. (#2167)
  • The long-deprecated CredentialIssuer.status.kubeConfigInfo field has been removed. (#2167)
  • Both the Pinniped Supervisor and the Pinniped Concierge have a new configuration option in their respective ConfigMaps to disable various types of dynamic admission plugins for their aggregated APIs. Disabling these admission plugins is not normally necessary. The option was added because a cluster with many ValidatingAdmissionPolicies can cause the Pinniped pods and the Kubernetes API server pods to use a large amount of memory. For more information, see the description of PR #2269. (#2269)
  • When compiling for FIPS compatibility, this release is designed to be used with Go 1.24, which includes an updated version of boringcrypto. Pinniped is still designed to be built with GOEXPERIMENT=boringcrypto and has not yet been tested with the new fips140 GODEBUG setting in Go 1.24. When compiled using hack/Dockerfile_fips, the Pinniped Concierge and Supervisor servers now allow both TLS 1.2 and TLS 1.3, because Go 1.24's updated boringcrypto supports both. As a result, the fips_enable_tls13_max_for_default_profile build tag, which previously had to be set to allow TLS 1.3 in FIPS-compatible mode, is no longer needed; TLS 1.3 is now allowed by default. This release also drops two insecure cipher suites that the updated boringcrypto no longer provides. (#2203)
  • Updates the Kubernetes libraries to v0.31.6, Golang to v1.24.1, and updates all other project dependencies. (#2276, #2268, #2266, #2264, #2249, #2239, #2236, #2233, #2228, #2209, #2205, #2197, #2196, #2195, #2192, #2191, #2190, #2189, #2188, #2187, #2186, #2278)
  • Some additional changes were made to improve tests. (#2253, #2250)

Diffs

A complete list of changes (81 commits, 179 changed files with 2,049 additions and 1,535 deletions) can be found here.

Acknowledgements
