github vmware-tanzu/pinniped v0.9.0

Release v0.9.0

Release Images

Release images are published to VMware Harbor and DockerHub.


Major Changes

  • The Pinniped Supervisor now supports LDAP identity providers, with a new LDAPIdentityProvider CRD:

    • Connect to an LDAP server over LDAPS or LDAP with StartTLS. Insecure plaintext LDAP is not supported. A custom TLS certificate authority bundle can be specified in the spec.tls.certificateAuthorityData field.

    • Bind using username/password credentials in a Secret referenced by spec.bind.secretName. Only authenticated simple binds are currently supported.

    • Search for users by specifying a search base (spec.userSearch.base) and filter (spec.userSearch.filter), then configure how the matching user is mapped to a Pinniped username and UID (spec.userSearch.attributes).

    • Search for an authenticated user's groups by specifying another search base (spec.groupSearch.base) and filter (spec.groupSearch.filter), then configure how matching groups are mapped to Pinniped groups (spec.groupSearch.attributes).

    • Generate a kubeconfig file for each of your clusters using pinniped get kubeconfig just as before. At login time, you'll be prompted to enter your LDAP username/password once to log in to the Supervisor. You'll then have safe access to any connected cluster via the Concierge. Only the Supervisor handles your LDAP password.

See our blog post and our how-to guide for OpenLDAP for more details. LDAP is the second major identity provider supported by Pinniped, and joins our support for OpenID Connect via the OIDCIdentityProvider API.
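As an added example (constructed for this page, not taken from the release notes or the Pinniped repository), the following manifest wires together the fields listed above for an LDAPS directory with a pinned CA bundle and an authenticated simple bind. The apiVersion, the attribute sub-field names (username, uid, groupName), the `{}` filter placeholder and the basic-auth Secret layout are assumptions drawn from Pinniped's documentation; every hostname, DN, attribute and secret value is a placeholder.

```yaml
# Constructed example: bind credentials live in a Secret, never in the CRD.
apiVersion: v1
kind: Secret
metadata:
  name: openldap-bind-account          # assumed name; referenced by spec.bind.secretName below
  namespace: pinniped-supervisor
type: kubernetes.io/basic-auth         # assumed Secret type expected by the Supervisor
stringData:
  username: "cn=pinniped,ou=service,dc=example,dc=com"   # placeholder: low-privilege read-only bind DN
  password: "REPLACE_WITH_BIND_PASSWORD"                 # placeholder
---
apiVersion: idp.supervisor.pinniped.dev/v1alpha1          # assumed API group for the Supervisor IDP CRDs
kind: LDAPIdentityProvider
metadata:
  name: openldap
  namespace: pinniped-supervisor
spec:
  # Port 636 = LDAPS. Plaintext LDAP is not supported; on 389 the Supervisor would use StartTLS.
  host: "ldap.example.com:636"                            # placeholder host
  tls:
    # Base64-encoded PEM bundle used to verify the LDAP server; pin a private CA here
    # rather than relying on the Supervisor pod's system trust store.
    certificateAuthorityData: "REPLACE_WITH_BASE64_PEM_CA_BUNDLE"   # placeholder
  bind:
    secretName: openldap-bind-account
  userSearch:
    base: "ou=users,dc=example,dc=com"                    # placeholder search base
    # "{}" is substituted with the username typed at login (assumed placeholder syntax);
    # the objectClass term keeps the search from matching non-user entries.
    filter: "&(objectClass=inetOrgPerson)(uid={})"
    attributes:
      username: mail        # value that becomes the Kubernetes username in the issued credential
      uid: uidNumber        # stable identifier that is not re-used when an account is recreated
  groupSearch:
    base: "ou=groups,dc=example,dc=com"                   # placeholder search base
    # "{}" is substituted with the authenticated user's DN (assumed), so only group
    # entries that list this user as a member are returned.
    filter: "&(objectClass=groupOfNames)(member={})"
    attributes:
      groupName: cn         # value that becomes each Kubernetes group name
```

Choosing a uid attribute that the directory never reassigns (uidNumber or entryUUID rather than a display name) matters because Kubernetes RBAC bindings made against a stale identity would otherwise follow a recreated account.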

  • The Concierge is now dynamically configurable via a new CredentialIssuer spec field. The API now lets you configure how the impersonation proxy is deployed:

    • The spec.impersonationProxy.mode field can be set to enabled to force the impersonation proxy to be deployed even on self-hosted clusters. It can be set to disabled to skip deploying the impersonation proxy even on cloud managed clusters. The default mode is auto, which deploys the proxy automatically on clusters lacking control plane nodes.

    • The spec.impersonationProxy.service field configures the corresponding Service. You can change the type of service (LoadBalancer or ClusterIP) or specify annotations or a specific load balancer IP. This can be used to select a private load balancer even when the cloud provider defaults to one that's externally accessible.

    • The spec.impersonationProxy.externalEndpoint field lets you override the external endpoint where the proxy will be advertised. This supports configurations with custom domain names or IP routing.

The YAML installation manifests and ytt templates for the Concierge now include an initial CredentialIssuer with defaults corresponding to the previous behavior. See for example configurations.

Thanks to community user @jeuniii for suggesting this feature and providing great early feedback 🎉

Minor Changes

  • The Concierge will now reject webhook identities that assert UID or extra fields. These fields could not be accurately conveyed to the Kubernetes API because they cannot be represented in an x509 certificate.

  • Upgraded Kubernetes runtime library dependencies to v1.21.1.

  • Upgraded several other dependencies, including Fosite to v0.40.2.

  • Improved the stability of several integration tests.

A complete list of changes (214 commits, 218 changed files with 22,791 additions and 18,084 deletions!) can be found here.
