The Pinniped Supervisor now supports LDAP identity providers, with a new LDAPIdentityProvider CRD:
- Connect to an LDAP server over LDAPS or LDAP with StartTLS. Insecure plaintext LDAP is not supported. A custom TLS certificate authority bundle can also be specified for verifying the server's certificate.
- Bind using username/password credentials in a Secret referenced by `spec.bind.secretName`. Only authenticated simple binds are currently supported.
- Search for users by specifying a search base (`spec.userSearch.base`) and filter (`spec.userSearch.filter`), then configure how the matching user is mapped to a Pinniped username and UID.
- Search for an authenticated user's groups by specifying another search base (`spec.groupSearch.base`) and filter (`spec.groupSearch.filter`), then configure how matching groups are mapped to Pinniped groups.
- Generate a kubeconfig file for each of your clusters using `pinniped get kubeconfig`, just as before. At login time, you'll be prompted to enter your LDAP username/password once to log in to the Supervisor. You'll then have safe access to any connected cluster via the Concierge. Only the Supervisor handles your LDAP password; the Concierge and your clusters never see it.
See our blog post and our how-to guide for OpenLDAP for more details. LDAP is the second major identity provider supported by Pinniped, and joins our support for OpenID Connect via the OIDCIdentityProvider API.
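The configuration described above, as an added example that is not part of the release notes or the project's own manifests: an `LDAPIdentityProvider` together with the bind-credential Secret it references. The hostname, DNs, attribute names, the (truncated) CA bundle, and the resource names are assumptions about a directory layout; the CRD is assumed to be cluster-scoped-free, i.e. created in the Supervisor's namespace.

```yaml
# Added example (not from the Pinniped release notes or repository).
# Placeholders: ldap.example.com, the DNs, attribute names and the CA bundle.
apiVersion: v1
kind: Secret
metadata:
  name: corp-ldap-bind-account
  namespace: pinniped-supervisor
type: kubernetes.io/basic-auth      # the bind Secret must be of this type
stringData:
  # Use a dedicated, read-only directory account for the searches; this
  # credential lives only in the Supervisor and is never sent to clients.
  username: "cn=pinniped,ou=service-accounts,dc=example,dc=com"
  password: "replace-me"
---
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: LDAPIdentityProvider
metadata:
  name: corp-ldap
  namespace: pinniped-supervisor
spec:
  # Host (and optional port) of the directory. Only TLS-protected sessions
  # (LDAPS or StartTLS) are made; a plaintext-only server will be rejected.
  host: "ldap.example.com:636"
  tls:
    # Base64-encoded PEM bundle used to verify the server certificate.
    # Truncated placeholder value (assumption); substitute your real CA.
    certificateAuthorityData: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLgo="
  bind:
    # Authenticated simple bind using the Secret above.
    secretName: corp-ldap-bind-account
  userSearch:
    base: "ou=users,dc=example,dc=com"
    # "{}" is replaced with the username typed at login. Pinning objectClass
    # keeps the search from matching unrelated entries under the base.
    filter: "&(objectClass=person)(uid={})"
    attributes:
      username: mail        # attribute whose value becomes the Kubernetes username
      uid: uidNumber        # attribute whose value becomes the Kubernetes UID
  groupSearch:
    base: "ou=groups,dc=example,dc=com"
    # "{}" here is replaced with the DN of the user entry found above.
    filter: "&(objectClass=groupOfNames)(member={})"
    attributes:
      groupName: cn         # attribute whose value becomes a Kubernetes group name
```

Pick username and UID attributes that are unique and never reassigned in your directory (a mail address can be recycled; a numeric `uidNumber` usually is not), because RBAC bindings on the clusters will key off those values. Check the object's `status` after applying it: the Supervisor reports whether it could load the CA bundle, bind, and reach the server before any user tries to log in.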
- The `spec.impersonationProxy.mode` field can be set to `enabled` to force the impersonation proxy to be deployed even on self-hosted clusters. It can be set to `disabled` to skip deploying the impersonation proxy even on cloud-managed clusters. The default mode is `auto`, which deploys the proxy automatically on clusters lacking control plane nodes.
- The `spec.impersonationProxy.service` field configures the corresponding Service. You can change the Service type (for example to `ClusterIP`) or specify annotations or a specific load balancer IP. This can be used to select a private load balancer even when the cloud provider defaults to one that is externally accessible.
- The `spec.impersonationProxy.externalEndpoint` field lets you override the external endpoint where the proxy will be advertised. This supports configurations with custom domain names or IP routing.
The YAML installation manifests and ytt templates for the Concierge now include an initial CredentialIssuer with defaults corresponding to the previous behavior. See https://github.com/vmware-tanzu/pinniped/issues/617 for example configurations.
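The three settings above combined, as an added example rather than the project's shipped default: a `CredentialIssuer` that forces the impersonation proxy on and publishes it only through an internal load balancer. The resource name, the provider annotation key (shown as the AWS one), the IP and the hostname are assumptions; the object is written without a namespace on the assumption that the CredentialIssuer is cluster-scoped in this release.

```yaml
# Added example (not the manifest that ships with the Concierge).
# Assumed: resource name, AWS annotation key, IP address and hostname.
apiVersion: config.concierge.pinniped.dev/v1alpha1
kind: CredentialIssuer
metadata:
  name: pinniped-concierge-config
spec:
  impersonationProxy:
    # auto     - deploy only when the cluster has no control plane nodes (default)
    # enabled  - always deploy, even on a self-hosted cluster
    # disabled - never deploy, even on a cloud-managed cluster
    mode: enabled
    service:
      # LoadBalancer, or ClusterIP when you front the proxy yourself.
      type: LoadBalancer
      # Provider-specific annotation requesting a private (non-internet-facing)
      # load balancer instead of the cloud's externally reachable default.
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      # Fixed address for the load balancer; only honoured by providers that
      # support it, otherwise leave it unset.
      loadBalancerIP: 10.20.30.40
    # host or host:port that clients should use; written into kubeconfigs
    # generated by `pinniped get kubeconfig`, so it must resolve to the
    # Service above (here, a private DNS name for the internal LB).
    externalEndpoint: pinniped-proxy.internal.example.com
```

With `type: ClusterIP` the `externalEndpoint` has to point at whatever you place in front of the Service (an ingress, a VPN-reachable address, a port-forward), since nothing else will route to it. After applying the object, inspect its `status` strategies to confirm the proxy was actually deployed and which endpoint it is advertising before regenerating kubeconfigs.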
Thanks to community user @jeuniii for suggesting this feature and providing great early feedback 🎉
- The Concierge will now reject webhook identities that assert UID or extra fields (https://github.com/vmware-tanzu/pinniped/pull/594). These fields could not be accurately conveyed to the Kubernetes API because they cannot be represented in an X.509 client certificate.
- Upgraded Kubernetes runtime library dependencies to v1.21.1.
- Upgraded several other dependencies, including Fosite to v0.40.2.
- Improved the stability of several integration tests.
A complete list of changes (214 commits, 218 changed files with 22,791 additions and 18,084 deletions!) can be found here.