File pinniped.changes of Package pinniped

-------------------------------------------------------------------
Wed Oct 29 08:51:03 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- Update to version 0.42.0:
  * Changes
    - This release adds some more advanced configuration options
      for the Concierge's kube cert agent Deployment.
  * Minor Changes
    - Adds a new configuration option which can be used in the
      Concierge's ConfigMap to change the kube cert agent
      Deployment's strategy type. See PR description for details.
      (#2690)
    - Adds a new configuration option which can be used in the
      Concierge's ConfigMap to change the kube cert agent
      Deployment's pod template runAsUser and runAsGroup. See PR
      description for details. (#2683)
    - Updates the Kubernetes libraries to v0.33.5, Golang to
      v1.25.3, and updates all other project dependencies. (#2676,
      #2590)
  * Diffs
    A complete list of changes (15 commits, 32 changed files with
    648 additions and 205 deletions) can be found here.
    https://github.com/vmware-tanzu/pinniped/compare/v0.41.0...v0.42.0

-------------------------------------------------------------------
Tue Sep 02 06:05:31 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- Update to version 0.41.0:
  This release enables the use of ADFS with the Pinniped Supervisor
  and upgrades dependencies.
  * Major Changes
    - The Pinniped Supervisor supports OIDC-compliant providers,
      along with several other identity provider types. However,
      ADFS does not correctly implement the OIDC specification, so
      it was not previously supported. This release provides a
      workaround so that the Pinniped Supervisor can be configured
      to use ADFS as an OIDCIdentityProvider. See PR #2580's
      description for more documentation.
  * Minor Changes
    - Updates the Kubernetes libraries to v0.33.4, Golang to
      v1.25.0, and updates all other project dependencies. (#2588,
      #2577, #2573, #2536, #2531, #2529)
  * Diffs
    - A complete list of changes (20 commits, 112 changed files
      with 679 additions and 256 deletions) can be found here.
      https://github.com/vmware-tanzu/pinniped/compare/v0.40.0...v0.41.0

-------------------------------------------------------------------
Tue Aug 05 05:21:54 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- Update to version 0.40.0:
  This release adds new features to JWTAuthenticator and upgrades dependencies.
  * Major Changes
    - Starting with this release, container images for the release
      will no longer be pushed to
      ghcr.io/vmware-tanzu/pinniped/pinniped-server. For this
      release and for future releases, container images will be
      pushed to ghcr.io/vmware/pinniped/pinniped-server instead.
      This is because the Pinniped GitHub repository was recently
      moved from the vmware-tanzu GitHub organization to the vmware
      organization. GitHub automatically redirects most things from
      the old location to the new location, but not the container
      image repository. (#2526)
    - The Pinniped JWTAuthenticator has several new features which
      are meant to be similar to features found in Kubernetes
      AuthenticationConfiguration. (#2491) These are all expert
      user features and should be used with caution. See the
      Pinniped API docs for full documentation. The new features
      are:
      - spec.claimValidationRules: works like jwt[].claimValidationRules
      - spec.userValidationRules: works like jwt[].userValidationRules
      - spec.claims.usernameExpression: works like jwt[].claimMappings.username.expression
      - spec.claims.groupsExpression: works like jwt[].claimMappings.groups.expression
      - spec.claims.extra: works like jwt[].claimMappings.extra
        - Note that while these extras will be added to the client
          certificate issued by the Pinniped Concierge during end
          user login, Kubernetes will not respect these extras
          because Kubernetes has no mechanism for userInfo extras
          from a client cert. This will probably only be useful if
          you are using a custom auth proxy in front of Kubernetes.
        - Also note that unlike in Kubernetes structured auth, the
          keys for these extras in Pinniped are not allowed to
          contain the = character.
  * Minor Changes
    - Updates the Kubernetes libraries to v0.33.3, Golang to
      v1.24.4, and updates all other project dependencies. (#2482,
      #2475, #2473, #2471, #2393, #2525, #2528)
    - Makes some minor changes to accommodate Pinniped's CI system
      moving. (#2514, #2506, #2485, #2461)
  * Diffs
    A complete list of changes (45 commits, 199 changed files with
    9,549 additions and 1,229 deletions) can be found here.
    https://github.com/vmware-tanzu/pinniped/compare/v0.39.0...v0.40.0

-------------------------------------------------------------------
Tue May 20 04:56:11 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

- Update to version 0.39.0:
  * Changes
    - Add a feature to set spec.priorityClassName for the
      kube-cert-agent pod created by Concierge.
  * Major Changes
    - Added a feature to set spec.priorityClassName for the
      kube-cert-agent pod created by Concierge. For more
      information see the issue #2349 and the PR #2389. It's
      possible to set the spec.priorityClassName for the Concierge
      and Supervisor pods by changing the manifest (if using the
      provided ./deploy directory, use a ytt overlay).
  * Minor Changes
    - Updated many golang dependencies. See the go.mod file for
      details
    - Added Pinniped golang codegen for K8s 1.32 and 1.33. Removed
      Pinniped codegen for K8s 1.25.
  * Bug Fixes
    - N/A

-------------------------------------------------------------------
Thu Mar 20 05:55:28 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 0.38.0:
  A complete list of changes (81 commits, 179 changed files with
  2,049 additions and 1,535 deletions) can be found here.
  https://github.com/vmware-tanzu/pinniped/compare/v0.37.0...v0.38.0
  * Minor Changes
    - The Pinniped Supervisor now supports using
      response_mode=form_post with an OIDCIdentityProvider. Some
      versions of ADFS might require this in order for Pinniped to
      receive certain claims in the ADFS-issued ID token. (#2254)
    - The pinniped get kubeconfig CLI command now auto-discovers
      the issuer's CA bundle from a JWTAuthenticator's
      spec.TLS.CertificateAuthorityDataSource, and this CA bundle
      is written into the resulting kubeconfig. (#2193)
    - The FederationDomain.spec.issuer field must start with
      https://. This was previously validated after the resource
      was created. Now this validation will cause resource creation
      to fail. (#2167)
    - The long-deprecated CredentialIssuer.status.kubeConfigInfo
      field has been removed. (#2167)
    - Both the Pinniped Supervisor and the Pinniped Concierge have
      a new configuration option available in their respective
      ConfigMaps to disable various types of dynamic admission
      plugins for their aggregated APIs. It is not typically
      necessary to disable these admission plugins. This feature
      was added because having lots of ValidatingAdmissionPolicies
      on your cluster can cause the Pinniped and Kubernetes API
      server pods to use lots of memory. For more information, see
      the description of PR #2269. (#2269)
    - When compiling for FIPS compatibility, this release is
      designed to be used with Go 1.24, which included an updated
      version of boringcrypto. Note that Pinniped is still designed
      to be used with GOEXPERIMENT=boringcrypto, and has not yet
      been tested with Go 1.24's new fips140 GODEBUG setting. When
      compiled using hack/Dockerfile_fips, the Pinniped Concierge
      and Supervisor servers will allow the use of both TLS 1.2 and
      TLS 1.3, because Go 1.24 now supports both with its updated
      version of boringcrypto. As a result, the
      fips_enable_tls13_max_for_default_profile build tag, which
      could previously be used to allow the use of TLS 1.3 in
      FIPS-compatible mode, is no longer needed, as that is now the
      default behavior. Also drops the use of two insecure ciphers
      that have been dropped by boringcrypto. (#2203)
    - Updates the Kubernetes libraries to v0.31.6, Golang to
      v1.24.1, and updates all other project dependencies. (#2276,
      #2268, #2266, #2264, #2249, #2239, #2236, #2233, #2228,
      #2209, #2205, #2197, #2196, #2195, #2192, #2191, #2190,
      #2189, #2188, #2187, #2186, #2278)
    - Some additional changes were made to improve tests. (#2253,
      #2250)

-------------------------------------------------------------------
Thu Jan 16 05:55:46 UTC 2025 - opensuse_buildservice@ojkastl.de

- Update to version 0.37.0:
  * Bump dependencies
  * rerun codegen after bumping controller-gen and crd-ref-docs
  * use github.Ptr where deprecated github.String and github.Int64
    were used
  * upgrade dep to github.com/google/go-github/v68/github
  * update architecture.md
  * add doc describing all tokens and credentials
  * Bump dependencies
  * change remoteAddr to sourceIPs in Supervisor audit log for
    incoming reqs
  * upgrade golangci-lint to v1.63.4
  * Bump codegen for 1.31, 1.30, and 1.29
  * bump build image to latest
  * temporarily avoid upgrades to kube v0.32.0 without replace
    directives
  * Pin k8s.io dependencies to v0.31.4
  * bump golang.org/x/net
  * introduce build tags to optionally override some TLS settings
  * upgrade fosite to v0.49.0 and handle its API changes
  * Updated versions in docs for v0.36.0 release

-------------------------------------------------------------------
Wed Dec 11 06:54:15 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.36.0:
  * Callback endpoint emits audit log with authorizeID even when
    code param not found
  * Bump dependencies
  * make audit_test.go ignore pod log lines that aren't JSON
  * ran update.sh after updating kube minor versions for codegen
  * update kube-versions.txt for new patch versions
  * update release_checklist.md for new hack script
  * ran new hack script to update all majors: updated github mod
  * add hack script to help update major versions of modules
  * Bump dependencies
  * Update error text assertion due to change in ory/fosite
  * Standardize casing in Dockerfiles
  * Bump dependencies
  * attempt to fix a test flake seen sometimes in CI
  * TokenCredentialRequest uses actual cert expiry time instead of
    estimate
  * simplify single-node.yaml
  * callback endpoint renders more useful user-facing error
    messages
  * fix typo in audit-logging.md
  * rename `tokenIdentifier` to `tokenID` in the audit logs
  * update audit-logging.md to reflect changes in recent commits
  * allow audit correlation between token being issued and being
    used
  * Allow override of audit.log_usernames_and_groups for local
    debugging
  * Easily enable kind audit logs with ENABLE_AUDIT_LOGGING=true
    ./hack/kind-up.sh
  * Small fixes for integration tests
  * simplify godoc
  * add integration test for personal info showing in login audit
    logs
  * Backfill unit tests for paramsSafeToLog
  * Backfill unit tests for cmd/pinniped/cmd/audit_id.go
  * Backfill unit tests for audit logging from the CLI
  * log response audit-id for tokencredentialrequests made from CLI
  * prepare-supervisor-on-kind.sh takes new --api-group-suffix flag
  * pinniped CLI should print the audit-ID in certain error cases
  * Add generic audit integration test
  * update original audit logging proposal
  * clean up audit logging documentation
  * cleanup example audit logs to make them prettier
  * use test helper in rest_test.go to reduce some duplication
  * don't audit log missing username or password, change query
    param value
  * update audit-logging.md to resolve todos
  * audit log session ID in token handler for every grant type
  * audit log OIDCClientSecretRequests
  * resolve TODO by adding docs
  * add unit test for audit logging when token refresh updates
    groups
  * audit log request params on GET and POST login handlers
  * refactor and add unit test for AuditRequestParams()
  * token handler uses common method to audit HTTP request
    parameters
  * introduce common method to audit HTTP request parameters
  * Use correct caller when generating audit events
  * Add audit event 'Incorrect Username Or Password' to
    auth_handler and audit event 'Using Upstream IDP' to
    callback_handler
  * Add audit logging to post_login_handler
  * tokencredentialrequest audit logs failed requests
  * tokencredentialrequest audit logs successful responses
  * Start backfilling some audit unit tests in post_login_handler
  * all callers of Audit() identify which keys may contain PII
  * audit log: keep key ordering in personalInfo, render nil slices
    and maps
  * make Audit() take struct as param for all optional params and
    redact PII
  * add config for audit logging, remove Audit() from Logger
    interface
  * Fix some rebase conflicts
  * Backfill unit tests for garbage_collector audit logging
  * Audit event 'HTTP Request Completed' will now log the location
    with err, error, and error_description query parameters
  * Add last audit log unit tests to auth_handler
  * refactor to move audit event message types to their own pkg
  * auth handler audit logs headers and params when http method is
    wrong
  * The 'HTTP Request Parameters' audit event now logs params as a
    JSON object
  * Log params to token_handler endpoint even during error cases
  * Fix lint and unit test compilation
  * Start to backfill some audit unit tests for the token_handler
  * resolve some todos
  * Add configuration to audit internal endpoints and backfill unit
    tests
  * Clarify docs
  * Extract testutil helper function
  * Add audit event tests for login_handler
  * Add audit event tests for callback_handler
  * document audit logging
  * update fips reference doc
  * plog.TestLogger returns a buffer that holds the logs
  * Refactor: don't copy the loop variable in test loops
  * fix lint
  * Add 'AuthorizeID From Parameters' audit logs to the /callback
    and /login endpoints
  * Use a helper to verify audit messages
  * Check the sessionID as well
  * WIP: Add audit event when upstream redirect occurs and backfill
    tests
  * Add testutil.RequireLogLines to verify multiple log lines at
    once
  * audit logging WIP
  * Bump dependencies
  * kube cert agent controller avoids unschedulable nodes when
    possible
  * Bump dependencies
  * plog.TestLogger returns a buffer instead of taking one in
  * Bump dependencies
  * update test expectation to match new validation error text in
    new Kube
  * Updated versions in docs for v0.35.0 release
  * fix test flake by removing memory limit from test pod

-------------------------------------------------------------------
Tue Nov 12 06:52:50 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.35.0:
  * Pin sigs.k8s.io/structured-merge-diff/v4s to the version used
    in k8s.io/apimachinery@v0.31.2
  * Bump dependencies
  * add SAN to default cert in supervisor_discovery_test.go
  * run codegen again after updating version of controller-gen in
    CI
  * run codegen after updating kube-versions.txt in previous commit
  * update kube-versions.txt
  * JWTAuthenticator must reload when spec.audience or spec.claims
    changes
  * remove replace directives made unnecessary by recent dep bumps
  * Bump dependencies
  * update replace directives in go.mod
  * Bump dependencies
  * changes related to migrating CI code from private repo to `ci`
    branch
  * Bump dependencies
  * Bump dependencies
  * Bump dependencies
  * Run go generate with new version of mock library
  * Bump dependencies
  * Updated versions in docs for v0.34.0 release
  * Updated versions in docs for v0.33.0 release

-------------------------------------------------------------------
Thu Oct 17 19:03:40 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.34.0:
  * Minor Changes
    - Updates Go to v1.23.2, updates the Kubernetes libraries to
      v0.31.1, and updates all other project dependencies. (#2071,
      #2068, #2067, #2064, #2063, #2059, #2058, #2057, #2052,
      #2047, #2048, #2046, #2045, #2044, #2042, #2041)
    - Some developer tooling, log statements, and comments were
      improved for the project maintainers and contributors.
      (#2061, #2049, #2037)
    - Some small documentation updates. (#2050, #2038, #2039)
  * Bug Fixes
    - When the HTTPS_PROXY environment variable was set for the
      Concierge pods, the Concierge would not use the proxy setting
      while calculating the status conditions of
      WebhookAuthenticators. This could cause the connection probe
      to fail and the WebhookAuthenticator to be incorrectly put
      into an error status, making it unusable. This bug was
      introduced in v0.30.0 when the WebhookAuthenticator status
      conditions were introduced. This release fixes the bug by
      automatically skipping the connection probe when the
      HTTPS_PROXY and NO_PROXY environment variable values would
      cause requests to the WebhookAuthenticator's configured URL
      to be made through the proxy. (#2069) Additionally, the
      tls.Dial used in this connection probe was assigned a
      timeout. (#2056, #2065)
    - When the HTTPS_PROXY environment variable was set for the
      Supervisor pods, the Supervisor would not use the proxy
      setting while calculating the status conditions of
      GitHubIdentityProviders. This could cause the connection
      probe to fail and the GitHubIdentityProvider to be
      incorrectly put into an error status, making it unusable.
      This bug was introduced in v0.31.0 when
      GitHubIdentityProviders were first introduced. This release
      fixes the bug by respecting the values of the HTTPS_PROXY and
      NO_PROXY environment variables during the connection probe to
      the configured GitHub server. (#2069)
    - When the Concierge finds a controller-manager pod and tries
      to parse its configured command-line flags, it previously
      looked for the flags --cluster-signing-cert-file and
      --cluster-signing-key-file. Now it will also look for the
      alternate flags
      --cluster-signing-kube-apiserver-client-key-file and
      --cluster-signing-kube-apiserver-client-cert-file. This could
      potentially help make the Concierge compatible with more
      Kubernetes distributions. For more information, please see
      the PR description. (#2043)
  * Diffs
    A complete list of changes (113 commits, 421 changed files with
    25,654 additions and 11,665 deletions) can be found here.
    https://github.com/vmware-tanzu/pinniped/compare/v0.33.0...v0.34.0

-------------------------------------------------------------------
Thu Aug 08 05:21:13 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.33.0:
  This release introduces support for dynamically reading CA
  bundles from ConfigMaps or Secrets. It also includes some minor
  changes, bug fixes, and upgrades all project dependencies.
  * Major Changes
    - All custom resource types that configure Pinniped to act as
      an HTTPS client to some external server have been updated to
      optionally allow the CA bundle used to verify those HTTPS
      connections to be configured in a ConfigMap or Secret, which
      will be dynamically watched by Pinniped for updates. (#1984,
      #1996)
      - This includes the JWTAuthenticator, WebhookAuthenticator,
        OIDCIdentityProvider, GitHubIdentityProvider,
        ActiveDirectoryIdentityProvider, and LDAPIdentityProvider
        resources.
      - This makes it easier for your CA bundles to be configured
        and managed externally by cert-manager, trust-manager, or
        any other automation tools.
      - See the API docs for the Concierge TLSSpec and the very
        similar Supervisor TLSSpec.
      - See the blog post announcing this feature.
  * Minor Changes
    - A new Status printer column was added to the table output for
      WebhookAuthenticator and JWTAuthenticator. The value shown in
      the column is the status.Phase of the resource. (#1996)
    - To be consistent with other Pinniped custom resources,
      enhanced OIDCIdentityProvider, LDAPIdentityProvider, and
      ActiveDirectoryIdentityProvider to report status.conditions
      with status Unknown when it cannot perform a validation due
      to a configuration problem already reported on another status
      condition. (#2034)
    - Updates Go to v1.21.5, updates the Kubernetes libraries to
      v0.30.3, and updates all other project dependencies. (#2036,
      #2035, #2030, #2026, #2023, #2021, #2020, #2019, #2018,
      #2015, #2014, #2012, #2008, #2011, #2007, #2005, #2004,
      #2003, #2001, #1999, #1998, #1997, #1995)
    - Some developer tooling, log statements, and comments were
      improved for the project maintainers and contributors.
      (#2033, #2024, #2010)
    - Some small documentation updates. (#2028, #1993)
  * Bug Fixes
    - Fixes a bug for JWTAuthenticators and WebhookAuthenticators
      where their status was not always being updated after their
      initial creation. (#1996)
    - Host names with upper case characters were previously
      considered invalid by several Pinniped custom resources. Now
      mixed-case host names will be allowed. (#2022)
    - When testing the connection for GitHubIdentityProvider's
      default host github.com, actually dial api.github.com for
      status.conditions validation purposes, because api.github.com
      is the host that will actually be used during end-user
      authentication. (#2032)
    - WebhookAuthenticators and JWTAuthenticators which were
      previously validated, and then become invalid due to a spec
      change, are not considered usable for end-user authentication
      anymore. To reduce the number of TCP dials to the remote
      server made during validation, WebhookAuthenticators and
      JWTAuthenticators that are already validated by a Concierge
      pod will not be validated again by that same pod unless the
      spec changes, the specified CA bundle changes, or the pod
      restarts. (#2013)

-------------------------------------------------------------------
Fri Jun 21 20:10:21 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.32.0:
  * rewrite flaky category test
  * bump codegen kube versions
  * Bump dependencies
  * some mild refactoring of ptls common.go (mostly renames)
  * Also probe aggregated API ports in new ciphers test
  * fix lint
  * Refactor to make profiles.go and profiles_fips_strict.go more
    similar
  * Add integration test for allowed ciphers
  * User can now configure allowed ciphers, to restrict the
    ciphers used by the Default profile
  * Remove Legacy TLS Config, which is not used in the source code
  * Remove plog.Logr, make plog.TestZapr private, and CLI logs do
    not need a name
  * No need for calling code to use deprecated options
  * Use plog.Logger instead of logr.Logger wherever possible
  * Lint new files from the GitHub branch
  * update toolchain version in some go.mod files
  * handle another github login interstitial page
  * Updated versions in docs for v0.31.0 release
  * blog post for v0.31.0: github IDP support
  * Bump golang.org/x/mod from 0.17.0 to 0.18.0 in
    /hack/update-go-mod
  * Add module generate command and update all generated files
  * Move all mock files into internal/mocks and use mock prefix
  * Prefer slices package and slices.Concat where possible
  * Enforce more imports
  * Enable 'makezero' and 'prealloc' linters, and require 'any'
    instead of 'interface{}'
  * Enforce aliases for 'k8s.io/apimachinery/pkg/util/errors' and
    'k8s.io/apimachinery/pkg/api/errors'

-------------------------------------------------------------------
Fri Jun 07 19:28:42 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.31.0:
  CLI-related changes
  * Pinniped CLI and the oidc-client package are now enhanced by
    pinniped_supported_identity_provider_types

-------------------------------------------------------------------
Fri May 10 04:57:05 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.30.0:
  * Added new option to OIDCClient resource to allow configuration
    of ID token lifetime for tokens issued by authcode flows and
    refresh flows. See
    OIDCClient.spec.tokenLifetimes.idTokenSeconds in the API docs.
    (#1914)
  * Setting the new env var PINNIPED_SKIP_PRINT_LOGIN_URL=true will
    cause the Pinniped CLI to skip printing the login URL when a
    browser has launched, which can be useful when using console
    UIs like k9s. (#1938, #1897)
  * WebhookAuthenticator resources will have detailed status
    written to them automatically, to aid in debugging. (#1894)
  * WebhookAuthenticators now honor Pinniped's preferred client TLS
    configuration, including its preferred allowed TLS v1.2
    ciphers. This could be a breaking change if your webhook server
    is serving requests using only TLS v1.2 (not allowing TLS v1.3)
    and does not allow any of Pinniped's preferred TLS v1.2
    ciphers. Note that Pinniped's preferred TLS v1.2 cipher list is
    different depending on if it was compiled in FIPS compatibility
    mode or not. (#1917)
  * Removed all deprecated deployment options from ytt templates.
    (#1926)
  * Clarified the text in some error messages. (#1932, #1922)
  * Added documentation to provide some debugging tips. (#1936,
    #1904, #1824)
  * Updates Go to v1.22.3, updates the Kubernetes libraries to
    v0.30.0, and updates all other project dependencies. (#1940,
    #1937, #1935, #1934, #1933, #1931, #1921, #1916, #1913, #1911,
    #1902, #1899)

-------------------------------------------------------------------
Fri Mar 15 21:35:06 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 0.29.0:
  * Use go.uber.org/mock instead of github.com/golang/mock and
    rerun mock generation
  * Bump dependencies
  * Bump golang.org/x/mod from 0.15.0 to 0.16.0 in
    /hack/update-go-mod
  * Use ghcr instead of Harbor as the default for pinniped-server
    images
  * CLI's localhost listener handles CORS preflight requests for
    GETs
  * Integration tests should use a valid value for CredentialIssuer
    spec.impersonationProxy.service.type
  * Bump google.golang.org/protobuf to v1.33.0 for CVE-2024-24786
  * whoami integration test now allows for additional extra fields
    in K8s 1.30+
  * Add some logging and comments making it easier to debug with
    chrome
  * replace version of otelhttptrace in go.mod
  * Add 1.29 and update patch versions in kube-versions.txt; run
    codegen
  * Change codegen scripts to work with Kube 1.29
  * wait for JWTAuthenticator to be phase=ready in supervisor
    warnings test
  * Update jwtauthenticator unit tests to check actions
  * Update jwk authenticator status integration tests
  * Add Status & tests for jwks key fetching
  * Update copyright year in modified files
  * Add integration tests for JWTAuthenticators
  * add WaitForJWTAuthenticatorStatusPhase() integration helper
  * fix comment in testlib/client.go
  * Improve jwtcachefiller tests
  * extract status comparison test helpers
  * ldap upstream watcher: rename local var for clarity
  * Add .Status to JWTAuthenticator with Conditions,Phase
  * Update some comments in go.mod
  * Fix races in login_test.go unit tests
  * Update codeql workflow actions to latest versions and add
    setup-go
  * "login oidc" CLI command sometimes skips printing auth URL for
    non-ttys
  * Update configure-concierge-jwt.md doc with clarifications
  * Add hack/prepare-jwtauthenticator-on-kind.sh
  * CLI deciding if token exchange needed should not look at ID
    token expiry
  * Don't skip upstream group memberships when groups scope is not
    granted
  * Rename a func and collapse applying id transforms into creating
    session
  * Refactor to move invocation of identity transforms out of IDP
    interfaces
  * Refactor token endpoint to add interface for IDP upstream
    refresh
  * Refactor to extract interface for upstream IDP interactions
  * More refactoring of auth handler and related refactor of
    upstreamldap
  * Refactor error handling in authorize endpoint (changes some
    responses)
  * Correct doc which explained bug that has since been fixed.
  * Adjust tests and comments for upgrade to latest version of
    fosite
  * login oidc cmd checks access token expiry before doing token
    exchange
  * Convert double-quoted strings to raw strings in login_test.go
  * Fix ptls_test.go for Go 1.22
  * Rerun codegen after upgrading CI controller-gen from v0.13.0 to
    v0.14.0
  * Fix plog_test.go for Go 1.22
  * Revert support TLS 1.3 in FIPS mode because Go reverted
    goboring upgrade
  * Test util AssertTLS supports both old and new goboring
  * Bump golang.org/x/mod from 0.14.0 to 0.15.0 in
    /hack/update-go-mod
  * disable dependabot for some things in favor of our own tooling
  * Increase the lint timeout in hack/module.sh for when CI workers
    get slow
  * update CI URL in CONTRIBUTING.md
  * Support the new Go FIPS compiler which was upgraded inside Go
    1.21.6
  * Update dependencies, including Kube packages to v0.29.0
  * Updated versions in docs for v0.28.0 release

-------------------------------------------------------------------
Sat Dec 16 19:00:25 UTC 2023 - kastl@b1-systems.de

- Update to version 0.28.0:
  * Minor Changes
    - The Concierge will no longer create a long-lived service
      account token upon installation, which was previously
      contained in a Secret in the Concierge's namespace. Instead,
      it will dynamically fetch short-lived tokens and hold them
      in-memory in the Pods. Upon upgrade, the old Secret will be
      automatically deleted. This improves security posture by
      making it impossible for an RBAC configuration or similar
      mistake to make this token readable to non-admins, and also
      by making the token short-lived. Other Secrets in the
      namespace must still be protected against read by non-admins.
      (#1733)
    - The Supervisor will now show an interstitial web page to
      allow the end-user to choose one of the configured IDPs, when
      multiple IDPs are configured, and when the query parameters
      to the OIDC authorize endpoint do not specify which IDP to
      use. (#1742)
    - A new debugging tool has been added to aid in debugging your
      LDAPIdentityProvider settings. See
      hack/debug-ldapidentityprovider.sh. (#1594)
    - The values.yaml files in the ytt template directories have
      been converted to use ytt's schema feature. This makes it
      easier for users or 3rd parties to create Carvel packages
      using the Dockerfile and ytt templates from the Pinniped
      repo. At this time, the Pinniped releases on GitHub do not
      include Carvel packages. (#1701)
    - The project's Dockerfiles have been updated to add build ARGs
      to choose the BUILD_IMAGE (golang image used to compile) and
      the BASE_IMAGE (base layer of the resulting container image).
      This will make it easier for users and 3rd parties to choose
      alternate images when building the project. The default
      values are the latest golang image and the latest
      gcr.io/distroless/static image. The project maintainers will
      continue to bump the default values when updates of those
      images are available. (#1776)
    - Updates Go to v1.21.5, updates the Kubernetes libraries to
      v0.28.4, and updates all other project dependencies. (#1815,
      #1808, #1807, #1804, #1803, #1801, #1793, #1791, #1788,
      #1779, #1775, #1772, #1771, #1767, #1763, #1755, #1751,
      #1748, #1741, #1738, #1735, #1734, #1732, #1721, #1752)
  * Bug Fixes
    - pinniped whoami has a new --timeout parameter, which defaults
      to no timeout. This replaces a hardcoded timeout which caused
      pinniped whoami to fail when a user took more than 20 seconds
      to complete a fresh interactive login. (#1774)

-------------------------------------------------------------------
Wed Oct 11 04:44:59 UTC 2023 - kastl@b1-systems.de

- Update to version 0.27.0:
  * document usage of --pinniped-cli-path option
  * Bump go.mod direct dependencies
  * add a login banner to CLI-based login prompts which shows the
    IDP name
  * backfill unit tests for expected stderr output in login_test.go
  * Rename username and password prompt variables
  * Shorten kubeconfigCommand func for lint funlen
  * Allow 'pinniped get kubeconfig' to override the client-go
    credential plugin command
  * Update kube versions for codegen
  * tolerate arm64 in tools deployments and jobs
  * Bump dockerfiles to golang:1.21.2
  * Update hack/update-go-mod/go.mod
  * Bump go.mod direct dependencies
  * Update website docs for arm64 support
  * Use bitnami/openldap in integration tests instead of our old
    fork
  * Support building and deploying multi-arch linux amd64 and arm64
    images
  * Show errors from the form_post POST request on the page
  * Bump go.mod direct dependencies
  * Bump go.mod direct dependencies
  * Optionally use Contour in hack/prepare-supervisor-on-kind.sh
  * fix flake seen in pod_shutdown_test.go
  * Stop using deprecated critical-pod annotation
  * Same error messages shown in CLI's callback web page and in
    terminal
  * Use latest controller-gen, which allows CEL validations
  * add integration test for graceful shutdowns which release
    leader leases
  * Fix deadlock during shutdown which prevented leader election
    cleanup
  * Update blog rendering to h1 the title (not h2)
  * Updated versions in docs for v0.26.0 release
  * add blog post for v0.26.0 release
  * Add CI/CD How-To

-------------------------------------------------------------------
Wed Sep 20 05:38:43 UTC 2023 - kastl@b1-systems.de

- Update to version 0.26.0:
  * trying to avoid flake on Okta login page in browser
  * specify the container name when fetching keys from kube cert
    agent pod
  * Update LDAP integration tests for changes in
    github.com/go-ldap/ldap/v3
  * Bump k8s.io/kube-openapi and pin github.com/google/cel-go
  * Bump go.mod direct dependencies
  * Bump go.uber.org/zap from 1.25.0 to 1.26.0
  * Keep the deps updated from previous commit but keep cel-go at
    0.16.x
  * Bump go.mod direct dependencies
  * update kube-versions.txt for codegen
  * multiple IDPs and identity transformations docs
  * remove extra timeoutCtx for exec.CommandContext invocations in
    e2e test
  * add celformer unit test demonstrating string regexp in CEL
    expressions
  * make prepare-supervisor-on-kind.sh work with older versions of
    bash
  * fix imports grouping in manager.go
  * add workaround in update-codegen.sh for problem seen when run
    on linux
  * update FederationDomain.status.conditions to come from metav1
  * Fix conflicts caused from rebasing main into multiple IDPs
    branch
  * add the IDP display name to the downstream ID token's `sub`
    claim
  * add unit tests to token_handler_test.go
  * run codegen again after rebasing main branch into feature
    branch
  * started adding unit tests for identity transforms to
    token_handler_test.go
  * add unit tests to post_login_handler_test.go
  * add new unit tests in callback_handler_test.go
  * use slices.Contains() instead of custom func in
    token_handler_test.go
  * add new unit tests in auth_handler_test.go
  * Add more tests with identity transformations in
    supervisor_login_test.go
  * Replace more pointer.String() with the new ptr.To()
  * Start adding identity transformations tests to
    supervisor_login_test.go
  * Fix expectations in FederationDomains status test for old Kube
    versions
  * Add e2e test for rejecting auth using identity transformation
    policy
  * handle old versions of k8s in
    supervisor_federationdomain_status_test.go
  * remove expectation about TransformsConstantsNamesUnique status
    condition
  * rename a local variable in an integration test
  * add an e2e test for a FederationDomain with multiple IDPs and
    transforms
  * CRD already validates that IDP transform constant names are
    unique
  * fix some here.Doc string indents in
    federation_domain_watcher_test.go
  * wordsmith some FederationDomain status messages
  * add integration test for FederationDomain status updates
  * small refactor in supervisor_discovery_test.go
  * add unit test for ApplyIdentityTransformations helper
  * add unit tests for getters in federation_domain_issuer_test.go
  * extract a helper function in federation_domain_watcher.go
  * use multiple IDPs in manager_test.go
  * Status condition messages for IDP transforms show index of
    invalid IDP
  * Make it possible to compare transformation pipelines in unit
    tests
  * Validate transforms examples in federation_domain_watcher.go
  * Validate transforms expressions in federation_domain_watcher.go
  * Add helper for happy/sad conditions to
    federation_domain_watcher_test.go
  * Allow for slower CI workers in celformer_test.go
  * Validate transforms const names in federation_domain_watcher.go
  * Update proposal doc statuses
  * Replace sleep with kubectl wait in
    prepare-supervisor-on-kind.sh
  * Validate IDP objectRef kind names in
    federation_domain_watcher.go
  * Validate apiGroup names are valid in
    federation_domain_watcher.go
  * Validate display names are unique in
    federation_domain_watcher.go
  * Handle some unexpected errors in federation_domain_watcher.go
  * Refactor: extract helper functions in
    federation_domain_watcher.go
  * Load FederationDomain endpoints before updating its status
  * Fix lint errors in federation_domain_watcher.go, and adjust
    unit test
  * Update integration tests for new FederationDomain phase
    behavior
  * Refactor federation_domain_watcher_test.go and add new test to
    its table
  * Expand IdentityProvidersFound condition in
    federation_domain_watcher
  * Update federation_domain_watcher with new IdentityProviderFound
  * Change federation_domain_watcher_test.go to use a test table
    style
  * Update informers unit test for
    FederationDomainWatcherController
  * Change name of FederationDomain printer column back to "Status"
  * Change FederationDomain.Status to use Phase and Conditions
  * Update a test assertion to make failure easier to understand
  * fix more integration tests for multiple IDPs
  * update 1.27 codegen for multiple IDPs
  * update unit test that fails on slow CI workers
  * Fix some tests in supervisor_login_test.go
  * escape semicolons in variable values in
    integration-test-env-goland.sh
  * fix callback_handler_test.go
  * fix token_handler_test.go
  * test FederationDomainIdentityProvidersListerFinder
  * reorganize federation domain packages to be more intuitive
  * Reorganized FederationDomain packages to avoid circular
    dependency
  * Fix auth_handler_test.go
  * Update auth_handler.go to return 422 error when upstream IdP
    not found
  * Fix post_login_handler_test.go
  * add a type assertion
  * fix internal/oidc/provider/manager/manager_test.go
  * refactor: rename "provider" to "federationdomain" when
    appropriate
  * Get tests to compile again and fix lint errors
  * Add tests for identity_transformation.go
  * Fixup unit tests for the previous commit
  * First draft of implementation of multiple IDPs support
  * Allow user-defined string & stringList consts for use in CEL
    expressions
  * Add identity transformation packages idtransform and celformer
  * Add APIs for multiple IDP and id transformations to
    FederationDomain CRD
  * Use Conditions from apimachinery, specifically
    k8s.io/apimachinery/pkg/apis/meta/v1.Conditions
  * Improve pod logs related to Supervisor TLS certificate problems
  * Bump to go1.20.1
  * Bump go.mod direct dependencies
  * site: fix codeblock left padding and spacing tweak
  * Make pre code blocks have more consistent font size and line
    height
  * [LDAP] move attributeUnchangedSinceLogin from upstreamldap to
    activedirectoryupstreamwatcher
  * Adjust test expectations for compilation differences with 1.21
  * Run 'go fix ./...' with go1.21.0
  * Inline and remove testutil.TempDir
  * Simplify build tags associated with unsupported golang versions
  * Bump to golang 1.21.0, and bump all golang deps
  * Add docs for Supervisor with Azure AD
  * Improve hack/prepare-for-integration-tests.sh flexibility
  * Do not fail hack/prepare-for-integration-tests.sh without
    KUBE_GIT_VERSION
  * Do not fail when KUBE_GIT_VERSION is not set
  * Update comments to indicate support for newer versions of
    Kubernetes
  * Remove generated code for K8s 1.17, 1.18, 1.19, and 1.20
  * Split off helper function
  * Use pversion to retrieve buildtime information
  * Integration tests should use 'kubectl explain --output
    plaintext-openapiv2'
  * Expose OpenAPIv3 explanations
  * Ensure that kubegenerator scripts are executable
  * Run K8s codegen, adding 1.28.0
  * K8s API Server audit events are no longer pointers
  * Update all golang dependencies, especially k8s.io (for 1.28)
  * Update docs to clarify which Supervisor port to expose outside
    cluster
  * blog: clean up tags page
  * blog: add multiple author support for posts
  * blog: impersonation-proxy spelling, grammar
  * blog: impersonation-proxy post updates
  * add author to blog list page
  * Add blog post for v0.25.0
  * Updated versions in docs for v0.25.0 release

-------------------------------------------------------------------
Tue Sep 05 15:03:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.25.0:
  * Address PR feedback
  * Fix #1582 by not double-decoding the ca.crt field in external
    TLS secrets for the impersonation proxy
  * Bump go.mod direct dependencies
  * Address PR feedback, especially to check that the CA bundle is
    some kind of valid cert
  * Add integration test to verify that the impersonation proxy
    will use an external TLS serving cert
  * Test Refactor: use explicit names for mTLS signing cert
  * Impersonation proxy detects when the user has configured an
    externally provided TLS secret to serve TLS
  * Add CredentialIssuer.Spec.ImpersonationProxy.TLS to configure
    an externally provided TLS secret
  * The impersonation controller should sync when any secret of
    type kubernetes.io/tls changes in the namespace
  * Bump golang to 1.20.7
  * Bump go.mod direct dependencies
  * site: autogenerate new sections on main docs listing page
  * site: minor text updates
  * site: reorganize /howto/idp->/howto/supervisor
  * site: add redirects for old doc links
  * site style: code block tweaks and sidebar menu highlight
  * site sidebar: menu renaming & reorganization
  * site sidebar: create new How-to sub-heading for IDP config
  * Replace agouti and chromedriver with chromedp across the whole
    project
  * Bump go.mod direct dependencies
  * Add How To... Integrate with Auth0
  * site css: images on resource page should fit the grid
  * Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is
    deprecated
  * Bump go.mod direct dependencies
  * add AWS blog post to resources page of pinniped.dev
  * kube cert agent pod requests 0 cpu to avoid scheduling failures
  * Bump K8s APIs 1.24 through 1.27
  * Bump go.mod direct dependencies
  * Remove untested comments
  * Do not name return variables
  * Fix lint
  * Mark untested code paths
  * Pass caBundle instead of an object
  * Backfill test cases
  * Prefer early return
  * Backfill issuer tests
  * Use go:embed for easier to read tests
  * Fix godoc
  * Bump base images to go1.20.6 in Dockerfiles
  * Bump go.mod direct dependencies
  * Improve performance of supervisor_oidcclientsecret_test.go
  * Add proposal to implement #1547, Concierge Impersonation Proxy
    | External Certificate Management
  * Add proposal for multiple identity providers in the Supervisor
  * Bump to golang:1.20.5
  * Func ldap.Conn.Close() now returns an error
  * Pin to the version of k8s.io/kube-openapi used by
    client-go@v0.27.3
  * Update generated files
  * Bump hack/update-go-mod/go.mod
  * Bump all go.mod dependencies
  * Updated versions in docs for v0.24.0 release
  * Increase a test timeout in supervisor_secrets_test.go
  * Update codeql-analysis.yml according to the latest template

-------------------------------------------------------------------
Fri Jul 14 07:19:32 UTC 2023 - kastl@b1-systems.de

- Update to version 0.24.0:
  * Update codeql-analysis.yml
  * Increase a test timeout for when pulling container image is slow
  * backtick changes
  * Increase some test timeouts
  * increase timeout in a test
  * Add docs for UserAttributeForFilter group search setting
  * Add integration test for AD UserAttributeForFilter group search setting
  * Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
  * Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter
  * Add integration test for UserAttributeForFilter group search setting
  * Add group search tests for UserAttributeForFilter in ldap_client_test.go
  * command line option.
  * Use groupSearch.userAttributeForFilter during LDAP group searches
  * Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter
  * Add some posixGroups to the openldap server for use in integration tests

-------------------------------------------------------------------
Fri Jul 14 07:16:37 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>

- new package pinniped: CLI for the Pinniped identity service
  provider for Kubernetes