Changelog for pinniped-fish-completion-0.33.0-1.7.noarch.rpm:
* Thu Aug 08 2024 opensuse_buildservice@ojkastl.de
- Update to version 0.33.0: This release introduces support for dynamically reading CA bundles from ConfigMaps or Secrets. It also includes some minor changes, bug fixes, and upgrades all project dependencies.
- Major Changes
  - All custom resource types that configure Pinniped to act as an HTTPS client to some external server have been updated to optionally allow the CA bundle used to verify those HTTPS connections to be configured in a ConfigMap or Secret, which will be dynamically watched by Pinniped for updates. (#1984, #1996)
  - This includes the JWTAuthenticator, WebhookAuthenticator, OIDCIdentityProvider, GitHubIdentityProvider, ActiveDirectoryIdentityProvider, and LDAPIdentityProvider resources.
  - This makes it easier for your CA bundles to be configured and managed externally by cert-manager, trust-manager, or any other automation tools.
  - See the API docs for the Concierge TLSSpec and the very similar Supervisor TLSSpec.
  - See the blog post announcing this feature.
- Minor Changes
  - A new Status printer column was added to the table output for WebhookAuthenticator and JWTAuthenticator. The value shown in the column is the status.Phase of the resource. (#1996)
  - To be consistent with other Pinniped custom resources, OIDCIdentityProvider, LDAPIdentityProvider, and ActiveDirectoryIdentityProvider now report status.conditions with status Unknown when they cannot perform a validation due to a configuration problem already reported on another status condition. (#2034)
  - Updates Go to v1.21.5, updates the Kubernetes libraries to v0.30.3, and updates all other project dependencies. (#2036, #2035, #2030, #2026, #2023, #2021, #2020, #2019, #2018, #2015, #2014, #2012, #2008, #2011, #2007, #2005, #2004, #2003, #2001, #1999, #1998, #1997, #1995)
  - Some developer tooling, log statements, and comments were improved for the project maintainers and contributors. (#2033, #2024, #2010)
  - Some small documentation updates. (#2028, #1993)
- Bug Fixes
  - Fixes a bug for JWTAuthenticators and WebhookAuthenticators where their status was not always being updated after their initial creation. (#1996)
  - Host names with upper case characters were previously considered invalid by several Pinniped custom resources. Now mixed-case host names are allowed. (#2022)
  - When testing the connection for GitHubIdentityProvider's default host github.com, actually dial api.github.com for status.conditions validation purposes, because api.github.com is the host that will actually be used during end-user authentication. (#2032)
  - WebhookAuthenticators and JWTAuthenticators which were previously validated, and then become invalid due to a spec change, are no longer considered usable for end-user authentication. To reduce the number of TCP dials to the remote server made during validation, WebhookAuthenticators and JWTAuthenticators that are already validated by a Concierge pod will not be validated again by that same pod unless the spec changes, the specified CA bundle changes, or the pod restarts. (#2013)
* Fri Jun 21 2024 opensuse_buildservice@ojkastl.de
- Update to version 0.32.0:
* rewrite flaky category test
* bump codegen kube versions
* Bump dependencies
* some mild refactoring of ptls common.go (mostly renames)
* Also probe aggregated API ports in new ciphers test
* fix lint
* Refactor to make profiles.go and profiles_fips_strict.go more similar
* Add integration test for allowed ciphers
* User can now configure allowed ciphers, to restrict the ciphers used by the Default profile
* Remove Legacy TLS Config, which is not used in the source code
* Remove plog.Logr, make plog.TestZapr private, and CLI logs do not need a name
* No need for calling code to use deprecated options
* Use plog.Logger instead of logr.Logger wherever possible
* Lint new files from the GitHub branch
* update toolchain version in some go.mod files
* handle another github login interstitial page
* Updated versions in docs for v0.31.0 release
* blog post for v0.31.0: github IDP support
* Bump golang.org/x/mod from 0.17.0 to 0.18.0 in /hack/update-go-mod
* Add module generate command and update all generated files
* Move all mock files into internal/mocks and use mock prefix
* Prefer slices package and slices.Concat where possible
* Enforce more imports
* Enable 'makezero' and 'prealloc' linters, and require 'any' instead of 'interface{}'
* Enforce aliases for 'k8s.io/apimachinery/pkg/util/errors' and 'k8s.io/apimachinery/pkg/api/errors'
* Fri Jun 07 2024 opensuse_buildservice@ojkastl.de
- Update to version 0.31.0: CLI-related changes
* Pinniped CLI and the oidc-client package are now enhanced by pinniped_supported_identity_provider_types
* Fri May 10 2024 opensuse_buildservice@ojkastl.de
- Update to version 0.30.0:
* Added new option to OIDCClient resource to allow configuration of ID token lifetime for tokens issued by authcode flows and refresh flows. See OIDCClient.spec.tokenLifetimes.idTokenSeconds in the API docs. (#1914)
* Setting the new env var PINNIPED_SKIP_PRINT_LOGIN_URL=true will cause the Pinniped CLI to skip printing the login URL when a browser has launched, which can be useful when using console UIs like k9s. (#1938, #1897)
* WebhookAuthenticator resources will have detailed status written to them automatically, to aid in debugging. (#1894)
* WebhookAuthenticators now honor Pinniped's preferred client TLS configuration, including its preferred allowed TLS v1.2 ciphers. This could be a breaking change if your webhook server is serving requests using only TLS v1.2 (not allowing TLS v1.3) and does not allow any of Pinniped's preferred TLS v1.2 ciphers. Note that Pinniped's preferred TLS v1.2 cipher list is different depending on whether it was compiled in FIPS compatibility mode or not. (#1917)
* Removed all deprecated deployment options from ytt templates. (#1926)
* Clarified the text in some error messages. (#1932, #1922)
* Added documentation to provide some debugging tips. (#1936, #1904, #1824)
* Updates Go to v1.22.3, updates the Kubernetes libraries to v0.30.0, and updates all other project dependencies. (#1940, #1937, #1935, #1934, #1933, #1931, #1921, #1916, #1913, #1911, #1902, #1899)
* Fri Mar 15 2024 opensuse_buildservice@ojkastl.de
- Update to version 0.29.0:
* Use go.uber.org/mock instead of github.com/golang/mock and rerun mock generation
* Bump dependencies
* Bump golang.org/x/mod from 0.15.0 to 0.16.0 in /hack/update-go-mod
* Use ghcr instead of Harbor as the default for pinniped-server images
* CLI's localhost listener handles CORS preflight requests for GETs
* Integration tests should use a valid value for CredentialIssuer spec.impersonationProxy.service.type
* Bump google.golang.org/protobuf to v1.33.0 for CVE-2024-24786
* whoami integration test now allows for additional extra fields in K8s 1.30+
* Add some logging and comments making it easier to debug with chrome
* replace version of otelhttptrace in go.mod
* Add 1.29 and update patch versions in kube-versions.txt; run codegen
* Change codegen scripts to work with Kube 1.29
* wait for JWTAuthenticator to be phase=ready in supervisor warnings test
* Update jwtauthenticator unit tests to check actions
* Update jwk authenticator status integration tests
* Add Status & tests for jwks key fetching
* Update copyright year in modified files
* Add integration tests for JWTAuthenticators
* add WaitForJWTAuthenticatorStatusPhase() integration helper
* fix comment in testlib/client.go
* Improve jwtcachefiller tests
* extract status comparison test helpers
* ldap upstream watcher: rename local var for clarity
* Add .Status to JWTAuthenticator with Conditions,Phase
* Update some comments in go.mod
* Fix races in login_test.go unit tests
* Update codeql workflow actions to latest versions and add setup-go
* "login oidc" CLI command sometimes skips printing auth URL for non-ttys
* Update configure-concierge-jwt.md doc with clarifications
* Add hack/prepare-jwtauthenticator-on-kind.sh
* CLI deciding if token exchange needed should not look at ID token expiry
* Don't skip upstream group memberships when groups scope is not granted
* Rename a func and collapse applying id transforms into creating session
* Refactor to move invocation of identity transforms out of IDP interfaces
* Refactor token endpoint to add interface for IDP upstream refresh
* Refactor to extract interface for upstream IDP interactions
* More refactoring of auth handler and related refactor of upstreamldap
* Refactor error handling in authorize endpoint (changes some responses)
* Correct doc which explained bug that has since been fixed.
* Adjust tests and comments for upgrade to latest version of fosite
* login oidc cmd checks access token expiry before doing token exchange
* Convert double-quoted strings to raw strings in login_test.go
* Fix ptls_test.go for Go 1.22
* Rerun codegen after upgrading CI controller-gen from v0.13.0 to v0.14.0
* Fix plog_test.go for Go 1.22
* Revert support TLS 1.3 in FIPS mode because Go reverted goboring upgrade
* Test util AssertTLS supports both old and new goboring
* Bump golang.org/x/mod from 0.14.0 to 0.15.0 in /hack/update-go-mod
* disable dependabot for some things in favor of our own tooling
* Increase the lint timeout in hack/module.sh for when CI workers get slow
* update CI URL in CONTRIBUTING.md
* Support the new Go FIPS compiler which was upgraded inside Go 1.21.6
* Update dependencies, including Kube packages to v0.29.0
* Updated versions in docs for v0.28.0 release
* Sat Dec 16 2023 kastl@b1-systems.de
- Update to version 0.28.0:
- Minor Changes
  - The Concierge will no longer create a long-lived service account token upon installation, which was previously contained in a Secret in the Concierge's namespace. Instead, it will dynamically fetch short-lived tokens and hold them in-memory in the Pods. Upon upgrade, the old Secret will be automatically deleted. This improves security posture by making it impossible for an RBAC configuration or similar mistake to make this token readable to non-admins, and also by making the token short-lived. Other Secrets in the namespace must still be protected against read by non-admins. (#1733)
  - The Supervisor will now show an interstitial web page to allow the end-user to choose one of the configured IDPs, when multiple IDPs are configured, and when the query parameters to the OIDC authorize endpoint do not specify which IDP to use. (#1742)
  - A new debugging tool has been added to aid in debugging your LDAPIdentityProvider settings. See hack/debug-ldapidentityprovider.sh. (#1594)
  - The values.yaml files in the ytt template directories have been converted to use ytt's schema feature. This makes it easier for users or 3rd parties to create Carvel packages using the Dockerfile and ytt templates from the Pinniped repo. At this time, the Pinniped releases on GitHub do not include Carvel packages. (#1701)
  - The project's Dockerfiles have been updated to add build ARGs to choose the BUILD_IMAGE (golang image used to compile) and the BASE_IMAGE (base layer of the resulting container image). This will make it easier for users and 3rd parties to choose alternate images when building the project. The default values are the latest golang image and the latest gcr.io/distroless/static image. The project maintainers will continue to bump the default values when updates of those images are available. (#1776)
  - Updates Go to v1.21.5, updates the Kubernetes libraries to v0.28.4, and updates all other project dependencies. (#1815, #1808, #1807, #1804, #1803, #1801, #1793, #1791, #1788, #1779, #1775, #1772, #1771, #1767, #1763, #1755, #1751, #1748, #1741, #1738, #1735, #1734, #1732, #1721, #1752)
- Bug Fixes
  - pinniped whoami has a new --timeout parameter, which defaults to no timeout. This replaces a hardcoded timeout which caused pinniped whoami to fail when a user took more than 20 seconds to complete a fresh interactive login. (#1774)
* Wed Oct 11 2023 kastl@b1-systems.de
- Update to version 0.27.0:
* document usage of --pinniped-cli-path option
* Bump go.mod direct dependencies
* add a login banner to CLI-based login prompts which shows the IDP name
* backfill unit tests for expected stderr output in login_test.go
* Rename username and password prompt variables
* Shorten kubeconfigCommand func for lint funlen
* Allow 'pinniped get kubeconfig' to override the client-go credential plugin command
* Update kube versions for codegen
* tolerate arm64 in tools deployments and jobs
* Bump dockerfiles to golang:1.21.2
* Update hack/update-go-mod/go.mod
* Bump go.mod direct dependencies
* Update website docs for arm64 support
* Use bitnami/openldap in integration tests instead of our old fork
* Support building and deploying multi-arch linux amd64 and arm64 images
* Show errors from the form_post POST request on the page
* Bump go.mod direct dependencies
* Bump go.mod direct dependencies
* Optionally use Contour in hack/prepare-supervisor-on-kind.sh
* fix flake seen in pod_shutdown_test.go
* Stop using deprecated critical-pod annotation
* Same error messages shown in CLI's callback web page and in terminal
* Use latest controller-gen, which allows CEL validations
* add integration test for graceful shutdowns which release leader leases
* Fix deadlock during shutdown which prevented leader election cleanup
* Update blog rendering to h1 the title (not h2)
* Updated versions in docs for v0.26.0 release
* add blog post for v0.26.0 release
* Add CI/CD How-To
* Wed Sep 20 2023 kastl@b1-systems.de
- Update to version 0.26.0:
* trying to avoid flake on Okta login page in browser
* specify the container name when fetching keys from kube cert agent pod
* Update LDAP integration tests for changes in github.com/go-ldap/ldap/v3
* Bump k8s.io/kube-openapi and pin github.com/google/cel-go
* Bump go.mod direct dependencies
* Bump go.uber.org/zap from 1.25.0 to 1.26.0
* Keep the deps updated from previous commit but keep cel-go at 0.16.x
* Bump go.mod direct dependencies
* update kube-versions.txt for codegen
* multiple IDPs and identity transformations docs
* remove extra timeoutCtx for exec.CommandContext invocations in e2e test
* add celformer unit test demonstrating string regexp in CEL expressions
* make prepare-supervisor-on-kind.sh work with older versions of bash
* fix imports grouping in manager.go
* add workaround in update-codegen.sh for problem seen when run on linux
* update FederationDomain.status.conditions to come from metav1
* Fix conflicts caused from rebasing main into multiple IDPs branch
* add the IDP display name to the downstream ID token's `sub` claim
* add unit tests to token_handler_test.go
* run codegen again after rebasing main branch into feature branch
* started adding unit tests for identity transforms to token_handler_test.go
* add unit tests to post_login_handler_test.go
* add new unit tests in callback_handler_test.go
* use slices.Contains() instead of custom func in token_handler_test.go
* add new unit tests in auth_handler_test.go
* Add more tests with identity transformations in supervisor_login_test.go
* Replace more pointer.String() with the new ptr.To()
* Start adding identity transformations tests to supervisor_login_test.go
* Fix expectations in FederationDomains status test for old Kube versions
* Add e2e test for rejecting auth using identity transformation policy
* handle old versions of k8s in supervisor_federationdomain_status_test.go
* remove expectation about TransformsConstantsNamesUnique status condition
* rename a local variable in an integration test
* add an e2e test for a FederationDomain with multiple IDPs and transforms
* CRD already validates that IDP transform constant names are unique
* fix some here.Doc string indents in federation_domain_watcher_test.go
* wordsmith some FederationDomain status messages
* add integration test for FederationDomain status updates
* small refactor in supervisor_discovery_test.go
* add unit test for ApplyIdentityTransformations helper
* add unit tests for getters in federation_domain_issuer_test.go
* extract a helper function in federation_domain_watcher.go
* use multiple IDPs in manager_test.go
* Status condition messages for IDP transforms show index of invalid IDP
* Make it possible to compare transformation pipelines in unit tests
* Validate transforms examples in federation_domain_watcher.go
* Validate transforms expressions in federation_domain_watcher.go
* Add helper for happy/sad conditions to federation_domain_watcher_test.go
* Allow for slower CI workers in celformer_test.go
* Validate transforms const names in federation_domain_watcher.go
* Update proposal doc statuses
* Replace sleep with kubectl wait in prepare-supervisor-on-kind.sh
* Validate IDP objectRef kind names in federation_domain_watcher.go
* Validate apiGroup names are valid in federation_domain_watcher.go
* Validate display names are unique in federation_domain_watcher.go
* Handle some unexpected errors in federation_domain_watcher.go
* Refactor: extract helper functions in federation_domain_watcher.go
* Load FederationDomain endpoints before updating its status
* Fix lint errors in federation_domain_watcher.go, and adjust unit test
* Update integration tests for new FederationDomain phase behavior
* Refactor federation_domain_watcher_test.go and add new test to its table
* Expand IdentityProvidersFound condition in federation_domain_watcher
* Update federation_domain_watcher with new IdentityProviderFound
* Change federation_domain_watcher_test.go to use a test table style
* Update informers unit test for FederationDomainWatcherController
* Change name of FederationDomain printer column back to "Status"
* Change FederationDomain.Status to use Phase and Conditions
* Update a test assertion to make failure easier to understand
* fix more integration tests for multiple IDPs
* update 1.27 codegen for multiple IDPs
* update unit test that fails on slow CI workers
* Fix some tests in supervisor_login_test.go
* escape semicolons in variable values in integration-test-env-goland.sh
* fix callback_handler_test.go
* fix token_handler_test.go
* test FederationDomainIdentityProvidersListerFinder
* reorganize federation domain packages to be more intuitive
* Reorganized FederationDomain packages to avoid circular dependency
* Fix auth_handler_test.go
* Update auth_handler.go to return 422 error when upstream IdP not found
* Fix post_login_handler_test.go
* add a type assertion
* fix internal/oidc/provider/manager/manager_test.go
* refactor: rename \"provider\" to \"federationdomain\" when appropriate
* Get tests to compile again and fix lint errors
* Add tests for identity_transformation.go
* Fixup unit tests for the previous commit
* First draft of implementation of multiple IDPs support
* Allow user-defined string & stringList consts for use in CEL expressions
* Add identity transformation packages idtransform and celformer
* Add APIs for multiple IDP and id transformations to FederationDomain CRD
* Use Conditions from apimachinery, specifically k8s.io/apimachinery/pkg/apis/meta/v1.Conditions
* Improve pod logs related to Supervisor TLS certificate problems
* Bump to go1.20.1
* Bump go.mod direct dependencies
* site: fix codeblock left padding and spacing tweak
* Make pre code blocks have more consistent font size and line height
* [LDAP] move attributeUnchangedSinceLogin from upstreamldap to activedirectoryupstreamwatcher
* Adjust test expectations for compilation differences with 1.21
* Run 'go fix ./...' with go1.21.0
* Inline and remove testutil.TempDir
* Simplify build tags associated with unsupported golang versions
* Bump to golang 1.21.0, and bump all golang deps
* Add docs for Supervisor with Azure AD
* Improve hack/prepare-for-integration-tests.sh flexibility
* Do not fail hack/prepare-for-integration-tests.sh without KUBE_GIT_VERSION
* Do not fail when KUBE_GIT_VERSION is not set
* Update comments to indicate support for newer versions of Kubernetes
* Remove generated code for K8s 1.17, 1.18, 1.19, and 1.20
* Split off helper function
* Use pversion to retrieve buildtime information
* Integration tests should use 'kubectl explain --output plaintext-openapiv2'
* Expose OpenAPIv3 explanations
* Ensure that kubegenerator scripts are executable
* Run K8s codegen, adding 1.28.0
* K8s API Server audit events are no longer pointers
* Update all golang dependencies, especially k8s.io (for 1.28)
* Update docs to clarify which Supervisor port to expose outside cluster
* blog: clean up tags page
* blog: add multiple author support for posts
* blog: impersonation-proxy spelling, grammar
* blog: impersonation-proxy post updates
* add author to blog list page
* Add blog post for v0.25.0
* Updated versions in docs for v0.25.0 release
* Tue Sep 05 2023 kastl@b1-systems.de
- Update to version 0.25.0:
* Address PR feedback
* Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy
* Bump go.mod direct dependencies
* Address PR feedback, especially to check that the CA bundle is some kind of valid cert
* Add integration test to verify that the impersonation proxy will use an external TLS serving cert
* Test Refactor: use explicit names for mTLS signing cert
* Impersonation proxy detects when the user has configured an externally provided TLS secret to serve TLS
* Add CredentialIssuer.Spec.ImpersonationProxy.TLS to configure an externally provided TLS secret
* The impersonation controller should sync when any secret of type kubernetes.io/tls changes in the namespace
* Bump golang to 1.20.7
* Bump go.mod direct dependencies
* site: autogenerate new sections on main docs listing page
* site: minor text updates
* site: reorganize /howto/idp->/howto/supervisor
* site: add redirects for old doc links
* site style: code block tweaks and sidebar menu highlight
* site sidebar: menu renaming & reorganization
* site sidebar: create new How-to sub-heading for IDP config
* Replace agouti and chromedriver with chromedp across the whole project
* Bump go.mod direct dependencies
* Add How To... Integrate with Auth0
* site css: images on resource page should fit the grid
* Use k8s.io/utils/ptr instead of k8s.io/utils/pointer, which is deprecated
* Bump go.mod direct dependencies
* add AWS blog post to resources page of pinniped.dev
* kube cert agent pod requests 0 cpu to avoid scheduling failures
* Bump K8s APIs 1.24 through 1.27
* Bump go.mod direct dependencies
* Remove untested comments
* Do not name return variables
* Fix lint
* Mark untested code paths
* Pass caBundle instead of an object
* Backfill test cases
* Prefer early return
* Backfill issuer tests
* Use go:embed for easier to read tests
* Fix godoc
* Bump base images to go1.20.6 in Dockerfiles
* Bump go.mod direct dependencies
* Improve performance of supervisor_oidcclientsecret_test.go
* Add proposal to implement #1547, Concierge Impersonation Proxy | External Certificate Management
* Add proposal for multiple identity providers in the Supervisor
* Bump to golang:1.20.5
* Func ldap.Conn.Close() now returns an error
* Pin to the version of k8s.io/kube-openapi used by client-go@v0.27.3
* Update generated files
* Bump hack/update-go-mod/go.mod
* Bump all go.mod dependencies
* Updated versions in docs for v0.24.0 release
* Increase a test timeout in supervisor_secrets_test.go
* Update codeql-analysis.yml according to the latest template
* Fri Jul 14 2023 kastlAATTb1-systems.de- Update to version 0.24.0:
* Update codeql-analysis.yml
* Increase a test timeout for when pulling container image is slow
* backtick changes
* Increase some test timeouts
* increase timeout in a test
* Add docs for UserAttributeForFilter group search setting
* Add integration test for AD UserAttributeForFilter group search setting
* Use groupSearch.userAttributeForFilter during ActiveDirectory group searches
* Add ActiveDirectoryIdentityProvider.spec.groupSearch.userAttributeForFilter
* Add integration test for UserAttributeForFilter group search setting
* Add group search tests for UserAttributeForFilter in ldap_client_test.go
* command line option.
* Use groupSearch.userAttributeForFilter during LDAP group searches
* Add LDAPIdentityProvider.spec.groupSearch.userAttributeForFilter
* Add some posixGroups to the openldap server for use in integration tests
* Fri Jul 14 2023 Johannes Kastl
- new package pinniped: CLI for the Pinniped identity service provider for Kubernetes