v0.33.0

[gardener/oidc-webhook-authenticator]

🏃 Others

• [DEVELOPER] gosec is made available for SAST(static application security testing), it can be run with make sast or make sast-report. by @vpnachev [#165]
• [OPERATOR] OWA is now built using go version 1.23.3. by @dimityrmirchev [#167]

Docker Images

• oidc-webhook-authenticator: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator:v0.33.0

v0.32.0

[gardener/oidc-webhook-authenticator]

🏃 Others

• [OPERATOR] OWA is now built using go version 1.23.2. by @dimityrmirchev [#162]
• [OPERATOR] OWA is now built with go version 1.23.1. by @dimityrmirchev [#160]

Docker Images

• oidc-webhook-authenticator: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator:v0.32.0

v0.31.0

[gardener/oidc-webhook-authenticator]

🏃 Others

• [DEPENDENCY] OWA is now built using go version 1.22.5. by @dimityrmirchev [#158]
• [DEVELOPER] The following dependencies have been updated:
  • github.com/coreos/go-oidc/v3 v3.1.0 -> v3.10.0
  • golang.org/x/time v0.3.0 -> v0.5.0
  • k8s.io/* v0.27.9 -> v0.30.1
  • sigs.k8s.io/controller-runtime v0.15.3 -> v0.18.4
  • golang.org/x/crypto v0.21.0 -> v0.24.0
  • golang.org/x/net v0.23.0 -> v0.26.0 by @vpnachev [#157]

Docker Images

• oidc-webhook-authenticator: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator:v0.31.0

v0.30.0

[gardener/oidc-webhook-authenticator]

🏃 Others

• [DEPENDENCY] OWA is now built using go version 1.22.3. by @dimityrmirchev [#155]
• [OPERATOR] The default resync period between reconciliations of openidconnects is increased to 30min. by @dimityrmirchev [#156]

Docker Images

• oidc-webhook-authenticator: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator:v0.30.0

v0.29.0

[gardener/oidc-webhook-authenticator]

⚠️ Breaking Changes

• [OPERATOR] ⚠️ OWA no longer delegates authentication and authorization to a kube-apiserver. It now only supports optional client certificate authentication which can be configured via the "--client-ca-file" flag. Paths that do require authentication can be skipped by setting the flag "--authentication-always-allow-paths". The same flags can be configured with the helm chart via .Values.runtime.auth.clientCABundle and .Values.runtime.auth.authenticationAlwaysAllowPaths. Operators should remove residuals of roles and rolebindings that were used to authorize OWA callers. by @dimityrmirchev [#148]
• [OPERATOR] Flags related to kube-apiserver authn/z delegation and kube-apiserver serving were removed. by @dimityrmirchev [#148]

🏃 Others

• [DEPENDENCY] OWA is now built using go version 1.22.1. by @dimityrmirchev [#151]

Docker Images

• oidc-webhook-authenticator: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator:v0.29.0

v0.28.0

[gardener/oidc-webhook-authenticator]

⚠️ Breaking Changes

• [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references.
  by @ccwienk [#143]

🏃 Others

• [DEPENDENCY] OWA is now built using go version 1.21.5. by @dimityrmirchev [#145]
• [DEPENDENCY] The following dependencies were updated:
  • github.com/go-logr/logr v1.2.4 -> v1.3.0
  • k8s.io/* v0.27.6 -> v0.27.6
  • sigs.k8s.io/controller-runtime v0.15.2 -> v0.15.3 by @dimityrmirchev [#141]
• [DEPENDENCY] The following dependencies were updated:
  • k8s.io/* v0.27.7 -> v0.27.9 by @dimityrmirchev [#145]
• [DEPENDENCY] OWA is now built using go version 1.21.4. by @dimityrmirchev [#141]
• [DEPENDENCY] Base image updated to gcr.io/distroless/static-debian12:nonroot. by @dimityrmirchev [#145]
• [DEPENDENCY] OWA is now built using go version 1.21.6. by @dimityrmirchev [#146]

Docker Images

• oidc-webhook-authenticator: europe-docker.pkg.dev/gardener-project/releases/gardener/oidc-webhook-authenticator:v0.28.0

v0.27.0

[gardener/oidc-webhook-authenticator]

🏃 Others

• [DEPENDENCY] The following dependencies were updated:
  • github.com/go-logr/logr v1.2.4 -> v1.3.0
  • k8s.io/* v0.27.6 -> v0.27.6
  • sigs.k8s.io/controller-runtime v0.15.2 -> v0.15.3 by @dimityrmirchev [#141]
• [DEPENDENCY] OWA is now built using go version 1.21.4. by @dimityrmirchev [#141]

Docker Images

• oidc-webhook-authenticator: eu.gcr.io/gardener-project/gardener/oidc-webhook-authenticator:v0.27.0

v0.26.0

[gardener/oidc-webhook-authenticator]

✨ New Features

• [OPERATOR] The helm chart can now be configured to pull the webhook image from a private registry through the use of the imagePullSecrets field. by @sgaist [#133]
• [USER] Go version was updated to 1.21.3 by @vpnachev [#134]

v0.25.0

[gardener/oidc-webhook-authenticator]

✨ New Features

• [OPERATOR] Logging was enhanced to indicate that a handler was removed from store when an openidconnect resource was not found. by @dimityrmirchev [#126]
• [USER] Administrators can now configure OpenIDConnect objects to retrieve additional claims from the JWT token using the new extraClaims field. The client (kubectl, web application, etc.) is responsible for requesting the scopes that will provide these claims upon authentication. by @sgaist [#128]

🏃 Others

• [DEPENDENCY] OWA is now built using go version 1.21.2. by @dimityrmirchev [#132]

v0.24.0

[gardener/oidc-webhook-authenticator]

✨ New Features

• [USER] OWA is now built using go version 1.21.0. by @dimityrmirchev [#124]

🏃 Others

• [DEPENDENCY] OWA is now built using go version 1.21.1. by @dimityrmirchev [#125]
• [DEPENDENCY] OWA is now built using go version 1.20.5. by @dimityrmirchev [#119]
• [DEPENDENCY] The following dependencies were updated:
  • k8s.io/* v0.26.3 -> v0.27.5
  • sigs.k8s.io/controller-runtime v0.14.5 -> v.0.15.2 by @dimityrmirchev [#125]
• [DEPENDENCY] OWA is now built using go version 1.20.7. by @dimityrmirchev [#122]