Releases: gardener/oidc-webhook-authenticator
Releases · gardener/oidc-webhook-authenticator
v0.4.0
[oidc-webhook-authenticator]
⚠️ Breaking Changes
- [USER] Username claim for the
openidconnectresources is now required and is no longer defaulted tosub. (gardener/oidc-webhook-authenticator#54, @dimityrmirchev) - [USER] Groups claim for the
openidconnectresources is no longer defaulted togroups. (gardener/oidc-webhook-authenticator#54, @dimityrmirchev) - [OPERATOR] Helm charts residing in the
helmdirectory were deleted since they are no longer maintained. The maintained version of the charts can be found in thecharts/oidc-webhook-authenticatordirectory. (gardener/oidc-webhook-authenticator#51, @dimityrmirchev) - [OPERATOR] The
values.yamlfile of the root helm chart now supports configuring the subcharts viaglobal,applicationandruntimesections. Please refer to the updatedvalues.yamlfor more information. (gardener/oidc-webhook-authenticator#51, @dimityrmirchev) - [OPERATOR] Bindings for
system:auth-delegatorclusterrole andextension-apiserver-authentication-readerrole are now installed with theapplicationhelm subchart. (gardener/oidc-webhook-authenticator#48, @dimityrmirchev) - [OPERATOR] In values.yaml file .authKubeconfig is now replaced with
.auth.kubeconfig(gardener/oidc-webhook-authenticator#43, @dimityrmirchev) - [OPERATOR] It is now required to provide
.webhookConfig.caBundlein thevalues.yamlfile when installing viahelmin order to successfully register a validating webhook for theopenidconnectresources. (gardener/oidc-webhook-authenticator#39, @dimityrmirchev)
✨ New Features
- [USER] Username and groups prefixes starting with
system:will be rejected if a validating webhook is registered for theopenidconnectresources. (gardener/oidc-webhook-authenticator#46, @dimityrmirchev) - [USER]
validatingwebhookconfigurationfor theopenidconnectresources is now installed with thehelmchart. (gardener/oidc-webhook-authenticator#39, @dimityrmirchev) - [OPERATOR] It is now possible to configure a
User(instead of aServiceAccount) to be bound to the needed roles in the target cluster by setting.virtualGarden.user.name. (gardener/oidc-webhook-authenticator#52, @dimityrmirchev) - [OPERATOR] It is now possible to configure the certificates for the
oidc-webhook-authenticatorviacert-manager. (gardener/oidc-webhook-authenticator#51, @dimityrmirchev) - [OPERATOR] It is now possible to configure Horizontal Pod Autoscaler by setting
.values.autoscaling.hpa.enabled: true. (gardener/oidc-webhook-authenticator#49, @dimityrmirchev) - [OPERATOR] It is now possible to specify http paths that will not require authorization by setting
.auth.authorizationAlwaysAllowPathsin the values.yaml file. (gardener/oidc-webhook-authenticator#43, @dimityrmirchev) - [OPERATOR] It is now possible to explicitly specify if the service account token for the
oidc-webhook-authenticatorpod should be automounted by setting.automountServiceAccountTokenin the values.yaml file. (gardener/oidc-webhook-authenticator#43, @dimityrmirchev) - [OPERATOR] It is now possible to explicitly skip the installation of auth-delegator RBACs by setting
.installDelegatorBindings: falsein the values.yaml file. This is useful when the auth cluster is different from where theoidc-webhook-authenticatoris installed. (gardener/oidc-webhook-authenticator#43, @dimityrmirchev) - [OPERATOR] It is now possible to ensure that tokens used against the authenticator are bound to at least one of the specified audiences by setting
--api-audiences=value1,value2(gardener/oidc-webhook-authenticator#38, @dimityrmirchev)
v0.3.0
[oidc-webhook-authenticator]
✨ New Features
- [USER] It is now possible to mount the service account token of the
oidc-webhook-authenticatorvia projected volume source by setting.serviceAccountTokenVolumeProjection.enabled: truein the values.yaml file. This will ensure the automatic rotation of the token by thekubelet. Note that if this feature is enabled then the static service account token will no longer be mounted on the well known path/var/run/secrets/kubernetes.io/serviceaccount/tokenin the pod's filesystem and the.kubeconfigfield in the values.yaml file will become required. (gardener/oidc-webhook-authenticator#36, @dimityrmirchev)
v0.2.0
[oidc-webhook-authenticator]
⚠️ Breaking Changes
- [USER] Kubeconfig for configuring the
kube-apiserverto talk to theoidc-webhook-authenticatoris no longer part of the helm chart templates. (gardener/oidc-webhook-authenticator#32, @dimityrmirchev)
🐛 Bug Fixes
- [USER] Fixed a bug where single cluster installation of the authenticator was failing due to duplicate
serviceaccountsandclusterrolebindingsin the helm chart definitions. (gardener/oidc-webhook-authenticator#34, @dimityrmirchev)
v0.1.0
no release notes available