diff --git a/bitnami/pinniped/CHANGELOG.md b/bitnami/pinniped/CHANGELOG.md
index 983b951ce0..104392cc69 100644
--- a/bitnami/pinniped/CHANGELOG.md
+++ b/bitnami/pinniped/CHANGELOG.md
@@ -1,8 +1,12 @@
# Changelog
-## 2.4.20 (2025-07-09)
+## 2.4.21 (2025-08-04)
-* [bitnami/pinniped] :zap: :arrow_up: Update dependency references ([#34934](https://github.com/bitnami/charts/pull/34934))
+* [bitnami/pinniped] :zap: :arrow_up: Update dependency references ([#35403](https://github.com/bitnami/charts/pull/35403))
+
+## 2.4.20 (2025-07-09)
+
+* [bitnami/pinniped] :zap: :arrow_up: Update dependency references (#34934) ([e887bcc](https://github.com/bitnami/charts/commit/e887bcc79728767e7df24f998b461d641f54a40a)), closes [#34934](https://github.com/bitnami/charts/issues/34934)
## 2.4.19 (2025-06-13)
diff --git a/bitnami/pinniped/Chart.yaml b/bitnami/pinniped/Chart.yaml
index b29121f34b..c7eb61d840 100644
--- a/bitnami/pinniped/Chart.yaml
+++ b/bitnami/pinniped/Chart.yaml
@@ -5,11 +5,11 @@ annotations:
category: Infrastructure
images: |
- name: pinniped
- image: docker.io/bitnami/pinniped:0.39.0-debian-12-r3
+ image: docker.io/bitnami/pinniped:0.40.0-debian-12-r0
licenses: Apache-2.0
tanzuCategory: clusterUtility
apiVersion: v2
-appVersion: 0.39.0
+appVersion: 0.40.0
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
@@ -30,4 +30,4 @@ maintainers:
name: pinniped
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/pinniped
-version: 2.4.20
+version: 2.4.21
diff --git a/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml b/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
index 3f4a7c5ad8..c58bed0c79 100644
--- a/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
+++ b/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/concierge/authentication.concierge.pinniped.dev_jwtauthenticators.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -60,37 +60,219 @@ spec:
metadata:
type: object
spec:
- description: Spec for configuring the authenticator.
+ description: spec for configuring the authenticator.
properties:
audience:
- description: Audience is the required value of the "aud" JWT claim.
+ description: audience is the required value of the "aud" JWT claim.
minLength: 1
type: string
+ claimValidationRules:
+ description: |-
+ claimValidationRules are rules that are applied to validate token claims to authenticate users.
+ This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
+ https://kubernetes.io/docs/reference/access-authn-authz/authentication.
+ This is an advanced configuration option. During an end-user login flow, mistakes in this
+ configuration will cause the user's login to fail.
+ items:
+ description: ClaimValidationRule provides the configuration for
+ a single claim validation rule.
+ properties:
+ claim:
+ description: |-
+ claim is the name of a required claim.
+ Only string claim keys are supported.
+ Mutually exclusive with expression and message.
+ type: string
+ expression:
+ description: |-
+ expression represents the expression which will be evaluated by CEL.
+ Must produce a boolean.
+
+ CEL expressions have access to the contents of the token claims, organized into CEL variable:
+ - 'claims' is a map of claim names to claim values.
+ For example, a variable named 'sub' can be accessed as 'claims.sub'.
+ Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+ Must return true for the validation to pass.
+
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Mutually exclusive with claim and requiredValue.
+ type: string
+ message:
+ description: |-
+ message customizes the returned error message when expression returns false.
+ message is a literal string.
+ Mutually exclusive with claim and requiredValue.
+ type: string
+ requiredValue:
+ description: |-
+ requiredValue is the value of a required claim.
+ Only string claim values are supported.
+ If claim is set and requiredValue is not set, the claim must be present with a value set to the empty string.
+ Mutually exclusive with expression and message.
+ type: string
+ type: object
+ type: array
claims:
description: |-
- Claims allows customization of the claims that will be mapped to user identity
+ claims allows customization of the claims that will be mapped to user identity
for Kubernetes access.
properties:
+ extra:
+ description: |-
+ extra is similar to claimMappings.extra from Kubernetes AuthenticationConfiguration
+ as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
+
+ However, note that the Pinniped Concierge issues client certificates to users for the purpose
+ of authenticating, and the Kubernetes API server does not have any mechanism for transmitting
+ auth extras via client certificates. When configured, these extras will appear in client
+ certificates issued by the Pinniped Supervisor in the x509 Subject field as Organizational
+ Units (OU). However, when this client certificate is presented to Kubernetes for authentication,
+ Kubernetes will ignore these extras. This is probably only useful if you are using a custom
+ authenticating proxy in front of your Kubernetes API server which can translate these OUs into
+ auth extras, as described by
+ https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy.
+ This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
+ must evaluate to either a string or an array of strings, or else the user's login will fail.
+
+ These keys must be a domain-prefixed path (such as "acme.io/foo") and must not contain an equals sign ("=").
+
+ expression must produce a string or string array value.
+ If the value is empty, the extra mapping will not be present.
+
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ hard-coded extra key/value
+ - key: "acme.io/foo"
+ valueExpression: "'bar'"
+ This will result in an extra attribute - acme.io/foo: ["bar"]
+
+ hard-coded key, value copying claim value
+ - key: "acme.io/foo"
+ valueExpression: "claims.some_claim"
+ This will result in an extra attribute - acme.io/foo: [value of some_claim]
+
+ hard-coded key, value derived from claim value
+ - key: "acme.io/admin"
+ valueExpression: '(has(claims.is_admin) && claims.is_admin) ? "true":""'
+ This will result in:
+ - if is_admin claim is present and true, extra attribute - acme.io/admin: ["true"]
+ - if is_admin claim is present and false or is_admin claim is not present, no extra attribute will be added
+ items:
+ description: ExtraMapping provides the configuration for a single
+ extra mapping.
+ properties:
+ key:
+ description: |-
+ key is a string to use as the extra attribute key.
+ key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
+ subdomain as defined by RFC 1123. All characters trailing the first "/" must
+ be valid HTTP Path characters as defined by RFC 3986.
+ key must be lowercase.
+ Required to be unique.
+ Additionally, the key must not contain an equals sign ("=").
+ type: string
+ valueExpression:
+ description: |-
+ valueExpression is a CEL expression to extract extra attribute value.
+ valueExpression must produce a string or string array value.
+ "", [], and null values are treated as the extra mapping not being present.
+ Empty string values contained within a string array are filtered out.
+
+ CEL expressions have access to the contents of the token claims, organized into CEL variable:
+ - 'claims' is a map of claim names to claim values.
+ For example, a variable named 'sub' can be accessed as 'claims.sub'.
+ Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+ type: string
+ required:
+ - key
+ - valueExpression
+ type: object
+ type: array
groups:
description: |-
- Groups is the name of the claim which should be read to extract the user's
- group membership from the JWT token. When not specified, it will default to "groups".
+ groups is the name of the claim which should be read to extract the user's
+ group membership from the JWT token. When not specified, it will default to "groups",
+ unless groupsExpression is specified.
+
+ Mutually exclusive with groupsExpression. Use either groups or groupsExpression to
+ determine the user's group membership from the JWT token.
+ type: string
+ groupsExpression:
+ description: |-
+ groupsExpression represents an expression which will be evaluated by CEL.
+ The expression's result will become the user's group memberships.
+
+ groupsExpression is similar to claimMappings.groups.expression from Kubernetes AuthenticationConfiguration
+ as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
+ This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
+ must evaluate to one of the expected types without errors, or else the user's login will fail.
+ Additionally, mistakes in this configuration can cause the users to have unintended group memberships.
+
+ The expression must produce a string or string array value.
+ "", [], and null values are treated as the group mapping not being present.
+
+ CEL expressions have access to the contents of the token claims, organized into CEL variable:
+ - 'claims' is a map of claim names to claim values.
+ For example, a variable named 'sub' can be accessed as 'claims.sub'.
+ Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Mutually exclusive with groups. Use either groups or groupsExpression to
+ determine the user's group membership from the JWT token.
type: string
username:
description: |-
- Username is the name of the claim which should be read to extract the
- username from the JWT token. When not specified, it will default to "username".
+ username is the name of the claim which should be read to extract the
+ username from the JWT token. When not specified, it will default to "username",
+ unless usernameExpression is specified.
+
+ Mutually exclusive with usernameExpression. Use either username or usernameExpression to
+ determine the user's username from the JWT token.
+ type: string
+ usernameExpression:
+ description: |-
+ usernameExpression represents an expression which will be evaluated by CEL.
+ The expression's result will become the user's username.
+
+ usernameExpression is similar to claimMappings.username.expression from Kubernetes AuthenticationConfiguration
+ as documented in https://kubernetes.io/docs/reference/access-authn-authz/authentication.
+ This is an advanced configuration option. During an end-user login flow, each of these CEL expressions
+ must evaluate to the expected type without errors, or else the user's login will fail.
+ Additionally, mistakes in this configuration can cause the users to have unintended usernames.
+
+ The expression must produce a non-empty string value.
+ If the expression uses 'claims.email', then 'claims.email_verified' must be used in
+ the expression or extra[*].valueExpression or claimValidationRules[*].expression.
+ An example claim validation rule expression that matches the validation automatically
+ applied when username.claim is set to 'email' is 'claims.?email_verified.orValue(true) == true'.
+ By explicitly comparing the value to true, we let type-checking see the result will be a boolean,
+ and to make sure a non-boolean email_verified claim will be caught at runtime.
+
+ CEL expressions have access to the contents of the token claims, organized into CEL variable:
+ - 'claims' is a map of claim names to claim values.
+ For example, a variable named 'sub' can be accessed as 'claims.sub'.
+ Nested claims can be accessed using dot notation, e.g. 'claims.foo.bar'.
+
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+
+ Mutually exclusive with username. Use either username or usernameExpression to
+ determine the user's username from the JWT token.
type: string
type: object
issuer:
description: |-
- Issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
+ issuer is the OIDC issuer URL that will be used to discover public signing keys. Issuer is
also used to validate the "iss" JWT claim.
minLength: 1
pattern: ^https://
type: string
tls:
- description: TLS configuration for communicating with the OIDC provider.
+ description: tls is the configuration for communicating with the OIDC
+ provider via TLS.
properties:
certificateAuthorityData:
description: X.509 Certificate Authority (base64-encoded PEM bundle).
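Review bot: The new spec fields added to this CRD (`claimValidationRules`, `claims.extra`, `groupsExpression`, `usernameExpression`, and `userValidationRules` in the following hunk) live under `crds/`, which Helm applies only on a fresh install and never on `helm upgrade`, so existing releases keep the 0.39.0 schema after this bump. On such clusters the API server would presumably prune these unknown fields from a JWTAuthenticator object, which matters most for `claimValidationRules` and `userValidationRules`: an operator could believe a validation rule is enforced while it was silently dropped — worth confirming against the 0.40.0 controller's behaviour. The CHANGELOG entry only says "Update dependency references"; the changelog or README should state that the CRDs must be re-applied manually (e.g. `kubectl apply -f crds/`) before any of the new fields are used. The enclosing schema object starts before and ends after this hunk.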
@@ -130,12 +312,47 @@ spec:
- name
type: object
type: object
+ userValidationRules:
+ description: |-
+ userValidationRules are rules that are applied to final user before completing authentication.
+ These allow invariants to be applied to incoming identities such as preventing the
+ use of the system: prefix that is commonly used by Kubernetes components.
+ The validation rules are logically ANDed together and must all return true for the validation to pass.
+ This is similar to claimValidationRules from Kubernetes AuthenticationConfiguration as documented in
+ https://kubernetes.io/docs/reference/access-authn-authz/authentication.
+ This is an advanced configuration option. During an end-user login flow, mistakes in this
+ configuration will cause the user's login to fail.
+ items:
+ description: UserValidationRule provides the configuration for a
+ single user info validation rule.
+ properties:
+ expression:
+ description: |-
+ expression represents the expression which will be evaluated by CEL.
+ Must return true for the validation to pass.
+
+ CEL expressions have access to the contents of UserInfo, organized into CEL variable:
+ - 'user' - authentication.k8s.io/v1, Kind=UserInfo object
+ Refer to https://github.com/kubernetes/api/blob/release-1.28/authentication/v1/types.go#L105-L122 for the definition.
+ API documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#userinfo-v1-authentication-k8s-io
+
+ Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+ type: string
+ message:
+ description: |-
+ message customizes the returned error message when rule returns false.
+ message is a literal string.
+ type: string
+ required:
+ - expression
+ type: object
+ type: array
required:
- audience
- issuer
type: object
status:
- description: Status of the authenticator.
+ description: status of the authenticator.
properties:
conditions:
description: Represents the observations of the authenticator's current
diff --git a/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml b/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
index a7ff35d7f6..12fe06b3cd 100644
--- a/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
+++ b/bitnami/pinniped/crds/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/concierge/authentication.concierge.pinniped.dev_webhookauthenticators.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/concierge/config.concierge.pinniped.dev_credentialissuers.yaml b/bitnami/pinniped/crds/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
index 1e038e51ea..6362d28385 100644
--- a/bitnami/pinniped/crds/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
+++ b/bitnami/pinniped/crds/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/concierge/config.concierge.pinniped.dev_credentialissuers.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml b/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
index debb2447b5..c0c9c323d6 100644
--- a/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
+++ b/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/supervisor/config.supervisor.pinniped.dev_federationdomains.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml b/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
index d36f0cc4c3..f1df01825d 100644
--- a/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
+++ b/bitnami/pinniped/crds/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/supervisor/config.supervisor.pinniped.dev_oidcclients.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
index 4792233da2..a4928d5d66 100644
--- a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
+++ b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/supervisor/idp.supervisor.pinniped.dev_activedirectoryidentityproviders.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
index 21f99ea548..ffd316a104 100644
--- a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
+++ b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/supervisor/idp.supervisor.pinniped.dev_githubidentityproviders.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
index 83b8fda43e..8d676d33cc 100644
--- a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
+++ b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/supervisor/idp.supervisor.pinniped.dev_ldapidentityproviders.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
index 8c7cf7c3a2..48538758a8 100644
--- a/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
+++ b/bitnami/pinniped/crds/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
@@ -1,5 +1,5 @@
# Source: https://raw.githubusercontent.com/vmware-tanzu/pinniped/v{version}/deploy/supervisor/idp.supervisor.pinniped.dev_oidcidentityproviders.yaml
-# Version: 0.39.0
+# Version: 0.40.0
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
diff --git a/bitnami/pinniped/values.yaml b/bitnami/pinniped/values.yaml
index 9fea6cf234..47967d5707 100644
--- a/bitnami/pinniped/values.yaml
+++ b/bitnami/pinniped/values.yaml
@@ -74,7 +74,7 @@ extraDeploy: []
image:
registry: docker.io
repository: bitnami/pinniped
- tag: 0.39.0-debian-12-r3
+ tag: 0.40.0-debian-12-r0
digest: ""
## Specify a imagePullPolicy
## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images