All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Made a bunch of dep updates, all through dependabot so full list will be easy to get (
git log v3.2.1..HEAD --author=dependabot --pretty=oneline).
- Changing
--search-attributesto--extra-attributes, fixing extra attributes not being processed and added to the user object. This is the change triggering a major update since the interface changed.
- The entry in the credential manager is now specific to the k8s-ldap-auth server address, allowing for different k8s-ldap-auth to be used against different ldap servers.
- Password is now stored into the OS credential manager upon successful interactive authentication.
/healthnow serves the application status.
- User username properties mapping with ldap can now be set with specific parameters or environment variable.
- Parameter
--member-of-propertyis now--memberof-property(style consistency change) - TokenReview user won't contain a list of group cn only anymore but their full dn to prevent name collision
- Cache file and folder containing the ExecCredential are now only readable by the owner.
- Added PIE compilation for binary hardening.
- Added trimpath option for reproducible builds.
- Token longevity can now be configured (in seconds). Default to 43200 (12 hours).
- Token generated now only contains uid. Groups and DN are added to the TokenReview when kube-apiserver dial k8s-ldap-auth.
- There is now a reset command to ease the removal of cached token and force re-authentication on next invocation.
/authroute for ldap authentication, returning an ExecCredential/tokenroute for apiserver TokenReview validation- Loading key pair for jwt signing and validation from files
- Generating an arbitrary key pair for jwt signing and validation if none is given
- TokenReview contains user id and groups from LDAP
- Password and username can be given from standard input, environment variables or files.