Merge pull request #2832 from vmware/dependabot/docker/dockerfiles/eks-deployer/ci/amazon/aws-cli-2.32.30

Bump amazon/aws-cli from 2.32.29 to 2.32.30 in /dockerfiles/eks-deployer

AD-SETUP.md

@@ -18,8 +18,8 @@ gcloud auth login
 
 # Set some variables.
 project="REDACTED" # Change this to be the actual project name before running these commands.
-region="us-central1"
-zone="us-central1-b"
+region="us-west1"
+zone="us-west1-c"
 vpc_name="ad"
 
 # Create VPC.

CODE_OF_CONDUCT.md

@@ -1 +1 @@
-Please see https://github.com/vmware-tanzu/pinniped/blob/main/CODE_OF_CONDUCT.md
+Please see https://github.com/vmware/pinniped/blob/main/CODE_OF_CONDUCT.md

CONTRIBUTING.md

@@ -1 +1 @@
-Please see https://github.com/vmware-tanzu/pinniped/blob/main/CONTRIBUTING.md
+Please see https://github.com/vmware/pinniped/blob/main/CONTRIBUTING.md

MAINTAINERS.md

@@ -1 +1 @@
-Please see https://github.com/vmware-tanzu/pinniped/blob/main/MAINTAINERS.md
+Please see https://github.com/vmware/pinniped/blob/main/MAINTAINERS.md

README.md

@@ -1,6 +1,6 @@
 # Pinniped's `ci` branch
 
-This `ci` branch contains the CI/CD tooling for [Pinniped](https://github.com/vmware-tanzu/pinniped).
+This `ci` branch contains the CI/CD tooling for [Pinniped](https://github.com/vmware/pinniped).
 
 The documentation and code in this branch is mainly intended for the maintainers of Pinniped.
 
@@ -13,25 +13,25 @@ for these files was not copied from the private repository at the time of this m
 ## Reporting an issue in this branch
 
 Found a bug or would like to make an enhancement request?
-Please report issues in [this repo](https://github.com/vmware-tanzu/pinniped).
+Please report issues in [this repo](https://github.com/vmware/pinniped).
 
 ## Reporting security vulnerabilities
 
-Please follow the procedure described in [SECURITY.md](https://github.com/vmware-tanzu/pinniped/blob/main/SECURITY.md).
+Please follow the procedure described in [SECURITY.md](https://github.com/vmware/pinniped/blob/main/SECURITY.md).
 
 ## Creating a release
 
 When the team is preparing to ship a release, a maintainer will create a new
-GitHub [Issue](https://github.com/vmware-tanzu/pinniped/issues/new/choose) in this repo to
+GitHub [Issue](https://github.com/vmware/pinniped/issues/new/choose) in this repo to
 collaboratively track progress on the release checklist. As tasks are completed,
 the team will check them off. When all the tasks are completed, the issue is closed.
 
-The release checklist is committed to this repo as an [issue template](https://github.com/vmware-tanzu/pinniped/tree/main/.github/ISSUE_TEMPLATE/release_checklist.md).
+The release checklist is committed to this repo as an [issue template](https://github.com/vmware/pinniped/tree/main/.github/ISSUE_TEMPLATE/release_checklist.md).
 
 ## Pipelines
 
 Pinniped uses [Concourse](https://concourse-ci.org) for CI/CD.
-Our Concourse can be found at [ci.pinniped.dev](https://ci.pinniped.dev).
+We are currently running our Concourse on a network that can only be reached from inside the corporate network at [ci.pinniped.broadcom.net](https://ci.pinniped.broadcom.net).
 
 The following pipelines are implemented in this branch. Not all pipelines are necessarily publicly visible, although our goal is to make them all visible.
 
@@ -115,7 +115,7 @@ Some pipelines use github [webhooks to trigger resource checks](https://concours
 rather than the default of polling every minute, to make these pipelines more responsive and use fewer compute resources
 for running checks. Refer to places where `webhook_token` is configured in various `pipeline.yml` files.
 
-To make these webhooks work, they must be defined on the [GitHub repo's settings](https://github.com/vmware-tanzu/pinniped/settings/hooks).
+To make these webhooks work, they must be defined on the [GitHub repo's settings](https://github.com/vmware/pinniped/settings/hooks).
 
 ## Installing and operating Concourse
 
@@ -125,12 +125,12 @@ See [infra/README.md](./infra/README.md) for details about how Concourse was ins
 
 In addition to the many ephemeral Kubernetes clusters we use for testing, we also deploy a long-running acceptance environment.
 
-Google Kubernetes Engine (GKE) in the `gke-acceptance-cluster` cluster in our GCP project in the `us-central1-c` availability zone.
+Google Kubernetes Engine (GKE) in the `gke-acceptance-cluster` cluster in our GCP project in the `us-west1-c` availability zone.
 
 To access this cluster, download the kubeconfig to `gke-acceptance.yaml` by running:
 
 ```cmd
-KUBECONFIG=gke-acceptance.yaml gcloud container clusters get-credentials gke-acceptance-cluster --project "$PINNIPED_GCP_PROJECT" --zone us-central1-c
+KUBECONFIG=gke-acceptance.yaml gcloud container clusters get-credentials gke-acceptance-cluster --project "$PINNIPED_GCP_PROJECT" --zone us-west1-c
 ```
 
 The above command assumes that you have already set `PINNIPED_GCP_PROJECT` to be the name of the GCP project.

SECURITY.md

@@ -1 +1 @@
-Please see https://github.com/vmware-tanzu/pinniped/blob/main/SECURITY.md
+Please see https://github.com/vmware/pinniped/blob/main/SECURITY.md

dockerfiles/code-coverage-uploader/Dockerfile

@@ -2,13 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # For running Go linters
-FROM debian:12.11-slim AS builder
+FROM debian:13.2-slim AS builder
 
 RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
 
 RUN curl -sfLo /tmp/codecov https://uploader.codecov.io/latest/linux/codecov
 RUN chmod +x /tmp/codecov
 
-FROM golang:1.24.3
+FROM golang:1.25.5
 RUN apt-get update -y && apt-get dist-upgrade -y
 COPY --from=builder /tmp/codecov /usr/local/bin/codecov

dockerfiles/crane/Dockerfile

@@ -2,9 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 FROM gcr.io/go-containerregistry/crane as crane
-FROM mikefarah/yq:4.45.4 AS yq
+FROM mikefarah/yq:4.50.1 AS yq
 
-FROM golang:1.24.3
+FROM golang:1.25.5
 COPY --from=yq /usr/bin/yq /usr/local/bin
 COPY --from=crane /ko-app/crane /usr/local/bin
 ENTRYPOINT ["bash"]

dockerfiles/deployment-yaml-formatter/Dockerfile

@@ -1,9 +1,9 @@
 # Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM mikefarah/yq:4.45.4 AS yq
+FROM mikefarah/yq:4.50.1 AS yq
 
-FROM debian:12.11-slim
+FROM debian:13.2-slim
 
 # Note: libdigest-sha-perl is to get shasum, which is used when installing Carvel tools below.
 RUN apt-get update && apt-get install -y ca-certificates jq curl libdigest-sha-perl && rm -rf /var/lib/apt/lists/*

dockerfiles/eks-deployer/Dockerfile

@@ -3,10 +3,10 @@
 
 # For deploying an EKS cluster and setting it up to run our tests.
 
-FROM weaveworks/eksctl:v0.208.0 AS eksctl
-FROM mikefarah/yq:4.45.4 AS yq
-FROM amazon/aws-cli:2.27.24
-RUN yum update -y && yum install -y jq && yum install -y perl-Digest-SHA && yum clean all
+FROM weaveworks/eksctl:v0.221.0 AS eksctl
+FROM mikefarah/yq:4.50.1 AS yq
+FROM amazon/aws-cli:2.32.30
+RUN yum update -y && yum install -y jq perl-Digest-SHA openssl && yum clean all
 COPY --from=eksctl eksctl /usr/local/bin/eksctl
 COPY --from=yq /usr/bin/yq /usr/local/bin/yq
 

dockerfiles/gh-cli/Dockerfile

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # For running the GitHub CLI.
-FROM debian:12.11-slim AS builder
+FROM debian:13.2-slim AS builder
 
 RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
 
@@ -11,5 +11,5 @@ RUN curl \
     https://github.com/cli/cli/releases/download/v2.40.0/gh_2.40.0_linux_amd64.tar.gz \
     && tar -C /tmp --strip-components=1 -xzvf /tmp/gh.tar.gz
 
-FROM golang:1.24.3
+FROM golang:1.25.5
 COPY --from=builder /tmp/bin/gh /usr/local/bin/gh

dockerfiles/integration-test-runner-beta/Dockerfile

@@ -3,14 +3,14 @@
 
 # For running the integration tests as a client to a k8s cluster
 
-FROM mikefarah/yq:4.45.4 AS yq
+FROM mikefarah/yq:4.50.1 AS yq
 
 # We need gcloud for running integration tests against GKE
 # because the kubeconfig uses gcloud as an `auth-provider`.
 # Use FROM gcloud-sdk instead of FROM golang because its
 # a lot easier to install Go than to install gcloud in the
 # subsequent commands below.
-FROM google/cloud-sdk:524.0.0-slim
+FROM google/cloud-sdk:551.0.0-slim
 
 # Install apache2-utils (for htpasswd to bcrypt passwords for the
 # local-user-authenticator) and jq.
@@ -36,7 +36,7 @@ RUN google-chrome --version
 
 # Install Go. The download URL that can be used below for any version of Go can be found on https://go.dev/dl/
 ENV PATH /usr/local/go/bin:$PATH
-RUN curl -fsSL https://go.dev/dl/go1.24.3.linux-amd64.tar.gz -o /tmp/go.tar.gz && \
+RUN curl -fsSL https://go.dev/dl/go1.25.5.linux-amd64.tar.gz -o /tmp/go.tar.gz && \
     tar -C /usr/local -xzf /tmp/go.tar.gz && \
     rm /tmp/go.tar.gz && \
     go version

dockerfiles/integration-test-runner/Dockerfile

@@ -3,14 +3,14 @@
 
 # For running the integration tests as a client to a k8s cluster
 
-FROM mikefarah/yq:4.45.4 AS yq
+FROM mikefarah/yq:4.50.1 AS yq
 
 # We need gcloud for running integration tests against GKE
 # because the kubeconfig uses gcloud as an `auth-provider`.
 # Use FROM gcloud-sdk instead of FROM golang because its
 # a lot easier to install Go than to install gcloud in the
 # subsequent commands below.
-FROM google/cloud-sdk:524.0.0-slim
+FROM google/cloud-sdk:551.0.0-slim
 
 # Install apache2-utils (for htpasswd to bcrypt passwords for the
 # local-user-authenticator) and jq.
@@ -36,7 +36,7 @@ RUN google-chrome --version
 
 # Install Go. The download URL that can be used below for any version of Go can be found on https://go.dev/dl/
 ENV PATH /usr/local/go/bin:$PATH
-RUN curl -fsSL https://go.dev/dl/go1.24.3.linux-amd64.tar.gz -o /tmp/go.tar.gz && \
+RUN curl -fsSL https://go.dev/dl/go1.25.5.linux-amd64.tar.gz -o /tmp/go.tar.gz && \
     tar -C /usr/local -xzf /tmp/go.tar.gz && \
     rm /tmp/go.tar.gz && \
     go version

dockerfiles/k8s-app-deployer/Dockerfile

@@ -3,7 +3,7 @@
 
 # For deploying apps onto Kubernetes clusters (including GKE)
 
-FROM google/cloud-sdk:524.0.0-slim
+FROM google/cloud-sdk:551.0.0-slim
 
 # Install apache2-utils (for htpasswd to bcrypt passwords for the
 # local-user-authenticator) and jq.

dockerfiles/k8s-code-generator/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -51,7 +51,9 @@ require (
 EOF
 
 # Resolve dependencies and download the modules.
+echo "Running go mod tidy ..."
 go mod tidy
+echo "Running go mod download ..."
 go mod download
 
 # Copy the downloaded source code of k8s.io/code-generator so we can "go install" all its commands.
@@ -64,7 +66,16 @@ cp -pr "$(go env GOMODCACHE)/k8s.io/code-generator@v$K8S_PKG_VERSION" "$(go env
 # The sed is a dirty hack to avoid having the code-generator shell scripts run go install again.
 # In version 0.23.0 the line inside the shell script that previously said "go install ..." started
 # to instead say "GO111MODULE=on go install ..." so this sed is a little wrong, but still seems to work.
+echo "Running go install for all k8s.io/code-generator commands ..."
+# Using sed to edit the go.mod file (and then running go mod tidy) is a dirty hack to work around
+# an issue introduced in Go v1.25. See https://github.com/golang/go/issues/74462.
+# The version of code-generator used by Kube 1.30 depends on x/tools v0.18.0.
+# The version of code-generator used by Kube 1.31 depends on x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d.
+# Other versions of Kube use code-generator versions which do not have this problem.
 (cd "$(go env GOPATH)/src/k8s.io/code-generator" &&
+  sed -i -E -e 's#golang\.org/x/tools v0\.18\.0#golang\.org/x/tools v0\.24\.1#g' ./go.mod &&
+  sed -i -E -e 's#golang\.org/x/tools v0\.21\.1-.*#golang\.org/x/tools v0\.24\.1#g' ./go.mod &&
+  go mod tidy &&
   go install -v ./cmd/... &&
   sed -i -E -e 's/(go install.*)/# \1/g' ./*.sh)
 
@@ -74,14 +85,30 @@ if [[ ! -f "$(go env GOPATH)/bin/openapi-gen" ]]; then
   # that is selected as an indirect dependency by the go.mod.
   kube_openapi_version=$(go list -m k8s.io/kube-openapi | cut -f2 -d' ')
   # Install that version of its openapi-gen command.
-  go install -v "k8s.io/kube-openapi/cmd/openapi-gen@$kube_openapi_version"
+  echo "Running go install for openapi-gen $kube_openapi_version ..."
+  # Using sed to edit the go.mod file (and then running go mod tidy) is a dirty hack to work around
+  # an issue introduced in Go v1.25. See https://github.com/golang/go/issues/74462.
+  # If this were not needed, then we could just use "go install" directly without
+  # copying the source code or editing the go.mod file (which is what this script used to do),
+  # like this: go install -v "k8s.io/kube-openapi/cmd/openapi-gen@$kube_openapi_version"
+  # The version of kube-openapi used by Kube 1.30 (and maybe 1.31) depends on x/tools v0.18.0.
+  # The version of kube-openapi used by Kube 1.32 depends on x/tools v0.24.0.
+  # Other versions of Kube use kube-openapi versions which do not have this problem.
+  cp -pr "$(go env GOMODCACHE)/k8s.io/kube-openapi@$kube_openapi_version" "$(go env GOPATH)/src/k8s.io/kube-openapi"
+  (cd "$(go env GOPATH)/src/k8s.io/kube-openapi" &&
+    sed -i -E -e 's#golang\.org/x/tools v0\.18\.0#golang\.org/x/tools v0\.24\.1#g' ./go.mod &&
+    sed -i -E -e 's#golang\.org/x/tools v0\.24\.0#golang\.org/x/tools v0\.24\.1#g' ./go.mod &&
+    go mod tidy &&
+    go install -v ./cmd/openapi-gen)
 fi
 
+echo "Running go install for controller-gen ..."
 go install -v sigs.k8s.io/controller-tools/cmd/controller-gen@v$CONTROLLER_GEN_VERSION
 
 # We use a commit sha instead of a release semver because this project does not create
 # releases very often. They seem to only release 1-2 times per year, but commit to
 # main more often.
+echo "Running go install for crd-ref-docs ..."
 go install -v github.com/elastic/crd-ref-docs@$CRD_REF_DOCS_COMMIT_SHA
 
 # List all the commands that we just installed.

dockerfiles/pool-trigger-resource/Dockerfile

@@ -9,7 +9,7 @@
 # to use newer versions of linux, jq, and git. The "assets" directory's source code is copied from
 # https://github.com/cfmobile/pool-trigger-resource/tree/master/assets as of commit efefe018c88e937.
 
-FROM debian:12.11-slim
+FROM debian:13.2-slim
 
 RUN apt-get update && apt-get install -y ca-certificates jq git && rm -rf /var/lib/apt/lists/*
 

dockerfiles/test-bitnami-ldap/Dockerfile

@@ -1,4 +1,11 @@
-# Copyright 2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM bitnami/openldap:2.6.10
+# It seems that Bitnami no longer supports openldap.
+# See https://github.com/bitnami/containers/issues/83267
+# All existing container images have been migrated from the public catalog (docker.io/bitnami) to
+# the “Bitnami Legacy” repository (docker.io/bitnamilegacy), where they will no longer receive updates.
+#
+# FROM bitnami/openldap:2.6.10
+
+FROM bitnamilegacy/openldap:2.6.10

dockerfiles/test-cfssl/Dockerfile

@@ -11,7 +11,7 @@ FROM cfssl/cfssl:v1.6.5 as cfssl
 
 # We just need any basic unix with bash, but we can pick the same
 # base image that they use, just in case they did any dynamic linking.
-FROM golang:1.24.3
+FROM golang:1.25.5
 
 # Thier Docerfile https://github.com/cloudflare/cfssl/blob/master/Dockerfile
 # calls their Makefile https://github.com/cloudflare/cfssl/blob/master/Makefile

dockerfiles/test-dex/Dockerfile

@@ -1,4 +1,4 @@
 # Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM ghcr.io/dexidp/dex:v2.43.1
+FROM ghcr.io/dexidp/dex:v2.44.0

dockerfiles/test-forward-proxy/Dockerfile

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # Use a runtime image based on Debian slim
-FROM debian:12.11-slim
+FROM debian:13.2-slim
 
 # Install Squid and drop in a very basic, open proxy configuration.
 RUN apt-get update && apt-get install -y squid

hack/approve-and-merge.sh

@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
 
-repo=vmware-tanzu/pinniped
+repo=vmware/pinniped
 current_branch_name=$(git rev-parse --abbrev-ref HEAD)
 
 if [[ "$current_branch_name" != "ci" ]]; then

hack/create-gke-acceptance-env.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -15,30 +15,61 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if [[ -z "${SHARED_VPC_PROJECT:-}" ]]; then
+  echo "SHARED_VPC_PROJECT env var must be set"
+  exit 1
+fi
+if [[ -z "${SHARED_VPC_NAME:-}" ]]; then
+  echo "SHARED_VPC_NAME env var must be set"
+  exit 1
+fi
+if [[ -z "${SUBNET_NAME:-}" ]]; then
+  echo "SUBNET_NAME env var must be set"
+  exit 1
+fi
+
+CLUSTER_ZONE="us-west1-c"
+SUBNET_REGION="us-west1"
+
 # Create (or recreate) a GKE acceptance cluster.
 # Pro tip: The GCP Console UI can help you build this command.
 # The following fields were customized, and all of the others are left as the GCP Console's defaults:
 #  - Cluster name
+#  - Machine type - starting in Aug 2025, the google pods request more than 1 CPU, making them not fit on a single e2-medium node
 #  - Cluster version - newest at the time
 #  - Num nodes - sized smaller to be cheaper
 #  - Maintenance window start and recurrence - to avoid downtime during business hours
 #  - Issue client certificate - to make it possible to use an admin kubeconfig without the GKE auth plugin
+#  - tags, authorized networks, private nodes, private endpoint, network, subnet, and secondary ranges
+#  - service account
 gcloud container --project "$PINNIPED_GCP_PROJECT" clusters create "gke-acceptance-cluster" \
-  --zone "us-central1-c" --no-enable-basic-auth --cluster-version "1.30.4-gke.1348000" --release-channel "regular" \
-  --machine-type "e2-medium" \
+  --zone "$CLUSTER_ZONE" \
+  --no-enable-basic-auth \
+  --cluster-version "1.32.4-gke.1415000" \
+  --release-channel "regular" \
+  --machine-type "e2-standard-2" \
   --image-type "COS_CONTAINERD" --disk-type "pd-balanced" --disk-size "100" --metadata disable-legacy-endpoints=true \
-  --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
   --num-nodes "1" \
   --logging=SYSTEM,WORKLOAD --monitoring=SYSTEM,STORAGE,POD,DEPLOYMENT,STATEFULSET,DAEMONSET,HPA,CADVISOR,KUBELET \
-  --enable-ip-alias \
-  --network "projects/$PINNIPED_GCP_PROJECT/global/networks/default" \
-  --subnetwork "projects/$PINNIPED_GCP_PROJECT/regions/us-central1/subnetworks/default" \
   --no-enable-intra-node-visibility \
   --default-max-pods-per-node "110" \
-  --security-posture=standard --workload-vulnerability-scanning=disabled --no-enable-master-authorized-networks \
+  --security-posture=standard --workload-vulnerability-scanning=disabled \
   --addons HorizontalPodAutoscaling,HttpLoadBalancing,GcePersistentDiskCsiDriver \
   --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 \
-  --binauthz-evaluation-mode=DISABLED --enable-managed-prometheus --enable-shielded-nodes --node-locations "us-central1-c" \
+  --binauthz-evaluation-mode=DISABLED --enable-managed-prometheus \
+  --enable-shielded-nodes --shielded-integrity-monitoring --no-shielded-secure-boot \
+  --node-locations "$CLUSTER_ZONE" \
   --maintenance-window-start "2020-07-01T03:00:00Z" --maintenance-window-end "2020-07-01T11:00:00Z" \
   --maintenance-window-recurrence "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR,SA,SU" \
-  --issue-client-certificate
+  --issue-client-certificate \
+  --tags "gke-broadcom" \
+  --enable-master-authorized-networks \
+  --master-authorized-networks "10.0.0.0/8" \
+  --enable-private-nodes \
+  --enable-private-endpoint \
+  --enable-ip-alias \
+  --network "projects/${SHARED_VPC_PROJECT}/global/networks/${SHARED_VPC_NAME}" \
+  --subnetwork "projects/${SHARED_VPC_PROJECT}/regions/${SUBNET_REGION}/subnetworks/${SUBNET_NAME}" \
+  --cluster-secondary-range-name "services" \
+  --services-secondary-range-name "pods" \
+  --service-account "terraform@${PINNIPED_GCP_PROJECT}.iam.gserviceaccount.com"

hack/fly-helpers.sh

@@ -1,11 +1,11 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 #
 # Some global fly config.
 #
 export FLY_CLI=/usr/local/bin/fly
-export CONCOURSE_URL=https://ci.pinniped.dev
+export CONCOURSE_URL=https://ci.pinniped.broadcom.net
 export CONCOURSE_TEAM=main
 export CONCOURSE_TARGET=pinniped
 export ROOT_DIR

hack/prepare-remote-cluster-for-integration-tests.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Assuming that you have somehow got your hands on a remote GKE or kind cluster,
@@ -240,7 +240,7 @@ gke | aks | eks)
   log_note "KUBECONFIG='$KUBECONFIG' TEST_ENV_PATH='/tmp/integration-test-env' SOURCE_PATH='$pinniped_repo' $ROOT/pipelines/shared-tasks/run-integration-tests/task.sh"
   ;;
 kind)
-  log_note "KUBECONFIG='$KUBECONFIG' TEST_ENV_PATH='/tmp/integration-test-env' SOURCE_PATH='$pinniped_repo' START_GCLOUD_PROXY=yes GCP_PROJECT=$PINNIPED_GCP_PROJECT GCP_ZONE=us-central1-b $ROOT/pipelines/shared-tasks/run-integration-tests/task.sh"
+  log_note "KUBECONFIG='$KUBECONFIG' TEST_ENV_PATH='/tmp/integration-test-env' SOURCE_PATH='$pinniped_repo' START_GCLOUD_PROXY=yes GCP_PROJECT=$PINNIPED_GCP_PROJECT GCP_ZONE=us-west1-a $ROOT/pipelines/shared-tasks/run-integration-tests/task.sh"
   ;;
 *)
   log_error "Huh? Should never get here."

hack/remote-workstation/create.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -10,10 +10,30 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if [[ -z "${SHARED_VPC_PROJECT:-}" ]]; then
+  echo "SHARED_VPC_PROJECT env var must be set"
+  exit 1
+fi
+
+if [[ -z "${SUBNET_NAME:-}" ]]; then
+  echo "SUBNET_NAME env var must be set"
+  exit 1
+fi
+
+if [[ -z "${DISK_IMAGES_PROJECT:-}" ]]; then
+  echo "DISK_IMAGES_PROJECT env var must be set"
+  exit 1
+fi
+
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
+zone="us-west1-a"
 here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # Create a VM called $instance_name with some reasonable compute power and disk.
@@ -21,23 +41,45 @@ echo "Creating VM with name $instance_name..."
 gcloud compute instances create "$instance_name" \
   --project="$project" --zone="$zone" \
   --machine-type="e2-standard-8" \
-  --boot-disk-size="40GB" --boot-disk-type="pd-ssd" --boot-disk-device-name="$instance_name"
+  --network-interface=stack-type=IPV4_ONLY,subnet=projects/"$SHARED_VPC_PROJECT"/regions/us-west1/subnetworks/"${SUBNET_NAME}",no-address \
+  --create-disk=auto-delete=yes,boot=yes,device-name="$instance_name",image=projects/"${DISK_IMAGES_PROJECT}"/global/images/labs-saas-gcp-debian12-packer-latest,mode=rw,size=40,type=pd-ssd
 
-# Give a little time for the server to be ready.
-while true; do
-  sleep 5
-  if ! "$here"/ssh.sh ls; then
-    echo "Waiting for VM to be accessible via ssh..."
-  else
-    echo "VM ready!"
-    break
+# Make a private key for ssh.
+ssh_key_file="$HOME/.ssh/gcp-remote-workstation-key"
+if [[ ! -f "$ssh_key_file" ]]; then
+  ssh-keygen -t rsa -b 4096 -q -N "" -f "$ssh_key_file"
+fi
+
+# Add the key only to the specific VM instance (as VM metadata).
+echo "${instance_user}:$(cat "${ssh_key_file}.pub")" >/tmp/ssh-key-values
+gcloud compute instances add-metadata "$instance_name" \
+  --metadata-from-file ssh-keys=/tmp/ssh-key-values \
+  --zone "$zone" --project "$project"
+
+# Get the IP so we can use regular ssh (not gcloud ssh).
+gcloud_instance_ip=$(gcloud compute instances describe \
+  --zone "$zone" --project "$project" "${instance_name}" \
+  --format='get(networkInterfaces[0].networkIP)')
+
+ssh_dest="${instance_user}@${gcloud_instance_ip}"
+
+# Wait for the ssh server of the new instance to be ready.
+attempts=0
+while ! ssh -i "$ssh_key_file" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$ssh_dest" echo connection test; do
+  echo "Waiting for ssh server to start ..."
+  attempts=$((attempts + 1))
+  if [[ $attempts -gt 25 ]]; then
+    echo "ERROR: ssh server never accepted connections after waiting for a while"
+    exit 1
   fi
+  sleep 2
 done
 
 # Copy the deps script to the new VM.
 echo "Copying deps.sh to $instance_name..."
-gcloud compute scp "$here"/lib/deps.sh "$instance_user@$instance_name":/tmp \
-  --project="$project" --zone="$zone"
+scp -i "$ssh_key_file" \
+  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  "$here"/lib/deps.sh "$ssh_dest":/tmp
 
 # Run the deps script on the new VM.
 "$here"/ssh.sh /tmp/deps.sh

hack/remote-workstation/delete.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -10,9 +10,14 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
+zone="us-west1-a"
 
 # Delete the instance forever. Will prompt for confirmation.
 echo "Destroying VM $instance_name..."

hack/remote-workstation/lib/deps.sh

@@ -19,12 +19,10 @@ brew install gcc
 
 # Install go.
 brew install go
-# On linux go really wants gcc5 to also be installed for some reason.
-brew install gcc@5
 
 # Install and configure zsh and plugins.
 brew install zsh zsh-history-substring-search
-brew install fasd fzf
+brew install fzf
 /home/linuxbrew/.linuxbrew/opt/fzf/install --all --no-bash --no-fish
 # Install https://ohmyz.sh
 export PATH=$PATH:/home/linuxbrew/.linuxbrew/bin
@@ -46,11 +44,11 @@ curl -fsSL https://gist.githubusercontent.com/cfryanr/80ada8af9a78f08b368327401e
 
 # Install other useful packages.
 brew tap homebrew/command-not-found
-brew tap vmware-tanzu/carvel
+brew tap carvel-dev/carvel
 brew install ytt kbld kapp imgpkg kwt vendir
 brew install git git-duet/tap/git-duet pre-commit gh
 brew install k9s kind kubectl kubectx stern
-brew install exa acarl005/homebrew-formulas/ls-go ripgrep procs bat tokei git-delta dust fd httpie chroma
+brew install acarl005/homebrew-formulas/ls-go ripgrep procs bat tokei git-delta dust fd httpie chroma
 brew install watch htop wget
 brew install jesseduffield/lazydocker/lazydocker ctop dive
 brew install jq yq
@@ -81,9 +79,7 @@ sudo systemctl enable containerd.service
 mkdir workspace
 pushd workspace
 ssh-keyscan -H github.com >> $HOME/.ssh/known_hosts
-# This assumes that you used `--ssh-flag=-A` when using `gcloud compute ssh` to log in to the host,
-# which will forward your ssh identities.
-git clone git@github.com:vmware-tanzu/pinniped.git
+git clone https://github.com/vmware/pinniped.git
 pushd pinniped
 pre-commit install
 ./hack/install-linter.sh

hack/remote-workstation/rsync-to-local.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # This is similar to rsync.sh, but with the src and dest flipped at the end.
@@ -13,28 +13,36 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 SRC_DIR=${SRC_DIR:-"$HOME/workspace/pinniped"}
 src_dir_parent=$(dirname "$SRC_DIR")
 dest_dir="./workspace/pinniped"
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
-config_file="/tmp/gcp-ssh-config"
+zone="us-west1-a"
 here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ssh_key_file="$HOME/.ssh/gcp-remote-workstation-key"
+
+# Get the IP so we can use regular ssh (not gcloud ssh).
+gcloud_instance_ip=$(gcloud compute instances describe \
+  --zone "$zone" --project "$project" "${instance_name}" \
+  --format='get(networkInterfaces[0].networkIP)')
+
+ssh_dest="${instance_user}@${gcloud_instance_ip}"
 
 if [[ ! -d "$SRC_DIR" ]]; then
   echo "ERROR: $SRC_DIR does not exist"
   exit 1
 fi
 
-# Get the ssh fingerprints of all the GCP VMs.
-gcloud compute config-ssh --ssh-config-file="$config_file" \
-  --project="$project" >/dev/null
-
 cd "$SRC_DIR"
-local_commit=$(git rev-parse --short HEAD)
-remote_commit=$("$here"/ssh.sh "cd $dest_dir; git rev-parse --short HEAD" 2>/dev/null | tr -dc '[:print:]')
+local_commit=$(git rev-parse HEAD)
+remote_commit=$("$here"/ssh.sh "cd $dest_dir; git rev-parse HEAD" 2>/dev/null | tr -dc '[:print:]')
 
 if [[ -z "$local_commit" || -z "$remote_commit" ]]; then
   echo "ERROR: Could not determine currently checked out git commit sha"
@@ -43,8 +51,8 @@ fi
 
 if [[ "$local_commit" != "$remote_commit" ]]; then
   echo "ERROR: Local and remote repos are not on the same commit. This is usually a mistake."
-  echo "Local was $SRC_DIR at *${local_commit}*"
-  echo "Remote was ${instance_name}:${dest_dir} at *${remote_commit}*"
+  echo "Local was $SRC_DIR at ${local_commit}"
+  echo "Remote was ${instance_name}:${dest_dir} at ${remote_commit}"
   exit 1
 fi
 
@@ -55,5 +63,5 @@ rsync \
   --progress --delete --archive --compress --human-readable \
   --max-size 200K \
   --exclude .git/ --exclude .idea/ --exclude .DS_Store --exclude '*.test' --exclude '*.out' \
-  --rsh "ssh -F $config_file" \
-  "${instance_user}@${instance_name}.${zone}.${project}:$dest_dir" "$src_dir_parent"
+  --rsh "ssh -i '$ssh_key_file' -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
+  "$ssh_dest:$dest_dir" "$src_dir_parent"

hack/remote-workstation/rsync.sh

@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# Copyright 2021 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -13,27 +13,35 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 SRC_DIR=${SRC_DIR:-"$HOME/workspace/pinniped"}
 dest_dir="./workspace"
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
-config_file="/tmp/gcp-ssh-config"
+zone="us-west1-a"
 here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ssh_key_file="$HOME/.ssh/gcp-remote-workstation-key"
+
+# Get the IP so we can use regular ssh (not gcloud ssh).
+gcloud_instance_ip=$(gcloud compute instances describe \
+  --zone "$zone" --project "$project" "${instance_name}" \
+  --format='get(networkInterfaces[0].networkIP)')
+
+ssh_dest="${instance_user}@${gcloud_instance_ip}"
 
 if [[ ! -d "$SRC_DIR" ]]; then
   echo "ERROR: $SRC_DIR does not exist"
   exit 1
 fi
 
-# Get the ssh fingerprints of all the GCP VMs.
-gcloud compute config-ssh --ssh-config-file="$config_file" \
-  --project="$project" >/dev/null
-
 cd "$SRC_DIR"
-local_commit=$(git rev-parse --short HEAD)
-remote_commit=$("$here"/ssh.sh "cd $dest_dir/pinniped; git rev-parse --short HEAD" 2>/dev/null | tr -dc '[:print:]')
+local_commit=$(git rev-parse HEAD)
+remote_commit=$("$here"/ssh.sh "cd $dest_dir/pinniped; git rev-parse HEAD" 2>/dev/null | tr -dc '[:print:]')
 
 if [[ -z "$local_commit" || -z "$remote_commit" ]]; then
   echo "ERROR: Could not determine currently checked out git commit sha"
@@ -42,8 +50,8 @@ fi
 
 if [[ "$local_commit" != "$remote_commit" ]]; then
   echo "ERROR: Local and remote repos are not on the same commit. This is usually a mistake."
-  echo "Local was $SRC_DIR at *${local_commit}*"
-  echo "Remote was ${instance_name}:${dest_dir}/pinniped at *${remote_commit}*"
+  echo "Local was $SRC_DIR at ${local_commit}"
+  echo "Remote was ${instance_name}:${dest_dir}/pinniped at ${remote_commit}"
   exit 1
 fi
 
@@ -54,5 +62,5 @@ rsync \
   --progress --delete --archive --compress --human-readable \
   --max-size 200K \
   --exclude .git/ --exclude .idea/ --exclude .DS_Store --exclude '*.test' --exclude '*.out' \
-  --rsh "ssh -F $config_file" \
-  "$SRC_DIR" "${instance_user}@${instance_name}.${zone}.${project}:$dest_dir"
+  --rsh "ssh -i '$ssh_key_file' -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" \
+  "$SRC_DIR" "$ssh_dest:$dest_dir"

hack/remote-workstation/ssh.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -10,13 +10,25 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 instance_user="${REMOTE_INSTANCE_USERNAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
+zone="us-west1-a"
+ssh_key_file="$HOME/.ssh/gcp-remote-workstation-key"
+
+# Get the IP so we can use regular ssh (not gcloud ssh).
+gcloud_instance_ip=$(gcloud compute instances describe \
+  --zone "$zone" --project "$project" "${instance_name}" \
+  --format='get(networkInterfaces[0].networkIP)')
+
+ssh_dest="${instance_user}@${gcloud_instance_ip}"
 
 # Run ssh with identities forwarded so you can use them with git on the remote host.
 # Optionally run an arbitrary command on the remote host.
 # By default, start an interactive session.
-gcloud compute ssh --ssh-flag=-A "$instance_user@$instance_name" \
-  --project="$project" --zone="$zone" -- "$@"
+ssh -i "$ssh_key_file" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -A "$ssh_dest" -- "$@"

hack/remote-workstation/start.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -10,9 +10,14 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
+zone="us-west1-a"
 
 # Start an instance which was previously stopped to save money.
 echo "Starting VM $instance_name..."

hack/remote-workstation/stop.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -10,9 +10,14 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+if ! gcloud auth print-access-token &>/dev/null; then
+  echo "Please run \`gcloud auth login\` and try again."
+  exit 1
+fi
+
 instance_name="${REMOTE_INSTANCE_NAME:-${USER}}"
 project="$PINNIPED_GCP_PROJECT"
-zone="us-central1-b"
+zone="us-west1-a"
 
 # Stop the instance, to save money, in a way that it can be restarted.
 echo "Stopping VM $instance_name..."

hack/setup-fly.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -16,6 +16,11 @@ if [[ ! -f "$FLY_CLI" ]]; then
   chmod 755 "$FLY_CLI"
 fi
 
+if $FLY_CLI targets | grep ^"$CONCOURSE_TARGET" | grep -q 'https://ci\.pinniped\.dev'; then
+  # The user has the old ci.pinniped.dev target. Remove it so we can replace it.
+  $FLY_CLI delete-target --target "$CONCOURSE_TARGET"
+fi
+
 if ! $FLY_CLI targets | tr -s ' ' | cut -f1 -d ' ' | grep -q "$CONCOURSE_TARGET"; then
   # Create the target if needed
   $FLY_CLI --target "$CONCOURSE_TARGET" login \

infra/README.md

@@ -25,11 +25,13 @@ script must be used to auto-generate some values and store them in a new secret
 This script only needs to be run once.
 
 1. Create a github oauth client as described in https://concourse-ci.org/github-auth.html.
-   The callback URI should be set to `https://ci.pinniped.dev/sky/issuer/callback`.
+   The callback URI should be set to `https://ci.pinniped.broadcom.net/sky/issuer/callback`.
    Take note of the client ID and client secret for use in the next step.
 2. Run `GITHUB_CLIENT_ID=<your_client_id> GITHUB_CLIENT_SECRET=<your_client_secret> ./bootstrap-secrets.sh`.
    This will create a secret in the GCP Secrets Manager which includes the GitHub client info
    along with some auto-generated secrets.
+3. If you need to change the GitHub client's ID or secret later, edit the secret in GCP Secrets Manager,
+   and then redeploy the web deployment.
 
 ## Web Deployment
 
@@ -56,5 +58,5 @@ To upgrade each deployment to a new version of Concourse:
    back to its default number of replicas.
    1. [infra/concourse-install/deploy-concourse-web.sh](./concourse-install/deploy-concourse-web.sh)
    2. [infra/concourse-install/deploy-concourse-web.sh](./concourse-install/deploy-concourse-internal-workers.sh)
-3. Commit and push those script changes. 
+3. Commit and push those script changes.
 4. Trigger the CI jobs to scale the internal workers back to the desired number as needed.

infra/concourse-install/deploy-concourse-web.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -66,7 +66,7 @@ CLUSTER_NAME=$(yq eval '.cluster-name.value' "$TERRAFORM_OUTPUT_FILE")
 PROJECT=$(yq eval '.project.value' "$TERRAFORM_OUTPUT_FILE")
 ZONE=$(yq eval '.zone.value' "$TERRAFORM_OUTPUT_FILE")
 WEB_IP_ADDRESS=$(yq eval '.web-ip.value' "$TERRAFORM_OUTPUT_FILE")
-WEB_HOSTNAME=$(yq eval '.web-hostname.value' "$TERRAFORM_OUTPUT_FILE")
+WEB_HOSTNAME="ci.pinniped.broadcom.net"
 DB_IP_ADDRESS=$(yq eval '.database-ip.value' "$TERRAFORM_OUTPUT_FILE")
 DB_USERNAME=$(yq eval '.database-username.value' "$TERRAFORM_OUTPUT_FILE")
 DB_PASSWORD=$(yq eval '.database-password.value' "$TERRAFORM_OUTPUT_FILE")
@@ -83,9 +83,18 @@ chmod 0600 "$KUBECONFIG"
 BOOTSTRAP_SECRETS_FILE="$DEPLOY_TEMP_DIR/concourse-install-bootstrap.yaml"
 gcloud secrets versions access latest --secret="concourse-install-bootstrap" --project "$PROJECT" >"$BOOTSTRAP_SECRETS_FILE"
 
+# Download the TLS cert for ci.pinniped.broadcom.net which was manually added as a secret.
+TLS_SECRETS_FILE="$DEPLOY_TEMP_DIR/tls-cert.yaml"
+gcloud secrets versions access latest --secret="ci-pinniped-broadcom-net-tls-cert" --project "$PROJECT" >"$TLS_SECRETS_FILE"
+TLS_CERT="$(yq eval '."cert.pem"' "$TLS_SECRETS_FILE")"
+TLS_KEY="$(yq eval '."key.pem"' "$TLS_SECRETS_FILE")"
+
 # Dump out the cluster info for diagnostic purposes.
 kubectl cluster-info
 
+# Configure ip-masq-agent to allow the pods to reach the private IP of the Cloud SQL server.
+kubectl apply -f "$script_dir/web/ip-masq-agent-configmap.yaml"
+
 # Some of the configuration options used below were inspired by how HushHouse runs on GKE.
 # See https://github.com/concourse/hush-house/blob/master/deployments/with-creds/hush-house/values.yaml
 
@@ -111,6 +120,8 @@ helm upgrade "$HELM_RELEASE_NAME" concourse/concourse \
   --set secrets.postgresCaCert="$DB_CA_CERT" \
   --set secrets.postgresClientCert="$DB_CLIENT_CERT" \
   --set secrets.postgresClientKey="$DB_CLIENT_KEY" \
+  --set secrets.webTlsCert="$TLS_CERT" \
+  --set secrets.webTlsKey="$TLS_KEY" \
   --post-renderer "$script_dir/web/ytt-helm-postrender-web.sh"
 
 # By default, it will not be possible for the autoscaler to scale down to one node.

infra/concourse-install/internal-workers/values-workers.yaml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Helps decide the name of the Deployment along with other resources and labels. Will be suffixed with "-worker".
@@ -13,7 +13,7 @@ postgresql:
 worker:
   # In an effort to save money, default to 1 worker.
   replicas: 1
-  nodeSelector: { cloud.google.com/gke-nodepool: workers-2 } # the name of the nodepool from terraform
+  nodeSelector: { cloud.google.com/gke-nodepool: workers-1 } # the name of the nodepool from terraform
   hardAntiAffinity: true
   minAvailable: 0
   terminationGracePeriodSeconds: 3600
@@ -28,7 +28,7 @@ worker:
     # searches using the more commonly used names for those units, e.g. searching "29061248 KiB to GiB".
     #
     # Limit to using all available CPUs and most of the available memory in our e2-standard-8 VM nodes.
-    # According to the "Allocatable" section of the "kubectl describe nodes -l cloud.google.com/gke-nodepool=workers-2" output,
+    # According to the "Allocatable" section of the "kubectl describe nodes -l cloud.google.com/gke-nodepool=workers-1" output,
     # each node has 29061248 Ki, which is equal to 27.7149658203 Gi of memory allocatable,
     # and each node has 7910m cpu allocatable.
     #

infra/concourse-install/scale-down-concourse-internal-workers.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -16,10 +16,10 @@ fi
 
 CLUSTER="pinniped-concourse"
 PROJECT="$PINNIPED_GCP_PROJECT"
-ZONE="us-central1-c"
+ZONE="us-west1-c"
 STATEFULSET="concourse-worker"
 NAMESPACE="concourse-worker"
-NODEPOOL="workers-2"
+NODEPOOL="workers-1"
 
 if [[ -z "$(gcloud config list account --format "value(core.account)")" ]]; then
   gcloud auth activate-service-account \

infra/concourse-install/scale-print-concourse-internal-workers.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -14,13 +14,19 @@ if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
   exit 1
 fi
 
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Define some env vars
+source "$script_dir/../../hack/fly-helpers.sh"
+# Setup and login if needed
+"$script_dir/../../hack/setup-fly.sh"
+
 CLUSTER="pinniped-concourse"
 PROJECT="$PINNIPED_GCP_PROJECT"
-ZONE="us-central1-c"
+ZONE="us-west1-c"
 STATEFULSET="concourse-worker"
 NAMESPACE="concourse-worker"
-NODEPOOL="workers-2"
-TARGET="pinniped"
+NODEPOOL="workers-1"
 
 if [[ -z "$(gcloud config list account --format "value(core.account)")" ]]; then
   gcloud auth activate-service-account \
@@ -79,10 +85,7 @@ kubectl get nodes \
 
 echo
 echo "Current fly workers..."
-if ! fly --target "$TARGET" status >/dev/null; then
-  fly --target "$TARGET" login
-fi
-fly --target "$TARGET" workers
+$FLY_CLI --target "$CONCOURSE_TARGET" workers
 
 echo ""
 echo "Note: If the number of pods, nodes, and fly workers are not all the same,"

infra/concourse-install/scale-up-concourse-internal-workers.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -16,10 +16,10 @@ fi
 
 CLUSTER="pinniped-concourse"
 PROJECT="$PINNIPED_GCP_PROJECT"
-ZONE="us-central1-c"
+ZONE="us-west1-c"
 STATEFULSET="concourse-worker"
 NAMESPACE="concourse-worker"
-NODEPOOL="workers-2"
+NODEPOOL="workers-1"
 
 if [[ -z "$(gcloud config list account --format "value(core.account)")" ]]; then
   gcloud auth activate-service-account \

infra/concourse-install/web/ip-masq-agent-configmap.yaml

@@ -0,0 +1,14 @@
+# see internal doc https://bsg-confluence.broadcom.net/pages/viewpage.action?pageId=689720737
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ip-masq-agent
+  namespace: kube-system
+data:
+  # 240.0.0.0/4 is needed to allow the pod to reach the Cloud SQL server's private IP.
+  # I was told to also add the whole primary IP range of the cluster's subnet, which is 10.31.141.64/27.
+  config: |
+    nonMasqueradeCIDRs:
+     - 240.0.0.0/4
+     - 10.31.141.64/27
+    resyncInterval: 60s

infra/concourse-install/web/values-web.yaml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Helps decide the name of the Deployment along with other resources and labels. Will be suffixed with "-web".
@@ -27,8 +27,12 @@ web:
   service:
     api:
       type: LoadBalancer
+      annotations:
+        networking.gke.io/load-balancer-type: "Internal"
     workerGateway:
       type: LoadBalancer
+      annotations:
+        networking.gke.io/load-balancer-type: "Internal"
   # The first node in the generic-1 nodepool (using e2-highcpu-8 VM) has lots of GKE and Kubernetes pods running on it.
   # According to the "allocatable" section of the "kubectl get node -o yaml" output, the first node has
   # 7910m cpu and 6179084 Ki memory (which is about 5.893 Gi).
@@ -67,7 +71,10 @@ concourse:
           # Because it was created in the org, it should have permissions to read team memberships during a login.
           # The client ID and client secret are stored in the bootstrap secret in the Secrets Manager
           # (see infra/README.md for more info about the bootstrap secret).
-          team: vmware-tanzu:pinniped-owners
+          # TODO: this needs to change to be the team in the vmware org. Also need to change the clientID and clientSecret in the concourse-install-bootstrap GCP secret for one in the vmware org.
+#          team: vmware-tanzu:pinniped-owners
+          # Temporarily just list which specific users are admins instead.
+          user: cfryanr,joshuatcasey
       github:
         enabled: true
     bindPort: 80
@@ -94,9 +101,6 @@ concourse:
       enabled: true
     kubernetes:
       keepNamespaces: true
-    letsEncrypt:
-      enabled: true
-      acmeURL: "https://acme-v02.api.letsencrypt.org/directory"
     tls:
       enabled: true
       bindPort: 443

infra/terraform/gcloud/.terraform.lock.hcl

@@ -2,63 +2,60 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.terraform.io/hashicorp/google" {
-  version     = "5.11.0"
-  constraints = "~> 5.0"
+  version     = "6.40.0"
+  constraints = "~> 6.0"
   hashes = [
-    "h1:Ezg3fsY84CB/2P00ZwQEECuIfJd6UUYs5tIptN2kzsE=",
-    "h1:FV7t+G3+rJD3aN5Yr+FY8/cDG+FKhFCt8XvLJkqCcY8=",
-    "zh:444815a900947de3cb4e3aac48bf8cd98009130c110e3cee1e72698536046fee",
-    "zh:45ca22a2f44fe67f9ff71528dcd93493281e34bff7791f5eb24c86e76f32956d",
-    "zh:53e2e33824743e9e620454438de803de10572bd79ce16034abfc91ab1877be7a",
-    "zh:5eb699830a07320f896a3da7cdee169ab5fa356a6d38858b8b9337f1e4e30904",
-    "zh:6837cd8d9d63503e138ec3ebf52f850ca786824a3b0d5b9dfecec303f1656ca6",
-    "zh:7adde1fe2fc8966812bcbfeb24580cbb53f2f5301bd793eaa70ad753ba6b2d3c",
-    "zh:92052fd7ec776cd221f19db4624ae4ed1550c95c2984c9f3b6c54cea8896812b",
-    "zh:b0305aab81220b7d5711225224f5baad8fc6f5dd3a8199073966af8a151e2932",
-    "zh:e7b5aa624d89664803dd545f261261806b7f6607c19f6ceaf61f9011b0e02e63",
+    "h1:wCQBpao7//BaEDQLdmqfcHlTqABT7BeeKdPJrf8V21w=",
+    "zh:0c304517a2a26f78d058491a2041088dcd4dec9207219ca75a644e734e8394a8",
+    "zh:2df309e86e0d2edc65099e0e47bc9bc91172dce62e59d579dc5132337719d7f8",
+    "zh:4dfb3c5775dcae2f93f3e9affe52a2987aba76b35844883b188d236f5fb485d0",
+    "zh:5943c1fe00bbd63c5be3813c16ba225ca10b1d694e8ead0e8fc4ebd54e9d0b9c",
+    "zh:6ed84e95400f4e27b32fa56832ea47a350cbe581fbae76f5ddabf98f18f44f02",
+    "zh:77bccedaf8fd1807a8020baf422897e5487f5f182b13ee29a6e8c58024ee22be",
+    "zh:9e486f71a714f10cd0d0c0df04d4a8f2cd5c33518131a214b11f3624c683ea10",
+    "zh:c4598d6c6595e8a1cdd637ffc9af4381cb1cb856f9c14ea5dcc675378b01cca6",
+    "zh:dcba35d7cd1793b6ca2ef63ccd1737ce669b31d14161f0a0f2e3aa8d0d5c8793",
+    "zh:ed661f2c233bcd56360731f7f21dca8a94f58ec27f4e3b468d27711938812146",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:fbc04244e1f666ce0320b4eb0efb9cae460a5d688fc039637c8fe745665c19e5",
-    "zh:ff3553298929629ae2ad77000b3e050394e2f00c04e90a24268e3dfe6a6342c4",
+    "zh:fe09c7cb7a448aab121bad8ca857acbf33e00bbc0c2b25824c71ff3be2e629e4",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/google-beta" {
-  version     = "5.11.0"
-  constraints = "~> 5.0"
+  version     = "6.40.0"
+  constraints = "~> 6.0"
   hashes = [
-    "h1:izjzT8NnaePEXKbLQa+D4gw7HUYvK7NgIL3TJ23rjZk=",
-    "h1:teaW5i4Za+IHUuYSg3mRwJwVdLwKbND9UdCwG4MBvkY=",
-    "zh:0efa82e6fe2c83bd5280c3009db1c3acc9cdad3c9419b6ec721fbefc9f832449",
-    "zh:371df01e4f38b828195d115c9a8bebddebec4d34e9ef74cf3a79161da08e44b2",
-    "zh:5089967c420c5e4a4ba0d4c8c6ca344c7bb2476ec928f8319856260eacded369",
-    "zh:798a65c79386d356d6a097de680f4ece8982daae1cb0e10d6c53b383efef45f0",
-    "zh:90178911ac0e624c69a54a992fb3425ef09fdfb3e34b496ad7b6e168e80d4e0c",
-    "zh:b59c60f8479b8f0c8e91a93a4e707ce6d17c8e50e2f5afaf1d9a03c03cfedbf8",
-    "zh:c7f946282d80223ab3a6b284c22e4b53ffcd7b1a02449bb95a350007f30c87dc",
-    "zh:cd60e76987c2fdce2c84219eaff9390cd135f88aa9a27bc4d79a8fd4a8d09622",
-    "zh:de06bfa0393206c0253ebdea70821cb3b08ef87d5d4844be3ae463abfb4e1884",
-    "zh:de494bad600cca78986ce63d1018f5dbc1a1fcc2d4c41c94c15d5346f2b0dd1e",
+    "h1:R5yc207FnSQvJxNJwVD6xo0wwXPWI+CsgxXak+skiBs=",
+    "zh:003d3bfd2a39a950e7e5865e5b74a630594710a21990f892c3fb4c9193f532b0",
+    "zh:0f1e455cc73e288c8e047dd4587bc0ec7389855d4a949c853adcbf0a4aa19bb2",
+    "zh:12be1e25e2c51c8fb8dee0f4ed3bb43706b073027a895c6794c2755cbbc05a18",
+    "zh:3688208f155ea04dbfa3ba08d761cd3ae4ba342d8e5fdb65a659f1d72a8d8fc7",
+    "zh:4a71281ca84e3ab028a89935779b7cc6417ec9a54da5233a52fa5a062235fc61",
+    "zh:5c4798d3265d1768c18b8376663e1642c0ad5c554f6670633938b570eee4f6b8",
+    "zh:64e8d57530352b87480f22efd3cf7c4bca40e8c8fb60118615af761f3c480d6b",
+    "zh:7a6ebb211ea05acab41bd9f0039155e618f783bc0462d708a7e6c30827dcf644",
+    "zh:978524cb2a1ceab019232f66e29eed5b4bbc70ba71837c824935a139b86010d4",
+    "zh:9cad3dbf1b98ae30a5c27b10c7a6c85ebce9fb3332a65ac868e3499664883d26",
+    "zh:f0da73f9d9d53d499b69f11421a56fd48ba6aff98b33ba1fe2bf4c4cf0f917f1",
     "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-    "zh:f97a8b6e83e0083dcb42a87e8e418ab33f12d641f9cdfdc92d154ba7fd7398fb",
   ]
 }
 
 provider "registry.terraform.io/hashicorp/random" {
-  version = "3.6.0"
+  version = "3.7.2"
   hashes = [
-    "h1:I8MBeauYA8J8yheLJ8oSMWqB0kovn16dF/wKZ1QTdkk=",
-    "h1:p6WG1IPHnqx1fnJVKNjv733FBaArIugqy58HRZnpPCk=",
-    "zh:03360ed3ecd31e8c5dac9c95fe0858be50f3e9a0d0c654b5e504109c2159287d",
-    "zh:1c67ac51254ba2a2bb53a25e8ae7e4d076103483f55f39b426ec55e47d1fe211",
-    "zh:24a17bba7f6d679538ff51b3a2f378cedadede97af8a1db7dad4fd8d6d50f829",
-    "zh:30ffb297ffd1633175d6545d37c2217e2cef9545a6e03946e514c59c0859b77d",
-    "zh:454ce4b3dbc73e6775f2f6605d45cee6e16c3872a2e66a2c97993d6e5cbd7055",
+    "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=",
+    "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
+    "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
+    "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
+    "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3",
+    "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212",
+    "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f",
     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:91df0a9fab329aff2ff4cf26797592eb7a3a90b4a0c04d64ce186654e0cc6e17",
-    "zh:aa57384b85622a9f7bfb5d4512ca88e61f22a9cea9f30febaa4c98c68ff0dc21",
-    "zh:c4a3e329ba786ffb6f2b694e1fd41d413a7010f3a53c20b432325a94fa71e839",
-    "zh:e2699bc9116447f96c53d55f2a00570f982e6f9935038c3810603572693712d0",
-    "zh:e747c0fd5d7684e5bfad8aa0ca441903f15ae7a98a737ff6aca24ba223207e2c",
-    "zh:f1ca75f417ce490368f047b63ec09fd003711ae48487fba90b4aba2ccf71920e",
+    "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34",
+    "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967",
+    "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d",
+    "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62",
+    "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0",
   ]
 }

infra/terraform/gcloud/README.md

@@ -7,22 +7,40 @@ NOTE: Do not manually edit these resources using the Google Cloud UI, API, or CL
 Instead, please update the `.tf` files and follow the below steps again.
 
 To run Terraform to create or update the infrastructure:
-1. Install the `gcloud` CLI and authenticate as yourself, if you haven't already.
-2. Use `gcloud auth application-default login` if you haven't already. This is not optional.
-3. Install terraform if you haven't already. Use brew or brew install tfenv and then use tfenv.
-   At the time of writing this README, we were using Terraform v1.6.6.
-4. cd into this directory: `cd infra/terraform/gcloud`
-5. Run `terraform init`, if you haven't already for this directory.
-6. Run `terraform fmt`.
-7. Run `terraform validate`.
-8. Run `TF_VAR_project=$PINNIPED_GCP_PROJECT terraform apply`.
+
+1. If running for the first time ever, log in to the GCP Console for the project and
+   create the GCS storage bucket where terraform will save its state (see [gcp.tf](gcp.tf) for the bucket name).
+   Creating the bucket in one region (see [variables.tf](variables.tf) for the region name)
+   with otherwise default options should suffice.
+2. Install the `gcloud` CLI and authenticate as yourself using `gcloud auth login`, if you haven't already.
+3. Use `gcloud auth application-default login` if you haven't already. This is not optional. If you forget this step,
+   terraform will complain that it cannot read the state from the GCP bucket file.
+4. Install terraform if you haven't already. Use brew to install terraform,
+   or use `brew install tfenv` and then use tfenv to install Terraform.
+   At the time of last updating this README, we were using Terraform v1.12.2.
+5. cd into this directory: `cd infra/terraform/gcloud`
+6. Run `TF_VAR_project=$PINNIPED_GCP_PROJECT terraform init`, if you haven't already for this directory.
    This assumes that you have already exported an env var called `PINNIPED_GCP_PROJECT`
    whose value is the name of the GCP project.
+7. Run `terraform fmt`.
+8. Run `terraform validate`.
+9. Run
+   `TF_VAR_project=$PINNIPED_GCP_PROJECT TF_VAR_sharedVPCProject=$VPC_PROJECT TF_VAR_networkName=$VPC_NAME TF_VAR_concourseSubnetName=$SUBNET_NAME terraform plan`.
+   This assumes that you have already exported an env var called `PINNIPED_GCP_PROJECT`
+   whose value is the name of the GCP project, along with `VPC_PROJECT` which is the name
+   of another GCP project which is sharing a VPC network to our project, `VPC_NAME` which is
+   the name of that shared VPC, and `SUBNET_NAME` which is the name of a subnet from that
+   shared VPC that we want to give to our Concourse GKE cluster.
+   This command is a dry-run which will print what the `apply` command would perform.
+10. If you are happy with the output of `terraform plan`, then run
+    `TF_VAR_project=$PINNIPED_GCP_PROJECT TF_VAR_sharedVPCProject=$VPC_PROJECT TF_VAR_networkName=$VPC_NAME TF_VAR_concourseSubnetName=$SUBNET_NAME terraform apply`
+    to really create/update/delete the resources.
 
 If you do not need to run `terraform apply` because someone else has already done that,
 then you still need to follow the above directions up to and including running `terraform init`
 to set up terraform on your computer.
 
-To delete the entire Concourse deployment and all its related cloud infrastructure,
-use `terraform destroy`. There is no way to undo this action. This will also delete the Cloud SQL
-database which contains all CI job history.
+To delete the entire Concourse deployment and all its related cloud infrastructure, use `terraform destroy`.
+You may need to use `terraform apply` to set `deletion_protection=false` on some resources first (see Terraform docs).
+There is no way to undo `terraform destroy`. This will also delete the Cloud SQL database which contains all CI job
+history.

infra/terraform/gcloud/address/main.tf

@@ -1,26 +1,26 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# Use our pre-existing DNS zone.
-data "google_dns_managed_zone" "main" {
-  name = var.dns-zone
+# "data" reads a pre-existing resource without trying to manage its state.
+# This subnet is shared with us from another GCP project.
+data "google_compute_subnetwork" "existing_subnet_for_concourse" {
+  project = var.sharedVPCProject
+  name    = var.concourseSubnetName
 }
 
-# Reserved external static IPv4 address for the `web` instances.
-# This is needed so that we can have a static IP for `ci.pinniped.dev`.
+# Reserved internal static IPv4 address for the `web` instances.
+# This is needed so that we can have a static IP for `ci.pinniped.broadcom.net`.
 resource "google_compute_address" "main" {
-  name = "${var.subdomain}-${var.dns-zone}"
-}
-
-# Make a DNS A record for our subdomain to point at our new static IP.
-resource "google_dns_record_set" "main" {
-  name = "${var.subdomain}.${data.google_dns_managed_zone.main.dns_name}"
-  type = "A"
-  ttl  = 300
-
-  managed_zone = data.google_dns_managed_zone.main.name
-
-  rrdatas = [
-    google_compute_address.main.address,
-  ]
+  name         = "ci-pinniped-dev"
+  description  = "static IP address reserved for Concourse web interface"
+  subnetwork   = data.google_compute_subnetwork.existing_subnet_for_concourse.id
+  address_type = "INTERNAL"
+
+  # Allow it to be shared by multiple load balancers (each with different ports).
+  # We will have one for web and one for web-worker-gateway.
+  purpose = "SHARED_LOADBALANCER_VIP"
+
+  # Manually picked an IP from the range that did not cause an error when entered
+  # into GCP's "VPC Network / IP address / Reserve internal static IP" UI for this subnet.
+  address = "10.31.141.90"
 }

infra/terraform/gcloud/address/outputs.tf

@@ -1,10 +1,6 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 output "ip" {
   value = google_compute_address.main.address
 }
-
-output "hostname" {
-  value = trimsuffix(google_dns_record_set.main.name, ".")
-}

infra/terraform/gcloud/address/variables.tf

@@ -1,12 +1,12 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-variable "dns-zone" {
-  description = "Name of the DNS zone"
+variable "sharedVPCProject" {
+  description = "Name of the GCP project which contains the shared VPC."
   type        = string
 }
 
-variable "subdomain" {
-  description = "Subdomain under the DNS zone to register"
+variable "concourseSubnetName" {
+  description = "Name of the GCP subnet to use for concourse."
   type        = string
 }

infra/terraform/gcloud/cluster/main.tf

@@ -1,32 +1,32 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-module "vpc" {
-  source = "./vpc"
-
-  name   = var.name
-  region = var.region
-
-  vms-cidr      = "10.10.0.0/16"
-  pods-cidr     = "10.11.0.0/16"
-  services-cidr = "10.12.0.0/16"
+# "data" reads a pre-existing resource without trying to manage its state.
+data "google_compute_network" "existing_network" {
+  project = var.sharedVPCProject
+  name    = var.networkName
 }
 
-resource "google_service_account" "default" {
-  account_id   = "${var.name}-sa"
-  display_name = "GKE Node SA for ${var.name}"
+# This subnet is shared with us from another GCP project.
+data "google_compute_subnetwork" "existing_subnet" {
+  project = var.sharedVPCProject
+  name    = var.subnetName
+}
+
+data "google_service_account" "default" {
+  account_id = "terraform"
 }
 
 # See https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
 resource "google_container_cluster" "main" {
   # Allow "terraform destroy" for this cluster.
-  deletion_protection = false
+  # deletion_protection = false
 
   name     = var.name
   location = var.zone
 
-  network    = module.vpc.name
-  subnetwork = module.vpc.subnet-name
+  network    = data.google_compute_network.existing_network.id
+  subnetwork = data.google_compute_subnetwork.existing_subnet.id
 
   # We can't create a cluster with no node pool defined, but we want to only use
   # separately managed node pools. This allows node pools to be added and removed without recreating the cluster.
@@ -34,11 +34,24 @@ resource "google_container_cluster" "main" {
   remove_default_node_pool = true
   initial_node_count       = 1
 
-  min_master_version = "1.30.4-gke.1348000"
+  min_master_version = "1.32.2-gke.1297002"
 
+  # Settings for a private cluster.
+  # See internal doc https://bsg-confluence.broadcom.net/pages/viewpage.action?pageId=689720737
+  networking_mode = "VPC_NATIVE"
+  private_cluster_config {
+    enable_private_endpoint = true
+    enable_private_nodes    = true
+  }
+  master_authorized_networks_config {
+    cidr_blocks {
+      cidr_block   = "10.0.0.0/8"
+      display_name = "corp internal networks"
+    }
+  }
   ip_allocation_policy {
-    cluster_secondary_range_name  = module.vpc.pods-range-name
-    services_secondary_range_name = module.vpc.services-range-name
+    cluster_secondary_range_name  = "pods"
+    services_secondary_range_name = "services"
   }
 
   addons_config {
@@ -84,6 +97,8 @@ resource "google_container_node_pool" "main" {
   cluster  = google_container_cluster.main.name
   name     = each.key
 
+  max_pods_per_node = 64
+
   autoscaling {
     min_node_count = each.value.min
     max_node_count = each.value.max
@@ -110,11 +125,13 @@ resource "google_container_node_pool" "main" {
       disable-legacy-endpoints = "true"
     }
 
-    # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
-    service_account = google_service_account.default.email
-    oauth_scopes    = [
+    service_account = data.google_service_account.default.email
+    oauth_scopes = [
       "https://www.googleapis.com/auth/cloud-platform"
     ]
+
+    # Tag to attach appropriate firewall rules.
+    tags = ["gke-broadcom"]
   }
 
   timeouts {

infra/terraform/gcloud/cluster/outputs.tf

@@ -1,10 +1,6 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-output "vpc-uri" {
-  value = module.vpc.uri
-}
-
 output "cluster-name" {
   value = google_container_cluster.main.name
 }

infra/terraform/gcloud/cluster/variables.tf

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 variable "name" {
@@ -11,11 +11,6 @@ variable "zone" {
   description = "The zone where the cluster should live."
 }
 
-variable "region" {
-  default     = ""
-  description = "The region in which the cluster should be located at."
-}
-
 variable "project" {
   description = "The Google GCP project to host the resources."
 }
@@ -23,3 +18,18 @@ variable "project" {
 variable "node-pools" {
   description = "A list of node pool configurations to create and assign to the cluster."
 }
+
+variable "sharedVPCProject" {
+  description = "Name of the GCP project which contains the shared VPC."
+  type        = string
+}
+
+variable "networkName" {
+  description = "Name of the shared VPC network to use for the cluster."
+  type        = string
+}
+
+variable "subnetName" {
+  description = "Name of the GCP subnet to use for the cluster."
+  type        = string
+}

infra/terraform/gcloud/cluster/vpc/main.tf

@@ -1,69 +0,0 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-resource "google_compute_network" "main" {
-  name = var.name
-
-  auto_create_subnetworks = "false"
-}
-
-resource "google_compute_subnetwork" "main" {
-  name = "${var.name}-sn-1"
-
-  ip_cidr_range = var.vms-cidr
-  network       = google_compute_network.main.name
-  region        = var.region
-
-  secondary_ip_range = [
-    {
-      range_name    = var.pods-range-name
-      ip_cidr_range = var.pods-cidr
-    },
-    {
-      range_name    = var.services-range-name
-      ip_cidr_range = var.services-cidr
-    }
-  ]
-}
-
-resource "google_compute_firewall" "internal-ingress" {
-  name = "${var.name}-internal"
-
-  network   = google_compute_network.main.name
-  direction = "INGRESS"
-
-  source_ranges = [
-    var.vms-cidr,
-    var.pods-cidr,
-    var.services-cidr,
-  ]
-
-  allow {
-    protocol = "icmp"
-  }
-
-  allow {
-    protocol = "tcp"
-  }
-
-  allow {
-    protocol = "udp"
-  }
-}
-
-resource "google_compute_firewall" "external-ingress" {
-  name      = "${var.name}-external"
-  network   = google_compute_network.main.name
-  direction = "INGRESS"
-
-  allow {
-    protocol = "icmp"
-  }
-
-  allow {
-    protocol = "tcp"
-    ports    = ["22"]
-  }
-
-  source_ranges = ["0.0.0.0/0"]
-}

infra/terraform/gcloud/cluster/vpc/outputs.tf

@@ -1,22 +0,0 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-output "name" {
-  value = google_compute_network.main.name
-}
-
-output "subnet-name" {
-  value = google_compute_subnetwork.main.name
-}
-
-output "pods-range-name" {
-  value = var.pods-range-name
-}
-
-output "services-range-name" {
-  value = var.services-range-name
-}
-
-output "uri" {
-  value = google_compute_network.main.self_link
-}

infra/terraform/gcloud/cluster/vpc/variables.tf

@@ -1,32 +0,0 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-variable "name" {
-  description = "TODO"
-}
-
-variable "region" {
-  description = "TODO"
-}
-
-variable "vms-cidr" {
-  description = "TODO"
-}
-
-variable "pods-cidr" {
-  description = "TODO"
-}
-
-variable "pods-range-name" {
-  default     = "pods-range"
-  description = "TODO"
-}
-
-variable "services-cidr" {
-  description = "TODO"
-}
-
-variable "services-range-name" {
-  default     = "services-range"
-  description = "TODO"
-}

infra/terraform/gcloud/database/main.tf

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # A piece of randomization that gets consumed by the
@@ -10,7 +10,29 @@ resource "random_id" "instance-name" {
   byte_length = 4
 }
 
+# "data" reads a pre-existing resource without trying to manage its state.
+data "google_compute_network" "private_network" {
+  provider = google-beta
+
+  project = var.sharedVPCProject
+  name    = var.networkName
+}
+
+# This API needs to be enabled in our project before creating our Cloud SQL instance,
+# or else we get error "googleapi: Error 400: Invalid request: Incorrect Service Networking config
+# for instance: xxx:xxx:SERVICE_NETWORKING_NOT_ENABLED., invalid".
+# See https://stackoverflow.com/a/66537918.
+resource "google_project_service" "project" {
+  service            = "servicenetworking.googleapis.com"
+  disable_on_destroy = false
+}
+
 resource "google_sql_database_instance" "main" {
+  provider = google-beta
+
+  # Allow "terraform destroy" for this db.
+  # deletion_protection = false
+
   name             = "${var.name}-${random_id.instance-name.hex}"
   region           = var.region
   database_version = "POSTGRES_15"
@@ -20,6 +42,7 @@ resource "google_sql_database_instance" "main" {
     disk_autoresize   = true
     disk_type         = "PD_SSD"
     tier              = "db-custom-${var.cpus}-${var.memory_mb}"
+    edition           = "ENTERPRISE" # cheaper than ENTERPRISE_PLUS
 
     database_flags {
       name  = "log_min_duration_statement"
@@ -32,13 +55,14 @@ resource "google_sql_database_instance" "main" {
     }
 
     ip_configuration {
-      ipv4_enabled = "true"
-      require_ssl  = "true"
+      # Disable assignment of a public IP address
+      ipv4_enabled = false
 
-      authorized_networks {
-        name  = "all"
-        value = "0.0.0.0/0"
-      }
+      ssl_mode = "ENCRYPTED_ONLY"
+
+      private_network = data.google_compute_network.private_network.self_link
+
+      enable_private_path_for_google_cloud_services = true
     }
 
     backup_configuration {
@@ -68,8 +92,8 @@ resource "random_string" "password" {
 resource "google_sql_user" "user" {
   name = "atc"
 
-  instance = google_sql_database_instance.main.name
-  password = random_string.password.result
+  instance    = google_sql_database_instance.main.name
+  password_wo = random_string.password.result
 }
 
 resource "google_sql_ssl_cert" "cert" {

infra/terraform/gcloud/database/outputs.tf

@@ -1,4 +1,4 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 output "username" {

infra/terraform/gcloud/database/variables.tf

@@ -1,9 +1,9 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 variable "name" {
   default     = ""
-  description = "The name of the CloudSQL instance to create (ps.: a random ID is appended to this name)"
+  description = "The name of the CloudSQL instance to create (ps.: a random ID is appended to this name)."
 }
 
 variable "memory_mb" {
@@ -18,20 +18,25 @@ variable "cpus" {
 
 variable "zone" {
   default     = ""
-  description = "The zone where this instance is supposed to be created at (e.g., us-central1-a)"
+  description = "The zone where this instance is supposed to be created at (e.g., us-central1-a)."
 }
 
 variable "region" {
   default     = ""
-  description = "The region where the instance is supposed to be created at (e.g., us-central1)"
-}
-
-variable "disk_size_gb" {
-  default     = ""
-  description = "The disk size in GB's (e.g. 10)"
+  description = "The region where the instance is supposed to be created at (e.g., us-central1)."
 }
 
 variable "max_connections" {
   default     = ""
-  description = "The max number of connections allowed by postgres"
+  description = "The max number of connections allowed by postgres."
+}
+
+variable "sharedVPCProject" {
+  description = "Name of the GCP project which contains the shared VPC."
+  type        = string
+}
+
+variable "networkName" {
+  description = "Name of the shared VPC network to use for the db."
+  type        = string
 }

infra/terraform/gcloud/gcp.tf

@@ -1,17 +1,17 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 terraform {
   required_providers {
-    google      = "~> 5"
-    google-beta = "~> 5"
+    google      = "~> 6"
+    google-beta = "~> 6"
   }
 
   backend "gcs" {
     # By not providing credentials, you will use your current identity from the gcloud CLI.
     # credentials = "gcp.json"
-    bucket = "tanzu-user-authentication-terraform-state"
-    prefix = "pinniped-concourse-jan2024"
+    bucket = "pinniped-ci-terraform-state"
+    prefix = "pinniped-concourse"
   }
 }
 

infra/terraform/gcloud/main.tf

@@ -1,23 +1,26 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-# The static IP and related DNS entry.
+# Create the static IP.
 module "address" {
   source = "./address"
 
-  dns-zone  = var.dns-zone
-  subdomain = var.subdomain
+  sharedVPCProject    = var.sharedVPCProject
+  concourseSubnetName = var.concourseSubnetName
 }
 
-# Instantiates the GKE Kubernetes cluster.
+# Create the GKE Kubernetes cluster.
 module "cluster" {
   source = "./cluster"
 
   name    = "pinniped-concourse"
   project = var.project
-  region  = var.region
   zone    = var.zone
 
+  sharedVPCProject = var.sharedVPCProject
+  networkName      = var.networkName
+  subnetName       = var.concourseSubnetName
+
   node-pools = {
 
     "generic-1" = {
@@ -30,10 +33,10 @@ module "cluster" {
       max          = 2
       min          = 1
       preemptible  = false
-      version      = "1.30.4-gke.1348000"
+      version      = "1.32.2-gke.1297002"
     },
 
-    "workers-2" = {
+    "workers-1" = {
       auto-upgrade = true
       disk-size    = "100"
       disk-type    = "pd-ssd"
@@ -43,7 +46,7 @@ module "cluster" {
       max          = 5
       min          = 1
       preemptible  = false
-      version      = "1.30.4-gke.1348000"
+      version      = "1.32.2-gke.1297002"
     },
   }
 }
@@ -52,10 +55,14 @@ module "cluster" {
 module "database" {
   source = "./database"
 
-  name            = "pinniped-concourse"
+  name   = "pinniped-concourse"
+  region = var.region
+  zone   = var.zone
+
+  sharedVPCProject = var.sharedVPCProject
+  networkName      = var.networkName
+
   cpus            = "4"
   memory_mb       = "7680"
-  region          = var.region
-  zone            = var.zone
   max_connections = "300"
 }

infra/terraform/gcloud/outputs.tf

@@ -1,14 +1,22 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
+output "project" {
+  value = var.project
+}
+
+output "region" {
+  value = var.region
+}
+
+output "zone" {
+  value = var.zone
+}
+
 output "web-ip" {
   value = module.address.ip
 }
 
-output "web-hostname" {
-  value = module.address.hostname
-}
-
 output "database-ip" {
   value = module.database.ip
 }
@@ -37,18 +45,6 @@ output "database-private-key" {
   value     = module.database.private-key
 }
 
-output "project" {
-  value = var.project
-}
-
-output "region" {
-  value = var.region
-}
-
-output "zone" {
-  value = var.zone
-}
-
 output "cluster-name" {
   value = module.cluster.cluster-name
 }

infra/terraform/gcloud/variables.tf

@@ -1,28 +1,36 @@
-# Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 variable "project" {
-  description = "The Google GCP project to host the resources"
+  description = "The Google GCP project to host the resources."
   type        = string
   # Please provide the value of this variable by setting the env var TF_VAR_project for all terraform commands.
 }
 
 variable "region" {
-  description = "The cloud provider region where the resources created"
-  default     = "us-central1"
+  description = "The cloud provider region where the resources created."
+  default     = "us-west1"
 }
 
 variable "zone" {
-  description = "The cloud provider zone where the resources are created"
-  default     = "us-central1-c"
+  description = "The cloud provider zone where the resources are created."
+  default     = "us-west1-c"
 }
 
-variable "dns-zone" {
-  description = "The default DNS zone to use when creating subdomains"
-  default     = "pinniped-dev"
+variable "sharedVPCProject" {
+  description = "Name of the GCP project which contains the shared VPC."
+  type        = string
+  # Please provide the value of this variable by setting the env var TF_VAR_sharedVPCProject for all terraform commands.
 }
 
-variable "subdomain" {
-  description = "Subdomain under the DNS zone to register"
-  default     = "ci"
+variable "networkName" {
+  description = "Name of the shared VPC network."
+  type        = string
+  # Please provide the value of this variable by setting the env var TF_VAR_networkName for all terraform commands.
+}
+
+variable "concourseSubnetName" {
+  description = "Name of the GCP subnet to use for concourse."
+  type        = string
+  # Please provide the value of this variable by setting the env var TF_VAR_concourseSubnetName for all terraform commands.
 }

pipelines/cleanup-aws/pipeline.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 display:
@@ -11,9 +11,9 @@ resources:
     type: git
     icon: github
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
 
 jobs:
 

pipelines/concourse-workers/pipeline.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2026 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 display:
@@ -9,24 +9,25 @@ meta:
 
   # GCP account info and which zone the workers should be created in and deleted from.
   gke_admin_params: &gke_admin_params
-    INSTANCE_ZONE: us-west1-b
+    INSTANCE_ZONE: us-west1-c
     PINNIPED_GCP_PROJECT: ((gcp-project-name))
-    GCP_USERNAME: ((gke-cluster-developer-username))
-    GCP_JSON_KEY: ((gke-cluster-developer-json-key))
+    GCP_USERNAME: ((gcp-instance-admin-username))
+    GCP_JSON_KEY: ((gcp-instance-admin-json-key))
 
   # GCP account info and which zone the workers should be created in and deleted from.
   gcp_account_params: &gcp_account_params
-    INSTANCE_ZONE: us-central1-b
+    INSTANCE_ZONE: us-west1-a
     GCP_PROJECT: ((gcp-project-name))
     GCP_USERNAME: ((gcp-instance-admin-username))
     GCP_JSON_KEY: ((gcp-instance-admin-json-key))
 
   # GKE account info and which zone the clusters should be created in and deleted from.
   gke_account_params: &gke_account_params
-    CLUSTER_ZONE: us-central1-c
+    CLUSTER_REGION: us-west1
+    CLUSTER_ZONE: us-west1-c
     GCP_PROJECT: ((gcp-project-name))
-    GCP_SERVICE_ACCOUNT: ((gke-test-pool-manager-username))
-    GCP_JSON_KEY: ((gke-test-pool-manager-json-key))
+    GCP_SERVICE_ACCOUNT: ((gcp-instance-admin-username))
+    GCP_JSON_KEY: ((gcp-instance-admin-json-key))
 
   # Azure account info and which resource group the clusters should be created in and deleted from.
   azure_account_params: &azure_account_params
@@ -42,9 +43,9 @@ resources:
     type: git
     icon: github
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
 
   - name: k8s-app-deployer-image
     type: registry-image
@@ -64,12 +65,12 @@ resources:
       repository: google/cloud-sdk
       tag: slim
 
-  - name: aks-deployer-image
-    type: registry-image
-    icon: docker
-    check_every: 5m
-    source:
-      repository: mcr.microsoft.com/azure-cli
+#  - name: aks-deployer-image
+#    type: registry-image
+#    icon: docker
+#    check_every: 5m
+#    source:
+#      repository: mcr.microsoft.com/azure-cli
 
   - name: hourly
     type: time
@@ -162,18 +163,18 @@ jobs:
         params:
           <<: *gke_account_params
 
-  - name: remove-orphaned-aks-clusters
-    public: true # all logs are publicly visible
-    plan:
-      - in_parallel:
-          - get: pinniped-ci
-          - get: aks-deployer-image
-          - get: hourly
-            trigger: true
-      - task: remove-orphaned-aks-clusters
-        attempts: 2
-        timeout: 25m
-        file: pinniped-ci/pipelines/shared-tasks/remove-orphaned-aks-clusters/task.yml
-        image: aks-deployer-image
-        params:
-          <<: *azure_account_params
+#  - name: remove-orphaned-aks-clusters
+#    public: true # all logs are publicly visible
+#    plan:
+#      - in_parallel:
+#          - get: pinniped-ci
+#          - get: aks-deployer-image
+#          - get: hourly
+#            trigger: true
+#      - task: remove-orphaned-aks-clusters
+#        attempts: 2
+#        timeout: 25m
+#        file: pinniped-ci/pipelines/shared-tasks/remove-orphaned-aks-clusters/task.yml
+#        image: aks-deployer-image
+#        params:
+#          <<: *azure_account_params

pipelines/dockerfile-builders/pipeline.yml

@@ -38,15 +38,15 @@ meta:
   # These version numbers should be updated periodically.
   codegen-versions: &codegen-versions
     # Choose which version of Golang to use in the codegen container images.
-    BUILD_ARG_GO_VERSION: '1.24.3'
+    BUILD_ARG_GO_VERSION: '1.25.5'
     # Choose which version of sigs.k8s.io/controller-tools/cmd/controller-gen to install
     # in the codegen container images.
-    BUILD_ARG_CONTROLLER_GEN_VERSION: 0.18.0
+    BUILD_ARG_CONTROLLER_GEN_VERSION: 0.20.0
     # Choose which version of github.com/elastic/crd-ref-docs to install in the codegen
     # container images. We use a commit sha instead of a release semver because this project
     # does not create releases very often. They seem to only release 1-2 times per year, but
     # commit to main more often.
-    BUILD_ARG_CRD_REF_DOCS_COMMIT_SHA: ade917a
+    BUILD_ARG_CRD_REF_DOCS_COMMIT_SHA: da1c9739
 
 resources:
 
@@ -55,9 +55,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/k8s-app-deployer/Dockerfile ]
 
   - name: k8s-app-deployer-image
@@ -75,9 +75,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/deployment-yaml-formatter/Dockerfile ]
 
   - name: deployment-yaml-formatter-image
@@ -95,9 +95,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/integration-test-runner/Dockerfile ]
 
   - name: integration-test-runner-beta-dockerfile
@@ -105,9 +105,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/integration-test-runner-beta/Dockerfile ]
 
   - name: integration-test-runner-image
@@ -135,9 +135,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/code-coverage-uploader/Dockerfile ]
 
   - name: code-coverage-uploader-image
@@ -155,9 +155,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths:
         - dockerfiles/pool-trigger-resource/Dockerfile
         - "dockerfiles/pool-trigger-resource/assets/*"
@@ -252,14 +252,34 @@ resources:
       password: ((ci-ghcr-pusher-token))
       tag: latest
 
+  - name: k8s-code-generator-1.34-image-ghcr
+    type: registry-image
+    icon: docker
+    <<: *check-every-for-image
+    source:
+      repository: ((ci-ghcr-registry))/k8s-code-generator-1.34
+      username: ((ci-ghcr-pusher-username))
+      password: ((ci-ghcr-pusher-token))
+      tag: latest
+
+  - name: k8s-code-generator-1.35-image-ghcr
+    type: registry-image
+    icon: docker
+    <<: *check-every-for-image
+    source:
+      repository: ((ci-ghcr-registry))/k8s-code-generator-1.35
+      username: ((ci-ghcr-pusher-username))
+      password: ((ci-ghcr-pusher-token))
+      tag: latest
+
   - name: k8s-code-generator-dockerfile
     type: git
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/k8s-code-generator/* ]
 
   - name: test-forward-proxy-image-ghcr
@@ -277,9 +297,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/test-forward-proxy/* ]
 
   - name: test-bitnami-ldap-image-ghcr
@@ -297,9 +317,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/test-bitnami-ldap/Dockerfile ]
 
   - name: test-dex-image
@@ -317,9 +337,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/test-dex/Dockerfile ]
 
   - name: test-cfssl-image
@@ -337,9 +357,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/test-cfssl/Dockerfile ]
 
   - name: test-kubectl-image
@@ -357,9 +377,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/test-kubectl/Dockerfile ]
 
   - name: gh-cli-image
@@ -377,9 +397,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/gh-cli/Dockerfile ]
 
   - name: crane-image
@@ -397,9 +417,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/crane/Dockerfile ]
 
   - name: eks-deployer-dockerfile
@@ -407,9 +427,9 @@ resources:
     icon: github
     <<: *check-every-for-dockerfile
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
       paths: [ dockerfiles/eks-deployer/Dockerfile ]
 
   - name: eks-deployer-image
@@ -804,7 +824,7 @@ jobs:
             - path: cache
           params:
             CONTEXT: k8s-code-generator-dockerfile/dockerfiles/k8s-code-generator
-            BUILD_ARG_K8S_PKG_VERSION: 0.30.12
+            BUILD_ARG_K8S_PKG_VERSION: 0.30.14
             <<: *codegen-versions
             OUTPUT_OCI: true # needed for building multi-arch images
             IMAGE_PLATFORM: "linux/amd64,linux/arm64" # build a multi-arch images which includes these platforms
@@ -840,7 +860,7 @@ jobs:
             - path: cache
           params:
             CONTEXT: k8s-code-generator-dockerfile/dockerfiles/k8s-code-generator
-            BUILD_ARG_K8S_PKG_VERSION: 0.31.8
+            BUILD_ARG_K8S_PKG_VERSION: 0.31.14
             <<: *codegen-versions
             OUTPUT_OCI: true # needed for building multi-arch images
             IMAGE_PLATFORM: "linux/amd64,linux/arm64" # build a multi-arch images which includes these platforms
@@ -876,7 +896,7 @@ jobs:
         - path: cache
         params:
           CONTEXT: k8s-code-generator-dockerfile/dockerfiles/k8s-code-generator
-          BUILD_ARG_K8S_PKG_VERSION: 0.32.4
+          BUILD_ARG_K8S_PKG_VERSION: 0.32.10
           <<: *codegen-versions
           OUTPUT_OCI: true # needed for building multi-arch images
           IMAGE_PLATFORM: "linux/amd64,linux/arm64" # build a multi-arch images which includes these platforms
@@ -912,7 +932,7 @@ jobs:
         - path: cache
         params:
           CONTEXT: k8s-code-generator-dockerfile/dockerfiles/k8s-code-generator
-          BUILD_ARG_K8S_PKG_VERSION: 0.33.0
+          BUILD_ARG_K8S_PKG_VERSION: 0.33.6
           <<: *codegen-versions
           OUTPUT_OCI: true # needed for building multi-arch images
           IMAGE_PLATFORM: "linux/amd64,linux/arm64" # build a multi-arch images which includes these platforms
@@ -922,6 +942,78 @@ jobs:
       params:
         image: image/image # this is a directory for OCI (multi-arch images)
 
+  - name: build-k8s-code-generator-1.34
+    public: true # all logs are publicly visible
+    serial: true
+    plan:
+    - get: k8s-code-generator-dockerfile
+      trigger: true
+    - get: daily
+      trigger: true
+    - task: build-image
+      privileged: true
+      config:
+        platform: linux
+        image_resource:
+          type: registry-image
+          source:
+            repository: concourse/oci-build-task
+        inputs:
+        - name: k8s-code-generator-dockerfile
+        outputs:
+        - name: image
+        run:
+          path: build
+        caches:
+        - path: cache
+        params:
+          CONTEXT: k8s-code-generator-dockerfile/dockerfiles/k8s-code-generator
+          BUILD_ARG_K8S_PKG_VERSION: 0.34.2
+          <<: *codegen-versions
+          OUTPUT_OCI: true # needed for building multi-arch images
+          IMAGE_PLATFORM: "linux/amd64,linux/arm64" # build a multi-arch images which includes these platforms
+    - put: k8s-code-generator-1.34-image-ghcr
+      get_params:
+        format: oci # needed for multi-arch images
+      params:
+        image: image/image # this is a directory for OCI (multi-arch images)
+
+  - name: build-k8s-code-generator-1.35
+    public: true # all logs are publicly visible
+    serial: true
+    plan:
+    - get: k8s-code-generator-dockerfile
+      trigger: true
+    - get: daily
+      trigger: true
+    - task: build-image
+      privileged: true
+      config:
+        platform: linux
+        image_resource:
+          type: registry-image
+          source:
+            repository: concourse/oci-build-task
+        inputs:
+        - name: k8s-code-generator-dockerfile
+        outputs:
+        - name: image
+        run:
+          path: build
+        caches:
+        - path: cache
+        params:
+          CONTEXT: k8s-code-generator-dockerfile/dockerfiles/k8s-code-generator
+          BUILD_ARG_K8S_PKG_VERSION: 0.35.0
+          <<: *codegen-versions
+          OUTPUT_OCI: true # needed for building multi-arch images
+          IMAGE_PLATFORM: "linux/amd64,linux/arm64" # build a multi-arch images which includes these platforms
+    - put: k8s-code-generator-1.35-image-ghcr
+      get_params:
+        format: oci # needed for multi-arch images
+      params:
+        image: image/image # this is a directory for OCI (multi-arch images)
+
   - name: build-test-forward-proxy
     public: true # all logs are publicly visible
     serial: true

pipelines/go-compatibility/pipeline.yml

@@ -1,148 +0,0 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-display:
-
-  background_image: https://upload.wikimedia.org/wikipedia/commons/6/68/Mirounga_leonina.jpg
-
-meta:
-
-  build_pinniped: &build_pinniped
-    config:
-      platform: linux
-      inputs:
-        - name: pinniped-source
-      run:
-        path: bash
-        args:
-          - "-c"
-          - |
-            set -exuo pipefail
-            go version
-            cd pinniped-source/
-
-            # compile all of our code
-            go build -o /dev/null ./...
-
-            # compile (but don't actually run) all of our tests
-            go test ./... -run=nothing
-
-resources:
-
-  - name: daily
-    type: time
-    icon: calendar-clock
-    check_every: 10m
-    source:
-      location: America/Los_Angeles
-      start: 4:00 AM
-      stop: 5:00 AM
-      days: [ Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday ]
-
-  - name: pinniped-source
-    type: git
-    icon: github
-    source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
-      branch: main
-      private_key: ((source-repo-deploy-key))
-
-  - name: go-1.22-image
-    type: registry-image
-    icon: docker
-    check_every: 10m
-    source:
-      repository: docker.io/golang
-      tag: "1.22"
-
-jobs:
-
-  - name: go-install-cli
-    public: true # all logs are publicly visible
-    serial: true
-    plan:
-      - get: daily
-        trigger: true
-      - task: go-install
-        config:
-          platform: linux
-          image_resource:
-            type: registry-image
-            source:
-              repository: docker.io/golang
-          run:
-            path: bash
-            args:
-              - "-c"
-              - |
-                set -exuo pipefail
-                go install -v go.pinniped.dev/cmd/pinniped@latest
-
-  # This job attempts to check whether it's possible to depend on our API client submodule.
-  # It creates a simple test application with go.mod and main.go files, then attempts to compile it.
-  #
-  # As of now, this is known to be broken so we've decided to disable this job.
-  # - name: go-get-submodule
-  #   serial: true
-  #   plan:
-  #   - get: daily
-  #     trigger: true
-  #   - task: go-get
-  #     config:
-  #       platform: linux
-  #       image_resource:
-  #         type: registry-image
-  #         source:
-  #           repository: docker.io/golang
-  #       run:
-  #         path: bash
-  #         args:
-  #           - "-c"
-  #           - |
-  #             set -euo pipefail
-  #             mkdir /work
-  #             cd /work
-
-  #             cat << EOF > go.mod
-  #             module testapp
-
-  #             go 1.14
-
-  #             require (
-  #               go.pinniped.dev/generated/1.18/apis v0.0.0-00010101000000-000000000000
-  #               go.pinniped.dev/generated/1.18/client v0.0.0-20200918195624-2d4d7e588a18
-  #             )
-
-  #             replace (
-  #                 go.pinniped.dev/generated/1.18/apis v0.0.0-00010101000000-000000000000 => go.pinniped.dev/generated/1.18/apis v0.0.0-20200918195624-2d4d7e588a18
-  #             )
-  #             EOF
-
-  #             cat << EOF > main.go
-  #             package main
-
-  #             import (
-  #               _ "go.pinniped.dev/generated/1.18/apis/idp/v1alpha1"
-  #               _ "go.pinniped.dev/generated/1.18/client/clientset/versioned"
-  #             )
-
-  #             func main() {}
-  #             EOF
-
-  #             head -100 go.mod main.go
-  #             set -x
-  #             go mod download
-  #             go build -o testapp main.go
-
-  - name: go-1.22-compatibility
-    public: true # all logs are publicly visible
-    serial: true
-    plan:
-      - in_parallel:
-          - get: daily
-            trigger: true
-          - get: pinniped-source
-          - get: go-1.22-image
-      - task: build
-        image: go-1.22-image
-        <<: *build_pinniped

pipelines/go-compatibility/update-pipeline.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-set -euo pipefail
-
-script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-pipeline=$(basename "$script_dir")
-source "$script_dir/../../hack/fly-helpers.sh"
-
-set_pipeline "$pipeline" "$script_dir/pipeline.yml"
-ensure_time_resource_has_at_least_one_version "$pipeline" daily

pipelines/kind-node-builder/pipeline.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 display:
@@ -18,7 +18,7 @@ meta:
 
   # GCP account info and which zone the workers should be created in and deleted from.
   gcp_account_params: &gcp_account_params
-    INSTANCE_ZONE: us-central1-b
+    INSTANCE_ZONE: us-west1-a
     GCP_PROJECT: ((gcp-project-name))
     GCP_USERNAME: ((gcp-instance-admin-username))
     GCP_JSON_KEY: ((gcp-instance-admin-json-key))
@@ -50,9 +50,9 @@ resources:
     type: git
     icon: github
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
 
   - name: daily
     type: time
@@ -86,6 +86,10 @@ jobs:
         file: pinniped-ci/pipelines/shared-tasks/create-kind-node-builder-vm/task.yml
         image: gcloud-image
         params:
+          SHARED_VPC_PROJECT: ((shared-vpc-project))
+          SUBNET_REGION: ((subnet-region))
+          SUBNET_NAME: ((instances-subnet-name))
+          DISK_IMAGES_PROJECT: ((disk-images-gcp-project-name))
           <<: *gcp_account_params
       - task: build-kind-node-image
         timeout: 90m

pipelines/pull-requests/pipeline.yml

@@ -73,15 +73,16 @@ meta:
 
   # GKE account info and which zone the clusters should be created in and deleted from.
   gke_account_params: &gke_account_params
-    CLUSTER_ZONE: us-central1-c
+    # CLUSTER_ZONE: us-west1-c
+    CLUSTER_REGION: us-west1
     GCP_PROJECT: ((gcp-project-name))
-    GCP_SERVICE_ACCOUNT: ((gke-test-pool-manager-username))
-    GCP_JSON_KEY: ((gke-test-pool-manager-json-key))
+    GCP_SERVICE_ACCOUNT: ((gcp-instance-admin-username))
+    GCP_JSON_KEY: ((gcp-instance-admin-json-key))
 
   # GCP account info and which zone the workers should be created in and deleted from.
   gcp_account_params: &gcp_account_params
-    INSTANCE_ZONE: us-central1-b # which zone the kind worker VMs should be created in and deleted from
-    GCP_ZONE: us-central1-b
+    INSTANCE_ZONE: us-west1-a # which zone the kind worker VMs should be created in and deleted from
+    GCP_ZONE: us-west1-a
     GCP_PROJECT: ((gcp-project-name))
     GCP_USERNAME: ((gcp-instance-admin-username))
     GCP_JSON_KEY: ((gcp-instance-admin-json-key))
@@ -91,10 +92,10 @@ meta:
     image: integration-test-runner-image
     timeout: 15m
     params:
-      GCS_BUCKET: pinniped-ci-archive
+      GCS_BUCKET: pinniped-ci-logs
       GCP_PROJECT: ((gcp-project-name))
-      GCP_USERNAME: ((gcp-cluster-diagnostic-uploader-username))
-      GCP_JSON_KEY: ((gcp-cluster-diagnostic-uploaded-json-key))
+      GCP_USERNAME: ((gcp-instance-admin-username))
+      GCP_JSON_KEY: ((gcp-instance-admin-json-key))
 
   # Decides which specific patch versions of k8s we would like to deploy when creating kind cluster workers.
   # It should be safe to update the patch version numbers here whenever new versions come out.
@@ -105,8 +106,8 @@ meta:
   # so always check the tags using the above link.
   kube_version_v1-21-x: &kube_version_v1-21-x
     KUBE_VERSION: v1.21.14
-  kube_version_v1-33-x: &kube_version_v1-33-x
-    KUBE_VERSION: v1.33.0
+  kube_version_v1-35-x: &kube_version_v1-35-x
+    KUBE_VERSION: v1.35.0
   kube_version_k8s-main: &kube_version_k8s-main
     KUBE_VERSION: "k8s-main"
     KIND_NODE_IMAGE: "ghcr.io/pinniped-ci-bot/kind-node-image:latest"
@@ -115,7 +116,7 @@ meta:
   oldest_kind_kube_version: &oldest_kind_kube_version
     <<: *kube_version_v1-21-x
   latest_kind_kube_version: &latest_kind_kube_version
-    <<: *kube_version_v1-33-x
+    <<: *kube_version_v1-35-x
 
   okta_integration_env_vars: &okta_integration_env_vars
     OKTA_CLI_CALLBACK: ((okta-cli-callback))
@@ -137,6 +138,7 @@ meta:
     JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD: ((jumpcloud-ldap-bind-account-password))
     JUMPCLOUD_LDAP_USERS_SEARCH_BASE: ((jumpcloud-ldap-users-search-base))
     JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE: ((jumpcloud-ldap-groups-search-base))
+    JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER: ((jumpcloud-ldap-groups-search-filter))
     JUMPCLOUD_LDAP_USER_DN: ((jumpcloud-ldap-user-dn))
     JUMPCLOUD_LDAP_USER_CN: ((jumpcloud-ldap-user-cn))
     JUMPCLOUD_LDAP_USER_PASSWORD: ((jumpcloud-ldap-user-password))
@@ -148,6 +150,25 @@ meta:
     JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN: ((jumpcloud-ldap-expected-direct-groups-cn))
     JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN: ((jumpcloud-ldap-expected-direct-posix-groups-cn))
 
+  okta_ldap_integration_env_vars: &okta_ldap_integration_env_vars
+    OKTA_LDAP_HOST: ((okta-ldap-host))
+    OKTA_LDAP_STARTTLS_ONLY_HOST: ((okta-ldap-start-tls-only-host))
+    OKTA_LDAP_BIND_ACCOUNT_USERNAME: ((okta-ldap-bind-account-username))
+    OKTA_LDAP_BIND_ACCOUNT_PASSWORD: ((okta-ldap-bind-account-password))
+    OKTA_LDAP_USERS_SEARCH_BASE: ((okta-ldap-users-search-base))
+    OKTA_LDAP_GROUPS_SEARCH_BASE: ((okta-ldap-groups-search-base))
+    OKTA_LDAP_GROUPS_SEARCH_FILTER: ((okta-ldap-groups-search-filter))
+    OKTA_LDAP_USER_DN: ((okta-ldap-user-dn))
+    OKTA_LDAP_USER_CN: ((okta-ldap-user-cn))
+    OKTA_LDAP_USER_PASSWORD: ((okta-ldap-user-password))
+    OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME: ((okta-ldap-user-unique-id-attribute-name))
+    OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE: ((okta-ldap-user-unique-id-attribute-value))
+    OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME: ((okta-ldap-user-email-attribute-name))
+    OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE: ((okta-ldap-user-email-attribute-value))
+    OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN: ((okta-ldap-expected-direct-groups-dn))
+    OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN: ((okta-ldap-expected-direct-groups-cn))
+    OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN: ((okta-ldap-expected-direct-posix-groups-cn))
+
   active_directory_integration_env_vars: &active_directory_integration_env_vars
     TEST_ACTIVE_DIRECTORY: "yes"
     AWS_AD_HOST: ((aws-ad-host))
@@ -199,10 +220,9 @@ resources:
   - name: pinniped-pr
     type: pull-request
     icon: source-pull
-    check_every: 10m
-    webhook_token: ((github-webhook-token))
+    check_every: 1m
     source:
-      repository: vmware-tanzu/pinniped
+      repository: vmware/pinniped
       access_token: ((ci-bot-access-token-with-repo-status-permission))
       disable_forks: false
       base_branch: main
@@ -218,9 +238,9 @@ resources:
     type: git
     icon: github
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
 
   - name: ci-build-image
     type: registry-image
@@ -309,42 +329,6 @@ resources:
       username: ((ci-ghcr-puller-username))
       password: ((ci-ghcr-puller-token))
 
-  - name: k8s-code-generator-1.26-image
-    type: registry-image
-    icon: docker
-    check_every: 3m
-    source:
-      repository: ((ci-ghcr-registry))/k8s-code-generator-1.26
-      username: ((ci-ghcr-puller-username))
-      password: ((ci-ghcr-puller-token))
-
-  - name: k8s-code-generator-1.27-image
-    type: registry-image
-    icon: docker
-    check_every: 3m
-    source:
-      repository: ((ci-ghcr-registry))/k8s-code-generator-1.27
-      username: ((ci-ghcr-puller-username))
-      password: ((ci-ghcr-puller-token))
-
-  - name: k8s-code-generator-1.28-image
-    type: registry-image
-    icon: docker
-    check_every: 3m
-    source:
-      repository: ((ci-ghcr-registry))/k8s-code-generator-1.28
-      username: ((ci-ghcr-puller-username))
-      password: ((ci-ghcr-puller-token))
-
-  - name: k8s-code-generator-1.29-image
-    type: registry-image
-    icon: docker
-    check_every: 3m
-    source:
-      repository: ((ci-ghcr-registry))/k8s-code-generator-1.29
-      username: ((ci-ghcr-puller-username))
-      password: ((ci-ghcr-puller-token))
-
   - name: k8s-code-generator-1.30-image
     type: registry-image
     icon: docker
@@ -381,6 +365,24 @@ resources:
       username: ((ci-ghcr-puller-username))
       password: ((ci-ghcr-puller-token))
 
+  - name: k8s-code-generator-1.34-image
+    type: registry-image
+    icon: docker
+    check_every: 3m
+    source:
+      repository: ((ci-ghcr-registry))/k8s-code-generator-1.34
+      username: ((ci-ghcr-puller-username))
+      password: ((ci-ghcr-puller-token))
+
+  - name: k8s-code-generator-1.35-image
+    type: registry-image
+    icon: docker
+    check_every: 3m
+    source:
+      repository: ((ci-ghcr-registry))/k8s-code-generator-1.35
+      username: ((ci-ghcr-puller-username))
+      password: ((ci-ghcr-puller-token))
+
 jobs:
 
   - name: start
@@ -464,14 +466,12 @@ jobs:
             version: every
             passed: [ start ]
           - get: pinniped-ci
-          - get: k8s-code-generator-1.26-image
-          - get: k8s-code-generator-1.27-image
-          - get: k8s-code-generator-1.28-image
-          - get: k8s-code-generator-1.29-image
           - get: k8s-code-generator-1.30-image
           - get: k8s-code-generator-1.31-image
           - get: k8s-code-generator-1.32-image
           - get: k8s-code-generator-1.33-image
+          - get: k8s-code-generator-1.34-image
+          - get: k8s-code-generator-1.35-image
       - { <<: *pr-status-on-pending, params: { <<: *pr-status-on-pending-params, context: verify-codegen } }
       - in_parallel:
           - task: verify-go-mod-tidy
@@ -482,34 +482,6 @@ jobs:
             timeout: 20m
             <<: *pinniped-pr-input-mapping
             file: pinniped-ci/pipelines/shared-tasks/run-verify-go-generate/task.yml
-          - task: codegen-1.26
-            timeout: 20m
-            <<: *pinniped-pr-input-mapping
-            file: pinniped-ci/pipelines/shared-tasks/run-verify-codegen/task.yml
-            image: k8s-code-generator-1.26-image
-            params:
-              KUBE_MINOR_VERSION: "1.26"
-          - task: codegen-1.27
-            timeout: 20m
-            <<: *pinniped-pr-input-mapping
-            file: pinniped-ci/pipelines/shared-tasks/run-verify-codegen/task.yml
-            image: k8s-code-generator-1.27-image
-            params:
-              KUBE_MINOR_VERSION: "1.27"
-          - task: codegen-1.28
-            timeout: 20m
-            <<: *pinniped-pr-input-mapping
-            file: pinniped-ci/pipelines/shared-tasks/run-verify-codegen/task.yml
-            image: k8s-code-generator-1.28-image
-            params:
-              KUBE_MINOR_VERSION: "1.28"
-          - task: codegen-1.29
-            timeout: 20m
-            <<: *pinniped-pr-input-mapping
-            file: pinniped-ci/pipelines/shared-tasks/run-verify-codegen/task.yml
-            image: k8s-code-generator-1.29-image
-            params:
-              KUBE_MINOR_VERSION: "1.29"
           - task: codegen-1.30
             timeout: 20m
             <<: *pinniped-pr-input-mapping
@@ -538,6 +510,20 @@ jobs:
             image: k8s-code-generator-1.33-image
             params:
               KUBE_MINOR_VERSION: "1.33"
+          - task: codegen-1.34
+            timeout: 20m
+            <<: *pinniped-pr-input-mapping
+            file: pinniped-ci/pipelines/shared-tasks/run-verify-codegen/task.yml
+            image: k8s-code-generator-1.34-image
+            params:
+              KUBE_MINOR_VERSION: "1.34"
+          - task: codegen-1.35
+            timeout: 20m
+            <<: *pinniped-pr-input-mapping
+            file: pinniped-ci/pipelines/shared-tasks/run-verify-codegen/task.yml
+            image: k8s-code-generator-1.35-image
+            params:
+              KUBE_MINOR_VERSION: "1.35"
 
   - name: unit-test
     on_success: { <<: *pr-status-on-success, params: { <<: *pr-status-on-success-params, context: unit-test } }
@@ -586,7 +572,7 @@ jobs:
             type: registry-image
             source:
               repository: golang
-              tag: '1.24.3'
+              tag: '1.25.5'
           inputs:
             - name: pinniped-pr
           outputs:
@@ -616,6 +602,9 @@ jobs:
               tag: alpine
           inputs:
             - name: pinniped-modules
+          params:
+            SONATYPE_API_KEY: ((sonatype-api-key))
+            SONATYPE_USERNAME: ((sonatype-username))
           run:
             path: 'sh'
             args:
@@ -644,7 +633,10 @@ jobs:
 
                 EOF
 
-                nancy sleuth --exclude-vulnerability-file=exclusions.txt < pinniped-modules/modules.json
+                cat pinniped-modules/modules.json | nancy sleuth \
+                  --exclude-vulnerability-file=exclusions.txt \
+                  --token ${SONATYPE_API_KEY} \
+                  --username ${SONATYPE_USERNAME}
 
   - name: run-go-vuln-scan
     on_success: { <<: *pr-status-on-success, params: { <<: *pr-status-on-success-params, context: run-go-vuln-scan } }
@@ -1217,13 +1209,14 @@ jobs:
           # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run
           # them on one version to get some coverage.
           <<: *okta_integration_env_vars
-          # The following Jumpcloud params will cause the integration tests to use Jumpcloud instead of OpenLDAP.
+          # The following Okta LDAP params will cause the integration tests to use Okta LDAP instead of OpenLDAP.
           # We don't need to run these on every version of Kubernetes for Kind in this pipeline, so we choose to run
           # them on one version to get some coverage.
-          <<: *jumpcloud_integration_env_vars
+          <<: *okta_ldap_integration_env_vars
           # The following AD params enable the ActiveDirectory integration tests. We don't need to run these on every
           # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage.
-          <<: *active_directory_integration_env_vars
+          # TODO: bring this back with a new AD server
+          # <<: *active_directory_integration_env_vars
           # The following params enable the GitHub integration tests. We don't need to run these on every
           # version of Kubernetes for Kind in this pipeline, so we choose to run them on one version to get some coverage.
           <<: *github_integration_env_vars
@@ -1368,7 +1361,8 @@ jobs:
           # The following AD params enable the ActiveDirectory integration tests. We don't need to run these on every
           # version of Kubernetes for Kind in this pipeline, but it is useful to know if we can communicate with our
           # AD server when using FIPS cipher suites.
-          <<: *active_directory_integration_env_vars
+          # TODO: bring this back with a new AD server
+          # <<: *active_directory_integration_env_vars
           # The following params enable the GitHub integration tests. We don't need to run these on every
           # version of Kubernetes for Kind in this pipeline, but it is useful to know if we can communicate with
           # GitHub when using FIPS cipher suites.
@@ -1825,6 +1819,7 @@ jobs:
     on_error: { <<: *pr-status-on-error, params: { <<: *pr-status-on-error-params, context: integration-test-gke-rapid } }
     on_abort: { <<: *pr-status-on-abort, params: { <<: *pr-status-on-abort-params, context: integration-test-gke-rapid } }
     public: true # all logs are publicly visible
+    serial: true # since we need to choose a subnet, we can't run this in parallel anymore
     plan:
       - in_parallel:
           - get: pinniped-pr
@@ -1847,6 +1842,10 @@ jobs:
         image: k8s-app-deployer-image
         params:
           GKE_CHANNEL: rapid
+          SHARED_VPC_PROJECT: ((shared-vpc-project))
+          SHARED_VPC_NAME: ((shared-vpc-name))
+          SUBNET_REGION: ((subnet-region))
+          SUBNET_NAME: ((gke-subnet-name-3)) # globally unique to this job
           <<: *gke_account_params
       - task: pre-warm-cluster
         timeout: 10m
@@ -1885,6 +1884,7 @@ jobs:
         ensure:
           task: remove-cluster
           timeout: 10m
+          attempts: 5
           file: pinniped-ci/pipelines/shared-tasks/remove-gke-cluster/task.yml
           image: k8s-app-deployer-image
           input_mapping:

pipelines/security-scan/pipeline.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 display:
@@ -56,23 +56,23 @@ resources:
     type: git
     icon: github
     source:
-      uri: https://github.com/vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: main
 
   - name: pinniped-ci
     type: git
     icon: github
     source:
-      uri: git@github.com:vmware-tanzu/pinniped.git
+      uri: https://github.com/vmware/pinniped.git
       branch: ci
-      private_key: ((source-repo-deploy-key))
+      username: ((ci-bot-access-token-with-read-only-public-repos))
 
   - name: pinniped-latest-release-image
     type: registry-image
     icon: docker
     check_every: 10m
     source:
-      repository: ghcr.io/vmware-tanzu/pinniped/pinniped-server
+      repository: ghcr.io/vmware/pinniped/pinniped-server
       tag: latest
 
   - name: pinniped-latest-main-image
@@ -173,6 +173,9 @@ jobs:
               tag: alpine
           inputs:
             - name: pinniped-modules
+          params:
+            SONATYPE_API_KEY: ((sonatype-api-key))
+            SONATYPE_USERNAME: ((sonatype-username))
           run:
             path: 'sh'
             args:
@@ -195,7 +198,10 @@ jobs:
                 CVE-2020-8561
                 EOF
 
-                nancy sleuth --exclude-vulnerability-file=exclusions.txt < pinniped-modules/modules.json
+                cat pinniped-modules/modules.json | nancy sleuth \
+                  --exclude-vulnerability-file=exclusions.txt \
+                  --token ${SONATYPE_API_KEY} \
+                  --username ${SONATYPE_USERNAME}
 
   - name: trivy-release
     public: true # all logs are publicly visible
@@ -263,8 +269,11 @@ jobs:
         image: gh-cli-image
         file: pinniped-ci/pipelines/shared-tasks/create-or-update-pr/task.yml
         params:
-          DEPLOY_KEY: ((source-repo-deploy-key))
           GH_TOKEN: ((ci-bot-access-token-with-public-repo-write-permission))
+          BRANCH: "pinny/bump-deps"
+          COMMIT_MESSAGE: "Bump dependencies"
+          PR_TITLE: "Bump dependencies"
+          PR_BODY: "Automatically bumped all go.mod direct dependencies and/or images in dockerfiles."
         input_mapping:
           pinniped: pinniped-out
 

pipelines/shared-helpers/prepare-cluster-for-integration-tests.sh

@@ -42,7 +42,7 @@ set -euo pipefail
 #  - $DEPLOY_LOCAL_USER_AUTHENTICATOR, when set to "yes", will deploy and use the
 #    local-user-authenticator instead of using the TMC webhook authenticator.
 #  - $DEPLOY_TEST_TOOLS will deploy the squid proxy, Dex, and OpenLDAP into the cluster.
-#    If the OKTA_* and JUMPCLOUD_* variables are not present, then Dex and OpenLDAP
+#    If the OKTA_* and JUMPCLOUD_*/OKTA_LDAP* variables are not present, then Dex and OpenLDAP
 #    will be configured for the integration tests.
 #  - To use Okta instead of Dex, use the variables $OKTA_ISSUER, $OKTA_CLI_CLIENT_ID,
 #    $OKTA_CLI_CALLBACK, $OKTA_ADDITIONAL_SCOPES, $OKTA_USERNAME_CLAIM, $OKTA_GROUPS_CLAIM,
@@ -51,19 +51,28 @@ set -euo pipefail
 #  - To use Jumpcloud instead of OpenLDAP, use the variables $JUMPCLOUD_LDAP_HOST,
 #    $JUMPCLOUD_LDAP_STARTTLS_ONLY_HOST,
 #    $JUMPCLOUD_LDAP_BIND_ACCOUNT_USERNAME, $JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD,
-#    $JUMPCLOUD_LDAP_USERS_SEARCH_BASE, $JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE,
+#    $JUMPCLOUD_LDAP_USERS_SEARCH_BASE, $JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE, $JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER,
 #    $JUMPCLOUD_LDAP_USER_DN, $JUMPCLOUD_LDAP_USER_CN, $JUMPCLOUD_LDAP_USER_PASSWORD,
 #    $JUMPCLOUD_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME, $JUMPCLOUD_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE,
 #    $JUMPCLOUD_LDAP_USER_EMAIL_ATTRIBUTE_NAME, $JUMPCLOUD_LDAP_USER_EMAIL_ATTRIBUTE_VALUE,
 #    $JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_DN, $JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN,
 #    and $JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN to configure the LDAP tests.
+#  - To use Okta LDAP instead of OpenLDAP, use the variables $OKTA_LDAP_HOST,
+#    $OKTA_LDAP_STARTTLS_ONLY_HOST,
+#    $OKTA_LDAP_BIND_ACCOUNT_USERNAME, $OKTA_LDAP_BIND_ACCOUNT_PASSWORD,
+#    $OKTA_LDAP_USERS_SEARCH_BASE, $OKTA_LDAP_GROUPS_SEARCH_BASE, $OKTA_LDAP_GROUPS_SEARCH_FILTER,
+#    $OKTA_LDAP_USER_DN, $OKTA_LDAP_USER_CN, $OKTA_LDAP_USER_PASSWORD,
+#    $OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME, $OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE,
+#    $OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME, $OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE,
+#    $OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN, $OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN,
+#    and $OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN to configure the LDAP tests.
 #  - $FIREWALL_IDPS, when set to "yes" will add NetworkPolicies to effectively firewall the Concierge
 #    and Supervisor pods such that they need to use the Squid proxy server to reach several of the IDPs.
 #    Note that NetworkPolicy is not supported on all flavors of Kube, but can be enabled on GKE by using
 #    `--enable-network-policy` when creating the GKE cluster, abd is supported in recent versions of Kind.
 #  - $TEST_ACTIVE_DIRECTORY determines whether to test against AWS Managed Active
 #    Directory. Note that there's no "local" equivalent-- for OIDC we use Dex's internal
-#    user store or Okta, for LDAP we deploy OpenLDAP or use Jumpcloud,
+#    user store or Okta, for LDAP we deploy OpenLDAP or use Jumpcloud/Okta LDAP,
 #    but for AD there is only the hosted version.
 #    When set, the tests are configured with the variables
 #    $AWS_AD_HOST, $AWS_AD_DOMAIN, $AWS_AD_BIND_ACCOUNT_USERNAME, $AWS_AD_BIND_ACCOUNT_PASSWORD,
@@ -89,19 +98,12 @@ set -euo pipefail
 #      to choose its own IP address, and dynamically register that address as the name
 #      specified in $SUPERVISOR_LOAD_BALANCER_DNS_NAME using the Cloud DNS service.
 #  - $SUPERVISOR_INGRESS, when set to "yes", will deploy the Supervisor with a
-#    NodePort Service defined and create an Ingress connected to that Service.
+#    ClusterIP Service defined and create an internal Ingress connected to that Service.
 #    When set to "yes" the following additional variables are expected:
 #    - $SUPERVISOR_INGRESS_STATIC_IP_NAME: The name of the static IP resource from the
-#      underlying cloud infrastructure platform. Optional.
+#      underlying cloud infrastructure platform. Required when $SUPERVISOR_INGRESS is "yes".
 #    - $SUPERVISOR_INGRESS_DNS_NAME: The DNS hostname name associated with the
 #      ingress' IP address. Required when $SUPERVISOR_INGRESS is "yes".
-#    - $SUPERVISOR_INGRESS_PATH_PATTERN: The path that will be set in the Ingress object
-#      (e.g., "/", "/*"; this depends on what is supported by the underlying platform).
-#      Required when $SUPERVISOR_INGRESS is "yes".
-#    - If the $SUPERVISOR_INGRESS_DNS_NAME is given without the
-#      $SUPERVISOR_INGRESS_STATIC_IP_NAME, then allow the ingress service
-#      to choose its own IP address, and dynamically register that address as the name
-#      specified in $SUPERVISOR_INGRESS_DNS_NAME using the Cloud DNS service.
 #  - When neither $SUPERVISOR_LOAD_BALANCER nor $SUPERVISOR_INGRESS then we will use
 #    nodeport services to make the supervisor available. In this case you may specify
 #    $PINNIPED_SUPERVISOR_HTTP_NODEPORT and $PINNIPED_SUPERVISOR_HTTPS_NODEPORT if you
@@ -176,64 +178,6 @@ function print_redacted_manifest() {
   print_or_redact_doc "$doc"
 }
 
-function update_gcloud_dns_record() {
-  if [[ -z "${PINNIPED_GCP_PROJECT:-}" ]]; then
-    echo "PINNIPED_GCP_PROJECT env var must be set when using update_gcloud_dns_record"
-    exit 1
-  fi
-
-  local dns_name=$1
-  local new_ip=$2
-  local dns_record_name="${dns_name}."
-  local dns_zone="pinniped-dev"
-  local dns_project="$PINNIPED_GCP_PROJECT"
-
-  # Login to gcloud CLI
-  gcloud auth activate-service-account "$GKE_USERNAME" --key-file <(echo "$GKE_JSON_KEY") --project "$dns_project"
-
-  # Get the current value of the DNS A record.
-  # We assume that this record already exists because it was manually created.
-  # We also assume in the transaction commands below that it was created with a TTL of 30 seconds.
-  current_dns_record_ip=$(gcloud dns record-sets list --zone "$dns_zone" \
-    --project "$dns_project" --name "$dns_record_name" --format json |
-    jq -r ".[] | select(.name ==\"${dns_record_name}\") | .rrdatas[0]")
-
-  if [[ "$current_dns_record_ip" == "$new_ip" ]]; then
-    echo "No update needed: DNS record $dns_record_name was already set to $new_ip"
-  else
-    echo "Changing DNS record $dns_record_name from $current_dns_record_ip to $new_ip ..."
-
-    # Updating a DNS record with gcloud must be done with a remove and an add wrapped in a transaction.
-    gcloud dns record-sets transaction start --zone "$dns_zone" --project "$dns_project"
-    gcloud dns record-sets transaction remove "$current_dns_record_ip" --name "$dns_name" \
-      --ttl "30" --type "A" --zone "$dns_zone" --project "$dns_project"
-    gcloud dns record-sets transaction add "$new_ip" --name "$dns_name" \
-      --ttl "30" --type "A" --zone "$dns_zone" --project "$dns_project"
-    change_id=$(gcloud dns record-sets transaction execute --zone "$dns_zone" --project "$dns_project" --format json | jq -r '.id')
-
-    # Wait for that transaction to commit. This is usually quick.
-    change_status="not-done"
-    while [[ "$change_status" != "done" ]]; do
-      sleep 3
-      change_status=$(gcloud dns record-sets changes describe "$change_id" \
-        --zone "$dns_zone" --project "$dns_project" --format json | jq -r '.status')
-      echo "Waiting for change $change_id to have status 'done'. Current status: $change_status"
-    done
-
-    # Wait for DNS propagation. The TTL is 30 seconds, so this shouldn't take too long.
-    echo "Waiting for new IP address $new_ip to appear in the result of a local DNS query. This may take a few minutes..."
-    while true; do
-      dig_result=$(dig +short "$dns_name")
-      echo "dig result for $dns_name: $dig_result"
-      if [[ "$dig_result" == "$new_ip" ]]; then
-        echo "New IP address has finished DNS propagation. Done with DNS update!"
-        break
-      fi
-      sleep 5
-    done
-  fi
-}
-
 if [[ "${TMC_API_TOKEN:-}" == "" && "${DEPLOY_LOCAL_USER_AUTHENTICATOR:-no}" != "yes" ]]; then
   echo "Must use either \$TMC_API_TOKEN or \$DEPLOY_LOCAL_USER_AUTHENTICATOR"
   exit 1
@@ -361,7 +305,7 @@ EOF
 # Also annotate the service so that GKE ingress knows to use HTTP2 for the backend connection.
 cat <<EOF >>/tmp/add-annotations-for-gke-ingress-overlay.yaml
 #@ load("@ytt:overlay", "overlay")
-#@overlay/match by=overlay.subset({"kind": "Service", "metadata":{"name":"${supervisor_app_name}-nodeport"}}), expects=1
+#@overlay/match by=overlay.subset({"kind": "Service", "metadata":{"name":"${supervisor_app_name}-clusterip"}}), expects=1
 ---
 metadata:
   annotations:
@@ -369,6 +313,20 @@ metadata:
     cloud.google.com/app-protocols: '{"https":"HTTP2"}'
     #@overlay/match missing_ok=True
     cloud.google.com/backend-config: '{"default":"healthcheck-backendconfig"}'
+    #@overlay/match missing_ok=True
+    cloud.google.com/neg: '{"ingress": true}'
+EOF
+
+# Save this file for possible later use. When we want to make a Supervisor load balancer service,
+# we need to make sure that we tell it that it should use an internal IP address.
+cat <<EOF >>/tmp/add-annotations-for-supervisor-lb-service-overlay.yaml
+#@ load("@ytt:overlay", "overlay")
+#@overlay/match by=overlay.subset({"kind": "Service", "metadata":{"name":"${supervisor_app_name}-loadbalancer"}}), expects=1
+---
+metadata:
+  annotations:
+    #@overlay/match missing_ok=True
+    networking.gke.io/load-balancer-type: "Internal"
 EOF
 
 if [[ "${DEPLOY_LOCAL_USER_AUTHENTICATOR:-no}" == "yes" ]]; then
@@ -495,6 +453,7 @@ metadata:
     app: ${supervisor_app_name}
   annotations:
     kapp.k14s.io/disable-default-label-scoping-rules: ""
+    networking.gke.io/load-balancer-type: "Internal"
 spec:
   type: LoadBalancer
   selector:
@@ -523,6 +482,7 @@ metadata:
     app: dex
   annotations:
     kapp.k14s.io/disable-default-label-scoping-rules: ""
+    networking.gke.io/load-balancer-type: "Internal"
 spec:
   type: LoadBalancer
   selector:
@@ -672,6 +632,7 @@ if [[ "${DEPLOY_TEST_TOOLS:-no}" == "yes" ]]; then
   pinniped_test_ldap_bind_account_password=password
   pinniped_test_ldap_users_search_base="ou=users,dc=pinniped,dc=dev"
   pinniped_test_ldap_groups_search_base="ou=groups,dc=pinniped,dc=dev"
+  pinniped_test_ldap_groups_search_filter=""
   pinniped_test_ldap_user_dn="cn=pinny,ou=users,dc=pinniped,dc=dev"
   pinniped_test_ldap_user_cn="pinny"
   pinniped_test_ldap_user_password=${ldap_test_password}
@@ -731,6 +692,7 @@ if [[ "${JUMPCLOUD_LDAP_HOST:-no}" != "no" ]]; then
   pinniped_test_ldap_bind_account_password="$JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD"
   pinniped_test_ldap_users_search_base="$JUMPCLOUD_LDAP_USERS_SEARCH_BASE"
   pinniped_test_ldap_groups_search_base="$JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE"
+  pinniped_test_ldap_groups_search_filter="$JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER"
   pinniped_test_ldap_user_dn="$JUMPCLOUD_LDAP_USER_DN"
   pinniped_test_ldap_user_cn="$JUMPCLOUD_LDAP_USER_CN"
   pinniped_test_ldap_user_password="$JUMPCLOUD_LDAP_USER_PASSWORD"
@@ -745,6 +707,31 @@ if [[ "${JUMPCLOUD_LDAP_HOST:-no}" != "no" ]]; then
   pinniped_test_ldap_expected_indirect_groups_cn=""
 fi
 
+# Whether or not the tools namespace is deployed, we can configure the integration
+# tests to use Jumpcloud instead of Okta LDAP as the LDAP provider.
+if [[ "${OKTA_LDAP_HOST:-no}" != "no" ]]; then
+  pinniped_test_ldap_host="$OKTA_LDAP_HOST"
+  pinniped_test_ldap_starttls_only_host="$OKTA_LDAP_STARTTLS_ONLY_HOST"
+  pinniped_test_ldap_ldaps_ca_bundle=""
+  pinniped_test_ldap_bind_account_username="$OKTA_LDAP_BIND_ACCOUNT_USERNAME"
+  pinniped_test_ldap_bind_account_password="$OKTA_LDAP_BIND_ACCOUNT_PASSWORD"
+  pinniped_test_ldap_users_search_base="$OKTA_LDAP_USERS_SEARCH_BASE"
+  pinniped_test_ldap_groups_search_base="$OKTA_LDAP_GROUPS_SEARCH_BASE"
+  pinniped_test_ldap_groups_search_filter="$OKTA_LDAP_GROUPS_SEARCH_FILTER"
+  pinniped_test_ldap_user_dn="$OKTA_LDAP_USER_DN"
+  pinniped_test_ldap_user_cn="$OKTA_LDAP_USER_CN"
+  pinniped_test_ldap_user_password="$OKTA_LDAP_USER_PASSWORD"
+  pinniped_test_ldap_user_unique_id_attribute_name="$OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME"
+  pinniped_test_ldap_user_unique_id_attribute_value="$OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE"
+  pinniped_test_ldap_user_email_attribute_name="$OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME"
+  pinniped_test_ldap_user_email_attribute_value="$OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE"
+  pinniped_test_ldap_expected_direct_groups_dn="$OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN"
+  pinniped_test_ldap_expected_indirect_groups_dn=""
+  pinniped_test_ldap_expected_direct_groups_cn="$OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN"
+  pinniped_test_ldap_expected_direct_posix_groups_cn="$OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN"
+  pinniped_test_ldap_expected_indirect_groups_cn=""
+fi
+
 if [[ "${TEST_ACTIVE_DIRECTORY:-no}" == "yes" ]]; then
   # there's no way to test active directory locally... it has to be aws managed ad or nothing.
   # this is a separate toggle from $DEPLOY_TEST_TOOLS so we can run against ad once in the pr pipeline
@@ -853,6 +840,7 @@ ytt --file . \
   --data-value "log_level=debug" \
   --data-value-yaml "custom_labels=$concierge_custom_labels" \
   --data-value "discovery_url=$discovery_url" \
+  --data-value-yaml "impersonation_proxy_spec.service.annotations={'networking.gke.io/load-balancer-type': 'Internal', 'service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout': '4000'}" \
   ${concierge_optional_ytt_values[@]+"${concierge_optional_ytt_values[@]}"} \
   >"$manifest"
 
@@ -866,7 +854,7 @@ echo
 set -x
 kapp deploy --yes --app "$concierge_app_name" --diff-changes --file "$manifest"
 
-if ! { (($(kubectl version --output json | jq -r .serverVersion.major) == 1)) && (($(kubectl version --output json | jq -r .serverVersion.minor) < 19)); }; then
+if ! { (($(kubectl version --output json | jq -r .serverVersion.major) == 1)) && (($(kubectl version --output json | jq -r .serverVersion.minor) < 27)); }; then
   # Also perform a dry-run create with kubectl just to see if there are any validation errors.
   # Skip this on very old clusters, since we use some API fields (like seccompProfile) which did not exist back then.
   # Use can still install on these clusters by using kapp or by using kubectl --validate=false.
@@ -891,8 +879,7 @@ if [[ "${USE_LOAD_BALANCERS_FOR_DEX_AND_SUPERVISOR:-no}" != "yes" ]]; then
     fi
   fi
   if [[ "${SUPERVISOR_INGRESS:-no}" == "yes" ]]; then
-    # even when we have functioning ingress, we need a TCP connection to the supervisor https port to test its TLS config
-    supervisor_ytt_service_flags+=("--data-value-yaml=service_https_nodeport_port=443")
+    supervisor_ytt_service_flags+=("--data-value-yaml=service_https_clusterip_port=443")
   fi
   if [[ "${SUPERVISOR_LOAD_BALANCER:-no}" == "no" && "${SUPERVISOR_INGRESS:-no}" == "no" ]]; then
     # When no specific service was requested for the supervisor, we assume we are running on
@@ -921,6 +908,10 @@ fi
 if [[ "${SUPERVISOR_INGRESS:-no}" == "yes" && "$cluster_has_gke_backend_config" == "yes" ]]; then
   supervisor_optional_ytt_values+=("--file=/tmp/add-annotations-for-gke-ingress-overlay.yaml")
 fi
+if [[ "${USE_LOAD_BALANCERS_FOR_DEX_AND_SUPERVISOR:-no}" != "yes" && "${SUPERVISOR_LOAD_BALANCER:-no}" == "yes" ]]; then
+  # When using the ytt templates to create a LB service, then also tell the service to use an internal IP.
+  supervisor_optional_ytt_values+=("--file=/tmp/add-annotations-for-supervisor-lb-service-overlay.yaml")
+fi
 
 echo "Deploying the Supervisor app to the cluster..."
 echo "Using ytt service flags:" "${supervisor_ytt_service_flags[@]}"
@@ -948,7 +939,7 @@ echo
 set -x
 kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
 
-if ! { (($(kubectl version --output json | jq -r .serverVersion.major) == 1)) && (($(kubectl version --output json | jq -r .serverVersion.minor) < 23)); }; then
+if ! { (($(kubectl version --output json | jq -r .serverVersion.major) == 1)) && (($(kubectl version --output json | jq -r .serverVersion.minor) < 27)); }; then
   # Also perform a dry-run create with kubectl just to see if there are any validation errors.
   # Skip this on very old clusters, since we use some API fields (like seccompProfile) which did not exist back then.
   # In the Supervisor CRDs we began to use CEL validations which were introduced in Kubernetes 1.23.
@@ -1045,12 +1036,6 @@ if [[ "${SUPERVISOR_LOAD_BALANCER:-no}" == "yes" ]]; then
   echo "Load balancer reported ingress: $ingress_json"
   ingress_ip=$(echo "$ingress_json" | jq -r '.ingress[0].ip')
 
-  if [[ "${SUPERVISOR_LOAD_BALANCER_STATIC_IP:-}" == "" ]]; then
-    # No static IP was provided, so the load balancer was allowed to choose its own IP.
-    # Update the DNS record associated with $SUPERVISOR_LOAD_BALANCER_DNS_NAME to make it match the new IP.
-    update_gcloud_dns_record "$SUPERVISOR_LOAD_BALANCER_DNS_NAME" "$ingress_ip"
-  fi
-
   # Use the published ingress address for the integration test env vars below.
   supervisor_https_address="https://${SUPERVISOR_LOAD_BALANCER_DNS_NAME}:443"
 elif [[ "${USE_LOAD_BALANCERS_FOR_DEX_AND_SUPERVISOR:-no}" == "yes" ]]; then
@@ -1157,17 +1142,7 @@ EOF
     kubectl get -n "$supervisor_namespace" secret "$ingress_tls_secret" -o jsonpath=\{.data.'tls\.crt'\} | base64 -d >"$ingress_tls_cert_file"
   fi
 
-  # If a static IP name was provided then use it. Otherwise, don't include the annotation at all.
-  static_ip_annotation=""
-  if [[ "${SUPERVISOR_INGRESS_STATIC_IP_NAME:-}" != "" ]]; then
-    static_ip_annotation="kubernetes.io/ingress.global-static-ip-name: ${SUPERVISOR_INGRESS_STATIC_IP_NAME}"
-  fi
-
   if [[ "$cluster_has_gke_backend_config" == "yes" ]]; then
-    # Get the nodePort port number that was dynamically assigned to the nodeport service.
-    nodeport_service_port=$(kubectl get service -n "${supervisor_namespace}" "${supervisor_app_name}-nodeport" -o jsonpath='{.spec.ports[0].nodePort}')
-    echo "${supervisor_app_name}-nodeport Service was assigned nodePort $nodeport_service_port"
-
     # Create or update a BackendConfig to configure the health checks that will be used by the Ingress for its backend Service.
     # The annotation already added to the Service by an overlay above tells the Service to use this BackendConfig.
     cat <<EOF | kubectl apply --wait -f -
@@ -1184,11 +1159,10 @@ spec:
     checkIntervalSec: 30
     healthyThreshold: 1
     unhealthyThreshold: 10
-    port: ${nodeport_service_port}
 EOF
   fi
 
-  # Create or update an Ingress to sit in front of our supervisor-nodeport service.
+  # Create or update an Ingress to sit in front of our supervisor-clusterip service.
   cat <<EOF | kubectl apply --wait -f -
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -1196,6 +1170,9 @@ metadata:
   name: ${supervisor_app_name}
   namespace: ${supervisor_namespace}
   annotations:
+    cloud.google.com/neg: '{"ingress":true}'
+    kubernetes.io/ingress.class: "gce-internal"
+    kubernetes.io/ingress.regional-static-ip-name: "${SUPERVISOR_INGRESS_STATIC_IP_NAME}"
     kubernetes.io/ingress.allow-http: "false"
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
     # TODO Re-enable backend TLS cert verification once the Supervisor's default TLS cert is generated by automation in this script.
@@ -1203,11 +1180,10 @@ metadata:
     #nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
     #nginx.ingress.kubernetes.io/proxy-ssl-secret: ${supervisor_namespace}/${supervisor_app_name}-default-tls-certificate
     nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
-    ${static_ip_annotation}
 spec:
   defaultBackend:
     service:
-      name: ${supervisor_app_name}-nodeport
+      name: ${supervisor_app_name}-clusterip
       port:
         number: 443
   tls:
@@ -1216,25 +1192,6 @@ spec:
         - ${SUPERVISOR_INGRESS_DNS_NAME}
 EOF
 
-  # If no static IP was provided for the ingress, then register the dynamic IP of the ingress with the DNS provider.
-  if [[ "${SUPERVISOR_INGRESS_STATIC_IP_NAME:-}" == "" ]]; then
-    # Wait for the ingress to get an IP
-    ingress_json='{}'
-    while [[ "$ingress_json" == '{}' ]]; do
-      echo "Checking for ingress address..."
-      sleep 1
-      ingress_json=$(kubectl get ingress "${supervisor_app_name}" -n "$supervisor_namespace" -o json |
-        jq -r '.status.loadBalancer')
-    done
-
-    echo "Ingress reported address: $ingress_json"
-    ingress_ip=$(echo "$ingress_json" | jq -r '.ingress[0].ip')
-
-    # No static IP was provided, so the load balancer was allowed to choose its own IP.
-    # Update the DNS record associated with $SUPERVISOR_INGRESS_DNS_NAME to make it match the new IP.
-    update_gcloud_dns_record "$SUPERVISOR_INGRESS_DNS_NAME" "$ingress_ip"
-  fi
-
   # Wait for the Ingress frontend to be up and running. Wait forever... until this Concourse task times out.
   healthz_via_ingress_url="https://${SUPERVISOR_INGRESS_DNS_NAME}/healthz"
   echo "The Ingress TLS CA bundle is:"
@@ -1282,6 +1239,7 @@ export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME='${pinniped_test_ldap_bind_accou
 export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD='${pinniped_test_ldap_bind_account_password}'
 export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE='${pinniped_test_ldap_users_search_base}'
 export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE='${pinniped_test_ldap_groups_search_base}'
+export PINNIPED_TEST_LDAP_GROUPS_SEARCH_FILTER='${pinniped_test_ldap_groups_search_filter}'
 export PINNIPED_TEST_LDAP_USER_DN='${pinniped_test_ldap_user_dn}'
 export PINNIPED_TEST_LDAP_USER_CN='${pinniped_test_ldap_user_cn}'
 export PINNIPED_TEST_LDAP_USER_PASSWORD='${pinniped_test_ldap_user_password}'
@@ -1300,6 +1258,9 @@ export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE='${test_cli_oidc_issuer_ca_bundle
 export PINNIPED_TEST_CLI_OIDC_ISSUER='${test_cli_oidc_issuer}'
 export PINNIPED_TEST_CLI_OIDC_PASSWORD='${test_cli_oidc_password}'
 export PINNIPED_TEST_CLI_OIDC_USERNAME='${test_cli_oidc_username}'
+export PINNIPED_TEST_CLI_OIDC_USERNAME_CLAIM='${test_supervisor_upstream_oidc_username_claim}'
+export PINNIPED_TEST_CLI_OIDC_GROUPS_CLAIM='${test_supervisor_upstream_oidc_groups_claim}'
+export PINNIPED_TEST_CLI_OIDC_EXPECTED_GROUPS='${test_supervisor_upstream_oidc_groups}'
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL='${test_supervisor_upstream_oidc_callback_url}'
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES='${test_supervisor_upstream_oidc_additional_scopes}'
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM='${test_supervisor_upstream_oidc_username_claim}'

pipelines/shared-helpers/test-binaries-image/Dockerfile

@@ -3,12 +3,7 @@
 # Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-
-# Using bullseye (debian 11) until google/cloud-sdk starts using bookworm (debian 12) because the
-# test binaries built by this dockerfile are run in a container built by dockerfiles/integration-test-runner/Dockerfile
-# which uses google/cloud-sdk as the base image. Mismatching debian versions causes the pinniped-integration-test
-# built below to error upon execution complaining that the expected version of GLIBC is not found.
-FROM golang:1.24.3-bullseye as build-env
+FROM golang:1.25.5-bookworm as build-env
 WORKDIR /work
 COPY . .
 ARG GOPROXY

pipelines/shared-helpers/test-binaries-image/Dockerfile_fips

@@ -6,11 +6,7 @@
 # we need a separate dockerfile for the fips test image so that the integration tests
 # use the right ciphers etc.
 
-# Using bullseye (debian 11) until google/cloud-sdk starts using bookworm (debian 12) because the
-# test binaries built by this dockerfile are run in a container built by dockerfiles/integration-test-runner/Dockerfile
-# which uses google/cloud-sdk as the base image. Mismatching debian versions causes the pinniped-integration-test
-# built below to error upon execution complaining that the expected version of GLIBC is not found.
-FROM golang:1.24.3-bullseye as build-env
+FROM golang:1.25.5-bookworm as build-env
 WORKDIR /work
 COPY . .
 ARG GOPROXY

pipelines/shared-tasks/build-cli-binaries/task.yml

@@ -7,7 +7,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: pinniped-ci

pipelines/shared-tasks/build-kind-node-image/build-image.sh

@@ -1,12 +1,27 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # This procedure is inspired from https://github.com/aojea/kind-images/blob/master/.circleci/config.yml
 
 set -euo pipefail
 
+# Put the original apt source list back.
+sudo cp /etc/apt/sources.list.bak /etc/apt/sources.list
+
+# Note that sources.list.bak file should have this content for debian 11,
+# noted here in case the file ever gets removed from the OS disk image:
+
+# deb https://deb.debian.org/debian bullseye main
+# deb-src https://deb.debian.org/debian bullseye main
+# deb https://deb.debian.org/debian-security bullseye-security main
+# deb-src https://deb.debian.org/debian-security bullseye-security main
+# deb https://deb.debian.org/debian bullseye-updates main
+# deb-src https://deb.debian.org/debian bullseye-updates main
+# deb https://deb.debian.org/debian bullseye-backports main
+# deb-src https://deb.debian.org/debian bullseye-backports main
+
 # Choose the tag for the new image that we will build below.
 full_repo="${PUSH_TO_IMAGE_REGISTRY}/${PUSH_TO_IMAGE_REPO}"
 image_tag="${full_repo}:latest"

pipelines/shared-tasks/build-kind-node-image/task.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -17,27 +17,61 @@ gcloud auth activate-service-account \
 
 # Create a temporary username because we can't ssh as root. Note that this username must be 32 character or less.
 ssh_user="kind-node-builder-$(openssl rand -hex 4)"
-ssh_dest="${ssh_user}@${instance_name}"
-echo "ssh user@dest will be ${ssh_dest}"
+echo "ssh user will be ${ssh_user}"
 
-# gcloud scp/ssh commands will interactively prompt to create an ssh key unless one already exists, so create one.
+# Make a private key for ssh.
 mkdir -p "$HOME/.ssh"
 ssh_key_file="$HOME/.ssh/kind-node-builder-key"
 ssh-keygen -t rsa -b 4096 -q -N "" -f "$ssh_key_file"
 
+# When run in CI, the service account should not have permission to create project-wide keys, so explicitly add the
+# key only to the specific VM instance (as VM metadata). We don't want to pollute the project-wide keys with these.
+# See https://cloud.google.com/compute/docs/connect/add-ssh-keys#after-vm-creation for explanation of these commands.
+# Note that this overwrites all ssh keys in the metadata. At the moment, these VMs have no ssh keys in the metadata
+# upon creation, so it should always be okay to overwrite the empty value. However, if someday they need to have some
+# initial ssh keys in the metadata for some reason, and if those keys need to be preserved for some reason, then
+# these commands could be enhanced to instead read the keys, add to them, and write back the new list.
+future_time="$(date --utc --date '+3 hours' '+%FT%T%z')"
+echo \
+  "${ssh_user}:$(cat "${ssh_key_file}.pub") google-ssh {\"userName\":\"${ssh_user}\",\"expireOn\":\"${future_time}\"}" \
+  >/tmp/ssh-key-values
+gcloud compute instances add-metadata "$instance_name" \
+  --metadata-from-file ssh-keys=/tmp/ssh-key-values \
+  --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT"
+
+# Get the IP so we can use regular ssh (not gcloud ssh), now that it has been set up.
+gcloud_instance_ip=$(gcloud compute instances describe \
+  --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" "${instance_name}" \
+  --format='get(networkInterfaces[0].networkIP)')
+
+ssh_dest="${ssh_user}@${gcloud_instance_ip}"
+
+# Wait for the ssh server of the new instance to be ready.
+attempts=0
+while ! ssh -i "$ssh_key_file" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "$ssh_dest" echo connection test; do
+  echo "Waiting for ssh server to start ..."
+  attempts=$((attempts + 1))
+  if [[ $attempts -gt 25 ]]; then
+    echo "ERROR: ssh server never accepted connections after waiting for a while"
+    exit 1
+  fi
+  sleep 2
+done
+
 # Copy the build script to the VM.
 echo "Copying $local_build_script to $instance_name as $remote_build_script..."
-gcloud compute scp --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" \
-  --ssh-key-file "$ssh_key_file" --ssh-key-expire-after 1h --strict-host-key-checking no \
+scp -i "$ssh_key_file" \
+  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
   "$local_build_script" "$ssh_dest":"$remote_build_script"
 
 # Run the script that was copied to the server above.
 # Note that this assumes that there is no single quote character inside the values of PUSH_TO_IMAGE_REPO,
 # DOCKER_USERNAME, and DOCKER_PASSWORD, which would cause quoting problems in the command below.
 echo "Running $remote_build_script on $instance_name..."
-gcloud compute ssh --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" "$ssh_dest" \
-  --ssh-key-file "$ssh_key_file" --ssh-key-expire-after 1h --strict-host-key-checking no \
-  --command "chmod 755 $remote_build_script && export PUSH_TO_IMAGE_REGISTRY='${PUSH_TO_IMAGE_REGISTRY}' && export PUSH_TO_IMAGE_REPO='${PUSH_TO_IMAGE_REPO}' && export DOCKER_USERNAME='${DOCKER_USERNAME}' && export DOCKER_PASSWORD='${DOCKER_PASSWORD}' && $remote_build_script"
+ssh -i "$ssh_key_file" \
+  -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+  "$ssh_dest" \
+  "chmod 755 $remote_build_script && export PUSH_TO_IMAGE_REGISTRY='${PUSH_TO_IMAGE_REGISTRY}' && export PUSH_TO_IMAGE_REPO='${PUSH_TO_IMAGE_REPO}' && export DOCKER_USERNAME='${DOCKER_USERNAME}' && export DOCKER_PASSWORD='${DOCKER_PASSWORD}' && $remote_build_script"
 
 echo
 echo "Done!"

pipelines/shared-tasks/confirm-built-with-fips/task.sh

@@ -28,7 +28,7 @@ then
   exit 1
 fi
 # check whether the kube-cert-agent binary has particular symbols that only exist when it's compiled with non-boring crypto
-kube_cert_agent_has_regular_crypto="$(go tool nm './image/rootfs/usr/local/bin/pinniped-concierge-kube-cert-agent' | grep sha256 | grep di)"
+kube_cert_agent_has_regular_crypto="$(go tool nm './image/rootfs/usr/local/bin/pinniped-concierge-kube-cert-agent' | grep sha256 | grep di | grep -v fips)"
 # if any of these symbols exist, that means it was compiled wrong and it should fail.
 if [ -n "$kube_cert_agent_has_regular_crypto" ]
 then

pipelines/shared-tasks/confirm-built-with-fips/task.yml

@@ -10,6 +10,6 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 run:
   path: pinniped-ci/pipelines/shared-tasks/confirm-built-with-fips/task.sh

pipelines/shared-tasks/confirm-version/task.yml

@@ -10,7 +10,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 run:
   # Confirm that the correct git sha was baked into the executables and that they log the version as their
   # first line of output. Do this by directly running the server binary from the rootfs of the built image.

pipelines/shared-tasks/create-kind-node-builder-vm/task.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -20,10 +20,10 @@ echo "Creating $INSTANCE_NAME in $INSTANCE_ZONE..."
 gcloud compute instances create "${INSTANCE_NAME}" \
   --zone "${INSTANCE_ZONE}" \
   --machine-type=e2-standard-2 \
-  --image=debian-11-bullseye-v20210916 --image-project=debian-cloud \
-  --boot-disk-size=30GB --boot-disk-type=pd-ssd \
   --labels "kind-node-builder=" \
   --no-service-account --no-scopes \
+  --network-interface=stack-type=IPV4_ONLY,subnet=projects/"$SHARED_VPC_PROJECT"/regions/"${SUBNET_REGION}"/subnetworks/"${SUBNET_NAME}",no-address \
+  --create-disk=auto-delete=yes,boot=yes,device-name="${INSTANCE_NAME}",image=projects/"${DISK_IMAGES_PROJECT}"/global/images/labs-saas-gcp-debian11-packer-latest,mode=rw,size=30,type=pd-ssd \
   --tags=kind-node-image-builder
 
 echo "$INSTANCE_NAME" > name

pipelines/shared-tasks/create-kind-node-builder-vm/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -12,5 +12,9 @@ params:
   GCP_PROJECT:
   GCP_USERNAME:
   GCP_JSON_KEY:
+  SHARED_VPC_PROJECT:
+  SUBNET_REGION:
+  SUBNET_NAME:
+  DISK_IMAGES_PROJECT:
 run:
   path: pinniped-ci/pipelines/shared-tasks/create-kind-node-builder-vm/task.sh

pipelines/shared-tasks/create-or-update-pr/task.sh

@@ -1,33 +1,24 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
 
-branch="${BRANCH:-"pinny/bump-deps"}"
+if [[ -z "${BRANCH:-}" || -z "${COMMIT_MESSAGE:-}" || -z "${PR_TITLE:-}" || -z "${PR_BODY:-}" ]]; then
+  echo "BRANCH, COMMIT_MESSAGE, PR_TITLE, and PR_BODY env vars are all required"
+  exit 1
+fi
 
 cd pinniped
 
 # Print the current status to the log.
 git status
 
-# Copied from https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
-github_hosts='
-github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
-github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
-github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
-'
-
 # Prepare to be able to do commits and pushes.
-ssh_dir="$HOME"/.ssh/
-mkdir "$ssh_dir"
-echo "$github_hosts" >"$ssh_dir"/known_hosts
-echo "${DEPLOY_KEY}" >"$ssh_dir"/id_rsa
-chmod 600 "$ssh_dir"/id_rsa
 git config user.email "pinniped-ci-bot@users.noreply.github.com"
 git config user.name "Pinny"
-git remote add ssh_origin "git@github.com:vmware-tanzu/pinniped.git"
+git remote add https_origin "https://${GH_TOKEN}@github.com/vmware/pinniped.git"
 
 # Add all the changed files.
 git add .
@@ -45,9 +36,9 @@ fi
 
 # Check if the branch already exists on the remote.
 new_branch="no"
-if [[ -z "$(git ls-remote ssh_origin "$branch")" ]]; then
+if [[ -z "$(git ls-remote https_origin "$BRANCH")" ]]; then
   echo "The branch does not already exist, so create it."
-  git checkout -b "$branch"
+  git checkout -b "$BRANCH"
   git status
   new_branch="yes"
 else
@@ -56,9 +47,9 @@ else
   git status
   git stash
   # Fetch all the remote branches so we can use one of them.
-  git fetch ssh_origin
+  git fetch https_origin
   # The branch already exists, so reuse it.
-  git checkout "$branch"
+  git checkout "$BRANCH"
   # Pull to sync up commits with the remote branch.
   git pull --rebase --autostash
   # Throw away all previous commits on the branch and set it up to look like main again.
@@ -76,14 +67,14 @@ git --no-pager diff --staged
 echo
 
 # Commit.
-echo "Committing changes to branch $branch. New branch? $new_branch."
-git commit -m "Bump dependencies"
+echo "Committing changes to branch $BRANCH. New branch? $new_branch."
+git commit -m "$COMMIT_MESSAGE"
 
 # Push.
 if [[ "$new_branch" == "yes" ]]; then
   # Push the new branch to the remote.
   echo "Pushing the new branch."
-  git push --set-upstream ssh_origin "$branch"
+  git push --set-upstream https_origin "$BRANCH"
 else
   # Force push the existing branch to the remote.
   echo "Force pushing the existing branch."
@@ -93,11 +84,10 @@ fi
 # Now check if there is already a PR open for our branch.
 # If there is already an open PR, then we just updated it by force pushing the branch.
 # Note that using the gh CLI without login depends on setting the GH_TOKEN env var.
-open_pr=$(gh pr list --head "$branch" --json title --jq '. | length')
+open_pr=$(gh pr list --head "$BRANCH" --json title --jq '. | length')
 if [[ "$open_pr" == "0" ]]; then
   # There is no currently open PR for this branch, so open a new PR for this branch
   # against main, and set the title and body.
   echo "Creating PR."
-  gh pr create --head "$branch" --base main \
-    --title "Bump dependencies" --body "Automatically bumped all go.mod direct dependencies and/or images in dockerfiles."
+  gh pr create --head "$BRANCH" --base main --title "$PR_TITLE" --body "$PR_BODY"
 fi

pipelines/shared-tasks/create-or-update-pr/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -10,5 +10,8 @@ params:
   DEPLOY_KEY:
   GH_TOKEN:
   BRANCH:
+  COMMIT_MESSAGE:
+  PR_TITLE:
+  PR_BODY:
 run:
   path: pinniped-ci/pipelines/shared-tasks/create-or-update-pr/task.sh

pipelines/shared-tasks/deploy-eks-cluster/task.sh

@@ -13,7 +13,7 @@ aws configure set credential_source Environment --profile service-account
 aws configure set role_arn "$AWS_ROLE_ARN" --profile service-account
 
 # Set some variables.
-CLUSTER_NAME="eks-$(python -c 'import os,binascii; print binascii.b2a_hex(os.urandom(8))')"
+CLUSTER_NAME="eks-$(openssl rand -hex 8)"
 ADMIN_USERNAME="$CLUSTER_NAME-admin"
 export CLUSTER_NAME
 export ADMIN_USERNAME

pipelines/shared-tasks/deploy-gke-cluster/task.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -13,13 +13,25 @@ export USE_GKE_GCLOUD_AUTH_PLUGIN=True
 cd deploy-gke-cluster-output
 gcloud auth activate-service-account "$GCP_SERVICE_ACCOUNT" --key-file <(echo "$GCP_JSON_KEY") --project "$GCP_PROJECT"
 
+# Decide if we want a regional or zonal cluster.
+if [[ -n "$CLUSTER_REGION" ]]; then
+  region_or_zone_flag="--region=$CLUSTER_REGION"
+  region_or_zone_suffix="region-$CLUSTER_REGION"
+  # regional clusters have 3 nodes (one per zone, minimum 3 zones), so use a smaller machine type
+  machine_type="e2-medium"
+else
+  region_or_zone_flag="--zone=$CLUSTER_ZONE"
+  region_or_zone_suffix="zone-$CLUSTER_ZONE"
+  # zonal clusters have 1 node, so use a bigger machine type
+  machine_type="e2-standard-4"
+fi
 
 if [ -n "$KUBE_VERSION" ]; then
   echo
   echo "Trying to use Kubernetes version $KUBE_VERSION"
 
   # Look up the latest GKE version for KUBE_VERSION.
-  GKE_VERSIONS="$(gcloud container get-server-config --zone "$CLUSTER_ZONE" --format json \
+  GKE_VERSIONS="$(gcloud container get-server-config "$region_or_zone_flag" --format json \
     | jq -r '.validMasterVersions[]')"
   echo
   echo "Found all versions of Kubernetes supported by GKE:"
@@ -36,28 +48,38 @@ else
   export VERSION_FLAG="--release-channel=${GKE_CHANNEL:-"regular"}"
 fi
 
-# Include the zone of the cluster in its name. This will allow us to change our preferred zone for new
-# clusters anytime we want, and the existing clusters can still be deleted because the old zone can
+# Include the region or zone of the cluster in its name. This will allow us to change our preferred region/zone for new
+# clusters anytime we want, and the existing clusters can still be deleted because the old region/zone can
 # be parsed out from the cluster name at deletion time.
-CLUSTER_NAME="gke-$(openssl rand -hex 4)-zone-${CLUSTER_ZONE}"
+CLUSTER_NAME="gke-$(openssl rand -hex 4)-${region_or_zone_suffix}"
 
 # The cluster name becomes the name of the lock in the pool.
-echo "$CLUSTER_NAME" > name
+echo "$CLUSTER_NAME" >name
 
 # Start the cluster
 # Note that --enable-network-policy is required to enable NetworkPolicy resources. Otherwise they are ignored.
 gcloud container clusters create "$CLUSTER_NAME" \
-  --zone "$CLUSTER_ZONE" \
+  "$region_or_zone_flag" \
   "$VERSION_FLAG" \
   --num-nodes 1 \
-  --machine-type e2-standard-4 \
+  --machine-type "$machine_type" \
   --preemptible \
   --issue-client-certificate \
   --no-enable-basic-auth \
-  --enable-network-policy
+  --enable-network-policy \
+  --tags "gke-broadcom" \
+  --enable-master-authorized-networks \
+  --master-authorized-networks "10.0.0.0/8" \
+  --enable-private-nodes \
+  --enable-private-endpoint \
+  --enable-ip-alias \
+  --network "projects/${SHARED_VPC_PROJECT}/global/networks/${SHARED_VPC_NAME}" \
+  --subnetwork "projects/${SHARED_VPC_PROJECT}/regions/${SUBNET_REGION}/subnetworks/${SUBNET_NAME}" \
+  --cluster-secondary-range-name "services" \
+  --services-secondary-range-name "pods"
 
 # Get the cluster details back, including the admin certificate:
-gcloud container clusters describe "$CLUSTER_NAME" --zone "$CLUSTER_ZONE" --format json \
+gcloud container clusters describe "$CLUSTER_NAME" "$region_or_zone_flag" --format json \
   > /tmp/cluster.json
 
 # Make a new kubeconfig user "cluster-admin" using the admin cert.

pipelines/shared-tasks/deploy-gke-cluster/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -10,9 +10,14 @@ outputs:
 params:
   KUBE_VERSION:
   CLUSTER_ZONE:
+  CLUSTER_REGION:
   GCP_PROJECT:
   GCP_SERVICE_ACCOUNT:
   GCP_JSON_KEY:
   GKE_CHANNEL:
+  SHARED_VPC_PROJECT:
+  SHARED_VPC_NAME:
+  SUBNET_REGION:
+  SUBNET_NAME:
 run:
   path: pinniped-ci/pipelines/shared-tasks/deploy-gke-cluster/task.sh

pipelines/shared-tasks/deploy-kind-cluster-vm/gce-init.sh

@@ -1,22 +1,22 @@
 #!/bin/bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # This is the script that runs at startup to launch Kind on GCE.
 # A log of the output of this script can be viewed by running this command on the VM:
-# sudo journalctl -u google-startup-scripts.service
+# sudo journalctl -u google-startup-scripts.service --no-pager
 
 set -euo pipefail
 
 function cleanup() {
   # Upon exit, try to save the log of everything that happened to make debugging errors easier.
-  curl --retry-all-errors --retry 5 -X PUT --data "$(journalctl -u google-startup-scripts.service)" \
+  curl --retry-all-errors --retry 5 -X PUT --data "$(journalctl -u google-startup-scripts.service --no-pager)" \
     http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/kind/init_log -H "Metadata-Flavor: Google"
 }
 trap "cleanup" EXIT SIGINT
 
-PUBLIC_IP="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip -H "Metadata-Flavor: Google")"
+INTERNAL_IP="$(curl --retry-all-errors --retry 5 http://metadata/computeMetadata/v1/instance/network-interfaces/0/ip -H "Metadata-Flavor: Google")"
 KIND_VERSION="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/attributes/kind_version -H "Metadata-Flavor: Google")"
 K8S_VERSION="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/attributes/k8s_version -H "Metadata-Flavor: Google")"
 KIND_NODE_IMAGE="$(curl --retry-all-errors --retry 5 http://metadata.google.internal/computeMetadata/v1/instance/attributes/kind_node_image -H "Metadata-Flavor: Google")"
@@ -92,9 +92,18 @@ kubeadmConfigPatches:
   apiVersion: ${KUBE_ADM_VERSION}
   kind: ClusterConfiguration
   # ControlPlaneEndpoint sets a stable IP address or DNS name for the control plane.
-  controlPlaneEndpoint: "${PUBLIC_IP}:6443"
+  # Although this worked when the VM had a public IP address that we could use here,
+  # this does not work when using the VM's internal IP address. kubeadm fails to connect
+  # to this endpoint during liveness probes, so it thinks that the api-server is not
+  # running (when it actually is running), which causes cluster creation to fail.
+  # Instead, we will add the internal IP as a SAN on the api-server's TLS certificate below,
+  # which will still allow us to validate TLS when connecting to the cluster using the
+  # VM's internal IP.
+  #controlPlaneEndpoint: "${INTERNAL_IP}:6443"
   # mount the kind extraMounts into the API server static pod so we can use the audit config
   apiServer:
+    certSANs:
+    - "${INTERNAL_IP}"
     extraVolumes:
     - name: audit-config
       hostPath: /audit-config/audit-config.yaml
@@ -177,8 +186,8 @@ fi
 
 /var/lib/google/kind create cluster --wait 5m --kubeconfig /tmp/kubeconfig.yaml --image "$image" --config /tmp/kind.yaml |& tee /tmp/kind-cluster-create.log
 
-# Change the kubeconfig to make the server address match the public IP configured as controlPlaneEndpoint above.
-sed -i "s/0\\.0\\.0\\.0/${PUBLIC_IP}/" /tmp/kubeconfig.yaml
+# Change the kubeconfig to make the server address match the IP configured as controlPlaneEndpoint above.
+sed -i "s/0\\.0\\.0\\.0/${INTERNAL_IP}/" /tmp/kubeconfig.yaml
 
 # The above YAML config file specifies one node, and Kind should never put the "control-plane"
 # taint on the node for single-node clusters. Due to the issue described in

pipelines/shared-tasks/deploy-to-acceptance-gke/task.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -20,7 +20,7 @@ gcloud auth activate-service-account "$GKE_USERNAME" --key-file <(echo "$GKE_JSO
 
 # https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
 export USE_GKE_GCLOUD_AUTH_PLUGIN=True
-gcloud container clusters get-credentials "$GKE_CLUSTER_NAME" --zone us-central1-c --project "$PINNIPED_GCP_PROJECT"
+gcloud container clusters get-credentials "$GKE_CLUSTER_NAME" --zone us-west1-c --project "$PINNIPED_GCP_PROJECT"
 
 pushd pinniped >/dev/null
 
@@ -48,9 +48,8 @@ CONCIERGE_NAMESPACE=concierge-acceptance \
   SUPERVISOR_LOAD_BALANCER_DNS_NAME="$LOAD_BALANCER_DNS_NAME" \
   SUPERVISOR_LOAD_BALANCER_STATIC_IP="$RESERVED_LOAD_BALANCER_STATIC_IP" \
   SUPERVISOR_INGRESS=yes \
-  SUPERVISOR_INGRESS_DNS_NAME="$INGRESS_DNS_ENTRY_GCLOUD_NAME" \
+  SUPERVISOR_INGRESS_DNS_NAME="$INGRESS_DNS_NAME" \
   SUPERVISOR_INGRESS_STATIC_IP_NAME="$INGRESS_STATIC_IP_GCLOUD_NAME" \
-  SUPERVISOR_INGRESS_PATH_PATTERN='/*' \
   IMAGE_PULL_SECRET="$image_pull_secret" \
   IMAGE_REPO="$CI_BUILD_IMAGE_NAME" \
   IMAGE_DIGEST="$digest" \
@@ -81,7 +80,7 @@ cp /tmp/integration-test-env integration-test-env-vars/
 
 # So that the tests can avoid using the GKE auth plugin, create an admin kubeconfig which uses certs (without the plugin).
 # Get the cluster details back, including the admin certificate:
-gcloud container clusters describe "$GKE_CLUSTER_NAME" --zone us-central1-c --format json >/tmp/cluster.json
+gcloud container clusters describe "$GKE_CLUSTER_NAME" --zone us-west1-c --format json >/tmp/cluster.json
 # Make a new kubeconfig user "cluster-admin" using the admin cert.
 jq -r .masterAuth.clientCertificate /tmp/cluster.json | base64 -d >/tmp/client.crt
 jq -r .masterAuth.clientKey /tmp/cluster.json | base64 -d >/tmp/client.key

pipelines/shared-tasks/deploy-to-acceptance-gke/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -29,10 +29,10 @@ params:
 
   # Set up a LoadBalancer for the Supervisor.
   RESERVED_LOAD_BALANCER_STATIC_IP: # An IP reserved for this purpose in our GCP project.
-  LOAD_BALANCER_DNS_NAME: # A DNS entry in our GCP project for the above IP address.
+  LOAD_BALANCER_DNS_NAME: # A DNS name for the above IP address. Must be created manually in the DNS provider.
   # Set up an Ingress for the Supervisor, as an alternate way to access it.
   INGRESS_STATIC_IP_GCLOUD_NAME: # The name of a static IP reservation in our GCP project used for this purpose.
-  INGRESS_DNS_ENTRY_GCLOUD_NAME: # A DNS entry in our GCP project for the IP address represented by the above static IP reservation name.
+  INGRESS_DNS_NAME: # A DNS name for the above static IP. Must be created manually in the DNS provider.
 
   # Set to a non-empty value to remove the CPU requests from these deployments.
   SUPERVISOR_AND_CONCIERGE_NO_CPU_REQUEST:

pipelines/shared-tasks/deploy-to-integration-kubectl-apply/task.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -175,6 +175,7 @@ pinniped_test_ldap_bind_account_username="cn=admin,dc=pinniped,dc=dev"
 pinniped_test_ldap_bind_account_password=password
 pinniped_test_ldap_users_search_base="ou=users,dc=pinniped,dc=dev"
 pinniped_test_ldap_groups_search_base="ou=groups,dc=pinniped,dc=dev"
+pinniped_test_ldap_groups_search_filter=""
 pinniped_test_ldap_user_dn="cn=pinny,ou=users,dc=pinniped,dc=dev"
 pinniped_test_ldap_user_cn="pinny"
 pinniped_test_ldap_user_password=${ldap_test_password}
@@ -291,6 +292,7 @@ export PINNIPED_TEST_LDAP_BIND_ACCOUNT_USERNAME='${pinniped_test_ldap_bind_accou
 export PINNIPED_TEST_LDAP_BIND_ACCOUNT_PASSWORD='${pinniped_test_ldap_bind_account_password}'
 export PINNIPED_TEST_LDAP_USERS_SEARCH_BASE='${pinniped_test_ldap_users_search_base}'
 export PINNIPED_TEST_LDAP_GROUPS_SEARCH_BASE='${pinniped_test_ldap_groups_search_base}'
+export PINNIPED_TEST_LDAP_GROUPS_SEARCH_FILTER='${pinniped_test_ldap_groups_search_filter}'
 export PINNIPED_TEST_LDAP_USER_DN='${pinniped_test_ldap_user_dn}'
 export PINNIPED_TEST_LDAP_USER_CN='${pinniped_test_ldap_user_cn}'
 export PINNIPED_TEST_LDAP_USER_PASSWORD='${pinniped_test_ldap_user_password}'
@@ -309,6 +311,9 @@ export PINNIPED_TEST_CLI_OIDC_ISSUER_CA_BUNDLE='${test_cli_oidc_issuer_ca_bundle
 export PINNIPED_TEST_CLI_OIDC_ISSUER='${test_cli_oidc_issuer}'
 export PINNIPED_TEST_CLI_OIDC_PASSWORD='${test_cli_oidc_password}'
 export PINNIPED_TEST_CLI_OIDC_USERNAME='${test_cli_oidc_username}'
+export PINNIPED_TEST_CLI_OIDC_USERNAME_CLAIM='${test_supervisor_upstream_oidc_username_claim}'
+export PINNIPED_TEST_CLI_OIDC_GROUPS_CLAIM='${test_supervisor_upstream_oidc_groups_claim}'
+export PINNIPED_TEST_CLI_OIDC_EXPECTED_GROUPS='${test_supervisor_upstream_oidc_groups}'
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_CALLBACK_URL='${test_supervisor_upstream_oidc_callback_url}'
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_ADDITIONAL_SCOPES='${test_supervisor_upstream_oidc_additional_scopes}'
 export PINNIPED_TEST_SUPERVISOR_UPSTREAM_OIDC_USERNAME_CLAIM='${test_supervisor_upstream_oidc_username_claim}'

pipelines/shared-tasks/deploy-to-integration/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -75,6 +75,7 @@ params:
   JUMPCLOUD_LDAP_BIND_ACCOUNT_USERNAME:
   JUMPCLOUD_LDAP_BIND_ACCOUNT_PASSWORD:
   JUMPCLOUD_LDAP_USERS_SEARCH_BASE:
+  JUMPCLOUD_LDAP_GROUPS_SEARCH_FILTER:
   JUMPCLOUD_LDAP_GROUPS_SEARCH_BASE:
   JUMPCLOUD_LDAP_USER_DN:
   JUMPCLOUD_LDAP_USER_CN:
@@ -87,7 +88,26 @@ params:
   JUMPCLOUD_LDAP_EXPECTED_DIRECT_GROUPS_CN:
   JUMPCLOUD_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN:
 
-   # only needed when wanting to test using GitHub as an identity provider
+  # only needed when wanting to test using Okta LDAP instead of OpenLDAP.
+  OKTA_LDAP_HOST:
+  OKTA_LDAP_STARTTLS_ONLY_HOST:
+  OKTA_LDAP_BIND_ACCOUNT_USERNAME:
+  OKTA_LDAP_BIND_ACCOUNT_PASSWORD:
+  OKTA_LDAP_USERS_SEARCH_BASE:
+  OKTA_LDAP_GROUPS_SEARCH_BASE:
+  OKTA_LDAP_GROUPS_SEARCH_FILTER:
+  OKTA_LDAP_USER_DN:
+  OKTA_LDAP_USER_CN:
+  OKTA_LDAP_USER_PASSWORD:
+  OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_NAME:
+  OKTA_LDAP_USER_UNIQUE_ID_ATTRIBUTE_VALUE:
+  OKTA_LDAP_USER_EMAIL_ATTRIBUTE_NAME:
+  OKTA_LDAP_USER_EMAIL_ATTRIBUTE_VALUE:
+  OKTA_LDAP_EXPECTED_DIRECT_GROUPS_DN:
+  OKTA_LDAP_EXPECTED_DIRECT_GROUPS_CN:
+  OKTA_LDAP_EXPECTED_DIRECT_POSIX_GROUPS_CN:
+
+  # only needed when wanting to test using GitHub as an identity provider
   PINNIPED_TEST_GITHUB_APP_CLIENT_ID:
   PINNIPED_TEST_GITHUB_APP_CLIENT_SECRET:
   PINNIPED_TEST_GITHUB_OAUTH_APP_CLIENT_ID:

pipelines/shared-tasks/format-release/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -6,8 +6,8 @@ platform: linux
 image_resource:
   type: registry-image
   source:
-    repository: debian
-    tag: 10.8-slim
+    repository: golang
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: release-semver
@@ -22,8 +22,6 @@ run:
   args:
     - -xeuc
     - |
-      ( apt update && apt install -y git ) 2>&1 > install.log || cat install.log
-
       THIS_VERSION="v$(cat release-semver/version)"
       PREVIOUS_VERSION="v$(cat previous-release-semver/version)"
 
@@ -45,7 +43,7 @@ run:
 
       | Image          | Registry      |
       | -------------- | ------------- |
-      | \`ghcr.io/vmware-tanzu/pinniped/pinniped-server:$THIS_VERSION\`  | GitHub Container Registry |
+      | \`ghcr.io/vmware/pinniped/pinniped-server:$THIS_VERSION\`  | GitHub Container Registry |
       | \`docker.io/getpinniped/pinniped-server:$THIS_VERSION\`          | DockerHub                 |
 
       These images can also be referenced by their digest: \`$(cat ci-build-image/digest)\`.
@@ -69,7 +67,7 @@ run:
       ### Diffs
 
       *TODO*: Make sure the following references the correct version tags. Note that the link will not work until the release is published (made public):<br/>
-      A complete list of changes can be found [here](https://github.com/vmware-tanzu/pinniped/compare/$PREVIOUS_VERSION...$THIS_VERSION).
+      A complete list of changes can be found [here](https://github.com/vmware/pinniped/compare/$PREVIOUS_VERSION...$THIS_VERSION).
 
       ## Acknowledgements
 

pipelines/shared-tasks/remove-gke-cluster/task.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 set -euo pipefail
@@ -9,15 +9,41 @@ CLUSTER_NAME="$(cat gke-cluster-pool/name)"
 export CLUSTER_NAME
 export KUBECONFIG="gke-cluster-pool/metadata"
 
-# Parse the zone name from the cluster name, in case it was created in a different zone
-# compared to the zone in which we are currently creating new clusters.
+# Parse the region or zone name from the cluster name, in case it was created in a different region/zone
+# compared to the region/zone in which we are currently creating new clusters.
 zone=${CLUSTER_NAME##*-zone-}
-# If the zone name was empty, or if there was no zone delimiter in the cluster name to start with...
-if [[ -z $zone || "$CLUSTER_NAME" != *"-zone-"* ]]; then
-  echo "Umm... the cluster name did not contain a zone name."
+region=${CLUSTER_NAME##*-region-}
+
+# If the region/zone name was empty, or if there was no region/zone delimiter in the cluster name to start with...
+if [[ (-z $zone || "$CLUSTER_NAME" != *"-zone-"*) && (-z $region || "$CLUSTER_NAME" != *"-region-"*) ]]; then
+  echo "Umm... the cluster name $CLUSTER_NAME did not contain either region or zone name."
   exit 1
 fi
 
-echo "Removing $CLUSTER_NAME..."
+# Decide if we have a regional or zonal cluster.
+if [[ -n "$region" ]]; then
+  region_or_zone_flag="--region=$region"
+else
+  region_or_zone_flag="--zone=$zone"
+fi
+
 gcloud auth activate-service-account "$GCP_SERVICE_ACCOUNT" --key-file <(echo "$GCP_JSON_KEY") --project "$GCP_PROJECT"
-gcloud container clusters delete "$CLUSTER_NAME" --zone "$zone" --quiet
+
+for i in $(seq 1 10); do
+  echo "Checking $CLUSTER_NAME for ongoing operations (iteration $i)...."
+  running_ops=$(gcloud container operations list \
+    --filter="targetLink:$CLUSTER_NAME AND status != done" \
+    --project "$GCP_PROJECT" "$region_or_zone_flag" --format yaml)
+  if [[ -z "$running_ops" ]]; then
+    echo
+    break
+  fi
+  echo "Found a running cluster operation:"
+  echo "$running_ops"
+  echo
+  # Give some time for the operation to finsh before checking again.
+  sleep 30
+done
+
+echo "Removing $CLUSTER_NAME..."
+gcloud container clusters delete "$CLUSTER_NAME" "$region_or_zone_flag" --quiet

pipelines/shared-tasks/remove-orphaned-gke-clusters/task.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Sometimes something goes wrong with a GKE test job's cleanup and a
@@ -11,7 +11,8 @@
 # 1. Are running in GCP with a name that indicates that it was auto-created for testing,
 # 2. And are older than some number of hours since their creation time.
 #
-# Params are CLUSTER_ZONE, GCP_PROJECT, GCP_SERVICE_ACCOUNT, and GCP_JSON_KEY.
+# Params are CLUSTER_REGION, CLUSTER_ZONE, GCP_PROJECT, GCP_SERVICE_ACCOUNT, and GCP_JSON_KEY.
+# Search for both zonal and regional orphaned clusters.
 
 set -euo pipefail
 
@@ -20,17 +21,23 @@ gcloud auth activate-service-account \
   --key-file <(echo "$GCP_JSON_KEY") \
   --project "$GCP_PROJECT"
 
-all_cloud=($(gcloud container clusters list \
+all_zonal=($(gcloud container clusters list \
   --zone "$CLUSTER_ZONE" --project "$GCP_PROJECT" \
   --filter "name~gke-[a-f0-9]+-zone-${CLUSTER_ZONE}" --format 'table[no-heading](name)' | sort))
 
+all_regional=($(gcloud container clusters list \
+  --region "$CLUSTER_REGION" --project "$GCP_PROJECT" \
+  --filter "name~gke-[a-f0-9]+-region-${CLUSTER_REGION}" --format 'table[no-heading](name)' | sort))
+
 now_in_seconds_since_epoch=$(date +"%s")
 hours_ago_to_delete=2
-clusters_to_remove=()
+regional_clusters_to_remove=()
+zonal_clusters_to_remove=()
 
 echo
 echo "All auto-created GKE clusters (with creation time in UTC):"
-for i in "${all_cloud[@]}"; do
+
+for i in "${all_zonal[@]}"; do
   creation_time=$(gcloud container clusters describe "$i" \
     --zone "$CLUSTER_ZONE" --project "$GCP_PROJECT" \
     --format 'table[no-heading](createTime.date(tz=UTC))')
@@ -39,7 +46,7 @@ for i in "${all_cloud[@]}"; do
     # Note: on MacOS this date command would be: date -ju -f '%Y-%m-%dT%H:%M:%S' "$creation_time" '+%s'
     creation_time_seconds_since_epoch=$(date -u -d "$creation_time" '+%s')
     if (($((now_in_seconds_since_epoch - creation_time_seconds_since_epoch)) > $((hours_ago_to_delete * 60 * 60)))); then
-      clusters_to_remove+=("$i")
+      zonal_clusters_to_remove+=("$i")
       echo "$i $creation_time (older than $hours_ago_to_delete hours)"
     else
       echo "$i $creation_time (less than $hours_ago_to_delete hours old)"
@@ -49,16 +56,45 @@ for i in "${all_cloud[@]}"; do
     exit 1
   fi
 done
-if [[ ${#all_cloud[@]} -eq 0 ]]; then
+
+for i in "${all_regional[@]}"; do
+  creation_time=$(gcloud container clusters describe "$i" \
+    --region "$CLUSTER_REGION" --project "$GCP_PROJECT" \
+    --format 'table[no-heading](createTime.date(tz=UTC))')
+  # UTC date format example: 2022-04-01T17:01:59
+  if [[ "$creation_time" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}$ ]]; then
+    # Note: on MacOS this date command would be: date -ju -f '%Y-%m-%dT%H:%M:%S' "$creation_time" '+%s'
+    creation_time_seconds_since_epoch=$(date -u -d "$creation_time" '+%s')
+    if (($((now_in_seconds_since_epoch - creation_time_seconds_since_epoch)) > $((hours_ago_to_delete * 60 * 60)))); then
+      regional_clusters_to_remove+=("$i")
+      echo "$i $creation_time (older than $hours_ago_to_delete hours)"
+    else
+      echo "$i $creation_time (less than $hours_ago_to_delete hours old)"
+    fi
+  else
+    echo "GKE cluster creation time not in expected time format: $creation_time"
+    exit 1
+  fi
+done
+
+if [[ ${#all_zonal[@]} -eq 0 && ${#all_regional[@]} -eq 0 ]]; then
   echo "none"
 fi
 
 echo
-if [[ ${#clusters_to_remove[@]} -eq 0 ]]; then
-  echo "No old orphaned GKE clusters found to remove."
+if [[ ${#zonal_clusters_to_remove[@]} -eq 0 ]]; then
+  echo "No old orphaned zonal GKE clusters found to remove."
 else
-  echo "Removing ${#clusters_to_remove[@]} GKE clusters(s) which are older than $hours_ago_to_delete hours in $CLUSTER_ZONE: ${clusters_to_remove[*]} ..."
-  gcloud container clusters delete --zone "${CLUSTER_ZONE}" --quiet ${clusters_to_remove[*]}
+  echo "Removing ${#zonal_clusters_to_remove[@]} GKE clusters(s) which are older than $hours_ago_to_delete hours in $CLUSTER_ZONE: ${zonal_clusters_to_remove[*]} ..."
+  gcloud container clusters delete --zone "${CLUSTER_ZONE}" --quiet ${zonal_clusters_to_remove[*]}
+fi
+
+echo
+if [[ ${#regional_clusters_to_remove[@]} -eq 0 ]]; then
+  echo "No old orphaned regional GKE clusters found to remove."
+else
+  echo "Removing ${#regional_clusters_to_remove[@]} GKE clusters(s) which are older than $hours_ago_to_delete hours in $CLUSTER_REGION: ${regional_clusters_to_remove[*]} ..."
+  gcloud container clusters delete --region "${CLUSTER_REGION}" --quiet ${regional_clusters_to_remove[*]}
 fi
 
 echo

pipelines/shared-tasks/remove-orphaned-gke-clusters/task.yml

@@ -1,4 +1,4 @@
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -7,6 +7,7 @@ inputs:
   - name: pinniped-ci
 outputs:
 params:
+  CLUSTER_REGION:
   CLUSTER_ZONE:
   GCP_PROJECT:
   GCP_SERVICE_ACCOUNT:

pipelines/shared-tasks/run-go-vuln-scan/task.yml

@@ -7,7 +7,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: pinniped-ci

pipelines/shared-tasks/run-integration-tests/task.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 # Run the integration tests against a remote target cluster.
@@ -156,7 +156,7 @@ if [[ "${START_GCLOUD_PROXY:-no}" == "yes" ]]; then
   # seems to be no way to avoid it. :( So we'll use regular ssh.
   gcloud_instance_ip=$(gcloud compute instances describe \
     --zone "$GCP_ZONE" --project "$GCP_PROJECT" "${cluster_name}" \
-    --format='get(networkInterfaces[0].accessConfigs[0].natIP)')
+    --format='get(networkInterfaces[0].networkIP)')
 
   # Now start some simultaneous background jobs.
   for mapping in "${ssh_mappings[@]}"; do
@@ -256,6 +256,9 @@ fi
 # and that kubectl is configured to talk to the cluster. They also have the
 # k14s tools available (ytt, kapp, etc) in case they want to do more deploys.
 if [[ "$(id -u)" == "0" ]]; then
+  # Give the testrunner user permission to create the Go cache dirs that we configured at the top of this script.
+  chmod 777 "$initial_working_directory/cache"
+
   # Downgrade to a non-root user to run the tests. We don't want them reading the
   # environment of any parent process, e.g. by reading from /proc. This user account
   # was created in the Dockerfile of the container image used to run this script in CI.

pipelines/shared-tasks/run-unit-tests/task.sh

@@ -14,9 +14,4 @@ export GOCACHE="$PWD/cache/gocache"
 export GOMODCACHE="$PWD/cache/gomodcache"
 
 cd pinniped
-
-# Temporarily avoid using the race detector for the impersonator package due to https://github.com/kubernetes/kubernetes/issues/128548
-# Note that this will exclude the impersonator package from the code coverage for now as a side effect.
-# TODO: change this back to using the race detector everywhere
-go test -short -timeout 15m -race -coverprofile "${COVERAGE_OUTPUT}" -covermode atomic $(go list ./... | grep -v internal/concierge/impersonator)
-go test -short ./internal/concierge/impersonator
+go test -short -timeout 15m -race -coverprofile "${COVERAGE_OUTPUT}" -covermode atomic ./...

pipelines/shared-tasks/run-unit-tests/task.yml

@@ -7,7 +7,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: pinniped-ci

pipelines/shared-tasks/run-verify-go-generate/task.yml

@@ -7,7 +7,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: pinniped-ci

pipelines/shared-tasks/run-verify-go-mod-tidy/task.yml

@@ -7,7 +7,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: pinniped-ci

pipelines/shared-tasks/run-verify-lint/task.yml

@@ -7,7 +7,7 @@ image_resource:
   type: registry-image
   source:
     repository: golang
-    tag: '1.24.3'
+    tag: '1.25.5'
 inputs:
   - name: pinniped
   - name: pinniped-ci