v0.10.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is be the first trust-manager release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.

What's Changed

• bump builder go to 1.22 by @SgtCoDFish in #321
• Allow replicaCount to be set to int or string by @erikgb in #320
• Also check for correct architectures in trust package build by @SgtCoDFish in #323
• Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
• Fix Bundle target print column by @erikgb in #344
• Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
• Make Makefiles reusable and automate release process by @inteon in #195

Dependency upgrades

• Bump the all group with 1 update by @dependabot in #322
• Bump the all group with 5 updates by @dependabot in #327
• Bump the all group with 2 updates by @dependabot in #329
• Bump protobuf version in hack gomod to fix CVE-2024-24786 by @SgtCoDFish in #332
• Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #338
• Bump the all group across 1 directory with 8 updates by @dependabot in #342
• Bump the all group with 2 updates by @dependabot in #345
• Bump the all group with 3 updates by @dependabot in #346
• Bump the all group with 2 updates by @dependabot in #347

New Contributors

• @DrFaust92 made their first contribution in #330
• @github-actions made their first contribution in #348

Full Changelog: v0.9.2...v0.10.0

v0.10.0-alpha.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is an alpha release in preparation for v0.10.0. This release will be the first release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.

What's Changed

• bump builder go to 1.22 by @SgtCoDFish in #321
• Allow replicaCount to be set to int or string by @erikgb in #320
• Also check for correct architectures in trust package build by @SgtCoDFish in #323
• Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
• Fix Bundle target print column by @erikgb in #344
• Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
• Make Makefiles reusable and automate release process by @inteon in #195

Dependency upgrades

• Bump the all group with 1 update by @dependabot in #322
• Bump the all group with 5 updates by @dependabot in #327
• Bump the all group with 2 updates by @dependabot in #329
• Bump protobuf version in hack gomod to fix CVE-2024-24786 by @SgtCoDFish in #332
• Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #338
• Bump the all group across 1 directory with 8 updates by @dependabot in #342
• Bump the all group with 2 updates by @dependabot in #345
• Bump the all group with 3 updates by @dependabot in #346
• Bump the all group with 2 updates by @dependabot in #347

New Contributors

• @DrFaust92 made their first contribution in #330
• @github-actions made their first contribution in #348

Full Changelog: v0.9.2...v0.10.0-alpha.0

v0.9.2

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.9.2 is another small bugfix release for a minor issue in the Helm chart's schema along with a small dependency update to fix a reported CVE. Thanks @DrFaust92 for fixing the schema!

What's Changed

• [release-0.9] Backport name override by @SgtCoDFish in #331
• [release-0.9] Fix CVE-2024-24786 by bumping protobuf lib by @SgtCoDFish in #333

Full Changelog: v0.9.1...v0.9.2

v0.9.1

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.9.1 is a small bugfix release for a minor issue in the Helm chart's schema. Thanks to @erikgb and @wallrj for the bugfix!

In addition, unrelated to this specific release, we're looking to rebuild the debian trust package to include the s390x architecture that was added in trust-manager v0.9.0. That will happen outside of the release process for v0.9.1.

What's Changed

• [release-0.9] Bump builder go to 1.22 by @SgtCoDFish in #325
• [release-0.9] Allow replicaCount to be set to int or string by @SgtCoDFish in #324
• [release-0.9] Bump to v0.9.1 by @SgtCoDFish in #326

Full Changelog: v0.9.0...v0.9.1

v0.9.0

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.9.0 contains a bunch of improvements and once again the awesome trust-manager community played a huge role!

Inclusions to note are:

• We fixed a bug (#296) which broke passwordless PKCS#12 files when read by Java.
  • It's possible that this could have an effect on non-Java platforms, but in testing it seemed safe for both Go and Java
• We added support for the s390x architecture for trust-manager!
• We added a crds.keep option to reduce the risk of losing important data when uninstalling trust-manager
• We fixed an issue with certificate deduplication when certs were present in multiple sources

As always, please report any issues either here in the repo, in a cert-manager meeting or on Slack!

Happy bundling!

Special Thanks

We'd like to thank the following for their contributions, expertise, time and patience since the last trust-manager release:

• @erikgb
• @rishikakedia
• @arsenalzp
• @niklastanner
• @ditatechwriter
• @justdan96
• @arjunprasad2143
• @dilipgb
• @bmhughes
• @mnlipp
• @Jiawei0227

In addition, a warm welcome to our latest reviewer @ThatsMrTalbot ! 🎉

What's Changed

New Features

• 💻 Enable trust manager on s390x by @rishikakedia in #315
• Helm: Uniformize all label include statements & add labels to pod template by @inteon in #306
• Add configurable common labels by @justdan96 in #149
• Add 'crds.keep' options to generated CRDs by @inteon in #288

Bug Fixes and Resilience Improvements

• Improve certificate deduplication operation by @arsenalzp in #303
• 🐛 Fix passwordless pkcs12 files for Java by @SgtCoDFish in #307
• Set a size limit on emptyDir by @SgtCoDFish in #308
• Generate values.schema.json by @inteon in #290
• Production readiness Helm chart tweaks by @wallrj in #309
• initContainer Resource Block: Fix #295 for merging by @SgtCoDFish in #316
• Bump toolchain to latest to address CVE-2024-24783 by @SgtCoDFish in #318

Documentation and Testing

• docs: updating chart values.yaml for better comment docs by @ditatechwriter in #280
• Update README.md and Chart.yaml by @inteon in #287
• Improve OCI image options' Helm README.md documentation by @inteon in #289
• Fix typo in Chart.yaml icon URL by @inteon in #292
• test: should test setBundleCondition as it's used by @erikgb in #284

Bumps and Miscellaneous

• 🎉 Add thatsmrtalbot as a reviewer by @inteon in #293
• Bump version for release @SgtCoDFish in #314
• Two tool update PRs by @inteon (#286, #317)
• Several @dependabot PRs (#313, #298, #285, #279)

New Contributors

• @ditatechwriter made their first contribution in #280
• @justdan96 made their first contribution in #149
• @wallrj made their first contribution in #309
• @rishikakedia made their first contribution in #315

Full Changelog: v0.8.0...v0.9.0

v0.8.0

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.8.0 includes a bunch of new features, largely contributed by our awesome community!

Included is an option at startup to filter expired certificates from all bundles and the ability to include Secret and ConfigMap resources via labels.

There are also a bunch of improvements which make trust-manager easier to develop and iterate on, which isn't as exciting as new features but should make it easier for us to provide features going forwards!

Speaking of going forwards, trust-manager is on the road to v1! 🎉 From here, we want to stabilise our API, get our CRDs to v1beta1 and then v1, and bump trust-manager itself to v1. We don't have a timeline currently, but we think it's important to be clear that it's a goal of ours to be rock-solid and stable for everyone to build upon!

Special thanks to @erikgb for his efforts in reviewing, developing and helping in this release - it couldn't have happened without him!

⚠️ Known Issues

When using PKCS#12 targets with empty passwords, a PKCS#12 file will be generated that the Java keytool utility is unable to read. See #296

Read Before Updating

Removal of .status.target

trust-manager v0.8.0 removes the .status.target field from Bundle resources, which had a significant overhead to maintain and wasn't particularly useful as far as we could tell.

If you were previously relying on this field, you should be able to calculate it from the spec of your Bundle. We try to avoid breaking anything generally but we felt like this field was worth the removal.

What's Changed

New Features

• Add option to filter expired certificates from bundle by @Hoega in #273
• Add label selector option for Secret and ConfigMap sources by @ocampeau in #258
• Add support for additional pod annotations/labels by @jaygridley in #116
• Allow permissions to put the leases in the trust-manager namespace, not the trust namespace by @tspearconquest in #225

Changes

• Remove .status.target field from Bundle API by @erikgb in #230
• Encode additional target format just once per bundle reconcile by @erikgb in #241
• Add dedicated structures for PKCS12 and JKS stores by @arsenalzp in #253
• fix: Reconcile targets consistently by @erikgb in #260

Changes for trust-manager Developers

• Better handling of local arch differences by @SgtCoDFish in #250
• Improve package CI error handling by @SgtCoDFish in #247
• Improve makefile comments around image building by @SgtCoDFish in #268
• Move to helm-tool for docs by @ThatsMrTalbot in #278
• Do more of the container build process locally by @SgtCoDFish in #251
• Don't build trust bundle images using make image by @SgtCoDFish in #269
• Generate applyconfigurations for custom resources by @erikgb in #217
• Fix flaky tests by introducing komega by @erikgb in #252
• Fix apply-configuration gen for Bundle (cluster-scoped) by @erikgb in #257
• Fix apply configuration generation on macOS by @SgtCoDFish in #248
• Align BundleCondition with upstream metav1.Condition by @erikgb in #249

New Contributors

• @jaygridley made their first contribution in #116
• @tspearconquest made their first contribution in #225
• @ocampeau made their first contribution in #258
• @Hoega made their first contribution in #273
• @ThatsMrTalbot made their first contribution in #278

Full Changelog: v0.7.0...v0.8.0

v0.7.1

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.7.1 is a patch release fixing a bug in targets including PKCS#12 bundles - see #260 for details. All users are recommended to upgrade to this version from v0.7.0 immediately.

What's Changed

• Should reconcile targets consistently by @erikgb in #266
• Allow permissions to put the leases in the trust-manager namespace, not the trust namespace by @jetstack-bot in #263
• Fix flaky tests by introducing komega by @erikgb in #264
• Bump versions to fix trivy-reported vulns and prepare for release by @SgtCoDFish in #267

Full Changelog: v0.7.0...v0.7.1

v0.7.0

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.7.0 adds a huge variety of changes; chief among them is support for writing trust bundles to Kubernetes Secret resources, as well as support for optionally writing a PKCS#12 trust store to the target.

We also added support for server side apply and made a variety of improvements, tweaks and patches.

What's Changed

• Add Secret target support

  • feat: support secret as a target by @Jiawei0227 in #193
  • BUGFIX: fix bugs in validation logic for secret target & add tests by @inteon in #212
  • BUGFIX: support switching between target types by @inteon in #211
  • fix: should not have have read access to all secrets when secret targets disabled by @erikgb in #207
  • Cleanup patch functions Secret and ConfigMap targets by @inteon in #210

• Support PKCS12 truststores

  • Refactor CM binary data reconcile preparing for PKCS#12 support by @erikgb in #162
  • Add support for PKCS12 truststores by @erikgb in #163
  • Add support for PKCS12 truststores (update CRD) by @erikgb in #164

• Switch to SSA

  • Refactor util functions in preparation for SSA by @inteon in #170
  • Fix BundleStatus go definition in preparation for SSA by @inteon in #173
  • Use SSA by @inteon in #89
  • BUGFIX: fix migration from csa to ssa by @inteon in #178
  • Fix SSA migration field managers by @erikgb in #189
  • fix: add missing RBAC for CSA->SSA migration of bundles/status by @erikgb in #191
  • FIX: For CSA to SSA migration, we need UPDATE permission on the resource (not the sub-resource) by @inteon in #218

• Helm chart improvements

  • Add new optional registry and digest Helm values by @erikgb in #154
  • HELM: add options for configuring image by @inteon in #179
  • Update kubeVersion to allow for eks metadata at end of kubernetes ver… by @dsand1234 in #182
  • Add extra information to the Chart.yaml file by @inteon in #190
  • Allow enabling hostNetwork mode in Helm chart by @cablespaghetti in #156
  • allow setting namespace for helm chart by @vinny-sabatini in #198
  • Make seccompProfile optional in initContainer by @aelbarkani in #118
  • add a CN for the trust-manager certificate by @SgtCoDFish in #201
  • Allow configuring of the priorityClass by @WatcherWhale in #176
  • Use proper namespace for webhook by @joemccall86 in #215
  • Allow user to specify the name of cert-manager's ServiceAccount by @SgtCoDFish in #174

• Dependency upgrades:

  • Vendor dependencies correctly by @SgtCoDFish in #194
  • Upgrade to kubernetes 1.28 & c/r 0.16 by @inteon in #161
  • ci: verify all generated files are up-to-date by @erikgb in #166
  • Move from k8s.io/utils/pointer to k8s.io/utils/ptr by @inteon in #171
  • Fix misinterpretation, ByObject cache settings are GVK specific by @inteon in #172
  • Enable dependabot updates by @inteon in #197
  • Bump the all group with 7 updates by @dependabot in #202
  • Bump the all group with 1 update by @dependabot in #206
  • Remove patch versions from go directives by @SgtCoDFish in #209
  • Upgrade go to 1.21 by @inteon in #204

• Cleanup, refactor and bugfixes

  • Filter resources triggered by namespace by @inteon in #169
  • Refactor bundle controller setup by @erikgb in #185
  • Cleanup controller bootstrap by @erikgb in #188
  • Add certificates deduplication feature by @arsenalzp in #184
  • Update a couple of instances of the old project name by @SgtCoDFish in #192
  • Fix build on macOS / values.yaml wording tweaks by @SgtCoDFish in #200

New Contributors

Thank you to all of the many new contributors for this release - it's awesome to see such a long list of names ❤️

• @dsand1234 made their first contribution in #182
• @arsenalzp made their first contribution in #184
• @cablespaghetti made their first contribution in #156
• @vinny-sabatini made their first contribution in #198
• @Jiawei0227 made their first contribution in #193
• @aelbarkani made their first contribution in #118
• @dependabot made their first contribution in #202
• @WatcherWhale made their first contribution in #176
• @joemccall86 made their first contribution in #215

Full Changelog: v0.6.0...v0.7.0

v0.7.0-alpha.3

What's Changed

• Upgrade go to 1.21 by @inteon in #204
• Allow configuring of the priorityClass by @WatcherWhale in #176
• Bump the all group with 1 update by @dependabot in #206
• Remove patch versions from go directives by @SgtCoDFish in #209
• Cleanup patch functions Secret and ConfigMap targets by @inteon in #210
• BUGFIX: fix bugs in validation logic for secret target & add tests by @inteon in #212
• BUGFIX: support switching between target types by @inteon in #211
• fix: should not have have read access to all secrets when secret targets disabled by @erikgb in #207
• Bump release version to v0.7.0-alpha.3 by @inteon in #213

New Contributors

• @WatcherWhale made their first contribution in #176

Full Changelog: v0.7.0-alpha.2...v0.7.0-alpha.3

v0.6.1

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.6.1 is intended to fix CVE-2023-44487 and CVE-2023-39325, which relate to HTTP/2 servers in Go.

We have no particular reason to think that trust-manager was specifically vulnerable to (or even impacted by) these CVEs, but given their prominence we thought it best to patch them.

What's Changed

• [release-0.6] Bump deps to fix CVEs by @SgtCoDFish in #208

Full Changelog: v0.6.0...v0.6.1