v0.7.0

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.7.0 adds a huge variety of changes; chief among them is support for writing trust bundles to Kubernetes Secret resources, as well as support for optionally writing a PKCS#12 trust store to the target.

We also added support for server side apply and made a variety of improvements, tweaks and patches.

What's Changed

• Add Secret target support

  • feat: support secret as a target by @Jiawei0227 in #193
  • BUGFIX: fix bugs in validation logic for secret target & add tests by @inteon in #212
  • BUGFIX: support switching between target types by @inteon in #211
  • fix: should not have have read access to all secrets when secret targets disabled by @erikgb in #207
  • Cleanup patch functions Secret and ConfigMap targets by @inteon in #210

• Support PKCS12 truststores

  • Refactor CM binary data reconcile preparing for PKCS#12 support by @erikgb in #162
  • Add support for PKCS12 truststores by @erikgb in #163
  • Add support for PKCS12 truststores (update CRD) by @erikgb in #164

• Switch to SSA

  • Refactor util functions in preparation for SSA by @inteon in #170
  • Fix BundleStatus go definition in preparation for SSA by @inteon in #173
  • Use SSA by @inteon in #89
  • BUGFIX: fix migration from csa to ssa by @inteon in #178
  • Fix SSA migration field managers by @erikgb in #189
  • fix: add missing RBAC for CSA->SSA migration of bundles/status by @erikgb in #191
  • FIX: For CSA to SSA migration, we need UPDATE permission on the resource (not the sub-resource) by @inteon in #218

• Helm chart improvements

  • Add new optional registry and digest Helm values by @erikgb in #154
  • HELM: add options for configuring image by @inteon in #179
  • Update kubeVersion to allow for eks metadata at end of kubernetes ver… by @dsand1234 in #182
  • Add extra information to the Chart.yaml file by @inteon in #190
  • Allow enabling hostNetwork mode in Helm chart by @cablespaghetti in #156
  • allow setting namespace for helm chart by @vinny-sabatini in #198
  • Make seccompProfile optional in initContainer by @aelbarkani in #118
  • add a CN for the trust-manager certificate by @SgtCoDFish in #201
  • Allow configuring of the priorityClass by @WatcherWhale in #176
  • Use proper namespace for webhook by @joemccall86 in #215
  • Allow user to specify the name of cert-manager's ServiceAccount by @SgtCoDFish in #174

• Dependency upgrades:

  • Vendor dependencies correctly by @SgtCoDFish in #194
  • Upgrade to kubernetes 1.28 & c/r 0.16 by @inteon in #161
  • ci: verify all generated files are up-to-date by @erikgb in #166
  • Move from k8s.io/utils/pointer to k8s.io/utils/ptr by @inteon in #171
  • Fix misinterpretation, ByObject cache settings are GVK specific by @inteon in #172
  • Enable dependabot updates by @inteon in #197
  • Bump the all group with 7 updates by @dependabot in #202
  • Bump the all group with 1 update by @dependabot in #206
  • Remove patch versions from go directives by @SgtCoDFish in #209
  • Upgrade go to 1.21 by @inteon in #204

• Cleanup, refactor and bugfixes

  • Filter resources triggered by namespace by @inteon in #169
  • Refactor bundle controller setup by @erikgb in #185
  • Cleanup controller bootstrap by @erikgb in #188
  • Add certificates deduplication feature by @arsenalzp in #184
  • Update a couple of instances of the old project name by @SgtCoDFish in #192
  • Fix build on macOS / values.yaml wording tweaks by @SgtCoDFish in #200

New Contributors

Thank you to all of the many new contributors for this release - it's awesome to see such a long list of names ❤️

• @dsand1234 made their first contribution in #182
• @arsenalzp made their first contribution in #184
• @cablespaghetti made their first contribution in #156
• @vinny-sabatini made their first contribution in #198
• @Jiawei0227 made their first contribution in #193
• @aelbarkani made their first contribution in #118
• @dependabot made their first contribution in #202
• @WatcherWhale made their first contribution in #176
• @joemccall86 made their first contribution in #215

Full Changelog: v0.6.0...v0.7.0

v0.7.0-alpha.3

What's Changed

• Upgrade go to 1.21 by @inteon in #204
• Allow configuring of the priorityClass by @WatcherWhale in #176
• Bump the all group with 1 update by @dependabot in #206
• Remove patch versions from go directives by @SgtCoDFish in #209
• Cleanup patch functions Secret and ConfigMap targets by @inteon in #210
• BUGFIX: fix bugs in validation logic for secret target & add tests by @inteon in #212
• BUGFIX: support switching between target types by @inteon in #211
• fix: should not have have read access to all secrets when secret targets disabled by @erikgb in #207
• Bump release version to v0.7.0-alpha.3 by @inteon in #213

New Contributors

• @WatcherWhale made their first contribution in #176

Full Changelog: v0.7.0-alpha.2...v0.7.0-alpha.3

v0.6.1

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.6.1 is intended to fix CVE-2023-44487 and CVE-2023-39325, which relate to HTTP/2 servers in Go.

We have no particular reason to think that trust-manager was specifically vulnerable to (or even impacted by) these CVEs, but given their prominence we thought it best to patch them.

What's Changed

• [release-0.6] Bump deps to fix CVEs by @SgtCoDFish in #208

Full Changelog: v0.6.0...v0.6.1

v0.7.0-alpha.2

What's Changed

• fix: add missing RBAC for CSA->SSA migration of bundles/status by @erikgb in #191
• Update a couple of instances of the old project name by @SgtCoDFish in #192
• Vendor dependencies correctly by @SgtCoDFish in #194
• Allow enabling hostNetwork mode in Helm chart by @cablespaghetti in #156
• allow setting namespace for helm chart by @vinny-sabatini in #198
• feat: support secret as a target by @Jiawei0227 in #193
• Fix build on macOS / values.yaml wording tweaks by @SgtCoDFish in #200
• Make seccompProfile optional in initContainer by @aelbarkani in #118
• Enable dependabot updates by @inteon in #197
• Bump the all group with 7 updates by @dependabot in #202
• add a CN for the trust-manager certificate by @SgtCoDFish in #201
• Preparing release v0.7.0-alpha.2 by @inteon in #203

New Contributors

• @cablespaghetti made their first contribution in #156
• @vinny-sabatini made their first contribution in #198
• @Jiawei0227 made their first contribution in #193
• @aelbarkani made their first contribution in #118
• @dependabot made their first contribution in #202

Full Changelog: v0.7.0-alpha.1...v0.7.0-alpha.2

v0.7.0-alpha.1

What's Changed

• Allow user to specify the name of cert-manager's ServiceAccount by @SgtCoDFish in #174
• HELM: add options for configuring image by @inteon in #179
• BUGFIX: fix migration from csa to ssa by @inteon in #178
• Update kubeVersion to allow for eks metadata at end of kubernetes ver… by @dsand1234 in #182
• Refactor bundle controller setup by @erikgb in #185
• Cleanup controller bootstrap by @erikgb in #188
• Add certificates deduplication feature by @arsenalzp in #184
• Fix SSA migration field managers by @erikgb in #189
• Add extra information to the Chart.yaml file by @inteon in #190
• Bump version to v0.7.0-alpha.1 by @inteon in #186

New Contributors

• @dsand1234 made their first contribution in #182
• @arsenalzp made their first contribution in #184

Full Changelog: v0.7.0-alpha.0...v0.7.0-alpha.1

v0.7.0-alpha.0

What's Changed

• Add new optional registry and digest Helm values by @erikgb in #154
• Refactor CM binary data reconcile preparing for PKCS#12 support by @erikgb in #162
• Add support for PKCS12 truststores by @erikgb in #163
• Add support for PKCS12 truststores (update CRD) by @erikgb in #164
• Add erikgb to project reviewers by @erikgb in #167
• Upgrade to kubernetes 1.28 & c/r 0.16 by @inteon in #161
• ci: verify all generated files are up-to-date by @erikgb in #166
• Filter resources triggered by namespace by @inteon in #169
• Move from k8s.io/utils/pointer to k8s.io/utils/ptr by @inteon in #171
• Fix misinterpretation, ByObject cache settings are GVK specific by @inteon in #172
• Refactor util functions in preparation for SSA by @inteon in #170
• Fix BundleStatus go definition in preparation for SSA by @inteon in #173
• Use SSA by @inteon in #89
• Release v0.7.0-alpha.0 by @inteon in #177

Full Changelog: v0.6.0...v0.7.0-alpha.0

v0.6.0

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.6.0 includes a few bug fixes, some dependency bumps and an important quality-of-life fix for users who run approver-policy in their clusters!

approver-policy

trust-manager requires a certificate for its webhook, which is the part which checks if your Bundle resources are valid. Currently, trust-manager's helm chart depends on cert-manager for creating this certificate.

With the "default approver" enabled in cert-manager, this certificate will be auto-approved at install time. But if you're running approver-policy to have fine-grained control over the certificates you issue with cert-manager, you'll have disabled the default approver which in turn will mean that trust-manager "hangs" when you try to install it.

It's possible to manually approve the certificate using cmctl renew but manual steps aren't much fun. Instead, this release allows you to specify the new app.webhook.tls.approverPolicy.enabled Helm flag, which will create a policy permitting approver-policy to approve trust-manager's webhook certificate.

Note that you'll need to set app.webhook.tls.approverPolicy.certManagerNamespace too if you don't have cert-manager installed in the cert-manager namespace!

Validating Webhook Path Change

Updating our version of controller-runtime meant we had to change the URL at which the webhook receives validation requests, since this was changed in controller-runtime itself.

Previously (trust-manager v0.5.0 and earlier) the webhook listened on /validate but it now listens on /validate-trust-cert-manager-io-v1alpha1-bundle.

This shouldn't be a problem if you update your running containers (i.e. updating the Helm image.tag parameter to v0.6.0) at the same time as the helm chart - but it does mean that you cannot run the v0.6.0 Helm chart using the v0.5.0 images, and vice versa.

What's Changed

• Add support for approver policy by @SgtCoDFish in #158
• Add description for JKS field for better docs by @SgtCoDFish in #137
• Bump dependencies including changes to get latest controller-runtil library working by @irbekrm in #138
• Update OWNERS file, adding inteon and removing meyskens and jahrlin by @inteon in #152
• Setting useDefaultCAs: false no longer causes failures by @hazmat345 in #143
• Fix code generation by @Jamstah in #146
• Bump versions ready for v0.6.0 by @SgtCoDFish in #160

New Contributors

• @hazmat345 made their first contribution in #143
• @Jamstah made their first contribution in #146

Full Changelog: v0.5.0...v0.6.0

v0.5.0

trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.

v0.5.0 introduces support for writing JKS formatted trust bundles, along with a set of improvements to our Helm chart and a bunch of other tweaks.

Special thanks to all of the contributors and to @xxmaestroxx, @vinzent, @hazmat345 and @claudiuavat1 for testing the beta releases of this version to help iron out bugs 🐛

JKS Support

Lots of Java applications consume trust stores not from the PEM bundles which trust-manager has always supported, but from binary JKS files. Using PEM bundles in Java can be a pain, and we heard that loud and clear!

We've introduced support for JKS files in trust-manager, as an additional (binary) field you can add to your targets!

For an example, see the below Bundle definition:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: jks-test-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    configMap:
      key: "target-key"
    additionalFormats:
      jks:
        key: "my-bundle.jks"

What's Changed

• Add support for JKS truststores by @aidy in #122
• Use ordered aliases when creating JKS files by @SgtCoDFish in #127
• Ensure unique aliases in JKS files by @SgtCoDFish in #129
• Minor restructure for ko compatibility by @aidy in #124
• Bump to v0.5.0-beta.0 for release by @SgtCoDFish in #125
• Allow node selection based on nodeSelector, tolerations, affinities and topologySpreadConstraints (fixes #13) by @stzov in #117
• Make installation of default trust package optional in helm chart by @siiimooon in #121
• Add descriptions for some helm chart fields by @SgtCoDFish in #126
• Formatting improvements, tests for dummy certs by @SgtCoDFish in #128
• Explicitly define resource namespaces in Helm chart by @inteon in #123
• Use boilersuite for boilerplate verification by @SgtCoDFish in #130
• Add a design for public trust bundles by @SgtCoDFish in #43

New Contributors

• @aidy made their first contribution in #122
• @stzov made their first contribution in #117
• @siiimooon made their first contribution in #121

Full Changelog: v0.4.0...v0.5.0

v0.5.0-beta.1

trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.

This prerelease version is intended as a follow up to v0.5.0-beta.0, allowing users to test the new JKS support available in trust-manager. It fixes a bug in the original implementation of the JKS feature which meant some certificates wouldn't appear in the resulting JKS file - this was addressed in #127 - special thanks to @claudiuavat1 and @hazmat345 for their debugging efforts!

Several other pull requests landed, mostly tweaking helm charts to allow for easier use.

Users can test JKS functionality using a bundle such as the following:

{
  "apiVersion": "trust.cert-manager.io/v1alpha1",
  "kind": "Bundle",
  "metadata": {
    "name": "testing"
  },
  "spec": {
    "sources": [
      {
        "useDefaultCAs": true
      }
    ],
    "target": {
      "additionalFormats": {
        "jks": {
          "key": "my-bundle.jks"
        }
      },
      "configMap": {
        "key": "mybundle.pem"
      }
    }
  }
}

What's Changed

• ⭐ Use ordered aliases when creating JKS files by @SgtCoDFish in #127
• Allow node selection based on nodeSelector, tolerations, affinities and topologySpreadConstraints (fixes #13) by @stzov in #117
• helm: make installation of default trust package optional by @siiimooon in #121
• Add descriptions for some helm chart fields by @SgtCoDFish in #126
• Formatting improvements, tests for dummy certs by @SgtCoDFish in #128
• Explicitly define resource namespaces in Helm chart by @inteon in #123
• Use boilersuite for boilerplate verification by @SgtCoDFish in #130
• Ensure unique aliases in JKS files by @SgtCoDFish in #129
• Bump version to v0.5.0-beta.1 by @SgtCoDFish in #134

New Contributors

• @stzov made their first contribution in #117
• @siiimooon made their first contribution in #121

Full Changelog: v0.5.0-beta.0...v0.5.0-beta.1

v0.5.0-beta.0

trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.

This prerelease version is intended to allow users to test the new JKS support available in trust-manager.

Users can test JKS functionality using a bundle such as the following:

{
  "apiVersion": "trust.cert-manager.io/v1alpha1",
  "kind": "Bundle",
  "metadata": {
    "name": "testing"
  },
  "spec": {
    "sources": [
      {
        "useDefaultCAs": true
      }
    ],
    "target": {
      "additionalFormats": {
        "jks": {
          "key": "my-bundle.jks"
        }
      },
      "configMap": {
        "key": "mybundle.pem"
      }
    }
  }
}

What's Changed

• Add support for JKS truststores by @aidy in #122
• Bump values in helm chart by @SgtCoDFish in #114
• Add a design for public trust bundles by @SgtCoDFish in #43
• Minor restructure for ko compatibility by @aidy in #124
• Bump to v0.5.0-beta.0 for release by @SgtCoDFish in #125

New Contributors

• @aidy made their first contribution in #122 🎉

Full Changelog: v0.4.0...v0.5.0-beta.0