v0.4.0

trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.

This enables much easier cloud native private PKI while enabling easier updates of trusted certificates across your entire estate.

Major Features

Publicly Trusted Certificate Bundles

The most important new feature in v0.4.0 is the addition of publicly trusted certificate bundles!

By simply adding the useDefaultCAs: true source to your Bundle resource, you can include a publicly trusted bundle of certificates. This is similar to building your container with a Debian or "distroless" base image, and will allow most pods which use trust-manager generated certificate bundles to "just work" with most services today.

These bundles have been designed so that they can be updated separately to trust-manager, allowing you to keep running trust-manager while ensuring you have the latest CA bundle included.

trust-manager is now much easier to use as the single place for all trust management in a cluster; you don't need to bake bundles into your containers, which in turn means you no longer need to worry about rebuilding your entire container estate when your base image is updated to include a new trust bundle.

PEM Certificate Verification

Today, trust-manager entirely relies upon PEM certificates for creating and generating trust bundles. Longer term (see #98 !) we'd like to
support more types of input and output formats, but today we have PEM.

PEM is a reasonably simple format, but it can still be done wrong in many ways which might not comply with the standard - which in turn could mean that your certificates might not work when you need them to.

trust-manager now attempts to validate all input it receives so that an invalid certificate doesn't sneak through and cause problems down the road - and it'll also ensure that each source provides at least one valid PEM certificate, so you don't think that you added a new item to the trust store only to discover it was ignored!

Better OpenShift Support

trust-manager was previously difficult to use in some OpenShift and Kubernetes environments due to a missing permission in its ClusterRole, relating to Bundle finalizers.

We've now added that permission which should make it much easier to run trust-manager in more environments, including OpenShift and Kubernetes environments which set the OwnerReferencesPermissionEnforcement admission controller!

What's Changed

• Prefix release version with 'v' by @irbekrm in #68
• Add a static bundle sidecar container build by @SgtCoDFish in #73
• Update docker config to use a trust-manager-specific token by @SgtCoDFish in #74
• ✨ Add PEM verification function by @SgtCoDFish in #75
• Put seccomp behind a flag by @xrl in #70
• Fix broken link and old name references by @hdeadman in #78
• Fix incorrect variable reference which was missed in #77 by @SgtCoDFish in #80
• Pass GOPROXY to build environment by @SgtCoDFish in #79
• Fix logic error in trust-manager tests by @SgtCoDFish in #84
• Upgrade to ginkgo v2 + refactor several aspects of integration tests by @SgtCoDFish in #85
• ✨ Bundles with a sidecar container by @SgtCoDFish in #46
• Fix the MultiScopedCache by @inteon in #90
• Remove type from trust packages + add validation on package build by @SgtCoDFish in #88
• Validate CA package during build by @SgtCoDFish in #93
• Fix non-cached client by @inteon in #92
• Integration test tweaks by @SgtCoDFish in #86
• fix typo by @SgtCoDFish in #95
• Helm tweaks + better makefile "ensure" by @SgtCoDFish in #97
• Readme tweak taken from website#1160 by @SgtCoDFish in #103
• Rename '_test.go' suffix to test file by @inteon in #104
• Remove deprecated v1beta1 admission review version by @SgtCoDFish in #105
• Upgrade go dependencies by @inteon in #106
• Use a source and a target cache instead of a MultiScopedCache by @inteon in #107
• Make CRD installation optional by @maxsargentdev in #102
• ✨ Add missing permission to update bundle finalizers by @SgtCoDFish in #109 (thanks also to @wallrj !)
• Bumps + doc updates for 0.4.0 by @SgtCoDFish in #110
• Review suggestion for README by @SgtCoDFish in #111

New Contributors

• @irbekrm made their first contribution in #68
• @xrl made their first contribution in #70
• @hdeadman made their first contribution in #78
• @maxsargentdev made their first contribution in #102

Full Changelog: v0.3.0...v0.4.0

Note: The container images for this release are built against the v0.4.0 tag, as expected. The Helm chart is actually built against a following commit, since a required update to values.yaml had been missed (#114 ).

We didn't want to change the tag once it had been published, so we agreed this was the best way to proceed!

v0.3.0

What's Changed

• Update Eventually timeout to be 10s by @JoshVanL in #57
• Rename to trust-manager by @inteon in #64
• Update Certificate resource to include issuerRef and group. by @sitaramkm in #65
• Rename trust to trust-manager in README.md by @inteon in #66
• #14 Updating the apiVersion to v2 by @joscabmar in #61
• Release v0.3.0 by @inteon in #67

New Contributors

• @inteon made their first contribution in #64
• @sitaramkm made their first contribution in #65
• @joscabmar made their first contribution in #61

Full Changelog: v0.2.0...v0.3.0

v0.2.0

What's Changed

• Adds design doc for bundle CRD by @JoshVanL in #2
• Update OWNERS + Fix broken HTML by @SgtCoDFish in #9
• Update logo + link by @SgtCoDFish in #18
• feat: add image pull secrets to service account by @Jaxwood in #15
• Updates Dockerfile to use go v1.18 by @JoshVanL in #20
• Updates reference to jetstack/cert-manager to cert-manager/cert-manager in SECURITY.md by @JoshVanL in #22
• Makefile: go vet by @JoshVanL in #21
• Adds better WithName to logger to improve structure by @JoshVanL in #26
• Use the trust namespace as the namespace where the role and rolebinding are created in by @JoshVanL in #27
• Updates go modules and updates go version to v1.18 by @JoshVanL in #19
• Use smaller cert-manager logo by @SgtCoDFish in #30
• Removes docs from repo in favour of using cert-manager.io by @JoshVanL in #31
• docs: correct broken link to documentation by @erikgb in #34
• Add chart building + ensure BINDIR is created when running targets by @SgtCoDFish in #38
• Bundle: namespaceSelector by @JoshVanL in #37
• Increase timeout for bundle integration tests for desired state from 10s to 30s by @JoshVanL in #41
• Fix copy paste errors, add warning to readme by @SgtCoDFish in #45
• add restrictive securitycontext for controller pod by @SgtCoDFish in #47
• Updates Helm chart version to v0.1.2 by @JoshVanL in #48
• Update go to v1.19 by @JoshVanL in #50
• Use FROM scratch for base image by @JoshVanL in #51
• Remove same bundle target key validation check by @JoshVanL in #32
• Update tag to v0.2.0 ready for release by @JoshVanL in #52

New Contributors

• @SgtCoDFish made their first contribution in #9
• @Jaxwood made their first contribution in #15
• @erikgb made their first contribution in #34

Full Changelog: v0.1.0...v0.2.0

v0.1.0

Initial Release

trust is an operator for distributing trust bundles across a Kubernetes cluster. trust is designed to compliment cert-manager by enabling services to trust X.509 certificates signed by Issuers, as well as external CAs which may not be known to cert-manager at all.