Update Helm release trust-manager to v0.8.0
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| trust-manager | minor |
0.5.0 -> v0.8.0
|
Release Notes
cert-manager/trust-manager (trust-manager)
v0.8.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.8.0 includes a bunch of new features, largely contributed by our awesome community!
Included is an option at startup to filter expired certificates from all bundles and the ability to include Secret and ConfigMap resources via labels.
There are also a bunch of improvements which make trust-manager easier to develop and iterate on, which isn't as exciting as new features but should make it easier for us to provide features going forwards!
Speaking of going forwards, trust-manager is on the road to v1! v1beta1 and then v1, and bump trust-manager itself to v1. We don't have a timeline currently, but we think it's important to be clear that it's a goal of ours to be rock-solid and stable for everyone to build upon!
Special thanks to @erikgb for his efforts in reviewing, developing and helping in this release - it couldn't have happened without him!
Read Before Updating
Removal of .status.target
trust-manager v0.8.0 removes the .status.target field from Bundle resources, which had a significant overhead to maintain and wasn't particularly useful as far as we could tell.
If you were previously relying on this field, you should be able to calculate it from the spec of your Bundle. We try to avoid breaking anything generally but we felt like this field was worth the removal.
What's Changed
New Features
- Add option to filter expired certificates from bundle by @Hoega in https://github.com/cert-manager/trust-manager/pull/273
- Add label selector option for Secret and ConfigMap sources by @ocampeau in https://github.com/cert-manager/trust-manager/pull/258
- Add support for additional pod annotations/labels by @jaygridley in https://github.com/cert-manager/trust-manager/pull/116
- Allow permissions to put the leases in the trust-manager namespace, not the trust namespace by @tspearconquest in https://github.com/cert-manager/trust-manager/pull/225
Changes
- Remove
.status.targetfield from Bundle API by @erikgb in https://github.com/cert-manager/trust-manager/pull/230 - Encode additional target format just once per bundle reconcile by @erikgb in https://github.com/cert-manager/trust-manager/pull/241
- Add dedicated structures for PKCS12 and JKS stores by @arsenalzp in https://github.com/cert-manager/trust-manager/pull/253
- fix: Reconcile targets consistently by @erikgb in https://github.com/cert-manager/trust-manager/pull/260
Changes for trust-manager Developers
- Better handling of local arch differences by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/250
- Improve package CI error handling by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/247
- Improve makefile comments around image building by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/268
- Move to helm-tool for docs by @ThatsMrTalbot in https://github.com/cert-manager/trust-manager/pull/278
- Do more of the container build process locally by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/251
- Don't build trust bundle images using make image by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/269
- Generate applyconfigurations for custom resources by @erikgb in https://github.com/cert-manager/trust-manager/pull/217
- Fix flaky tests by introducing komega by @erikgb in https://github.com/cert-manager/trust-manager/pull/252
- Fix apply-configuration gen for Bundle (cluster-scoped) by @erikgb in https://github.com/cert-manager/trust-manager/pull/257
- Fix apply configuration generation on macOS by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/248
- Align BundleCondition with upstream metav1.Condition by @erikgb in https://github.com/cert-manager/trust-manager/pull/249
New Contributors
- @jaygridley made their first contribution in https://github.com/cert-manager/trust-manager/pull/116
- @tspearconquest made their first contribution in https://github.com/cert-manager/trust-manager/pull/225
- @ocampeau made their first contribution in https://github.com/cert-manager/trust-manager/pull/258
- @Hoega made their first contribution in https://github.com/cert-manager/trust-manager/pull/273
- @ThatsMrTalbot made their first contribution in https://github.com/cert-manager/trust-manager/pull/278
Full Changelog: https://github.com/cert-manager/trust-manager/compare/v0.7.0...v0.8.0
v0.7.1
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.7.1 is a patch release fixing a bug in targets including PKCS#12 bundles - see #260 for details. All users are recommended to upgrade to this version from v0.7.0 immediately.
What's Changed
- Should reconcile targets consistently by @erikgb in https://github.com/cert-manager/trust-manager/pull/266
- Allow permissions to put the leases in the trust-manager namespace, not the trust namespace by @jetstack-bot in https://github.com/cert-manager/trust-manager/pull/263
- Fix flaky tests by introducing komega by @erikgb in https://github.com/cert-manager/trust-manager/pull/264
- Bump versions to fix trivy-reported vulns and prepare for release by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/267
Full Changelog: https://github.com/cert-manager/trust-manager/compare/v0.7.0...v0.7.1
v0.7.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.7.0 adds a huge variety of changes; chief among them is support for writing trust bundles to Kubernetes Secret resources, as well as support for optionally writing a PKCS#12 trust store to the target.
We also added support for server side apply and made a variety of improvements, tweaks and patches.
What's Changed
-
Add Secret target support
- feat: support secret as a target by @Jiawei0227 in https://github.com/cert-manager/trust-manager/pull/193
- BUGFIX: fix bugs in validation logic for secret target & add tests by @inteon in https://github.com/cert-manager/trust-manager/pull/212
- BUGFIX: support switching between target types by @inteon in https://github.com/cert-manager/trust-manager/pull/211
- fix: should not have have read access to all secrets when secret targets disabled by @erikgb in https://github.com/cert-manager/trust-manager/pull/207
- Cleanup patch functions Secret and ConfigMap targets by @inteon in https://github.com/cert-manager/trust-manager/pull/210
-
Support PKCS12 truststores
- Refactor CM binary data reconcile preparing for PKCS#12 support by @erikgb in https://github.com/cert-manager/trust-manager/pull/162
- Add support for PKCS12 truststores by @erikgb in https://github.com/cert-manager/trust-manager/pull/163
- Add support for PKCS12 truststores (update CRD) by @erikgb in https://github.com/cert-manager/trust-manager/pull/164
-
Switch to SSA
- Refactor util functions in preparation for SSA by @inteon in https://github.com/cert-manager/trust-manager/pull/170
- Fix BundleStatus go definition in preparation for SSA by @inteon in https://github.com/cert-manager/trust-manager/pull/173
- Use SSA by @inteon in https://github.com/cert-manager/trust-manager/pull/89
- BUGFIX: fix migration from csa to ssa by @inteon in https://github.com/cert-manager/trust-manager/pull/178
- Fix SSA migration field managers by @erikgb in https://github.com/cert-manager/trust-manager/pull/189
- fix: add missing RBAC for CSA->SSA migration of bundles/status by @erikgb in https://github.com/cert-manager/trust-manager/pull/191
- FIX: For CSA to SSA migration, we need UPDATE permission on the resource (not the sub-resource) by @inteon in https://github.com/cert-manager/trust-manager/pull/218
-
Helm chart improvements
- Add new optional registry and digest Helm values by @erikgb in https://github.com/cert-manager/trust-manager/pull/154
- HELM: add options for configuring image by @inteon in https://github.com/cert-manager/trust-manager/pull/179
- Update kubeVersion to allow for eks metadata at end of kubernetes ver… by @dsand1234 in https://github.com/cert-manager/trust-manager/pull/182
- Add extra information to the Chart.yaml file by @inteon in https://github.com/cert-manager/trust-manager/pull/190
- Allow enabling hostNetwork mode in Helm chart by @cablespaghetti in https://github.com/cert-manager/trust-manager/pull/156
- allow setting namespace for helm chart by @vinny-sabatini in https://github.com/cert-manager/trust-manager/pull/198
- Make seccompProfile optional in initContainer by @aelbarkani in https://github.com/cert-manager/trust-manager/pull/118
- add a CN for the trust-manager certificate by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/201
- Allow configuring of the priorityClass by @WatcherWhale in https://github.com/cert-manager/trust-manager/pull/176
- Use proper namespace for webhook by @joemccall86 in https://github.com/cert-manager/trust-manager/pull/215
- Allow user to specify the name of cert-manager's ServiceAccount by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/174
-
Dependency upgrades:
- Vendor dependencies correctly by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/194
- Upgrade to kubernetes 1.28 & c/r 0.16 by @inteon in https://github.com/cert-manager/trust-manager/pull/161
- ci: verify all generated files are up-to-date by @erikgb in https://github.com/cert-manager/trust-manager/pull/166
- Move from k8s.io/utils/pointer to k8s.io/utils/ptr by @inteon in https://github.com/cert-manager/trust-manager/pull/171
- Fix misinterpretation, ByObject cache settings are GVK specific by @inteon in https://github.com/cert-manager/trust-manager/pull/172
- Enable dependabot updates by @inteon in https://github.com/cert-manager/trust-manager/pull/197
- Bump the all group with 7 updates by @dependabot in https://github.com/cert-manager/trust-manager/pull/202
- Bump the all group with 1 update by @dependabot in https://github.com/cert-manager/trust-manager/pull/206
- Remove patch versions from go directives by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/209
- Upgrade go to 1.21 by @inteon in https://github.com/cert-manager/trust-manager/pull/204
-
Cleanup, refactor and bugfixes
- Filter resources triggered by namespace by @inteon in https://github.com/cert-manager/trust-manager/pull/169
- Refactor bundle controller setup by @erikgb in https://github.com/cert-manager/trust-manager/pull/185
- Cleanup controller bootstrap by @erikgb in https://github.com/cert-manager/trust-manager/pull/188
- Add certificates deduplication feature by @arsenalzp in https://github.com/cert-manager/trust-manager/pull/184
- Update a couple of instances of the old project name by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/192
- Fix build on macOS / values.yaml wording tweaks by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/200
New Contributors
Thank you to all of the many new contributors for this release - it's awesome to see such a long list of names
- @dsand1234 made their first contribution in https://github.com/cert-manager/trust-manager/pull/182
- @arsenalzp made their first contribution in https://github.com/cert-manager/trust-manager/pull/184
- @cablespaghetti made their first contribution in https://github.com/cert-manager/trust-manager/pull/156
- @vinny-sabatini made their first contribution in https://github.com/cert-manager/trust-manager/pull/198
- @Jiawei0227 made their first contribution in https://github.com/cert-manager/trust-manager/pull/193
- @aelbarkani made their first contribution in https://github.com/cert-manager/trust-manager/pull/118
- @dependabot made their first contribution in https://github.com/cert-manager/trust-manager/pull/202
- @WatcherWhale made their first contribution in https://github.com/cert-manager/trust-manager/pull/176
- @joemccall86 made their first contribution in https://github.com/cert-manager/trust-manager/pull/215
Full Changelog: https://github.com/cert-manager/trust-manager/compare/v0.6.0...v0.7.0
v0.6.1
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.6.1 is intended to fix CVE-2023-44487 and CVE-2023-39325, which relate to HTTP/2 servers in Go.
We have no particular reason to think that trust-manager was specifically vulnerable to (or even impacted by) these CVEs, but given their prominence we thought it best to patch them.
What's Changed
- [release-0.6] Bump deps to fix CVEs by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/208
Full Changelog: https://github.com/cert-manager/trust-manager/compare/v0.6.0...v0.6.1
v0.6.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.6.0 includes a few bug fixes, some dependency bumps and an important quality-of-life fix for users who run approver-policy in their clusters!
approver-policy
trust-manager requires a certificate for its webhook, which is the part which checks if your Bundle resources are valid. Currently, trust-manager's helm chart depends on cert-manager for creating this certificate.
With the "default approver" enabled in cert-manager, this certificate will be auto-approved at install time. But if you're running approver-policy to have fine-grained control over the certificates you issue with cert-manager, you'll have disabled the default approver which in turn will mean that trust-manager "hangs" when you try to install it.
It's possible to manually approve the certificate using cmctl renew but manual steps aren't much fun. Instead, this release allows you to specify the new app.webhook.tls.approverPolicy.enabled Helm flag, which will create a policy permitting approver-policy to approve trust-manager's webhook certificate.
Note that you'll need to set app.webhook.tls.approverPolicy.certManagerNamespace too if you don't have cert-manager installed in the cert-manager namespace!
Validating Webhook Path Change
Updating our version of controller-runtime meant we had to change the URL at which the webhook receives validation requests, since this was changed in controller-runtime itself.
Previously (trust-manager v0.5.0 and earlier) the webhook listened on /validate but it now listens on /validate-trust-cert-manager-io-v1alpha1-bundle.
This shouldn't be a problem if you update your running containers (i.e. updating the Helm image.tag parameter to v0.6.0) at the same time as the helm chart - but it does mean that you cannot run the v0.6.0 Helm chart using the v0.5.0 images, and vice versa.
What's Changed
- Add support for approver policy by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/158
- Add description for JKS field for better docs by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/137
- Bump dependencies including changes to get latest controller-runtil library working by @irbekrm in https://github.com/cert-manager/trust-manager/pull/138
- Update OWNERS file, adding inteon and removing meyskens and jahrlin by @inteon in https://github.com/cert-manager/trust-manager/pull/152
- Setting useDefaultCAs: false no longer causes failures by @hazmat345 in https://github.com/cert-manager/trust-manager/pull/143
- Fix code generation by @Jamstah in https://github.com/cert-manager/trust-manager/pull/146
- Bump versions ready for v0.6.0 by @SgtCoDFish in https://github.com/cert-manager/trust-manager/pull/160
New Contributors
- @hazmat345 made their first contribution in https://github.com/cert-manager/trust-manager/pull/143
- @Jamstah made their first contribution in https://github.com/cert-manager/trust-manager/pull/146
Full Changelog: https://github.com/cert-manager/trust-manager/compare/v0.5.0...v0.6.0
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot. Tell Nogweii if it blows up.