Releases: cert-manager/trust-manager
v0.12.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.12.0 includes a variety of Helm chart improvements, notably including the ability to install trust-manager without having first installed cert-manager!
Overview
Standalone trust-manager
Previously, trust-manager required that cert-manager was installed for generating the trust-manager webhook certificate. cert-manager's cainjector was used to inject this webhook cert into the Kubernetes webhook resource.
Some users wanted to be able to install trust-manager standalone, and now this is possible thanks to Helm's inbuilt support for generating certificates. We'd like to note that relying on Helm for this functionality isn't likely to be the best way to run in production - we'd strongly suggest that running with cert-manager is the way to go, since that will handle cert rotation and be much easier to administer.
Still, for any user who wants to simply run trust-manager, that's now possible:
helm upgrade trust-manager jetstack/trust-manager \
--install \
--namespace cert-manager \
--wait \
--set app.webhook.tls.helmCert.enabled=true
Other Helm Improvements
There are even more improvements to the Helm chart:
- Support for configuring a dual stack service for the webhook (Thanks @M0NsTeRRR!)
- More configurability of trust-manager's leader-election including duration and deadline (Thanks @jabdoa2!)
What's Changed
New Features
- Add support for generating certificates with helm by @SgtCoDFish in #157
- feat(helm): dual-stack cluster service configuration by @M0NsTeRRR in #337
- Add flags to configure LeaseDuration and RenewDeadline by @jabdoa2 in #385
- Expose leader election leaseDuration and renewDeadline in helm chart by @jabdoa2 in #388
Refactors
- refactor: simplify SSA patch calls by @erikgb in #393
- refactor: move default truststore passwords to API by @erikgb in #394
- refactor: extract truststore encoding to internal package by @erikgb in #396
New Contributors
- @M0NsTeRRR made their first contribution in #337
Full Changelog: v0.11.1...v0.12.0
v0.11.1
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
What's Changed
- Bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4 in the all group by @dependabot in #369
- refactor: split bundle sync code into source and target by @erikgb in #370
- Bump the all group across 1 directory with 7 updates by @dependabot in #374
- refactor: build bundle data from relevant spec by @erikgb in #377
- Sort certificates in bundles to ensure deterministic behaviour by @jabdoa2 in #380
New Contributors
Full Changelog: v0.11.0...v0.11.1
v0.11.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.11.0 includes support for JSON logging, as well as some bug fixes and code quality improvements which have been made since the release of trust-manager v0.10.0
Notably, this release re-adds the s390x architecture which was missing in v0.10.0 and v0.10.1 and enables several linters to ensure the codebase remains at a high level of quality.
Feature Overview: JSON Logging
Prolific contributor @erikgb added support for JSON logging in trust-manager in #354 🚀
JSON logging can be enabled through the new app.logFormat
Helm value which defaults to text
but can be set to json
.
$ helm upgrade trust-manager jetstack/trust-manager \
--set app.logFormat=json \
--install \
--namespace cert-manager \
--wait
$ kubectl logs -n cert-manager trust-manager-xxxxx
{"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
...
Log Level Parsing
v0.11.0 also changes how log levels are parsed when passed in to trust-manager.
Previously, non-numeric log levels would be silently ignored, so if you set a log level of "v5" rather than "5", the setting would not take effect and the log level would default to 1. Now, log levels must be valid integers and trust-manager will fail to start if a log level is invalid.
This change will help to catch configuration errors.
What's Changed
Features
- Add support for JSON logging format by @erikgb in #354
- Re-add support for s390x by @SgtCoDFish in #366
Bug Fixes
- Fix use of system trust bundle when building package by @SgtCoDFish in #355
- Use the go version specified in the Makefile tools module by @inteon in #364
Testing / Code Quality
- Replace deprecated klog.New in tests with ktesting.NewTestContext by @erikgb in #352
- Deduplicate code for syncing target configmaps and secrets by @erikgb in #356
- Fix all linter issues and un-ignore golanci-lint linter exceptions by @inteon in #360
Docs
- Add RELEASE.md file to document release process by @ThatsMrTalbot in #365
Version Bumps
- [CI] Merge self-upgrade-main into main by @github-actions in #363
- [CI] Merge self-upgrade-main into main by @github-actions in #361
- [CI] Merge self-upgrade-main into main by @github-actions in #357
- [CI] Merge self-upgrade-main into main by @github-actions in #351
- [CI] Merge self-upgrade-main into main by @github-actions in #349
- Bump the all group with 5 updates by @dependabot in #350
- Bump the all group with 2 updates by @dependabot in #359
- Bump the all group with 2 updates by @dependabot in #362
Full Changelog: v0.10.0...v0.11.0
v0.10.2
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
The release of v0.10.2 was abandoned as the v0.10.2
tag was accidentally created containing changes which were larger than the scope of a patch release.
It will be replaced with v0.11.0
v0.10.1
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This patch release fixes a bug in the trust-manager build process causing it to be build with an out-of-date go version (1.22.0), instead of the latest Go version available at the time (1.22.3).
Warning
trust-manager v0.10.1 does not include images for s390x. This was an oversight arising from the migration to makefile-modules.
This will be fixed in trust-manager v0.11.0
Full Changelog: v0.10.0...v0.10.1
v0.10.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release is be the first trust-manager release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.
Warning
There was a bug with the release of trust-manager v0.10.0 which meant it was built with go 1.22.0 rather than the latest Go version available at the time (1.22.3).
This was fixed in trust-manager v0.10.1 and v0.11.0+
Warning
trust-manager v0.10.0 does not include images for s390x. This was an oversight arising from the migration to makefile-modules.
This will be fixed in trust-manager v0.11.0
What's Changed
- Allow replicaCount to be set to int or string by @erikgb in #320
- Also check for correct architectures in trust package build by @SgtCoDFish in #323
- Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
- Fix Bundle target print column by @erikgb in #344
- Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
- Make
Makefile
s reusable and automate release process by @inteon in #195
Dependency upgrades
- Bump the all group with 1 update by @dependabot in #322
- Bump the all group with 5 updates by @dependabot in #327
- Bump the all group with 2 updates by @dependabot in #329
- Bump protobuf version in hack gomod to fix CVE-2024-24786 by @SgtCoDFish in #332
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #338
- Bump the all group across 1 directory with 8 updates by @dependabot in #342
- Bump the all group with 2 updates by @dependabot in #345
- Bump the all group with 3 updates by @dependabot in #346
- Bump the all group with 2 updates by @dependabot in #347
New Contributors
- @DrFaust92 made their first contribution in #330
- @github-actions made their first contribution in #348
Full Changelog: v0.9.2...v0.10.0
v0.10.0-alpha.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release is an alpha release in preparation for v0.10.0
. This release will be the first release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.
What's Changed
- bump builder go to 1.22 by @SgtCoDFish in #321
- Allow replicaCount to be set to int or string by @erikgb in #320
- Also check for correct architectures in trust package build by @SgtCoDFish in #323
- Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
- Fix Bundle target print column by @erikgb in #344
- Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
- Make
Makefile
s reusable and automate release process by @inteon in #195
Dependency upgrades
- Bump the all group with 1 update by @dependabot in #322
- Bump the all group with 5 updates by @dependabot in #327
- Bump the all group with 2 updates by @dependabot in #329
- Bump protobuf version in hack gomod to fix CVE-2024-24786 by @SgtCoDFish in #332
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #338
- Bump the all group across 1 directory with 8 updates by @dependabot in #342
- Bump the all group with 2 updates by @dependabot in #345
- Bump the all group with 3 updates by @dependabot in #346
- Bump the all group with 2 updates by @dependabot in #347
New Contributors
- @DrFaust92 made their first contribution in #330
- @github-actions made their first contribution in #348
Full Changelog: v0.9.2...v0.10.0-alpha.0
v0.9.2
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.9.2 is another small bugfix release for a minor issue in the Helm chart's schema along with a small dependency update to fix a reported CVE. Thanks @DrFaust92 for fixing the schema!
What's Changed
- [release-0.9] Backport name override by @SgtCoDFish in #331
- [release-0.9] Fix CVE-2024-24786 by bumping protobuf lib by @SgtCoDFish in #333
Full Changelog: v0.9.1...v0.9.2
v0.9.1
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.9.1 is a small bugfix release for a minor issue in the Helm chart's schema. Thanks to @erikgb and @wallrj for the bugfix!
In addition, unrelated to this specific release, we're looking to rebuild the debian trust package to include the s390x architecture that was added in trust-manager v0.9.0. That will happen outside of the release process for v0.9.1.
What's Changed
- [release-0.9] Bump builder go to 1.22 by @SgtCoDFish in #325
- [release-0.9] Allow replicaCount to be set to int or string by @SgtCoDFish in #324
- [release-0.9] Bump to v0.9.1 by @SgtCoDFish in #326
Full Changelog: v0.9.0...v0.9.1
v0.9.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.9.0 contains a bunch of improvements and once again the awesome trust-manager community played a huge role!
Inclusions to note are:
- We fixed a bug (#296) which broke passwordless PKCS#12 files when read by Java.
- It's possible that this could have an effect on non-Java platforms, but in testing it seemed safe for both Go and Java
- We added support for the s390x architecture for trust-manager!
- We added a
crds.keep
option to reduce the risk of losing important data when uninstalling trust-manager - We fixed an issue with certificate deduplication when certs were present in multiple sources
As always, please report any issues either here in the repo, in a cert-manager meeting or on Slack!
Happy bundling!
Special Thanks
We'd like to thank the following for their contributions, expertise, time and patience since the last trust-manager release:
- @erikgb
- @rishikakedia
- @arsenalzp
- @niklastanner
- @ditatechwriter
- @justdan96
- @arjunprasad2143
- @dilipgb
- @bmhughes
- @mnlipp
- @Jiawei0227
In addition, a warm welcome to our latest reviewer @ThatsMrTalbot ! 🎉
What's Changed
New Features
- 💻 Enable trust manager on s390x by @rishikakedia in #315
- Helm: Uniformize all label include statements & add labels to pod template by @inteon in #306
- Add configurable common labels by @justdan96 in #149
- Add 'crds.keep' options to generated CRDs by @inteon in #288
Bug Fixes and Resilience Improvements
- Improve certificate deduplication operation by @arsenalzp in #303
- 🐛 Fix passwordless pkcs12 files for Java by @SgtCoDFish in #307
- Set a size limit on emptyDir by @SgtCoDFish in #308
- Generate values.schema.json by @inteon in #290
- Production readiness Helm chart tweaks by @wallrj in #309
- initContainer Resource Block: Fix #295 for merging by @SgtCoDFish in #316
- Bump toolchain to latest to address CVE-2024-24783 by @SgtCoDFish in #318
Documentation and Testing
- docs: updating chart values.yaml for better comment docs by @ditatechwriter in #280
- Update README.md and Chart.yaml by @inteon in #287
- Improve OCI image options' Helm README.md documentation by @inteon in #289
- Fix typo in Chart.yaml icon URL by @inteon in #292
- test: should test setBundleCondition as it's used by @erikgb in #284
Bumps and Miscellaneous
- 🎉 Add thatsmrtalbot as a reviewer by @inteon in #293
- Bump version for release @SgtCoDFish in #314
- Two tool update PRs by @inteon (#286, #317)
- Several @dependabot PRs (#313, #298, #285, #279)
New Contributors
- @ditatechwriter made their first contribution in #280
- @justdan96 made their first contribution in #149
- @wallrj made their first contribution in #309
- @rishikakedia made their first contribution in #315
Full Changelog: v0.8.0...v0.9.0