
Releases: cert-manager/trust-manager

v0.15.0

13 Jan 13:59
41f8200

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

The most important changes in this release are a slew of version bumps, with some important consequences for how trust-manager parses certificates.

trust-manager v0.15.0 uses Go 1.23, which by default disallows parsing of certificates with negative serial numbers. Most certificates are unaffected by this, since a negative serial number would be in violation of relevant standards and specs.

Unfortunately, some legacy certificates are not compliant, and there are certificates in the wild with negative serial numbers, including one certificate which appears in the trust-manager default trust package (since it was included in Debian 10).

We've decided to make this certificate a special case and ignore it when it's included in a bundle. While it's still present in the trust package container image, it will be ignored when the cert-manager-package-debian:20210119.0 package is used or if it is manually included. Each time it's ignored, a log line will be emitted:

time=2025-01-13T11:37:10.034Z level=INFO msg="skipping a certificate in PEM bundle for compatibility reasons" logger=trust/bundle/cert-pool details="cert in bundle with CN=EC-ACC and fingerprint '88497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799' has negative serial number and will be skipped"

If you depend on trusting certs with negative serial numbers, support for them can be re-enabled at runtime by setting the GODEBUG environment variable to x509negativeserial=1 in the trust-manager container:

        env:
        - name: GODEBUG
          value: x509negativeserial=1

If this value is not set, which is the default behavior, every certificate with a negative serial number will cause an error for the bundle, except for the special-case certificate above, which will be skipped.
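To find out before upgrading whether a bundle you feed to trust-manager contains any certificate with a negative serial number, here is an added, dependency-free audit script (not trust-manager's own code) that walks the DER of each PEM certificate to the serialNumber INTEGER and checks its sign bit. It reports a SHA-256 over the certificate DER; that this matches the fingerprint format in trust-manager's log line is an assumption, and the sample "certificates" embedded below are constructed stubs containing only the leading tbsCertificate fields.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_is_negative(der):
    """Certificate -> tbsCertificate -> optional [0] version -> serialNumber INTEGER.
    DER INTEGERs are two's complement, so a set MSB in the first byte means negative."""
    _, tbs_start, _ = _tlv(der, 0)                 # outer Certificate SEQUENCE
    _, field, _ = _tlv(der, tbs_start)             # tbsCertificate SEQUENCE
    tag, vstart, vend = _tlv(der, field)
    if tag == 0xA0:                                # explicit [0] version present; skip it
        tag, vstart, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber in tbsCertificate")
    return bool(der[vstart] & 0x80)


def audit_bundle(pem_text):
    """Return [(sha256_hex_of_der, has_negative_serial), ...] for every cert in a PEM bundle."""
    out = []
    for m in PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        out.append((hashlib.sha256(der).hexdigest(), serial_is_negative(der)))
    return out


# Constructed sample input (not real certificates): only version and serialNumber are present.
def _enc(tag, body):
    return bytes([tag, len(body)]) + body           # short-form length suffices for these stubs

def _stub_cert_pem(serial):
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, serial))
    b64 = base64.b64encode(_enc(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = _stub_cert_pem(b"\x01\x23\x45") + _stub_cert_pem(b"\x85\x7f\x01")

if __name__ == "__main__":
    for fp, neg in audit_bundle(SAMPLE_BUNDLE):
        print(f"{fp}  negative_serial={neg}")
```

Run it against the PEM you mount as a Bundle source; any entry reported with negative_serial=True will be rejected by v0.15.0 unless it is the special-cased certificate or GODEBUG=x509negativeserial=1 is set.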

What's Changed

Important Changes

  • Bump to Go 1.23 (and allow certificates with negative serial numbers) by @erikgb in #511
  • Add special case handling of cert with negative serial number by @SgtCoDFish in #515

Makefile Modules Bumps, Fixes and Tweaks

  • Remove unused Makefile variables by @erikgb in #494
  • Manual makefile modules update by @SgtCoDFish in #516
  • Add Helm chart OCI release to GH automation by @inteon in #506
  • Add 'fetch-depth: 0' to Debian trust bundle GH checkout action by @inteon in #523
  • [CI] Merge self-upgrade-main into main by @github-actions in #498
  • [CI] Merge self-upgrade-main into main by @github-actions in #500
  • build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #502
  • [CI] Merge self-upgrade-main into main by @github-actions in #504
  • [CI] Merge self-upgrade-main into main by @github-actions in #505
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #509
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #519
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #520
  • [CI] Merge self-upgrade-main into main by @github-actions in #525
  • [CI] Merge self-upgrade-main into main by @github-actions in #529

Dependency Bumps / Miscellaneous Changes

  • Update readme to better reflect project status today by @SgtCoDFish in #508
  • build(deps): Bump the all group with 5 updates by @dependabot in #507
  • build(deps): Bump the all group across 1 directory with 9 updates by @dependabot in #524
  • build(deps): Bump sigs.k8s.io/controller-runtime from 0.19.3 to 0.19.4 in the all group by @dependabot in #527

Full Changelog: v0.14.0...v0.15.0

v0.15.0-alpha.0

13 Jan 11:30
d685a48
Pre-release


v0.15.0-alpha.0 was a test release for testing some of our internal automation. We don't recommend installing this release.

v0.14.0

02 Dec 13:29
f3cd2f5


v0.14.0 is a minor release including new features, some bugfixes, refactors and dependency updates.

Among the new features is support for set-based requirements (matchExpressions) when selecting namespaces to target with a Bundle.

This release also includes some major bugfixes:

  • Allow key to be omitted when using the new includeAllKeys field introduced in v0.13.0 by @juliocamarero.
  • Updating JKS/PKCS#12 target truststores when password changes by @arsenalzp and @inteon.

Thanks to all contributors! 🚀

New features

Bugfixes

  • Fix crd validation: Key should not be required anymore in bundle source resources by @juliocamarero in #474
  • Fix issue with updating of JKS/PKCS targets when password changes #449 (review) by @inteon in #480
  • Fix issue with updating of JKS/PKCS targets when password changes by @arsenalzp in #449

Enhancements and Refactorings

  • Improve OpenAPI validation and SSA Golang markers by @erikgb in #477
  • refactor: more generic target handling by @erikgb in #440
  • Set dummy Helm chart versions by @erikgb in #490
  • Remove generated api-docs by @erikgb in #491

Automated Dependency Bumps

  • build(deps): Bump the all group with 2 updates by @dependabot in #464
  • build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #473
  • build(deps): Bump the all group with 6 updates by @dependabot in #481
  • build(deps): Bump sigs.k8s.io/controller-runtime from 0.19.1 to 0.19.2 in the all group by @dependabot in #484
  • build(deps): Bump the all group with 2 updates by @dependabot in #487

Automated Makefile Modules Updates

  • [CI] Merge self-upgrade-main into main by @github-actions in #470
  • [CI] Merge self-upgrade-main into main by @github-actions in #471
  • [CI] Merge self-upgrade-main into main by @github-actions in #472
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #479
  • [CI] Merge self-upgrade-main into main by @github-actions in #483
  • [CI] Merge self-upgrade-main into main by @github-actions in #488
  • [CI] Merge self-upgrade-main into main by @github-actions in #492

New Contributors

Full Changelog: v0.13.0...v0.14.0

v0.13.0

29 Oct 16:54
e631941


v0.13.0 is a minor release to include a swathe of dependency updates, refactors and a few new features.

Among the new features is the new optional includeAllKeys field for Secret and ConfigMap sources, by @juliocamarero. Previously, these sources required users to specify an individual key to include in the resulting bundle. With this new field, you can request that all keys be included instead. Note that Secret sources of kubernetes.io/tls type are not eligible for use with includeAllKeys, to avoid trust-manager reading a private key.

In addition, @arsenalzp landed a great PR which cleans up handling of certificates within trust-manager, reducing the number of encode/decode operations done during a bundle reconcile.

What's Changed

  • Support for including all certificates from a secret/configMap in bundle source by @juliocamarero in #460
  • Introduce certificate pool structure and remove multiple encode/decode process by @arsenalzp in #375
  • Fix example of topologySpreadConstraints to reference trust-manager by @SgtCoDFish in #401
  • Bump sigs.k8s.io/controller-runtime to 0.19.0 by @erikgb in #414
  • fix: don't error if source selector selects no sources by @erikgb in #432
  • ci: fix new copyloopvar lint errors by @erikgb in #445
  • test: add tests for truststore deterministic by @erikgb in #443

Refactoring

  • refactor: move FieldManager to more available package by @erikgb in #397
  • refactor: fix name and import alias collisions by @erikgb in #412
  • refactor: dedicated target data struct by @erikgb in #415
  • refactor: move function for creating managed field entries by @erikgb in #413
  • refactor: use NamespacedName instead of positional name/namespace by @erikgb in #435
  • refactor: reduce duplication in sync target functions by @erikgb in #436
  • refactor: establish target.Reconciler by @erikgb in #378

Automated Dependency Bumps

  • Bump the all group across 1 directory with 2 updates by @dependabot in #404
  • Bump the all group with 2 updates by @dependabot in #398
  • Bump k8s.io/cli-runtime from 0.30.3 to 0.31.0 in the all group across 1 directory by @dependabot in #417
  • Bump the all group across 1 directory with 3 updates by @dependabot in #429
  • build(deps): Bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 in the all group by @dependabot in #463
  • Bump the all group with 5 updates by @dependabot in #438
  • build(deps): Bump the all group with 5 updates by @dependabot in #461

Automated Makefile Modules Updates

  • [CI] Merge self-upgrade-main into main by @github-actions in #400
  • [CI] Merge self-upgrade-main into main by @github-actions in #402
  • [CI] Merge self-upgrade-main into main by @github-actions in #405
  • [CI] Merge self-upgrade-main into main by @github-actions in #410
  • [CI] Merge self-upgrade-main into main by @github-actions in #416
  • [CI] Merge self-upgrade-main into main by @github-actions in #418
  • [CI] Merge self-upgrade-main into main by @github-actions in #422
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #423
  • [CI] Merge self-upgrade-main into main by @github-actions in #427
  • [CI] Merge self-upgrade-main into main by @github-actions in #430
  • [CI] Merge self-upgrade-main into main by @github-actions in #431
  • [CI] Merge self-upgrade-main into main by @github-actions in #437
  • [CI] Merge self-upgrade-main into main by @github-actions in #439
  • [CI] Merge self-upgrade-main into main by @github-actions in #441
  • [CI] Merge self-upgrade-main into main by @github-actions in #444
  • [CI] Merge self-upgrade-main into main by @github-actions in #446
  • [CI] Merge self-upgrade-main into main by @github-actions in #448
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #450
  • [CI] Merge self-upgrade-main into main by @github-actions in #451
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #456
  • [CI] Merge self-upgrade-main into main by @github-actions in #462

New Contributors

Full Changelog: v0.12.0...v0.13.0

v0.12.0

19 Jul 12:32
db4471f


v0.12.0 includes a variety of Helm chart improvements, notably including the ability to install trust-manager without having first installed cert-manager!

Overview

Standalone trust-manager

Previously, trust-manager required that cert-manager be installed in order to generate the trust-manager webhook certificate: cert-manager's cainjector was used to inject this webhook cert into the Kubernetes webhook resource.

Some users wanted to be able to install trust-manager standalone, and now this is possible thanks to Helm's inbuilt support for generating certificates. We'd like to note that relying on Helm for this functionality isn't likely to be the best way to run in production - we'd strongly suggest that running with cert-manager is the way to go, since that will handle cert rotation and be much easier to administer.

Still, for any user who wants to simply run trust-manager, that's now possible:

helm upgrade trust-manager jetstack/trust-manager \
  --install \
  --namespace cert-manager \
  --wait \
  --set app.webhook.tls.helmCert.enabled=true

Other Helm Improvements

There are even more improvements to the Helm chart:

  1. Support for configuring a dual stack service for the webhook (Thanks @M0NsTeRRR!)
  2. More configurability of trust-manager's leader-election including duration and deadline (Thanks @jabdoa2!)

What's Changed

New Features

  • Add support for generating certificates with helm by @SgtCoDFish in #157
  • feat(helm): dual-stack cluster service configuration by @M0NsTeRRR in #337
  • Add flags to configure LeaseDuration and RenewDeadline by @jabdoa2 in #385
  • Expose leader election leaseDuration and renewDeadline in helm chart by @jabdoa2 in #388

Refactors

  • refactor: simplify SSA patch calls by @erikgb in #393
  • refactor: move default truststore passwords to API by @erikgb in #394
  • refactor: extract truststore encoding to internal package by @erikgb in #396

New Contributors

Full Changelog: v0.11.1...v0.12.0

v0.11.1

15 Jul 11:59
ef5428c


What's Changed

  • Bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4 in the all group by @dependabot in #369
  • refactor: split bundle sync code into source and target by @erikgb in #370
  • Bump the all group across 1 directory with 7 updates by @dependabot in #374
  • refactor: build bundle data from relevant spec by @erikgb in #377
  • Sort certificates in bundles to ensure deterministic behaviour by @jabdoa2 in #380

New Contributors

Full Changelog: v0.11.0...v0.11.1

v0.11.0

03 Jun 14:51
8c4561b


v0.11.0 includes support for JSON logging, as well as some bug fixes and code quality improvements which have been made since the release of trust-manager v0.10.0.

Notably, this release re-adds the s390x architecture which was missing in v0.10.0 and v0.10.1 and enables several linters to ensure the codebase remains at a high level of quality.

Feature Overview: JSON Logging

Prolific contributor @erikgb added support for JSON logging in trust-manager in #354 🚀

JSON logging can be enabled through the new app.logFormat Helm value which defaults to text but can be set to json.

$ helm upgrade trust-manager jetstack/trust-manager \
  --set app.logFormat=json \
  --install \
  --namespace cert-manager \
  --wait

$ kubectl logs -n cert-manager trust-manager-xxxxx
{"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
...

Log Level Parsing

v0.11.0 also changes how log levels are parsed when passed in to trust-manager.

Previously, non-numeric log levels would be silently ignored, so if you set a log level of "v5" rather than "5", the setting would not take effect and the log level would default to 1. Now, log levels must be valid integers and trust-manager will fail to start if a log level is invalid.

This change will help to catch configuration errors.

What's Changed

Features

Bug Fixes

  • Fix use of system trust bundle when building package by @SgtCoDFish in #355
  • Use the go version specified in the Makefile tools module by @inteon in #364

Testing / Code Quality

  • Replace deprecated klog.New in tests with ktesting.NewTestContext by @erikgb in #352
  • Deduplicate code for syncing target configmaps and secrets by @erikgb in #356
  • Fix all linter issues and un-ignore golangci-lint linter exceptions by @inteon in #360

Docs

Version Bumps

  • [CI] Merge self-upgrade-main into main by @github-actions in #363
  • [CI] Merge self-upgrade-main into main by @github-actions in #361
  • [CI] Merge self-upgrade-main into main by @github-actions in #357
  • [CI] Merge self-upgrade-main into main by @github-actions in #351
  • [CI] Merge self-upgrade-main into main by @github-actions in #349
  • Bump the all group with 5 updates by @dependabot in #350
  • Bump the all group with 2 updates by @dependabot in #359
  • Bump the all group with 2 updates by @dependabot in #362

Full Changelog: v0.10.0...v0.11.0

v0.10.2

03 Jun 13:48
8c4561b


The release of v0.10.2 was abandoned as the v0.10.2 tag was accidentally created containing changes which were larger than the scope of a patch release.

It will be replaced with v0.11.0.

v0.10.1

29 May 15:45
3dbeb6c


This patch release fixes a bug in the trust-manager build process that caused it to be built with an out-of-date Go version (1.22.0) instead of the latest Go version available at the time (1.22.3).

Warning

trust-manager v0.10.1 does not include images for s390x. This was an oversight arising from the migration to makefile-modules.
This will be fixed in trust-manager v0.11.0.

Full Changelog: v0.10.0...v0.10.1

v0.10.0

13 May 14:34
4323445


This release is the first trust-manager release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.

Warning

There was a bug with the release of trust-manager v0.10.0 which meant it was built with Go 1.22.0 rather than the latest Go version available at the time (1.22.3).
This was fixed in trust-manager v0.10.1 and v0.11.0+.

Warning

trust-manager v0.10.0 does not include images for s390x. This was an oversight arising from the migration to makefile-modules.
This will be fixed in trust-manager v0.11.0.

What's Changed

  • Allow replicaCount to be set to int or string by @erikgb in #320
  • Also check for correct architectures in trust package build by @SgtCoDFish in #323
  • Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
  • Fix Bundle target print column by @erikgb in #344
  • Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
  • Make Makefiles reusable and automate release process by @inteon in #195

Dependency upgrades

New Contributors

  • @DrFaust92 made their first contribution in #330
  • @github-actions made their first contribution in #348

Full Changelog: v0.9.2...v0.10.0