Releases: cert-manager/trust-manager
v0.11.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.11.0 includes support for JSON logging, as well as some bug fixes and code quality improvements which have been made since the release of trust-manager v0.10.0.
Notably, this release re-adds the s390x architecture, which was missing in v0.10.0 and v0.10.1, and enables several linters to ensure the codebase remains at a high level of quality.
Feature Overview: JSON Logging
Prolific contributor @erikgb added support for JSON logging in trust-manager in #354 🚀
JSON logging can be enabled through the new app.logFormat Helm value, which defaults to text but can be set to json.
$ helm upgrade trust-manager jetstack/trust-manager \
--set app.logFormat=json \
--install \
--namespace cert-manager \
--wait
$ kubectl logs -n cert-manager trust-manager-xxxxx
{"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
...
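Once logs are in JSON, they can be filtered on fields rather than by pattern-matching text. The following is an added example, not code from trust-manager: it keeps WARN and ERROR entries and counts lines that are not JSON, so a pod still running with the text format is noticed rather than silently dropped. The WARN and ERROR level names and every sample line except the first are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry mirrors the fields visible in the sample log line from the release notes.
type Entry struct {
	Time   string `json:"time"`
	Level  string `json:"level"`
	Msg    string `json:"msg"`
	Logger string `json:"logger"`
	Path   string `json:"path,omitempty"`
}

// sampleLogs: line 1 is quoted from the release notes; lines 2-4 are constructed.
const sampleLogs = `{"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
{"time":"2024-06-03T14:05:13Z","level":"WARN","msg":"constructed warning","logger":"trust/bundle"}
I0603 14:05:14.000000 1 constructed text-format line
{"time":"2024-06-03T14:05:15Z","level":"ERROR","msg":"constructed error","logger":"trust/bundle"}`

// triage returns entries at WARN or ERROR (assumed level names) and counts
// lines that do not parse as JSON objects, so format drift is visible.
func triage(logs string) (alerts []Entry, unparsed int) {
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			unparsed++ // e.g. a text-format line from a pod not yet reconfigured
			continue
		}
		switch strings.ToUpper(e.Level) {
		case "WARN", "ERROR":
			alerts = append(alerts, e)
		}
	}
	return alerts, unparsed
}

func main() {
	alerts, unparsed := triage(sampleLogs)
	for _, e := range alerts {
		fmt.Printf("%s %-5s %s: %s\n", e.Time, e.Level, e.Logger, e.Msg)
	}
	fmt.Printf("unparsed lines: %d\n", unparsed)
}
```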
Log Level Parsing
v0.11.0 also changes how log levels are parsed when passed in to trust-manager.
Previously, non-numeric log levels would be silently ignored, so if you set a log level of "v5" rather than "5", the setting would not take effect and the log level would default to 1. Now, log levels must be valid integers and trust-manager will fail to start if a log level is invalid.
This change will help to catch configuration errors.
What's Changed
Features
- Add support for JSON logging format by @erikgb in #354
- Re-add support for s390x by @SgtCoDFish in #366
Bug Fixes
- Fix use of system trust bundle when building package by @SgtCoDFish in #355
- Use the go version specified in the Makefile tools module by @inteon in #364
Testing / Code Quality
- Replace deprecated klog.New in tests with ktesting.NewTestContext by @erikgb in #352
- Deduplicate code for syncing target configmaps and secrets by @erikgb in #356
- Fix all linter issues and un-ignore golanci-lint linter exceptions by @inteon in #360
Docs
- Add RELEASE.md file to document release process by @ThatsMrTalbot in #365
Version Bumps
- [CI] Merge self-upgrade-main into main by @github-actions in #363
- [CI] Merge self-upgrade-main into main by @github-actions in #361
- [CI] Merge self-upgrade-main into main by @github-actions in #357
- [CI] Merge self-upgrade-main into main by @github-actions in #351
- [CI] Merge self-upgrade-main into main by @github-actions in #349
- Bump the all group with 5 updates by @dependabot in #350
- Bump the all group with 2 updates by @dependabot in #359
- Bump the all group with 2 updates by @dependabot in #362
Full Changelog: v0.10.0...v0.11.0
v0.10.2
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
The release of v0.10.2 was abandoned as the v0.10.2 tag was accidentally created containing changes which were larger than the scope of a patch release.
It will be replaced with v0.11.0.
v0.10.1
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This patch release fixes a bug in the trust-manager build process causing it to be built with an out-of-date Go version (1.22.0), instead of the latest Go version available at the time (1.22.3).
Warning
trust-manager v0.10.1 does not include images for s390x. This was an oversight arising from the migration to makefile-modules.
This will be fixed in trust-manager v0.11.0
Full Changelog: v0.10.0...v0.10.1
v0.10.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release is the first trust-manager release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.
Warning
There was a bug with the release of trust-manager v0.10.0 which meant it was built with Go 1.22.0 rather than the latest Go version available at the time (1.22.3).
This was fixed in trust-manager v0.10.1 and v0.11.0+.
Warning
trust-manager v0.10.0 does not include images for s390x. This was an oversight arising from the migration to makefile-modules.
This will be fixed in trust-manager v0.11.0
What's Changed
- Allow replicaCount to be set to int or string by @erikgb in #320
- Also check for correct architectures in trust package build by @SgtCoDFish in #323
- Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
- Fix Bundle target print column by @erikgb in #344
- Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
- Make Makefiles reusable and automate release process by @inteon in #195
Dependency upgrades
- Bump the all group with 1 update by @dependabot in #322
- Bump the all group with 5 updates by @dependabot in #327
- Bump the all group with 2 updates by @dependabot in #329
- Bump protobuf version in hack gomod to fix CVE-2024-24786 by @SgtCoDFish in #332
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #338
- Bump the all group across 1 directory with 8 updates by @dependabot in #342
- Bump the all group with 2 updates by @dependabot in #345
- Bump the all group with 3 updates by @dependabot in #346
- Bump the all group with 2 updates by @dependabot in #347
New Contributors
- @DrFaust92 made their first contribution in #330
- @github-actions made their first contribution in #348
Full Changelog: v0.9.2...v0.10.0
v0.10.0-alpha.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release is an alpha release in preparation for v0.10.0. This release will be the first release that uses Makefile modules. Apart from that change, this release includes a lot of version bumps and some small bug fixes.
What's Changed
- bump builder go to 1.22 by @SgtCoDFish in #321
- Allow replicaCount to be set to int or string by @erikgb in #320
- Also check for correct architectures in trust package build by @SgtCoDFish in #323
- Helm chart - document and add to schema nameOverride by @DrFaust92 in #330
- Fix Bundle target print column by @erikgb in #344
- Simplify managed fields upgrade from CSA to SSA by @erikgb in #319
- Make Makefiles reusable and automate release process by @inteon in #195
Dependency upgrades
- Bump the all group with 1 update by @dependabot in #322
- Bump the all group with 5 updates by @dependabot in #327
- Bump the all group with 2 updates by @dependabot in #329
- Bump protobuf version in hack gomod to fix CVE-2024-24786 by @SgtCoDFish in #332
- Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #338
- Bump the all group across 1 directory with 8 updates by @dependabot in #342
- Bump the all group with 2 updates by @dependabot in #345
- Bump the all group with 3 updates by @dependabot in #346
- Bump the all group with 2 updates by @dependabot in #347
New Contributors
- @DrFaust92 made their first contribution in #330
- @github-actions made their first contribution in #348
Full Changelog: v0.9.2...v0.10.0-alpha.0
v0.9.2
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.9.2 is another small bugfix release for a minor issue in the Helm chart's schema along with a small dependency update to fix a reported CVE. Thanks @DrFaust92 for fixing the schema!
What's Changed
- [release-0.9] Backport name override by @SgtCoDFish in #331
- [release-0.9] Fix CVE-2024-24786 by bumping protobuf lib by @SgtCoDFish in #333
Full Changelog: v0.9.1...v0.9.2
v0.9.1
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.9.1 is a small bugfix release for a minor issue in the Helm chart's schema. Thanks to @erikgb and @wallrj for the bugfix!
In addition, unrelated to this specific release, we're looking to rebuild the debian trust package to include the s390x architecture that was added in trust-manager v0.9.0. That will happen outside of the release process for v0.9.1.
What's Changed
- [release-0.9] Bump builder go to 1.22 by @SgtCoDFish in #325
- [release-0.9] Allow replicaCount to be set to int or string by @SgtCoDFish in #324
- [release-0.9] Bump to v0.9.1 by @SgtCoDFish in #326
Full Changelog: v0.9.0...v0.9.1
v0.9.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.9.0 contains a bunch of improvements and once again the awesome trust-manager community played a huge role!
Inclusions to note are:
- We fixed a bug (#296) which broke passwordless PKCS#12 files when read by Java.
- It's possible that this could have an effect on non-Java platforms, but in testing it seemed safe for both Go and Java
- We added support for the s390x architecture for trust-manager!
- We added a crds.keep option to reduce the risk of losing important data when uninstalling trust-manager
- We fixed an issue with certificate deduplication when certs were present in multiple sources
As always, please report any issues either here in the repo, in a cert-manager meeting or on Slack!
Happy bundling!
Special Thanks
We'd like to thank the following for their contributions, expertise, time and patience since the last trust-manager release:
- @erikgb
- @rishikakedia
- @arsenalzp
- @niklastanner
- @ditatechwriter
- @justdan96
- @arjunprasad2143
- @dilipgb
- @bmhughes
- @mnlipp
- @Jiawei0227
In addition, a warm welcome to our latest reviewer @ThatsMrTalbot ! 🎉
What's Changed
New Features
- 💻 Enable trust manager on s390x by @rishikakedia in #315
- Helm: Uniformize all label include statements & add labels to pod template by @inteon in #306
- Add configurable common labels by @justdan96 in #149
- Add 'crds.keep' options to generated CRDs by @inteon in #288
Bug Fixes and Resilience Improvements
- Improve certificate deduplication operation by @arsenalzp in #303
- 🐛 Fix passwordless pkcs12 files for Java by @SgtCoDFish in #307
- Set a size limit on emptyDir by @SgtCoDFish in #308
- Generate values.schema.json by @inteon in #290
- Production readiness Helm chart tweaks by @wallrj in #309
- initContainer Resource Block: Fix #295 for merging by @SgtCoDFish in #316
- Bump toolchain to latest to address CVE-2024-24783 by @SgtCoDFish in #318
Documentation and Testing
- docs: updating chart values.yaml for better comment docs by @ditatechwriter in #280
- Update README.md and Chart.yaml by @inteon in #287
- Improve OCI image options' Helm README.md documentation by @inteon in #289
- Fix typo in Chart.yaml icon URL by @inteon in #292
- test: should test setBundleCondition as it's used by @erikgb in #284
Bumps and Miscellaneous
- 🎉 Add thatsmrtalbot as a reviewer by @inteon in #293
- Bump version for release by @SgtCoDFish in #314
- Two tool update PRs by @inteon (#286, #317)
- Several @dependabot PRs (#313, #298, #285, #279)
New Contributors
- @ditatechwriter made their first contribution in #280
- @justdan96 made their first contribution in #149
- @wallrj made their first contribution in #309
- @rishikakedia made their first contribution in #315
Full Changelog: v0.8.0...v0.9.0
v0.8.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.8.0 includes a bunch of new features, largely contributed by our awesome community!
Included is an option at startup to filter expired certificates from all bundles and the ability to include Secret and ConfigMap resources via labels.
There are also a bunch of improvements which make trust-manager easier to develop and iterate on, which isn't as exciting as new features but should make it easier for us to provide features going forwards!
Speaking of going forwards, trust-manager is on the road to v1! 🎉 From here, we want to stabilise our API, get our CRDs to v1beta1 and then v1, and bump trust-manager itself to v1. We don't have a timeline currently, but we think it's important to be clear that it's a goal of ours to be rock-solid and stable for everyone to build upon!
Special thanks to @erikgb for his efforts in reviewing, developing and helping in this release - it couldn't have happened without him!
⚠️ Known Issues
When using PKCS#12 targets with empty passwords, a PKCS#12 file will be generated that the Java keytool utility is unable to read. See #296
Read Before Updating
Removal of .status.target
trust-manager v0.8.0 removes the .status.target field from Bundle resources, which had a significant overhead to maintain and wasn't particularly useful as far as we could tell.
If you were previously relying on this field, you should be able to calculate it from the spec of your Bundle. We try to avoid breaking anything generally but we felt like this field was worth the removal.
What's Changed
New Features
- Add option to filter expired certificates from bundle by @Hoega in #273
- Add label selector option for Secret and ConfigMap sources by @ocampeau in #258
- Add support for additional pod annotations/labels by @jaygridley in #116
- Allow permissions to put the leases in the trust-manager namespace, not the trust namespace by @tspearconquest in #225
Changes
- Remove .status.target field from Bundle API by @erikgb in #230
- Encode additional target format just once per bundle reconcile by @erikgb in #241
- Add dedicated structures for PKCS12 and JKS stores by @arsenalzp in #253
- fix: Reconcile targets consistently by @erikgb in #260
Changes for trust-manager Developers
- Better handling of local arch differences by @SgtCoDFish in #250
- Improve package CI error handling by @SgtCoDFish in #247
- Improve makefile comments around image building by @SgtCoDFish in #268
- Move to helm-tool for docs by @ThatsMrTalbot in #278
- Do more of the container build process locally by @SgtCoDFish in #251
- Don't build trust bundle images using make image by @SgtCoDFish in #269
- Generate applyconfigurations for custom resources by @erikgb in #217
- Fix flaky tests by introducing komega by @erikgb in #252
- Fix apply-configuration gen for Bundle (cluster-scoped) by @erikgb in #257
- Fix apply configuration generation on macOS by @SgtCoDFish in #248
- Align BundleCondition with upstream metav1.Condition by @erikgb in #249
New Contributors
- @jaygridley made their first contribution in #116
- @tspearconquest made their first contribution in #225
- @ocampeau made their first contribution in #258
- @Hoega made their first contribution in #273
- @ThatsMrTalbot made their first contribution in #278
Full Changelog: v0.7.0...v0.8.0
v0.7.1
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.7.1 is a patch release fixing a bug in targets including PKCS#12 bundles - see #260 for details. All users are recommended to upgrade to this version from v0.7.0 immediately.
What's Changed
- Should reconcile targets consistently by @erikgb in #266
- Allow permissions to put the leases in the trust-manager namespace, not the trust namespace by @jetstack-bot in #263
- Fix flaky tests by introducing komega by @erikgb in #264
- Bump versions to fix trivy-reported vulns and prepare for release by @SgtCoDFish in #267
Full Changelog: v0.7.0...v0.7.1