
Releases: cert-manager/approver-policy

v0.22.2

16 Oct 12:37
fa9e56d


approver-policy provides a policy engine for certificates issued by cert-manager!

This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Furthermore, additional go dependencies were upgraded where possible.

What's Changed

  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #730
  • fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3 by @octo-sts[bot] in #728
  • fix(deps): update module github.com/cert-manager/cert-manager to v1.19.1 by @octo-sts[bot] in #731

Full Changelog: v0.22.1...v0.22.2

v0.22.1

10 Oct 15:14
48aa8d2


approver-policy provides a policy engine for certificates issued by cert-manager!

This release is a patch release, downgrading Go from 1.25.2 to 1.25.1, to avoid the X.509 issues introduced by trying to fix a CVE. See golang/go#75828 (comment) for additional details.

What's Changed

  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #727

Full Changelog: v0.22.0...v0.22.1

v0.22.0

09 Oct 05:56
fdedc75


approver-policy provides a policy engine for certificates issued by cert-manager!

⚠️ Known issue ⚠️

Go 1.25.2 contains a backwards-incompatible change (see golang/go#75828 (comment)). For example, a CertificateRequest with a DNS SAN that ends in a trailing dot will fail approval.

This release primarily contains dependency updates, but also includes a major change to the custom metrics provided by approver-policy.

⚠️ Deprecation notice: The following custom approver-policy metrics are now deprecated:

  • approverpolicy_certificaterequest_approved_count
  • approverpolicy_certificaterequest_denied_count
  • approverpolicy_certificaterequest_unmatched_count

Any use of these metrics should be replaced with the new composite certmanager_approverpolicy_certificaterequests_approval metrics. The deprecated metrics will be removed after a couple of releases. See #712 for background and details.

What's Changed

Miscellaneous

  • Add new certificaterequests_approval metric by @erikgb in #712
  • Bootstrap shared Renovate preset by @erikgb in #714

Updates by Dependabot/Renovate

  • build(deps): bump github.com/cert-manager/cert-manager from 1.18.1 to 1.18.2 in the all group by @dependabot[bot] in #649
  • build(deps): bump the all group with 7 updates by @dependabot[bot] in #653
  • build(deps): bump the all group across 1 directory with 2 updates by @dependabot[bot] in #657
  • build(deps): bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0 in the all group by @dependabot[bot] in #658
  • build(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.7 in the all group by @dependabot[bot] in #662
  • build(deps): bump actions/checkout from 4 to 5 in the all group by @dependabot[bot] in #664
  • build(deps): bump the all group with 7 updates by @dependabot[bot] in #668
  • build(deps): bump the all-go-deps group across 1 directory with 3 updates by @dependabot[bot] in #674
  • fix(deps): update misc go deps by @github-actions[bot] in #677
  • fix(deps): update misc go deps by @github-actions[bot] in #681
  • fix(deps): update kubernetes go deps by @github-actions[bot] in #682
  • fix(deps): update misc go deps by @github-actions[bot] in #687
  • chore(deps): update actions/setup-go action to v6 by @octo-sts[bot] in #699
  • chore(deps): pin docker/login-action action to 184bdaa by @octo-sts[bot] in #697
  • fix(deps): update misc go deps by @octo-sts[bot] in #701
  • fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.3 by @octo-sts[bot] in #698
  • fix(deps): update module github.com/prometheus/client_golang to v1.23.2 by @octo-sts[bot] in #703
  • fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.1 by @octo-sts[bot] in #706
  • fix(deps): update kubernetes go patches to v0.34.1 by @octo-sts[bot] in #709
  • fix(deps): update module google.golang.org/protobuf to v1.36.9 by @octo-sts[bot] in #708
  • fix(deps): update misc go deps by @octo-sts[bot] in #719
  • chore(deps): update docker/login-action digest to 5e57cd1 by @octo-sts[bot] in #718
  • fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.2 by @octo-sts[bot] in #722
  • fix(deps): update module github.com/cert-manager/cert-manager to v1.19.0 by @octo-sts[bot] in #723
  • fix(deps): update k8s.io/utils digest to bc988d5 by @octo-sts[bot] in #726

Updates by makefile-modules

  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #648
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #650
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #651
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #652
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #655
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #656
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #659
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #660
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #661
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #663
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #665
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #666
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #670
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #672
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #673
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #675
  • Manual self upgrade by @erikgb in #676
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #679
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #680
  • Manual self-upgrade by @erikgb in #683
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #684
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #685
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #686
  • [CI] Self-upgrade merging self-upgrade-main into main by @erikgb in #688
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #689
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #690
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #691
  • [CI] Merge self-upgrade-main into main by @github-actions[bot] in #693
  • [CI] Self-upgrade merging self-upgrade-main into main by @erikgb in #695
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #696
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #702
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #704
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #705
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #707
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #710
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #711
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #715
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #716
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #717
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #720
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #721
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in https://github.com/cert-manager/approve...

v0.21.0

20 Jun 16:13
efc9f69


approver-policy provides a policy engine for certificates issued by cert-manager!

This release contains miscellaneous bug fixes and dependency updates.
It is built with Go 1.24.4, which fixes the following vulnerabilities: CVE-2025-4673 and CVE-2025-0913.

helm inspect chart cert-manager-approver-policy --repo https://charts.jetstack.io --version v0.21.0

📖 Read installing approver-policy on the cert-manager website to learn about installing approver-policy with helm.

What's Changed

Miscellaneous

  • Remove use of deprecated c/r Result.Requeue by @erikgb in #641
  • Specify custom commonname for webhook dynamic authority by @inteon in #619

Updates by Dependabot

  • build(deps): bump github.com/cert-manager/cert-manager from 1.17.2 to 1.18.0 in the all group by @dependabot in #643
  • build(deps): bump github.com/cert-manager/cert-manager from 1.18.0 to 1.18.1 in the all group by @dependabot in #645
  • build(deps): bump the all group across 1 directory with 9 updates by @dependabot in #640
  • build(deps): bump the all group with 7 updates by @dependabot in #647

Updates by makefile-modules

  • [CI] Merge self-upgrade-main into main by @github-actions in #631
  • [CI] Merge self-upgrade-main into main by @github-actions in #632
  • [CI] Merge self-upgrade-main into main by @github-actions in #633
  • [CI] Merge self-upgrade-main into main by @github-actions in #634
  • [CI] Merge self-upgrade-main into main by @github-actions in #635
  • [CI] Merge self-upgrade-main into main by @github-actions in #637
  • [CI] Merge self-upgrade-main into main by @github-actions in #642
  • [CI] Merge self-upgrade-main into main by @github-actions in #644
  • [CI] Merge self-upgrade-main into main by @github-actions in #646

Full Changelog: v0.20.0...v0.21.0

v0.20.0

01 May 08:34
7f287d4


approver-policy provides a policy engine for certificates issued by cert-manager!

This release is primarily a patch with routine dependency updates, but also includes a small enhancement from returning contributor @solidDoWant, who added names to container ports. 🫶

What's Changed

Enhancements

Dependency Bumps

  • build(deps): bump the all group with 3 updates by @dependabot in #577
  • build(deps): bump google.golang.org/protobuf from 1.36.4 to 1.36.5 in the all group across 1 directory by @dependabot in #584
  • build(deps): bump github.com/cert-manager/cert-manager from 1.17.0 to 1.17.1 in the all group by @dependabot in #585
  • build(deps): bump the all group with 7 updates by @dependabot in #586
  • build(deps): bump the all group with 2 updates by @dependabot in #588
  • build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #594
  • build(deps): bump the all group across 1 directory with 11 updates by @dependabot in #602
  • build(deps): bump the all group across 1 directory with 2 updates by @dependabot in #610
  • build(deps): bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0 in the all group by @dependabot in #611
  • build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group by @dependabot in #617
  • build(deps): bump the all group across 1 directory with 8 updates by @dependabot in #622

Other

Makefile Modules Upgrades

  • [CI] Merge self-upgrade-main into main by @github-actions in #578
  • [CI] Merge self-upgrade-main into main by @github-actions in #579
  • [CI] Merge self-upgrade-main into main by @github-actions in #580
  • [CI] Merge self-upgrade-main into main by @github-actions in #581
  • [CI] Merge self-upgrade-main into main by @github-actions in #583
  • [CI] Merge self-upgrade-main into main by @github-actions in #587
  • [CI] Merge self-upgrade-main into main by @github-actions in #591
  • [CI] Merge self-upgrade-main into main by @github-actions in #592
  • [CI] Merge self-upgrade-main into main by @github-actions in #595
  • [CI] Merge self-upgrade-main into main by @github-actions in #600
  • [CI] Merge self-upgrade-main into main by @github-actions in #604
  • [CI] Merge self-upgrade-main into main by @github-actions in #605
  • [CI] Merge self-upgrade-main into main by @github-actions in #609
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #612
  • [CI] Merge self-upgrade-main into main by @github-actions in #613
  • [CI] Merge self-upgrade-main into main by @github-actions in #614
  • [CI] Merge self-upgrade-main into main by @github-actions in #615
  • [CI] Merge self-upgrade-main into main by @github-actions in #616
  • [CI] Merge self-upgrade-main into main by @github-actions in #618
  • [CI] Merge self-upgrade-main into main by @github-actions in #621
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #624
  • [CI] Merge self-upgrade-main into main by @github-actions in #626
  • [CI] Merge self-upgrade-main into main by @github-actions in #627
  • [CI] Merge self-upgrade-main into main by @github-actions in #629
  • [CI] Merge self-upgrade-main into main by @github-actions in #630

Full Changelog: v0.19.0...v0.20.0

v0.19.0

03 Feb 09:56
97860c3


approver-policy provides a policy engine for certificates issued by cert-manager!

Version v0.19.0 is a minor release containing two nice contributions by @solidDoWant! 🚀 Users can now generate clients for approver-policy CRDs. This release also contains a bugfix allowing Ed25519 to be set in approver-policy CertificateRequestPolicy constraints. As usual, the release includes dependency upgrades and various improvements to Makefile modules.

What's Changed

New Features

Bugfixes

  • Fix private key algorithm constraint always erroring when set by @solidDoWant in #572

Cleanup

Dependency Updates

  • build(deps): bump the all group across 1 directory with 10 updates by @dependabot in #569
  • build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 in the all group by @dependabot in #574

Makefile modules

  • [CI] Merge self-upgrade-main into main by @github-actions in #566
  • [CI] Merge self-upgrade-main into main by @github-actions in #568
  • [CI] Merge self-upgrade-main into main by @github-actions in #570
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #573
  • [CI] Merge self-upgrade-main into main by @github-actions in #575
  • [CI] Merge self-upgrade-main into main by @github-actions in #576

New Contributors

Full Changelog: v0.18.0...v0.19.0

v0.18.0

14 Jan 16:28
f4e7c49


approver-policy provides a policy engine for certificates issued by cert-manager!

Version v0.18.0 is mostly to capture various dependency updates which address various reported security vulnerabilities. It's important to note that we don't believe approver-policy was vulnerable in any meaningful way, but we think it's important to address reported vulnerabilities with new releases in any case.

What's Changed

Cleanup

Makefile Modules

  • [CI] Merge self-upgrade-main into main by @github-actions in #536
  • [CI] Merge self-upgrade-main into main by @github-actions in #538
  • [CI] Merge self-upgrade-main into main by @github-actions in #541
  • [CI] Merge self-upgrade-main into main by @github-actions in #542
  • [CI] Merge self-upgrade-main into main by @github-actions in #545
  • [CI] Merge self-upgrade-main into main by @github-actions in #546
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #548
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #553
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #554
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #555
  • [CI] Merge self-upgrade-main into main by @github-actions in #561
  • [CI] Merge self-upgrade-main into main by @github-actions in #564

Dependency Updates

  • build(deps): bump the all group with 2 updates by @dependabot in #535
  • build(deps): bump the all group across 1 directory with 2 updates by @dependabot in #544
  • build(deps): bump the all group with 7 updates by @dependabot in #547
  • build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 in the go_modules group by @dependabot in #550
  • build(deps): bump the all group with 8 updates by @dependabot in #549
  • Add Helm chart OCI release to GH automation by @inteon in #543
  • build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 in the all group by @dependabot in #552
  • build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #558
  • build(deps): bump github.com/onsi/ginkgo/v2 from 2.22.1 to 2.22.2 in the all group by @dependabot in #560
  • build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2 in the all group by @dependabot in #562
  • build(deps): bump sigs.k8s.io/controller-runtime from 0.19.3 to 0.19.4 in the all group by @dependabot in #563

Full Changelog: v0.17.0...v0.18.0

v0.18.0-alpha.0

06 Jan 09:14
013e356


Pre-release

approver-policy provides a policy engine for certificates issued by cert-manager!

This is an alpha release to test internal OCI Helm chart release processes. We don't recommend running this version of approver-policy.

What's Changed

  • build(deps): bump the all group with 2 updates by @dependabot in #535
  • Remove generated api-docs by @erikgb in #537
  • Remove unused Makefile variables by @erikgb in #539
  • [CI] Merge self-upgrade-main into main by @github-actions in #536
  • [CI] Merge self-upgrade-main into main by @github-actions in #538
  • [CI] Merge self-upgrade-main into main by @github-actions in #541

Full Changelog: v0.17.0...v0.18.0-alpha.0

v0.17.0

25 Nov 12:01
981627a


approver-policy provides a policy engine for certificates issued by cert-manager!

v0.17.0 could be considered a bugfix release, but one of the changes is important enough to deserve a minor release for increased visibility:

It turns out that approver-policy did not consider the cert-manager issuer group and kind defaults when matching policies against cert-manager CertificateRequest resources. This was probably not intentional and has now been fixed. So if a CertificateRequest does not specify spec.issuerRef.group or spec.issuerRef.kind, approver-policy will default to the same values as cert-manager:

  • cert-manager.io for issuer group
  • Issuer for issuer kind
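The defaulting behaviour described above, written out as an added example (this is illustrative code, not approver-policy's or cert-manager's own implementation): the IssuerRef and IssuerSelector types are hypothetical stand-ins, and MatchRaw shows the pre-v0.17.0 comparison beside the fixed Matches.

```go
package main

import "fmt"

// IssuerRef is a hypothetical stand-in for a CertificateRequest's
// spec.issuerRef (example code, not cert-manager's own API type).
type IssuerRef struct {
	Name, Kind, Group string
}

// Defaults cert-manager applies when spec.issuerRef.group or
// spec.issuerRef.kind is omitted (the values from the release note).
const (
	DefaultIssuerGroup = "cert-manager.io"
	DefaultIssuerKind  = "Issuer"
)

// WithDefaults fills an empty Group or Kind with the cert-manager
// defaults; Name is never defaulted.
func WithDefaults(ref IssuerRef) IssuerRef {
	if ref.Group == "" {
		ref.Group = DefaultIssuerGroup
	}
	if ref.Kind == "" {
		ref.Kind = DefaultIssuerKind
	}
	return ref
}

// IssuerSelector is a simplified stand-in for a policy's
// selector.issuerRef: an empty field matches any value.
type IssuerSelector struct {
	Name, Kind, Group string
}

// MatchRaw compares the selector with the request exactly as written,
// which is what approver-policy did before v0.17.0.
func MatchRaw(sel IssuerSelector, ref IssuerRef) bool {
	eq := func(want, got string) bool { return want == "" || want == got }
	return eq(sel.Name, ref.Name) && eq(sel.Kind, ref.Kind) && eq(sel.Group, ref.Group)
}

// Matches applies the cert-manager defaults first, so the request is
// compared the way cert-manager itself will interpret it (the fix).
func Matches(sel IssuerSelector, ref IssuerRef) bool {
	return MatchRaw(sel, WithDefaults(ref))
}

func main() {
	sel := IssuerSelector{Kind: "Issuer", Group: "cert-manager.io"}
	req := IssuerRef{Name: "my-ca"} // kind and group omitted by the requester
	fmt.Println("before fix:", MatchRaw(sel, req)) // false
	fmt.Println("after fix: ", Matches(sel, req))  // true
}
```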

What's Changed

Full Changelog: v0.16.0...v0.17.0

v0.16.0

28 Oct 16:47
v0.16.0
83e23bf


approver-policy provides a policy engine for certificates issued by cert-manager!

v0.16.0 adds an awesome improvement to the CEL validator courtesy of @jamesglennan!

The username field of CertificateRequest (CR) resources is now exposed to CEL, allowing for rich logical operators on the contents of the username.

This is useful for making complex decisions about whether the user who created the CR should be allowed to do so, beyond what's provided by Kubernetes' RBAC mechanism.

For example, if pods create their own CertificateRequests directly using RBAC, you might use this new feature to ensure that the CR includes the Pod's ServiceAccount in the URIs field (for example, in a SPIFFE ID).
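The ServiceAccount-to-SPIFFE-ID check sketched above, written out in Go as an added example of the decision logic a username-aware policy would express (this is not approver-policy's code and is not a CEL rule): it assumes the Kubernetes username format system:serviceaccount:<namespace>:<name>, and the trust domain cluster.example.org is a constructed value.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed trust domain for this example; a real cluster would use
// its own SPIFFE trust domain.
const trustDomain = "cluster.example.org"

// ServiceAccountFromUsername parses a Kubernetes service-account
// username, system:serviceaccount:<namespace>:<name>, and rejects every
// other kind of user (humans, nodes, anonymous).
func ServiceAccountFromUsername(username string) (ns, sa string, ok bool) {
	parts := strings.Split(username, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" {
		return "", "", false
	}
	if parts[2] == "" || parts[3] == "" {
		return "", "", false
	}
	return parts[2], parts[3], true
}

// ExpectedSPIFFEID is the workload identity a pod running as the given
// service account is entitled to request.
func ExpectedSPIFFEID(ns, sa string) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, ns, sa)
}

// URIsMatchUsername reports whether the request's URI SANs consist of
// exactly the SPIFFE ID derived from the requesting user. Parsing with
// net/url makes the comparison robust against scheme/host case games;
// any extra URI, path trickery or non-service-account user is denied.
func URIsMatchUsername(username string, uris []string) bool {
	ns, sa, ok := ServiceAccountFromUsername(username)
	if !ok || len(uris) != 1 {
		return false
	}
	want, _ := url.Parse(ExpectedSPIFFEID(ns, sa))
	got, err := url.Parse(uris[0])
	if err != nil || got.Scheme != "spiffe" {
		return false
	}
	return strings.EqualFold(got.Host, want.Host) && got.Path == want.Path
}

func main() {
	user := "system:serviceaccount:prod:web"
	fmt.Println(URIsMatchUsername(user, []string{"spiffe://cluster.example.org/ns/prod/sa/web"}))   // true
	fmt.Println(URIsMatchUsername(user, []string{"spiffe://cluster.example.org/ns/prod/sa/admin"})) // false
}
```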

What's Changed

New Contributors

Special Thanks

Full Changelog: v0.15.2...v0.16.0