Releases: cert-manager/trust-manager
v0.20.2
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.
Furthermore, additional go dependencies were upgraded where possible.
What's Changed
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #775
- fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3 by @octo-sts[bot] in #773
- Bump trust package suffix, forcing a new go 1.25.3 build by @inteon in #776
Full Changelog: v0.20.1...v0.20.2
Contributors
Assets 2
v0.20.1
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release is a patch release, downgrading Go from 1.25.2 to 1.25.1, to avoid the X.509 issues introduced by trying to fix a CVE. See golang/go#75828 (comment) for additional details.
What's Changed
Full Changelog: v0.20.0...v0.20.1
Contributors
Assets 2
v0.20.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
⚠️ Known issue ⚠️
Golang 1.25.2 has a backwards incompatible change (see golang/go#75828 (comment)). This will for example result in certificates with a DNS SAN ending in a dot causing trust-manager to error.
This release primarily contains dependency updates, but also includes a new feature that allows trust-manager to be configured to only operate on a list of named target namespaces. While this feature can allow trust-manager to operate without cluster-wide access to namespaces, the Bundle resource is cluster-scoped, and events from cluster-scoped resources are emitted to the default namespace.
The work on migrating Bundle to ClusterBundle continues, but none of these changes are user-facing in this release.
What's Changed
Features
- You can now use trust-manager in the new "restricted" mode to scope trust-manager’s and target caches to a specific set of Kubernetes namespaces provided at startup. When this feature is not used, behavior remains unchanged (cluster-wide watch). By @asmaoune in #744
- Helm: you can now disable the creation of the RBAC resources. By @asmaoune in #753
Internal changes
- Add generated applyconfigurations for ClusterBundle API by @erikgb in #690
- Split integration tests for Bundle and ClusterBundle by @erikgb in #691
- Add new Bundle (migration) controller by @erikgb in #681
- Eliminate multiple sigs.k8s.io/structured-merge-diff deps by @erikgb in #712
- Refactor cache setup to controller package by @erikgb in #727
- Bootstrap shared Renovate preset by @erikgb in #751
- Move additional formats handling from source to target by @erikgb in #703
- Remove code for migrating CSA to SSA by @erikgb in #754
- Bump default CAs bundle version to trigger release by @erikgb in #768
- Make: missing quote breaking CI by @maelvls in #770
- Don't set the tag in values.yaml, since it is overwritten at chart build time by @inteon in #771
Updates by Dependabot/Renovate
- build(deps): Bump the all group with 5 updates by @dependabot[bot] in #687
- build(deps): Bump the all-go-deps group across 1 directory with 2 updates by @dependabot[bot] in #696
- fix(deps): update module github.com/stretchr/testify to v1.11.0 by @github-actions[bot] in #699
- fix(deps): update kubernetes go deps to v0.34.0 by @erikgb in #710
- fix(deps): update misc go deps by @github-actions[bot] in #707
- fix(deps): update misc go deps by @github-actions[bot] in #721
- fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.2 by @github-actions[bot] in #720
- build(deps): Bump actions/setup-go from 5 to 6 in the all-gh-actions group by @dependabot[bot] in #729
- chore(deps): update actions/github-script action to v8 by @octo-sts[bot] in #732
- chore(deps): pin dependencies by @octo-sts[bot] in #731
- fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.3 by @octo-sts[bot] in #736
- fix(deps): update kubernetes go patches to v0.34.1 by @octo-sts[bot] in #745
- chore(deps): pin quay.io/jetstack/trust-pkg-debian-bookworm docker tag to 4e46f31 by @octo-sts[bot] in #752
- fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.1 by @erikgb in #757
- chore(deps): update docker/login-action digest to 5e57cd1 by @octo-sts[bot] in #760
- fix(deps): update module github.com/onsi/ginkgo/v2 to v2.26.0 by @octo-sts[bot] in #763
- fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.2 by @octo-sts[bot] in #766
- fix(deps): update k8s.io/utils digest to bc988d5 by @octo-sts[bot] in #769
Updates by makefile-modules
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #686
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #692
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #694
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #695
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #697
- Manual self upgrade by @erikgb in #698
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #705
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #706
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #714
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #715
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #717
- [CI] Self-upgrade merging self-upgrade-main into main by @erikgb in #718
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #719
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #723
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #724
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #725
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #728
- [CI] Self-upgrade merging self-upgrade-main into main by @erikgb in #730
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #735
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #737
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #738
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #739
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #740
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #743
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #746
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #747
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #755
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #758
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #759
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #764
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #765
- [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #767
New Contributors
- @octo-sts[bot] made their first contribution in #732
- @asmaoune made their first contribution in #744
- @maelvls made their first contribution in #770
Full Changelog: v0.19.0...v0.20.0
Contributors
Assets 2
v0.19.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release contains a few new features, in particular an update of the default CA trust bundle to the latest version available in Debian Bookworm. Huge thanks to @hawksight for identifying and fixing a bug in our CI that prevented the bundle from getting minor updates from upstream Debian.
We are also working on the new ClusterBundle API, which will replace the Bundle API.
What's Changed
Features
- feat: Bump the ca-certificates package to 20230311+deb12u1 by @hawksight in #643
- Make bundle target optional by @erikgb in #661
- feat: Update trust-manager default trust bundle to newest version by @hawksight in #667
- feat(helm): Support revisionhistorylimit by @DrFaust92 in #676
- feat: Add a global value of enabled for wrapping trust-manager chart by @hawksight in #680
Fixes
- Make Bundle webhook configuration precise by @erikgb in #670
- Improve webhook setup and probes by @erikgb in #671
New ClusterBundle API (non-user-facing)
These changes help to prepare trust-manager for the next evolution of its design. None of these changes are available to be used yet.
- ClusterBundle source API rework by @erikgb in #647
- Final minor adjustments to new ClusterBundle API by @erikgb in #658
- Add generated CRD for new ClusterBundle API by @erikgb in #662
- Add ClusterBundle API validations by @erikgb in #664
- Add ClusterBundle validating webhook by @erikgb in #668
Other
- Use controller-gen to generate applyconfigurations by @erikgb in #657
- refactor: dedicated struct for building source data by @erikgb in #648
- Migrate test from JKS to PKCS#12 by @erikgb in #607
- refactor: split target apply and cleanup by @erikgb in #660
- Refactor scheme setup to support multi-group APIs by @erikgb in #669
- feat: Add hawksight as reviewer by @hawksight in #678
- Remove use of deprecated c/r Requeue by @erikgb in #673
- Remove use of deprecated c/r EventBroadcaster by @erikgb in #672
Dependabot updates
- build(deps): Bump the all group with 5 updates by @dependabot[bot] in #653
- build(deps): Bump the all group across 1 directory with 3 updates by @dependabot[bot] in #665
- build(deps): Bump actions/checkout from 4 to 5 in the all group by @dependabot[bot] in #684
makefile-modules updates
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #646
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #649
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #651
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #652
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #655
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #663
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #674
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #675
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #677
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #679
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #682
- [CI] Merge self-upgrade-main into main by @github-actions[bot] in #685
New Contributors
- @hawksight made their first contribution in #643
Full Changelog: v0.18.0...v0.19.0
Contributors
Assets 2
v0.18.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
This release contains miscellaneous bug fixes and dependency updates.
It is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874, CVE-2025-0913, and CVE-2025-4673.
helm inspect chart trust-manager --repo https://charts.jetstack.io --version v0.18.0
What's Changed
Bug Fixes
- CertPool should not error when input adds no certificates by @erikgb in #624
- Improve source error handling by @erikgb in #623
Non user-facing
Dependabot updates
- build(deps): Bump the all group across 1 directory with 7 updates by @dependabot in #634
- build(deps): Bump the all group with 5 updates by @dependabot in #644
makefile-modules updates
- [CI] Merge self-upgrade-main into main by @github-actions in #627
- [CI] Merge self-upgrade-main into main by @github-actions in #628
- [CI] Merge self-upgrade-main into main by @github-actions in #630
- [CI] Merge self-upgrade-main into main by @github-actions in #635
- [CI] Merge self-upgrade-main into main by @github-actions in #636
- [CI] Merge self-upgrade-main into main by @github-actions in #637
- [CI] Merge self-upgrade-main into main by @github-actions in #638
- [CI] Merge self-upgrade-main into main by @github-actions in #639
Full Changelog: v0.17.1...v0.18.0
Contributors
Assets 2
v0.17.1
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.17.1 is a patch release fixing two specific issues discovered after the release of v0.17.0:
The switch to use our PKCS#12 encoder to encode (Java compatible) PKCS#12 truststores seems to cause a regression. While we still want to deprecate JKS and eventually remove support for it, we will stick to the old JKS encoding library until the feature is removed.
What's Changed
Fixes
- Revert "Use PKCS#12 encoder to encode JKS" by @erikgb in #626
- Fix new Helm TLS args by @erikgb in #620
Makefile Modules Updates
- [CI] Merge self-upgrade-main into main by @github-actions in #621
- [CI] Merge self-upgrade-main into main by @github-actions in #622
Full Changelog: v0.17.0...v0.17.1
Contributors
Assets 2
v0.17.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.17.0 contains many interesting new features, mostly from new contributors recruited from cert-manager ContribFest event at KubeCon EU 2025. Welcome! 🫶 Special thanks to @terricain for implementing one of our most wanted features, allowing adding labels/annotations to target configmaps/secrets! 👏 When configuring trust-manager, it is now possible to disable leader election (@KyriosGN0) and set webhook TLS requirements like minimum TLS version and acceptable cipher suites (@arsenalzp). And the Helm chart installation now supports adding common annotations to all resources (@ali-hamza-noor) and extra resources managed by Helm (@TTRCmedia).
What's Changed
Features
- add leaderElection flag to trust manager by @KyriosGN0 in #555
- Introduce min-tls and ciphers-suite application options for webhook server by @arsenalzp in #556
- Added PKCS12 profile option by @terricain in #577
- Add support for target annotations and labels by @terricain in #582
- Use PKCS#12 encoder to encode JKS by @erikgb in #603
- Add extraObjects to Helm chart by @TTRCmedia in #585
- Adding common annotations for all the resources by @ali-hamza-noor in #615
Fixes
- Fixup PDB namespace population logic by @alloveras in #583
Other
- Change names of actions workflows to be more explicit by @SgtCoDFish in #554
- Add validating admission integration tests by @erikgb in #562
- Fix Ginkgo commands by @erikgb in #573
- Use upstream metav1.Condition instead of our own BundleCondition by @erikgb in #596
- Add generation of applyconfigurations (again) by @erikgb in #598
- Introduce ClusterBundle API as a copy of Bundle by @erikgb in #495
- Improve webhook TLS config configuration by @erikgb in #595
- Fix slightly misleading PKCS#12 profile API docs by @erikgb in #602
- Add dependency licenses to repo and OCI image by @inteon in #610
- Add missing LICENSE file by @inteon in #613
Dependency Updates
- build(deps): Bump the all group with 5 updates by @dependabot in #557
- build(deps): Bump the all group with 2 updates by @dependabot in #561
- build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #566
- build(deps): Bump the all group across 1 directory with 8 updates by @dependabot in #572
- build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #581
- build(deps): Bump sigs.k8s.io/structured-merge-diff/v4 from 4.6.0 to 4.7.0 in the all group by @dependabot in #599
- build(deps): Bump the all group with 5 updates by @dependabot in #606
Makefile Modules Updates
- [CI] Merge self-upgrade-main into main by @github-actions in #559
- [CI] Merge self-upgrade-main into main by @github-actions in #563
- [CI] Merge self-upgrade-main into main by @github-actions in #564
- [CI] Merge self-upgrade-main into main by @github-actions in #567
- [CI] Merge self-upgrade-main into main by @github-actions in #570
- [CI] Merge self-upgrade-main into main by @github-actions in #575
- [CI] Merge self-upgrade-main into main by @github-actions in #576
- [CI] Merge self-upgrade-main into main by @github-actions in #580
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #586
- [CI] Merge self-upgrade-main into main by @github-actions in #587
- [CI] Merge self-upgrade-main into main by @github-actions in #590
- [CI] Merge self-upgrade-main into main by @github-actions in #600
- [CI] Merge self-upgrade-main into main by @github-actions in #601
- [CI] Merge self-upgrade-main into main by @github-actions in #604
- [CI] Merge self-upgrade-main into main by @github-actions in #608
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #609
- [CI] Merge self-upgrade-main into main by @github-actions in #611
- [CI] Merge self-upgrade-main into main by @github-actions in #612
- [CI] Merge self-upgrade-main into main by @github-actions in #614
- [CI] Merge self-upgrade-main into main by @github-actions in #616
- [CI] Merge self-upgrade-main into main by @github-actions in #618
New Contributors
- @KyriosGN0 made their first contribution in #555
- @terricain made their first contribution in #577
- @alloveras made their first contribution in #583
- @TTRCmedia made their first contribution in #585
- @ali-hamza-noor made their first contribution in #615
Full Changelog: v0.16.0...v0.17.0
Contributors
Assets 2
v0.16.0
SgtCoDFish
Ashley Davis
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.16.0 includes an important change which you should be aware of before upgrading: by default, trust-manager v0.16.0 uses a trust package based on Debian Bookworm which is more modern than the previous image.
Most users should be unaffected by this change, since it roughly corresponds to running applications on a Debian Bullseye VM and then upgrading to Bookworm - the most commonly-used CA certificates on the web are present in both trust stores. However, it may be wise to deploy to a test environment first.
You don't need to upgrade trust packages when upgrading to a newer version of trust-manager; the old trust package is compatible with v0.16.0, just as the new trust package is compatible with older versions of trust-manager.
There's a full guide on cert-manager.io detailing how to upgrade safely. If you upgrade and choose to use the new default trust package, your Bundle resources will automatically be updated. As usual, you may need to restart pods to pick up any changes.
What's Changed
Features
- Add build for trust package based on Debian Bookworm by @SgtCoDFish in #540
- Use the Debian Bookworm package for testing + releases by @SgtCoDFish in #547
- Use Context to pass Logger by @erikgb in #550
- Helm: Allow configuring automountServiceAccountToken by @germanattanasio in #513
Test / CI
- Simplify integration test setup by @erikgb in #493
- Add fetch-depth to checkout action by @SgtCoDFish in #543
- Fix syntax error by @SgtCoDFish in #544
- Copy the other release action by @SgtCoDFish in #545
- Add fetch-depth:0 to bookworm upgrade job by @SgtCoDFish in #553
- Tweak JUnit config for e2e / integration tests by @SgtCoDFish in #551
Dependency Updates
- build(deps): Bump the all group across 1 directory with 6 updates by @dependabot in #535
- build(deps): Bump github.com/spf13/pflag from 1.0.5 to 1.0.6 in the all group by @dependabot in #539
Design Docs
Makefile Modules Updates
- [CI] Merge self-upgrade-main into main by @github-actions in #531
- [CI] Merge self-upgrade-main into main by @github-actions in #534
- [CI] Merge self-upgrade-main into main by @github-actions in #536
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #537
- [CI] Merge self-upgrade-main into main by @github-actions in #541
- [CI] Merge self-upgrade-main into main by @github-actions in #542
- [CI] Merge self-upgrade-main into main by @github-actions in #546
- [CI] Merge self-upgrade-main into main by @github-actions in #548
- [CI] Merge self-upgrade-main into main by @github-actions in #549
- [CI] Merge self-upgrade-main into main by @github-actions in #552
- Upgrade oci-build makefile module by @inteon in #538
New Contributors
- @germanattanasio made their first contribution in #513 🎉
Full Changelog: v0.15.0...v0.16.0
Contributors
Assets 2
v0.15.0
SgtCoDFish
Ashley Davis
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
The most important changes in this release are a slew of version bumps, with some important consequences for how trust-manager parses certificates.
trust-manager v0.15.0 uses Go 1.23, which by default disallows parsing of certificates with negative serial numbers. Most certificates are unaffected by this, since a negative serial number would be in violation of relevant standards and specs.
Unfortunately, some legacy certificates are not compliant, and there are certificates in the wild with negative serial numbers including one certificate which appears in the trust-manager default trust package (since it was included in Debian 10).
We've decided to make this certificate a special case and ignore it when it's included in a bundle. While it's still present in the trust package container image it will be ignored when the cert-manager-package-debian:20210119.0 package is used or if manually included. When it's ignored, a log line will be emitted each time:
time=2025-01-13T11:37:10.034Z level=INFO msg="skipping a certificate in PEM bundle for compatibility reasons" logger=trust/bundle/cert-pool details="cert in bundle with CN=EC-ACC and fingerprint '88497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799' has negative serial number and will be skipped"If you depend on trusting certs with negative serial numbers, support for them can be re-enabled at runtime by setting the GODEBUG environment variable to x509negativeserial=1 in the trust-manager container:
env:
- name: GODEBUG
value: x509negativeserial=1If this value is not set - which is the default behavior - all certs with negative serial numbers will cause an error on the bundle except for the special case certificate above, which will be skipped.
What's Changed
Important Changes
- Bump to Go 1.23 (and allow certificates with negative serial numbers) by @erikgb in #511
- Add special case handling of cert with negative serial number by @SgtCoDFish in #515
Makefile Modules Bumps, Fixes and Tweaks
- Remove unused Makefile variables by @erikgb in #494
- Manual makefile modules update by @SgtCoDFish in #516
- Add Helm chart OCI release to GH automation by @inteon in #506
- Add 'fetch-depth: 0' to Debian trust bundle GH checkout action by @inteon in #523
- [CI] Merge self-upgrade-main into main by @github-actions in #498
- [CI] Merge self-upgrade-main into main by @github-actions in #500
- build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #502
- [CI] Merge self-upgrade-main into main by @github-actions in #504
- [CI] Merge self-upgrade-main into main by @github-actions in #505
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #509
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #519
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #520
- [CI] Merge self-upgrade-main into main by @github-actions in #525
- [CI] Merge self-upgrade-main into main by @github-actions in #529
Dependency Bumps / Miscellaneous Changes
- Update readme to better reflect project status today by @SgtCoDFish in #508
- build(deps): Bump the all group with 5 updates by @dependabot in #507
- build(deps): Bump the all group across 1 directory with 9 updates by @dependabot in #524
- build(deps): Bump sigs.k8s.io/controller-runtime from 0.19.3 to 0.19.4 in the all group by @dependabot in #527
Full Changelog: v0.14.0...v0.15.0
Contributors
Assets 2
v0.15.0-alpha.0
trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.
v0.15.0-alpha.0 was a test release for testing some of our internal automation. We don't recommend installing this release.