Releases: cert-manager/trust-manager
v0.6.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.6.0 includes a few bug fixes, some dependency bumps and an important quality-of-life fix for users who run approver-policy in their clusters!
approver-policy
trust-manager requires a certificate for its webhook, which is the part which checks if your Bundle resources are valid. Currently, trust-manager's helm chart depends on cert-manager for creating this certificate.
With the "default approver" enabled in cert-manager, this certificate will be auto-approved at install time. But if you're running approver-policy to have fine-grained control over the certificates you issue with cert-manager, you'll have disabled the default approver which in turn will mean that trust-manager "hangs" when you try to install it.
It's possible to manually approve the certificate using cmctl renew but manual steps aren't much fun. Instead, this release allows you to specify the new app.webhook.tls.approverPolicy.enabled Helm flag, which will create a policy permitting approver-policy to approve trust-manager's webhook certificate.
Note that you'll need to set app.webhook.tls.approverPolicy.certManagerNamespace too if you don't have cert-manager installed in the cert-manager namespace!
Validating Webhook Path Change
Updating our version of controller-runtime meant we had to change the URL at which the webhook receives validation requests, since this was changed in controller-runtime itself.
Previously (trust-manager v0.5.0 and earlier) the webhook listened on /validate but it now listens on /validate-trust-cert-manager-io-v1alpha1-bundle.
This shouldn't be a problem if you update your running containers (i.e. updating the Helm image.tag parameter to v0.6.0) at the same time as the helm chart - but it does mean that you cannot run the v0.6.0 Helm chart using the v0.5.0 images, and vice versa.
What's Changed
- Add support for approver policy by @SgtCoDFish in #158
- Add description for JKS field for better docs by @SgtCoDFish in #137
- Bump dependencies including changes to get latest controller-runtime library working by @irbekrm in #138
- Update OWNERS file, adding inteon and removing meyskens and jahrlin by @inteon in #152
- Setting useDefaultCAs: false no longer causes failures by @hazmat345 in #143
- Fix code generation by @Jamstah in #146
- Bump versions ready for v0.6.0 by @SgtCoDFish in #160
New Contributors
- @hazmat345 made their first contribution in #143
- @Jamstah made their first contribution in #146
Full Changelog: v0.5.0...v0.6.0
v0.5.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.5.0 introduces support for writing JKS formatted trust bundles, along with a set of improvements to our Helm chart and a bunch of other tweaks.
Special thanks to all of the contributors and to @xxmaestroxx, @vinzent, @hazmat345 and @claudiuavat1 for testing the beta releases of this version to help iron out bugs 🐛
JKS Support
Lots of Java applications consume trust stores not from the PEM bundles which trust-manager has always supported, but from binary JKS files. Using PEM bundles in Java can be a pain, and we heard that loud and clear!
We've introduced support for JKS files in trust-manager, as an additional (binary) field you can add to your targets!
For an example, see the below Bundle definition:
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: jks-test-bundle
spec:
  sources:
  - useDefaultCAs: true
  target:
    configMap:
      key: "target-key"
    additionalFormats:
      jks:
        key: "my-bundle.jks"
What's Changed
- Add support for JKS truststores by @aidy in #122
- Use ordered aliases when creating JKS files by @SgtCoDFish in #127
- Ensure unique aliases in JKS files by @SgtCoDFish in #129
- Minor restructure for ko compatibility by @aidy in #124
- Bump to v0.5.0-beta.0 for release by @SgtCoDFish in #125
- Allow node selection based on nodeSelector, tolerations, affinities and topologySpreadConstraints (fixes #13) by @stzov in #117
- Make installation of default trust package optional in helm chart by @siiimooon in #121
- Add descriptions for some helm chart fields by @SgtCoDFish in #126
- Formatting improvements, tests for dummy certs by @SgtCoDFish in #128
- Explicitly define resource namespaces in Helm chart by @inteon in #123
- Use boilersuite for boilerplate verification by @SgtCoDFish in #130
- Add a design for public trust bundles by @SgtCoDFish in #43
New Contributors
- @aidy made their first contribution in #122
- @stzov made their first contribution in #117
- @siiimooon made their first contribution in #121
Full Changelog: v0.4.0...v0.5.0
v0.5.0-beta.1
trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.
This prerelease version is intended as a follow up to v0.5.0-beta.0, allowing users to test the new JKS support available in trust-manager. It fixes a bug in the original implementation of the JKS feature which meant some certificates wouldn't appear in the resulting JKS file - this was addressed in #127 - special thanks to @claudiuavat1 and @hazmat345 for their debugging efforts!
Several other pull requests landed, mostly tweaking helm charts to allow for easier use.
Users can test JKS functionality using a bundle such as the following:
{
  "apiVersion": "trust.cert-manager.io/v1alpha1",
  "kind": "Bundle",
  "metadata": {
    "name": "testing"
  },
  "spec": {
    "sources": [
      {
        "useDefaultCAs": true
      }
    ],
    "target": {
      "additionalFormats": {
        "jks": {
          "key": "my-bundle.jks"
        }
      },
      "configMap": {
        "key": "mybundle.pem"
      }
    }
  }
}
What's Changed
- ⭐ Use ordered aliases when creating JKS files by @SgtCoDFish in #127
- Allow node selection based on nodeSelector, tolerations, affinities and topologySpreadConstraints (fixes #13) by @stzov in #117
- helm: make installation of default trust package optional by @siiimooon in #121
- Add descriptions for some helm chart fields by @SgtCoDFish in #126
- Formatting improvements, tests for dummy certs by @SgtCoDFish in #128
- Explicitly define resource namespaces in Helm chart by @inteon in #123
- Use boilersuite for boilerplate verification by @SgtCoDFish in #130
- Ensure unique aliases in JKS files by @SgtCoDFish in #129
- Bump version to v0.5.0-beta.1 by @SgtCoDFish in #134
New Contributors
- @stzov made their first contribution in #117
- @siiimooon made their first contribution in #121
Full Changelog: v0.5.0-beta.0...v0.5.0-beta.1
v0.5.0-beta.0
trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.
This prerelease version is intended to allow users to test the new JKS support available in trust-manager.
Users can test JKS functionality using a bundle such as the following:
{
  "apiVersion": "trust.cert-manager.io/v1alpha1",
  "kind": "Bundle",
  "metadata": {
    "name": "testing"
  },
  "spec": {
    "sources": [
      {
        "useDefaultCAs": true
      }
    ],
    "target": {
      "additionalFormats": {
        "jks": {
          "key": "my-bundle.jks"
        }
      },
      "configMap": {
        "key": "mybundle.pem"
      }
    }
  }
}
What's Changed
- Add support for JKS truststores by @aidy in #122
- Bump values in helm chart by @SgtCoDFish in #114
- Add a design for public trust bundles by @SgtCoDFish in #43
- Minor restructure for ko compatibility by @aidy in #124
- Bump to v0.5.0-beta.0 for release by @SgtCoDFish in #125
New Contributors
Full Changelog: v0.4.0...v0.5.0-beta.0
v0.4.0
trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.
This makes cloud-native private PKI much easier while also simplifying updates of trusted certificates across your entire estate.
Major Features
Publicly Trusted Certificate Bundles
The most important new feature in v0.4.0 is the addition of publicly trusted certificate bundles!
By simply adding the useDefaultCAs: true source to your Bundle resource, you can include a publicly trusted bundle of certificates. This is similar to building your container with a Debian or "distroless" base image, and will allow most pods which use trust-manager generated certificate bundles to "just work" with most services today.
These bundles have been designed so that they can be updated separately to trust-manager, allowing you to keep running trust-manager while ensuring you have the latest CA bundle included.
trust-manager is now much easier to use as the single place for all trust management in a cluster; you don't need to bake bundles into your containers, which in turn means you no longer need to worry about rebuilding your entire container estate when your base image is updated to include a new trust bundle.
PEM Certificate Verification
Today, trust-manager relies entirely upon PEM certificates for creating and generating trust bundles. Longer term (see #98!) we'd like to support more types of input and output formats, but today we have PEM.
PEM is a reasonably simple format, but it can still be done wrong in many ways which might not comply with the standard - which in turn could mean that your certificates might not work when you need them to.
trust-manager now attempts to validate all input it receives so that an invalid certificate doesn't sneak through and cause problems down the road - and it'll also ensure that each source provides at least one valid PEM certificate, so you don't think that you added a new item to the trust store only to discover it was ignored!
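The following Go program is an added illustration of the kind of validation described above; it is not trust-manager's own code. It walks a PEM bundle block by block, keeps only CERTIFICATE blocks whose DER payload parses as X.509, re-encodes the survivors, and reports an error when a source yields no valid certificate at all, so a broken or empty source is surfaced rather than silently ignored. The sample bundle (two throwaway self-signed CAs generated at runtime, a CERTIFICATE block wrapping non-DER bytes, a stray private key, and free text between blocks) is constructed for the example, and the function names are assumptions of this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateAndSanitizePEMBundle keeps only CERTIFICATE blocks whose bytes parse
// as an X.509 certificate. It returns the re-encoded bundle, how many blocks
// were kept and dropped, and an error if no valid certificate was found.
func ValidateAndSanitizePEMBundle(data []byte) (sanitized []byte, kept, dropped int, err error) {
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // skips any non-PEM text before the next block
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			dropped++ // a trust bundle must carry certificates only (no keys, CSRs, ...)
			continue
		}
		if _, perr := x509.ParseCertificate(block.Bytes); perr != nil {
			dropped++ // valid PEM framing around bytes that are not a certificate
			continue
		}
		// Re-encode from DER so input headers or odd wrapping do not leak through.
		sanitized = append(sanitized, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes})...)
		kept++
	}
	if kept == 0 {
		return nil, 0, dropped, errors.New("source contains no valid PEM certificates")
	}
	return sanitized, kept, dropped, nil
}

// newSelfSignedCAPEM builds a throwaway self-signed CA so the example runs
// offline; the private key is discarded. Constructed test data only.
func newSelfSignedCAPEM(commonName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildSampleBundle assembles a constructed source mixing two good CA
// certificates with typical mistakes: a CERTIFICATE block around non-DER bytes,
// a private key pasted by accident, and comments between blocks.
func BuildSampleBundle() ([]byte, error) {
	good1, err := newSelfSignedCAPEM("Example Root CA 1")
	if err != nil {
		return nil, err
	}
	good2, err := newSelfSignedCAPEM("Example Root CA 2")
	if err != nil {
		return nil, err
	}
	var bundle []byte
	bundle = append(bundle, "# constructed trust bundle containing mistakes\n"...)
	bundle = append(bundle, good1...)
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("this is not DER")})...)
	bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: []byte{0x30, 0x03, 0x02, 0x01, 0x01}})...)
	bundle = append(bundle, "some trailing comment\n"...)
	bundle = append(bundle, good2...)
	return bundle, nil
}

func main() {
	bundle, err := BuildSampleBundle()
	if err != nil {
		panic(err)
	}
	_, kept, dropped, err := ValidateAndSanitizePEMBundle(bundle)
	fmt.Printf("kept %d certificate(s), dropped %d invalid block(s), err=%v\n", kept, dropped, err)
	_, _, _, err = ValidateAndSanitizePEMBundle([]byte("no certificates here"))
	fmt.Println("empty source:", err)
}
```

Running the sanitized output through the function a second time drops nothing, which is a cheap self-check that the re-encoding step produces what it claims to.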
Better OpenShift Support
trust-manager was previously difficult to use in some OpenShift and Kubernetes environments due to a missing permission in its ClusterRole, relating to Bundle finalizers.
We've now added that permission which should make it much easier to run trust-manager in more environments, including OpenShift and Kubernetes environments which set the OwnerReferencesPermissionEnforcement admission controller!
What's Changed
- Prefix release version with 'v' by @irbekrm in #68
- Add a static bundle sidecar container build by @SgtCoDFish in #73
- Update docker config to use a trust-manager-specific token by @SgtCoDFish in #74
- ✨ Add PEM verification function by @SgtCoDFish in #75
- Put seccomp behind a flag by @xrl in #70
- Fix broken link and old name references by @hdeadman in #78
- Fix incorrect variable reference which was missed in #77 by @SgtCoDFish in #80
- Pass GOPROXY to build environment by @SgtCoDFish in #79
- Fix logic error in trust-manager tests by @SgtCoDFish in #84
- Upgrade to ginkgo v2 + refactor several aspects of integration tests by @SgtCoDFish in #85
- ✨ Bundles with a sidecar container by @SgtCoDFish in #46
- Fix the MultiScopedCache by @inteon in #90
- Remove type from trust packages + add validation on package build by @SgtCoDFish in #88
- Validate CA package during build by @SgtCoDFish in #93
- Fix non-cached client by @inteon in #92
- Integration test tweaks by @SgtCoDFish in #86
- fix typo by @SgtCoDFish in #95
- Helm tweaks + better makefile "ensure" by @SgtCoDFish in #97
- Readme tweak taken from website#1160 by @SgtCoDFish in #103
- Rename '_test.go' suffix to test file by @inteon in #104
- Remove deprecated v1beta1 admission review version by @SgtCoDFish in #105
- Upgrade go dependencies by @inteon in #106
- Use a source and a target cache instead of a MultiScopedCache by @inteon in #107
- Make CRD installation optional by @maxsargentdev in #102
- ✨ Add missing permission to update bundle finalizers by @SgtCoDFish in #109 (thanks also to @wallrj!)
- Bumps + doc updates for 0.4.0 by @SgtCoDFish in #110
- Review suggestion for README by @SgtCoDFish in #111
New Contributors
- @irbekrm made their first contribution in #68
- @xrl made their first contribution in #70
- @hdeadman made their first contribution in #78
- @maxsargentdev made their first contribution in #102
Full Changelog: v0.3.0...v0.4.0
Note: The container images for this release are built against the v0.4.0 tag, as expected. The Helm chart is actually built against a following commit, since a required update to values.yaml had been missed (#114).
We didn't want to change the tag once it had been published, so we agreed this was the best way to proceed!
v0.3.0
What's Changed
- Update Eventually timeout to be 10s by @JoshVanL in #57
- Rename to trust-manager by @inteon in #64
- Update Certificate resource to include issuerRef and group. by @sitaramkm in #65
- Rename trust to trust-manager in README.md by @inteon in #66
- #14 Updating the apiVersion to v2 by @joscabmar in #61
- Release v0.3.0 by @inteon in #67
New Contributors
- @inteon made their first contribution in #64
- @sitaramkm made their first contribution in #65
- @joscabmar made their first contribution in #61
Full Changelog: v0.2.0...v0.3.0
v0.2.0
What's Changed
- Adds design doc for bundle CRD by @JoshVanL in #2
- Update OWNERS + Fix broken HTML by @SgtCoDFish in #9
- Update logo + link by @SgtCoDFish in #18
- feat: add image pull secrets to service account by @Jaxwood in #15
- Updates Dockerfile to use go v1.18 by @JoshVanL in #20
- Updates reference to jetstack/cert-manager to cert-manager/cert-manager in SECURITY.md by @JoshVanL in #22
- Makefile: go vet by @JoshVanL in #21
- Adds better WithName to logger to improve structure by @JoshVanL in #26
- Use the trust namespace as the namespace where the role and rolebinding are created in by @JoshVanL in #27
- Updates go modules and updates go version to v1.18 by @JoshVanL in #19
- Use smaller cert-manager logo by @SgtCoDFish in #30
- Removes docs from repo in favour of using cert-manager.io by @JoshVanL in #31
- docs: correct broken link to documentation by @erikgb in #34
- Add chart building + ensure BINDIR is created when running targets by @SgtCoDFish in #38
- Bundle: namespaceSelector by @JoshVanL in #37
- Increase timeout for bundle integration tests for desired state from 10s to 30s by @JoshVanL in #41
- Fix copy paste errors, add warning to readme by @SgtCoDFish in #45
- add restrictive securitycontext for controller pod by @SgtCoDFish in #47
- Updates Helm chart version to v0.1.2 by @JoshVanL in #48
- Update go to v1.19 by @JoshVanL in #50
- Use FROM scratch for base image by @JoshVanL in #51
- Remove same bundle target key validation check by @JoshVanL in #32
- Update tag to v0.2.0 ready for release by @JoshVanL in #52
New Contributors
- @SgtCoDFish made their first contribution in #9
- @Jaxwood made their first contribution in #15
- @erikgb made their first contribution in #34
Full Changelog: v0.1.0...v0.2.0
v0.1.0
Initial Release
trust is an operator for distributing trust bundles across a Kubernetes cluster. trust is designed to complement cert-manager by enabling services to trust X.509 certificates signed by Issuers, as well as external CAs which may not be known to cert-manager at all.