v0.7.0
trust-manager is the easiest way to manage security-critical trust bundles in Kubernetes and OpenShift clusters.
v0.7.0 adds a huge variety of changes; chief among them is support for writing trust bundles to Kubernetes Secret resources, as well as support for optionally writing a PKCS#12 trust store to the target.
We also added support for server side apply and made a variety of improvements, tweaks and patches.
What's Changed
-
Add Secret target support
- feat: support secret as a target by @Jiawei0227 in #193
- BUGFIX: fix bugs in validation logic for secret target & add tests by @inteon in #212
- BUGFIX: support switching between target types by @inteon in #211
- fix: should not have have read access to all secrets when secret targets disabled by @erikgb in #207
- Cleanup patch functions Secret and ConfigMap targets by @inteon in #210
-
Support PKCS12 truststores
-
Switch to SSA
- Refactor util functions in preparation for SSA by @inteon in #170
- Fix BundleStatus go definition in preparation for SSA by @inteon in #173
- Use SSA by @inteon in #89
- BUGFIX: fix migration from csa to ssa by @inteon in #178
- Fix SSA migration field managers by @erikgb in #189
- fix: add missing RBAC for CSA->SSA migration of bundles/status by @erikgb in #191
- FIX: For CSA to SSA migration, we need UPDATE permission on the resource (not the sub-resource) by @inteon in #218
-
Helm chart improvements
- Add new optional registry and digest Helm values by @erikgb in #154
- HELM: add options for configuring image by @inteon in #179
- Update kubeVersion to allow for eks metadata at end of kubernetes ver… by @dsand1234 in #182
- Add extra information to the Chart.yaml file by @inteon in #190
- Allow enabling hostNetwork mode in Helm chart by @cablespaghetti in #156
- allow setting namespace for helm chart by @vinny-sabatini in #198
- Make seccompProfile optional in initContainer by @aelbarkani in #118
- add a CN for the trust-manager certificate by @SgtCoDFish in #201
- Allow configuring of the priorityClass by @WatcherWhale in #176
- Use proper namespace for webhook by @joemccall86 in #215
- Allow user to specify the name of cert-manager's ServiceAccount by @SgtCoDFish in #174
-
Dependency upgrades:
- Vendor dependencies correctly by @SgtCoDFish in #194
- Upgrade to kubernetes 1.28 & c/r 0.16 by @inteon in #161
- ci: verify all generated files are up-to-date by @erikgb in #166
- Move from k8s.io/utils/pointer to k8s.io/utils/ptr by @inteon in #171
- Fix misinterpretation, ByObject cache settings are GVK specific by @inteon in #172
- Enable dependabot updates by @inteon in #197
- Bump the all group with 7 updates by @dependabot in #202
- Bump the all group with 1 update by @dependabot in #206
- Remove patch versions from go directives by @SgtCoDFish in #209
- Upgrade go to 1.21 by @inteon in #204
-
Cleanup, refactor and bugfixes
- Filter resources triggered by namespace by @inteon in #169
- Refactor bundle controller setup by @erikgb in #185
- Cleanup controller bootstrap by @erikgb in #188
- Add certificates deduplication feature by @arsenalzp in #184
- Update a couple of instances of the old project name by @SgtCoDFish in #192
- Fix build on macOS / values.yaml wording tweaks by @SgtCoDFish in #200
New Contributors
Thank you to all of the many new contributors for this release - it's awesome to see such a long list of names ❤️
- @dsand1234 made their first contribution in #182
- @arsenalzp made their first contribution in #184
- @cablespaghetti made their first contribution in #156
- @vinny-sabatini made their first contribution in #198
- @Jiawei0227 made their first contribution in #193
- @aelbarkani made their first contribution in #118
- @dependabot made their first contribution in #202
- @WatcherWhale made their first contribution in #176
- @joemccall86 made their first contribution in #215
Full Changelog: v0.6.0...v0.7.0
Contributors
erikgb, SgtCoDFish, and 10 other contributors