Releases: cert-manager/approver-policy

v0.15.2

25 Sep 10:03
1f0dc99

approver-policy provides a policy engine for certificates issued by cert-manager!

This release upgrades Go dependencies and tooling.

What's Changed

Dependency upgrades:

  • Bump sigs.k8s.io/controller-runtime to 0.19.0 by @erikgb in #487
  • build(deps): bump k8s.io/cli-runtime from 0.30.3 to 0.31.0 in the all group across 1 directory by @dependabot in #488
  • build(deps): bump github.com/prometheus/client_golang from 1.20.0 to 1.20.1 in the all group by @dependabot in #489
  • build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #494
  • build(deps): bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group by @dependabot in #497
  • build(deps): bump the all group with 6 updates by @dependabot in #500
  • build(deps): bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group by @dependabot in #501

Makefile modules:

  • [CI] Merge self-upgrade-main into main by @github-actions in #485
  • [CI] Merge self-upgrade-main into main by @github-actions in #492
  • [CI] Merge self-upgrade-main into main by @github-actions in #495
  • [CI] Merge self-upgrade-main into main by @github-actions in #496
  • [CI] Merge self-upgrade-main into main by @github-actions in #498
  • [CI] Merge self-upgrade-main into main by @github-actions in #499
  • [CI] Merge self-upgrade-main into main by @github-actions in #502
  • [CI] Merge self-upgrade-main into main by @github-actions in #503

Full Changelog: v0.15.1...v0.15.2

v0.15.1

16 Aug 09:00
14bf66b

This patch release fixes a bug in the dynamic webhook TLS certificate generator:

  • BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This causes the webhook TLS server to fail to renew its CA certificate. Please upgrade before the expiration of this CA certificate is reached.
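An added example, not approver-policy's own code (the page does not describe the faulty calculation): a renewal-due check for a webhook root CA that uses only integer time.Duration arithmetic, treats an expired or malformed validity window as due, and is exercised against a throwaway self-signed CA standing in for the dynamically generated root. The fallback to one third of the lifetime when renewBefore is unset is an assumption modelled on cert-manager's convention.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalDue returns the instant from which a certificate valid over
// [notBefore, notAfter] is due for renewal and whether "now" has reached it.
// Renewal is due renewBefore ahead of NotAfter; zero or out-of-range falls back
// to a third of the lifetime (assumed, after cert-manager's convention).
func RenewalDue(notBefore, notAfter, now time.Time, renewBefore time.Duration) (time.Time, bool) {
	lifetime := notAfter.Sub(notBefore)
	if renewBefore <= 0 || renewBefore >= lifetime {
		renewBefore = lifetime / 3
	}
	renewAfter := notAfter.Add(-renewBefore)
	return renewAfter, lifetime <= 0 || !now.Before(renewAfter) // malformed or expired window is always due
}

// NewSelfSignedCA mints a throwaway CA (constructed test data) with the given validity window.
func NewSelfSignedCA(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-webhook-ca"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2024, 8, 1, 0, 0, 0, 0, time.UTC)
	ca, err := NewSelfSignedCA(start, start.Add(90*24*time.Hour)) // 90-day root, constructed
	if err != nil {
		panic(err)
	}
	for _, day := range []int{10, 59, 60, 91} { // days elapsed since NotBefore
		_, due := RenewalDue(ca.NotBefore, ca.NotAfter, start.AddDate(0, 0, day), 0)
		fmt.Printf("day %2d: due=%v\n", day, due)
	}
}
```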

See v0.15.0 for more changes that are included in this minor release.

What's Changed

  • Upgrade cert-manager go dependency from v1.15.2 to v1.15.3 by @inteon in #483

Dependabot:

  • build(deps): bump the all group with 2 updates by @dependabot in #472
  • build(deps): bump the all group with 2 updates by @dependabot in #473
  • build(deps): bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 in the all group by @dependabot in #476

Makefile modules:

  • [CI] Merge self-upgrade-main into main by @github-actions in #474
  • [CI] Merge self-upgrade-main into main by @github-actions in #475
  • [CI] Merge self-upgrade-main into main by @github-actions in #477
  • [CI] Merge self-upgrade-main into main by @github-actions in #480

Full Changelog: v0.15.0...v0.15.1

v0.15.0

25 Jul 19:08
6763400

What's Changed

  • Helm: set linux nodeSelector by default by @inteon in #442
  • docs: create RELEASE.md documenting release process by @ThatsMrTalbot in #443
  • Add support for JSON logging format by @erikgb in #456
  • add webhook cert configs by @rgodha in #462
  • BUGFIX: Avoid duplicate Prometheus scrape targets by using a named port in the ServiceMonitor by @wallrj in #471

Dependabot:

  • build(deps): bump the all group with 6 updates by @dependabot in #445
  • chore(deps): bump github.com/cert-manager/cert-manager to v1.15.0 by @erikgb in #453
  • build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #454
  • build(deps): bump google.golang.org/protobuf from 1.34.1 to 1.34.2 in the all group by @dependabot in #457
  • build(deps): bump the all group across 1 directory with 8 updates by @dependabot in #460
  • build(deps): bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #461
  • build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 in the go_modules group by @dependabot in #464
  • build(deps): bump the all group with 6 updates by @dependabot in #469

Makefile modules:

  • [CI] Merge self-upgrade-main into main by @github-actions in #444
  • [CI] Merge self-upgrade-main into main by @github-actions in #446
  • [CI] Merge self-upgrade-main into main by @github-actions in #455
  • [CI] Merge self-upgrade-main into main by @github-actions in #463
  • [CI] Merge self-upgrade-main into main by @github-actions in #465
  • [CI] Merge self-upgrade-main into main by @github-actions in #467
  • [CI] Merge self-upgrade-main into main by @github-actions in #468
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #470

Full Changelog: v0.14.1...v0.15.0

v0.14.1

13 May 12:49
160b242

This patch release upgrades the Go version used to build from 1.22.2 to 1.22.3, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r).

Additionally, this release includes version bumps for all Go dependencies.

Version bumps

  • build(deps): bump the all group with 8 updates by @dependabot in #430
  • build(deps): bump github.com/cert-manager/cert-manager from 1.14.4 to 1.14.5 in the all group by @dependabot in #431
  • build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #436
  • build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #439
  • build(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 in the all group by @dependabot in #441

Full Changelog: v0.14.0...v0.14.1

v0.14.0

23 Apr 13:19
5ec34d8

v0.14.0 includes a big quality-of-life improvement to the Helm chart which makes approver-policy much easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer.

Previously, approver-policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value. This was commonly forgotten leading to confusing errors and a lot of time spent debugging.

Now, by default, approver-policy can be used with all issuers. It's still possible to restrict the list if you want to, but we'd expect that doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should need to take no action.

Read Before Upgrading: New Signer Permissions

The new signer permissions described above will take effect by default upon upgrading to approver-policy v0.14.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the below scenarios fits your use case to determine if you need to take any action:

Scenario 1: No Custom approveSignerNames

If you didn't previously set a value for approveSignerNames then the list of issuers usable by approver-policy would've been restricted to only the built-in issuers. When upgrading to v0.14.0, that list will expand to include all possible issuers.

If you're happy for approver-policy to be able to approve for all issuers, no action is required. Most users should fall into this category.

If you for some reason do not want to allow approver-policy to handle approval for certificates signed by external issuers but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.

Scenario 2: Custom app.approveSignerNames

If you're already using external issuers with approver-policy you'll have already set a custom value for approveSignerNames.

If you're happy for approver-policy to be able to approve for all issuers, you should remove your custom value for approveSignerNames and use the new default.

If you wish to keep restrictions in place, you can leave your custom value in place.

Why would I restrict approveSignerNames?

We changed the default because we believe the arguments for doing this are generally niche. It makes sense to restrict this value if you have external issuers installed and you want to limit the issuers which approver-policy is able to approve for. This would imply that you have some other approver running in your cluster which should apply to some issuers.

We believe that for most users it's fine to accept the new default of allowing access for approver-policy to all issuers.

What's Changed

  • 🚀 Default to allowing all signers for approval by @SgtCoDFish in #416
  • Add design for allowing all signers by default by @SgtCoDFish in #415
  • Update the go module and replace oci-image with oci-build and oci-publish by @inteon in #412
  • Fix linters by @inteon in #413

Dependency Bumps / Other

  • build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 in the go_modules group by @dependabot in #425
  • build(deps): bump the all group with 2 updates by @dependabot in #408
  • build(deps): bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #420
  • Upgrade repository-base module by @inteon in #426

Full Changelog: v0.13.1...v0.14.0

v0.13.1

26 Mar 15:57
135f48c

What's Changed Since v0.13.0

  • The Helm chart now lets you configure an HTTP proxy using the variables http_proxy, https_proxy, and no_proxy. If you are using the upstream version of approver-policy, this may not be useful to you. These variables are useful for projects that build plugins on top of approver-policy and make HTTP calls to the internet. (@maelvls, #409)
  • The Helm chart now allows you to configure the priorityClassName field. (@wallrj, #403)
  • The vulnerability GO-2024-2611 (CVE-2024-24786) was fixed by upgrading to google.golang.org/protobuf@v1.33.0. (@wallrj, #398)

Full Changelog: v0.13.0...v0.13.1

v0.13.0

06 Mar 12:22
c81e4a5

🔧 Breaking changes

By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs.
This prevents accidental deletion of CRDs when uninstalling the component using Helm.
However, this also introduces an additional uninstallation step:

$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

You can prevent the annotation from being added by passing '--set crds.keep=false' at installation, and you can exclude the CRDs from the Helm installation entirely by setting '--set crds.enabled=false'.

The Helm chart now has JSON schema validation, to provide better error reporting when the user provides an incorrect set of values for a chart.

What's Changed since v0.12

  • Remove README header since it is already included in the artifacthub sidebar by @inteon in #367
  • Replace tab with spaces in API comment by @inteon in #369
  • docs(api): fenced code block to fix generated API docs by @erikgb in #371
  • docs(api): add ticks to Godoc to fix generated API docs by @erikgb in #372
  • Add 'crds.enabled' and 'crds.keep' options to generated CRDs by @inteon in #376
  • Enable helm-tool linter and schema generator by @inteon in #340
  • Use same include statement for labels everywhere by @inteon in #381
  • Add optional PodDisruptionBudget to the Helm chart by @wallrj in #383
  • Set a size limit on the emptyDir used for /tmp by @wallrj in #384
  • Platform engineer can now set Topology Spread Constraints using a Helm chart value by @wallrj in #385
  • Remove emptydir /tmp volume because it is unused by @wallrj in #386
  • Make all Deployment related Helm values global by @wallrj in #387
  • Allow replicaCount to be set to int or string by @wallrj in #388
  • Document the nameOverride Helm chart value and add it to the JSON schema by @wallrj in #390
  • Added global values to the Helm chart JSON schema validation so that the chart can be used as a sub-chart by @inteon in #391
  • Allow Deployment strategy customization when installing the Helm chart by @wallrj in #396

Makefile modules

  • [CI] Merge self-upgrade into main by @github-actions in #395
  • [CI] Merge self-upgrade into main by @github-actions in #392
  • [CI] Merge self-upgrade into main by @github-actions in #391
  • [CI] Merge self-upgrade into main by @github-actions in #380
  • [CI] Merge self-upgrade into main by @github-actions in #379
  • [CI] Merge self-upgrade into main by @github-actions in #378
  • [CI] Merge self-upgrade into main by @github-actions in #374
  • [CI] Merge self-upgrade into main by @github-actions in #373
  • [CI] Merge self-upgrade into main by @github-actions in #370

Full Changelog: v0.13.0-alpha.2...v0.12.1

v0.13.0-alpha.2

01 Mar 17:37
5f50148
Pre-release

⚠️ Read https://github.com/cert-manager/approver-policy/releases/tag/v0.13.0-alpha.0 before installing.
This release adds values.yaml jsonschema validation to the Helm chart and adds 'crds.enabled' and 'crds.keep' options to control the CRDs in Helm.

🔧 Breaking changes

By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs.
This prevents accidental deletion of CRDs when uninstalling the component using Helm.
However, this also introduces an additional uninstallation step:

$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

You can prevent the annotation from being added by passing '--set crds.keep=false' at installation, and you can exclude the CRDs from the Helm installation entirely by setting '--set crds.enabled=false'.

What's Changed since v0.13.0-alpha.1

  • Document the nameOverride Helm chart value and add it to the JSON schema by @wallrj in #390
  • Added global values to the Helm chart JSON schema validation so that the chart can be used as a sub-chart by @inteon in #391

Makefile modules

  • [CI] Merge self-upgrade into main by @github-actions in #391

Full Changelog: v0.13.0-alpha.1...v0.13.0-alpha.2

v0.13.0-alpha.1

01 Mar 12:38
c1b51af
Pre-release

⚠️ Read https://github.com/cert-manager/approver-policy/releases/tag/v0.13.0-alpha.0 before installing.
This release adds values.yaml jsonschema validation to the Helm chart and adds 'crds.enabled' and 'crds.keep' options to control the CRDs in Helm.

🔧 Breaking changes

By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs.
This prevents accidental deletion of CRDs when uninstalling the component using Helm.
However, this also introduces an additional uninstallation step:

$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

You can prevent the annotation from being added by passing '--set crds.keep=false' at installation, and you can exclude the CRDs from the Helm installation entirely by setting '--set crds.enabled=false'.

What's Changed since v0.13.0-alpha.0

  • Use same include statement for labels everywhere by @inteon in #381
  • Add optional PodDisruptionBudget to the Helm chart by @wallrj in #383
  • Set a size limit on the emptyDir used for /tmp by @wallrj in #384
  • Platform engineer can now set Topology Spread Constraints using a Helm chart value by @wallrj in #385
  • Remove emptydir /tmp volume because it is unused by @wallrj in #386
  • Make all Deployment related Helm values global by @wallrj in #387
  • Allow replicaCount to be set to int or string by @wallrj in #388

Makefile module updates:

  • [CI] Merge self-upgrade into main by @github-actions in #379
  • [CI] Merge self-upgrade into main by @github-actions in #380

Full Changelog: v0.13.0-alpha.0...v0.13.0-alpha.1

v0.13.0-alpha.0

20 Feb 16:22
ecee22b
Pre-release

Read https://github.com/cert-manager/approver-policy/releases/tag/v0.13.0-alpha.0 before installing.
This release adds values.yaml jsonschema validation to the Helm chart and adds 'crds.enabled' and 'crds.keep' options to control the CRDs in Helm.

🔧 Breaking changes

By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs.
This prevents accidental deletion of CRDs when uninstalling the component using Helm.
However, this also introduces an additional uninstallation step:

$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

You can prevent the annotation from being added by passing '--set crds.keep=false' at installation, and you can exclude the CRDs from the Helm installation entirely by setting '--set crds.enabled=false'.

What's Changed

  • Remove README header since it is already included in the artifacthub sidebar by @inteon in #367
  • Replace tab with spaces in API comment by @inteon in #369
  • docs(api): fenced code block to fix generated API docs by @erikgb in #371
  • docs(api): add ticks to Godoc to fix generated API docs by @erikgb in #372
  • Add 'crds.enabled' and 'crds.keep' options to generated CRDs by @inteon in #376
  • Enable helm-tool linter and schema generator by @inteon in #340

Makefile module updates:

  • [CI] Merge self-upgrade into main by @github-actions in #370
  • [CI] Merge self-upgrade into main by @github-actions in #373
  • [CI] Merge self-upgrade into main by @github-actions in #374
  • [CI] Merge self-upgrade into main by @github-actions in #378

Full Changelog: v0.12.1...v0.13.0-alpha.0