artifacthub helm/cert-manager/trust-manager 0.15.0
v0.15.0


trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

The most important changes in this release are a slew of version bumps, with some important consequences for how trust-manager parses certificates.

trust-manager v0.15.0 uses Go 1.23, which by default disallows parsing of certificates with negative serial numbers. Most certificates are unaffected by this, since a negative serial number would be in violation of relevant standards and specs.

Unfortunately, some legacy certificates are not compliant, and there are certificates in the wild with negative serial numbers including one certificate which appears in the trust-manager default trust package (since it was included in Debian 10).

We've decided to make this certificate a special case and ignore it when it's included in a bundle. While it's still present in the trust package container image, it will be ignored when the cert-manager-package-debian:20210119.0 package is used or if it is manually included. Each time it's ignored, a log line like the following is emitted:

time=2025-01-13T11:37:10.034Z level=INFO msg="skipping a certificate in PEM bundle for compatibility reasons" logger=trust/bundle/cert-pool details="cert in bundle with CN=EC-ACC and fingerprint '88497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799' has negative serial number and will be skipped"

If you depend on trusting certs with negative serial numbers, support for them can be re-enabled at runtime by setting the GODEBUG environment variable to x509negativeserial=1 in the trust-manager container:

        env:
        - name: GODEBUG
          value: x509negativeserial=1

If this value is not set (the default behavior), every cert with a negative serial number will cause an error on the bundle, except for the special-case certificate above, which will be skipped.
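The following Go program is an added example, not trust-manager's own code, that makes the behaviour described above concrete: it constructs a certificate whose serial number is negative, shows how crypto/x509 treats it under the two GODEBUG settings, and implements a bundle loader that skips one known-fingerprint certificate with a log line rather than failing the whole bundle. The certificate, its fingerprint and the skip list are constructed here; the fingerprint is assumed to be the hex SHA-256 of the DER certificate (the 64-hex-digit format in the log line above), and the function names are this example's, not the project's.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"strings"
	"time"
)

// fingerprint is the hex SHA-256 of the DER certificate (assumed to match the log line's format).
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// negativeSerialBundle builds a self-signed certificate (constructed test data), patches its DER so
// the serial number becomes -1, and returns it as a one-cert PEM bundle plus its fingerprint.
// CreateCertificate refuses negative serials, so the sign bit is set in the already-encoded INTEGER;
// the signature then no longer matches, but ParseCertificate does not verify signatures.
func negativeSerialBundle() (pemBundle []byte, fp string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x7f), // encodes as INTEGER 02 01 7f
		Subject:      pkix.Name{CommonName: "legacy-negative-serial (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	// Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version, serialNumber INTEGER, ... }, ... }
	var cert struct {
		TBS struct {
			Version int `asn1:"optional,explicit,default:0,tag:0"`
			Serial  asn1.RawValue
		}
	}
	if _, err := asn1.Unmarshal(der, &cert); err != nil {
		return nil, "", err
	}
	off := bytes.Index(der, cert.TBS.Serial.FullBytes)
	if off < 0 || len(cert.TBS.Serial.Bytes) != 1 {
		return nil, "", fmt.Errorf("unexpected serial encoding % x", cert.TBS.Serial.FullBytes)
	}
	der[off+2] = 0xff // 02 01 ff is two's-complement -1, same length as before
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), fingerprint(der), nil
}

// loadBundle parses every CERTIFICATE block in a PEM bundle. A certificate whose fingerprint is in
// knownSkips and fails only because of a negative serial is logged and dropped; any other failure
// fails the whole bundle. This mirrors the release-note behaviour; it is not trust-manager's code.
func loadBundle(pemBundle []byte, knownSkips map[string]bool) (certs []*x509.Certificate, skipped int, err error) {
	for rest := pemBundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return certs, skipped, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr == nil {
			certs = append(certs, cert)
			continue
		}
		fp := fingerprint(block.Bytes)
		if !knownSkips[fp] || !strings.Contains(perr.Error(), "negative serial") {
			return nil, skipped, fmt.Errorf("cert with fingerprint %s: %w", fp, perr)
		}
		fmt.Printf("skipping a certificate in PEM bundle for compatibility reasons: fingerprint %s has negative serial number\n", fp)
		skipped++
	}
}

func main() {
	bundle, fp, err := negativeSerialBundle()
	if err != nil {
		panic(err)
	}
	for _, mode := range []string{"x509negativeserial=0", "x509negativeserial=1"} {
		// The Go runtime re-reads GODEBUG on os.Setenv, so this stands in for the container env var.
		os.Setenv("GODEBUG", mode)
		certs, skipped, err := loadBundle(bundle, map[string]bool{fp: true})
		fmt.Printf("GODEBUG=%s: %d parsed, %d skipped, err=%v\n", mode, len(certs), skipped, err)
	}
}
```

With `x509negativeserial=0` (the Go 1.23 default) the constructed certificate is rejected by ParseCertificate and, because its fingerprint is on the skip list, dropped with a log line; with `x509negativeserial=1` it parses and its SerialNumber is -1. Two caveats for anyone reproducing this: Go's default for a GODEBUG setting also depends on the `go` directive in the main module's go.mod, so a module declaring an older Go version keeps the pre-1.23 behaviour even on a 1.23 toolchain, and a skip-by-fingerprint list only protects bundles against the specific certificates it names, so any other non-compliant certificate still fails the bundle unless the override is set.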

What's Changed

Important Changes

  • Bump to Go 1.23 (and allow certificates with negative serial numbers) by @erikgb in #511
  • Add special case handling of cert with negative serial number by @SgtCoDFish in #515

Makefile Modules Bumps, Fixes and Tweaks

  • Remove unused Makefile variables by @erikgb in #494
  • Manual makefile modules update by @SgtCoDFish in #516
  • Add Helm chart OCI release to GH automation by @inteon in #506
  • Add 'fetch-depth: 0' to Debian trust bundle GH checkout action by @inteon in #523
  • [CI] Merge self-upgrade-main into main by @github-actions in #498
  • [CI] Merge self-upgrade-main into main by @github-actions in #500
  • build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #502
  • [CI] Merge self-upgrade-main into main by @github-actions in #504
  • [CI] Merge self-upgrade-main into main by @github-actions in #505
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #509
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #519
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #520
  • [CI] Merge self-upgrade-main into main by @github-actions in #525
  • [CI] Merge self-upgrade-main into main by @github-actions in #529

Dependency Bumps / Miscellaneous Changes

  • Update readme to better reflect project status today by @SgtCoDFish in #508
  • build(deps): Bump the all group with 5 updates by @dependabot in #507
  • build(deps): Bump the all group across 1 directory with 9 updates by @dependabot in #524
  • build(deps): Bump sigs.k8s.io/controller-runtime from 0.19.3 to 0.19.4 in the all group by @dependabot in #527

Full Changelog: v0.14.0...v0.15.0
