artifacthub helm/cert-manager/trust-manager 0.4.0
v0.4.0

latest releases: 0.13.0, 0.12.0, 0.11.1...
21 months ago

trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.

This enables much easier cloud native private PKI while enabling easier updates of trusted certificates across your entire estate.

Major Features

Publicly Trusted Certificate Bundles

The most important new feature in v0.4.0 is the addition of publicly trusted certificate bundles!

By simply adding the useDefaultCAs: true source to your Bundle resource, you can include a publicly trusted bundle of certificates. This is similar to building your container with a Debian or "distroless" base image, and will allow most pods which use trust-manager generated certificate bundles to "just work" with most services today.

These bundles have been designed so that they can be updated separately to trust-manager, allowing you to keep running trust-manager while ensuring you have the latest CA bundle included.

trust-manager is now much easier to use as the single place for all trust management in a cluster; you don't need to bake bundles into your containers, which in turn means you no longer need to worry about rebuilding your entire container estate when your base image is updated to include a new trust bundle.

PEM Certificate Verification

Today, trust-manager entirely relies upon PEM certificates for creating and generating trust bundles. Longer term (see #98 !) we'd like to
support more types of input and output formats, but today we have PEM.

PEM is a reasonably simple format, but it can still be done wrong in many ways which might not comply with the standard - which in turn could mean that your certificates might not work when you need them to.

trust-manager now attempts to validate all input it receives so that an invalid certificate doesn't sneak through and cause problems down the road - and it'll also ensure that each source provides at least one valid PEM certificate, so you don't think that you added a new item to the trust store only to discover it was ignored!

Better OpenShift Support

trust-manager was previously difficult to use in some OpenShift and Kubernetes environments due to a missing permission in its ClusterRole, relating to Bundle finalizers.

We've now added that permission which should make it much easier to run trust-manager in more environments, including OpenShift and Kubernetes environments which set the OwnerReferencesPermissionEnforcement admission controller!

What's Changed

New Contributors

Full Changelog: v0.3.0...v0.4.0

Note: The container images for this release are built against the v0.4.0 tag, as expected. The Helm chart is actually built against a following commit, since a required update to values.yaml had been missed (#114 ).

We didn't want to change the tag once it had been published, so we agreed this was the best way to proceed!

Don't miss a new trust-manager release

NewReleases is sending notifications on new releases.