trust-manager is the easiest way to manage trust bundles in Kubernetes and OpenShift clusters.
It makes running a cloud native private PKI simpler, and makes it easier to roll out updates to trusted certificates across your entire estate.
Major Features
Publicly Trusted Certificate Bundles
The most important new feature in v0.4.0 is the addition of publicly trusted certificate bundles!
By simply adding the `useDefaultCAs: true` source to your `Bundle` resource, you can include a publicly trusted bundle of CA certificates in the generated trust bundle. This is similar to the system CA store you get by building your container on a Debian or "distroless" base image, and will allow most pods which use trust-manager generated certificate bundles to "just work" with most public services today.
These bundles are shipped separately from trust-manager (as a sidecar container image, see #46 and #73), so they can be updated independently: you can keep running the same trust-manager release while still picking up the latest CA bundle.
trust-manager is now much easier to use as the single place for all trust management in a cluster. You don't need to bake CA bundles into your containers, which in turn means you no longer need to rebuild your entire container estate when your base image is updated with a new trust bundle.
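As an added example (not taken from these release notes or the project's documentation), here is a Bundle that combines the new default CA source with a private root CA read from a ConfigMap. The names `example-trust` and `my-private-ca` and the key names are placeholders; the API version is the `v1alpha1` this release uses:

```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: example-trust        # the target ConfigMap in each namespace gets this name
spec:
  sources:
  # New in v0.4.0: the publicly trusted CA bundle shipped alongside trust-manager
  - useDefaultCAs: true
  # Your own private root, read from the trust namespace (default: cert-manager)
  - configMap:
      name: my-private-ca
      key: root-ca.pem
  target:
    configMap:
      key: ca-bundle.pem     # key under which the merged PEM bundle is written
```

Two things worth checking before relying on this: source ConfigMaps and Secrets are read only from trust-manager's trust namespace, not from the namespace of the pod that consumes the bundle, and the target ConfigMap is written to every namespace in the cluster. With the PEM verification also introduced in this release, a `root-ca.pem` that contains no valid certificate causes the Bundle to be rejected rather than quietly producing a bundle that holds only the public CAs.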
PEM Certificate Verification
Today, trust-manager relies entirely on PEM-encoded certificates as both the input to and the output of its trust bundles. Longer term (see #98!) we'd like to support more input and output formats, but today we have PEM.
PEM is a reasonably simple format, but it can still be produced incorrectly in many ways that don't comply with the standard, which in turn could mean that your certificates don't work when you need them to.
trust-manager now validates all the PEM input it receives, so that an invalid certificate doesn't sneak through and cause problems down the road. It also checks that each source provides at least one valid PEM certificate, so you won't think you added a new item to the trust store only to discover it was silently ignored.
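To make the failure modes concrete, here is an added example of a strict PEM bundle validator written in Go (the project's language). It is illustrative code, not trust-manager's own implementation: it rejects non-`CERTIFICATE` blocks, PEM headers and undecodable DER instead of skipping them, fails when a source yields no certificate at all, and re-encodes the survivors canonically. The self-signed CA and the junk inputs are constructed inline so it runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidatePEMBundle walks every PEM block in data and returns a re-encoded bundle
// containing only well-formed CERTIFICATE blocks, plus the number of certificates
// kept. It fails closed: a block of any other type, a block carrying PEM headers,
// or a CERTIFICATE block whose DER does not parse as X.509 is an error rather than
// being skipped, and an input with no valid certificate is also an error, so a
// source that contributes nothing to the trust store is reported, not ignored.
// Illustrative validator for this article, not trust-manager's own code.
func ValidatePEMBundle(data []byte) ([]byte, int, error) {
	var out []byte
	count := 0
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // pem.Decode skips any non-PEM text before a block
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, 0, fmt.Errorf("only CERTIFICATE blocks are permitted, found %q", block.Type)
		}
		if len(block.Headers) != 0 {
			return nil, 0, errors.New("PEM headers are not permitted in a certificate bundle")
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return nil, 0, fmt.Errorf("CERTIFICATE block %d is not a valid X.509 certificate: %w", count+1, err)
		}
		// Re-encode so the output is canonical (64-column base64, LF line endings,
		// no headers) regardless of how the input was formatted.
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes})...)
		count++
	}
	if count == 0 {
		return nil, 0, errors.New("no valid PEM certificates found in source")
	}
	return out, count, nil
}

// selfSignedCAPEM generates a throwaway self-signed CA certificate so the example
// runs offline. Constructed test data only, not a real CA.
func selfSignedCAPEM(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Constructed inputs: one good source and three that a strict validator must reject.
	good := append(selfSignedCAPEM("Example Root A"), selfSignedCAPEM("Example Root B")...)
	inputs := []struct {
		name string
		data []byte
	}{
		{"two valid CAs", good},
		{"not PEM at all", []byte("this configmap key holds no certificate\n")},
		{"garbage DER", []byte("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")},
		{"wrong block type", []byte("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")},
	}
	for _, in := range inputs {
		_, n, err := ValidatePEMBundle(in.data)
		fmt.Printf("%-16s -> certs=%d err=%v\n", in.name, n, err)
	}
}
```

The design choice worth noting is that anything unexpected is an error rather than a skip: silently dropping a malformed block is exactly how a source ends up "ignored" without anyone noticing. Text outside PEM blocks (a comment line, say) is tolerated because `pem.Decode` skips it, and CRLF line endings are normalised by the re-encode.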
Better OpenShift Support
trust-manager was previously difficult to use in some OpenShift and Kubernetes environments due to a missing permission in its `ClusterRole`, relating to `Bundle` finalizers.
We've now added that permission (`update` on the `bundles/finalizers` subresource, #109), which should make it much easier to run trust-manager in more environments. This includes OpenShift, and any Kubernetes cluster which enables the `OwnerReferencesPermissionEnforcement` admission controller: that controller only lets a client set `blockOwnerDeletion` on an owner reference if it can update the owner's finalizers subresource, so trust-manager's target ConfigMaps, which carry an owner reference back to their `Bundle`, could not be created there without this rule.
What's Changed
- Prefix release version with 'v' by @irbekrm in #68
- Add a static bundle sidecar container build by @SgtCoDFish in #73
- Update docker config to use a trust-manager-specific token by @SgtCoDFish in #74
- ✨ Add PEM verification function by @SgtCoDFish in #75
- Put seccomp behind a flag by @xrl in #70
- Fix broken link and old name references by @hdeadman in #78
- Fix incorrect variable reference which was missed in #77 by @SgtCoDFish in #80
- Pass GOPROXY to build environment by @SgtCoDFish in #79
- Fix logic error in trust-manager tests by @SgtCoDFish in #84
- Upgrade to ginkgo v2 + refactor several aspects of integration tests by @SgtCoDFish in #85
- ✨ Bundles with a sidecar container by @SgtCoDFish in #46
- Fix the MultiScopedCache by @inteon in #90
- Remove type from trust packages + add validation on package build by @SgtCoDFish in #88
- Validate CA package during build by @SgtCoDFish in #93
- Fix non-cached client by @inteon in #92
- Integration test tweaks by @SgtCoDFish in #86
- fix typo by @SgtCoDFish in #95
- Helm tweaks + better makefile "ensure" by @SgtCoDFish in #97
- Readme tweak taken from website#1160 by @SgtCoDFish in #103
- Rename '_test.go' suffix to test file by @inteon in #104
- Remove deprecated v1beta1 admission review version by @SgtCoDFish in #105
- Upgrade go dependencies by @inteon in #106
- Use a source and a target cache instead of a MultiScopedCache by @inteon in #107
- Make CRD installation optional by @maxsargentdev in #102
- ✨ Add missing permission to update bundle finalizers by @SgtCoDFish in #109 (thanks also to @wallrj !)
- Bumps + doc updates for 0.4.0 by @SgtCoDFish in #110
- Review suggestion for README by @SgtCoDFish in #111
New Contributors
- @irbekrm made their first contribution in #68
- @xrl made their first contribution in #70
- @hdeadman made their first contribution in #78
- @maxsargentdev made their first contribution in #102
Full Changelog: v0.3.0...v0.4.0
Note: The container images for this release are built against the v0.4.0 tag, as expected. The Helm chart is actually built against a later commit, since a required update to `values.yaml` had been missed (#114). We didn't want to change the tag once it had been published, so we agreed this was the best way to proceed!