github cert-manager/trust-manager v0.17.0

4 months ago

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

v0.17.0 contains many interesting new features, mostly from new contributors recruited from the cert-manager ContribFest event at KubeCon EU 2025. Welcome! 🫶 Special thanks to @terricain for implementing one of our most wanted features: adding labels/annotations to target ConfigMaps/Secrets! 👏 When configuring trust-manager, it is now possible to disable leader election (@KyriosGN0) and set webhook TLS requirements like minimum TLS version and acceptable cipher suites (@arsenalzp). The Helm chart installation now also supports adding common annotations to all resources (@ali-hamza-noor) and extra resources managed by Helm (@TTRCmedia).

⚠️ In this release, target JKS truststores are deprecated and will be removed in our next version of the Bundle/ClusterBundle API. Users requiring truststore support should migrate to target PKCS#12 truststores. The encoding of JKS has been migrated to Java-compliant PKCS#12. This should work with recent Java versions, and has been tested with the latest releases of Java LTS: 8, 11, 17, and 21. But please let us know if you are experiencing any issues with this change! We now also support various PKCS#12 profile options (@terricain), allowing for more compatible and "secure" encoding.

What's Changed

Features

Fixes

Other

  • Change names of actions workflows to be more explicit by @SgtCoDFish in #554
  • Add validating admission integration tests by @erikgb in #562
  • Fix Ginkgo commands by @erikgb in #573
  • Use upstream metav1.Condition instead of our own BundleCondition by @erikgb in #596
  • Add generation of applyconfigurations (again) by @erikgb in #598
  • Introduce ClusterBundle API as a copy of Bundle by @erikgb in #495
  • Improve webhook TLS config configuration by @erikgb in #595
  • Fix slightly misleading PKCS#12 profile API docs by @erikgb in #602
  • Add dependency licenses to repo and OCI image by @inteon in #610
  • Add missing LICENSE file by @inteon in #613

Dependency Updates

  • build(deps): Bump the all group with 5 updates by @dependabot in #557
  • build(deps): Bump the all group with 2 updates by @dependabot in #561
  • build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #566
  • build(deps): Bump the all group across 1 directory with 8 updates by @dependabot in #572
  • build(deps): Bump the all group across 1 directory with 2 updates by @dependabot in #581
  • build(deps): Bump sigs.k8s.io/structured-merge-diff/v4 from 4.6.0 to 4.7.0 in the all group by @dependabot in #599
  • build(deps): Bump the all group with 5 updates by @dependabot in #606

Makefile Modules Updates

  • [CI] Merge self-upgrade-main into main by @github-actions in #559
  • [CI] Merge self-upgrade-main into main by @github-actions in #563
  • [CI] Merge self-upgrade-main into main by @github-actions in #564
  • [CI] Merge self-upgrade-main into main by @github-actions in #567
  • [CI] Merge self-upgrade-main into main by @github-actions in #570
  • [CI] Merge self-upgrade-main into main by @github-actions in #575
  • [CI] Merge self-upgrade-main into main by @github-actions in #576
  • [CI] Merge self-upgrade-main into main by @github-actions in #580
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #586
  • [CI] Merge self-upgrade-main into main by @github-actions in #587
  • [CI] Merge self-upgrade-main into main by @github-actions in #590
  • [CI] Merge self-upgrade-main into main by @github-actions in #600
  • [CI] Merge self-upgrade-main into main by @github-actions in #601
  • [CI] Merge self-upgrade-main into main by @github-actions in #604
  • [CI] Merge self-upgrade-main into main by @github-actions in #608
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #609
  • [CI] Merge self-upgrade-main into main by @github-actions in #611
  • [CI] Merge self-upgrade-main into main by @github-actions in #612
  • [CI] Merge self-upgrade-main into main by @github-actions in #614
  • [CI] Merge self-upgrade-main into main by @github-actions in #616
  • [CI] Merge self-upgrade-main into main by @github-actions in #618

New Contributors

Full Changelog: v0.16.0...v0.17.0
