github cert-manager/trust-manager v0.21.0
on GitHub

4 hours ago

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is primarily intended to fix CVE-2025-68121, but it includes several changes which have trickled in since v0.20.3

Notable Changes

Filter Non-CA Certs in Sources

There's a new .filterNonCACerts.enabled value available in the Helm chart, which will cause trust-manager to filter any non-CA certs found in sources. This logic relies on the isCa field of the basicConstraints X.509 extension only. The feature defaults to "off".

CRD Changes

The ClusterBundle CRD got a little stricter, to pass the Kube API Linter checks which we've enabled. We don't expect that this will change the use of the CRD for anyone, since the limits we've added are very permissive.

What's Changed

Functional / CRD Changes

  • Add certificate verification process to filter non-CA certificates by @arsenalzp in #824
  • Helm Chart: Add support for setting relabelling on the ServiceMonitor by @tiesmaster in #870
  • Introduce Kube API linter by @erikgb in #850
  • Introduce KAL minlength/maxlength checks by @erikgb in #866
  • Introduce KAL required fields checks by @erikgb in #877
  • Fix index formatting in webhook validations by @erikgb in #873
  • Eliminate use of naked bool (includeDefaultCAs) in ClusterBundle API by @erikgb in #855
  • Enable the CommentStart KAL check and fix violations by @erikgb in #858
  • Rename ClusterBundle sources to sourceRefs by @erikgb in #854

Trust Packages

Tests / Docs

  • Refactor Bundle integration tests by @erikgb in #828
  • Release improvements by @SgtCoDFish in #816
  • Fix flaky integration test by @erikgb in #879
  • Update release process to accurately reflect how new trust packages are picked up by @SgtCoDFish in #818
  • Improve webhook validation test error list assert by @erikgb in #874

Upcoming Bundle Resource

  • Use apply configuration to apply Bundle status in migration controller by @erikgb in #843
  • Change Bundle source includeAllKeys to pointer by @erikgb in #876

Automated / CI

  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #814
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #819
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #820
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #821
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #823
  • fix(deps): update kubernetes go deps to v0.35.0 by @renovate[bot] in #822
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #826
  • fix(deps): update module software.sslmate.com/src/go-pkcs12 to v0.7.0 by @renovate[bot] in #825
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #827
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #829
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #832
  • fix(deps): update github.com/onsi deps by @renovate[bot] in #831
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #833
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #834
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #840
  • chore(deps): update actions/setup-go action to v6.2.0 by @renovate[bot] in #839
  • fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.5 by @renovate[bot] in #838
  • fix(deps): update k8s.io/utils digest to 914a6e7 by @renovate[bot] in #842
  • Extend makefile-modules Renovate preset by @erikgb in #846
  • Fix conversion Bundle->ClusterBundle by @erikgb in #844
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #847
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #849
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #852
  • chore(deps): update actions/checkout action to v6.0.2 by @renovate[bot] in #851
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #853
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #859
  • fix(deps): update github.com/onsi deps by @renovate[bot] in #861
  • fix(deps): update module github.com/onsi/ginkgo/v2 to v2.28.1 by @renovate[bot] in #862
  • chore(deps): update docker/login-action digest to c94ce9f by @renovate[bot] in #860
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #864
  • Upgrade controller-runtime to v0.23.x by @erikgb in #863
  • Fix events RBAC (new API group) by @erikgb in #865
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #867
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #869
  • fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.3.2 by @renovate[bot] in #872
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #878
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #880
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #882
  • fix(deps): update kubernetes go patches to v0.35.1 by @renovate[bot] in #883
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #884
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #885
  • Explicity set webhook Certificate private key rotation policy to Always by @mattwboyer in #857
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #887
  • [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #888

New Contributors

Full Changelog: v0.20.3...v0.21.0

Check out latest releases or
releases around cert-manager/trust-manager v0.21.0

Don't miss a new trust-manager release

NewReleases is sending notifications on new releases.

Get notifications