What's new

- CA bundle watching (`kind: cabundle`) — the exporter can now watch cluster-scoped Kubernetes resources that carry inline `caBundle` PEM fields: `MutatingWebhookConfiguration`, `ValidatingWebhookConfiguration`, `APIService`, and `CustomResourceDefinition` conversion webhooks. Each `caBundle` field is extracted and tracked as a regular certificate series, with the same label and filtering semantics as Secret-sourced certs. The feature is opt-in (disabled by default in the chart) and each resource kind is independently togglable; the chart's ClusterRole is scoped to exactly the kinds enabled.
- DER format (via `format: der`) — raw DER-encoded certificate and CRL blobs are now first-class inputs. Point any `secretTypes` key or file pattern at a `.der` cert or `.crl` file (the kind served by HTTP CRL Distribution Points) and the exporter parses it directly, without requiring PEM wrapping. CRLs parsed via DER feed into the `x509_crl_*` metric family alongside their PEM counterparts.
- CRL freshness monitoring — PEM bundles may now contain `X509 CRL` blocks freely intermixed with `CERTIFICATE` blocks. Each CRL found in a bundle is tracked by the new `x509_crl_*` family: `x509_crl_this_update`, `x509_crl_next_update`, `x509_crl_number`, and the alert-ready `x509_crl_stale` / relative-time variants. Two new PrometheusRule alerts — `CRLNeedsRefresh` and `CRLStale` — are bundled with the chart.
- JKS / JCEKS support (via `format: jks`) — Java KeyStore and JCEKS keystores and truststores are now parsed natively, using magic-byte auto-detection to distinguish the two formats at runtime. The `jks:` block in `secretTypes` mirrors the existing `pkcs12:` API: passphrase from a sibling Secret key (`passphraseKey`), an external file, or `tryEmptyPassphrase` for passwordless stores. A dedicated `x509_jks_passphrase_failures_total` counter (auto-registered, symmetric to its PKCS#12 counterpart) surfaces wrong-passphrase events per source.
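The DER and CRL-freshness items above describe two input paths that end in the same `x509_crl_*` series: a PEM bundle with `X509 CRL` blocks mixed among `CERTIFICATE` blocks, and a bare DER blob that is either a certificate or a CRL. The following is an added example in Go's standard `crypto/x509` package showing how such a parser can walk a mixed bundle, fall back to DER when no PEM armour is present, and derive the values behind `x509_crl_this_update`, `x509_crl_next_update`, `x509_crl_number` and `x509_crl_stale`. It is not the exporter's own code: `ParseBundle`, `CRLStatus` and `BuildMixedBundle` are names chosen here, the CA and CRL are constructed at runtime as test data, and treating "stale" as "the clock is past `NextUpdate`" is an assumption about what the stale gauge encodes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus carries the per-CRL values a metric series would expose:
// this_update, next_update, number and a stale flag.
type CRLStatus struct {
	Issuer     string
	ThisUpdate time.Time
	NextUpdate time.Time
	Number     *big.Int
	Stale      bool // assumption: stale means now is past NextUpdate
}

func statusOf(rl *x509.RevocationList, now time.Time) CRLStatus {
	return CRLStatus{
		Issuer:     rl.Issuer.String(),
		ThisUpdate: rl.ThisUpdate,
		NextUpdate: rl.NextUpdate,
		Number:     rl.Number,
		Stale:      now.After(rl.NextUpdate),
	}
}

// ParseBundle accepts either a PEM bundle with CERTIFICATE and "X509 CRL"
// blocks freely intermixed, or a single raw DER blob holding one certificate
// or one CRL. Unknown PEM block types are skipped.
func ParseBundle(data []byte, now time.Time) ([]*x509.Certificate, []CRLStatus, error) {
	var certs []*x509.Certificate
	var crls []CRLStatus
	sawPEM := false
	for rest := data; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		sawPEM = true
		switch block.Type {
		case "CERTIFICATE":
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("bad CERTIFICATE block: %w", err)
			}
			certs = append(certs, c)
		case "X509 CRL":
			rl, err := x509.ParseRevocationList(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("bad X509 CRL block: %w", err)
			}
			crls = append(crls, statusOf(rl, now))
		}
	}
	if sawPEM {
		return certs, crls, nil
	}
	// No PEM armour: try the blob as a DER certificate, then as a DER CRL.
	if c, err := x509.ParseCertificate(data); err == nil {
		return []*x509.Certificate{c}, nil, nil
	}
	rl, err := x509.ParseRevocationList(data)
	if err != nil {
		return nil, nil, fmt.Errorf("input is neither PEM nor a DER certificate/CRL: %w", err)
	}
	return nil, []CRLStatus{statusOf(rl, now)}, nil
}

// BuildMixedBundle constructs a throwaway CA and a CRL it signed (test data
// generated at runtime) and returns an intermixed PEM bundle plus the bare
// CRL DER for the single-blob path.
func BuildMixedBundle(thisUpdate, nextUpdate time.Time) (pemBundle, crlDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-example-ca"},
		NotBefore:             thisUpdate.Add(-time.Hour),
		NotAfter:              nextUpdate.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(certDER) // re-parse so SubjectKeyId is populated
	if err != nil {
		return nil, nil, err
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
	}, ca, key)
	if err != nil {
		return nil, nil, err
	}
	pemBundle = append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
		pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER})...)
	return pemBundle, crlDER, nil
}

func main() {
	this := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	bundle, _, err := BuildMixedBundle(this, this.Add(7*24*time.Hour))
	if err != nil {
		panic(err)
	}
	certs, crls, err := ParseBundle(bundle, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("certs=%d crls=%d\n", len(certs), len(crls))
	for _, s := range crls {
		fmt.Printf("issuer=%q number=%s next_update=%s stale=%v\n",
			s.Issuer, s.Number, s.NextUpdate.Format(time.RFC3339), s.Stale)
	}
}
```

The DER fallback tries the certificate parser before the CRL parser because the two ASN.1 structures are disjoint, so a CRL never parses as a certificate and vice versa; a blob that fails both is rejected rather than silently producing no series. An alert such as `CRLStale` would key off the `Stale` flag, while `CRLNeedsRefresh` would use the distance to `NextUpdate`, which is why the raw timestamps are kept alongside the boolean.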
Changelog
Features
- 6f8d783: feat(source/cabundle): watch MWC + VWC caBundles cluster-wide (@npdgm)
- 176e25c: feat(registry): emit x509_crl_* metric family from Bundle.RevocationItems (@npdgm)
- 36aaf39: feat(registry): add x509_jks_passphrase_failures_total + format-aware routing (@npdgm)
- ab1ce3a: feat(k8s): support shell-glob patterns in include/exclude names (@npdgm)
- 19305f0: feat(config, cmd): wire format: jks + jks: passphrase block (@npdgm)
- 9626e52: feat(chart): support glob and recursive (**) patterns in watchDirectories (@npdgm)
- 587d0f1: feat(chart): expose include/exclude secrets and configmaps by name (@npdgm)
- 830ca14: feat(chart): expose cluster-scoped cabundle exporter (opt-in) (@npdgm)
- 3bcafda: feat(chart): add jks format + jks: passphrase block to secretTypes schema (@npdgm)
- 9d4b97f: feat(chart): add CRLNeedsRefresh and CRLStale PrometheusRule alerts (@npdgm)
- fcc6dd2: feat(cert/pem): parse X509 CRL blocks into Bundle.RevocationItems (@npdgm)
- 3d571b6: feat(cert/jks): parse JKS and JCEKS keystores and truststores (@npdgm)
- 7ce1092: feat(cert/der): parse single-blob DER as cert or CRL via x509 stdlib (@npdgm)
- 7610ca6: feat(cabundle): extend source to APIService and CRD conversion webhooks (@npdgm)
Bug Fixes
- 074db88: fix(k8s): trim only CR/LF from secret-sourced passphrases, not all whitespace (@npdgm)
- 2958d64: fix(chart): omit registry segment when image.registry is empty (@npdgm)
Documentation
- 5770c37: docs(readme): announce CRL freshness monitoring in the v4 highlights (@npdgm)
- 9b02f8f: docs(metrics): describe the x509_crl_* family (@npdgm)
- c6e9aec: docs(chart, metrics): document DER format and add a positive schema fixture (@npdgm)
- a163963: docs(README, metrics): announce JKS/JCEKS support and x509_jks_passphrase_failures_total (@npdgm)
- c3a255c: docs(README): don't generalize memory gains in v4 (@npdgm)
- 0e186d8: docs(README): announce support for DER and CRLs (@npdgm)