
Firefly Releases

Learn about current and past releases of the Firefly distributed component.

Supported Releases

| Release | 1.5.0 | 1.3.4 | 1.2.1 | 1.1 |
|---|---|---|---|---|
| Release Date | Sept 9, 2024 | Apr 16, 2024 | Nov 1, 2023 | Aug 9, 2023 |
| Kubernetes Support | 1.23 → 1.30 | 1.23 → 1.28 | 1.23 → 1.28 | 1.22 → 1.27 |
| OpenShift Support | 4.10 → 4.16 | 4.10 → 4.14 | 4.10 → 4.14 | 4.10 → 4.14 |
| cert-manager Support | 1.11 → 1.15 | 1.11 → 1.13 | 1.11 → 1.13 | 1.11 → 1.12 |

Release 1.5.0

Firefly 1.5.0 was released on September 9, 2024. Key features include:

  • Automatic CA chain population: A new Helm option, deployment.config.controller.certManager.caRootChainPopulation, was added to automatically populate the CA certificate chain when using the cert-manager controller.
  • Simplified installation on Red Hat OpenShift: The Helm chart now includes SecurityContextConstraints, simplifying installation on Red Hat OpenShift clusters.

Docker Image

docker pull registry.venafi.cloud/public/venafi-images/firefly:v1.5.0

Repo registry.venafi.cloud/public/venafi-images/firefly
Digest sha256:07472146c72dce77a2422e22832977634e4fd344801fd928006a85095572f05d
Tag v1.5.0

Helm Chart

helm pull oci://registry.venafi.cloud/public/venafi-images/helm/firefly \
    --version v1.5.0
Repo registry.venafi.cloud/public/venafi-images/helm/firefly
Digest sha256:cd852bd6d84632a90111bdb0bfc956fad3b68e1e803702826c2c4d2bb1066be0
Tag v1.5.0

Changelog

  1. A new Helm option, deployment.config.controller.certManager.caRootChainPopulation, was added.
  2. Default SecurityContextConstraints were added for Red Hat OpenShift. (VC-35772)

Release 1.4.3

Firefly 1.4.3 was released on August 29, 2024. Key features include:

  • Firefly connection to HSM for signing using an HSM-protected key: You can now connect an HSM to the Firefly server (or container) to allow Firefly to sign certificates using a private key protected by an HSM.

  • Option to specify alternative names for Firefly authorization claims: Firefly can now be configured to use alternative names for the venafi-firefly.configuration, venafi-firefly.allowedPolicies, and venafi-firefly.allowAllPolicies claims in JWTs presented by API clients.

  • Option to allow Firefly API clients to connect using TLS 1.2: Firefly can now be configured to allow legacy API clients that do not support TLS 1.3 to connect using TLS 1.2 instead.

  • Resilience to transient HSM availability issues: Firefly will now automatically recover from the HSM protecting its signing key becoming temporarily unavailable.

  • Make Firefly trust anchor certificate more accessible for Kubernetes use cases: You can now specify caRootChainPopulation: true in the config.yaml and Firefly will include its root CA certificate in the status.ca field of cert-manager CertificateRequest resources.

Docker Image

docker pull registry.venafi.cloud/public/venafi-images/firefly:v1.4.3

Repo registry.venafi.cloud/public/venafi-images/firefly
Digest sha256:93a989d5b55ebfbeaef7b10a4b442448a7d1b770d4869249ab9ec41861f419ff
Tag v1.4.3

Helm Chart

helm pull oci://registry.venafi.cloud/public/venafi-images/helm/firefly \
    --version v1.4.3
Repo registry.venafi.cloud/public/venafi-images/helm/firefly
Digest sha256:093255678de746fd6d309bf2a5c162577b15b821e9f95ac037bb630091ee7e78
Tag v1.4.3

PKCS#11 Binaries

Releases of firefly-pkcs11 are signed, and the detached signature file is included with the binary in the downloadable zip file. SHA-256 checksums of the zip files for each release are listed below for additional verification.

  • 1.4.3 (August 29, 2024) 23fb9f0e8275d07b3b45c96892bd855b3257cb05062046121126395065f22e6c
  • 1.4.2 (July 22, 2024) 92a35e5a77bd84639bbb4839dcf316696e3ae30ed8a430bbcd3daad778791ad3
  • 1.4.1 (July 12, 2024) 32fb025d7d8587a78525882bdcd501d3bdaa877d3db7a9704604a027531054ee
  • 1.4.0 (June 28, 2024) 86fab9bff47c202d871ff177f2989ace3ed9e94e7f15639199767954d94e0a95
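
One way to run the checksum comparison described above (an added example, not part of the original release notes or Venafi's tooling). The zip path is supplied by the caller because the archive file name is not given on this page; checking the detached signature is a separate step not shown here.

```sh
#!/bin/sh
# Added example: check a downloaded firefly-pkcs11 zip against the SHA-256
# checksum published in these release notes. The zip path is an assumption.

# Checksums copied from the list above, keyed by firefly-pkcs11 version.
published_sha256() {
    case "$1" in
        1.4.3) echo 23fb9f0e8275d07b3b45c96892bd855b3257cb05062046121126395065f22e6c ;;
        1.4.2) echo 92a35e5a77bd84639bbb4839dcf316696e3ae30ed8a430bbcd3daad778791ad3 ;;
        1.4.1) echo 32fb025d7d8587a78525882bdcd501d3bdaa877d3db7a9704604a027531054ee ;;
        1.4.0) echo 86fab9bff47c202d871ff177f2989ace3ed9e94e7f15639199767954d94e0a95 ;;
        *) return 1 ;;
    esac
}

# Print the lowercase hex SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file exists and its digest equals the expected value.
verify_sha256() {
    [ -f "$1" ] || return 2
    vs_actual=$(sha256_of "$1")
    vs_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$vs_actual" ] && [ "$vs_actual" = "$vs_expected" ]
}

# Fail closed: unknown version (3), missing file (2), or mismatch (1).
verify_firefly_pkcs11() {
    vf_expected=$(published_sha256 "$1") || {
        echo "no published checksum for version $1" >&2
        return 3
    }
    vf_rc=0
    verify_sha256 "$2" "$vf_expected" || vf_rc=$?
    [ "$vf_rc" -eq 0 ] || echo "checksum verification FAILED for $2" >&2
    return "$vf_rc"
}

# Usage: sh verify.sh <version> <path-to-zip>
if [ "$#" -eq 2 ]; then
    verify_firefly_pkcs11 "$1" "$2" && echo "OK: $2 matches published $1 checksum"
fi
```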

Changelog

  1. The PKCS#11 binary was added; it was not included in previous versions. (VC-32033)
  2. Firefly now supports an HSM-protected signing key. (VC-30950)
  3. Monitoring of config.yaml and service account private key files ignores chmod.
  4. Fixed an issue that prevented firefly-pkcs11 from being able to renew its issuer certificate. (VC-34576)
  5. Added metrics options to Helm chart. (VC-34401)
  6. Option to specify alternative names for authorization claims in API client JWTs. (VC-34341)
  7. Option to allow API clients to connect using TLS 1.2. (VC-34525)
  8. Firefly now automatically recovers when HSM is temporarily unavailable. (VC-34696)
  9. Log details of HSM partitions (slot/label/serial) visible to firefly-pkcs11 when it starts up.
  10. Option to include trust anchor (root CA) certificate in cert-manager CertificateRequest resources.

Release 1.3.4

Firefly 1.3.4 was released on April 16, 2024. Key features include:

  • Firefly now supports requesting certificates using Unix Domain Sockets: gRPC and REST clients can now request certificates from Firefly using a Unix Domain Socket (UDS) to forgo the overhead of TLS and authentication for use cases where clients are co-hosted with Firefly.

  • Firefly now has a method specifically for downloading trust chain CA certificates: Trust Manager clients can obtain the CA certificates applicable to Firefly trust without having to request a certificate.

  • Helm charts for Firefly now support configuring API servers: Support for configuring gRPC, GraphQL, and REST servers has been added to Helm charts.

  • Firefly image now includes OCI annotations: Introduced standard OCI annotations (labels) to the Firefly container image.

  • Firefly instances may now derive parts of their name from environment variables: Environment variable substitution is now supported for Firefly instance names when using Venafi Control Plane.

Docker Image

docker pull registry.venafi.cloud/public/venafi-images/firefly:v1.3.4
Repo registry.venafi.cloud/public/venafi-images/firefly
Digest sha256:602675785fae69af916ed95e277b0def93322707b326dd0377b0a0290261ce6d
Tag v1.3.4

Helm Chart

helm pull oci://registry.venafi.cloud/public/venafi-images/helm/firefly \
    --version v1.3.4
Repo registry.venafi.cloud/public/venafi-images/helm/firefly
Digest sha256:d6c92b7950a985c5a3ce13001107428fbd61c020bf42ff9c311b5d714509742c
Tag v1.3.4

Changelog

  1. Clients can request certificates using a Unix Domain Socket (UDS) with gRPC and REST. (VC-27929)
  2. Clients can obtain the CA certificates in the Firefly trust chain without requesting a certificate. (VC-27930)
  3. Timeout for Firefly to Venafi Control Plane increased to 30 seconds.
  4. Helm charts enhanced to support configuration of gRPC, GraphQL, and REST API servers.
  5. OCI annotations (labels) added to Firefly container image. (VC-31094)
  6. Support for environment variable substitution when naming Firefly instances. (VC-31747)

Release 1.2.1

Firefly 1.2.1 was released on November 1, 2023. Key features include:

  • Firefly now supports requesting certificates using a public key: gRPC clients can now request certificates from Firefly using a public key and Subject/SAN values for use cases where workloads generate keypairs but orchestrators request certificates for them.

  • Firefly now supports Instance Identity Documents from Azure and Google (in addition to AWS): Clients can now authenticate and get signed certificates from Firefly using Instance Identity Documents from Azure and Google. This builds on the AWS IID support in Firefly 1.1 and means that Firefly now supports all three major cloud providers.

  • Updated Terms of Use / EULA: The Firefly Terms of Use have been updated and are now available at a new URL. Please read the Venafi End User License Agreement before upgrading.

Changelog

  1. Clients can request certificates with a public key and Subject/SAN values using gRPC. (VC-27928)
  2. Clients can now authenticate to Firefly using Azure workload identity documents. (VC-24321)
  3. Clients can now authenticate to Firefly using Google workload identity documents. (VC-24322)
  4. The End User License Agreement has been updated. (VC-26429)
  5. Miscellaneous bug fixes and stability improvements.

Release 1.1

Firefly 1.1 was released on August 9, 2023. Key features include:

  • New AWS authentication endpoint: A new API endpoint for AWS authentication allows clients to authenticate using AWS workload identity documents.
  • Helm Chart: The addition of a new Helm chart makes it easy to install Firefly in a Kubernetes cluster, and to integrate it with cert-manager.

Changelog

  1. Clients can now authenticate to Firefly using AWS workload identity documents. (VC-22896)
  2. A new Helm chart makes it easy to install Firefly in a Kubernetes cluster and integrate with cert-manager. (VC-23956)
  3. Improved error messages when connecting to the Venafi control plane help diagnose configuration errors. (VC-25547)
  4. Miscellaneous bug fixes and stability improvements.

Release 1.0

Firefly 1.0 was released on April 19, 2023. Key features include:

  • Versatility: Firefly has multiple, flexible deployment options including cloud, cloud-native, DevOps, and federated PKI.
  • Performance: Firefly can generate keys and issue certificates at speeds and volumes well beyond service mesh requirements.
  • Autonomy: Firefly operation is decentralized, making it attractive to software architects and developers.
  • Security: Firefly is managed and governed by the Venafi Control Plane and supports modern authentication mechanisms.
  • Leanness: Firefly requires minimal infrastructure to deploy in production to achieve high availability and fault tolerance.