Approver Policy releases¶

Approver Policy provides a policy engine for certificates issued by cert-manager.

Learn about current and past releases of Approver Policy.

Latest release¶

​ The latest stable version of Approver Policy is v0.14.1.

Downloads¶

Release v0.14.1¶

Approver Policy v0.14.1 was released on May 13, 2024.

Key features¶

• This release updates the version of Go used from 1.22.2 to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788). All Go-related dependencies were also upgraded in this release.

Release v0.14.0¶

Approver Policy v0.14.0 was released on April 23, 2024.

Key features¶

• Approver Policy now accepts all external issuers by default. This makes Approver Policy easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer. Previously, the Approver Policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value.

  Approver Policy can be used with all issuers. It's still possible to restrict the list if you want to, however doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should take no action.

Release v0.13.1¶

Approver Policy v0.13.1 was released on March 26, 2024.

Key features¶

• You can now configure an HTTP proxy from the Helm chart by using the following values: http_proxy, https_proxy, and no_proxy. If you are using the upstream version of Approver Policy, this may not be useful to you. These variables are useful for projects building plugins on top of Approver Policy and make HTTP calls to the internet. For more information, see Approver Policy Helm values reference page.
• You can now also configure the priorityClassName field in the Helm chart. For more information, see Approver Policy Helm values reference page.
• The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: GO-2024-2611 (CVE-2024-24786).

Release v0.13.0¶

Approver Policy v0.13.0 was released on March 6, 2024.

Key features¶

• By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs. This prevents accidental deletion of CRDs when uninstalling the component using Helm.

  Note

  This feature introduces an additional uninstall step:

  $ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
  

  To avoid using the annotation, add --set crds.keep=false to your installation. To exclude the CRD from the Helm installation use --set crds.enabled=false.

• This release also adds an optional PodDisruptionBudget helm value that can be used in your values.yaml file:

      podDisruptionBudget:
          enabled: true
  

• To help avoid disk exhaustion attacks, a size limit of 50mb has been set on the emptyDir used for the /tmp directory. A /tmp directory is used for the TLS certificate which it generates for the webhook, as well as by some Approver Policy plugins for creating temporary configuration files.

• Platform engineers can now set Topology Spread Constraints using a Helm chart values. For more information see Topology Spread Constraints.

• All Approver Policy deployment-related Helm values have been made global in this release.

• The replicaCount Helm value can now be set to either an integer or a string.

Release v0.12.1¶

Approver Policy v0.12.1 was released on February 1, 2024.

Key features¶

• This patch release improves the Helm chart README and metadata properties.

  Note

  This release of Approver Policy changes how containers are built, which in turn changes the path at which the binary can be found inside the container. This means that new container images can't be used with older Helm charts, or with any software which expects the old path.

  For the simplest upgrade experience, use the latest helm chart with the latest image.