Approver Policy releases
Approver Policy provides a policy engine for certificates issued by cert-manager.
Learn about current and past releases of Approver Policy.
Latest release
The latest stable version of Approver Policy is v0.17.0.
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.17.0
- FIPS Image: There is no FIPS image for Approver Policy.
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.17.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.17.0
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/approver-policy:v0.17.0
- FIPS Image: There is no FIPS image for Approver Policy.
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.17.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.17.0
Note: There is an Approver Policy Enterprise FIPS build available at private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise-fips which will work in place of the open source Approver Policy component.
Release v0.17.0
Approver Policy v0.17.0 was released on November 25, 2024.
Key features
- This release corrects an issue where Approver Policy did not consider the cert-manager issuer group and kind defaults when matching policies against cert-manager CertificateRequest resources. When referencing issuers in cert-manager Certificate and CertificateRequest resources, the issuerRef kind and group are optional and are defaulted by the cert-manager controller. This becomes problematic in Approver Policy if you want to enforce a policy addressing cert-manager issuers. This release fixes the issue by applying the cert-manager default issuer kind and group when matching policies. Now, if a CertificateRequest does not specify spec.issuerRef.group or spec.issuerRef.kind, Approver Policy defaults to the same values as cert-manager: cert-manager.io for the issuer group and Issuer for the issuer kind.
- This release also fixes a bug in the Helm chart so that the Webhook CA Secret now matches the name override value and the RBAC.
- The following dependencies were also updated in this release:
- github.com/cert-manager/cert-manager was updated to v1.16.2
- sigs.k8s.io/controller-runtime was updated to v0.19.2
- github.com/onsi/ginkgo/v2 was updated to v2.22.0
- github.com/onsi/gomega was updated to v1.35.1
- k8s.io/api was updated to v0.31.3
- k8s.io/apiextensions-apiserver was updated to v0.31.3
- k8s.io/apimachinery was updated to v0.31.3
- k8s.io/apiserver was updated to v0.31.3
- k8s.io/cli-runtime was updated to v0.31.3
- k8s.io/client-go was updated to v0.31.3
- k8s.io/component-base was updated to v0.31.3
- google.golang.org/protobuf was updated to v1.35.2
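As an added illustration (not code from the Approver Policy project), the following Go program shows the effect of the issuerRef fix described above: a simplified policy selector, assumed here to treat an empty field as "match any", is compared against a request whose issuerRef omits kind and group, once without and once with the cert-manager defaults applied.

```go
package main

import "fmt"

// Defaults cert-manager applies when a CertificateRequest omits
// spec.issuerRef.group or spec.issuerRef.kind, as stated in the release notes.
const (
	defaultIssuerGroup = "cert-manager.io"
	defaultIssuerKind  = "Issuer"
)

// IssuerRef mirrors the name/kind/group triple of a cert-manager issuerRef.
type IssuerRef struct {
	Name, Kind, Group string
}

// WithDefaults returns a copy of the reference with cert-manager's defaults
// filled in for any omitted kind or group; the name is never defaulted.
func (r IssuerRef) WithDefaults() IssuerRef {
	if r.Group == "" {
		r.Group = defaultIssuerGroup
	}
	if r.Kind == "" {
		r.Kind = defaultIssuerKind
	}
	return r
}

// Selector is an assumed simplification of a policy's issuerRef selector:
// a field left empty in the policy matches any value in the request.
type Selector struct {
	Name, Kind, Group string
}

func fieldMatches(want, got string) bool { return want == "" || want == got }

// Matches reports whether the policy selector matches the request's issuerRef.
// applyDefaults=false models the pre-v0.17.0 behaviour (assumed here to compare
// an omitted kind or group in the request as an empty string).
func (s Selector) Matches(ref IssuerRef, applyDefaults bool) bool {
	if applyDefaults {
		ref = ref.WithDefaults()
	}
	return fieldMatches(s.Name, ref.Name) &&
		fieldMatches(s.Kind, ref.Kind) &&
		fieldMatches(s.Group, ref.Group)
}

func main() {
	// Constructed sample: a policy pinned to one namespaced Issuer, and a
	// request that names the issuer but omits kind and group.
	policy := Selector{Name: "my-ca", Kind: "Issuer", Group: "cert-manager.io"}
	req := IssuerRef{Name: "my-ca"}
	fmt.Println("before fix:", policy.Matches(req, false)) // false
	fmt.Println("after fix: ", policy.Matches(req, true))  // true
}
```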
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.17.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.17.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.17.0
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.17.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.17.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.17.0
Release v0.16.0
Approver Policy v0.16.0 was released on October 28, 2024.
Key features
- Common Expression Language (CEL) validator improvements: the username field of CertificateRequest (CR) resources is now exposed to CEL, allowing rich logical operators on the contents of the username. This is useful for making complex decisions about whether the user who created the CertificateRequest should be allowed to do so, beyond what the Kubernetes RBAC mechanism provides. For example, if pods create their own certificate requests directly using RBAC, you might use this feature to ensure that the certificate request includes the Pod's service account in the URIs field (for example, in a SPIFFE ID).
- Dependency updates: the following dependencies were updated in this release:
- github.com/cert-manager/cert-manager was updated to v1.16.1
- github.com/prometheus/client_golang was updated to v1.20.5
- google.golang.org/protobuf was updated to v1.35.1
- k8s.io/api was updated to v0.31.2
- k8s.io/apiextensions-apiserver was updated to v0.31.2
- k8s.io/apimachinery was updated to v0.31.2
- k8s.io/cli-runtime was updated to v0.31.2
- k8s.io/client-go was updated to v0.31.2
- k8s.io/component-base was updated to v0.31.2
- k8s.io/utils was updated to 0.0.0-20240921022957-49e7df575cb6
- sigs.k8s.io/controller-runtime was updated to v0.19.1
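As an added example (not the project's code, and written in plain Go rather than as a CEL rule), the check sketched above: parse the Kubernetes service-account username of the requester and require every URI SAN in the request to be that account's own SPIFFE ID. The trust domain cluster.local and the spiffe://<trust-domain>/ns/<namespace>/sa/<name> layout are assumed conventions; the system:serviceaccount:<namespace>:<name> username format is fixed by Kubernetes.

```go
package main

import (
	"fmt"
	"strings"
)

// trustDomain is an assumed constant for this example.
const trustDomain = "cluster.local"

// ServiceAccountFromUsername parses the username Kubernetes records on a
// CertificateRequest created with a service account token. The format
// system:serviceaccount:<namespace>:<name> is fixed by Kubernetes; anything
// else (for example a human user) yields ok=false.
func ServiceAccountFromUsername(username string) (ns, name string, ok bool) {
	parts := strings.Split(username, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" ||
		parts[2] == "" || parts[3] == "" {
		return "", "", false
	}
	return parts[2], parts[3], true
}

// ExpectedSPIFFEID builds the SPIFFE ID the request's URI SAN must carry.
// The spiffe://<trust-domain>/ns/<ns>/sa/<name> layout is an assumed convention.
func ExpectedSPIFFEID(ns, name string) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, ns, name)
}

// RequestAllowed reproduces, in plain Go, the decision a CEL rule over the
// username could make: the requester must be a service account, the request
// must carry at least one URI SAN, and every URI SAN must be exactly the
// requester's own SPIFFE ID.
func RequestAllowed(username string, uris []string) bool {
	ns, name, ok := ServiceAccountFromUsername(username)
	if !ok || len(uris) == 0 {
		return false
	}
	want := ExpectedSPIFFEID(ns, name)
	for _, u := range uris {
		if u != want {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: a pod's service account requesting its own identity,
	// then a request whose URI SAN names a different workload.
	user := "system:serviceaccount:payments:api"
	fmt.Println(RequestAllowed(user, []string{"spiffe://cluster.local/ns/payments/sa/api"}))   // true
	fmt.Println(RequestAllowed(user, []string{"spiffe://cluster.local/ns/billing/sa/admin"})) // false
}
```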
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.16.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.16.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.16.0
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.16.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.16.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.16.0
Release v0.15.2
Approver Policy v0.15.2 was released on September 25, 2024.
Key features
- The following dependencies were updated in this release:
- github.com/onsi/ginkgo/v2 was updated to v2.20.2
- github.com/onsi/gomega was updated to v1.34.2
- github.com/prometheus/client_golang was updated to 1.20.4
- k8s.io/api was updated to v0.31.1
- k8s.io/apiextensions-apiserver was updated to v0.31.1
- k8s.io/apimachinery was updated to v0.31.1
- k8s.io/cli-runtime was updated to v0.31.1
- k8s.io/client-go was updated to v0.31.1
- k8s.io/component-base was updated to v0.31.1
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.2
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.2
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.2
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.2
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.2
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.15.2
Release v0.15.1
Approver Policy v0.15.1 was released on August 16, 2024.
Key features
- Release 0.15.1 of Approver Policy is a patch release that fixes an issue where the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. Because of this, the webhook TLS server fails to renew its CA certificate. Please upgrade before the expiration of this CA certificate is reached.
- The following dependencies were also updated in this release:
- github.com/cert-manager/cert-manager was updated to v1.15.3
- github.com/onsi/ginkgo/v2 was updated to v2.20.0
- github.com/onsi/gomega was updated to v1.34.1
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.1
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.1
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.1
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.15.1
Release v0.15.0
Approver Policy v0.15.0 was released on July 26, 2024.
Key features
- Release 0.15.0 of Approver Policy sets the nodeSelector Helm value to "kubernetes.io/os": "linux" by default.
- This release also adds support for structured JSON logging.
- Also in this release, the cert-manager Approver Policy webhook server dynamic_source CA duration and leaf certificate duration are now configurable. The default CA duration is now 1 year and the default leaf certificate duration is now 7 days.
- This release includes a fix for an issue with duplicate Prometheus scrape targets by using a named port in the ServiceMonitor.
- The version of cert-manager used was updated in this release to v1.15.1.
- This release is built using Go 1.22.5 to fix some security vulnerabilities in the Go standard library.
- The following dependencies were also updated in this release:
- k8s.io/api was updated to v0.30.3
- k8s.io/apiextensions-apiserver was updated to v0.30.3
- k8s.io/apimachinery was updated to v0.30.3
- k8s.io/cli-runtime was updated to v0.30.3
- k8s.io/client-go was updated to v0.30.3
- k8s.io/component-base was updated to v0.30.3
- k8s.io/klog/v2 was updated to v2.130.1
- google.golang.org/grpc was updated to v1.64.1
- google.golang.org/protobuf was updated to v1.34.2
- github.com/go-logr/logr was updated to v1.4.2
- github.com/onsi/ginkgo/v2 was updated to v2.19.0
- sigs.k8s.io/controller-runtime was updated to v0.18.4
- github.com/spf13/cobra was updated to v1.8.1
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.0
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.15.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.15.0
Release v0.14.1
Approver Policy v0.14.1 was released on May 13, 2024.
Key features
- This release updates the version of Go used from 1.22.2 to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788). All Go-related dependencies were also upgraded in this release.
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.14.1
Release v0.14.0
Approver Policy v0.14.0 was released on April 23, 2024.
Key features
- Approver Policy now accepts all external issuers by default. This makes Approver Policy easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer. Previously, Approver Policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value. Approver Policy can now be used with all issuers. It is still possible to restrict the list if you want to; however, doing so is only helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should take no action.
Read before upgrading
The new signer permissions described above take effect by default upon upgrading to Approver Policy v0.14.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the following scenarios fits your use case to determine whether you need to take any action:
Scenario 1: No custom approveSignerNames
If you did not previously set a value for approveSignerNames, then the list of issuers usable by Approver Policy was restricted to only the built-in issuers. When upgrading to v0.14.0, that list expands to include all possible issuers.
If you're happy for Approver Policy to approve for all issuers, no action is required. Most users should fall into this category.
If for some reason you do not want to allow Approver Policy to handle approval for certificates signed by external issuers, but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.
Scenario 2: Custom app.approveSignerNames
If you're already using external issuers with Approver Policy, you will already have set a custom value for approveSignerNames.
If you're happy for Approver Policy to approve for all issuers, remove your custom value for approveSignerNames and use the new default.
If you wish to keep restrictions in place, you can leave your custom value in place.
Why should I restrict approveSignerNames?
It makes sense to restrict this value if you have external issuers installed and you want to limit the issuers that Approver Policy can approve. This would imply that you have some other approver running in your cluster which should apply to some issuers.
We believe that for most users it's fine to accept the new default of allowing access for Approver Policy to all issuers.
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.0
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.14.0
Release v0.13.1
Approver Policy v0.13.1 was released on March 26, 2024.
Key features
- You can now configure an HTTP proxy from the Helm chart by using the following values: http_proxy, https_proxy, and no_proxy. If you are using the upstream version of Approver Policy, this may not be useful to you. These variables are useful for projects that build plugins on top of Approver Policy and make HTTP calls to the internet. For more information, see the Approver Policy Helm values reference page.
- You can now also configure the priorityClassName field in the Helm chart. For more information, see the Approver Policy Helm values reference page.
- The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: GO-2024-2611 (CVE-2024-24786).
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.1
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.1
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.1
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.13.1
Release v0.13.0
Approver Policy v0.13.0 was released on March 6, 2024.
Key features
- By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs. This prevents accidental deletion of CRDs when uninstalling the component using Helm.
Note: This feature introduces an additional uninstall step:
$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
To avoid using the annotation, add --set crds.keep=false to your installation. To exclude the CRD from the Helm installation, use --set crds.enabled=false.
- This release also adds an optional PodDisruptionBudget Helm value that can be used in your values.yaml file:
podDisruptionBudget:
  enabled: true
- To help avoid disk exhaustion attacks, a size limit of 50mb has been set on the emptyDir used for the /tmp directory. The /tmp directory is used for the TLS certificate that Approver Policy generates for the webhook, as well as by some Approver Policy plugins for creating temporary configuration files.
- Platform engineers can now set Topology Spread Constraints using Helm chart values. For more information, see Topology Spread Constraints.
- All Approver Policy deployment-related Helm values have been made global in this release.
- The replicaCount Helm value can now be set to either an integer or a string.
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.0
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.0
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.0
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.0
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.13.0
Release v0.12.1
Approver Policy v0.12.1 was released on February 1, 2024.
Key features
- This patch release improves the Helm chart README and metadata properties.
Note: This release of Approver Policy changes how containers are built, which in turn changes the path at which the binary can be found inside the container. This means that new container images can't be used with older Helm charts, or with any software which expects the old path. For the simplest upgrade experience, use the latest Helm chart with the latest image.
Downloads
- Container Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.12.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.12.1
- Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.12.1
- Container Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.12.1
- Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.12.1
- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.12.1