Skip to content

Approver Policy releases

Approver Policy provides a policy engine for certificates issued by cert-manager.

Learn about current and past releases of Approver Policy.

Latest release

‚Äč The latest stable version of Approver Policy is v0.14.1.

Downloads

  • Docker Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager-approver-policy/approver-policy:v0.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.14.1

Release v0.14.1

Approver Policy v0.14.1 was released on May 13, 2024.

Key features

  • This release updates the version of Go used from 1.22.2 to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788). All Go-related dependencies were also upgraded in this release.
Downloads
  • Docker Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
  • Docker Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.14.1

Release v0.14.0

Approver Policy v0.14.0 was released on April 23, 2024.

Key features

  • Approver Policy now accepts all external issuers by default. This makes Approver Policy easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer. Previously, the Approver Policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value.

    Approver Policy can be used with all issuers. It's still possible to restrict the list if you want to, however doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should take no action.

Read before upgrading

The new signer permissions described above take effect by default upon upgrading to Approver Policy v0.14.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the following scenarios fits your use case to determine if you need to take any action:

Scenario 1: No Custom approveSignerNames

If you didn't previously set a value for approveSignerNames then the list of issuers usable by Approver Policy would've been restricted to only the built-in issuers. When upgrading to v0.14.0, that list will expand to include all possible issuers.

If you're happy for Approver Policy to approve for all issuers, no action is required. Most users should fall into this category.

If you for some reason do not want to allow Approver Policy to handle approval for certificates signed by external issuers but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.

Scenario 2: Custom app.approveSignerNames

If you're already using external issuers with Approver Policy, you'll have already set a custom value for approveSignerNames.

If you're happy for Approver Policy t0 approve for all issuers, remove your custom value for approveSignerNames and use the new default.

If you wish to keep restrictions in place, you can leave your custom value in place.

Why should I restrict approveSignerNames?

It makes sense to restrict this value if you have external issuers installed and you want to limit the issuers that Approver Policy can approve. This would imply that you have some other approver running in your cluster which should apply to some issuers.

We believe that for most users it's fine to accept the new default of allowing access for Approver Policy to all issuers.

Downloads
  • Docker Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.0
  • Docker Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.14.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.14.0

Release v0.13.1

Approver Policy v0.13.1 was released on March 26, 2024.

Key features

  • You can now configure an HTTP proxy from the Helm chart by using the following values: http_proxy, https_proxy, and no_proxy. If you are using the upstream version of Approver Policy, this may not be useful to you. These variables are useful for projects building plugins on top of Approver Policy and make HTTP calls to the internet. For more information, see Approver Policy Helm values reference page.
  • You can now also configure the priorityClassName field in the Helm chart. For more information, see Approver Policy Helm values reference page.
  • The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: GO-2024-2611 (CVE-2024-24786).
Downloads
  • Docker Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.1
  • Docker Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.13.1

Release v0.13.0

Approver Policy v0.13.0 was released on March 6, 2024.

Key features

  • By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs. This prevents accidental deletion of CRDs when uninstalling the component using Helm.

    Note

    This feature introduces an additional uninstall step:

    $ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
    

    To avoid using the annotation, add --set crds.keep=false to your installation. To exclude the CRD from the Helm installation use --set crds.enabled=false.

  • This release also adds an optional PodDisruptionBudget helm value that can be used in your values.yaml file:

        podDisruptionBudget:
            enabled: true
    
  • To help avoid disk exhaustion attacks, a size limit of 50mb has been set on the emptyDir used for the /tmp directory. A /tmp directory is used for the TLS certificate which it generates for the webhook, as well as by some Approver Policy plugins for creating temporary configuration files.

  • Platform engineers can now set Topology Spread Constraints using a Helm chart values. For more information see Topology Spread Constraints.

  • All Approver Policy deployment-related Helm values have been made global in this release.

  • The replicaCount Helm value can now be set to either an integer or a string.

Downloads
  • Docker Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.0
  • Docker Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.13.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.13.0

Release v0.12.1

Approver Policy v0.12.1 was released on February 1, 2024.

Key features

  • This patch release improves the Helm chart README and metadata properties.

    Note

    This release of Approver Policy changes how containers are built, which in turn changes the path at which the binary can be found inside the container. This means that new container images can't be used with older Helm charts, or with any software which expects the old path.

    For the simplest upgrade experience, use the latest helm chart with the latest image.

Downloads
  • Docker Image: private-registry.venafi.cloud/cert-manager-approver-policy/cert-manager-approver-policy:v0.12.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.12.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager-approver-policy:v0.12.1
  • Docker Image: private-registry.venafi.eu/cert-manager-approver-policy/cert-manager-approver-policy:v0.12.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager-approver-policy:v0.12.1 he- Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager-approver-policy:v0.12.1