Approver Policy Enterprise releases
Learn about current and past releases of Approver Policy Enterprise.
Latest release
The latest stable version of Approver Policy Enterprise is v0.18.1.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.18.1
- FIPS Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise-fips:v0.18.1
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.1
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.18.1
- FIPS Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise-fips:v0.18.1
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.18.1
Release 0.18.1
Approver Policy Enterprise 0.18.1 was released on August 20, 2024.
Key features
- Release 0.18.1 of Approver Policy Enterprise is a patch release that fixes an issue where the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. As a result, the webhook TLS server fails to renew its CA certificate. Please upgrade before this CA certificate expires.
- The following dependencies were also updated in this release:
  - github.com/cert-manager/approver-policy was updated to v0.15.1
  - github.com/cert-manager/cert-manager was updated to v1.15.3
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.18.1
- FIPS image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise-fips:v0.18.1
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.1
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.18.1
- FIPS image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise-fips:v0.18.1
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.18.1
Release 0.18.0
Approver Policy Enterprise 0.18.0 was released on July 30, 2024.
Key features
- Approver Policy Enterprise has been updated in this release to use Approver Policy 0.15.0.
- The version of Go used for the build was updated to v1.22.5.
- The Approver Policy Enterprise Venafi plugin has been updated to retry more quickly, in the event of a temporary failure to connect to Venafi API endpoints.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.18.0
- FIPS image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise-fips:v0.18.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.0
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.18.0
- FIPS image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise-fips:v0.18.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.18.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.18.0
Release 0.17.2
Approver Policy Enterprise 0.17.2 was released on July 11, 2024.
Key features
- This patch release fixes a Helm template call error introduced in release 0.17.1.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.17.2
- FIPS image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise-fips:v0.17.2
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.2
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.2
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.17.2
- FIPS image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise-fips:v0.17.2
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.2
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.17.2
Release 0.17.1
Approver Policy Enterprise 0.17.1 was released on June 12, 2024.
Key features
- This patch release fixes an issue with an incorrect cert-manager-approver-policy ServiceAccount name in the Rego (Cluster)RoleBinding reference.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.17.1
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.17.1
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.17.1
Release 0.17.0
Approver Policy Enterprise 0.17.0 was released on May 17, 2024.
Key features
- Approver Policy Enterprise has been updated in this release to use Approver Policy 0.14.1.
- This release has also been updated to use Venafi Connection 0.1.0.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.17.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.0
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.17.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.17.0
Release 0.16.0
Approver Policy Enterprise 0.16.0 was released on April 26, 2024.
Key features
- Approver Policy Enterprise now accepts all external issuers by default. You can now remove approveSignerNames from your values.yaml file.
  This makes Approver Policy Enterprise easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer. Previously, Approver Policy Enterprise required explicitly granted permission to use external issuers via the approveSignerNames Helm value.
  Approver Policy Enterprise can be used with all issuers. It's still possible to restrict the list if you want to; however, doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should take no action.
- When using TLS Protect Datacenter, you can now remove the revoke privilege from the API Integration that you use with Approver Policy Enterprise.
- The version of Venafi Connection was updated to v0.0.20.
- The version of Approver Policy was updated to v0.13.1.
Read before upgrading
The new signer permissions described above take effect by default upon upgrading to Approver Policy Enterprise v0.16.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the following scenarios fits your use case to determine if you need to take any action:
Scenario 1: No Custom approveSignerNames
If you didn't previously set a value for approveSignerNames, then the list of issuers usable by Approver Policy Enterprise would've been restricted to only the built-in issuers. When upgrading to v0.16.0, that list will expand to include all possible issuers.
If you're happy for Approver Policy Enterprise to approve for all issuers, no action is required. Most users should fall into this category.
If, for some reason, you do not want to allow Approver Policy Enterprise to handle approval for certificates signed by external issuers but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.
Scenario 2: Custom app.approveSignerNames
If you're already using external issuers with Approver Policy Enterprise, you'll have already set a custom value for approveSignerNames.
If you're happy for Approver Policy Enterprise to approve for all issuers, remove your custom value for approveSignerNames and use the new default.
If you wish to keep restrictions in place, you can leave your custom value in place.
Why should I restrict approveSignerNames?
It makes sense to restrict this value if you have external issuers installed and want to limit the issuers Approver Policy Enterprise can approve for. This would imply that you have some other approver running in your cluster, which should apply to some issuers.
We believe that for most users it's fine to accept the new default of allowing access for Approver Policy Enterprise to all issuers.
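For the case where restrictions are kept in place, a values.yaml fragment as an added illustration (not taken from the release notes or the product's chart). The two built-in signer patterns are an assumption based on the earlier default of the upstream approver-policy chart, so confirm them against the values of your previously deployed chart; the external issuer entry is a hypothetical placeholder.

```yaml
# values.yaml fragment (added example; every value below is an assumption
# to be checked against your own previously deployed chart values).
app:
  # Setting this list explicitly overrides the v0.16.0 default of
  # "all issuers". Each entry is a signer name of the form
  #   <issuer-resource-plural>.<api-group>/<name-or-*>
  approveSignerNames:
    # Scenario 1: restrict approval to cert-manager's built-in issuer kinds.
    # Assumed to match the pre-v0.16.0 default.
    - "issuers.cert-manager.io/*"
    - "clusterissuers.cert-manager.io/*"

    # Scenario 2: an explicitly allowed external issuer kind.
    # Hypothetical placeholder; replace with the resource and API group of
    # the external issuer actually installed in the cluster, or delete it.
    # - "exampleissuers.issuer.example.com/*"

# Any issuer kind not matched by an entry above is left for another
# approver in the cluster to handle, which is the situation the
# "Why should I restrict approveSignerNames?" paragraph describes.
```

Removing the approveSignerNames key entirely returns the installation to the v0.16.0 default of approving for all issuers.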
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.16.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.16.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.16.0
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.16.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.16.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.16.0
Release 0.15.0
Approver Policy Enterprise 0.15.0 was released on March 26, 2024.
Key features
- You can now configure an HTTP proxy from the Helm chart by using the following values: http_proxy, https_proxy, and no_proxy. If you are using the upstream version of Approver Policy, this may not be useful to you. These variables are useful for projects that build plugins on top of Approver Policy and make HTTP calls to the internet. For more information, see the Approver Policy Helm values reference page.
- You can now also configure the priorityClassName field in the Helm chart. For more information, see the Approver Policy Helm values reference page.
- The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: GO-2024-2611 (CVE-2024-24786).
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.15.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.15.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.15.0
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.15.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.15.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.15.0
Release 0.14.0
Approver Policy Enterprise 0.14.0 was released on March 7th, 2024.
Key features
This release incorporates the following Helm value updates to reflect changes made in Approver Policy 0.13.0:
- By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs. This prevents accidental deletion of CRDs when uninstalling the component using Helm.
  Note
  This feature introduces an additional uninstall step:
  $ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
  To avoid using the annotation, add --set crds.keep=false to your installation. To exclude the CRD from the Helm installation, use --set crds.enabled=false.
- This release also adds an optional PodDisruptionBudget Helm value that can be used in your values.yaml file:
    podDisruptionBudget:
      enabled: true
- Platform engineers can now set Topology Spread Constraints using Helm chart values. For more information, see Topology Spread Constraints.
- All Approver Policy deployment-related Helm values have been made global in this release.
- The replicaCount Helm value can now be set to either an integer or a string.
For more information, see Approver Policy Enterprise Helm values.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.14.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.14.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.14.0
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.14.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.14.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.14.0
Release 0.13.0
Approver Policy Enterprise 0.13.0 was released on November 29th, 2023.
Key features
- A new metric venaficonnection_status is now available. This metric lets you monitor connection or authentication problems to the Venafi Control Plane API and TPP.
- The existing HTTP metrics now include the HTTP path and host. The host label holds the hostname of the TPP or TLS Protect Cloud instance, for example tpp.example.com and api.venafi.cloud. The path label holds the HTTP path of the request. The UUID and names are stripped from the HTTP paths so that the cardinality of the metrics doesn't explode.
- The field clientId in the hashicorpVaultOAuth block in the Venafi Connection custom resource is deprecated. This field had been mistakenly introduced. This change should not affect existing users of Venafi Enhanced Issuer since this field was not effective and wasn't shown in any of the documentation pages.
- Approver Policy has been updated and now supports CEL-based validation rules. You can learn more by reading the document 20230726-cel-policy.md.
Downloads
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.13.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.13.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.13.0
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.13.0
- Helm Chart:
oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.13.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.13.0
Release 0.12.0
Approver Policy Enterprise 0.12.0 was released on October 27th, 2023.
Key features
- Golang has been updated to mitigate CVE-2023-44487 and CVE-2023-39325.
- The Approver Policy Enterprise component exposes operational and usage telemetry metrics suitable for popular monitoring solutions, enabling alerts on important operational states. For more information, see Metrics for Approver Policy Enterprise.
Downloads
US region
- Container Image:
private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.12.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.12.0
EU region
- Container Image:
private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.12.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.12.0
Related links
- Installing Approver Policy Enterprise
- Configuring Approver Policy Enterprise
- Common scenarios
- Approver Policy Enterprise Venafi plugin
- Approver Policy Enterprise Rego plugin
- Approver Policy Enterprise administration
- Metrics for Policy Approver Enterprise
- Approver Policy Enterprise API reference
- Approver Policy Enterprise image flags