Approver Policy Enterprise releases

Learn about current and past releases of Approver Policy Enterprise.

Latest release

The latest stable version of Approver Policy Enterprise is v0.17.1.

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.17.1
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.17.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.17.1

Release 0.17.1

Approver Policy Enterprise 0.17.1 was released on June 12, 2024.

Key features

  • This patch release fixes an issue with an incorrect cert-manager-approver-policy ServiceAccount name in the Rego (Cluster)RoleBinding reference.

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.17.1
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.1
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.17.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.17.1

Release 0.17.0

Approver Policy Enterprise 0.17.0 was released on May 17, 2024.

Key features

  • Approver Policy Enterprise has been updated in this release to use Approver Policy 0.14.1.
  • This release has also been updated to use Venafi Connection 0.1.0.

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.17.0
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.17.0
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.17.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.17.0

Release 0.16.0

Approver Policy Enterprise 0.16.0 was released on April 26, 2024.

Key features

  • Approver Policy Enterprise now accepts all external issuers by default. You can now remove approveSignerNames from your values.yaml file. This makes Approver Policy Enterprise easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer. Previously, Approver Policy Enterprise required permission to use external issuers to be granted explicitly via the approveSignerNames Helm value.

    Approver Policy Enterprise can be used with all issuers. It's still possible to restrict the list if you want to; however, doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should take no action.

  • When using TLS Protect Datacenter, you can now remove the revoke privilege from the API Integration that you use with Approver Policy Enterprise.

  • The version of Venafi Connection was updated to v0.0.20.

  • The version of Approver Policy was updated to v0.13.1.

Read before upgrading

The new signer permissions described above take effect by default upon upgrading to Approver Policy Enterprise v0.16.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the following scenarios fits your use case to determine if you need to take any action:

Scenario 1: No Custom approveSignerNames

If you didn't previously set a value for approveSignerNames, then the list of issuers usable by Approver Policy Enterprise would've been restricted to only the built-in issuers. When upgrading to v0.16.0, that list will expand to include all possible issuers.

If you're happy for Approver Policy Enterprise to approve for all issuers, no action is required. Most users should fall into this category.

If, for some reason, you do not want Approver Policy Enterprise to handle approval for certificates signed by external issuers, but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.

Scenario 2: Custom app.approveSignerNames

If you're already using external issuers with Approver Policy Enterprise, you'll have already set a custom value for approveSignerNames.

If you're happy for Approver Policy Enterprise to approve for all issuers, remove your custom value for approveSignerNames and use the new default.

If you wish to keep restrictions in place, you can leave your custom value in place.

Why should I restrict approveSignerNames?

It makes sense to restrict this value if you have external issuers installed and want to limit the issuers Approver Policy Enterprise can approve for. This would imply that you have some other approver running in your cluster, which should apply to some issuers.

We believe that for most users it's fine to accept the new default of allowing access for Approver Policy Enterprise to all issuers.

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.16.0
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.16.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.16.0
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.16.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.16.0

Release 0.15.0

Approver Policy Enterprise 0.15.0 was released on March 26, 2024.

Key features

  • You can now configure an HTTP proxy from the Helm chart by using the following values: http_proxy, https_proxy, and no_proxy. If you are using the upstream version of Approver Policy, this may not be useful to you. These variables are useful for projects that build plugins on top of Approver Policy and make HTTP calls to the internet. For more information, see the Approver Policy Helm values reference page.
  • You can now also configure the priorityClassName field in the Helm chart. For more information, see the Approver Policy Helm values reference page.
  • The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: GO-2024-2611 (CVE-2024-24786).

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.15.0
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.15.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.15.0
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.15.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.15.0

Release 0.14.0

Approver Policy Enterprise 0.14.0 was released on March 7th, 2024.

Key features

This release incorporates the following Helm value updates to reflect changes made in Approver Policy 0.13.0:

  • By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs. This prevents accidental deletion of CRDs when uninstalling the component using Helm.

    Note

    This feature introduces an additional uninstall step:

    $ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io
    

    To avoid using the annotation, add --set crds.keep=false to your installation. To exclude the CRD from the Helm installation use --set crds.enabled=false.

  • This release also adds an optional PodDisruptionBudget Helm value that can be used in your values.yaml file:

        podDisruptionBudget:
            enabled: true
    
  • Platform engineers can now set Topology Spread Constraints using Helm chart values. For more information, see Topology Spread Constraints.

  • All Approver Policy deployment-related Helm values have been made global in this release.

  • The replicaCount Helm value can now be set to either an integer or a string.

For more information, see Approver Policy Enterprise Helm values.

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.14.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.14.0
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.14.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.14.0

Release 0.13.0

Approver Policy Enterprise 0.13.0 was released on November 29th, 2023.

Key features

  • A new metric venaficonnection_status is now available. This metric lets you monitor connection or authentication problems to the Venafi Control Plane API and TPP.
  • The existing HTTP metrics now include the HTTP path and host. The host label holds the hostname of the TPP or TLS Protect Cloud instance, for example tpp.example.com and api.venafi.cloud. The path label holds the HTTP path of the request. UUIDs and names are stripped from the HTTP paths so that the cardinality of the metrics doesn't explode.
  • The field clientId in the hashicorpVaultOAuth block in the Venafi Connection custom resource is deprecated. This field had been mistakenly introduced. This change should not affect existing users of Venafi Enhanced Issuer since this field was not effective and wasn't shown in any of the documentation pages.
  • Approver Policy has been updated and now supports CEL-based validation rules.

    You can learn more by reading the document 20230726-cel-policy.md.

Downloads

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.13.0
  • Helm Chart: oci://registry.venafi.cloud/charts/approver-policy-enterprise:v0.13.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.13.0
  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.13.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.13.0

Release 0.12.0

Approver Policy Enterprise 0.12.0 was released on October 27th, 2023.

Key features

  • Golang has been updated to mitigate CVE-2023-44487 and CVE-2023-39325.

  • The Approver Policy Enterprise component exposes operational and usage telemetry metrics suitable for popular monitoring solutions, enabling alerts on important operational states. For more information, see Metrics for Approver Policy Enterprise.

Downloads

US region

  • Docker Image: private-registry.venafi.cloud/venafi-approver-policy/approver-policy-enterprise:v0.12.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/approver-policy-enterprise:v0.12.0

EU region

  • Docker Image: private-registry.venafi.eu/venafi-approver-policy/approver-policy-enterprise:v0.12.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/approver-policy-enterprise:v0.12.0