Trust Manager releases¶

Trust Manager is a small Kubernetes operator that helps reduce the overhead of managing TLS trust bundles in your clusters.

It orchestrates bundles of trusted X.509 certificates that are primarily used for validating certificates during a TLS handshake but can be used in other situations, too.

Learn about current and past releases of Trust Manager.

Latest release¶

​ The latest stable version of Trust Manager is v0.13.0.

Downloads¶

Release v0.13.0¶

Trust Manager v0.13.0 was released on October 29, 2024.

Key features¶

• This release includes a new optional includeAllKeys field for Secret and ConfigMap sources. Previously, these sources required users to specify an indvidual key to include in the resulting bundle. With this new field, you can request that all keys be included instead. Note that Secret sources of kubernetes.io/tls type are not eligible for use with includeAllKeys, to avoid Trust Manager reading a private key.
• This release also includes improvements to reduce the number of encode/decode operations done during a bundle reconcile.

• The following small bug fixes are included in this release:

  • A fix was added so that error is not raised if a source selector selects no sources.
  • A fix was included to stop copyloopvar lint errors.
  • The topologySpreadConstraints example was updated to reference Trust Manager.

• The following dependencies were updated in this release:

  • sigs.k8s.io/controller-runtime was updated to v0.19.1
  • k8s.io/api was updated to v0.31.2
  • k8s.io/apimachinery was updated to v0.31.2
  • k8s.io/cli-runtime was updated to v0.31.2
  • k8s.io/client-go was updated to v0.31.2
  • k8s.io/component-base was updated to v0.31.2
  • github.com/onsi/ginkgo/v2 was updated to v2.20.2
  • github.com/onsi/gomega was updated to v1.34.2

Release v0.12.0¶

Trust Manager v0.12.0 was released on July 19, 2024.

Key features¶

• Stand-alone Trust Manager

  Prior to this release, Trust Manager required cert-manager to be installed for generating the Trust Manager webhook certificate. cert-manager's cainjector was used to inject this webhook certificate into the Kubernetes webhook resource.

  It is now possible to install Trust Manager separately from cert-manager. However, relying on Helm for this functionality is not recommended for production environments. It is strongly recommended to run Trust Manager with cert-manager, as it will handle certificate rotation and simplify administration. Learn more

• Other Helm chart improvements

  This release also adds support for a dual-stack service for the webhook, and more configurability of trust-manager's leader-election with additional flags for LeaseDuration and RenewDeadline.

Release v0.11.1¶

Trust Manager v0.11.1 was released on July 15, 2024.

Key features¶

• This release addresses an issue where the ConfigMap label selector caused unintended updates to trust bundles within ConfigMaps.

• The following dependencies were updated in this release:

  • github.com/spf13/cobra was updated to v1.8.1
  • k8s.io/api was updated to v.30.2
  • k8s.io/cli-runtime was updated to v0.30.2
  • k8s.io/component-base was updated to v0.30.2
  • k8s.io/klog/v2 was updated to v2.130.1
  • sigs.k8s.io/controller-runtime was updated to v0.18.4

Release v0.11.0¶

Trust Manager v0.11.0 was released on June 3, 2024.

Key features¶

• JSON logging

  JSON logging can be enabled through the new app.logFormat Helm value, which defaults to text but can be set to json. For example:

  helm upgrade trust-manager jetstack/trust-manager \
      --set app.logFormat=json \
      --install \
      --namespace cert-manager \
      --wait
  
  kubectl logs -n cert-manager trust-manager-xxxxx
  {"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
  ...
  

• Log Level Parsing

  This release also changes how log levels are parsed when passed in to trust-manager.

  Previously, non-numeric log levels would be silently ignored, so if you set a log level of "v5" rather than "5", the setting would not take effect, and the log level would default to 1. Now, log levels must be valid integers, and Trust Manager will fail to start if a log level is invalid.

• Fixes and improvements

  • Updated to use the Go version specified in the Makefile tools module.
  • Replaced deprecated klog.New in tests with ktesting.NewTestContext.
  • Deduplicated code for syncing target configmaps and secrets.
  • Fixed all linter issues and un-ignore golanci-lint linter exceptions.

Release v0.10.1¶

Trust Manager v0.10.1 was released on May 29, 2024.

Key features¶

• Release v0.10.1 fixes an issue in the Trust Manager build process causing it to be built with an out-of-date Go version (1.22.0). Trust Manager v0.10.1 now builds with Go v1.22.3.

Release v0.10.0¶

Trust Manager v0.10.0 was released on May 13, 2024.

Key features¶

• Trust Manager has been updated to use Makefile modules.
• Release v0.10.0 also upgrades the Go version used to build to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788).
• The google.golang.org/protobuf library has been updated to v1.33.0 to fix the following vulnerability: CVE-2024-24786.
• This release also includes dependency version updates and minor bug fixes.

Release v0.9.2¶

Trust Manager v0.9.2 was released on March 26, 2024.

Key features¶

• This release fixes an minor Helm schema issue with the nameoverride value.
• The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: CVE-2024-24786 s.

Release v0.9.1¶

Trust Manager v0.9.1 was released on March 13, 2024.

Key features¶

• A helm chart schema fix for the replicaCount field to assist further chart templating.
• This release also further improves support for the s390x architecture introduced in v0.9.0 by building the Debian trust package for s390x.

Release v0.9.0¶

Trust Manager v0.9.0 was released on March 7, 2024.

Key features¶

• This release fixes an issue which broke passwordless PKCS#12 files when read by Java. It's possible that this could have an effect on non-Java platforms, but in testing it seemed safe for both Go and Java.
• This release also adds support for the s390x architecture for Trust Manager.
• A new crds.keep option was added to reduce the risk of losing important data when uninstalling Trust Manager.
• An issue with certificate deduplication when certs were present in multiple sources was also fixed in this release.

Release v0.8.0¶

Trust Manager v0.8.0 was released on January 19, 2024.

Key features¶

• This release adds an option at startup to filter expired certificates from all bundles and the ability to include Secret and ConfigMap resources via labels.

  Removal of .status.target

  Trust Manager v0.8.0 removes the .status.target field from Bundle resources. If you relied on this field previously, you should be able to calculate it from the spec of your Bundle.