Trust Manager releases¶
Trust Manager is a small Kubernetes operator that helps reduce the overhead of managing TLS trust bundles in your clusters.
It orchestrates bundles of trusted X.509 certificates that are primarily used for validating certificates during a TLS handshake but can be used in other situations, too.
Learn about current and past releases of Trust Manager.
Latest release¶
The latest stable version of Trust Manager is v0.14.0.
Downloads¶
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.14.0
- FIPS Image:
private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.14.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.14.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.14.0
- FIPS Image:
private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.14.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.14.0
Release v0.14.0¶
Trust Manager v0.14.0 was released on December 2, 2024.
Key features¶
- The release includes support for set-based requirements (matchExpressions) when selecting namespaces to target with a Bundle.
- Because some environments have admission webhooks that might mandate specific labels or annotations, release v0.14.0 of Trust Manager allows chart users to set labels and/or annotations in the Secret created by the Certificate resources.
- This release also adds port naming for podMonitor support.
- The following bug fixes were also added in this release:
  - An issue with CRD validation was fixed. Keys are no longer required in bundle source resources.
  - This release also fixes an issue with updating JKS/PKCS targets when the password changes.
- The following dependencies were updated in this release:
  - actions/setup-go was updated to 5
  - actions/upload-artifact was updated to 4
  - actions/download-artifact was updated to 4
  - sigs.k8s.io/controller-runtime was updated to v0.18.2
  - k8s.io/api was updated to v0.30.0
  - k8s.io/apimachinery was updated to v0.29.3
  - k8s.io/cli-runtime was updated to v0.30.0
  - k8s.io/client-go was updated to v0.29.3
  - k8s.io/component-base was updated to v0.30.0
  - github.com/onsi/ginkgo/v2 was updated to v2.17.3
  - github.com/onsi/gomega was updated to v1.33.1
  - google.golang.org/protobuf was updated to 1.33.0 to fix CVE-2024-24786
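How set-based requirements decide which namespaces a Bundle targets, as an added Go example that is not Trust Manager's code: it implements the Kubernetes operator semantics (In, NotIn, Exists, DoesNotExist) on a simplified local Requirement type. The namespace names and labels are constructed; the point to notice is that NotIn on its own also matches namespaces that lack the label.

```go
package main

import (
	"fmt"
	"sort"
)

// Requirement is a simplified local stand-in for one matchExpressions entry.
type Requirement struct {
	Key, Operator string
	Values        []string
}

// Matches applies Kubernetes set-based semantics; all requirements are ANDed.
func Matches(labels map[string]string, reqs []Requirement) bool {
	for _, r := range reqs {
		v, present := labels[r.Key]
		in := false
		for _, want := range r.Values {
			in = in || (present && v == want)
		}
		// NotIn is also satisfied when the key is absent; unknown operators never match.
		ok := map[string]bool{"In": in, "NotIn": !in, "Exists": present, "DoesNotExist": !present}[r.Operator]
		if !ok {
			return false
		}
	}
	return true
}

// Targets returns, sorted, the namespaces whose labels satisfy reqs.
func Targets(namespaces map[string]map[string]string, reqs []Requirement) []string {
	var out []string
	for name, labels := range namespaces {
		if Matches(labels, reqs) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample namespaces and labels (not taken from the page).
var sample = map[string]map[string]string{"payments": {"env": "prod"}, "sandbox": {"env": "dev"}, "legacy": {}}

func main() {
	loose := []Requirement{{"env", "NotIn", []string{"dev"}}}
	strict := append([]Requirement{{"env", "Exists", nil}}, loose...)
	fmt.Println(Targets(sample, loose), Targets(sample, strict)) // [legacy payments] [payments]
}
```

Pairing NotIn with Exists on the same key keeps a bundle out of namespaces that were never labelled.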
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.14.0
- FIPS Image:
private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.14.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.14.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.14.0
- FIPS Image:
private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.14.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.14.0
Release v0.13.0¶
Trust Manager v0.13.0 was released on October 29, 2024.
Key features¶
- This release includes a new optional includeAllKeys field for Secret and ConfigMap sources. Previously, these sources required users to specify an individual key to include in the resulting bundle. With this new field, you can request that all keys be included instead. Note that Secret sources of kubernetes.io/tls type are not eligible for use with includeAllKeys, to avoid Trust Manager reading a private key.
- This release also includes improvements to reduce the number of encode/decode operations done during a bundle reconcile.
- The following small bug fixes are included in this release:
  - A fix was added so that an error is not raised if a source selector selects no sources.
  - A fix was included to stop copyloopvar lint errors.
  - The topologySpreadConstraints example was updated to reference Trust Manager.
- The following dependencies were updated in this release:
  - sigs.k8s.io/controller-runtime was updated to v0.19.1
  - k8s.io/api was updated to v0.31.2
  - k8s.io/apimachinery was updated to v0.31.2
  - k8s.io/cli-runtime was updated to v0.31.2
  - k8s.io/client-go was updated to v0.31.2
  - k8s.io/component-base was updated to v0.31.2
  - github.com/onsi/ginkgo/v2 was updated to v2.20.2
  - github.com/onsi/gomega was updated to v1.34.2
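A sketch of the eligibility rule described above for includeAllKeys, as an added Go example and not Trust Manager's own implementation. The Secret struct, the helper names and the sample data are assumptions, and rejecting non-certificate PEM blocks in other Secret types is an extra check added here, not something the release notes describe.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"sort"
)

// Secret is a simplified local stand-in for a Kubernetes Secret (assumption).
type Secret struct {
	Name, Type string
	Data       map[string][]byte
}

var ErrIneligible = errors.New("not eligible for includeAllKeys")

// block builds constructed PEM sample data; the payload is not real DER.
func block(typ, payload string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: []byte(payload)})
}

// CollectAllKeys joins the CERTIFICATE blocks of every key, in sorted key order.
// It refuses kubernetes.io/tls Secrets and (extra check) non-certificate PEM blocks.
func CollectAllKeys(s Secret) ([]byte, error) {
	if s.Type == "kubernetes.io/tls" {
		return nil, fmt.Errorf("secret %q has type %s: %w", s.Name, s.Type, ErrIneligible)
	}
	keys := make([]string, 0, len(s.Data))
	for k := range s.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys {
		for b, rest := pem.Decode(s.Data[k]); b != nil; b, rest = pem.Decode(rest) {
			if b.Type != "CERTIFICATE" {
				return nil, fmt.Errorf("secret %q key %q holds a %s block: %w", s.Name, k, b.Type, ErrIneligible)
			}
			out = append(out, pem.EncodeToMemory(b)...)
		}
	}
	return out, nil
}

func main() {
	tls := Secret{"web-tls", "kubernetes.io/tls", map[string][]byte{"tls.crt": block("CERTIFICATE", "leaf")}}
	_, err := CollectAllKeys(tls)
	fmt.Println(err)
}
```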
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.13.0
- FIPS Image:
private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.13.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.13.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.13.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.13.0
- FIPS Image:
private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.13.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.13.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.13.0
Release v0.12.0¶
Trust Manager v0.12.0 was released on July 19, 2024.
Key features¶
- Stand-alone Trust Manager
  Prior to this release, Trust Manager required cert-manager to be installed for generating the Trust Manager webhook certificate. cert-manager's cainjector was used to inject this webhook certificate into the Kubernetes webhook resource.
  It is now possible to install Trust Manager separately from cert-manager. However, relying on Helm for this functionality is not recommended for production environments. It is strongly recommended to run Trust Manager with cert-manager, as it will handle certificate rotation and simplify administration.
- Other Helm chart improvements
  This release also adds support for a dual-stack service for the webhook, and more configurability of trust-manager's leader-election with additional flags for LeaseDuration and RenewDeadline.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.12.0
- FIPS Image:
private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.12.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.12.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.12.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.12.0
- FIPS Image:
private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.12.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.12.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.12.0
Release v0.11.1¶
Trust Manager v0.11.1 was released on July 15, 2024.
Key features¶
- This release addresses an issue where the ConfigMap label selector caused unintended updates to trust bundles within ConfigMaps.
- The following dependencies were updated in this release:
  - github.com/spf13/cobra was updated to v1.8.1
  - k8s.io/api was updated to v.30.2
  - k8s.io/cli-runtime was updated to v0.30.2
  - k8s.io/component-base was updated to v0.30.2
  - k8s.io/klog/v2 was updated to v2.130.1
  - sigs.k8s.io/controller-runtime was updated to v0.18.4
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.11.1
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.11.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.11.1
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.11.1
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.11.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.11.1
Release v0.11.0¶
Trust Manager v0.11.0 was released on June 3, 2024.
Key features¶
- JSON logging
  JSON logging can be enabled through the new app.logFormat Helm value, which defaults to text but can be set to json. For example:

      helm upgrade trust-manager jetstack/trust-manager \
        --set app.logFormat=json \
        --install \
        --namespace cert-manager \
        --wait

      kubectl logs -n cert-manager trust-manager-xxxxx
      {"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
      ...

- Log Level Parsing
  This release also changes how log levels are parsed when passed in to trust-manager.
  Previously, non-numeric log levels would be silently ignored, so if you set a log level of "v5" rather than "5", the setting would not take effect, and the log level would default to 1. Now, log levels must be valid integers, and Trust Manager will fail to start if a log level is invalid.
- Fixes and improvements
  - Updated to use the Go version specified in the Makefile tools module.
  - Replaced deprecated klog.New in tests with ktesting.NewTestContext.
  - Deduplicated code for syncing target configmaps and secrets.
  - Fixed all linter issues and un-ignored golangci-lint linter exceptions.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.11.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.11.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.11.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.11.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.11.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.11.0
Release v0.10.1¶
Trust Manager v0.10.1 was released on May 29, 2024.
Key features¶
- Release v0.10.1 fixes an issue in the Trust Manager build process causing it to be built with an out-of-date Go version (1.22.0). Trust Manager v0.10.1 now builds with Go v1.22.3.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.10.1
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.10.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.10.1
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.10.1
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.10.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.10.1
Release v0.10.0¶
Trust Manager v0.10.0 was released on May 13, 2024.
Key features¶
- Trust Manager has been updated to use Makefile modules.
- Release v0.10.0 also upgrades the Go version used to build to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788).
- The google.golang.org/protobuf library has been updated to v1.33.0 to fix the following vulnerability: CVE-2024-24786.
- This release also includes dependency version updates and minor bug fixes.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.10.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.10.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.10.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.10.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.10.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.10.0
Release v0.9.2¶
Trust Manager v0.9.2 was released on March 26, 2024.
Key features¶
- This release fixes a minor Helm schema issue with the nameoverride value.
- The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: CVE-2024-24786.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.9.2
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.9.2
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.9.2
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.9.2
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.9.2
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.9.2
Release v0.9.1¶
Trust Manager v0.9.1 was released on March 13, 2024.
Key features¶
- A Helm chart schema fix for the replicaCount field to assist further chart templating.
- This release also further improves support for the s390x architecture introduced in v0.9.0 by building the Debian trust package for s390x.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.9.1
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.9.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.9.1
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.9.1
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.9.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.9.1
Release v0.9.0¶
Trust Manager v0.9.0 was released on March 7, 2024.
Key features¶
- This release fixes an issue which broke passwordless PKCS#12 files when read by Java. It's possible that this could have an effect on non-Java platforms, but in testing it seemed safe for both Go and Java.
- This release also adds support for the s390x architecture for Trust Manager.
- A new crds.keep option was added to reduce the risk of losing important data when uninstalling Trust Manager.
- An issue with certificate deduplication when certs were present in multiple sources was also fixed in this release.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.9.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.9.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.9.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.9.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.9.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.9.0
Release v0.8.0¶
Trust Manager v0.8.0 was released on January 19, 2024.
Key features¶
- This release adds an option at startup to filter expired certificates from all bundles and the ability to include Secret and ConfigMap resources via labels.
- Removal of .status.target
  Trust Manager v0.8.0 removes the .status.target field from Bundle resources. If you relied on this field previously, you should be able to calculate it from the spec of your Bundle.
Downloads
- Container Image:
private-registry.venafi.cloud/trust-manager/trust-manager:v0.8.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.8.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/trust-manager:v0.8.0
- Container Image:
private-registry.venafi.eu/trust-manager/trust-manager:v0.8.0
- Helm Chart:
oci://registry.venafi.cloud/charts/trust-manager:v0.8.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/trust-manager:v0.8.0