
Trust Manager releases

Trust Manager is a small Kubernetes operator that helps reduce the overhead of managing TLS trust bundles in your clusters.

It orchestrates bundles of trusted X.509 certificates that are primarily used for validating certificates during a TLS handshake but can be used in other situations, too.

Learn about current and past releases of Trust Manager.

Latest release

The latest stable version of Trust Manager is v0.14.0.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.14.0
  • FIPS Image: private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.14.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.14.0
  • FIPS Image: private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.14.0

Release v0.14.0

Trust Manager v0.14.0 was released on December 2, 2024.

Key features

  • The release includes support for set-based requirements (matchExpressions) when selecting namespaces to target with a Bundle.
  • Because some environments have admission webhooks that might mandate specific labels or annotations, release v0.14.0 of Trust Manager allows chart users to set labels and/or annotations in the Secret created by the Certificate resources.
  • This release also adds port naming for podMonitor support.
  • The following bug fixes were also added in this release:

    • An issue with CRD validation was fixed. Keys are no longer required in bundle source resources.
    • This release also fixes an issue with updating JKS/PKCS targets when the password changes.
  • The following dependencies were updated in this release:

    • actions/setup-go was updated to 5
    • actions/upload-artifact was updated to 4
    • actions/download-artifact was updated to 4
    • sigs.k8s.io/controller-runtime was updated to v0.18.2
    • k8s.io/api was updated to v0.30.0
    • k8s.io/apimachinery was updated to v0.29.3
    • k8s.io/cli-runtime was updated to v0.30.0
    • k8s.io/client-go was updated to v0.29.3
    • k8s.io/component-base was updated to v0.30.0
    • github.com/onsi/ginkgo/v2 was updated to v2.17.3
    • github.com/onsi/gomega was updated to v1.33.1
    • google.golang.org/protobuf was updated to 1.33.0 to fix CVE-2024-24786

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.14.0
  • FIPS Image: private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.14.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.14.0
  • FIPS Image: private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.14.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.14.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.14.0

Release v0.13.0

Trust Manager v0.13.0 was released on October 29, 2024.

Key features

  • This release includes a new optional includeAllKeys field for Secret and ConfigMap sources. Previously, these sources required users to specify an individual key to include in the resulting bundle. With this new field, you can request that all keys be included instead. Note that Secret sources of kubernetes.io/tls type are not eligible for use with includeAllKeys, to avoid Trust Manager reading a private key.
  • This release also includes improvements to reduce the number of encode/decode operations done during a bundle reconcile.
  • The following small bug fixes are included in this release:

    • A fix was added so that an error is not raised if a source selector selects no sources.
    • A fix was included to stop copyloopvar lint errors.
    • The topologySpreadConstraints example was updated to reference Trust Manager.
  • The following dependencies were updated in this release:

    • sigs.k8s.io/controller-runtime was updated to v0.19.1
    • k8s.io/api was updated to v0.31.2
    • k8s.io/apimachinery was updated to v0.31.2
    • k8s.io/cli-runtime was updated to v0.31.2
    • k8s.io/client-go was updated to v0.31.2
    • k8s.io/component-base was updated to v0.31.2
    • github.com/onsi/ginkgo/v2 was updated to v2.20.2
    • github.com/onsi/gomega was updated to v1.34.2
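
The includeAllKeys restriction described above can be illustrated with a short Go example. It is added here and is not Trust Manager's own code: collectAllKeys, samplePEM and errTLSSecret are hypothetical names, and rejecting non-certificate PEM blocks in other Secret types is an assumption that goes beyond what the release note states.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"sort"
)

var errTLSSecret = errors.New("includeAllKeys refused for kubernetes.io/tls Secret")

// collectAllKeys is a hypothetical helper, not trust-manager's code. It joins the
// certificates under every key of a Secret, refusing TLS-typed Secrets and any
// key that holds a non-CERTIFICATE PEM block (for example a private key).
func collectAllKeys(secretType string, data map[string][]byte) ([]byte, error) {
	if secretType == "kubernetes.io/tls" {
		return nil, errTLSSecret // tls.key would otherwise be read along with tls.crt
	}
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys) // stable order, so the bundle does not churn between reconciles
	var bundle []byte
	for _, k := range keys {
		for blk, rest := pem.Decode(data[k]); blk != nil; blk, rest = pem.Decode(rest) {
			if blk.Type != "CERTIFICATE" {
				return nil, fmt.Errorf("key %q holds a %q block, not a certificate", k, blk.Type)
			}
			bundle = append(bundle, pem.EncodeToMemory(blk)...)
		}
	}
	return bundle, nil
}

// samplePEM builds constructed sample input; the payload is not a real certificate or key.
func samplePEM(typ, body string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: []byte(body)})
}

func main() {
	data := map[string][]byte{"b.crt": samplePEM("CERTIFICATE", "B"), "a.crt": samplePEM("CERTIFICATE", "A")}
	out, err := collectAllKeys("Opaque", data)
	fmt.Printf("%d bytes, err=%v\n", len(out), err)
	_, err = collectAllKeys("kubernetes.io/tls", data)
	fmt.Println(err)
}
```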

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.13.0
  • FIPS Image: private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.13.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.13.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.13.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.13.0
  • FIPS Image: private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.13.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.13.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.13.0

Release v0.12.0

Trust Manager v0.12.0 was released on July 19, 2024.

Key features

  • Stand-alone Trust Manager

    Prior to this release, Trust Manager required cert-manager to be installed for generating the Trust Manager webhook certificate. cert-manager's cainjector was used to inject this webhook certificate into the Kubernetes webhook resource.

    It is now possible to install Trust Manager separately from cert-manager. However, relying on Helm for this functionality is not recommended for production environments. It is strongly recommended to run Trust Manager with cert-manager, as it will handle certificate rotation and simplify administration.

  • Other Helm chart improvements

    This release also adds support for a dual-stack service for the webhook, and more configurability of trust-manager's leader-election with additional flags for LeaseDuration and RenewDeadline.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.12.0
  • FIPS Image: private-registry.venafi.cloud/trust-manager/trust-manager-fips:v0.12.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.12.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.12.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.12.0
  • FIPS Image: private-registry.venafi.eu/trust-manager/trust-manager-fips:v0.12.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.12.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.12.0

Release v0.11.1

Trust Manager v0.11.1 was released on July 15, 2024.

Key features

  • This release addresses an issue where the ConfigMap label selector caused unintended updates to trust bundles within ConfigMaps.
  • The following dependencies were updated in this release:

    • github.com/spf13/cobra was updated to v1.8.1
    • k8s.io/api was updated to v0.30.2
    • k8s.io/cli-runtime was updated to v0.30.2
    • k8s.io/component-base was updated to v0.30.2
    • k8s.io/klog/v2 was updated to v2.130.1
    • sigs.k8s.io/controller-runtime was updated to v0.18.4

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.11.1
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.11.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.11.1
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.11.1
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.11.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.11.1

Release v0.11.0

Trust Manager v0.11.0 was released on June 3, 2024.

Key features

  • JSON logging

    JSON logging can be enabled through the new app.logFormat Helm value, which defaults to text but can be set to json. For example:

    helm upgrade trust-manager jetstack/trust-manager \
        --set app.logFormat=json \
        --install \
        --namespace cert-manager \
        --wait
    
    kubectl logs -n cert-manager trust-manager-xxxxx
    {"time":"2024-06-03T14:05:12.468612847Z","level":"INFO","msg":"successfully loaded default package from filesystem","logger":"trust/bundle","path":"/packages/cert-manager-package-debian.json"}
    ...
    
  • Log Level Parsing

    This release also changes how log levels are parsed when passed in to trust-manager.

    Previously, non-numeric log levels would be silently ignored, so if you set a log level of "v5" rather than "5", the setting would not take effect, and the log level would default to 1. Now, log levels must be valid integers, and Trust Manager will fail to start if a log level is invalid.

  • Fixes and improvements

    • Updated to use the Go version specified in the Makefile tools module.
    • Replaced deprecated klog.New in tests with ktesting.NewTestContext.
    • Deduplicated code for syncing target configmaps and secrets.
    • Fixed all linter issues and un-ignored golangci-lint linter exceptions.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.11.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.11.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.11.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.11.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.11.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.11.0

Release v0.10.1

Trust Manager v0.10.1 was released on May 29, 2024.

Key features

  • Release v0.10.1 fixes an issue in the Trust Manager build process causing it to be built with an out-of-date Go version (1.22.0). Trust Manager v0.10.1 now builds with Go v1.22.3.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.10.1
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.10.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.10.1
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.10.1
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.10.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.10.1

Release v0.10.0

Trust Manager v0.10.0 was released on May 13, 2024.

Key features

  • Trust Manager has been updated to use Makefile modules.
  • Release v0.10.0 also upgrades the Go version used to build to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788).
  • The google.golang.org/protobuf library has been updated to v1.33.0 to fix the following vulnerability: CVE-2024-24786.
  • This release also includes dependency version updates and minor bug fixes.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.10.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.10.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.10.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.10.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.10.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.10.0

Release v0.9.2

Trust Manager v0.9.2 was released on March 26, 2024.

Key features

  • This release fixes a minor Helm schema issue with the nameoverride value.
  • The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: CVE-2024-24786.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.9.2
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.9.2
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.9.2
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.9.2
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.9.2
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.9.2

Release v0.9.1

Trust Manager v0.9.1 was released on March 13, 2024.

Key features

  • This release includes a Helm chart schema fix for the replicaCount field to assist further chart templating.
  • This release also further improves support for the s390x architecture introduced in v0.9.0 by building the Debian trust package for s390x.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.9.1
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.9.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.9.1
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.9.1
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.9.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.9.1

Release v0.9.0

Trust Manager v0.9.0 was released on March 7, 2024.

Key features

  • This release fixes an issue which broke passwordless PKCS#12 files when read by Java. It's possible that this could have an effect on non-Java platforms, but in testing it seemed safe for both Go and Java.
  • This release also adds support for the s390x architecture for Trust Manager.
  • A new crds.keep option was added to reduce the risk of losing important data when uninstalling Trust Manager.
  • An issue with certificate deduplication when certs were present in multiple sources was also fixed in this release.

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.9.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.9.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.9.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.9.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.9.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.9.0

Release v0.8.0

Trust Manager v0.8.0 was released on January 19, 2024.

Key features

  • This release adds an option at startup to filter expired certificates from all bundles and the ability to include Secret and ConfigMap resources via labels.

    Removal of .status.target

    Trust Manager v0.8.0 removes the .status.target field from Bundle resources. If you relied on this field previously, you should be able to calculate it from the spec of your Bundle.
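
The expired-certificate filter added in this release, together with the deduplication of certificates present in multiple sources noted under v0.9.0, can be pictured with the following Go example. It is added here and is not Trust Manager's own code: cleanBundle and constructedCA are hypothetical names, and treating two certificates as duplicates when their DER encodings match is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// constructedCA returns a throwaway self-signed CA (constructed sample input, not a real root).
func constructedCA(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// cleanBundle (hypothetical) keeps each distinct certificate once, drops those
// that expired before now, and returns the bundle plus the kept subject names.
func cleanBundle(bundle []byte, now time.Time) (out []byte, kept []string, err error) {
	seen := map[[sha256.Size]byte]bool{}
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		cert, perr := x509.ParseCertificate(blk.Bytes)
		if perr != nil {
			return nil, nil, fmt.Errorf("parse certificate: %w", perr)
		}
		sum := sha256.Sum256(cert.Raw) // identity is the exact DER encoding
		if seen[sum] || now.After(cert.NotAfter) {
			continue
		}
		seen[sum] = true
		kept = append(kept, cert.Subject.CommonName)
		out = append(out, pem.EncodeToMemory(blk)...)
	}
	return out, kept, nil
}

func main() {
	now := time.Now()
	live := constructedCA("live", now.Add(time.Hour))
	_, kept, err := cleanBundle(append(live, constructedCA("expired", now.Add(-time.Hour))...), now)
	fmt.Println(kept, err)
}
```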

Downloads

  • Container Image: private-registry.venafi.cloud/trust-manager/trust-manager:v0.8.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.8.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/trust-manager:v0.8.0
  • Container Image: private-registry.venafi.eu/trust-manager/trust-manager:v0.8.0
  • Helm Chart: oci://registry.venafi.cloud/charts/trust-manager:v0.8.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/trust-manager:v0.8.0