v0.17.0

approver-policy provides a policy engine for certificates issued by cert-manager!

v0.17.0 could be considered a bugfix release, but one of the changes is important enough to deserve a minor release for increased visibility:

It turns out that approver-policy did not consider the cert-manager issuer group and kind defaults when matching policies against cert-manager CertificateRequest resources. This was probably not intentional and has now been fixed. So if a CertificateRequest does not specify spec.issuerRef.group or spec.issuerRef.kind, approver-policy will default to the same values as cert-manager:

• cert-manager.io for issuer group
• Issuer for issuer kind

What's Changed

• test(e2e): rework to facilitate adding more tests by @erikgb in #525
• fix: apply cert-manager default issuer kind/group when matching policies by @erikgb in #523
• BUGFIX: Webhook CA Secret name should match Helm templated RBAC by @erikgb in #534
• Various updates relating to makefile-modules, including #524, #526, #527, #529, #532 (@cert-manager-bot )
• Various @dependabot updates (#522, #528, #530, #531, #533)

Full Changelog: v0.16.0...v0.17.0

v0.16.0

approver-policy provides a policy engine for certificates issued by cert-manager!

v0.16.0 adds an awesome improvement to the CEL validator courtesy of @jamesglennan!

The username field of CertificateRequest (CR) resources is now exposed to CEL, allowing for rich logical operators on the contents of the username.

This is useful for making complex decisions about whether the user who created the CR should be allowed to do so, beyond what's provided by Kubernetes' RBAC mechanism.

For example, if pods create their own CertificateRequests directly using RBAC, you might use this new feature to ensure that the CR inludes the Pod's ServiceAccount in the URIs field (for example, in a SPIFFE ID).

What's Changed

• Add CertificateRequest username to CEL Validator with serviceaccount functions by @jamesglennan in #514 🎉
• Various updates relating to makefile-modules, including #504, #507, #511, #512, #515, #520, #517 (@cert-manager-bot )
• Various @dependabot updates (#518, #516, #510, #519)

New Contributors

• @jamesglennan made their first contribution in #514 🎉

Special Thanks

• @erikgb for reviews!

Full Changelog: v0.15.2...v0.16.0

v0.16.0-alpha.0

approver-policy provides a policy engine for certificates issued by cert-manager!

This is a pre-release to test out some new CEL features added in #514

What's Changed

• Add CertificateRequest username to CEL Validator with serviceaccount functions by @jamesglennan in #514 (thanks to @erikgb for the review!)

New Contributors

• @jamesglennan made their first contribution in #514 🎉

Full Changelog: v0.15.2...v0.16.0-alpha.0

v0.15.2

approver-policy provides a policy engine for certificates issued by cert-manager!

This PR upgrades go dependencies and tooling.

What's Changed

• chore: pre-fix new nilnil linter error by @erikgb in #486
• Add erikgb to approvers by @erikgb in #490

Dependency upgrades:

• Bump sigs.k8s.io/controller-runtime to 0.19.0 by @erikgb in #487
• build(deps): bump k8s.io/cli-runtime from 0.30.3 to 0.31.0 in the all group across 1 directory by @dependabot in #488
• build(deps): bump github.com/prometheus/client_golang from 1.20.0 to 1.20.1 in the all group by @dependabot in #489
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #494
• build(deps): bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group by @dependabot in #497
• build(deps): bump the all group with 6 updates by @dependabot in #500
• build(deps): bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group by @dependabot in #501

Makefile modules:

• [CI] Merge self-upgrade-main into main by @github-actions in #485
• [CI] Merge self-upgrade-main into main by @github-actions in #492
• [CI] Merge self-upgrade-main into main by @github-actions in #495
• [CI] Merge self-upgrade-main into main by @github-actions in #496
• [CI] Merge self-upgrade-main into main by @github-actions in #498
• [CI] Merge self-upgrade-main into main by @github-actions in #499
• [CI] Merge self-upgrade-main into main by @github-actions in #502
• [CI] Merge self-upgrade-main into main by @github-actions in #503

Full Changelog: v0.15.1...v0.15.2

v0.15.1

approver-policy provides a policy engine for certificates issued by cert-manager!

This patch release fixes a bug in the dynamic webhook TLS certificate generator:

• BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing it's CA certificate. Please upgrade before the expiration of this CA certificate is reached.

See v0.15.0 for more changes that are included in this minor release.

What's Changed

• Upgrade cert-manager go dependency from v1.15.2 to v1.15.3 by @inteon in #483

Dependabot:

• build(deps): bump the all group with 2 updates by @dependabot in #472
• build(deps): bump the all group with 2 updates by @dependabot in #473
• build(deps): bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 in the all group by @dependabot in #476

Makefile modules:

• [CI] Merge self-upgrade-main into main by @github-actions in #474
• [CI] Merge self-upgrade-main into main by @github-actions in #475
• [CI] Merge self-upgrade-main into main by @github-actions in #477
• [CI] Merge self-upgrade-main into main by @github-actions in #480

Full Changelog: v0.15.0...v0.15.1

v0.15.0

approver-policy provides a policy engine for certificates issued by cert-manager!

What's Changed

• Helm: set linux nodeSelector by default by @inteon in #442
• docs: create RELEASE.md documenting release process by @ThatsMrTalbot in #443
• Add support for JSON logging format by @erikgb in #456
• add webhook cert configs by @rgodha in #462
• BUGFIX: Avoid duplicate Prometheus scrape targets by using a named port in the ServiceMonitor by @wallrj in #471

dependabot:

• build(deps): bump the all group with 6 updates by @dependabot in #445
• chore(deps): bump github.com/cert-manager/cert-manager to v1.15.0 by @erikgb in #453
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #454
• build(deps): bump google.golang.org/protobuf from 1.34.1 to 1.34.2 in the all group by @dependabot in #457
• build(deps): bump the all group across 1 directory with 8 updates by @dependabot in #460
• build(deps): bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #461
• build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 in the go_modules group by @dependabot in #464
• build(deps): bump the all group with 6 updates by @dependabot in #469

Makefile modules:

• [CI] Merge self-upgrade-main into main by @github-actions in #444
• [CI] Merge self-upgrade-main into main by @github-actions in #446
• [CI] Merge self-upgrade-main into main by @github-actions in #455
• [CI] Merge self-upgrade-main into main by @github-actions in #463
• [CI] Merge self-upgrade-main into main by @github-actions in #465
• [CI] Merge self-upgrade-main into main by @github-actions in #467
• [CI] Merge self-upgrade-main into main by @github-actions in #468
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #470

New Contributors

• @rgodha made their first contribution in #462

Full Changelog: v0.14.1...v0.15.0

v0.14.1

approver-policy provides a policy engine for certificates issued by cert-manager!

This patch release upgrades the Go version used to build from 1.22.2 to 1.22.3, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r).

Additionally, the PR includes version bumps for all Go dependencies.

Version bumps

• build(deps): bump the all group with 8 updates by @dependabot in #430
• build(deps): bump github.com/cert-manager/cert-manager from 1.14.4 to 1.14.5 in the all group by @dependabot in #431
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #436
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #439
• build(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 in the all group by @dependabot in #441

Full Changelog: v0.14.0...v0.14.1

v0.14.0

approver-policy provides a policy engine for certificates issued by cert-manager!

v0.14.0 includes a big quality-of-life improvement to the Helm chart which makes approver-policy much easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer.

Previously, approver-policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value. This was commonly forgotten leading to confusing errors and a lot of time spent debugging.

Now, the default is for approver-policy to be able to be used with all issuers. It's still possible to restrict the list if you want to, but we'd expect that doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should need to take no acti0on.

Read Before Upgrading: New Signer Permissions

The new signer permissions described above will take effect by default upon upgrading to approver-policy v0.14.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the below scenarios fits your use case to determine if you need to take any action:

Scenario 1: No Custom approveSignerNames

If you didn't previously set a value for approveSignerNames then the list of issuers usable by approver-policy would've been restricted to only the built-in issuers. When upgrading to v0.14.0, that list will expand to include all possible issuers.

If you're happy for approver-policy to be able to approve for all issuers, no action is required. Most users should fall into this category.

If you for some reason do not want to allow approver-policy to handle approval for certificates signed by external issuers but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.

Scenario 2: Custom app.approveSignerNames

If you're already using external issuers with approver-policy you'll have already set a custom value for approveSignerNames.

If you're happy for approver-policy to be able to approve for all issuers, you should remove your custom value for approveSignerNames and use the new default.

If you wish to keep restrictions in place, you can leave your custom value in place.

Why would I restrict approveSignerNames?

We changed the default because we believe the arguments for doing this are generally niche. It makes sense to restrict this value if you have external issuers installed and you want to limit the issuers which approver-policy is able to approve for. This would imply that you have some other approver running in your cluster which should apply to some issuers.

We believe that for most users it's fine to accept the new default of allowing access for approver-policy to all issuers.

What's Changed

• 🚀 Default to allowing all signers for approval by @SgtCoDFish in #416
• Add design for allowing all signers by default by @SgtCoDFish in #415
• Update the go module and replace oci-image with oci-build and oci-publish by @inteon in #412
• Fix linters by @inteon in #413

Dependency Bumps / Other

• build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 in the go_modules group by @dependabot in #425
• build(deps): bump the all group with 2 updates by @dependabot in #408
• build(deps): bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #420
• Upgrade repository-base module by @inteon in #426

Full Changelog: v0.13.1...v0.14.0

v0.13.1

approver-policy provides a policy engine for certificates issued by cert-manager!

What's Changed Since v0.13.0

• The Helm chart now lets you configure an HTTP proxy using the variables http_proxy, https_proxy, and no_proxy. If you are using the upstream version of approver-policy, this may not be useful to you. These variables are useful for projects building plugins on top of approver-policy and make HTTP calls to the internet. (@maelvls, #409)
• The Helm chart now allows you to configure the priorityClassName field. (@wallrj, #403)
• The vulnerability GO-2024-2611 (CVE-2024-24786) was fixed by upgrading to google.golang.org/[email protected]. (@wallrj, #398)

Full Changelog: v0.13.0...v0.13.1

v0.13.0

approver-policy provides a policy engine for certificates issued by cert-manager!

🔧 Breaking changes

By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs.
This prevents accidental deletion of CRDs when uninstalling the component using Helm.
However, this also introduces an additional uninstallation step:

$ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

You can also not add the annotation by adding '--set crds.keep=false' to your installation and you can exclude the CRD from the Helm installation by setting '--set crds.enabled=false'.

The Helm chart now has JSON schema validation, to provide better error reporting when the user provides an incorrect set of values for a chart.

What's Changed since v0.12

• Remove README header since it is already included in the artifacthub sidebar by @inteon in #367
• Replace tab with spaces in API comment by @inteon in #369
• docs(api): fenced code block to fix generated API docs by @erikgb in #371
• docs(api): add ticks to Godoc to fix generated API docs by @erikgb in #372
• Add 'crds.enabled' and 'crds.keep' options to generated CRDs by @inteon in #376
• Enable helm-tool linter and schema generator by @inteon in #340
• Use same include statement for labels everywhere by @inteon in #381
• Add optional PodDisruptionBudget to the Helm chart by @wallrj in #383
• Set a size limit on the emptyDir used for /tmp by @wallrj in #384
• Platform engineer can now set Topology Spread Constraints using a Helm chart value by @wallrj in #385
• Remove emptydir /tmp volume because it is unused by @wallrj in #386
• Make all Deployment related Helm values global by @wallrj in #387
• Allow replicaCount to be set to int or string by @wallrj in #388
• Document the nameOverride Helm chart value and add it to the JSON schema by @wallrj in #390
• Added global values to the Helm chart JSON schema validation so that the chart can be used as a sub-chart by @inteon in #391
• Allow Deployment strategy customization when installing the Helm chart by @wallrj in #396

Dependabot

• build(deps): bump the all group with 2 updates by @dependabot in #393
• build(deps): bump the all group with 1 update by @dependabot in #382
• build(deps): bump the all group with 1 update by @dependabot in #368
• build(deps): bump the all group with 7 updates by @dependabot in #377
• build(deps): bump the all group with 1 update by @dependabot in #375

Makefile modules

• [CI] Merge self-upgrade into main by @github-actions in #395
• [CI] Merge self-upgrade into main by @github-actions in #392
• [CI] Merge self-upgrade into main by @github-actions in #391
• [CI] Merge self-upgrade into main by @github-actions in #380
• [CI] Merge self-upgrade into main by @github-actions in #379
• [CI] Merge self-upgrade into main by @github-actions in #378
• [CI] Merge self-upgrade into main by @github-actions in #374
• [CI] Merge self-upgrade into main by @github-actions in #373
• [CI] Merge self-upgrade into main by @github-actions in #370

Full Changelog: v0.13.0-alpha.2...v0.12.1