Skip to content

v0.14.0
Compare
Choose a tag to compare
@github-actions github-actions released this 23 Apr 13:19
· 181 commits to main since this release
v0.14.0
This tag was signed with the committer’s verified signature.
SgtCoDFish Ashley Davis
SSH Key Fingerprint: 2/r7Xip8D/TOyjbQBZcd6gKt41j0xlAUYgAvO5tqmb4 Learn about vigilant mode.
5ec34d8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

approver-policy provides a policy engine for certificates issued by cert-manager!

v0.14.0 includes a big quality-of-life improvement to the Helm chart which makes approver-policy much easier to use with external issuers such as the AWS Private CA Issuer or the Venafi Enhanced Issuer.

Previously, approver-policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value. This was commonly forgotten leading to confusing errors and a lot of time spent debugging.

Now, the default is for approver-policy to be able to be used with all issuers. It's still possible to restrict the list if you want to, but we'd expect that doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should need to take no acti0on.

Read Before Upgrading: New Signer Permissions

The new signer permissions described above will take effect by default upon upgrading to approver-policy v0.14.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the below scenarios fits your use case to determine if you need to take any action:

Scenario 1: No Custom approveSignerNames

If you didn't previously set a value for approveSignerNames then the list of issuers usable by approver-policy would've been restricted to only the built-in issuers. When upgrading to v0.14.0, that list will expand to include all possible issuers.

If you're happy for approver-policy to be able to approve for all issuers, no action is required. Most users should fall into this category.

If you for some reason do not want to allow approver-policy to handle approval for certificates signed by external issuers but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.

Scenario 2: Custom app.approveSignerNames

If you're already using external issuers with approver-policy you'll have already set a custom value for approveSignerNames.

If you're happy for approver-policy to be able to approve for all issuers, you should remove your custom value for approveSignerNames and use the new default.

If you wish to keep restrictions in place, you can leave your custom value in place.

Why would I restrict approveSignerNames?

We changed the default because we believe the arguments for doing this are generally niche. It makes sense to restrict this value if you have external issuers installed and you want to limit the issuers which approver-policy is able to approve for. This would imply that you have some other approver running in your cluster which should apply to some issuers.

We believe that for most users it's fine to accept the new default of allowing access for approver-policy to all issuers.

What's Changed

  • 🚀 Default to allowing all signers for approval by @SgtCoDFish in #416
  • Add design for allowing all signers by default by @SgtCoDFish in #415
  • Update the go module and replace oci-image with oci-build and oci-publish by @inteon in #412
  • Fix linters by @inteon in #413

Dependency Bumps / Other

  • build(deps): bump golang.org/x/net from 0.20.0 to 0.23.0 in the go_modules group by @dependabot in #425
  • build(deps): bump the all group with 2 updates by @dependabot in #408
  • build(deps): bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #420
  • Upgrade repository-base module by @inteon in #426

Full Changelog: v0.13.1...v0.14.0

Contributors

SgtCoDFish, dependabot, and inteon
Assets 3
Loading