v0.19.0

approver-policy provides a policy engine for certificates issued by cert-manager!

Version v0.19.0 is a minor release containing two nice contributions by @solidDoWant! 🚀 Users can now generate clients for approver-policy CRDs. This release also contains a bugfix allowing Ed25519 to be set in approver-policy CertificateRequestPolicy constraints. As usual, the release includes dependency upgrades and various improvements to Makefile modules.

What's Changed

New Features

• Add support for client-gen by @solidDoWant in #571

Bugfixes

• Fix private key algorithm constraint always erroring when set by @solidDoWant in #572

Cleanup

• Simplify integration test setup by @erikgb in #551

Dependency Updates

• build(deps): bump the all group across 1 directory with 10 updates by @dependabot in #569
• build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6 in the all group by @dependabot in #574

Makefile modules

• [CI] Merge self-upgrade-main into main by @github-actions in #566
• [CI] Merge self-upgrade-main into main by @github-actions in #568
• [CI] Merge self-upgrade-main into main by @github-actions in #570
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #573
• [CI] Merge self-upgrade-main into main by @github-actions in #575
• [CI] Merge self-upgrade-main into main by @github-actions in #576

New Contributors

• @solidDoWant made their first contribution in #571

Full Changelog: v0.18.0...v0.19.0

v0.18.0

approver-policy provides a policy engine for certificates issued by cert-manager!

Version v0.18.0 is mostly to capture various dependency updates which address various reported security vulnerabilities. It's important to note that we don't believe approver-policy was vulnerable in any meaningful way, but we think it's important to address reported vulnerabilities with new releases in any case.

What's Changed

Cleanup

• Remove generated api-docs by @erikgb in #537
• Remove unused Makefile variables by @erikgb in #539

Makefile Modules

• [CI] Merge self-upgrade-main into main by @github-actions in #536
• [CI] Merge self-upgrade-main into main by @github-actions in #538
• [CI] Merge self-upgrade-main into main by @github-actions in #541
• [CI] Merge self-upgrade-main into main by @github-actions in #542
• [CI] Merge self-upgrade-main into main by @github-actions in #545
• [CI] Merge self-upgrade-main into main by @github-actions in #546
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #548
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #553
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #554
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #555
• [CI] Merge self-upgrade-main into main by @github-actions in #561
• [CI] Merge self-upgrade-main into main by @github-actions in #564

Dependency Updates

• build(deps): bump the all group with 2 updates by @dependabot in #535
• build(deps): bump the all group across 1 directory with 2 updates by @dependabot in #544
• build(deps): bump the all group with 7 updates by @dependabot in #547
• build(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 in the go_modules group by @dependabot in #550
• build(deps): bump the all group with 8 updates by @dependabot in #549
• Add Helm chart OCI release to GH automation by @inteon in #543
• build(deps): bump google.golang.org/protobuf from 1.35.2 to 1.36.0 in the all group by @dependabot in #552
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #558
• build(deps): bump github.com/onsi/ginkgo/v2 from 2.22.1 to 2.22.2 in the all group by @dependabot in #560
• build(deps): bump google.golang.org/protobuf from 1.36.1 to 1.36.2 in the all group by @dependabot in #562
• build(deps): bump sigs.k8s.io/controller-runtime from 0.19.3 to 0.19.4 in the all group by @dependabot in #563

Full Changelog: v0.17.0...v0.18.0

v0.18.0-alpha.0

approver-policy provides a policy engine for certificates issued by cert-manager!

This is an alpha release to test internal OCI Helm chart release processes. We don't recommend running this version of approver-policy.

What's Changed

• build(deps): bump the all group with 2 updates by @dependabot in #535
• Remove generated api-docs by @erikgb in #537
• Remove unused Makefile variables by @erikgb in #539
• [CI] Merge self-upgrade-main into main by @github-actions in #536
• [CI] Merge self-upgrade-main into main by @github-actions in #538
• [CI] Merge self-upgrade-main into main by @github-actions in #541

Full Changelog: v0.17.0...v0.18.0-alpha.0

v0.17.0

approver-policy provides a policy engine for certificates issued by cert-manager!

v0.17.0 could be considered a bugfix release, but one of the changes is important enough to deserve a minor release for increased visibility:

It turns out that approver-policy did not consider the cert-manager issuer group and kind defaults when matching policies against cert-manager CertificateRequest resources. This was probably not intentional and has now been fixed. So if a CertificateRequest does not specify spec.issuerRef.group or spec.issuerRef.kind, approver-policy will default to the same values as cert-manager:

• cert-manager.io for issuer group
• Issuer for issuer kind

What's Changed

• test(e2e): rework to facilitate adding more tests by @erikgb in #525
• fix: apply cert-manager default issuer kind/group when matching policies by @erikgb in #523
• BUGFIX: Webhook CA Secret name should match Helm templated RBAC by @erikgb in #534
• Various updates relating to makefile-modules, including #524, #526, #527, #529, #532 (@cert-manager-bot )
• Various @dependabot updates (#522, #528, #530, #531, #533)

Full Changelog: v0.16.0...v0.17.0

v0.16.0

approver-policy provides a policy engine for certificates issued by cert-manager!

v0.16.0 adds an awesome improvement to the CEL validator courtesy of @jamesglennan!

The username field of CertificateRequest (CR) resources is now exposed to CEL, allowing for rich logical operators on the contents of the username.

This is useful for making complex decisions about whether the user who created the CR should be allowed to do so, beyond what's provided by Kubernetes' RBAC mechanism.

For example, if pods create their own CertificateRequests directly using RBAC, you might use this new feature to ensure that the CR inludes the Pod's ServiceAccount in the URIs field (for example, in a SPIFFE ID).

What's Changed

• Add CertificateRequest username to CEL Validator with serviceaccount functions by @jamesglennan in #514 🎉
• Various updates relating to makefile-modules, including #504, #507, #511, #512, #515, #520, #517 (@cert-manager-bot )
• Various @dependabot updates (#518, #516, #510, #519)

New Contributors

• @jamesglennan made their first contribution in #514 🎉

Special Thanks

• @erikgb for reviews!

Full Changelog: v0.15.2...v0.16.0

v0.16.0-alpha.0

approver-policy provides a policy engine for certificates issued by cert-manager!

This is a pre-release to test out some new CEL features added in #514

What's Changed

• Add CertificateRequest username to CEL Validator with serviceaccount functions by @jamesglennan in #514 (thanks to @erikgb for the review!)

New Contributors

• @jamesglennan made their first contribution in #514 🎉

Full Changelog: v0.15.2...v0.16.0-alpha.0

v0.15.2

approver-policy provides a policy engine for certificates issued by cert-manager!

This PR upgrades go dependencies and tooling.

What's Changed

• chore: pre-fix new nilnil linter error by @erikgb in #486
• Add erikgb to approvers by @erikgb in #490

Dependency upgrades:

• Bump sigs.k8s.io/controller-runtime to 0.19.0 by @erikgb in #487
• build(deps): bump k8s.io/cli-runtime from 0.30.3 to 0.31.0 in the all group across 1 directory by @dependabot in #488
• build(deps): bump github.com/prometheus/client_golang from 1.20.0 to 1.20.1 in the all group by @dependabot in #489
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #494
• build(deps): bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group by @dependabot in #497
• build(deps): bump the all group with 6 updates by @dependabot in #500
• build(deps): bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group by @dependabot in #501

Makefile modules:

• [CI] Merge self-upgrade-main into main by @github-actions in #485
• [CI] Merge self-upgrade-main into main by @github-actions in #492
• [CI] Merge self-upgrade-main into main by @github-actions in #495
• [CI] Merge self-upgrade-main into main by @github-actions in #496
• [CI] Merge self-upgrade-main into main by @github-actions in #498
• [CI] Merge self-upgrade-main into main by @github-actions in #499
• [CI] Merge self-upgrade-main into main by @github-actions in #502
• [CI] Merge self-upgrade-main into main by @github-actions in #503

Full Changelog: v0.15.1...v0.15.2

v0.15.1

approver-policy provides a policy engine for certificates issued by cert-manager!

This patch release fixes a bug in the dynamic webhook TLS certificate generator:

• BUGFIX: the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail renewing it's CA certificate. Please upgrade before the expiration of this CA certificate is reached.

See v0.15.0 for more changes that are included in this minor release.

What's Changed

• Upgrade cert-manager go dependency from v1.15.2 to v1.15.3 by @inteon in #483

Dependabot:

• build(deps): bump the all group with 2 updates by @dependabot in #472
• build(deps): bump the all group with 2 updates by @dependabot in #473
• build(deps): bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 in the all group by @dependabot in #476

Makefile modules:

• [CI] Merge self-upgrade-main into main by @github-actions in #474
• [CI] Merge self-upgrade-main into main by @github-actions in #475
• [CI] Merge self-upgrade-main into main by @github-actions in #477
• [CI] Merge self-upgrade-main into main by @github-actions in #480

Full Changelog: v0.15.0...v0.15.1

v0.15.0

approver-policy provides a policy engine for certificates issued by cert-manager!

What's Changed

• Helm: set linux nodeSelector by default by @inteon in #442
• docs: create RELEASE.md documenting release process by @ThatsMrTalbot in #443
• Add support for JSON logging format by @erikgb in #456
• add webhook cert configs by @rgodha in #462
• BUGFIX: Avoid duplicate Prometheus scrape targets by using a named port in the ServiceMonitor by @wallrj in #471

dependabot:

• build(deps): bump the all group with 6 updates by @dependabot in #445
• chore(deps): bump github.com/cert-manager/cert-manager to v1.15.0 by @erikgb in #453
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #454
• build(deps): bump google.golang.org/protobuf from 1.34.1 to 1.34.2 in the all group by @dependabot in #457
• build(deps): bump the all group across 1 directory with 8 updates by @dependabot in #460
• build(deps): bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #461
• build(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 in the go_modules group by @dependabot in #464
• build(deps): bump the all group with 6 updates by @dependabot in #469

Makefile modules:

• [CI] Merge self-upgrade-main into main by @github-actions in #444
• [CI] Merge self-upgrade-main into main by @github-actions in #446
• [CI] Merge self-upgrade-main into main by @github-actions in #455
• [CI] Merge self-upgrade-main into main by @github-actions in #463
• [CI] Merge self-upgrade-main into main by @github-actions in #465
• [CI] Merge self-upgrade-main into main by @github-actions in #467
• [CI] Merge self-upgrade-main into main by @github-actions in #468
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #470

New Contributors

• @rgodha made their first contribution in #462

Full Changelog: v0.14.1...v0.15.0

v0.14.1

approver-policy provides a policy engine for certificates issued by cert-manager!

This patch release upgrades the Go version used to build from 1.22.2 to 1.22.3, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r).

Additionally, the PR includes version bumps for all Go dependencies.

Version bumps

• build(deps): bump the all group with 8 updates by @dependabot in #430
• build(deps): bump github.com/cert-manager/cert-manager from 1.14.4 to 1.14.5 in the all group by @dependabot in #431
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #436
• build(deps): bump the all group across 1 directory with 3 updates by @dependabot in #439
• build(deps): bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 in the all group by @dependabot in #441

Full Changelog: v0.14.0...v0.14.1