Skip to content

Latest commit

 

History

History
140 lines (108 loc) · 7.35 KB

File metadata and controls

140 lines (108 loc) · 7.35 KB

v2.6.0

Features

  • Allow certificateAuthorityLogicalName to be optional when using an enrollment pattern.
  • The default healthcheck interval has been bumped from 1 minute to 10 minutes.

Security

  • The Helm chart now defaults serviceAccount.automountServiceAccountToken to false, replacing the long-lived auto-mounted token with a short-lived projected token (~1 hour, automatically rotated by kubelet). The token is still mounted at the standard path /var/run/secrets/kubernetes.io/serviceaccount so no application changes are required.
  • Go version has been bumped from 1.24 to 1.26.2+ to fix CVE-2026-27143 (affects Go compiler versions below 1.25.9, and 1.26.0-1.26.1).

Important

Upgrade Notes

  • Rolling restart: Upgrading from v2.5.x will patch the ServiceAccount and update the Deployment spec, triggering an automatic rolling restart. Plan accordingly if downtime is a concern in your environment.
  • Bring-your-own ServiceAccount: If you set serviceAccount.create: false and manage your own ServiceAccount, you must either set automountServiceAccountToken: true in your values.yaml to preserve the previous behavior, or manually add automountServiceAccountToken: false and the projected volume to your ServiceAccount and Deployment manifests.
  • To restore the previous behavior explicitly, set in your values.yaml:
serviceAccount:
  automountServiceAccountToken: true

v2.5.3

Security

  • Updated dependencies to address various security vulnerabilities:
    • google.golang.org/grpc -> v1.79.3 (CVE-2026-33186)
    • github.com/Azure/go-ntlmssp -> v0.1.1 (CVE-2026-32952)
    • golang.org/x/crypto -> v0.46.0 (CVE-2025-58181 & CVE-2025-47914)

v2.5.2

Fixes

  • Fixes an issue where a namespace may not be properly applied if applying the Helm template without a namespace specified / using kubectl apply -f directly with the rendered template.
  • Fixes an issue where the error message from a failed Enrollment API call is not logged.

Chores

  • Update GitHub Actions workflow to check for policy enforcement on Helm chart rendered manifests in addition to checking for drift in generated CRDs.
  • Fixes various linting issues in the codebase.

v2.5.1

Fixes

  • Fixes an issue where OAuth 2.0 client credentials were being regenerated on every API call.

v2.5.0

Features

  • Add support to specify a ConfigMap for CA trust bundles in Issuer / ClusterIssuer resources via the caBundleConfigMapName specification.
  • Add support for specifying a key on a Secret / ConfigMap resource for the CA trust bundle via the caBundleKey specification on an Issuer / ClusterIssuer resource.
  • Add a timeout when fetching ambient Azure credentials to move onto other ambient credential methods.
  • Ability to specify environment variables on issuer deployment to set additional configuration options (i.e. HTTP proxy settings, etc.)

Chores

  • Add documentation for how to configure command-cert-manager-issuer with ambient credentials on Google Kubernetes Engine (GKE).
  • Add documentation for configuring CA trust bundles via Secret and ConfigMap resources using trust-manager.

v2.4.0

Features

  • Add a healthcheck specification to Issuer / ClusterIssuer resources, allowing flexibility in the health check interval.

v2.3.1

Fixes

  • Add a manual dispatch of Helm chart release.

v2.3.0

Features

  • Added support for OwnerRoleName and OwnerRoleId to Issuer specification, which will specify the owner of the enrolling certificate.

Chores

  • Update e2e tests to test ClusterIssuer resource
  • Refactor code for better unit testability

v2.2.0

Features

  • Added support for enrolling CSRs with Enrollment Patterns, a new feature introduced in Keyfactor Command 25.1. Release notes
    • Usage of CertificateTemplate is still supported, but if using Keyfactor Command 25.1 and above, it is recommended to start using Enrollment Patterns in your issuer specification. You may use EnrollmentPatternId or EnrollmentPatternName in your specification.
  • When using ambient credentials, some relevant token claims (subject, issuer, object ID, etc.) are logged for easier debugging and setup for security roles and identity providers.

Chores

  • Updated documentation for using ambient credentials with Azure Kuberentes Services.
  • Removed documentation for using ambient credentials with Google Kubernetes Engine. As of writing, Google is not a supported identity provider in Keyfactor Command.
  • Migrated from using keyfactor-go-client to keyfactor-go-client-sdk.

Fixes

  • Fix the Helm chart releaser job to not run into issues with overlapping Helm chart versions.

v2.1.1

Fixes

  • Update Helm chart deployment template to resolve Docker image metadata issue.

Chores

  • Update documentation for more clear instructions on deploying workloads to Azure Kubernetes Service and Google Kubernetes Engine, as well as permissions needed on Command Security Roles.

v2.1.0

Fixes

v2.0.2

Fixes

  • Bug fix in Helm chart release action

v2.0.1

Fixes

  • Change Helm release trigger from v* to release-* to support Keyfactor Bootstrap Workflow

v2.0.0

Features

  • Implement OAuth 2.0 Client Credentials grant as an authentication mechanism.
  • Implement Azure Workload Identity as an authentication mechanism.

Chores

  • Refactor Command signer module to remove tight dependency on Issuer/ClusterIssuer types.
  • Migrate Kubebuilder from go/v3 to go/v4:
    • Upgrade kustomize version to v5.3.0.
    • Upgrade controller-gen to v0.14.0.
  • Refactor unit tests to use fake Command API instead of requiring live Command server.
  • Write e2e integration test.

v1.0.5

Features

  • feat(controller): Implement Kubernetes client-go REST client for Secret/ConfigMap retrieval to bypass controller-runtime caching system. This enables the reconciler to retrieve Secret and ConfigMap resources at the namespace scope with only namespace-level permissions.

Fixes

  • fix(helm): Add configuration flag to configure chart to either grant cluster-scoped or namespace-scoped access to Secret and ConfigMap API
  • fix(controller): Add logic to read secret from reconciler namespace or Issuer namespace depending on Helm configuration.

v1.0.4

Features

  • feat(signer): Signer recognizes metadata.command-issuer.keyfactor.com/<metadata-field-name>: <metadata-value> annotations on the CertificateRequest resource and uses them to populate certificate metadata in Command.
  • feat(release): Container build and release now uses GitHub Actions.

Fixes

  • fix(helm): CRDs now correspond to correct values for the command-issuer.
  • fix(helm): Signer Helm Chart now includes a secureMetrics value to enable/disable sidecar RBAC container for further protection of the /metrics endpoint.
  • fix(signer): Signer now returns CA chain bytes instead of appending to the leaf certificate.
  • fix(role): Removed permissions for configmaps resource types for the leader-election-role role.