v0.22.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release includes a change which makes it much simpler to mirror container images to self-hosted registries.

There are also several CVE fixes including CVE-2026-27138, CVE-2026-27137, CVE-2026-27142 and CVE-2026-25679.

What's Changed

Features

• Add imageRegistry/imageNamespace to Helm chart image settings by @FelixPhipps in #897

Internal

• Replace another illegal image tag character in trust image by @erikgb in #891

Bumps / CI

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #894
• chore(deps): update actions/setup-go action to v6.3.0 by @renovate[bot] in #896
• fix(deps): update kubernetes go patches to v0.35.2 by @renovate[bot] in #898
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #899
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #901
• [CI] Merge trust-package-upgrade-debian-bullseye-main into main by @github-actions[bot] in #890
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.2 by @renovate[bot] in #903
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.3 by @renovate[bot] in #904
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #906
• chore(deps): update docker/login-action action to v4 by @renovate[bot] in #902
• fix(deps): update module k8s.io/klog/v2 to v2.140.0 by @renovate[bot] in #905
• Bump trust packages to force rebuild with go 1.26.1 by @SgtCoDFish in #907

New Contributors

• @FelixPhipps made their first contribution in #897

Full Changelog: v0.21.1...v0.22.0

v0.21.1

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This is a patch release fixing an RBAC regression introduced in v0.21.0.

What's Changed

• Grant additional RBAC to events old API group by @erikgb in #889

Full Changelog: v0.21.0...v0.21.1

v0.21.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is primarily intended to fix CVE-2025-68121, but it includes several changes which have trickled in since v0.20.3

Notable Changes

Filter Non-CA Certs in Sources

There's a new .filterNonCACerts.enabled value available in the Helm chart, which will cause trust-manager to filter any non-CA certs found in sources. This logic relies on the isCa field of the basicConstraints X.509 extension only. The feature defaults to "off".

CRD Changes

The ClusterBundle CRD got a little stricter, to pass the Kube API Linter checks which we've enabled. We don't expect that this will change the use of the CRD for anyone, since the limits we've added are very permissive.

What's Changed

Functional / CRD Changes

• Add certificate verification process to filter non-CA certificates by @arsenalzp in #824
• Helm Chart: Add support for setting relabelling on the ServiceMonitor by @tiesmaster in #870
• Introduce Kube API linter by @erikgb in #850
• Introduce KAL minlength/maxlength checks by @erikgb in #866
• Introduce KAL required fields checks by @erikgb in #877
• Fix index formatting in webhook validations by @erikgb in #873
• Eliminate use of naked bool (includeDefaultCAs) in ClusterBundle API by @erikgb in #855
• Enable the CommentStart KAL check and fix violations by @erikgb in #858
• Rename ClusterBundle sources to sourceRefs by @erikgb in #854

Trust Packages

• Bump trust package versions to address CVE-2025-61729 by @SgtCoDFish in #817
• Trigger a new build of default trust bundle images by @erikgb in #875

Tests / Docs

• Refactor Bundle integration tests by @erikgb in #828
• Release improvements by @SgtCoDFish in #816
• Fix flaky integration test by @erikgb in #879
• Update release process to accurately reflect how new trust packages are picked up by @SgtCoDFish in #818
• Improve webhook validation test error list assert by @erikgb in #874

Upcoming Bundle Resource

• Use apply configuration to apply Bundle status in migration controller by @erikgb in #843
• Change Bundle source includeAllKeys to pointer by @erikgb in #876

Automated / CI

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #814
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #819
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #820
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #821
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #823
• fix(deps): update kubernetes go deps to v0.35.0 by @renovate[bot] in #822
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #826
• fix(deps): update module software.sslmate.com/src/go-pkcs12 to v0.7.0 by @renovate[bot] in #825
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #827
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #829
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #832
• fix(deps): update github.com/onsi deps by @renovate[bot] in #831
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #833
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #834
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #840
• chore(deps): update actions/setup-go action to v6.2.0 by @renovate[bot] in #839
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.5 by @renovate[bot] in #838
• fix(deps): update k8s.io/utils digest to 914a6e7 by @renovate[bot] in #842
• Extend makefile-modules Renovate preset by @erikgb in #846
• Fix conversion Bundle->ClusterBundle by @erikgb in #844
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #847
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #849
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #852
• chore(deps): update actions/checkout action to v6.0.2 by @renovate[bot] in #851
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #853
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #859
• fix(deps): update github.com/onsi deps by @renovate[bot] in #861
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.28.1 by @renovate[bot] in #862
• chore(deps): update docker/login-action digest to c94ce9f by @renovate[bot] in #860
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #864
• Upgrade controller-runtime to v0.23.x by @erikgb in #863
• Fix events RBAC (new API group) by @erikgb in #865
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #867
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #869
• fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.3.2 by @renovate[bot] in #872
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #878
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #880
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #882
• fix(deps): update kubernetes go patches to v0.35.1 by @renovate[bot] in #883
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #884
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #885
• Explicity set webhook Certificate private key rotation policy to Always by @mattwboyer in #857
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #887
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #888

New Contributors

• @tiesmaster made their first contribution in #870
• @mattwboyer made their first contribution in #857

Full Changelog: v0.20.3...v0.21.0

v0.20.3

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This is a dependency bump update with a few vulnerabilities reported by various tools that have been fixed. Notably, this bump will fix CVE-2025-61729.

What's Changed

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #777
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.1 by @octo-sts[bot] in #779
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #780
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #782
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.2 by @octo-sts[bot] in #781
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #783
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #785
• Rename Makefile debian trust package variables and files by @inteon in #784
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #787
• Fix modernize linter errors by @inteon in #786
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #790
• fix(deps): update kubernetes go patches to v0.34.2 by @octo-sts[bot] in #791
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.4 by @octo-sts[bot] in #788
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #792
• fix(deps): update module sigs.k8s.io/structured-merge-diff/v6 to v6.3.1 by @octo-sts[bot] in #795
• chore(deps): update misc github actions by @octo-sts[bot] in #793
• chore(deps): update actions/checkout action to v6 by @octo-sts[bot] in #794
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #796
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #798
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #801
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #803
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #804
• fix(deps): update module github.com/spf13/cobra to v1.10.2 by @octo-sts[bot] in #802
• chore(deps): update actions/checkout action to v6.0.1 by @octo-sts[bot] in #799
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #806
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #807
• chore(deps): update module golang.org/x/crypto to v0.45.0 [security] by @renovate[bot] in #808
• fix(deps): update github.com/onsi deps by @renovate[bot] in #809
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #811
• fix(deps): update kubernetes go patches to v0.34.3 by @renovate[bot] in #813

New Contributors

• @renovate[bot] made their first contribution in #808

Full Changelog: v0.20.2...v0.20.3

v0.20.2

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Furthermore, additional go dependencies were upgraded where possible.

What's Changed

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #775
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3 by @octo-sts[bot] in #773
• Bump trust package suffix, forcing a new go 1.25.3 build by @inteon in #776

Full Changelog: v0.20.1...v0.20.2

v0.20.1

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release is a patch release, downgrading Go from 1.25.2 to 1.25.1, to avoid the X.509 issues introduced by trying to fix a CVE. See golang/go#75828 (comment) for additional details.

What's Changed

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #772

Full Changelog: v0.20.0...v0.20.1

v0.20.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

⚠️ Known issue ⚠️

Golang 1.25.2 has a backwards incompatible change (see golang/go#75828 (comment)). This will for example result in certificates with a DNS SAN ending in a dot causing trust-manager to error.

---

This release primarily contains dependency updates, but also includes a new feature that allows trust-manager to be configured to only operate on a list of named target namespaces. While this feature can allow trust-manager to operate without cluster-wide access to namespaces, the Bundle resource is cluster-scoped, and events from cluster-scoped resources are emitted to the default namespace.

⚠️ The code performing migration from client-side to server-side apply is removed in this release. This means that if upgrading from a really old version of trust-manager (< 0.7.0), you must upgrade to 0.19.0 first.

The work on migrating Bundle to ClusterBundle continues, but none of these changes are user-facing in this release.

What's Changed

Features

• You can now use trust-manager in the new "restricted" mode to scope trust-manager’s and target caches to a specific set of Kubernetes namespaces provided at startup. When this feature is not used, behavior remains unchanged (cluster-wide watch). By @asmaoune in #744
• Helm: you can now disable the creation of the RBAC resources. By @asmaoune in #753

Internal changes

• Add generated applyconfigurations for ClusterBundle API by @erikgb in #690
• Split integration tests for Bundle and ClusterBundle by @erikgb in #691
• Add new Bundle (migration) controller by @erikgb in #681
• Eliminate multiple sigs.k8s.io/structured-merge-diff deps by @erikgb in #712
• Refactor cache setup to controller package by @erikgb in #727
• Bootstrap shared Renovate preset by @erikgb in #751
• Move additional formats handling from source to target by @erikgb in #703
• Remove code for migrating CSA to SSA by @erikgb in #754
• Bump default CAs bundle version to trigger release by @erikgb in #768
• Make: missing quote breaking CI by @maelvls in #770
• Don't set the tag in values.yaml, since it is overwritten at chart build time by @inteon in #771

Updates by Dependabot/Renovate

• build(deps): Bump the all group with 5 updates by @dependabot[bot] in #687
• build(deps): Bump the all-go-deps group across 1 directory with 2 updates by @dependabot[bot] in #696
• fix(deps): update module github.com/stretchr/testify to v1.11.0 by @github-actions[bot] in #699
• fix(deps): update kubernetes go deps to v0.34.0 by @erikgb in #710
• fix(deps): update misc go deps by @github-actions[bot] in #707
• fix(deps): update misc go deps by @github-actions[bot] in #721
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.2 by @github-actions[bot] in #720
• build(deps): Bump actions/setup-go from 5 to 6 in the all-gh-actions group by @dependabot[bot] in #729
• chore(deps): update actions/github-script action to v8 by @octo-sts[bot] in #732
• chore(deps): pin dependencies by @octo-sts[bot] in #731
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.25.3 by @octo-sts[bot] in #736
• fix(deps): update kubernetes go patches to v0.34.1 by @octo-sts[bot] in #745
• chore(deps): pin quay.io/jetstack/trust-pkg-debian-bookworm docker tag to 4e46f31 by @octo-sts[bot] in #752
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.1 by @erikgb in #757
• chore(deps): update docker/login-action digest to 5e57cd1 by @octo-sts[bot] in #760
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.26.0 by @octo-sts[bot] in #763
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.2 by @octo-sts[bot] in #766
• fix(deps): update k8s.io/utils digest to bc988d5 by @octo-sts[bot] in #769

Updates by makefile-modules

• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #686
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #692
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #694
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #695
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #697
• Manual self upgrade by @erikgb in #698
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #705
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #706
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #714
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #715
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #717
• [CI] Self-upgrade merging self-upgrade-main into main by @erikgb in #718
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #719
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #723
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #724
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #725
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #728
• [CI] Self-upgrade merging self-upgrade-main into main by @erikgb in #730
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #735
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #737
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #738
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #739
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #740
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #743
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #746
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #747
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #755
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #758
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #759
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #764
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #765
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #767

New Contributors

• @octo-sts[bot] made their first contribution in #732
• @asmaoune made their first contribution in #744
• @maelvls made their first contribution in #770

Full Changelog: v0.19.0...v0.20.0

v0.19.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release contains a few new features, in particular an update of the default CA trust bundle to the latest version available in Debian Bookworm. Huge thanks to @hawksight for identifying and fixing a bug in our CI that prevented the bundle from getting minor updates from upstream Debian.

We are also working on the new ClusterBundle API, which will replace the Bundle API.

What's Changed

Features

• feat: Bump the ca-certificates package to 20230311+deb12u1 by @hawksight in #643
• Make bundle target optional by @erikgb in #661
• feat: Update trust-manager default trust bundle to newest version by @hawksight in #667
• feat(helm): Support revisionhistorylimit by @DrFaust92 in #676
• feat: Add a global value of enabled for wrapping trust-manager chart by @hawksight in #680

Fixes

• Make Bundle webhook configuration precise by @erikgb in #670
• Improve webhook setup and probes by @erikgb in #671

New ClusterBundle API (non-user-facing)

These changes help to prepare trust-manager for the next evolution of its design. None of these changes are available to be used yet.

• ClusterBundle source API rework by @erikgb in #647
• Final minor adjustments to new ClusterBundle API by @erikgb in #658
• Add generated CRD for new ClusterBundle API by @erikgb in #662
• Add ClusterBundle API validations by @erikgb in #664
• Add ClusterBundle validating webhook by @erikgb in #668

Other

• Use controller-gen to generate applyconfigurations by @erikgb in #657
• refactor: dedicated struct for building source data by @erikgb in #648
• Migrate test from JKS to PKCS#12 by @erikgb in #607
• refactor: split target apply and cleanup by @erikgb in #660
• Refactor scheme setup to support multi-group APIs by @erikgb in #669
• feat: Add hawksight as reviewer by @hawksight in #678
• Remove use of deprecated c/r Requeue by @erikgb in #673
• Remove use of deprecated c/r EventBroadcaster by @erikgb in #672

Dependabot updates

• build(deps): Bump the all group with 5 updates by @dependabot[bot] in #653
• build(deps): Bump the all group across 1 directory with 3 updates by @dependabot[bot] in #665
• build(deps): Bump actions/checkout from 4 to 5 in the all group by @dependabot[bot] in #684

makefile-modules updates

• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #646
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #649
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #651
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #652
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #655
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #663
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #674
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #675
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #677
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #679
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #682
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #685

New Contributors

• @hawksight made their first contribution in #643

Full Changelog: v0.18.0...v0.19.0

v0.18.0

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

This release contains miscellaneous bug fixes and dependency updates.
It is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874, CVE-2025-0913, and CVE-2025-4673.

helm inspect chart trust-manager --repo https://charts.jetstack.io --version v0.18.0

What's Changed

Bug Fixes

• CertPool should not error when input adds no certificates by @erikgb in #624
• Improve source error handling by @erikgb in #623

Non user-facing

• ClusterBundle target API rework by @erikgb in #486

Dependabot updates

• build(deps): Bump the all group across 1 directory with 7 updates by @dependabot in #634
• build(deps): Bump the all group with 5 updates by @dependabot in #644

makefile-modules updates

• [CI] Merge self-upgrade-main into main by @github-actions in #627
• [CI] Merge self-upgrade-main into main by @github-actions in #628
• [CI] Merge self-upgrade-main into main by @github-actions in #630
• [CI] Merge self-upgrade-main into main by @github-actions in #635
• [CI] Merge self-upgrade-main into main by @github-actions in #636
• [CI] Merge self-upgrade-main into main by @github-actions in #637
• [CI] Merge self-upgrade-main into main by @github-actions in #638
• [CI] Merge self-upgrade-main into main by @github-actions in #639

Full Changelog: v0.17.1...v0.18.0

v0.17.1

trust-manager is the easiest way to manage security-critical TLS trust bundles in Kubernetes and OpenShift clusters.

v0.17.1 is a patch release fixing two specific issues discovered after the release of v0.17.0:

The switch to use our PKCS#12 encoder to encode (Java compatible) PKCS#12 truststores seems to cause a regression. While we still want to deprecate JKS and eventually remove support for it, we will stick to the old JKS encoding library until the feature is removed.

⚠️ We discovered (after the release of v0.17.0) that the Helm value for configuring webhook TLS ciphers was misspelled. Since this was a brand new feature in v0.17.0 we decided to fix this and include the fix in a patch release, even if it's technically a breaking change for any user using this new feature with v0.17.0. Sorry for the inconvenience.

What's Changed

Fixes

• Revert "Use PKCS#12 encoder to encode JKS" by @erikgb in #626
• Fix new Helm TLS args by @erikgb in #620

Makefile Modules Updates

• [CI] Merge self-upgrade-main into main by @github-actions in #621
• [CI] Merge self-upgrade-main into main by @github-actions in #622

Full Changelog: v0.17.0...v0.17.1