Releases: sse-secure-systems/connaisseur
v3.5.0
Fix
- Remove startup probe #1630
- Error handling for der formatted keys #1624
- Fix handling of undefined values in values.yaml #1609
Refactor
- Fix comment and remove unused argument for automatic unchanged approval #1599
- Make cache expiry a cacher implementation detail #1599
Build
- Update ca-certificates #1569
Ci
- Fix manual publish job #1628
- Adapt workflow files to new attestation permission #1606
- Fix wrong job dependency #1568
- Fix publish job funkypenguin#12
Docs
- Remove reference to config that is not implemented #1629
- Revert artifact hub docs #1627
- Add release checklist #1626
- Fix secret file reference #1625
- Fix values.yaml reference #1599
Update
- Go1.22 #1623
- Bump the docker-packages group in /build with 1 update #1623
- Bump the gomod-packages group across 1 directory with 8 updates #1623
- Bump the gh-actions-packages group across 1 directory with 5 updates #1622
- Bump the gh-actions-packages group across 1 directory with 8 updates #1605
- Bump the gh-actions-packages group with 4 updates #1567
- Bump the gomod-packages group with 11 updates #1566
What's Changed
- ci: fix publish job by @phbelitz in #1551
- ci: fix publish job by @phbelitz in #1552
- update: bump the gomod-packages group with 11 updates by @dependabot in #1566
- update: bump the gh-actions-packages group with 4 updates by @dependabot in #1567
- ci: fix wrong job dependency by @phbelitz in #1568
- build: update ca-certificates by @phbelitz in #1569
- ci: Adapt workflow files to new attestation permission by @Starkteetje in #1606
- feat: Configurable cache expiry by @Starkteetje in #1599
- update: bump the gh-actions-packages group across 1 directory with 8 updates by @dependabot in #1605
- feat: Allow to configure whether to cache errors by @Starkteetje in #1608
- fix: Fix handling of undefined values in values.yaml by @Starkteetje in #1609
- update: bump the gh-actions-packages group across 1 directory with 5 updates by @dependabot in #1622
- docs: fix secret file reference by @phbelitz in #1625
- fix: error handling for DER formatted keys by @phbelitz in #1624
- Update/go1.22 by @phbelitz in #1623
- docs: Add release checklist by @Starkteetje in #1626
- ci: Fix manual publish job by @Starkteetje in #1628
- docs: revert artifact hub docs by @phbelitz in #1627
- docs: Remove reference to config that is not implemented by @Starkteetje in #1629
- fix: remove startup probe by @phbelitz in #1630
- Develop by @phbelitz in #1631
Full Changelog: v3.4.0...v3.5.0
v3.4.0
Connaisseur v3.4.0
Big news: We are switching programming languages from Python to Golang! 🎉💯
See #1513
Notable features
- The policy rules now support a `with.mode` option that can be set to `mutate` or `insecureValidateOnly`, allowing the mutation of the image reference to be toggled on and off (the default is `mutate`, meaning references will be mutated; the alternative is considered insecure since it implies that while a trusted image is available, its use is not guaranteed 🤷).
- A caching mechanism in the form of a Redis key-value store now stores the results of a validation for 30 seconds.
- A new feature flag, `resourceValidationMode`, with supported values `all` and `podsOnly`. `all` is the default, causing Connaisseur to block all resources if they fail validation and mutate them if they pass. `podsOnly` will still validate all resources but only block and mutate Pod resources, while others are passed through with a warning (similar to PSA). This enhances compatibility with GitOps solutions like ArgoCD by preventing diffs on each reconciliation.
- Notary now supports all TUF compliant keys.
- Setting the `with.trustRoot` to `*` for a policy is now supported across all validators, allowing AND conjunctions for all defined trust roots within a validator.
- Custom labels can be added (thanks to @jimonthebarn)
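As an added illustration (not part of the release notes or the project's own chart), the following values.yaml fragment combines the three policy options described above. The option names and values (`with.mode`, `mutate`, `insecureValidateOnly`, `resourceValidationMode`, `all`, `podsOnly`, `with.trustRoot: "*"`) come from the notes; the surrounding key layout (`application.features`, `application.policy`, the `default` validator name) and the image patterns are assumptions and should be checked against the chart's own values.yaml.

```yaml
# Added example, not from the release notes. Option names are taken from the
# v3.4.0 notes; the key layout (application.features / application.policy),
# the validator name and the patterns are assumed or constructed.
application:
  features:
    # all (default): block any resource that fails validation, mutate those that pass.
    # podsOnly: validate every resource, but only block/mutate Pods; other
    # resources are admitted with a warning, which avoids GitOps diffs
    # (e.g. ArgoCD) on each reconciliation.
    resourceValidationMode: podsOnly

  policy:
    # Weaker setting: the image is validated, but the reference in the
    # resource is left untouched, so the pod is not guaranteed to run the
    # image that was verified (the notes above call this insecure).
    - pattern: "docker.io/example/legacy-app:*"   # constructed pattern
      validator: default
      with:
        mode: insecureValidateOnly

    # Recommended setting: mutate (the default) rewrites the reference to the
    # verified image, so what was validated is what gets pulled.
    - pattern: "registry.example.com/*:*"          # constructed pattern
      validator: default
      with:
        mode: mutate
        # "*" requires a valid signature from every trust root configured on
        # the validator (AND conjunction), not just one of them.
        trustRoot: "*"
```

When reviewing such a policy, the check a defender wants is that no rule matching production images sets `mode: insecureValidateOnly`, and that `podsOnly` is only chosen where the warning-only handling of non-Pod resources is acceptable.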
v3.3.4
Refactor
- Black formatting #1484
Build
- Fix notary call in getroot utility and improve caching #1492
Ci
- Disable non-oci-compliant provenance #1515
- Disable image cleanup during public golang test #1515
- New testimages #1484
Test
- Added oneliner to fix issues with minikube integration tests #1480
Update
- Bump the pip-packages group with 4 updates #1512
- Bump the gh-actions-packages group with 5 updates #1514
- Bump the pip-packages group with 5 updates #1496
What's Changed
- ci: new testimages by @phbelitz in #1484
- Payload field documentation by @Starkteetje in #1481
- fix: Added oneliner to fix issues with minikube by @chrysogonus in #1480
- build: Fix Notary call in getRoot utility and improve caching by @Starkteetje in #1492
- update: bump the pip-packages group with 5 updates by @dependabot in #1496
- update: bump the gh-actions-packages group with 5 updates by @dependabot in #1514
- CI: Disable non-OCI-compliant provenance and disable image cleanup during public Golang test by @Starkteetje in #1515
- update: bump the pip-packages group with 4 updates by @dependabot in #1512
- v3.3.4 by @phbelitz in #1516
Full Changelog: v3.3.3...v3.3.4
v3.3.3
Update
- Bump the pip-packages group with 4 updates #1468
- Bump the gh-actions-packages group with 4 updates #1466
- Bump the pip-packages group with 6 updates #1460
- Bump the gh-actions-packages group with 4 updates #1461
- Update anchore/sbom-action to v0.15.1 #1439
What's Changed
- update: Update anchore/sbom-action to v0.15.1 by @Starkteetje in #1439
- update: bump the gh-actions-packages group with 4 updates by @dependabot in #1461
- update: bump the pip-packages group with 6 updates by @dependabot in #1460
- build: Fix build of getRoot utility by @Starkteetje in #1462
- fix: no exceptions on automatic child approval by @phbelitz in #1467
- fix: Report notary auth failure by @Starkteetje in #1469
- update: bump the gh-actions-packages group with 4 updates by @dependabot in #1466
- update: bump the pip-packages group with 4 updates by @dependabot in #1468
- build: removed safety by @phbelitz in #1471
- v3.3.3 by @phbelitz in #1470
Full Changelog: v3.3.2...v3.3.3
v3.3.2
What's Changed
- test: fix local integration testing and add script for ease of use by @annekebr in #1414
- test: get logs on error case of other-ns integration test by @annekebr in #1427
- ci: continue when kubelinter fails by @chrysogonus in #1428
- update: Update k8s image registry in default policy by @Starkteetje in #1429
- update: bump the pip-packages group with 4 updates by @dependabot in #1434
- update: bump the gh-actions-packages group with 4 updates by @dependabot in #1433
- update: Update Cosign to version 2.2.2 by @Starkteetje in #1435
- Develop by @Starkteetje in #1437
New Contributors
- @chrysogonus made their first contribution in #1428
Full Changelog: v3.3.1...v3.3.2
v3.3.2
Ci
- Continue when kubelinter fails #1428
Test
- Get logs on error case of other-ns integration test #1427
- Fix local integration testing and add script for ease of use #1414
v3.3.1
What's Changed
- build: remove pip package manager after installation of needed python… by @annekebr in #1403
- Fix/redundant network calls to notary during auth by @annekebr in #1376
- test: Fix unit test to use mocked responses instead of live ones by @Starkteetje in #1405
- Fix DoS vulnerability by @Starkteetje in #1407
- update: bump the gh-actions-packages group with 3 updates by @dependabot in #1408
- update: bump the pip-packages group with 3 updates by @dependabot in #1402
- Connaisseur version 3.3.1 by @Starkteetje in #1409
Full Changelog: v3.3.0...v3.3.1
Connaisseur v3.3.1
Sec
- Prevent redos during delegation validation #1407
Fix
- Add generic timeout for any async operations #1407
- Do not redundantly authenticate calls to notary #1376
Build
- Remove pip package manager after installation of needed python images #1403
Ci
- Add security release annotation if there is a commit with security commit header #1407
- Add new sec commit header #1407
Test
- Fix unit test to use mocked responses instead of live ones #1405
- Add integration test for self hosted notary without auth #1376
Docs
- Fix testing instructions #1376
v3.3.0
What's Changed
- update: bump the gh-actions-packages group with 2 updates by @dependabot in #1343
- update: bump the pip-packages group with 1 update by @dependabot in #1342
- More improvements to integration tests by @Starkteetje in #1344
- Fix integration test failures by @Starkteetje in #1331
- Cosign logging by @Starkteetje in #1347
- Fix RuntimeError by @Starkteetje in #1334
- update: bump the pip-packages group with 1 update by @dependabot in #1345
- update: bump the gh-actions-packages group with 4 updates by @dependabot in #1371
- fix: Allow unset path of delegation by @Starkteetje in #1372
- update: bump the gh-actions-packages group with 2 updates by @dependabot in #1383
- Cosign 2.2.1 by @Starkteetje in #1384
- feat: add functional labels by @xopham in #1321
- update: bump the pip-packages group with 3 updates by @dependabot in #1389
- update: bump the docker-packages group in /docker with 1 update by @dependabot in #1390
- update: bump the gh-actions-packages group with 2 updates by @dependabot in #1391
- Connaisseur v3.3.0 by @Starkteetje in #1392
Full Changelog: v3.2.0...v3.3.0
v3.3.0
Feat
- Add functional labels #1321
- Update cosign to 2.2.1 #1384
- Enable cosign debugging at debug log level #1347
Fix
- Correct cosign logging output if manifest_unknown #1384
- Allow unset path of delegation #1372
- Fix initialization of event loop and prevent RuntimeErrors #1334
Build
- Update pip version in build container #1344
Ci
- Update cosign installer package #1347
Test
- Improve execution of local integration test #1334
- Correctly mock and actually test with test_update_with_delegation_trust_data #1347
- Remove unused imports #1347
- Use context managing for sessions #1347
- Resolve sporadic integration test failures #1331
- Remove non-functional receiver config in tests #1344
- Improve debug base pod naming #1344
Docs
- Modernize documentation using admonitions and code block titles #1321
- Switch `note` blocks to mkdocs admonitions #1321
- Add deployment of kubernetes manifests #1321
- Fix deprecated cosign flag in docs #1384
Update
- Bump the gh-actions-packages group with 2 updates #1391
- Bump the docker-packages group in /docker with 1 update #1390
- Bump the pip-packages group with 3 updates #1389
- Bump the pip-packages group with 4 updates #1384
- Bump the gh-actions-packages group with 2 updates #1383
- Bump the gh-actions-packages group with 4 updates #1371
- Bump the pip-packages group with 1 update #1345
- Bump the pip-packages group with 1 update #1342
- Bump the gh-actions-packages group with 2 updates #1343
v3.2.0
What's Changed
- fix: fix regular integration test by @phbelitz in #1309
- feat: explicitly specify containerPort in helm chart by @phbelitz in #1308
- docs: add copy/select code buttons by @xopham in #1302
- test: fix getRoot utility by @xopham in #1295
- docs: fix code blocks in basics by @xopham in #1310
- Feat: Validate ephemeral containers by @Starkteetje in #1311
- update: cosign v2.2.0 by @xopham in #1296
- test: Add message to retry of deployment during integration test by @Starkteetje in #1332
- update: bump the gh-actions-packages group with 4 updates by @dependabot in #1333
- update: bump the pip-packages group with 5 updates by @dependabot in #1338
- Multiple improvements to the integration test setup by @Starkteetje in #1335
- update: bump the gh-actions-packages group with 1 update by @dependabot in #1336
- Connaisseur release 3.2.0 by @Starkteetje in #1340
Full Changelog: v3.1.1...v3.2.0
v3.2.0
Refactor
- Add missing variable brackets #1335
Ci
- Show non-truncated logs on failure #1335
Test
- No uninstall on integration test failure #1335
- Run most integration tests on a single replica #1335
- Add message to retry of deployment during integration test #1332
Docs
- Update unittest recommendation #1311
- Fix code blocks in basics #1310
- Add copy code buttons and linked content tabs #1302
v3.1.1
Fixed an automation problem that hampered release v3.1.0.
What's Changed
Full Changelog: v3.1.0...v3.1.1
v3.1.0
What's Changed
- fix: less verbose logging for cosign by @phbelitz in #1138
- Make failures visible via metrics in detection mode by @phbelitz in #1148
- Update/dependencies by @phbelitz in #1162
- update: bump bridgecrewio/checkov-action from 12.2434.0 to 12.2463.0 by @dependabot in #1192
- Update/dependencies by @phbelitz in #1193
- update: update setuptools requirement from ~=68.1.0 to ~=68.1.2 by @dependabot in #1195
- Update/dependencies by @phbelitz in #1214
- update: trivy-action by @phbelitz in #1263
- ci: grouping of dependabot PRs by @phbelitz in #1241
- feat: Add pod securityContext to helm chart by @phbelitz in #1264
- update: update flask requirement from ~=2.3.3 to ~=3.0.0 by @dependabot in #1267
- Update/dependencies by @phbelitz in #1268
- fix: switch to python 3.11 by @phbelitz in #1275
- Update flask_application.py by @phbelitz in #1274
- fix: overloaded requests by @phbelitz in #1280
- fix: skip replica to zero by @phbelitz in #1262
- Update/dependencies by @phbelitz in #1281
- ci: add k8s v1.27 integration test by @xopham in #1283
- refactor: Minimize software footprint of Dockerfiles by @phbelitz in #1282
- update: bump version by @phbelitz in #1286
- Develop by @phbelitz in #1287
Thanks to @FalacerSelene, @hsudbrock, @jacobkoren1 and @b3n3d17
v3.1.0
Feat
- Add pod securityContext to helm chart #1264
Fix
- Skip replica to zero #1262
- Use nest-asyncio #1280
- Potential memory leak fix #1274
- Switch to python 3.11
- Make failures visible via metrics in detection mode #1148
- Less verbose logging for cosign
Refactor
- Minimize software footprint of dockerfiles #1282
Ci
- Add k8s v1.27 integration test #1283
- Split log and state display #1280
- Grouping of dependabot PRs #1241
Update
- Bump version #1286
- Bump bridgecrewio/checkov-action from 12.2519.0 to 12.2526.0 #1281
- Update pylint requirement from ~=2.17.7 to ~=3.0.1 #1281
- Update mkdocs-material requirement from ~=9.4.2 to ~=9.4.4 #1281
- Bump actions/dependency-review-action from 3.0.8 to 3.1.0
- Update setuptools requirement from ~=68.1.2 to ~=68.2.2
- Bump docker/login-action from 2.2.0 to 3.0.0
- Update jsonschema requirement from ~=4.19.0 to ~=4.19.1
- Bump actions/checkout from 4.0.0 to 4.1.0
- Update mkdocs-material requirement from ~=9.2.8 to ~=9.4.2
- Bump github/codeql-action from 2.21.5 to 2.21.9
- Bump bridgecrewio/checkov-action from 12.2486.0 to 12.2519.0
- Update pylint requirement from ~=2.17.5 to ~=2.17.7
- Update flask requirement from ~=2.3.3 to ~=3.0.0
- Trivy-action #1263
- Update mkdocs-material requirement from ~=9.1.21 to ~=9.2.8
- Bump actions/checkout from 3.5.3 to 4.0.0
- Bump bridgecrewio/checkov-action from 12.2463.0 to 12.2486.0 #1214
- Bump github/codeql-action from 2.21.4 to 2.21.5 #1214
- Update flask requirement from ~=2.3.2 to ~=2.3.3 #1214
- Update setuptools requirement from ~=68.1.0 to ~=68.1.2 #1214
- Update pylint requirement from ~=2.17.4 to ~=2.17.5 #1193
- Update mkdocs-material requirement from ~=9.1.19 to ~=9.1.21 #1193
- Bump snok/container-retention-policy from 2.1.1 to 2.1.2 #1193
- Update jsonschema requirement from ~=4.18.4 to ~=4.19.0 #1193
- Bump github/codeql-action from 2.21.0 to 2.21.4 #1193
- Bump actions/dependency-review-action from 3.0.6 to 3.0.8 #1193
- Update setuptools requirement from ~=68.0.0 to ~=68.1.0
- Bump bridgecrewio/checkov-action from 12.2434.0 to 12.2463.0
- Bump bridgecrewio/checkov-action from 12.2401.0 to 12.2434.0
- Bump github/codeql-action from 2.20.1 to 2.21.0
- Update aiohttp requirement from ~=3.8.4 to ~=3.8.5
- Update jsonschema requirement from ~=4.17.3 to ~=4.18.4
- Update mkdocs-material requirement from ~=9.1.17 to ~=9.1.19
- Update pytest-asyncio requirement from ~=0.21.0 to ~=0.21.1
Full Changelog: v3.0.0...v3.1.0