Releases: sse-secure-systems/connaisseur
Version 2.5.2
v2.5.2
Major Scope
Centrally, this release fixes two important bugs:
Changelog
Fix
Update
- python dev dependencies #598
- update jinja2 requirement from ~=3.0.3 to ~=3.1.0 #595
- update pytz requirement from ~=2021.3 to ~=2022.1 #586
- update mkdocs-material requirement from ~=8.2.5 to ~=8.2.7 #593
- cosign v1.5.2 to v1.6.0 #570
- update setuptools requirement from ~=60.9.3 to ~=60.10.0 #581
- update prometheus-flask-exporter requirement (#579) #579
Ci
- ignore CVE-2022-23628 #596
- fix and improve completeness of nightly scans #571
- frequently pull all connaisseur versions #580
Docs
- fix create image pull secret command #585
- add clarity re generating registry credential secrets #578
What's Changed
- update: update prometheus-flask-exporter requirement from ~=0.18.7 to ~=0.19.0 by @dependabot in #579
- [Docs] Add clarity re generating registry credential secrets by @funkypenguin in #578
- update: update setuptools requirement from ~=60.9.3 to ~=60.10.0 by @dependabot in #581
- ci: frequently pull all connaisseur versions by @xopham in #580
- Update/cosign 1.6.0 by @xopham in #570
- ci: fix and improve completeness of nightly scans by @xopham in #571
- docs: fix create image pull secret command by @xopham in #585
- update: update mkdocs-material requirement from ~=8.2.5 to ~=8.2.7 by @dependabot in #593
- ci: ignore CVE-2022-23628 by @xopham in #596
- fix: digest confusion at high load by @xopham in #589
- fix: exclude k8s CRDs from parent resource check by @xopham in #590
- update: update pytz requirement from ~=2021.3 to ~=2022.1 by @dependabot in #586
- update: update jinja2 requirement from ~=3.0.3 to ~=3.1.0 by @dependabot in #595
- update: python dev dependencies by @xopham in #598
- Release v2.5.2 by @xopham in #597
New Contributors
- @funkypenguin made their first contribution in #578
Full Changelog: v2.5.1...v2.5.2
Version 2.5.1
v2.5.1
Major Scope
This release mainly fixes a bug (#575) in cosign validator authentication to the registry that was introduced in v2.5.0 (#428): #576
Changelog
Fix
- broken cosign authentication for registries #576
Update
- update mkdocs-material requirement from ~=8.2.4 to ~=8.2.5 #574
- update pytest-asyncio requirement from ~=0.18.1 to ~=0.18.2 #569
- update mkdocs-material requirement from ~=8.2.3 to ~=8.2.4 #568
What's Changed
- update: update mkdocs-material requirement from ~=8.2.3 to ~=8.2.4 by @dependabot in #568
- update: update pytest-asyncio requirement from ~=0.18.1 to ~=0.18.2 by @dependabot in #569
- update: update mkdocs-material requirement from ~=8.2.4 to ~=8.2.5 by @dependabot in #574
- fix: broken cosign validator authentication for registries by @xopham in #576
- Release 2.5.1 by @xopham in #577
Full Changelog: v2.5.0...v2.5.1
Version 2.5.0
v2.5.0 - 🚨 Critical Fix for Service Interruption due to unexpected API change 🚨
Major Scope
🚨 Release contains a critical fix for a service interruption due to an unexpected API change by docker.io: #564. helm upgrade is not functional due to the issue and upgrade must be performed via helm uninstall followed by helm install. For more information, check out #566.
This release also contains several notable new features and improvements:
- exposing prometheus metrics (see docs): #508
- cosign support for ambient credentials/workload identities (see docs): #551
- cosign support for multiple signers of a single image (see docs): #428
- cosign KMS support goes GA (see docs): #558
- reinvocation policy for objects mutated during admission (see docs): #518
- less noisy logging: #501
Changelog
Feat
- enforce/require/allow multiple container image signers for cosign #428
- cosign kms support reaches GA #558
- add reinvocationPolicy option #518
- Support cosign --k8s-keychain flag #551
- silent healthz endpoints logging #501
- prometheus metrics #508
Update
- connaisseur (chart v1.3.0, image v2.5.0) #562
- bump actions/checkout from 2 to 3 #565
- bump actions/setup-python from 2 to 3 #561
- update mkdocs-material requirement from ~=8.2.1 to ~=8.2.3 #559
- cosign v1.5.1 to v1.5.2 #556
- update setuptools requirement from ~=60.9.2 to ~=60.9.3 #552
- update mkdocs-material requirement from ~=8.1.11 to ~=8.2.1 #553
- update setuptools requirement from ~=60.8.2 to ~=60.9.2 #549
- update flask requirement from ~=2.0.2 to ~=2.0.3 #544
- update pytest-asyncio requirement from ~=0.18.0 to ~=0.18.1 #536
- update mkdocs-material requirement from ~=8.1.10 to ~=8.1.11 #537
- update setuptools requirement from ~=60.8.1 to ~=60.8.2 #535
- update pytest-subprocess requirement from ~=1.4.0 to ~=1.4.1 #534
Test
- reset values.yaml after test #563
- added tests for logging wrapper #545
- Make IT executable and rename complexity files #554
- fix unset variable in preconfig integration test #542
Ci
Fix
Docs
Build
- Fix typo in Makefile #554
What's Changed
- feat: prometheus metrics by @masaruhoshi in #508
- update: update pytest-subprocess requirement from ~=1.4.0 to ~=1.4.1 by @dependabot in #534
- update: update setuptools requirement from ~=60.8.1 to ~=60.8.2 by @dependabot in #535
- update: update mkdocs-material requirement from ~=8.1.10 to ~=8.1.11 by @dependabot in #537
- update: update pytest-asyncio requirement from ~=0.18.0 to ~=0.18.1 by @dependabot in #536
- test: fix unset variable in preconfig integration test by @annekebr in #542
- update: update flask requirement from ~=2.0.2 to ~=2.0.3 by @dependabot in #544
- update: update setuptools requirement from ~=60.8.2 to ~=60.9.2 by @dependabot in #549
- update: update mkdocs-material requirement from ~=8.1.11 to ~=8.2.1 by @dependabot in #553
- update: update setuptools requirement from ~=60.9.2 to ~=60.9.3 by @dependabot in #552
- fix: add missing config schema fields by @phbelitz in #476
- Various changes by @Starkteetje in #554
- feat: silent healthz endpoints logging by @sf-jmarcou in #501
- update: cosign v1.5.1 to v1.5.2 by @xopham in #556
- docs: fix contributing guide link in pr template by @xopham in #557
- feat: Support cosign --k8s-keychain flag by @marckn0x in #551
- feat: add reinvocationPolicy option by @caiconkhicon in #518
- Expose k8s logs on failure by @Starkteetje in #555
- test: added tests for logging wrapper by @phbelitz in #545
- update: update mkdocs-material requirement from ~=8.2.1 to ~=8.2.3 by @dependabot in #559
- update: bump actions/setup-python from 2 to 3 by @dependabot in #561
- fix: disable aiohttp content type check by @xopham in #564
- Ci/run nightly scans on released version by @xopham in #567
- update: bump actions/checkout from 2 to 3 by @dependabot in #565
- test: reset values.yaml after test by @xopham in #563
- Feat/cosign kms support by @xopham in #558
- feat: multi-signer support for cosign by @xopham in #428
- Update/version 2.5.0 by @xopham in #562
- Release 2.5.0 by @xopham in #538
New Contributors
- @masaruhoshi made their first contribution in #508
- @marckn0x made their first contribution in #551
- @caiconkhicon made their first contribution in #518
Full Changelog: v2.4.1...v2.5.0
Version 2.4.1
v2.4.1
Major Scope
The release includes important updates to fix some bugs and vulnerabilities in dependencies:
Changelog
Ci
- fix changelogger for non-semantic commits #529
Update
- upgrade to debian, ca-certificates, wget #524
- update pytest-asyncio requirement from ~=0.17.2 to ~=0.18.0 #526
- update mkdocs-material requirement from ~=8.1.9 to ~=8.1.10 #523
- update setuptools requirement from ~=60.7.1 to ~=60.8.1 #522
- update pytest-subprocess requirement from ~=1.3.2 to ~=1.4.0 #517
- update setuptools requirement from ~=60.5.0 to ~=60.7.1 #515
- update mkdocs-material requirement from ~=8.1.7 to ~=8.1.9 #506
- update pytest-mock requirement from ~=3.6.1 to ~=3.7.0 #505
- cosign v1.5.0 to v1.5.1 #509
- cosign v1.4.1 to v1.5.0 #502
Test
Docs
- automate version warning of docs #520
Fix
What's Changed
- update: cosign v1.4.1 to v1.5.0 by @xopham in #502
- fix: corrected typo in ClusterRole helm template by @hsuchan in #510
- Update/cosign 1.5.1 by @xopham in #509
- update: update pytest-mock requirement from ~=3.6.1 to ~=3.7.0 by @dependabot in #505
- update: update mkdocs-material requirement from ~=8.1.7 to ~=8.1.9 by @dependabot in #506
- update: update setuptools requirement from ~=60.5.0 to ~=60.7.1 by @dependabot in #515
- fix: updated REST path for core api group by @hsuchan in #514
- Update/pytest subprocess by @xopham in #517
- Docs/version warnings by @xopham in #520
- test: fix stresstest failure due to node w/o DCT by @xopham in #528
- update: update setuptools requirement from ~=60.7.1 to ~=60.8.1 by @dependabot in #522
- update: update mkdocs-material requirement from ~=8.1.9 to ~=8.1.10 by @dependabot in #523
- update: update pytest-asyncio requirement from ~=0.17.2 to ~=0.18.0 by @dependabot in #526
- update: debian bullseye, ca-certificates, wget by @tluimes in #524
- ci: fix changelogger for non-semantic commits by @phbelitz in #529
- Release v2.4.1 by @xopham in #530
New Contributors
Full Changelog: v2.4.0...v2.4.1
Version 2.4.0
v2.4.0
Ci
- allowlisting for GMS-2021-101 #495
- test compatibility with Kubernetes v1.23 #429
- ci: fix release pipeline #497
Update
- update pytest-asyncio requirement from ~=0.17.0 to ~=0.17.2 #490
- update mkdocs-material requirement from ~=8.1.6 to ~=8.1.7 #489
- version bump #494
- update mkdocs-material requirement from ~=8.1.4 to ~=8.1.6 #482
- update jsonschema requirement from ~=4.3.3 to ~=4.4.0 #483
- update pytest-asyncio requirement from ~=0.16.0 to ~=0.17.0 #484
- update aioresponses requirement from ~=0.7.2 to ~=0.7.3 #480
- update setuptools requirement from ~=60.3.1 to ~=60.5.0 #478
- update setuptools requirement from ~=60.2.0 to ~=60.3.1 #475
- update requests requirement from ~=2.27.0 to ~=2.27.1 #473
- update cheroot requirement from ~=8.5.2 to ~=8.6.0 #472
- update requests requirement from ~=2.26.0 to ~=2.27.0 #471
- update jsonschema requirement from ~=4.3.1 to ~=4.3.3 #470
- update mkdocs-material requirement from ~=8.1.2 to ~=8.1.4 #469
- update setuptools requirement from ~=59.6.0 to ~=60.2.0 #467
Feat
- support extra configuration in helm chart #491
- implement imagePullSecrets for private container registries #468
Test
- Remove integration test namespaces during cleanup #487
- Allow local execution of integration test #486
- Remove unusable 'all' integration test #486
- Split stress test #486
- Remove superfluous comment #487
Refactor
Docs
New Contributors
- @lpercetti made their first contribution in #468
Full Changelog: v2.3.0...v2.4.0
Version 2.3.0
v2.3.0
Major Scope
The release includes important updates to fix vulnerabilities in dependencies and several usability improvements and extensions:
- allow localhost for notary server (#446)
- using cosign with private registries with self-signed certs (#437)
- ECS alert template to use alerting with e.g. Elastic SIEM (#427)
Changelog
Feat
Fix
Refactor
- Refactor imports, comments, docstrings and some types (#421)
Ci
- Rework integration tests (#381)
Update
- version bump (#457)
- update jsonschema requirement from ~=4.2.1 to ~=4.3.1 (#455)
- update mkdocs-material requirement from ~=8.0.5 to ~=8.1.2 (#454)
- update setuptools requirement from ~=59.5.0 to ~=59.6.0 (#450)
- cosign v1.4.0 to v1.4.1 (#449)
- update mkdocs-material requirement from ~=8.0.4 to ~=8.0.5 (#443)
- update aiohttp requirement from ~=3.8.0 to ~=3.8.1 (#441)
- update pylint requirement from ~=2.12.1 to ~=2.12.2 (#442)
- cosign v1.3.1 to v1.4.0 (#444)
- update setuptools requirement from ~=59.4.0 to ~=59.5.0 (#440)
- update mkdocs-material requirement from ~=7.3.6 to ~=8.0.4 (#439)
- update setuptools requirement from ~=59.2.0 to ~=59.4.0 (#432)
- update pylint requirement from ~=2.11.1 to ~=2.12.1 (#425)
New contributors
Thanks to our new contributors @operatorequals and @sf-jmarcou!
Full Changelog: v2.2.1...v2.3.0
Version 2.2.1
v2.2.1
Major Scope
The release contains the following central improvements:
The focus is on improving compatibility and validation speed.
Changelog
Feat
Fix
- only load required delegations + bug fix #318
- add api version batch/v1 support for CronJob resource #396
- Handle invalid admission requests #363
- allow CAPS in image tag #393
Docs
Update
- bump chart version #423
- update setuptools requirement from ~=58.5.3 to ~=59.2.0 #419
- cosign v1.3.0 to v1.3.1 #414
- update pytest-subprocess requirement from ~=1.3.1 to ~=1.3.2 #409
- update jsonschema requirement from ~=4.2.0 to ~=4.2.1 #408
- update jinja2 requirement from ~=3.0.2 to ~=3.0.3 #410
- cosign v1.2.1 to v1.3.0 #404
- update setuptools requirement from ~=58.2.0 to ~=58.5.3 #403
- update jsonschema requirement from ~=4.1.2 to ~=4.2.0 #402
- update pytest-subprocess requirement from ~=1.2.0 to ~=1.3.1 #400
- update mkdocs-material requirement from ~=7.3.4 to ~=7.3.6 #398
- update jsonschema requirement from ~=4.1.1 to ~=4.1.2 #377
- update jsonschema requirement from ~=4.1.0 to ~=4.1.1 #376
- update pytest-asyncio requirement from ~=0.15.1 to ~=0.16.0 #374
- update mkdocs-material requirement from ~=7.3.3 to ~=7.3.4 #373
Refactor
- properly handle different cosign key types #415
Ci
- speedup upgrade integration test #405
- Add loadtest to GitHub pipeline #299
- upgrade test #298
- integration test for workload objects and api versions #396
- use custom k3s cluster #397
Test
Commits
- update: update mkdocs-material requirement from ~=7.3.3 to ~=7.3.4 by @dependabot in #373
- update: update pytest-asyncio requirement from ~=0.15.1 to ~=0.16.0 by @dependabot in #374
- update: update jsonschema requirement from ~=4.1.0 to ~=4.1.1 by @dependabot in #376
- update: update jsonschema requirement from ~=4.1.1 to ~=4.1.2 by @dependabot in #377
- feat: async image validation by @phbelitz in #334
- Allow CAPS in image tag by @hsuchan in #393
- fix: Handle invalid admission requests by @Starkteetje in #363
- docs: add pull request template by @xopham in #395
- ci: use custom k3s cluster by @xopham in #397
- fix: support api versions for k8s workloadobjects, add tests by @xopham in #396
- update: update mkdocs-material requirement from ~=7.3.4 to ~=7.3.6 by @dependabot in #398
- update: update pytest-subprocess requirement from ~=1.2.0 to ~=1.3.1 by @dependabot in #400
- update: update jsonschema requirement from ~=4.1.2 to ~=4.2.0 by @dependabot in #402
- update: update setuptools requirement from ~=58.2.0 to ~=58.5.3 by @dependabot in #403
- ci: connaisseur upgrade integration test by @xopham in #298
- fix: only load required delegations by @phbelitz in #318
- Production WSGI server by @Starkteetje in #299
- docs: add ADR-7 by @xopham in #406
- update: cosign v1.2.1 to v1.3.0 by @xopham in #404
- ci: speedup upgrade integration test by @xopham in #405
- update: update jinja2 requirement from ~=3.0.2 to ~=3.0.3 by @dependabot in #410
- update: update jsonschema requirement from ~=4.2.0 to ~=4.2.1 by @dependabot in #408
- update: update pytest-subprocess requirement from ~=1.3.1 to ~=1.3.2 by @dependabot in #409
- update: cosign v1.3.0 to v1.3.1 by @xopham in #414
- Refactor: cosign key types by @xopham in #415
- update: update setuptools requirement from ~=58.5.3 to ~=59.2.0 by @dependabot in #419
- Fix/bump app version by @phbelitz in #423
- v2.2.1 release by @xopham in #380
New Contributors
Full Changelog: v2.2.0...v2.2.1
Version 2.2.0
v2.2.0
Major Scope
The release contains central improvements to usability and compatibility of Connaisseur:
- More native Helm integration
- Charts published in public Connaisseur Artifact Hub repository
- Updating Connaisseur (configuration) via helm upgrade
- Better compatibility with different flavors of Kubernetes (e.g. Openshift/OKD)
- Better compatibility with different versions of Kubernetes (automated tests for v1.16+)
- Improved KMS support for Cosign
Changelog
Full Changelog: v2.1.2...v2.2.0
Docs
- add instruction how to upgrade if added via helm (#365)
- notes on Kubernetes version compatibility (#356)
- add comments for automatic child approval feature (#356)
Fix
- bump helm app version (#364)
- changelogger (#361)
- remove alerting logs when alerting is not configured (#359)
- pod restart on config change (#358)
- k8s version minor parsing in helm (#342)
- admission webhook api version typo (#342)
- webhook api version (#345)
- increase timeout (#346)
- pod restart on config change (#280)
- changed bootstrapping, upgrading and deletion of Connaisseur (#255)
- use compliant/consistent validator names (#335)
- satisfy new pylint rule to enable pylint update (#314)
Ci
- expose helm chart on github pages (#307)
- k8s version test with v1.16 (#349)
- add k8s version compatibility tests (#342)
- fix release pipeline (#368)
Feat
- cosign kms support (#360)
- expose security context for e.g. compatibility with OKD/OpenShift 4 (#288)
- expose automatic child approval (#284)
- Add PodSecurityPolicy (#259)
Refactor
- fix minor issues and typos (#362)
Update
- update pyyaml requirement from ~=5.4.1 to ~=6.0 (#357)
- update mkdocs-material requirement from ~=7.3.2 to ~=7.3.3 (#355)
- update jsonschema requirement from ~=4.0.1 to ~=4.1.0 (#351)
- update pytest-subprocess requirement from ~=1.1.2 to ~=1.2.0 (#350)
- cosign built image package versions (#348)
- update mkdocs-material requirement from ~=7.3.1 to ~=7.3.2 (#343)
- cosign v1.0.0 to v1.2.1 (#289)
- update mike requirement from ~=1.1.1 to ~=1.1.2 (#340)
- update flask requirement from ~=2.0.1 to ~=2.0.2 (#341)
- bump stackrox/kube-linter-action from 1.0.3 to 1.0.4 (#339)
- update pytz requirement from ~=2021.1 to ~=2021.3 (#338)
- update mkdocs-material requirement from ~=7.3.0 to ~=7.3.1 (#337)
- update pytest-cov requirement from ~=2.12.1 to ~=3.0.0 (#336)
- update pylint requirement from ~=2.10.2 to ~=2.11.1 (#313)
- update jsonschema requirement from ~=3.2.0 to ~=4.0.1 (#330)
- bump stackrox/kube-linter-action from 1.0.2 to 1.0.3 (#319)
- update mkdocs-material requirement from ~=7.2.6 to ~=7.3.0 (#317)
- bump codecov/codecov-action from 2.0.3 to 2.1.0 (#309)
- update mike requirement from ~=1.1.0 to ~=1.1.1 (#310)
- update mike requirement from ~=1.0.1 to ~=1.1.0 (#303)
- update mkdocs-material requirement from ~=7.2.5 to ~=7.2.6 (#300)
Test
- k8s version test with v1.16 (#349)
New Contributors
- @youssefazrak made their first contribution in #259
- @pflaeging made their first contribution in #288
Thanks to all Contributors 🚀
Version 2.1.2
Version 2.1.1
v2.1.1
Docs
- minor rewording (#291)
- update cosign key type support (#282)
- remove outdated 2.0 announcement (#274)
- remove Helm purge flag from README.md (#277)
- update banner (#265)
- add namespace info for validator secrets (#263)
- add note on k8s version requirement for detection mode warnings (#236)
- add markdown footnotes (#236)
- update Chart.yaml (#146)
- Fix mistakes in documentation for integration test and health/ready endpoints (#232)
Update
- update mkdocs-material requirement in /docs (#286)
- bump codecov/codecov-action from 2.0.2 to 2.0.3 (#283)
- update pylint requirement from ~=2.9.6 to ~=2.10.2 (#281)
- bump stackrox/kube-linter-action from 1.0.0 to 1.0.2 (#271)
- update mkdocs-material requirement in /docs (#256)
- update mkdocs-material requirement from ~=7.2.2 to ~=7.2.3 (#247)
- update rfc3339-validator requirement from ~=0.1.2 to ~=0.1.4 (#241)
- update python-dateutil requirement from ~=2.8.1 to ~=2.8.2 (#240)
- update pytest-subprocess requirement from ~=1.0.1 to ~=1.1.2 (#239)
- update pytest-cov requirement from ~=2.10.0 to ~=2.12.1 (#227)
- update pytest-mock requirement from ~=3.3.1 to ~=3.6.1 (#229)
- update mkdocs-material requirement from ~=7.2.1 to ~=7.2.2 (#231)
- bump codecov/codecov-action from 1 to 2.0.2 (#214)
- update requests requirement from ~=2.24.0 to ~=2.26.0 (#230)
- update flask requirement from ~=1.1.2 to ~=2.0.1 (#228)
- update pylint requirement from ~=2.7.2 to ~=2.9.6 (#217)
- update pytz requirement from ~=2020.1 to ~=2021.1 (#219)
- update ecdsa requirement from ~=0.15 to ~=0.17 (#216)
- update requests-mock requirement from ~=1.8.0 to ~=1.9.3 (#218)
Fix
- bump helm hook version (#293)
- specify encoding in file reads (#281)
- IaC security configuration (#273)
- Fix variable namespace in make uninstall definition (#234)
- Fix order of webhook and sentinel probes during readiness probe (#235)
Test
Ci
- add trivy IaC scan (#273)
- fix pylint to scan connaisseur dir (#269)
- drop redundant dependabot configuration (#268)
- add kube-linter (#146)
Refactor
- fix linting errors (#269)
Build
- expose webhook failurePolicy (#267)
- add namespaces to makefile commands (#266)
- get signed cosign binary (#204)
Feat
- helm security/resource configs (#146)