UNCLASSIFIED - NO CUI

Cody Williams requested to merge renovate/github into main

This MR contains the following updates:

Package                                    Type     Update   Change
FairwindsOps/pluto                                  minor    5.16.4 -> 5.18.4
defenseunicorns/zarf                                minor    v0.27.0 -> 0.29.2
fluxcd/flux2                                        minor    2.0.1 -> 2.1.0
golang                                     stage    minor    1.19 -> 1.21
golang                                     stage    minor    1.13 -> 1.21
google/go-containerregistry                         minor    v0.15.2 -> 0.16.1
helm/helm                                           patch    3.12.0 -> 3.12.3
kyverno/kyverno                                     minor    v1.9.2 -> 1.10.3
mikefarah/yq                                        minor    4.34.1 -> 4.35.1
rancher/k3d                                         minor    5.5.1 -> 5.6.0
registry.access.redhat.com/ubi8/ubi        stage    minor    8.4 -> 8.8
terraform-aws-modules/eks/aws (source)     module   minor    19.15.2 -> 19.16.0
terraform-aws-modules/iam/aws (source)     module   minor    4.7.0 -> 4.24.1
terraform-aws-modules/vpc/aws (source)     module   minor    5.0.0 -> 5.1.2

Release Notes

FairwindsOps/pluto

v5.18.4

Changelog

You can verify the signatures of both the checksums.txt file and the published docker images using cosign.

cosign 1.x

cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub

cosign 2.x

cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub --insecure-ignore-tlog
cosign verify us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 --key https://artifacts.fairwinds.com/cosign.pub

v5.18.3

v5.18.2

v5.18.1

v5.18.0

v5.17.0

defenseunicorns/zarf

v0.29.2

What's Changed

Features

Note: This command currently only supports images and git repositories; Helm chart support requires OCI mirroring, which is being worked on in #2005.

Fixes

Documentation

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.29.1...v0.29.2

v0.29.1

What's Changed

Features

Fixes

Development

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.29.0...v0.29.1

v0.29.0

What's Changed

Features

Rollup From v0.28 Patch Releases

Fixes

Rollup From v0.28 Patch Releases

Docs

Rollup From v0.28 Patch Releases

Dependencies

Rollup From v0.28 Patch Releases

Development

Rollup From v0.28 Patch Releases

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.4...v0.29.0

v0.28.4

What's Changed

Features

Fixes

Docs

Dependencies

Development

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.3...v0.28.4

v0.28.3

What's Changed

Features

Fixes

Docs

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.2...v0.28.3

v0.28.2

What's Changed

Features

Fixes

Dependencies

Development

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.1...v0.28.2

v0.28.1

What's Changed

Features

Fixes

Docs

Dependencies

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.28.0...v0.28.1

v0.28.0

What's Changed

Breaking Changes

This only impacts existing deployments using the k3s component from the default init package; the deprecated APIs are outlined in the K8s Deprecated API Migration Guide. Chart manifests will need to be updated to support the new APIs and redeployed to the cluster, ideally prior to upgrading k3s. Zarf-managed charts can detect deprecations and attempt migrations after a k3s update, but any GitOps deployments will need to be updated manually (see the Helm mapkubeapis plugin if you need to do this after updating k3s).

Features

Rollup From v0.27 Patch Releases

Fixes

Rollup From v0.27 Patch Releases

Docs

Rollup From v0.27 Patch Releases

Dependencies

Rollup From v0.27 Patch Releases

Development

Rollup From v0.27 Patch Releases

New Contributors

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.27.1...v0.28.0

v0.27.1

What's Changed

Features

Fixes

Docs

Dependencies

Development

Full Changelog: https://github.com/defenseunicorns/zarf/compare/v0.27.0...v0.27.1

fluxcd/flux2

v2.1.0

Highlights

Flux v2.1.0 is a feature release. Users are encouraged to upgrade for the best experience.

The Flux APIs were extended with new opt-in features in a backwards-compatible manner.

The Flux Git capabilities have been improved with support for Git push options, Git refspec, Gerrit, HTTP/S and SOCKS5 proxies.

The Flux alerting capabilities have been extended with Datadog support.

The Flux controllers come with performance improvements when reconciling Helm repositories with large indexes (80% memory reduction), and when reconciling Flux Kustomizations with thousands of resources (x4 faster server-side apply). The load distribution has been improved when reconciling Flux objects in parallel to reduce CPU and memory spikes.

Big thanks to all the Flux contributors that helped us with this release!

Deprecations

Flux v2.1.0 comes with support for Kubernetes TLS Secrets when referring to secrets containing TLS certs, and deprecates the usage of the caFile, keyFile and certFile keys.

For more details about the TLS changes please see the Kubernetes TLS Secrets section.

Flux v2.1.0 comes with major improvements to the Prometheus monitoring stack. Starting with this version, Flux leverages the kube-state-metrics CRD exporter to report metrics containing rich information about Flux reconciliation status, e.g. Git revision, Helm chart version, OCI artifact digests, etc. The gotk_reconcile_condition metric was deprecated in favor of gotk_resource_info.

For more details about the new monitoring stack please see the Flux Prometheus metrics documentation and the flux2-monitoring-example repository.

API changes

GitRepository v1

The GitRepository API was extended with the following fields:

  • .spec.proxySecretRef.name is an optional field used to specify the name of a Kubernetes Secret that contains the HTTP/S or SOCKS5 proxy settings.
  • .spec.verify.mode now supports one of the following values: HEAD, Tag, TagAndHEAD.

Kustomization v1

The Kustomization API was extended with two apply policies IfNotPresent and Ignore.

Changing the apply behaviour for specific Kubernetes resources can be done using the following annotations:

Annotation                           Default    Values                                  Role
kustomize.toolkit.fluxcd.io/ssa      Override   Override, Merge, IfNotPresent, Ignore   Apply policy
kustomize.toolkit.fluxcd.io/force    Disabled   Enabled, Disabled                       Recreate policy
kustomize.toolkit.fluxcd.io/prune    Enabled    Enabled, Disabled                       Delete policy

The IfNotPresent policy instructs the controller to only apply the Kubernetes resources if they are not present on the cluster. This policy can be used for Kubernetes Secrets and ValidatingWebhookConfigurations managed by cert-manager, where Flux creates the resources with fields that are later on mutated by other controllers.

ImageUpdateAutomation v1beta1

The ImageUpdateAutomation was extended with the following fields:

  • .spec.git.push.refspec is an optional field used to specify a Git refspec used when pushing commits upstream.
  • .spec.git.push.options is an optional field used to specify the Git push options to be sent to the Git server when pushing commits upstream.

Kubernetes TLS Secrets

All the Flux APIs that accept TLS data have been modified to adopt Secrets of type kubernetes.io/tls. This includes:

  • HelmRepository: The field .spec.secretRef has been deprecated in favor of a new field .spec.certSecretRef.
  • OCIRepository: Support for the caFile, keyFile and certFile keys in the Secret specified in .spec.certSecretRef have been deprecated in favor of ca.crt, tls.key and tls.crt.
  • ImageRepository: Support for the caFile, keyFile and certFile keys in the Secret specified in .spec.certSecretRef have been deprecated in favor of ca.crt, tls.key and tls.crt.
  • GitRepository: CA certificate can now be provided in the Secret specified in .spec.secretRef using the ca.crt key, which takes precedence over the caFile key.
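As an added illustration (not code from the Flux project or from this MR), a small Python helper that rewrites a legacy Flux TLS Secret using the deprecated caFile/certFile/keyFile keys into the ca.crt/tls.crt/tls.key layout of a kubernetes.io/tls Secret, applying the precedence described above when both the old and new key are present. The sample Secret, its name and its placeholder PEM values are constructed for the example.

```python
import base64
import copy
import json

# Key mapping from the Flux v2.1.0 notes above: deprecated key -> kubernetes.io/tls key.
LEGACY_TO_TLS = {
    "caFile": "ca.crt",
    "certFile": "tls.crt",
    "keyFile": "tls.key",
}


def migrate_tls_secret(secret: dict) -> dict:
    """Return a copy of a Secret with the deprecated Flux TLS keys renamed.

    - caFile/certFile/keyFile are renamed to ca.crt/tls.crt/tls.key.
    - If a Secret already carries the new key next to the legacy one, the new
      key wins and the legacy copy is dropped (same precedence as ca.crt over
      caFile in the GitRepository note above).
    - When both tls.crt and tls.key end up present, the Secret is retyped to
      kubernetes.io/tls; a CA-only Secret keeps its original type.
    Only the base64 'data' map is handled; 'stringData' is out of scope here.
    """
    out = copy.deepcopy(secret)
    data = out.setdefault("data", {})
    for legacy, new in LEGACY_TO_TLS.items():
        if legacy in data:
            value = data.pop(legacy)
            data.setdefault(new, value)  # keep an existing new-style key untouched
    has_crt, has_key = "tls.crt" in data, "tls.key" in data
    if has_crt != has_key:
        # The API server rejects a kubernetes.io/tls Secret that lacks either half.
        raise ValueError("tls.crt and tls.key must both be present")
    if has_crt and has_key:
        out["type"] = "kubernetes.io/tls"
    return out


def remaining_legacy_keys(secret: dict) -> list:
    """Deprecated keys still present in a Secret; handy as a pre-upgrade audit."""
    return sorted(k for k in secret.get("data", {}) if k in LEGACY_TO_TLS)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample: a pre-2.1 certSecretRef Secret for an OCIRepository that
# still uses the deprecated keys. The PEM bodies are placeholders, not real certs.
LEGACY_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "registry-tls", "namespace": "flux-system"},
    "type": "Opaque",
    "data": {
        "caFile": _b64("-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "certFile": _b64("-----BEGIN CERTIFICATE-----\nCLIENT-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"),
        "keyFile": _b64("-----BEGIN PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n"),
    },
}

if __name__ == "__main__":
    print("deprecated keys before:", remaining_legacy_keys(LEGACY_SECRET))
    print(json.dumps(migrate_tls_secret(LEGACY_SECRET), indent=2))
```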

Upgrade procedure

Upgrade Flux from v2.0.x to v2.1.0 either by rerunning bootstrap or by using the Flux GitHub Action.

To upgrade Flux from v0.x to v2.1.0 please follow the Flux GA upgrade procedure.

Kubernetes compatibility

This release is compatible with the following Kubernetes versions:

Kubernetes version Minimum required
v1.25 >= 1.25.0
v1.26 >= 1.26.0
v1.27 >= 1.27.1
v1.28 >= 1.28.0

Note that Flux may work on older versions of Kubernetes e.g. 1.21, but we don't recommend running end-of-life versions in production nor do we offer support for these versions.

New Documentation

Components changelog

CLI Changelog

google/go-containerregistry

v0.16.1

Release is broken due to a goreleaser error; 0.16.1 has the fix.

What's Changed

New Contributors

Full Changelog: https://github.com/google/go-containerregistry/compare/v0.15.2...v0.16.1

Container Images

https://gcr.io/go-containerregistry/crane:v0.16.1
https://gcr.io/go-containerregistry/gcrane:v0.16.1

For example:

docker pull gcr.io/go-containerregistry/crane:v0.16.1
docker pull gcr.io/go-containerregistry/gcrane:v0.16.1

v0.16.0

Release is broken due to a goreleaser error; 0.16.1 has the fix.

helm/helm

v3.12.3: Helm v3.12.3

Helm v3.12.3 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing MRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.12.3. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina's keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.13.0 is the next feature release and will be on September 13, 2023.

Changelog

  • bump kubernetes modules to v0.27.3 3a31588 (Joe Julian)
  • Add priority class to kind sorter fb74155 (Stepan Dohnal)

v3.12.2: Helm v3.12.2

Helm v3.12.2 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing MRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.12.2. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina's keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.12.3 is the next patch/bug fix release and will be on August 9, 2023.
  • 3.13.0 is the next feature release and will be on September 13, 2023.

Changelog

  • add GetRegistryClient method 1e210a2 (wujunwei)
  • chore(deps): bump oras.land/oras-go from 1.2.2 to 1.2.3 cfa7bc6 (dependabot[bot])

v3.12.1: Helm v3.12.1

Helm v3.12.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing MRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.12.1. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina's keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.12.2 is the next patch/bug fix release and will be on July 12, 2023.
  • 3.13.0 is the next feature release and will be on September 13, 2023.

Changelog

  • add some test case f32a527 (wujunwei)
  • fix comment grammar error. 91bb1e3 (wujunwei)
  • bugfix:(#11391) helm lint infinite loop when malformed template object 5217482 (wujunwei)
  • chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 524a0e7 (dependabot[bot])
  • chore(deps): bump github.com/docker/distribution c60cdf6 (dependabot[bot])
  • update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart 321f71a (Dmitry Kamenskikh)
  • test(search): add mixedCase test case aca1e44 (Höhl, Lukas)
  • chore(deps): bump github.com/lib/pq from 1.10.7 to 1.10.9 c09e93f (dependabot[bot])
  • chore(deps): bump github.com/Masterminds/squirrel from 1.5.3 to 1.5.4 8eab82b (dependabot[bot])
  • chore(deps): bump github.com/Masterminds/semver/v3 from 3.2.0 to 3.2.1 aa6b8aa (dependabot[bot])
  • fix(search): print repo search result in original case 5b19d8e (Höhl, Lukas)
  • strict file permissions of repository.yaml dee1fde (shankeerthan-kasilingam)
  • update kubernetes dependencies from v0.27.0 to v0.27.1 4f32150 (Joe Julian)

kyverno/kyverno

v1.10.3

🐛 Fixed 🐛

Fixed an issue where the error is not returned when the deferred loader is disabled. (https://github.com/kyverno/kyverno/pull/7982)

v1.10.2

Added

  • Added a new --policyReports flag to control if the Policy Reports system is enabled or not. When set to a value of false, only standard Events and log messages will contain policy violations, both in admission mode as well as background scans.
  • Booleans can now be properly compared in conditional operators without needing to be converted to string. (#7847)
  • Added log messages for API call failures. (#7834)
  • Events will now be created upon successful resource generation. (#7550)

Helm

  • Added an additional check to the ServiceMonitor template to ensure that the cluster supports the monitoring.coreos.com/v1 API version; if not, it will silently not create the ServiceMonitor instead of failing deployment of the chart. (#7926)
  • Added chart configurations for cleanup and webhooks. (#7871)
  • Add nodeSelector and labels to the cleanup CronJobs. (#7851, #7808)

Changed

  • (kyverno-policies chart) Added a precondition to skip DELETE operations on a couple of policies to make them all consistent. (#7883)
  • Schema validation for policies matching on CRDs will be skipped. (#7869)
  • Performed better validation of policies which use the cloneList declaration in generate rules. (#7823)
  • Removed an extra Event created by Kyverno in some verifyImages rules. (#7810)
  • The Event created upon resource mutation has been updated to make more sense. (#7550)

🐛 Fixed 🐛

  • Fixed an issue where higher log levels weren't being printed in the logs. (#7877)
  • Fixed an issue with an entry in a nil map when validating a policy. (#7874)
  • Fixed a type confusion problem. (#7857)
  • Fixed an issue with namespaceSelector and matching on Namespaces. (#7837)
  • Fixed an issue where category and severity annotations weren't being returned in policy reports from CLI tests. (#7828)
  • Fixed an issue where some verifyImages rules may have broken in Audit mode. (#7806)
  • Fixed an issue in target scope validations for generate rules. (#7800)
  • Fixed an issue with aggregated admission reports having stale results. (#7798)
  • Fixed an issue preventing a rollback when a verifyImages rule was in place. (#7752)
  • Removed some obsolete structs from the CLI. (#6802)

Helm

  • Fixed a minor chart templating issue in RBAC. (#7774)

v1.10.1

This patch release of 1.10 unblocks users of generate rules using clone-type declarations as mentioned in the 1.10 migration guide.

Please see the complete 1.10.0 release notes if you are installing/upgrading to 1.10.1 without progressing through 1.10.0.

Please also see the security advisory here acknowledging detected vulnerabilities in the 1.10 release to which Kyverno is NOT susceptible.

Added

  • Added the ability to assign custom labels to policy reports (#7416)
  • All release artifacts are now signed (#7478, #7711)
  • Added a new environment variable, settable on the background controller, called BACKGROUND_SCAN_INTERVAL which can override the background scan interval from its default of one hour (#7504)
  • Added a new container flag called --enableDeferredLoading (true by default) which allows disabling of the new deferred/lazy context variable loading system introduced in 1.10.0 (#7694, #7691)

Helm

  • Added the ability to configure tolerations, resources, and Pod annotations for the admission report cleanup jobs (#7331, #7337, #7366)
  • Added missing delete verb to the admission reports cleanup job ClusterRole (#7375)
  • Added the ability to set verbs for the additionalresources ClusterRole used by the background controller to address the inability to generate Roles and ClusterRoles (#7380)
  • Removal of the Helm chart will now properly remove all Kyverno webhooks (#7633)
  • Added ability to select cluster on the Grafana dashboard (#7659)
  • Add relabelings and metricRelabelings config to all ServiceMonitors (#7659)
  • Make ConfigMap labels for the Grafana dashboard ConfigMap configurable (#7659)
  • Added ability to use imagePullSecrets for the admission reports cleanup CronJobs (#7730)

Changed

  • The new order field available under foreach loops will now be respected when the mutation method is patchStrategicMerge (#7336)
  • Changed the message returned from a failed permissions check so it's more general in nature (#7362)
  • Removed the redundant loop protection introduced in 1.10.0, making it possible to match on the same resource kind as Kyverno should generate (#7388)
  • Performed some internal refactoring of the generate rule type (#7417)
  • Made it so that setting --webhookTimeout affects all of Kyverno's webhooks and not just the resource webhooks (#7435)
  • Made it so that the name field for a rule is required (#7464)
  • Log kind, namespace, and name in processed resources (#7498)
  • Refactored some reconciliation logic for generate rules (#7531)
  • Mutation failures, when occurring within a foreach loop, will show the cause (#7563)
  • Bumped notation-go from 1.0.0-rc.3 to 1.0.0-rc.6 (#7666)
  • Misc. refactors related to the changes/fixes in deferred/lazy loading (#7675, #7678, #7690)

🐛 Fixed 🐛

  • Fixed a panic when a user installs a policy with an invalid schema (#6526)
  • Fixed an issue where the default field in a variable-type context variable was not being used when the result was nil (#7251)
  • Fixed a panic in the reports controller when it encounters an invalid image (#7332)
  • Fixed an issue when --protectManagedResources was enabled which prevented generation of bindings (#7363)
  • Fixed a panic when environment variables weren't passed (#7383)
  • Fixed an inability to use the target.* variable in a mutate existing rule (#7387)
  • Fixed a sync issue if an array element was removed from a clone source (#7417)
  • Fixed an issue preventing background reports from being created if an empty response is received for a given API group (#7428)
  • Fixed an issue where Policy Exceptions weren't being considered for deletes (#7433)
  • Fixed an issue preventing one clone source from being used in multiple rules or for multiple targets (#7436)
  • Fixed an issue with generate rules failing when the trigger resource kind used a forward slash (#7436)
  • Fixed a generate issue in which removal of a single trigger would remove generated resources it shouldn't have (#7579)
  • Fixed an issue with how Kyverno reports a failure when it cannot fetch a CRD (#7439)
  • Fixed an issue with auto-gen not generating the correct matching kinds when overridden with the annotation (#7455)
  • Fixed another issue with auto-gen in which CronJob translated rules weren't translating variables correctly (#7571)
  • Fixed an issue with a generate rule using a cloneList declaration so that syncs are observed properly (#7466)
  • Fixed a panic when the background controller substitutes a variable with nil (#7473)
  • Fixed the scope validation check for a generate rule so it detects the correct resource kind (#7479)
  • Fixed an issue preventing generated resources from being removed when preconditions no longer matched (#7496)
  • Fixed a slightly misleading error message in deny conditions (#7503)
  • Fixed it (finally) so that no informational logs are produced when logging is set to 0 (#7515)
  • Fixed removal of ownerReferences when generating via clone a resource across Namespaces (#7517)
  • Fixed residual issues from 1.10.0 for lazy/deferred loading of context variables (#7552, #7597)
  • Fixed an issue performing image verification in background mode (#7564)
  • Make configuring max procs not exit in case of error (#7588)
  • Fixed some typos in the descriptions of flags applicable to the reports controller (#7617)
  • Fixed a permissions check when installing a generate policy due to incorrect API group matching (#7628)
  • Fixed an issue where the service name in a tracer configuration could not be customized (#7644)
  • Fixed an issue with an image verification rule which would cause updating a Deployment with more than one container to fail (#7692)
  • Fixed a minor issue in an error message (#7688)
  • Fixed an issue with locking the schema manager which could result in CRDs not being found (#7704)

Helm

  • Fixed missing environment variables in the admission controller (#7383)
  • Fixed missing extraEnvVars on all controllers (#7403)
  • Fixed an issue templating the new reports cleanup job image (#7430)
  • Fixed a typo when enabling anti-affinity (#7440)
  • Fixed missing imagePullSecrets (#7474)
  • Fixed missing delete verb for Secrets in the admission controller and cleanup controller (#7527, #7679)

v1.10.0

v1.9.5

🐛 Fixed 🐛

  • Removed some insecure 3DES ciphers. (#7308)

v1.9.4

🐛 Fixed 🐛

  • Fixed an issue with the podSecurity subrule (validate.podSecurity) in which using the latest version of the PSS caused the Seccomp control to not be evaluated properly. (#7263)

v1.9.3

Added

  • Added support for configuring webhook annotations via the ConfigMap's webhookAnnotations stanza. This should fix problems for AKS users with the Admission Enforcer entering a reconciliation war with Kyverno over its webhooks. (#6579)

🐛 Fixed 🐛

  • Bumped a Docker dependency (#6787)
  • Skip applying default exclude groups in the match evaluation (#6242)

mikefarah/yq

v4.35.1: - Lua Output!

  • Added Lua output support (Thanks @Zash)!
  • Added BSD checksum format (Thanks @viq)!
  • Bumped dependencies

v4.34.2

Compare Source

Bumped dependencies

rancher/k3d

v5.6.0

Compare Source

Added
  • add: iptables in DinD image (#​1298)
  • docs(podman): add usage for rootless mode on macOS (#​1314)
Changed
  • Potentially Breaking: For people using k3d as a module: switch from netaddr.af to netipx + netip (changed some code around host.k3d.internal and the docker runtime)
  • Potentially Breaking: K3d config directory may change for you: Adhere to XDG's configuration specification (#​1320)
Fixed
  • docs: fix go install command (#​1337)
  • fix docs links in CONTRIBUTING.md
  • chore: pkg imported more than once (#​1313)

v5.5.2

Compare Source

Fixed
Changed
  • change: proxy - update nginx-alpine base image (#​1309)
  • change: add empty /tmp to binary-only image to make it work with config files
Added
  • add: workflow to label issues/prs by sponsors

terraform-aws-modules/terraform-aws-eks

v19.16.0

Compare Source

Features
  • Add node_iam_role_arns local variable to check for Windows platform on EKS managed nodegroups (#​2477) (adb47f4)
19.15.4 (2023-07-27)
Bug Fixes
19.15.3 (2023-06-09)
Bug Fixes
19.15.2 (2023-05-30)
Bug Fixes
  • Ensure isra_tag_values can be tried before defaulting to cluster_name on Karpenter module (#​2631) (6c56e2a)
19.15.1 (2023-05-24)
Bug Fixes

v19.15.4

Compare Source

v19.15.3

Compare Source

terraform-aws-modules/terraform-aws-iam

v4.24.1

Compare Source

v4.24.0

Compare Source

Features

v4.23.0

Compare Source

Features
  • Improved iam-eks-role module (simplified, removed provider_url_sa_pairs, updated docs) (#​236) (d014730)
4.22.1 (2022-04-25)
Bug Fixes

v4.22.1

Compare Source

v4.22.0

Compare Source

Features
4.21.1 (2022-04-22)
Bug Fixes
  • Correct aws arn partition for service account eks (#​235) (e51b6c3)

v4.21.1

Compare Source

v4.21.0

Compare Source

Features
  • Added appmesh controller support to iam-role-for-service-accounts-eks (#​231) (0492955)
4.20.3 (2022-04-20)
Bug Fixes
  • Correct policy attachment to cert_manager in example (#​234) (6a28193)
4.20.2 (2022-04-19)
Bug Fixes
4.20.1 (2022-04-15)
Bug Fixes
  • Fixed example where VPC CNI permissions should apply to the aws-node account (#​225) (1fb1cfc)

v4.20.3

Compare Source

v4.20.2

Compare Source

v4.20.1

Compare Source

v4.20.0

Compare Source

Features
  • Add support for AMP, cert-manager, and external-secrets to iam-role-for-service-accounts-eks (#​223) (f53d409)

v4.19.0

Compare Source

Features
  • Add variable to allow changing tag condition on Karpenter iam-role-for-service-accounts-eks policy (#​218) (3d7ea33)

v4.18.0

Compare Source

Features
  • Add support for EFS CSI driver to iam-role-for-service-accounts-eks (#​215) (5afe63f)
4.17.2 (2022-03-31)
Bug Fixes
  • Fixed output of iam_user_login_profile_password in iam-user submodule (#​214) (932a7d8)
4.17.1 (2022-03-29)
Bug Fixes
  • Backwards compatibility in 4.x.x series in iam-user submodule (#​212) (2c57668)

v4.17.2

Compare Source

v4.17.1

Compare Source

v4.17.0

Compare Source

Features

v4.16.0

Compare Source

Features
  • Add load_balancer_controller targetgroup binding only role (#​199) (e00526e)
4.15.1 (2022-03-23)
Bug Fixes
  • Permit RunInstances permission for Karpenter when request contains karpenter.sh/discovery tag key (#​209) (18081d1)

v4.15.1

Compare Source

v4.15.0

Compare Source

Features
  • Made it clear that we stand with Ukraine (8e2b836)
Bug Fixes
  • Policy generation when ebs_csi_kms_cmk_ids is set (#​203) (e2b4054)

v4.14.0

Compare Source

Features
  • Add variable to change IAM condition test operator to suit; defaults to StringEquals (#​201) (8469c03)
4.13.2 (2022-03-02)
Bug Fixes
4.13.1 (2022-02-18)
Bug Fixes
  • Correct permission on AWS load balancer controller (#​191) (a912557)

v4.13.2

Compare Source

v4.13.1

Compare Source

v4.13.0

Compare Source

Features
  • Add new addon policy for AWS load balancer controller to IRSA role (#​189) (e2ce5c9)

v4.12.0

Compare Source

Features
  • Add conditional policy statement attachments for EKS IAM role module (#​184) (e29b94f)

v4.11.0

Compare Source

Features
  • Include cost explorer to default console services in iam-read-only-policy module (#​186) (e701139)
4.10.1 (2022-01-21)
Bug Fixes

v4.10.1

Compare Source

v4.10.0

Compare Source

Features
  • Allow setting custom trust policy in iam-assumable-role (#​176) (095cb29)

v4.9.0

Compare Source

Features

v4.8.0

Compare Source

Bug Fixes
  • update CI/CD process to enable auto-release workflow (#​175) (9278e6f)
Features

v4.7.0 - 2021-10-14

  • feat: Added support for trusted_role_actions for MFA in iam-assumable-role (#​171)

v4.6.0 - 2021-09-20

  • feat: Added output group_arn to iam-group-with-policies (#​165)

v4.5.0 - 2021-09-16

  • feat: Added id of iam assumable role to outputs (#​164)

v4.4.0 - 2021-09-10

  • feat: Add ability for controlling whether or not to create a policy (#​163)
  • docs: Update version constraints (#​162)

v4.3.0 - 2021-08-18

  • feat: Add support for cross account access in iam-assumable-role-with-oidc (#​158)

v4.2.0 - 2021-06-29

  • feat: Support External ID with MFA in iam-assumable-role (#​159)

v4.1.0 - 2021-05-03

  • feat: Add support tags to additional IAM modules (#​144)
  • chore: update CI/CD to use stable terraform-docs release artifact and discoverable Apache2.0 license (#​151)

v4.0.0 - 2021-04-26

  • feat: Shorten outputs (removing this_) (#​150)

v3.16.0 - 2021-04-20

  • feat: Add iam role unique_id to outputs (#​149)

v3.15.0 - 2021-04-15

  • fix: Set sensitive=true for sensitive outputs and use tolist() (#​148)

v3.14.0 - 2021-04-07

  • feat: Add role unique_id output in iam-assumable-role module (#​143)
  • chore: update documentation and pin terraform_docs version to avoid future changes (#​142)

v3.13.0 - 2021-03-11

  • feat: Allows multiple STS External IDs to be provided to an assumable role (#​138)

v3.12.0 - 2021-03-05

  • feat: Add iam-assumable-role-with-saml module (#​127)

v3.11.0 - 2021-03-04

  • fix: handle unencrypted secrets (#​139)
  • chore: update ci-cd workflow to allow for pulling min version from each directory (#​137)

v3.10.0 - 2021-03-01

  • fix: Update syntax for Terraform 0.15 (#​135)
  • chore: Run pre-commit terraform_docs hook (#​133)
  • chore: add ci-cd workflow for pre-commit checks (#​132)

v3.9.0 - 2021-02-20

  • chore: update documentation based on latest terraform-docs which includes module and resource sections (#​131)

v3.8.0 - 2021-01-29

  • feat: Add arn of created group(s) to outputs (#​128)

v3.7.0 - 2021-01-14

  • fix: Multiple provider_urls not working with iam-assumable-role-with-oidc (#​115)

v3.6.0 - 2020-12-04

  • feat: Fixed number of policies everywhere (#​121)

v3.5.0 - 2020-12-04

  • fix: automatically determine the number of role policy arns (#​119)

v3.4.0 - 2020-11-13

  • feat: iam-assumable-roles-with-saml - Allow for multiple provider ids (#​110)

v3.3.0 - 2020-11-02

  • ci: Updated pre-commit hooks, added terraform_validate (#​106)

v3.2.0 - 2020-10-30

  • docs: Updated examples in README (#​105)

v3.1.0 - 2020-10-30

  • Bump new major release v3

v3.0.0 - 2020-10-30

  • feat: Added number_of_ variables for iam-assumable-role submodules (#​96)

v2.25.0 - 2020-10-30

  • fix: remove empty string elements from local.urls in iam-assumable-role-with-oidc submodule (#​99)

v2.24.0 - 2020-10-30

  • feat: Add role_name_prefix option for oidc roles (#​101)

v2.23.0 - 2020-10-30

  • feat: Updated to support Terraform 0.13 also (#​103)
  • ci: Update pre-commit-terraform (#​100)

v2.22.0 - 2020-10-16

  • feat: Add role description variable for assumable role with oidc (#​98)

v2.21.0 - 2020-09-22

  • fix: Fixed ses_smtp_password_v4 output name

v2.20.0 - 2020-09-08

  • fix: simplify count statements (#​93)

v2.19.0 - 2020-09-08

  • fix: Allow running on custom AWS partition (incl. govcloud) (#​94)

v2.18.0 - 2020-08-18

  • feat: modules/iam-assumable-role-with-oidc: Support multiple provider URLs (#​91)

v2.17.0 - 2020-08-17

v2.16.0 - 2020-08-17

  • fix: Allow modules/iam-assumable-role-with-oidc to work in govcloud (#​83)

v2.15.0 - 2020-08-17

  • feat: Added support for sts:ExternalId in modules/iam-assumable-role (#​90)

v2.14.0 - 2020-08-13

  • fix: Delete DEPRECATED ses_smtp_password in iam-user. (#​88)

v2.13.0 - 2020-08-13

  • feat: Support for Terraform v0.13 and AWS provider v3 (#​87)
  • docs: Updated example in README (#​52)

v2.12.0 - 2020-06-10

  • Updated formatting
  • fix: Fix conditions with multiple subjects in assume role with oidc policy (#​74)

v2.11.0 - 2020-06-10

  • feat: Allow to set force_detach_policies on roles (#​68)

v2.10.0 - 2020-05-26

  • fix: Allow customisation of trusted_role_actions in iam-assumable-role module (#​76)

v2.9.0 - 2020-04-23

  • feat: modules/iam-user - Output SMTP password generated with SigV4 algorithm (#​70)

v2.8.0 - 2020-04-22

  • docs: Add note about pgp_key when create_iam_login_profile is set (#​69)
  • fix: Fix module source and name in README (#​65)
  • fix typo (#​62)

v2.7.0 - 2020-02-22

  • Updated pre-commit-terraform with README
  • Add instance profile to role sub-module (#​46)

v2.6.0 - 2020-01-27

  • Rename module from "-iodc" to "-oidc" (#​48)

v2.5.0 - 2020-01-27

  • New sub-module for IAM assumable role with OIDC (#​37)

v2.4.0 - 2020-01-09

  • Updated pre-commit hooks
  • iam-assumable-role: add description support (#​45)
  • Removed link to missing complete example (fixed #​34)

v2.3.0 - 2019-08-21

  • Added description support for custom group policies using a lookup (#​33)

v2.2.0 - 2019-08-21

  • Added trusted_role_services to iam-assumable-roles, autoupdated docs
  • Add Trusted Services to iam-assumable-role (#​31)
  • Fix link to iam-assumable-role example in README (#​35)

v2.1.0 - 2019-06-11

  • Removed duplicated tags from variables in iam-user (#​30)

v2.0.0 - 2019-06-11

  • Upgraded module to support Terraform 0.12 (#​29)

v1.0.0 - 2019-06-11

  • Fixed styles after #​26
  • iam-user,iam-assumable-role,iam-assumable-roles,iam-assumable-roles-with-saml tags support (#​26)

v0.5.0 - 2019-05-15

  • Added support for list of policies to attach to roles (#​25)

v0.4.0 - 2019-03-16

  • Minor adjustments
  • assumable roles for Users with SAML Identity Provider (#​19)

v0.3.0 - 2019-02-20

  • Added iam-group-with-policies and iam-group-complete

v0.2.0 - 2019-02-19

  • Added iam-group-with-assumable-roles-policy and iam-assumable-role (#​18)

v0.1.0 - 2019-02-19

  • Updated examples for iam-policy and formatting
  • Added iam policy (#​15)
  • Permission boundary (#​16)

v0.0.7 - 2018-08-19

  • Follow-up after #​12, added possibility to upload IAM SSH public keys
  • Ssh key support (#​12)
  • fix descriptions of variables (#​10)

v0.0.6 - 2018-05-28

  • Custom Session Duration (#​9)

v0.0.5 - 2018-05-16

  • Added pre-commit hook to autogenerate terraform-docs
  • Implement conditional logic for role creation (#​7)

v0.0.4 - 2018-03-01

  • Add max_password_age for password policy (#​5)

v0.0.3 - 2018-02-28

  • Added iam-user module (#​4)

v0.0.2 - 2018-02-12

  • Added iam-assumable-roles (#​2)
  • Added iam-account (#​1)

v0.0.1 - 2018-02-05

  • Do pre-commit run on all code
  • Added iam-account
  • Initial commit

terraform-aws-modules/terraform-aws-vpc

v5.1.2

Compare Source

v5.1.1

Compare Source

v5.1.0

Compare Source

Features
  • Add support for creating a security group for VPC endpoint(s) (#​962) (802d5f1)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.


This MR has been generated by Renovate Bot.
