Releases: sse-secure-systems/connaisseur

v3.7.0

25 Oct 09:22
1198ea2

Feat

  • Ability to override redis image in values.yaml #1796
  • Added customizable annotations #1773

Ci

  • Fix parameters for snok/container-retention-policy action #1797

Docs

  • Fixed k8-keychain renaming #1772

Update

  • Bump the gomod-packages group with 3 updates #1792
  • Bump the gh-actions-packages group across 1 directory with 6 updates #1793
  • Bump the gomod-packages group across 1 directory with 8 updates #1786
  • Bump the gh-actions-packages group across 1 directory with 5 updates #1784
  • Bump the gh-actions-packages group across 1 directory with 4 updates #1771
  • Bump the gomod-packages group across 1 directory with 12 updates #1768

What's Changed

  • update: bump the gomod-packages group across 1 directory with 12 updates by @dependabot in #1768
  • update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1771
  • docs: fixed k8-keychain renaming by @phbelitz in #1772
  • feat: added customizable annotations by @phbelitz in #1773
  • update: bump the gh-actions-packages group across 1 directory with 5 updates by @dependabot in #1784
  • update: bump the gomod-packages group across 1 directory with 8 updates by @dependabot in #1786
  • feat: ability to override redis image in values.yaml by @PranavBhatSF in #1796
  • ci: Fix parameters for snok/container-retention-policy action by @Starkteetje in #1797
  • update: bump the gh-actions-packages group across 1 directory with 6 updates by @dependabot in #1793
  • update: bump the gomod-packages group with 3 updates by @dependabot in #1792
  • Release 3.7.0 by @Starkteetje in #1798

Full Changelog: v3.6.1...v3.7.0

v3.6.1

23 Aug 13:53
c040f4d

Fix

  • Correctly place connaisseur-env-secret in deployment yaml #1736
  • Linting issues #1737

Update

  • Version bump #1738
  • Bump the gh-actions-packages group across 1 directory with 3 updates #1733
  • Bump the gomod-packages group across 1 directory with 13 updates #1731

Full Changelog: v3.6.0...v3.6.1

v3.6.0

02 Aug 14:56
f1e02d1

Feat

Fix

  • Return empty patch type if there is no patch #1714
  • Remove unset reqid parameter from logging #1658

Build

  • Make dockerfiles compliant with docker built-in linting #1698
  • Unpin ca certificates #1689

Test

  • Fixed failing workload test #1716
  • Fix flakey redis-cert test #1715
  • Unified testimages #1697
  • Rework integration tests #1607
  • Offline cosign test #1639

Docs

  • Remove untrue algorithm restriction in docs #1698
  • Remove documentation for acr flag #1698

Update

  • Bump the gh-actions-packages group across 1 directory with 4 updates #1713
  • Bump the gh-actions-packages group across 1 directory with 4 updates #1708
  • Bump the gomod-packages group across 1 directory with 8 updates #1707
  • Bump the gomod-packages group across 1 directory with 10 updates #1688
  • Bump the gh-actions-packages group across 1 directory with 8 updates #1686
  • Bump github.com/azure/azure-sdk-for-go/sdk/azidentity #1656
  • Bump the gomod-packages group across 1 directory with 13 updates #1656

Full Changelog: v3.5.0...v3.6.0

v3.5.0

24 May 14:59
0d48e14

Feat

  • Allow to configure whether to cache errors #1608
  • Allow configuration of cache time #1599

Fix

  • Remove startup probe #1630
  • Error handling for der formatted keys #1624
  • Fix handling of undefined values in values.yaml #1609

Refactor

  • Fix comment and remove unused argument for automatic unchanged approval #1599
  • Make cache expiry a cacher implementation detail #1599

Build

  • Update ca-certificates #1569

Ci

  • Fix manual publish job #1628
  • Adapt workflow files to new attestation permission #1606
  • Fix wrong job dependency #1568
  • Fix publish job funkypenguin#12

Docs

  • Remove reference to config that is not implemented #1629
  • Revert artifact hub docs #1627
  • Add release checklist #1626
  • Fix secret file reference #1625
  • Fix values.yaml reference #1599

Update

  • Go1.22 #1623
  • Bump the docker-packages group in /build with 1 update #1623
  • Bump the gomod-packages group across 1 directory with 8 updates #1623
  • Bump the gh-actions-packages group across 1 directory with 5 updates (#1622) #1622
  • Bump the gh-actions-packages group across 1 directory with 8 updates #1605
  • Bump the gh-actions-packages group with 4 updates #1567
  • Bump the gomod-packages group with 11 updates #1566

Full Changelog: v3.4.0...v3.5.0

v3.4.0

15 Mar 17:44
d510385

Connaisseur v3.4.0

Big news: We are switching programming languages from Python to Golang! 🎉💯
See #1513

Notable features

  • The policy rules now support a with.mode option that can be set to mutate or insecureValidateOnly, allowing the mutation of the image reference to be toggled on and off (the default is mutate, meaning references will be mutated; the alternative is considered insecure since it implies that while a trusted image is available, its use is not guaranteed 🤷).
  • A caching mechanism in the form of a Redis key-value store now stores the results of a validation for 30 seconds.
  • A new feature flag, resourceValidationMode, with supported values all and podsOnly. all is the default, causing Connaisseur to block all resources if they fail validation and mutate them if they pass. podsOnly will still validate all resources but only block and mutate Pod resources, while others are passed through with a warning (similar to PSA). This enhances compatibility with GitOps solutions like ArgoCD by preventing diffs on each reconciliation.
  • Notary now supports all TUF compliant keys.
  • Setting the with.trustRoot to * for a policy is now supported across all validators, allowing AND conjunctions for all defined trust roots within a validator.
  • Custom labels can be added (thanks to @jimonthebarn)

v3.3.4

27 Feb 15:18
8711fbc

Refactor

Build

  • Fix notary call in getroot utility and improve caching #1492

Ci

  • Disable non-oci-compliant provenance #1515
  • Disable image cleanup during public golang test #1515
  • New testimages #1484

Test

  • Added oneliner to fix issues with minikube integration tests #1480

Docs

  • Add example of payload fields #1481
  • Drop deprecated materialx extension #1481

Update

  • Bump the pip-packages group with 4 updates #1512
  • Bump the gh-actions-packages group with 5 updates #1514
  • Bump the pip-packages group with 5 updates #1496

Full Changelog: v3.3.3...v3.3.4

v3.3.3

22 Jan 14:21
2117da1

Fix

  • Report notary auth failure #1469
  • No exceptions on automatic child approval #1467

Build

  • Removed safety #1471
  • Fix build of getroot utility #1462

Update

  • Bump the pip-packages group with 4 updates (#1468) #1468
  • Bump the gh-actions-packages group with 4 updates (#1466) #1466
  • Bump the pip-packages group with 6 updates #1460
  • Bump the gh-actions-packages group with 4 updates #1461
  • Update anchore/sbom-action to v0.15.1 #1439

Full Changelog: v3.3.2...v3.3.3

v3.3.2

21 Dec 17:05
a371156

Full Changelog: v3.3.1...v3.3.2


Ci

  • Continue when kubelinter fails #1428

Test

  • Get logs on error case of other-ns integration test #1427
  • Fix local integration testing and add script for ease of use #1414

Update

  • Update cosign to version 2.2.2 #1435
  • Bump the gh-actions-packages group with 4 updates #1433
  • Bump the pip-packages group with 4 updates #1434
  • Update k8s image registry in default policy #1429

v3.3.1

28 Nov 12:51
015e328

Full Changelog: v3.3.0...v3.3.1


Connaisseur v3.3.1

Sec

  • Prevent redos during delegation validation #1407

Fix

  • Add generic timeout for any async operations #1407
  • Do not redundantly authenticate calls to notary #1376

Build

  • Remove pip package manager after installation of needed python images #1403

Ci

  • Add security release annotation if there is a commit with security commit header #1407
  • Add new sec commit header #1407

Test

  • Fix unit test to use mocked responses instead of live ones #1405
  • Add integration test for self hosted notary without auth #1376

Docs

  • Fix testing instructions #1376

Update

  • Bump the pip-packages group with 3 updates #1402
  • Bump the gh-actions-packages group with 3 updates #1408
  • Add k8s version 1.28 for integration tests #1376

v3.3.0

21 Nov 15:55
2d56f9a

Full Changelog: v3.2.0...v3.3.0


Feat

  • Add functional labels #1321
  • Update cosign to 2.2.1 #1384
  • Enable cosign debugging at debug log level #1347

Fix

  • Correct cosign logging output if manifest_unknown #1384
  • Allow unset path of delegation #1372
  • Fix initialization of event loop and prevent runtimeerrors #1334

Build

  • Update pip version in build container #1344

Ci

  • Update cosign installer package #1347

Test

  • Improve execution of local integration test #1334
  • Correctly mock and actually test with test_update_with_delegation_trust_data #1347
  • Remove unused imports #1347
  • Use context managing for sessions #1347
  • Resolve sporadic integration test failures #1331
  • Remove non-functional receiver config in tests #1344
  • Improve debug base pod naming #1344

Docs

  • Modernize documentation using admonitions and code block titles #1321
  • Switch note blocks to mkdocs admonitions #1321
  • Add deployment of kubernetes manifests #1321
  • Fix deprecated cosign flag in docs #1384

Update

  • Bump the gh-actions-packages group with 2 updates #1391
  • Bump the docker-packages group in /docker with 1 update #1390
  • Bump the pip-packages group with 3 updates #1389
  • Bump the pip-packages group with 4 updates #1384
  • Bump the gh-actions-packages group with 2 updates #1383
  • Bump the gh-actions-packages group with 4 updates #1371
  • Bump the pip-packages group with 1 update #1345
  • Bump the pip-packages group with 1 update #1342
  • Bump the gh-actions-packages group with 2 updates #1343