v3.8.0

v3.8.0

Feat

• Pod disruption budget #1851
• Support single-line json as log format #1846

Ci

• Fix trivy exit code #1858
• Rework ci #1801
• Removed grype action #1841
• Rework integration test step #1841
• Rework sca step #1838
• Rework sast step #1837
• Rework compliance step #1836
• Rework build step #1835

Update

• Bump golang.org/x/crypto from 0.28.0 to 0.31.0 #1860
• Bump the gomod-packages group across 1 directory with 6 updates #1857
• Bump github/codeql-action #1859
• Bump the gh-actions-packages group across 1 directory with 4 updates #1855
• Bump the gomod-packages group with 4 updates #1830
• Bump the gh-actions-packages group across 5 directories with 11 updates #1834
• Bump golang in /build in the docker-packages group #1725

---

What's Changed

• update: bump golang from 1.22-alpine to 1.23-alpine in /build in the docker-packages group by @dependabot in #1725
• update: bump the gh-actions-packages group across 5 directories with 11 updates by @dependabot in #1834
• update: bump the gomod-packages group with 4 updates by @dependabot in #1830
• ci: rework build step by @phbelitz in #1835
• ci: rework compliance step by @phbelitz in #1836
• ci: rework sast step by @phbelitz in #1837
• ci: rework sca step by @phbelitz in #1838
• ci: rework integration test step by @phbelitz in #1841
• Ci/rework by @phbelitz in #1801
• feat: support single-line json as log format by @czenker @phbelitz in #1846
• feat: pod disruption budget by @phbelitz in #1851
• update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1855
• ci: fix trivy exit code by @phbelitz in #1858
• update: bump github/codeql-action from 3.27.7 to 3.27.9 in the gh-actions-packages group across 1 directory by @dependabot in #1859
• update: bump the gomod-packages group across 1 directory with 6 updates by @dependabot in #1857
• update: bump golang.org/x/crypto from 0.28.0 to 0.31.0 by @phbelitz in #1860
• Develop by @phbelitz in #1861

Full Changelog: v3.7.1...v3.8.0

v3.7.1

v3.7.1

Fix

• Validation mode lower case #1823
• Change security context of redis image to match redis user #1824

Ci

• Make self-hosted notary test setup more robust #1832
• Enable dependabot for local actions #1810
• Set fallback aws repository for ratelimited trivy dbs #1808
• Update trivy actions to v0.28.0 #1808
• Fix parameter value for container-retention-policy action #1807
• Improve output and runtime of changelog creation script #1800
• Deparallelize publish jobs #1799

Test

• Replace self-hosted notary certificates #1832

Update

• Bump the gh-actions-packages group across 1 directory with 4 updates #1831
• Bump github.com/go-playground/validator/v10 #1825
• Bump the gh-actions-packages group across 1 directory with 4 updates #1827
• Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 #1812

---

What's Changed

• ci: Deparallelize publish jobs by @Starkteetje in #1799
• ci: Improve output and runtime of changelog creation script by @Starkteetje in #1800
• ci: Fix parameter value for container-retention-policy action by @Starkteetje in #1807
• ci: Set fallback AWS repository for ratelimited trivy DBs by @Starkteetje in #1808
• Fix nightlies on master by @Starkteetje in #1809
• ci: Enable dependabot for local actions by @Starkteetje in #1810
• update: bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot in #1812
• fix: Change security context of Redis image to match redis user by @Starkteetje in #1824
• fix: validation mode lower case by @phbelitz in #1823
• update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1827
• update: bump github.com/go-playground/validator/v10 from 10.22.1 to 10.23.0 in the gomod-packages group by @dependabot in #1825
• Fix self-hosted notary test and make setup more robust by @Starkteetje in #1832
• update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1831
• Develop by @phbelitz in #1833

Full Changelog: v3.7.0...v3.7.1

v3.7.0

v3.7.0

Feat

• Ability to override redis image in values.yaml #1796
• Added customizable annotations #1773

Ci

• Fix parameters for snok/container-retention-policy action #1797

Docs

• Fixed k8-keychain renaming #1772

Update

• Bump the gomod-packages group with 3 updates #1792
• Bump the gh-actions-packages group across 1 directory with 6 updates #1793
• Bump the gomod-packages group across 1 directory with 8 updates #1786
• Bump the gh-actions-packages group across 1 directory with 5 updates #1784
• Bump the gh-actions-packages group across 1 directory with 4 updates #1771
• Bump the gomod-packages group across 1 directory with 12 updates #1768

---

What's Changed

• update: bump the gomod-packages group across 1 directory with 12 updates by @dependabot in #1768
• update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1771
• docs: fixed k8-keychain renaming by @phbelitz in #1772
• feat: added customizable annotations by @phbelitz in #1773
• update: bump the gh-actions-packages group across 1 directory with 5 updates by @dependabot in #1784
• update: bump the gomod-packages group across 1 directory with 8 updates by @dependabot in #1786
• feat: ability to override redis image in values.yaml by @PranavBhatSF in #1796
• ci: Fix parameters for snok/container-retention-policy action by @Starkteetje in #1797
• update: bump the gh-actions-packages group across 1 directory with 6 updates by @dependabot in #1793
• update: bump the gomod-packages group with 3 updates by @dependabot in #1792
• Release 3.7.0 by @Starkteetje in #1798

Full Changelog: v3.6.1...v3.7.0

v3.6.1

v3.6.1

Fix

• Correctly place connaisseur-env-secret in deployment yaml #1736
• Linting issues #1737

Update

• Version bump #1738
• Bump the gh-actions-packages group across 1 directory with 3 updates #1733
• Bump the gomod-packages group across 1 directory with 13 updates #1731

---

What's Changed

• fix: linting issues by @phbelitz in #1737
• fix: correctly place connaisseur-env-secret in deployment yaml by @phbelitz in #1736
• update: bump the gomod-packages group across 1 directory with 13 updates by @dependabot in #1731
• update: bump the gh-actions-packages group across 1 directory with 3 updates by @dependabot in #1733
• update: version bump by @phbelitz in #1738
• Develop by @phbelitz in #1739

Full Changelog: v3.6.0...v3.6.1

v3.6.0

v3.6.0

Feat

• Keyless #1659

Fix

• Return empty patch type if there is no patch #1714
• Remove unset reqid parameter from logging #1658

Build

• Make dockerfiles compliant with docker built-in linting #1698
• Unpin ca certificates #1689

Test

• Fixed failing workload test #1716
• Fix flakey redis-cert test #1715
• Unified testimages #1697
• Rework integration tests #1607
• Offline cosign test #1639

Docs

• Remove untrue algorithm restriction in docs #1698
• Remove documentation for acr flag #1698

Update

• Bump the gh-actions-packages group across 1 directory with 4 updates #1713
• Bump the gh-actions-packages group across 1 directory with 4 updates #1708
• Bump the gomod-packages group across 1 directory with 8 updates #1707
• Bump the gomod-packages group across 1 directory with 10 updates #1688
• Bump the gh-actions-packages group across 1 directory with 8 updates #1686
• Bump github.com/azure/azure-sdk-for-go/sdk/azidentity #1656
• Bump the gomod-packages group across 1 directory with 13 updates #1656

---

What's Changed

• test: offline cosign test by @phbelitz in #1639
• update: bump the gomod-packages group across 1 directory with 13 updates by @dependabot in #1656
• fix: Remove unset reqId parameter from logging by @Starkteetje in #1658
• Test/integration/rework by @phbelitz in #1607
• update: bump the gh-actions-packages group across 1 directory with 8 updates by @dependabot in #1686
• update: bump the gomod-packages group across 1 directory with 10 updates by @dependabot in #1688
• build: unpin ca certificates by @phbelitz in #1689
• Small fixes for docs and Dockerfiles by @Starkteetje in #1698
• update: bump the gomod-packages group across 1 directory with 8 updates by @dependabot in #1707
• update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1708
• test: unified testimages by @phbelitz in #1697
• feat: keyless by @phbelitz in #1659
• update: bump the gh-actions-packages group across 1 directory with 4 updates by @dependabot in #1713
• fix: return empty patch type if there is no patch by @phbelitz in #1714
• test: fix flakey redis-cert test by @phbelitz in #1715
• testing by @phbelitz in #1716
• Develop by @phbelitz in #1717

Full Changelog: v3.5.0...v3.6.0

v3.5.0

v3.5.0

Feat

• Allow to configure whether to cache errors #1608
• Allow configuration of cache time #1599

Fix

• Remove startup probe #1630
• Error handling for der formatted keys #1624
• Fix handling of undefined values in values.yaml #1609

Refactor

• Fix comment and remove unused argument for automatic unchanged approval #1599
• Make cache expiry a cacher implementation detail #1599

Build

• Update ca-certificates #1569

Ci

• Fix manual publish job #1628
• Adapt workflow files to new attestation permission #1606
• Fix wrong job dependency #1568
• Fix publish job funkypenguin#12

Docs

• Remove reference to config that is not implemented #1629
• Revert artifact hub docs #1627
• Add release checklist #1626
• Fix secret file reference #1625
• Fix vaules.yaml reference #1599

Update

• Go1.22 #1623
• Bump the docker-packages group in /build with 1 update #1623
• Bump the gomod-packages group across 1 directory with 8 updates #1623
• Bump the gh-actions-packages group across 1 directory with 5 updates (#1622) #1622
• Bump the gh-actions-packages group across 1 directory with 8 updates #1605
• Bump the gh-actions-packages group with 4 updates #1567
• Bump the gomod-packages group with 11 updates #1566

---

What's Changed

• ci: fix publish job by @phbelitz in #1551
• ci: fix publish job by @phbelitz in #1552
• update: bump the gomod-packages group with 11 updates by @dependabot in #1566
• update: bump the gh-actions-packages group with 4 updates by @dependabot in #1567
• ci: fix wrong job dependency by @phbelitz in #1568
• build: update ca-certificates by @phbelitz in #1569
• ci: Adapt workflow files to new attestation permission by @Starkteetje in #1606
• feat: Configurable cache expiry by @Starkteetje in #1599
• update: bump the gh-actions-packages group across 1 directory with 8 updates by @dependabot in #1605
• feat: Allow to configure whether to cache errors by @Starkteetje in #1608
• fix: Fix handling of undefined values in values.yaml by @Starkteetje in #1609
• update: bump the gh-actions-packages group across 1 directory with 5 updates by @dependabot in #1622
• docs: fix secret file reference by @phbelitz in #1625
• fix: error handling for DER formated keys by @phbelitz in #1624
• Update/go1.22 by @phbelitz in #1623
• docs: Add release checklist by @Starkteetje in #1626
• ci: Fix manual publish job by @Starkteetje in #1628
• docs: revert artifact hub docs by @phbelitz in #1627
• docs: Remove reference to config that is not implemented by @Starkteetje in #1629
• fix: remove startup probe by @phbelitz in #1630
• Develop by @phbelitz in #1631

Full Changelog: v3.4.0...v3.5.0

v3.4.0

Connaisseur v3.4.0

Big news: We are switching programming languages from Python to Golang! 🎉💯
See #1513

Notable features

• The policy rules now support a with.mode option that can be set to mutate or insecureValidateOnly, allowing the mutation of the image reference to be toggled on and off (the default is mutate, meaning references will be mutated; the alternative is considered insecure since it implies that while a trusted image is available, its use is not guaranteed 🤷).
• A caching mechanism in the form of a Redis key-value store now stores the results of a validation for 30 seconds.
• A new feature flag, resourceValidationMode, with supported values all and podsOnly. all is the default, causing Connaisseur to block all resources if they fail validation and mutate them if they pass. podsOnly will still validate all resources but only block and mutate Pod resources, while others are passed through with a warning (similar to PSA). This enhances compatibility with GitOps solutions like ArgoCD by preventing diffs on each reconciliation.
• Notary now supports all TUF compliant keys.
• Setting the with.trustRoot to * for a policy is now supported across all validators, allowing AND conjunctions for all defined trust roots within a validator.
• Custom labels can be added (thanks to @jimonthebarn)

v3.3.4

v3.3.4

Refactor

• Black formatting #1484

Build

• Fix notary call in getroot utility and improve caching #1492

Ci

• Disable non-oci-compliant provenance #1515
• Disable image cleanup during public golang test #1515
• New testimages #1484

Test

• Added oneliner to fix issues with minikube integration tests #1480

Docs

• Add example of payload fields #1481
• Drop deprecated materialx extension #1481

Update

• Bump the pip-packages group with 4 updates #1512
• Bump the gh-actions-packages group with 5 updates #1514
• Bump the pip-packages group with 5 updates #1496

---

What's Changed

• ci: new testimages by @phbelitz in #1484
• Payload field documentation by @Starkteetje in #1481
• fix: Added oneliner to fix issues with minikube by @chrysogonus in #1480
• build: Fix Notary call in getRoot utility and improve caching by @Starkteetje in #1492
• update: bump the pip-packages group with 5 updates by @dependabot in #1496
• update: bump the gh-actions-packages group with 5 updates by @dependabot in #1514
• CI: Disable non-OCI-compliant provenance and disable image cleanup during public Golang test by @Starkteetje in #1515
• update: bump the pip-packages group with 4 updates by @dependabot in #1512
• v3.3.4 by @phbelitz in #1516

Full Changelog: v3.3.3...v3.3.4

v3.3.3

v3.3.3

Fix

• Report notary auth failure #1469
• No exceptions on automatic child approval #1467

Build

• Removed safety #1471
• Fix build of getroot utility #1462

Update

• Bump the pip-packages group with 4 updates (#1468) #1468
• Bump the gh-actions-packages group with 4 updates (#1466) #1466
• Bump the pip-packages group with 6 updates #1460
• Bump the gh-actions-packages group with 4 updates #1461
• Update anchore/sbom-action to v0.15.1 #1439

---

What's Changed

• update: Update anchore/sbom-action to v0.15.1 by @Starkteetje in #1439
• update: bump the gh-actions-packages group with 4 updates by @dependabot in #1461
• update: bump the pip-packages group with 6 updates by @dependabot in #1460
• build: Fix build of getRoot utility by @Starkteetje in #1462
• fix: no exceptions on automatic child approval by @phbelitz in #1467
• fix: Report notary auth failure by @Starkteetje in #1469
• update: bump the gh-actions-packages group with 4 updates by @dependabot in #1466
• update: bump the pip-packages group with 4 updates by @dependabot in #1468
• build: removed safety by @phbelitz in #1471
• v3.3.3 by @phbelitz in #1470

Full Changelog: v3.3.2...v3.3.3

v3.3.2

What's Changed

• test: fix local integration testing and add script for ease of use by @annekebr in #1414
• test: get logs on error case of other-ns integration test by @annekebr in #1427
• ci: continue when kubelinter fails by @chrysogonus in #1428
• update: Update k8s image registry in default policy by @Starkteetje in #1429
• update: bump the pip-packages group with 4 updates by @dependabot in #1434
• update: bump the gh-actions-packages group with 4 updates by @dependabot in #1433
• update: Update Cosign to version 2.2.2 by @Starkteetje in #1435
• Develop by @Starkteetje in #1437

New Contributors

• @chrysogonus made their first contribution in #1428

Full Changelog: v3.3.1...v3.3.2

---

v3.3.2

Ci

• Continue when kubelinter fails #1428

Test

• Get logs on error case of other-ns integration test #1427
• Fix local integration testing and add script for ease of use #1414

Update

• Update cosign to version 2.2.2 #1435
• Bump the gh-actions-packages group with 4 updates #1433
• Bump the pip-packages group with 4 updates #1434
• Update k8s image registry in default policy #1429