Skip to content

Approver Policy releases

Learn about current and past releases of Approver Policy.

Helm charts are public, but container images require a pull secret. See Configuring access to the NGTS registry.

The latest stable version is v0.24.0
  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.24.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.24.0

Release 0.24.0

Approver Policy v0.24.0 was released on 9 March, 2026.

Key features

  • Simplified registry configuration

    Helm charts now support installation from your custom OCI registry using new imageRegistry and imageNamespace values in the Helm values file. Previously, you had to specify the full image repository path.

    We'll continue to support the legacy image.repository setting and it will take precedence if you use both methods.

    The following examples show the new and legacy methods.

    helm upgrade cert-manager-approver-policy oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy \
    --install \
    --namespace venafi \
    --set imageRegistry=myregistry.example.com \
    --set imageNamespace=cert-manager-approver-policy \
    --version v0.24.0 \
    --wait

    helm upgrade cert-manager-approver-policy oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy \
    --install \
    --namespace venafi \
    --set image.repository="myregistry.example.com/cert-manager-approver-policy/cert-manager-approver-policy" \
    --version v0.24.0 \
    --wait

Fixes and updates

  • Go updated to v1.26.1.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.24.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.24.0

Release 0.23.2

Approver Policy v0.23.2 was released on 4 March, 2026.

Fixes and updates

  • Updates Go-related dependencies to address CVE-2025-68121.
  • Fixes a crash loop in v0.23.1.

Recommended upgrade

We recommend skipping v0.23.1 in favor of this release and upgrading carefully from 0.23.1 if required.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.23.2
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.23.2

Release 0.23.1

Approver Policy v0.23.1 was released on 23 February, 2026.

Fixes and updates

  • Addresses vulnerabilities including CVE-2025-68121.
  • Adds support for using Common Expression Language (CEL) in the policy rules that validate groups exposed on a CertificateRequest.

  • The following dependencies were upgraded in this release:

    • k8s.io/api was updated to v0.35.1
    • k8s.io/apiextensions-apiserver was updated to 0.35.1
    • k8s.io/apimachinery was updated to v0.35.1
    • k8s.io/apiserver was updated to v0.35.1
    • k8s.io/cli-runtime was updated to v0.35.1
    • k8s.io/client-go was updated to v0.35.1
    • k8s.io/component-base was updated to v0.35.1
    • github.com/cert-manager/cert-manager was updated to v1.19.3
    • github.com/google/cel-go was updated to v0.27.0
    • github.com/onsi/ginkgo/v2 was updated to v2.28.1
    • github.com/onsi/gomega was updated to v1.39.1
    • google.golang.org/protobuf was updated to v1.36.11.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.23.1
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.23.1

Release 0.23.0

Approver Policy v0.23.0 was released on 10 December, 2025.

Fixes and updates

  • Release v0.23.0 has been built using Go v1.25.5 to fix CVE-2025-6172 and CVE-2025-61729.
  • This release also contains a configurable securityContext for both pod and container in the Helm chart.

  • The following dependencies were upgraded in this release:

    • golang.org/x/crypto was updated to v0.45.0
    • sigs.k8s.io/controller-runtime was updated to v0.22.4
    • k8s.io/api was updated to v0.34.2
    • k8s.io/apiextensions-apiserver was updated to v0.34.2
    • k8s.io/apiserver was updated to v0.34.2
    • k8s.io/apimachinery was updated to v0.34.2
    • k8s.io/cli-runtime was updated to v0.34.2
    • k8s.io/client-go was updated to v0.34.2
    • k8s.io/component-base was updated to v0.34.2
    • github.com/onsi/ginkgo/v2 was updated to v2.27.2

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.23.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.23.0

Release 0.22.2

Approver Policy v0.22.2 was released on 17 October, 2025.

Fixes and updates

  • This patch release upgrades the version of Go used to 1.25.3 in order to address the following non-critical CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.22.2
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.22.2

Release 0.22.1

Approver Policy v0.22.1 was released on 10 October, 2025.

Fixes and updates

  • This release replaces Go 1.25.2 with 1.25.1. This avoids some X.509 issues introduced in v0.22.0.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.22.1
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.22.1

Release 0.22.0

Approver Policy v0.22.0 was released on 9 October, 2025.

Known issue

Golang 1.25.2 has a backwards incompatible change. This will for example result in certificates with a DNS SAN ending in a dot failing approval.

Key features

  • The following custom Approver Policy metrics are now deprecated:

    • approverpolicy_certificaterequest_approved_count
    • approverpolicy_certificaterequest_denied_count
    • approverpolicy_certificaterequest_unmatched_count

    Any use of these metrics should be replaced with the new composite certmanager_approverpolicy_certificaterequests_approval metrics. The deprecated metrics will be removed after a couple of releases.

  • The following dependencies were updated in this release:

    • actions/setup-go was updated to v6 in the all-gh-actions group.
    • github.com/cert-manager/cert-manager was updated to v1.19.0.
    • github.com/onsi/ginkgo/v2 was updated to v2.26.0.
    • github.com/onsi/gomega was updated to v1.38.1
    • github.com/google/cel-go was updated to v0.26.0
    • github.com/stretchr/testify was updated to v1.11.0.
    • github.com/prometheus/client_golang was updated to v1.23.2
    • github.com/spf13/cobra was updated to v1.10.1.
    • github.com/spf13/pflag was updated to 1.0.10.
    • google.golang.org/protobuf was updated to 1.36.10.
    • k8s.io/api was updated to v0.34.1.
    • k8s.io/apiextensions-apiserver was updated to v0.34.1.
    • k8s.io/apimachinery was updated to v0.34.1.
    • k8s.io/cli-runtime was updated to v0.34.1.
    • k8s.io/client-go was updated to v0.34.1.
    • k8s.io/component-base was updated to v0.34.1.
    • k8s.io/utils digest was updated to bc988d5.
    • kubernetes go patches were updated to v0.34.1
    • sigs.k8s.io/controller-runtime to was updated to v0.22.2.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.22.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.22.0

Release 0.21.0

Approver Policy v0.21.0 was released on 20 June, 2025.

Key features

  • The Result.Requeue field is deprecated in sigs.k8s.io/controller-runtime v0.21.0 and thus has been removed.
  • The name used in the managed-by label of the webhook CA Secret was parameterized to distinguish it from the CA Secret created by cert-manager.

  • Release v0.21.0 of Approver Policy includes a number of dependency updates. The following dependencies were updated in this release:

    • Go was updated to v1.24.4 to address CVE-2025-4673 and CVE-2025-0913.
    • cert-manager was updated to v1.18.1
    • sigs.k8s.io/controller-runtime was updated to v0.20.2
    • k8s.io/api was updated to v0.33.2
    • k8s.io/apiextensions-apiserver was updated to v0.33.2
    • k8s.io/apimachinery was updated to v0.33.2
    • k8s.io/apiserver was updated to v0.33.2
    • k8s.io/cli-runtime was updated to v0.33.2
    • k8s.io/client-go was updated to v0.33.2
    • k8s.io/component-base was updated to v0.33.2
    • github.com/go-logr/logr was updated to v1.4.3

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.21.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.21.0

Release 0.20.0

Approver Policy v0.20.0 was released on 1 May, 2025.

Key features

  • This release updates the Helm chart to set container port names.

  • Release v0.20.0 of Approver Policy includes a number of dependency updates. The following dependencies were updated in this release:

    • Go was updated to v1.24.2
    • cert-manager was updated to v1.17.2
    • sigs.k8s.io/controller-runtime was updated to v0.20.2
    • k8s.io/api was updated to v0.33.0
    • k8s.io/apiextensions-apiserver was updated to v0.33.0
    • k8s.io/apimachinery was updated to v0.33.0
    • k8s.io/apiserver was updated to v0.33.0
    • k8s.io/cli-runtime was updated to v0.33.0
    • k8s.io/client-go was updated to v0.33.0
    • k8s.io/component-base was updated to v0.33.0
    • google.golang.org/protobuf was updated to v1.36.6
    • github.com/google/cel-go was updated to v0.22.1
    • github.com/spf13/cobra was updated to v1.9.1
    • golang.org/x/ne was updated to v0.38.0
    • github.com/prometheus/client_golang was updated to v1.22.0
    • github.com/onsi/ginkgo/v2 was updated to v2.23.4
    • github.com/onsi/gomega was updated to v1.37.0
    • github.com/google/go-cmp was updated to v0.7.0

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.20.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.20.0

Release 0.19.0

Approver Policy v0.19.0 was released on 3 February, 2025.

Key features

  • Support for client-gen was added so that users can now generate clients for Approver Policy CRDs.
  • The release also includes a fix for an issue where upstream golang crypto/x509 returns a PublicKey instance for ed25519 instead of a PublicKey pointer. The fix now allows Ed25519 to be set in Approver Policy CertificateRequestPolicy constraints.

  • Release v0.19.0 of Approver Policy includes a number of dependency updates. The following dependencies were updated in this release:

    • cert-manager was updated to v1.16.3
    • sigs.k8s.io/controller-runtime was updated to v0.20.1
    • k8s.io/api was updated to v0.32.1
    • k8s.io/apiextensions-apiserver was updated to v0.32.1
    • k8s.io/apimachinery was updated to v0.32.1
    • k8s.io/apiserver was updated to v0.32.1
    • k8s.io/cli-runtime was updated to v0.32.1
    • k8s.io/client-go was updated to v0.32.1
    • k8s.io/component-base was updated to v0.32.1
    • google.golang.org/protobuf was updated to v1.36.4
    • github.com/spf13/pflag was updated to v1.0.6

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.19.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.19.0

Release 0.18.0

Approver Policy v0.18.0 was released on 14 January, 2025.

Fixes and updates

  • Release v0.18.0 of Approver Policy includes a number of dependency updates. The following dependencies were updated in this release:

    • sigs.k8s.io/controller-runtime was updated to v0.19.4
    • github.com/onsi/ginkgo/v2 was updated to v2.22.2
    • github.com/onsi/gomega was updated to v1.36.2
    • k8s.io/api was updated to v0.32.0
    • k8s.io/apiextensions-apiserver was updated to v0.32.0
    • k8s.io/apimachinery was updated to v0.32.0
    • k8s.io/apiserver was updated to v0.32.0
    • k8s.io/cli-runtime was updated to v0.32.0
    • k8s.io/client-go was updated to v0.32.0
    • k8s.io/component-base was updated to v0.32.0
    • k8s.io/utils was updated to v0.0.0-20241104100929-3ea5e8cea738
    • google.golang.org/protobuf was updated to v1.36.2
    • golang.org/x/crypto was updated to 0.31.0

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.18.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.18.0

Release 0.17.0

Approver Policy v0.17.0 was released on 25 November, 2024.

Fixes and updates

  • This release corrects an issue where the Approver Policy did not consider the cert-manager issuer group and kind defaults when matching policies against cert-manager CertificateRequest resources. When referencing issuers in cert-manager Certificate and CertificateRequest, the issuerRef kind and group are optional and defaulted in the cert-manager controller. This becomes problematic in Approver Policy if you want to enforce a policy addressing cert-manager issuers. This release fixes this issue by applying the cert-manager default issuer kind/group when matching policies. Now, if a CertificateRequest does not specify spec.issuerRef.group or spec.issuerRef.kind, Approver Policy defaults to the same values as cert-manager:

    • cert-manager.io for issuer group
    • Issuer for issuer kind

  • This release also fixes a bug in the Helm chart so that the Webhook CA Secret now matches the name override value and the RBAC.

  • The following dependencies were also updated in this release:

    • github.com/cert-manager/cert-manager was updated to v1.16.2
    • sigs.k8s.io/controller-runtime was updated to v0.19.2
    • github.com/onsi/ginkgo/v2 was updated to v2.22.0
    • github.com/onsi/gomega was updated to v1.35.1
    • k8s.io/api was updated to v0.31.3
    • k8s.io/apiextensions-apiserver was updated to v0.31.3
    • k8s.io/apimachinery was updated to v0.31.3
    • k8s.io/apiserver was updated to v0.31.3
    • k8s.io/cli-runtime was updated to v0.31.3
    • k8s.io/client-go was updated to v0.31.3
    • k8s.io/component-base was updated to v0.31.3
    • google.golang.org/protobuf was updated to v1.35.2

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.17.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.17.0

Release 0.16.0

Approver Policy v0.16.0 was released on 28 October, 2024.

Key features

  • Common Expression Language (CEL) validator improvements

    The username field of CertificateRequest (CR) resources is now exposed to CEL, allowing for rich logical operators on the contents of the username.

    This is useful for making complex decisions about whether the user who created the CertificateRequest should be allowed to do so, beyond what is provided by Kubernetes' RBAC mechanism.

    For example, if pods creates their own certificate requests directly using RBAC, you might use this new feature to ensure that the certificate request inludes the Pod's service account in the URIs field (for example, in a SPIFFE ID).

Fixes and updates

  • github.com/cert-manager/cert-manager was updated to v1.16.1
  • github.com/prometheus/client_golang was updated to v1.20.5
  • google.golang.org/protobuf was updated to v1.35.1
  • k8s.io/api was updated to v0.31.2
  • k8s.io/apiextensions-apiserver was updated to v0.31.2
  • k8s.io/apimachinery was updated to v0.31.2
  • k8s.io/cli-runtime was updated to v0.31.2
  • k8s.io/client-go was updated to v0.31.2
  • k8s.io/component-base was updated to v0.31.2
  • k8s.io/utils was updated to 0.0.0-20240921022957-49e7df575cb6
  • sigs.k8s.io/controller-runtime was updated to v0.19.1

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.16.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.16.0

Release 0.15.2

Approver Policy v0.15.2 was released on 25 September, 2024.

Fixes and updates

  • The following dependencies were updated in this release:

    • github.com/onsi/ginkgo/v2 was updated to v2.20.2
    • github.com/onsi/gomega was updated to v1.34.2
    • github.com/prometheus/client_golang was updated to 1.20.4
    • k8s.io/api was updated to v0.31.1
    • k8s.io/apiextensions-apiserver was updated to v0.31.1
    • k8s.io/apimachinery was updated to v0.31.1
    • k8s.io/cli-runtime was updated to v0.31.1
    • k8s.io/client-go was updated to v0.31.1
    • k8s.io/component-base was updated to v0.31.1

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.15.2
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.2

Release 0.15.1

Approver Policy v0.15.1 was released on 16 August, 2024.

Fixes and updates

  • Release 0.15.1 of Approver Policy is a patch release that fixes an issue where the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail to renew its CA certificate. Please upgrade before the expiration of this CA certificate is reached.

  • The following dependencies were also updated in this release:

    • github.com/cert-manager/cert-manager was updated to v1.15.3
    • github.com/onsi/ginkgo/v2 was updated to v2.20.0
    • github.com/onsi/gomega was updated to v1.34.1

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.15.1
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.1

Release 0.15.0

Approver Policy v0.15.0 was released on 26 July, 2024.

Key features

  • Release 0.15.0 of Approver Policy sets the nodeSelector Helm value to "kubernetes.io/os": "linux" by default.
  • This release also adds support for structured JSON logging.
  • Also in this release the cert-manager Approver Policy webhook server dynamic_source CA duration and leaf certificate duration are now configurable. The default CA Duration is now 1 year and the default leaf certificate duration is now 7 days.

Fixes and updates

  • This release includes a fix for an issue with duplicate Prometheus scrape targets by using a named port in the ServiceMonitor.
  • The version of cert-manager used was updated in this release to v1.15.1.
  • This release is built using Go 1.22.5 to fix some security vulnerabilities in the Go standard library.

  • The following dependencies were also updated in this release:

    • k8s.io/api was updated to v0.30.3
    • k8s.io/apiextensions-apiserver was updated to v0.30.3
    • k8s.io/apimachinery was updated to v0.30.3
    • k8s.io/cli-runtime was updated to v0.30.3
    • k8s.io/client-go was updated to v0.30.3
    • k8s.io/component-base was updated to v0.30.3
    • k8s.io/klog/v2 was updated to v2.130.1
    • google.golang.org/grpc was updated to v1.64.1
    • google.golang.org/protobuf was updated to v1.34.2
    • github.com/go-logr/logr was updated to v1.4.2
    • github.com/onsi/ginkgo/v2 was updated to v2.19.0
    • sigs.k8s.io/controller-runtime was updated to v0.18.4
    • github.com/spf13/cobra was updated to v1.8.1

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.15.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.15.0

Release 0.14.1

Approver Policy v0.14.1 was released on 13 May, 2024.

Fixes and updates

  • This release updates the version of Go used from 1.22.2 to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788). All Go-related dependencies were also upgraded in this release.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.14.1
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.1

Release 0.14.0

Approver Policy v0.14.0 was released on 23 April, 2024.

Read before upgrading

The new signer permissions described above take effect by default upon upgrading to Approver Policy v0.14.0 unless you explicitly set the approveSignerNames Helm value. Consider which of the following scenarios fits your use case to determine if you need to take any action:

Scenario 1: No Custom approveSignerNames

If you didn't previously set a value for approveSignerNames then the list of issuers usable by Approver Policy would've been restricted to only the built-in issuers. When upgrading to v0.14.0, that list will expand to include all possible issuers.

If you're happy for Approver Policy to approve for all issuers, no action is required. Most users should fall into this category.

If you for some reason do not want to allow Approver Policy to handle approval for certificates signed by external issuers but you do want to use it for built-in issuers, you need to manually set app.approveSignerNames to its old value.

Scenario 2: Custom app.approveSignerNames

If you're already using external issuers with Approver Policy, you'll have already set a custom value for approveSignerNames.

If you're happy for Approver Policy to approve for all issuers, remove your custom value for approveSignerNames and use the new default.

If you wish to keep restrictions in place, you can leave your custom value in place.

Why should I restrict approveSignerNames?

It makes sense to restrict this value if you have external issuers installed and you want to limit the issuers that Approver Policy can approve. This would imply that you have some other approver running in your cluster which should apply to some issuers.

We believe that for most users it's fine to accept the new default of allowing access for Approver Policy to all issuers.

Key features

  • Approver Policy now accepts all external issuers by default. This makes Approver Policy easier to use with external issuers such as the AWS Private CA Issuer or the Enterprise Issuer for Next-Gen Trust Security. Previously, the Approver Policy required explicitly granted permission to use external issuers via the approveSignerNames Helm value.

    Approver Policy can be used with all issuers. It's still possible to restrict the list if you want to, however doing so would only be helpful in niche scenarios. The scenarios in which you might want to take action are described below, but most users should take no action.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.14.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.14.0

Release 0.13.1

Approver Policy v0.13.1 was released on 26 March, 2024.

Key features

  • You can now configure an HTTP proxy from the Helm chart by using the following values: http_proxy, https_proxy, and no_proxy. If you are using the upstream version of Approver Policy, this may not be useful to you. These variables are useful for projects building plugins on top of Approver Policy and make HTTP calls to the internet.
  • You can now also configure the priorityClassName field in the Helm chart.

Fixes and updates

  • The following vulnerability was fixed by upgrading to google.golang.org/protobuf@v1.33.0: GO-2024-2611 (CVE-2024-24786).

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.13.1
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.1

Release 0.13.0

Approver Policy v0.13.0 was released on 6 March, 2024.

Key features

  • By default, the Helm chart now adds the helm.sh/resource-policy: keep annotation to all CRDs. This prevents accidental deletion of CRDs when uninstalling the component using Helm.

    Note

    This feature introduces an additional uninstall step:

    $ kubectl delete crd certificaterequestpolicies.policy.cert-manager.io

    To avoid using the annotation, add --set crds.keep=false to your installation. To exclude the CRD from the Helm installation use --set crds.enabled=false.

  • This release also adds an optional PodDisruptionBudget helm value that can be used in your values.yaml file:

        podDisruptionBudget:
        enabled: true

  • To help avoid disk exhaustion attacks, a size limit of 50mb has been set on the emptyDir used for the /tmp directory. A /tmp directory is used for the TLS certificate which it generates for the webhook, as well as by some Approver Policy plugins for creating temporary configuration files.

  • Platform engineers can now set Topology Spread Constraints using Helm chart values.

  • All Approver Policy deployment-related Helm values have been made global in this release.

  • The replicaCount Helm value can now be set to either an integer or a string.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.13.0
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.13.0

Release 0.12.1

Approver Policy v0.12.1 was released on 1 February, 2024.

Fixes and updates

  • This patch release improves the Helm chart README and metadata properties.

    Note

    This release of Approver Policy changes how containers are built, which in turn changes the path at which the binary can be found inside the container. This means that new container images can't be used with older Helm charts, or with any software which expects the old path.

    For the simplest upgrade experience, use the latest helm chart with the latest image.

Downloads

  • Helm chart: oci://registry.ngts.paloaltonetworks.com/charts/cert-manager-approver-policy:v0.12.1
  • Container image: registry.ngts.paloaltonetworks.com/cert-manager-approver-policy/cert-manager-approver-policy:v0.12.1