
Releases: enix/x509-certificate-exporter

v4.2.0-beta.3

15 May 15:48

Pre-release

Changelog

Features

  • 0f01346: feat(k8s, config): add jks.passphraseSecretRef for parity with pkcs12 (@npdgm)
  • 0f8672e: feat(k8s, cmd): wire pkcs12 passphraseSecretRef end-to-end with API lookup (@npdgm)
  • 0eed4da: feat(chart, docs): expose jks.passphraseSecretRef in schema + examples (@npdgm)
  • 58b2ec8: feat(cert/jks): implement native JCEKS reader (keystore-go rejects JCEKS magic) (@npdgm)

Bug Fixes

  • a8c305e: fix(lint): pass ctx in onSecret test call sites (@npdgm)
  • e69b3d0: fix(lint): contextcheck + gosec nosec + ineffassign + unconvert (@npdgm)

Other

v4.2.0-beta.2

13 May 20:39
89525d1

Pre-release

What's new

  • CA bundle watching (kind: cabundle) — the exporter can now watch cluster-scoped Kubernetes resources that carry inline caBundle PEM fields: MutatingWebhookConfiguration, ValidatingWebhookConfiguration, APIService, and CustomResourceDefinition conversion webhooks. Each caBundle field is extracted and tracked as a regular certificate series, with the same label and filtering semantics as Secret-sourced certs. The feature is opt-in (disabled by default in the chart) and each resource kind is independently togglable; the chart's ClusterRole is scoped to exactly the kinds enabled.

  • DER format (via format: der) — raw DER-encoded certificate and CRL blobs are now first-class inputs. Point any secretTypes key or file pattern at a .der cert or .crl file (the kind served by HTTP CRL Distribution Points) and the exporter parses it directly, without requiring PEM wrapping. CRLs parsed via DER feed into the x509_crl_* metric family alongside their PEM counterparts.

  • CRL freshness monitoring — PEM bundles may now contain X509 CRL blocks freely intermixed with CERTIFICATE blocks. Each CRL found in a bundle is tracked by the new x509_crl_* family: x509_crl_this_update, x509_crl_next_update, x509_crl_number, and the alert-ready x509_crl_stale / relative-time variants. Two new PrometheusRule alerts — CRLNeedsRefresh and CRLStale — are bundled with the chart.

  • JKS / JCEKS support (via format: jks) — Java KeyStore and JCEKS keystores and truststores are now parsed natively, using magic-byte auto-detection to distinguish the two formats at runtime. The jks: block in secretTypes mirrors the existing pkcs12: API: passphrase from a sibling Secret key (passphraseKey), an external file, or tryEmptyPassphrase for passwordless stores. A dedicated x509_jks_passphrase_failures_total counter (auto-registered, symmetric to its PKCS#12 counterpart) surfaces wrong-passphrase events per source.
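The CRL freshness handling described above, as an added Go example that is not the exporter's own code: it walks a PEM bundle in which X509 CRL blocks are intermixed with CERTIFICATE blocks, reads this_update, next_update and the CRL number from each CRL with the standard library, and flags a CRL whose next_update has already passed, the condition behind x509_crl_stale and the CRLStale alert. The CRLStatus type and the MakeBundle helper (which builds a constructed CA and CRL so the code runs offline) are assumptions for this example, not the project's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)
// CRLStatus carries the values behind the x509_crl_* series (an assumed shape, not the exporter's own types).
type CRLStatus struct {
	Issuer                 string
	ThisUpdate, NextUpdate time.Time
	Number                 int64
	Stale                  bool // NextUpdate has already passed: the CRLStale alert condition
}
// ScanBundle walks a PEM bundle mixing X509 CRL and CERTIFICATE blocks and returns one status per CRL.
func ScanBundle(bundle []byte, now time.Time) ([]CRLStatus, error) {
	var out []CRLStatus
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "X509 CRL" { continue } // certificates are handled by the usual x509_cert_* path
		crl, err := x509.ParseRevocationList(blk.Bytes)
		if err != nil {
			return nil, err // a malformed CRL is reported, not silently dropped
		}
		out = append(out, CRLStatus{crl.Issuer.String(), crl.ThisUpdate, crl.NextUpdate,
			crl.Number.Int64(), now.After(crl.NextUpdate)})
	}
	return out, nil
}
// MakeBundle builds a constructed self-signed CA plus a CRL it signs, PEM-encoded as one bundle (cert, then CRL).
func MakeBundle(number int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: thisUpdate.Add(-time.Hour), NotAfter: nextUpdate.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ca, _ := x509.ParseCertificate(certDER) // output of CreateCertificate always parses back
	crlDER, err := x509.CreateRevocationList(rand.Reader,
		&x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}, ca, key)
	if err != nil { return nil, err }
	cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	return append(cert, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: crlDER})...), nil
}
```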

Changelog

Features

  • 6f8d783: feat(source/cabundle): watch MWC + VWC caBundles cluster-wide (@npdgm)
  • 176e25c: feat(registry): emit x509_crl_* metric family from Bundle.RevocationItems (@npdgm)
  • 36aaf39: feat(registry): add x509_jks_passphrase_failures_total + format-aware routing (@npdgm)
  • ab1ce3a: feat(k8s): support shell-glob patterns in include/exclude names (@npdgm)
  • 19305f0: feat(config, cmd): wire format: jks + jks: passphrase block (@npdgm)
  • 9626e52: feat(chart): support glob and recursive (**) patterns in watchDirectories (@npdgm)
  • 587d0f1: feat(chart): expose include/exclude secrets and configmaps by name (@npdgm)
  • 830ca14: feat(chart): expose cluster-scoped cabundle exporter (opt-in) (@npdgm)
  • 3bcafda: feat(chart): add jks format + jks: passphrase block to secretTypes schema (@npdgm)
  • 9d4b97f: feat(chart): add CRLNeedsRefresh and CRLStale PrometheusRule alerts (@npdgm)
  • fcc6dd2: feat(cert/pem): parse X509 CRL blocks into Bundle.RevocationItems (@npdgm)
  • 3d571b6: feat(cert/jks): parse JKS and JCEKS keystores and truststores (@npdgm)
  • 7ce1092: feat(cert/der): parse single-blob DER as cert or CRL via x509 stdlib (@npdgm)
  • 7610ca6: feat(cabundle): extend source to APIService and CRD conversion webhooks (@npdgm)

Bug Fixes

  • 074db88: fix(k8s): trim only CR/LF from secret-sourced passphrases, not all whitespace (@npdgm)
  • 2958d64: fix(chart): omit registry segment when image.registry is empty (@npdgm)

Documentation

  • 5770c37: docs(readme): announce CRL freshness monitoring in the v4 highlights (@npdgm)
  • 9b02f8f: docs(metrics): describe the x509_crl_* family (@npdgm)
  • c6e9aec: docs(chart, metrics): document DER format and add a positive schema fixture (@npdgm)
  • a163963: docs(README, metrics): announce JKS/JCEKS support and x509_jks_passphrase_failures_total (@npdgm)
  • c3a255c: docs(README): don't generalize memory gains in v4 (@npdgm)
  • 0e186d8: docs(README): announce support for DER and CRLs (@npdgm)

Other

  • 86fb1c1: test+docs(cabundle): e2e scenarios, README + metrics.md, opt-in example (@npdgm)
  • 74d0996: bump(deps): upgrade Go dependencies (@npdgm)
  • 651723a: bump(deps): update Go dependencies (@npdgm)

v4.2.0-beta.1

13 May 16:37

Pre-release


v4.1.0

07 May 11:42


Changelog

Features

  • e4457ef: feat(chart): drop privileged from hostPathsExporter securityContext defaults (@npdgm)

Bug Fixes

  • 8f1a1f9: fix(chart): preserve build metadata in pre-upgrade version detection (@npdgm)

v4.0.0

06 May 13:17
91cd154


✨ What's new in v4

  • Full rewrite around a YAML config file and a pluggable architecture — clean foundations for the project to grow on.
  • Memory-safe Kubernetes watch — RAM usage stays flat instead of spiking; expect to set memory limits ~10× lower than before.
  • Richer PKCS#12 wiring — full keystore + truststore coverage, flexible passphrase sourcing.
  • Surface workload metadata — lift watched resource labels onto emitted certificate series.
  • Supply-chain hardened — SLSA Build L3 provenance, cosign-signed binaries, images and chart, SBOM attestations.
  • Multi-cluster from a single instance — fan-in metrics from any number of clusters via distinct kubeconfigs.
  • Per-source observability — granular health and triage signals, not just a global error counter.

⚠️ BREAKING CHANGES

This new major version introduces changes that may break existing deployments.
Please read the v3 → v4 migration guide before upgrading.

Changes

Exceptionally, this release has no detailed changelog: v4 is the outcome of a deep rewrite spanning over a hundred commits.

v4.0.0-rc.4

06 May 07:00
5614977

Pre-release

FOR TESTING ONLY

⚠ BREAKING CHANGES

Early testers are advised to read the v3 → v4 migration guide

v4.0.0-rc.3

05 May 19:14
cfb7f3c

Pre-release

FOR TESTING ONLY

⚠ BREAKING CHANGES

Early testers are advised to read the v3 → v4 migration guide

v4.0.0-rc.2

05 May 17:40
b3e2c02

Pre-release

FOR TESTING ONLY

⚠ BREAKING CHANGES

Early testers are advised to read the v3 → v4 migration guide

v4.0.0-rc.1

05 May 16:58
6ec3aee

Pre-release

FOR TESTING ONLY

⚠ BREAKING CHANGES

Early testers are advised to read the v3 → v4 migration guide

v4.0.0-alpha.8

05 May 14:15
9dd380c

Pre-release

FOR TESTING ONLY

⚠ BREAKING CHANGES

Early testers are advised to read the v3 → v4 migration guide