Skip to content

What's changed

ncm-issuer 1.2.1 is a security and reliability focused release that hardens the controller to the Pod Security Standards "restricted" profile (non-root, read-only rootfs, all capabilities dropped), makes issuer health checks trustworthy and moves images to ghcr.io/nokia with multi-arch (amd64/arm64) support. It also adds Kubernetes 1.36 support with Go 1.26.4.

Improvements and fixes

  • Fixed NCM REST API health check to actually probe the /v1/cas endpoint with authentication and to treat only 2xx responses as healthy. Previously the probe targeted the base URL and considered any non-5xx response (including authentication failures and other 4xx) as healthy, which masked misconfigured endpoints and credentials
  • Gated Issuer / ClusterIssuer Ready condition on a synchronous health probe during reconciliation. An unreachable or misconfigured NCM REST API is now surfaced immediately as Ready=False with reason Error and a descriptive message instead of being marked Ready=True until the first periodic check (which by default could take up to one minute)
  • Hardened the controller container to Pod Security Standards "restricted" by default. The CSR PEM is now streamed directly into the NCM multipart upload instead of being round-tripped through a temporary file under /tmp, which removes a data-leakage surface and lets the chart ship with readOnlyRootFilesystem: true, capabilities.drop: [ALL], allowPrivilegeEscalation: false and seccompProfile: RuntimeDefault on the controller container, plus seccompProfile: RuntimeDefault at the pod level
  • Split chart securityContext into pod-level and container-level blocks. Pod-level fields now live under .Values.podSecurityContext, container-level fields for the controller stay under .Values.securityContext. The troubleshooting sidecar gets its own .Values.sidecar.securityContext that drops all capabilities and re-adds only NET_RAW, NET_ADMIN and SYS_PTRACE so tcpdump and strace keep working under a non-root user. Breaking: chart overrides that previously set .Values.securityContext to control both pod-level and container-level fields will need to be split accordingly
  • Updated ncm-issuer-utils troubleshooting image to apply matching file capabilities (cap_net_raw,cap_net_admin+ep on tcpdump, cap_sys_ptrace+ep on strace) so the non-root sidecar user can actually use them without granting the whole container privileged caps
  • Published multi-architecture container images for linux/amd64 and linux/arm64. The release workflow now builds and pushes a multi-arch manifest, and the Dockerfile cross-compiles the manager binary for the target platform (TARGETOS/TARGETARCH) instead of hardcoding amd64. This enables running ncm-issuer on ARM64 nodes such as AWS Graviton, ARM bare metal and Apple Silicon dev clusters
  • Moved the default container registry from a Docker Hub namespace to the Nokia-owned GitHub Container Registry (ghcr.io/nokia). The Helm chart now defaults image.repository to ghcr.io/nokia/ncm-issuer and the troubleshooting sidecar to ghcr.io/nokia/ncm-issuer-utils. The release workflow publishes both images to ghcr.io/nokia using the built-in GITHUB_TOKEN instead of Docker Hub credentials. The troubleshooting sidecar is now rebuilt on every release so it ships with up-to-date OS packages. Migration: pull images from ghcr.io/nokia/ncm-issuer. Deployments that already override image.repository are unaffected
  • Added support for Kubernetes 1.36 (supported versions: 1.26 - 1.36)
  • Updated go.mod dependencies: Kubernetes API to 0.36, controller-runtime to 0.24.1, cert-manager to 1.20.3
  • Upgraded Go version used for building the binary and Docker image from 1.25.6 to 1.26.4