chore(deps): update dependency enix/x509-certificate-exporter to v4 #15

Open

CSRBot wants to merge 1 commits from renovate/enix-x509-certificate-exporter-4.x into master

pull from: renovate/enix-x509-certificate-exporter-4.x

merge into: volker.raschek:master

volker.raschek:master

volker.raschek:renovate/enix-x509-certificate-exporter-3.x

Conversation 0 Commits 1 Files Changed 1

+1 -1

CSRBot commented 2026-05-06 20:16:51 +02:00

Collaborator

Copy Link

Copy Source

This PR contains the following updates:

Package	Update	Change
enix/x509-certificate-exporter	major	3.18.1 → 4.1.0

---

Release Notes

enix/x509-certificate-exporter (enix/x509-certificate-exporter)

v4.1.0

Compare Source

Changelog

Features

• e4457ef: feat(chart): drop privileged from hostPathsExporter securityContext defaults (@​npdgm)

Bug Fixes

• 8f1a1f9: fix(chart): preserve build metadata in pre-upgrade version detection (@​npdgm)

v4.0.0

Compare Source

⚠ BREAKING CHANGES

• add new metric gates, diags and not_before off by defaut,

• container: switch default variant from busybox to scratch (floating tags)

• chart: make the Service headless by default (no ClusterIP)

• the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at https://charts.enix.io is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so helm install / helm upgrade will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the busybox and scratch variants on linux/amd64,arm64,riscv64. Users pulling *-alpine tags must switch to one of the new variants — busybox is the closest functional replacement (still has a shell), scratch is the minimal distroless option.

• release 4.0.0-alpha.1 (410319d)

• release 4.0.0-alpha.1 (3f5d581)

• release 4.0.0-alpha.2 (c43ed24)

• release 4.0.0-alpha.3 (39d54d6)

Features

• add new metric gates, diags and not_before off by defaut, (a719113)
• add opt-in flag to skip symlinks (85c97e3)
• build: bump all Go dependencies (fc3bff2)
• build: bump all Go dependencies (e3b6c74)
• build: bump Go to version 1.26.1 (06d47be)
• build: bump Golang to version 1.20.7 (f2a7a19)
• build: bump Golang to version 1.21 (4014073)
• build: bump Golang to version 1.21.6 (a800033)
• build: bump Golang to version 1.21.8 (05582fc)
• build: bump Golang to version 1.21.9 (61a0f71)
• build: bump Golang to version 1.22.2 (8f15013)
• build: bump Golang to version 1.22.5 (956074c)
• build: bump Golang to version 1.23.0 (862481b)
• build: bump Golang to version 1.23.1 (082a818)
• build: bump Golang to version 1.23.2 (756827c)
• build: bump Golang to version 1.23.4 (1d90a66)
• build: publish OpenVEX documents for new releases (1ed09e5)
• build: publish SBOM documents for new releases (3bf4f4a)
• build: release FreeBSD binaries for RISC-V (0b8db06)
• build: upgrade to golang 1.19 (3916d18)
• build: upgrade to golang 1.20 (16429b9)
• chart: make the Service headless by default (no ClusterIP) (b1d5b5c)
• chart: remove support for legacy apiVersion (k8s < 1.16) (7f560fd)
• charts: add expose-secret-label parameter to exporter deployment (905f789)
• chart: satisfy PSA restricted profile and OpenShift restricted-v2 SCC (3d8b935)
• charts: configurable probes with values (2f58ca0)
• chart: support image digest pinning across all images (fd81d79)
• configurable burst and QPS in k8s client (e002b89)
• container: bump Alpine base image to 3.17.0 (e311864)
• container: bump Alpine base image to 3.18.2 (53ede98)
• container: bump Alpine base image to version 3.17.3 (de23f78)
• container: bump Alpine base image to version 3.18.3 (1d089c6)
• container: bump Alpine base image to version 3.19.0 (fc71664)
• container: bump Alpine base image to version 3.19.1 (9d0f7b5)
• container: bump Alpine base image to version 3.20.1 (500829e)
• container: bump Alpine base image to version 3.20.2 (3d2904a)
• container: bump Alpine base image to version 3.20.2 (1738e29)
• container: bump Alpine base image to version 3.21.0 (476b093)
• container: bump Alpine base image to version 3.22.0 (e0511a0)
• container: bump Alpine base image version to 3.23.3 (29c9c9a)
• container: bump Busybox base image to version 1.36 (29464ca)
• container: bump Busybox base image to version 1.36.1 (8201737)
• container: bump Busybox base image to version 1.37.0 (bf1f613)
• container: images for RISC-V now track Alpine stable (eb7752a)
• container: publish images to GitHub Registry (GHCR) (26f924d)
• container: switch Busybox images to glibc flavor (fix for RISC-V) (8f97b98)
• container: switch default variant from busybox to scratch (floating tags) (5ef7b43)
• container: switch to stable Alpine base images for RISC-V (92860e2)
• deploy,chart: make metricRelabelings configurable in ServiceMonitor and PodMonitor (6f81197)
• exporter: ability to expose k8s labels as prometheus metrics labels (cee171c)
• exporter: add auto tuning of GC memory limit (automemlimit) (cc3b0c0)
• exporter: use automaxprocs to limit threads count (efd7a6e)
• globbing support for -d (cbebdde)
• globbing support for -f option (7fa2298)
• globbing support for -k (30b406e)
• helm: add deployment and daemonSet annotations (5d81768)
• helm: add the Grafana dashboard (f145ffc), closes #​136
• helm: added extraArgs (d2466a1)
• helm: bump kube-rbac-proxy to v0.13.1 and pull new repository (412f225)
• helm: do not use a headless Service by default (a5d2bf8), closes #​50
• helm: increase CPU limits for all containers (902a45e)
• helm: introduce extraDeployVerbatim to skip templating engine (8b88740)
• helm: make revisionHistoryLimit configurable (6fc58ab)
• helm: mount of additional volumes (c3430d4)
• helm: new value to override release namespace (4c34353)
• helm: new value to set HostPath type for DaemonSet volumes (290094a)
• helm: options to set the priority class (f956d29)
• helm: report time left in expiration alert (45d9b15)
• helm: support custom TLS config (ff99541)
• helm: support for "web configuration" (HTTP auth and TLS) (0bc9f17)
• helm: switch to OCI artifacts (still tracked by Helm repository) (c9fd9d0)
• helm: upgrade hook to handle immutable changes with 3.20.0 (6fe7f4a)
• include or exclude namespaces to watch based on their labels (fc47f9b)
• rewrite from scratch with new architecture and toolchain (b4f3f84)
• symlink path mapping and containment (bbd179c)
• unify log format to use structured logs only (645a3ca)

Bug Fixes

• bundle errors not reaching the stats UI (cbd2724)
• chart: add app.kubernetes.io/component label to identify different resources (dad3408)
• ci: print line numbers for golang-ci-lint (e2d8253)
• clusterlevel resources dont need namespaces (4cbacc6)
• consider no match as a read error (8d11d1a)
• deploy,chart: remove cpu limits for secretsExporter and hostPathsExporter (a9d4a86)
• don't delay server initialization while caches are populated (0bf10f5)
• don't list all namespaces if not needed for filtering (d5adc63)
• helm: allow customization of httpGet heathchecks for TLS users (11d8af4), closes #​445
• helm: allow secretsExporter.replicas to be set to 0 (bdcf627)
• helm: DaemonSets inherit global podAnnotations (1a670ed), closes #​106
• helm: extraVolumeMounts omitted if webConfiguration not set (45a55f0)
• helm: grammar in Prometheus alerts descriptions (7803a4b)
• helm: namespace override value in DaemonSet template (26d6a88)
• helm: resolve redundant double slashes (//) in certificate monitoring paths (ce27399)
• kubernetes: fetch ConfigMaps when keys are configured (77f58c1), closes #​368
• linter issues (c2707f5)
• properly resolve relative syminks (a59a7ab)
• properly resolve symlink paths (#​86) (beb88b3)
• shrinkSecret to actually shrink (3bb2ed2)
• use doublestar fork to properly resolve symlinks (f7944e4)

Documentation

• 3to4: fix codeql warning on typescript syntax (584ecdb)
• add a v3 to v4 migration guide (da6ba51)
• add security policy with reporting channels and scope (146d4c0)
• add v3-to-v4 migration guide (d93d187)
• assets: new alternative logo (0a7d655)
• chart: add a menu (1212b90)
• chart: fix image URLs in README (79e927e)
• chart: link to the hardening guide (1a39d3f)
• chart: remove old notes ; link to curated starter values (a393d5a)
• chart: run helm-docs to update values in README.md (3b930c7)
• chart: update README with new project template ; migration to v4 (a90955b)
• clarify that hostPathsExporter was implemented for RKE (bb1dd92)
• dedicated metrics reference under docs/ (6b5078c)
• examples: add curated values.yaml starters for generic and per-distro setups (297fd74)
• Fix Linux deploy README (d3d81e7)
• fix markdown linting issues (5bcb838)
• fix typo (78d54a7)
• helm: emojis not requiring VS16 for colors in anchrored headers (3646831)
• helm: fix english texts (6e033bd)
• helm: fix value description and run helm-docs to update README (dec9be8)
• helm: fix values comment to pass helm linter (d907077)
• helm: refactor the concepts section (e0b9d71)
• helm: strip VS16 from emojis to fix GitHub anchors (2f19db6)
• helm: update values documentation in README (c8395dd)
• helm: update values in README (de59c88)
• helm: use Github generated anchror slugs for headings with VS16 emojis (4485844)
• metrics: new gates ; fixed labels ; better promql snippets ; cardinality clarification (c28eb69)
• new page with frequent questions (ba3bd51)
• README: add logo and refactor badges (efe4de8)
• README: fix broken link for sigstore ; better badge label (30d3015)
• README: fix links to the github project (0a780d9)
• README: new sections and markdown readability (1df03e4)
• readme: refresh file with helm-docs (71ff80c)
• README: relocate hardening to a dedicated page ; add a menu (30d1174)
• relocate grafana dashboard screenshot (9cbeb94)
• SECURITY: drop schedule (7d68bd5)
• SECURITY: restore timeline (b45520f)
• v3-to-v4: clarify the deprecation of CLI flags (3dd744b)
• v3-to-v4: drop hallucinated content (aa87503)
• warning about the relation between getLabels & compareCertificates (563028c)

v3.21.0

Compare Source

⚠ BREAKING CHANGES

• add new metric gates, diags and not_before off by defaut,

• container: switch default variant from busybox to scratch (floating tags)

• chart: make the Service headless by default (no ClusterIP)

• the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at https://charts.enix.io is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so helm install / helm upgrade will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the busybox and scratch variants on linux/amd64,arm64,riscv64. Users pulling *-alpine tags must switch to one of the new variants — busybox is the closest functional replacement (still has a shell), scratch is the minimal distroless option.

• release 4.0.0-alpha.1 (410319d)

• release 4.0.0-alpha.1 (3f5d581)

• release 4.0.0-alpha.2 (c43ed24)

• release 4.0.0-alpha.3 (39d54d6)

Features

• add new metric gates, diags and not_before off by defaut, (a719113)
• add opt-in flag to skip symlinks (85c97e3)
• build: bump all Go dependencies (fc3bff2)
• build: bump all Go dependencies (e3b6c74)
• build: bump Go to version 1.26.1 (06d47be)
• build: bump Golang to version 1.20.7 (f2a7a19)
• build: bump Golang to version 1.21 (4014073)
• build: bump Golang to version 1.21.6 (a800033)
• build: bump Golang to version 1.21.8 (05582fc)
• build: bump Golang to version 1.21.9 (61a0f71)
• build: bump Golang to version 1.22.2 (8f15013)
• build: bump Golang to version 1.22.5 (956074c)
• build: bump Golang to version 1.23.0 (862481b)
• build: bump Golang to version 1.23.1 (082a818)
• build: bump Golang to version 1.23.2 (756827c)
• build: bump Golang to version 1.23.4 (1d90a66)
• build: publish OpenVEX documents for new releases (1ed09e5)
• build: publish SBOM documents for new releases (3bf4f4a)
• build: release FreeBSD binaries for RISC-V (0b8db06)
• build: upgrade to golang 1.19 (3916d18)
• build: upgrade to golang 1.20 (16429b9)
• chart: make the Service headless by default (no ClusterIP) (b1d5b5c)
• chart: remove support for legacy apiVersion (k8s < 1.16) (7f560fd)
• charts: add expose-secret-label parameter to exporter deployment (905f789)
• chart: satisfy PSA restricted profile and OpenShift restricted-v2 SCC (3d8b935)
• charts: configurable probes with values (2f58ca0)
• chart: support image digest pinning across all images (fd81d79)
• configurable burst and QPS in k8s client (e002b89)
• container: bump Alpine base image to 3.17.0 (e311864)
• container: bump Alpine base image to 3.18.2 (53ede98)
• container: bump Alpine base image to version 3.17.3 (de23f78)
• container: bump Alpine base image to version 3.18.3 (1d089c6)
• container: bump Alpine base image to version 3.19.0 (fc71664)
• container: bump Alpine base image to version 3.19.1 (9d0f7b5)
• container: bump Alpine base image to version 3.20.1 (500829e)
• container: bump Alpine base image to version 3.20.2 (3d2904a)
• container: bump Alpine base image to version 3.20.2 (1738e29)
• container: bump Alpine base image to version 3.21.0 (476b093)
• container: bump Alpine base image to version 3.22.0 (e0511a0)
• container: bump Alpine base image version to 3.23.3 (29c9c9a)
• container: bump Busybox base image to version 1.36 (29464ca)
• container: bump Busybox base image to version 1.36.1 (8201737)
• container: bump Busybox base image to version 1.37.0 (bf1f613)
• container: images for RISC-V now track Alpine stable (eb7752a)
• container: publish images to GitHub Registry (GHCR) (26f924d)
• container: switch Busybox images to glibc flavor (fix for RISC-V) (8f97b98)
• container: switch default variant from busybox to scratch (floating tags) (5ef7b43)
• container: switch to stable Alpine base images for RISC-V (92860e2)
• deploy,chart: make metricRelabelings configurable in ServiceMonitor and PodMonitor (6f81197)
• exporter: ability to expose k8s labels as prometheus metrics labels (cee171c)
• exporter: add auto tuning of GC memory limit (automemlimit) (cc3b0c0)
• exporter: use automaxprocs to limit threads count (efd7a6e)
• globbing support for -d (cbebdde)
• globbing support for -f option (7fa2298)
• globbing support for -k (30b406e)
• helm: add deployment and daemonSet annotations (5d81768)
• helm: add the Grafana dashboard (f145ffc), closes #​136
• helm: added extraArgs (d2466a1)
• helm: bump kube-rbac-proxy to v0.13.1 and pull new repository (412f225)
• helm: do not use a headless Service by default (a5d2bf8), closes #​50
• helm: increase CPU limits for all containers (902a45e)
• helm: introduce extraDeployVerbatim to skip templating engine (8b88740)
• helm: make revisionHistoryLimit configurable (6fc58ab)
• helm: mount of additional volumes (c3430d4)
• helm: new value to override release namespace (4c34353)
• helm: new value to set HostPath type for DaemonSet volumes (290094a)
• helm: options to set the priority class (f956d29)
• helm: report time left in expiration alert (45d9b15)
• helm: support custom TLS config (ff99541)
• helm: support for "web configuration" (HTTP auth and TLS) (0bc9f17)
• helm: switch to OCI artifacts (still tracked by Helm repository) (c9fd9d0)
• helm: upgrade hook to handle immutable changes with 3.20.0 (6fe7f4a)
• include or exclude namespaces to watch based on their labels (fc47f9b)
• rewrite from scratch with new architecture and toolchain (b4f3f84)
• symlink path mapping and containment (bbd179c)
• unify log format to use structured logs only (645a3ca)

Bug Fixes

• bundle errors not reaching the stats UI (cbd2724)
• chart: add app.kubernetes.io/component label to identify different resources (dad3408)
• ci: print line numbers for golang-ci-lint (e2d8253)
• clusterlevel resources dont need namespaces (4cbacc6)
• consider no match as a read error (8d11d1a)
• deploy,chart: remove cpu limits for secretsExporter and hostPathsExporter (a9d4a86)
• don't delay server initialization while caches are populated (0bf10f5)
• don't list all namespaces if not needed for filtering (d5adc63)
• helm: allow customization of httpGet heathchecks for TLS users (11d8af4), closes #​445
• helm: allow secretsExporter.replicas to be set to 0 (bdcf627)
• helm: DaemonSets inherit global podAnnotations (1a670ed), closes #​106
• helm: extraVolumeMounts omitted if webConfiguration not set (45a55f0)
• helm: grammar in Prometheus alerts descriptions (7803a4b)
• helm: namespace override value in DaemonSet template (26d6a88)
• helm: resolve redundant double slashes (//) in certificate monitoring paths (ce27399)
• kubernetes: fetch ConfigMaps when keys are configured (77f58c1), closes #​368
• linter issues (c2707f5)
• properly resolve relative syminks (a59a7ab)
• properly resolve symlink paths (#​86) (beb88b3)
• shrinkSecret to actually shrink (3bb2ed2)
• use doublestar fork to properly resolve symlinks (f7944e4)

Documentation

• 3to4: fix codeql warning on typescript syntax (584ecdb)
• add a v3 to v4 migration guide (da6ba51)
• add security policy with reporting channels and scope (146d4c0)
• add v3-to-v4 migration guide (d93d187)
• assets: new alternative logo (0a7d655)
• chart: add a menu (1212b90)
• chart: fix image URLs in README (79e927e)
• chart: link to the hardening guide (1a39d3f)
• chart: remove old notes ; link to curated starter values (a393d5a)
• chart: run helm-docs to update values in README.md (3b930c7)
• chart: update README with new project template ; migration to v4 (a90955b)
• clarify that hostPathsExporter was implemented for RKE (bb1dd92)
• dedicated metrics reference under docs/ (6b5078c)
• examples: add curated values.yaml starters for generic and per-distro setups (297fd74)
• Fix Linux deploy README (d3d81e7)
• fix markdown linting issues (5bcb838)
• fix typo (78d54a7)
• helm: emojis not requiring VS16 for colors in anchrored headers (3646831)
• helm: fix english texts (6e033bd)
• helm: fix value description and run helm-docs to update README (dec9be8)
• helm: fix values comment to pass helm linter (d907077)
• helm: refactor the concepts section (e0b9d71)
• helm: strip VS16 from emojis to fix GitHub anchors (2f19db6)
• helm: update values documentation in README (c8395dd)
• helm: update values in README (de59c88)
• helm: use Github generated anchror slugs for headings with VS16 emojis (4485844)
• metrics: new gates ; fixed labels ; better promql snippets ; cardinality clarification (c28eb69)
• new page with frequent questions (ba3bd51)
• README: add logo and refactor badges (efe4de8)
• README: fix broken link for sigstore ; better badge label (30d3015)
• README: fix links to the github project (0a780d9)
• README: new sections and markdown readability (1df03e4)
• readme: refresh file with helm-docs (71ff80c)
• README: relocate hardening to a dedicated page ; add a menu (30d1174)
• relocate grafana dashboard screenshot (9cbeb94)
• SECURITY: drop schedule (7d68bd5)
• SECURITY: restore timeline (b45520f)
• v3-to-v4: clarify the deprecation of CLI flags (3dd744b)
• v3-to-v4: drop hallucinated content (aa87503)
• warning about the relation between getLabels & compareCertificates (563028c)

v3.20.1

Compare Source

⚠ BREAKING CHANGES

• add new metric gates, diags and not_before off by defaut,

• container: switch default variant from busybox to scratch (floating tags)

• chart: make the Service headless by default (no ClusterIP)

• the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at https://charts.enix.io is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so helm install / helm upgrade will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the busybox and scratch variants on linux/amd64,arm64,riscv64. Users pulling *-alpine tags must switch to one of the new variants — busybox is the closest functional replacement (still has a shell), scratch is the minimal distroless option.

• release 4.0.0-alpha.1 (410319d)

• release 4.0.0-alpha.1 (3f5d581)

• release 4.0.0-alpha.2 (c43ed24)

• release 4.0.0-alpha.3 (39d54d6)

Features

• add new metric gates, diags and not_before off by defaut, (a719113)
• add opt-in flag to skip symlinks (85c97e3)
• build: bump all Go dependencies (fc3bff2)
• build: bump all Go dependencies (e3b6c74)
• build: bump Go to version 1.26.1 (06d47be)
• build: bump Golang to version 1.20.7 (f2a7a19)
• build: bump Golang to version 1.21 (4014073)
• build: bump Golang to version 1.21.6 (a800033)
• build: bump Golang to version 1.21.8 (05582fc)
• build: bump Golang to version 1.21.9 (61a0f71)
• build: bump Golang to version 1.22.2 (8f15013)
• build: bump Golang to version 1.22.5 (956074c)
• build: bump Golang to version 1.23.0 (862481b)
• build: bump Golang to version 1.23.1 (082a818)
• build: bump Golang to version 1.23.2 (756827c)
• build: bump Golang to version 1.23.4 (1d90a66)
• build: publish OpenVEX documents for new releases (1ed09e5)
• build: publish SBOM documents for new releases (3bf4f4a)
• build: release FreeBSD binaries for RISC-V (0b8db06)
• build: upgrade to golang 1.19 (3916d18)
• build: upgrade to golang 1.20 (16429b9)
• chart: make the Service headless by default (no ClusterIP) (b1d5b5c)
• chart: remove support for legacy apiVersion (k8s < 1.16) (7f560fd)
• charts: add expose-secret-label parameter to exporter deployment (905f789)
• chart: satisfy PSA restricted profile and OpenShift restricted-v2 SCC (3d8b935)
• charts: configurable probes with values (2f58ca0)
• chart: support image digest pinning across all images (fd81d79)
• configurable burst and QPS in k8s client (e002b89)
• container: bump Alpine base image to 3.17.0 (e311864)
• container: bump Alpine base image to 3.18.2 (53ede98)
• container: bump Alpine base image to version 3.17.3 (de23f78)
• container: bump Alpine base image to version 3.18.3 (1d089c6)
• container: bump Alpine base image to version 3.19.0 (fc71664)
• container: bump Alpine base image to version 3.19.1 (9d0f7b5)
• container: bump Alpine base image to version 3.20.1 (500829e)
• container: bump Alpine base image to version 3.20.2 (3d2904a)
• container: bump Alpine base image to version 3.20.2 (1738e29)
• container: bump Alpine base image to version 3.21.0 (476b093)
• container: bump Alpine base image to version 3.22.0 (e0511a0)
• container: bump Alpine base image version to 3.23.3 (29c9c9a)
• container: bump Busybox base image to version 1.36 (29464ca)
• container: bump Busybox base image to version 1.36.1 (8201737)
• container: bump Busybox base image to version 1.37.0 (bf1f613)
• container: images for RISC-V now track Alpine stable (eb7752a)
• container: publish images to GitHub Registry (GHCR) (26f924d)
• container: switch Busybox images to glibc flavor (fix for RISC-V) (8f97b98)
• container: switch default variant from busybox to scratch (floating tags) (5ef7b43)
• container: switch to stable Alpine base images for RISC-V (92860e2)
• deploy,chart: make metricRelabelings configurable in ServiceMonitor and PodMonitor (6f81197)
• exporter: ability to expose k8s labels as prometheus metrics labels (cee171c)
• exporter: add auto tuning of GC memory limit (automemlimit) (cc3b0c0)
• exporter: use automaxprocs to limit threads count (efd7a6e)
• globbing support for -d (cbebdde)
• globbing support for -f option (7fa2298)
• globbing support for -k (30b406e)
• helm: add deployment and daemonSet annotations (5d81768)
• helm: add the Grafana dashboard (f145ffc), closes #​136
• helm: added extraArgs (d2466a1)
• helm: bump kube-rbac-proxy to v0.13.1 and pull new repository (412f225)
• helm: do not use a headless Service by default (a5d2bf8), closes #​50
• helm: increase CPU limits for all containers (902a45e)
• helm: introduce extraDeployVerbatim to skip templating engine (8b88740)
• helm: make revisionHistoryLimit configurable (6fc58ab)
• helm: mount of additional volumes (c3430d4)
• helm: new value to override release namespace (4c34353)
• helm: new value to set HostPath type for DaemonSet volumes (290094a)
• helm: options to set the priority class (f956d29)
• helm: report time left in expiration alert (45d9b15)
• helm: support custom TLS config (ff99541)
• helm: support for "web configuration" (HTTP auth and TLS) (0bc9f17)
• helm: switch to OCI artifacts (still tracked by Helm repository) (c9fd9d0)
• helm: upgrade hook to handle immutable changes with 3.20.0 (6fe7f4a)
• include or exclude namespaces to watch based on their labels (fc47f9b)
• rewrite from scratch with new architecture and toolchain (b4f3f84)
• symlink path mapping and containment (bbd179c)
• unify log format to use structured logs only (645a3ca)

Bug Fixes

• bundle errors not reaching the stats UI (cbd2724)
• chart: add app.kubernetes.io/component label to identify different resources (dad3408)
• ci: print line numbers for golang-ci-lint (e2d8253)
• clusterlevel resources dont need namespaces (4cbacc6)
• consider no match as a read error (8d11d1a)
• deploy,chart: remove cpu limits for secretsExporter and hostPathsExporter (a9d4a86)
• don't delay server initialization while caches are populated (0bf10f5)
• don't list all namespaces if not needed for filtering (d5adc63)
• helm: allow customization of httpGet heathchecks for TLS users (11d8af4), closes #​445
• helm: allow secretsExporter.replicas to be set to 0 (bdcf627)
• helm: DaemonSets inherit global podAnnotations (1a670ed), closes #​106
• helm: extraVolumeMounts omitted if webConfiguration not set (45a55f0)
• helm: grammar in Prometheus alerts descriptions (7803a4b)
• helm: namespace override value in DaemonSet template (26d6a88)
• helm: resolve redundant double slashes (//) in certificate monitoring paths (ce27399)
• kubernetes: fetch ConfigMaps when keys are configured (77f58c1), closes #​368
• linter issues (c2707f5)
• properly resolve relative syminks (a59a7ab)
• properly resolve symlink paths (#​86) (beb88b3)
• shrinkSecret to actually shrink (3bb2ed2)
• use doublestar fork to properly resolve symlinks (f7944e4)

Documentation

• 3to4: fix codeql warning on typescript syntax (584ecdb)
• add a v3 to v4 migration guide (da6ba51)
• add security policy with reporting channels and scope (146d4c0)
• add v3-to-v4 migration guide (d93d187)
• assets: new alternative logo (0a7d655)
• chart: add a menu (1212b90)
• chart: fix image URLs in README (79e927e)
• chart: link to the hardening guide (1a39d3f)
• chart: remove old notes ; link to curated starter values (a393d5a)
• chart: run helm-docs to update values in README.md (3b930c7)
• chart: update README with new project template ; migration to v4 (a90955b)
• clarify that hostPathsExporter was implemented for RKE (bb1dd92)
• dedicated metrics reference under docs/ (6b5078c)
• examples: add curated values.yaml starters for generic and per-distro setups (297fd74)
• Fix Linux deploy README (d3d81e7)
• fix markdown linting issues (5bcb838)
• fix typo (78d54a7)
• helm: emojis not requiring VS16 for colors in anchrored headers (3646831)
• helm: fix english texts (6e033bd)
• helm: fix value description and run helm-docs to update README (dec9be8)
• helm: fix values comment to pass helm linter (d907077)
• helm: refactor the concepts section (e0b9d71)
• helm: strip VS16 from emojis to fix GitHub anchors (2f19db6)
• helm: update values documentation in README (c8395dd)
• helm: update values in README (de59c88)
• helm: use Github generated anchror slugs for headings with VS16 emojis (4485844)
• metrics: new gates ; fixed labels ; better promql snippets ; cardinality clarification (c28eb69)
• new page with frequent questions (ba3bd51)
• README: add logo and refactor badges (efe4de8)
• README: fix broken link for sigstore ; better badge label (30d3015)
• README: fix links to the github project (0a780d9)
• README: new sections and markdown readability (1df03e4)
• readme: refresh file with helm-docs (71ff80c)
• README: relocate hardening to a dedicated page ; add a menu (30d1174)
• relocate grafana dashboard screenshot (9cbeb94)
• SECURITY: drop schedule (7d68bd5)
• SECURITY: restore timeline (b45520f)
• v3-to-v4: clarify the deprecation of CLI flags (3dd744b)
• v3-to-v4: drop hallucinated content (aa87503)
• warning about the relation between getLabels & compareCertificates (563028c)

v3.20.0

Compare Source

⚠ BREAKING CHANGES

• add new metric gates, diags and not_before off by defaut,

• container: switch default variant from busybox to scratch (floating tags)

• chart: make the Service headless by default (no ClusterIP)

• the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at https://charts.enix.io is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so helm install / helm upgrade will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the busybox and scratch variants on linux/amd64,arm64,riscv64. Users pulling *-alpine tags must switch to one of the new variants — busybox is the closest functional replacement (still has a shell), scratch is the minimal distroless option.

• release 4.0.0-alpha.1 (410319d)

• release 4.0.0-alpha.1 (3f5d581)

• release 4.0.0-alpha.2 (c43ed24)

• release 4.0.0-alpha.3 (39d54d6)

Features

• add new metric gates, diags and not_before off by defaut, (a719113)
• add opt-in flag to skip symlinks (85c97e3)
• build: bump all Go dependencies (fc3bff2)
• build: bump all Go dependencies (e3b6c74)
• build: bump Go to version 1.26.1 (06d47be)
• build: bump Golang to version 1.20.7 (f2a7a19)
• build: bump Golang to version 1.21 (4014073)
• build: bump Golang to version 1.21.6 (a800033)
• build: bump Golang to version 1.21.8 (05582fc)
• build: bump Golang to version 1.21.9 (61a0f71)
• build: bump Golang to version 1.22.2 (8f15013)
• build: bump Golang to version 1.22.5 (956074c)
• build: bump Golang to version 1.23.0 (862481b)
• build: bump Golang to version 1.23.1 (082a818)
• build: bump Golang to version 1.23.2 (756827c)
• build: bump Golang to version 1.23.4 (1d90a66)
• build: publish OpenVEX documents for new releases (1ed09e5)
• build: publish SBOM documents for new releases (3bf4f4a)
• build: release FreeBSD binaries for RISC-V (0b8db06)
• build: upgrade to golang 1.19 (3916d18)
• build: upgrade to golang 1.20 (16429b9)
• chart: make the Service headless by default (no ClusterIP) (b1d5b5c)
• chart: remove support for legacy apiVersion (k8s < 1.16) (7f560fd)
• charts: add expose-secret-label parameter to exporter deployment (905f789)
• chart: satisfy PSA restricted profile and OpenShift restricted-v2 SCC (3d8b935)
• charts: configurable probes with values (2f58ca0)
• chart: support image digest pinning across all images (fd81d79)
• configurable burst and QPS in k8s client (e002b89)
• container: bump Alpine base image to 3.17.0 (e311864)
• container: bump Alpine base image to 3.18.2 (53ede98)
• container: bump Alpine base image to version 3.17.3 (de23f78)
• container: bump Alpine base image to version 3.18.3 (1d089c6)
• container: bump Alpine base image to version 3.19.0 (fc71664)
• container: bump Alpine base image to version 3.19.1 (9d0f7b5)
• container: bump Alpine base image to version 3.20.1 (500829e)
• container: bump Alpine base image to version 3.20.2 (3d2904a)
• container: bump Alpine base image to version 3.20.2 (1738e29)
• container: bump Alpine base image to version 3.21.0 (476b093)
• container: bump Alpine base image to version 3.22.0 (e0511a0)
• container: bump Alpine base image version to 3.23.3 (29c9c9a)
• container: bump Busybox base image to version 1.36 (29464ca)
• container: bump Busybox base image to version 1.36.1 (8201737)
• container: bump Busybox base image to version 1.37.0 (bf1f613)
• container: images for RISC-V now track Alpine stable (eb7752a)
• container: publish images to GitHub Registry (GHCR) (26f924d)
• container: switch Busybox images to glibc flavor (fix for RISC-V) (8f97b98)
• container: switch default variant from busybox to scratch (floating tags) (5ef7b43)
• container: switch to stable Alpine base images for RISC-V (92860e2)
• deploy,chart: make metricRelabelings configurable in ServiceMonitor and PodMonitor (6f81197)
• exporter: ability to expose k8s labels as prometheus metrics labels (cee171c)
• exporter: add auto tuning of GC memory limit (automemlimit) (cc3b0c0)
• exporter: use automaxprocs to limit threads count (efd7a6e)
• globbing support for -d (cbebdde)
• globbing support for -f option (7fa2298)
• globbing support for -k (30b406e)
• helm: add deployment and daemonSet annotations (5d81768)
• helm: add the Grafana dashboard (f145ffc), closes #​136
• helm: added extraArgs (d2466a1)
• helm: bump kube-rbac-proxy to v0.13.1 and pull new repository (412f225)
• helm: do not use a headless Service by default (a5d2bf8), closes #​50
• helm: increase CPU limits for all containers (902a45e)
• helm: introduce extraDeployVerbatim to skip templating engine (8b88740)
• helm: make revisionHistoryLimit configurable (6fc58ab)
• helm: mount of additional volumes (c3430d4)
• helm: new value to override release namespace (4c34353)
• helm: new value to set HostPath type for DaemonSet volumes (290094a)
• helm: options to set the priority class (f956d29)
• helm: report time left in expiration alert (45d9b15)
• helm: support custom TLS config (ff99541)
• helm: support for "web configuration" (HTTP auth and TLS) (0bc9f17)
• helm: switch to OCI artifacts (still tracked by Helm repository) (c9fd9d0)
• helm: upgrade hook to handle immutable changes with 3.20.0 (6fe7f4a)
• include or exclude namespaces to watch based on their labels (fc47f9b)
• rewrite from scratch with new architecture and toolchain (b4f3f84)
• symlink path mapping and containment (bbd179c)
• unify log format to use structured logs only (645a3ca)

Bug Fixes

• bundle errors not reaching the stats UI (cbd2724)
• chart: add app.kubernetes.io/component label to identify different resources (dad3408)
• ci: print line numbers for golang-ci-lint (e2d8253)
• clusterlevel resources dont need namespaces (4cbacc6)
• consider no match as a read error (8d11d1a)
• deploy,chart: remove cpu limits for secretsExporter and hostPathsExporter (a9d4a86)
• don't delay server initialization while caches are populated (0bf10f5)
• don't list all namespaces if not needed for filtering (d5adc63)
• helm: allow customization of httpGet heathchecks for TLS users (11d8af4), closes #​445
• helm: allow secretsExporter.replicas to be set to 0 (bdcf627)
• helm: DaemonSets inherit global podAnnotations (1a670ed), closes #​106
• helm: extraVolumeMounts omitted if webConfiguration not set (45a55f0)
• helm: grammar in Prometheus alerts descriptions (7803a4b)
• helm: namespace override value in DaemonSet template (26d6a88)
• helm: resolve redundant double slashes (//) in certificate monitoring paths (ce27399)
• kubernetes: fetch ConfigMaps when keys are configured (77f58c1), closes #​368
• linter issues (c2707f5)
• properly resolve relative syminks (a59a7ab)
• properly resolve symlink paths (#​86) (beb88b3)
• shrinkSecret to actually shrink (3bb2ed2)
• use doublestar fork to properly resolve symlinks (f7944e4)

Documentation

• 3to4: fix codeql warning on typescript syntax (584ecdb)
• add a v3 to v4 migration guide (da6ba51)
• add security policy with reporting channels and scope (146d4c0)
• add v3-to-v4 migration guide (d93d187)
• assets: new alternative logo (0a7d655)
• chart: add a menu (1212b90)
• chart: fix image URLs in README (79e927e)
• chart: link to the hardening guide (1a39d3f)
• chart: remove old notes ; link to curated starter values (a393d5a)
• chart: run helm-docs to update values in README.md (3b930c7)
• chart: update README with new project template ; migration to v4 (a90955b)
• clarify that hostPathsExporter was implemented for RKE (bb1dd92)
• dedicated metrics reference under docs/ (6b5078c)
• examples: add curated values.yaml starters for generic and per-distro setups (297fd74)
• Fix Linux deploy README (d3d81e7)
• fix markdown linting issues (5bcb838)
• fix typo (78d54a7)
• helm: emojis not requiring VS16 for colors in anchrored headers (3646831)
• helm: fix english texts (6e033bd)
• helm: fix value description and run helm-docs to update README (dec9be8)
• helm: fix values comment to pass helm linter (d907077)
• helm: refactor the concepts section (e0b9d71)
• helm: strip VS16 from emojis to fix GitHub anchors (2f19db6)
• helm: update values documentation in README (c8395dd)
• helm: update values in README (de59c88)
• helm: use Github generated anchror slugs for headings with VS16 emojis (4485844)
• metrics: new gates ; fixed labels ; better promql snippets ; cardinality clarification (c28eb69)
• new page with frequent questions (ba3bd51)
• README: add logo and refactor badges (efe4de8)
• README: fix broken link for sigstore ; better badge label (30d3015)
• README: fix links to the github project (0a780d9)
• README: new sections and markdown readability (1df03e4)
• readme: refresh file with helm-docs (71ff80c)
• README: relocate hardening to a dedicated page ; add a menu (30d1174)
• relocate grafana dashboard screenshot (9cbeb94)
• SECURITY: drop schedule (7d68bd5)
• SECURITY: restore timeline (b45520f)
• v3-to-v4: clarify the deprecation of CLI flags (3dd744b)
• v3-to-v4: drop hallucinated content (aa87503)
• warning about the relation between getLabels & compareCertificates (563028c)

v3.19.1

Compare Source

⚠ BREAKING CHANGES

• add new metric gates, diags and not_before off by defaut,

• container: switch default variant from busybox to scratch (floating tags)

• chart: make the Service headless by default (no ClusterIP)

• the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at https://charts.enix.io is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so helm install / helm upgrade will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the busybox and scratch variants on linux/amd64,arm64,riscv64. Users pulling *-alpine tags must switch to one of the new variants — busybox is the closest functional replacement (still has a shell), scratch is the minimal distroless option.

• release 4.0.0-alpha.1 (410319d)

• release 4.0.0-alpha.1 (3f5d581)

• release 4.0.0-alpha.2 (c43ed24)

• release 4.0.0-alpha.3 (39d54d6)

Features

• add new metric gates, diags and not_before off by defaut, (a719113)
• add opt-in flag to skip symlinks (85c97e3)
• build: bump all Go dependencies (fc3bff2)
• build: bump all Go dependencies (e3b6c74)
• build: bump Go to version 1.26.1 (06d47be)
• build: bump Golang to version 1.20.7 (f2a7a19)
• build: bump Golang to version 1.21 (4014073)
• build: bump Golang to version 1.21.6 (a800033)
• build: bump Golang to version 1.21.8 (05582fc)
• build: bump Golang to version 1.21.9 (61a0f71)
• build: bump Golang to version 1.22.2 (8f15013)
• build: bump Golang to version 1.22.5 (956074c)
• build: bump Golang to version 1.23.0 (862481b)
• build: bump Golang to version 1.23.1 (082a818)
• build: bump Golang to version 1.23.2 (756827c)
• build: bump Golang to version 1.23.4 (1d90a66)
• build: publish OpenVEX documents for new releases (1ed09e5)
• build: publish SBOM documents for new releases (3bf4f4a)
• build: release FreeBSD binaries for RISC-V (0b8db06)
• build: upgrade to golang 1.19 (3916d18)
• build: upgrade to golang 1.20 (16429b9)
• chart: make the Service headless by default (no ClusterIP) (b1d5b5c)
• chart: remove support for legacy apiVersion (k8s < 1.16) (7f560fd)
• charts: add expose-secret-label parameter to exporter deployment (905f789)
• chart: satisfy PSA restricted profile and OpenShift restricted-v2 SCC (3d8b935)
• charts: configurable probes with values (2f58ca0)
• chart: support image digest pinning across all images (fd81d79)
• configurable burst and QPS in k8s client (e002b89)
• container: bump Alpine base image to 3.17.0 (e311864)
• container: bump Alpine base image to 3.18.2 (53ede98)
• container: bump Alpine base image to version 3.17.3 (de23f78)
• container: bump Alpine base image to version 3.18.3 (1d089c6)
• container: bump Alpine base image to version 3.19.0 (fc71664)
• container: bump Alpine base image to version 3.19.1 (9d0f7b5)
• container: bump Alpine base image to version 3.20.1 (500829e)
• container: bump Alpine base image to version 3.20.2 (3d2904a)
• container: bump Alpine base image to version 3.20.2 (1738e29)
• container: bump Alpine base image to version 3.21.0 (476b093)
• container: bump Alpine base image to version 3.22.0 (e0511a0)
• container: bump Alpine base image version to 3.23.3 (29c9c9a)
• container: bump Busybox base image to version 1.36 (29464ca)
• container: bump Busybox base image to version 1.36.1 (8201737)
• container: bump Busybox base image to version 1.37.0 (bf1f613)
• container: images for RISC-V now track Alpine stable (eb7752a)
• container: publish images to GitHub Registry (GHCR) (26f924d)
• container: switch Busybox images to glibc flavor (fix for RISC-V) (8f97b98)
• container: switch default variant from busybox to scratch (floating tags) (5ef7b43)
• container: switch to stable Alpine base images for RISC-V (92860e2)
• deploy,chart: make metricRelabelings configurable in ServiceMonitor and PodMonitor (6f81197)
• exporter: ability to expose k8s labels as prometheus metrics labels (cee171c)
• exporter: add auto tuning of GC memory limit (automemlimit) (cc3b0c0)
• exporter: use automaxprocs to limit threads count (efd7a6e)
• globbing support for -d (cbebdde)
• globbing support for -f option (7fa2298)
• globbing support for -k (30b406e)
• helm: add deployment and daemonSet annotations (5d81768)
• helm: add the Grafana dashboard (f145ffc), closes #​136
• helm: added extraArgs (d2466a1)
• helm: bump kube-rbac-proxy to v0.13.1 and pull new repository (412f225)
• helm: do not use a headless Service by default (a5d2bf8), closes #​50
• helm: increase CPU limits for all containers (902a45e)
• helm: introduce extraDeployVerbatim to skip templating engine (8b88740)
• helm: make revisionHistoryLimit configurable (6fc58ab)
• helm: mount of additional volumes (c3430d4)
• helm: new value to override release namespace (4c34353)
• helm: new value to set HostPath type for DaemonSet volumes (290094a)
• helm: options to set the priority class (f956d29)
• helm: report time left in expiration alert (45d9b15)
• helm: support custom TLS config (ff99541)
• helm: support for "web configuration" (HTTP auth and TLS) (0bc9f17)
• helm: switch to OCI artifacts (still tracked by Helm repository) (c9fd9d0)
• helm: upgrade hook to handle immutable changes with 3.20.0 (6fe7f4a)
• include or exclude namespaces to watch based on their labels (fc47f9b)
• rewrite from scratch with new architecture and toolchain (b4f3f84)
• symlink path mapping and containment (bbd179c)
• unify log format to use structured logs only (645a3ca)

Bug Fixes

• bundle errors not reaching the stats UI (cbd2724)
• chart: add app.kubernetes.io/component label to identify different resources (dad3408)
• ci: print line numbers for golang-ci-lint (e2d8253)
• clusterlevel resources dont need namespaces (4cbacc6)
• consider no match as a read error (8d11d1a)
• deploy,chart: remove cpu limits for secretsExporter and hostPathsExporter (a9d4a86)
• don't delay server initialization while caches are populated (0bf10f5)
• don't list all namespaces if not needed for filtering (d5adc63)
• helm: allow customization of httpGet heathchecks for TLS users (11d8af4), closes #​445
• helm: allow secretsExporter.replicas to be set to 0 (bdcf627)
• helm: DaemonSets inherit global podAnnotations (1a670ed), closes #​106
• helm: extraVolumeMounts omitted if webConfiguration not set (45a55f0)
• helm: grammar in Prometheus alerts descriptions (7803a4b)
• helm: namespace override value in DaemonSet template (26d6a88)
• helm: resolve redundant double slashes (//) in certificate monitoring paths (ce27399)
• kubernetes: fetch ConfigMaps when keys are configured (77f58c1), closes #​368
• linter issues (c2707f5)
• properly resolve relative syminks (a59a7ab)
• properly resolve symlink paths (#​86) (beb88b3)
• shrinkSecret to actually shrink (3bb2ed2)
• use doublestar fork to properly resolve symlinks (f7944e4)

Documentation

• 3to4: fix codeql warning on typescript syntax (584ecdb)
• add a v3 to v4 migration guide (da6ba51)
• add security policy with reporting channels and scope (146d4c0)
• add v3-to-v4 migration guide (d93d187)
• assets: new alternative logo (0a7d655)
• chart: add a menu (1212b90)
• chart: fix image URLs in README (79e927e)
• chart: link to the hardening guide (1a39d3f)
• chart: remove old notes ; link to curated starter values (a393d5a)
• chart: run helm-docs to update values in README.md (3b930c7)
• chart: update README with new project template ; migration to v4 (a90955b)
• clarify that hostPathsExporter was implemented for RKE (bb1dd92)
• dedicated metrics reference under docs/ (6b5078c)
• examples: add curated values.yaml starters for generic and per-distro setups (297fd74)
• Fix Linux deploy README (d3d81e7)
• fix markdown linting issues (5bcb838)
• fix typo (78d54a7)
• helm: emojis not requiring VS16 for colors in anchrored headers (3646831)
• helm: fix english texts (6e033bd)
• helm: fix value description and run helm-docs to update README (dec9be8)
• helm: fix values comment to pass helm linter (d907077)
• helm: refactor the concepts section (e0b9d71)
• helm: strip VS16 from emojis to fix GitHub anchors (2f19db6)
• helm: update values documentation in README (c8395dd)
• helm: update values in README (de59c88)
• helm: use Github generated anchror slugs for headings with VS16 emojis (4485844)
• metrics: new gates ; fixed labels ; better promql snippets ; cardinality clarification (c28eb69)
• new page with frequent questions (ba3bd51)
• README: add logo and refactor badges (efe4de8)
• README: fix broken link for sigstore ; better badge label (30d3015)
• README: fix links to the github project (0a780d9)
• README: new sections and markdown readability (1df03e4)
• readme: refresh file with helm-docs (71ff80c)
• README: relocate hardening to a dedicated page ; add a menu (30d1174)
• relocate grafana dashboard screenshot (9cbeb94)
• SECURITY: drop schedule (7d68bd5)
• SECURITY: restore timeline (b45520f)
• v3-to-v4: clarify the deprecation of CLI flags (3dd744b)
• v3-to-v4: drop hallucinated content (aa87503)
• warning about the relation between getLabels & compareCertificates (563028c)

v3.19.0

Compare Source

⚠ BREAKING CHANGES

• add new metric gates, diags and not_before off by defaut,

• container: switch default variant from busybox to scratch (floating tags)

• chart: make the Service headless by default (no ClusterIP)

• the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at https://charts.enix.io is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so helm install / helm upgrade will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the busybox and scratch variants on linux/amd64,arm64,riscv64. Users pulling *-alpine tags must switch to one of the new variants — busybox is the closest functional replacement (still has a shell), scratch is the minimal distroless option.

• release 4.0.0-alpha.1 (410319d)

• release 4.0.0-alpha.1 (3f5d581)

• release 4.0.0-alpha.2 (c43ed24)

• release 4.0.0-alpha.3 (39d54d6)

Features

• add new metric gates, diags and not_before off by defaut, (a719113)
• add opt-in flag to skip symlinks (85c97e3)
• build: bump all Go dependencies (fc3bff2)
• build: bump all Go dependencies (e3b6c74)
• build: bump Go to version 1.26.1 (06d47be)
• build: bump Golang to version 1.20.7 (f2a7a19)
• build: bump Golang to version 1.21 (4014073)
• build: bump Golang to version 1.21.6 (a800033)
• build: bump Golang to version 1.21.8 (05582fc)
• build: bump Golang to version 1.21.9 (61a0f71)
• build: bump Golang to version 1.22.2 (8f15013)
• build: bump Golang to version 1.22.5 (956074c)
• build: bump Golang to version 1.23.0 (862481b)
• build: bump Golang to version 1.23.1 (082a818)
• build: bump Golang to version 1.23.2 (756827c)
• build: bump Golang to version 1.23.4 (1d90a66)
• build: publish OpenVEX documents for new releases (1ed09e5)
• build: publish SBOM documents for new releases (3bf4f4a)
• build: release FreeBSD binaries for RISC-V (0b8db06)
• build: upgrade to golang 1.19 (3916d18)
• build: upgrade to golang 1.20 (16429b9)
• chart: make the Service headless by default (no ClusterIP) (b1d5b5c)
• chart: remove support for legacy apiVersion (k8s < 1.16) (7f560fd)
• charts: add expose-secret-label parameter to exporter deployment (905f789)
• chart: satisfy PSA restricted profile and OpenShift restricted-v2 SCC (3d8b935)
• charts: configurable probes with values (2f58ca0)
• chart: support image digest pinning across all images (fd81d79)
• configurable burst and QPS in k8s client (e002b89)
• container: bump Alpine base image to 3.17.0 (e311864)
• container: bump Alpine base image to 3.18.2 (53ede98)
• container: bump Alpine base image to version 3.17.3 (de23f78)
• container: bump Alpine base image to version 3.18.3 (1d089c6)
• container: bump Alpine base image to version 3.19.0 (fc71664)
• container: bump Alpine base image to version 3.19.1 (9d0f7b5)
• container: bump Alpine base image to version 3.20.1 (500829e)
• container: bump Alpine base image to version 3.20.2 (3d2904a)
• container: bump Alpine base image to version 3.20.2 (1738e29)
• container: bump Alpine base image to version 3.21.0 (476b093)
• container: bump Alpine base image to version 3.22.0 (e0511a0)
• container: bump Alpine base image version to 3.23.3 (29c9c9a)
• container: bump Busybox base image to version 1.36 (29464ca)
• container: bump Busybox base image to version 1.36.1 (8201737)
• container: bump Busybox base image to version 1.37.0 (bf1f613)
• container: images for RISC-V now track Alpine stable (eb7752a)
• container: publish images to GitHub Registry (GHCR) (26f924d)
• container: switch Busybox images to glibc flavor (fix for RISC-V) (8f97b98)
• container: switch default variant from busybox to scratch (floating tags) (5ef7b43)
• container: switch to stable Alpine base images for RISC-V (92860e2)
• deploy,chart: make metricRelabelings configurable in ServiceMonitor and PodMonitor (6f81197)
• exporter: ability to expose k8s labels as prometheus metrics labels (cee171c)
• exporter: add auto tuning of GC memory limit (automemlimit) (cc3b0c0)
• exporter: use automaxprocs to limit threads count (efd7a6e)
• globbing support for -d (cbebdde)
• globbing support for -f option (7fa2298)
• globbing support for -k (30b406e)
• helm: add deployment and daemonSet annotations (5d81768)
• helm: add the Grafana dashboard (f145ffc), closes #​136
• helm: added extraArgs (d2466a1)
• helm: bump kube-rbac-proxy to v0.13.1 and pull new repository (412f225)
• helm: do not use a headless Service by default (a5d2bf8), closes #​50
• helm: increase CPU limits for all containers (902a45e)
• helm: introduce extraDeployVerbatim to skip templating engine (8b88740)
• helm: make revisionHistoryLimit configurable (6fc58ab)
• helm: mount of additional volumes (c3430d4)
• helm: new value to override release namespace (4c34353)
• helm: new value to set HostPath type for DaemonSet volumes (290094a)
• helm: options to set the priority class (f956d29)
• helm: report time left in expiration alert (45d9b15)
• helm: support custom TLS config (ff99541)
• helm: support for "web configuration" (HTTP auth and TLS) (0bc9f17)
• helm: switch to OCI artifacts (still tracked by Helm repository) (c9fd9d0)
• helm: upgrade hook to handle immutable changes with 3.20.0 (6fe7f4a)
• include or exclude namespaces to watch based on their labels (fc47f9b)
• rewrite from scratch with new architecture and toolchain (b4f3f84)
• symlink path mapping and containment (bbd179c)
• unify log format to use structured logs only (645a3ca)

Bug Fixes

• bundle errors not reaching the stats UI (cbd2724)
• chart: add app.kubernetes.io/component label to identify different resources (dad3408)
• ci: print line numbers for golang-ci-lint (e2d8253)
• clusterlevel resources dont need namespaces (4cbacc6)
• consider no match as a read error (8d11d1a)
• deploy,chart: remove cpu limits for secretsExporter and hostPathsExporter (a9d4a86)
• don't delay server initialization while caches are populated (0bf10f5)
• don't list all namespaces if not needed for filtering (d5adc63)
• helm: allow customization of httpGet heathchecks for TLS users (11d8af4), closes #​445
• helm: allow secretsExporter.replicas to be set to 0 (bdcf627)
• helm: DaemonSets inherit global podAnnotations (1a670ed), closes #​106
• helm: extraVolumeMounts omitted if webConfiguration not set (45a55f0)
• helm: grammar in Prometheus alerts descriptions (7803a4b)
• helm: namespace override value in DaemonSet template (26d6a88)
• helm: resolve redundant double slashes (//) in certificate monitoring paths (ce27399)
• kubernetes: fetch ConfigMaps when keys are configured (77f58c1), closes #​368
• linter issues (c2707f5)
• properly resolve relative syminks (a59a7ab)
• properly resolve symlink paths (#​86) (beb88b3)
• shrinkSecret to actually shrink (3bb2ed2)
• use doublestar fork to properly resolve symlinks (f7944e4)

Documentation

• 3to4: fix codeql warning on typescript syntax (584ecdb)
• add a v3 to v4 migration guide (da6ba51)
• add security policy with reporting channels and scope (146d4c0)
• add v3-to-v4 migration guide (d93d187)
• assets: new alternative logo (0a7d655)
• chart: add a menu (1212b90)
• chart: fix image URLs in README (79e927e)
• chart: link to the hardening guide (1a39d3f)
• chart: remove old notes ; link to curated starter values (a393d5a)
• chart: run helm-docs to update values in README.md (3b930c7)
• chart: update README with new project template ; migration to v4 (a90955b)
• clarify that hostPathsExporter was implemented for RKE (bb1dd92)
• dedicated metrics reference under docs/ (6b5078c)
• examples: add curated values.yaml starters for generic and per-distro setups (297fd74)
• Fix Linux deploy README (d3d81e7)
• fix markdown linting issues (5bcb838)
• fix typo (78d54a7)
• helm: emojis not requiring VS16 for colors in anchrored headers (3646831)
• helm: fix english texts (6e033bd)
• helm: fix value description and run helm-docs to update README (dec9be8)
• helm: fix values comment to pass helm linter (d907077)
• helm: refactor the concepts section (e0b9d71)
• helm: strip VS16 from emojis to fix GitHub anchors (2f19db6)
• helm: update values documentation in README (c8395dd)
• helm: update values in README (de59c88)
• helm: use Github generated anchror slugs for headings with VS16 emojis (4485844)
• metrics: new gates ; fixed labels ; better promql snippets ; cardinality clarification (c28eb69)
• new page with frequent questions (ba3bd51)
• README: add logo and refactor badges (efe4de8)
• README: fix broken link for sigstore ; better badge label (30d3015)
• README: fix links to the github project (0a780d9)
• README: new sections and markdown readability (1df03e4)
• readme: refresh file with helm-docs (71ff80c)
• README: relocate hardening to a dedicated page ; add a menu (30d1174)
• relocate grafana dashboard screenshot (9cbeb94)
• SECURITY: drop schedule (7d68bd5)
• SECURITY: restore timeline (b45520f)
• v3-to-v4: clarify the deprecation of CLI flags (3dd744b)
• v3-to-v4: drop hallucinated content (aa87503)
• warning about the relation between getLabels & compareCertificates (563028c)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [enix/x509-certificate-exporter](https://github.com/enix/x509-certificate-exporter) | major | `3.18.1` → `4.1.0` | --- ### Release Notes <details> <summary>enix/x509-certificate-exporter (enix/x509-certificate-exporter)</summary> ### [`v4.1.0`](https://github.com/enix/x509-certificate-exporter/releases/tag/v4.1.0) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v4.0.0...v4.1.0) #### Changelog ##### Features - [`e4457ef`](https://github.com/enix/x509-certificate-exporter/commit/e4457ef2c35abf886fb4798e3a40a5584b6b7d01): feat(chart): drop privileged from hostPathsExporter securityContext defaults ([@&#8203;npdgm](https://github.com/npdgm)) ##### Bug Fixes - [`8f1a1f9`](https://github.com/enix/x509-certificate-exporter/commit/8f1a1f95856810403f4c3798beb3522d7bb8e298): fix(chart): preserve build metadata in pre-upgrade version detection ([@&#8203;npdgm](https://github.com/npdgm)) ### [`v4.0.0`](https://github.com/enix/x509-certificate-exporter/blob/HEAD/CHANGELOG.md#400-alpha3-2026-05-03) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v3.21.0...v4.0.0) ##### ⚠ BREAKING CHANGES - add new metric gates, diags and not\_before off by defaut, - **container:** switch default variant from busybox to scratch (floating tags) - **chart:** make the Service headless by default (no ClusterIP) - the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at <https://charts.enix.io> is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: `helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>`. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so `helm install` / `helm upgrade` will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the `busybox` and `scratch` variants on linux/amd64,arm64,riscv64. Users pulling `*-alpine` tags must switch to one of the new variants — `busybox` is the closest functional replacement (still has a shell), `scratch` is the minimal distroless option. - release 4.0.0-alpha.1 ([410319d](https://github.com/enix/x509-certificate-exporter/commit/410319df3d2a3e5e45fb884a48f77d85e83ef35b)) - release 4.0.0-alpha.1 ([3f5d581](https://github.com/enix/x509-certificate-exporter/commit/3f5d581ae8b9c04ec30b24c90fa0835326b13d27)) - release 4.0.0-alpha.2 ([c43ed24](https://github.com/enix/x509-certificate-exporter/commit/c43ed24bd81a3d72ef463fcfa3b759a627fc9906)) - release 4.0.0-alpha.3 ([39d54d6](https://github.com/enix/x509-certificate-exporter/commit/39d54d62289867c5ae1e48ac8a305e2427045a64)) ##### Features - add new metric gates, diags and not\_before off by defaut, ([a719113](https://github.com/enix/x509-certificate-exporter/commit/a719113cb832c801c381abf78abb71053002214a)) - add opt-in flag to skip symlinks ([85c97e3](https://github.com/enix/x509-certificate-exporter/commit/85c97e38376aee029c6ec8f2cc2ebafb27afa46a)) - **build:** bump all Go dependencies ([fc3bff2](https://github.com/enix/x509-certificate-exporter/commit/fc3bff2ec35fcfad79b38e829cf9a4e39bc6a2c7)) - **build:** bump all Go dependencies ([e3b6c74](https://github.com/enix/x509-certificate-exporter/commit/e3b6c7440cd72ea4ec8f3d1314e48f66644999c3)) - **build:** bump Go to version 1.26.1 ([06d47be](https://github.com/enix/x509-certificate-exporter/commit/06d47becb7eb64bf6ae340ad25c171cf28f82022)) - **build:** bump Golang to version 1.20.7 ([f2a7a19](https://github.com/enix/x509-certificate-exporter/commit/f2a7a19055cd1b636928f0a71a2acbfa35c19982)) - **build:** bump Golang to version 1.21 ([4014073](https://github.com/enix/x509-certificate-exporter/commit/401407308f76e36d5e46320e199e2e650a9a6f80)) - **build:** bump Golang to version 1.21.6 ([a800033](https://github.com/enix/x509-certificate-exporter/commit/a8000336422fcdb8dc32e8aa2b76948290686fda)) - **build:** bump Golang to version 1.21.8 ([05582fc](https://github.com/enix/x509-certificate-exporter/commit/05582fc90a659b51b59b387824bb1201148274c9)) - **build:** bump Golang to version 1.21.9 ([61a0f71](https://github.com/enix/x509-certificate-exporter/commit/61a0f7155d2d315145b4fd1926a392a1bf5ffb77)) - **build:** bump Golang to version 1.22.2 ([8f15013](https://github.com/enix/x509-certificate-exporter/commit/8f1501353609644b9d1e93eba0548666c47df51f)) - **build:** bump Golang to version 1.22.5 ([956074c](https://github.com/enix/x509-certificate-exporter/commit/956074c9290b2992645c5df8f850e615279251f2)) - **build:** bump Golang to version 1.23.0 ([862481b](https://github.com/enix/x509-certificate-exporter/commit/862481bb51fac6c5fb8c73ee2c484ea66e7b2a87)) - **build:** bump Golang to version 1.23.1 ([082a818](https://github.com/enix/x509-certificate-exporter/commit/082a818fc38798e869d4ccc425e29754375a5339)) - **build:** bump Golang to version 1.23.2 ([756827c](https://github.com/enix/x509-certificate-exporter/commit/756827c6ac17ce7f7f64c7f68118c7e0a9d43074)) - **build:** bump Golang to version 1.23.4 ([1d90a66](https://github.com/enix/x509-certificate-exporter/commit/1d90a66ebb80ba0d86d9c3ca51f057ea8229f64f)) - **build:** publish OpenVEX documents for new releases ([1ed09e5](https://github.com/enix/x509-certificate-exporter/commit/1ed09e50a2be75b91e8dcbd64536c1236cf40368)) - **build:** publish SBOM documents for new releases ([3bf4f4a](https://github.com/enix/x509-certificate-exporter/commit/3bf4f4ac39b1302f0527772cd4d4a3493adedb79)) - **build:** release FreeBSD binaries for RISC-V ([0b8db06](https://github.com/enix/x509-certificate-exporter/commit/0b8db06f9809018ec878eaa51a02250074fc45a3)) - **build:** upgrade to golang 1.19 ([3916d18](https://github.com/enix/x509-certificate-exporter/commit/3916d18e575bd026b00566a6ce631b96f125b0d3)) - **build:** upgrade to golang 1.20 ([16429b9](https://github.com/enix/x509-certificate-exporter/commit/16429b9238badc3be550dfbed7fe44406dc6d6e3)) - **chart:** make the Service headless by default (no ClusterIP) ([b1d5b5c](https://github.com/enix/x509-certificate-exporter/commit/b1d5b5cbe9f23b4080661455b07110dcafa5c002)) - **chart:** remove support for legacy apiVersion (k8s < 1.16) ([7f560fd](https://github.com/enix/x509-certificate-exporter/commit/7f560fd8371fafee4c00163ec6316c8cbd401ac6)) - **charts:** add expose-secret-label parameter to exporter deployment ([905f789](https://github.com/enix/x509-certificate-exporter/commit/905f7895433f75f8c938f80ec0e18354c18c85af)) - **chart:** satisfy PSA restricted profile and OpenShift restricted-v2 SCC ([3d8b935](https://github.com/enix/x509-certificate-exporter/commit/3d8b935f2e6b3c3cf6bc93376996b3cf8fa9cb21)) - **charts:** configurable probes with values ([2f58ca0](https://github.com/enix/x509-certificate-exporter/commit/2f58ca05ebf912b24b97a3fa1c81d9b9818956f1)) - **chart:** support image digest pinning across all images ([fd81d79](https://github.com/enix/x509-certificate-exporter/commit/fd81d79a171616bf1acb3af9e67aa0b1d1c58baa)) - configurable burst and QPS in k8s client ([e002b89](https://github.com/enix/x509-certificate-exporter/commit/e002b89d281261d25b227ab99558a36d4fc2a9c6)) - **container:** bump Alpine base image to 3.17.0 ([e311864](https://github.com/enix/x509-certificate-exporter/commit/e311864d8bae7dc81c25ec0a320eeeeb854a4446)) - **container:** bump Alpine base image to 3.18.2 ([53ede98](https://github.com/enix/x509-certificate-exporter/commit/53ede98e503028ab4cd7e37552f6d6afdc17495c)) - **container:** bump Alpine base image to version 3.17.3 ([de23f78](https://github.com/enix/x509-certificate-exporter/commit/de23f78fbda6c01540d8281d68b0866f0e8d2272)) - **container:** bump Alpine base image to version 3.18.3 ([1d089c6](https://github.com/enix/x509-certificate-exporter/commit/1d089c68cf443e6c32f382626e2e0c288684910d)) - **container:** bump Alpine base image to version 3.19.0 ([fc71664](https://github.com/enix/x509-certificate-exporter/commit/fc71664ac13cc90294ac9043668b0facaca11c53)) - **container:** bump Alpine base image to version 3.19.1 ([9d0f7b5](https://github.com/enix/x509-certificate-exporter/commit/9d0f7b5585f9b50741c4ec6befa237b9da914c30)) - **container:** bump Alpine base image to version 3.20.1 ([500829e](https://github.com/enix/x509-certificate-exporter/commit/500829e5cde81e0dedfd03896ca5e496e3301c2b)) - **container:** bump Alpine base image to version 3.20.2 ([3d2904a](https://github.com/enix/x509-certificate-exporter/commit/3d2904aa0b0cd49dcf2174fb624b27c5f62b9914)) - **container:** bump Alpine base image to version 3.20.2 ([1738e29](https://github.com/enix/x509-certificate-exporter/commit/1738e298e643579ab25d40388795582fca11833f)) - **container:** bump Alpine base image to version 3.21.0 ([476b093](https://github.com/enix/x509-certificate-exporter/commit/476b09364c9429a67d1a1c484448c871e852a08d)) - **container:** bump Alpine base image to version 3.22.0 ([e0511a0](https://github.com/enix/x509-certificate-exporter/commit/e0511a0a483bd91720be62250562c667101300ec)) - **container:** bump Alpine base image version to 3.23.3 ([29c9c9a](https://github.com/enix/x509-certificate-exporter/commit/29c9c9af0274c59573483563e9aed2d281cfaff8)) - **container:** bump Busybox base image to version 1.36 ([29464ca](https://github.com/enix/x509-certificate-exporter/commit/29464caab5d3d8584f4c46dd30e9339b393afa8b)) - **container:** bump Busybox base image to version 1.36.1 ([8201737](https://github.com/enix/x509-certificate-exporter/commit/8201737a8ac37fa59b24c1165b9e03ad52d4e17a)) - **container:** bump Busybox base image to version 1.37.0 ([bf1f613](https://github.com/enix/x509-certificate-exporter/commit/bf1f61308c143e18b849615b015822860d00fe73)) - **container:** images for RISC-V now track Alpine stable ([eb7752a](https://github.com/enix/x509-certificate-exporter/commit/eb7752a93072b3d52d0f7d0e504b3d70e6fbd663)) - **container:** publish images to GitHub Registry (GHCR) ([26f924d](https://github.com/enix/x509-certificate-exporter/commit/26f924dd44fb76eecd12ab69bef2676606da42b0)) - **container:** switch Busybox images to glibc flavor (fix for RISC-V) ([8f97b98](https://github.com/enix/x509-certificate-exporter/commit/8f97b98c862f83d0c25c2994942b1ea90c6459da)) - **container:** switch default variant from busybox to scratch (floating tags) ([5ef7b43](https://github.com/enix/x509-certificate-exporter/commit/5ef7b43913287d37b32a390e5bb2972706c51a83)) - **container:** switch to stable Alpine base images for RISC-V ([92860e2](https://github.com/enix/x509-certificate-exporter/commit/92860e287a63d823c5347b2a78bff5d331800c06)) - **deploy,chart:** make metricRelabelings configurable in ServiceMonitor and PodMonitor ([6f81197](https://github.com/enix/x509-certificate-exporter/commit/6f8119721053fcbcc7c652de5622ac7f838cb771)) - **exporter:** ability to expose k8s labels as prometheus metrics labels ([cee171c](https://github.com/enix/x509-certificate-exporter/commit/cee171c4e49e5964ea12fa9cdce0aff064a908e0)) - **exporter:** add auto tuning of GC memory limit (automemlimit) ([cc3b0c0](https://github.com/enix/x509-certificate-exporter/commit/cc3b0c074b76a4e8e8730a2ff52c70dc3f410f4b)) - **exporter:** use `automaxprocs` to limit threads count ([efd7a6e](https://github.com/enix/x509-certificate-exporter/commit/efd7a6eebcb03f99f34563be306a1629f3514ded)) - globbing support for -d ([cbebdde](https://github.com/enix/x509-certificate-exporter/commit/cbebdde4b57b02f118c1fcc89ef92b9550680e34)) - globbing support for -f option ([7fa2298](https://github.com/enix/x509-certificate-exporter/commit/7fa2298724fe92ce9da656ae2bc52e0e3f83812c)) - globbing support for -k ([30b406e](https://github.com/enix/x509-certificate-exporter/commit/30b406e5d21204335dbb32e58ae0a3075f9c385f)) - **helm:** add deployment and daemonSet annotations ([5d81768](https://github.com/enix/x509-certificate-exporter/commit/5d817685e7de515c756be213a34a71bca75dfe9e)) - **helm:** add the Grafana dashboard ([f145ffc](https://github.com/enix/x509-certificate-exporter/commit/f145ffc4d08b9872fe44bd7a4cc53b967ce3a4e8)), closes [#&#8203;136](https://github.com/enix/x509-certificate-exporter/issues/136) - **helm:** added extraArgs ([d2466a1](https://github.com/enix/x509-certificate-exporter/commit/d2466a1d836d45641ee912a13abc92b96f55f73f)) - **helm:** bump kube-rbac-proxy to v0.13.1 and pull new repository ([412f225](https://github.com/enix/x509-certificate-exporter/commit/412f2259f2e25c1ad1565753f27abd0b60076017)) - **helm:** do not use a headless Service by default ([a5d2bf8](https://github.com/enix/x509-certificate-exporter/commit/a5d2bf8714db30ea2707572148930cdbc4d03125)), closes [#&#8203;50](https://github.com/enix/x509-certificate-exporter/issues/50) - **helm:** increase CPU limits for all containers ([902a45e](https://github.com/enix/x509-certificate-exporter/commit/902a45e03a6532ca84e41256d97ee731fe77dcd8)) - **helm:** introduce `extraDeployVerbatim` to skip templating engine ([8b88740](https://github.com/enix/x509-certificate-exporter/commit/8b88740badfda8a55bf566591f0008c1557b4e9a)) - **helm:** make revisionHistoryLimit configurable ([6fc58ab](https://github.com/enix/x509-certificate-exporter/commit/6fc58abbdb5f8393cf4b32827739effd8ee30f59)) - **helm:** mount of additional volumes ([c3430d4](https://github.com/enix/x509-certificate-exporter/commit/c3430d441c4350e2bd3b6f58e372296cc2c779c6)) - **helm:** new value to override release namespace ([4c34353](https://github.com/enix/x509-certificate-exporter/commit/4c343538c32cc6774086d0b4e3c71bd211cdc944)) - **helm:** new value to set HostPath type for DaemonSet volumes ([290094a](https://github.com/enix/x509-certificate-exporter/commit/290094a8d50a78749801d7c6a81f006aed1d5bba)) - **helm:** options to set the priority class ([f956d29](https://github.com/enix/x509-certificate-exporter/commit/f956d292103c22c142c6df63c5231bb8891c8484)) - **helm:** report time left in expiration alert ([45d9b15](https://github.com/enix/x509-certificate-exporter/commit/45d9b15b6532faab4819fa64efdb3ab9e99fa945)) - **helm:** support custom TLS config ([ff99541](https://github.com/enix/x509-certificate-exporter/commit/ff9954126b5ecea0e550d013554c957e8b93f8aa)) - **helm:** support for "web configuration" (HTTP auth and TLS) ([0bc9f17](https://github.com/enix/x509-certificate-exporter/commit/0bc9f177d66eeb3e23febe1d69fd52a14f3228d5)) - **helm:** switch to OCI artifacts (still tracked by Helm repository) ([c9fd9d0](https://github.com/enix/x509-certificate-exporter/commit/c9fd9d0e646a45055f2ae9742c7caa90d285d9a8)) - **helm:** upgrade hook to handle immutable changes with 3.20.0 ([6fe7f4a](https://github.com/enix/x509-certificate-exporter/commit/6fe7f4a26da26629ce6fe83dee646d7000fee3d5)) - include or exclude namespaces to watch based on their labels ([fc47f9b](https://github.com/enix/x509-certificate-exporter/commit/fc47f9b1abc7741b350c8408ca50a33f1eb12a7c)) - rewrite from scratch with new architecture and toolchain ([b4f3f84](https://github.com/enix/x509-certificate-exporter/commit/b4f3f84086a9feed9f32da678ffe7af2eda1a4fb)) - symlink path mapping and containment ([bbd179c](https://github.com/enix/x509-certificate-exporter/commit/bbd179c05b643d1221e490d1fd2ccb0bae65e574)) - unify log format to use structured logs only ([645a3ca](https://github.com/enix/x509-certificate-exporter/commit/645a3cab43c5a97ee26e0d69bd4edb461e933202)) ##### Bug Fixes - bundle errors not reaching the stats UI ([cbd2724](https://github.com/enix/x509-certificate-exporter/commit/cbd272456ffdfe9f12ccbc4850b94cf3a7f90336)) - **chart:** add `app.kubernetes.io/component` label to identify different resources ([dad3408](https://github.com/enix/x509-certificate-exporter/commit/dad3408f5403fe55c824e17424429e8b14c3d80e)) - **ci:** print line numbers for golang-ci-lint ([e2d8253](https://github.com/enix/x509-certificate-exporter/commit/e2d82531dfeac82d99787c2606ab0242ea47f405)) - clusterlevel resources dont need namespaces ([4cbacc6](https://github.com/enix/x509-certificate-exporter/commit/4cbacc61be5e79fec0cbf1b711330fd4ff3d2a4f)) - consider no match as a read error ([8d11d1a](https://github.com/enix/x509-certificate-exporter/commit/8d11d1a0cc1ffe06798110dabb0e19a3b24674da)) - **deploy,chart:** remove cpu limits for secretsExporter and hostPathsExporter ([a9d4a86](https://github.com/enix/x509-certificate-exporter/commit/a9d4a86ce60543be47824386b2d8ff94b7f721eb)) - don't delay server initialization while caches are populated ([0bf10f5](https://github.com/enix/x509-certificate-exporter/commit/0bf10f5f5a3e4159ac6e02c2c49877cea9224c80)) - don't list all namespaces if not needed for filtering ([d5adc63](https://github.com/enix/x509-certificate-exporter/commit/d5adc6339425381e332832f4e57c7c60b907104d)) - **helm:** allow customization of httpGet heathchecks for TLS users ([11d8af4](https://github.com/enix/x509-certificate-exporter/commit/11d8af41e6dc685344114d10a9cb7c0cdc5adf78)), closes [#&#8203;445](https://github.com/enix/x509-certificate-exporter/issues/445) - **helm:** allow secretsExporter.replicas to be set to 0 ([bdcf627](https://github.com/enix/x509-certificate-exporter/commit/bdcf6275c5bc15c0aaaac4dd0ac953212f7315cc)) - **helm:** DaemonSets inherit global podAnnotations ([1a670ed](https://github.com/enix/x509-certificate-exporter/commit/1a670ed3012050d17237f15df9309db3d9bac071)), closes [#&#8203;106](https://github.com/enix/x509-certificate-exporter/issues/106) - **helm:** extraVolumeMounts omitted if webConfiguration not set ([45a55f0](https://github.com/enix/x509-certificate-exporter/commit/45a55f0cd96ec475367f64737b2b6481084714fd)) - **helm:** grammar in Prometheus alerts descriptions ([7803a4b](https://github.com/enix/x509-certificate-exporter/commit/7803a4b8b762b034c7e7df1e0e40479856647f11)) - **helm:** namespace override value in DaemonSet template ([26d6a88](https://github.com/enix/x509-certificate-exporter/commit/26d6a883c39c7d42e9463ba0321ff037361f228a)) - **helm:** resolve redundant double slashes (//) in certificate monitoring paths ([ce27399](https://github.com/enix/x509-certificate-exporter/commit/ce27399b4c354ed25c02f5828a82ca6c5b30e3be)) - **kubernetes:** fetch ConfigMaps when keys are configured ([77f58c1](https://github.com/enix/x509-certificate-exporter/commit/77f58c10c84021936778adf9f58f833baeddf481)), closes [#&#8203;368](https://github.com/enix/x509-certificate-exporter/issues/368) - linter issues ([c2707f5](https://github.com/enix/x509-certificate-exporter/commit/c2707f53243e09f444310dfd5099079d8723bd54)) - properly resolve relative syminks ([a59a7ab](https://github.com/enix/x509-certificate-exporter/commit/a59a7ab7393137a385434640fce695afda1719f0)) - properly resolve symlink paths ([#&#8203;86](https://github.com/enix/x509-certificate-exporter/issues/86)) ([beb88b3](https://github.com/enix/x509-certificate-exporter/commit/beb88b34b490add4015c8b380d975eb9cb340d44)) - shrinkSecret to actually shrink ([3bb2ed2](https://github.com/enix/x509-certificate-exporter/commit/3bb2ed2ac09853458f887bf1a9659ae921a9d255)) - use doublestar fork to properly resolve symlinks ([f7944e4](https://github.com/enix/x509-certificate-exporter/commit/f7944e4b41abefae9b61f1327e7f3416008fcfe6)) ##### Documentation - **3to4:** fix codeql warning on typescript syntax ([584ecdb](https://github.com/enix/x509-certificate-exporter/commit/584ecdb351e80634b3a369354221b92822ef9e0a)) - add a v3 to v4 migration guide ([da6ba51](https://github.com/enix/x509-certificate-exporter/commit/da6ba51d937d09221b55dc09deafc4a54a32fa49)) - add security policy with reporting channels and scope ([146d4c0](https://github.com/enix/x509-certificate-exporter/commit/146d4c0c3149b86b370b60dd00f3a75b904e2c54)) - add v3-to-v4 migration guide ([d93d187](https://github.com/enix/x509-certificate-exporter/commit/d93d1879fc36f058248a3db31ce3dd18cf2a8d1b)) - **assets:** new alternative logo ([0a7d655](https://github.com/enix/x509-certificate-exporter/commit/0a7d655048928e1b66cccb973907f43f83745f47)) - **chart:** add a menu ([1212b90](https://github.com/enix/x509-certificate-exporter/commit/1212b902d53de19b0068d6b4d23be11199c6af28)) - **chart:** fix image URLs in README ([79e927e](https://github.com/enix/x509-certificate-exporter/commit/79e927ebb2d7538bb9858e88a62b0c3bed93d086)) - **chart:** link to the hardening guide ([1a39d3f](https://github.com/enix/x509-certificate-exporter/commit/1a39d3f736fc017d18c60ffdefa9b3d7411a75fd)) - **chart:** remove old notes ; link to curated starter values ([a393d5a](https://github.com/enix/x509-certificate-exporter/commit/a393d5aaa5d92ee332dc59d14d0f3161531ac7e8)) - **chart:** run helm-docs to update values in README.md ([3b930c7](https://github.com/enix/x509-certificate-exporter/commit/3b930c792cd8318abe65dd1683a6dd05b2720018)) - **chart:** update README with new project template ; migration to v4 ([a90955b](https://github.com/enix/x509-certificate-exporter/commit/a90955b143d806492cce100b1b7735ef33283d7e)) - clarify that hostPathsExporter was implemented for RKE ([bb1dd92](https://github.com/enix/x509-certificate-exporter/commit/bb1dd927b38ce58b139878369521aaaf9e8f4739)) - dedicated metrics reference under docs/ ([6b5078c](https://github.com/enix/x509-certificate-exporter/commit/6b5078cd062e27dcf1cab0c7c072cbd82cdd7542)) - **examples:** add curated values.yaml starters for generic and per-distro setups ([297fd74](https://github.com/enix/x509-certificate-exporter/commit/297fd7489d684188acfa648d3a6773d1b9d6367a)) - Fix Linux deploy README ([d3d81e7](https://github.com/enix/x509-certificate-exporter/commit/d3d81e798deef9c40d0379527f96957700a6565f)) - fix markdown linting issues ([5bcb838](https://github.com/enix/x509-certificate-exporter/commit/5bcb838941fe30dca0b9d8b556daa9a6fc207795)) - fix typo ([78d54a7](https://github.com/enix/x509-certificate-exporter/commit/78d54a757c3c1790ede2689080f2386e37b6ed4f)) - **helm:** emojis not requiring VS16 for colors in anchrored headers ([3646831](https://github.com/enix/x509-certificate-exporter/commit/364683145993d3bd1cf276c8f56e7e516c284d32)) - **helm:** fix english texts ([6e033bd](https://github.com/enix/x509-certificate-exporter/commit/6e033bd18d733340014fec981b6d7721c3b8f82a)) - **helm:** fix value description and run helm-docs to update README ([dec9be8](https://github.com/enix/x509-certificate-exporter/commit/dec9be8a67abb799952e2e57e422458c9374c9a9)) - **helm:** fix values comment to pass helm linter ([d907077](https://github.com/enix/x509-certificate-exporter/commit/d90707708a167ee9097aaccd4da13050a46c5dcc)) - **helm:** refactor the concepts section ([e0b9d71](https://github.com/enix/x509-certificate-exporter/commit/e0b9d7187a8ad5c56c5f204ec762362800e2a165)) - **helm:** strip VS16 from emojis to fix GitHub anchors ([2f19db6](https://github.com/enix/x509-certificate-exporter/commit/2f19db62e4a4e8e174110c19a44f44cd90c773cb)) - **helm:** update values documentation in README ([c8395dd](https://github.com/enix/x509-certificate-exporter/commit/c8395dd75e858ed7c5362de572f4ea1c0e5d149f)) - **helm:** update values in README ([de59c88](https://github.com/enix/x509-certificate-exporter/commit/de59c885f023f7d41f50a8615a226a8328c9a273)) - **helm:** use Github generated anchror slugs for headings with VS16 emojis ([4485844](https://github.com/enix/x509-certificate-exporter/commit/448584425492f390297e8b974767db77e12b3dbf)) - **metrics:** new gates ; fixed labels ; better promql snippets ; cardinality clarification ([c28eb69](https://github.com/enix/x509-certificate-exporter/commit/c28eb69fdac472b49f9a972fd0f808958d9409d7)) - new page with frequent questions ([ba3bd51](https://github.com/enix/x509-certificate-exporter/commit/ba3bd512071bce439545ea784f645bdd413a3de1)) - **README:** add logo and refactor badges ([efe4de8](https://github.com/enix/x509-certificate-exporter/commit/efe4de88a9cd5b7f2d4268a93c775a9ddcd6e0e3)) - **README:** fix broken link for sigstore ; better badge label ([30d3015](https://github.com/enix/x509-certificate-exporter/commit/30d301500f61a5e858b6eba92b3aa5efb6a77aec)) - **README:** fix links to the github project ([0a780d9](https://github.com/enix/x509-certificate-exporter/commit/0a780d941009db3128ed38e9f59000a3c18c62a0)) - **README:** new sections and markdown readability ([1df03e4](https://github.com/enix/x509-certificate-exporter/commit/1df03e450e79fc35e77ad82e04e01c0c03d25fd8)) - **readme:** refresh file with helm-docs ([71ff80c](https://github.com/enix/x509-certificate-exporter/commit/71ff80c6bb66cffb3d3b8b5d68b970b5a1dc90af)) - **README:** relocate hardening to a dedicated page ; add a menu ([30d1174](https://github.com/enix/x509-certificate-exporter/commit/30d1174718c8da2a58e6bdc8891911f4938ff6e4)) - relocate grafana dashboard screenshot ([9cbeb94](https://github.com/enix/x509-certificate-exporter/commit/9cbeb941ee51c45e1d8f2ab19098735d3399325b)) - **SECURITY:** drop schedule ([7d68bd5](https://github.com/enix/x509-certificate-exporter/commit/7d68bd5e37c9df316caf3265d0d1ff7ab68b98bd)) - **SECURITY:** restore timeline ([b45520f](https://github.com/enix/x509-certificate-exporter/commit/b45520f7ff0d3f738391912734054eb6d1d85764)) - **v3-to-v4:** clarify the deprecation of CLI flags ([3dd744b](https://github.com/enix/x509-certificate-exporter/commit/3dd744b8569517d46b57321edbefd35f8b48c3b7)) - **v3-to-v4:** drop hallucinated content ([aa87503](https://github.com/enix/x509-certificate-exporter/commit/aa8750399ae0d112253d280a8b26212faed04221)) - warning about the relation between getLabels & compareCertificates ([563028c](https://github.com/enix/x509-certificate-exporter/commit/563028cb8cbfd1ac896506652a8cb3a5abab1710)) ### [`v3.21.0`](https://github.com/enix/x509-certificate-exporter/blob/HEAD/CHANGELOG.md#400-alpha3-2026-05-03) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v3.20.1...v3.21.0) ##### ⚠ BREAKING CHANGES - add new metric gates, diags and not\_before off by defaut, - **container:** switch default variant from busybox to scratch (floating tags) - **chart:** make the Service headless by default (no ClusterIP) - the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at <https://charts.enix.io> is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: `helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>`. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so `helm install` / `helm upgrade` will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the `busybox` and `scratch` variants on linux/amd64,arm64,riscv64. Users pulling `*-alpine` tags must switch to one of the new variants — `busybox` is the closest functional replacement (still has a shell), `scratch` is the minimal distroless option. - release 4.0.0-alpha.1 ([410319d](https://github.com/enix/x509-certificate-exporter/commit/410319df3d2a3e5e45fb884a48f77d85e83ef35b)) - release 4.0.0-alpha.1 ([3f5d581](https://github.com/enix/x509-certificate-exporter/commit/3f5d581ae8b9c04ec30b24c90fa0835326b13d27)) - release 4.0.0-alpha.2 ([c43ed24](https://github.com/enix/x509-certificate-exporter/commit/c43ed24bd81a3d72ef463fcfa3b759a627fc9906)) - release 4.0.0-alpha.3 ([39d54d6](https://github.com/enix/x509-certificate-exporter/commit/39d54d62289867c5ae1e48ac8a305e2427045a64)) ##### Features - add new metric gates, diags and not\_before off by defaut, ([a719113](https://github.com/enix/x509-certificate-exporter/commit/a719113cb832c801c381abf78abb71053002214a)) - add opt-in flag to skip symlinks ([85c97e3](https://github.com/enix/x509-certificate-exporter/commit/85c97e38376aee029c6ec8f2cc2ebafb27afa46a)) - **build:** bump all Go dependencies ([fc3bff2](https://github.com/enix/x509-certificate-exporter/commit/fc3bff2ec35fcfad79b38e829cf9a4e39bc6a2c7)) - **build:** bump all Go dependencies ([e3b6c74](https://github.com/enix/x509-certificate-exporter/commit/e3b6c7440cd72ea4ec8f3d1314e48f66644999c3)) - **build:** bump Go to version 1.26.1 ([06d47be](https://github.com/enix/x509-certificate-exporter/commit/06d47becb7eb64bf6ae340ad25c171cf28f82022)) - **build:** bump Golang to version 1.20.7 ([f2a7a19](https://github.com/enix/x509-certificate-exporter/commit/f2a7a19055cd1b636928f0a71a2acbfa35c19982)) - **build:** bump Golang to version 1.21 ([4014073](https://github.com/enix/x509-certificate-exporter/commit/401407308f76e36d5e46320e199e2e650a9a6f80)) - **build:** bump Golang to version 1.21.6 ([a800033](https://github.com/enix/x509-certificate-exporter/commit/a8000336422fcdb8dc32e8aa2b76948290686fda)) - **build:** bump Golang to version 1.21.8 ([05582fc](https://github.com/enix/x509-certificate-exporter/commit/05582fc90a659b51b59b387824bb1201148274c9)) - **build:** bump Golang to version 1.21.9 ([61a0f71](https://github.com/enix/x509-certificate-exporter/commit/61a0f7155d2d315145b4fd1926a392a1bf5ffb77)) - **build:** bump Golang to version 1.22.2 ([8f15013](https://github.com/enix/x509-certificate-exporter/commit/8f1501353609644b9d1e93eba0548666c47df51f)) - **build:** bump Golang to version 1.22.5 ([956074c](https://github.com/enix/x509-certificate-exporter/commit/956074c9290b2992645c5df8f850e615279251f2)) - **build:** bump Golang to version 1.23.0 ([862481b](https://github.com/enix/x509-certificate-exporter/commit/862481bb51fac6c5fb8c73ee2c484ea66e7b2a87)) - **build:** bump Golang to version 1.23.1 ([082a818](https://github.com/enix/x509-certificate-exporter/commit/082a818fc38798e869d4ccc425e29754375a5339)) - **build:** bump Golang to version 1.23.2 ([756827c](https://github.com/enix/x509-certificate-exporter/commit/756827c6ac17ce7f7f64c7f68118c7e0a9d43074)) - **build:** bump Golang to version 1.23.4 ([1d90a66](https://github.com/enix/x509-certificate-exporter/commit/1d90a66ebb80ba0d86d9c3ca51f057ea8229f64f)) - **build:** publish OpenVEX documents for new releases ([1ed09e5](https://github.com/enix/x509-certificate-exporter/commit/1ed09e50a2be75b91e8dcbd64536c1236cf40368)) - **build:** publish SBOM documents for new releases ([3bf4f4a](https://github.com/enix/x509-certificate-exporter/commit/3bf4f4ac39b1302f0527772cd4d4a3493adedb79)) - **build:** release FreeBSD binaries for RISC-V ([0b8db06](https://github.com/enix/x509-certificate-exporter/commit/0b8db06f9809018ec878eaa51a02250074fc45a3)) - **build:** upgrade to golang 1.19 ([3916d18](https://github.com/enix/x509-certificate-exporter/commit/3916d18e575bd026b00566a6ce631b96f125b0d3)) - **build:** upgrade to golang 1.20 ([16429b9](https://github.com/enix/x509-certificate-exporter/commit/16429b9238badc3be550dfbed7fe44406dc6d6e3)) - **chart:** make the Service headless by default (no ClusterIP) ([b1d5b5c](https://github.com/enix/x509-certificate-exporter/commit/b1d5b5cbe9f23b4080661455b07110dcafa5c002)) - **chart:** remove support for legacy apiVersion (k8s < 1.16) ([7f560fd](https://github.com/enix/x509-certificate-exporter/commit/7f560fd8371fafee4c00163ec6316c8cbd401ac6)) - **charts:** add expose-secret-label parameter to exporter deployment ([905f789](https://github.com/enix/x509-certificate-exporter/commit/905f7895433f75f8c938f80ec0e18354c18c85af)) - **chart:** satisfy PSA restricted profile and OpenShift restricted-v2 SCC ([3d8b935](https://github.com/enix/x509-certificate-exporter/commit/3d8b935f2e6b3c3cf6bc93376996b3cf8fa9cb21)) - **charts:** configurable probes with values ([2f58ca0](https://github.com/enix/x509-certificate-exporter/commit/2f58ca05ebf912b24b97a3fa1c81d9b9818956f1)) - **chart:** support image digest pinning across all images ([fd81d79](https://github.com/enix/x509-certificate-exporter/commit/fd81d79a171616bf1acb3af9e67aa0b1d1c58baa)) - configurable burst and QPS in k8s client ([e002b89](https://github.com/enix/x509-certificate-exporter/commit/e002b89d281261d25b227ab99558a36d4fc2a9c6)) - **container:** bump Alpine base image to 3.17.0 ([e311864](https://github.com/enix/x509-certificate-exporter/commit/e311864d8bae7dc81c25ec0a320eeeeb854a4446)) - **container:** bump Alpine base image to 3.18.2 ([53ede98](https://github.com/enix/x509-certificate-exporter/commit/53ede98e503028ab4cd7e37552f6d6afdc17495c)) - **container:** bump Alpine base image to version 3.17.3 ([de23f78](https://github.com/enix/x509-certificate-exporter/commit/de23f78fbda6c01540d8281d68b0866f0e8d2272)) - **container:** bump Alpine base image to version 3.18.3 ([1d089c6](https://github.com/enix/x509-certificate-exporter/commit/1d089c68cf443e6c32f382626e2e0c288684910d)) - **container:** bump Alpine base image to version 3.19.0 ([fc71664](https://github.com/enix/x509-certificate-exporter/commit/fc71664ac13cc90294ac9043668b0facaca11c53)) - **container:** bump Alpine base image to version 3.19.1 ([9d0f7b5](https://github.com/enix/x509-certificate-exporter/commit/9d0f7b5585f9b50741c4ec6befa237b9da914c30)) - **container:** bump Alpine base image to version 3.20.1 ([500829e](https://github.com/enix/x509-certificate-exporter/commit/500829e5cde81e0dedfd03896ca5e496e3301c2b)) - **container:** bump Alpine base image to version 3.20.2 ([3d2904a](https://github.com/enix/x509-certificate-exporter/commit/3d2904aa0b0cd49dcf2174fb624b27c5f62b9914)) - **container:** bump Alpine base image to version 3.20.2 ([1738e29](https://github.com/enix/x509-certificate-exporter/commit/1738e298e643579ab25d40388795582fca11833f)) - **container:** bump Alpine base image to version 3.21.0 ([476b093](https://github.com/enix/x509-certificate-exporter/commit/476b09364c9429a67d1a1c484448c871e852a08d)) - **container:** bump Alpine base image to version 3.22.0 ([e0511a0](https://github.com/enix/x509-certificate-exporter/commit/e0511a0a483bd91720be62250562c667101300ec)) - **container:** bump Alpine base image version to 3.23.3 ([29c9c9a](https://github.com/enix/x509-certificate-exporter/commit/29c9c9af0274c59573483563e9aed2d281cfaff8)) - **container:** bump Busybox base image to version 1.36 ([29464ca](https://github.com/enix/x509-certificate-exporter/commit/29464caab5d3d8584f4c46dd30e9339b393afa8b)) - **container:** bump Busybox base image to version 1.36.1 ([8201737](https://github.com/enix/x509-certificate-exporter/commit/8201737a8ac37fa59b24c1165b9e03ad52d4e17a)) - **container:** bump Busybox base image to version 1.37.0 ([bf1f613](https://github.com/enix/x509-certificate-exporter/commit/bf1f61308c143e18b849615b015822860d00fe73)) - **container:** images for RISC-V now track Alpine stable ([eb7752a](https://github.com/enix/x509-certificate-exporter/commit/eb7752a93072b3d52d0f7d0e504b3d70e6fbd663)) - **container:** publish images to GitHub Registry (GHCR) ([26f924d](https://github.com/enix/x509-certificate-exporter/commit/26f924dd44fb76eecd12ab69bef2676606da42b0)) - **container:** switch Busybox images to glibc flavor (fix for RISC-V) ([8f97b98](https://github.com/enix/x509-certificate-exporter/commit/8f97b98c862f83d0c25c2994942b1ea90c6459da)) - **container:** switch default variant from busybox to scratch (floating tags) ([5ef7b43](https://github.com/enix/x509-certificate-exporter/commit/5ef7b43913287d37b32a390e5bb2972706c51a83)) - **container:** switch to stable Alpine base images for RISC-V ([92860e2](https://github.com/enix/x509-certificate-exporter/commit/92860e287a63d823c5347b2a78bff5d331800c06)) - **deploy,chart:** make metricRelabelings configurable in ServiceMonitor and PodMonitor ([6f81197](https://github.com/enix/x509-certificate-exporter/commit/6f8119721053fcbcc7c652de5622ac7f838cb771)) - **exporter:** ability to expose k8s labels as prometheus metrics labels ([cee171c](https://github.com/enix/x509-certificate-exporter/commit/cee171c4e49e5964ea12fa9cdce0aff064a908e0)) - **exporter:** add auto tuning of GC memory limit (automemlimit) ([cc3b0c0](https://github.com/enix/x509-certificate-exporter/commit/cc3b0c074b76a4e8e8730a2ff52c70dc3f410f4b)) - **exporter:** use `automaxprocs` to limit threads count ([efd7a6e](https://github.com/enix/x509-certificate-exporter/commit/efd7a6eebcb03f99f34563be306a1629f3514ded)) - globbing support for -d ([cbebdde](https://github.com/enix/x509-certificate-exporter/commit/cbebdde4b57b02f118c1fcc89ef92b9550680e34)) - globbing support for -f option ([7fa2298](https://github.com/enix/x509-certificate-exporter/commit/7fa2298724fe92ce9da656ae2bc52e0e3f83812c)) - globbing support for -k ([30b406e](https://github.com/enix/x509-certificate-exporter/commit/30b406e5d21204335dbb32e58ae0a3075f9c385f)) - **helm:** add deployment and daemonSet annotations ([5d81768](https://github.com/enix/x509-certificate-exporter/commit/5d817685e7de515c756be213a34a71bca75dfe9e)) - **helm:** add the Grafana dashboard ([f145ffc](https://github.com/enix/x509-certificate-exporter/commit/f145ffc4d08b9872fe44bd7a4cc53b967ce3a4e8)), closes [#&#8203;136](https://github.com/enix/x509-certificate-exporter/issues/136) - **helm:** added extraArgs ([d2466a1](https://github.com/enix/x509-certificate-exporter/commit/d2466a1d836d45641ee912a13abc92b96f55f73f)) - **helm:** bump kube-rbac-proxy to v0.13.1 and pull new repository ([412f225](https://github.com/enix/x509-certificate-exporter/commit/412f2259f2e25c1ad1565753f27abd0b60076017)) - **helm:** do not use a headless Service by default ([a5d2bf8](https://github.com/enix/x509-certificate-exporter/commit/a5d2bf8714db30ea2707572148930cdbc4d03125)), closes [#&#8203;50](https://github.com/enix/x509-certificate-exporter/issues/50) - **helm:** increase CPU limits for all containers ([902a45e](https://github.com/enix/x509-certificate-exporter/commit/902a45e03a6532ca84e41256d97ee731fe77dcd8)) - **helm:** introduce `extraDeployVerbatim` to skip templating engine ([8b88740](https://github.com/enix/x509-certificate-exporter/commit/8b88740badfda8a55bf566591f0008c1557b4e9a)) - **helm:** make revisionHistoryLimit configurable ([6fc58ab](https://github.com/enix/x509-certificate-exporter/commit/6fc58abbdb5f8393cf4b32827739effd8ee30f59)) - **helm:** mount of additional volumes ([c3430d4](https://github.com/enix/x509-certificate-exporter/commit/c3430d441c4350e2bd3b6f58e372296cc2c779c6)) - **helm:** new value to override release namespace ([4c34353](https://github.com/enix/x509-certificate-exporter/commit/4c343538c32cc6774086d0b4e3c71bd211cdc944)) - **helm:** new value to set HostPath type for DaemonSet volumes ([290094a](https://github.com/enix/x509-certificate-exporter/commit/290094a8d50a78749801d7c6a81f006aed1d5bba)) - **helm:** options to set the priority class ([f956d29](https://github.com/enix/x509-certificate-exporter/commit/f956d292103c22c142c6df63c5231bb8891c8484)) - **helm:** report time left in expiration alert ([45d9b15](https://github.com/enix/x509-certificate-exporter/commit/45d9b15b6532faab4819fa64efdb3ab9e99fa945)) - **helm:** support custom TLS config ([ff99541](https://github.com/enix/x509-certificate-exporter/commit/ff9954126b5ecea0e550d013554c957e8b93f8aa)) - **helm:** support for "web configuration" (HTTP auth and TLS) ([0bc9f17](https://github.com/enix/x509-certificate-exporter/commit/0bc9f177d66eeb3e23febe1d69fd52a14f3228d5)) - **helm:** switch to OCI artifacts (still tracked by Helm repository) ([c9fd9d0](https://github.com/enix/x509-certificate-exporter/commit/c9fd9d0e646a45055f2ae9742c7caa90d285d9a8)) - **helm:** upgrade hook to handle immutable changes with 3.20.0 ([6fe7f4a](https://github.com/enix/x509-certificate-exporter/commit/6fe7f4a26da26629ce6fe83dee646d7000fee3d5)) - include or exclude namespaces to watch based on their labels ([fc47f9b](https://github.com/enix/x509-certificate-exporter/commit/fc47f9b1abc7741b350c8408ca50a33f1eb12a7c)) - rewrite from scratch with new architecture and toolchain ([b4f3f84](https://github.com/enix/x509-certificate-exporter/commit/b4f3f84086a9feed9f32da678ffe7af2eda1a4fb)) - symlink path mapping and containment ([bbd179c](https://github.com/enix/x509-certificate-exporter/commit/bbd179c05b643d1221e490d1fd2ccb0bae65e574)) - unify log format to use structured logs only ([645a3ca](https://github.com/enix/x509-certificate-exporter/commit/645a3cab43c5a97ee26e0d69bd4edb461e933202)) ##### Bug Fixes - bundle errors not reaching the stats UI ([cbd2724](https://github.com/enix/x509-certificate-exporter/commit/cbd272456ffdfe9f12ccbc4850b94cf3a7f90336)) - **chart:** add `app.kubernetes.io/component` label to identify different resources ([dad3408](https://github.com/enix/x509-certificate-exporter/commit/dad3408f5403fe55c824e17424429e8b14c3d80e)) - **ci:** print line numbers for golang-ci-lint ([e2d8253](https://github.com/enix/x509-certificate-exporter/commit/e2d82531dfeac82d99787c2606ab0242ea47f405)) - clusterlevel resources dont need namespaces ([4cbacc6](https://github.com/enix/x509-certificate-exporter/commit/4cbacc61be5e79fec0cbf1b711330fd4ff3d2a4f)) - consider no match as a read error ([8d11d1a](https://github.com/enix/x509-certificate-exporter/commit/8d11d1a0cc1ffe06798110dabb0e19a3b24674da)) - **deploy,chart:** remove cpu limits for secretsExporter and hostPathsExporter ([a9d4a86](https://github.com/enix/x509-certificate-exporter/commit/a9d4a86ce60543be47824386b2d8ff94b7f721eb)) - don't delay server initialization while caches are populated ([0bf10f5](https://github.com/enix/x509-certificate-exporter/commit/0bf10f5f5a3e4159ac6e02c2c49877cea9224c80)) - don't list all namespaces if not needed for filtering ([d5adc63](https://github.com/enix/x509-certificate-exporter/commit/d5adc6339425381e332832f4e57c7c60b907104d)) - **helm:** allow customization of httpGet heathchecks for TLS users ([11d8af4](https://github.com/enix/x509-certificate-exporter/commit/11d8af41e6dc685344114d10a9cb7c0cdc5adf78)), closes [#&#8203;445](https://github.com/enix/x509-certificate-exporter/issues/445) - **helm:** allow secretsExporter.replicas to be set to 0 ([bdcf627](https://github.com/enix/x509-certificate-exporter/commit/bdcf6275c5bc15c0aaaac4dd0ac953212f7315cc)) - **helm:** DaemonSets inherit global podAnnotations ([1a670ed](https://github.com/enix/x509-certificate-exporter/commit/1a670ed3012050d17237f15df9309db3d9bac071)), closes [#&#8203;106](https://github.com/enix/x509-certificate-exporter/issues/106) - **helm:** extraVolumeMounts omitted if webConfiguration not set ([45a55f0](https://github.com/enix/x509-certificate-exporter/commit/45a55f0cd96ec475367f64737b2b6481084714fd)) - **helm:** grammar in Prometheus alerts descriptions ([7803a4b](https://github.com/enix/x509-certificate-exporter/commit/7803a4b8b762b034c7e7df1e0e40479856647f11)) - **helm:** namespace override value in DaemonSet template ([26d6a88](https://github.com/enix/x509-certificate-exporter/commit/26d6a883c39c7d42e9463ba0321ff037361f228a)) - **helm:** resolve redundant double slashes (//) in certificate monitoring paths ([ce27399](https://github.com/enix/x509-certificate-exporter/commit/ce27399b4c354ed25c02f5828a82ca6c5b30e3be)) - **kubernetes:** fetch ConfigMaps when keys are configured ([77f58c1](https://github.com/enix/x509-certificate-exporter/commit/77f58c10c84021936778adf9f58f833baeddf481)), closes [#&#8203;368](https://github.com/enix/x509-certificate-exporter/issues/368) - linter issues ([c2707f5](https://github.com/enix/x509-certificate-exporter/commit/c2707f53243e09f444310dfd5099079d8723bd54)) - properly resolve relative syminks ([a59a7ab](https://github.com/enix/x509-certificate-exporter/commit/a59a7ab7393137a385434640fce695afda1719f0)) - properly resolve symlink paths ([#&#8203;86](https://github.com/enix/x509-certificate-exporter/issues/86)) ([beb88b3](https://github.com/enix/x509-certificate-exporter/commit/beb88b34b490add4015c8b380d975eb9cb340d44)) - shrinkSecret to actually shrink ([3bb2ed2](https://github.com/enix/x509-certificate-exporter/commit/3bb2ed2ac09853458f887bf1a9659ae921a9d255)) - use doublestar fork to properly resolve symlinks ([f7944e4](https://github.com/enix/x509-certificate-exporter/commit/f7944e4b41abefae9b61f1327e7f3416008fcfe6)) ##### Documentation - **3to4:** fix codeql warning on typescript syntax ([584ecdb](https://github.com/enix/x509-certificate-exporter/commit/584ecdb351e80634b3a369354221b92822ef9e0a)) - add a v3 to v4 migration guide ([da6ba51](https://github.com/enix/x509-certificate-exporter/commit/da6ba51d937d09221b55dc09deafc4a54a32fa49)) - add security policy with reporting channels and scope ([146d4c0](https://github.com/enix/x509-certificate-exporter/commit/146d4c0c3149b86b370b60dd00f3a75b904e2c54)) - add v3-to-v4 migration guide ([d93d187](https://github.com/enix/x509-certificate-exporter/commit/d93d1879fc36f058248a3db31ce3dd18cf2a8d1b)) - **assets:** new alternative logo ([0a7d655](https://github.com/enix/x509-certificate-exporter/commit/0a7d655048928e1b66cccb973907f43f83745f47)) - **chart:** add a menu ([1212b90](https://github.com/enix/x509-certificate-exporter/commit/1212b902d53de19b0068d6b4d23be11199c6af28)) - **chart:** fix image URLs in README ([79e927e](https://github.com/enix/x509-certificate-exporter/commit/79e927ebb2d7538bb9858e88a62b0c3bed93d086)) - **chart:** link to the hardening guide ([1a39d3f](https://github.com/enix/x509-certificate-exporter/commit/1a39d3f736fc017d18c60ffdefa9b3d7411a75fd)) - **chart:** remove old notes ; link to curated starter values ([a393d5a](https://github.com/enix/x509-certificate-exporter/commit/a393d5aaa5d92ee332dc59d14d0f3161531ac7e8)) - **chart:** run helm-docs to update values in README.md ([3b930c7](https://github.com/enix/x509-certificate-exporter/commit/3b930c792cd8318abe65dd1683a6dd05b2720018)) - **chart:** update README with new project template ; migration to v4 ([a90955b](https://github.com/enix/x509-certificate-exporter/commit/a90955b143d806492cce100b1b7735ef33283d7e)) - clarify that hostPathsExporter was implemented for RKE ([bb1dd92](https://github.com/enix/x509-certificate-exporter/commit/bb1dd927b38ce58b139878369521aaaf9e8f4739)) - dedicated metrics reference under docs/ ([6b5078c](https://github.com/enix/x509-certificate-exporter/commit/6b5078cd062e27dcf1cab0c7c072cbd82cdd7542)) - **examples:** add curated values.yaml starters for generic and per-distro setups ([297fd74](https://github.com/enix/x509-certificate-exporter/commit/297fd7489d684188acfa648d3a6773d1b9d6367a)) - Fix Linux deploy README ([d3d81e7](https://github.com/enix/x509-certificate-exporter/commit/d3d81e798deef9c40d0379527f96957700a6565f)) - fix markdown linting issues ([5bcb838](https://github.com/enix/x509-certificate-exporter/commit/5bcb838941fe30dca0b9d8b556daa9a6fc207795)) - fix typo ([78d54a7](https://github.com/enix/x509-certificate-exporter/commit/78d54a757c3c1790ede2689080f2386e37b6ed4f)) - **helm:** emojis not requiring VS16 for colors in anchrored headers ([3646831](https://github.com/enix/x509-certificate-exporter/commit/364683145993d3bd1cf276c8f56e7e516c284d32)) - **helm:** fix english texts ([6e033bd](https://github.com/enix/x509-certificate-exporter/commit/6e033bd18d733340014fec981b6d7721c3b8f82a)) - **helm:** fix value description and run helm-docs to update README ([dec9be8](https://github.com/enix/x509-certificate-exporter/commit/dec9be8a67abb799952e2e57e422458c9374c9a9)) - **helm:** fix values comment to pass helm linter ([d907077](https://github.com/enix/x509-certificate-exporter/commit/d90707708a167ee9097aaccd4da13050a46c5dcc)) - **helm:** refactor the concepts section ([e0b9d71](https://github.com/enix/x509-certificate-exporter/commit/e0b9d7187a8ad5c56c5f204ec762362800e2a165)) - **helm:** strip VS16 from emojis to fix GitHub anchors ([2f19db6](https://github.com/enix/x509-certificate-exporter/commit/2f19db62e4a4e8e174110c19a44f44cd90c773cb)) - **helm:** update values documentation in README ([c8395dd](https://github.com/enix/x509-certificate-exporter/commit/c8395dd75e858ed7c5362de572f4ea1c0e5d149f)) - **helm:** update values in README ([de59c88](https://github.com/enix/x509-certificate-exporter/commit/de59c885f023f7d41f50a8615a226a8328c9a273)) - **helm:** use Github generated anchror slugs for headings with VS16 emojis ([4485844](https://github.com/enix/x509-certificate-exporter/commit/448584425492f390297e8b974767db77e12b3dbf)) - **metrics:** new gates ; fixed labels ; better promql snippets ; cardinality clarification ([c28eb69](https://github.com/enix/x509-certificate-exporter/commit/c28eb69fdac472b49f9a972fd0f808958d9409d7)) - new page with frequent questions ([ba3bd51](https://github.com/enix/x509-certificate-exporter/commit/ba3bd512071bce439545ea784f645bdd413a3de1)) - **README:** add logo and refactor badges ([efe4de8](https://github.com/enix/x509-certificate-exporter/commit/efe4de88a9cd5b7f2d4268a93c775a9ddcd6e0e3)) - **README:** fix broken link for sigstore ; better badge label ([30d3015](https://github.com/enix/x509-certificate-exporter/commit/30d301500f61a5e858b6eba92b3aa5efb6a77aec)) - **README:** fix links to the github project ([0a780d9](https://github.com/enix/x509-certificate-exporter/commit/0a780d941009db3128ed38e9f59000a3c18c62a0)) - **README:** new sections and markdown readability ([1df03e4](https://github.com/enix/x509-certificate-exporter/commit/1df03e450e79fc35e77ad82e04e01c0c03d25fd8)) - **readme:** refresh file with helm-docs ([71ff80c](https://github.com/enix/x509-certificate-exporter/commit/71ff80c6bb66cffb3d3b8b5d68b970b5a1dc90af)) - **README:** relocate hardening to a dedicated page ; add a menu ([30d1174](https://github.com/enix/x509-certificate-exporter/commit/30d1174718c8da2a58e6bdc8891911f4938ff6e4)) - relocate grafana dashboard screenshot ([9cbeb94](https://github.com/enix/x509-certificate-exporter/commit/9cbeb941ee51c45e1d8f2ab19098735d3399325b)) - **SECURITY:** drop schedule ([7d68bd5](https://github.com/enix/x509-certificate-exporter/commit/7d68bd5e37c9df316caf3265d0d1ff7ab68b98bd)) - **SECURITY:** restore timeline ([b45520f](https://github.com/enix/x509-certificate-exporter/commit/b45520f7ff0d3f738391912734054eb6d1d85764)) - **v3-to-v4:** clarify the deprecation of CLI flags ([3dd744b](https://github.com/enix/x509-certificate-exporter/commit/3dd744b8569517d46b57321edbefd35f8b48c3b7)) - **v3-to-v4:** drop hallucinated content ([aa87503](https://github.com/enix/x509-certificate-exporter/commit/aa8750399ae0d112253d280a8b26212faed04221)) - warning about the relation between getLabels & compareCertificates ([563028c](https://github.com/enix/x509-certificate-exporter/commit/563028cb8cbfd1ac896506652a8cb3a5abab1710)) ### [`v3.20.1`](https://github.com/enix/x509-certificate-exporter/blob/HEAD/CHANGELOG.md#400-alpha3-2026-05-03) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v3.20.0...v3.20.1) ##### ⚠ BREAKING CHANGES - add new metric gates, diags and not\_before off by defaut, - **container:** switch default variant from busybox to scratch (floating tags) - **chart:** make the Service headless by default (no ClusterIP) - the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at <https://charts.enix.io> is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: `helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>`. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so `helm install` / `helm upgrade` will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the `busybox` and `scratch` variants on linux/amd64,arm64,riscv64. Users pulling `*-alpine` tags must switch to one of the new variants — `busybox` is the closest functional replacement (still has a shell), `scratch` is the minimal distroless option. - release 4.0.0-alpha.1 ([410319d](https://github.com/enix/x509-certificate-exporter/commit/410319df3d2a3e5e45fb884a48f77d85e83ef35b)) - release 4.0.0-alpha.1 ([3f5d581](https://github.com/enix/x509-certificate-exporter/commit/3f5d581ae8b9c04ec30b24c90fa0835326b13d27)) - release 4.0.0-alpha.2 ([c43ed24](https://github.com/enix/x509-certificate-exporter/commit/c43ed24bd81a3d72ef463fcfa3b759a627fc9906)) - release 4.0.0-alpha.3 ([39d54d6](https://github.com/enix/x509-certificate-exporter/commit/39d54d62289867c5ae1e48ac8a305e2427045a64)) ##### Features - add new metric gates, diags and not\_before off by defaut, ([a719113](https://github.com/enix/x509-certificate-exporter/commit/a719113cb832c801c381abf78abb71053002214a)) - add opt-in flag to skip symlinks ([85c97e3](https://github.com/enix/x509-certificate-exporter/commit/85c97e38376aee029c6ec8f2cc2ebafb27afa46a)) - **build:** bump all Go dependencies ([fc3bff2](https://github.com/enix/x509-certificate-exporter/commit/fc3bff2ec35fcfad79b38e829cf9a4e39bc6a2c7)) - **build:** bump all Go dependencies ([e3b6c74](https://github.com/enix/x509-certificate-exporter/commit/e3b6c7440cd72ea4ec8f3d1314e48f66644999c3)) - **build:** bump Go to version 1.26.1 ([06d47be](https://github.com/enix/x509-certificate-exporter/commit/06d47becb7eb64bf6ae340ad25c171cf28f82022)) - **build:** bump Golang to version 1.20.7 ([f2a7a19](https://github.com/enix/x509-certificate-exporter/commit/f2a7a19055cd1b636928f0a71a2acbfa35c19982)) - **build:** bump Golang to version 1.21 ([4014073](https://github.com/enix/x509-certificate-exporter/commit/401407308f76e36d5e46320e199e2e650a9a6f80)) - **build:** bump Golang to version 1.21.6 ([a800033](https://github.com/enix/x509-certificate-exporter/commit/a8000336422fcdb8dc32e8aa2b76948290686fda)) - **build:** bump Golang to version 1.21.8 ([05582fc](https://github.com/enix/x509-certificate-exporter/commit/05582fc90a659b51b59b387824bb1201148274c9)) - **build:** bump Golang to version 1.21.9 ([61a0f71](https://github.com/enix/x509-certificate-exporter/commit/61a0f7155d2d315145b4fd1926a392a1bf5ffb77)) - **build:** bump Golang to version 1.22.2 ([8f15013](https://github.com/enix/x509-certificate-exporter/commit/8f1501353609644b9d1e93eba0548666c47df51f)) - **build:** bump Golang to version 1.22.5 ([956074c](https://github.com/enix/x509-certificate-exporter/commit/956074c9290b2992645c5df8f850e615279251f2)) - **build:** bump Golang to version 1.23.0 ([862481b](https://github.com/enix/x509-certificate-exporter/commit/862481bb51fac6c5fb8c73ee2c484ea66e7b2a87)) - **build:** bump Golang to version 1.23.1 ([082a818](https://github.com/enix/x509-certificate-exporter/commit/082a818fc38798e869d4ccc425e29754375a5339)) - **build:** bump Golang to version 1.23.2 ([756827c](https://github.com/enix/x509-certificate-exporter/commit/756827c6ac17ce7f7f64c7f68118c7e0a9d43074)) - **build:** bump Golang to version 1.23.4 ([1d90a66](https://github.com/enix/x509-certificate-exporter/commit/1d90a66ebb80ba0d86d9c3ca51f057ea8229f64f)) - **build:** publish OpenVEX documents for new releases ([1ed09e5](https://github.com/enix/x509-certificate-exporter/commit/1ed09e50a2be75b91e8dcbd64536c1236cf40368)) - **build:** publish SBOM documents for new releases ([3bf4f4a](https://github.com/enix/x509-certificate-exporter/commit/3bf4f4ac39b1302f0527772cd4d4a3493adedb79)) - **build:** release FreeBSD binaries for RISC-V ([0b8db06](https://github.com/enix/x509-certificate-exporter/commit/0b8db06f9809018ec878eaa51a02250074fc45a3)) - **build:** upgrade to golang 1.19 ([3916d18](https://github.com/enix/x509-certificate-exporter/commit/3916d18e575bd026b00566a6ce631b96f125b0d3)) - **build:** upgrade to golang 1.20 ([16429b9](https://github.com/enix/x509-certificate-exporter/commit/16429b9238badc3be550dfbed7fe44406dc6d6e3)) - **chart:** make the Service headless by default (no ClusterIP) ([b1d5b5c](https://github.com/enix/x509-certificate-exporter/commit/b1d5b5cbe9f23b4080661455b07110dcafa5c002)) - **chart:** remove support for legacy apiVersion (k8s < 1.16) ([7f560fd](https://github.com/enix/x509-certificate-exporter/commit/7f560fd8371fafee4c00163ec6316c8cbd401ac6)) - **charts:** add expose-secret-label parameter to exporter deployment ([905f789](https://github.com/enix/x509-certificate-exporter/commit/905f7895433f75f8c938f80ec0e18354c18c85af)) - **chart:** satisfy PSA restricted profile and OpenShift restricted-v2 SCC ([3d8b935](https://github.com/enix/x509-certificate-exporter/commit/3d8b935f2e6b3c3cf6bc93376996b3cf8fa9cb21)) - **charts:** configurable probes with values ([2f58ca0](https://github.com/enix/x509-certificate-exporter/commit/2f58ca05ebf912b24b97a3fa1c81d9b9818956f1)) - **chart:** support image digest pinning across all images ([fd81d79](https://github.com/enix/x509-certificate-exporter/commit/fd81d79a171616bf1acb3af9e67aa0b1d1c58baa)) - configurable burst and QPS in k8s client ([e002b89](https://github.com/enix/x509-certificate-exporter/commit/e002b89d281261d25b227ab99558a36d4fc2a9c6)) - **container:** bump Alpine base image to 3.17.0 ([e311864](https://github.com/enix/x509-certificate-exporter/commit/e311864d8bae7dc81c25ec0a320eeeeb854a4446)) - **container:** bump Alpine base image to 3.18.2 ([53ede98](https://github.com/enix/x509-certificate-exporter/commit/53ede98e503028ab4cd7e37552f6d6afdc17495c)) - **container:** bump Alpine base image to version 3.17.3 ([de23f78](https://github.com/enix/x509-certificate-exporter/commit/de23f78fbda6c01540d8281d68b0866f0e8d2272)) - **container:** bump Alpine base image to version 3.18.3 ([1d089c6](https://github.com/enix/x509-certificate-exporter/commit/1d089c68cf443e6c32f382626e2e0c288684910d)) - **container:** bump Alpine base image to version 3.19.0 ([fc71664](https://github.com/enix/x509-certificate-exporter/commit/fc71664ac13cc90294ac9043668b0facaca11c53)) - **container:** bump Alpine base image to version 3.19.1 ([9d0f7b5](https://github.com/enix/x509-certificate-exporter/commit/9d0f7b5585f9b50741c4ec6befa237b9da914c30)) - **container:** bump Alpine base image to version 3.20.1 ([500829e](https://github.com/enix/x509-certificate-exporter/commit/500829e5cde81e0dedfd03896ca5e496e3301c2b)) - **container:** bump Alpine base image to version 3.20.2 ([3d2904a](https://github.com/enix/x509-certificate-exporter/commit/3d2904aa0b0cd49dcf2174fb624b27c5f62b9914)) - **container:** bump Alpine base image to version 3.20.2 ([1738e29](https://github.com/enix/x509-certificate-exporter/commit/1738e298e643579ab25d40388795582fca11833f)) - **container:** bump Alpine base image to version 3.21.0 ([476b093](https://github.com/enix/x509-certificate-exporter/commit/476b09364c9429a67d1a1c484448c871e852a08d)) - **container:** bump Alpine base image to version 3.22.0 ([e0511a0](https://github.com/enix/x509-certificate-exporter/commit/e0511a0a483bd91720be62250562c667101300ec)) - **container:** bump Alpine base image version to 3.23.3 ([29c9c9a](https://github.com/enix/x509-certificate-exporter/commit/29c9c9af0274c59573483563e9aed2d281cfaff8)) - **container:** bump Busybox base image to version 1.36 ([29464ca](https://github.com/enix/x509-certificate-exporter/commit/29464caab5d3d8584f4c46dd30e9339b393afa8b)) - **container:** bump Busybox base image to version 1.36.1 ([8201737](https://github.com/enix/x509-certificate-exporter/commit/8201737a8ac37fa59b24c1165b9e03ad52d4e17a)) - **container:** bump Busybox base image to version 1.37.0 ([bf1f613](https://github.com/enix/x509-certificate-exporter/commit/bf1f61308c143e18b849615b015822860d00fe73)) - **container:** images for RISC-V now track Alpine stable ([eb7752a](https://github.com/enix/x509-certificate-exporter/commit/eb7752a93072b3d52d0f7d0e504b3d70e6fbd663)) - **container:** publish images to GitHub Registry (GHCR) ([26f924d](https://github.com/enix/x509-certificate-exporter/commit/26f924dd44fb76eecd12ab69bef2676606da42b0)) - **container:** switch Busybox images to glibc flavor (fix for RISC-V) ([8f97b98](https://github.com/enix/x509-certificate-exporter/commit/8f97b98c862f83d0c25c2994942b1ea90c6459da)) - **container:** switch default variant from busybox to scratch (floating tags) ([5ef7b43](https://github.com/enix/x509-certificate-exporter/commit/5ef7b43913287d37b32a390e5bb2972706c51a83)) - **container:** switch to stable Alpine base images for RISC-V ([92860e2](https://github.com/enix/x509-certificate-exporter/commit/92860e287a63d823c5347b2a78bff5d331800c06)) - **deploy,chart:** make metricRelabelings configurable in ServiceMonitor and PodMonitor ([6f81197](https://github.com/enix/x509-certificate-exporter/commit/6f8119721053fcbcc7c652de5622ac7f838cb771)) - **exporter:** ability to expose k8s labels as prometheus metrics labels ([cee171c](https://github.com/enix/x509-certificate-exporter/commit/cee171c4e49e5964ea12fa9cdce0aff064a908e0)) - **exporter:** add auto tuning of GC memory limit (automemlimit) ([cc3b0c0](https://github.com/enix/x509-certificate-exporter/commit/cc3b0c074b76a4e8e8730a2ff52c70dc3f410f4b)) - **exporter:** use `automaxprocs` to limit threads count ([efd7a6e](https://github.com/enix/x509-certificate-exporter/commit/efd7a6eebcb03f99f34563be306a1629f3514ded)) - globbing support for -d ([cbebdde](https://github.com/enix/x509-certificate-exporter/commit/cbebdde4b57b02f118c1fcc89ef92b9550680e34)) - globbing support for -f option ([7fa2298](https://github.com/enix/x509-certificate-exporter/commit/7fa2298724fe92ce9da656ae2bc52e0e3f83812c)) - globbing support for -k ([30b406e](https://github.com/enix/x509-certificate-exporter/commit/30b406e5d21204335dbb32e58ae0a3075f9c385f)) - **helm:** add deployment and daemonSet annotations ([5d81768](https://github.com/enix/x509-certificate-exporter/commit/5d817685e7de515c756be213a34a71bca75dfe9e)) - **helm:** add the Grafana dashboard ([f145ffc](https://github.com/enix/x509-certificate-exporter/commit/f145ffc4d08b9872fe44bd7a4cc53b967ce3a4e8)), closes [#&#8203;136](https://github.com/enix/x509-certificate-exporter/issues/136) - **helm:** added extraArgs ([d2466a1](https://github.com/enix/x509-certificate-exporter/commit/d2466a1d836d45641ee912a13abc92b96f55f73f)) - **helm:** bump kube-rbac-proxy to v0.13.1 and pull new repository ([412f225](https://github.com/enix/x509-certificate-exporter/commit/412f2259f2e25c1ad1565753f27abd0b60076017)) - **helm:** do not use a headless Service by default ([a5d2bf8](https://github.com/enix/x509-certificate-exporter/commit/a5d2bf8714db30ea2707572148930cdbc4d03125)), closes [#&#8203;50](https://github.com/enix/x509-certificate-exporter/issues/50) - **helm:** increase CPU limits for all containers ([902a45e](https://github.com/enix/x509-certificate-exporter/commit/902a45e03a6532ca84e41256d97ee731fe77dcd8)) - **helm:** introduce `extraDeployVerbatim` to skip templating engine ([8b88740](https://github.com/enix/x509-certificate-exporter/commit/8b88740badfda8a55bf566591f0008c1557b4e9a)) - **helm:** make revisionHistoryLimit configurable ([6fc58ab](https://github.com/enix/x509-certificate-exporter/commit/6fc58abbdb5f8393cf4b32827739effd8ee30f59)) - **helm:** mount of additional volumes ([c3430d4](https://github.com/enix/x509-certificate-exporter/commit/c3430d441c4350e2bd3b6f58e372296cc2c779c6)) - **helm:** new value to override release namespace ([4c34353](https://github.com/enix/x509-certificate-exporter/commit/4c343538c32cc6774086d0b4e3c71bd211cdc944)) - **helm:** new value to set HostPath type for DaemonSet volumes ([290094a](https://github.com/enix/x509-certificate-exporter/commit/290094a8d50a78749801d7c6a81f006aed1d5bba)) - **helm:** options to set the priority class ([f956d29](https://github.com/enix/x509-certificate-exporter/commit/f956d292103c22c142c6df63c5231bb8891c8484)) - **helm:** report time left in expiration alert ([45d9b15](https://github.com/enix/x509-certificate-exporter/commit/45d9b15b6532faab4819fa64efdb3ab9e99fa945)) - **helm:** support custom TLS config ([ff99541](https://github.com/enix/x509-certificate-exporter/commit/ff9954126b5ecea0e550d013554c957e8b93f8aa)) - **helm:** support for "web configuration" (HTTP auth and TLS) ([0bc9f17](https://github.com/enix/x509-certificate-exporter/commit/0bc9f177d66eeb3e23febe1d69fd52a14f3228d5)) - **helm:** switch to OCI artifacts (still tracked by Helm repository) ([c9fd9d0](https://github.com/enix/x509-certificate-exporter/commit/c9fd9d0e646a45055f2ae9742c7caa90d285d9a8)) - **helm:** upgrade hook to handle immutable changes with 3.20.0 ([6fe7f4a](https://github.com/enix/x509-certificate-exporter/commit/6fe7f4a26da26629ce6fe83dee646d7000fee3d5)) - include or exclude namespaces to watch based on their labels ([fc47f9b](https://github.com/enix/x509-certificate-exporter/commit/fc47f9b1abc7741b350c8408ca50a33f1eb12a7c)) - rewrite from scratch with new architecture and toolchain ([b4f3f84](https://github.com/enix/x509-certificate-exporter/commit/b4f3f84086a9feed9f32da678ffe7af2eda1a4fb)) - symlink path mapping and containment ([bbd179c](https://github.com/enix/x509-certificate-exporter/commit/bbd179c05b643d1221e490d1fd2ccb0bae65e574)) - unify log format to use structured logs only ([645a3ca](https://github.com/enix/x509-certificate-exporter/commit/645a3cab43c5a97ee26e0d69bd4edb461e933202)) ##### Bug Fixes - bundle errors not reaching the stats UI ([cbd2724](https://github.com/enix/x509-certificate-exporter/commit/cbd272456ffdfe9f12ccbc4850b94cf3a7f90336)) - **chart:** add `app.kubernetes.io/component` label to identify different resources ([dad3408](https://github.com/enix/x509-certificate-exporter/commit/dad3408f5403fe55c824e17424429e8b14c3d80e)) - **ci:** print line numbers for golang-ci-lint ([e2d8253](https://github.com/enix/x509-certificate-exporter/commit/e2d82531dfeac82d99787c2606ab0242ea47f405)) - clusterlevel resources dont need namespaces ([4cbacc6](https://github.com/enix/x509-certificate-exporter/commit/4cbacc61be5e79fec0cbf1b711330fd4ff3d2a4f)) - consider no match as a read error ([8d11d1a](https://github.com/enix/x509-certificate-exporter/commit/8d11d1a0cc1ffe06798110dabb0e19a3b24674da)) - **deploy,chart:** remove cpu limits for secretsExporter and hostPathsExporter ([a9d4a86](https://github.com/enix/x509-certificate-exporter/commit/a9d4a86ce60543be47824386b2d8ff94b7f721eb)) - don't delay server initialization while caches are populated ([0bf10f5](https://github.com/enix/x509-certificate-exporter/commit/0bf10f5f5a3e4159ac6e02c2c49877cea9224c80)) - don't list all namespaces if not needed for filtering ([d5adc63](https://github.com/enix/x509-certificate-exporter/commit/d5adc6339425381e332832f4e57c7c60b907104d)) - **helm:** allow customization of httpGet heathchecks for TLS users ([11d8af4](https://github.com/enix/x509-certificate-exporter/commit/11d8af41e6dc685344114d10a9cb7c0cdc5adf78)), closes [#&#8203;445](https://github.com/enix/x509-certificate-exporter/issues/445) - **helm:** allow secretsExporter.replicas to be set to 0 ([bdcf627](https://github.com/enix/x509-certificate-exporter/commit/bdcf6275c5bc15c0aaaac4dd0ac953212f7315cc)) - **helm:** DaemonSets inherit global podAnnotations ([1a670ed](https://github.com/enix/x509-certificate-exporter/commit/1a670ed3012050d17237f15df9309db3d9bac071)), closes [#&#8203;106](https://github.com/enix/x509-certificate-exporter/issues/106) - **helm:** extraVolumeMounts omitted if webConfiguration not set ([45a55f0](https://github.com/enix/x509-certificate-exporter/commit/45a55f0cd96ec475367f64737b2b6481084714fd)) - **helm:** grammar in Prometheus alerts descriptions ([7803a4b](https://github.com/enix/x509-certificate-exporter/commit/7803a4b8b762b034c7e7df1e0e40479856647f11)) - **helm:** namespace override value in DaemonSet template ([26d6a88](https://github.com/enix/x509-certificate-exporter/commit/26d6a883c39c7d42e9463ba0321ff037361f228a)) - **helm:** resolve redundant double slashes (//) in certificate monitoring paths ([ce27399](https://github.com/enix/x509-certificate-exporter/commit/ce27399b4c354ed25c02f5828a82ca6c5b30e3be)) - **kubernetes:** fetch ConfigMaps when keys are configured ([77f58c1](https://github.com/enix/x509-certificate-exporter/commit/77f58c10c84021936778adf9f58f833baeddf481)), closes [#&#8203;368](https://github.com/enix/x509-certificate-exporter/issues/368) - linter issues ([c2707f5](https://github.com/enix/x509-certificate-exporter/commit/c2707f53243e09f444310dfd5099079d8723bd54)) - properly resolve relative syminks ([a59a7ab](https://github.com/enix/x509-certificate-exporter/commit/a59a7ab7393137a385434640fce695afda1719f0)) - properly resolve symlink paths ([#&#8203;86](https://github.com/enix/x509-certificate-exporter/issues/86)) ([beb88b3](https://github.com/enix/x509-certificate-exporter/commit/beb88b34b490add4015c8b380d975eb9cb340d44)) - shrinkSecret to actually shrink ([3bb2ed2](https://github.com/enix/x509-certificate-exporter/commit/3bb2ed2ac09853458f887bf1a9659ae921a9d255)) - use doublestar fork to properly resolve symlinks ([f7944e4](https://github.com/enix/x509-certificate-exporter/commit/f7944e4b41abefae9b61f1327e7f3416008fcfe6)) ##### Documentation - **3to4:** fix codeql warning on typescript syntax ([584ecdb](https://github.com/enix/x509-certificate-exporter/commit/584ecdb351e80634b3a369354221b92822ef9e0a)) - add a v3 to v4 migration guide ([da6ba51](https://github.com/enix/x509-certificate-exporter/commit/da6ba51d937d09221b55dc09deafc4a54a32fa49)) - add security policy with reporting channels and scope ([146d4c0](https://github.com/enix/x509-certificate-exporter/commit/146d4c0c3149b86b370b60dd00f3a75b904e2c54)) - add v3-to-v4 migration guide ([d93d187](https://github.com/enix/x509-certificate-exporter/commit/d93d1879fc36f058248a3db31ce3dd18cf2a8d1b)) - **assets:** new alternative logo ([0a7d655](https://github.com/enix/x509-certificate-exporter/commit/0a7d655048928e1b66cccb973907f43f83745f47)) - **chart:** add a menu ([1212b90](https://github.com/enix/x509-certificate-exporter/commit/1212b902d53de19b0068d6b4d23be11199c6af28)) - **chart:** fix image URLs in README ([79e927e](https://github.com/enix/x509-certificate-exporter/commit/79e927ebb2d7538bb9858e88a62b0c3bed93d086)) - **chart:** link to the hardening guide ([1a39d3f](https://github.com/enix/x509-certificate-exporter/commit/1a39d3f736fc017d18c60ffdefa9b3d7411a75fd)) - **chart:** remove old notes ; link to curated starter values ([a393d5a](https://github.com/enix/x509-certificate-exporter/commit/a393d5aaa5d92ee332dc59d14d0f3161531ac7e8)) - **chart:** run helm-docs to update values in README.md ([3b930c7](https://github.com/enix/x509-certificate-exporter/commit/3b930c792cd8318abe65dd1683a6dd05b2720018)) - **chart:** update README with new project template ; migration to v4 ([a90955b](https://github.com/enix/x509-certificate-exporter/commit/a90955b143d806492cce100b1b7735ef33283d7e)) - clarify that hostPathsExporter was implemented for RKE ([bb1dd92](https://github.com/enix/x509-certificate-exporter/commit/bb1dd927b38ce58b139878369521aaaf9e8f4739)) - dedicated metrics reference under docs/ ([6b5078c](https://github.com/enix/x509-certificate-exporter/commit/6b5078cd062e27dcf1cab0c7c072cbd82cdd7542)) - **examples:** add curated values.yaml starters for generic and per-distro setups ([297fd74](https://github.com/enix/x509-certificate-exporter/commit/297fd7489d684188acfa648d3a6773d1b9d6367a)) - Fix Linux deploy README ([d3d81e7](https://github.com/enix/x509-certificate-exporter/commit/d3d81e798deef9c40d0379527f96957700a6565f)) - fix markdown linting issues ([5bcb838](https://github.com/enix/x509-certificate-exporter/commit/5bcb838941fe30dca0b9d8b556daa9a6fc207795)) - fix typo ([78d54a7](https://github.com/enix/x509-certificate-exporter/commit/78d54a757c3c1790ede2689080f2386e37b6ed4f)) - **helm:** emojis not requiring VS16 for colors in anchrored headers ([3646831](https://github.com/enix/x509-certificate-exporter/commit/364683145993d3bd1cf276c8f56e7e516c284d32)) - **helm:** fix english texts ([6e033bd](https://github.com/enix/x509-certificate-exporter/commit/6e033bd18d733340014fec981b6d7721c3b8f82a)) - **helm:** fix value description and run helm-docs to update README ([dec9be8](https://github.com/enix/x509-certificate-exporter/commit/dec9be8a67abb799952e2e57e422458c9374c9a9)) - **helm:** fix values comment to pass helm linter ([d907077](https://github.com/enix/x509-certificate-exporter/commit/d90707708a167ee9097aaccd4da13050a46c5dcc)) - **helm:** refactor the concepts section ([e0b9d71](https://github.com/enix/x509-certificate-exporter/commit/e0b9d7187a8ad5c56c5f204ec762362800e2a165)) - **helm:** strip VS16 from emojis to fix GitHub anchors ([2f19db6](https://github.com/enix/x509-certificate-exporter/commit/2f19db62e4a4e8e174110c19a44f44cd90c773cb)) - **helm:** update values documentation in README ([c8395dd](https://github.com/enix/x509-certificate-exporter/commit/c8395dd75e858ed7c5362de572f4ea1c0e5d149f)) - **helm:** update values in README ([de59c88](https://github.com/enix/x509-certificate-exporter/commit/de59c885f023f7d41f50a8615a226a8328c9a273)) - **helm:** use Github generated anchror slugs for headings with VS16 emojis ([4485844](https://github.com/enix/x509-certificate-exporter/commit/448584425492f390297e8b974767db77e12b3dbf)) - **metrics:** new gates ; fixed labels ; better promql snippets ; cardinality clarification ([c28eb69](https://github.com/enix/x509-certificate-exporter/commit/c28eb69fdac472b49f9a972fd0f808958d9409d7)) - new page with frequent questions ([ba3bd51](https://github.com/enix/x509-certificate-exporter/commit/ba3bd512071bce439545ea784f645bdd413a3de1)) - **README:** add logo and refactor badges ([efe4de8](https://github.com/enix/x509-certificate-exporter/commit/efe4de88a9cd5b7f2d4268a93c775a9ddcd6e0e3)) - **README:** fix broken link for sigstore ; better badge label ([30d3015](https://github.com/enix/x509-certificate-exporter/commit/30d301500f61a5e858b6eba92b3aa5efb6a77aec)) - **README:** fix links to the github project ([0a780d9](https://github.com/enix/x509-certificate-exporter/commit/0a780d941009db3128ed38e9f59000a3c18c62a0)) - **README:** new sections and markdown readability ([1df03e4](https://github.com/enix/x509-certificate-exporter/commit/1df03e450e79fc35e77ad82e04e01c0c03d25fd8)) - **readme:** refresh file with helm-docs ([71ff80c](https://github.com/enix/x509-certificate-exporter/commit/71ff80c6bb66cffb3d3b8b5d68b970b5a1dc90af)) - **README:** relocate hardening to a dedicated page ; add a menu ([30d1174](https://github.com/enix/x509-certificate-exporter/commit/30d1174718c8da2a58e6bdc8891911f4938ff6e4)) - relocate grafana dashboard screenshot ([9cbeb94](https://github.com/enix/x509-certificate-exporter/commit/9cbeb941ee51c45e1d8f2ab19098735d3399325b)) - **SECURITY:** drop schedule ([7d68bd5](https://github.com/enix/x509-certificate-exporter/commit/7d68bd5e37c9df316caf3265d0d1ff7ab68b98bd)) - **SECURITY:** restore timeline ([b45520f](https://github.com/enix/x509-certificate-exporter/commit/b45520f7ff0d3f738391912734054eb6d1d85764)) - **v3-to-v4:** clarify the deprecation of CLI flags ([3dd744b](https://github.com/enix/x509-certificate-exporter/commit/3dd744b8569517d46b57321edbefd35f8b48c3b7)) - **v3-to-v4:** drop hallucinated content ([aa87503](https://github.com/enix/x509-certificate-exporter/commit/aa8750399ae0d112253d280a8b26212faed04221)) - warning about the relation between getLabels & compareCertificates ([563028c](https://github.com/enix/x509-certificate-exporter/commit/563028cb8cbfd1ac896506652a8cb3a5abab1710)) ### [`v3.20.0`](https://github.com/enix/x509-certificate-exporter/blob/HEAD/CHANGELOG.md#400-alpha3-2026-05-03) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v3.19.1...v3.20.0) ##### ⚠ BREAKING CHANGES - add new metric gates, diags and not\_before off by defaut, - **container:** switch default variant from busybox to scratch (floating tags) - **chart:** make the Service headless by default (no ClusterIP) - the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at <https://charts.enix.io> is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: `helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>`. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so `helm install` / `helm upgrade` will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the `busybox` and `scratch` variants on linux/amd64,arm64,riscv64. Users pulling `*-alpine` tags must switch to one of the new variants — `busybox` is the closest functional replacement (still has a shell), `scratch` is the minimal distroless option. - release 4.0.0-alpha.1 ([410319d](https://github.com/enix/x509-certificate-exporter/commit/410319df3d2a3e5e45fb884a48f77d85e83ef35b)) - release 4.0.0-alpha.1 ([3f5d581](https://github.com/enix/x509-certificate-exporter/commit/3f5d581ae8b9c04ec30b24c90fa0835326b13d27)) - release 4.0.0-alpha.2 ([c43ed24](https://github.com/enix/x509-certificate-exporter/commit/c43ed24bd81a3d72ef463fcfa3b759a627fc9906)) - release 4.0.0-alpha.3 ([39d54d6](https://github.com/enix/x509-certificate-exporter/commit/39d54d62289867c5ae1e48ac8a305e2427045a64)) ##### Features - add new metric gates, diags and not\_before off by defaut, ([a719113](https://github.com/enix/x509-certificate-exporter/commit/a719113cb832c801c381abf78abb71053002214a)) - add opt-in flag to skip symlinks ([85c97e3](https://github.com/enix/x509-certificate-exporter/commit/85c97e38376aee029c6ec8f2cc2ebafb27afa46a)) - **build:** bump all Go dependencies ([fc3bff2](https://github.com/enix/x509-certificate-exporter/commit/fc3bff2ec35fcfad79b38e829cf9a4e39bc6a2c7)) - **build:** bump all Go dependencies ([e3b6c74](https://github.com/enix/x509-certificate-exporter/commit/e3b6c7440cd72ea4ec8f3d1314e48f66644999c3)) - **build:** bump Go to version 1.26.1 ([06d47be](https://github.com/enix/x509-certificate-exporter/commit/06d47becb7eb64bf6ae340ad25c171cf28f82022)) - **build:** bump Golang to version 1.20.7 ([f2a7a19](https://github.com/enix/x509-certificate-exporter/commit/f2a7a19055cd1b636928f0a71a2acbfa35c19982)) - **build:** bump Golang to version 1.21 ([4014073](https://github.com/enix/x509-certificate-exporter/commit/401407308f76e36d5e46320e199e2e650a9a6f80)) - **build:** bump Golang to version 1.21.6 ([a800033](https://github.com/enix/x509-certificate-exporter/commit/a8000336422fcdb8dc32e8aa2b76948290686fda)) - **build:** bump Golang to version 1.21.8 ([05582fc](https://github.com/enix/x509-certificate-exporter/commit/05582fc90a659b51b59b387824bb1201148274c9)) - **build:** bump Golang to version 1.21.9 ([61a0f71](https://github.com/enix/x509-certificate-exporter/commit/61a0f7155d2d315145b4fd1926a392a1bf5ffb77)) - **build:** bump Golang to version 1.22.2 ([8f15013](https://github.com/enix/x509-certificate-exporter/commit/8f1501353609644b9d1e93eba0548666c47df51f)) - **build:** bump Golang to version 1.22.5 ([956074c](https://github.com/enix/x509-certificate-exporter/commit/956074c9290b2992645c5df8f850e615279251f2)) - **build:** bump Golang to version 1.23.0 ([862481b](https://github.com/enix/x509-certificate-exporter/commit/862481bb51fac6c5fb8c73ee2c484ea66e7b2a87)) - **build:** bump Golang to version 1.23.1 ([082a818](https://github.com/enix/x509-certificate-exporter/commit/082a818fc38798e869d4ccc425e29754375a5339)) - **build:** bump Golang to version 1.23.2 ([756827c](https://github.com/enix/x509-certificate-exporter/commit/756827c6ac17ce7f7f64c7f68118c7e0a9d43074)) - **build:** bump Golang to version 1.23.4 ([1d90a66](https://github.com/enix/x509-certificate-exporter/commit/1d90a66ebb80ba0d86d9c3ca51f057ea8229f64f)) - **build:** publish OpenVEX documents for new releases ([1ed09e5](https://github.com/enix/x509-certificate-exporter/commit/1ed09e50a2be75b91e8dcbd64536c1236cf40368)) - **build:** publish SBOM documents for new releases ([3bf4f4a](https://github.com/enix/x509-certificate-exporter/commit/3bf4f4ac39b1302f0527772cd4d4a3493adedb79)) - **build:** release FreeBSD binaries for RISC-V ([0b8db06](https://github.com/enix/x509-certificate-exporter/commit/0b8db06f9809018ec878eaa51a02250074fc45a3)) - **build:** upgrade to golang 1.19 ([3916d18](https://github.com/enix/x509-certificate-exporter/commit/3916d18e575bd026b00566a6ce631b96f125b0d3)) - **build:** upgrade to golang 1.20 ([16429b9](https://github.com/enix/x509-certificate-exporter/commit/16429b9238badc3be550dfbed7fe44406dc6d6e3)) - **chart:** make the Service headless by default (no ClusterIP) ([b1d5b5c](https://github.com/enix/x509-certificate-exporter/commit/b1d5b5cbe9f23b4080661455b07110dcafa5c002)) - **chart:** remove support for legacy apiVersion (k8s < 1.16) ([7f560fd](https://github.com/enix/x509-certificate-exporter/commit/7f560fd8371fafee4c00163ec6316c8cbd401ac6)) - **charts:** add expose-secret-label parameter to exporter deployment ([905f789](https://github.com/enix/x509-certificate-exporter/commit/905f7895433f75f8c938f80ec0e18354c18c85af)) - **chart:** satisfy PSA restricted profile and OpenShift restricted-v2 SCC ([3d8b935](https://github.com/enix/x509-certificate-exporter/commit/3d8b935f2e6b3c3cf6bc93376996b3cf8fa9cb21)) - **charts:** configurable probes with values ([2f58ca0](https://github.com/enix/x509-certificate-exporter/commit/2f58ca05ebf912b24b97a3fa1c81d9b9818956f1)) - **chart:** support image digest pinning across all images ([fd81d79](https://github.com/enix/x509-certificate-exporter/commit/fd81d79a171616bf1acb3af9e67aa0b1d1c58baa)) - configurable burst and QPS in k8s client ([e002b89](https://github.com/enix/x509-certificate-exporter/commit/e002b89d281261d25b227ab99558a36d4fc2a9c6)) - **container:** bump Alpine base image to 3.17.0 ([e311864](https://github.com/enix/x509-certificate-exporter/commit/e311864d8bae7dc81c25ec0a320eeeeb854a4446)) - **container:** bump Alpine base image to 3.18.2 ([53ede98](https://github.com/enix/x509-certificate-exporter/commit/53ede98e503028ab4cd7e37552f6d6afdc17495c)) - **container:** bump Alpine base image to version 3.17.3 ([de23f78](https://github.com/enix/x509-certificate-exporter/commit/de23f78fbda6c01540d8281d68b0866f0e8d2272)) - **container:** bump Alpine base image to version 3.18.3 ([1d089c6](https://github.com/enix/x509-certificate-exporter/commit/1d089c68cf443e6c32f382626e2e0c288684910d)) - **container:** bump Alpine base image to version 3.19.0 ([fc71664](https://github.com/enix/x509-certificate-exporter/commit/fc71664ac13cc90294ac9043668b0facaca11c53)) - **container:** bump Alpine base image to version 3.19.1 ([9d0f7b5](https://github.com/enix/x509-certificate-exporter/commit/9d0f7b5585f9b50741c4ec6befa237b9da914c30)) - **container:** bump Alpine base image to version 3.20.1 ([500829e](https://github.com/enix/x509-certificate-exporter/commit/500829e5cde81e0dedfd03896ca5e496e3301c2b)) - **container:** bump Alpine base image to version 3.20.2 ([3d2904a](https://github.com/enix/x509-certificate-exporter/commit/3d2904aa0b0cd49dcf2174fb624b27c5f62b9914)) - **container:** bump Alpine base image to version 3.20.2 ([1738e29](https://github.com/enix/x509-certificate-exporter/commit/1738e298e643579ab25d40388795582fca11833f)) - **container:** bump Alpine base image to version 3.21.0 ([476b093](https://github.com/enix/x509-certificate-exporter/commit/476b09364c9429a67d1a1c484448c871e852a08d)) - **container:** bump Alpine base image to version 3.22.0 ([e0511a0](https://github.com/enix/x509-certificate-exporter/commit/e0511a0a483bd91720be62250562c667101300ec)) - **container:** bump Alpine base image version to 3.23.3 ([29c9c9a](https://github.com/enix/x509-certificate-exporter/commit/29c9c9af0274c59573483563e9aed2d281cfaff8)) - **container:** bump Busybox base image to version 1.36 ([29464ca](https://github.com/enix/x509-certificate-exporter/commit/29464caab5d3d8584f4c46dd30e9339b393afa8b)) - **container:** bump Busybox base image to version 1.36.1 ([8201737](https://github.com/enix/x509-certificate-exporter/commit/8201737a8ac37fa59b24c1165b9e03ad52d4e17a)) - **container:** bump Busybox base image to version 1.37.0 ([bf1f613](https://github.com/enix/x509-certificate-exporter/commit/bf1f61308c143e18b849615b015822860d00fe73)) - **container:** images for RISC-V now track Alpine stable ([eb7752a](https://github.com/enix/x509-certificate-exporter/commit/eb7752a93072b3d52d0f7d0e504b3d70e6fbd663)) - **container:** publish images to GitHub Registry (GHCR) ([26f924d](https://github.com/enix/x509-certificate-exporter/commit/26f924dd44fb76eecd12ab69bef2676606da42b0)) - **container:** switch Busybox images to glibc flavor (fix for RISC-V) ([8f97b98](https://github.com/enix/x509-certificate-exporter/commit/8f97b98c862f83d0c25c2994942b1ea90c6459da)) - **container:** switch default variant from busybox to scratch (floating tags) ([5ef7b43](https://github.com/enix/x509-certificate-exporter/commit/5ef7b43913287d37b32a390e5bb2972706c51a83)) - **container:** switch to stable Alpine base images for RISC-V ([92860e2](https://github.com/enix/x509-certificate-exporter/commit/92860e287a63d823c5347b2a78bff5d331800c06)) - **deploy,chart:** make metricRelabelings configurable in ServiceMonitor and PodMonitor ([6f81197](https://github.com/enix/x509-certificate-exporter/commit/6f8119721053fcbcc7c652de5622ac7f838cb771)) - **exporter:** ability to expose k8s labels as prometheus metrics labels ([cee171c](https://github.com/enix/x509-certificate-exporter/commit/cee171c4e49e5964ea12fa9cdce0aff064a908e0)) - **exporter:** add auto tuning of GC memory limit (automemlimit) ([cc3b0c0](https://github.com/enix/x509-certificate-exporter/commit/cc3b0c074b76a4e8e8730a2ff52c70dc3f410f4b)) - **exporter:** use `automaxprocs` to limit threads count ([efd7a6e](https://github.com/enix/x509-certificate-exporter/commit/efd7a6eebcb03f99f34563be306a1629f3514ded)) - globbing support for -d ([cbebdde](https://github.com/enix/x509-certificate-exporter/commit/cbebdde4b57b02f118c1fcc89ef92b9550680e34)) - globbing support for -f option ([7fa2298](https://github.com/enix/x509-certificate-exporter/commit/7fa2298724fe92ce9da656ae2bc52e0e3f83812c)) - globbing support for -k ([30b406e](https://github.com/enix/x509-certificate-exporter/commit/30b406e5d21204335dbb32e58ae0a3075f9c385f)) - **helm:** add deployment and daemonSet annotations ([5d81768](https://github.com/enix/x509-certificate-exporter/commit/5d817685e7de515c756be213a34a71bca75dfe9e)) - **helm:** add the Grafana dashboard ([f145ffc](https://github.com/enix/x509-certificate-exporter/commit/f145ffc4d08b9872fe44bd7a4cc53b967ce3a4e8)), closes [#&#8203;136](https://github.com/enix/x509-certificate-exporter/issues/136) - **helm:** added extraArgs ([d2466a1](https://github.com/enix/x509-certificate-exporter/commit/d2466a1d836d45641ee912a13abc92b96f55f73f)) - **helm:** bump kube-rbac-proxy to v0.13.1 and pull new repository ([412f225](https://github.com/enix/x509-certificate-exporter/commit/412f2259f2e25c1ad1565753f27abd0b60076017)) - **helm:** do not use a headless Service by default ([a5d2bf8](https://github.com/enix/x509-certificate-exporter/commit/a5d2bf8714db30ea2707572148930cdbc4d03125)), closes [#&#8203;50](https://github.com/enix/x509-certificate-exporter/issues/50) - **helm:** increase CPU limits for all containers ([902a45e](https://github.com/enix/x509-certificate-exporter/commit/902a45e03a6532ca84e41256d97ee731fe77dcd8)) - **helm:** introduce `extraDeployVerbatim` to skip templating engine ([8b88740](https://github.com/enix/x509-certificate-exporter/commit/8b88740badfda8a55bf566591f0008c1557b4e9a)) - **helm:** make revisionHistoryLimit configurable ([6fc58ab](https://github.com/enix/x509-certificate-exporter/commit/6fc58abbdb5f8393cf4b32827739effd8ee30f59)) - **helm:** mount of additional volumes ([c3430d4](https://github.com/enix/x509-certificate-exporter/commit/c3430d441c4350e2bd3b6f58e372296cc2c779c6)) - **helm:** new value to override release namespace ([4c34353](https://github.com/enix/x509-certificate-exporter/commit/4c343538c32cc6774086d0b4e3c71bd211cdc944)) - **helm:** new value to set HostPath type for DaemonSet volumes ([290094a](https://github.com/enix/x509-certificate-exporter/commit/290094a8d50a78749801d7c6a81f006aed1d5bba)) - **helm:** options to set the priority class ([f956d29](https://github.com/enix/x509-certificate-exporter/commit/f956d292103c22c142c6df63c5231bb8891c8484)) - **helm:** report time left in expiration alert ([45d9b15](https://github.com/enix/x509-certificate-exporter/commit/45d9b15b6532faab4819fa64efdb3ab9e99fa945)) - **helm:** support custom TLS config ([ff99541](https://github.com/enix/x509-certificate-exporter/commit/ff9954126b5ecea0e550d013554c957e8b93f8aa)) - **helm:** support for "web configuration" (HTTP auth and TLS) ([0bc9f17](https://github.com/enix/x509-certificate-exporter/commit/0bc9f177d66eeb3e23febe1d69fd52a14f3228d5)) - **helm:** switch to OCI artifacts (still tracked by Helm repository) ([c9fd9d0](https://github.com/enix/x509-certificate-exporter/commit/c9fd9d0e646a45055f2ae9742c7caa90d285d9a8)) - **helm:** upgrade hook to handle immutable changes with 3.20.0 ([6fe7f4a](https://github.com/enix/x509-certificate-exporter/commit/6fe7f4a26da26629ce6fe83dee646d7000fee3d5)) - include or exclude namespaces to watch based on their labels ([fc47f9b](https://github.com/enix/x509-certificate-exporter/commit/fc47f9b1abc7741b350c8408ca50a33f1eb12a7c)) - rewrite from scratch with new architecture and toolchain ([b4f3f84](https://github.com/enix/x509-certificate-exporter/commit/b4f3f84086a9feed9f32da678ffe7af2eda1a4fb)) - symlink path mapping and containment ([bbd179c](https://github.com/enix/x509-certificate-exporter/commit/bbd179c05b643d1221e490d1fd2ccb0bae65e574)) - unify log format to use structured logs only ([645a3ca](https://github.com/enix/x509-certificate-exporter/commit/645a3cab43c5a97ee26e0d69bd4edb461e933202)) ##### Bug Fixes - bundle errors not reaching the stats UI ([cbd2724](https://github.com/enix/x509-certificate-exporter/commit/cbd272456ffdfe9f12ccbc4850b94cf3a7f90336)) - **chart:** add `app.kubernetes.io/component` label to identify different resources ([dad3408](https://github.com/enix/x509-certificate-exporter/commit/dad3408f5403fe55c824e17424429e8b14c3d80e)) - **ci:** print line numbers for golang-ci-lint ([e2d8253](https://github.com/enix/x509-certificate-exporter/commit/e2d82531dfeac82d99787c2606ab0242ea47f405)) - clusterlevel resources dont need namespaces ([4cbacc6](https://github.com/enix/x509-certificate-exporter/commit/4cbacc61be5e79fec0cbf1b711330fd4ff3d2a4f)) - consider no match as a read error ([8d11d1a](https://github.com/enix/x509-certificate-exporter/commit/8d11d1a0cc1ffe06798110dabb0e19a3b24674da)) - **deploy,chart:** remove cpu limits for secretsExporter and hostPathsExporter ([a9d4a86](https://github.com/enix/x509-certificate-exporter/commit/a9d4a86ce60543be47824386b2d8ff94b7f721eb)) - don't delay server initialization while caches are populated ([0bf10f5](https://github.com/enix/x509-certificate-exporter/commit/0bf10f5f5a3e4159ac6e02c2c49877cea9224c80)) - don't list all namespaces if not needed for filtering ([d5adc63](https://github.com/enix/x509-certificate-exporter/commit/d5adc6339425381e332832f4e57c7c60b907104d)) - **helm:** allow customization of httpGet heathchecks for TLS users ([11d8af4](https://github.com/enix/x509-certificate-exporter/commit/11d8af41e6dc685344114d10a9cb7c0cdc5adf78)), closes [#&#8203;445](https://github.com/enix/x509-certificate-exporter/issues/445) - **helm:** allow secretsExporter.replicas to be set to 0 ([bdcf627](https://github.com/enix/x509-certificate-exporter/commit/bdcf6275c5bc15c0aaaac4dd0ac953212f7315cc)) - **helm:** DaemonSets inherit global podAnnotations ([1a670ed](https://github.com/enix/x509-certificate-exporter/commit/1a670ed3012050d17237f15df9309db3d9bac071)), closes [#&#8203;106](https://github.com/enix/x509-certificate-exporter/issues/106) - **helm:** extraVolumeMounts omitted if webConfiguration not set ([45a55f0](https://github.com/enix/x509-certificate-exporter/commit/45a55f0cd96ec475367f64737b2b6481084714fd)) - **helm:** grammar in Prometheus alerts descriptions ([7803a4b](https://github.com/enix/x509-certificate-exporter/commit/7803a4b8b762b034c7e7df1e0e40479856647f11)) - **helm:** namespace override value in DaemonSet template ([26d6a88](https://github.com/enix/x509-certificate-exporter/commit/26d6a883c39c7d42e9463ba0321ff037361f228a)) - **helm:** resolve redundant double slashes (//) in certificate monitoring paths ([ce27399](https://github.com/enix/x509-certificate-exporter/commit/ce27399b4c354ed25c02f5828a82ca6c5b30e3be)) - **kubernetes:** fetch ConfigMaps when keys are configured ([77f58c1](https://github.com/enix/x509-certificate-exporter/commit/77f58c10c84021936778adf9f58f833baeddf481)), closes [#&#8203;368](https://github.com/enix/x509-certificate-exporter/issues/368) - linter issues ([c2707f5](https://github.com/enix/x509-certificate-exporter/commit/c2707f53243e09f444310dfd5099079d8723bd54)) - properly resolve relative syminks ([a59a7ab](https://github.com/enix/x509-certificate-exporter/commit/a59a7ab7393137a385434640fce695afda1719f0)) - properly resolve symlink paths ([#&#8203;86](https://github.com/enix/x509-certificate-exporter/issues/86)) ([beb88b3](https://github.com/enix/x509-certificate-exporter/commit/beb88b34b490add4015c8b380d975eb9cb340d44)) - shrinkSecret to actually shrink ([3bb2ed2](https://github.com/enix/x509-certificate-exporter/commit/3bb2ed2ac09853458f887bf1a9659ae921a9d255)) - use doublestar fork to properly resolve symlinks ([f7944e4](https://github.com/enix/x509-certificate-exporter/commit/f7944e4b41abefae9b61f1327e7f3416008fcfe6)) ##### Documentation - **3to4:** fix codeql warning on typescript syntax ([584ecdb](https://github.com/enix/x509-certificate-exporter/commit/584ecdb351e80634b3a369354221b92822ef9e0a)) - add a v3 to v4 migration guide ([da6ba51](https://github.com/enix/x509-certificate-exporter/commit/da6ba51d937d09221b55dc09deafc4a54a32fa49)) - add security policy with reporting channels and scope ([146d4c0](https://github.com/enix/x509-certificate-exporter/commit/146d4c0c3149b86b370b60dd00f3a75b904e2c54)) - add v3-to-v4 migration guide ([d93d187](https://github.com/enix/x509-certificate-exporter/commit/d93d1879fc36f058248a3db31ce3dd18cf2a8d1b)) - **assets:** new alternative logo ([0a7d655](https://github.com/enix/x509-certificate-exporter/commit/0a7d655048928e1b66cccb973907f43f83745f47)) - **chart:** add a menu ([1212b90](https://github.com/enix/x509-certificate-exporter/commit/1212b902d53de19b0068d6b4d23be11199c6af28)) - **chart:** fix image URLs in README ([79e927e](https://github.com/enix/x509-certificate-exporter/commit/79e927ebb2d7538bb9858e88a62b0c3bed93d086)) - **chart:** link to the hardening guide ([1a39d3f](https://github.com/enix/x509-certificate-exporter/commit/1a39d3f736fc017d18c60ffdefa9b3d7411a75fd)) - **chart:** remove old notes ; link to curated starter values ([a393d5a](https://github.com/enix/x509-certificate-exporter/commit/a393d5aaa5d92ee332dc59d14d0f3161531ac7e8)) - **chart:** run helm-docs to update values in README.md ([3b930c7](https://github.com/enix/x509-certificate-exporter/commit/3b930c792cd8318abe65dd1683a6dd05b2720018)) - **chart:** update README with new project template ; migration to v4 ([a90955b](https://github.com/enix/x509-certificate-exporter/commit/a90955b143d806492cce100b1b7735ef33283d7e)) - clarify that hostPathsExporter was implemented for RKE ([bb1dd92](https://github.com/enix/x509-certificate-exporter/commit/bb1dd927b38ce58b139878369521aaaf9e8f4739)) - dedicated metrics reference under docs/ ([6b5078c](https://github.com/enix/x509-certificate-exporter/commit/6b5078cd062e27dcf1cab0c7c072cbd82cdd7542)) - **examples:** add curated values.yaml starters for generic and per-distro setups ([297fd74](https://github.com/enix/x509-certificate-exporter/commit/297fd7489d684188acfa648d3a6773d1b9d6367a)) - Fix Linux deploy README ([d3d81e7](https://github.com/enix/x509-certificate-exporter/commit/d3d81e798deef9c40d0379527f96957700a6565f)) - fix markdown linting issues ([5bcb838](https://github.com/enix/x509-certificate-exporter/commit/5bcb838941fe30dca0b9d8b556daa9a6fc207795)) - fix typo ([78d54a7](https://github.com/enix/x509-certificate-exporter/commit/78d54a757c3c1790ede2689080f2386e37b6ed4f)) - **helm:** emojis not requiring VS16 for colors in anchrored headers ([3646831](https://github.com/enix/x509-certificate-exporter/commit/364683145993d3bd1cf276c8f56e7e516c284d32)) - **helm:** fix english texts ([6e033bd](https://github.com/enix/x509-certificate-exporter/commit/6e033bd18d733340014fec981b6d7721c3b8f82a)) - **helm:** fix value description and run helm-docs to update README ([dec9be8](https://github.com/enix/x509-certificate-exporter/commit/dec9be8a67abb799952e2e57e422458c9374c9a9)) - **helm:** fix values comment to pass helm linter ([d907077](https://github.com/enix/x509-certificate-exporter/commit/d90707708a167ee9097aaccd4da13050a46c5dcc)) - **helm:** refactor the concepts section ([e0b9d71](https://github.com/enix/x509-certificate-exporter/commit/e0b9d7187a8ad5c56c5f204ec762362800e2a165)) - **helm:** strip VS16 from emojis to fix GitHub anchors ([2f19db6](https://github.com/enix/x509-certificate-exporter/commit/2f19db62e4a4e8e174110c19a44f44cd90c773cb)) - **helm:** update values documentation in README ([c8395dd](https://github.com/enix/x509-certificate-exporter/commit/c8395dd75e858ed7c5362de572f4ea1c0e5d149f)) - **helm:** update values in README ([de59c88](https://github.com/enix/x509-certificate-exporter/commit/de59c885f023f7d41f50a8615a226a8328c9a273)) - **helm:** use Github generated anchror slugs for headings with VS16 emojis ([4485844](https://github.com/enix/x509-certificate-exporter/commit/448584425492f390297e8b974767db77e12b3dbf)) - **metrics:** new gates ; fixed labels ; better promql snippets ; cardinality clarification ([c28eb69](https://github.com/enix/x509-certificate-exporter/commit/c28eb69fdac472b49f9a972fd0f808958d9409d7)) - new page with frequent questions ([ba3bd51](https://github.com/enix/x509-certificate-exporter/commit/ba3bd512071bce439545ea784f645bdd413a3de1)) - **README:** add logo and refactor badges ([efe4de8](https://github.com/enix/x509-certificate-exporter/commit/efe4de88a9cd5b7f2d4268a93c775a9ddcd6e0e3)) - **README:** fix broken link for sigstore ; better badge label ([30d3015](https://github.com/enix/x509-certificate-exporter/commit/30d301500f61a5e858b6eba92b3aa5efb6a77aec)) - **README:** fix links to the github project ([0a780d9](https://github.com/enix/x509-certificate-exporter/commit/0a780d941009db3128ed38e9f59000a3c18c62a0)) - **README:** new sections and markdown readability ([1df03e4](https://github.com/enix/x509-certificate-exporter/commit/1df03e450e79fc35e77ad82e04e01c0c03d25fd8)) - **readme:** refresh file with helm-docs ([71ff80c](https://github.com/enix/x509-certificate-exporter/commit/71ff80c6bb66cffb3d3b8b5d68b970b5a1dc90af)) - **README:** relocate hardening to a dedicated page ; add a menu ([30d1174](https://github.com/enix/x509-certificate-exporter/commit/30d1174718c8da2a58e6bdc8891911f4938ff6e4)) - relocate grafana dashboard screenshot ([9cbeb94](https://github.com/enix/x509-certificate-exporter/commit/9cbeb941ee51c45e1d8f2ab19098735d3399325b)) - **SECURITY:** drop schedule ([7d68bd5](https://github.com/enix/x509-certificate-exporter/commit/7d68bd5e37c9df316caf3265d0d1ff7ab68b98bd)) - **SECURITY:** restore timeline ([b45520f](https://github.com/enix/x509-certificate-exporter/commit/b45520f7ff0d3f738391912734054eb6d1d85764)) - **v3-to-v4:** clarify the deprecation of CLI flags ([3dd744b](https://github.com/enix/x509-certificate-exporter/commit/3dd744b8569517d46b57321edbefd35f8b48c3b7)) - **v3-to-v4:** drop hallucinated content ([aa87503](https://github.com/enix/x509-certificate-exporter/commit/aa8750399ae0d112253d280a8b26212faed04221)) - warning about the relation between getLabels & compareCertificates ([563028c](https://github.com/enix/x509-certificate-exporter/commit/563028cb8cbfd1ac896506652a8cb3a5abab1710)) ### [`v3.19.1`](https://github.com/enix/x509-certificate-exporter/blob/HEAD/CHANGELOG.md#400-alpha3-2026-05-03) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v3.19.0...v3.19.1) ##### ⚠ BREAKING CHANGES - add new metric gates, diags and not\_before off by defaut, - **container:** switch default variant from busybox to scratch (floating tags) - **chart:** make the Service headless by default (no ClusterIP) - the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at <https://charts.enix.io> is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: `helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>`. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so `helm install` / `helm upgrade` will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the `busybox` and `scratch` variants on linux/amd64,arm64,riscv64. Users pulling `*-alpine` tags must switch to one of the new variants — `busybox` is the closest functional replacement (still has a shell), `scratch` is the minimal distroless option. - release 4.0.0-alpha.1 ([410319d](https://github.com/enix/x509-certificate-exporter/commit/410319df3d2a3e5e45fb884a48f77d85e83ef35b)) - release 4.0.0-alpha.1 ([3f5d581](https://github.com/enix/x509-certificate-exporter/commit/3f5d581ae8b9c04ec30b24c90fa0835326b13d27)) - release 4.0.0-alpha.2 ([c43ed24](https://github.com/enix/x509-certificate-exporter/commit/c43ed24bd81a3d72ef463fcfa3b759a627fc9906)) - release 4.0.0-alpha.3 ([39d54d6](https://github.com/enix/x509-certificate-exporter/commit/39d54d62289867c5ae1e48ac8a305e2427045a64)) ##### Features - add new metric gates, diags and not\_before off by defaut, ([a719113](https://github.com/enix/x509-certificate-exporter/commit/a719113cb832c801c381abf78abb71053002214a)) - add opt-in flag to skip symlinks ([85c97e3](https://github.com/enix/x509-certificate-exporter/commit/85c97e38376aee029c6ec8f2cc2ebafb27afa46a)) - **build:** bump all Go dependencies ([fc3bff2](https://github.com/enix/x509-certificate-exporter/commit/fc3bff2ec35fcfad79b38e829cf9a4e39bc6a2c7)) - **build:** bump all Go dependencies ([e3b6c74](https://github.com/enix/x509-certificate-exporter/commit/e3b6c7440cd72ea4ec8f3d1314e48f66644999c3)) - **build:** bump Go to version 1.26.1 ([06d47be](https://github.com/enix/x509-certificate-exporter/commit/06d47becb7eb64bf6ae340ad25c171cf28f82022)) - **build:** bump Golang to version 1.20.7 ([f2a7a19](https://github.com/enix/x509-certificate-exporter/commit/f2a7a19055cd1b636928f0a71a2acbfa35c19982)) - **build:** bump Golang to version 1.21 ([4014073](https://github.com/enix/x509-certificate-exporter/commit/401407308f76e36d5e46320e199e2e650a9a6f80)) - **build:** bump Golang to version 1.21.6 ([a800033](https://github.com/enix/x509-certificate-exporter/commit/a8000336422fcdb8dc32e8aa2b76948290686fda)) - **build:** bump Golang to version 1.21.8 ([05582fc](https://github.com/enix/x509-certificate-exporter/commit/05582fc90a659b51b59b387824bb1201148274c9)) - **build:** bump Golang to version 1.21.9 ([61a0f71](https://github.com/enix/x509-certificate-exporter/commit/61a0f7155d2d315145b4fd1926a392a1bf5ffb77)) - **build:** bump Golang to version 1.22.2 ([8f15013](https://github.com/enix/x509-certificate-exporter/commit/8f1501353609644b9d1e93eba0548666c47df51f)) - **build:** bump Golang to version 1.22.5 ([956074c](https://github.com/enix/x509-certificate-exporter/commit/956074c9290b2992645c5df8f850e615279251f2)) - **build:** bump Golang to version 1.23.0 ([862481b](https://github.com/enix/x509-certificate-exporter/commit/862481bb51fac6c5fb8c73ee2c484ea66e7b2a87)) - **build:** bump Golang to version 1.23.1 ([082a818](https://github.com/enix/x509-certificate-exporter/commit/082a818fc38798e869d4ccc425e29754375a5339)) - **build:** bump Golang to version 1.23.2 ([756827c](https://github.com/enix/x509-certificate-exporter/commit/756827c6ac17ce7f7f64c7f68118c7e0a9d43074)) - **build:** bump Golang to version 1.23.4 ([1d90a66](https://github.com/enix/x509-certificate-exporter/commit/1d90a66ebb80ba0d86d9c3ca51f057ea8229f64f)) - **build:** publish OpenVEX documents for new releases ([1ed09e5](https://github.com/enix/x509-certificate-exporter/commit/1ed09e50a2be75b91e8dcbd64536c1236cf40368)) - **build:** publish SBOM documents for new releases ([3bf4f4a](https://github.com/enix/x509-certificate-exporter/commit/3bf4f4ac39b1302f0527772cd4d4a3493adedb79)) - **build:** release FreeBSD binaries for RISC-V ([0b8db06](https://github.com/enix/x509-certificate-exporter/commit/0b8db06f9809018ec878eaa51a02250074fc45a3)) - **build:** upgrade to golang 1.19 ([3916d18](https://github.com/enix/x509-certificate-exporter/commit/3916d18e575bd026b00566a6ce631b96f125b0d3)) - **build:** upgrade to golang 1.20 ([16429b9](https://github.com/enix/x509-certificate-exporter/commit/16429b9238badc3be550dfbed7fe44406dc6d6e3)) - **chart:** make the Service headless by default (no ClusterIP) ([b1d5b5c](https://github.com/enix/x509-certificate-exporter/commit/b1d5b5cbe9f23b4080661455b07110dcafa5c002)) - **chart:** remove support for legacy apiVersion (k8s < 1.16) ([7f560fd](https://github.com/enix/x509-certificate-exporter/commit/7f560fd8371fafee4c00163ec6316c8cbd401ac6)) - **charts:** add expose-secret-label parameter to exporter deployment ([905f789](https://github.com/enix/x509-certificate-exporter/commit/905f7895433f75f8c938f80ec0e18354c18c85af)) - **chart:** satisfy PSA restricted profile and OpenShift restricted-v2 SCC ([3d8b935](https://github.com/enix/x509-certificate-exporter/commit/3d8b935f2e6b3c3cf6bc93376996b3cf8fa9cb21)) - **charts:** configurable probes with values ([2f58ca0](https://github.com/enix/x509-certificate-exporter/commit/2f58ca05ebf912b24b97a3fa1c81d9b9818956f1)) - **chart:** support image digest pinning across all images ([fd81d79](https://github.com/enix/x509-certificate-exporter/commit/fd81d79a171616bf1acb3af9e67aa0b1d1c58baa)) - configurable burst and QPS in k8s client ([e002b89](https://github.com/enix/x509-certificate-exporter/commit/e002b89d281261d25b227ab99558a36d4fc2a9c6)) - **container:** bump Alpine base image to 3.17.0 ([e311864](https://github.com/enix/x509-certificate-exporter/commit/e311864d8bae7dc81c25ec0a320eeeeb854a4446)) - **container:** bump Alpine base image to 3.18.2 ([53ede98](https://github.com/enix/x509-certificate-exporter/commit/53ede98e503028ab4cd7e37552f6d6afdc17495c)) - **container:** bump Alpine base image to version 3.17.3 ([de23f78](https://github.com/enix/x509-certificate-exporter/commit/de23f78fbda6c01540d8281d68b0866f0e8d2272)) - **container:** bump Alpine base image to version 3.18.3 ([1d089c6](https://github.com/enix/x509-certificate-exporter/commit/1d089c68cf443e6c32f382626e2e0c288684910d)) - **container:** bump Alpine base image to version 3.19.0 ([fc71664](https://github.com/enix/x509-certificate-exporter/commit/fc71664ac13cc90294ac9043668b0facaca11c53)) - **container:** bump Alpine base image to version 3.19.1 ([9d0f7b5](https://github.com/enix/x509-certificate-exporter/commit/9d0f7b5585f9b50741c4ec6befa237b9da914c30)) - **container:** bump Alpine base image to version 3.20.1 ([500829e](https://github.com/enix/x509-certificate-exporter/commit/500829e5cde81e0dedfd03896ca5e496e3301c2b)) - **container:** bump Alpine base image to version 3.20.2 ([3d2904a](https://github.com/enix/x509-certificate-exporter/commit/3d2904aa0b0cd49dcf2174fb624b27c5f62b9914)) - **container:** bump Alpine base image to version 3.20.2 ([1738e29](https://github.com/enix/x509-certificate-exporter/commit/1738e298e643579ab25d40388795582fca11833f)) - **container:** bump Alpine base image to version 3.21.0 ([476b093](https://github.com/enix/x509-certificate-exporter/commit/476b09364c9429a67d1a1c484448c871e852a08d)) - **container:** bump Alpine base image to version 3.22.0 ([e0511a0](https://github.com/enix/x509-certificate-exporter/commit/e0511a0a483bd91720be62250562c667101300ec)) - **container:** bump Alpine base image version to 3.23.3 ([29c9c9a](https://github.com/enix/x509-certificate-exporter/commit/29c9c9af0274c59573483563e9aed2d281cfaff8)) - **container:** bump Busybox base image to version 1.36 ([29464ca](https://github.com/enix/x509-certificate-exporter/commit/29464caab5d3d8584f4c46dd30e9339b393afa8b)) - **container:** bump Busybox base image to version 1.36.1 ([8201737](https://github.com/enix/x509-certificate-exporter/commit/8201737a8ac37fa59b24c1165b9e03ad52d4e17a)) - **container:** bump Busybox base image to version 1.37.0 ([bf1f613](https://github.com/enix/x509-certificate-exporter/commit/bf1f61308c143e18b849615b015822860d00fe73)) - **container:** images for RISC-V now track Alpine stable ([eb7752a](https://github.com/enix/x509-certificate-exporter/commit/eb7752a93072b3d52d0f7d0e504b3d70e6fbd663)) - **container:** publish images to GitHub Registry (GHCR) ([26f924d](https://github.com/enix/x509-certificate-exporter/commit/26f924dd44fb76eecd12ab69bef2676606da42b0)) - **container:** switch Busybox images to glibc flavor (fix for RISC-V) ([8f97b98](https://github.com/enix/x509-certificate-exporter/commit/8f97b98c862f83d0c25c2994942b1ea90c6459da)) - **container:** switch default variant from busybox to scratch (floating tags) ([5ef7b43](https://github.com/enix/x509-certificate-exporter/commit/5ef7b43913287d37b32a390e5bb2972706c51a83)) - **container:** switch to stable Alpine base images for RISC-V ([92860e2](https://github.com/enix/x509-certificate-exporter/commit/92860e287a63d823c5347b2a78bff5d331800c06)) - **deploy,chart:** make metricRelabelings configurable in ServiceMonitor and PodMonitor ([6f81197](https://github.com/enix/x509-certificate-exporter/commit/6f8119721053fcbcc7c652de5622ac7f838cb771)) - **exporter:** ability to expose k8s labels as prometheus metrics labels ([cee171c](https://github.com/enix/x509-certificate-exporter/commit/cee171c4e49e5964ea12fa9cdce0aff064a908e0)) - **exporter:** add auto tuning of GC memory limit (automemlimit) ([cc3b0c0](https://github.com/enix/x509-certificate-exporter/commit/cc3b0c074b76a4e8e8730a2ff52c70dc3f410f4b)) - **exporter:** use `automaxprocs` to limit threads count ([efd7a6e](https://github.com/enix/x509-certificate-exporter/commit/efd7a6eebcb03f99f34563be306a1629f3514ded)) - globbing support for -d ([cbebdde](https://github.com/enix/x509-certificate-exporter/commit/cbebdde4b57b02f118c1fcc89ef92b9550680e34)) - globbing support for -f option ([7fa2298](https://github.com/enix/x509-certificate-exporter/commit/7fa2298724fe92ce9da656ae2bc52e0e3f83812c)) - globbing support for -k ([30b406e](https://github.com/enix/x509-certificate-exporter/commit/30b406e5d21204335dbb32e58ae0a3075f9c385f)) - **helm:** add deployment and daemonSet annotations ([5d81768](https://github.com/enix/x509-certificate-exporter/commit/5d817685e7de515c756be213a34a71bca75dfe9e)) - **helm:** add the Grafana dashboard ([f145ffc](https://github.com/enix/x509-certificate-exporter/commit/f145ffc4d08b9872fe44bd7a4cc53b967ce3a4e8)), closes [#&#8203;136](https://github.com/enix/x509-certificate-exporter/issues/136) - **helm:** added extraArgs ([d2466a1](https://github.com/enix/x509-certificate-exporter/commit/d2466a1d836d45641ee912a13abc92b96f55f73f)) - **helm:** bump kube-rbac-proxy to v0.13.1 and pull new repository ([412f225](https://github.com/enix/x509-certificate-exporter/commit/412f2259f2e25c1ad1565753f27abd0b60076017)) - **helm:** do not use a headless Service by default ([a5d2bf8](https://github.com/enix/x509-certificate-exporter/commit/a5d2bf8714db30ea2707572148930cdbc4d03125)), closes [#&#8203;50](https://github.com/enix/x509-certificate-exporter/issues/50) - **helm:** increase CPU limits for all containers ([902a45e](https://github.com/enix/x509-certificate-exporter/commit/902a45e03a6532ca84e41256d97ee731fe77dcd8)) - **helm:** introduce `extraDeployVerbatim` to skip templating engine ([8b88740](https://github.com/enix/x509-certificate-exporter/commit/8b88740badfda8a55bf566591f0008c1557b4e9a)) - **helm:** make revisionHistoryLimit configurable ([6fc58ab](https://github.com/enix/x509-certificate-exporter/commit/6fc58abbdb5f8393cf4b32827739effd8ee30f59)) - **helm:** mount of additional volumes ([c3430d4](https://github.com/enix/x509-certificate-exporter/commit/c3430d441c4350e2bd3b6f58e372296cc2c779c6)) - **helm:** new value to override release namespace ([4c34353](https://github.com/enix/x509-certificate-exporter/commit/4c343538c32cc6774086d0b4e3c71bd211cdc944)) - **helm:** new value to set HostPath type for DaemonSet volumes ([290094a](https://github.com/enix/x509-certificate-exporter/commit/290094a8d50a78749801d7c6a81f006aed1d5bba)) - **helm:** options to set the priority class ([f956d29](https://github.com/enix/x509-certificate-exporter/commit/f956d292103c22c142c6df63c5231bb8891c8484)) - **helm:** report time left in expiration alert ([45d9b15](https://github.com/enix/x509-certificate-exporter/commit/45d9b15b6532faab4819fa64efdb3ab9e99fa945)) - **helm:** support custom TLS config ([ff99541](https://github.com/enix/x509-certificate-exporter/commit/ff9954126b5ecea0e550d013554c957e8b93f8aa)) - **helm:** support for "web configuration" (HTTP auth and TLS) ([0bc9f17](https://github.com/enix/x509-certificate-exporter/commit/0bc9f177d66eeb3e23febe1d69fd52a14f3228d5)) - **helm:** switch to OCI artifacts (still tracked by Helm repository) ([c9fd9d0](https://github.com/enix/x509-certificate-exporter/commit/c9fd9d0e646a45055f2ae9742c7caa90d285d9a8)) - **helm:** upgrade hook to handle immutable changes with 3.20.0 ([6fe7f4a](https://github.com/enix/x509-certificate-exporter/commit/6fe7f4a26da26629ce6fe83dee646d7000fee3d5)) - include or exclude namespaces to watch based on their labels ([fc47f9b](https://github.com/enix/x509-certificate-exporter/commit/fc47f9b1abc7741b350c8408ca50a33f1eb12a7c)) - rewrite from scratch with new architecture and toolchain ([b4f3f84](https://github.com/enix/x509-certificate-exporter/commit/b4f3f84086a9feed9f32da678ffe7af2eda1a4fb)) - symlink path mapping and containment ([bbd179c](https://github.com/enix/x509-certificate-exporter/commit/bbd179c05b643d1221e490d1fd2ccb0bae65e574)) - unify log format to use structured logs only ([645a3ca](https://github.com/enix/x509-certificate-exporter/commit/645a3cab43c5a97ee26e0d69bd4edb461e933202)) ##### Bug Fixes - bundle errors not reaching the stats UI ([cbd2724](https://github.com/enix/x509-certificate-exporter/commit/cbd272456ffdfe9f12ccbc4850b94cf3a7f90336)) - **chart:** add `app.kubernetes.io/component` label to identify different resources ([dad3408](https://github.com/enix/x509-certificate-exporter/commit/dad3408f5403fe55c824e17424429e8b14c3d80e)) - **ci:** print line numbers for golang-ci-lint ([e2d8253](https://github.com/enix/x509-certificate-exporter/commit/e2d82531dfeac82d99787c2606ab0242ea47f405)) - clusterlevel resources dont need namespaces ([4cbacc6](https://github.com/enix/x509-certificate-exporter/commit/4cbacc61be5e79fec0cbf1b711330fd4ff3d2a4f)) - consider no match as a read error ([8d11d1a](https://github.com/enix/x509-certificate-exporter/commit/8d11d1a0cc1ffe06798110dabb0e19a3b24674da)) - **deploy,chart:** remove cpu limits for secretsExporter and hostPathsExporter ([a9d4a86](https://github.com/enix/x509-certificate-exporter/commit/a9d4a86ce60543be47824386b2d8ff94b7f721eb)) - don't delay server initialization while caches are populated ([0bf10f5](https://github.com/enix/x509-certificate-exporter/commit/0bf10f5f5a3e4159ac6e02c2c49877cea9224c80)) - don't list all namespaces if not needed for filtering ([d5adc63](https://github.com/enix/x509-certificate-exporter/commit/d5adc6339425381e332832f4e57c7c60b907104d)) - **helm:** allow customization of httpGet heathchecks for TLS users ([11d8af4](https://github.com/enix/x509-certificate-exporter/commit/11d8af41e6dc685344114d10a9cb7c0cdc5adf78)), closes [#&#8203;445](https://github.com/enix/x509-certificate-exporter/issues/445) - **helm:** allow secretsExporter.replicas to be set to 0 ([bdcf627](https://github.com/enix/x509-certificate-exporter/commit/bdcf6275c5bc15c0aaaac4dd0ac953212f7315cc)) - **helm:** DaemonSets inherit global podAnnotations ([1a670ed](https://github.com/enix/x509-certificate-exporter/commit/1a670ed3012050d17237f15df9309db3d9bac071)), closes [#&#8203;106](https://github.com/enix/x509-certificate-exporter/issues/106) - **helm:** extraVolumeMounts omitted if webConfiguration not set ([45a55f0](https://github.com/enix/x509-certificate-exporter/commit/45a55f0cd96ec475367f64737b2b6481084714fd)) - **helm:** grammar in Prometheus alerts descriptions ([7803a4b](https://github.com/enix/x509-certificate-exporter/commit/7803a4b8b762b034c7e7df1e0e40479856647f11)) - **helm:** namespace override value in DaemonSet template ([26d6a88](https://github.com/enix/x509-certificate-exporter/commit/26d6a883c39c7d42e9463ba0321ff037361f228a)) - **helm:** resolve redundant double slashes (//) in certificate monitoring paths ([ce27399](https://github.com/enix/x509-certificate-exporter/commit/ce27399b4c354ed25c02f5828a82ca6c5b30e3be)) - **kubernetes:** fetch ConfigMaps when keys are configured ([77f58c1](https://github.com/enix/x509-certificate-exporter/commit/77f58c10c84021936778adf9f58f833baeddf481)), closes [#&#8203;368](https://github.com/enix/x509-certificate-exporter/issues/368) - linter issues ([c2707f5](https://github.com/enix/x509-certificate-exporter/commit/c2707f53243e09f444310dfd5099079d8723bd54)) - properly resolve relative syminks ([a59a7ab](https://github.com/enix/x509-certificate-exporter/commit/a59a7ab7393137a385434640fce695afda1719f0)) - properly resolve symlink paths ([#&#8203;86](https://github.com/enix/x509-certificate-exporter/issues/86)) ([beb88b3](https://github.com/enix/x509-certificate-exporter/commit/beb88b34b490add4015c8b380d975eb9cb340d44)) - shrinkSecret to actually shrink ([3bb2ed2](https://github.com/enix/x509-certificate-exporter/commit/3bb2ed2ac09853458f887bf1a9659ae921a9d255)) - use doublestar fork to properly resolve symlinks ([f7944e4](https://github.com/enix/x509-certificate-exporter/commit/f7944e4b41abefae9b61f1327e7f3416008fcfe6)) ##### Documentation - **3to4:** fix codeql warning on typescript syntax ([584ecdb](https://github.com/enix/x509-certificate-exporter/commit/584ecdb351e80634b3a369354221b92822ef9e0a)) - add a v3 to v4 migration guide ([da6ba51](https://github.com/enix/x509-certificate-exporter/commit/da6ba51d937d09221b55dc09deafc4a54a32fa49)) - add security policy with reporting channels and scope ([146d4c0](https://github.com/enix/x509-certificate-exporter/commit/146d4c0c3149b86b370b60dd00f3a75b904e2c54)) - add v3-to-v4 migration guide ([d93d187](https://github.com/enix/x509-certificate-exporter/commit/d93d1879fc36f058248a3db31ce3dd18cf2a8d1b)) - **assets:** new alternative logo ([0a7d655](https://github.com/enix/x509-certificate-exporter/commit/0a7d655048928e1b66cccb973907f43f83745f47)) - **chart:** add a menu ([1212b90](https://github.com/enix/x509-certificate-exporter/commit/1212b902d53de19b0068d6b4d23be11199c6af28)) - **chart:** fix image URLs in README ([79e927e](https://github.com/enix/x509-certificate-exporter/commit/79e927ebb2d7538bb9858e88a62b0c3bed93d086)) - **chart:** link to the hardening guide ([1a39d3f](https://github.com/enix/x509-certificate-exporter/commit/1a39d3f736fc017d18c60ffdefa9b3d7411a75fd)) - **chart:** remove old notes ; link to curated starter values ([a393d5a](https://github.com/enix/x509-certificate-exporter/commit/a393d5aaa5d92ee332dc59d14d0f3161531ac7e8)) - **chart:** run helm-docs to update values in README.md ([3b930c7](https://github.com/enix/x509-certificate-exporter/commit/3b930c792cd8318abe65dd1683a6dd05b2720018)) - **chart:** update README with new project template ; migration to v4 ([a90955b](https://github.com/enix/x509-certificate-exporter/commit/a90955b143d806492cce100b1b7735ef33283d7e)) - clarify that hostPathsExporter was implemented for RKE ([bb1dd92](https://github.com/enix/x509-certificate-exporter/commit/bb1dd927b38ce58b139878369521aaaf9e8f4739)) - dedicated metrics reference under docs/ ([6b5078c](https://github.com/enix/x509-certificate-exporter/commit/6b5078cd062e27dcf1cab0c7c072cbd82cdd7542)) - **examples:** add curated values.yaml starters for generic and per-distro setups ([297fd74](https://github.com/enix/x509-certificate-exporter/commit/297fd7489d684188acfa648d3a6773d1b9d6367a)) - Fix Linux deploy README ([d3d81e7](https://github.com/enix/x509-certificate-exporter/commit/d3d81e798deef9c40d0379527f96957700a6565f)) - fix markdown linting issues ([5bcb838](https://github.com/enix/x509-certificate-exporter/commit/5bcb838941fe30dca0b9d8b556daa9a6fc207795)) - fix typo ([78d54a7](https://github.com/enix/x509-certificate-exporter/commit/78d54a757c3c1790ede2689080f2386e37b6ed4f)) - **helm:** emojis not requiring VS16 for colors in anchrored headers ([3646831](https://github.com/enix/x509-certificate-exporter/commit/364683145993d3bd1cf276c8f56e7e516c284d32)) - **helm:** fix english texts ([6e033bd](https://github.com/enix/x509-certificate-exporter/commit/6e033bd18d733340014fec981b6d7721c3b8f82a)) - **helm:** fix value description and run helm-docs to update README ([dec9be8](https://github.com/enix/x509-certificate-exporter/commit/dec9be8a67abb799952e2e57e422458c9374c9a9)) - **helm:** fix values comment to pass helm linter ([d907077](https://github.com/enix/x509-certificate-exporter/commit/d90707708a167ee9097aaccd4da13050a46c5dcc)) - **helm:** refactor the concepts section ([e0b9d71](https://github.com/enix/x509-certificate-exporter/commit/e0b9d7187a8ad5c56c5f204ec762362800e2a165)) - **helm:** strip VS16 from emojis to fix GitHub anchors ([2f19db6](https://github.com/enix/x509-certificate-exporter/commit/2f19db62e4a4e8e174110c19a44f44cd90c773cb)) - **helm:** update values documentation in README ([c8395dd](https://github.com/enix/x509-certificate-exporter/commit/c8395dd75e858ed7c5362de572f4ea1c0e5d149f)) - **helm:** update values in README ([de59c88](https://github.com/enix/x509-certificate-exporter/commit/de59c885f023f7d41f50a8615a226a8328c9a273)) - **helm:** use Github generated anchror slugs for headings with VS16 emojis ([4485844](https://github.com/enix/x509-certificate-exporter/commit/448584425492f390297e8b974767db77e12b3dbf)) - **metrics:** new gates ; fixed labels ; better promql snippets ; cardinality clarification ([c28eb69](https://github.com/enix/x509-certificate-exporter/commit/c28eb69fdac472b49f9a972fd0f808958d9409d7)) - new page with frequent questions ([ba3bd51](https://github.com/enix/x509-certificate-exporter/commit/ba3bd512071bce439545ea784f645bdd413a3de1)) - **README:** add logo and refactor badges ([efe4de8](https://github.com/enix/x509-certificate-exporter/commit/efe4de88a9cd5b7f2d4268a93c775a9ddcd6e0e3)) - **README:** fix broken link for sigstore ; better badge label ([30d3015](https://github.com/enix/x509-certificate-exporter/commit/30d301500f61a5e858b6eba92b3aa5efb6a77aec)) - **README:** fix links to the github project ([0a780d9](https://github.com/enix/x509-certificate-exporter/commit/0a780d941009db3128ed38e9f59000a3c18c62a0)) - **README:** new sections and markdown readability ([1df03e4](https://github.com/enix/x509-certificate-exporter/commit/1df03e450e79fc35e77ad82e04e01c0c03d25fd8)) - **readme:** refresh file with helm-docs ([71ff80c](https://github.com/enix/x509-certificate-exporter/commit/71ff80c6bb66cffb3d3b8b5d68b970b5a1dc90af)) - **README:** relocate hardening to a dedicated page ; add a menu ([30d1174](https://github.com/enix/x509-certificate-exporter/commit/30d1174718c8da2a58e6bdc8891911f4938ff6e4)) - relocate grafana dashboard screenshot ([9cbeb94](https://github.com/enix/x509-certificate-exporter/commit/9cbeb941ee51c45e1d8f2ab19098735d3399325b)) - **SECURITY:** drop schedule ([7d68bd5](https://github.com/enix/x509-certificate-exporter/commit/7d68bd5e37c9df316caf3265d0d1ff7ab68b98bd)) - **SECURITY:** restore timeline ([b45520f](https://github.com/enix/x509-certificate-exporter/commit/b45520f7ff0d3f738391912734054eb6d1d85764)) - **v3-to-v4:** clarify the deprecation of CLI flags ([3dd744b](https://github.com/enix/x509-certificate-exporter/commit/3dd744b8569517d46b57321edbefd35f8b48c3b7)) - **v3-to-v4:** drop hallucinated content ([aa87503](https://github.com/enix/x509-certificate-exporter/commit/aa8750399ae0d112253d280a8b26212faed04221)) - warning about the relation between getLabels & compareCertificates ([563028c](https://github.com/enix/x509-certificate-exporter/commit/563028cb8cbfd1ac896506652a8cb3a5abab1710)) ### [`v3.19.0`](https://github.com/enix/x509-certificate-exporter/blob/HEAD/CHANGELOG.md#400-alpha3-2026-05-03) [Compare Source](https://github.com/enix/x509-certificate-exporter/compare/v3.18.1...v3.19.0) ##### ⚠ BREAKING CHANGES - add new metric gates, diags and not\_before off by defaut, - **container:** switch default variant from busybox to scratch (floating tags) - **chart:** make the Service headless by default (no ClusterIP) - the Helm chart is now published exclusively as an OCI artifact at oci://quay.io/enix/charts/x509-certificate-exporter. The legacy Helm repository at <https://charts.enix.io> is no longer updated; users must switch to the OCI reference (Helm 3.8+ required). Installation: `helm install x509-certificate-exporter oci://quay.io/enix/charts/x509-certificate-exporter --version <vX.Y.Z>`. the Helm chart's values schema may diverge from v3 in edge cases despite a best-effort to preserve backwards compatibility. Review your existing values against the updated chart/values.yaml before upgrading. A JSON schema (chart/values.schema.json) is shipped with the chart so `helm install` / `helm upgrade` will reject any values that no longer match the expected shape, surfacing regressions early instead of at runtime. Alpine-based container images are no longer published. The release pipeline now ships only the `busybox` and `scratch` variants on linux/amd64,arm64,riscv64. Users pulling `*-alpine` tags must switch to one of the new variants — `busybox` is the closest functional replacement (still has a shell), `scratch` is the minimal distroless option. - release 4.0.0-alpha.1 ([410319d](https://github.com/enix/x509-certificate-exporter/commit/410319df3d2a3e5e45fb884a48f77d85e83ef35b)) - release 4.0.0-alpha.1 ([3f5d581](https://github.com/enix/x509-certificate-exporter/commit/3f5d581ae8b9c04ec30b24c90fa0835326b13d27)) - release 4.0.0-alpha.2 ([c43ed24](https://github.com/enix/x509-certificate-exporter/commit/c43ed24bd81a3d72ef463fcfa3b759a627fc9906)) - release 4.0.0-alpha.3 ([39d54d6](https://github.com/enix/x509-certificate-exporter/commit/39d54d62289867c5ae1e48ac8a305e2427045a64)) ##### Features - add new metric gates, diags and not\_before off by defaut, ([a719113](https://github.com/enix/x509-certificate-exporter/commit/a719113cb832c801c381abf78abb71053002214a)) - add opt-in flag to skip symlinks ([85c97e3](https://github.com/enix/x509-certificate-exporter/commit/85c97e38376aee029c6ec8f2cc2ebafb27afa46a)) - **build:** bump all Go dependencies ([fc3bff2](https://github.com/enix/x509-certificate-exporter/commit/fc3bff2ec35fcfad79b38e829cf9a4e39bc6a2c7)) - **build:** bump all Go dependencies ([e3b6c74](https://github.com/enix/x509-certificate-exporter/commit/e3b6c7440cd72ea4ec8f3d1314e48f66644999c3)) - **build:** bump Go to version 1.26.1 ([06d47be](https://github.com/enix/x509-certificate-exporter/commit/06d47becb7eb64bf6ae340ad25c171cf28f82022)) - **build:** bump Golang to version 1.20.7 ([f2a7a19](https://github.com/enix/x509-certificate-exporter/commit/f2a7a19055cd1b636928f0a71a2acbfa35c19982)) - **build:** bump Golang to version 1.21 ([4014073](https://github.com/enix/x509-certificate-exporter/commit/401407308f76e36d5e46320e199e2e650a9a6f80)) - **build:** bump Golang to version 1.21.6 ([a800033](https://github.com/enix/x509-certificate-exporter/commit/a8000336422fcdb8dc32e8aa2b76948290686fda)) - **build:** bump Golang to version 1.21.8 ([05582fc](https://github.com/enix/x509-certificate-exporter/commit/05582fc90a659b51b59b387824bb1201148274c9)) - **build:** bump Golang to version 1.21.9 ([61a0f71](https://github.com/enix/x509-certificate-exporter/commit/61a0f7155d2d315145b4fd1926a392a1bf5ffb77)) - **build:** bump Golang to version 1.22.2 ([8f15013](https://github.com/enix/x509-certificate-exporter/commit/8f1501353609644b9d1e93eba0548666c47df51f)) - **build:** bump Golang to version 1.22.5 ([956074c](https://github.com/enix/x509-certificate-exporter/commit/956074c9290b2992645c5df8f850e615279251f2)) - **build:** bump Golang to version 1.23.0 ([862481b](https://github.com/enix/x509-certificate-exporter/commit/862481bb51fac6c5fb8c73ee2c484ea66e7b2a87)) - **build:** bump Golang to version 1.23.1 ([082a818](https://github.com/enix/x509-certificate-exporter/commit/082a818fc38798e869d4ccc425e29754375a5339)) - **build:** bump Golang to version 1.23.2 ([756827c](https://github.com/enix/x509-certificate-exporter/commit/756827c6ac17ce7f7f64c7f68118c7e0a9d43074)) - **build:** bump Golang to version 1.23.4 ([1d90a66](https://github.com/enix/x509-certificate-exporter/commit/1d90a66ebb80ba0d86d9c3ca51f057ea8229f64f)) - **build:** publish OpenVEX documents for new releases ([1ed09e5](https://github.com/enix/x509-certificate-exporter/commit/1ed09e50a2be75b91e8dcbd64536c1236cf40368)) - **build:** publish SBOM documents for new releases ([3bf4f4a](https://github.com/enix/x509-certificate-exporter/commit/3bf4f4ac39b1302f0527772cd4d4a3493adedb79)) - **build:** release FreeBSD binaries for RISC-V ([0b8db06](https://github.com/enix/x509-certificate-exporter/commit/0b8db06f9809018ec878eaa51a02250074fc45a3)) - **build:** upgrade to golang 1.19 ([3916d18](https://github.com/enix/x509-certificate-exporter/commit/3916d18e575bd026b00566a6ce631b96f125b0d3)) - **build:** upgrade to golang 1.20 ([16429b9](https://github.com/enix/x509-certificate-exporter/commit/16429b9238badc3be550dfbed7fe44406dc6d6e3)) - **chart:** make the Service headless by default (no ClusterIP) ([b1d5b5c](https://github.com/enix/x509-certificate-exporter/commit/b1d5b5cbe9f23b4080661455b07110dcafa5c002)) - **chart:** remove support for legacy apiVersion (k8s < 1.16) ([7f560fd](https://github.com/enix/x509-certificate-exporter/commit/7f560fd8371fafee4c00163ec6316c8cbd401ac6)) - **charts:** add expose-secret-label parameter to exporter deployment ([905f789](https://github.com/enix/x509-certificate-exporter/commit/905f7895433f75f8c938f80ec0e18354c18c85af)) - **chart:** satisfy PSA restricted profile and OpenShift restricted-v2 SCC ([3d8b935](https://github.com/enix/x509-certificate-exporter/commit/3d8b935f2e6b3c3cf6bc93376996b3cf8fa9cb21)) - **charts:** configurable probes with values ([2f58ca0](https://github.com/enix/x509-certificate-exporter/commit/2f58ca05ebf912b24b97a3fa1c81d9b9818956f1)) - **chart:** support image digest pinning across all images ([fd81d79](https://github.com/enix/x509-certificate-exporter/commit/fd81d79a171616bf1acb3af9e67aa0b1d1c58baa)) - configurable burst and QPS in k8s client ([e002b89](https://github.com/enix/x509-certificate-exporter/commit/e002b89d281261d25b227ab99558a36d4fc2a9c6)) - **container:** bump Alpine base image to 3.17.0 ([e311864](https://github.com/enix/x509-certificate-exporter/commit/e311864d8bae7dc81c25ec0a320eeeeb854a4446)) - **container:** bump Alpine base image to 3.18.2 ([53ede98](https://github.com/enix/x509-certificate-exporter/commit/53ede98e503028ab4cd7e37552f6d6afdc17495c)) - **container:** bump Alpine base image to version 3.17.3 ([de23f78](https://github.com/enix/x509-certificate-exporter/commit/de23f78fbda6c01540d8281d68b0866f0e8d2272)) - **container:** bump Alpine base image to version 3.18.3 ([1d089c6](https://github.com/enix/x509-certificate-exporter/commit/1d089c68cf443e6c32f382626e2e0c288684910d)) - **container:** bump Alpine base image to version 3.19.0 ([fc71664](https://github.com/enix/x509-certificate-exporter/commit/fc71664ac13cc90294ac9043668b0facaca11c53)) - **container:** bump Alpine base image to version 3.19.1 ([9d0f7b5](https://github.com/enix/x509-certificate-exporter/commit/9d0f7b5585f9b50741c4ec6befa237b9da914c30)) - **container:** bump Alpine base image to version 3.20.1 ([500829e](https://github.com/enix/x509-certificate-exporter/commit/500829e5cde81e0dedfd03896ca5e496e3301c2b)) - **container:** bump Alpine base image to version 3.20.2 ([3d2904a](https://github.com/enix/x509-certificate-exporter/commit/3d2904aa0b0cd49dcf2174fb624b27c5f62b9914)) - **container:** bump Alpine base image to version 3.20.2 ([1738e29](https://github.com/enix/x509-certificate-exporter/commit/1738e298e643579ab25d40388795582fca11833f)) - **container:** bump Alpine base image to version 3.21.0 ([476b093](https://github.com/enix/x509-certificate-exporter/commit/476b09364c9429a67d1a1c484448c871e852a08d)) - **container:** bump Alpine base image to version 3.22.0 ([e0511a0](https://github.com/enix/x509-certificate-exporter/commit/e0511a0a483bd91720be62250562c667101300ec)) - **container:** bump Alpine base image version to 3.23.3 ([29c9c9a](https://github.com/enix/x509-certificate-exporter/commit/29c9c9af0274c59573483563e9aed2d281cfaff8)) - **container:** bump Busybox base image to version 1.36 ([29464ca](https://github.com/enix/x509-certificate-exporter/commit/29464caab5d3d8584f4c46dd30e9339b393afa8b)) - **container:** bump Busybox base image to version 1.36.1 ([8201737](https://github.com/enix/x509-certificate-exporter/commit/8201737a8ac37fa59b24c1165b9e03ad52d4e17a)) - **container:** bump Busybox base image to version 1.37.0 ([bf1f613](https://github.com/enix/x509-certificate-exporter/commit/bf1f61308c143e18b849615b015822860d00fe73)) - **container:** images for RISC-V now track Alpine stable ([eb7752a](https://github.com/enix/x509-certificate-exporter/commit/eb7752a93072b3d52d0f7d0e504b3d70e6fbd663)) - **container:** publish images to GitHub Registry (GHCR) ([26f924d](https://github.com/enix/x509-certificate-exporter/commit/26f924dd44fb76eecd12ab69bef2676606da42b0)) - **container:** switch Busybox images to glibc flavor (fix for RISC-V) ([8f97b98](https://github.com/enix/x509-certificate-exporter/commit/8f97b98c862f83d0c25c2994942b1ea90c6459da)) - **container:** switch default variant from busybox to scratch (floating tags) ([5ef7b43](https://github.com/enix/x509-certificate-exporter/commit/5ef7b43913287d37b32a390e5bb2972706c51a83)) - **container:** switch to stable Alpine base images for RISC-V ([92860e2](https://github.com/enix/x509-certificate-exporter/commit/92860e287a63d823c5347b2a78bff5d331800c06)) - **deploy,chart:** make metricRelabelings configurable in ServiceMonitor and PodMonitor ([6f81197](https://github.com/enix/x509-certificate-exporter/commit/6f8119721053fcbcc7c652de5622ac7f838cb771)) - **exporter:** ability to expose k8s labels as prometheus metrics labels ([cee171c](https://github.com/enix/x509-certificate-exporter/commit/cee171c4e49e5964ea12fa9cdce0aff064a908e0)) - **exporter:** add auto tuning of GC memory limit (automemlimit) ([cc3b0c0](https://github.com/enix/x509-certificate-exporter/commit/cc3b0c074b76a4e8e8730a2ff52c70dc3f410f4b)) - **exporter:** use `automaxprocs` to limit threads count ([efd7a6e](https://github.com/enix/x509-certificate-exporter/commit/efd7a6eebcb03f99f34563be306a1629f3514ded)) - globbing support for -d ([cbebdde](https://github.com/enix/x509-certificate-exporter/commit/cbebdde4b57b02f118c1fcc89ef92b9550680e34)) - globbing support for -f option ([7fa2298](https://github.com/enix/x509-certificate-exporter/commit/7fa2298724fe92ce9da656ae2bc52e0e3f83812c)) - globbing support for -k ([30b406e](https://github.com/enix/x509-certificate-exporter/commit/30b406e5d21204335dbb32e58ae0a3075f9c385f)) - **helm:** add deployment and daemonSet annotations ([5d81768](https://github.com/enix/x509-certificate-exporter/commit/5d817685e7de515c756be213a34a71bca75dfe9e)) - **helm:** add the Grafana dashboard ([f145ffc](https://github.com/enix/x509-certificate-exporter/commit/f145ffc4d08b9872fe44bd7a4cc53b967ce3a4e8)), closes [#&#8203;136](https://github.com/enix/x509-certificate-exporter/issues/136) - **helm:** added extraArgs ([d2466a1](https://github.com/enix/x509-certificate-exporter/commit/d2466a1d836d45641ee912a13abc92b96f55f73f)) - **helm:** bump kube-rbac-proxy to v0.13.1 and pull new repository ([412f225](https://github.com/enix/x509-certificate-exporter/commit/412f2259f2e25c1ad1565753f27abd0b60076017)) - **helm:** do not use a headless Service by default ([a5d2bf8](https://github.com/enix/x509-certificate-exporter/commit/a5d2bf8714db30ea2707572148930cdbc4d03125)), closes [#&#8203;50](https://github.com/enix/x509-certificate-exporter/issues/50) - **helm:** increase CPU limits for all containers ([902a45e](https://github.com/enix/x509-certificate-exporter/commit/902a45e03a6532ca84e41256d97ee731fe77dcd8)) - **helm:** introduce `extraDeployVerbatim` to skip templating engine ([8b88740](https://github.com/enix/x509-certificate-exporter/commit/8b88740badfda8a55bf566591f0008c1557b4e9a)) - **helm:** make revisionHistoryLimit configurable ([6fc58ab](https://github.com/enix/x509-certificate-exporter/commit/6fc58abbdb5f8393cf4b32827739effd8ee30f59)) - **helm:** mount of additional volumes ([c3430d4](https://github.com/enix/x509-certificate-exporter/commit/c3430d441c4350e2bd3b6f58e372296cc2c779c6)) - **helm:** new value to override release namespace ([4c34353](https://github.com/enix/x509-certificate-exporter/commit/4c343538c32cc6774086d0b4e3c71bd211cdc944)) - **helm:** new value to set HostPath type for DaemonSet volumes ([290094a](https://github.com/enix/x509-certificate-exporter/commit/290094a8d50a78749801d7c6a81f006aed1d5bba)) - **helm:** options to set the priority class ([f956d29](https://github.com/enix/x509-certificate-exporter/commit/f956d292103c22c142c6df63c5231bb8891c8484)) - **helm:** report time left in expiration alert ([45d9b15](https://github.com/enix/x509-certificate-exporter/commit/45d9b15b6532faab4819fa64efdb3ab9e99fa945)) - **helm:** support custom TLS config ([ff99541](https://github.com/enix/x509-certificate-exporter/commit/ff9954126b5ecea0e550d013554c957e8b93f8aa)) - **helm:** support for "web configuration" (HTTP auth and TLS) ([0bc9f17](https://github.com/enix/x509-certificate-exporter/commit/0bc9f177d66eeb3e23febe1d69fd52a14f3228d5)) - **helm:** switch to OCI artifacts (still tracked by Helm repository) ([c9fd9d0](https://github.com/enix/x509-certificate-exporter/commit/c9fd9d0e646a45055f2ae9742c7caa90d285d9a8)) - **helm:** upgrade hook to handle immutable changes with 3.20.0 ([6fe7f4a](https://github.com/enix/x509-certificate-exporter/commit/6fe7f4a26da26629ce6fe83dee646d7000fee3d5)) - include or exclude namespaces to watch based on their labels ([fc47f9b](https://github.com/enix/x509-certificate-exporter/commit/fc47f9b1abc7741b350c8408ca50a33f1eb12a7c)) - rewrite from scratch with new architecture and toolchain ([b4f3f84](https://github.com/enix/x509-certificate-exporter/commit/b4f3f84086a9feed9f32da678ffe7af2eda1a4fb)) - symlink path mapping and containment ([bbd179c](https://github.com/enix/x509-certificate-exporter/commit/bbd179c05b643d1221e490d1fd2ccb0bae65e574)) - unify log format to use structured logs only ([645a3ca](https://github.com/enix/x509-certificate-exporter/commit/645a3cab43c5a97ee26e0d69bd4edb461e933202)) ##### Bug Fixes - bundle errors not reaching the stats UI ([cbd2724](https://github.com/enix/x509-certificate-exporter/commit/cbd272456ffdfe9f12ccbc4850b94cf3a7f90336)) - **chart:** add `app.kubernetes.io/component` label to identify different resources ([dad3408](https://github.com/enix/x509-certificate-exporter/commit/dad3408f5403fe55c824e17424429e8b14c3d80e)) - **ci:** print line numbers for golang-ci-lint ([e2d8253](https://github.com/enix/x509-certificate-exporter/commit/e2d82531dfeac82d99787c2606ab0242ea47f405)) - clusterlevel resources dont need namespaces ([4cbacc6](https://github.com/enix/x509-certificate-exporter/commit/4cbacc61be5e79fec0cbf1b711330fd4ff3d2a4f)) - consider no match as a read error ([8d11d1a](https://github.com/enix/x509-certificate-exporter/commit/8d11d1a0cc1ffe06798110dabb0e19a3b24674da)) - **deploy,chart:** remove cpu limits for secretsExporter and hostPathsExporter ([a9d4a86](https://github.com/enix/x509-certificate-exporter/commit/a9d4a86ce60543be47824386b2d8ff94b7f721eb)) - don't delay server initialization while caches are populated ([0bf10f5](https://github.com/enix/x509-certificate-exporter/commit/0bf10f5f5a3e4159ac6e02c2c49877cea9224c80)) - don't list all namespaces if not needed for filtering ([d5adc63](https://github.com/enix/x509-certificate-exporter/commit/d5adc6339425381e332832f4e57c7c60b907104d)) - **helm:** allow customization of httpGet heathchecks for TLS users ([11d8af4](https://github.com/enix/x509-certificate-exporter/commit/11d8af41e6dc685344114d10a9cb7c0cdc5adf78)), closes [#&#8203;445](https://github.com/enix/x509-certificate-exporter/issues/445) - **helm:** allow secretsExporter.replicas to be set to 0 ([bdcf627](https://github.com/enix/x509-certificate-exporter/commit/bdcf6275c5bc15c0aaaac4dd0ac953212f7315cc)) - **helm:** DaemonSets inherit global podAnnotations ([1a670ed](https://github.com/enix/x509-certificate-exporter/commit/1a670ed3012050d17237f15df9309db3d9bac071)), closes [#&#8203;106](https://github.com/enix/x509-certificate-exporter/issues/106) - **helm:** extraVolumeMounts omitted if webConfiguration not set ([45a55f0](https://github.com/enix/x509-certificate-exporter/commit/45a55f0cd96ec475367f64737b2b6481084714fd)) - **helm:** grammar in Prometheus alerts descriptions ([7803a4b](https://github.com/enix/x509-certificate-exporter/commit/7803a4b8b762b034c7e7df1e0e40479856647f11)) - **helm:** namespace override value in DaemonSet template ([26d6a88](https://github.com/enix/x509-certificate-exporter/commit/26d6a883c39c7d42e9463ba0321ff037361f228a)) - **helm:** resolve redundant double slashes (//) in certificate monitoring paths ([ce27399](https://github.com/enix/x509-certificate-exporter/commit/ce27399b4c354ed25c02f5828a82ca6c5b30e3be)) - **kubernetes:** fetch ConfigMaps when keys are configured ([77f58c1](https://github.com/enix/x509-certificate-exporter/commit/77f58c10c84021936778adf9f58f833baeddf481)), closes [#&#8203;368](https://github.com/enix/x509-certificate-exporter/issues/368) - linter issues ([c2707f5](https://github.com/enix/x509-certificate-exporter/commit/c2707f53243e09f444310dfd5099079d8723bd54)) - properly resolve relative syminks ([a59a7ab](https://github.com/enix/x509-certificate-exporter/commit/a59a7ab7393137a385434640fce695afda1719f0)) - properly resolve symlink paths ([#&#8203;86](https://github.com/enix/x509-certificate-exporter/issues/86)) ([beb88b3](https://github.com/enix/x509-certificate-exporter/commit/beb88b34b490add4015c8b380d975eb9cb340d44)) - shrinkSecret to actually shrink ([3bb2ed2](https://github.com/enix/x509-certificate-exporter/commit/3bb2ed2ac09853458f887bf1a9659ae921a9d255)) - use doublestar fork to properly resolve symlinks ([f7944e4](https://github.com/enix/x509-certificate-exporter/commit/f7944e4b41abefae9b61f1327e7f3416008fcfe6)) ##### Documentation - **3to4:** fix codeql warning on typescript syntax ([584ecdb](https://github.com/enix/x509-certificate-exporter/commit/584ecdb351e80634b3a369354221b92822ef9e0a)) - add a v3 to v4 migration guide ([da6ba51](https://github.com/enix/x509-certificate-exporter/commit/da6ba51d937d09221b55dc09deafc4a54a32fa49)) - add security policy with reporting channels and scope ([146d4c0](https://github.com/enix/x509-certificate-exporter/commit/146d4c0c3149b86b370b60dd00f3a75b904e2c54)) - add v3-to-v4 migration guide ([d93d187](https://github.com/enix/x509-certificate-exporter/commit/d93d1879fc36f058248a3db31ce3dd18cf2a8d1b)) - **assets:** new alternative logo ([0a7d655](https://github.com/enix/x509-certificate-exporter/commit/0a7d655048928e1b66cccb973907f43f83745f47)) - **chart:** add a menu ([1212b90](https://github.com/enix/x509-certificate-exporter/commit/1212b902d53de19b0068d6b4d23be11199c6af28)) - **chart:** fix image URLs in README ([79e927e](https://github.com/enix/x509-certificate-exporter/commit/79e927ebb2d7538bb9858e88a62b0c3bed93d086)) - **chart:** link to the hardening guide ([1a39d3f](https://github.com/enix/x509-certificate-exporter/commit/1a39d3f736fc017d18c60ffdefa9b3d7411a75fd)) - **chart:** remove old notes ; link to curated starter values ([a393d5a](https://github.com/enix/x509-certificate-exporter/commit/a393d5aaa5d92ee332dc59d14d0f3161531ac7e8)) - **chart:** run helm-docs to update values in README.md ([3b930c7](https://github.com/enix/x509-certificate-exporter/commit/3b930c792cd8318abe65dd1683a6dd05b2720018)) - **chart:** update README with new project template ; migration to v4 ([a90955b](https://github.com/enix/x509-certificate-exporter/commit/a90955b143d806492cce100b1b7735ef33283d7e)) - clarify that hostPathsExporter was implemented for RKE ([bb1dd92](https://github.com/enix/x509-certificate-exporter/commit/bb1dd927b38ce58b139878369521aaaf9e8f4739)) - dedicated metrics reference under docs/ ([6b5078c](https://github.com/enix/x509-certificate-exporter/commit/6b5078cd062e27dcf1cab0c7c072cbd82cdd7542)) - **examples:** add curated values.yaml starters for generic and per-distro setups ([297fd74](https://github.com/enix/x509-certificate-exporter/commit/297fd7489d684188acfa648d3a6773d1b9d6367a)) - Fix Linux deploy README ([d3d81e7](https://github.com/enix/x509-certificate-exporter/commit/d3d81e798deef9c40d0379527f96957700a6565f)) - fix markdown linting issues ([5bcb838](https://github.com/enix/x509-certificate-exporter/commit/5bcb838941fe30dca0b9d8b556daa9a6fc207795)) - fix typo ([78d54a7](https://github.com/enix/x509-certificate-exporter/commit/78d54a757c3c1790ede2689080f2386e37b6ed4f)) - **helm:** emojis not requiring VS16 for colors in anchrored headers ([3646831](https://github.com/enix/x509-certificate-exporter/commit/364683145993d3bd1cf276c8f56e7e516c284d32)) - **helm:** fix english texts ([6e033bd](https://github.com/enix/x509-certificate-exporter/commit/6e033bd18d733340014fec981b6d7721c3b8f82a)) - **helm:** fix value description and run helm-docs to update README ([dec9be8](https://github.com/enix/x509-certificate-exporter/commit/dec9be8a67abb799952e2e57e422458c9374c9a9)) - **helm:** fix values comment to pass helm linter ([d907077](https://github.com/enix/x509-certificate-exporter/commit/d90707708a167ee9097aaccd4da13050a46c5dcc)) - **helm:** refactor the concepts section ([e0b9d71](https://github.com/enix/x509-certificate-exporter/commit/e0b9d7187a8ad5c56c5f204ec762362800e2a165)) - **helm:** strip VS16 from emojis to fix GitHub anchors ([2f19db6](https://github.com/enix/x509-certificate-exporter/commit/2f19db62e4a4e8e174110c19a44f44cd90c773cb)) - **helm:** update values documentation in README ([c8395dd](https://github.com/enix/x509-certificate-exporter/commit/c8395dd75e858ed7c5362de572f4ea1c0e5d149f)) - **helm:** update values in README ([de59c88](https://github.com/enix/x509-certificate-exporter/commit/de59c885f023f7d41f50a8615a226a8328c9a273)) - **helm:** use Github generated anchror slugs for headings with VS16 emojis ([4485844](https://github.com/enix/x509-certificate-exporter/commit/448584425492f390297e8b974767db77e12b3dbf)) - **metrics:** new gates ; fixed labels ; better promql snippets ; cardinality clarification ([c28eb69](https://github.com/enix/x509-certificate-exporter/commit/c28eb69fdac472b49f9a972fd0f808958d9409d7)) - new page with frequent questions ([ba3bd51](https://github.com/enix/x509-certificate-exporter/commit/ba3bd512071bce439545ea784f645bdd413a3de1)) - **README:** add logo and refactor badges ([efe4de8](https://github.com/enix/x509-certificate-exporter/commit/efe4de88a9cd5b7f2d4268a93c775a9ddcd6e0e3)) - **README:** fix broken link for sigstore ; better badge label ([30d3015](https://github.com/enix/x509-certificate-exporter/commit/30d301500f61a5e858b6eba92b3aa5efb6a77aec)) - **README:** fix links to the github project ([0a780d9](https://github.com/enix/x509-certificate-exporter/commit/0a780d941009db3128ed38e9f59000a3c18c62a0)) - **README:** new sections and markdown readability ([1df03e4](https://github.com/enix/x509-certificate-exporter/commit/1df03e450e79fc35e77ad82e04e01c0c03d25fd8)) - **readme:** refresh file with helm-docs ([71ff80c](https://github.com/enix/x509-certificate-exporter/commit/71ff80c6bb66cffb3d3b8b5d68b970b5a1dc90af)) - **README:** relocate hardening to a dedicated page ; add a menu ([30d1174](https://github.com/enix/x509-certificate-exporter/commit/30d1174718c8da2a58e6bdc8891911f4938ff6e4)) - relocate grafana dashboard screenshot ([9cbeb94](https://github.com/enix/x509-certificate-exporter/commit/9cbeb941ee51c45e1d8f2ab19098735d3399325b)) - **SECURITY:** drop schedule ([7d68bd5](https://github.com/enix/x509-certificate-exporter/commit/7d68bd5e37c9df316caf3265d0d1ff7ab68b98bd)) - **SECURITY:** restore timeline ([b45520f](https://github.com/enix/x509-certificate-exporter/commit/b45520f7ff0d3f738391912734054eb6d1d85764)) - **v3-to-v4:** clarify the deprecation of CLI flags ([3dd744b](https://github.com/enix/x509-certificate-exporter/commit/3dd744b8569517d46b57321edbefd35f8b48c3b7)) - **v3-to-v4:** drop hallucinated content ([aa87503](https://github.com/enix/x509-certificate-exporter/commit/aa8750399ae0d112253d280a8b26212faed04221)) - warning about the relation between getLabels & compareCertificates ([563028c](https://github.com/enix/x509-certificate-exporter/commit/563028cb8cbfd1ac896506652a8cb3a5abab1710)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzYuMyIsInVwZGF0ZWRJblZlciI6IjQzLjEzNi4zIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->

volker.raschek was assigned by CSRBot 2026-05-06 20:16:52 +02:00

CSRBot added 1 commit 2026-05-07 14:13:44 +02:00

chore(deps): update dependency enix/x509-certificate-exporter to v4 fde24617cb

CSRBot force-pushed renovate/enix-x509-certificate-exporter-4.x from 4bc0321dd1 to fde24617cb 2026-05-07 14:13:44 +02:00 Compare

Some required checks are missing.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/enix-x509-certificate-exporter-4.x:renovate/enix-x509-certificate-exporter-4.x

git checkout renovate/enix-x509-certificate-exporter-4.x

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

CSRBot (CSRBot) volker.raschek (Markus Pesch)

No Assignees volker.raschek

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: volker.raschek/prometheus-x509-certificate-exporter-pkg#15