v1.13.0-alpha.0 (Pre-release)
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Welcome to the first alpha of the coming 1.13 release of cert-manager! In this release, you will be able to test the new DNS-over-HTTPS feature.
This new feature, developed by @FlorianLiebhart, allows you to use cert-manager's Let's Encrypt issuer even when UDP port 53 isn't open on egress. DNS-over-HTTPS allows you to use the environment variable `HTTPS_PROXY` in the cert-manager controller deployment so that cert-manager can work over a proxy, working around the egress limitations!
We will soon update the documentation of cert-manager to explain the use-cases and how to set it up. More info is available in the design document at https://hackmd.io/@maelvls/cert-manager-dns-01-using-dns-over-https. A massive thank you to @FlorianLiebhart for his hard work: this work was started one year ago! 🎉
🌟 This version is a pre-release version intended for testing. It might not be suitable for production uses.
Changes since 1.12
Feature
- DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. The design document is visible here: https://hackmd.io/@maelvls/cert-manager-dns-01-using-dns-over-https (#5003, @FlorianLiebhart)
- cmctl can now be imported by third parties. (#6049, @SgtCoDFish)
Bug or Regression
- `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code (#6109, @inteon)
- The issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. (#6147, @inteon)
- Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN (#6088, @cypres)
- Fixes a bug where webhook was pulling in controller's feature gates.
  ⚠️ ⚠️ BREAKING ⚠️ ⚠️ : If you deploy cert-manager using helm and have the `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use the `webhook.featureGates` field instead to define features to be enabled on webhook.
  Potentially breaking: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)
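As an added illustration (not from these release notes or the cert-manager project), the Helm values fragment below wires the DoH self-check flags and the `HTTPS_PROXY` variable onto the controller, and moves webhook feature gates to the new `webhook.featureGates` key. The `extraArgs` and `extraEnv` chart keys, the proxy address and the `NO_PROXY` ranges are assumptions; the gate names are placeholders, not real gates.

```yaml
# Added example values file for the cert-manager Helm chart.
# Assumed keys: extraArgs / extraEnv (check them against your chart version).

# Controller: run ACME DNS-01 self-checks over DNS-over-HTTPS instead of UDP 53.
extraArgs:
  # Only query the configured recursive nameservers; do not fall back to the
  # zone's authoritative servers, which would need UDP 53 egress.
  - --dns01-recursive-nameservers-only=true
  # DoH endpoint taken from the release notes; substitute your own resolver.
  - --dns01-recursive-nameservers=https://8.8.8.8/dns-query

extraEnv:
  # The DoH request is ordinary HTTPS, so it honours the proxy like any other
  # outbound call. proxy.internal.example:3128 is a placeholder address.
  - name: HTTPS_PROXY
    value: http://proxy.internal.example:3128
  # Keep in-cluster traffic (Kubernetes API, services) off the proxy.
  # Placeholder ranges; adjust to your cluster.
  - name: NO_PROXY
    value: 10.0.0.0/8,.svc,.cluster.local

# Feature gates: from this release `.featureGates` reaches only the controller.
featureGates: "ControllerGateName=true"   # placeholder gate name
webhook:
  # Gates the webhook needs must now be listed here; they are no longer
  # copied from the controller's list.
  featureGates: "WebhookGateName=true"    # placeholder gate name
```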
Other (Cleanup or Flake)
- Don't run API Priority and Fairness controller in webhook's extension apiserver (#6085, @irbekrm)
- Updates Kubernetes libraries to `v0.27.2`. (#6077, @lucacome)
Uncategorized
- All service links in helm chart deployments have been disabled. (#6144, @schrodit)
- Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. (#6034, @gdvalle)
- We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. (#6143, @schrodit)