From 1d838a82c9ef4a553423f5f105a6f8e673608af3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 30 Sep 2022 13:12:24 +0200 Subject: [PATCH 01/31] vault: document the new field "serviceAccountRef" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/configuration/vault.md | 97 +++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index c2dd25aee5..ad1a181895 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md @@ -144,6 +144,8 @@ spec: key: token ``` + + ### Authenticating with Kubernetes Service Accounts Vault can be configured so that applications can authenticate using Kubernetes 
@@ -254,6 +256,101 @@ Kubernetes 1.24 and above. key: token ``` +### Authenticating with a Kubernetes Service Account Without A Secret + +The [previous method](#static-service-account-token) of authenticating with +Vault has a major disadvantage: it relies on a less secure "static" token (by +"static", we mean a token that does not have an expiry time). + +Using the field `serviceAccountRef` instead of `secretRef`, you can let +cert-manager request ephemeral tokens. + +The first step is to create a `ServiceAccount` resource, like in the `secretRef` +method: + +```sh +kubectl create serviceaccount -n sandbox vault-issuer +``` + +Then, you will need to add an RBAC Role so that cert-manager can use the service +account: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault-issuer + namespace: sandbox +rules: + - apiGroups: [''] + resources: ['serviceaccounts/token'] + resourceNames: ['vault-issuer'] + verbs: ['create'] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault-issuer + namespace: sandbox +subjects: + - kind: ServiceAccount + name: cert-manager + namespace: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vault-issuer +``` + +Finally, you can create the Issuer resource: + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: vault-issuer + namespace: sandbox +spec: + vault: + path: pki_int/sign/example-dot-com + server: https://vault.local + auth: + kubernetes: + role: my-app-1 + mountPath: /v1/auth/kubernetes + serviceAccountRef: + name: vault-issuer +``` + +To create the role in Vault, you can use the following command: + +```bash +vault write auth/kubernetes/role/vault-issuer \ + bound_service_account_names=vault-issuer \ + bound_service_account_namespaces=sandbox \ + audience="vault://sandbox/vault-issuer" \ + policies=vault-issuer \ + ttl=1m +``` + +It is recommended to use a different Vault role each per Issuer or 
+ClusterIssuer. The `audience` allows you to restrict the Vault role to a single +Issuer or ClusterIssuer. The syntax is the following: + +```yaml +"vault:///" # For an Issuer. +"vault://" # For a ClusterIssuer. +``` + +The expiration duration for the Kubernetes tokens that are requested is +hard-coded to 10 minutes (that's the minimum accepted). The `ttl` field can be +as short as possible, since cert-manager requests a new token every time it +needs to talks to Vault. + +Although it is not recommended, you can also use the same Vault role for all of +your Issuers and ClusterIssuers by omitting the `audience` field and re-using +the same service account. + ## Verifying the issuer Deployment Once the Vault issuer has been deployed, it will be marked as ready if the From ab117a71944748c4dcd16a4c63014578d01ec92d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 21 Feb 2023 18:47:21 +0100 Subject: [PATCH 02/31] serviceAccountRef: address Richard's comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/configuration/vault.md | 217 +++++++++++++++------------- 1 file changed, 116 insertions(+), 101 deletions(-) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index ad1a181895..94bdfd9588 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md 
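Review bot: The Issuer and the Vault role in PATCH 01's `@@ -254,6 +256,101 @@` hunk do not agree on the role name: the Issuer sets `role: my-app-1` while the command writes `auth/kubernetes/role/vault-issuer`, so a reader who follows the page verbatim gets an invalid-role login failure from Vault; change the Issuer to `role: vault-issuer` (the audience `vault://sandbox/vault-issuer` already assumes that name). The command also sets `policies=vault-issuer` without saying that a Vault policy of that name permitting signing at `pki_int/sign/example-dot-com` must already exist; add that step or name it as a prerequisite. The RoleBinding subject `name: cert-manager` / `namespace: cert-manager` is the default install location and should be called out as such, and one sentence explaining that `resourceNames: ['vault-issuer']` is deliberate would help, since that restriction is what stops the controller from minting tokens for every ServiceAccount in the namespace. Wording: 'a different Vault role each per Issuer' should read 'a different Vault role for each Issuer or ClusterIssuer', and 'needs to talks to Vault' should read 'needs to talk to Vault'. Finally, `[previous method](#static-service-account-token)` targets an anchor that none of the headings visible in this hunk would produce, so it only resolves if an explicit anchor element exists above the static-token section; please confirm it does.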
@@ -144,15 +144,125 @@ spec: key: token ``` - + ### Authenticating with Kubernetes Service Accounts -Vault can be configured so that applications can authenticate using Kubernetes -[`Service Account -Tokens`](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin). -You find documentation on how to configure Vault to authenticate using Service -Account Tokens [here](https://www.vaultproject.io/docs/auth/kubernetes.html). +The [Vault Kubernetes +Auth](https://developer.hashicorp.com/vault/docs/auth/kubernetes) allows +cert-manager to authenticate to Vault using a Kubernetes Service Account Token +in order to issue certificates using Vault as a certification authority. The +Kubernetes service account token can be provided in two ways: + +- [Secretless Authentication with a Service Account](#secretless-authentication-with-a-service-account) (recommended), +- [Authentication with a Static Service Account Token](#static-service-account-token). + +#### Secretless Authentication with a Service Account + +ℹ️ This feature is available in cert-manager >= v1.12.0. + +With the secretless authentication with a service account, cert-manager creates +an ephemeral service account token using the TokenRequest API and uses it to +authenticates with Vault. These tokens are short-lived (10 minutes) and are +never stored to disk. + +This is the recommended authentication method because it does not rely on the +deprecated static service account tokens. The static service account tokens pose +a threat due to their infinite lifetime. Static service account tokens have been +disabled by default on Kubernetes 1.24. 
+ +The first step is to create a `ServiceAccount` resource: + +```sh +kubectl create serviceaccount -n sandbox vault-issuer +``` + +Then add an RBAC Role so that cert-manager can get tokens for the +ServiceAccount: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: vault-issuer + namespace: sandbox +rules: + - apiGroups: [''] + resources: ['serviceaccounts/token'] + resourceNames: ['vault-issuer'] + verbs: ['create'] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: vault-issuer + namespace: sandbox +subjects: + - kind: ServiceAccount + name: cert-manager + namespace: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: vault-issuer +``` + +Finally, create the Issuer resource: + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: vault-issuer + namespace: sandbox +spec: + vault: + path: pki_int/sign/example-dot-com + server: https://vault.local + auth: + kubernetes: + role: my-app-1 + mountPath: /v1/auth/kubernetes + serviceAccountRef: + name: vault-issuer +``` + +> **Issuer vs. ClusterIssuer:** With an Issuer resource, you can only refer to a +> service account located in the same namespace as the Issuer. With a +> ClusterIssuer, the service account must be located in the namespace that is +> configured by the flag `--cluster-scoped namespace`. + +To create the role in Vault, you can use the following command: + +```bash +vault write auth/kubernetes/role/vault-issuer \ + bound_service_account_names=vault-issuer \ + bound_service_account_namespaces=sandbox \ + audience="vault://sandbox/vault-issuer" \ + policies=vault-issuer \ + ttl=1m +``` + +It is recommended to use a different Vault role each per Issuer or +ClusterIssuer. The `audience` allows you to restrict the Vault role to a single +Issuer or ClusterIssuer. The syntax is the following: + +```yaml +"vault:///" # For an Issuer. +"vault://" # For a ClusterIssuer. 
+``` + +The expiration duration for the Kubernetes tokens that are requested is +hard-coded to 10 minutes (that's the minimum accepted). The `ttl` field can be +as short as possible, since cert-manager requests a new token every time it +needs to talks to Vault. + +Although it is not recommended, you can also use the same Vault role for all of +your Issuers and ClusterIssuers by omitting the `audience` field and re-using +the same service account. + + +#### Authentication with a Static Service Account Token For the Vault issuer to use this authentication, cert-manager must get access to the token that is stored in a Kubernetes `Secret`. Kubernetes Service Account 
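Review bot: 'Static service account tokens have been disabled by default on Kubernetes 1.24' in PATCH 02's `@@ -144,15 +144,125 @@` hunk is not accurate: since 1.24 the control plane no longer auto-creates a token Secret for each ServiceAccount, but such tokens can still be created explicitly, which is exactly what the static-token section right below tells readers to do; reword to 'are no longer created automatically since Kubernetes 1.24'. The list link `[Authentication with a Static Service Account Token](#static-service-account-token)` should be checked against the heading added in the same hunk, `#### Authentication with a Static Service Account Token`, which slugs differently, so the link only works if an explicit anchor element is kept in front of that heading. The `role: my-app-1` Issuer versus `auth/kubernetes/role/vault-issuer` mismatch from PATCH 01 is carried over unchanged, and `--cluster-scoped namespace` is not a cert-manager controller flag (PATCH 03 corrects it to `--cluster-resource-namespace`; squash that fix into this commit).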
@@ -256,101 +366,6 @@ Kubernetes 1.24 and above. key: token ``` -### Authenticating with a Kubernetes Service Account Without A Secret - -The [previous method](#static-service-account-token) of authenticating with -Vault has a major disadvantage: it relies on a less secure "static" token (by -"static", we mean a token that does not have an expiry time). - -Using the field `serviceAccountRef` instead of `secretRef`, you can let -cert-manager request ephemeral tokens. - -The first step is to create a `ServiceAccount` resource, like in the `secretRef` -method: - -```sh -kubectl create serviceaccount -n sandbox vault-issuer -``` - -Then, you will need to add an RBAC Role so that cert-manager can use the service -account: - -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: vault-issuer - namespace: sandbox -rules: - - apiGroups: [''] - resources: ['serviceaccounts/token'] - resourceNames: ['vault-issuer'] - verbs: ['create'] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: vault-issuer - namespace: sandbox -subjects: - - kind: ServiceAccount - name: cert-manager - namespace: cert-manager -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: vault-issuer -``` - -Finally, you can create the Issuer resource: - -```yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: vault-issuer - namespace: sandbox -spec: - vault: - path: pki_int/sign/example-dot-com - server: https://vault.local - auth: - kubernetes: - role: my-app-1 - mountPath: /v1/auth/kubernetes - serviceAccountRef: - name: vault-issuer -``` - -To create the role in Vault, you can use the following command: - -```bash -vault write auth/kubernetes/role/vault-issuer \ - bound_service_account_names=vault-issuer \ - bound_service_account_namespaces=sandbox \ - audience="vault://sandbox/vault-issuer" \ - policies=vault-issuer \ - ttl=1m -``` - -It is recommended to use a different Vault role each per Issuer or 
-ClusterIssuer. The `audience` allows you to restrict the Vault role to a single -Issuer or ClusterIssuer. The syntax is the following: - -```yaml -"vault:///" # For an Issuer. -"vault://" # For a ClusterIssuer. -``` - -The expiration duration for the Kubernetes tokens that are requested is -hard-coded to 10 minutes (that's the minimum accepted). The `ttl` field can be -as short as possible, since cert-manager requests a new token every time it -needs to talks to Vault. - -Although it is not recommended, you can also use the same Vault role for all of -your Issuers and ClusterIssuers by omitting the `audience` field and re-using -the same service account. - ## Verifying the issuer Deployment Once the Vault issuer has been deployed, it will be marked as ready if the From 803891f5fee0f9132bb19ed9aedb5ebcecfbf3d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Feb 2023 16:41:59 +0100 Subject: [PATCH 03/31] serviceAccoutRef: PR review suggestions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Richard Wall Signed-off-by: Maël Valais --- content/docs/configuration/vault.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index 94bdfd9588..cc274b20a9 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md @@ -230,7 +230,7 @@ spec: > **Issuer vs. ClusterIssuer:** With an Issuer resource, you can only refer to a > service account located in the same namespace as the Issuer. With a > ClusterIssuer, the service account must be located in the namespace that is -> configured by the flag `--cluster-scoped namespace`. +> configured by the flag `--cluster-resource-namespace`. To create the role in Vault, you can use the following command: 
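Review bot: The `--cluster-resource-namespace` correction in PATCH 03's first hunk is right, but the surrounding note still leaves ClusterIssuer users without a complete recipe: the Role and RoleBinding earlier in the section are written for `namespace: sandbox`, and for a ClusterIssuer both the ServiceAccount and the Role granting `create` on `serviceaccounts/token` have to live in the cluster resource namespace instead. Add one sentence saying the RBAC example must be created in that namespace for the ClusterIssuer case.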
@@ -249,7 +249,7 @@ Issuer or ClusterIssuer. The syntax is the following: ```yaml "vault:///" # For an Issuer. -"vault://" # For a ClusterIssuer. +"vault://" # For a ClusterIssuer. ``` The expiration duration for the Kubernetes tokens that are requested is From 46cdf9c29ae8ff76b1096b69e84407784a8e6fc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Feb 2023 16:42:47 +0100 Subject: [PATCH 04/31] serviceAccoutRef: PR review suggestions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Richard Wall Signed-off-by: Maël Valais --- content/docs/configuration/vault.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/configuration/vault.md b/content/docs/configuration/vault.md index cc274b20a9..c5d6df0923 100644 --- a/content/docs/configuration/vault.md +++ b/content/docs/configuration/vault.md @@ -163,7 +163,7 @@ Kubernetes service account token can be provided in two ways: With the secretless authentication with a service account, cert-manager creates an ephemeral service account token using the TokenRequest API and uses it to -authenticates with Vault. These tokens are short-lived (10 minutes) and are +authenticate with Vault. These tokens are short-lived (10 minutes) and are never stored to disk. This is the recommended authentication method because it does not rely on the From dcef30124e98d72efb53c4a5c8c6d24191fd2e25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Feb 2023 17:00:00 +0100 Subject: [PATCH 05/31] serviceAccountRef: add a release-note page for v1.12 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Maël Valais --- .spelling | 4 + content/docs/manifest.json | 132 +++++++++--------- content/docs/release-notes/README.md | 1 + .../docs/release-notes/release-notes-1.12.md | 19 +++ 4 files changed, 92 insertions(+), 64 deletions(-) create mode 100644 content/docs/release-notes/release-notes-1.12.md diff --git a/.spelling b/.spelling index 06298e9023..1c68e6ca77 100644 --- a/.spelling +++ b/.spelling @@ -553,6 +553,10 @@ NetworkPolicy mjudeikis rgl 1password +secretless +TokenRequest +v1.12.0 +v1.12.0. # TEMPORARY # these are temporarily ignored because the spellchecker diff --git a/content/docs/manifest.json b/content/docs/manifest.json index 66c12a4c27..0250d16ace 100644 --- a/content/docs/manifest.json +++ b/content/docs/manifest.json @@ -8,8 +8,8 @@ "path": "/docs/README.md" }, { - "title": "Getting Started", - "path": "/docs/getting-started/README.md" + "title": "Getting Started", + "path": "/docs/getting-started/README.md" }, { "title": "Installation", @@ -70,8 +70,8 @@ "path": "/docs/installation/upgrading/upgrading-1.10-1.11.md" }, { - "title": "v1.9 to v1.10", - "path": "/docs/installation/upgrading/upgrading-1.9-1.10.md" + "title": "v1.9 to v1.10", + "path": "/docs/installation/upgrading/upgrading-1.9-1.10.md" }, { "title": "v1.8 to v1.9", @@ -353,12 +353,12 @@ "title": "trust-manager", "routes": [ { - "title": "Introduction", - "path": "/docs/projects/trust-manager/README.md" + "title": "Introduction", + "path": "/docs/projects/trust-manager/README.md" }, { - "title": "API Reference", - "path": "/docs/projects/trust-manager/api-reference.md" + "title": "API Reference", + "path": "/docs/projects/trust-manager/api-reference.md" } ] } 
@@ -372,20 +372,20 @@ "path": "/docs/tutorials/README.md" }, { - "title": "Securing NGINX-ingress", - "path": "/docs/tutorials/acme/nginx-ingress.md" + "title": "Securing NGINX-ingress", + "path": "/docs/tutorials/acme/nginx-ingress.md" }, { - "title": "GKE + Ingress + Let's Encrypt", - "path": "/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/README.md" + "title": "GKE + Ingress + Let's Encrypt", + "path": "/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/README.md" }, { - "title": "AKS + LoadBalancer + Let's Encrypt", - "path": "/docs/tutorials/getting-started-aks-letsencrypt/README.md" + "title": "AKS + LoadBalancer + Let's Encrypt", + "path": "/docs/tutorials/getting-started-aks-letsencrypt/README.md" }, { - "title": "Migrating from Kube-LEGO", - "path": "/docs/tutorials/acme/migrating-from-kube-lego.md" + "title": "Migrating from Kube-LEGO", + "path": "/docs/tutorials/acme/migrating-from-kube-lego.md" }, { "title": "Backup and Restore Resources", @@ -421,22 +421,22 @@ } ] }, - { - "title": "Troubleshooting", - "routes": [ - { - "title": "Introduction", - "path": "/docs/troubleshooting/README.md" + { + "title": "Troubleshooting", + "routes": [ + { + "title": "Introduction", + "path": "/docs/troubleshooting/README.md" }, { - "title": "Troubleshooting ACME / Let's Encrypt Certificates", - "path": "/docs/troubleshooting/acme.md" + "title": "Troubleshooting ACME / Let's Encrypt Certificates", + "path": "/docs/troubleshooting/acme.md" }, { - "title": "Troubleshooting webhook", - "path": "/docs/troubleshooting/webhook.md" + "title": "Troubleshooting webhook", + "path": "/docs/troubleshooting/webhook.md" } - ] + ] }, { "title": "FAQ", 
@@ -544,13 +544,17 @@ "title": "Introduction", "path": "/docs/release-notes/README.md" }, + { + "title": "v1.12", + "path": "/docs/release-notes/release-notes-1.12.md" + }, { "title": "v1.11", "path": "/docs/release-notes/release-notes-1.11.md" }, { - "title": "v1.10", - "path": "/docs/release-notes/release-notes-1.10.md" + "title": "v1.10", + "path": "/docs/release-notes/release-notes-1.10.md" }, { "title": "v1.9", 
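Review bot: Almost every line changed in the `content/docs/manifest.json` hunks of PATCH 05 is a re-indentation of an entry the commit does not otherwise touch; the only functional change is the new `{ "title": "v1.12", "path": "/docs/release-notes/release-notes-1.12.md" }` block under Release Notes. Move the whitespace normalization to its own commit (or drop it) so the navigation change can be reviewed on its own and blame on those entries stays meaningful. In the `.spelling` hunk, allow-listing both `v1.12.0` and `v1.12.0.` works around the spellchecker's handling of a trailing period; rephrasing the sentence in `vault.md` so the version number does not end the sentence avoids the duplicate entry.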
@@ -691,56 +695,56 @@ } ] }, - { - "title": "Reference", - "routes": [ + { + "title": "Reference", + "routes": [ { - "title": "Introduction", - "path": "/docs/reference/README.md" + "title": "Introduction", + "path": "/docs/reference/README.md" }, { - "title": "Command Line Tool (cmctl)", - "path": "/docs/reference/cmctl.md" + "title": "Command Line Tool (cmctl)", + "path": "/docs/reference/cmctl.md" }, - { - "title": "TLS Terminology", - "path": "/docs/reference/tls-terminology.md" + { + "title": "TLS Terminology", + "path": "/docs/reference/tls-terminology.md" }, + { + "title": "Components / Docker Images", + "routes": [ { - "title": "Components / Docker Images", - "routes": [ - { - "title": "Introduction", - "path": "/docs/cli/README.md" + "title": "Introduction", + "path": "/docs/cli/README.md" }, - { - "title": "acmesolver", - "path": "/docs/cli/acmesolver.md" + { + "title": "acmesolver", + "path": "/docs/cli/acmesolver.md" }, - { - "title": "cainjector", - "path": "/docs/cli/cainjector.md" + { + "title": "cainjector", + "path": "/docs/cli/cainjector.md" }, - { - "title": "cmctl", - "path": "/docs/cli/cmctl.md" + { + "title": "cmctl", + "path": "/docs/cli/cmctl.md" }, - { - "title": "controller", - "path": "/docs/cli/controller.md" + { + "title": "controller", + "path": "/docs/cli/controller.md" }, - { - "title": "webhook", - "path": "/docs/cli/webhook.md" + { + "title": "webhook", + "path": "/docs/cli/webhook.md" } - ] + ] }, - { - "title": "API Reference", - "path": "/docs/reference/api-docs.md" + { + "title": "API Reference", + "path": "/docs/reference/api-docs.md" } - ] + ] } ] } diff --git a/content/docs/release-notes/README.md b/content/docs/release-notes/README.md index 5af72409f9..eccfdd07a1 100644 --- a/content/docs/release-notes/README.md +++ b/content/docs/release-notes/README.md 
@@ -3,6 +3,7 @@ title: Release Notes description: 'cert-manager release notes: Overview' --- +- [`v1.12`](./release-notes-1.12.md) - [`v1.11`](./release-notes-1.11.md) - [`v1.10`](./release-notes-1.10.md) - [`v1.9`](./release-notes-1.9.md) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md new file mode 100644 index 0000000000..691e939c4a --- /dev/null +++ b/content/docs/release-notes/release-notes-1.12.md @@ -0,0 +1,19 @@ +--- +title: Release 1.12 +description: 'cert-manager release notes: cert-manager 1.12' +--- + +## Major Themes + +### Support for ephemeral service account tokens in Vault + +cert-manager can now authenticate to Vault using ephemeral service account +tokens. cert-manager already knew to authenticate to Vault using the [Vault +Kubernetes Auth +Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes) but relied +on insecure service account tokens stored in Secrets. You can now configure +cert-manager in a secretless manner. With this new feature, cert-manager will +create an ephemeral service account token on your behalf and use that to +authenticate to Vault. + +> 📖 Read about [Secretless Authentication with a Service Account](../configuration/vault#secretless-authentication-with-a-service-account). From c399aae52becfd2780a909ce2d62e8182ad91f01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Feb 2023 17:13:54 +0100 Subject: [PATCH 06/31] package.json: use "npm exec" for running the "concurrently" tool MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index d78fcaebda..fe016ee889 100644 --- a/package.json +++ b/package.json 
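Review bot: In the new `release-notes-1.12.md`, the link `../configuration/vault#secretless-authentication-with-a-service-account` drops the `.md` suffix that the other relative link in this commit uses (`./release-notes-1.12.md` in the release-notes README hunk), which is what PATCH 07 later fixes; squash that fix into this commit so the intermediate state passes the link check. 'cert-manager already knew to authenticate to Vault' should read 'already knew how to authenticate to Vault', and 'insecure service account tokens stored in Secrets' is better stated as 'long-lived service account tokens stored in Secrets', which is the actual weakness the `vault.md` section describes.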
@@ -22,7 +22,7 @@ "generate:sitemap": "next-sitemap", "export": "next export", "start": "next start", - "check": "concurrently --group --timings npm:check:* # Run all the npm check:* scripts in parallel", + "check": "npm exec concurrently -y -- --group --timings npm:check:* # Run all the npm check:* scripts in parallel", "check:next-lint": "next lint", "check:links": "find content/docs -type f -name '*.md' | xargs markdown-link-check --quiet --config markdown-link-check.json 2>&1 | awk -v RS=FILE: '/ERROR/{f=1; print RS $0} END{exit f}' # Split into records based on the word FILE and print only records containing word ERROR", "check:spelling": "FORCE_COLOR=1 mdspell --report --en-us --ignore-numbers --ignore-acronyms 'content/**/*.md' 'content/**/*.html' '_layouts/*.html' '_includes/*.html' '*.html' '!**/api-docs.md' # Force color output in mdspell. # See https://github.com/lukeapage/node-markdown-spellcheck/issues/36#issuecomment-482649408 ", From fe917001fab1f6506684b450d2864184683c1a29 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Feb 2023 17:19:45 +0100 Subject: [PATCH 07/31] fix dead link MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/release-notes/release-notes-1.12.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 691e939c4a..dfc65ed60c 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md 
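Review bot: In PATCH 06's `package.json` hunk, `npm exec concurrently -y -- --group --timings npm:check:*` passes `-y` (`--yes`), which makes npm install `concurrently` from the registry without prompting whenever it is not already present in `node_modules`; a CI or developer run that skipped `npm i` would then silently pull whatever version the registry currently serves instead of the one recorded in the lockfile, and it would hide exactly the missing-install mistake described in PATCH 08's revert message. Keep the plain `concurrently ...` invocation, which `npm run` resolves from `node_modules/.bin` and which fails loudly when dependencies have not been installed.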
@@ -16,4 +16,4 @@ cert-manager in a secretless manner. With this new feature, cert-manager will create an ephemeral service account token on your behalf and use that to authenticate to Vault. -> 📖 Read about [Secretless Authentication with a Service Account](../configuration/vault#secretless-authentication-with-a-service-account). +> 📖 Read about [Secretless Authentication with a Service Account](../configuration/vault.md#secretless-authentication-with-a-service-account). From 32a3e8b2dd1a93db0a0f3b64a2f43ffd3f18d1f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 7 Mar 2023 10:32:57 +0100 Subject: [PATCH 08/31] Revert "package.json: use "npm exec" for running the "concurrently" tool" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit c399aae52becfd2780a909ce2d62e8182ad91f01. I mistakenly forgot to run "npm i" before running ./scripts/verify. Signed-off-by: Maël Valais --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index fe016ee889..d78fcaebda 100644 --- a/package.json +++ b/package.json 
@@ -22,7 +22,7 @@ "generate:sitemap": "next-sitemap", "export": "next export", "start": "next start", - "check": "npm exec concurrently -y -- --group --timings npm:check:* # Run all the npm check:* scripts in parallel", + "check": "concurrently --group --timings npm:check:* # Run all the npm check:* scripts in parallel", "check:next-lint": "next lint", "check:links": "find content/docs -type f -name '*.md' | xargs markdown-link-check --quiet --config markdown-link-check.json 2>&1 | awk -v RS=FILE: '/ERROR/{f=1; print RS $0} END{exit f}' # Split into records based on the word FILE and print only records containing word ERROR", "check:spelling": "FORCE_COLOR=1 mdspell --report --en-us --ignore-numbers --ignore-acronyms 'content/**/*.md' 'content/**/*.html' '_layouts/*.html' '_includes/*.html' '*.html' '!**/api-docs.md' # Force color output in mdspell. # See https://github.com/lukeapage/node-markdown-spellcheck/issues/36#issuecomment-482649408 ", From 09fd33b83ed1a58c0a34e8e16ead105397b038f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 7 Mar 2023 11:31:20 +0100 Subject: [PATCH 09/31] ingressClassName: swap the "class" for the "ingressClassName" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Maël Valais --- content/docs/configuration/acme/README.md | 7 +- .../docs/configuration/acme/http01/README.md | 2 +- .../upgrading/ingress-class-compatibility.md | 91 ------------------- .../upgrading/upgrading-0.7-0.8.md | 4 +- .../acme/example/ingress-tls-final.yaml | 2 +- .../tutorials/acme/example/ingress-tls.yaml | 2 +- .../docs/tutorials/acme/example/ingress.yaml | 5 +- .../example/pomerium-production-issuer.yaml | 6 +- .../acme/example/pomerium-staging-issuer.yaml | 2 +- .../acme/example/production-issuer.yaml | 36 ++++---- .../acme/example/staging-issuer.yaml | 2 +- .../docs/tutorials/acme/http-validation.md | 2 +- .../acme/migrating-from-kube-lego.md | 2 +- content/docs/tutorials/venafi/venafi.md | 3 +- 14 files changed, 37 insertions(+), 129 deletions(-) delete mode 100644 content/docs/installation/upgrading/ingress-class-compatibility.md diff --git a/content/docs/configuration/acme/README.md b/content/docs/configuration/acme/README.md index 3c658510e0..51a9014ac1 100644 --- a/content/docs/configuration/acme/README.md +++ b/content/docs/configuration/acme/README.md @@ -65,7 +65,7 @@ spec: solvers: - http01: ingress: - class: nginx + ingressClassName: nginx ``` Solvers come in the form of [`dns01`](./dns01/README.md) and @@ -123,8 +123,9 @@ spec: solvers: - http01: ingress: - class: nginx + ingressClassName: nginx ``` + > Note: cert-manager versions pre-`v1.3.0` also required users to specify the > MAC algorithm for EAB by setting > `Issuer.spec.acme.externalAccountBinding.keyAlgorithm` field. This field is @@ -296,7 +297,7 @@ spec: solvers: - http01: ingress: - class: nginx + ingressClassName: nginx selector: matchLabels: "use-http01-solver": "true" diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md index ee46fdbe40..af26949f17 100644 --- a/content/docs/configuration/acme/http01/README.md +++ b/content/docs/configuration/acme/http01/README.md 
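Review bot: The `content/docs/configuration/acme/README.md` hunks of PATCH 09 replace `class: nginx` with `ingressClassName: nginx` in every example but nowhere say which cert-manager release introduced the new solver field; readers on an older release who copy the YAML will get an unknown-field rejection from the validating webhook. Add a version note beside the examples (the file already uses that pattern in the `> Note: cert-manager versions pre-`v1.3.0` ...` paragraph that follows the second hunk) and state whether `class` is still accepted for existing Issuers, so operators know whether this is a rename or a migration they must schedule.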
@@ -43,7 +43,7 @@ spec: solvers: - http01: ingress: - class: nginx + ingressClassName: nginx ``` ## Options diff --git a/content/docs/installation/upgrading/ingress-class-compatibility.md b/content/docs/installation/upgrading/ingress-class-compatibility.md deleted file mode 100644 index 9cfe183000..0000000000 --- a/content/docs/installation/upgrading/ingress-class-compatibility.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: Notes on Ingress Class Compatibility -description: 'cert-manager installation: Notes on ingress classes and safe upgrades' ---- - -In cert-manager v1.5.4 we made a change to the HTTP-01 code which was not backwards compatible. -See [Regression: HTTP-01 challenges fail with Istio, Traefik, ingress-gce and Azure AGIC]. - -[Regression: HTTP-01 challenges fail with Istio, Traefik, ingress-gce and Azure AGIC]: https://github.com/cert-manager/cert-manager/issues/4537 - -In v1.5.5, v1.6.2 and 1.7.1 we fixed this problem. - -If you have cert-manager v1.5.3 (or below) you should skip v1.5.4 and instead: - -- upgrade to v1.5.5 -- then the newest version of cert-manager 1.6 -- and then the newest version of cert-manager 1.7 - -and you can ignore the rest of this document. - -The following notes apply to anyone upgrading from cert-manager v1.5.4, v1.6.0, v1.6.1 on Kubernetes v1.19 or later. - -# Background - -cert-manager 1.5 was released to coincide with Kubernetes 1.22, which -[removed](https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/) the `v1beta1` -Ingress API. As cert-manager creates Ingress resources to solve HTTP-01 challenges, this code path -needed to be updated. - -In the `v1beta1` spec, Ingress Class was a string annotation that was adopted by all popular -Ingress controllers by convention. In the `v1` spec, `IngressClass` is now its own resource type, -and the `.spec.ingressClassName` field on `v1` Ingresses is now a reference to that object. -As the Kubernetes documentation points out, the old and new specs are not directly equivalent. - -During the 1.5 and 1.6 cert-manager release cycles, we discovered that ingress controllers have -handled the graduation of Ingress to `v1` differently. Some treat the class as an opaque string, -similarly to the annotation. Some were unintentionally broken, as their default ingress class name -contains characters that are disallowed in object references, e.g. (`/`). 
Some now require you to -create an `IngressClass` object matching the field to work. - -cert-manager aims to be compatible with as many ingress controllers as possible. According to the -Ingress v1 [Kubernetes enhancement proposal], the deprecated annotation, if present, takes -precedence over the new field. From our perspective, the option that maintains the highest -compatibility is to only use the annotation, even when creating `v1` Ingresses. - -[Kubernetes enhancement proposal]: https://github.com/kubernetes/enhancements/tree/44dd2975dc6cdad96ca73e7b0ba1794f1196f604/keps/sig-network/1453-ingress-api#interoperability-with-previous-annotation - -# Notes For Specific Ingress Controllers - -## ingress-nginx - -If you chose not to use the IngressClass `nginx` that is created by default by the Helm chart -(e.g., you named the IngressClass `nginx-outside`), you will need to add the flags -`--ingress-class` and `--ingress-class-by-name` to your ingress-nginx deployment: - -``` ---ingress-class=nginx-outside --ingress-class-by-name=true -``` - -In case you are using the Helm chart, you will need to use at least these values: - -```yaml -ingressClassResource: - name: nginx-outside - controllerValue: k8s.io/ingress-nginx-outside -ingressClassByName: true -ingressClass: nginx-outside -``` - -## Istio - -If you are using Istio and you had to create an IngressClass while migrating to cert-manager 1.5 or 1.6 -and you chose to create an IngressClass that isn't named `istio` (e.g., you named it `istio-internal`), -you will need to change the `class` field on those Issuers back to `istio`. 
- -## Traefik - -If you are using Traefik and you had to create an IngressClass while migrating to cert-manager 1.5 -or 1.6 and the IngressClass you created isn't named `traefik` (for example, you called -the IngressClass `traefik-external`), you will need to add a command-line argument to your -Traefik deployment: - -``` ---providers.kubernetesingress.ingressclass=traefik-external -``` - -## Ambassador - -If you are using Ambassador and you had to create an IngressClass while migrating to -cert-manager 1.5 or 1.6, and the IngressClass you created isn't named `ambassador` -(e.g., `ambassador-internal`), you will need to change the `class` field on the affected Issuers back to `ambassador`. diff --git a/content/docs/installation/upgrading/upgrading-0.7-0.8.md b/content/docs/installation/upgrading/upgrading-0.7-0.8.md index e3fabdca71..d77a253205 100644 --- a/content/docs/installation/upgrading/upgrading-0.7-0.8.md +++ b/content/docs/installation/upgrading/upgrading-0.7-0.8.md @@ -78,7 +78,7 @@ spec: - selector: {} http01: ingress: - class: nginx + ingressClassName: nginx - selector: # Any Certificate resources, or Ingress resources that use # ingress-shim and match the below label selector will use this @@ -204,7 +204,7 @@ spec: - selector: {} http01: ingress: - class: nginx + ingressClassName: nginx - selector: # Any Certificate resources, or Ingress resources that use # ingress-shim and match the below label selector will use this diff --git a/content/docs/tutorials/acme/example/ingress-tls-final.yaml b/content/docs/tutorials/acme/example/ingress-tls-final.yaml index 5c90402c41..48f8094a85 100644 --- a/content/docs/tutorials/acme/example/ingress-tls-final.yaml +++ b/content/docs/tutorials/acme/example/ingress-tls-final.yaml @@ -3,10 +3,10 @@ kind: Ingress metadata: name: kuard annotations: - kubernetes.io/ingress.class: "nginx" cert-manager.io/issuer: "letsencrypt-prod" spec: + ingressClassName: nginx tls: - hosts: - example.example.com 
diff --git a/content/docs/tutorials/acme/example/ingress-tls.yaml b/content/docs/tutorials/acme/example/ingress-tls.yaml index f888087d67..60fef7448b 100644 --- a/content/docs/tutorials/acme/example/ingress-tls.yaml +++ b/content/docs/tutorials/acme/example/ingress-tls.yaml @@ -3,10 +3,10 @@ kind: Ingress metadata: name: kuard annotations: - kubernetes.io/ingress.class: "nginx" cert-manager.io/issuer: "letsencrypt-staging" spec: + ingressClassName: nginx tls: - hosts: - example.example.com diff --git a/content/docs/tutorials/acme/example/ingress.yaml b/content/docs/tutorials/acme/example/ingress.yaml index a2b8f8c4bd..0651471ca0 100644 --- a/content/docs/tutorials/acme/example/ingress.yaml +++ b/content/docs/tutorials/acme/example/ingress.yaml @@ -2,11 +2,10 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: kuard - annotations: - kubernetes.io/ingress.class: "nginx" + annotations: {} #cert-manager.io/issuer: "letsencrypt-staging" - spec: + ingressClassName: nginx tls: - hosts: - example.example.com diff --git a/content/docs/tutorials/acme/example/pomerium-production-issuer.yaml b/content/docs/tutorials/acme/example/pomerium-production-issuer.yaml index d802d4d07f..f15a289904 100644 --- a/content/docs/tutorials/acme/example/pomerium-production-issuer.yaml +++ b/content/docs/tutorials/acme/example/pomerium-production-issuer.yaml @@ -14,6 +14,6 @@ spec: name: letsencrypt-prod # Enable the HTTP-01 challenge provider solvers: - - http01: - ingress: - class: pomerium \ No newline at end of file + - http01: + ingress: + ingressClassName: pomerium diff --git a/content/docs/tutorials/acme/example/pomerium-staging-issuer.yaml b/content/docs/tutorials/acme/example/pomerium-staging-issuer.yaml index f7756ed4bb..8f8b91992a 100644 --- a/content/docs/tutorials/acme/example/pomerium-staging-issuer.yaml +++ b/content/docs/tutorials/acme/example/pomerium-staging-issuer.yaml 
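Review bot: in the content/docs/tutorials/acme/example/ingress.yaml hunk, `annotations: {}` is now immediately followed by the commented-out `#cert-manager.io/issuer: "letsencrypt-staging"` line; the moment a reader uncomments that line, as the tutorial intends, an indented key under the flow mapping `{}` is a YAML parse error and the apply fails. Suggest keeping `annotations:` as a block mapping with the comment beneath it, for example `annotations:` followed by `  #cert-manager.io/issuer: "letsencrypt-staging"`, which parses as a null map until the line is uncommented.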
@@ -16,4 +16,4 @@ spec: solvers: - http01: ingress: - class: pomerium \ No newline at end of file + ingressClassName: pomerium diff --git a/content/docs/tutorials/acme/example/production-issuer.yaml b/content/docs/tutorials/acme/example/production-issuer.yaml index 38933376db..16ed60e210 100644 --- a/content/docs/tutorials/acme/example/production-issuer.yaml +++ b/content/docs/tutorials/acme/example/production-issuer.yaml @@ -1,18 +1,18 @@ - apiVersion: cert-manager.io/v1 - kind: Issuer - metadata: - name: letsencrypt-prod - spec: - acme: - # The ACME server URL - server: https://acme-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: user@example.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-prod - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: letsencrypt-prod +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: user@example.com + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-prod + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + ingressClassName: nginx diff --git a/content/docs/tutorials/acme/example/staging-issuer.yaml b/content/docs/tutorials/acme/example/staging-issuer.yaml index 064eb04688..baea1537f9 100644 --- a/content/docs/tutorials/acme/example/staging-issuer.yaml +++ b/content/docs/tutorials/acme/example/staging-issuer.yaml @@ -15,4 +15,4 @@ solvers: - http01: ingress: - class: nginx + ingressClassName: nginx diff --git a/content/docs/tutorials/acme/http-validation.md b/content/docs/tutorials/acme/http-validation.md index d5cda8e658..192c0b6cec 100644 --- a/content/docs/tutorials/acme/http-validation.md +++ b/content/docs/tutorials/acme/http-validation.md 
@@ -41,7 +41,7 @@ spec: - selector: {} http01: ingress: - class: nginx + ingressClassName: nginx ``` We have specified the ACME server URL for Let's Encrypt's [staging diff --git a/content/docs/tutorials/acme/migrating-from-kube-lego.md b/content/docs/tutorials/acme/migrating-from-kube-lego.md index 89b3ffebc9..84992cb0fb 100644 --- a/content/docs/tutorials/acme/migrating-from-kube-lego.md +++ b/content/docs/tutorials/acme/migrating-from-kube-lego.md @@ -156,7 +156,7 @@ spec: solvers: - http01: ingress: - class: nginx + ingressClassName: nginx ``` We then submit this file to our Kubernetes cluster: diff --git a/content/docs/tutorials/venafi/venafi.md b/content/docs/tutorials/venafi/venafi.md index 505276f626..fd7f9dddea 100644 --- a/content/docs/tutorials/venafi/venafi.md +++ b/content/docs/tutorials/venafi/venafi.md @@ -553,9 +553,8 @@ kind: Ingress metadata: name: frontend-ingress namespace: demo - annotations: - kubernetes.io/ingress.class: "nginx" spec: + ingressClassName: nginx tls: - hosts: - example.com From 66cd7eb7be7b1d757f746f961c08d61556b5b935 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 7 Mar 2023 13:52:54 +0100 Subject: [PATCH 10/31] guide: fix incorrect fields "ingress" and "ingressClass" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit They should be "name" and "class". Signed-off-by: Maël Valais --- .../docs/tutorials/acme/http-validation.md | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/content/docs/tutorials/acme/http-validation.md b/content/docs/tutorials/acme/http-validation.md index 192c0b6cec..f5b084d599 100644 --- a/content/docs/tutorials/acme/http-validation.md +++ b/content/docs/tutorials/acme/http-validation.md 
@@ -108,10 +108,10 @@ verify domain ownership. To verify ownership of each domain mentioned in an `http01` stanza, cert-manager will create a Pod, Service and Ingress that exposes an HTTP endpoint that satisfies the HTTP01 challenge. -The fields `ingress` and `ingressClass` in the `http01` stanza can be used to -control how cert-manager interacts with Ingress resources: +The fields `name`, `ingressClassName`, and `class` in the `http01` stanza can be +used to control how cert-manager interacts with Ingress resources: -- If the `ingress` field is specified, then an Ingress resource with the same +- If the `name` field is specified, then an Ingress resource with the same name in the same namespace as the Certificate must already exist and it will be modified only to add the appropriate rules to solve the challenge. This field is useful for the Google Cloud Loadbalancer ingress controller, 
@@ -119,11 +119,17 @@ control how cert-manager interacts with Ingress resources: each ingress resource. Without manual intervention, creating a new ingress resource would cause any challenges to fail. -- If the `ingressClass` field is specified, a new ingress resource with a - randomly generated name will be created in order to solve the challenge. - This new resource will have an annotation with key `kubernetes.io/ingress.class` - and value set to the value of the `ingressClass` field. - This works for the likes of the NGINX ingress controller. +- If the `ingressClassName` field is specified, a new ingress resource with a + randomly generated name will be created in order to solve the challenge. This + new resource will have the field `ingressClassName` with with the value of the + `ingressClassName` field. This is the recommended way of configuring which + Ingress controller should be used. This works for the likes of the NGINX + ingress controller. +- If the `class` field is specified, a new ingress resource with a randomly + generated name will be created in order to solve the challenge. This new + resource will have an annotation with key `kubernetes.io/ingress.class` and + value set to the value of the `class` field. This field is only recommended + with ingress-gce which doesn't support the `ingressClassName` field. - If neither are specified, new ingress resources will be created with a randomly generated name, but they will not have the ingress class annotation set. - If both are specified, then the `ingress` field will take precedence. From a1dfb91dbf3953f7b18e10f1386c294096c7aa24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 7 Mar 2023 14:02:15 +0100 Subject: [PATCH 11/31] update the http01 does with ingressClassName MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
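Review bot: the @@ -119,11 +119,17 hunk in http-validation.md has a doubled word in the new `ingressClassName` bullet ("with with the value of the") and leaves the two closing bullets stale: "If neither are specified" and "If both are specified, then the `ingress` field will take precedence" still describe two fields and still use the old name `ingress`, which this very commit renames to `name`. With three fields, the last bullet should either spell out the real precedence among `name`, `ingressClassName` and `class`, or, if the CRD rejects combinations (the API reference updated later in this series says "Only one of class, name or ingressClassName may be specified"), say that instead. Silently picking one field over another would route the solver Ingress to a different controller than the operator expects, so the documented contract matters here.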
Signed-off-by: Maël Valais --- .../docs/configuration/acme/http01/README.md | 33 ++++++++++++++----- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md index af26949f17..6dbc62195a 100644 --- a/content/docs/configuration/acme/http01/README.md +++ b/content/docs/configuration/acme/http01/README.md 
@@ -52,18 +52,33 @@ The HTTP01 Issuer supports a number of additional options. For full details on the range of options available, read the [reference documentation](../../../reference/api-docs.md#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01). -### `class` +### `ingressClassName` + +> The field `ingressClassName` was added in cert-manager 1.12. + +If the `ingressClassName` field is specified, cert-manager will create new +`Ingress` resources in order to route traffic to the `acmesolver` pods, which +are responsible for responding to ACME challenge validation requests. -If the `class` field is specified, cert-manager will create new `Ingress` -resources in order to route traffic to the `acmesolver` pods, which are -responsible for responding to ACME challenge validation requests. +This is the recommended way of configuring the Ingress controller. Most Ingress +controllers support `ingressClassName`, with the notable exception of +ingress-gce. + +If `class` and `ingressClassName` are not specified, and `name` is also not +specified, cert-manager will default to create *new* `Ingress` resources but +will **not** set the ingress class on these resources, meaning *all* ingress +controllers installed in your cluster will serve traffic for the challenge +solver, potentially incurring additional cost. + +### `class` -If this field is not specified, and `name` is also not specified, -cert-manager will default to create *new* `Ingress` resources but will **not** -set the ingress class on these resources, meaning *all* ingress controllers -installed in your cluster will serve traffic for the challenge solver, -potentially incurring additional cost. +If the `class` field is specified, a new ingress resource with a randomly +generated name will be created in order to solve the challenge. This new +resource will have an annotation with key `kubernetes.io/ingress.class` and +value set to the value of the `class` field. +This field is only recommended with ingress-gce. 
ingress-gce doesn't support the +`ingressClassName` field. ### `name` From aa00c3c018ad84f892a4b6f71e05ab0653a38771 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 7 Mar 2023 14:08:18 +0100 Subject: [PATCH 12/31] add a mention in the release notes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/release-notes/release-notes-1.12.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index dfc65ed60c..cd6ab09024 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -17,3 +17,9 @@ create an ephemeral service account token on your behalf and use that to authenticate to Vault. > 📖 Read about [Secretless Authentication with a Service Account](../configuration/vault.md#secretless-authentication-with-a-service-account). + +### Support for `ingressClassName` in the HTTP-01 solver + +cert-manager now supports the `ingressClassName` field in the HTTP-01 solver. We +recommend using `ingressClassName` instead of the field `class` in your Issuers +and ClusterIssuers. From ef98aecbc971193b57c3a9867019e6aa8a78f814 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Thu, 9 Mar 2023 15:06:08 +0100 Subject: [PATCH 13/31] ingressClassName: update the API reference documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/reference/api-docs.md | 84 ++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 4 deletions(-) diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md index 35d0f49d6c..4943e086a6 100644 --- a/content/docs/reference/api-docs.md +++ b/content/docs/reference/api-docs.md @@ -785,6 +785,17 @@ description: >-

Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.

+ + + ingressClassName +
+ string + + + (Optional) +

This field configures the field ingressClassName on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of class, name or ingressClassName may be specified.

+ + class @@ -793,7 +804,7 @@ description: >- (Optional) -

The ingress class to use when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of ‘class’ or ‘name’ may be specified.

+

This field configures the annotation kubernetes.io/ingress.class when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of class, name or ingressClassName may be specified.
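Review bot: the `ingressClassName` description in the @@ -785 hunk and the rewritten `class` description in the @@ -793 hunk both state "Only one of class, name or ingressClassName may be specified", while the http-validation.md hunk earlier in this series keeps "If both are specified, then the `ingress` field will take precedence". One of the two is wrong about the contract. Please check whether the CRD validation actually rejects more than one of these fields and make the tutorial match; since this file is generated from the Go type comments, the fix belongs in the source comment and a regeneration, not a manual edit here.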

@@ -975,6 +986,19 @@ description: >-

If specified, the pod’s service account

+ + + imagePullSecrets +
+ + []Kubernetes core/v1.LocalObjectReference + + + + (Optional) +

If specified, the pod’s imagePullSecrets

+ +

ACMEChallengeSolverHTTP01IngressPodTemplate

@@ -1011,7 +1035,7 @@ description: >- (Optional) -

PodSpec defines overrides for the HTTP01 challenge solver pod. Only the ‘priorityClassName’, ‘nodeSelector’, ‘affinity’, ‘serviceAccountName’ and ‘tolerations’ fields are supported currently. All other fields will be ignored.

+

PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.



@@ -1074,6 +1098,19 @@ description: >-

If specified, the pod’s service account

+ + + +
+ imagePullSecrets +
+ + []Kubernetes core/v1.LocalObjectReference + +
+ (Optional) +

If specified, the pod’s imagePullSecrets

+
@@ -4796,6 +4833,31 @@ description: >- +

ServiceAccountRef

+

(Appears on: VaultKubernetesAuth)

+
+

ServiceAccountRef is a service account used by cert-manager to request a token. The audience cannot be configured. The audience is generated by cert-manager and takes the form vault://namespace-name/issuer-name for an Issuer and vault://issuer-name for a ClusterIssuer. The expiration of the token is also set by cert-manager to 10 minutes.

+
+ + + + + + + + + + + + + +
FieldDescription
+ name +
+ string +
+

Name of the ServiceAccount used to request a token.

+

VaultAppRole

(Appears on: VaultAuth)

@@ -4846,7 +4908,7 @@ description: >-

VaultAuth

(Appears on: VaultIssuer)

-

Configuration used to authenticate with a Vault server. Only one of tokenSecretRef, appRole or kubernetes may be specified.

+

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [tokenSecretRef, appRole or kubernetes].
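Review bot: the @@ -4846 hunk changes the VaultAuth contract from "Only one of tokenSecretRef, appRole or kubernetes may be specified" to "The order of precedence is [tokenSecretRef, appRole or kubernetes]". If that precedence is real, an Issuer that keeps a stale `tokenSecretRef` while adding `kubernetes.serviceAccountRef` will silently keep authenticating with the static token, which defeats the point of the secretless method this series introduces. Suggest confirming what the CRD and webhook actually do and, if more than one block is accepted, stating on the Vault configuration page that `tokenSecretRef` and `appRole` must be removed for `serviceAccountRef` to take effect.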

@@ -5012,9 +5074,23 @@ description: >- + + + +
+ (Optional)

The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. Use of ‘ambient credentials’ is not supported.

+ serviceAccountRef +
+ + ServiceAccountRef + +
+ (Optional) +

A reference to a service account that will be used to request a bound token (also known as “projected token”). Compared to using “secretRef”, using this field means that you don’t rely on statically bound tokens. To use this field, you must configure an RBAC rule to let cert-manager request a token.

+
role @@ -5670,5 +5746,5 @@ description: >-
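Review bot: in the @@ -5012 hunk, `secretRef` is now marked "(Optional)" but its description still reads "The required Secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault." Now that `serviceAccountRef` is the alternative, the Go doc comment should drop "required" and say that exactly one of `secretRef` or `serviceAccountRef` must be set (or what happens when both are), then be regenerated. For the `serviceAccountRef` text, "you must configure an RBAC rule to let cert-manager request a token" would benefit from one more clause: the rule only needs the `create` verb on `serviceaccounts/token`, scoped with `resourceNames` to the one ServiceAccount, so cert-manager is not granted token minting for every ServiceAccount in the namespace.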

- Generated with gen-crd-api-reference-docs on git commit 7ebb5f515. + Generated with gen-crd-api-reference-docs on git commit ca9aaa0.

From 2b69ad6498aa5b401acf349286c55507a6960f37 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Thu, 9 Mar 2023 15:06:24 +0100 Subject: [PATCH 14/31] ingressClassName: re-add the ingress-class-compatibility page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .../upgrading/ingress-class-compatibility.md | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 content/docs/installation/upgrading/ingress-class-compatibility.md diff --git a/content/docs/installation/upgrading/ingress-class-compatibility.md b/content/docs/installation/upgrading/ingress-class-compatibility.md new file mode 100644 index 0000000000..65173f578c --- /dev/null +++ b/content/docs/installation/upgrading/ingress-class-compatibility.md @@ -0,0 +1,106 @@ +--- +title: Notes on the breaking change with the `class` field that happened in cert-manager v1.5.4 +description: 'cert-manager installation: Notes on ingress classes and safe upgrades' +--- + +
+ +⚠️ This document focuses on the `class` field of the Issuer and ClusterIssuer +resources and the annotation `kubernetes.io/ingress.class`. + +If you are interested in using `ingressClassName` on your Ingress resources +when using cert-manager's HTTP-01 solver, see the page [Securing Ingress +Resources](../../configuration/acme/http01#ingressclassname). + +
+ +In cert-manager v1.5.4 we made a change to the HTTP-01 code which was not +backwards compatible. Before v1.5.4, cert-manager was using the `class` field on +the Issuer and ClusterIssuer to add the annotation +`kubernetes.io/ingress.class`. In cert-manager v1.5.4, cert-manager stopped +setting the annotation. See [Regression: HTTP-01 challenges fail with Istio, +Traefik, ingress-gce and Azure AGIC]. + +In v1.5.5, v1.6.2 and 1.7.1 we fixed this problem. + +If you have cert-manager v1.5.3 (or below) you should skip v1.5.4 and instead: + +- upgrade to v1.5.5 +- then the newest version of cert-manager 1.6 +- and then the newest version of cert-manager 1.7 + +and you can ignore the rest of this document. + +[Regression: HTTP-01 challenges fail with Istio, Traefik, ingress-gce and Azure AGIC]: https://github.com/cert-manager/cert-manager/issues/4537 + +The following notes apply to anyone upgrading from cert-manager v1.5.4, v1.6.0, v1.6.1 on Kubernetes v1.19 or later. + +# Background + +cert-manager 1.5 was released to coincide with Kubernetes 1.22, which +[removed](https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/) the `v1beta1` +Ingress API. As cert-manager creates Ingress resources to solve HTTP-01 challenges, this code path +needed to be updated. + +In the `v1beta1` spec, Ingress Class was a string annotation that was adopted by all popular +Ingress controllers by convention. In the `v1` spec, `IngressClass` is now its own resource type, +and the `.spec.ingressClassName` field on `v1` Ingresses is now a reference to that object. +As the Kubernetes documentation points out, the old and new specs are not directly equivalent. + +During the 1.5 and 1.6 cert-manager release cycles, we discovered that ingress controllers have +handled the graduation of Ingress to `v1` differently. Some treat the class as an opaque string, +similarly to the annotation. 
Some were unintentionally broken, as their default ingress class name +contains characters that are disallowed in object references, e.g. (`/`). Some now require you to +create an `IngressClass` object matching the field to work. + +cert-manager aims to be compatible with as many ingress controllers as possible. According to the +Ingress v1 [Kubernetes enhancement proposal], the deprecated annotation, if present, takes +precedence over the new field. From our perspective, the option that maintains the highest +compatibility is to only use the annotation, even when creating `v1` Ingresses. + +[Kubernetes enhancement proposal]: https://github.com/kubernetes/enhancements/tree/44dd2975dc6cdad96ca73e7b0ba1794f1196f604/keps/sig-network/1453-ingress-api#interoperability-with-previous-annotation + +# Notes For Specific Ingress Controllers + +## ingress-nginx + +If you chose not to use the IngressClass `nginx` that is created by default by +the Helm chart (e.g., you named the IngressClass `nginx-outside`), you will need +to add the flags `--ingress-class` to your ingress-nginx deployment: + +``` +--ingress-class=nginx-outside --ingress-class-by-name=true +``` + +In case you are using the Helm chart, you will need to use at least these values: + +```yaml +ingressClassResource: + name: nginx-outside + controllerValue: k8s.io/ingress-nginx-outside +ingressClassByName: true +ingressClass: nginx-outside +``` + +## Istio + +If you are using Istio and you had to create an IngressClass while migrating to cert-manager 1.5 or 1.6 +and you chose to create an IngressClass that isn't named `istio` (e.g., you named it `istio-internal`), +you will need to change the `class` field on those Issuers back to `istio`. 
+ +## Traefik + +If you are using Traefik and you had to create an IngressClass while migrating to cert-manager 1.5 +or 1.6 and the IngressClass you created isn't named `traefik` (for example, you called +the IngressClass `traefik-external`), you will need to add a command-line argument to your +Traefik deployment: + +``` +--providers.kubernetesingress.ingressclass=traefik-external +``` + +## Ambassador + +If you are using Ambassador and you had to create an IngressClass while migrating to +cert-manager 1.5 or 1.6, and the IngressClass you created isn't named `ambassador` +(e.g., `ambassador-internal`), you will need to change the `class` field on the affected Issuers back to `ambassador`. From ab1b9daafb41d5808f04908583b9f0317761a328 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Mar 2023 10:54:17 +0200 Subject: [PATCH 15/31] ingressClassName: add div and icon MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais Co-Authored-By: Richard Wall --- content/docs/configuration/acme/http01/README.md | 6 +++++- .../upgrading/ingress-class-compatibility.md | 10 +++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md index 6dbc62195a..6c6621a5a7 100644 --- a/content/docs/configuration/acme/http01/README.md +++ b/content/docs/configuration/acme/http01/README.md @@ -54,7 +54,11 @@ documentation](../../../reference/api-docs.md#acme.cert-manager.io/v1.ACMEChalle ### `ingressClassName` -> The field `ingressClassName` was added in cert-manager 1.12. +
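Review bot: in the re-added content/docs/installation/upgrading/ingress-class-compatibility.md, the ingress-nginx section now says "you will need to add the flags `--ingress-class` to your ingress-nginx deployment" while the block beneath it lists two flags (`--ingress-class=nginx-outside --ingress-class-by-name=true`). The copy of this page removed earlier in the series named both flags (`--ingress-class` and `--ingress-class-by-name`), so this looks like an accidental regression while re-adding the file; please restore the second flag name in the sentence. Since the same page is deleted in an earlier commit of this series and re-created here as a new-file hunk, squashing the two commits would also keep the file's history intact.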
+ +📌 The field `ingressClassName` was added in cert-manager 1.12. + +
If the `ingressClassName` field is specified, cert-manager will create new `Ingress` resources in order to route traffic to the `acmesolver` pods, which diff --git a/content/docs/installation/upgrading/ingress-class-compatibility.md b/content/docs/installation/upgrading/ingress-class-compatibility.md index 65173f578c..5f52b15793 100644 --- a/content/docs/installation/upgrading/ingress-class-compatibility.md +++ b/content/docs/installation/upgrading/ingress-class-compatibility.md @@ -8,11 +8,11 @@ description: 'cert-manager installation: Notes on ingress classes and safe upgra ⚠️ This document focuses on the `class` field of the Issuer and ClusterIssuer resources and the annotation `kubernetes.io/ingress.class`. -If you are interested in using `ingressClassName` on your Ingress resources -when using cert-manager's HTTP-01 solver, see the page [Securing Ingress -Resources](../../configuration/acme/http01#ingressclassname). - -
+> ⚠️ This document focuses on the `class` field of the Issuer and ClusterIssuer +> resources and the annotation `kubernetes.io/ingress.class`. If you are +> interested in using `ingressClassName` on your Ingress resources when using +> cert-manager's HTTP-01 solver, see the page [Securing Ingress +> Resources](../../configuration/acme/http01#ingressclassname). In cert-manager v1.5.4 we made a change to the HTTP-01 code which was not backwards compatible. Before v1.5.4, cert-manager was using the `class` field on From 33bdb9488536fd5eff678ee10862233046eff5ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Mar 2023 10:56:56 +0200 Subject: [PATCH 16/31] ingressClassName: consistent warning using quote block MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais Co-Authored-By: Richard Wall --- .../installation/upgrading/ingress-class-compatibility.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/content/docs/installation/upgrading/ingress-class-compatibility.md b/content/docs/installation/upgrading/ingress-class-compatibility.md index 5f52b15793..2f9d360d61 100644 --- a/content/docs/installation/upgrading/ingress-class-compatibility.md +++ b/content/docs/installation/upgrading/ingress-class-compatibility.md @@ -3,10 +3,6 @@ title: Notes on the breaking change with the `class` field that happened in cert description: 'cert-manager installation: Notes on ingress classes and safe upgrades' --- -
- -⚠️ This document focuses on the `class` field of the Issuer and ClusterIssuer -resources and the annotation `kubernetes.io/ingress.class`. > ⚠️ This document focuses on the `class` field of the Issuer and ClusterIssuer > resources and the annotation `kubernetes.io/ingress.class`. If you are From 4de800f0885a5045c6f4760e8cf4c862da77b0c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Mar 2023 11:20:11 +0200 Subject: [PATCH 17/31] ingressClassName: address PR comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais Co-Authored-By: Richard Wall --- .../docs/configuration/acme/http01/README.md | 11 +++++---- .../docs/tutorials/acme/http-validation.md | 23 ++++++++++--------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md index 6c6621a5a7..01029d52d2 100644 --- a/content/docs/configuration/acme/http01/README.md +++ b/content/docs/configuration/acme/http01/README.md @@ -66,7 +66,8 @@ are responsible for responding to ACME challenge validation requests. This is the recommended way of configuring the Ingress controller. Most Ingress controllers support `ingressClassName`, with the notable exception of -ingress-gce. +ingress-gce (as per the page [Configure Ingress for external load +balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress)). If `class` and `ingressClassName` are not specified, and `name` is also not specified, cert-manager will default to create *new* `Ingress` resources but 
@@ -76,13 +77,13 @@ solver, potentially incurring additional cost. ### `class` -If the `class` field is specified, a new ingress resource with a randomly +If the `class` field is specified, a new Ingress resource with a randomly generated name will be created in order to solve the challenge. This new resource will have an annotation with key `kubernetes.io/ingress.class` and -value set to the value of the `class` field. +value set to the value of the `class` field. -This field is only recommended with ingress-gce. ingress-gce doesn't support the -`ingressClassName` field. +This field is only recommended with ingress-gce. ingress-gce [doesn't support the +`ingressClassName` field](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress). ### `name` diff --git a/content/docs/tutorials/acme/http-validation.md b/content/docs/tutorials/acme/http-validation.md index f5b084d599..b61bf7c14b 100644 --- a/content/docs/tutorials/acme/http-validation.md +++ b/content/docs/tutorials/acme/http-validation.md 
@@ -108,20 +108,12 @@ verify domain ownership. To verify ownership of each domain mentioned in an `http01` stanza, cert-manager will create a Pod, Service and Ingress that exposes an HTTP endpoint that satisfies the HTTP01 challenge. -The fields `name`, `ingressClassName`, and `class` in the `http01` stanza can be +The fields `ingressClassName`, `class`, and `name` in the `http01` stanza can be used to control how cert-manager interacts with Ingress resources: -- If the `name` field is specified, then an Ingress resource with the same - name in the same namespace as the Certificate must already exist and it will - be modified only to add the appropriate rules to solve the challenge. - This field is useful for the Google Cloud Loadbalancer ingress controller, - as well as a number of others, that assign a single public IP address for - each ingress resource. - Without manual intervention, creating a new ingress resource would cause any - challenges to fail. - If the `ingressClassName` field is specified, a new ingress resource with a randomly generated name will be created in order to solve the challenge. This - new resource will have the field `ingressClassName` with with the value of the + new resource will have the field `ingressClassName` with the value of the `ingressClassName` field. This is the recommended way of configuring which Ingress controller should be used. This works for the likes of the NGINX ingress controller. 
@@ -129,7 +121,16 @@ used to control how cert-manager interacts with Ingress resources: generated name will be created in order to solve the challenge. This new resource will have an annotation with key `kubernetes.io/ingress.class` and value set to the value of the `class` field. This field is only recommended - with ingress-gce which doesn't support the `ingressClassName` field. + with ingress-gce which [does not support the `ingressClassName` + field](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress). +- If the `name` field is specified, then an Ingress resource with the same name + in the same namespace as the Certificate must already exist and it will be + modified only to add the appropriate rules to solve the challenge. This field + is useful for the Google Cloud Loadbalancer ingress controller, as well as a + number of others, that assign a single public IP address for each ingress + resource. Without manual intervention, creating a new ingress resource would + cause any challenges to fail. + - If neither are specified, new ingress resources will be created with a randomly generated name, but they will not have the ingress class annotation set. - If both are specified, then the `ingress` field will take precedence. From 0b99aa00e8b1ce00d2f21a9e192c4c0eae7e2190 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Mon, 27 Mar 2023 11:26:14 +0200 Subject: [PATCH 18/31] ingressClassName: move the warning to below the sections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais Co-Authored-By: Richard Wall --- content/docs/configuration/acme/http01/README.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md index 01029d52d2..e8663f6fdd 100644 --- a/content/docs/configuration/acme/http01/README.md 
+++ b/content/docs/configuration/acme/http01/README.md @@ -69,12 +69,6 @@ controllers support `ingressClassName`, with the notable exception of ingress-gce (as per the page [Configure Ingress for external load balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress)). -If `class` and `ingressClassName` are not specified, and `name` is also not -specified, cert-manager will default to create *new* `Ingress` resources but -will **not** set the ingress class on these resources, meaning *all* ingress -controllers installed in your cluster will serve traffic for the challenge -solver, potentially incurring additional cost. - ### `class` If the `class` field is specified, a new Ingress resource with a randomly @@ -97,6 +91,16 @@ This mode should be avoided when using ingress controllers that expose a single IP for all ingress resources, as it can create compatibility problems with certain ingress-controller specific annotations. +
+ +If `class` and `ingressClassName` are not specified, and `name` is also not +specified, cert-manager will default to create *new* `Ingress` resources but +will **not** set the ingress class on these resources, meaning *all* ingress +controllers installed in your cluster will serve traffic for the challenge +solver, potentially incurring additional cost. + +
+

`serviceType`

In rare cases it might be not possible/desired to use `NodePort` as type for the From 2e2a42536f283a2cddea19cbead65af07d3cdc3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 5 May 2023 15:06:37 +0200 Subject: [PATCH 19/31] write the release notes for 1.12 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .spelling | 2 + .../docs/release-notes/release-notes-1.12.md | 96 +++++++++++++++++++ 2 files changed, 98 insertions(+) diff --git a/.spelling b/.spelling index 1c68e6ca77..bbbf87d7d9 100644 --- a/.spelling +++ b/.spelling @@ -475,6 +475,8 @@ v1.8.2 v1.9.0 v1.9.1 v1.10 +v1.11.0 +v1.12.0 v1alpha1 v1alpha2 v1alpha3 diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index cd6ab09024..b1e7f1249a 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -3,8 +3,20 @@ title: Release 1.12 description: 'cert-manager release notes: cert-manager 1.12' --- +cert-manager 1.12 brings support for JSON logging, a lower memory footprint, the +support for ephemeral service account tokens with Vault, and the support of the +`ingressClassName` field. + ## Major Themes +### Support for JSON logging + +TBD + +### Lower memory footprint + +TBD + ### Support for ephemeral service account tokens in Vault cert-manager can now authenticate to Vault using ephemeral service account 
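Review bot: the relocated warning in the `@@ -97,6 +91,16 @@` hunk of `http01/README.md` frames the unclassed-Ingress default only as a cost problem ("potentially incurring additional cost"), while the sentence before it already states the consequence operators care about: "*all* ingress controllers installed in your cluster will serve traffic for the challenge solver". Because the HTTP-01 challenge path is then reachable through every controller's endpoint, not just the one that fronts the domain, consider adding one sentence telling the reader to set `ingressClassName` (or `class` for ingress-gce) explicitly instead of relying on the default. Also trim the extra blank `+` lines around the moved block so the warning is not separated from the `name` section by a double blank line.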
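Review bot: the two `TBD` placeholders under "### Support for JSON logging" and "### Lower memory footprint" in the `@@ -3,8 +3,20 @@` hunk of `release-notes-1.12.md` would ship as published text if the follow-up commits were dropped or reordered; either fill them in this commit or leave the headings out until the text exists. The new intro sentence also reads "the support of the `ingressClassName` field"; "support for the `ingressClassName` field in the HTTP-01 solver" matches the section heading that follows.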
@@ -23,3 +35,87 @@ authenticate to Vault. cert-manager now supports the `ingressClassName` field in the HTTP-01 solver. We recommend using `ingressClassName` instead of the field `class` in your Issuers and ClusterIssuers. + +## Community + +Once again, we extend our gratitude to all the open-source contributors who have made commits in this release, including: + +- [@andrewsomething](https://github.com/andrewsomething) +- [@avi-08](https://github.com/avi-08) +- [@e96wic](https://github.com/e96wic) +- [@ExNG](https://github.com/ExNG) +- [@g-gaston](https://github.com/g-gaston) +- [@james-callahan](https://github.com/james-callahan) +- [@jkroepke](https://github.com/jkroepke) +- [@lucacome](https://github.com/lucacome) +- [@malovme](https://github.com/malovme) +- [@maumontesilva](https://github.com/maumontesilva) +- [@tobotg](https://github.com/tobotg) +- [@TrilokGeer](https://github.com/TrilokGeer) +- [@waterfoul](https://github.com/waterfoul) +- [@yanggangtony](https://github.com/yanggangtony) +- [@yulng](https://github.com/yulng) + +## Changes since v1.11.0 + +### Feature + +- Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#3931, @e96wic) +- Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon) +- Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme) +- Cainjector: + - adds a couple new flags to cainjector that can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectables- disabling the rest can improve memory consumption. By default all are enabled. 
+ - renames --watch-certs flag to --enable-certificates-data-source (#5766, @irbekrm) +- Helm: you can now add volumes and volumeMounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul) +- Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. (#5614, @jkroepke) +- POTENTIALLY BREAKING: Separates cert-manager binaries and some tests into separate go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Golang, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details (#5880, @SgtCoDFish) +- The DigitalOcean issuer now sets a cert-manager user agent string. (#5869, @andrewsomething) +- The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls) +- The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls) +- Upgraded Gateway API to v0.6.0. (#5768, @yulng) +- Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) (#5975, @tobotg) + +### Bug or Regression + +- Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. 
+ This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm) +- Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#5896, @maumontesilva) +- Fix development environment and go vendoring on Linux ARM64. (#5810, @SgtCoDFish) +- Fix ordering of remote git tags when preparing integration tests (#5910, @SgtCoDFish) +- Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. (#5693, @SgtCoDFish) +- Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). (#5878, @avi-08) +- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slowdown the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. (#5805, @inteon) +- Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images (#5813, @SgtCoDFish) +- Use a fake kube apiserver version when generating helm template in `cmctl x install`, to work around a hardcoded Kubernetes version in Helm. (#5720, @irbekrm) + +### Other (Cleanup or Flake) + +- ACME account registration is now re-verified if account key is manually changed. 
(#5949, @TrilokGeer) +- Add `make go-workspace` target for generating a go.work file for local development (#5935, @SgtCoDFish) +- Added a Makefile target to build a standalone E2E test binary: make e2e-build (#5804, @wallrj) +- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#5724, @g-gaston) +- Bump the distroless base images (#5929, @maelvls) +- Bumps base images (#5793, @irbekrm) +- Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. + BREAKING: users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. + Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm) +- Cainjector now only reconciles annotated objects of injectable kind. (#5764, @irbekrm) +- Container images are have an OCI source label (#5722, @james-callahan) +- Disable automountServiceAccountToken in the ACME HTTP01 solver Pod (#5754, @wallrj) +- Ensures that annotations, labels and managed fields are not cached for partial metadata `Secret`s. (#5966, @irbekrm) +- Filters Secret caching to ensure only relevant Secrets are cached in full. This should reduce controller's memory consumption in clusters with a large number of cert-manager unrelated `Secret` resources. The filtering functionality is currently placed behind `SecretsFilteredCaching` feature flag. 
+ The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube apiserver, because unlabelled `Secret`s that cert-manager controller needs will now be retrieved from kube apiserver instead of being cached locally. To prevent this from happening, users can label all issuer `Secret`s with `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm) +- Reduces the amount of ACME calls during an ACME certificate issuance. + **Warning**: this PR slightly changes how `Challenge` names are calculated. To avoid duplicate issuances due to `Challenge`s being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm) +- Tests on Kubernetes v1.27.1 by default. (#5979, @irbekrm) +- Updates Kubernetes libraries to `v0.26.2`. (#5820, @lucacome) +- Updates Kubernetes libraries to `v0.26.3`. (#5907, @lucacome) +- Updates base images (#5832, @irbekrm) +- Upgrade to Go 1.20 (#5969, @wallrj) +- Upgrade to go 1.19.5 (#5712, @yanggangtony) +- Validates that `certificate.spec.secretName` is a valid `Secret` name (#5967, @avi-08) +- `certificate.spec.secretName` Secrets will now be labelled with `controller.cert-manager.io/fao` label (#5660, @irbekrm) + +### Uncategorized + +- Add 6443/TCP to webhook egress rules (#5788, @ExNG) From f69c9dacef592acd4a4cb454c583d1c2a32ed9ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 9 May 2023 17:11:13 +0200 Subject: [PATCH 20/31] release-notes: add the latest changes to the release notes for 1.12 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .../docs/release-notes/release-notes-1.12.md | 41 ++++++++++++++++--- 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index b1e7f1249a..78e6b6172e 100644 
--- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -11,7 +11,21 @@ support for ephemeral service account tokens with Vault, and the support of the ### Support for JSON logging -TBD +JSON logs are now available in cert-manager! A massive thank you to [@malovme](https://github.com/malovme) for going the extra mile to get #5828 merged! + +To enable JSON logs, add the flag `--logging-format=json` to the three +deployments (`cert-manager`, `cert-manager-webhook`, and +`cert-manager-cainjector`). + +For example, if you are using the Helm chart: + +```bash +helm repo add --force-update jetstack https://charts.jetstack.io +helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager \ + --set extraArgs='{--logging-format=json}' \ + --set webhook.extraArgs='{--logging-format=json}' \ + --set cainjector.extraArgs='{--logging-format=json}' +``` ### Lower memory footprint 
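Review bot: the Helm example in the `@@ -11,7 +21,21 @@` hunk uses `--set extraArgs='{--logging-format=json}'`, and Helm's `{...}` list syntax replaces the whole list rather than appending to it, so anyone who already sets `extraArgs` (for example `--dns01-recursive-nameservers`, which this same release note says can now be set through Helm values) silently loses those flags on upgrade. Add a sentence saying to append `--logging-format=json` to the existing `extraArgs`, `webhook.extraArgs` and `cainjector.extraArgs` lists, or to use a values file, rather than copy the command verbatim.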
@@ -55,30 +69,41 @@ Once again, we extend our gratitude to all the open-source contributors who have - [@waterfoul](https://github.com/waterfoul) - [@yanggangtony](https://github.com/yanggangtony) - [@yulng](https://github.com/yulng) +- [@vidarno](https://github.com/vidarno) ## Changes since v1.11.0 + ### Feature -- Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#3931, @e96wic) +- Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#3931, @e96wic) +- Added support for JSON logging (using `--logging-format=json`) (#5828, @malovme) - Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon) - Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme) -- Cainjector: +- Cainjector: - adds a couple new flags to cainjector that can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectables- disabling the rest can improve memory consumption. By default all are enabled. - renames --watch-certs flag to --enable-certificates-data-source (#5766, @irbekrm) - Helm: you can now add volumes and volumeMounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul) - Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. (#5614, @jkroepke) -- POTENTIALLY BREAKING: Separates cert-manager binaries and some tests into separate go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. 
If you import cert-manager binaries, integration tests or end-to-end tests in Golang, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details (#5880, @SgtCoDFish) +- POTENTIALLY BREAKING: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Golang, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details (#5880, @SgtCoDFish) - The DigitalOcean issuer now sets a cert-manager user agent string. (#5869, @andrewsomething) - The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls) - The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls) +- The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#5962, @wallrj) - Upgraded Gateway API to v0.6.0. (#5768, @yulng) - Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) (#5975, @tobotg) +- Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. 
+ This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm) +- ServerSideApply: The feature gate `ServerSideApply=true` configures the ca-injector controller to use Kubernetes Server Side Apply on CA Injector injectable target resources. (#5991, @inteon) + +### Documentation + +- Helm: the dead links in `values.yaml` are now working (#5999, @SgtCoDFish) ### Bug or Regression -- Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. - This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm) +- Adds missing comparisons for certain fields which were incorrectly skipped if a LiteralSubject was set (#5747, @inteon) +- Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA (#5972, @vinzent) - Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#5896, @maumontesilva) - Fix development environment and go vendoring on Linux ARM64. (#5810, @SgtCoDFish) - Fix ordering of remote git tags when preparing integration tests (#5910, @SgtCoDFish) 
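Review bot: the new liveness-probe bullet in the `@@ -55,30 +69,41 @@` hunk contradicts itself: it says the controller "now has a `/livez` endpoint and a default liveness probe" and then "The liveness probe is disabled by default." State which it is, and if the probe is off by default say how to turn it on (the Helm value or flag), since a probe that restarts the controller after lost leader election is something operators will want to enable deliberately. In the same hunk, "Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests" is a behaviour fix that has been moved from "Bug or Regression" into "Feature", where it no longer reads as a fix; keep it under the bug heading.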
@@ -96,6 +121,7 @@ Once again, we extend our gratitude to all the open-source contributors who have - Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#5724, @g-gaston) - Bump the distroless base images (#5929, @maelvls) - Bumps base images (#5793, @irbekrm) +- Caches metadata only for filtered Pods and Services (#5976, @irbekrm) - Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. BREAKING: users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm) 
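Review bot: the unchanged context in the `@@ -96,6 +121,7 @@` hunk still tells users to pass `--watch-certificates=false` to cainjector (twice, in the #5746 bullet), but the feature list earlier in this same file records that the flag was renamed: "renames --watch-certs flag to --enable-certificates-data-source (#5766, @irbekrm)". Since the notes are being edited here anyway, change both occurrences to `--enable-certificates-data-source=false` so a reader following the BREAKING instruction does not pass a flag the 1.12 binary no longer accepts, and consider moving that BREAKING sentence out of "Other (Cleanup or Flake)" to somewhere readers scanning for breaking changes will see it.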
@@ -107,9 +133,11 @@ Once again, we extend our gratitude to all the open-source contributors who have The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube apiserver, because unlabelled `Secret`s that cert-manager controller needs will now be retrieved from kube apiserver instead of being cached locally. To prevent this from happening, users can label all issuer `Secret`s with `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm) - Reduces the amount of ACME calls during an ACME certificate issuance. **Warning**: this PR slightly changes how `Challenge` names are calculated. To avoid duplicate issuances due to `Challenge`s being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm) +- Storing the latest private key hash on issuer status prevents unnecessary calls to ACME server during controller startup (#6006, @vidarno) - Tests on Kubernetes v1.27.1 by default. (#5979, @irbekrm) - Updates Kubernetes libraries to `v0.26.2`. (#5820, @lucacome) - Updates Kubernetes libraries to `v0.26.3`. (#5907, @lucacome) +- Updates Kubernetes libraries to `v0.27.1`. (#5961, @lucacome) - Updates base images (#5832, @irbekrm) - Upgrade to Go 1.20 (#5969, @wallrj) - Upgrade to go 1.19.5 (#5712, @yanggangtony) @@ -119,3 +147,4 @@ Once again, we extend our gratitude to all the open-source contributors who have ### Uncategorized - Add 6443/TCP to webhook egress rules (#5788, @ExNG) +- Replaces our python boilerplate checker with an installed golang version, removing the need to have Python installed when developing or building cert-manager (#6000, @SgtCoDFish) From 9fe0b571bff7725f765fcd4a13d948bdb9db9070 Mon Sep 17 00:00:00 2001 From: irbekrm Date: Tue, 16 May 2023 13:50:27 +0100 Subject: [PATCH 21/31] Add a release note for memory improvements 
Signed-off-by: irbekrm --- .../docs/release-notes/release-notes-1.12.md | 55 ++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 78e6b6172e..a3a277ed72 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md 
@@ -29,7 +29,60 @@ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manag ### Lower memory footprint -TBD +In 1.12 we continued the work started in 1.11 to reduce cert-manager component's memory consumption. + +### Controller + +Caching of the full contents of all cluster `Secret`s can now be disabled by +setting a `SecretsFilteredCaching` alpha feature gate to true. This will ensure +that only `Secret` resources that are labelled with +`controller.cert-manager.io/fao` label are cached in full. Cert-manager +automatically adds this label to all `Certificate` `Secret`s. + +This change has been placed behind alpha feature gate as it could potentially +slow down large scale issuance because issuer credentials `Secret`s will now be +retrieved from kube apiserver instead of local cache. To prevent the slow down, +users can manually label issuer `Secret`s with a +`controller.cert-manager.io/fao` label. +See the +[design](https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md) +and [implementation](https://github.com/cert-manager/cert-manager/pull/5824) for +additional details. +We would like to gather some feedback on this change before +it can graduate- please leave your comments on +(`cert-manager#6074`)[https://github.com/cert-manager/cert-manager/issues/6074]. + +Additionally, controller no longer watches and caches all `Pod` and `Service` +resources. +See [`cert-manager#5976`](https://github.com/cert-manager/cert-manager/pull/5976) for implementation. + +### Cainjector + +[Cainjector's](../concepts/ca-injector.md) control loops have been refactored, so by default it should +consume up to twice less memory, see +[`cert-manager#5746`](https://github.com/cert-manager/cert-manager/pull/5746). + +Additionally, a number of flags have been added to cainjector that can be used +to scope down what resources it watches and caches. 
+ +If cainjector is only used as part of cert-manager installation, it only needs +to inject CA certs to cert-manager's `MutatingWebhookConfiguration` and +`ValidatingWebhookConfiguration` from a `Secret` in cert-manager's installation +namespace so all the other injectable/source types can be turned off and +cainjector can be scoped to a single namespace, see the relevant flags below: + +```go +// cainjector flags +--namespace= \ +--enable-customresourcedefinitions-injectable=false \ +--enable-certificates-data-source=false \ +--enable-apiservices-injectable=false +``` + +See [`cert-manager#5766`](https://github.com/cert-manager/cert-manager/pull/5766) for more detail. + +A big thanks to everyone who put in time reporting and writing up issues +describing performance problems in large scale installations. ### Support for ephemeral service account tokens in Vault From ed440d3ed01d63f63ced4f51b6991b86bbc3fb2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 16 May 2023 16:09:19 +0200 Subject: [PATCH 22/31] release-notes-1.12: talk about the go.mod changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .../docs/release-notes/release-notes-1.12.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index a3a277ed72..0d9d3693e9 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -31,7 +31,7 @@ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manag In 1.12 we continued the work started in 1.11 to reduce cert-manager component's memory consumption. -### Controller +#### Controller Caching of the full contents of all cluster `Secret`s can now be disabled by setting a `SecretsFilteredCaching` alpha feature gate to true. This will ensure 
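Review bot: in the memory-footprint text added by the `@@ -29,7 +29,60 @@` hunk of `release-notes-1.12.md` (the patch 21 hunk, not the heading-level rename that follows it), the issue link has its brackets and parentheses swapped, "(`cert-manager#6074`)[https://github.com/cert-manager/cert-manager/issues/6074]", so it will render as literal text instead of a link. The cainjector flag block is fenced as ```go although it holds command-line flags; use a plain or `bash` fence, and give `--namespace=` a value (the cert-manager installation namespace the paragraph above refers to) so the scoped-down, least-privilege configuration is copy-pasteable as written. "consume up to twice less memory" is also clearer as "about half as much memory".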
@@ -56,7 +56,7 @@ Additionally, controller no longer watches and caches all `Pod` and `Service` resources. See [`cert-manager#5976`](https://github.com/cert-manager/cert-manager/pull/5976) for implementation. -### Cainjector +#### Cainjector [Cainjector's](../concepts/ca-injector.md) control loops have been refactored, so by default it should consume up to twice less memory, see @@ -84,6 +84,21 @@ See [`cert-manager#5766`](https://github.com/cert-manager/cert-manager/pull/5766 A big thanks to everyone who put in time reporting and writing up issues describing performance problems in large scale installations. +### Improved Security with Independent Go Modules for Each Binary + +With cert-manager 1.12, we have made significant changes aimed at improving our +reaction time to vulnerability reports. Each binary now has its own `go.mod` +file, providing us with more flexibility to react to CVEs. + +In the past, we have been unable to offer security patches due to unsupported +dependencies. An example of this was seen with Helm: in cert-manager 1.10, we +were unable to fix a CVE reported in Helm because Helm only offers security +patches for its latest minor version. + +While this doesn't decrease the dependency attack surface for any of the +binaries, it does allow us to react more quickly and effectively when a +vulnerability is reported. + ### Support for ephemeral service account tokens in Vault cert-manager can now authenticate to Vault using ephemeral service account From 6ca15f0a7f8c511b289af7676705e58b6e473e0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 16 May 2023 18:10:23 +0200 Subject: [PATCH 23/31] use the official typography for VCert (instead of vCert) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .spelling | 2 +- content/docs/release-notes/release-notes-0.9.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
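Review bot: the "Improved Security with Independent Go Modules" section added in the `@@ -84,6 +84,21 @@` hunk refers to "a CVE reported in Helm" that could not be fixed in cert-manager 1.10 without naming it or linking the advisory or tracking issue; readers assessing their own exposure need that reference, so add the link if one exists. The closing caveat "this doesn't decrease the dependency attack surface for any of the binaries" also sits uneasily next to "Each binary now has its own `go.mod` file": say explicitly whether every binary is still built with the same dependency set as before (so only patch turnaround improves) or whether, for example, the controller no longer links Helm at all, because the heading invites the second reading.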
diff --git a/.spelling b/.spelling index bbbf87d7d9..a81f0149b6 100644 --- a/.spelling +++ b/.spelling @@ -483,7 +483,7 @@ v1alpha3 v1beta1 v2 v3 -vCert +VCert vendoring vendored versioning diff --git a/content/docs/release-notes/release-notes-0.9.md b/content/docs/release-notes/release-notes-0.9.md index d9a9be4aaa..564eb9c6e7 100644 --- a/content/docs/release-notes/release-notes-0.9.md +++ b/content/docs/release-notes/release-notes-0.9.md @@ -163,8 +163,8 @@ validate and so will be recreated. This should resume the order normally. ### Venafi Issuer -- Venafi: use vCert `v4.1.0` ([#1827](https://github.com/cert-manager/cert-manager/pull/1827), [`@munnerz`](https://github.com/munnerz)) -- Bump Venafi vCert dependency to latest version ([#1754](https://github.com/cert-manager/cert-manager/pull/1754), [`@munnerz`](https://github.com/munnerz)) +- Venafi: use VCert `v4.1.0` ([#1827](https://github.com/cert-manager/cert-manager/pull/1827), [`@munnerz`](https://github.com/munnerz)) +- Bump Venafi VCert dependency to latest version ([#1754](https://github.com/cert-manager/cert-manager/pull/1754), [`@munnerz`](https://github.com/munnerz)) ### Webhook From 444b74f602e037606bf54cd0c3eb6d9c276d28f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 16 May 2023 19:42:53 +0200 Subject: [PATCH 24/31] turn commit-like release notes into release notes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .spelling | 23 ++++++++++++ .../docs/release-notes/release-notes-1.12.md | 36 +++++++++---------- 2 files changed, 41 insertions(+), 18 deletions(-) diff --git a/.spelling b/.spelling index a81f0149b6..bf60569384 100644 --- a/.spelling +++ b/.spelling 
@@ -559,6 +559,29 @@ secretless TokenRequest v1.12.0 v1.12.0. +PodDisruptionBudgets +andrewsomething +avi-08 +e96wic +ExNG +g-gaston +jkroepke +malovme +maumontesilva +tobotg +TrilokGeer +waterfoul +yulng +vidarno +vinzent +go.work +go.mod +validatingwebhookconfigurations +mutatingwebhookconfigurations +unlabelled +v1.27.1 +v0.6.0. +v4.4.1 # TEMPORARY # these are temporarily ignored because the spellchecker diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 0d9d3693e9..1ed5168709 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -134,10 +134,11 @@ Once again, we extend our gratitude to all the open-source contributors who have - [@maumontesilva](https://github.com/maumontesilva) - [@tobotg](https://github.com/tobotg) - [@TrilokGeer](https://github.com/TrilokGeer) +- [@vidarno](https://github.com/vidarno) +- [@vinzent](https://github.com/vinzent) - [@waterfoul](https://github.com/waterfoul) - [@yanggangtony](https://github.com/yanggangtony) - [@yulng](https://github.com/yulng) -- [@vidarno](https://github.com/vidarno) ## Changes since v1.11.0 
@@ -148,9 +149,9 @@ Once again, we extend our gratitude to all the open-source contributors who have - Added support for JSON logging (using `--logging-format=json`) (#5828, @malovme) - Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon) - Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme) -- Cainjector: - - adds a couple new flags to cainjector that can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectables- disabling the rest can improve memory consumption. By default all are enabled. - - renames --watch-certs flag to --enable-certificates-data-source (#5766, @irbekrm) +- cainjector: + - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectables; disabling the rest can improve memory consumption. By default all are enabled. + - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. (#5766, @irbekrm) - Helm: you can now add volumes and volumeMounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul) - Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. (#5614, @jkroepke) - POTENTIALLY BREAKING: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. 
This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Golang, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details (#5880, @SgtCoDFish) @@ -162,7 +163,8 @@ Once again, we extend our gratitude to all the open-source contributors who have - Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) (#5975, @tobotg) - Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm) -- ServerSideApply: The feature gate `ServerSideApply=true` configures the ca-injector controller to use Kubernetes Server Side Apply on CA Injector injectable target resources. (#5991, @inteon) +- The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. (#5991, @inteon) +- Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. (#5788, @ExNG) ### Documentation 
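Review bot: the egress bullet added in the `@@ -162,7 +163,8 @@` hunk duplicates an entry that is still present under "### Uncategorized" in this file ("Add 6443/TCP to webhook egress rules (#5788, @ExNG)"), so #5788 will be listed twice; drop the Uncategorized copy. The same bullet should name the object the rule lives in (the webhook's egress rules in the Helm chart's network policy) so operators running a default-deny policy know what to look for, and the rewritten `ServerSideApply` bullet says to add `--feature-gates=ServerSideApply=true` "to the deployment" without saying which one; say the cainjector deployment.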
@@ -170,7 +172,7 @@ Once again, we extend our gratitude to all the open-source contributors who have ### Bug or Regression -- Adds missing comparisons for certain fields which were incorrectly skipped if a LiteralSubject was set (#5747, @inteon) +- When using the literalSubject field on a Certificate resource, the IPs, URIs, DNSNames, and EmailAddresses segments are now properly compared. (#5747, @inteon) - Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA (#5972, @vinzent) - Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#5896, @maumontesilva) - Fix development environment and go vendoring on Linux ARM64. (#5810, @SgtCoDFish) @@ -179,7 +181,7 @@ Once again, we extend our gratitude to all the open-source contributors who have - Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). (#5878, @avi-08) - The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slowdown the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. (#5805, @inteon) - Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images (#5813, @SgtCoDFish) -- Use a fake kube apiserver version when generating helm template in `cmctl x install`, to work around a hardcoded Kubernetes version in Helm. (#5720, @irbekrm) +- cmctl: In order work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. (#5720, @irbekrm) ### Other (Cleanup or Flake) 
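Review bot: the rewritten cmctl entry in the `@@ -179,7 +181,7 @@` hunk is missing a word: "In order work around a hardcoded Kubernetes version in Helm" should read "In order to work around a hardcoded Kubernetes version in Helm". The sentence also stacks "when generating the helm template when running `cmctl x install`"; one "when" is enough, e.g. "we now use a fake kube-apiserver version when generating the Helm template in `cmctl x install`."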
@@ -189,20 +191,19 @@ Once again, we extend our gratitude to all the open-source contributors who have - Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#5724, @g-gaston) - Bump the distroless base images (#5929, @maelvls) - Bumps base images (#5793, @irbekrm) -- Caches metadata only for filtered Pods and Services (#5976, @irbekrm) +- The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. (#5976, @irbekrm) - Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. BREAKING: users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm) - Cainjector now only reconciles annotated objects of injectable kind. (#5764, @irbekrm) - Container images are have an OCI source label (#5722, @james-callahan) -- Disable automountServiceAccountToken in the ACME HTTP01 solver Pod (#5754, @wallrj) -- Ensures that annotations, labels and managed fields are not cached for partial metadata `Secret`s. (#5966, @irbekrm) -- Filters Secret caching to ensure only relevant Secrets are cached in full. This should reduce controller's memory consumption in clusters with a large number of cert-manager unrelated `Secret` resources. The filtering functionality is currently placed behind `SecretsFilteredCaching` feature flag. 
- The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube apiserver, because unlabelled `Secret`s that cert-manager controller needs will now be retrieved from kube apiserver instead of being cached locally. To prevent this from happening, users can label all issuer `Secret`s with `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm) -- Reduces the amount of ACME calls during an ACME certificate issuance. - **Warning**: this PR slightly changes how `Challenge` names are calculated. To avoid duplicate issuances due to `Challenge`s being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm) -- Storing the latest private key hash on issuer status prevents unnecessary calls to ACME server during controller startup (#6006, @vidarno) -- Tests on Kubernetes v1.27.1 by default. (#5979, @irbekrm) +- The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. (#5754, @wallrj) +- The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. (#5966, @irbekrm) +- The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm) +- The controller now makes fewer calls to the ACME server. 
+ **Warning**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. +- The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. (#6006, @vidarno) +- We are now testing with Kubernetes v1.27.1 by default. (#5979, @irbekrm) - Updates Kubernetes libraries to `v0.26.2`. (#5820, @lucacome) - Updates Kubernetes libraries to `v0.26.3`. (#5907, @lucacome) - Updates Kubernetes libraries to `v0.27.1`. (#5961, @lucacome) @@ -214,5 +215,4 @@ Once again, we extend our gratitude to all the open-source contributors who have ### Uncategorized -- Add 6443/TCP to webhook egress rules (#5788, @ExNG) -- Replaces our python boilerplate checker with an installed golang version, removing the need to have Python installed when developing or building cert-manager (#6000, @SgtCoDFish) +- We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. (#6000, @SgtCoDFish) From f75ba884c4773717d245344b24f680eb7dc5430d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 16 May 2023 19:56:32 +0200 Subject: [PATCH 25/31] rephrase the section about CVEs and Go modules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Ashley Davis Signed-off-by: Maël Valais --- .../docs/release-notes/release-notes-1.12.md | 35 +++++++++++++------ 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 1ed5168709..b6241dda81 100644 --- a/content/docs/release-notes/release-notes-1.12.md 
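Review bot: the `@@ -189,20 +191,19 @@` hunk drops the PR reference from the ACME entry it rewrites: the removed line ended with "(#5901, @irbekrm)" but the replacement "+- The controller now makes fewer calls to the ACME server." and its "+ **Warning**: ..." continuation end at "this version of cert-manager." with no reference. Every other entry in this list carries its PR and author, so append "(#5901, @irbekrm)" to the end of the warning line.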
+++ b/content/docs/release-notes/release-notes-1.12.md 
@@ -84,20 +84,33 @@ See [`cert-manager#5766`](https://github.com/cert-manager/cert-manager/pull/5766 A big thanks to everyone who put in time reporting and writing up issues describing performance problems in large scale installations. -### Improved Security with Independent Go Modules for Each Binary +### Faster Response to CVEs By Reducing Transitive Dependencies -With cert-manager 1.12, we have made significant changes aimed at improving our -reaction time to vulnerability reports. Each binary now has its own `go.mod` -file, providing us with more flexibility to react to CVEs. +In cert-manager 1.12, we have worked on reducing the impacts that unsupported +dependencies have on our ability to patch CVEs. -In the past, we have been unable to offer security patches due to unsupported -dependencies. An example of this was seen with Helm: in cert-manager 1.10, we -were unable to fix a CVE reported in Helm because Helm only offers security -patches for its latest minor version. +Each binary now has its own `go.mod` file. When a CVE is declared in an +unsupported minor version of a dependency, and that the only solution is to bump +the minor version of the dependency, we can now choose to make an exception and +bump that minor version but limit the impact to a single binary. -While this doesn't decrease the dependency attack surface for any of the -binaries, it does allow us to react more quickly and effectively when a -vulnerability is reported. +For example, in cert-manager 1.10, we chose not to fix a CVE reported in Helm +because it was forcing us to bump the minor versions of `k8s.io/api` and many +other dependencies. + +A side effect of the new `go.mod` layout is that it's now easier to import +cert-manager in Go, in terms of transitive dependencies that might show up in +your `go.mod` files or potential version conflicts between cert-manager and your +other dependencies. 
+ +The caveat here is that we still only recommend importing cert-manager in [very +specific circumstances](../contributing/importing.md), and the module changes +mean that if you imported some paths (specifically under `cmd` or some paths +under `test`) you might see broken imports when you try to upgrade. + +If you experience a break as part of this, we're sorry and we'd be interested to +chat about it. The vast majority of projects using cert-manager should notice no +impact, and there should be no runtime impact either. ### Support for ephemeral service account tokens in Vault From 68ba75525e4810d3e8b40b3a6b0ddd7832e92d2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Tue, 16 May 2023 20:22:09 +0200 Subject: [PATCH 26/31] edit more release notes to make them user-friendly MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .spelling | 5 +++++ .../docs/release-notes/release-notes-1.12.md | 20 +++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/.spelling b/.spelling index bf60569384..2056c3e01f 100644 --- a/.spelling +++ b/.spelling @@ -574,14 +574,19 @@ waterfoul yulng vidarno vinzent +dsonck92 go.work go.mod validatingwebhookconfigurations mutatingwebhookconfigurations +customresourcedefinitions unlabelled v1.27.1 v0.6.0. v4.4.1 +liveness +apiservices +arm64 # TEMPORARY # these are temporarily ignored because the spellchecker diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index b6241dda81..04c6be2e91 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md 
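Review bot: the second added paragraph of the `@@ -84,20 +84,33 @@` hunk is ungrammatical: "When a CVE is declared in an unsupported minor version of a dependency, and that the only solution is to bump the minor version of the dependency, we can now choose..." should drop "that" ("and the only solution is to bump"). In the first paragraph, "reducing the impacts that unsupported dependencies have on our ability to patch CVEs" reads better in the singular ("the impact").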
@@ -41,7 +41,7 @@ automatically adds this label to all `Certificate` `Secret`s. This change has been placed behind alpha feature gate as it could potentially slow down large scale issuance because issuer credentials `Secret`s will now be -retrieved from kube apiserver instead of local cache. To prevent the slow down, +retrieved from kube-apiserver instead of local cache. To prevent the slow down, users can manually label issuer `Secret`s with a `controller.cert-manager.io/fao` label. See the @@ -137,6 +137,7 @@ Once again, we extend our gratitude to all the open-source contributors who have - [@andrewsomething](https://github.com/andrewsomething) - [@avi-08](https://github.com/avi-08) +- [@dsonck92](https://github.com/dsonck92) - [@e96wic](https://github.com/e96wic) - [@ExNG](https://github.com/ExNG) - [@g-gaston](https://github.com/g-gaston) @@ -155,7 +156,6 @@ Once again, we extend our gratitude to all the open-source contributors who have ## Changes since v1.11.0 - ### Feature - Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#3931, @e96wic) 
@@ -163,11 +163,11 @@ Once again, we extend our gratitude to all the open-source contributors who have - Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon) - Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme) - cainjector: - - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectables; disabling the rest can improve memory consumption. By default all are enabled. + - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled. - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. (#5766, @irbekrm) -- Helm: you can now add volumes and volumeMounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul) +- Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul) - Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. (#5614, @jkroepke) -- POTENTIALLY BREAKING: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. 
If you import cert-manager binaries, integration tests or end-to-end tests in Golang, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details (#5880, @SgtCoDFish) +- **POTENTIALLY BREAKING**: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. (#5880, @SgtCoDFish) - The DigitalOcean issuer now sets a cert-manager user agent string. (#5869, @andrewsomething) - The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls) - The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls) 
@@ -185,10 +185,10 @@ Once again, we extend our gratitude to all the open-source contributors who have ### Bug or Regression -- When using the literalSubject field on a Certificate resource, the IPs, URIs, DNSNames, and EmailAddresses segments are now properly compared. (#5747, @inteon) -- Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA (#5972, @vinzent) +- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. (#5747, @inteon) +- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loop trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. (#5972, @vinzent) - Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#5896, @maumontesilva) -- Fix development environment and go vendoring on Linux ARM64. (#5810, @SgtCoDFish) +- Fix development environment and go vendoring on Linux arm64. (#5810, @SgtCoDFish) - Fix ordering of remote git tags when preparing integration tests (#5910, @SgtCoDFish) - Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. (#5693, @SgtCoDFish) - Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). (#5878, @avi-08) 
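Review bot: the new truststore entry in the `@@ -185,10 +185,10 @@` hunk has a subject-verb mismatch: "cert-manager no longer loop trying to copy `ca.crt`" should be "cert-manager no longer loops trying to copy `ca.crt`". The phrase "doesn't set the `ca.crt` in the Secret resource" also reads more naturally as "doesn't set `ca.crt` in the Secret resource".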
@@ -206,7 +206,7 @@ Once again, we extend our gratitude to all the open-source contributors who have - Bumps base images (#5793, @irbekrm) - The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. (#5976, @irbekrm) - Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. - BREAKING: users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. + **BREAKING:** users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm) - Cainjector now only reconciles annotated objects of injectable kind. (#5764, @irbekrm) - Container images are have an OCI source label (#5722, @james-callahan) 
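Review bot: the `@@ -206,7 +206,7 @@` hunk only bolds "BREAKING:", but its trailing context line "Container images are have an OCI source label (#5722, @james-callahan)" carries a typo; since this series is already rewording these entries, drop the stray "are" ("Container images have an OCI source label").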
@@ -214,7 +214,7 @@ Once again, we extend our gratitude to all the open-source contributors who have - The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. (#5966, @irbekrm) - The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm) - The controller now makes fewer calls to the ACME server. - **Warning**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. + **POTENTIALLY BREAKING**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm) - The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. (#6006, @vidarno) - We are now testing with Kubernetes v1.27.1 by default. (#5979, @irbekrm) - Updates Kubernetes libraries to `v0.26.2`. (#5820, @lucacome) From 26aa94d7c64917cbdbfb333ab01adc608635681a Mon Sep 17 00:00:00 2001 
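Review bot: the relabelled line in the `@@ -214,7 +214,7 @@` hunk keeps a number mismatch: "this PR slightly changes how the name of the Challenge resources are calculated" should be "how the names of the Challenge resources are calculated". "This PR" is also odd in user-facing release notes; "this change" matches the register of the surrounding entries.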
From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 19 May 2023 13:32:22 +0200 Subject: [PATCH 27/31] release-notes-1.12: address feedback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Ashley Davis Signed-off-by: Maël Valais --- content/docs/release-notes/release-notes-1.12.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 04c6be2e91..4eb1e1532c 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -59,7 +59,7 @@ See [`cert-manager#5976`](https://github.com/cert-manager/cert-manager/pull/5976 #### Cainjector [Cainjector's](../concepts/ca-injector.md) control loops have been refactored, so by default it should -consume up to twice less memory, see +consume up to half as much memory as before, see [`cert-manager#5746`](https://github.com/cert-manager/cert-manager/pull/5746). Additionally, a number of flags have been added to cainjector that can be used From 2879046af4d32eb02ab3f4409620afe46b896877 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 19 May 2023 15:04:16 +0200 Subject: [PATCH 28/31] release-notes: add links to documentation, PRs and designs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .../docs/release-notes/release-notes-1.12.md | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 4eb1e1532c..7a5398b42d 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md 
@@ -5,13 +5,16 @@ description: 'cert-manager release notes: cert-manager 1.12' cert-manager 1.12 brings support for JSON logging, a lower memory footprint, the support for ephemeral service account tokens with Vault, and the support of the -`ingressClassName` field. +`ingressClassName` field. We also improved on our ability to patch +vulnerabilities. ## Major Themes ### Support for JSON logging -JSON logs are now available in cert-manager! A massive thank you to [@malovme](https://github.com/malovme) for going the extra mile to get #5828 merged! +JSON logs are now available in cert-manager! A massive thank you to +[@malovme](https://github.com/malovme) for going the extra mile to get +[#5828](https://github.com/cert-manager/cert-manager/pull/5828) merged! To enable JSON logs, add the flag `--logging-format=json` to the three deployments (`cert-manager`, `cert-manager-webhook`, and @@ -29,7 +32,8 @@ helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manag ### Lower memory footprint -In 1.12 we continued the work started in 1.11 to reduce cert-manager component's memory consumption. +In 1.12 we continued the work started in 1.11 to reduce cert-manager component's +memory consumption. #### Controller 
@@ -112,11 +116,14 @@ If you experience a break as part of this, we're sorry and we'd be interested to chat about it. The vast majority of projects using cert-manager should notice no impact, and there should be no runtime impact either. +You can read more about this change in the design document at +[20230302.gomod.md](https://github.com/cert-manager/cert-manager/blob/master/design/20230302.gomod.md). + ### Support for ephemeral service account tokens in Vault cert-manager can now authenticate to Vault using ephemeral service account -tokens. cert-manager already knew to authenticate to Vault using the [Vault -Kubernetes Auth +tokens (JWT). cert-manager already knew to authenticate to Vault using the +[Vault Kubernetes Auth Method](https://developer.hashicorp.com/vault/docs/auth/kubernetes) but relied on insecure service account tokens stored in Secrets. You can now configure cert-manager in a secretless manner. With this new feature, cert-manager will @@ -125,12 +132,17 @@ authenticate to Vault. > 📖 Read about [Secretless Authentication with a Service Account](../configuration/vault.md#secretless-authentication-with-a-service-account). +This change was implemented in the pull request +[`cert-manager#5502`](https://github.com/cert-manager/cert-manager/pull/5502). + ### Support for `ingressClassName` in the HTTP-01 solver cert-manager now supports the `ingressClassName` field in the HTTP-01 solver. We recommend using `ingressClassName` instead of the field `class` in your Issuers and ClusterIssuers. +> 📖 Read more about `ingressClassName` in the documentation page [HTTP01](../configuration/acme/http01/#ingressclassname). + ## Community Once again, we extend our gratitude to all the open-source contributors who have made commits in this release, including: From df01bd8be0ededf74d58338988070273dd40ed89 Mon Sep 17 00:00:00 2001 
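Review bot: the `@@ -125,12 +132,17 @@` hunk adds the link `../configuration/acme/http01/#ingressclassname` in a trailing-slash directory form, whereas every other relative link in this series points at a `.md` file (for example `../configuration/vault.md#secretless-authentication-with-a-service-account` a few lines above and `../contributing/importing.md`). Use the `.md` form of the HTTP01 page so the link resolves the same way as the others.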
From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 19 May 2023 15:11:38 +0200 Subject: [PATCH 29/31] release-notes: transform PR numbers and GitHub handles into links MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .../docs/release-notes/release-notes-1.12.md | 106 +++++++++--------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 7a5398b42d..8c76b9fd6d 100644 --- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md 
@@ -170,74 +170,74 @@ Once again, we extend our gratitude to all the open-source contributors who have ### Feature -- Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#3931, @e96wic) -- Added support for JSON logging (using `--logging-format=json`) (#5828, @malovme) -- Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon) -- Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme) +- Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). ([#3931](https://github.com/cert-manager/cert-manager/pull/3931), [@e96wic](https://github.com/e96wic)) +- Added support for JSON logging (using `--logging-format=json`) ([#5828](https://github.com/cert-manager/cert-manager/pull/5828), [@malovme](https://github.com/malovme)) +- Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. ([#5936](https://github.com/cert-manager/cert-manager/pull/5936), [@inteon](https://github.com/inteon)) +- Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. ([#5801](https://github.com/cert-manager/cert-manager/pull/5801), [@malovme](https://github.com/malovme)) - cainjector: - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled. - - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. 
(#5766, @irbekrm) -- Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul) -- Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. (#5614, @jkroepke) -- **POTENTIALLY BREAKING**: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. (#5880, @SgtCoDFish) -- The DigitalOcean issuer now sets a cert-manager user agent string. (#5869, @andrewsomething) -- The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls) -- The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls) -- The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#5962, @wallrj) -- Upgraded Gateway API to v0.6.0. 
(#5768, @yulng) -- Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) (#5975, @tobotg) + - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. ([#5766](https://github.com/cert-manager/cert-manager/pull/5766), [@irbekrm](https://github.com/irbekrm)) +- Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. ([#5668](https://github.com/cert-manager/cert-manager/pull/5668), [@waterfoul](https://github.com/waterfoul)) +- Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. ([#5614](https://github.com/cert-manager/cert-manager/pull/5614), [@jkroepke](https://github.com/jkroepke)) +- **POTENTIALLY BREAKING**: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. ([#5880](https://github.com/cert-manager/cert-manager/pull/5880), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- The DigitalOcean issuer now sets a cert-manager user agent string. ([#5869](https://github.com/cert-manager/cert-manager/pull/5869), [@andrewsomething](https://github.com/andrewsomething)) +- The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to @dsonck92 for implementing the initial PR. ([#5849](https://github.com/cert-manager/cert-manager/pull/5849), [@maelvls](https://github.com/maelvls)) +- The Vault issuer can now be used with ephemeral Kubernetes tokens. 
With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. ([#5502](https://github.com/cert-manager/cert-manager/pull/5502), [@maelvls](https://github.com/maelvls)) +- The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. ([#5962](https://github.com/cert-manager/cert-manager/pull/5962), [@wallrj](https://github.com/wallrj)) +- Upgraded Gateway API to v0.6.0. ([#5768](https://github.com/cert-manager/cert-manager/pull/5768), [@yulng](https://github.com/yulng)) +- Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) ([#5975](https://github.com/cert-manager/cert-manager/pull/5975), [@tobotg](https://github.com/tobotg)) - Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. - This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm) -- The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. (#5991, @inteon) -- Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. 
(#5788, @ExNG) + This is not necessarily a breaking change as due to a race condition this may already have been the case. ([#5887](https://github.com/cert-manager/cert-manager/pull/5887), [@irbekrm](https://github.com/irbekrm)) +- The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. ([#5991](https://github.com/cert-manager/cert-manager/pull/5991), [@inteon](https://github.com/inteon)) +- Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. ([#5788](https://github.com/cert-manager/cert-manager/pull/5788), [@ExNG](https://github.com/ExNG)) ### Documentation -- Helm: the dead links in `values.yaml` are now working (#5999, @SgtCoDFish) +- Helm: the dead links in `values.yaml` are now working ([#5999](https://github.com/cert-manager/cert-manager/pull/5999), [@SgtCoDFish](https://github.com/SgtCoDFish)) ### Bug or Regression -- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. (#5747, @inteon) -- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loop trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. (#5972, @vinzent) -- Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#5896, @maumontesilva) -- Fix development environment and go vendoring on Linux arm64. 
(#5810, @SgtCoDFish) -- Fix ordering of remote git tags when preparing integration tests (#5910, @SgtCoDFish) -- Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. (#5693, @SgtCoDFish) -- Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). (#5878, @avi-08) -- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slowdown the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. (#5805, @inteon) -- Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images (#5813, @SgtCoDFish) -- cmctl: In order work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. (#5720, @irbekrm) +- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. ([#5747](https://github.com/cert-manager/cert-manager/pull/5747), [@inteon](https://github.com/inteon)) +- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loop trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. 
([#5972](https://github.com/cert-manager/cert-manager/pull/5972), [@vinzent](https://github.com/vinzent)) +- Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied ([#5896](https://github.com/cert-manager/cert-manager/pull/5896), [@maumontesilva](https://github.com/maumontesilva)) +- Fix development environment and go vendoring on Linux arm64. ([#5810](https://github.com/cert-manager/cert-manager/pull/5810), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Fix ordering of remote git tags when preparing integration tests ([#5910](https://github.com/cert-manager/cert-manager/pull/5910), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. ([#5693](https://github.com/cert-manager/cert-manager/pull/5693), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). ([#5878](https://github.com/cert-manager/cert-manager/pull/5878), [@avi-08](https://github.com/avi-08)) +- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slowdown the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. 
([#5805](https://github.com/cert-manager/cert-manager/pull/5805), [@inteon](https://github.com/inteon)) +- Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images ([#5813](https://github.com/cert-manager/cert-manager/pull/5813), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- cmctl: In order work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. ([#5720](https://github.com/cert-manager/cert-manager/pull/5720), [@irbekrm](https://github.com/irbekrm)) ### Other (Cleanup or Flake) -- ACME account registration is now re-verified if account key is manually changed. (#5949, @TrilokGeer) -- Add `make go-workspace` target for generating a go.work file for local development (#5935, @SgtCoDFish) -- Added a Makefile target to build a standalone E2E test binary: make e2e-build (#5804, @wallrj) -- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#5724, @g-gaston) -- Bump the distroless base images (#5929, @maelvls) -- Bumps base images (#5793, @irbekrm) -- The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. (#5976, @irbekrm) +- ACME account registration is now re-verified if account key is manually changed. 
([#5949](https://github.com/cert-manager/cert-manager/pull/5949), [@TrilokGeer](https://github.com/TrilokGeer)) +- Add `make go-workspace` target for generating a go.work file for local development ([#5935](https://github.com/cert-manager/cert-manager/pull/5935), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Added a Makefile target to build a standalone E2E test binary: make e2e-build ([#5804](https://github.com/cert-manager/cert-manager/pull/5804), [@wallrj](https://github.com/wallrj)) +- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history ([#5724](https://github.com/cert-manager/cert-manager/pull/5724), [@g-gaston](https://github.com/g-gaston)) +- Bump the distroless base images ([#5929](https://github.com/cert-manager/cert-manager/pull/5929), [@maelvls](https://github.com/maelvls)) +- Bumps base images ([#5793](https://github.com/cert-manager/cert-manager/pull/5793), [@irbekrm](https://github.com/irbekrm)) +- The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. ([#5976](https://github.com/cert-manager/cert-manager/pull/5976), [@irbekrm](https://github.com/irbekrm)) - Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. **BREAKING:** users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. - Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm) -- Cainjector now only reconciles annotated objects of injectable kind. 
(#5764, @irbekrm) -- Container images are have an OCI source label (#5722, @james-callahan) -- The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. (#5754, @wallrj) -- The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. (#5966, @irbekrm) -- The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm) + Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. ([#5746](https://github.com/cert-manager/cert-manager/pull/5746), [@irbekrm](https://github.com/irbekrm)) +- Cainjector now only reconciles annotated objects of injectable kind. ([#5764](https://github.com/cert-manager/cert-manager/pull/5764), [@irbekrm](https://github.com/irbekrm)) +- Container images are have an OCI source label ([#5722](https://github.com/cert-manager/cert-manager/pull/5722), [@james-callahan](https://github.com/james-callahan)) +- The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. 
([#5754](https://github.com/cert-manager/cert-manager/pull/5754), [@wallrj](https://github.com/wallrj)) +- The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. ([#5966](https://github.com/cert-manager/cert-manager/pull/5966), [@irbekrm](https://github.com/irbekrm)) +- The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. ([#5824](https://github.com/cert-manager/cert-manager/pull/5824), [@irbekrm](https://github.com/irbekrm)) - The controller now makes fewer calls to the ACME server. - **POTENTIALLY BREAKING**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm) -- The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. (#6006, @vidarno) -- We are now testing with Kubernetes v1.27.1 by default. (#5979, @irbekrm) -- Updates Kubernetes libraries to `v0.26.2`. (#5820, @lucacome) -- Updates Kubernetes libraries to `v0.26.3`. (#5907, @lucacome) -- Updates Kubernetes libraries to `v0.27.1`. 
(#5961, @lucacome) -- Updates base images (#5832, @irbekrm) -- Upgrade to Go 1.20 (#5969, @wallrj) -- Upgrade to go 1.19.5 (#5712, @yanggangtony) -- Validates that `certificate.spec.secretName` is a valid `Secret` name (#5967, @avi-08) -- `certificate.spec.secretName` Secrets will now be labelled with `controller.cert-manager.io/fao` label (#5660, @irbekrm) + **POTENTIALLY BREAKING**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. ([#5901](https://github.com/cert-manager/cert-manager/pull/5901), [@irbekrm](https://github.com/irbekrm)) +- The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. ([#6006](https://github.com/cert-manager/cert-manager/pull/6006), [@vidarno](https://github.com/vidarno)) +- We are now testing with Kubernetes v1.27.1 by default. ([#5979](https://github.com/cert-manager/cert-manager/pull/5979), [@irbekrm](https://github.com/irbekrm)) +- Updates Kubernetes libraries to `v0.26.2`. ([#5820](https://github.com/cert-manager/cert-manager/pull/5820), [@lucacome](https://github.com/lucacome)) +- Updates Kubernetes libraries to `v0.26.3`. ([#5907](https://github.com/cert-manager/cert-manager/pull/5907), [@lucacome](https://github.com/lucacome)) +- Updates Kubernetes libraries to `v0.27.1`. 
([#5961](https://github.com/cert-manager/cert-manager/pull/5961), [@lucacome](https://github.com/lucacome)) +- Updates base images ([#5832](https://github.com/cert-manager/cert-manager/pull/5832), [@irbekrm](https://github.com/irbekrm)) +- Upgrade to Go 1.20 ([#5969](https://github.com/cert-manager/cert-manager/pull/5969), [@wallrj](https://github.com/wallrj)) +- Upgrade to go 1.19.5 ([#5712](https://github.com/cert-manager/cert-manager/pull/5712), [@yanggangtony](https://github.com/yanggangtony)) +- Validates that `certificate.spec.secretName` is a valid `Secret` name ([#5967](https://github.com/cert-manager/cert-manager/pull/5967), [@avi-08](https://github.com/avi-08)) +- `certificate.spec.secretName` Secrets will now be labelled with `controller.cert-manager.io/fao` label ([#5660](https://github.com/cert-manager/cert-manager/pull/5660), [@irbekrm](https://github.com/irbekrm)) ### Uncategorized -- We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. (#6000, @SgtCoDFish) +- We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. ([#6000](https://github.com/cert-manager/cert-manager/pull/6000), [@SgtCoDFish](https://github.com/SgtCoDFish)) From e43ed153a0d4aea85bd2bfe1ea055689f8d96cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 19 May 2023 15:16:05 +0200 Subject: [PATCH 30/31] release-notes: copy the "thank you" section from the GitHub release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- .../docs/release-notes/release-notes-1.12.md | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 8c76b9fd6d..4ee0fbbac1 100644 
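Review bot: the #5962 entry in the Feature hunk contradicts itself: it says the controller container "now has a `/livez` endpoint and a default liveness probe" and then "The liveness probe is disabled by default". Since the line is being rewritten for the link conversion anyway, state which it is, for example "now exposes a `/livez` endpoint; a liveness probe that uses it is available but disabled by default". Two smaller points in the same region: `--feature-gates=ServerSideApply=true` in the #5991 entry is the only flag in the list not wrapped in backticks, and the #5766 entry says `--watch-certs` was renamed to `--enable-certificates-data-source` while the cainjector entry for #5746 further down still tells users to pass `--watch-certificates=false` or cainjector "will not start". If those refer to the same cainjector flag, the #5746 instruction names a flag that no longer exists in this release and should be updated, because a wrong flag there is exactly the failure the BREAKING note warns about.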
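Review bot: a few wording errors survive the link conversion in the Bug or Regression hunk and should be fixed in the same pass, since those lines are rewritten: "cert-manager no longer loop trying to copy" should be "no longer loops", "In order work around a hardcoded Kubernetes version" is missing "to", "at an ulterior date" reads better as "in a later patch release", and "Cmctl renew" should be the command `cmctl renew` in backticks to match the other entries.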
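Review bot: the #5901 entry in the Other (Cleanup or Flake) hunk carries an upgrade caveat that does not belong under cleanup: Challenge resource names are calculated differently, and users must "ensure that there is no in-progress ACME certificate issuance" when upgrading or they risk duplicate issuances. Move that warning up to the upgrade notes at the top of the page, next to the other **POTENTIALLY BREAKING** item, rather than leaving it in a section readers skip. Wording nits in the same hunk, since the lines are being rewritten: "Container images are have an OCI source label" should be "now have"; "Bumps base images" and "Updates Kubernetes libraries" mix tense with "Bump the distroless base images" and "Upgrade to Go 1.20"; "go 1.19.5" and "Go 1.20" are inconsistently capitalised; and the three "Updates Kubernetes libraries to `v0.26.2` / `v0.26.3` / `v0.27.1`" entries could be collapsed to the version actually shipped, `v0.27.1`.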
--- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -145,13 +145,15 @@ and ClusterIssuers. ## Community -Once again, we extend our gratitude to all the open-source contributors who have made commits in this release, including: +We extend our gratitude to all the open-source contributors who have made +commits in this release, including: - [@andrewsomething](https://github.com/andrewsomething) - [@avi-08](https://github.com/avi-08) - [@dsonck92](https://github.com/dsonck92) - [@e96wic](https://github.com/e96wic) - [@ExNG](https://github.com/ExNG) +- [@erikgb](https://github.com/erikgb) - [@g-gaston](https://github.com/g-gaston) - [@james-callahan](https://github.com/james-callahan) - [@jkroepke](https://github.com/jkroepke) 
@@ -166,6 +168,31 @@ Once again, we extend our gratitude to all the open-source contributors who have - [@yanggangtony](https://github.com/yanggangtony) - [@yulng](https://github.com/yulng) +Thanks also to the following cert-manager maintainers for their contributions during this release: + +- [@inteon](https://github.com/inteon) +- [@wallrj](https://github.com/wallrj) +- [@maelvls](https://github.com/maelvls) +- [@SgtCoDFish](https://github.com/SgtCoDFish) +- [@irbekrm](https://github.com/irbekrm) +- [@jakexks](https://github.com/jakexks) +- [@JoshVanL](https://github.com/JoshVanL) +- [@munnerz](https://github.com/munnerz) + +Equally thanks to everyone who provided feedback, helped users and raised issues +on Github and Slack, joined our meetings and talked to us at Kubecon! + +Special thanks to [@erikgb](https://github.com/erikgb) for continuously great +input and feedback and to [@lucacome](https://github.com/lucacome) for always +ensuring that our Kubernetes dependencies are up to date! + +Thanks also to the CNCF, which provides resources and support, and to the AWS +open source team for being good community members and for their maintenance of +the PrivateCA Issuer. + +In addition, massive thanks to Jetstack (by Venafi) for contributing developer +time and resources towards the continued maintenance of cert-manager projects. + ## Changes since v1.11.0 ### Feature From 5835a2ef193528c575ea7768929a03333838bb3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 19 May 2023 15:18:18 +0200 Subject: [PATCH 31/31] release-notes: fix spelling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Maël Valais --- content/docs/release-notes/release-notes-1.12.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/docs/release-notes/release-notes-1.12.md b/content/docs/release-notes/release-notes-1.12.md index 4ee0fbbac1..9a048ec28e 100644 
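Review bot: "Equally thanks to everyone who provided feedback" in the added paragraph is ungrammatical; "Thanks equally to everyone" or "Thanks also to everyone" reads correctly. The spelling problems in the same hunk ("Github", "Kubecon", "PrivateCA Issuer") are corrected by the next patch in the series; consider squashing the two so the series does not introduce the mistakes and then fix them one commit later.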
--- a/content/docs/release-notes/release-notes-1.12.md +++ b/content/docs/release-notes/release-notes-1.12.md @@ -116,8 +116,8 @@ If you experience a break as part of this, we're sorry and we'd be interested to chat about it. The vast majority of projects using cert-manager should notice no impact, and there should be no runtime impact either. -You can read more about this change in the design document at -[20230302.gomod.md](https://github.com/cert-manager/cert-manager/blob/master/design/20230302.gomod.md). +You can read more about this change in the design document +[`20230302.gomod.md`](https://github.com/cert-manager/cert-manager/blob/master/design/20230302.gomod.md). ### Support for ephemeral service account tokens in Vault @@ -180,7 +180,7 @@ Thanks also to the following cert-manager maintainers for their contributions du - [@munnerz](https://github.com/munnerz) Equally thanks to everyone who provided feedback, helped users and raised issues -on Github and Slack, joined our meetings and talked to us at Kubecon! +on GitHub and Slack, joined our meetings and talked to us at KubeCon! Special thanks to [@erikgb](https://github.com/erikgb) for continuously great input and feedback and to [@lucacome](https://github.com/lucacome) for always @@ -188,7 +188,7 @@ ensuring that our Kubernetes dependencies are up to date! Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of -the PrivateCA Issuer. +the Private CA Issuer. In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
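Review bot: the first hunk is a link-format change rather than a spelling fix (it drops "at" and wraps the filename in backticks), which does not match the commit title, and its target `https://github.com/cert-manager/cert-manager/blob/master/design/20230302.gomod.md` points at `master`. Release notes are read long after the release, so link the design document at the tag for this release instead of `master`, which will break if the file is moved or renamed. The remaining two hunks ("GitHub and Slack", "KubeCon", "Private CA Issuer") are straightforward spelling corrections.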