Release Notes
The v0.14
release has a few focus areas:
- Improving the deployment/installation process
- Improving the release process
CustomResourceDefinition
conversion- Support for older Kubernetes and OpenShift versions
- Experimental ‘bundle’ output format for Certificates
As usual, please read the upgrade notes before upgrading.
Webhook changes
The webhook component is now required.
The webhook will be automatically enabled by the v0.14
manifests, so no additional action is required.
If you have issues running the webhook in your environment, we’d like to hear from you! We are aware of issues relating to firewall rules from the Kubernetes API server to the webhook pod(s) - we would like to gather together a corpus of configuration snippets that can be used to ensure the webhook is successfully deployed in these environments too.
This change is required in order to support the upcoming changes to our API versions, as we introduce v1alpha3
,
v1beta1
and v1
over the coming months!
Improving our deployment and release process
After reports of various issues installing on older Kubernetes and OpenShift versions, we’ve taken some time to revise our installation manifests.
There are now two ‘variants’ to choose from, ‘standard’ and the ‘legacy’, with a simple way to know which to use:
Environment | Variant to use |
---|---|
Kubernetes 1.15+ | cert-manager.yaml |
OpenShift 4 | cert-manager.yaml |
Kubernetes 1.11-1.14 | cert-manager-legacy.yaml |
OpenShift 3.11 | cert-manager-legacy.yaml |
Please be sure to read the upgrade guide for more information on how to upgrade from a previous release.
CustomResourceDefinition
conversion webhook + v1alpha3
API version
As part of the effort to mature our API, we are releasing the v1alpha3
API version. This contains a number of small
changes, notably moving some fields to the subject
stanza on the Certificate resource to be more consistent with how
certain options are specified.
With this we have enabled the ‘conversion webhook’, which enables API clients to utilize both the v1alpha2
and
v1alpha3
APIs simultaneously, similar to other core resources in Kubernetes.
Thanks to this conversion webhook, this upgrade and future upgrades after it should be seamless. The ability to make
these kinds of changes to our API will enable the v1beta1
API version to be released in a seamless manner in an
upcoming release too.
More information on the webhook can be found in the concepts section.
Support for Kubernetes 1.11 and OpenShift 3.11
We’ve had a number of users who are using OpenShift 3.11 & Kubernetes 1.11 reach out requesting support with installation. In this release, we’ve expanded the range of Kubernetes versions we support to once again include 1.11, as well as adding support for OpenShift 3.11.
A big thanks to @meyskens
for putting this together!
Experimental ‘bundle format’ support (JKS and PKCS#12)
One of our top feature requests has been for support for JKS and PKCS#12 bundle files as an output from Certificate resources.
In this release, we’ve added experimental support for both of these bundle formats. This can currently only be
configured globally with flags provided to the cert-manager
pod (--experimental-issue-jks
and
--experimental-issue-pkcs12
). The password used for this bundle must also be configured using the flags
--experimental-jks-password
and --experimental-pkcs12-keystore-password
respectively.
In the next release, we are aiming to provide native support for these bundle format types as part of the Certificate resource configuration. We have added these flags now in order to gather feedback on the way this feature works, and help guide how this feature should work in future.
Extended support for Venafi features
Users of the Venafi issuer often need to set custom metadata on their certificate requests in order to better associate each request with different business areas, or in order to validate & authorize whether a request should be signed.
In this release, we’ve added support for setting custom metadata by adding the venafi.cert-manager.io/custom-fields
annotation on Certificate
and CertificateRequest
resources. If using the Venafi TPP integration, version 19.2 or
greater is required.
Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
- Update Deployment selector to follow Helm chart best practices. This will require deleting the three cert-manager Deployment resources before upgrading. (#2654,
@munnerz
)
Changes by Kind
Feature
- Add
--experimental-issue-jks
flag to enable JKS bundle generation in generated Secret resources. This flag will be replaced with native support for JKS bundles in future and is currently an experimental feature. If enabled, the--experimental-jks-password
flag must also be set to the password used to encrypt JKS bundles. (#2647,@munnerz
) - Add
--experimental-issue-pkcs12
flag to enable PKCS12 bundle generation in generated Secret resources. This flag will be replaced with native support for PKCS12 bundles in future and is currently an experimental feature. If enabled, the--experimental-pkcs12-keystore-password
flag must also be set to the password used to encrypt PKCS12 bundles. (#2643,@munnerz
) - Add
venafi.cert-manager.io/custom-fields
annotation for Venafi custom fields (#2573,@meyskens
) - Add
emailSANs
field to Certificate resource (#2597,@meyskens
) - Added
--tls-cipher-suites
command line flag to the webhook binary with sensible defaults (#2562,@willthames
) - Build OpenShift 3.11 compatible CRDs (#2609,
@meyskens
) - Enable CRD conversion webhook and begin serving
v1alpha3
(#2563,@munnerz
) - Improve startup time for webhook pod. (#2574,
@JoshVanL
) - Replace
00-crds.yaml
file with a manifest file published as part of the release (#2665,@munnerz
)
Other (Bug, Cleanup or Flake)
- Bump
Venafi/vcert
dependency to support custom fields in Venafi TPP 19.2 (#2663,@munnerz
) - Fix
GroupVersionKind
set onOwnerReference
of resources created by HTTP01 challenge solver, causing HTTP01 validations to fail on OpenShift 4 (#2546,@munnerz
) - Fix Venafi Cloud URL field being marked required (#2568,
@munnerz
) - Fix bug in ingress-shim causing Certificate resources to be rapidly updated if multiple
spec.tls[].hosts
entries refer to the same Secret name but a different set of hosts (#2611,@munnerz
) - Fix bug that could cause certificates to be incorrectly issued with an invalid public key (#2539,
@munnerz
) - Fix
cainjector.enabled=False
override being ignored by the Helm Chart (#2544,@gtaylor
) - Include license header in manifests attached to GitHub releases (#2684,
@munnerz
) - Make the webhook
RoleBinding
the leader election namespace instead of hard-codedkube-system
(#2621,@travisghansen
) - Replace
openshift
andno-webhook
manifest variants with a “legacy” variant (#2648,@meyskens
) - Truncate message display if HTTP01 self check fails (#2613,
@munnerz
) - Upgrade to Go 1.14 (#2656,
@munnerz
)
Other Changes
- Add
//build/release-tars
targets for generating release artifacts (#2556,@munnerz
) - Improve local testing and development environment setup code (#2534,
@munnerz
) - Remove
isOpenShift
from Helm chart (#2642,@meyskens
) - Remove
webhook.enabled
variable in Helm chart as the webhook now is a required component (#2649,@meyskens
)