Release Notes
This is the next feature release of cert-manager, containing a number of additions that have been in the works for a while now.
As you will notice from the release notes below, we are seeing a lot more community contributions to the project which is brilliant! smile
A massive thank you to everyone involved in making this release a reality.
We have moved to a more regular minor-release schedule, and aim to cut new feature
releases monthly. That means the next minor release (v0.5
) is scheduled for
around the 11th August.
Highlights
Resource validation for Issuers
, ClusterIssuers
and Certificates
A common pain point for users has been around submitting invalid resources to the API, which cannot be handled or processed.
Other Kubernetes API types handle this well by applying ‘validation’ before the resource is persisted or operated upon, and up until now we have not supported this.
When submitting your resources to the Kubernetes apiserver, they will now be validated and if invalid, cert-manager will inform you of why and how they are invalid and suspend processing of that resource.
In the next release, this validation will be turned into a ValidatingWebhookConfiguration
which will allow us to prevent these resources being persisted into the API in
the first place, similar to all other Kubernetes resource types.
Due to some limitations with the current release of Helm, we have been unable to
support this webhook operation mode in the v0.4
release of cert-manager.
However, releasing validation this way allows us to pilot the new validation rules
we have in place and it allows you to get started with it immediately!
Added reference documentation for API types
Regularly, users ask us “what can I specify on my resources”. In the past, we have
had to recommend users check out our source code (namely types.go
) in order to
find out what can and cannot be specified.
Digging through source code is no longer required! As part of our documentation publishing process, we now generate reference API documentation (similar to the upstream Kubernetes project!). This is available under the ‘Reference documentation -> API documentation’ section of our docs site!
Better support for ‘split horizon’ DNS environments with ACME DNS01 challenges
A number of users have noticed that when running cert-manager with DNS01 challenges in split-horizon DNS environments (using the ACME issuer), the self check stage of the validation process failed as the ‘internal’ DNS resolvers were used to check for challenge record propagation.
We have added a new flag, --dns01-self-check-nameservers
, that allows users to specify
custom recursive DNS servers to use for performing DNS01 self checks.
In these environments, this flag can be set to some external nameserver list that will be used for DNS01 resolution, e.g. 8.8.8.8:53,8.8.4.4:53.
Self-signed Issuers
We recently merged support for ‘self signed’ issuers. This allows users to create the basis for a completely cert-manager managed PKI by ‘self signing’ certificates.
This can be useful when debugging, or once cert-manager also supports setting the
isCA
bit on a Certificate, for creating a self signed root CA!
Read up on how to get started with this new issuer type in the documentation.
Changelog
Action Required
- Check the acme issuer has the ‘HTTP01’ challenge type configured if in use. (#629,
@groner
) ACME HTTP01 validation is no longer attempted using anIssuer
/ClusterIssuer
with no ACME HTTP01 configuration. Note that the minimalhttp01: {}
configuration IS sufficient.
If you rely on ACME HTTP01 validation, you should check your issuers to make sure HTTP01 validation is explicitly enabled as in previous release, this was not verified!
Other notable changes
ACME Issuer
- Add
--dns01-nameservers
flag for setting nameservers for DNS01 check (#710,@kragniz
) - Fix bugs affecting eTLD and CNAMEs during DNS zone resolution (#582,
@ThatWasBrilliant
) - Run
acmesolver
container as non-root user (#585,@klausenbusk
) Support for ACME HTTP01 validations when using
istio-ingress
with a mTLS enabled mesh (#622,@munnerz
)Vault Issuer
Configurable Vault AppRole authentication path using the attribute is
spec.vault.auth.authPath
in the issuer. (#612,@vdesjardins
)Self-signed Issuer
Add ‘self signed’ Issuer type (#637,
@munnerz
)Docs
Add reference documentation for API types (#644,
@munnerz
)Helm
Added configuration variables to set
http_proxy
,https_proxy
andno_proxy
environment variables in Helm chart. (#680,@fllaca
)added option to set additional environment variable values to the Helm chart (#556,
@nazarewk
)Other
Add
certmanager.k8s.io/certificate-name
label to secrets. (#719,@kragniz
)Add resource validation at start of sync loops, and mark resources as not Ready when invalid (#682,
@munnerz
)To disable
ingress-shim
, you can now set this flag:--controllers=issuers,clusterissuers,certificates
(#717,@kragniz
)