Release Notes

The v0.9 release is one of our biggest yet, packed with new features and bug fixes!

The introduction of the new CertificateRequest resource type is significant as it is a step towards where we want to be for 1.0, defining an API specification for Certificates and allowing anyone to implement their own issuers and CAs as first class citizens.

This release includes changes from:

  • Aaron Gershman
  • Aled James
  • Artem Yarmoluk
  • Carlos Panato
  • Chris Abiad
  • Christopher Abiad
  • Crystal-Chun
  • Dan
  • Dobes Vandermeer
  • Hans Kristian Flaatten
  • Hays Clark
  • Ivan Wallis
  • James Munnelly
  • Joshua Van Leeuwen
  • Kevin Woo
  • Lachlan Cooper
  • Louis Taylor
  • Michael Cristina
  • Michael Tsang
  • PirateBread
  • Qiu Yu
  • Sergej Nikolaev
  • Solly Ross
  • Stefan Kolb
  • Steven Tobias
  • Stuart Hu
  • Till Wiese
  • kfoozminus

Notable Items

New CertificateRequest Resource

A new resource has been introduced - CertificateRequest - that is used to request certificates using a raw x509 certificate signing request. This resource is not typically used by humans but rather by other controllers or services. For example, the Certificate controller will now create a CertificateRequest resource to resolve its own Spec.

Controllers to resolve CertificateRequests are currently disabled by default and enabled via the feature gate CertificateRequestControllers. This feature is currently in Alpha and only the CA issuer has been implemented.

This resource is going to enable out of tree, external issuer controllers to resolve requests. Other issuer implementations and details on how to develop an out of tree issuer will follow in later releases. You can read more on the motivations and road map in the enhancement proposal or how this resource is used in the docs.

DNS Zones support for ACME challenge solver selector

A list of DNS zones can now be added to the ACME challenge solver selector. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.

Certificate Readiness Prometheus Metrics

Cert-manager now exposes Prometheus metrics on Certificate ready statuses as certmanager_certificate_ready_status. This is useful for monitoring Certificate resources to ensure they have a Ready=True status.

Prometheus Operator ServiceMonitor

Support has been added to include a Prometheus ServiceMonitor for cert-manager in the helm chart. This enables monitoring of cert-manager when in conjunction with the Prometheus Operator. This is disabled by default but can be enabled via the helm configuration.

ACMEv2 POST-as-GET

We have now switched to use the new POST-as-GET feature that was introduced into the latest version of the ACME spec a few months ago.

If you are running your own ACME server, please ensure it supports POST-as-GET as we no longer supported the old behavior.

ACME Issuer Solver Pod Template

The ACME Solver Pod Spec now exposes a template that can be used to change metadata about that pod. Currently, a template will expose labels, annotations, node selector, tolerations, and affinity. This is useful when running cert-manager in multi-arch clusters, or when you run workloads across different types of nodes and need to restrict where the acmesolver pod runs.

Action Required

Length limit for Common Names

Common names with a character length of over 63 will be rejected during validation. This is due to the upper limit being detailed in RFC 5280.

Distroless Cert-Manager Base Images

For each container, cert-manager ships with the base image gcr.io/distroless/static which is a minimal image that includes no binaries. Users who want to debug from within the cert-manager pod will need to attach an additional container with their debug utilities to the pod’s namespace.

CSRs in Order Resources now PEM Encoded

CSRs in Order resources have previously been incorrectly DER encoded due to an error in implementation. This has now been corrected to PEM encoding. Current orders that were created with a previous version of cert-manager will fail to validate and so will be recreated. This should resume the order normally.

Changelog

General

  • Reduce cert-manager’s RBAC permissions (#1658, @munnerz)
  • commented-out extraArg for enable-certificate-owner-ref (#1828, @aegershman)
  • Validate that Certificates in a namespace have unique secretName (#1689, @cheukwing)
  • Feature addition: Support for PKCS#8 keys. (#1308, @Crystal-Chun)
  • Add the removal of certificates when no longer required by the owner ingress (#1705, @cheukwing)
  • Fix bug causing ECDSA certificates to be issued using 2048 bit RSA private keys (#1757, @munnerz)
  • Updated the labels in the helm charts to use the newer ones. (#1769, @cpanato)
  • Allow disabling issuing temporary certificates with feature flag --feature-gates=IssueTemporaryCertificate=false (#1764, @gordonbondon)
  • Switch to using Distroless for base images (#1663, @munnerz)
  • Limit length for CommonName to 63 bytes (#1818, @cheukwing)

ACME Issuer

  • Properly encode the CSR field on Order resources as PEM data instead of DER (#1884, @munnerz)
  • Fire informational Event if an ACME solver cannot be chosen for a domain on an Order (#1856, @munnerz)
  • Fix bug with auto-generated Order names being longer than 63 characters (#1765, @cheukwing)
  • Fix a panic when a misconfigured Issuer is used for HTTP01 challenge solving (#1758, @munnerz)
  • Fix a bug where the logic to select a solver would always return the last solver and may return the wrong kind of solver for the challenge that it returned. (#1717, @dobesv)
  • Fix indentation on ACME setup examples (#1785, @lachlancooper)
  • Fix a the logic to select the most specific solver from an issuer if multiple matched (#1715, @dobesv)
  • Adds support for nodeSelector and tolerations in podTemplate.spec (#1803, @cheukwing)
  • support azure non-public regions (#1830, @stuarthu)
  • Fix issue causing challenge controller to attempt to list Secrets across all namespaces even when –namespace is specified (#1849, @munnerz)
  • Adds the handling of updates to the spec.acme.email field in Issuers (#1763, @cheukwing)
  • Fix issue with private managed-zone being picked in CloudDNS (#1704, @cheukwing)
  • Expose pod template for the ACME issuer solver pod (#1749, @JoshVanL)
  • Ingress skips updating Certificate resource if already exists and not owned (#1670, @cheukwing)
  • Add support for ACMEv2 POST-as-GET (#1648, @munnerz)
  • Fix incorrect handling of issuewild tag when verifying CAA (#1777, @cheukwing)
  • Add support for selecting ACME challenge solver to use by specifying dnsZones in the selector (#1806, @munnerz)
  • Use proxy environment variables in self-check request (#1850, @kinolaev)

Venafi Issuer

Webhook

CA Issuer

CertificateRequest

  • Adds CertificateRequest resource (#1789, @JoshVanL)
  • Adds CA issuer controller to resolve CertificateRequests where CA is the issuer reference (#1836, @JoshVanL)
  • Adds Sign interface to Issuers (#1807, @JoshVanL)
  • Adds group to issuerRef in CertificateRequest resources to distinguish resource ownership of incoming CertificateRequests so enabling full external issuer support. (#1860, @JoshVanL)

Documentation

Monitoring

  • Prometheus metrics for deleted Certificates are cleaned up (#1681, @cheukwing)
  • Adds ControllerSyncCallCount Prometheus metric to count sync calls from each controller (#1692, @cheukwing)
  • Add support for Prometheus Operator ServiceMonitor object in Helm Chart (#1761, @Starefossen)
  • Add Prometheus metrics for tracking Certificate readiness (#1811, @cheukwing)