artifacthub helm/cert-manager/cert-manager 0.15.0
v0.15.0


The v0.15 release has a few focus areas:

  • Experimental new Certificate controller design
  • New installCRDs option in the Helm chart
  • Support for Red Hat's Operator Lifecycle Manager for easier deployment in OpenShift environments
  • Improved deployment process for webhook component
  • General Availability of JKS and PKCS#12 keystore support
  • kubectl cert-manager CLI plugin allowing manual renewal and API version conversion

As usual, please read the upgrade notes before upgrading.

Experimental controllers

The Certificate controller is one of the most commonly used controllers in the project.
It represents the 'full lifecycle' of an x509 private key and certificate, including
private key management and renewal.

As the project is maturing, more requirements around this controller are starting to become
apparent in order to implement feature requests such as private key rotation, JKS/PKCS#12
keystores and manual certificate renewal triggering.

This new controller aims to facilitate the above features, as well as make it easier to develop
individual areas of the controller over time and continue to make improvements.

For more information on this we invite you to read our design document.

Using the experimental controllers

We are looking for feedback on the use of these new controllers in different environments.
If you are able to run these in your cluster and report any issues you're seeing, that would
be very helpful to the further development of the project.

The experimental controllers are currently feature gated and disabled by default.
You can enable them by setting the following in your Helm values:

featureGates: "ExperimentalCertificateControllers=true"

If you're using the static manifests, edit the cert-manager Deployment with kubectl -n cert-manager edit deploy cert-manager
and add --feature-gates=ExperimentalCertificateControllers=true to the container args:

      containers:
      - args:
        - --v=2
        - --cluster-resource-namespace=$(POD_NAMESPACE)
        - --leader-election-namespace=kube-system
        - --feature-gates=ExperimentalCertificateControllers=true
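Editing the args by hand is error-prone when the Deployment already carries a --feature-gates flag (a second copy of the flag would override the first). The following helper is an added example, not cert-manager's own tooling: it merges the gate into an existing --feature-gates value or appends the flag, is idempotent, and assumes the controller container is named "cert-manager" (an assumption; check your manifest).

```python
"""Add (or merge) a feature gate into the cert-manager controller Deployment args.

Hypothetical helper, not cert-manager code. Feed it the Deployment JSON, e.g.
  kubectl -n cert-manager get deploy cert-manager -o json | python3 enable_gate.py | kubectl apply -f -
"""
import copy
import json
import sys

GATE = "ExperimentalCertificateControllers=true"
FLAG = "--feature-gates="


def merge_feature_gate(args, gate=GATE):
    """Return a new args list in which `gate` is set exactly once."""
    name = gate.split("=", 1)[0]
    out, found = [], False
    for arg in args:
        if arg.startswith(FLAG):
            gates = [g for g in arg[len(FLAG):].split(",") if g]
            # Drop any existing setting of the same gate, then append ours,
            # so re-running never duplicates it and an explicit =false is replaced.
            gates = [g for g in gates if g.split("=", 1)[0] != name] + [gate]
            out.append(FLAG + ",".join(gates))
            found = True
        else:
            out.append(arg)
    if not found:
        out.append(FLAG + gate)
    return out


def enable_experimental_controllers(deployment, container="cert-manager"):
    """Patch the named container's args in a Deployment dict; returns a copy."""
    dep = copy.deepcopy(deployment)  # never mutate the caller's object
    for c in dep["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container:  # container name is an assumption, see lead-in
            c["args"] = merge_feature_gate(c.get("args", []))
            return dep
    raise KeyError(f"container {container!r} not found in Deployment")


if __name__ == "__main__":
    json.dump(enable_experimental_controllers(json.load(sys.stdin)), sys.stdout, indent=2)
```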

Helm chart installCRDs option

It's been a long-standing feature request to bundle our CRD resources as part
of our Helm chart, to make it easier for users installing with Helm to manage
the lifecycle of the CRDs we create.

To facilitate this, and to help resolve common deployment issues, we have added
a new installCRDs option to the Helm chart which will mean the CRD resources
will be managed by your regular Helm installation.

This feature is disabled by default, and can be enabled either in your
values.yaml file or as a flag with helm install --set installCRDs=true.

Support for OpenShift's Operator Lifecycle Manager

cert-manager can now be deployed as a Red Hat Certified OpenShift Operator.
This is done using the cert-manager operator.
More information on this can be found on the OpenShift Installation page.

Improved deployment of the webhook

In order to improve the startup time of the webhook pod, as well as its reliability and operability,
cert-manager v0.15 includes a new DynamicAuthority structure in the webhook that manages the
CA used to secure the webhook.

Instances of the webhook will keep this CA up to date and use it to generate serving certificates which
are used to secure incoming connections.

This means that the cert-manager-controller component no longer needs to be running for webhook startup to succeed.
It also means that users should no longer see long startup times for this pod unless there is a genuine issue/error that needs resolving.

General Availability of JKS and PKCS#12 keystores

v0.14 added experimental 'bundle format' support for JKS and PKCS#12.
In v0.15 a keystores stanza has been added to the Certificate spec, which makes cert-manager
add the requested keystore files to your Certificate's Secret resource.
No additional feature gates need to be set anymore.

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: crt
spec:
  secretName: crt-secret
  dnsNames:
  - foo.example.com
  - bar.example.com
  issuerRef:
    name: letsencrypt-prod
  keystores:
    jks:
      create: true
      passwordSecretRef: # Password used to encrypt the keystore
        key: password-key
        name: jks-password-secret
    pkcs12:
      create: true
      passwordSecretRef: # Password used to encrypt the keystore
        key: password-key
        name: pkcs12-password-secret

For JKS this adds the files: keystore.jks and truststore.jks to the target spec.secretName.
For PKCS#12, it adds the file keystore.p12.

kubectl cert-manager tool

kubectl cert-manager is a kubectl plugin that assists with controlling cert-manager inside your
Kubernetes cluster. The kubectl cert-manager binary can be downloaded from the GitHub release page.
In v0.15 the use is currently limited to the convert and renew commands.

kubectl cert-manager renew can be used to manually trigger renewal of your certificates. This requires the ExperimentalCertificateControllers feature gate to be set.

kubectl cert-manager convert can be used to convert cert-manager config files between different API versions
if your cluster does not support the conversion webhook (i.e. running the 'legacy' release)
or if you want to upgrade all your local cert-manager configuration files.

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Remove serverAuth key usage from set of defaults. If your configured issuer does not automatically set this usage and you do require it, you will need to manually update your Certificate & CertificateRequest resources to contain the serverAuth usage (#2864, @munnerz)
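Before upgrading it helps to know which Certificates and CertificateRequests relied on the old default usages. The script below is an added example, not part of cert-manager: given the JSON from kubectl get certificates,certificaterequests -A -o json, it lists resources with no explicit spec.usages (these lose serverAuth after the upgrade) and resources whose explicit usages omit it. The remaining default usages it assumes when patching (digital signature, key encipherment) are an assumption to verify against your version's documentation.

```python
"""Pre-upgrade check for the v0.15 serverAuth default removal (hypothetical script)."""
import json
import sys

SERVER_AUTH = "server auth"  # cert-manager's usage string for the serverAuth EKU
# Assumed remaining defaults after v0.15; verify against your cert-manager docs.
OTHER_DEFAULTS = ["digital signature", "key encipherment"]


def classify(item):
    """'default' = relies on old defaults, 'missing' = explicit list without
    server auth, None = explicitly includes server auth."""
    usages = item.get("spec", {}).get("usages")
    if not usages:
        return "default"
    return None if SERVER_AUTH in usages else "missing"


def find_affected(items):
    """Map 'default'/'missing' -> list of 'Kind/namespace/name' strings."""
    report = {"default": [], "missing": []}
    for item in items:
        verdict = classify(item)
        if verdict:
            meta = item["metadata"]
            report[verdict].append(f"{item['kind']}/{meta.get('namespace', '')}/{meta['name']}")
    return report


def with_server_auth(item):
    """Copy of the resource with 'server auth' in spec.usages (explicit usages
    replace the defaults entirely, so the other defaults are written out too)."""
    patched = json.loads(json.dumps(item))
    usages = list(patched["spec"].get("usages") or OTHER_DEFAULTS)
    if SERVER_AUTH not in usages:
        usages.append(SERVER_AUTH)
    patched["spec"]["usages"] = usages
    return patched


# Constructed sample resources for offline use (not real cluster data).
SAMPLE = {"items": [
    {"kind": "Certificate", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"secretName": "web-tls", "dnsNames": ["web.example.com"]}},
    {"kind": "CertificateRequest", "metadata": {"name": "api-1", "namespace": "prod"},
     "spec": {"usages": ["digital signature", "key encipherment"]}},
    {"kind": "Certificate", "metadata": {"name": "mtls", "namespace": "prod"},
     "spec": {"usages": ["digital signature", "key encipherment", "server auth", "client auth"]}},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(find_affected(data["items"]), indent=2))
```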

Changes by Kind

Feature

  • Add Red Hat Universal Base Image based image release targets (#2746, @munnerz)
  • Add certificate.spec.keystores stanza and allowing configuring JKS and PKCS12 issuing on a per-Certificate basis (#2824, @munnerz)
  • Add installCRDs option to Helm chart to enable managing CRDs as part of regular Helm chart (#2775, @munnerz)
  • Add option to set custom annotations and labels for HTTP01 resolver Ingress resources. (#2023, @zeeZ)
  • Add support for Azure Managed Identity (#2681, @gitirabassi)
  • Add support for private key rotation when renewing or re-issuing certificates. This feature requires use of the new 'experimental' certificates controller. Set certificate.spec.privateKey.rotationPolicy to Always to enable this functionality. (#2814, @munnerz)
  • Added 'CRL Distribution Points' fields to Self-signed and CA issuers (#2625, @srbraun)
  • Adds Temporary Certificate support to Issuing controller (#2843, @JoshVanL)
  • Adds cert-manager-ctl convert command. (#2758, @JoshVanL)
  • Adds cert-manager-ctl command with version (#2725, @JoshVanL)
  • Adds ctl renew command to mark Certificates for manual renewal (#2845, @JoshVanL)
  • Move TLS bootstrapping into the webhook binary to drastically improve webhook start up times and reduce operational complexity. (#2743, @munnerz)
  • Release cert-manager ctl binaries (#2836, @meyskens)
  • Support the AuditSink kind in auditregistration.k8s.io/v1alpha1 to be a ca injector target. (#2027, @pepov)
  • Venafi issuer: add origin tag to requests (#2825, @meyskens)
  • nameserver field in RFC2136 providers now supports hostname, FQDN, and IPv6 address in addition to IPv4 address. (#2682, @johanfleury)

Design

Documentation

  • Update Helm chart README to properly explain legacy manifests (#2734, @munnerz)

Other (Bug, Cleanup or Flake)

  • Add webhook and cainjector service account customization (#2841, @rmb938)
  • Add license files to /licences/ in Docker images (#2816, @meyskens)
  • Adds acme client timeout of 30 seconds (#2713, @JoshVanL)
  • Bump Go version to 1.14.1 (#2719, @munnerz)
  • Bump Go version to 1.14.2 (#2880, @meyskens)
  • Expose webhook deployment container port (#2806, @dewet22)
  • Fix bug causing the experimental PKCS12 and JKS keystore feature to not work (#2723, @munnerz)
  • Fix bug in webhook based validation on Kubernetes API servers older than 1.15 (#2851, @munnerz)
  • Fix bug that could cause ACME Orders that contain already valid Authorizations to not be completed (#2869, @munnerz)
  • Fix bug that could cause the webhookbootstrap controller to fail to Update webhook TLS resources in certain cases (#2739, @munnerz)
  • Fix build system issue causing docker images to use user ID 0 (root) instead of '1000' as before (#2708, @munnerz)
  • Fix case where cert-manager.io/issuer doesn't set Issuer kind (#2837, @meyskens)
  • Fix incorrect service name being used in the --webhook-dns-names flag (#2733, @munnerz)
  • Fix issue causing CRDs to be added to the static manifests twice (#2790, @munnerz)
  • Fix validatingwebhookconfiguration to use correct URL path and to support v1alpha3 API objects. (#2831, @wallrj)
  • Limit per_page to 100 in Cloudflare API calls (#2856, @sileht)
  • Properly fix user ID used for Docker images in release targets (#2771, @munnerz)
  • Release kubectl cert-manager as .tar.gz (#2871, @meyskens)
  • This change will create a limited scope role for the configmaps used in leadership election. This limits the role to just the 3 configmaps used for leadership election. (#2807, @HoogWater)
  • Update k8s.io/* dependencies to v1.18.0 (#2731, @munnerz)
  • Webhook: add --tls-min-version to allow configuring the minimum allowed TLS version and fix default ciphers list. (#2769, @munnerz)
