helm/cert-manager/cert-manager 0.9.0

v0.9.0

on Artifact Hub

The v0.9 release is one of our biggest yet, packed with new features and bug
fixes!

The introduction of the new CertificateRequest resource type is significant as
it is a step towards where we want to be for 1.0, defining an API specification
for Certificates and allowing anyone to implement their own issuers and CAs as
first class citizens.

This release includes changes from:

• Aaron Gershman
• Aled James
• Artem Yarmoluk
• Carlos Panato
• Chris Abiad
• Christopher Abiad
• Crystal-Chun
• Dan
• Dobes Vandermeer
• Hans Kristian Flaatten
• Hays Clark
• Ivan Wallis
• James Munnelly
• Joshua Van Leeuwen
• Kevin Woo
• Lachlan Cooper
• Louis Taylor
• Michael Cristina
• Michael Tsang
• PirateBread
• Qiu Yu
• Sergej Nikolaev
• Solly Ross
• Stefan Kolb
• Steven Tobias
• Stuart Hu
• Till Wiese
• kfoozminus

Notable Items

New CertificateRequest Resource

A new resource has been introduced - CertificateRequest - that is used to
request certificates using a raw x509 certificate signing request. This resource
is not typically used by humans but rather by other controllers or services. For
example, the Certificate controller will now create a CertificateRequest
resource to resolve its own Spec.

Controllers to resolve CertificateRequests are currently disabled by default
and enabled via the feature gate CertificateRequestControllers. This feature
is currently in Alpha and only the CA issuer has been implemented.

This resource is going to enable out of tree, external issuer controllers to
resolve requests. Other issuer implementations and details on how to develop an
out of tree issuer will follow in later releases. You can read more on the
motivations and road map in the enhancement proposal or how this resource is
used in the docs.

DNS Zones support for ACME challenge solver selector

A list of DNS zones can now be added to the ACME challenge solver selector. The
most specific DNS zone match specified here will take precedence over other DNS
zone matches, so a solver specifying sys.example.com will be selected over one
specifying example.com for the domain www.sys.example.com. If multiple
solvers match with the same dnsZones value, the solver with the most matching
labels in matchLabels will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.

Certificate Readiness Prometheus Metrics

Cert-manager now exposes Prometheus metrics on Certificate ready statuses as
certmanager_certificate_ready_status. This is useful for monitoring
Certificate resources to ensure they have a Ready=True status.

Prometheus Operator ServiceMonitor

Support has been added to include a Prometheus ServiceMonitor for cert-manager
in the helm chart. This enables monitoring of cert-manager when in conjunction
with the Prometheus Operator.
This is disabled by default but can be enabled via the helm configuration.

ACMEv2 POST-as-GET

We have now switched to use the new POST-as-GET feature that was introduced
into the latest version of the ACME spec a few months ago.

If you are running your own ACME server, please ensure it supports POST-as-GET
as we no longer supported the old behaviour.

ACME Issuer Solver Pod Template

The ACME Solver Pod Spec now exposes a template that can be used to change
metadata about that pod. Currently, a template will expose labels, annotations,
node selector, tolerations, and affinity. This is useful when running
cert-manager in multi-arch clusters, or when you run workloads across different
types of nodes and need to restrict where the acmesolver pod runs.

Action Required

Length limit for Common Names

Common names with a character length of over 63 will be rejected during
validation. This is due to the upper limit being detailed in RFC 5280.

Distroless Cert-Manager Base Images

For each container, cert-manager ships with the base image
'gcr.io/distroless/static' which is a minimal image that includes no binaries.
Users who want to debug from within the cert-manager pod will need to attach an
additional container with their debug utilities to the pod's namespace.

CSRs in Order Resources now PEM Encoded

CSRs in Order resources have previously been incorrectly DER encoded due to an
error in implementation. This has now been corrected to PEM encoding. Current
orders that were created with a previous version of cert-manager will fail to
validate and so will be recreated. This should resume the order normally.

Changelog

General

• Reduce cert-manager's RBAC permissions (#1658, @munnerz)
• commented-out extraArg for enable-certificate-owner-ref (#1828, @aegershman)
• Validate that Certificates in a namespace have unique secretName (#1689, @cheukwing)
• Feature addition: Support for PKCS#8 keys. (#1308, @Crystal-Chun)
• Add the removal of certificates when no longer required by the owner ingress (#1705, @cheukwing)
• Fix bug causing ECDSA certificates to be issued using 2048-bit RSA private keys (#1757, @munnerz)
• Updated the labels in the helm charts to use the newer ones. (#1769, @cpanato)
• Allow disabling issuing temporary certificates with feature flag --feature-gates=IssueTemporaryCertificate=false (#1764, @gordonbondon)
• Switch to using distroless for base images (#1663, @munnerz)
• Limit length for CommonName to 63 bytes (#1818, @cheukwing)

ACME Issuer

• Properly encode the CSR field on Order resources as PEM data instead of DER (#1884, @munnerz)
• Fire informational Event if an ACME solver cannot be chosen for a domain on an Order (#1856, @munnerz)
• Fix bug with auto-generated Order names being longer than 63 characters (#1765, @cheukwing)
• Fix a panic when a misconfigured Issuer is used for HTTP01 challenge solving (#1758, @munnerz)
• Fix a bug where the logic to select a solver would always return the last solver and may return the wrong kind of solver for the challenge that it returned. (#1717, @dobesv)
• Fix indentation on ACME setup examples (#1785, @lachlancooper)
• Fix a the logic to select the most specific solver from an issuer if multiple matched (#1715, @dobesv)
• Adds support for nodeSelector and tolerations in podTemplate.spec (#1803, @cheukwing)
• support azure non-public regions (#1830, @stuarthu)
• Fix issue causing challenge controller to attempt to list Secrets across all namespaces even when --namespace is specified (#1849, @munnerz)
• Adds the handling of updates to the spec.acme.email field in Issuers (#1763, @cheukwing)
• Fix issue with private managed-zone being picked in CloudDNS (#1704, @cheukwing)
• Expose pod template for the ACME issuer solver pod (#1749, @JoshVanL)
• Ingress skips updating Certificate resource if already exists and not owned (#1670, @cheukwing)
• Add support for ACMEv2 POST-as-GET (#1648, @munnerz)
• Fix incorrect handling of issuewild tag when verifying CAA (#1777, @cheukwing)
• Add support for selecting ACME challenge solver to use by specifying 'dnsZones' in the selector (#1806, @munnerz)
• Use proxy environment variables in self-check request (#1850, @kinolaev)

Venafi Issuer

• Venafi: use vCert v4.1.0 (#1827, @munnerz)
• Bump Venafi vcert dependency to latest version (#1754, @munnerz)

Webhook

• cert-manager-webhook secret exists in cert-manager ns (#1791, @jetstack-bot)
• Support CRD conversion webhooks in the CA injector controller. (#1505, @DirectXMan12)

CA Issuer

• Adds CSR signing to CA issuer (#1835, @JoshVanL)

CertificateRequest

• Adds CertificateRequest resource (#1789, @JoshVanL)
• Adds CA issuer controller to resolve CertificateRequests where CA is the issuer reference (#1836, @JoshVanL)
• Adds Sign interface to Issuers (#1807, @JoshVanL)
• Adds group to issuerRef in CertificateRequest resources to distinguish resource ownership of incoming CertificateRequests so enabling full external issuer support. (#1860, @JoshVanL)

Documentation

• Adds Design and Proposals page to website docs (#1876, @JoshVanL)
• Adds CertificateRequest proposal (#1866, @JoshVanL)

Monitoring

• Prometheus metrics for deleted Certificates are cleaned up (#1681, @cheukwing)
• Adds ControllerSyncCallCount prometheus metric to count sync calls from each controller (#1692, @cheukwing)
• Add support for Prometheus Operator ServiceMonitor object in Helm Chart (#1761, @Starefossen)
• Add Prometheus metrics for tracking Certificate readiness (#1811, @cheukwing)