Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
helm users
If you install cert-manager with helm, upgrade directly to v1.3.1 to avoid a CRD type conversion issue. (#3880)
Venafi Cloud Issuer
This release updates the Venafi Cloud Issuer to use OutagePREDICT instead of DevOpsACCELERATE.
The only impact to Venafi Cloud users is the change in zone syntax. The zone is now <Application Name>\<Issuing Template Alias> (e.g. My Application\My CIT).
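An Issuer manifest using the new zone syntax, added here as an illustration and not taken from the release notes or the cert-manager project; the resource names, namespace and secret name are placeholders. The zone is single-quoted because a backslash is an escape character inside a YAML double-quoted string.

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: venafi-cloud-issuer      # placeholder name
  namespace: example-namespace   # placeholder namespace
spec:
  venafi:
    # OutagePREDICT zone syntax: <Application Name>\<Issuing Template Alias>.
    # Single quotes keep the backslash literal; in a double-quoted YAML string
    # it would have to be written as "My Application\\My CIT".
    zone: 'My Application\My CIT'
    cloud:
      # Secret holding the Venafi Cloud API key (placeholder secret name).
      apiTokenSecretRef:
        name: venafi-cloud-secret
        key: apikey
```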
cert-manager controller
The --renew-before-expiration-duration flag has been removed from the cert-manager controller, having been deprecated in the previous release.
cert-manager CRDs
CertificateRequests are now immutable: the spec and metadata.annotations fields cannot be changed after creation. They were always designed to be immutable, but this behavior is now enforced by the cert-manager webhook.
Changes by Kind
Feature
- Add automountServiceAccountToken field to service accounts in helm chart (#3725, @joshuastern)
- Adds Approved condition type to CertificateRequest (#3735, @JoshVanL)
- Adds ObservedGeneration field to all Issuer conditions (#3754, @JoshVanL)
- Adds RevisionHistoryLimit field to Certificates to optionally garbage collect old CertificateRequests (#3773, @JoshVanL)
- Adds UserInfo fields to CertificateRequests containing the UserInfo of the requester: Username, Groups, UID, Extra. (#3641, @JoshVanL)
- Adds kubectl cert-manager [approve|deny] CLI commands to manually approve or deny CertificateRequests (#3792, @JoshVanL)
- Adds an observedGeneration field to all Certificate conditions. This is set to the generation of that Certificate at the time of updating. (#3613, @JoshVanL)
- Allows disabling individual cert-manager-controller controllers that are enabled, for example '--controllers=*,-foo' (#3791, @JoshVanL)
- Enforce CertificateRequest approvers have the permissions: verb="approve" resource="signers" group="cert-manager.io" name=./[*|[.]] at the Cluster level. You can find out more information about this syntax here. (#3785, @JoshVanL)
- Retry issuance of Denied CertificateRequests after 1 hour. (#3795, @JoshVanL)
- The Venafi issuer in cert-manager is now compatible with Venafi Cloud OutagePREDICT. (#3831, @wallrj)
- kubectl get certificaterequest now outputs the Issuer name and the username of the requestor by default (#3774, @JoshVanL)
Documentation
- Add a vulnerability reporting process in SECURITY.md (#3818, @SgtCoDFish)
Bug or Regression
- Allow the usage of hostNetwork in the webhook PSP (#3454, @Kirill-Garbar)
- Correct permissions on edit aggregate role (#3697, @yann-soubeyrand)
- Fix a bug that prevented the immediate re-issuance of a failing certificate: even when the user edited the certificate to fix an incorrect field, no certificate request would get created. Editing a failed certificate now properly re-issues immediately. (#3444, @maelvls)
- Fixed approle login when namespaces were used in HashiCorp Vault. Fixed an incorrectly failing health check that was caused when the Vault token did not have sufficient permission to call /sys/- endpoints (#3582, @lalitadithya)
- Fixes Helm upgrade bug (#3647, @irbekrm)
- Fixes multiple Certificate Requests issue - see #3603 (#3665, @irbekrm)
- Handle CA issuer working as intermediate correctly (#3847, @erikgb)
- Improve error messages when Vault Issuer has misconfigured auth method (#3763, @JoshVanL)
- Selfsigned issuer: warn when certs have empty issuer DNs, in violation of TLS RFC 5280 (#3760, @SgtCoDFish)
- Skip Google Cloud DNS test when gcloud hasn't been configured (#3752, @SgtCoDFish)
- Use port from helm values for service targetPort (#3652, @7opf)
Other (Cleanup or Flake)
- Bumps go version to v1.16 (#3823, @irbekrm)
- Removes --renew-before-expiry flag that was deprecated in release v1.2.0 (#3693, @irbekrm)
- Standardise controller names across the project (#3789, @JoshVanL)
- Update distroless/static base image (#3741, @teejaded)
- Updated cainjector to use v1 API versions of admissionregistration, apiextensions and apiregistration. (#3838, @wallrj)
Dependencies
Added
- github.com/pavel-v-chernykh/keystore-go/v4: v4.1.0
Changed
- github.com/Venafi/vcert/v4: v4.11.0 → v4.13.1
- gopkg.in/yaml.v2: v2.3.0 → v2.4.0
Removed
Nothing has changed.