github cloudflare/origin-ca-issuer v0.13.0

2 days ago

What's Changed

🆕 issuer-lib

The project is now based on cert-manager's issuer-lib, a project to standardize the behavior of external issuers. The retry and backoff behavior should now more closely match that of cert-manager's in-tree issuers. Fixes #161.

🆕 Leader Election

The controller now implements leader election using Kubernetes Lease objects. This allows multiple replicas to run without duplicate Origin CA certificates being created. Fixes #181.

🆕 Validate Origin Issuer Authentication

The .spec.auth of OriginIssuers and ClusterOriginIssuers now requires that only one of serviceKeyRef or tokenRef is set. The API server enforces this with CEL validation.

We continue to recommend the use of scoped API tokens over that of API service keys.

⚠️ Certificate Default Durations

The default duration of certificates, if not specified on the Certificate resources, is now 90 days, up from 7. This matches the default validity of in-tree issuers, and the cert-manager FAQ.

Durations are still rounded to the nearest values accepted by the Cloudflare API.
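
An added example, not part of the release notes or the project's own code: a pre-upgrade audit over exported resources (for instance the items of a kubectl get ... -o json export) that flags issuers with both auth references set, issuers still using a service key, and Certificates that rely on the default duration. The API group name and the object layout are assumptions based on the project's published manifests; the sample objects are constructed.

```python
ORIGIN_GROUP = "cert-manager.k8s.cloudflare.com"  # assumed API group of the issuer CRDs
ISSUER_KINDS = {"OriginIssuer", "ClusterOriginIssuer"}

def audit(items):
    """Return (resource, finding) pairs for objects affected by v0.13.0."""
    findings = []
    for obj in items:
        kind, meta, spec = obj.get("kind"), obj.get("metadata", {}), obj.get("spec", {})
        ident = f"{kind}/{meta.get('namespace', '-')}/{meta.get('name')}"
        if kind in ISSUER_KINDS:
            auth = spec.get("auth") or {}
            refs = [k for k in ("serviceKeyRef", "tokenRef") if auth.get(k)]
            if len(refs) == 2:
                # Both references set: conflicts with the new one-of rule on .spec.auth.
                findings.append((ident, "both serviceKeyRef and tokenRef set"))
            elif refs == ["serviceKeyRef"]:
                # Still valid, but the notes recommend scoped API tokens.
                findings.append((ident, "uses service key; prefer tokenRef"))
        elif kind == "Certificate":
            ref = spec.get("issuerRef", {})
            if (ref.get("group") == ORIGIN_GROUP and ref.get("kind") in ISSUER_KINDS
                    and not spec.get("duration")):
                # No explicit duration: the default moves from 7 to 90 days.
                findings.append((ident, "no duration; default is now 90 days"))
    return findings

# Constructed sample objects (not from a real cluster).
SAMPLE = [
    {"kind": "OriginIssuer", "metadata": {"namespace": "web", "name": "legacy"},
     "spec": {"auth": {"serviceKeyRef": {"name": "sk", "key": "key"},
                       "tokenRef": {"name": "tok", "key": "key"}}}},
    {"kind": "ClusterOriginIssuer", "metadata": {"name": "shared"},
     "spec": {"auth": {"serviceKeyRef": {"name": "sk", "key": "key"}}}},
    {"kind": "OriginIssuer", "metadata": {"namespace": "web", "name": "scoped"},
     "spec": {"auth": {"tokenRef": {"name": "tok", "key": "key"}}}},
    {"kind": "Certificate", "metadata": {"namespace": "web", "name": "site"},
     "spec": {"issuerRef": {"group": ORIGIN_GROUP, "kind": "OriginIssuer", "name": "scoped"}}},
    {"kind": "Certificate", "metadata": {"namespace": "web", "name": "api"},
     "spec": {"duration": "168h",
              "issuerRef": {"group": ORIGIN_GROUP, "kind": "OriginIssuer", "name": "scoped"}}},
    {"kind": "Certificate", "metadata": {"namespace": "web", "name": "other"},
     "spec": {"issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "le"}}},
]

if __name__ == "__main__":
    for ident, finding in audit(SAMPLE):
        print(f"{ident}: {finding}")
```

Certificates that should keep the previous 7-day lifetime need an explicit duration set before upgrading.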

Full Changelog: v0.12.1...v0.13.0
