cert-manager

Automatically provision and manage TLS certificates in Kubernetes

APACHE-2.0 License

cert-manager - v0.15.1

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Other (Bug, Cleanup or Flake)

  • Default to O = cert-manager in the Venafi issuer if DN is empty (#2955, @meyskens)
cert-manager - v0.15.0

Published by jetstack-release-bot over 4 years ago

The v0.15 release has a few focus areas:

  • Experimental new Certificate controller design
  • New installCRDs option in the Helm chart
  • Support for Red Hat's Operator Lifecycle Manager for easier deployment in OpenShift environments
  • Improved deployment process for webhook component
  • General Availability of JKS and PKCS#12 keystore support
  • kubectl cert-manager CLI plugin allowing manual renewal and API version conversion

As usual, please read the upgrade notes before upgrading.

Experimental controllers

The Certificate controller is one of the most commonly used controllers in the project.
It represents the 'full lifecycle' of an x509 private key and certificate, including
private key management and renewal.

As the project matures, feature requests such as private key rotation, JKS/PKCS#12
keystores and manually triggered certificate renewal have placed new requirements on
this controller.

This new controller aims to facilitate the above features, as well as make it easier to develop
individual areas of the controller over time and continue to make improvements.

For more information on this we invite you to read our design document.

Using the experimental controllers

We are looking for feedback on the use of these new controllers in different environments.
If you are able to run these in your cluster and report any issues you're seeing that would
be very helpful to the further development of the project.

The experimental controllers are currently feature gated and disabled by default.
To enable them with Helm, set the following in your values:

featureGates: "ExperimentalCertificateControllers=true"

If you're using the static manifests, edit the cert-manager Deployment with kubectl -n cert-manager edit deploy cert-manager
and add --feature-gates=ExperimentalCertificateControllers=true to the container args:

      containers:
      - args:
        - --v=2
        - --cluster-resource-namespace=$(POD_NAMESPACE)
        - --leader-election-namespace=kube-system
        - --feature-gates=ExperimentalCertificateControllers=true

Helm chart installCRDs option

It's been a long-standing feature request to bundle our CRD resources as part
of our Helm chart, to make it easier for users installing with Helm to manage
the lifecycle of the CRDs we create.

To facilitate this, and to help resolve common deployment issues, we have added
a new installCRDs option to the Helm chart. When it is set, the CRD resources are
rendered as part of the chart and managed by your regular Helm installation.

This feature is disabled by default, and can be enabled either in your
values.yaml file or as a flag with helm install --set installCRDs=true.
Be aware that Helm-managed CRDs are removed on helm uninstall, and deleting the
CRDs deletes every Certificate, Issuer and other cert-manager resource in the
cluster along with them, so treat uninstalling the chart as a destructive operation.

Support for OpenShift's Operator Lifecycle Manager

cert-manager can now be deployed as a Red Hat Certified OpenShift Operator.
This is done using the cert-manager operator.
More information on this can be found on the OpenShift Installation page.

Improved deployment of the webhook

To improve the start-up time of the webhook pod, as well as its reliability and operability,
cert-manager v0.15 includes a new DynamicAuthority structure in the webhook that manages the
CA used to secure the webhook.

Instances of the webhook will keep this CA up to date and use it to generate serving certificates which
are used to secure incoming connections.

This means that the cert-manager-controller component is no longer required to be running in order for webhook startup to succeed.
This also means that users should no longer see long start-up times for this pod unless there is a genuine issue or error that needs resolving.

General Availability of JKS and PKCS#12 keystores

v0.14 added experimental 'bundle format' support for JKS and PKCS#12, configurable
only globally through flags on the controller. In v0.15 a keystores stanza has been
added to the Certificate spec, so cert-manager writes an additional keystore into
your Certificate's Secret resource on a per-Certificate basis.
No additional feature gates need to be set anymore.

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: crt
spec:
  secretName: crt-secret
  dnsNames:
  - foo.example.com
  - bar.example.com
  issuerRef:
    name: letsencrypt-prod
  keystores:
    jks:
      create: true
      passwordSecretRef: # Password used to encrypt the keystore
        key: password-key
        name: jks-password-secret
    pkcs12:
      create: true
      passwordSecretRef: # Password used to encrypt the keystore
        key: password-key
        name: pkcs12-password-secret

For JKS this adds the files keystore.jks and truststore.jks to the Secret named by spec.secretName.
For PKCS#12, it adds the file keystore.p12.
The password Secrets referenced by passwordSecretRef must exist in the Certificate's namespace
before the keystores can be written, and they protect only the keystore files: the PEM private
key is still stored alongside them as tls.key in the same Secret.

kubectl cert-manager tool

kubectl cert-manager is a kubectl plugin that assists with controlling cert-manager inside your
Kubernetes cluster. The kubectl cert-manager binary can be downloaded from the GitHub release page.
In v0.15 its use is limited to the convert and renew commands.

kubectl cert-manager renew can be used to manually trigger renewal of your certificates. This requires the ExperimentalCertificateControllers feature gate to be enabled.

kubectl cert-manager convert can be used to convert cert-manager config files between different API versions
if your cluster does not support the conversion webhook (i.e. running the 'legacy' release)
or if you want to upgrade all your local cert-manager configuration files.

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Remove serverAuth key usage from set of defaults. If your configured issuer does not automatically set this usage and you do require it, you will need to manually update your Certificate & CertificateRequest resources to contain the serverAuth usage (#2864, @munnerz)
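The webhook's DynamicAuthority described earlier and this serverAuth change come down to the same question: does a serving certificate chain to the CA bundle a client trusts, and does it carry the extended key usage the client needs? The Go program below is an added example written for this page, not cert-manager's code. It models a self-managed CA in a few dozen lines, issues serving certificates with a chosen set of EKUs, and checks them the way a TLS client would, then additionally insists on an explicit serverAuth EKU, because crypto/x509 accepts a leaf that has no EKU extension at all and so would not, on its own, flag a Certificate whose issuer stopped adding serverAuth. The CA name, the Service DNS name and the validity periods are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DynamicAuthority is a toy self-managed CA (not cert-manager's own code).
type DynamicAuthority struct {
	caCert   *x509.Certificate
	caKey    *ecdsa.PrivateKey
	CABundle []byte // PEM trust anchor clients pin, e.g. a webhook configuration's caBundle
}

// newCert generates a P-256 key and signs tmpl with parent, or self-signs when
// parent is nil, returning the parsed certificate and the new private key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewDynamicAuthority generates a fresh CA valid for one day.
func NewDynamicAuthority() (*DynamicAuthority, error) {
	caCert, key, err := newCert(&x509.Certificate{
		Subject:  pkix.Name{CommonName: "example-webhook-ca"}, // assumed name
		NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:     true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
	return &DynamicAuthority{caCert: caCert, caKey: key, CABundle: bundle}, nil
}

// IssueServing issues a one-hour PEM leaf for dnsNames carrying exactly the given
// EKUs; nil models a certificate issued with no EKU extension at all. The leaf key
// is discarded because only the certificate is inspected here.
func (a *DynamicAuthority) IssueServing(dnsNames []string, ekus []x509.ExtKeyUsage) ([]byte, error) {
	cert, _, err := newCert(&x509.Certificate{
		Subject:  pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames,
		NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
	}, a.caCert, a.caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), nil
}

// CheckServing does what a TLS client does (chain the leaf to caBundle, match
// dnsName against the SANs, require server auth) and then insists on an explicit
// serverAuth EKU: crypto/x509 treats a leaf with no EKU extension as usable for
// anything, so on its own it would not flag a certificate issued without serverAuth.
func CheckServing(leafPEM, caBundle []byte, dnsName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundle) {
		return errors.New("no CA certificates in bundle")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("no PEM block in leaf")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: pool, DNSName: dnsName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	for _, u := range leaf.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth {
			return nil
		}
	}
	return errors.New("leaf has no explicit serverAuth EKU: add 'server auth' to spec.usages")
}

func main() {
	ca, err := NewDynamicAuthority()
	if err != nil {
		panic(err)
	}
	host := "cert-manager-webhook.cert-manager.svc" // assumed Service DNS name
	leaf, _ := ca.IssueServing([]string{host}, nil) // issued with no EKU at all
	fmt.Println(CheckServing(leaf, ca.CABundle, host))
}
```

After upgrading, run CheckServing over the tls.crt of each Secret that backs a TLS listener, with the CA bundle your clients actually pin. If it reports a missing serverAuth EKU, add 'server auth' to spec.usages on the Certificate (and on any CertificateRequest you create directly), as the upgrade note above says; the issuer decides which usages it honours, so re-check the issued certificate afterwards rather than trusting the manifest.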

Changes by Kind

Feature

  • Add Red Hat Universal Base Image based image release targets (#2746, @munnerz)
  • Add certificate.spec.keystores stanza and allowing configuring JKS and PKCS12 issuing on a per-Certificate basis (#2824, @munnerz)
  • Add installCRDs option to Helm chart to enable managing CRDs as part of regular Helm chart (#2775, @munnerz)
  • Add option to set custom annotations and labels for HTTP01 resolver Ingress resources. (#2023, @zeeZ)
  • Add support for Azure Managed Identity (#2681, @gitirabassi)
  • Add support for private key rotation when renewing or re-issuing certificates. This feature requires use of the new 'experimental' certificates controller. Set certificate.spec.privateKey.rotationPolicy to Always to enable this functionality. (#2814, @munnerz)
  • Added 'CRL Distribution Points' fields to Self-signed and CA issuers (#2625, @srbraun)
  • Adds Temporary Certificate support to Issuing controller (#2843, @JoshVanL)
  • Adds cert-manager-ctl convert command. (#2758, @JoshVanL)
  • Adds cert-manager-ctl command with version (#2725, @JoshVanL)
  • Adds ctl renew command to mark Certificates for manual renewal (#2845, @JoshVanL)
  • Move TLS bootstrapping into the webhook binary to drastically improve webhook start up times and reduce operational complexity. (#2743, @munnerz)
  • Release cert-manager ctl binaries (#2836, @meyskens)
  • Support the AuditSink kind in auditregistration.k8s.io/v1alpha1 to be a ca injector target. (#2027, @pepov)
  • Venafi issuer: add origin tag to requests (#2825, @meyskens)
  • nameserver field in RFC2136 providers now supports hostname, FQDN, and IPv6 address in addition to IPv4 address. (#2682, @johanfleury)

Documentation

  • Update Helm chart README to properly explain legacy manifests (#2734, @munnerz)

Other (Bug, Cleanup or Flake)

  • Add webhook and cainjector service account customization (#2841, @rmb938)
  • Add license files to /licences/ in Docker images (#2816, @meyskens)
  • Adds acme client timeout of 30 seconds (#2713, @JoshVanL)
  • Bump Go version to 1.14.1 (#2719, @munnerz)
  • Bump Go version to 1.14.2 (#2880, @meyskens)
  • Expose webhook deployment container port (#2806, @dewet22)
  • Fix bug causing the experimental PKCS12 and JKS keystore feature to not work (#2723, @munnerz)
  • Fix bug in webhook based validation on Kubernetes API servers older than 1.15 (#2851, @munnerz)
  • Fix bug that could cause ACME Orders that contain already valid Authorizations to not be completed (#2869, @munnerz)
  • Fix bug that could cause the webhookbootstrap controller to fail to Update webhook TLS resources in certain cases (#2739, @munnerz)
  • Fix build system issue causing docker images to use user ID 0 (root) instead of '1000' as before (#2708, @munnerz)
  • Fix case where cert-manager.io/issuer doesn't set Issuer kind (#2837, @meyskens)
  • Fix incorrect service name being used in the --webhook-dns-names flag (#2733, @munnerz)
  • Fix issue causing CRDs to be added to the static manifests twice (#2790, @munnerz)
  • Fix validatingwebhookconfiguration to use correct URL path and to support v1alpha3 API objects. (#2831, @wallrj)
  • Limit per_page to 100 in Cloudflare API calls (#2856, @sileht)
  • Properly fix user ID used for Docker images in release targets (#2771, @munnerz)
  • Release kubectl cert-manager as .tar.gz (#2871, @meyskens)
  • This change will create a limited scope role for the configmaps used in leadership election. This limits the role to just the 3 configmaps used for leadership election. (#2807, @HoogWater)
  • Update k8s.io/* dependencies to v1.18.0 (#2731, @munnerz)
  • Webhook: add --tls-min-version to allow configuring the minimum allowed TLS version and fix default ciphers list. (#2769, @munnerz)
cert-manager - v0.15.0-beta.1

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Other (Bug, Cleanup or Flake)

  • Bump Go version to 1.14.2 (#2880, @meyskens)
  • Fix bug that could cause ACME Orders that contain already valid Authorizations to not be completed (#2869, @munnerz)
  • Release kubectl cert-manager as .tar.gz (#2871, @meyskens)
cert-manager - v0.15.0-beta.0

Published by jetstack-release-bot over 4 years ago

Note: the cert-manager-ctl binaries are not included in this release due to a naming conflict. In the next release they will be available under a new name to be installed using Krew

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Remove serverAuth key usage from set of defaults. If your configured issuer does not automatically set this usage and you do require it, you will need to manually update your Certificate & CertificateRequest resources to contain the serverAuth usage (#2864, @munnerz)

Changes by Kind

Feature

  • Adds Temporary Certificate support to Issuing controller (#2843, @JoshVanL)
  • Adds cert-manager-ctl convert command. (#2758, @JoshVanL)
  • Adds ctl renew command to mark Certificates for manual renewal (#2845, @JoshVanL)

Other (Bug, Cleanup or Flake)

  • Add webhook service account customization
    • Add cainjector service account customization (#2841, @rmb938)
  • Fix bug in webhook based validation on Kubernetes API servers older than 1.15 (#2851, @munnerz)
cert-manager - v0.15-alpha.3

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Other (Bug, Cleanup or Flake)

  • Fix bug in webhook based validation on Kubernetes API servers older than 1.15 (#2851, @munnerz)
  • Fix case where cert-manager.io/issuer doesn't set Issuer kind (#2837, @meyskens)
  • Fix validatingwebhookconfiguration to use correct URL path and to support v1alpha3 API objects. (#2831, @wallrj)
  • Limit per_page to 100 in Cloudflare API calls (#2856, @sileht)
cert-manager - v0.14.3

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Other (Bug, Cleanup or Flake)

  • Fix bug in webhook based validation on Kubernetes API servers older than 1.15 (#2860, @munnerz)
  • Fix case where cert-manager.io/issuer doesn't set Issuer kind (#2838, @meyskens)
  • Fix validatingwebhookconfiguration to use correct URL path and to support v1alpha3 API objects. (#2832, @wallrj)
  • Limit per_page to 100 in Cloudflare API calls (#2859, @sileht)
cert-manager - v0.15.0-alpha.2

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Other (Bug, Cleanup or Flake)

  • Fix validatingwebhookconfiguration to use correct URL path and to support v1alpha3 API objects. (#2831, @wallrj)
cert-manager - v0.15.0-alpha.1

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Feature

  • Add certificate.spec.keystores stanza and allowing configuring JKS and PKCS12 issuing on a per-Certificate basis (#2824, @munnerz)
  • Add support for Azure Managed Identity (#2681, @gitirabassi)
  • Add support for private key rotation when renewing or re-issuing certificates. This feature requires use of the new 'experimental' certificates controller. Set certificate.spec.privateKey.rotationPolicy to Always to enable this functionality. (#2814, @munnerz)
  • Adds cert-manager-ctl command with version (#2725, @JoshVanL)
  • Support the AuditSink kind in auditregistration.k8s.io/v1alpha1 to be a ca injector target. (#2027, @pepov)
  • Adds new extensible issuing certificate (#2782, @JoshVanL)

Other (Bug, Cleanup or Flake)

  • Add license files to /licences/ in Docker images (#2816, @meyskens)
  • Expose webhook deployment container port (#2806, @dewet22)
  • Fix issue causing CRDs to be added to the static manifests twice (#2790, @munnerz)
  • This change will create a limited scope role for the configmaps used in leadership election. This limits the role to just the 3 configmaps used for leadership election. (#2807, @HoogWater)
cert-manager - v0.15.0-alpha.0

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Feature

  • Add Red Hat Universal Base Image based image release targets (#2746, @munnerz)
  • Add installCRDs option to Helm chart to enable managing CRDs as part of regular Helm chart (#2775, @munnerz)
  • Add option to set custom annotations and labels for HTTP01 resolver Ingress resources. (#2023, @zeeZ)
  • Added 'CRL Distribution Points' fields to Self-signed and CA issuers (#2625, @srbraun)
  • Move TLS bootstrapping into the webhook binary to drastically improve webhook start up times and reduce operational complexity. (#2743, @munnerz)
  • nameserver field in RFC2136 providers now supports hostname, FQDN, and IPv6 address in addition to IPv4 address. (#2682, @johanfleury)

Documentation

  • Update Helm chart README to properly explain legacy manifests (#2734, @munnerz)

Other (Bug, Cleanup or Flake)

  • Adds acme client timeout of 30 seconds (#2713, @JoshVanL)
  • Bump Go version to 1.14.1 (#2719, @munnerz)
  • Fix bug causing the experimental PKCS12 and JKS keystore feature to not work (#2723, @munnerz)
  • Fix bug that could cause the webhookbootstrap controller to fail to Update webhook TLS resources in certain cases (#2739, @munnerz)
  • Fix build system issue causing docker images to use user ID 0 (root) instead of '1000' as before (#2708, @munnerz)
  • Fix incorrect service name being used in the --webhook-dns-names flag (#2733, @munnerz)
  • Properly fix user ID used for Docker images in release targets (#2771, @munnerz)
  • Update k8s.io/* dependencies to v1.18.0 (#2731, @munnerz)
  • Webhook: add --tls-min-version to allow configuring the minimum allowed TLS version and fix default ciphers list. (#2769, @munnerz)
cert-manager - v0.14.2

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Other (Bug, Cleanup or Flake)

  • Properly fix user ID used for Docker images in release targets (#2774, @munnerz)
cert-manager - v0.14.1

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Documentation

  • Update Helm chart README to properly explain legacy manifests (#2737, @munnerz)

Other (Bug, Cleanup or Flake)

  • Bump Go version to 1.14.1 (#2721, @munnerz)
  • Fix bug causing the experimental PKCS12 and JKS keystore feature to not work (#2728, @munnerz)
  • Fix bug that could cause the webhookbootstrap controller to fail to Update webhook TLS resources in certain cases (#2742, @munnerz)
  • Fix incorrect service name being used in the --webhook-dns-names flag (#2735, @munnerz)
  • Fix issue causing cert-manager docker images to run as the root user instead of UID 1000 (#2720, @munnerz)
  • Fix issue that could cause the ACME client to block for extended periods when the server responds with a long retry-after header, causing cert-manager to not process new orders or challenges. (#2729, @JoshVanL)
cert-manager - v0.14.0

Published by jetstack-release-bot over 4 years ago

The v0.14 release has a few focus areas:

  • Improving the deployment/installation process
  • Improving the release process
  • CustomResourceDefinition conversion
  • Support for older Kubernetes and OpenShift versions
  • Experimental 'bundle' output format for Certificates

As usual, please read the upgrade notes before upgrading.

Webhook changes

The webhook component is now required.
The webhook will be automatically enabled by the v0.14 manifests, so no additional action is required.

If you have issues running the webhook in your environment, we'd like to hear from you! We are aware of issues relating to firewall rules from the Kubernetes API server to the webhook pod(s) - we would like to gather together a corpus of configuration snippets that can be used to ensure the webhook is successfully deployed in these environments too.

This change is required in order to support the upcoming changes to our API versions, as we introduce v1alpha3, v1beta1 and v1 over the coming months!

Improving our deployment and release process

After reports of various issues installing on older Kubernetes and OpenShift versions, we've taken some time to revise our installation manifests.

There are now two 'variants' to choose from, 'standard' and the 'legacy', with a simple way to know which to use:

Environment               Variant to use
Kubernetes 1.15+          cert-manager.yaml
OpenShift 4               cert-manager.yaml
Kubernetes 1.11-1.14      cert-manager-legacy.yaml
OpenShift 3.11            cert-manager-legacy.yaml

Please be sure to read the upgrade guide for more information on how to upgrade from a previous release.

CustomResourceDefinition conversion webhook + v1alpha3 API version

As part of the effort to mature our API, we are releasing the v1alpha3 API version. This contains a number of small changes, notably moving some fields to the subject stanza on the Certificate resource to be more consistent with how certain options are specified.

With this we have enabled the 'conversion webhook', which enables API clients to utilize both the v1alpha2 and v1alpha3 APIs simultaneously, similar to other core resources in Kubernetes.

Thanks to this conversion webhook, this upgrade and future upgrades after it should be seamless. The ability to make these kinds of changes to our API will enable the v1beta1 API version to be released in a seamless manner in an upcoming release too.

More information on the webhook can be found in the concepts section.

Support for Kubernetes 1.11 and OpenShift 3.11

We've had a number of users who are using OpenShift 3.11 & Kubernetes 1.11 reach out requesting support with installation. In this release, we've expanded the range of Kubernetes versions we support to once again include 1.11, as well as adding support for OpenShift 3.11.

A big thanks to @meyskens for putting this together!

Experimental 'bundle format' support (JKS and PKCS#12)

One of our top feature requests has been for support for JKS and PKCS#12 bundle files as an output from Certificate resources.

In this release, we've added experimental support for both of these bundle formats. This can currently only be configured globally with flags provided to the cert-manager pod (--experimental-issue-jks and --experimental-issue-pkcs12). The password used for this bundle must also be configured using the flags --experimental-jks-password and --experimental-pkcs12-keystore-password respectively.

In the next release, we are aiming to provide native support for these bundle format types as part of the Certificate resource configuration. We have added these flags now in order to gather feedback on the way this feature works, and help guide how this feature should work in future.

Extended support for Venafi features

Users of the Venafi issuer often need to set custom metadata on their certificate requests in order to better associate each request with different business areas, or in order to validate & authorize whether a request should be signed.

In this release, we've added support for setting custom metadata by adding the venafi.cert-manager.io/custom-fields annotation on Certificate and CertificateRequest resources. If using the Venafi TPP integration, version 19.2 or greater is required.

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Update Deployment selector to follow Helm chart best practices. This will require deleting the three cert-manager Deployment resources before upgrading. (#2654, @munnerz)

Changes by Kind

Feature

  • Add --experimental-issue-jks flag to enable JKS bundle generation in generated Secret resources. This flag will be replaced with native support for JKS bundles in future and is currently an experimental feature. If enabled, the --experimental-jks-password flag must also be set to the password used to encrypt JKS bundles. (#2647, @munnerz)
  • Add --experimental-issue-pkcs12 flag to enable PKCS12 bundle generation in generated Secret resources. This flag will be replaced with native support for PKCS12 bundles in future and is currently an experimental feature. If enabled, the --experimental-pkcs12-keystore-password flag must also be set to the password used to encrypt PKCS12 bundles. (#2643, @munnerz)
  • Add venafi.cert-manager.io/custom-fields annotation for Venafi custom fields (#2573, @meyskens)
  • Add emailSANs field to Certificate resource (#2597, @meyskens)
  • Added --tls-cipher-suites command line flag to the webhook binary with sensible defaults (#2562, @willthames)
  • Build OpenShift 3.11 compatible CRDs (#2609, @meyskens)
  • Enable CRD conversion webhook and begin serving v1alpha3 (#2563, @munnerz)
  • Improve startup time for webhook pod. (#2574, @JoshVanL)
  • Replace 00-crds.yaml file with a manifest file published as part of the release (#2665, @munnerz)

Other (Bug, Cleanup or Flake)

  • Bump Venafi/vcert dependency to support custom fields in Venafi TPP 19.2 (#2663, @munnerz)
  • Fix GroupVersionKind set on OwnerReference of resources created by HTTP01 challenge solver, causing HTTP01 validations to fail on OpenShift 4 (#2546, @munnerz)
  • Fix Venafi Cloud URL field being marked required (#2568, @munnerz)
  • Fix bug in ingress-shim causing Certificate resources to be rapidly updated if multiple spec.tls[].hosts entries refer to the same Secret name but a different set of hosts (#2611, @munnerz)
  • Fix bug that could cause certificates to be incorrectly issued with an invalid public key (#2539, @munnerz)
  • Fix cainjector.enabled=False override being ignored by the Helm Chart (#2544, @gtaylor)
  • Include license header in manifests attached to GitHub releases (#2684, @munnerz)
  • Make the webhook RoleBinding use the leader election namespace instead of hard-coded kube-system (#2621, @travisghansen)
  • Replace openshift and no-webhook manifest variants with a "legacy" variant (#2648, @meyskens)
  • Truncate message display if HTTP01 self check fails (#2613, @munnerz)
  • Upgrade to Go 1.14 (#2656, @munnerz)

Other Changes

  • Add //build/release-tars targets for generating release artifacts (#2556, @munnerz)
  • Improve local testing and development environment setup code (#2534, @munnerz)
  • Remove isOpenShift from Helm chart (#2642, @meyskens)
  • Remove webhook.enabled variable in Helm chart as the webhook now is a required component (#2649, @meyskens)
cert-manager - v0.14.0-alpha.1

Published by jetstack-release-bot over 4 years ago

Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Update Deployment selector to follow Helm chart best practices. This will require deleting the three cert-manager Deployment resources before upgrading. (#2654, @munnerz)

Changes by Kind

cert-manager - v0.14.0-alpha.0

Published by jetstack-release-bot over 4 years ago

Changes by Kind

Feature

  • Add --experimental-issue-jks flag to enable JKS bundle generation in generated Secret resources. This flag will be replaced with native support for JKS bundles in future and is currently an experimental feature. If enabled, the --experimental-jks-password flag must also be set to the password used to encrypt JKS bundles. (#2647, @munnerz)
  • Add --experimental-issue-pkcs12 flag to enable PKCS12 bundle generation in generated Secret resources. This flag will be replaced with native support for PKCS12 bundles in future and is currently an experimental feature. If enabled, the --experimental-pkcs12-keystore-password flag must also be set to the password used to encrypt PKCS12 bundles. (#2643, @munnerz)
  • Add venafi.cert-manager.io/custom-fields annotation for Venafi custom fields (#2573, @meyskens)
  • Add emailSANs field to Certificate resource (#2597, @meyskens)
  • Added --tls-cipher-suites command line flag to the webhook binary with sensible defaults (#2562, @willthames)
  • Build OpenShift 3.11 compatible CRDs (#2609, @meyskens)
  • Enable CRD conversion webhook and begin serving v1alpha3 (#2563, @munnerz)
  • Improve startup time for webhook pod. (#2574, @JoshVanL)

Other (Bug, Cleanup or Flake)

  • Fix GroupVersionKind set on OwnerReference of resources created by HTTP01 challenge solver, causing HTTP01 validations to fail on OpenShift 4.x (#2546, @munnerz)
  • Fix Venafi Cloud URL field being marked required (#2568, @munnerz)
  • Fix bug in ingress-shim causing Certificate resources to be rapidly updated if multiple spec.tls[].hosts entries refer to the same Secret name but a different set of hosts (#2611, @munnerz)
  • Fix bug that could cause certificates to be incorrectly issued with an invalid public key (#2539, @munnerz)
  • Fix cainjector.enabled=False override being ignored by the Helm Chart (#2544, @gtaylor)
  • Make the webhook RoleBinding use the leader election namespace instead of hard-coded kube-system (#2621, @travisghansen)
  • Replace openshift/no-webhook manifest variants with a "legacy" variant (#2648, @meyskens)
  • Truncate message display if HTTP01 self check fails (#2613, @munnerz)

Other Changes

  • Add //build/release-tars targets for generating release artifacts (#2556, @munnerz)
  • Improve local testing and development environment setup code (#2534, @munnerz)
  • Remove isOpenShift from Helm chart (#2642, @meyskens)
  • Remove webhook.enabled variable in Helm chart as the webhook now is a required component (#2649, @meyskens)
cert-manager - v0.13.1

Published by munnerz over 4 years ago

Bug fixes

  • Fix Venafi Cloud URL field being marked required (#2583, @munnerz)
  • Fix cainjector.enabled=False override being ignored by the Helm Chart (#2552, @gtaylor)
  • Fix bug that could cause certificates to be incorrectly issued with an invalid public key (#2543, @munnerz)
  • Fix GroupVersionKind set on OwnerReference of resources created by HTTP01 challenge solver, causing HTTP01 validations to fail on OpenShift 4.x (#2554, @munnerz)
cert-manager - v0.13.0

Published by munnerz over 4 years ago

The v0.13 release contains a number of important bug-fixes and a few notable feature additions. It is a minor, incremental update over v0.12 and does not require any special upgrade steps.

ACME External Account Binding support

Users that wish to use cert-manager with ACME servers other than Let's Encrypt may have found themselves unable to register an account due to the lack of 'External Account Binding' (EAB) support. EAB allows an ACME server to validate that a user is associated with some other entity, like an account in the CA's customer management system.

With EAB support, it's now possible to specify additional parameters (spec.acme.externalAccountBinding) on your ACME Issuer resource and utilize cert-manager with your preferred ACME provider.
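To make concrete what the issuer is binding, here is an added Go example written for this page (not cert-manager's code, nor that of the ACME library it uses) of the externalAccountBinding object from RFC 8555 section 7.3.4, with both sides of the exchange: the client MACs its account public key, rendered as a JWK, under the key ID and shared HMAC key the CA issued, and the server looks the key up by ID, recomputes the MAC and checks that the bound key is the one signing the enclosing newAccount request. The key ID, HMAC key and directory URL are constructed values; the CA's key-lookup function is a stand-in for its customer database, and only HS256 is accepted where the RFC also allows HS384 and HS512.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// EABCredentials are what the CA's customer portal hands out: a public key ID
// and a shared HMAC key. cert-manager reads the key from the Secret named by
// spec.acme.externalAccountBinding.keySecretRef rather than from the manifest.
type EABCredentials struct {
	KeyID  string
	MACKey []byte
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AccountJWK renders a P-256 public key as the JWK that identifies the ACME account.
func AccountJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{
		"crv": "P-256", "kty": "EC",
		"x": b64(pub.X.FillBytes(make([]byte, 32))),
		"y": b64(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// BindingJWS builds the externalAccountBinding object of RFC 8555 section 7.3.4:
// a JWS whose payload is the account JWK, MACed with the shared key, whose
// protected header carries the key ID and the newAccount URL and, unlike every
// other ACME JWS, no nonce.
func BindingJWS(cred EABCredentials, accountPub *ecdsa.PublicKey, newAccountURL string) (map[string]string, error) {
	protected, err := json.Marshal(map[string]string{"alg": "HS256", "kid": cred.KeyID, "url": newAccountURL})
	if err != nil {
		return nil, err
	}
	payload, err := json.Marshal(AccountJWK(accountPub))
	if err != nil {
		return nil, err
	}
	p, pl := b64(protected), b64(payload)
	mac := hmac.New(sha256.New, cred.MACKey)
	mac.Write([]byte(p + "." + pl))
	return map[string]string{"protected": p, "payload": pl, "signature": b64(mac.Sum(nil))}, nil
}

// VerifyBinding is the server side: resolve the MAC key by kid, recompute the
// HMAC and compare in constant time, and confirm the bound JWK is the key that
// signed the enclosing newAccount request (outerJWK). This toy accepts HS256 only.
func VerifyBinding(lookup func(kid string) ([]byte, bool), binding, outerJWK map[string]string, newAccountURL string) error {
	raw, err := base64.RawURLEncoding.DecodeString(binding["protected"])
	if err != nil {
		return err
	}
	var hdr map[string]string
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return err
	}
	if hdr["alg"] != "HS256" {
		return errors.New("eab: alg must be HS256")
	}
	if hdr["url"] != newAccountURL {
		return errors.New("eab: url does not match the newAccount URL")
	}
	key, ok := lookup(hdr["kid"])
	if !ok {
		return errors.New("eab: unknown kid")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(binding["protected"] + "." + binding["payload"]))
	sig, err := base64.RawURLEncoding.DecodeString(binding["signature"])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("eab: bad signature")
	}
	if raw, err = base64.RawURLEncoding.DecodeString(binding["payload"]); err != nil {
		return err
	}
	var bound map[string]string
	if err := json.Unmarshal(raw, &bound); err != nil {
		return err
	}
	for _, k := range []string{"kty", "crv", "x", "y"} {
		if bound[k] == "" || bound[k] != outerJWK[k] {
			return errors.New("eab: bound key does not match the account key")
		}
	}
	return nil
}

func main() {
	// Constructed credentials; real ones come from the CA's customer portal.
	cred := EABCredentials{KeyID: "kid-123", MACKey: []byte("constructed-shared-hmac-secret")}
	acct, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newAcctURL := "https://acme.example.test/acme/new-account" // assumed directory entry
	binding, _ := BindingJWS(cred, &acct.PublicKey, newAcctURL)
	lookup := func(kid string) ([]byte, bool) { return cred.MACKey, kid == cred.KeyID }
	fmt.Println("binding verifies:", VerifyBinding(lookup, binding, AccountJWK(&acct.PublicKey), newAcctURL))
}
```

The binding proves possession of the CA-issued secret, not ownership of any domain; the HMAC key is a bearer credential, which is why cert-manager takes it from a Secret referenced by the Issuer rather than from the Issuer manifest itself, and why the server's check includes the url field so a binding captured for one CA endpoint cannot be replayed against another.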

Support for full set of x509 'subject' parameters

In this release, support for the full range of 'subject' parameters as per the x509 specification has been added. This means you can set fields like organizationalUnit, provinces, serialNumber, country, and all other standard x509 subject fields.

A big thanks to @mathianasj for this addition!

InvalidRequest status condition for CertificateRequest resources

For the growing ecosystem of developers creating their own 'external issuer types' for cert-manager, we have added support for a new 'status condition' type InvalidRequest - this can be used to signal from your signer/issuer to cert-manager that the parameters that the user has requested on the x509 CSR are 'invalid' and the CSR should not be retried.

This prevents users expending API quotas and making requests that will never succeed.

Bug Fixes

  • Fix invalid service account name used in RBAC resources when manually specifying a service account name (#2509, @castlemilk)
  • Fixed a bug that in certain cases could cause HTTP01 ingress serviceName fields to be incorrectly set (#2460, @greywolve)
  • Fix bug causing ever-increasing CPU usage in webhook component (#2467, @munnerz)
  • Fix bug causing temporary certificates to overwrite previously issued certificates when adding a new dnsName to an existing Certificate resource (#2469, @munnerz)
  • Fix certmanager_certificate_expiration_timestamp_seconds metric recording (#2416, @munnerz)
  • Fixes ClusterIssuers not finding the secret when the secret is in a different namespace than the certificate request using the Venafi issuer type (#2520, @mathianasj)
  • Fixes generation of an invalid certificate name when the 52nd character in a domain name is a symbol. (#2516, @meyskens)

Other Notable Changes

  • Adds InvalidRequest condition type to CertificateRequest, signaling to not retry the request. (#2508, @JoshVanL)
  • Add volume and volume mounts field to cert-manager helm chart (#2504, @joshuastern)
  • Add support for additional x509 'subject' fields (#2518, @mathianasj)
  • Bump k8s.io/* dependencies to Kubernetes 1.17.0 (#2452, @munnerz)
  • It is now possible to disable AppArmor when Pod Security Policies are used. (#2489, @czunker)
  • Support for arbitrary securityContext parameters (#2455, @nefischer)
  • Remove misleading 'error decoding x509 certificate' message (#2470, @munnerz)
  • Remove IP address validation on dns01-recursive-nameservers to allow domain names (#2428, @haines)
  • Optional webhook.securityContext and cainjector.securityContext chart parameters to specify pods security context. (#2449, @nefischer)
  • webhook: register HTTP handlers for pprof debug endpoints (#2450, @munnerz)
  • Adds support for chart configurable parameters deploymentAnnotations, webhook.deploymentAnnotations and cainjector.deploymentAnnotations (#2447, @nefischer)
  • Adds ACME external account binding support (#2392, @JoshVanL)
  • Fix false-y values in helm chart to mitigate kubernetes/kubernetes#66450 (#2383, @colek42)
  • Explicitly define containerPort protocol in helm chart (#2405, @bouk)
  • Switch to using upstream golang.org/x/crypto/acme ACME client library (#2422, @munnerz)
cert-manager - v0.13.0-alpha.0

Published by munnerz almost 5 years ago

This is an alpha release of v0.13. This has been cut early on to provide sufficient time for feedback and gather data on ACME API usage since upgrading our ACME client library to use the upstream golang crypto library, as well as to gather feedback on the newly added 'external account binding' feature.

The v0.13 release is not currently 'feature complete', and additional features will be added ahead of the final release.

Features

  • Switch to using upstream golang.org/x/crypto/acme ACME client library (#2422, @munnerz)
  • Adds ACME external account binding support (#2392, @JoshVanL)

Bug Fixes

  • Fix certmanager_certificate_expiration_timestamp_seconds metric recording (#2416, @munnerz)

Other Notable Changes

  • Adds support for chart configurable parameters deploymentAnnotations, webhook.deploymentAnnotations and cainjector.deploymentAnnotations (#2447, @nefischer)
  • Optional webhook.securityContext and cainjector.securityContext chart parameters to specify pods security context. (#2449, @nefischer)
  • webhook: register http handlers for pprof debug endpoints (#2450, @munnerz)
  • Remove IP address validation on dns01-recursive-nameservers to allow domain names (#2428, @haines)
  • Explicitly define ContainerPort protocol in helm chart (#2405, @bouk)
  • Fix falsey values in helm chart to mitigate kubernetes/issues/66450 (#2383, @colek42)
cert-manager - v0.12.0

Published by munnerz almost 5 years ago

The v0.12.0 release is finally ready! After a KubeCon-induced delay, this
version focuses on usability, user experience, bug-fixes and documentation.

A big notable feature in this release is the new cert-manager.io
website - this has been a long time coming, but we hope that the information
on this site should more clearly walk new and experienced users alike through
the tool, and with it the rewrite into Markdown (with Hugo)
should make external contributions easier!

The rest of the notable features below are all focused on usability, and as
such, the upgrade process from v0.11 should be nice and easy.

We'll be doing an in-depth walkthrough of this release and what's planned for
the next release during the next community call on Wednesday 4th December!
For more details on joining and getting involved, see the
community section.

Contributors

This release has seen code contributions from a number of people in the
community 🎉

  • Adrian Mouat
  • Benjamin P. Jung
  • Bouke van der Bijl
  • Christian Groschupp
  • Christophe Courtaut
  • Eric Bailey
  • Harold Drost
  • Ingo Gottwald
  • James Munnelly
  • JayatiGoyal
  • Joshua Van Leeuwen
  • Krishna Durai
  • Luca Berneking
  • Matevz Mihalic
  • Max Goltzsche
  • Nick Parker
  • Nils Cant
  • Nolan Reisbeck
  • Pierre Dorbais
  • Sam Cogan
  • Thomas
  • chenjun.cj
  • ismail BASKIN
  • walter.goulet

As always, a big thank you to those opening issues, replying to issues and
helping out in the Slack channel, as well as to those working in other projects
to help users secure services running on Kubernetes.

Notable changes

New website

We have launched a new website to better showcase cert-manager, which can be
found at cert-manager.io.

With this new site, we have also significantly restructured and rewritten the
documentation for the site in order to flow better, and hopefully inform users
more on the inner-workings of cert-manager whilst still making on-boarding to
the project easy.

Whilst this is the first launch of the new website, there is still lots to do!
If you have any feedback, ideas or expertise to improve the site, please open
an issue or make a contribution over in the new
cert-manager/website repository.

Multi-architecture images

If you run a non-homogeneous or alt-architecture cluster (e.g. arm or arm64)
then you may have run into issues when deploying cert-manager.

For almost a year now, we have published Docker images built for these
architectures, but due to limitations in quay.io, using these images has
required changing deployment manifests and passing additional flags to
different cert-manager components.

As of v0.12, we make use of Docker Image Manifests v2.2,
which means that you will no longer have to make any changes to the
deployment manifests in order to deploy cert-manager into your cluster!

This is a big usability win for users of non-amd64 systems!

Making it easier to debug failing ACME challenges

During the ACME authorization flow, a number of issues can arise such as
mis-configured DNS records or ingress controllers.

This release makes it simpler to identify these issues when they occur,
providing additional debugging information through the use of
kubectl describe challenge <name-of-failing-challenge>.

Whilst this is a small addition, it vastly improves the user experience for
first time users who may have configuration issues with their DNS records or
cert-manager installation, another win for usability!

Simplifying the webhook component

For those of you upgrading from older versions of cert-manager, you may already
be aware of some of the deployment issues with the 'webhook' component in
cert-manager.

In previous releases, this component relied on the creation of an APIService
resource in order for the Kubernetes apiserver to utilise the webhook and
provide additional validation for our CustomResourceDefinition types.

An APIService is a powerful resource; however, due to its nature, it can cause
certain core operations (such as garbage collection) to stop functioning if the
webhook becomes unavailable at any point, which can in turn cause cascading
failures in your Kubernetes cluster in the worst of cases.

In v0.12, we have rewritten this component almost entirely, and we no longer
make use of the APIService resource in order to expose it.

This should mean deploying the webhook is far easier, and far less likely to
cause cluster-wide issues.

We have also extended the webhook to support 'API conversions' for our CRD
types. Whilst we don't currently make use of this functionality, when we
release v1beta1 we will make use of it, at which point the webhook
will be a required component in clusters running Kubernetes 1.15 or greater.

Changelog

Action Required

  • ACTION REQUIRED
    Users who have previously set the Kubernetes Auth Mount Path will need to update their manifests to include the entire mount path. The /login endpoint is added for you.

    Changes the Vault Kubernetes Auth Path to require the entire mount path. /login is added to all mount paths when authenticating.
    The default auth path has now changed from kubernetes to /v1/auth/kubernetes (#2349, @JoshVanL)

Bug Fixes

  • Fixes issues with Pod Security Policies that prevented pods from running when Pod Security Policy is enabled in Kubernetes (#2234, @sam-cogan)
  • Fix issue causing certificates not to be issued when running with OwnerReferencesPermissionEnforcement admission controller enabled (#2325, @CoaxVex)
  • Fix bug causing SIGTERM and SIGINT signals to not be respected whilst the controller is performing leader election (#2236, @munnerz)
  • Fix setting ownerReference on Challenge resources created by Orders controller (#2324, @CoaxVex)
  • Allow clouddns resolvers to be validated correctly without serviceAccountSecretRef to allow ambient permissions to be used. (#2250, @baelish)
  • Add missing apiVersion to Chart.yaml (#2270, @yurrriq)
  • Perform API resource validation of the 'status' subresource on cert-manager resources (#2283, @munnerz)
  • Fix outdated documentation for solver configuration in Issuers and ClusterIssuers (#2210, @nickbp)

Other Notable Changes

  • Explicitly define ContainerPort protocol in helm chart (#2405, @bouk)
  • Allow permissive acceptance for matching Certificates with Secrets that are using legacy annotations to reduce non-required certificate reissue. (#2400, @JoshVanL)
  • Add API token authentication option to Cloudflare issuer (#2170, @matevzmihalic)
  • Bump Kubernetes client library dependencies to 1.16.3 (#2290, @munnerz)
  • Build using go 1.13.4 (#2366, @munnerz)
  • Mark certificaterequest.spec.csr field as required in OpenAPI schema (#2368, @munnerz)
  • Add serverAuth extended key usage to Certificates by default (#2351, @JoshVanL)
  • Surface more information about ACME authorization failures on Challenge resources (#2261, @munnerz)
  • Add documentation for the webhook (#2252, @cgroschupp)
  • Add support for API resource conversion to the webhook. NOTE: this feature is *not* currently utilised by cert-manager (#2001, @munnerz)
  • Remove nested cainjector subchart and include it in main chart (#2285, @munnerz)
  • Change the default webhook listen address to 10250 for better compatibility with GKE private clusters (#2278, @munnerz)
  • Bump Helm & Tiller version used during end-to-end tests to 2.15.1 (#2275, @munnerz)
  • Make spec.csr, status.url, status.finalizeURL, status.certificate, status.authorizations, status.authorizations[].url, status.authorizations[].identifier, status.authorizations[].wildcard, status.authorizations[].challenges, status.authorizations[].challenges[].url, status.authorizations[].challenges[].type, status.authorizations[].challenges[].token fields on Order resources immutable (#2219, @munnerz)
  • No longer use architecture specific acmesolver images (#2242, @munnerz)
  • Enable cert-manager to connect to the API server using a kubeconfig file via --kubeconfig (#2224, @answer1991)
  • Publish multi-architecture docker manifest lists (#2230, @munnerz)
  • Make order.status.authorizations[].wildcard field a *bool (#2225, @munnerz)
  • Kubernetes APIServer dry-run is supported. (#2206, @ismailbaskin)
cert-manager - v0.11.1

Published by munnerz almost 5 years ago

This is the only and final patch release of v0.11. It fixes an issue when upgrading from older versions whereby cert-manager will request a new certificate for all Certificate resources immediately if you do not update the certmanager.k8s.io/issuer-name and certmanager.k8s.io/issuer-kind annotations manually on all Secret resources before upgrading.

It also fixes an issue that will cause Challenge resources to become orphaned if their parent Order resource is deleted.

Notable Changes

cert-manager - v0.12.0-beta.1

Published by munnerz almost 5 years ago

This is a pre-release version of v0.12. It is considered feature complete, and has been released in order to gather feedback on the upgrade experience.

Full release notes are still TBD.

As part of this release, we have also launched a new documentation website. This website is still under construction, however the majority of the content is now available there.

You can view the documentation for v0.12 by clicking this link!

Action Required

  • Users who have previously set the Kubernetes Auth Mount Path will need to update their manifests to include the entire mount path. The /login endpoint is added for you.

    Changes the Vault Kubernetes Auth Path to require the entire mount path. /login is added to all mount paths when authenticating.
    The default auth path has now changed from kubernetes to /v1/auth/kubernetes (#2349, @JoshVanL)
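The same Vault auth path change appears in both the v0.12.0 and v0.12.0-beta.1 "Action Required" notes above. The following before/after Issuer manifests are an added illustration, not part of the release notes: the spec.vault.auth.kubernetes.mountPath field, the sign role path, the server URL and the token Secret name are assumed for the example, and the mount name v1/auth/kubernetes is the default stated in the note.

```yaml
# Before v0.12 (constructed example): mountPath held only the auth mount name,
# and cert-manager assembled the rest of the login URL itself.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: vault-issuer
spec:
  vault:
    server: https://vault.example.internal:8200   # constructed address
    path: pki_int/sign/example-dot-com            # assumed sign role path
    auth:
      kubernetes:
        role: cert-manager
        mountPath: kubernetes                     # old default: mount name only
        secretRef:
          name: cert-manager-vault-token          # assumed Secret name
          key: token
---
# From v0.12 (#2349): mountPath must be the entire mount path. cert-manager
# appends /login itself, so the login request goes to
# https://vault.example.internal:8200/v1/auth/kubernetes/login
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: vault-issuer
spec:
  vault:
    server: https://vault.example.internal:8200
    path: pki_int/sign/example-dot-com
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes            # new default: full mount path
        secretRef:
          name: cert-manager-vault-token
          key: token
```

A Kubernetes auth method enabled at a non-default mount (for example kube-prod) is now written out in full in the same way, as /v1/auth/kube-prod, with /login still added by cert-manager.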

Bug Fixes

  • Fixes issues with Pod Security Policies that prevented pods from running when Pod Security Policy is enabled in Kubernetes (#2234, @sam-cogan)
  • Fix issue causing certificates not to be issued when running with OwnerReferencesPermissionEnforcement admission controller enabled (#2325, @CoaxVex)
  • Fix bug causing SIGTERM and SIGINT signals to not be respected whilst the controller is performing leader election (#2236, @munnerz)
  • Fix setting ownerReference on Challenge resources created by Orders controller (#2324, @CoaxVex)
  • Allow clouddns resolvers to be validated correctly without serviceAccountSecretRef to allow ambient permissions to be used. (#2250, @baelish)
  • Add missing apiVersion to Chart.yaml (#2270, @yurrriq)
  • Perform API resource validation of the 'status' subresource on cert-manager resources (#2283, @munnerz)
  • Fix outdated documentation for solver configuration in Issuers and ClusterIssuers (#2210, @nickbp)

Other Notable Changes

  • Bump Kubernetes client library dependencies to 1.16.3 (#2290, @munnerz)
  • Build using go 1.13.4 (#2366, @munnerz)
  • Mark certificaterequest.spec.csr field as required in OpenAPI schema (#2368, @munnerz)
  • Add serverAuth extended key usage to Certificates by default (#2351, @JoshVanL)
  • Surface more information about ACME authorization failures on Challenge resources (#2261, @munnerz)
  • Add documentation for the webhook (#2252, @cgroschupp)
  • Add support for API resource conversion to the webhook. NOTE: this feature is not currently utilised by cert-manager (#2001, @munnerz)
  • Remove nested cainjector subchart and include it in main chart (#2285, @munnerz)
  • Change the default webhook listen address to 10250 for better compatibility with GKE private clusters (#2278, @munnerz)
  • Bump Helm & Tiller version used during end-to-end tests to 2.15.1 (#2275, @munnerz)
  • Make spec.csr, status.url, status.finalizeURL, status.certificate, status.authorizations, status.authorizations[].url, status.authorizations[].identifier, status.authorizations[].wildcard, status.authorizations[].challenges, status.authorizations[].challenges[].url, status.authorizations[].challenges[].type, status.authorizations[].challenges[].token fields on Order resources immutable (#2219, @munnerz)
  • No longer use architecture specific acmesolver images (#2242, @munnerz)
  • Enable cert-manager to connect to the API server using a kubeconfig file via --kubeconfig (#2224, @answer1991)
  • Publish multi-architecture docker manifest lists (#2230, @munnerz)
  • Make order.status.authorizations[].wildcard field a *bool (#2225, @munnerz)
  • Kubernetes APIServer dry-run is supported. (#2206, @ismailbaskin)