Automatically provision and manage TLS certificates in Kubernetes
APACHE-2.0 License
Bot releases are visible (Hide)
Published by jetstack-release-bot over 4 years ago
The v0.15
release has a few focus areas:
installCRDs
option in the Helm chartAs usual, please read the upgrade notes before upgrading.
The Certificate controller is one of the most commonly used controllers in the project.
It represents the 'full lifecycle' of an x509 private key and certificate, including
private key management and renewal.
As the project is maturing, more requirements around this controller are starting to become
apparent in order to implement feature requests such as private key rotation, JKS/PKCS#12
keystores and manual certificate renewal triggering.
This new controller aims to facilitate the above features, as well as make it easier to develop
individual areas of the controller over time and continue to make improvements.
For more information on this we invite you to read our design document.
We are looking for feedback on the use of these new controllers in different environments.
If you are able to run these in your cluster and report any issues you're seeing that would
be very helpful to the further development of the project.
The experimental controllers are currently feature gated and disabled by default.
You can enable these by the following steps, in the Helm values set:
featureGates: "ExperimentalCertificateControllers=true"
If you're using the static manifests you need to edit the cert-manager Deployment using kubectl -n cert-manager edit deploy cert-manager
and edit the args
to include --feature-gates=ExperimentalCertificateControllers=true
:
containers:
- args:
- --v=2
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --leader-election-namespace=kube-system
- --feature-gates=ExperimentalCertificateControllers=true
installCRDs
optionIt's been a long-standing feature request to bundle our CRD resources as part
of our Helm chart, to make it easier for users installing with Helm to manage
the lifecycle of the CRDs we create.
To facilitate this, and to help resolve common deployment issues, we have added
a new installCRDs
option to the Helm chart which will mean the CRD resources
will be managed by your regular Helm installation.
This feature is disabled by default, and can be enabled either in your
values.yaml
file or as a flag with helm install --set installCRDs=true
.
cert-manager can now be deployed as a Red Hat Certified OpenShift Operator.
This is done using the cert-manager operator.
More information on this can be found on the OpenShift Installation page.
In order to improve start up time of the webhook pod, as well as improved reliability and operability,
cert-manager v0.15
includes a new DynamicAuthority
structure in the webhook that is used to manage the
CA used to secure the webhook.
Instances of the webhook will keep this CA up to date and use it to generate serving certificates which
are used to secure incoming connections.
This means that the cert-manager-controller component is no longer required to be running in order for webhook startup to succeed.
This also means that users should no longer see long start up times for this pod unless there is a genuine issue/error that needs resolving.
v0.14
added experimental 'bundle format' support for JKS and PKCS#12.
In v0.15
the keystore
got added to the Certificate spec which makes cert-manager
add an additional keystore in your Certificate's Secret resource.
No additional feature gates need to be set anymore.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: crt
spec:
secretName: crt-secret
dnsNames:
- foo.example.com
- bar.example.com
issuerRef:
name: letsencrypt-prod
keystores:
jks:
create: true
passwordSecretRef: # Password used to encrypt the keystore
key: password-key
name: jks-password-secret
pkcs12:
create: true
passwordSecretRef: # Password used to encrypt the keystore
key: password-key
name: pkcs12-password-secret
For JKS this adds the files: keystore.jks
and truststore.jks
to the target spec.secretName
.
For PKCS#12, it adds the file keystore.p12
.
kubectl cert-manager is a kubectl plugin that assists with controlling cert-manager inside your
Kubernetes cluster. The kubectl cert-manager binary can be downloaded from the GitHub release page.
In v0.15
the use is currently limited to the convert
and renew
commands.
kubectl cert-manager renew
can be used to manually trigger renewal of your certificates. This required the ExperimentalCertificateControllers
feature gate to be set.
kubectl cert-manager convert
can be used to convert cert-manager config files between different API versions
if your cluster does not support the conversion webhook (i.e. running the 'legacy' release)
or if you want to upgrade all your local cert-manager configuration files.
serverAuth
key usage from set of defaults. If your configured issuer does not automatically set this usage and you do require it, you will need to manually update your Certificate & CertificateRequest resources to contain the serverAuth
usage (#2864, @munnerz)certificate.spec.keystores
stanza and allowing configuring JKS and PKCS12 issuing on a per-Certificate basis (#2824, @munnerz)certificate.spec.privateKey.rotationPolicy
to Always
to enable this functionality. (#2814, @munnerz)cert-manager-ctl convert
command. (#2758, @JoshVanL)AuditSink
kind in auditregistration.k8s.io/v1alpha1
to be a ca injector target. (#2027, @pepov)nameserver
field in RFC2136 providers now supports hostname, FQDN, and IPv6 address in addition to IPv4 address. (#2682, @johanfleury)webhookbootstrap
controller to fail to Update webhook TLS resources in certain cases (#2739, @munnerz)Issuer
kind (#2837, @meyskens)per_page
to 100 in Cloudfare API calls (#2856, @sileht)k8s.io/*
dependencies to v1.18.0
(#2731, @munnerz)--tls-min-version
to allow configuring the minimum allowed TLS version and fix default ciphers list. (#2769, @munnerz)Published by jetstack-release-bot over 4 years ago
Published by jetstack-release-bot over 4 years ago
Note: the cert-manager-ctl
binaries are not included in this release due to a naming conflict. In the next release they will be available under a new name to be installed using Krew
serverAuth
key usage from set of defaults. If your configured issuer does not automatically set this usage and you do require it, you will need to manually update your Certificate & CertificateRequest resources to contain the serverAuth
usage (#2864, @munnerz)cert-manager-ctl convert
command. (#2758, @JoshVanL)Published by jetstack-release-bot over 4 years ago
Issuer
kind (#2837, @meyskens)per_page
to 100 in Cloudfare API calls (#2856, @sileht)Published by jetstack-release-bot over 4 years ago
Issuer
kind (#2838, @meyskens)per_page
to 100 in Cloudfare API calls (#2859, @sileht)Published by jetstack-release-bot over 4 years ago
Published by jetstack-release-bot over 4 years ago
certificate.spec.keystores
stanza and allowing configuring JKS and PKCS12 issuing on a per-Certificate basis (#2824, @munnerz)certificate.spec.privateKey.rotationPolicy
to Always
to enable this functionality. (#2814, @munnerz)AuditSink
kind in auditregistration.k8s.io/v1alpha1
to be a ca injector target. (#2027, @pepov)Published by jetstack-release-bot over 4 years ago
nameserver
field in RFC2136 providers now supports hostname, FQDN, and IPv6 address in addition to IPv4 address. (#2682, @johanfleury)webhookbootstrap
controller to fail to Update webhook TLS resources in certain cases (#2739, @munnerz)k8s.io/*
dependencies to v1.18.0
(#2731, @munnerz)--tls-min-version
to allow configuring the minimum allowed TLS version and fix default ciphers list. (#2769, @munnerz)Published by jetstack-release-bot over 4 years ago
webhookbootstrap
controller to fail to Update webhook TLS resources in certain cases (#2742, @munnerz)retry-after
header, causing cert-manager to not process new orders or challenges. (#2729, @JoshVanL)Published by jetstack-release-bot over 4 years ago
The v0.14
release has a few focus areas:
CustomResourceDefinition
conversionAs usual, please read the upgrade notes before upgrading.
The webhook component is now required.
The webhook will be automatically enabled by the v0.14
manifests, so no additional action is required.
If you have issues running the webhook in your environment, we'd like to hear from you! We are aware of issues relating to firewall rules from the Kubernetes API server to the webhook pod(s) - we would like to gather together a corpus of configuration snippets that can be used to ensure the webhook is successfully deployed in these environments too.
This change is required in order to support the upcoming changes to our API versions, as we introduce v1alpha3
, v1beta1
and v1
over the coming months!
After reports of various issues installing on older Kubernetes and OpenShift versions, we've taken some time to revise our installation manifests.
There are now two 'variants' to choose from, 'standard' and the 'legacy', with a simple way to know which to use:
Environment | Variant to use |
---|---|
Kubernetes 1.15+ | cert-manager.yaml |
OpenShift 4 | cert-manager.yaml |
Kubernetes 1.11-1.14 | cert-manager-legacy.yaml |
OpenShift 3.11 | cert-manager-legacy.yaml |
Please be sure to read the upgrade guide for more information on how to upgrade from a previous release.
CustomResourceDefinition
conversion webhook + v1alpha3
API versionAs part of the effort to mature our API, we are releasing the v1alpha3
API version. This contains a number of small changes, notably moving some fields to the subject
stanza on the Certificate resource to be more consistent with how certain options are specified.
With this we have enabled the 'conversion webhook', which enables API clients to utilize both the v1alpha2
and v1alpha3
APIs simultaneously, similar to other core resources in Kubernetes.
Thanks to this conversion webhook, this upgrade and future upgrades after it should be seamless. The ability to make these kinds of changes to our API will enable the v1beta1
API version to be released in a seamless manner in an upcoming release too.
More information on the webhook can be found in the concepts section.
We've had a number of users who are using OpenShift 3.11 & Kubernetes 1.11 reach out requesting support with installation. In this release, we've expanded the range of Kubernetes versions we support to once again include 1.11, as well as adding support for OpenShift 3.11.
A big thanks to @meyskens
for putting this together!
One of our top feature requests has been for support for JKS and PKCS#12 bundle files as an output from Certificate resources.
In this release, we've added experimental support for both of these bundle formats. This can currently only be configured globally with flags provided to the cert-manager
pod (--experimental-issue-jks
and --experimental-issue-pkcs12
). The password used for this bundle must also be configured using the flags --experimental-jks-password
and --experimental-pkcs12-keystore-password
respectively.
In the next release, we are aiming to provide native support for these bundle format types as part of the Certificate resource configuration. We have added these flags now in order to gather feedback on the way this feature works, and help guide how this feature should work in future.
Users of the Venafi issuer often need to set custom metadata on their certificate requests in order to better associate each request with different business areas, or in order to validate & authorize whether a request should be signed.
In this release, we've added support for setting custom metadata by adding the venafi.cert-manager.io/custom-fields
annotation on Certificate
and CertificateRequest
resources. If using the Venafi TPP integration, version 19.2 or greater is required.
@munnerz
)--experimental-issue-jks
flag to enable JKS bundle generation in generated Secret resources. This flag will be replaced with native support for JKS bundles in future and is currently an experimental feature. If enabled, the --experimental-jks-password
flag must also be set to the password used to encrypt JKS bundles. (#2647, @munnerz
)--experimental-issue-pkcs12
flag to enable PKCS12 bundle generation in generated Secret resources. This flag will be replaced with native support for PKCS12 bundles in future and is currently an experimental feature. If enabled, the --experimental-pkcs12-keystore-password
flag must also be set to the password used to encrypt PKCS12 bundles. (#2643, @munnerz
)venafi.cert-manager.io/custom-fields
annotation for Venafi custom fields (#2573, @meyskens
)emailSANs
field to Certificate resource (#2597, @meyskens
)--tls-cipher-suites
command line flag to the webhook binary with sensible defaults (#2562, @willthames
)@meyskens
)v1alpha3
(#2563, @munnerz
)@JoshVanL
)00-crds.yaml
file with a manifest file published as part of the release (#2665, @munnerz
)Venafi/vcert
dependency to support custom fields in Venafi TPP 19.2 (#2663, @munnerz
)GroupVersionKind
set on OwnerReference
of resources created by HTTP01 challenge solver, causing HTTP01 validations to fail on OpenShift 4 (#2546, @munnerz
)@munnerz
)spec.tls[].hosts
entries refer to the same Secret name but a different set of hosts (#2611, @munnerz
)@munnerz
)cainjector.enabled=False
override being ignored by the Helm Chart (#2544, @gtaylor
)@munnerz
)RoleBinding
the leader election namespace instead of hard-coded kube-system
(#2621, @travisghansen
)openshift
and no-webhook
manifest variants with a "legacy" variant (#2648, @meyskens
)@munnerz
)@munnerz
)//build/release-tars
targets for generating release artifacts (#2556, @munnerz
)@munnerz
)isOpenShift
from Helm chart (#2642, @meyskens
)webhook.enabled
variable in Helm chart as the webhook now is a required component (#2649, @meyskens
)Published by jetstack-release-bot over 4 years ago
Published by jetstack-release-bot over 4 years ago
--experimental-issue-jks
flag to enable JKS bundle generation in generated Secret resources. This flag will be replaced with native support for JKS bundles in future and is currently an experimental feature. If enabled, the --experimental-jks-password
flag must also be set to the password used to encrypt JKS bundles. (#2647, @munnerz)--experimental-issue-pkcs12
flag to enable PKCS12 bundle generation in generated Secret resources. This flag will be replaced with native support for PKCS12 bundles in future and is currently an experimental feature. If enabled, the --experimental-pkcs12-keystore-password
flag must also be set to the password used to encrypt PKCS12 bundles. (#2643, @munnerz)venafi.cert-manager.io/custom-fields
annotation for Venafi cutom fields (#2573, @meyskens)spec.tls[].hosts
entries refer to the same Secret name but a different set of hosts (#2611, @munnerz)RoleBinding
the leader election namespace instead of hard-coded kube-system
(#2621, @travisghansen)//build/release-tars
targets for generating release artifacts (#2556, @munnerz)isOpenShift
from Helm chart (#2642, @meyskens)webhook.enabled
variable in Helm chart as the webhook now is a required component (#2649, @meyskens)Published by munnerz over 4 years ago
Published by munnerz over 4 years ago
The v0.13
contains a number of important bug-fixes and a few notable feature additions. It is a minor, incremental update over v0.12
and does not require any special upgrade steps.
Users that wish to use cert-manager with ACME servers other than Let's Encrypt may have found themselves unable to register an account due to the lack of (EAB) 'External Account Binding' support. This allows an ACME server to validate that a user is somehow associated with some other entity, like an account in the CAs customer management system.
With EAB support, it's now possible to specify additional parameters (spec.acme.externalAccountBinding
) on your ACME Issuer resource and utilize cert-manager with your preferred ACME provider.
In this release, support for the full range of 'subject' parameters as per the x509 specification has been added. This means you can set fields like organizationalUnit
, provinces
, serialNumber
, country
, and all other standard x509 subject fields.
A big thanks to @mathianasj
for this addition!
InvalidRequest
status condition for CertificateRequest
resourcesFor the growing ecosystem of developers creating their own 'external issuer types' for cert-manager, we have added support for a new 'status condition' type InvalidRequest
- this can be used to signal from your signer/issuer to cert-manager that the parameters that the user has requested on the x509 CSR are 'invalid' and the CSR should not be retried.
This prevents users expending API quotas and making requests that will never succeed.
@castlemilk
)serviceName
fields to be incorrectly set (#2460, @greywolve
)@munnerz
)dnsName
to an existing Certificate resource (#2469, @munnerz
)certmanager_certificate_expiration_timestamp_seconds
metric recording (#2416, @munnerz
)ClusterIssuers
not finding the secret when the secret is in a different namespace than the certificate request using the Venafi issuer type (#2520, @mathianasj
)@meyskens
)InvalidRequest
condition type to CertificateRequest
, signaling to not retry the request. (#2508, @JoshVanL
)@joshuastern
)@mathianasj
)k8s.io/*
dependencies to Kubernetes 1.17.0 (#2452, @munnerz
)AppArmor
when Pod Security Policies are used. (#2489, @czunker
)securityContext
parameters (#2455, @nefischer
)@munnerz
)dns01-recursive-nameservers
to allow domain names (#2428, @haines
)webhook.securityContext
and cainjector.securityContext
chart parameters to specify pods security context. (#2449, @nefischer
)pprof
debug endpoints (#2450, @munnerz
)deploymentAnnotations
, webhook.deploymentAnnotations
and cainjector.deploymentAnnotations
(#2447, @nefischer
)@JoshVanL
)kubernetes/kubernetes#66450
(#2383, @colek42
)containerPort
protocol in helm chart (#2405, @bouk
)golang.org/x/crypto/acme
ACME client library (#2422, @munnerz
)Published by munnerz almost 5 years ago
This is an alpha release of v0.13. This has been cut early on to provide sufficient time for feedback and gather data on ACME API usage since upgrading our ACME client library to use the upstream golang crypto
library, as well as to gather feedback on the newly added 'external account binding' feature.
The v0.13 release is not currently 'feature complete', and additional features will be added ahead of the final release.
golang.org/x/crypto/acme
ACME client library (#2422, @munnerz)deploymentAnnotations
, webhook.deploymentAnnotations
and cainjector.deploymentAnnotations
(#2447, @nefischer)webhook.securityContext
and cainjector.securityContext
chart parameters to specify pods security context. (#2449, @nefischer)Published by munnerz almost 5 years ago
The v0.12.0 release is finally ready! After a KubeCon-induced delay, this
version focuses on usability, user experience, bug-fixes and documentation.
A big notable feature in this release is the new cert-manager.io
website - this has been a long time coming, but we hope that the information
on this site should more clearly walk new and experienced users alike through
the tool, and with it the rewrite into Markdown (with Hugo)
should make external contributions easier!
The rest of the notable features below are all focused on usability, and as
such, the upgrade process from v0.11 should be nice and easy :holiday:.
We'll be doing an in-depth walkthrough of this release and what's planned for
for the next release during the next community call on Wednesday 4th December!
For more details on joining and getting involved, see the
community section.
This release has seen code contributions from a number of people in the
community 🎉
As always, a big thank you to those opening issues, replying to issues and
helping out in the Slack channel. As well as working in other projects to help
users secure services running on Kubernetes.
We have launched a new website to better showcase cert-manager, which can be
found at cert-manager.io.
With this new site, we have also significantly restructured and rewritten the
documentation for the site in order to flow better, and hopefully inform users
more on the inner-workings of cert-manager whilst still making on-boarding to
the project easy.
Whilst this is the first launch of the new website, there is still lots to do!
If you have any feedback, ideas or expertise to improve the site, please open
an issue or make a contribution over in the new
cert-manager/website repository.
If you run a non-homogeneous or alt-architecture cluster (i.e. arm or arm64)
then you may have run into issues when deploying cert-manager.
For almost a year now, we have published Docker images built for these
architectures, but due to limitations in quay.io
, using these images has
required changing deployment manifests and passing additional flags to
different cert-manager components.
As of v0.12, we make use of Docker Image Manifests v2.2,
which means that you will no longer have to make any changes to the
deployment manifests in order to deploy cert-manager into your cluster!
This is a big usability win for users of non-amd64
systems, and a big +1
for usability!
During the ACME authorization flow, a number of issues can arise such as
mis-configured DNS records or ingress controllers.
This release makes it simpler to identify these issues when they occur,
providing additional debugging information through the user of
kubectl describe challenge <name-of-failing-challenge>
.
Whilst this is a small addition, it vastly improves the user experience for
first time users who may have configuration issues with their DNS records or
cert-manager installation, another win for usability!
For those of you upgrading from older versions of cert-manager, you may already
be aware of some of the deployment issues with the 'webhook' component in
cert-manager.
In previous releases, this component relied on the creation of an APIService
resource in order for the Kubernetes apiserver to utilise the webhook and
provide additional validation for our CustomResourceDefinition types.
An APIService
is a powerful resource, however, due to its nature, can cause
certain core operations (such as garbage collection) to not function if the
webhook becomes unavailable at any point, which can in turn cause cascading
failures in your Kubernetes cluster in the worst of cases.
In v0.12, we have rewritten this component almost entirely, and we no longer
make use of the APIService
resource in order to expose it.
This should mean deploying the webhook is far easier, and far less likely to
cause cluster-wide issues.
We have also extended the webhook to support 'API conversions' for our CRD
types. Whilst we don't currently make use of this functionality, when we
release the v1beta1
we will make use of it, at which point the webhook
will be a required component in clusters running Kubernetes 1.15 or greater.
ACTION REQUIRED
Users who have previously set the Kubernetes Auth Mount Path will need to update their manifests to include the entire mount path. The /login
endpoint is added for you.
Changes the Vault Kubernetes Auth Path to require the entire mount path. /login
is added to all mount paths when authenticating.
The default auth path has now changed from kubernetes
to /v1/auth/kubernetes
(#2349, @JoshVanL)
OwnerReferencesPermissionEnforcement
admission controller enabled (#2325, @CoaxVex)serviceAccountSecretRef
to allow ambient permissions to be used. (#2250, @baelish)certificaterequest.spec.csr
field as required in OpenAPI schema (#2368, @munnerz)spec.csr
, status.url
, status.finalizeURL
, status.certificate
, status.authorizations
, status.authorizations[].url
, status.authorizations[].identifier
, status.authorizations[].wildcard
, status.authorizations[].challenges
, status.authorizations[].challenges[].url
, status.authorizations[].challenges[].type
, status.authorizations[].challenges[].token
fields on Order resources immutable (#2219, @munnerz)order.status.authorizations[].wildcard
field a *bool
(#2225, @munnerz)Published by munnerz almost 5 years ago
This is the only and final patch release of v0.11. It fixes an issue when upgrading from older versions whereby cert-manager will request a new certificate for all Certificate resources immediately if you do not update the certmanager.k8s.io/issuer-name
and certmanager.k8s.io/issuer-kind
annotations manually on all Secret resources before upgrading.
It also fixes an issue that will cause Challenge resources to become orphaned if their parent Order resource is deleted.
Published by munnerz almost 5 years ago
This is a pre-release version of v0.12. It is considered feature complete, and has been released in order to gather feedback on the upgrade experience.
Full release notes are still TBD.
As part of this release, we have also launched a new documentation website. This website is still under construction, however the majority of the content is now available there.
You can view the documentation for v0.12 by clicking this link!
Users who have previously set the Kubernetes Auth Mount Path will need to update their manifests to include the entire mount path. The /login
endpoint is added for you.
Changes the Vault Kubernetes Auth Path to require the entire mount path. /login
is added to all mount paths when authenticating.
The default auth path has now changed from kubernetes
to /v1/auth/kubernetes
(#2349, @JoshVanL)
OwnerReferencesPermissionEnforcement
admission controller enabled (#2325, @CoaxVex)serviceAccountSecretRef
to allow ambient permissions to be used. (#2250, @baelish)certificaterequest.spec.csr
field as required in OpenAPI schema (#2368, @munnerz)spec.csr
, status.url
, status.finalizeURL
, status.certificate
, status.authorizations
, status.authorizations[].url
, status.authorizations[].identifier
, status.authorizations[].wildcard
, status.authorizations[].challenges
, status.authorizations[].challenges[].url
, status.authorizations[].challenges[].type
, status.authorizations[].challenges[].token
fields on Order resources immutable (#2219, @munnerz)order.status.authorizations[].wildcard
field a *bool
(#2225, @munnerz)