v0.9 release is one of our biggest yet, packed with new features and bug
The introduction of the new
CertificateRequest resource type is significant as
it is a step towards where we want to be for 1.0, defining an API specification
for Certificates and allowing anyone to implement their own issuers and CAs as
first class citizens.
This release includes changes from:
Hans Kristian Flaatten
Joshua Van Leeuwen
A new resource has been introduced -
CertificateRequest - that is used to
request certificates using a raw x509 certificate signing request. This resource
is not typically used by humans but rather by other controllers or services. For
Certificate controller will now create a
resource to resolve its own Spec.
Controllers to resolve
CertificateRequests are currently disabled by default
and enabled via the feature gate
CertificateRequestControllers. This feature
is currently in Alpha and only the CA issuer has been implemented.
This resource is going to enable out of tree, external issuer controllers to resolve requests. Other issuer implementations and details on how to develop an out of tree issuer will follow in later releases. You can read more on the motivations and road map in the enhancement proposal or how this resource is used in the docs.
DNS Zones support for ACME challenge solver selector
A list of DNS zones can now be added to the ACME challenge solver selector. The
most specific DNS zone match specified here will take precedence over other DNS
zone matches, so a solver specifying
sys.example.com will be selected over one
example.com for the domain
www.sys.example.com. If multiple
solvers match with the same
dnsZones value, the solver with the most matching
matchLabels will be selected. If neither has more matches, the solver
defined earlier in the list will be selected.
Certificate Readiness Prometheus Metrics
Cert-manager now exposes Prometheus metrics on Certificate ready statuses as
certmanager_certificate_ready_status. This is useful for monitoring
Certificate resources to ensure they have a
Support has been added to include a Prometheus
ServiceMonitor for cert-manager
in the helm chart. This enables monitoring of cert-manager when in conjunction
with the Prometheus Operator.
This is disabled by default but can be enabled via the helm configuration.
We have now switched to use the new POST-as-GET feature that was introduced into the latest version of the ACME spec a few months ago.
If you are running your own ACME server, please ensure it supports POST-as-GET as we no longer supported the old behavior.
ACME Issuer Solver Pod Template
The ACME Solver Pod Spec now exposes a template that can be used to change
metadata about that pod. Currently, a template will expose labels, annotations,
node selector, tolerations, and affinity. This is useful when running
cert-manager in multi-arch clusters, or when you run workloads across different
types of nodes and need to restrict where the
acmesolver pod runs.
Length limit for Common Names
Common names with a character length of over 63 will be rejected during validation. This is due to the upper limit being detailed in RFC 5280.
Distroless Cert-Manager Base Images
For each container, cert-manager ships with the base image
gcr.io/distroless/static which is a minimal image that includes no binaries.
Users who want to debug from within the cert-manager pod will need to attach an
additional container with their debug utilities to the pod’s namespace.
CSRs in Order Resources now PEM Encoded
CSRs in Order resources have previously been incorrectly DER encoded due to an error in implementation. This has now been corrected to PEM encoding. Current orders that were created with a previous version of cert-manager will fail to validate and so will be recreated. This should resume the order normally.
- Reduce cert-manager’s RBAC permissions (#1658,
- Validate that Certificates in a namespace have unique
- Feature addition: Support for PKCS#8 keys. (#1308,
- Add the removal of certificates when no longer required by the owner ingress (#1705,
- Fix bug causing ECDSA certificates to be issued using 2048 bit RSA private keys (#1757,
- Updated the labels in the helm charts to use the newer ones. (#1769,
- Allow disabling issuing temporary certificates with feature flag
- Switch to using Distroless for base images (#1663,
- Limit length for
CommonNameto 63 bytes (#1818,
- Properly encode the CSR field on Order resources as PEM data instead of DER (#1884,
- Fire informational Event if an ACME solver cannot be chosen for a domain on an Order (#1856,
- Fix bug with auto-generated Order names being longer than 63 characters (#1765,
- Fix a panic when a misconfigured Issuer is used for HTTP01 challenge solving (#1758,
- Fix a bug where the logic to select a solver would always return the last solver and may return the wrong kind of solver for the challenge that it returned. (#1717,
- Fix indentation on ACME setup examples (#1785,
- Fix a the logic to select the most specific solver from an issuer if multiple matched (#1715,
- Adds support for
- support azure non-public regions (#1830,
- Fix issue causing challenge controller to attempt to list Secrets across all namespaces even when –namespace is specified (#1849,
- Adds the handling of updates to the
spec.acme.emailfield in Issuers (#1763,
- Fix issue with private managed-zone being picked in CloudDNS (#1704,
- Expose pod template for the ACME issuer solver pod (#1749,
- Ingress skips updating Certificate resource if already exists and not owned (#1670,
- Add support for ACMEv2 POST-as-GET (#1648,
- Fix incorrect handling of
issuewildtag when verifying CAA (#1777,
- Add support for selecting ACME challenge solver to use by specifying
dnsZonesin the selector (#1806,
- Use proxy environment variables in self-check request (#1850,
- Venafi: use vCert
- Bump Venafi vCert dependency to latest version (#1754,
cert-manager-webhooksecret exists in cert-manager namespace (#1791,
- Support CRD conversion webhooks in the CA injector controller. (#1505,
- Adds CA issuer controller to resolve
CertificateRequestswhere CA is the issuer reference (#1836,
- Adds Sign interface to Issuers (#1807,
CertificateRequestresources to distinguish resource ownership of incoming
CertificateRequestsso enabling full external issuer support. (#1860,
- Adds Design and Proposals page to website docs (#1876,
- Prometheus metrics for deleted Certificates are cleaned up (#1681,
ControllerSyncCallCountPrometheus metric to count sync calls from each controller (#1692,
- Add support for Prometheus Operator
ServiceMonitorobject in Helm Chart (#1761,
- Add Prometheus metrics for tracking Certificate readiness (#1811,