This is a big, feature-filled release of cert-manager, and the first since moving to a more frequent release model.
There’s been a huge uptick in community contributions to the project, and this release comprises the combined effort of 38 code contributors and hundreds of users reporting issues, feature requests and bug reports!
There are quite a few big headline points, so we’ll get straight in:
ACMEv2 and Let’s Encrypt wildcard certificates
This release of cert-manager brings the long-awaited ACMEv2 support, and with it, Let’s Encrypt wildcard certificates!
This allows you to request certificates for wildcard domains, e.g. *.example.com, which can be used to secure many different subdomains of your domain!
The introduction of ACMEv2 is a breaking change. Please read the notes below in the Action Required section for details on how to handle your existing ACME Issuers whilst upgrading from
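As an added example (not code from the cert-manager project or from this release announcement), the following POSIX sh script renders an ACMEv2 ClusterIssuer that uses the CloudDNS DNS01 provider, plus a Certificate for a wildcard name, so the manifests can be reviewed before they are piped into kubectl. The domain example.com, the e-mail address, the GCP project id and the Secret names are constructed placeholders; the API group certmanager.k8s.io/v1alpha1 and the field layout are those used by this release series. DNS01 is used because Let's Encrypt only validates wildcard names via DNS01, and the script fails closed if the rendered Issuer is not pointed at an ACMEv2 directory.

```shell
#!/bin/sh
# Added example: ACMEv2 ClusterIssuer + wildcard Certificate rendered by sh
# functions. Not cert-manager project code. All names and addresses below are
# constructed placeholders.

# Let's Encrypt's ACMEv2 directory. Issuers pointing at the old acme-v01
# endpoint stop working with this cert-manager release.
ACME_V2_DIRECTORY="https://acme-v02.api.letsencrypt.org/directory"

# acme_issuer NAME EMAIL GCP_PROJECT
# Renders a ClusterIssuer with a single DNS01 provider (CloudDNS). Wildcard
# names cannot be validated with HTTP01, so no http01 section is rendered.
acme_issuer() {
  cat <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  acme:
    server: ${ACME_V2_DIRECTORY}
    email: $2
    privateKeySecretRef:
      name: $1-account-key   # for a ClusterIssuer this lives in cert-manager's namespace
    dns01:
      providers:
      - name: clouddns
        clouddns:
          project: $3
          serviceAccountSecretRef:
            name: clouddns-dns01-solver   # Secret holding the GCP service account JSON
            key: service-account.json
EOF
}

# wildcard_certificate NAME NAMESPACE ISSUER DOMAIN
# Requests both *.DOMAIN and the apex DOMAIN in one certificate; the wildcard
# does not cover the apex name on its own.
wildcard_certificate() {
  cat <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: $1
  namespace: $2
spec:
  secretName: $1-tls
  issuerRef:
    name: $3
    kind: ClusterIssuer
  commonName: '*.$4'
  dnsNames:
  - '*.$4'
  - $4
  acme:
    config:
    - dns01:
        provider: clouddns     # must match a provider name on the Issuer
      domains:
      - '*.$4'
      - $4
EOF
}

# check_acme_v2 NAME EMAIL GCP_PROJECT
# Returns non-zero unless the rendered Issuer targets an ACMEv2 directory.
check_acme_v2() {
  acme_issuer "$@" | grep -q 'server: https://acme-v02\.'
}

# Example usage (constructed values):
#   acme_issuer letsencrypt-prod admin@example.com my-gcp-project | kubectl apply -f -
#   wildcard_certificate wildcard-example-com default letsencrypt-prod example.com \
#     | kubectl apply -f -
```

The functions only print YAML; nothing touches a cluster until the output is piped into kubectl, which keeps the manifests reviewable and lets the check run in CI without credentials.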
Alpha support for HashiCorp Vault
This release introduces initial support for HashiCorp Vault as an Issuer backend! Initially, this includes support for authenticating via AppRole and static token.
The support for this Issuer is classed as ‘alpha’ - feedback is invaluable at this stage of development, so we are getting it out there in a tagged release to gather usage info.
More information on configuring a Vault Issuer can be found in the Vault Issuer docs.
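As an added example (not code from the cert-manager project or its docs), the script below renders a Vault Issuer for the alpha backend in either of the two authentication modes this release supports, static token or AppRole. The Vault address, the PKI sign path and the Secret names are constructed placeholders; the field names (spec.vault.server, spec.vault.path, spec.vault.auth.tokenSecretRef and spec.vault.auth.appRole) are assumed to follow the certmanager.k8s.io/v1alpha1 Vault Issuer schema and should be checked against the Vault Issuer docs linked above. Credentials never appear in the manifest: only the non-sensitive AppRole role_id is passed as an argument, and the token or secret_id is read by reference from a Kubernetes Secret.

```shell
#!/bin/sh
# Added example: render a Vault Issuer (token or AppRole auth). Not
# cert-manager project code; all addresses, paths and names are constructed.

# vault_issuer NAME SERVER_URL SIGN_PATH AUTH_MODE [ROLE_ID]
#   AUTH_MODE is "token" or "approle". Prints the manifest to stdout and
#   returns 2 on a bad argument so a pipeline into kubectl fails closed.
vault_issuer() {
  name=$1; server=$2; sign_path=$3; mode=$4

  # Refuse a plaintext Vault address: the token or secret_id exchange would
  # otherwise cross the network unprotected.
  case "$server" in
    https://*) ;;
    *) echo "vault_issuer: server must use https:// (got $server)" >&2; return 2 ;;
  esac

  case "$mode" in
    token)
      auth="      tokenSecretRef:
        name: ${name}-vault-token   # Secret holding the Vault token
        key: token" ;;
    approle)
      [ $# -ge 5 ] || { echo "vault_issuer: approle mode needs a role_id" >&2; return 2; }
      auth="      appRole:
        path: approle               # Vault auth method mount path
        roleId: $5
        secretRef:
          name: ${name}-vault-approle   # Secret holding the AppRole secret_id
          key: secretId" ;;
    *) echo "vault_issuer: unknown auth mode '$mode' (use token or approle)" >&2; return 2 ;;
  esac

  cat <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: $name
spec:
  vault:
    server: $server
    path: $sign_path     # cert-manager sends a CSR, so this is a .../sign/<role> path
    auth:
$auth
EOF
}

# Example usage (constructed values):
#   vault_issuer vault-approle https://vault.example.com:8200 \
#     pki_int/sign/example-dot-com approle 291b9d21-role-id \
#     | kubectl -n default apply -f -
```

Keep the Vault role behind the sign path restricted (allowed domains, max TTL) on the Vault side as well, since the Issuer will sign whatever CSR cert-manager forwards for a Certificate in its namespace.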
readthedocs.io documentation site
Whilst this note applies to the v0.2.x release series also, it is worth noting.
We have now moved to readthedocs.io and reStructuredText for our documentation.
This should hopefully make it easier for external collaborators to make quick edits to our documentation, and should provide more structure.
We’d like to take the time to thank all those that have opened issues or opened pull requests against our documentation - it’s a difficult thing to get right, but it’s imperative our documentation is clear for new users adopting the project.
New ACME DNS01 providers
When cert-manager was first released, only CloudDNS and CloudFlare DNS01 providers were supported when solving ACME challenges.
As new users, each using their own DNS providers, have adopted the project, there has been a flurry of contributions adding support for the variety of providers out there.
With this release, we support the following DNS providers when solving ACME DNS01 challenges:
- Akamai FastDNS (#322,
- Amazon Route53
- Azure DNS (#246,
- Google CloudDNS
There are pull requests in flight to add support for:
- DNSPod (#486,
- DNSimple (#483,
- DigitalOcean (#345,
- INWX (#336,
- RFC2136 (#245,
Action required
Please check the ‘upgrading from 0.2 to 0.3’ guide in the Administrative Tasks section of the docs here before upgrading.
- Supporting resources for ClusterIssuers (e.g. signing CA certificates, or ACME account private keys) will now be stored in the same namespace as cert-manager, instead of kube-system as in previous versions (#329, @munnerz). Action required: you will need to manually migrate these referenced resources into the deployment namespace of cert-manager, otherwise cert-manager may not be able to find account private keys or signing CA certificates.
- ConfigMaps for leader election (#327,
  Action required: Before upgrading, scale the cert-manager Deployment to 0 replicas, to avoid two controllers attempting to operate on the same resources.
- Remove support for ACMEv1 in favor of ACMEv2 (#309, @munnerz). Action required: As this release drops support for ACMEv1, all Issuer resources that use ACMEv1 endpoints (e.g. existing Let’s Encrypt Issuers) will need updating to use the equivalent ACMEv2 endpoints. (TODO: link to docs guide)
- ingress-shim and link it into cert-manager itself (#502, @munnerz). Action required: You must change your ‘helm install’ command to use the new --ingressShim.defaultIssuerKind options when upgrading, as --ingressShim.extraArgs has been removed.
- certmanager.k8s.io/acme-http01-edit-in-place annotation and change ingress-shim to set ingressClass on ACME Certificate resources by default (#493, @munnerz). Action required: This is a potentially breaking change for users of ingress controllers that map a single IP address to a single Ingress resource, such as the GCE ingress controller. These users will need to add the following annotation to their ingress:
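The action-required items above form one upgrade procedure, so here is a single added helper script for it (not part of the cert-manager project or this announcement): stop the old controller, copy the ClusterIssuer supporting Secrets out of kube-system into cert-manager's namespace, switch ACMEv1 directory URLs to their ACMEv2 equivalents, and opt an Ingress into acme-http01-edit-in-place. Assumptions: the Deployment is named cert-manager, the new release runs in the cert-manager namespace, kubectl's YAML output uses two-space indentation, and the annotation takes the value "true" (the value is not stated on this page). Only acme_v2_server and strip_cluster_metadata run offline; the other functions need kubectl against your cluster, so review their output before relying on them.

```shell
#!/bin/sh
# Added upgrade helper for cert-manager 0.2 -> 0.3. Not project code.
# Assumed names: Deployment "cert-manager", new namespace "cert-manager".
set -u

CM_NAMESPACE="${CM_NAMESPACE:-cert-manager}"
OLD_NAMESPACE="kube-system"

# acme_v2_server URL
# Prints the ACMEv2 directory matching a Let's Encrypt ACMEv1 URL. Unknown
# URLs are rejected rather than passed through, so a v1 endpoint is never
# silently kept.
acme_v2_server() {
  case "$1" in
    https://acme-v01.api.letsencrypt.org/directory)
      echo "https://acme-v02.api.letsencrypt.org/directory" ;;
    https://acme-staging.api.letsencrypt.org/directory)
      echo "https://acme-staging-v02.api.letsencrypt.org/directory" ;;
    https://acme-v02.api.letsencrypt.org/directory|https://acme-staging-v02.api.letsencrypt.org/directory)
      echo "$1" ;;   # already ACMEv2
    *) echo "no known ACMEv2 equivalent for $1; update the Issuer by hand" >&2; return 1 ;;
  esac
}

# strip_cluster_metadata (stdin -> stdout)
# Filters 'kubectl get -o yaml' output so the object can be recreated in a
# different namespace: drops the namespace and the server-owned fields that
# 'kubectl create' refuses.
strip_cluster_metadata() {
  sed -e '/^  namespace: /d' -e '/^  resourceVersion: /d' -e '/^  uid: /d' \
      -e '/^  selfLink: /d' -e '/^  creationTimestamp: /d'
}

# 1. Stop the old controller first so two versions never reconcile the same
#    objects (the new release also changes the leader-election mechanism).
scale_down_controller() {
  kubectl -n "$1" scale deployment cert-manager --replicas=0
}

# 2. Copy a supporting Secret (CA key pair or ACME account key) referenced by
#    a ClusterIssuer from kube-system into the cert-manager namespace.
migrate_secret() {
  kubectl -n "$OLD_NAMESPACE" get secret "$1" -o yaml \
    | strip_cluster_metadata \
    | kubectl -n "$CM_NAMESPACE" create -f -
}

# 3. Point an Issuer or ClusterIssuer at the ACMEv2 directory.
#    usage: patch_acme_server KIND NAME NAMESPACE
patch_acme_server() {
  current=$(kubectl -n "$3" get "$1" "$2" -o jsonpath='{.spec.acme.server}')
  new=$(acme_v2_server "$current") || return 1
  kubectl -n "$3" patch "$1" "$2" --type=merge \
    -p "{\"spec\":{\"acme\":{\"server\":\"$new\"}}}"
}

# 4. Keep single-IP-per-Ingress controllers (e.g. GCE) working with HTTP01
#    by editing the existing Ingress in place instead of creating a new one.
#    Annotation value "true" is an assumption of this example.
annotate_edit_in_place() {
  kubectl -n "$2" annotate ingress "$1" \
    certmanager.k8s.io/acme-http01-edit-in-place=true --overwrite
}

# Example run (order matters: stop the controller before moving anything):
#   scale_down_controller kube-system
#   migrate_secret letsencrypt-prod-account-key
#   patch_acme_server clusterissuer letsencrypt-prod "$CM_NAMESPACE"
#   annotate_edit_in_place my-ingress default
```

Migrating the ACME account key rather than letting cert-manager register a fresh account keeps existing authorizations and rate-limit history attached to the same account; after the move, confirm that no Secret referenced by a ClusterIssuer is still only present in kube-system before deleting the old copies.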
Other notable changes
- Add ACME DNS01 provider for Akamai FastDNS (#322,
- Add a meaningful user agent to the ACME client to help diagnosing abusive traffic patterns (#422,
- Issuers using the AWS Route53 solver may attempt to find credentials using the environment, EC2 IAM Role, and other sources available to the cert-manager controller. This behavior is on by default for cluster issuers and off by default for issuers. This behavior may be enabled or disabled for all issuers or cluster issuers using the --issuer-ambient-credentials and --cluster-issuer-ambient-credentials flags on the cert-manager controller. (#363,
- Add limits to HTTP01 validation pod (#408,
- The ACME DNS01 solver now trims excess whitespace from AWS credentials (#391,
- ACME DNS01 challenge mechanism for Azure DNS (#246,
- Fix panic when ACME server returns an error other than HTTP Status Conflict during registration (#237,
- Add the Key Encipherment purpose to CA Issuer generated certificates (#488,
- Bundle CA certificate with issued certificates (#317,
- Add experimental support for HashiCorp Vault issuers (#292,
- ingress-shim now reconfigures certificates (#386,
- ingress-shim will only sync Ingress resources with the kubernetes.io/tls-acme annotation if the value of that annotation is true. (#325,
- Rewrite documentation and publish on
- Document the minimum necessary permissions for using cert-manager with Route53 (#359,
- Improve deployment documentation (#264,
- clusterResourceNamespace option to Helm chart (#547,
- Enhance Helm chart in-line with best practices (#229,
- Add support for node affinity and tolerations in Helm chart (#350,
- podAnnotations to Helm chart (#387,
- Add Certificate CRD short names certs. This is configurable in the Helm Chart with
- Remove default resource requests in Helm chart. Improve post-deployment informational messages. (#290,
- End-to-end testing now covers the helm chart for cert-manager on Kubernetes 1.7-1.9 (#216,
- Produce a single static manifest instead of a directory when generating deployment manifests (#574,
- Use cert-manager deployment namespace by default for leader election (#548,
- Removed --namespace flag (#433,
- Run cert-manager container as a non root user (#415,
- TLS secrets are now annotated with information about the certificate (#388,
- The static deployment manifests now automatically deploy into the ‘cert-manager’ namespace by default (#330,
- Rename Event types to be prefixed ‘Err’ instead of ‘Error’ for brevity (#332,
- Clearer event logging when issuing a certificate for the first time (#331,
- Provide static deployment manifests as an alternative to a Helm chart based deployment (#276,
- Update existing secrets instead of replacing in order to preserve annotations/labels (#221,
- Update to Go 1.9 (#200,
- Fix a race condition in the package responsible for scheduling renewals (#218,
- Fix a bug that caused ACME certificates to not be automatically renewed (#215,
- Fix a bug in checking certificate validity and improve validation of
- Fix bugs when checking validity of certificate resources (#184,