v1.1 release is our first release in the
v1 series with a few focus areas:
- New features and fixes in the ACME Issuer
- Improved Venafi TPP Authentication
We also want to thank several new contributors to the project for their PRs!
All help is very appreciated and very welcome!
Interested in knowing what will happen in the next releases of cert-manager? Go check out our road map!
As usual, please read the upgrade notes before upgrading.
The ACME issuer is the most used cert-manager issuer. While most use it to talk to Let’s Encrypt we are seeing a growing number of new ACME endpoints by certificate authorities, PKI software exposing ACME endpoints and even ACME proxies to allow ACME being used to talk to other APIs. In this release we focused on adding new features into the ACME issuer to make even more possible!
In RFC8738 the support for IP Address validation was added to the ACME spec. This allows cert-manager to use HTTP-01 validation to get certificates for the IP(s) of your ingress controller.
This can be done using the
ipAddresses field of the Certificate resource.
Note: Let’s Encrypt has announced plans to support this soon!
cert-manager now allows you to request certificates with a certain validity period from an ACME issuer. This allows you to get shorter or longer lived certificates from ACME solutions such as Step-CA. You can enable this by setting
true in the ACME Issuer configuration. Be careful, if your ACME issuer does not support this feature it is allowed by the ACME spec to hard fail the Order causing your certificate renewal or creation to stop.
Note: Let’s Encrypt has announced intention to look into the possibilities of implementing this.
We improved the recognition and handling of errors given by the ACME server. We are now able to quickly retry transient errors and surface any fatal errors faster in the Kubernetes events and logs. This allows you to get more insight into any rate limiting or other errors your ACME issuer provides us.
Improvements for Venafi TPP Authentication
It is now possible to use a long lived access-token for authentication when configuring Venafi TPP
This authentication mechanism is supported by
Venafi TPP >= 19.2.