Release v1.3.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

Venafi Cloud Issuer

This release updates the Venafi Cloud Issuer to use OutagePREDICT instead of DevOpsACCELERATE. The only impact to Venafi Cloud users is the change in zone syntax. The zone is now <Application Name>\<Issuing Template Alias> (e.g. My Application\My CIT).

cert-manager controller

The --renew-before-expiration-duration flag has been removed from the cert-manager controller, having been deprecated in the previous release.

cert-manager CRDs

CertificateRequests are now immutable - the spec and metadata.annotations fields cannot be changed after creation. They were always designed to be immutable but this behavior is now enforced by the cert-manager webhook.

Changes by Kind

Feature

  • Add automountServiceAccountToken field to service accounts in helm chart (#3725, @joshuastern)

  • Adds Approved condition type to CertificateRequest (#3735, @JoshVanL)

  • Adds ObservedGeneration field to all Issuer conditions (#3754, @JoshVanL)

  • Adds RevisionHistoryLimit field to Certificates to optionally garbage collect old CertificateRequests (#3773, @JoshVanL)

  • Adds UserInfo fields to CertificateRequests containing the UserInfo of the requester: Username, Groups, UID, Extra. (#3641, @JoshVanL)

  • Adds `kubectl cert-manager [approve|deny] CLI commands to manually approve or deny CertificateRequests (#3792, @JoshVanL)

  • Adds an observedGeneration field to all Certificate conditions. This is set to the generation of that Certificate at the time of updating. (#3613, @JoshVanL)

  • Allows disabling enabled cert-manager-controller controller, for example ‘–controllers=*,-foo’ (#3791, @JoshVanL)

  • Enforce CertificateRequest approvers have the permissions: verb=\approve\ resource=\signers\ group=\cert-manager.io\ name=./[*|[.]] at the Cluster level. (#3785, @JoshVanL)

  • Retry issuance of Denied CertificateRequests after 1 hour. (#3795, @JoshVanL)

  • The Venafi issuer in cert-manager is now compatible with Venafi Cloud OutagePREDICT. (#3831, @wallrj)

  • kubectl get certificaterequest now outputs the Issuer name and the username of the requestor by default (#3774, @JoshVanL)

Documentation

Bug or Regression

  • Allow the usage of hostNetwork in the webhook PSP (#3454, @Kirill-Garbar)

  • Correct permissions on edit aggregate role (#3697, @yann-soubeyrand)

  • Fix a bug that prevented the immediate re-issuance of a failing certificate: even when the user edited the certificate to fix an incorrect field, no certificate request would get created. Editing a failed certificate now properly re-issues immediately. (#3444, @maelvls)

  • Fixed approle login when namespaces were used in HashiCorp Vault Fixed incorrectly failing health check that was caused when the Vault token did not have sufficient permission to call /sys/- endpoints (#3582, @lalitadithya)

  • Fixes Helm upgrade bug (#3647, @irbekrm)

  • Fixes multiple Certificate Requests issue - see #3603 (#3665, @irbekrm)

  • Handle CA issuer working as intermediate correctly (#3847, @erikgb)

  • Improve error messages when Vault Issuer has misconfigured auth method (#3763, @JoshVanL)

  • Selfsigned issuer: warn when certs have empty issuer DNs, in violation of TLS RFC 5280 (#3760, @SgtCoDFish)

  • Skip Google Cloud DNS test when gcloud hasn’t been configured (#3752, @SgtCoDFish)

  • Use port from helm values for service targetPort (#3652, @7opf)

Other (Cleanup or Flake)

  • Bumps go version to v1.16 (#3823, @irbekrm)

  • Removes –renew-before-expiry flag that was deprecated in release v1.2.0 (#3693, @irbekrm)

  • Standardise controller names across the project (#3789, @JoshVanL)

  • Update distroless/static base image (#3741, @teejaded)

  • Updated cainjector to use v1 API versions of admissionregistration, apiextensions and apiregistration. (#3838, @wallrj)

Dependencies

Added

  • github.com/pavel-v-chernykh/keystore-go/v4: v4.1.0

Changed

Removed

Nothing has changed.