Releases: cert-manager/cert-manager

v0.9.0-beta.0

17 Jul 17:32
ab4d15e
Pre-release

Release notes TBD, view draft here

v0.9.0-alpha.0

08 Jul 15:27
0bf85e7
Pre-release
Merge pull request #1863 from munnerz/09-bump

Bump version strings for v0.9 alpha

v0.8.1

18 Jun 14:51
55fadf1

Changelog since v0.8.0

  • cert-manager-webhook secret exists in cert-manager ns (#1753, @kevinawoo)
  • Fix indentation on ACME setup examples (#1785, @lachlancooper)
  • Fix ECDSA certificate issuance with ACME issuer (#1757, @munnerz)
  • Fix panic in HTTP01 solver if ingress field is not specified (#1758, @munnerz)
  • Fix solver selection logic to return the selected solver rather than always returning the last one (#1717, @dobesv)
  • Fix logic to select the solver that has the most labels (#1715, @dobesv)

v0.8.0

20 May 17:03
be0cd5c

Following on from the v0.7.x releases and a series of pre-release candidates,
cert-manager v0.8.0 is available at last!

This release packs in a tonne of stability improvements, as well as a whole load
of new features 😀

As part of this release, we're updating our API format in order to better
support the 1.0 release, which we hope to reach within the next few months.
This has been accomplished in a backwards-compatible way for now, to make the
upgrade process easier, especially for users that manage large numbers of
certificate resources.

As well as the new release, we've also finally created a project logo!
For those of you who are attending KubeCon EU, we'll be handing out stickers
at the Jetstack booth from tomorrow onwards!

Action required

The deployment manifests have now moved from being a part of our GitHub
repository and are now published alongside each image tag. Please double
check the installation guide for more information on where the manifests
can now be found. This change does not affect the Helm chart!

New ACME configuration format

As part of stabilising our API surface, we've made a change to the way
you configure your ACME based certificates.

Instead of Certificate resources containing an extra certificate.spec.acme
field, which is only relevant for ACME certificates, the configuration has now
moved over to the Issuer resource instead. More details on this change can be
found in the upgrade notes.
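
The shape of that move, as an added example (not taken from the cert-manager repository): the same HTTP01 configuration written first in the old per-Certificate form and then in the new Issuer-level `solvers` form. Resource names, the e-mail address, the `nginx` ingress class and the Let's Encrypt staging URL are assumptions chosen for illustration.

```yaml
# Before (v0.7.x style): solver configuration lives on the Certificate.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com              # constructed name
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-staging
  dnsNames:
  - example.com
  acme:                          # ACME-only field, replaced in v0.8
    config:
    - http01:
        ingressClass: nginx
      domains:
      - example.com
---
# After (v0.8.0): solver configuration lives on the Issuer.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: user@example.com      # constructed address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
---
# After: the same Certificate, now free of issuer-specific fields.
# (Shown for comparison with the first document; apply one form, not both.)
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-staging
  dnsNames:
  - example.com
```

With `spec.acme` gone from the Certificate, the resource can be pointed at a different issuer type by changing only `issuerRef`.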

OpenShift installation instructions

In order to make it easier for users to run cert-manager on platforms other
than Kubernetes, we've improved our OpenShift support, including an official
installation guide for users of OpenShift.

If you use OpenShift in your organisation, check out the getting started section
for more information on how to get up and running!

Webhook based ACME DNS01 solver

Over the last year and a half, we've had more than 15 pull requests to add new
ACME DNS01 providers to our codebase. It's been brilliant to see such vibrant
community involvement, however it's become infeasible for us to continue to
accept, test and maintain such a rapidly growing matrix of providers.

As a result, we've put together a new 'webhook' DNS01 solver type.
This allows you to create and install your own DNS01 providers without having
to make changes in cert-manager itself.

You can see an example repository to get started building your own over in the
cert-manager-webhook-example repo on GitHub.

This is a new and experimental feature, however we're excited to see the community
move to this new model of extending cert-manager.

Switch to structured logging

As the project has grown, we've also increased the verbosity and frequency of our log messages.
Over time, this has become difficult to manage and work with, and so with the v0.8 release
we have begun the process of switching over our codebase to structured logging.

This should make it far easier to index, search and grep through log messages that cert-manager
emits.

Your feedback here is really valuable, so please open issues and comment on Slack if you
have any issues!

Changelog

  • make email address an optional field in ACME issuers (#1483, @DanielMorsing)
  • Fix bug when handling resources that have lastTransitionTime set to null (#1628, @munnerz)
  • Allow Openshift to install cert-manager chart (#1395, @JGodin-C2C)
  • Update documentation for new 'solvers' field (#1623, @munnerz)
  • Fix issue where ingress-shim would not clear old configuration when migrating to the new 'solvers' field (#1620, @munnerz)
  • Add new issuer.spec.acme.solvers field that replaces certificate.spec.acme in order to make all certificate resources portable between issuer types. The previous syntax is still supported to allow easy migration to the new configuration format. (#1450, @munnerz)
  • Fixes additionalPrinterColumn formatting for Certificate resources (#1616, @munnerz)
  • Fix update loop in certificates controller and add additional debug logging (#1602, @munnerz)
  • Automatically retry expired Challenge resources (#1603, @munnerz)
  • Build under MacOS. (#1601, @michaelfig)
  • Disable the CAA check by default, and introduce a new --feature-gates=ValidateCAA=true option to enable it (#1585, @munnerz)
  • Improve error handling when ACME challenges fail to Present or CleanUp (#1597, @munnerz)
  • Fix issues running the cainjector controller on Kubernetes 1.9 (#1579, @munnerz)
  • Fix upgrade bug where lastTransitionTime may be set to nil, rendering cert-manager inoperable without manual intervention (#1576, @munnerz)
  • Add webhook based DNS01 provider (#1563, @munnerz)
  • Add DNS01 provider conformance test suite (#1562, @munnerz)
  • Automatically generate LICENSES file (#1549, @munnerz)
  • Switch to go modules for dependency management (#1523, @munnerz)
  • Bump to use Go 1.12 (#1429, @munnerz)
  • use authoritative nameservers for CAA checks (#1521, @DanielMorsing)
  • Update certificate if issuer changes (#1512, @lentzi90)
  • also whitelist ipv6 (#1497, @mdonoughe)
  • Set default acmesolver image based on arch (#1494, @lentzi90)
  • Improve logging in ACME HTTP01 solver (#1474, @munnerz)
  • Run metrics server on cert-manager instances that have not been elected as leader (#1482, @kragniz)
  • Switch to structured logging using logr (#1409, @munnerz)
  • fixing the quickstart documentation to use the new helm chart repo charts.jetstack.io (#1468, @BradErz)
  • Removes need for hostedZoneName to be specified. Uses discovered DNS zone name instead. (#1466, @logicfox)

v0.8.0-beta.0

07 May 13:00
2253cbe
Pre-release

This should be the final pre-GA release of v0.8, pending no new issues being raised this week.

Manual testing and feedback from users on v0.8.0-alpha.0 showed consistent, successful results barring a fix that was made in #1620.

As part of this release, we will no longer be publishing 'static deployment manifests' as part of the repository. Instead, these will be published via GitHub Releases.

Documentation changes will be made this week to account for the new options, including updated deployment instructions for users of the 'static deployment manifests'.

Thanks to all those that have tried the v0.8 pre-releases 😄

Changelog since v0.8.0-alpha.0

  • make email address an optional field in ACME issuers (#1483, @DanielMorsing)
  • Fix bug when handling resources that have lastTransitionTime set to null (#1628, @munnerz)
  • Allow Openshift to install cert-manager chart (#1395, @JGodin-C2C)
  • Update documentation for new 'solvers' field (#1623, @munnerz)
  • Fix issue where ingress-shim would not clear old configuration when migrating to the new 'solvers' field (#1620, @munnerz)

v0.8.0-alpha.0

01 May 17:06
e0474fb
Pre-release

Documentation

Full release notes TBC.

Changelog since v0.7.0

  • Add new issuer.spec.acme.solvers field that replaces certificate.spec.acme in order to make all certificate resources portable between issuer types. The previous syntax is still supported to allow easy migration to the new configuration format. (#1450, @munnerz)
  • Fixes additionalPrinterColumn formatting for Certificate resources (#1616, @munnerz)
  • Fix update loop in certificates controller and add additional debug logging (#1602, @munnerz)
  • Automatically retry expired Challenge resources (#1603, @munnerz)
  • Build under MacOS. (#1601, @michaelfig)
  • Disable the CAA check by default, and introduce a new --feature-gates=ValidateCAA=true option to enable it (#1585, @munnerz)
  • Improve error handling when ACME challenges fail to Present or CleanUp (#1597, @munnerz)
  • Fix issues running the cainjector controller on Kubernetes 1.9 (#1579, @munnerz)
  • Fix upgrade bug where lastTransitionTime may be set to nil, rendering cert-manager inoperable without manual intervention (#1576, @munnerz)
  • Add webhook based DNS01 provider (#1563, @munnerz)
  • Add DNS01 provider conformance test suite (#1562, @munnerz)
  • Automatically generate LICENSES file (#1549, @munnerz)
  • Switch to go modules for dependency management (#1523, @munnerz)
  • Bump to use Go 1.12 (#1429, @munnerz)
  • use authoritative nameservers for CAA checks (#1521, @DanielMorsing)
  • Update certificate if issuer changes (#1512, @lentzi90)
  • also whitelist ipv6 (#1497, @mdonoughe)
  • Set default acmesolver image based on arch (#1494, @lentzi90)
  • Improve logging in ACME HTTP01 solver (#1474, @munnerz)
  • Run metrics server on cert-manager instances that have not been elected as leader (#1482, @kragniz)
  • Switch to structured logging using logr (#1409, @munnerz)
  • fixing the quickstart documentation to use the new helm chart repo charts.jetstack.io (#1468, @BradErz)
  • Removes need for hostedZoneName to be specified. Uses discovered DNS zone name instead. (#1466, @logicfox)

v0.7.2

01 May 18:02
36ffc07

This is a bugfix release for v0.7 and it is recommended all v0.7 users upgrade as soon as possible.

Notably, the newly introduced CAA record check has been disabled by default whilst we investigate issues with certain DNS resolvers that could cause the self-check to fail despite having passed in previous versions.

The new CAA check behaviour can be re-enabled by setting the --feature-gates=ValidateCAA=true flag on the cert-manager controller pod (or via --set extraArgs='[--feature-gates=ValidateCAA=true]' flag when running helm install).

Changelog since v0.7.1

  • Fix update loop in certificates controller and add additional debug logging (#1602, @munnerz)
  • Fixes additionalPrinterColumn formatting for Certificate resources (#1616, @munnerz)
  • Disable the CAA check by default, and introduce a new --feature-gates=ValidateCAA=true option to enable it (#1585, @munnerz)
  • Fix issues running the cainjector controller on Kubernetes 1.9 (#1579, @munnerz)

v0.7.1

24 Apr 12:18
113c424

This is a patch release that fixes a number of important issues that could cause ACME validations to fail in certain DNS configurations, as well as rare issues when upgrading from v0.6.x.

Changelog since v0.7.0

  • Fix issues running the cainjector controller on Kubernetes 1.9 (#1579, @munnerz)
  • Fix upgrade bug where lastTransitionTime may be set to nil, rendering cert-manager inoperable without manual intervention (#1576, @munnerz)
  • acme: use authoritative nameservers for CAA checks (#1521, @DanielMorsing)
  • fixing the quickstart documentation to use the new helm chart repo charts.jetstack.io (#1468, @BradErz)

v0.7.0

11 Mar 18:11
193c5e2

Documentation

Action Required

  • The Helm chart rbac.create option has moved to be global.rbac.create.
    Users of the Helm chart will need to update their install overrides to use
    the new format.

  • The Helm chart has now moved to be hosted on charts.jetstack.io, and
    exposed via the Helm Hub. This allows us to make
    and test changes to the Helm chart more easily, and better manage versioning.

Highlights

Venafi Issuer type

This release introduces a new issuer type for Venafi Cloud and Venafi Trust
Protection Platform.

The Venafi adapter will be built out over the coming months to improve the
integration and expose more of the Venafi platform's advanced functionality.

New cainjector controller

This release introduces support for injecting CA bundles into Kubernetes
{Validating,Mutating}WebhookConfiguration & APIService resources.

You can utilise the new controller by adding the certmanager.k8s.io/inject-ca-from
annotation to your webhook and APIService resources.

This was needed in order to improve our own deployment of the 'webhook'
component as part of this release.
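
How the annotation is used on a webhook, as an added example (not from the cert-manager manifests): the annotation value is `<namespace>/<name>` of a Certificate resource. All resource names, the namespace, the CA Issuer and the webhook rule are constructed for illustration.

```yaml
# Certificate that secures the webhook's serving endpoint.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-webhook-tls          # constructed name
  namespace: example-ns              # constructed namespace
spec:
  secretName: example-webhook-tls
  issuerRef:
    name: example-ca-issuer          # assumed CA Issuer in the same namespace
  dnsNames:
  - example-webhook.example-ns.svc
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-webhook
  annotations:
    # <namespace>/<name> of the Certificate above.
    certmanager.k8s.io/inject-ca-from: example-ns/example-webhook-tls
webhooks:
- name: validate.example.com
  failurePolicy: Fail
  clientConfig:
    # No caBundle is written by hand: cainjector fills it in.
    service:
      name: example-webhook
      namespace: example-ns
      path: /validate
  rules:
  - apiGroups: ["example.com"]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["widgets"]
```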

Improved webhook deployment

The v0.6 release utilised an additional ca-sync CronJob resource that allowed
us to secure the webhook component automatically using cert-manager itself.

Thanks to the new cainjector controller described above, we have now removed
this CronJob altogether in favour of using the far more reliable controller.

Experimental ARM support

Support for ARM was added as part of this release (#1212). We do not currently
have automated testing using ARM platforms, so this feature is still marked
experimental.

To utilise the new ARM support, you'll need to update your manifests and append
the architecture to the image name (i.e. quay.io/jetstack/cert-manager-controller-arm64:v0.7.0).

Easier debugging of failing ACME challenges

The introduction of the Challenge resource in the last release has allowed us
to provide better means for debugging failures.

In the v0.7.0 release, if a self check or ACME validation is failing for some
reason, this information will be displayed when running kubectl get and
kubectl describe.

Changelog since v0.6.0

  • Add Venafi Cloud & TPP issuer type (#1250, @munnerz)
  • cainjector: add support for injecting apiserver CA (#1420, @munnerz)
  • Generate temporary self signed certificate whilst waiting for issuer to issue certificate (#1392, @munnerz)
  • Added kubeprod as an alternative way to deploy cert-manager to the documentation (#1421, @arapulido)
  • Use new cainjector controller for webhook APIService resource (#1415, @munnerz)
  • Adds a controller for injecting CA data into webhooks and APIServices (#1398, @DirectXMan12)
  • Bump Kubernetes dependencies to v1.13 (#1268, @munnerz)
  • Use charts.jetstack.io instead of the helm/charts repository to publish Helm chart (#1377, @munnerz)
  • Recreate dead solver pods during self-check (#1388, @DanielMorsing)
  • Improve RFC2136 DNS01 provider documentation (#944, @briantopping)
  • Add more information to Google CloudDNS guide (#1295, @wwwil)
  • Add validation schema to CRD resources (#1322, @munnerz)
  • Fire additional events when syncing ACME certificates fails (#1327, @munnerz)
  • Publish arm32 and arm64 images for all cert-manager components (#1212, @munnerz)
  • Extend ACME self check to check CAA records (#1325, @DanielMorsing)
  • Bump Kubernetes apimachinery dependencies to v1.10.12 (#1344, @munnerz)
  • Increase acmesolver default cpu resource limit to 100m (#1335, @munnerz)
  • Fix potential race when updating secret resource (#1318, @munnerz)
  • Fix bug causing certificates to be re-issued endlessly in certain edge cases (#1280, @munnerz)
  • Fix bug when specifying certificate keyAlgorithm without an explicit keySize (#1309, @munnerz)
  • Bump Go version to 1.11.5 (#1304, @munnerz)
  • Fix typo in SelfSigned Issuer in webhook deployment manifests (#1294, @munnerz)
  • Add IP Address in CSR (#1128, @lrolaz)
  • Allow to use PKCS#8 encoded private keys in CA issuers. (#1191, @chr-fritz)
  • Add webhook troubleshooting guide (#1288, @munnerz)
  • Overhaul documentation and add additional content (#1279, @munnerz)
  • Increase x509 certificate duration from 90d to 1y for webhook component certificates (#1276, @munnerz)
  • Fix bug where --dns01-recursive-nameservers flag was not respected when looking up the zone to update for a DNS01 challenge (#1266, @munnerz)
  • Reuse acme clients to limit use of nonce/directory/accounts endpoints (#1265, @DanielMorsing)
  • Surface self-check errors in challenge resource (#1244, @DanielMorsing)

v0.6.2

19 Feb 12:33
f5e1477

This patch release of cert-manager resolves issues when running the webhook component on Amazon EKS.

You can find more information in #1220

Changelog since v0.6.1

  • Bump Kubernetes apimachinery dependencies to v1.10.12 (#1344, @munnerz)