diff --git a/.spelling b/.spelling
index 8d65e7cecc3..11dc72e5335 100644
--- a/.spelling
+++ b/.spelling
@@ -1,37 +1,35 @@
+(sub)domains
+7opf
 ACLs
 ACMEDNS
 ACMEv1
 ACMEv2
-ad-hoc
-Akamai
 AKS
 ALB
-analyse
-annerajb
-apiGroup
-APIs
-apiserver
 APIService
 APIServices
+APIs
+AWS
+Akamai
 AppRole
 Arsh
 ArtifactHUB
-AWS
-allowlist
-awspca
-aws-pca-issuer
-aws-privateca-issuer
+ArtifactHub
 AzureDNS
-backend
-backends
-backoff
-backported
-base64
+BKPR
 Bazel
 Bitnami
-BKPR
-boolean
 CAs
+CNAME
+CNAMEs
+CNI
+CNIs
+CNIs
+CRD
+CRDs
+CSI
+CSR
+CSRs
 CertificateRequest
 CertificateRequests
 CertificateSigningRequest
@@ -39,269 +37,285 @@ CertificateSigningRequests
 Changelog
 ChartMuseum
 CloudDNS
-Cloudflare
 CloudFlare
-ClusterRole
+Cloudflare
 ClusterIssuer
 ClusterIssuers
-CNAME
-CNAMEs
-CNI
-CNIs
-CNIs
-codebase
-coderanger
-config
-containerd
+ClusterRole
 CoreDNS
-CRD
-CRDs
 CronJob
-CSI
-CSR
-CSRs
+CryptoKey
 Ctrl
-customizable
+DCO
+DHCP
+DNS01
+DNSPod
+DNSimple
 DaemonSet
 DataDog
-DCO
 Dean-Coakley
-DHCP
 DigitalOcean
 Distroless
-DNS01
-DNSimple
-DNSPod
 EC2
 ECDSA
-Ed25519
-e.g.
 EKS
 ELB
-enablement
-eTLD
-external-dns
+Ed25519
+Encrypter
 Fargate
 FastDNS
-francescsanjuanmrf
 FreeIPA
-freeipa-issuer
 GCE
 GCLB
-gcloud
 GCP
 GKE
-Gloo
-goroutine
 GSoC
-google-cas-issuer
+Gloo
+GoLand
 HAProxy
+HTTP-01
+HTTP01
+HTTPRoute
 HashiCorp
 Helmfile
-honour
-hostname
-HTTP01
-https
 IAM
-i.e.
-ingress-nginx
-injectable
 INWX
+IPs
 IPv6
-irbekrm
 IssuerRef
 Istio
-Jetstack
 JSON
+Jetstack
+JetstackHQ
+JoshVanL
 Jsonnet
+Juneezee
+KUARD
+Kirill-Garbar
+Knative
+Krew
+KubeCon
+Kubernetes
+Kyverno
+LuCI
+Maartje
+MacOS
+Makefile
+Makefiles
+NGINX
+NLB
+NLBs
+Ocado
+OmairK
+OpenAPI
+OpenFaaS
+OpenShift
+OpenWRT
+OperatorHub
+OperatorHub.io
+PEM
+PKCS#12
+PKCS#8
+PowerShell
+Prometheus
+RBAC
+RFC2136
+RFC8555
+RR
+RRs
+RSA
+Ramlot
+RinkiyaKeDad
+Route53
+Runtime
+SOA
+SelfSigned
+SgtCoDFish
+Smallstep
+SubjectAccessReview
+TLDs
+TODO
+TPP
+TSIG
+TSIGs
+TXT
+Tiller
+Traefik
+URIs
+Uncomment
+VPC
+VaaS
+Velero
+Venafi
+WIP
+YAML
+YAMLs
+acme-dns
+ad-hoc
+allowlist
+alrs
+analyse
+andreas-p
+andrewmwhite
+annerajb
+anton-johansson
+apiGroup
+apiserver
+artificial-aidan
+aws-pca-issuer
+aws-privateca-issuer
+awskms-issuer
+awspca
+backend
+backends
+backoff
+backport
+backported
+base64
+benlangfeld
+boolean
+cainjector
+cert-manager-dev
+clatour
+cmrel
+codebase
+coderanger
+config
+containerd
+customizable
+e.g.
+e2e
+eTLD
+eddiehoffman
+edglynes
+enablement
+erikgb
+external-dns
+foosinn
+francescsanjuanmrf
+freeipa-issuer
+gatewayhttproute-labels
+gatewayhttproute-service-type
+gcloud
+google-cas-issuer
+goroutine
+hardcodes
+honour
+hostname
+https
+i.e.
+ingress-nginx
+injectable
+inteon
+io
+irbekrm
+issuances
+istio-csr
+jakexks
+jandersen-plaid
+johanfleury
+johejo
+jonathansp
+jonathansp
+joshuastern
+jsoref
+justinkillen
 keystore
 keystores
 kit837
-Knative
-Krew
-KUARD
-kubebuilder
+kms-issuer
 kube-cert-manager
-KubeCon
+kube-lego
+kubebuilder
 kubectl
 kubed
-kube-lego
 kubelet
 kubelet
 kubeprod
-Kubernetes
+kubernetes-supported-versions
 labelled
+lalitadithya
 ldflag
 lifecycle
 loadbalancer
 longkai
-LuCI
-MacOS
+loopback
+mTLS
+macOS
+manual-rotation-private-key
+mechanism
 metadata
+middleware
 misconfiguration
 misconfigured
 mixin
 mixins
 mozz-lx
-mTLS
+munnerz
 nameserver
 nameservers
 namespace
 namespaced
 namespaces
-NGINX
-NLB
-NLBs
-Ocado
-OpenAPI
-OpenFaaS
-OpenShift
-OperatorHub
-OperatorHub.io
-OpenWRT
-PEM
-PKCS#12
-PKCS#8
-Prometheus
+ndegory
+openshift-supported-versions
+pre
+pre-release
+pre-released
+pre-releases
+prepended
+prioritise
 propagations
 publicised
-RBAC
+reStructuredText
 rebase
 reissuance
 remediate
+renewBefore
 repo
-reStructuredText
-RFC2136
-RFC8555
+retryable
+retweets
 routable
-Route53
-RR
-RRs
-RSA
 runtime
-Runtime
-Smallstep
-SOA
+signoff
+sigstore
 stdout
+subchart
 subdomain
-(sub)domains
 subdomains
-SubjectAccessReview
+subfolders
 subresource
+tamalsaha
+teejaded
+templated
 templating
 thiscantbeserious
-Tiller
-TLDs
-TODO
 tolerations
-TPP
-Traefik
-TSIG
-TSIGs
-TXT
+tomasfreund
+treydock
 ulrichgi
-Uncomment
 unencrypted
 uninstallation
+unredacted
 unschedule
 untrusted
-URIs
+upstream
+userinfo
 v0.16
 v2
 v3
-VaaS
 vCert
-Venafi
-VPC
+vendoring
+versioning
+wallrj
 webhook
 webhooks
 whitelist
 whitespace
 wildcard
 wildcards
-WIP
 wpjunior
-YAML
-YAMLs
-kms-issuer
-awskms-issuer
-GoLand
-Makefiles
-io
-macOS
-e2e
-IPs
-signoff
-subfolders
-prioritise
-HTTP-01
-loopback
-mechanism
-retryable
-vendoring
-subchart
-cainjector
-Velero
-istio-csr
-pre-released
-pre-release
-pre
-unredacted
-ArtifactHub
-CryptoKey
-Encrypter
-cmrel
-userinfo
-teejaded
-7opf
 yann-soubeyrand
-Kirill-Garbar
-joshuastern
-lalitadithya
-johejo
-alrs
-jsoref
-RinkiyaKeDad
-jonathansp
-OmairK
-Makefile
-SelfSigned
-justinkillen
-Maartje
-pre-releases
-versioning
-cert-manager-dev
-backport
-kubernetes-supported-versions
-openshift-supported-versions
-prepended
-retweets
-upstream
-JetstackHQ
-acme-dns
-Ramlot
-andreas-p
-renewBefore
-erikgb
-eddiehoffman
-inteon
-anton-johansson
-edglynes
-jandersen-plaid
-foosinn
-clatour
-tamalsaha
-JoshVanL
-Kyverno
-hardcodes
-templated
-jonathansp
-benlangfeld
-manual-rotation-private-key
-issuances
-HTTPRoute
-gatewayhttproute-labels
-gatewayhttproute-service-type
 # As per https://tools.ietf.org/html/rfc5280, the spelling "X.509" is the
 # correct spelling. The spelling "x509" and "X509" are incorrect.
diff --git a/content/en/docs/release-notes/_index.md b/content/en/docs/release-notes/_index.md
index a1c71aec25a..6c2a33c5269 100644
--- a/content/en/docs/release-notes/_index.md
+++ b/content/en/docs/release-notes/_index.md
@@ -9,6 +9,7 @@ no_list: true
 Here you will find a link to all release notes for each version release of cert-manager:
+- [`v1.6`](./release-notes-1.6/)
 - [`v1.5`](./release-notes-1.5/)
 - [`v1.4`](./release-notes-1.4/)
 - [`v1.3`](./release-notes-1.3/)
diff --git a/content/en/docs/release-notes/release-notes-1.6.md b/content/en/docs/release-notes/release-notes-1.6.md
new file mode 100644
index 00000000000..1a852ae6fbb
--- /dev/null
+++ b/content/en/docs/release-notes/release-notes-1.6.md
@@ -0,0 +1,82 @@
+---
+title: "Release 1.6"
+linkTitle: "v1.6"
+weight: 770
+type: "docs"
+---
+
+## Breaking Changes (You **MUST** read this before you upgrade!)
+
+### Legacy cert-manager API versions are no-longer served
+
+Following their deprecation in version 1.5, the cert-manager API versions `v1alpha2, v1alpha3, and v1beta1` are no longer served.
+
+This means if your deployment manifests contain any of these API versions, you will not be able to deploy them after upgrading. Our new `cmctl` utility or old `kubectl cert-manager` plugin can [convert](https://cert-manager.io/docs/usage/kubectl-plugin/#convert) old manifests to `v1` for you.
+
+### JKS Keystore Minimum Password Length
+
+[JKS Keystores][jks-keystore] now have a minimum password length of 6 characters,
+as an unintended side effect of [upgrading keystore-go from `v2` to `v4`][jks-keystore-upgrade-pr].
+If you are using a shorter password, certificates will fail to renew,
+and the only observable error will be in the cert-manager logs.
+We are discussing the best remediation for a future `v1.6.1` release.
+
+[jks-keystore]: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateKeystores
+[jks-keystore-upgrade-pr]: https://github.com/jetstack/cert-manager/pull/4428
+
+## Major Themes
+
+### Command-line tool User Experience
+
+The cert-manager kubectl plugin has been redesigned as a standalone utility: `cmctl`
+
+While the kubectl plugin functionality remains intact, using `cmctl` allows for full tab completion.
+
+### Supply Chain Security
+
+As part of the wider ecosystem's push for greater supply chain security we are aiming to achieve [SLSA 3](https://slsa.dev/levels#level-requirements) by the 1.7 release date. cert-manager 1.6 has achieved the requirements for SLSA 2 when installed via helm. Our helm chart's signature can be verified with the cert-manager maintainers' public key [published on our website](../../installation/code-signing/).
+
+Our container images will be signed using sigstore's [cosign](https://github.com/sigstore/cosign) as soon as our OCI registry supports it.
+
+### Tool Chain Updates
+
+cert-manager is now built with go 1.17 ([#4478](https://github.com/jetstack/cert-manager/pull/4478), [@irbekrm](https://github.com/irbekrm))
+and can now be compiled on Apple Silicon ([#4485](https://github.com/jetstack/cert-manager/pull/4485), [@munnerz](https://github.com/munnerz)).
+
+## Changes by Kind
+
+### Feature
+
+- Add Certificate `RenewBefore` Prometheus metrics ([#4419](https://github.com/jetstack/cert-manager/pull/4419), [@artificial-aidan](https://github.com/artificial-aidan))
+- Add option to specify managed identity id when using Azure DNS DNS01 solver ([#4332](https://github.com/jetstack/cert-manager/pull/4332), [@tomasfreund](https://github.com/tomasfreund))
+- Add support for building & developing on M1 macs ([#4485](https://github.com/jetstack/cert-manager/pull/4485), [@munnerz](https://github.com/munnerz))
+- Adds release targets for both `cmctl` as well as `kubectl-cert_manager` ([#4523](https://github.com/jetstack/cert-manager/pull/4523), [@JoshVanL](https://github.com/JoshVanL))
+- Allow setting Helm chart service annotations ([#3639](https://github.com/jetstack/cert-manager/pull/3639), [@treydock](https://github.com/treydock))
+- CLI: Adds `cmctl completion` command for generating shell completion scripts for Bash, ZSH, Fish, and PowerShell ([#4408](https://github.com/jetstack/cert-manager/pull/4408), [@JoshVanL](https://github.com/JoshVanL))
+- CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) ([#4409](https://github.com/jetstack/cert-manager/pull/4409), [@JoshVanL](https://github.com/JoshVanL))
+- CLI: Only expose Kubernetes related flags on commands that use them ([#4407](https://github.com/jetstack/cert-manager/pull/4407), [@JoshVanL](https://github.com/JoshVanL))
+- Enable configuring CLI command name and registering completion sub-command at build time. ([#4522](https://github.com/jetstack/cert-manager/pull/4522), [@JoshVanL](https://github.com/JoshVanL))
+
+### Bug or Regression
+
+- Fix a bug in the Vault client that led to a panic after a request to Vault health endpoint failed. ([#4456](https://github.com/jetstack/cert-manager/pull/4456), [@JoshVanL](https://github.com/JoshVanL))
+- Fix CRDs which were accidentally changed in cert-manager `v1.5.0` ([#4353](https://github.com/jetstack/cert-manager/pull/4353), [@SgtCoDFish](https://github.com/SgtCoDFish))
+- Fix regression in Ingress `PathType` introduced in `v1.5.0` ([#4373](https://github.com/jetstack/cert-manager/pull/4373), [@jakexks](https://github.com/jakexks))
+- Fixed the HTTP-01 solver creating `ClusterIP` instead of `NodePort` services by default. ([#4393](https://github.com/jetstack/cert-manager/pull/4393), [@jakexks](https://github.com/jakexks))
+- Fixes renewal time issue for certs with skewed duration period. ([#4399](https://github.com/jetstack/cert-manager/pull/4399), [@irbekrm](https://github.com/irbekrm))
+- Pod Security Policy for startup API check job ([#4364](https://github.com/jetstack/cert-manager/pull/4364), [@ndegory](https://github.com/ndegory))
+- The `startupapicheck` post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. ([#4433](https://github.com/jetstack/cert-manager/pull/4433), [@wallrj](https://github.com/wallrj))
+- The defaults for leader election parameters are now consistent across cert-manager and cainjector. ([#4359](https://github.com/jetstack/cert-manager/pull/4359), [@johanfleury](https://github.com/johanfleury))
+- Use `GetAuthorization` instead of `GetChallenge` when querying the current state of an ACME challenge. ([#4430](https://github.com/jetstack/cert-manager/pull/4430), [@JoshVanL](https://github.com/JoshVanL))
+
+### Other (Cleanup or Flake)
+
+- Adds middleware logging back to ACME client for debugging ([#4429](https://github.com/jetstack/cert-manager/pull/4429), [@JoshVanL](https://github.com/JoshVanL))
+- Deprecation: The API versions: `v1alpha2`, `v1alpha3`, and `v1beta1`, are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. ([#4482](https://github.com/jetstack/cert-manager/pull/4482), [@wallrj](https://github.com/wallrj))
+- Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). ([#4465](https://github.com/jetstack/cert-manager/pull/4465), [@andrewmwhite](https://github.com/andrewmwhite))
+- Fix manually specified `PKCS#10` CSR and X.509 Certificate version numbers (although these were ignored in practice) ([#4392](https://github.com/jetstack/cert-manager/pull/4392), [@SgtCoDFish](https://github.com/SgtCoDFish))
+- Improves logging for 'owner not found' errors for `CertificateRequest`s owning `Order`s. ([#4369](https://github.com/jetstack/cert-manager/pull/4369), [@irbekrm](https://github.com/irbekrm))
+- Refactor: move from `io/ioutil` to `io` and `os` package ([#4402](https://github.com/jetstack/cert-manager/pull/4402), [@Juneezee](https://github.com/Juneezee))
+- Removes status fields from CRD manifests ([#4379](https://github.com/jetstack/cert-manager/pull/4379), [@irbekrm](https://github.com/irbekrm))
+- Update cert-manager base image versions ([#4474](https://github.com/jetstack/cert-manager/pull/4474), [@SgtCoDFish](https://github.com/SgtCoDFish))
+- Uses Go 1.17 ([#4478](https://github.com/jetstack/cert-manager/pull/4478), [@irbekrm](https://github.com/irbekrm))