Add a 1.6 release notes document #730
Merged
jetstack-bot
merged 4 commits into
cert-manager:release-next
from
wallrj:release-notes-1.6
Oct 27, 2021
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| title: "Release 1.6" | ||
| linkTitle: "v1.6" | ||
| weight: 770 | ||
| type: "docs" | ||
| --- | ||
|
|
||
| ## Breaking Changes (You **MUST** read this before you upgrade!) | ||
|
|
||
| ### Legacy cert-manager API versions are no-longer served | ||
|
|
||
| Following their deprecation in version 1.5, the cert-manager APIVersions `v1alpha2, v1alpha3, and v1beta1` are no longer served. | ||
|
|
||
| This means if your deployment manifests contain any of these API versions, you will not be able to deploy them after upgrading. Our new `cmctl` utility or old `kubectl cert-manager` plugin can [convert](https://cert-manager.io/docs/usage/kubectl-plugin/#convert) old manifests to `v1` for you. | ||
|
|
||
| ### JKS Keystore Minimum Password Length | ||
|
|
||
| [JKS Keystores][jks-keystore] now have a minimum password length of 6 characters, | ||
| as an unintended side effect of [upgrading keystore-go from v2 to v4][jks-keystore-upgrade-pr]. | ||
| If you are using a shorter password, certificates will fail to renew, | ||
| and the only observable error will be in the cert-manager logs. | ||
| We are discussing the best remediation for a future v1.6.1 release. | ||
|
|
||
| [jks-keystore]: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateKeystores | ||
| [jks-keystore-upgrade-pr]: https://github.com/jetstack/cert-manager/pull/4428 | ||
|
|
||
| ## Major Themes | ||
|
|
||
| ### Command-line tool User Experience | ||
|
|
||
| The cert-manager kubectl plugin has been redesigned as a standalone utilty: `cmctl` | ||
|
|
||
| While the kubectl plugin functionality remains intact, using `cmctl` allows for full tab completion. See the docs: (Alan please add link) | ||
|
|
||
| ### Supply Chain Security | ||
|
|
||
| As part of the wider ecosystem's push for greater supply chain security we are aiming to achieve [SLSA 3](https://slsa.dev/levels#level-requirements) by the 1.7 release date. cert-manager 1.6 has achieved the requirements for SLSA 2 when installed via helm. Our helm chart's signature can be verified with the cert-manager maintainers' public key [published on our website](../../installation/code-signing/). | ||
|
|
||
| Our container images will be signed using sigstore's [cosign](https://github.com/sigstore/cosign) as soon as our OCI registry supports it. | ||
|
|
||
| ### Toolchain Updates | ||
|
|
||
| cert-manager is now built with go 1.17 ([#4478](https://github.com/jetstack/cert-manager/pull/4478), [@irbekrm](https://github.com/irbekrm)) and is now buildable on Apple Silicon hosts ([#4485](https://github.com/jetstack/cert-manager/pull/4485), [@munnerz](https://github.com/munnerz)). | ||
|
|
||
| ## Changes by Kind | ||
|
|
||
| ### Feature | ||
|
|
||
| - Add Certificate RenewBefore prometheus metrics ([#4419](https://github.com/jetstack/cert-manager/pull/4419), [@artificial-aidan](https://github.com/artificial-aidan)) | ||
| - Add option to specify managed identity id when using azure-dns dns-01 solver ([#4332](https://github.com/jetstack/cert-manager/pull/4332), [@tomasfreund](https://github.com/tomasfreund)) | ||
| - Add support for building & developing on M1 macs ([#4485](https://github.com/jetstack/cert-manager/pull/4485), [@munnerz](https://github.com/munnerz)) | ||
| - Adds release targets for both `cmctl` as well as `kubectl-cert_manager` ([#4523](https://github.com/jetstack/cert-manager/pull/4523), [@JoshVanL](https://github.com/JoshVanL)) | ||
| - Allow setting Helm chart service annotations ([#3639](https://github.com/jetstack/cert-manager/pull/3639), [@treydock](https://github.com/treydock)) | ||
| - CLI: Adds `cmctl completion` command for generating shell completion scripts for bash, zsh, fish, and powershell ([#4408](https://github.com/jetstack/cert-manager/pull/4408), [@JoshVanL](https://github.com/JoshVanL)) | ||
| - CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) ([#4409](https://github.com/jetstack/cert-manager/pull/4409), [@JoshVanL](https://github.com/JoshVanL)) | ||
| - CLI: Only expose Kubernetes related flags on commands that use them ([#4407](https://github.com/jetstack/cert-manager/pull/4407), [@JoshVanL](https://github.com/JoshVanL)) | ||
| - Enable configuring CLI command name and registering completion subcommand at build time. ([#4522](https://github.com/jetstack/cert-manager/pull/4522), [@JoshVanL](https://github.com/JoshVanL)) | ||
|
|
||
| ### Bug or Regression | ||
|
|
||
| - FIX: Prevent Vault Client from panicing when request to Vault health endpoint fails. ([#4456](https://github.com/jetstack/cert-manager/pull/4456), [@JoshVanL](https://github.com/JoshVanL)) | ||
| - Fix CRDs which were accidentally changed in cert-manager v1.5.0 ([#4353](https://github.com/jetstack/cert-manager/pull/4353), [@SgtCoDFish](https://github.com/SgtCoDFish)) | ||
| - Fix regression in Ingress PathType introduced in v1.5.0 ([#4373](https://github.com/jetstack/cert-manager/pull/4373), [@jakexks](https://github.com/jakexks)) | ||
| - Fixed the HTTP-01 solver creating ClusterIP instead of NodePort services by default. ([#4393](https://github.com/jetstack/cert-manager/pull/4393), [@jakexks](https://github.com/jakexks)) | ||
| - Fixes renewal time issue for certs with skewed duration period. ([#4399](https://github.com/jetstack/cert-manager/pull/4399), [@irbekrm](https://github.com/irbekrm)) | ||
| - Pod Security Policy for startup api check job ([#4364](https://github.com/jetstack/cert-manager/pull/4364), [@ndegory](https://github.com/ndegory)) | ||
| - The `startupapicheck` post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. ([#4433](https://github.com/jetstack/cert-manager/pull/4433), [@wallrj](https://github.com/wallrj)) | ||
| - The defaults for leader election parameters are now consistent across cert-manager and cainjector. ([#4359](https://github.com/jetstack/cert-manager/pull/4359), [@johanfleury](https://github.com/johanfleury)) | ||
| - Use GetAuthorization instead of GetChallenge when querying the current state of an ACME challenge. ([#4430](https://github.com/jetstack/cert-manager/pull/4430), [@JoshVanL](https://github.com/JoshVanL)) | ||
|
|
||
| ### Other (Cleanup or Flake) | ||
|
|
||
| - Adds middleware logging back to ACME client for debugging ([#4429](https://github.com/jetstack/cert-manager/pull/4429), [@JoshVanL](https://github.com/JoshVanL)) | ||
| - Deprecation: The API versions: v1alpha2, v1alpha3, and v1beta1, are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. ([#4482](https://github.com/jetstack/cert-manager/pull/4482), [@wallrj](https://github.com/wallrj)) | ||
| - Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). ([#4465](https://github.com/jetstack/cert-manager/pull/4465), [@andrewmwhite](https://github.com/andrewmwhite)) | ||
| - Fix manually specified PKCS#10 CSR and X.509 Certificate version numbers (although these were ignored in practice) ([#4392](https://github.com/jetstack/cert-manager/pull/4392), [@SgtCoDFish](https://github.com/SgtCoDFish)) | ||
| - Improves logging for 'owner not found' errors for `CertificateRequest`s owning `Order`s. ([#4369](https://github.com/jetstack/cert-manager/pull/4369), [@irbekrm](https://github.com/irbekrm)) | ||
| - Refactor: move from io/ioutil to io and os package ([#4402](https://github.com/jetstack/cert-manager/pull/4402), [@Juneezee](https://github.com/Juneezee)) | ||
| - Removes status fields from CRD configs ([#4379](https://github.com/jetstack/cert-manager/pull/4379), [@irbekrm](https://github.com/irbekrm)) | ||
| - Update cert-manager base image versions ([#4474](https://github.com/jetstack/cert-manager/pull/4474), [@SgtCoDFish](https://github.com/SgtCoDFish)) | ||
| - Uses Go 1.17 ([#4478](https://github.com/jetstack/cert-manager/pull/4478), [@irbekrm](https://github.com/irbekrm)) | ||
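Review bot: The "Command-line tool User Experience" section still contains an editorial placeholder, "See the docs: (Alan please add link)", which would be published verbatim; replace it with the actual `cmctl` documentation link or drop the clause before merging. Two spelling fixes in the same pass: "utilty" in that section should be "utility", and "panicing" in the Vault entry under "Bug or Regression" should be "panicking". In the "JKS Keystore Minimum Password Length" section, the text says renewals fail for passwords shorter than 6 characters and that the only observable error is in the cert-manager logs; since this is listed as a breaking change, consider adding a sentence telling readers to check the password used by their JKS keystore configuration before upgrading, so the failure is not first discovered at renewal time. The code-signing link in "Supply Chain Security" is relative (`../../installation/code-signing/`) while every other link in the file is absolute, so it is worth confirming it resolves from this page's final location.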