diff --git a/.spelling b/.spelling
index 2f52de86597..56bcae48472 100644
--- a/.spelling
+++ b/.spelling
@@ -1,3 +1,16 @@
+phillebaba
+tberreis
+allenmunC1
+jeremycampbell
+snorwin
+JoeNorth
+tanujd11
+asapekia
+pevidex
+vinny
+lauraseidler
+ABWassim
+ThatsMrTalbot
 yann-soubeyrand
 pinkfloydx33
 karlschriek
@@ -72,6 +85,7 @@ Arsh
 ArtifactHUB
 ArtifactHub
 AzureDNS
+BasicConstraints
 BKPR
 Bazel
 Bitnami
@@ -149,6 +163,7 @@ Fargate
 FastDNS
 FreeIPA
 fs-group
+GatewayAPI
 GCE
 GCLB
 GCP
@@ -186,6 +201,7 @@ Juneezee
 JoooostB
 Keyfactor
 KeySelector
+KeyUsage
 KUARD
 Kirill-Garbar
 Knative
@@ -269,6 +285,7 @@ ControllerConfiguration
 WIP
 YAML
 YAMLs
+accessors
 acme-dns
 ad-hoc
 allowlist
@@ -327,6 +344,7 @@ gcloud
 goimports
 google-cas-issuer
 goroutine
+gosec
 hardcodes
 hardcoded
 healthz
@@ -427,6 +445,7 @@ retryable
 retweets
 routable
 runtime
+runtimes
 signoff
 sigstore
 stdout
@@ -634,6 +653,8 @@ v1.13.
 v1.12.5
 v1.12.6
 v1.12.7
+v1.14.0
+v1.14.x
 liveness
 apiservices
 arm64
diff --git a/content/docs/cli/acmesolver.md b/content/docs/cli/acmesolver.md
index 799941ec2d8..baee31aff49 100644
--- a/content/docs/cli/acmesolver.md
+++ b/content/docs/cli/acmesolver.md
@@ -2,7 +2,6 @@
 title: acmesolver CLI reference
 description: "cert-manager acmesolver CLI documentation"
 ---
-
 ```
 HTTP server used to solve ACME challenges.
diff --git a/content/docs/cli/cainjector.md b/content/docs/cli/cainjector.md
index 757eb98bde2..5eb3586ce1f 100644
--- a/content/docs/cli/cainjector.md
+++ b/content/docs/cli/cainjector.md
@@ -2,8 +2,8 @@
 title: cainjector CLI reference
 description: "cert-manager cainjector CLI documentation"
 ---
-
 ```
+
 cert-manager CA injector is a Kubernetes addon to automate the injection of CA data into webhooks and APIServices from cert-manager certificates.
@@ -15,8 +15,7 @@ Usage:
 cainjector [flags]
 Flags:
- --add_dir_header If true, adds the file directory to the header of the log messages (DEPRECATED: this flag may be removed in the future)
- --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
+ --config string Path to a file containing a CAInjectorConfiguration object used to configure the controller
 --enable-apiservices-injectable Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true)
 --enable-certificates-data-source Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true)
 --enable-customresourcedefinitions-injectable Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true)
@@ -35,18 +34,9 @@ Flags:
 --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.
 --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
 --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
- --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: this flag may be removed in the future)
- --log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --log_file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: this flag may be removed in the future)
 --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
- --logtostderr log to standard error instead of files (default true) (DEPRECATED: this flag may be removed in the future)
 --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace.
- --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
 --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060")
- --skip_headers If true, avoid header prefixes in the log messages (DEPRECATED: this flag may be removed in the future)
- --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: this flag may be removed in the future)
 -v, --v Level number for the log level verbosity
 --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
 ```
diff --git a/content/docs/cli/cmctl.md b/content/docs/cli/cmctl.md
index ca992f37ca0..88281c4a317 100644
--- a/content/docs/cli/cmctl.md
+++ b/content/docs/cli/cmctl.md
@@ -2,8 +2,8 @@
 title: cmctl CLI reference
 description: "cert-manager cmctl CLI documentation"
 ---
-
 ```
+
 cmctl is a CLI tool manage and configure cert-manager resources for Kubernetes
 Usage:
 cmctl [command]
@@ -11,7 +11,6 @@ Usage: cmctl [command]
 Available Commands:
 approve Approve a CertificateRequest
 check Check cert-manager components
- completion Generate completion scripts for the cert-manager CLI
 convert Convert cert-manager config files between different API versions
 create Create cert-manager resources
 deny Deny a CertificateRequest
diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md
index 8c654ddc3b1..30fa2b7604b 100644
--- a/content/docs/cli/controller.md
+++ b/content/docs/cli/controller.md
@@ -2,8 +2,8 @@
 title: controller CLI reference
 description: "cert-manager controller CLI documentation"
 ---
-
 ```
+
 cert-manager is a Kubernetes addon to automate the management and issuance of TLS certificates from various issuing sources.
@@ -14,70 +14,69 @@ Usage:
 controller [flags]
 Flags:
- --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:v1.13.3")
- --acme-http01-solver-nameservers strings A list of comma separated dns server endpoints used for ACME HTTP01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53
- --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m")
- --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
- --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m")
- --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
- --acme-http01-solver-run-as-non-root Defines the ability to run the http01 solver as root for troubleshooting issues (default true)
- --add_dir_header If true, adds the file directory to the header of the log messages (DEPRECATED: this flag may be removed in the future)
- --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])
- --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers.
'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true)
- --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system")
- --concurrent-workers int The number of concurrent workers for each controller. (default 5)
- --config string Path to a file containing a ControllerConfiguration object used to configure the controller
- --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'.
- All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager (default [*])
- --copied-annotation-prefixes strings Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kuberenetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'.
(default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/])
- --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io")
- --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer")
- --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource.
- --dns01-check-retry-period duration The duration the controller should wait between a propagation check. Despite the name, this flag is used to configure the wait period for both DNS01 and HTTP01 challenge propagation checks. For DNS01 challenges the propagation check verifies that a TXT record with the challenge token has been created. For HTTP01 challenges the propagation check verifies that the challenge token is served at the challenge URL.This should be a valid duration string, for example 180s or 1h (default 10s)
- --dns01-recursive-nameservers : A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: : or `https://`. For example: `8.8.8.8:53,8.8.4.4:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true.
- --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers.
- --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.
- --enable-profiling Enable profiling for controller.
- --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
- AdditionalCertificateOutputFormats=true|false (ALPHA - default=false)
- AllAlpha=true|false (ALPHA - default=false)
- AllBeta=true|false (BETA - default=false)
- DisallowInsecureCSRUsageDefinition=true|false (BETA - default=true)
- ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
- ExperimentalGatewayAPISupport=true|false (ALPHA - default=false)
- LiteralCertificateSubject=true|false (ALPHA - default=false)
- SecretsFilteredCaching=true|false (BETA - default=true)
- ServerSideApply=true|false (ALPHA - default=false)
- StableCertificateRequestName=true|false (BETA - default=true)
- UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
- ValidateCAA=true|false (ALPHA - default=false)
- -h, --help help for controller
- --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.
- --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50)
- --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20)
- --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster.
- --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true)
- --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s)
- --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system")
- --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s)
- --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s)
- --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
- --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: this flag may be removed in the future)
- --log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --log_file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited.
(default 1800) (DEPRECATED: this flag may be removed in the future)
- --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
- --logtostderr log to standard error instead of files (default true) (DEPRECATED: this flag may be removed in the future)
- --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
- --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once. (default 60)
- --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402")
- --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched
- --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060")
- --skip_headers If true, avoid header prefixes in the log messages (DEPRECATED: this flag may be removed in the future)
- --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
- --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: this flag may be removed in the future)
- -v, --v Level number for the log level verbosity
- --vmodule pattern=N,...
comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
+ --acme-http01-solver-image string The docker image to use to solve ACME HTTP01 challenges. You most likely will not need to change this parameter unless you are testing a new feature or developing cert-manager. (default "quay.io/jetstack/cert-manager-acmesolver:canary")
+ --acme-http01-solver-nameservers strings A list of comma separated dns server endpoints used for ACME HTTP01 check requests. This should be a list containing host and port, for example 8.8.8.8:53,8.8.4.4:53
+ --acme-http01-solver-resource-limits-cpu string Defines the resource limits CPU size when spawning new ACME HTTP01 challenge solver pods. (default "100m")
+ --acme-http01-solver-resource-limits-memory string Defines the resource limits Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
+ --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m")
+ --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi")
+ --acme-http01-solver-run-as-non-root Defines the ability to run the http01 solver as root for troubleshooting issues (default true)
+ --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme])
+ --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object.
When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true)
+ --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system")
+ --concurrent-workers int The number of concurrent workers for each controller. (default 5)
+ --config string Path to a file containing a ControllerConfiguration object used to configure the controller
+ --controllers strings A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'.
+ All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager (default [*])
+ --copied-annotation-prefixes strings Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kuberenetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'.
(default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/])
+ --default-issuer-group string Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io")
+ --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer")
+ --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource.
+ --dns01-check-retry-period duration The duration the controller should wait between a propagation check. Despite the name, this flag is used to configure the wait period for both DNS01 and HTTP01 challenge propagation checks. For DNS01 challenges the propagation check verifies that a TXT record with the challenge token has been created. For HTTP01 challenges the propagation check verifies that the challenge token is served at the challenge URL.This should be a valid duration string, for example 180s or 1h (default 10s)
+ --dns01-recursive-nameservers : A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: : or `https://`. For example: `8.8.8.8:53,8.8.4.4:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true.
+ --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers.
+ --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.
+ --enable-profiling Enable profiling for controller.
+ --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
+ AdditionalCertificateOutputFormats=true|false (ALPHA - default=false)
+ AllAlpha=true|false (ALPHA - default=false)
+ AllBeta=true|false (BETA - default=false)
+ DisallowInsecureCSRUsageDefinition=true|false (BETA - default=true)
+ ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
+ ExperimentalGatewayAPISupport=true|false (ALPHA - default=false)
+ LiteralCertificateSubject=true|false (ALPHA - default=false)
+ NameConstraints=true|false (ALPHA - default=false)
+ OtherNames=true|false (ALPHA - default=false)
+ SecretsFilteredCaching=true|false (BETA - default=true)
+ ServerSideApply=true|false (ALPHA - default=false)
+ StableCertificateRequestName=true|false (BETA - default=true)
+ UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
+ ValidateCAA=true|false (ALPHA - default=false)
+ -h, --help help for controller
+ --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.
+ --kube-api-burst int the maximum burst queries-per-second of requests sent to the Kubernetes apiserver (default 50)
+ --kube-api-qps float32 indicates the maximum queries-per-second requests to the Kubernetes apiserver (default 20)
+ --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster.
+ --leader-elect If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time (default true)
+ --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s)
+ --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system")
+ --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s)
+ --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s)
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
+ --master string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
+ --max-concurrent-challenges int The maximum number of challenges that can be scheduled as 'processing' at once.
(default 60)
+ --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates
+ --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates
+ --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA
+ --metrics-dynamic-serving-leaf-duration duration leaf duration of serving certificates
+ --metrics-listen-address string The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402")
+ --metrics-tls-cert-file string path to the file containing the TLS certificate to serve with
+ --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
+ --metrics-tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used.
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
+ --metrics-tls-private-key-file string path to the file containing the TLS private key to serve with
+ --namespace string If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched
+ --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060")
+ -v, --v Level number for the log level verbosity
+ --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
 ```
diff --git a/content/docs/cli/startupapicheck.md b/content/docs/cli/startupapicheck.md
new file mode 100644
index 00000000000..cf87ff92b27
--- /dev/null
+++ b/content/docs/cli/startupapicheck.md
@@ -0,0 +1,23 @@
+---
+title: startupapicheck CLI reference
+description: "cert-manager startupapicheck CLI documentation"
+---
+```
+Check that cert-manager started successfully
+
+Usage:
+ startupapicheck [command]
+
+Available Commands:
+ check Check cert-manager components
+ help Help about any command
+
+Flags:
+ -h, --help help for startupapicheck
+ --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
+ --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
+ -v, --v Level[=2] number for the log level verbosity
+ --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
+
+Use "startupapicheck [command] --help" for more information about a command.
+```
diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md
index 8adb4add42c..6b19d336b6e 100644
--- a/content/docs/cli/webhook.md
+++ b/content/docs/cli/webhook.md
@@ -2,8 +2,8 @@
 title: webhook CLI reference
 description: "cert-manager webhook CLI documentation"
 ---
-
 ```
+
 cert-manager is a Kubernetes addon to automate the management and issuance of TLS certificates from various issuing sources.
@@ -14,13 +14,12 @@ Usage:
 webhook [flags]
 Flags:
- --add_dir_header If true, adds the file directory to the header of the log messages (DEPRECATED: this flag may be removed in the future)
- --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future)
 --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
 --config string Path to a file containing a WebhookConfiguration object used to configure the webhook
 --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates certificates
 --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates
 --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA
+ --dynamic-serving-leaf-duration duration leaf duration of serving certificates
 --enable-profiling Enable profiling for webhook.
 --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
 AdditionalCertificateOutputFormats=true|false (ALPHA - default=false)
@@ -28,25 +27,18 @@ Flags: AllBeta=true|false (BETA - default=false) DisallowInsecureCSRUsageDefinition=true|false (BETA - default=true) LiteralCertificateSubject=true|false (ALPHA - default=false) + NameConstraints=true|false (ALPHA - default=false) + OtherNames=true|false (ALPHA - default=false) --healthz-port int32 port number to listen on for insecure healthz connections (default 6080) -h, --help help for webhook --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) - --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: this flag may be removed in the future) - --log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future) - --log_file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future) - --log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: this flag may be removed in the future) --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text") - --logtostderr log to standard error instead of files (default true) (DEPRECATED: this flag may be removed in the future) - --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future) --profiler-address string Address of the Go profiler (pprof). This should never be exposed on a public interface. If this flag is not set, the profiler is not run. 
(default "localhost:6060") --secure-port int32 port number to listen on for secure TLS connections (default 6443) - --skip_headers If true, avoid header prefixes in the log messages (DEPRECATED: this flag may be removed in the future) - --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: this flag may be removed in the future) - --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: this flag may be removed in the future) --tls-cert-file string path to the file containing the TLS certificate to serve with - --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be use. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA - --tls-min-version string Minimum TLS version supported. 
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 --tls-private-key-file string path to the file containing the TLS private key to serve with -v, --v Level number for the log level verbosity --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md index 2e3e8242aff..6c028a6161e 100644 --- a/content/docs/configuration/acme/http01/README.md +++ b/content/docs/configuration/acme/http01/README.md 
@@ -211,7 +211,7 @@ feature flag to the cert-manager controller. To install v1.5.1 Gateway API bundle (Gateway CRDs and webhook), run the following command: ```sh -kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v0.5.1/standard-install.yaml" +kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml" ``` To enable the feature in cert-manager, turn on the `GatewayAPI` feature gate: @@ -279,7 +279,7 @@ does not edit Gateway resources. For example, the following Gateway will allow the Issuer to solve the challenge: ```yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: traefik @@ -324,7 +324,7 @@ spec: You will see an HTTPRoute appear: ```yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: cm-acme-http-solver-gdhvg @@ -337,9 +337,9 @@ spec: hostnames: - example.net rules: - - forwardTo: + - backendRefs: - port: 8089 - serviceName: cm-acme-http-solver-gdhvg + name: cm-acme-http-solver-gdhvg weight: 1 matches: - path: diff --git a/content/docs/devops-tips/prometheus-metrics.md b/content/docs/devops-tips/prometheus-metrics.md index 968ce2077db..d3d897798e1 100644 --- a/content/docs/devops-tips/prometheus-metrics.md +++ b/content/docs/devops-tips/prometheus-metrics.md 
@@ -60,10 +60,88 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/component: "controller"
 podMetricsEndpoints:
- - port: http
+ - port: http-metrics
 honorLabels: true
 ```
+### TLS
+
+TLS can be enabled on the metrics endpoint for end-to-end encryption. This is achieved either using pre-signed static certificates, or using the internal dynamic certificate signing.
+
+#### Static certificates
+
+Static certificates can be provided to the cert-manager controller to use when listening on the metric endpoint. If the certificate files are changed then cert-manager will reload the certificates for zero-downtime rotation.
+
+Static certificates can be specified via the flags `--metrics-tls-cert-file` and `--metrics-tls-private-key-file` or the corresponding config file parameters `metricsTLSConfig.filesystem.certFile` and `metricsTLSConfig.filesystem.keyFile`.
+
+The certificate and private key must be mounted into the controller pod for this to work, if cert-manager is deployed using helm the `.volumes[]` and `.mounts[]` properties can facilitate this.
+
+An example config file would be:
+
+```yaml
+apiVersion: controller.config.cert-manager.io/v1alpha1
+kind: ControllerConfiguration
+metricsTLSConfig:
+ filesystem:
+ certFile: "/path/to/cert.pem"
+ keyFile: "/path/to/key.pem"
+```
+
+#### Dynamic certificates
+
+In this mode cert-manager will create a CA in a named secret, then use this CA to sign the metrics endpoint certificate. This mode will also take care of rotation, auto rotating the certificate as required.
+
+Dynamic certificates can be specified via the flags `--metrics-dynamic-serving-ca-secret-namespace`, `--metrics-dynamic-serving-ca-secret-name` and `--metrics-dynamic-serving-dns-names` or the corresponding config file parameters `metricsTLSConfig.dynamic.secretNamespace`, `metricsTLSConfig.dynamic.secretName` and `metricsTLSConfig.dynamic.dnsNames`.
+
+An example config file would be:
+
+```yaml
+apiVersion: controller.config.cert-manager.io/v1alpha1
+kind: ControllerConfiguration
+metricsTLSConfig:
+ dynamic:
+ secretNamespace: "cert-manager"
+ secretName: "cert-manager-metrics-ca"
+ dnsNames:
+ - cert-manager-metrics
+ - cert-manager-metrics.cert-manager
+ - cert-manager-metrics.cert-manager.svc
+```
+
+When using Prometheus the CA generated by the generated certificate authority can be trusted as part of the `PodMonitor` or `ServiceMonitor` spec:
+
+```yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+ labels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+spec:
+ jobLabel: app.kubernetes.io/name
+ selector:
+ matchLabels:
+ app: cert-manager
+ app.kubernetes.io/name: cert-manager
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: "controller"
+ podMetricsEndpoints:
+ - port: http-metrics
+ scheme: https
+ honorLabels: true
+ # TLS config trusting the CA and specifying the server name
+ tlsConfig:
+ serverName: cert-manager-metrics
+ ca:
+ secret:
+ name: cert-manager-metrics-ca
+ key: "tls.crt"
+```
+
 ## Monitoring Mixin
 Monitoring mixins are a way to bundle common alerts, rules, and dashboards for an application in a configurable and extensible way, using the Jsonnet data templating language. A cert-manager monitoring mixin can be found here https://gitlab.com/uneeq-oss/cert-manager-mixin. Documentation on usage can be found with the `cert-manager-mixin` project.
diff --git a/content/docs/installation/README.md b/content/docs/installation/README.md
index 15704e010cc..24e3037acef 100644
--- a/content/docs/installation/README.md
+++ b/content/docs/installation/README.md
@@ -12,7 +12,7 @@ Learn about the various ways you can install cert-manager and how to choose betw
 The default static configuration can be installed as follows:
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.yaml
 ```
 📖 Read more about [installing cert-manager using kubectl apply and static manifests](./kubectl.md).
diff --git a/content/docs/installation/best-practice.md b/content/docs/installation/best-practice.md
index 6ab631b73bb..49064ed226d 100644
--- a/content/docs/installation/best-practice.md
+++ b/content/docs/installation/best-practice.md
@@ -392,8 +392,7 @@ An example of this recommendation is found in the Datree Documentation:
 > Liveness probes allow Kubernetes to determine when a pod should be replaced.
 > They are fundamental in configuring a resilient cluster architecture.
-The cert-manager webhook and controller Pods do have liveness probes,
-but only the webhook liveness probe is enabled by default.
+The cert-manager webhook and controller Pods do have liveness probes.
 The cainjector Pod does not have a liveness probe, yet. More information below.
@@ -404,19 +403,9 @@ and the [timings and thresholds can be configured using Helm values](https://git
 ### controller
-> ℹī¸ The cert-manager controller liveness probe was introduced in cert-manager release `1.12`.
-
-The cert-manager controller has a liveness probe, but it is **disabled by default**.
-You can enable it using the Helm chart value `livenessProbe.enabled=true`,
-but first read the background information below.
-
-> đŸ“ĸ The controller liveness probe is a new feature in cert-manager release 1.12
-> and it is disabled by default, as a precaution, in case it causes problems in the field.
-> [Please get in touch](../contributing/README.md)
-> and tell us if you have enabled the controller liveness probe in production
-> and whether you would like it to be turned on by default.
-> Please also include any circumstances where the controller has become stuck
-> and where the liveness probe has been necessary to automatically restart the process.
+> đŸ“ĸ The cert-manager controller liveness probe was introduced in cert-manager release `1.12` and
+> enabled by default in release `1.14`. In case it causes problems in the field,
+> [Please get in touch](../contributing/README.md).
 The liveness probe for the cert-manager controller is an HTTP probe which connects to the `/livez` endpoint of a healthz server which listens on port 9443 and runs in its own thread.
@@ -425,6 +414,8 @@ and each sub-system has its own `/livez` endpoint. These are:
 * `/livez/leaderElection`: Returns an error if the leader election record has not been renewed or if the leader election thread has exited without also crashing the parent process.
+* `/livez/clockHealth`: Returns an error if a clock skew is detected between the system clock
+ and the monotonic clock used by Go to schedule timers.
 > ℹī¸ In future more sub-systems could be checked by the `/livez` endpoint,
 > similar to how Kubernetes [ensure logging is not blocked](https://github.com/kubernetes/kubernetes/pull/64946)
@@ -460,10 +451,6 @@ there will be increasing time delays between successive restarts.
 For this reason, the liveness probe should only be needed if there is a bug in this orderly shutdown process, or if there is a bug in one of the other threads which causes the process to deadlock and not shutdown.
-You may want to enable the liveness probe anyway, for defense against unforeseen bugs and deadlocks,
-but you will need to monitor the processes closely and,
-tweak the [various liveness probe time settings and thresholds](https://github.com/cert-manager/cert-manager/blob/eafe0d0aae4b7a9411825424f6b43fb623e1ba65/deploy/charts/cert-manager/values.yaml#L254-L268), if necessary.
-
 > 📖 Read [Configure Liveness, Readiness and Startup Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#before-you-begin) in the Kubernetes documentation, paying particular attention to the notes and cautions in that document.
 >
 > 📖 Read [Shooting Yourself in the Foot with Liveness Probes](https://blog.colinbreck.com/kubernetes-liveness-and-readiness-probes-how-to-avoid-shooting-yourself-in-the-foot/#shootingyourselfinthefootwithlivenessprobes) for more cautionary information about liveness probes.
diff --git a/content/docs/installation/code-signing.md b/content/docs/installation/code-signing.md
index ea7f92458b5..9bac01c861c 100644
--- a/content/docs/installation/code-signing.md
+++ b/content/docs/installation/code-signing.md
@@ -19,11 +19,12 @@ key.
 For all cert-manager versions from `v1.8.0` and later, cert-manager container images are signed and verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview).
 ```console
-IMAGE_TAG=v1.13.3 # change as needed
+IMAGE_TAG=v1.14.1 # change as needed
 KEY=https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem
 cosign verify --signature-digest-algorithm sha512 --insecure-ignore-tlog --key $KEY quay.io/jetstack/cert-manager-acmesolver:$IMAGE_TAG
 cosign verify --signature-digest-algorithm sha512 --insecure-ignore-tlog --key $KEY quay.io/jetstack/cert-manager-cainjector:$IMAGE_TAG
 cosign verify --signature-digest-algorithm sha512 --insecure-ignore-tlog --key $KEY quay.io/jetstack/cert-manager-ctl:$IMAGE_TAG
+cosign verify --signature-digest-algorithm sha512 --insecure-ignore-tlog --key $KEY quay.io/jetstack/cert-manager-startupapicheck:$IMAGE_TAG
 cosign verify --signature-digest-algorithm sha512 --insecure-ignore-tlog --key $KEY quay.io/jetstack/cert-manager-controller:$IMAGE_TAG
 cosign verify --signature-digest-algorithm sha512 --insecure-ignore-tlog --key $KEY quay.io/jetstack/cert-manager-webhook:$IMAGE_TAG
 ```
diff --git a/content/docs/installation/configuring-components.md b/content/docs/installation/configuring-components.md
index d10ba2d555a..6b7e3aa7a7e 100644
--- a/content/docs/installation/configuring-components.md
+++ b/content/docs/installation/configuring-components.md
@@ -52,6 +52,7 @@ featureGates:
 ServerSideApply: true
 LiteralCertificateSubject: true
 UseCertificateRequestBasicConstraints: true
+ OtherNames: true
 ```
 > **Note:** This is included as an example only and not intended to be used as default settings.
@@ -76,6 +77,7 @@ healthzPort: 6080
 featureGates:
 AdditionalCertificateOutputFormats: true
 LiteralCertificateSubject: true
+ OtherNames: true
 ```
 > **Note:** This is included as an example only and not intended to be used as default settings.
diff --git a/content/docs/installation/helm.md b/content/docs/installation/helm.md
index 93fc421b7a2..7b4392d1221 100644
--- a/content/docs/installation/helm.md
+++ b/content/docs/installation/helm.md
@@ -47,7 +47,7 @@ section below for details on each method.
 > Recommended for production installations
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.crds.yaml
 ```
 ##### Option 2: install CRDs as part of the Helm release
@@ -70,7 +70,7 @@ helm install \
 cert-manager jetstack/cert-manager \
 --namespace cert-manager \
 --create-namespace \
- --version v1.13.3 \
+ --version v1.14.1 \
 # --set installCRDs=true
 ```
@@ -83,7 +83,7 @@ helm install \
 cert-manager jetstack/cert-manager \
 --namespace cert-manager \
 --create-namespace \
- --version v1.13.3 \
+ --version v1.14.1 \
 # --set installCRDs=true
 --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter
 --set webhook.timeoutSeconds=4 # Example: changing the webhook timeout using a Helm parameter
@@ -114,7 +114,7 @@ version: 0.1.0
 appVersion: "0.1.0"
 dependencies:
 - name: cert-manager
- version: v1.13.3
+ version: v1.14.1
 repository: https://charts.jetstack.io
 alias: cert-manager
 condition: cert-manager.enabled
@@ -148,7 +148,7 @@ helm template \
 cert-manager jetstack/cert-manager \
 --namespace cert-manager \
 --create-namespace \
- --version v1.13.3 \
+ --version v1.14.1 \
 # --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter
 # --set installCRDs=true \ # Uncomment to also template CRDs
 > cert-manager.custom.yaml
diff --git a/content/docs/installation/kubectl.md b/content/docs/installation/kubectl.md
index 628b50fe991..a78b533bd7c 100644
--- a/content/docs/installation/kubectl.md
+++ b/content/docs/installation/kubectl.md
@@ -21,7 +21,7 @@ are included in a single YAML manifest file:
 Install all cert-manager components:
 ```bash
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.1/cert-manager.yaml
 ```
 By default, cert-manager will be installed into the `cert-manager`
diff --git a/content/docs/installation/operator-lifecycle-manager.md b/content/docs/installation/operator-lifecycle-manager.md
index e10fa6c3760..b38ad5daf94 100644
--- a/content/docs/installation/operator-lifecycle-manager.md
+++ b/content/docs/installation/operator-lifecycle-manager.md
@@ -218,7 +218,7 @@ The following JSON patch will append `-v=6` to command line arguments of the cer
 (the first container of the first Deployment).
 ```bash
-kubectl patch csv cert-manager.v1.13.3 \
+kubectl patch csv cert-manager.v1.14.1 \
 --type json \
 -p '[{"op": "add", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/args/-", "value": "-v=6" }]'
 ```
diff --git a/content/docs/manifest.json b/content/docs/manifest.json
index 6a18b7cb22c..e6ca68dbc47 100644
--- a/content/docs/manifest.json
+++ b/content/docs/manifest.json
@@ -19,6 +19,14 @@
 "title": "Supported Releases",
 "path": "/docs/releases/README.md"
 },
+ {
+ "title": "1.14",
+ "path": "/docs/releases/release-notes/release-notes-1.14.md"
+ },
+ {
+ "title": "Upgrade 1.13 to 1.14",
+ "path": "/docs/releases/upgrading/upgrading-1.13-1.14.md"
+ },
 {
 "title": "1.13",
 "path": "/docs/releases/release-notes/release-notes-1.13.md"
@@ -578,6 +586,10 @@
 {
 "title": "Managing public trust in kubernetes with trust-manager",
 "path": "/docs/tutorials/getting-started-with-trust-manager/README.md"
+ },
+ {
+ "title": "Setting default certificate values",
+ "path": "/docs/tutorials/certificate-defaults/README.md"
+ }
 ]
 },
diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md
index b3d73a0e550..f4b1e18dd51 100644
--- a/content/docs/reference/api-docs.md
+++ b/content/docs/reference/api-docs.md
@@ -10,6 +10,9 @@ description: >-
  • acme.cert-manager.io/v1
  • +
  • + cainjector.config.cert-manager.io/v1alpha1 +
  • cert-manager.io/v1
  • @@ -753,7 +756,7 @@ description: >- parentRefs
    - []sigs.k8s.io/gateway-api/apis/v1beta1.ParentReference + []sigs.k8s.io/gateway-api/apis/v1.ParentReference

    @@ -1462,7 +1465,7 @@ description: >- (Optional) -

    if both this and ClientSecret are left unset MSI will be used

    +

    Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.

    @@ -1475,7 +1478,7 @@ description: >- (Optional) -

    if both this and ClientID are left unset MSI will be used

    +

    Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.

    @@ -1496,7 +1499,7 @@ description: >- (Optional) -

    when specifying ClientID and ClientSecret then this field is also needed

    +

    Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.

    @@ -1543,7 +1546,7 @@ description: >- (Optional) -

    managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID

    +

    Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.

    @@ -1948,7 +1951,9 @@ description: >-

    AzureManagedIdentity

    (Appears on: ACMEIssuerDNS01ProviderAzureDNS)

    -
    +
    +

    AzureManagedIdentity contains the configuration for Azure Workload Identity or Azure Managed Service Identity If the AZURE_FEDERATED_TOKEN_FILE environment variable is set, the Azure Workload Identity will be used. Otherwise, we fall-back to using Azure Managed Service Identity.

    +
    @@ -1976,7 +1981,7 @@ description: >- @@ -2501,6 +2506,264 @@ description: >-
    (Optional) -

    resource ID of the managed identity, can not be used at the same time as clientID

    +

    resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity


    +

    cainjector.config.cert-manager.io/v1alpha1

    +
    +

    Package v1alpha1 is the v1alpha1 version of the cainjector config API.

    +
    +

    Resource Types:

    +
      +

      CAInjectorConfiguration

      +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + kubeConfig +
      + string +
      +

      kubeConfig is the kubeconfig file used to connect to the Kubernetes apiserver. If not specified, the cainjector will attempt to load the in-cluster-config.

      +
      + namespace +
      + string +
      +

      If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace.

      +
      + leaderElectionConfig +
      + + LeaderElectionConfig + +
      +

      LeaderElectionConfig configures the behaviour of the leader election

      +
      + enableDataSourceConfig +
      + + EnableDataSourceConfig + +
      +

      EnableDataSourceConfig determines whether cainjector’s control loops will watch cert-manager resources as potential sources of CA data.

      +
      + enableInjectableConfig +
      + + EnableInjectableConfig + +
      +

      EnableInjectableConfig determines whether cainjector’s control loops will watch cert-manager resources as potential targets for CA data injection.

      +
      + enablePprof +
      + bool +
      +

      Enable profiling for cainjector.

      +
      + pprofAddress +
      + string +
      +

      The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof.

      +
      + logging +
      + k8s.io/component-base/logs/api/v1.LoggingConfiguration +
      +

      + logging configures the logging behaviour of the cainjector. + https://pkg.go.dev/k8s.io/component-base@v0.27.3/logs/api/v1#LoggingConfiguration +

      +
      + featureGates +
      + map[string]bool +
      + (Optional) +

      featureGates is a map of feature names to bools that enable or disable experimental features.

      +
      +

      EnableDataSourceConfig

      +

      (Appears on: CAInjectorConfiguration)

      +
      + + + + + + + + + + + + + +
      FieldDescription
      + certificates +
      + bool +
      +

      Certificates detemines whether cainjector’s control loops will watch cert-manager Certificate resources as potential sources of CA data. If not set, defaults to true.

      +
      +

      EnableInjectableConfig

      +

      (Appears on: CAInjectorConfiguration)

      +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + validatingWebhookConfigurations +
      + bool +
      +

      ValidatingWebhookConfigurations determines whether cainjector will spin up a control loop to inject CA data to annotated ValidatingWebhookConfigurations If not set, defaults to true.

      +
      + mutatingWebhookConfigurations +
      + bool +
      +

      MutatingWebhookConfigurations determines whether cainjector will spin up a control loop to inject CA data to annotated MutatingWebhookConfigurations If not set, defaults to true.

      +
      + customResourceDefinitions +
      + bool +
      +

      CustomResourceDefinitions determines whether cainjector will spin up a control loop to inject CA data to annotated CustomResourceDefinitions If not set, defaults to true.

      +
      + apiServices +
      + bool +
      +

      APIServices determines whether cainjector will spin up a control loop to inject CA data to annotated APIServices If not set, defaults to true.

      +
      +

      LeaderElectionConfig

      +

      (Appears on: CAInjectorConfiguration)

      +
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + enabled +
      + bool +
      +

      If true, cert-manager will perform leader election between instances to ensure no more than one instance of cert-manager operates at a time

      +
      + namespace +
      + string +
      +

      Namespace used to perform leader election. Only used if leader election is enabled

      +
      + leaseDuration +
      + time.Duration +
      +

      The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.

      +
      + renewDeadline +
      + time.Duration +
      +

      The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.

      +
      + retryPeriod +
      + time.Duration +
      +

      The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.

      +
      +

      cert-manager.io/v1

      Package v1 is the v1 version of the API.

      @@ -2685,6 +2948,19 @@ description: >-

      Requested URI subject alternative names.

      + + + otherNames +
      + + []OtherName + + + + (Optional) +

      otherNames is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for otherName. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.

      + + emailAddresses @@ -2828,6 +3104,23 @@ description: >-

      + + + nameConstraints +
      + + NameConstraints + + + + (Optional) +

      x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10

      +

      + This is an Alpha Feature and is only enabled with the + --feature-gates=NameConstraints=true option set on both the controller and webhook components. +

      + + @@ -3258,7 +3551,18 @@ description: >-

      The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be “http://ocsp.int-x3.letsencrypt.org”.

      - + + + issuingCertificateURLs +
      + []string + + + (Optional) +

      IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be “http://ca.domain.com/ca.crt”.

      + + +

      CertificateAdditionalOutputFormat

      (Appears on: CertificateSpec)

      @@ -4030,6 +4334,19 @@ description: >-

      Requested URI subject alternative names.

      + + + otherNames +
      + + []OtherName + + + + (Optional) +

      otherNames is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for otherName. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.

      + + emailAddresses @@ -4173,6 +4490,23 @@ description: >-

      + + + nameConstraints +
      + + NameConstraints + + + + (Optional) +

      x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10

      +

      + This is an Alpha Feature and is only enabled with the + --feature-gates=NameConstraints=true option set on both the controller and webhook components. +

      + +

      CertificateStatus

      @@ -4756,6 +5090,148 @@ description: >- +

      NameConstraintItem

      +

      (Appears on: NameConstraints)

      +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + dnsDomains +
      + []string +
      + (Optional) +

      DNSDomains is a list of DNS domains that are permitted or excluded.

      +
      + ipRanges +
      + []string +
      + (Optional) +

      IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation.

      +
      + emailAddresses +
      + []string +
      + (Optional) +

      EmailAddresses is a list of Email Addresses that are permitted or excluded.

      +
      + uriDomains +
      + []string +
      + (Optional) +

      URIDomains is a list of URI domains that are permitted or excluded.

      +
      +

      NameConstraints

      +

      (Appears on: CertificateSpec)

      +
      +

      NameConstraints is a type to represent x509 NameConstraints

      +
      + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + critical +
      + bool +
      + (Optional) +

      if true then the name constraints are marked critical.

      +
      + permitted +
      + + NameConstraintItem + +
      + (Optional) +

      Permitted contains the constraints in which the names must be located.

      +
      + excluded +
      + + NameConstraintItem + +
      + (Optional) +

      Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted

      +
      +

      OtherName

      +

      (Appears on: CertificateSpec)

      +
      + + + + + + + + + + + + + + + + + +
      FieldDescription
      + oid +
      + string +
      +

      OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, “1.2.840.113556.1.4.221”.

      +
      + utf8Value +
      + string +
      +

      utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN.

      +

      PKCS12Keystore

      (Appears on: CertificateKeystores)

      @@ -4794,6 +5270,60 @@ description: >-

      PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.

      + + + profile +
      + + PKCS12Profile + + + + (Optional) +

      Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is LegacyRC2 for backward compatibility.

      +

      + If provided, allowed values are: + LegacyRC2: Deprecated. Not supported by default in OpenSSL 3 or Java 20. LegacyDES: Less secure algorithm. Use this option for maximal compatibility. Modern2023: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret. +

      + + + + +

      PKCS12Profile (string alias)

      +

      (Appears on: PKCS12Keystore)

      +
      + + + + + + + + + + + + + + + + + + + +
      ValueDescription
      +

      "LegacyDES"

      +
      +

      see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyDES

      +
      +

      "LegacyRC2"

      +
      +

      see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#LegacyRC2

      +
      +

      "Modern2023"

      +
      +

      see: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12#Modern2023

      +

      PrivateKeyAlgorithm (string alias)

      @@ -5553,7 +6083,7 @@ description: >- string -

      kubeConfig is the kubeconfig file used to connect to the Kubernetes apiserver. If not specified, the webhook will attempt to load the in-cluster-config.

      +

      kubeConfig is the kubeconfig file used to connect to the Kubernetes apiserver. If not specified, the controller will attempt to load the in-cluster-config.

      @@ -5698,6 +6228,18 @@ description: >-

      The host and port that the metrics endpoint should listen on.

      + + + metricsTLSConfig +
      + + TLSConfig + + + +

      TLS config for the metrics endpoint

      + + healthzListenAddress @@ -5749,7 +6291,7 @@ description: >- (Optional) -

      featureGates is a map of feature names to bools that enable or disable experimental features. Default: nil

      +

      featureGates is a map of feature names to bools that enable or disable experimental features.

      @@ -5790,6 +6332,96 @@ description: >- +

      DynamicServingConfig

      +

      (Appears on: TLSConfig)

      +
      +

      DynamicServingConfig makes the controller generate a CA and persist it into Secret resources. This CA will be used by all instances of the controller for signing serving certificates.

      +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + secretNamespace +
      + string +
      +

      Namespace of the Kubernetes Secret resource containing the TLS certificate used as a CA to sign dynamic serving certificates.

      +
      + secretName +
      + string +
      +

      Namespace of the Kubernetes Secret resource containing the TLS certificate used as a CA to sign dynamic serving certificates.

      +
      + dnsNames +
      + []string +
      +

      DNSNames that must be present on serving certificates signed by the CA.

      +
      + LeafDuration +
      + time.Duration +
      +

      LeafDuration is a customizable duration on serving certificates signed by the CA.

      +
      +

      FilesystemServingConfig

      +

      (Appears on: TLSConfig)

      +
      +

      FilesystemServingConfig enables using a certificate and private key found on the local filesystem. These files will be periodically polled in case they have changed, and dynamically reloaded.

      +
      + + + + + + + + + + + + + + + + + +
      FieldDescription
      + certFile +
      + string +
      +

      Path to a file containing TLS certificate & chain to serve with

      +
      + keyFile +
      + string +
      +

      Path to a file containing a TLS private key to serve with

      +

      IngressShimConfig

      (Appears on: ControllerConfiguration)

      @@ -5960,6 +6592,65 @@ description: >- +

      TLSConfig

      +

      (Appears on: ControllerConfiguration)

      +
      +

      TLSConfig configures how TLS certificates are sourced for serving. Only one of ‘filesystem’ or ‘dynamic’ may be specified.

      +
      + + + + + + + + + + + + + + + + + + + + + + + + + +
      FieldDescription
      + cipherSuites +
      + []string +
      +

      cipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If not specified, the default for the Go version will be used and may change over time.

      +
      + minTLSVersion +
      + string +
      +

      minTLSVersion is the minimum TLS version supported. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If not specified, the default for the Go version will be used and may change over time.

      +
      + filesystem +
      + + FilesystemServingConfig + +
      +

      Filesystem enables using a certificate and private key found on the local filesystem. These files will be periodically polled in case they have changed, and dynamically reloaded.

      +
      + dynamic +
      + + DynamicServingConfig + +
      +

      When Dynamic serving is enabled, the controller will generate a CA used to sign certificates and persist it into a Kubernetes Secret resource (for other replicas of the controller to consume). It will then generate a certificate in-memory for itself using this CA to serve with.

      +

      meta.cert-manager.io/v1

      @@ -6170,6 +6861,16 @@ description: >-

      DNSNames that must be present on serving certificates signed by the CA.

      + + + LeafDuration +
      + time.Duration + + +

      LeafDuration is a customizable duration on serving certificates signed by the CA.

      + +

      FilesystemServingConfig

      @@ -6202,7 +6903,7 @@ description: >- string -

      Path to a file containing a TLS private key to server with

      +

      Path to a file containing a TLS private key to serve with

      @@ -6369,12 +7070,12 @@ description: >- (Optional) -

      featureGates is a map of feature names to bools that enable or disable experimental features. Default: nil

      +

      featureGates is a map of feature names to bools that enable or disable experimental features.


      - Generated with gen-crd-api-reference-docs on git commit d34bd7a.
      + Generated with gen-crd-api-reference-docs on git commit 2c14e5f.

      diff --git a/content/docs/reference/cmctl.md b/content/docs/reference/cmctl.md
      index d180dec3e3b..a50911894ae 100644
      --- a/content/docs/reference/cmctl.md
      +++ b/content/docs/reference/cmctl.md
      @@ -6,6 +6,19 @@ description: | `cmctl` is a command line tool that can help you manage cert-manager and its resources inside your cluster.
      +> đŸ“ĸ The cert-manager CLI is moving to a new GitHub repository
      +>
      +> The cert-manager team have decided to move the `cmctl` code to a new GitHub repository.
      +> This will allow us to release new features and bug fixes for `cmctl` independently of cert-manager.
      +> It will simplify the Go package dependencies of cert-manager
      +> so there should be fewer security patch releases of cert-manager.
      +> It will make it easier for us to extend `cmctl` with features for managing `trust-manager` and `approver-policy`.
      +> And it will allow us to write more E2E tests for `cmctl` without further slowing down the test suite of cert-manager.
      +>
      +> ⚠ī¸ cert-manager 1.14 is the last release that will still include a `cert-manager-ctl` container image, go package and GitHub release binary.
      +>
      +> Visit the new [cmctl repository on GitHub to find out more](https://github.com/cert-manager/cmctl).
      + ## Installation ### Homebrew
      diff --git a/content/docs/releases/README.md b/content/docs/releases/README.md
      index bb9ed7e8096..5b2e309a9e0 100644
      --- a/content/docs/releases/README.md
      +++ b/content/docs/releases/README.md
      @@ -25,9 +25,10 @@ cert-manager 1.12 is a Long Term Support (LTS) release sponsored by [Venafi](htt
       ## Upcoming releases
      -| Release | Release Date | End of Life | [Supported Kubernetes versions][s] | [Supported OpenShift versions][s] |
      +| Release | Release Date | End of Life | [Supported Kubernetes versions][s] | [Supported OpenShift versions][s] |
       |----------|:------------:|:----------------------:|:----------------------------------:|:---------------------------------:|
       | [1.14][] | Jan 31, 2024 | ~4 months post release | 1.24 → 1.29 | 4.11 → 4.15 |
      +| [1.15][] | TBD | TBD | TBD | TBD |
       Dates in the future are uncertain and might change.
      @@ -55,7 +56,8 @@ Dates in the future are uncertain and might change.
       | [0.11][] | Oct 10, 2019 | Jan 21, 2020 | 1.9 → 1.21 | 3.09 → 4.7 |
       [s]: #kubernetes-supported-versions
      -[1.14]: https://github.com/cert-manager/cert-manager/milestone/35
      +[1.15]: https://github.com/cert-manager/cert-manager/milestone/36
      +[1.14]: ./release-notes/release-notes-1.14.md
       [1.13]: ./release-notes/release-notes-1.13.md
       [1.12 LTS]: ./release-notes/release-notes-1.12.md
       [1.11]: ./release-notes/release-notes-1.11.md
      diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md
      new file mode 100644
      index 00000000000..36993bfdb25
      --- /dev/null
      +++ b/content/docs/releases/release-notes/release-notes-1.14.md
@@ -0,0 +1,545 @@ +--- +title: Release 1.14 +description: 'cert-manager release notes: cert-manager 1.14' +--- + +cert-manager 1.14 brings a variety of [features](#feature), [security improvements](#security) and [bug fixes](#bug-or-regression-1), including: +support for creating [X.509 certificates with "Other Name" fields](#new-x509-features), and +support for creating [CA certificates with "Name Constraints" and "Authority Information Accessors" extensions](#new-ca-certificate-features). + +> đŸ“ĸ The cert-manager CLI is moving to a new GitHub repository +> +> After this release, `cmctl` will no longer be released with `cert-manager` itself, +> and there will no further `quay.io/jetstack/cert-manager-ctl` OCI images. +> +> Read [The cert-manager Command Line Tool (cmctl) page](../../reference/cmctl.md) to learn more. + +## `v1.14.1` + +cert-manager `v1.14.1` fixes bugs found *during* the release of `v1.14.0`. + +> đŸ“ĸ When upgrading to cert-manager release 1.14, please skip `v1.14.0` and install this patch version instead. + +### Changes since `v1.14.0` + +#### Bug or Regression + +- Fix broken cainjector image value in Helm chart ([#6693](https://github.com/cert-manager/cert-manager/pull/6693), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Fix bug in cmctl namespace detection which prevented it being used as a startupapicheck image in namespaces other than cert-manager. ([#6706](https://github.com/cert-manager/cert-manager/pull/6706), [@inteon](https://github.com/inteon)) +- Fix bug in cmctl which caused `cmctl experimental install` to panic. ([#6706](https://github.com/cert-manager/cert-manager/pull/6706), [@inteon](https://github.com/inteon)) + +## `v1.14.0` + +> ⚠ī¸ This version has known issues. Please install `v1.14.1` instead. +> +> During the release of `v1.14.0`, the Helm chart was found to use the wrong OCI image for the `cainjector` Deployment, +> which caused the Helm installation and the static manifest based installation to fail. 
+> Upon discovery of this bug, the release of `v1.14.0` was paused before the Helm chart or GitHub release were published; +> but the Git tag and the OCI images had already been published. +> +> The cert-manager team next fixed the Helm chart and two other bugs which are listed in the "Known Issues" section below, +> and then released `v1.14.1`, which is the version that users are strongly advised to install when they upgrade to 1.14. +> +> In order to complete the stalled `v1.14.0` release, +> the Helm chart and static YAML installation files were regenerated on a team member's laptop, +> using exactly the same build scripts as are used in the automated release process, +> and using the `v1.14.1` version of the code. +> The working `v1.14.0` Helm chart was published, +> and the working versions of the static manifest files attached to the draft `v1.14.0` GitHub release, +> and that was then published. +> +> For these reasons, users are strongly advised to skip this version and install the `v1.14.1` Helm chart instead. + +### Known Issues +- During the release of `v1.14.0`, the Helm chart for this version was found to use the wrong OCI image for the `cainjector` Deployment, + which caused the Helm installation to fail. + In order to complete the release, the cert-manager team have manually updated the Helm chart for this version, + which contains all the Helm chart fixes which are in `v1.14.1`. + But users are strongly advised to skip this version and install the `v1.14.1` Helm chart instead. +- A bug in cmctl namespace detection prevents it being used as a `startupapicheck` image in namespaces other than cert-manager. +- A bug in cmctl causes `cmctl experimental install` to panic. + +### Breaking Changes + +The startupapicheck job uses a new OCI image called "startupapicheck", instead of the ctl image. +If you run in an environment in which images cannot be pulled, be sure to include the new image. 
+ +The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob. + +### Major Themes + +#### New X.509 Features + +The cert-manager [Certificate resource](../../usage/certificate.md##creating-certificate-resources) now allows you to [configure a subset of "Other Name" SANs](../../reference/api-docs.md#cert-manager.io/v1.OtherName), +which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37). + +We specifically support any `otherName` type with a `UTF-8` value, such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [`sAMAccountName`](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). +These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. +For example you can create certificates with this block in the spec: +``` + otherNames: + - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID + utf8Value: upn@domain.local +``` +The feature is still in alpha stage and requires you to [enable the `OtherNames` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates). + +#### New CA certificate Features + +You can now specify the [X.509 v3 Authority Information Accessors](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1) extension, +with URLs for certificates issued by the [CA Issuer](../../configuration/ca.md), +using the new [`issuingCertificateURLs` field](../../reference/api-docs.md#cert-manager.io/v1.CAIssuer). + +Users can now use name constraints in CA certificates. 
+To know more details on name constraints check out RFC section https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 + +#### Security + +An [ongoing CNCF security audit of the cert-manager code](https://github.com/cert-manager/cert-manager/issues/6132) revealed some weaknesses which we have addressed in this release, +such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. +This will help mitigate denial-of-service attacks against those important services. + +All the cert-manager containers are now configured with [read only root file system](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) by default, +to prevent unexpected changes to the file system of the OCI image. + +And it is now possible to [configure the metrics server to use HTTPS](../../devops-tips/prometheus-metrics.md#tls) rather than HTTP, +so that clients can verify the identity of the metrics server. + +#### Other + +The liveness probe of the cert-manager controller Pod is now enabled by default. + +There is a new option `.spec.keystores.pkcs12.profile` to specify encryption and HMAC algorithms for PKCS keystores. +See the [API reference](../../../docs/reference/api-docs.md#cert-manager.io/v1.PKCS12Profile) for configuration options. 
+ +### Community + +Thanks again to all open-source contributors with commits in this release, including: +- [@ABWassim](https://github.com/ABWassim) +- [@JoeNorth](https://github.com/JoeNorth) +- [@allenmunC1](https://github.com/allenmunC1) +- [@asapekia](https://github.com/asapekia) +- [@jeremycampbell](https://github.com/jeremycampbell) +- [@jkroepke](https://github.com/jkroepke) +- [@jsoref](https://github.com/jsoref) +- [@lauraseidler](https://github.com/lauraseidler) +- [@pevidex](https://github.com/pevidex) +- [@phillebaba](https://github.com/phillebaba) +- [@snorwin](https://github.com/snorwin) +- [@tanujd11](https://github.com/tanujd11) +- [@tberreis](https://github.com/tberreis) +- [@vinny](https://github.com/vinny) + +Thanks also to the following cert-manager maintainers for their contributions during this release: +- [@SgtCoDFish](https://github.com/SgtCoDFish) +- [@SpectralHiss](https://github.com/SpectralHiss) +- [@ThatsMrTalbot](https://github.com/ThatsMrTalbot) +- [@hawksight](https://github.com/hawksight) +- [@inteon](https://github.com/inteon) +- [@maelvls](https://github.com/maelvls) +- [@wallrj](https://github.com/wallrj) + +Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings! + +Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://github.com/cert-manager/aws-privateca-issuer). + +In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. + +### Changes + +#### Feature + +- ACME challenge solver Pod for HTTP01 will get a default annotation of `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"`. 
You can provide an annotation of `"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"` in your `podTemplate` if you don't like this. ([#6349](https://github.com/cert-manager/cert-manager/pull/6349), [@jsoref](https://github.com/jsoref)) +- Added a clock skew detector liveness probe that will force a restart in case we detect a skew between the internal monotonic clock and the system clock of more than 5 minutes. + Also, the controller's liveness probe is now enabled by default. ([#6328](https://github.com/cert-manager/cert-manager/pull/6328), [@inteon](https://github.com/inteon)) +- Added a new flag (--dynamic-serving-leaf-duration) that can adjust the lifetime of the dynamic leaf certificates ([#6552](https://github.com/cert-manager/cert-manager/pull/6552), [@allenmunC1](https://github.com/allenmunC1)) +- Added support for `otherName` SANS in Certificates ([#6404](https://github.com/cert-manager/cert-manager/pull/6404), [@SpectralHiss](https://github.com/SpectralHiss)) +- Added the option to specify the X.509 v3 Authority Information Accessors extension CA Issuers URLs for certificates issued by the CA issuer. ([#6486](https://github.com/cert-manager/cert-manager/pull/6486), [@jeremycampbell](https://github.com/jeremycampbell-okta)) +- Adds cert-manager's new core infrastructure initiative badge! See more details on https://www.bestpractices.dev/projects/8079 ([#6497](https://github.com/cert-manager/cert-manager/pull/6497), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- All Pods are now configured with `readOnlyRootFilesystem` by default. ([#6453](https://github.com/cert-manager/cert-manager/pull/6453), [@wallrj](https://github.com/wallrj)) +- MAYBE BREAKING: The startupapicheck job is now handled by an entirely new container called "startupapicheck". This replaces the previous ctl container. If you run in an environment in which images cannot be pulled, be sure to include the new container. 
([#6549](https://github.com/cert-manager/cert-manager/pull/6549), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- New option `.spec.keystores.pkcs12.algorithms` to specify encryption and MAC algorithms for PKCS[#12](https://github.com/cert-manager/cert-manager/pull/12) keystores. Fixes issues [#5957](https://github.com/cert-manager/cert-manager/pull/5957) and [#6523](https://github.com/cert-manager/cert-manager/pull/6523). ([#6548](https://github.com/cert-manager/cert-manager/pull/6548), [@snorwin](https://github.com/snorwin)) +- The ACME HTTP01 solver Pod is now configured with `readOnlyRootFilesystem: true` ([#6462](https://github.com/cert-manager/cert-manager/pull/6462), [@wallrj](https://github.com/wallrj)) +- Updates the AWS SDK for Go to 1.48.7 to support Amazon EKS Pod Identity ([#6519](https://github.com/cert-manager/cert-manager/pull/6519), [@JoeNorth](https://github.com/JoeNorth)) +- Users can now use name constraints in CA certificates. To know more details on name constraints check out RFC section https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 ([#6500](https://github.com/cert-manager/cert-manager/pull/6500), [@tanujd11](https://github.com/tanujd11)) +- ⚠ī¸ potentially breaking ⚠ī¸: The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob. ([#6053](https://github.com/cert-manager/cert-manager/pull/6053), [@inteon](https://github.com/inteon)) +- Add TLS support to the metrics endpoint through either a certificate file or through dynamically issued certificates ([#6574](https://github.com/cert-manager/cert-manager/pull/6574), [@ThatsMrTalbot](https://github.com/ThatsMrTalbot)) +- Helm Chart: allow changing the default Deployment `revisionHistoryLimit` ([#6248](https://github.com/cert-manager/cert-manager/pull/6248), [@tberreis](https://github.com/tberreis)) +- Security: Limit the size of the response body read from HTTP requests by cert-manager. 
([#6619](https://github.com/cert-manager/cert-manager/pull/6619), [@ThatsMrTalbot](https://github.com/ThatsMrTalbot)) +- Support custom `spec.namespaceSelector` for webhooks ([#6638](https://github.com/cert-manager/cert-manager/pull/6638), [@jkroepke](https://github.com/jkroepke)) + +#### Bug or Regression + +- BUGFIX[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. ([#6380](https://github.com/cert-manager/cert-manager/pull/6380), [@asapekia](https://github.com/asapekia)) +- Controller ConfigMap is now created only if `.Values.config` is set. ([#6357](https://github.com/cert-manager/cert-manager/pull/6357), [@ABWassim](https://github.com/ABWassim)) +- Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. ([#6406](https://github.com/cert-manager/cert-manager/pull/6406), [@inteon](https://github.com/inteon)) +- Fix(helm): templating of required value in controller and webhook ConfigMap resources ([#6435](https://github.com/cert-manager/cert-manager/pull/6435), [@ABWassim](https://github.com/ABWassim)) +- Fixed a webhook validation error message when the key algorithm was invalid. ([#6571](https://github.com/cert-manager/cert-manager/pull/6571), [@pevidex](https://github.com/pevidex)) +- Fixed error messaging when setting up vault issuer ([#6433](https://github.com/cert-manager/cert-manager/pull/6433), [@vinny](https://github.com/vinny-sabatini)) +- `GHSA-vgf6-pvf4-34rq`: The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. + The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. + The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. 
([#6498](https://github.com/cert-manager/cert-manager/pull/6498), [@inteon](https://github.com/inteon)) +- Increase the default webhook timeout to its maximum value of 30 seconds, so that the underlying timeout error message has more chance of being returned to the end user. ([#6488](https://github.com/cert-manager/cert-manager/pull/6488), [@wallrj](https://github.com/wallrj)) +- Listeners that do not support TLS on Gateway resources will now not raise `BadConfig` warnings anymore ([#6347](https://github.com/cert-manager/cert-manager/pull/6347), [@lauraseidler](https://github.com/lauraseidler)) +- Mitigate potential Slowloris attacks by setting `ReadHeaderTimeout` in all `http.Server` instances ([#6534](https://github.com/cert-manager/cert-manager/pull/6534), [@wallrj](https://github.com/wallrj)) +- The Venafi issuer now properly resets the certificate and should no longer get stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. ([#6398](https://github.com/cert-manager/cert-manager/pull/6398), [@maelvls](https://github.com/maelvls)) +- Update experimental install and uninstall commands to have flag parity with the rest of the CLI ([#6562](https://github.com/cert-manager/cert-manager/pull/6562), [@ThatsMrTalbot](https://github.com/ThatsMrTalbot)) +- Webhook ConfigMap if now created only if `.Values.webhook.config` is set. ([#6360](https://github.com/cert-manager/cert-manager/pull/6360), [@ABWassim](https://github.com/ABWassim)) +- BUGFIX: Ensure `otherName` SAN changes in Certificate resources trigger re-issuance. 
([#6620](https://github.com/cert-manager/cert-manager/pull/6620), [@SpectralHiss](https://github.com/SpectralHiss)) +- Bugfix: Publish the `startupapicheck` image to `quay.io` ([#6609](https://github.com/cert-manager/cert-manager/pull/6609), [@wallrj](https://github.com/wallrj)) + +#### Other (Cleanup or Flake) + +- Cert-manager is now built with Go 1.21.5 ([#6545](https://github.com/cert-manager/cert-manager/pull/6545), [@wallrj](https://github.com/wallrj)) +- Bump Go to `1.21.3` to address `CVE-2023-39325`. Also bumps base images. ([#6410](https://github.com/cert-manager/cert-manager/pull/6410), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Bump `golang.org/x/net v0.15.0 => v0.17.0` as part of addressing `CVE-2023-44487` / `CVE-2023-39325` ([#6427](https://github.com/cert-manager/cert-manager/pull/6427), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Check code for unintended use of `crypto/md5`, a weak cryptographic primitive; using `golangci-lint` / `gosec` (G501). ([#6581](https://github.com/cert-manager/cert-manager/pull/6581), [@wallrj](https://github.com/wallrj)) +- Check code for unintended use of `crypto/sha1`, a weak cryptographic primitive; using `golangci-lint` / `gosec` (G505). ([#6579](https://github.com/cert-manager/cert-manager/pull/6579), [@wallrj](https://github.com/wallrj)) +- Check code for unintended use of weak random number generator (`math/rand` instead of `crypto/rand`); using `golangci-lint` / `gosec` (G404). ([#6582](https://github.com/cert-manager/cert-manager/pull/6582), [@wallrj](https://github.com/wallrj)) +- Cleanup: Restrict MutatingWebhookConfiguration to only CertificateRequest resources ([#6311](https://github.com/cert-manager/cert-manager/pull/6311), [@hawksight](https://github.com/hawksight)) +- Deprecated `pkg/util.RandStringRunes` and `pkg/controller/test.RandStringBytes`. Use `k8s.io/apimachinery/pkg/util/rand.String` instead. 
([#6585](https://github.com/cert-manager/cert-manager/pull/6585), [@wallrj](https://github.com/wallrj)) +- Enabled verbose logging in startupapicheck by default, so that if it fails, users can know exactly what caused the failure. ([#6495](https://github.com/cert-manager/cert-manager/pull/6495), [@wallrj](https://github.com/wallrj)) +- Fix gosec G601: Implicit memory aliasing of items from a range statement ([#6551](https://github.com/cert-manager/cert-manager/pull/6551), [@wallrj](https://github.com/wallrj)) +- Fix handling of serial numbers in literal certificate subjects. Previously a serial number could be specified in `subject.serialNumber` while using a literal certificate subject. This was a mistake and has been fixed. ([#6533](https://github.com/cert-manager/cert-manager/pull/6533), [@inteon](https://github.com/inteon)) +- The end-to-end tests can now test the cert-manager Vault Issuer on an OpenShift cluster. ([#6391](https://github.com/cert-manager/cert-manager/pull/6391), [@wallrj](https://github.com/wallrj)) +- Update cert-manager's distroless base images from Debian 11 to Debian 12. This should have no practical effects on users. ([#6583](https://github.com/cert-manager/cert-manager/pull/6583), [@inteon](https://github.com/inteon)) +- Updated all code using GatewayAPI to use the now GA v1 APIs ([#6559](https://github.com/cert-manager/cert-manager/pull/6559), [@ThatsMrTalbot](https://github.com/ThatsMrTalbot)) +- Upgrade Go from 1.20.7 to 1.20.8. ([#6369](https://github.com/cert-manager/cert-manager/pull/6369), [@inteon](https://github.com/inteon)) +- Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". ([#6366](https://github.com/cert-manager/cert-manager/pull/6366), [@inteon](https://github.com/inteon)) +- Use the new generic `sets.Set` type in place of the deprecated `sets.String`. 
([#6586](https://github.com/cert-manager/cert-manager/pull/6586), [@wallrj](https://github.com/wallrj)) +- cert-manager is now built with Go `v1.21.6` ([#6628](https://github.com/cert-manager/cert-manager/pull/6628), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Update the Azure SDK and remove deprecated `autorest` dependency ([#5452](https://github.com/cert-manager/cert-manager/pull/5452), [@phillebaba](https://github.com/phillebaba)) +- The cert-manager E2E tests can now be run on Kubernetes 1.29 ([#6641](https://github.com/cert-manager/cert-manager/pull/6641), [@wallrj](https://github.com/wallrj)) + +### Dependencies + +#### Added +- `cloud.google.com/go/cloudsqlconn`: `v1.4.3` +- `github.com/Azure/azure-sdk-for-go/sdk/azcore`: [`v1.9.1`](https://github.com/Azure/azure-sdk-for-go/sdk/azcore/tree/v1.9.1) +- `github.com/Azure/azure-sdk-for-go/sdk/azidentity`: [`v1.4.0`](https://github.com/Azure/azure-sdk-for-go/sdk/azidentity/tree/v1.4.0) +- `github.com/Azure/azure-sdk-for-go/sdk/internal`: [`v1.5.1`](https://github.com/Azure/azure-sdk-for-go/sdk/internal/tree/v1.5.1) +- `github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns`: [`v1.2.0`](https://github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns/tree/v1.2.0) +- `github.com/AzureAD/microsoft-authentication-library-for-go`: [`v1.1.1`](https://github.com/AzureAD/microsoft-authentication-library-for-go/tree/v1.1.1) +- `github.com/Masterminds/goutils`: [`v1.1.1`](https://github.com/Masterminds/goutils/tree/v1.1.1) +- `github.com/Masterminds/semver/v3`: [`v3.1.1`](https://github.com/Masterminds/semver/v3/tree/v3.1.1) +- `github.com/Masterminds/sprig/v3`: [`v3.2.1`](https://github.com/Masterminds/sprig/v3/tree/v3.2.1) +- `github.com/Venafi/vcert/v5`: [`v5.3.0`](https://github.com/Venafi/vcert/v5/tree/v5.3.0) +- `github.com/dnaeon/go-vcr`: [`v1.2.0`](https://github.com/dnaeon/go-vcr/tree/v1.2.0) +- `github.com/golang-jwt/jwt/v5`: [`v5.0.0`](https://github.com/golang-jwt/jwt/v5/tree/v5.0.0) +- 
`github.com/hashicorp/go-secure-stdlib/plugincontainer`: [`v0.2.2`](https://github.com/hashicorp/go-secure-stdlib/plugincontainer/tree/v0.2.2) +- `github.com/huandu/xstrings`: [`v1.3.2`](https://github.com/huandu/xstrings/tree/v1.3.2) +- `github.com/jackc/chunkreader/v2`: [`v2.0.1`](https://github.com/jackc/chunkreader/v2/tree/v2.0.1) +- `github.com/jackc/pgconn`: [`v1.14.0`](https://github.com/jackc/pgconn/tree/v1.14.0) +- `github.com/jackc/pgio`: [`v1.0.0`](https://github.com/jackc/pgio/tree/v1.0.0) +- `github.com/jackc/pgpassfile`: [`v1.0.0`](https://github.com/jackc/pgpassfile/tree/v1.0.0) +- `github.com/jackc/pgproto3/v2`: [`v2.3.2`](https://github.com/jackc/pgproto3/v2/tree/v2.3.2) +- `github.com/jackc/pgservicefile`: [`091c0ba`](https://github.com/jackc/pgservicefile/tree/091c0ba) +- `github.com/jackc/pgtype`: [`v1.14.0`](https://github.com/jackc/pgtype/tree/v1.14.0) +- `github.com/jackc/pgx/v4`: [`v4.18.1`](https://github.com/jackc/pgx/v4/tree/v4.18.1) +- `github.com/kylelemons/godebug`: [`v1.1.0`](https://github.com/kylelemons/godebug/tree/v1.1.0) +- `github.com/matttproud/golang_protobuf_extensions/v2`: [`v2.0.0`](https://github.com/matttproud/golang_protobuf_extensions/v2/tree/v2.0.0) +- `github.com/montanaflynn/stats`: [`v0.7.0`](https://github.com/montanaflynn/stats/tree/v0.7.0) +- `github.com/pkg/browser`: [`681adbf`](https://github.com/pkg/browser/tree/681adbf) +- `github.com/shopspring/decimal`: [`v1.2.0`](https://github.com/shopspring/decimal/tree/v1.2.0) +- `github.com/sosodev/duration`: [`v1.2.0`](https://github.com/sosodev/duration/tree/v1.2.0) +- `github.com/xrash/smetrics`: [`039620a`](https://github.com/xrash/smetrics/tree/039620a) + +#### Changed +- `cloud.google.com/go/accessapproval`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/accesscontextmanager`: `v1.8.1 → v1.8.4` +- `cloud.google.com/go/aiplatform`: `v1.48.0 → v1.58.0` +- `cloud.google.com/go/analytics`: `v0.21.3 → v0.21.6` +- `cloud.google.com/go/apigateway`: `v1.6.1 → v1.6.4` +- 
`cloud.google.com/go/apigeeconnect`: `v1.6.1 → v1.6.4` +- `cloud.google.com/go/apigeeregistry`: `v0.7.1 → v0.8.2` +- `cloud.google.com/go/appengine`: `v1.8.1 → v1.8.4` +- `cloud.google.com/go/area120`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/artifactregistry`: `v1.14.1 → v1.14.6` +- `cloud.google.com/go/asset`: `v1.14.1 → v1.16.0` +- `cloud.google.com/go/assuredworkloads`: `v1.11.1 → v1.11.4` +- `cloud.google.com/go/automl`: `v1.13.1 → v1.13.4` +- `cloud.google.com/go/baremetalsolution`: `v1.1.1 → v1.2.3` +- `cloud.google.com/go/batch`: `v1.3.1 → v1.7.0` +- `cloud.google.com/go/beyondcorp`: `v1.0.0 → v1.0.3` +- `cloud.google.com/go/bigquery`: `v1.53.0 → v1.57.1` +- `cloud.google.com/go/billing`: `v1.16.0 → v1.18.0` +- `cloud.google.com/go/binaryauthorization`: `v1.6.1 → v1.8.0` +- `cloud.google.com/go/certificatemanager`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/channel`: `v1.16.0 → v1.17.3` +- `cloud.google.com/go/cloudbuild`: `v1.13.0 → v1.15.0` +- `cloud.google.com/go/clouddms`: `v1.6.1 → v1.7.3` +- `cloud.google.com/go/cloudtasks`: `v1.12.1 → v1.12.4` +- `cloud.google.com/go/compute`: `v1.23.0 → v1.23.3` +- `cloud.google.com/go/contactcenterinsights`: `v1.10.0 → v1.12.1` +- `cloud.google.com/go/container`: `v1.24.0 → v1.29.0` +- `cloud.google.com/go/containeranalysis`: `v0.10.1 → v0.11.3` +- `cloud.google.com/go/datacatalog`: `v1.16.0 → v1.19.0` +- `cloud.google.com/go/dataflow`: `v0.9.1 → v0.9.4` +- `cloud.google.com/go/dataform`: `v0.8.1 → v0.9.1` +- `cloud.google.com/go/datafusion`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/datalabeling`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/dataplex`: `v1.9.0 → v1.13.0` +- `cloud.google.com/go/dataproc/v2`: `v2.0.1 → v2.3.0` +- `cloud.google.com/go/dataqna`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/datastore`: `v1.13.0 → v1.15.0` +- `cloud.google.com/go/datastream`: `v1.10.0 → v1.10.3` +- `cloud.google.com/go/deploy`: `v1.13.0 → v1.16.0` +- `cloud.google.com/go/dialogflow`: `v1.40.0 → v1.47.0` +- 
`cloud.google.com/go/dlp`: `v1.10.1 → v1.11.1` +- `cloud.google.com/go/documentai`: `v1.22.0 → v1.23.7` +- `cloud.google.com/go/domains`: `v0.9.1 → v0.9.4` +- `cloud.google.com/go/edgecontainer`: `v1.1.1 → v1.1.4` +- `cloud.google.com/go/essentialcontacts`: `v1.6.2 → v1.6.5` +- `cloud.google.com/go/eventarc`: `v1.13.0 → v1.13.3` +- `cloud.google.com/go/filestore`: `v1.7.1 → v1.8.0` +- `cloud.google.com/go/firestore`: `v1.11.0 → v1.14.0` +- `cloud.google.com/go/functions`: `v1.15.1 → v1.15.4` +- `cloud.google.com/go/gkebackup`: `v1.3.0 → v1.3.4` +- `cloud.google.com/go/gkeconnect`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/gkehub`: `v0.14.1 → v0.14.4` +- `cloud.google.com/go/gkemulticloud`: `v1.0.0 → v1.0.3` +- `cloud.google.com/go/gsuiteaddons`: `v1.6.1 → v1.6.4` +- `cloud.google.com/go/iam`: `v1.1.1 → v1.1.5` +- `cloud.google.com/go/iap`: `v1.8.1 → v1.9.3` +- `cloud.google.com/go/ids`: `v1.4.1 → v1.4.4` +- `cloud.google.com/go/iot`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/kms`: `v1.15.0 → v1.15.5` +- `cloud.google.com/go/language`: `v1.10.1 → v1.12.2` +- `cloud.google.com/go/lifesciences`: `v0.9.1 → v0.9.4` +- `cloud.google.com/go/logging`: `v1.7.0 → v1.9.0` +- `cloud.google.com/go/longrunning`: `v0.5.1 → v0.5.4` +- `cloud.google.com/go/managedidentities`: `v1.6.1 → v1.6.4` +- `cloud.google.com/go/maps`: `v1.4.0 → v1.6.2` +- `cloud.google.com/go/mediatranslation`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/memcache`: `v1.10.1 → v1.10.4` +- `cloud.google.com/go/metastore`: `v1.12.0 → v1.13.3` +- `cloud.google.com/go/monitoring`: `v1.15.1 → v1.17.0` +- `cloud.google.com/go/networkconnectivity`: `v1.12.1 → v1.14.3` +- `cloud.google.com/go/networkmanagement`: `v1.8.0 → v1.9.3` +- `cloud.google.com/go/networksecurity`: `v0.9.1 → v0.9.4` +- `cloud.google.com/go/notebooks`: `v1.9.1 → v1.11.2` +- `cloud.google.com/go/optimization`: `v1.4.1 → v1.6.2` +- `cloud.google.com/go/orchestration`: `v1.8.1 → v1.8.4` +- `cloud.google.com/go/orgpolicy`: `v1.11.1 → v1.11.4` +- 
`cloud.google.com/go/osconfig`: `v1.12.1 → v1.12.4` +- `cloud.google.com/go/oslogin`: `v1.10.1 → v1.12.2` +- `cloud.google.com/go/phishingprotection`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/policytroubleshooter`: `v1.8.0 → v1.10.2` +- `cloud.google.com/go/privatecatalog`: `v0.9.1 → v0.9.4` +- `cloud.google.com/go/recaptchaenterprise/v2`: `v2.7.2 → v2.9.0` +- `cloud.google.com/go/recommendationengine`: `v0.8.1 → v0.8.4` +- `cloud.google.com/go/recommender`: `v1.10.1 → v1.12.0` +- `cloud.google.com/go/redis`: `v1.13.1 → v1.14.1` +- `cloud.google.com/go/resourcemanager`: `v1.9.1 → v1.9.4` +- `cloud.google.com/go/resourcesettings`: `v1.6.1 → v1.6.4` +- `cloud.google.com/go/retail`: `v1.14.1 → v1.14.4` +- `cloud.google.com/go/run`: `v1.2.0 → v1.3.3` +- `cloud.google.com/go/scheduler`: `v1.10.1 → v1.10.5` +- `cloud.google.com/go/secretmanager`: `v1.11.1 → v1.11.4` +- `cloud.google.com/go/security`: `v1.15.1 → v1.15.4` +- `cloud.google.com/go/securitycenter`: `v1.23.0 → v1.24.3` +- `cloud.google.com/go/servicedirectory`: `v1.11.0 → v1.11.3` +- `cloud.google.com/go/shell`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/spanner`: `v1.47.0 → v1.54.0` +- `cloud.google.com/go/speech`: `v1.19.0 → v1.21.0` +- `cloud.google.com/go/storagetransfer`: `v1.10.0 → v1.10.3` +- `cloud.google.com/go/talent`: `v1.6.2 → v1.6.5` +- `cloud.google.com/go/texttospeech`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/tpu`: `v1.6.1 → v1.6.4` +- `cloud.google.com/go/trace`: `v1.10.1 → v1.10.4` +- `cloud.google.com/go/translate`: `v1.8.2 → v1.9.3` +- `cloud.google.com/go/video`: `v1.19.0 → v1.20.3` +- `cloud.google.com/go/videointelligence`: `v1.11.1 → v1.11.4` +- `cloud.google.com/go/vision/v2`: `v2.7.2 → v2.7.5` +- `cloud.google.com/go/vmmigration`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/vmwareengine`: `v1.0.0 → v1.0.3` +- `cloud.google.com/go/vpcaccess`: `v1.7.1 → v1.7.4` +- `cloud.google.com/go/webrisk`: `v1.9.1 → v1.9.4` +- `cloud.google.com/go/websecurityscanner`: `v1.6.1 → v1.6.4` +- 
`cloud.google.com/go/workflows`: `v1.11.1 → v1.12.3` +- `cloud.google.com/go`: `v0.110.6 → v0.111.0` +- `github.com/asaskevich/govalidator`: [`f61b66f → a9d515a`](https://github.com/asaskevich/govalidator/compare/f61b66f...a9d515a) +- `github.com/aws/aws-sdk-go`: [`v1.44.331 → v1.49.13`](https://github.com/aws/aws-sdk-go/compare/v1.44.331...v1.49.13) +- `github.com/cpuguy83/go-md2man/v2`: [`v2.0.2 → v2.0.3`](https://github.com/cpuguy83/go-md2man/v2/compare/v2.0.2...v2.0.3) +- `github.com/digitalocean/godo`: [`v1.102.1 → v1.107.0`](https://github.com/digitalocean/godo/compare/v1.102.1...v1.107.0) +- `github.com/docker/distribution`: [`v2.8.1+incompatible → v2.8.2+incompatible`](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2) +- `github.com/docker/docker`: [`v23.0.4+incompatible → v24.0.5+incompatible`](https://github.com/docker/docker/compare/v23.0.4...v24.0.5) +- `github.com/emicklei/go-restful/v3`: [`v3.9.0 → v3.11.0`](https://github.com/emicklei/go-restful/v3/compare/v3.9.0...v3.11.0) +- `github.com/envoyproxy/go-control-plane`: [`9239064 → v0.11.1`](https://github.com/envoyproxy/go-control-plane/compare/9239064...v0.11.1) +- `github.com/envoyproxy/protoc-gen-validate`: [`v0.10.1 → v1.0.2`](https://github.com/envoyproxy/protoc-gen-validate/compare/v0.10.1...v1.0.2) +- `github.com/evanphx/json-patch/v5`: [`v5.6.0 → v5.7.0`](https://github.com/evanphx/json-patch/v5/compare/v5.6.0...v5.7.0) +- `github.com/evanphx/json-patch`: [`v5.6.0+incompatible → v5.7.0+incompatible`](https://github.com/evanphx/json-patch/compare/v5.6.0...v5.7.0) +- `github.com/felixge/httpsnoop`: [`v1.0.3 → v1.0.4`](https://github.com/felixge/httpsnoop/compare/v1.0.3...v1.0.4) +- `github.com/frankban/quicktest`: [`v1.11.3 → v1.14.3`](https://github.com/frankban/quicktest/compare/v1.11.3...v1.14.3) +- `github.com/fsnotify/fsnotify`: [`v1.6.0 → v1.7.0`](https://github.com/fsnotify/fsnotify/compare/v1.6.0...v1.7.0) +- `github.com/go-asn1-ber/asn1-ber`: [`v1.5.4 → 
v1.5.5`](https://github.com/go-asn1-ber/asn1-ber/compare/v1.5.4...v1.5.5) +- `github.com/go-jose/go-jose/v3`: [`v3.0.0 → v3.0.1`](https://github.com/go-jose/go-jose/v3/compare/v3.0.0...v3.0.1) +- `github.com/go-ldap/ldap/v3`: [`v3.4.5 → v3.4.6`](https://github.com/go-ldap/ldap/v3/compare/v3.4.5...v3.4.6) +- `github.com/go-logr/logr`: [`v1.2.4 → v1.4.1`](https://github.com/go-logr/logr/compare/v1.2.4...v1.4.1) +- `github.com/go-logr/zapr`: [`v1.2.4 → v1.3.0`](https://github.com/go-logr/zapr/compare/v1.2.4...v1.3.0) +- `github.com/go-openapi/jsonpointer`: [`v0.19.6 → v0.20.2`](https://github.com/go-openapi/jsonpointer/compare/v0.19.6...v0.20.2) +- `github.com/go-openapi/jsonreference`: [`v0.20.2 → v0.20.4`](https://github.com/go-openapi/jsonreference/compare/v0.20.2...v0.20.4) +- `github.com/go-openapi/swag`: [`v0.22.3 → v0.22.7`](https://github.com/go-openapi/swag/compare/v0.22.3...v0.22.7) +- `github.com/golang/glog`: [`v1.1.0 → v1.1.2`](https://github.com/golang/glog/compare/v1.1.0...v1.1.2) +- `github.com/golang/mock`: [`v1.4.4 → v1.1.1`](https://github.com/golang/mock/compare/v1.4.4...v1.1.1) +- `github.com/google/cel-go`: [`v0.16.0 → v0.17.7`](https://github.com/google/cel-go/compare/v0.16.0...v0.17.7) +- `github.com/google/go-cmp`: [`v0.5.9 → v0.6.0`](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0) +- `github.com/google/go-pkcs11`: [`v0.2.0 → c6f7932`](https://github.com/google/go-pkcs11/compare/v0.2.0...c6f7932) +- `github.com/google/s2a-go`: [`v0.1.5 → v0.1.7`](https://github.com/google/s2a-go/compare/v0.1.5...v0.1.7) +- `github.com/google/uuid`: [`v1.3.0 → v1.5.0`](https://github.com/google/uuid/compare/v1.3.0...v1.5.0) +- `github.com/googleapis/enterprise-certificate-proxy`: [`v0.2.5 → v0.3.2`](https://github.com/googleapis/enterprise-certificate-proxy/compare/v0.2.5...v0.3.2) +- `github.com/gorilla/websocket`: [`v1.4.2 → v1.5.0`](https://github.com/gorilla/websocket/compare/v1.4.2...v1.5.0) +- `github.com/grpc-ecosystem/grpc-gateway/v2`: 
[`v2.7.0 → v2.18.1`](https://github.com/grpc-ecosystem/grpc-gateway/v2/compare/v2.7.0...v2.18.1) +- `github.com/hashicorp/go-hclog`: [`v1.4.0 → v1.5.0`](https://github.com/hashicorp/go-hclog/compare/v1.4.0...v1.5.0) +- `github.com/hashicorp/go-plugin`: [`v1.4.8 → v1.5.2`](https://github.com/hashicorp/go-plugin/compare/v1.4.8...v1.5.2) +- `github.com/hashicorp/go-retryablehttp`: [`v0.7.4 → v0.7.5`](https://github.com/hashicorp/go-retryablehttp/compare/v0.7.4...v0.7.5) +- `github.com/hashicorp/go-secure-stdlib/parseutil`: [`v0.1.7 → v0.1.8`](https://github.com/hashicorp/go-secure-stdlib/parseutil/compare/v0.1.7...v0.1.8) +- `github.com/hashicorp/go-sockaddr`: [`v1.0.2 → v1.0.6`](https://github.com/hashicorp/go-sockaddr/compare/v1.0.2...v1.0.6) +- `github.com/hashicorp/vault/api`: [`v1.9.2 → v1.10.0`](https://github.com/hashicorp/vault/api/compare/v1.9.2...v1.10.0) +- `github.com/hashicorp/vault/sdk`: [`v0.9.2 → v0.10.2`](https://github.com/hashicorp/vault/sdk/compare/v0.9.2...v0.10.2) +- `github.com/hashicorp/yamux`: [`0bc27b2 → v0.1.1`](https://github.com/hashicorp/yamux/compare/0bc27b2...v0.1.1) +- `github.com/imdario/mergo`: [`v0.3.12 → v0.3.16`](https://github.com/imdario/mergo/compare/v0.3.12...v0.3.16) +- `github.com/jmespath/go-jmespath`: [`v0.4.0 → b0104c8`](https://github.com/jmespath/go-jmespath/compare/v0.4.0...b0104c8) +- `github.com/miekg/dns`: [`v1.1.55 → v1.1.57`](https://github.com/miekg/dns/compare/v1.1.55...v1.1.57) +- `github.com/mitchellh/cli`: [`v1.0.0 → v1.1.5`](https://github.com/mitchellh/cli/compare/v1.0.0...v1.1.5) +- `github.com/mitchellh/go-wordwrap`: [`v1.0.0 → v1.0.1`](https://github.com/mitchellh/go-wordwrap/compare/v1.0.0...v1.0.1) +- `github.com/onsi/ginkgo/v2`: [`v2.12.0 → v2.13.0`](https://github.com/onsi/ginkgo/v2/compare/v2.12.0...v2.13.0) +- `github.com/onsi/gomega`: [`v1.27.10 → v1.29.0`](https://github.com/onsi/gomega/compare/v1.27.10...v1.29.0) +- `github.com/pavlo-v-chernykh/keystore-go/v4`: [`v4.4.1 → 
v4.5.0`](https://github.com/pavlo-v-chernykh/keystore-go/v4/compare/v4.4.1...v4.5.0) +- `github.com/prometheus/client_golang`: [`v1.16.0 → v1.18.0`](https://github.com/prometheus/client_golang/compare/v1.16.0...v1.18.0) +- `github.com/prometheus/client_model`: [`v0.4.0 → v0.5.0`](https://github.com/prometheus/client_model/compare/v0.4.0...v0.5.0) +- `github.com/prometheus/common`: [`v0.44.0 → v0.45.0`](https://github.com/prometheus/common/compare/v0.44.0...v0.45.0) +- `github.com/prometheus/procfs`: [`v0.10.1 → v0.12.0`](https://github.com/prometheus/procfs/compare/v0.10.1...v0.12.0) +- `github.com/rogpeppe/go-internal`: [`v1.11.0 → v1.12.0`](https://github.com/rogpeppe/go-internal/compare/v1.11.0...v1.12.0) +- `github.com/ryanuber/columnize`: [`v2.1.0+incompatible → v2.1.2+incompatible`](https://github.com/ryanuber/columnize/compare/v2.1.0...v2.1.2) +- `github.com/sirupsen/logrus`: [`v1.9.0 → v1.9.3`](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.3) +- `github.com/spf13/cast`: [`v1.3.0 → v1.3.1`](https://github.com/spf13/cast/compare/v1.3.0...v1.3.1) +- `github.com/spf13/cobra`: [`v1.7.0 → v1.8.0`](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0) +- `github.com/stoewer/go-strcase`: [`v1.2.0 → v1.3.0`](https://github.com/stoewer/go-strcase/compare/v1.2.0...v1.3.0) +- `github.com/stretchr/objx`: [`v0.5.0 → v0.5.1`](https://github.com/stretchr/objx/compare/v0.5.0...v0.5.1) +- `github.com/urfave/cli/v2`: [`v2.1.1 → v2.25.7`](https://github.com/urfave/cli/v2/compare/v2.1.1...v2.25.7) +- `go.etcd.io/bbolt`: `v1.3.7 → v1.3.8` +- `go.etcd.io/etcd/api/v3`: `v3.5.9 → v3.5.11` +- `go.etcd.io/etcd/client/pkg/v3`: `v3.5.9 → v3.5.11` +- `go.etcd.io/etcd/client/v2`: `v2.305.9 → v2.305.10` +- `go.etcd.io/etcd/client/v3`: `v3.5.9 → v3.5.11` +- `go.etcd.io/etcd/pkg/v3`: `v3.5.9 → v3.5.10` +- `go.etcd.io/etcd/raft/v3`: `v3.5.9 → v3.5.10` +- `go.etcd.io/etcd/server/v3`: `v3.5.9 → v3.5.10` +- 
`go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc`: `v0.35.0 → v0.46.1` +- `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`: `v0.39.0 → v0.46.1` +- `go.opentelemetry.io/otel/exporters/otlp/internal/retry`: `v1.15.0 → v1.10.0` +- `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`: `v1.15.0 → v1.21.0` +- `go.opentelemetry.io/otel/exporters/otlp/otlptrace`: `v1.15.0 → v1.21.0` +- `go.opentelemetry.io/otel/metric`: `v0.36.0 → v1.21.0` +- `go.opentelemetry.io/otel/sdk`: `v1.15.0 → v1.21.0` +- `go.opentelemetry.io/otel/trace`: `v1.15.0 → v1.21.0` +- `go.opentelemetry.io/otel`: `v1.15.0 → v1.21.0` +- `go.opentelemetry.io/proto/otlp`: `v0.19.0 → v1.0.0` +- `go.uber.org/goleak`: `v1.2.1 → v1.3.0` +- `go.uber.org/zap`: `v1.25.0 → v1.26.0` +- `golang.org/x/crypto`: `v0.12.0 → v0.17.0` +- `golang.org/x/exp`: `d852ddb → 02704c9` +- `golang.org/x/lint`: `738671d → d0100b6` +- `golang.org/x/mod`: `v0.12.0 → v0.14.0` +- `golang.org/x/net`: `v0.14.0 → v0.19.0` +- `golang.org/x/oauth2`: `v0.11.0 → v0.15.0` +- `golang.org/x/sync`: `v0.3.0 → v0.5.0` +- `golang.org/x/sys`: `v0.11.0 → v0.15.0` +- `golang.org/x/term`: `v0.11.0 → v0.15.0` +- `golang.org/x/text`: `v0.12.0 → v0.14.0` +- `golang.org/x/time`: `v0.3.0 → v0.5.0` +- `golang.org/x/tools`: `74c255b → v0.16.1` +- `google.golang.org/api`: `v0.138.0 → v0.154.0` +- `google.golang.org/appengine`: `v1.6.7 → v1.6.8` +- `google.golang.org/genproto/googleapis/api`: `f966b18 → 50ed04b` +- `google.golang.org/genproto/googleapis/bytestream`: `1744710 → 3a041ad` +- `google.golang.org/genproto/googleapis/rpc`: `1744710 → 50ed04b` +- `google.golang.org/genproto`: `f966b18 → 50ed04b` +- `google.golang.org/grpc`: `v1.57.0 → v1.60.1` +- `google.golang.org/protobuf`: `v1.31.0 → v1.32.0` +- `gopkg.in/ini.v1`: `v1.62.0 → v1.67.0` +- `honnef.co/go/tools`: `v0.0.1-2020.1.4 → ea95bdf` +- `k8s.io/api`: `v0.28.1 → v0.29.0` +- `k8s.io/apiextensions-apiserver`: `v0.28.1 → v0.29.0` +- 
`k8s.io/apimachinery`: `v0.28.1 → v0.29.0` +- `k8s.io/apiserver`: `v0.28.1 → v0.29.0` +- `k8s.io/client-go`: `v0.28.1 → v0.29.0` +- `k8s.io/code-generator`: `v0.28.1 → v0.29.0` +- `k8s.io/component-base`: `v0.28.1 → v0.29.0` +- `k8s.io/gengo`: `c0856e2 → 9cce18d` +- `k8s.io/klog/v2`: `v2.100.1 → v2.110.1` +- `k8s.io/kms`: `v0.28.1 → v0.29.0` +- `k8s.io/kube-aggregator`: `v0.28.1 → v0.29.0` +- `k8s.io/kube-openapi`: `14e4089 → eec4567` +- `k8s.io/utils`: `3b25d92 → e7106e6` +- `sigs.k8s.io/apiserver-network-proxy/konnectivity-client`: `v0.1.2 → v0.29.0` +- `sigs.k8s.io/controller-runtime`: `v0.16.0 → v0.16.3` +- `sigs.k8s.io/gateway-api`: `v0.7.1 → v1.0.0` +- `sigs.k8s.io/structured-merge-diff/v4`: `v4.3.0 → v4.4.1` +- `sigs.k8s.io/yaml`: `v1.3.0 → v1.4.0` +- `software.sslmate.com/src/go-pkcs12`: `v0.2.1 → v0.4.0` + +#### Removed +- `cloud.google.com/go/storage`: `v1.10.0` +- `dmitri.shuralyov.com/gpu/mtl`: `666a987` +- `github.com/Azure/azure-sdk-for-go`: [`v68.0.0+incompatible`](https://github.com/Azure/azure-sdk-for-go/tree/v68.0.0) +- `github.com/Azure/go-autorest/autorest/adal`: [`v0.9.23`](https://github.com/Azure/go-autorest/autorest/adal/tree/v0.9.23) +- `github.com/Azure/go-autorest/autorest/date`: [`v0.3.0`](https://github.com/Azure/go-autorest/autorest/date/tree/v0.3.0) +- `github.com/Azure/go-autorest/autorest/mocks`: [`v0.4.2`](https://github.com/Azure/go-autorest/autorest/mocks/tree/v0.4.2) +- `github.com/Azure/go-autorest/autorest/to`: [`v0.4.0`](https://github.com/Azure/go-autorest/autorest/to/tree/v0.4.0) +- `github.com/Azure/go-autorest/autorest/validation`: [`v0.3.1`](https://github.com/Azure/go-autorest/autorest/validation/tree/v0.3.1) +- `github.com/Azure/go-autorest/autorest`: [`v0.11.29`](https://github.com/Azure/go-autorest/autorest/tree/v0.11.29) +- `github.com/Azure/go-autorest/logger`: [`v0.2.1`](https://github.com/Azure/go-autorest/logger/tree/v0.2.1) +- `github.com/Azure/go-autorest/tracing`: 
[`v0.6.0`](https://github.com/Azure/go-autorest/tracing/tree/v0.6.0) +- `github.com/Azure/go-autorest`: [`v14.2.0+incompatible`](https://github.com/Azure/go-autorest/tree/v14.2.0) +- `github.com/BurntSushi/xgb`: [`27f1227`](https://github.com/BurntSushi/xgb/tree/27f1227) +- `github.com/OneOfOne/xxhash`: [`v1.2.2`](https://github.com/OneOfOne/xxhash/tree/v1.2.2) +- `github.com/Venafi/vcert/v4`: [`69f417a`](https://github.com/Venafi/vcert/v4/tree/69f417a) +- `github.com/alecthomas/template`: [`a0175ee`](https://github.com/alecthomas/template/tree/a0175ee) +- `github.com/armon/circbuf`: [`bbbad09`](https://github.com/armon/circbuf/tree/bbbad09) +- `github.com/benbjohnson/clock`: [`v1.3.0`](https://github.com/benbjohnson/clock/tree/v1.3.0) +- `github.com/bketelsen/crypt`: [`5cbc8cc`](https://github.com/bketelsen/crypt/tree/5cbc8cc) +- `github.com/cespare/xxhash`: [`v1.1.0`](https://github.com/cespare/xxhash/tree/v1.1.0) +- `github.com/coreos/bbolt`: [`v1.3.2`](https://github.com/coreos/bbolt/tree/v1.3.2) +- `github.com/coreos/etcd`: [`v3.3.13+incompatible`](https://github.com/coreos/etcd/tree/v3.3.13) +- `github.com/coreos/go-systemd`: [`95778df`](https://github.com/coreos/go-systemd/tree/95778df) +- `github.com/coreos/pkg`: [`399ea9e`](https://github.com/coreos/pkg/tree/399ea9e) +- `github.com/dgrijalva/jwt-go`: [`v3.2.0+incompatible`](https://github.com/dgrijalva/jwt-go/tree/v3.2.0) +- `github.com/dgryski/go-sip13`: [`e10d5fe`](https://github.com/dgryski/go-sip13/tree/e10d5fe) +- `github.com/ghodss/yaml`: [`v1.0.0`](https://github.com/ghodss/yaml/tree/v1.0.0) +- `github.com/go-gl/glfw/v3.3/glfw`: [`6f7a984`](https://github.com/go-gl/glfw/v3.3/glfw/tree/6f7a984) +- `github.com/go-gl/glfw`: [`e6da0ac`](https://github.com/go-gl/glfw/tree/e6da0ac) +- `github.com/go-kit/kit`: [`v0.8.0`](https://github.com/go-kit/kit/tree/v0.8.0) +- `github.com/go-stack/stack`: [`v1.8.0`](https://github.com/go-stack/stack/tree/v1.8.0) +- `github.com/google/gnostic`: 
[`v0.5.7-v3refs`](https://github.com/google/gnostic/tree/v0.5.7-v3refs) +- `github.com/google/martian/v3`: [`v3.0.0`](https://github.com/google/martian/v3/tree/v3.0.0) +- `github.com/google/martian`: [`v2.1.0+incompatible`](https://github.com/google/martian/tree/v2.1.0) +- `github.com/google/renameio`: [`v0.1.0`](https://github.com/google/renameio/tree/v0.1.0) +- `github.com/hashicorp/consul/api`: [`v1.1.0`](https://github.com/hashicorp/consul/api/tree/v1.1.0) +- `github.com/hashicorp/consul/sdk`: [`v0.1.1`](https://github.com/hashicorp/consul/sdk/tree/v0.1.1) +- `github.com/hashicorp/go-msgpack`: [`v0.5.3`](https://github.com/hashicorp/go-msgpack/tree/v0.5.3) +- `github.com/hashicorp/go-syslog`: [`v1.0.0`](https://github.com/hashicorp/go-syslog/tree/v1.0.0) +- `github.com/hashicorp/go.net`: [`v0.0.1`](https://github.com/hashicorp/go.net/tree/v0.0.1) +- `github.com/hashicorp/logutils`: [`v1.0.0`](https://github.com/hashicorp/logutils/tree/v1.0.0) +- `github.com/hashicorp/mdns`: [`v1.0.0`](https://github.com/hashicorp/mdns/tree/v1.0.0) +- `github.com/hashicorp/memberlist`: [`v0.1.3`](https://github.com/hashicorp/memberlist/tree/v0.1.3) +- `github.com/hashicorp/serf`: [`v0.8.2`](https://github.com/hashicorp/serf/tree/v0.8.2) +- `github.com/jstemmer/go-junit-report`: [`v0.9.1`](https://github.com/jstemmer/go-junit-report/tree/v0.9.1) +- `github.com/kr/logfmt`: [`b84e30a`](https://github.com/kr/logfmt/tree/b84e30a) +- `github.com/mitchellh/gox`: [`v0.4.0`](https://github.com/mitchellh/gox/tree/v0.4.0) +- `github.com/mitchellh/iochan`: [`v1.0.0`](https://github.com/mitchellh/iochan/tree/v1.0.0) +- `github.com/morikuni/aec`: [`v1.0.0`](https://github.com/morikuni/aec/tree/v1.0.0) +- `github.com/oklog/ulid`: [`v1.3.1`](https://github.com/oklog/ulid/tree/v1.3.1) +- `github.com/pascaldekloe/goe`: [`57f6aae`](https://github.com/pascaldekloe/goe/tree/57f6aae) +- `github.com/prometheus/tsdb`: [`v0.7.1`](https://github.com/prometheus/tsdb/tree/v0.7.1) +- 
`github.com/sean-/seed`: [`e2103e2`](https://github.com/sean-/seed/tree/e2103e2) +- `github.com/shurcooL/sanitized_anchor_name`: [`v1.0.0`](https://github.com/shurcooL/sanitized_anchor_name/tree/v1.0.0) +- `github.com/spaolacci/murmur3`: [`f09979e`](https://github.com/spaolacci/murmur3/tree/f09979e) +- `golang.org/x/image`: `cff245a` +- `golang.org/x/mobile`: `d2bd2a2` +- `gopkg.in/alecthomas/kingpin.v2`: `v2.2.6` +- `gopkg.in/resty.v1`: `v1.12.0` +- `gotest.tools/v3`: `v3.4.0` +- `rsc.io/binaryregexp`: `v0.2.0` +- `rsc.io/quote/v3`: `v3.1.0` +- `rsc.io/sampler`: `v1.3.0` diff --git a/content/docs/releases/upgrading/upgrading-1.13-1.14.md b/content/docs/releases/upgrading/upgrading-1.13-1.14.md new file mode 100644 index 00000000000..facfcd5b9d1 --- /dev/null +++ b/content/docs/releases/upgrading/upgrading-1.13-1.14.md 
@@ -0,0 +1,26 @@
+---
+title: Upgrading from v1.13 to v1.14
+description: 'cert-manager installation: Upgrading v1.13 to v1.14'
+---
+
+Before upgrading cert-manager from 1.13 to 1.14 please read the following important notes about breaking changes in 1.14:
+
+## Please install the latest patch release: `v1.14.1`
+
+The following bugs were found during the release of `v1.14.0` and have been fixed in `v1.14.1`:
+
+- During the release of `v1.14.0`, the Helm chart was found to use the wrong OCI image for the `cainjector` Deployment,
+ which caused the Helm installation to fail.
+- A bug in cmctl namespace detection prevents it being used as a startupapicheck image in namespaces other than cert-manager.
+- A bug in cmctl causes `cmctl experimental install` to panic.
+
+Read the [`v1.14.1` release notes](../release-notes/release-notes-1.14.md#v1.14.1) for more information.
+
+## New startupapicheck image
+
+The startupapicheck job uses a new OCI image called [startupapicheck](../../cli/startupapicheck.md), instead of the [ctl](../../cli/cmctl.md) image.
+If you run in an environment in which images cannot be pulled, be sure to include the new image.
+
+## Next Steps
+
+From here on you can follow the [regular upgrade process](../../installation/upgrade.md).
diff --git a/content/docs/tutorials/README.md b/content/docs/tutorials/README.md
index b286d96594b..d50999605ea 100644
--- a/content/docs/tutorials/README.md
+++ b/content/docs/tutorials/README.md
@@ -25,6 +25,8 @@ for you to learn from. Take a look!
 - [Securing an Istio service mesh with cert-manager](./istio-csr/istio-csr.md): Tutorial for securing an Istio service mesh using a cert-manager issuer.
 - [Obtaining SSL certificates with the ZeroSSL](./zerossl/zerossl.md): Tutorial describing usage of the ZeroSSL as external ACME server.
+- [Managing public trust in Kubernetes with trust-manager](./getting-started-with-trust-manager/README.md): Learn how to deploy and configure trust-manager to automatically distribute your approved Public CA configuration to your Kubernetes cluster.
+- [Learn how to set Certificate defaults automatically](./certificate-defaults/README.md): Learn how to use Kyverno `ClusterPolicy` to set default values for cert-manager `Certificates`.
 
 ### External Tutorials
diff --git a/content/docs/tutorials/certificate-defaults/README.md b/content/docs/tutorials/certificate-defaults/README.md
new file mode 100644
index 00000000000..a152c9033d2
--- /dev/null
+++ b/content/docs/tutorials/certificate-defaults/README.md
@@ -0,0 +1,571 @@
+---
+title: Learn how to set Certificate defaults automatically
+description: |
+ Learn how to use Kyverno ClusterPolicy to set default values for cert-manager Certificates cluster wide.
+---
+
+*Last Verified: 19 January 2024*
+
+# Objective
+
+We will set up a cluster where a user specifies as little YAML as possible in `Certificate` resources.
+This will be achieved by utilizing Kyverno to apply custom "default" values to the `Certificate` fields, that are not specified by a user.
+
+There are some benefits to having defaults:
+
+- `Certificate` consumers minimize their YAML resources.
+- `Certificate` consumers retain flexibility to override fields when needed.
+- Cluster operators can decide what the default should be, rather than having to rely on built-in defaults from cert-manager.
+
+## Use cases
+
+By setting custom defaults across our cluster, we enable platform teams to tackle use cases such as:
+
+- **To ensure that `CertificateRequest` resources get cleaned up.**
+
+ Use a `ClusterPolicy` to set a custom default value for the `Certificate.Spec.RevisionHistoryLimit` field.
+
+- **To help your users choose secure default key settings for their `Certificate` resources.**
+
+ Use a `ClusterPolicy` to set custom default values for the `Certificate.Spec.PrivateKey` fields.
+
+- **To default the `Issuer` for users within the cluster.**
+
+ Use a `ClusterPolicy` to set a custom default for the `Certificate.spec.issuerRef` fields.
+
+- **To set a default pattern for the naming of the `Secret` where the certificate will be populated.**
+
+ Use a `ClusterPolicy` to set a custom default value for the `spec.secretName` required field.
+
+- **Make application developers' lives easier by allowing them to create secure X.509 TLS certificates with the minimum of configuration.**
+
+ Use a `ClusterPolicy` to set all other required `Certificate.spec` fields.
+ Only a single identity specification field will be required, one of: + - `commonName` or `literalSubject` + - `dnsNames` + - `uris` + - `emailAddresses` + - `ipAddresses` + - `otherNames` + +## Process + +We will set up defaults for three different scenarios, getting slightly more advanced each time: + +1. Setting defaults for optional `Certificate` resource fields. +2. Setting defaults for required `Certificate` resource fields. +3. Setting defaults for `Certificate` resource fields, when using `Ingress` annotations to request certificates. + +# Setup + +## Prerequisites + +**đŸ’ģ Software** + +1. [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl): The Kubernetes + command-line tool which allows you to configure Kubernetes clusters. +1. [helm](https://helm.sh/): A package manager for Kubernetes. +1. [kind](https://kind.sigs.k8s.io/) (**OPTIONAL**): For creating a local + Kubernetes environment that runs in Docker or other container runtimes. + +## Local Kubernetes Environment + +> ⚠ī¸ This step can be skipped if you have another Kubernetes environment. + +1. Create a cluster environment using `kind` for this tutorial. + + ```shell + kind create cluster --name defaults + ``` + + > ⏲ It should take less than one minute to create the cluster, depending on your machine. + > + > ⚠ī¸ This cluster is only suitable for learning purposes. It is not suitable for production use. + +## Software Installation + +Once you have your cluster environment, install the required Kubernetes packages using `helm`. + +1. Set some environment variables for the helm chart versions: + + ```shell + export CERT_MANAGER_CHART_VERSION="v1.14.1" \ + KYVERNO_CHART_VERSION="3.1.4" \ + INGRESS_NGINX_CHART_VERSION="4.9.0" + ``` + +1. 
Install cert-manager + + ```shell + helm upgrade --install cert-manager cert-manager \ + --namespace cert-manager \ + --version $CERT_MANAGER_CHART_VERSION \ + --set installCRDs=true \ + --set startupapicheck.enabled=false \ + --create-namespace \ + --repo https://charts.jetstack.io/ + ``` + +1. Install Kyverno + + ```shell + helm upgrade --install kyverno kyverno \ + --namespace kyverno-system \ + --version $KYVERNO_CHART_VERSION \ + --create-namespace \ + --repo https://kyverno.github.io/kyverno/ + ``` + +1. Install ingress-nginx + + ```shell + helm upgrade --install ingress-nginx ingress-nginx \ + --namespace ingress-nginx \ + --version $INGRESS_NGINX_CHART_VERSION \ + --create-namespace \ + --repo https://kubernetes.github.io/ingress-nginx + ``` + +> For complete installation instructions, please refer to the following links: +> - [cert-manager installation instructions](./../../../docs/installation/helm.md) +> - [Kyverno installation instructions](https://kyverno.io/docs/installation/methods/#install-kyverno-using-helm) +> - [ingress-nginx installation instructions](https://kubernetes.github.io/ingress-nginx/deploy/) + +# Setting Defaults + +The main tutorial starts here with some background, before tackling each of the three scenarios. + +## Required vs Non-required + +The `Certificate` resource has a `spec` section with a number of "required" fields. +This means these fields must be present when you create a `Certificate` resource. +There are also a number of other fields that are not required to be explicitly defined on each `Certificate` resource. +This essentially means the value of one of these fields is either not required, or has defaults defined somewhere else. +That somewhere else could be in the cert-manager code base, or indeed by the issuer that creates and returns the X.509 certificate. +Let's explore how we can manipulate these values to be something custom and make the `Certificate` user's life easier. 
+ +We will set up some `ClusterPolicy` resources and `Certificate` resources in this tutorial. +We will make reference to a `ClusterIssuer` in the `Certificate` spec that doesn't exist, but for this tutorial the `ClusterIssuer` is not required as we will not actually be requesting certificates. +That means anyone can follow this tutorial even without their own domain. + +> ⚠ī¸ To make it easy to get started we are using cluster scoped `ClusterPolicy` resources. +> You can scope your defaults to the namespace level through the use of `Policy` resources in the future, but that will not be covered in this tutorial. + +## 1 - Defaulting optional fields + +In this section we will create rules which set three fields for all `Certificate` resources automatically. +None of the three fields here are required fields, but they might need to be set depending on platform and issuer preferences. +These rules will: + +- Set a default value of: `revisionHistoryLimit: 2`. +- Set a [default value of `Always` under `spec.privateKey.rotationPolicy`](../../usage/certificate.md#the-rotationpolicy-setting). +- Set defaults for all `spec.privateKey` fields. + +> ℹī¸ Note how these rules tackle the first two of our [uses cases](#use-cases). + +1. First take a look at the `ClusterPolicy`: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-0.yaml + ``` + 🔗 `cpol-mutate-certificates-0.yaml` + +1. Apply the policy to the cluster and check that it is ready: + + ```shell + kubectl apply -f cpol-mutate-certificates-0.yaml + kubectl get cpol + ``` + + When the `ClusterPolicy` is ready the output should look like this: + + ```log + NAME ADMISSION BACKGROUND VALIDATE ACTION READY AGE MESSAGE + mutate-certificates true true Audit True 0s Ready + ``` + +1. 
Now inspect the "test-revision" `Certificate`: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/cert-test-revision.yaml + ``` + 🔗 `cert-test-revision.yaml` + + You can see that we have set the most minimal configuration currently possible, specifying only a DNS name for the certificate, where to save it (`secretName`) and the issuer to use to request the certificate (`issuerRef`). + +1. Use the following command to *dry-run apply* the certificate and then `diff` it against the original resource, to see how the defaults from our `ClusterPolicy` are applied: + + ```shell + kubectl apply -f cert-test-revision.yaml --dry-run=server -o yaml | diff -uZ cert-test-revision.yaml - + ``` + + This command should return some output similar to this example: + + ```yaml + --- cert-test-revision.yaml 2024-01-08 12:14:59.225074232 +0000 + +++ - 2024-01-12 17:37:51.076593214 +0000 + @@ -1,8 +1,14 @@ + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + + annotations: + + kubectl.kubernetes.io/last-applied-configuration: | + + {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-revision","namespace":"default"},"spec":{"dnsNames":["example.com"],"issuerRef":{"group":"cert-manager.io","kind":"ClusterIssuer","name":"not-my-corp-issuer"},"secretName":"test-revision-cert"}} + + creationTimestamp: "2024-01-12T17:37:51Z" + + generation: 1 + name: test-revision + namespace: default + + uid: 9f9a4f0a-4aa7-427d-ae4b-c1716fed8246 + spec: + dnsNames: + - example.com + 
@@ -10,4 +16,10 @@ + group: cert-manager.io + kind: ClusterIssuer + name: not-my-corp-issuer + + privateKey: + + algorithm: ECDSA + + encoding: PKCS1 + + rotationPolicy: Always + + size: 521 + + revisionHistoryLimit: 2 + secretName: test-revision-cert + ``` + + We have successfully defaulted the `privateKey` and `revisionHistoryLimit` fields! + +1. Let's override all of these defaulted fields, to validate that we can still set what we want as an end user. To test this, let's use the "test-revision-override" `Certificate`: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml + ``` + 🔗 `cert-test-revision-override.yaml` + + As before, *dry-run apply* and `diff` the output with the input file: + + ```shell + kubectl apply -f cert-test-revision-override.yaml --dry-run=server -o yaml | diff -uZ cert-test-revision-override.yaml - + ``` + + Here you can see in the output there are no specification changes for the `Certificate` itself. + The `Certificate` already had all the fields defined that our `ClusterPolicy` rules would have affected. + + ```yaml + --- cert-test-revision-override.yaml 2024-01-05 14:45:14.972562067 +0000 + +++ - 2024-01-12 17:39:57.217028745 +0000 + 
@@ -1,8 +1,14 @@ + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + + annotations: + + kubectl.kubernetes.io/last-applied-configuration: | + + {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-revision-override","namespace":"default"},"spec":{"dnsNames":["example.com"],"issuerRef":{"group":"cert-manager.io","kind":"ClusterIssuer","name":"not-my-corp-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS8","rotationPolicy":"Never","size":4096},"revisionHistoryLimit":44,"secretName":"test-revision-override-cert"}} + + creationTimestamp: "2024-01-12T17:39:57Z" + + generation: 1 + name: test-revision-override + namespace: default + + uid: 83a6ddbc-6903-479e-802d-e11149985338 + spec: + dnsNames: + - example.com + ``` + +## 2 - Defaulting required fields + +> ⚠ī¸ This section requires cert-manager v1.14.x or newer to work properly out of the box. +> See the [Appendix](#cert-manager-version-requirement) section for details. + +Now we can set a Kyverno `ClusterPolicy` to apply default values to any of the `Certificate` fields. +This includes the *required* fields. +In our example `ClusterPolicy` we will do two things: + +- Set the relevant `issuerRef` fields to default to use the "our-corp-issuer" `ClusterIssuer`. +- Apply a default `secretName` that is the name of the `Certificate` object suffixed with "-cert". + +> ℹī¸ Note how these rules are tackling the third and fourth [uses cases](#use-cases). + +1. Here is the `ClusterPolicy` resource to set both fields with defaults: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-1.yaml + ``` + 🔗 `cpol-mutate-certificates-1.yaml` + + This `ClusterPolicy` is an extension of the policy we applied previously. + +1. 
Apply this policy: + + ```shell + kubectl apply -f cpol-mutate-certificates-1.yaml + ``` + + You should see that our existing `ClusterPolicy` has been changed: + + ```shell + clusterpolicy.kyverno.io/mutate-certificates configured + ``` + + Get the `ClusterPolicy` to validate it is "Ready": + + ```shell + kubectl get cpol + ``` + + This command should return some output similar to this example: + + ```shell + NAME ADMISSION BACKGROUND VALIDATE ACTION READY AGE MESSAGE + mutate-certificates true true Audit True 6m21s Ready + ``` + +1. Look at the "test-minimal" `Certificate` designed to validate that all our rules within the policy are operative: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml + ``` + 🔗 `cert-test-minimal.yaml` + +1. *Dry-run apply* and `diff` to validate all our defaults have applied to this minimal `Certificate`: + + ```shell + kubectl apply -f cert-test-minimal.yaml --dry-run=server -o yaml | diff -uZ cert-test-minimal.yaml - + ``` + + This command should return some output similar to this example: + + ```yaml + --- cert-test-minimal.yaml 2024-01-05 14:45:07.140668401 +0000 + +++ - 2024-01-12 17:44:08.110290752 +0000 + 
@@ -1,8 +1,25 @@ + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + + annotations: + + kubectl.kubernetes.io/last-applied-configuration: | + + {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-minimal","namespace":"default"},"spec":{"dnsNames":["example.com"]}} + + creationTimestamp: "2024-01-12T17:44:08Z" + + generation: 1 + name: test-minimal + namespace: default + + uid: 792d29c7-8cf3-4f3a-9f12-4fba396e0d6e + spec: + dnsNames: + - example.com + + issuerRef: + + group: cert-manager.io + + kind: ClusterIssuer + + name: our-corp-issuer + + privateKey: + + algorithm: ECDSA + + encoding: PKCS1 + + rotationPolicy: Always + + size: 521 + + revisionHistoryLimit: 2 + + secretName: test-minimal-cert + ``` + + See how we have automatically populated the `spec.issuerRef` and `spec.secretName` field values. + This indicates the Kyverno `ClusterPolicy` has been applied to the supplied `Certificate` resource. + +1. To be absolutely sure we have not enforced any settings, let us explicitly set each property of the `Certificate` for which we have a default rule. We will use the "test-revision-override" `Certificate`: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml + ``` + 🔗 `cert-test-revision-override.yaml` + +1. *Dry-run apply* and `diff` this file: + + ```shell + kubectl apply -f cert-test-revision-override.yaml --dry-run=server -o yaml | diff -uZ cert-test-revision-override.yaml - + ``` + + This command should return some output similar to this example: + + ```yaml + --- cert-test-revision-override.yaml 2024-01-05 14:45:14.972562067 +0000 + +++ - 2024-01-12 17:45:48.261997150 +0000 + 
@@ -1,8 +1,14 @@ + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + + annotations: + + kubectl.kubernetes.io/last-applied-configuration: | + + {"apiVersion":"cert-manager.io/v1","kind":"Certificate","metadata":{"annotations":{},"name":"test-revision-override","namespace":"default"},"spec":{"dnsNames":["example.com"],"issuerRef":{"group":"cert-manager.io","kind":"ClusterIssuer","name":"not-my-corp-issuer"},"privateKey":{"algorithm":"RSA","encoding":"PKCS8","rotationPolicy":"Never","size":4096},"revisionHistoryLimit":44,"secretName":"test-revision-override-cert"}} + + creationTimestamp: "2024-01-12T17:45:48Z" + + generation: 1 + name: test-revision-override + namespace: default + + uid: d0ad7abe-c703-45f7-acf9-634b3a263cfa + spec: + dnsNames: + - example.com + ``` + + From this command you can see that none of the `Certificate` specification fields have been changed. + Only the metadata section has changed which tells us the policies have applied but not set any defaults because values were already provided. + This shows that you retain the flexibility to override the cluster defaults when needed. + +## 3 - Defaulting through Ingress Annotations + +Many cert-manager users don't create `Certificate` resources directly and instead use the [ingress-shim](https://cert-manager.io/docs/usage/ingress/) functionality. +cert-manager creates `Certificate` resources based on the [supported annotations](https://cert-manager.io/docs/usage/ingress/#supported-annotations) and the `Ingress` specification. +Let's see how we can still use `ClusterPolicy` to apply our defaults in this use case. + +1. This example `Ingress` resource has a `cert-manager.io/cluster-issuer` annotation which instructs cert-manager to create a `Certificate` with an `issuerRef` field pointing at a `ClusterIssuer` called `our-corp-issuer`: + + ```yaml file=../../../../public/docs/tutorials/certificate-defaults/ingress.yaml + ``` + 🔗 `ingress.yaml` + +1. 
This annotation and the relevant `ingress.spec.tls` configuration are all we need so apply the resource: + + ```shell + kubectl apply -f ingress.yaml + ``` + +1. Now validate that the `Certificate` resource was automatically generated: + + ```shell + kubectl get cert defaults-example-certificate-tls -o yaml + ``` + + This command should return some output similar to this example: + + ```yaml + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + creationTimestamp: "2024-01-12T17:47:04Z" + generation: 1 + name: defaults-example-certificate-tls + namespace: default + ownerReferences: + - apiVersion: networking.k8s.io/v1 + blockOwnerDeletion: true + controller: true + kind: Ingress + name: defaults-example + uid: bea33a55-a9ed-4664-a56a-a679eb8272c3 + resourceVersion: "584260" + uid: 43ced989-723b-4eac-bad0-f8bead6976df + spec: + dnsNames: + - app.example.com + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: our-corp-issuer + privateKey: + algorithm: ECDSA + encoding: PKCS1 + rotationPolicy: Always + size: 521 + revisionHistoryLimit: 2 + secretName: defaults-example-certificate-tls + usages: + - digital signature + - key encipherment + status: + conditions: + - lastTransitionTime: "2024-01-12T17:47:04Z" + message: Issuing certificate as Secret does not exist + observedGeneration: 1 + reason: DoesNotExist + status: "True" + type: Issuing + - lastTransitionTime: "2024-01-12T17:47:04Z" + message: Issuing certificate as Secret does not exist + observedGeneration: 1 + reason: DoesNotExist + status: "False" + type: Ready + nextPrivateKeySecretName: defaults-example-certificate-tls-nbjws + ``` + +1. You can optionally validate that the "mutate-certificates" `ClusterPolicy` has been applied by viewing the logs of the Kyverno admission controller container. 
+ + ```shell + kubectl logs -n kyverno-system $(kubectl get pod -n kyverno-system -l app.kubernetes.io/component=admission-controller -o jsonpath='{.items[0].metadata.name}') -c kyverno --tail 3 + ``` + + This command should return some output similar to this example: + + ```log + I0112 17:47:04.425863 1 mutation.go:113] webhooks/resource/mutate "msg"="mutation rules from policy applied successfully" "clusterroles"=["cert-manager-controller-approve:cert-manager-io","cert-manager-controller-certificates","cert-manager-controller-certificatesigningrequests","cert-manager-controller-challenges","cert-manager-controller-clusterissuers","cert-manager-controller-ingress-shim","cert-manager-controller-issuers","cert-manager-controller-orders","system:basic-user","system:discovery","system:public-info-viewer","system:service-account-issuer-discovery"] "gvk"={"group":"cert-manager.io","version":"v1","kind":"Certificate"} "gvr"={"group":"cert-manager.io","version":"v1","resource":"certificates"} "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] "uid"="6f93bd8d-29ca-4eab-8e96-065ea82a1bf2" "user"={"username":"system:serviceaccount:cert-manager:cert-manager","uid":"21cbad67-9d2e-44ee-bb02-7fef9aa2e502","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-648cd49b44-z6g8s"],"authentication.kubernetes.io/pod-uid":["4bd741fa-a8ec-48a1-82d5-26c5b7acce5e"]}} + I0112 17:47:04.458402 1 mutation.go:113] webhooks/resource/mutate "msg"="mutation rules from policy applied successfully" 
"clusterroles"=["cert-manager-controller-approve:cert-manager-io","cert-manager-controller-certificates","cert-manager-controller-certificatesigningrequests","cert-manager-controller-challenges","cert-manager-controller-clusterissuers","cert-manager-controller-ingress-shim","cert-manager-controller-issuers","cert-manager-controller-orders","system:basic-user","system:discovery","system:public-info-viewer","system:service-account-issuer-discovery"] "gvk"={"group":"cert-manager.io","version":"v1","kind":"Certificate"} "gvr"={"group":"cert-manager.io","version":"v1","resource":"certificates"} "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] "uid"="ec61a3c9-df0a-4daf-8bc3-227dc80348a9" "user"={"username":"system:serviceaccount:cert-manager:cert-manager","uid":"21cbad67-9d2e-44ee-bb02-7fef9aa2e502","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-648cd49b44-z6g8s"],"authentication.kubernetes.io/pod-uid":["4bd741fa-a8ec-48a1-82d5-26c5b7acce5e"]}} + I0112 17:47:09.477776 1 mutation.go:113] webhooks/resource/mutate "msg"="mutation rules from policy applied successfully" "clusterroles"=["cert-manager-controller-approve:cert-manager-io","cert-manager-controller-certificates","cert-manager-controller-certificatesigningrequests","cert-manager-controller-challenges","cert-manager-controller-clusterissuers","cert-manager-controller-ingress-shim","cert-manager-controller-issuers","cert-manager-controller-orders","system:basic-user","system:discovery","system:public-info-viewer","system:service-account-issuer-discovery"] 
"gvk"={"group":"cert-manager.io","version":"v1","kind":"Certificate"} "gvr"={"group":"cert-manager.io","version":"v1","resource":"certificates"} "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] "uid"="c4384662-cb2a-49a0-8e83-e590942ec48d" "user"={"username":"system:serviceaccount:cert-manager:cert-manager","uid":"21cbad67-9d2e-44ee-bb02-7fef9aa2e502","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-648cd49b44-z6g8s"],"authentication.kubernetes.io/pod-uid":["4bd741fa-a8ec-48a1-82d5-26c5b7acce5e"]}} + ``` + + Taking the last line as an example you can pull out: + + ```log + "kind"="Certificate" "name"="defaults-example-certificate-tls" "namespace"="default" "operation"="UPDATE" "policy"="mutate-certificates" "resource.gvk"={"Group":"cert-manager.io","Version":"v1","Kind":"Certificate"} "roles"=["kube-system:cert-manager:leaderelection"] "rules"=["set-revisionHistoryLimit","set-privateKey-rotationPolicy","set-privateKey-details"] + ``` + + See the `policy` key indicates that our policy has been applied. + In the `rules` section you can identify that three of our five rules have been applied to the generated "defaults-example-certificate-tls" `Certificate` resource. + +When using an `Ingress` resource, you always need to specify the `secretName` from which to load the certificate. +No defaulting is required in this use case because this is a required part of the `Ingress` specification. 
+ +The only additional YAML that a user is required to specify on the `Ingress` resource is the annotation: + +```yaml +cert-manager.io/cluster-issuer: "our-corp-issuer" +``` + +This annotation serves as both the trigger for cert-manager to act upon this `Ingress` and also as the configuration value for the `Certificate.spec.issuerRef` fields. +This single line replaces the need for the user to create a `Certificate` resource entirely. +This results in a reduction of the total YAML required to secure the application behind this `Ingress`. + +# Summary + +This is a fairly simple example of how easy it can be to setup *defaults* for your cluster `Certificate` resources. +We've shown how a `ClusterPolicy` doesn't have to "enforce" settings, rather it can be used to set and extend the default options. +`Certificate` users can reduce their YAML, whilst maintaining the flexibility to override any value when needed. + +We have shown how a simple `ClusterPolicy` with only 5 rules can change the user experience creating `Certificate` resources from: + +```yaml file=../../../../public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml +``` +🔗 `cert-test-revision-override.yaml` + +To instead only need to specify the configuration important to them, for example: + +```yaml file=../../../../public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml +``` +🔗 `cert-test-minimal.yaml` + +With this policy we achieved our objective and have enabled users to submit minimal `Certifiate` resources. +This completes our fifth [use case](#use-cases), with only a single field contained within the specification, the `dnsNames` entry. +Every other specified field was automatically defaulted using Kyverno with `ClusterPolicy` which would typically be setup by a platform administrator. 
+ +# Cleanup + +If you created the kind cluster for this tutorial you can simply run: + +```shell +kind delete cluster --name defaults +``` + +Otherwise to remove all resources deployed in this tutorial: + +```shell +# Assuming you are running from this directly or saved all the files to yamls/ +kubectl delete -f ingress.yaml +kubectl delete -f cpol-mutate-certificates-1.yaml +helm uninstall kyverno -n kyverno-system +helm uninstall cert-manager -n cert-manager +helm uninstall ingress-nginx -n ingress-nginx +``` + +# Appendix + +## cert-manager version requirement + +The behavior of cert-manager's mutating webhook has been changed from v1.14.x onward. +For a more complete explanation and details of the change please refer to [PR #6311](https://github.com/cert-manager/cert-manager/pull/6311). +Instructions for a manual fix can be found [in this comment on PR #6311](https://github.com/cert-manager/cert-manager/pull/6311#issuecomment-1889517418). + +## Presets Feature Request + +For further background reading around setting "defaults" or "presets", you can refer to [issue 2239](ttps://github.com/cert-manager/cert-manager/issues/2239). +This tutorial came out of an investigation of that issue. + +The cert-manager team reasoned that the requested solution could be achieved with the use of other, more generic open-source policy tools. +Kyverno is just one example and similar can be achieved with [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) as an alternative tool. diff --git a/content/docs/usage/certificate.md b/content/docs/usage/certificate.md index 264a798067c..a49c0c53ff9 100644 --- a/content/docs/usage/certificate.md +++ b/content/docs/usage/certificate.md @@ -3,7 +3,7 @@ title: Certificate resource description: 'cert-manager usage: Certificates' --- -> **apiVersion:** cert-manager.io/v1 +> **apiVersion:** cert-manager.io/v1 > **kind:** Certificate
      @@ -74,7 +74,7 @@ spec: usages: - server auth - client auth - # At least one of a DNS Name, URI, or IP address is required. + # At least one of a DNS Name, URI, IP address or otherName is required. dnsNames: - example.com - www.example.com @@ -82,6 +82,11 @@ spec: - spiffe://cluster.local/ns/sandbox/sa/example ipAddresses: - 192.168.0.5 + # Needs cert-manager 1.14+ and "OtherNames" feature flag + otherNames: + # Should only supply oid of ut8 valued types + - oid: 1.3.6.1.4.1.311.20.2.3 # User Principal Name "OID" + utf8Value: upn@example.local # Issuer references are always required. issuerRef: name: ca-issuer @@ -91,6 +96,15 @@ spec: # This is optional since cert-manager will default to this value however # if you are using an external issuer, change this to that issuer group. group: cert-manager.io + + # keystores allows adding additional output formats. This is an example for reference only. + keystores: + pkcs12: + create: true + passwordSecretRef: + name: example-com-tls-keystore + key: password + profile: Modern2023 ``` The signed certificate will be stored in a `Secret` resource named @@ -256,6 +270,52 @@ data: ... ``` +### Creating Certificate With Name Constraints + +Root or Intermediate CA certificates can have name constraints. Name constraints indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. +Checkout https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 for more details on this. + +
      + +⛔ī¸ This feature is only enabled by adding it to the +`--feature-gates` flag on the cert-manager controller and webhook components: + +```bash +--feature-gates=useCertificateRequestNameConstraints=true +``` + +
      + +To create a CA Certificate with name constraints use the following configuration: + +```yaml +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ca-cert-example +spec: + secretName: example-ca-key-pair + isCA: true + issuerRef: + name: selfsigned + kind: ClusterIssuer + commonName: "example1.com" + dnsNames: + - example1.com + nameConstraints: + critical: true + permitted: + dnsDomains: ["example1.com", "example2.com"] + ipRanges: ["10.10.0.0/16"] + emailAddress: ["example@example.org"] + excluded: + ipRanges: ["10.10.0.0/24"] +``` + +Note that when used with cert-manager's built-in CA and SelfSigned Issuer, the SANs (DNS name, IP address, URI, and email address) are not checked with the certificate's own name constraints, and are not checked with any of name constraints contained in the chain of certificates the certificate belongs to. + +The certificate may get issued successfully, but be rejected by clients during TLS handshakes. + ## Issuance triggers diff --git a/content/docs/usage/gateway.md b/content/docs/usage/gateway.md index bb4bf0b6821..6f565cd2754 100644 --- a/content/docs/usage/gateway.md +++ b/content/docs/usage/gateway.md @@ -3,7 +3,7 @@ title: Annotated Gateway resource description: 'cert-manager usage: Kubernetes Gateways' --- -> **apiVersion:** gateway.networking.k8s.io/v1alpha2 +> **apiVersion:** gateway.networking.k8s.io/v1 > **kind:** Gateway
      @@ -23,7 +23,7 @@ HTTP-01](../configuration/acme/http01/README.md).
      -🚧 cert-manager 1.8+ is tested with v1alpha2 Kubernetes Gateway API. It should also work +🚧 cert-manager 1.14+ is tested with v1 Kubernetes Gateway API. It should also work with v1beta1 because of resource conversion, but has not been tested with it.
      @@ -51,7 +51,7 @@ feature flag to the cert-manager controller. To install v1.5.1 Gateway API bundle (Gateway CRDs and webhook), run the following command: ```sh -kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v0.5.1/standard-install.yaml" +kubectl apply -f "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml" ``` To enable the feature in cert-manager, turn on the `GatewayAPI` feature gate: @@ -89,7 +89,7 @@ following Gateway will trigger the creation of a Certificate with the name `example-com-tls`: ```yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: example @@ -157,7 +157,7 @@ In the following example, the first four listener blocks will not be used to generate Certificate resources: ```yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-gateway @@ -165,19 +165,29 @@ metadata: annotations: cert-manager.io/issuer: my-issuer spec: + gatewayClassName: foo listeners: # ❌ Missing "tls" block, the following listener is skipped. - - hostname: example.com + - name: example-1 + port: 80 + protocol: HTTP + hostname: example.com # ❌ Missing "hostname", the following listener is skipped. - - tls: + - name: example-2 + port: 443 + protocol: HTTPS + tls: certificateRefs: - name: example-com-tls - kind: Secret" + kind: Secret group: core # ❌ "mode: Passthrough" is not supported, the following listener is skipped. - - hostname: example.com + - name: example-3 + hostname: example.com + port: 8443 + protocol: HTTPS tls: mode: Passthrough certificateRefs: @@ -186,8 +196,9 @@ spec: group: core # ❌ Cross-namespace secret references are not supported, the following listener is skipped. - - hostname: foo.example.com - port: 443 + - name: example-4 + hostname: foo.example.com + port: 8443 protocol: HTTPS allowedRoutes: namespaces: 
@@ -201,8 +212,9 @@ spec: namespace: other-namespace # ✅ The following listener is valid. - - hostname: foo.example.com # ✅ Required. - port: 443 + - name: example-5 + hostname: bar.example.com # ✅ Required. + port: 8443 protocol: HTTPS allowedRoutes: namespaces: @@ -239,7 +251,7 @@ The same Secret name can be re-used in multiple TLS blocks, regardless of the hostname. Let us imagine that you have these two listeners: ```yaml -apiVersion: gateway.networking.k8s.io/v1alpha2 +apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: example @@ -249,14 +261,10 @@ spec: gatewayClassName: foo listeners: # Listener 1. - - hostname: example.com + - name: example-1 + hostname: example.com port: 443 protocol: HTTPS - routes: - kind: HTTPRoute - parentRefs: - - name: example - kind: Gateway tls: mode: Terminate certificateRefs: @@ -265,14 +273,10 @@ spec: group: core # Listener 2: Same Secret name as Listener 1, with a different hostname. - - hostname: *.example.com + - name: example-2 + hostname: "*.example.com" port: 443 protocol: HTTPS - routes: - kind: HTTPRoute - parentRefs: - - name: example - kind: Gateway tls: mode: Terminate certificateRefs: @@ -281,14 +285,10 @@ spec: group: core # Listener 3: also same Secret name, except the hostname is also the same. - - hostname: *.example.com + - name: example-3 + hostname: "*.example.com" port: 8443 protocol: HTTPS - routes: - kind: HTTPRoute - parentRefs: - - name: example - kind: Gateway tls: mode: Terminate certificateRefs: @@ -297,14 +297,10 @@ spec: group: core # Listener 4: different Secret name. - - hostname: site.org + - name: example-4 + hostname: site.org port: 443 protocol: HTTPS - routes: - kind: HTTPRoute - parentRefs: - - name: example - kind: Gateway tls: mode: Terminate certificateRefs: diff --git a/public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml b/public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml new file mode 100644 index 00000000000..813e070a71a --- /dev/null 
+++ b/public/docs/tutorials/certificate-defaults/cert-test-minimal.yaml @@ -0,0 +1,8 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: test-minimal + namespace: default +spec: + dnsNames: + - example.com diff --git a/public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml b/public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml new file mode 100644 index 00000000000..f901491306a --- /dev/null +++ b/public/docs/tutorials/certificate-defaults/cert-test-revision-override.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: test-revision-override + namespace: default +spec: + dnsNames: + - example.com + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: not-my-corp-issuer + privateKey: + algorithm: RSA + encoding: PKCS8 + rotationPolicy: Never + size: 4096 + revisionHistoryLimit: 44 + secretName: test-revision-override-cert diff --git a/public/docs/tutorials/certificate-defaults/cert-test-revision.yaml b/public/docs/tutorials/certificate-defaults/cert-test-revision.yaml new file mode 100644 index 00000000000..f1f7169169f --- /dev/null +++ b/public/docs/tutorials/certificate-defaults/cert-test-revision.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: test-revision + namespace: default +spec: + dnsNames: + - example.com + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: not-my-corp-issuer + secretName: test-revision-cert diff --git a/public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-0.yaml b/public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-0.yaml new file mode 100644 index 00000000000..82e107082d8 --- /dev/null +++ b/public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-0.yaml 
@@ -0,0 +1,45 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-certificates +spec: + failurePolicy: Fail + rules: + # Set a sane default for the history field if not already present + - name: set-revisionHistoryLimit + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + # +(...) This is the clever syntax for if not already set + +(revisionHistoryLimit): 2 + # Set rotation to always if not already set + - name: set-privateKey-rotationPolicy + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + privateKey: + +(rotationPolicy): Always + # Set private key details for algorithm and size + - name: set-privateKey-details + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + privateKey: + +(algorithm): ECDSA + +(size): 521 + +(encoding): PKCS1 diff --git a/public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-1.yaml b/public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-1.yaml new file mode 100644 index 00000000000..9ad220a7f4d --- /dev/null +++ b/public/docs/tutorials/certificate-defaults/cpol-mutate-certificates-1.yaml 
@@ -0,0 +1,72 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-certificates +spec: + failurePolicy: Fail + rules: + # Set a sane default for the history field if not already present + - name: set-revisionHistoryLimit + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + # +(...) This is the clever syntax for if not already set + +(revisionHistoryLimit): 2 + # Set rotation to always if not already set + - name: set-privateKey-rotationPolicy + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + privateKey: + +(rotationPolicy): Always + # Set private key details for algorithm and size + - name: set-privateKey-details + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + privateKey: + +(algorithm): ECDSA + +(size): 521 + +(encoding): PKCS1 + # Set a secretName when one is not provided + - name: set-default-secret-name + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + # You can read more about this syntax in the Kyverno documentation: + # https://kyverno.io/docs/writing-policies/variables/#variables-from-admission-review-requests + +(secretName): "{{request.object.metadata.name}}-cert" + # Set a default for issuerRef fields + - name: set-default-issuer-ref + match: + any: + - resources: + kinds: + - Certificate + mutate: + patchStrategicMerge: + spec: + +(issuerRef): + name: our-corp-issuer + kind: ClusterIssuer + group: cert-manager.io diff --git a/public/docs/tutorials/certificate-defaults/ingress.yaml b/public/docs/tutorials/certificate-defaults/ingress.yaml new file mode 100644 index 00000000000..d1284808992 --- /dev/null +++ b/public/docs/tutorials/certificate-defaults/ingress.yaml 
@@ -0,0 +1,24 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: "our-corp-issuer" + name: defaults-example + namespace: default +spec: + ingressClassName: nginx + rules: + - host: app.example.com + http: + paths: + - backend: + service: + name: app + port: + number: 80 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - app.example.com + secretName: defaults-example-certificate-tls diff --git a/scripts/gendocs/generate-new-import-path-docs b/scripts/gendocs/generate-new-import-path-docs index 1062e059ea7..7841fbdfd8b 100755 --- a/scripts/gendocs/generate-new-import-path-docs +++ b/scripts/gendocs/generate-new-import-path-docs @@ -73,6 +73,7 @@ genversionwithcli() { genclireference "$2" "cmd/ctl" "cmctl" genclireference "$2" "cmd/controller" "controller" genclireference "$2" "cmd/webhook" "webhook" + genclireference "$2" "cmd/startupapicheck" "startupapicheck" # if any of the above steps succeeded copy over the index file if [ "$2" != "docs" ] && [ -d "$REPO_ROOT/content/$2/cli" ]; then @@ -87,9 +88,11 @@ checkout() { gitdir="${GOPATH}/src/github.com/cert-manager/cert-manager" echo "+++ Cloning cert-manager repository..." git clone "https://github.com/cert-manager/cert-manager.git" "$gitdir" --depth 1 --branch="$branch" - pushd "$gitdir" + cd "$gitdir" echo "+++ Running 'go mod vendor'" go mod vendor + + make go-workspace || true } gendocs() { @@ -105,7 +108,6 @@ gendocs() { "${REPO_ROOT}"/scripts/gendocs/postprocess/api-doc-postprocess.js <"${apidocstmpdir}/${outputdir}/api-docs.md" >"${REPO_ROOT}/content/${outputdir}/reference/api-docs.md" rm -rf vendor/ - popd } # genclireference will attempt to run main.go --help for the target and write the output to a markdown file 
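Review bot: `cd "$gitdir"` in checkout() has no failure handling, so if the clone fails or the directory is missing, `go mod vendor` and `make go-workspace` run in whatever directory the script was started from; unless the script enables `set -e` above this hunk (not visible here), change it to `cd "$gitdir" || { echo "+++ cannot cd to $gitdir" >&2; return 1; }`. With pushd/popd gone (this hunk plus the `popd` removal in the gendocs() hunk on the same line), the working directory now stays inside the clone for the rest of the run, so the relative `rm -rf vendor/` in gendocs() and every later relative path depend on nothing else changing directory in between; a comment on the cd line such as `# NOTE: the rest of the run executes inside the clone; gendocs() relies on this cwd` would make that dependency explicit. `make go-workspace || true` also hides every failure of that target, not only the "target absent on older branches" case it presumably tolerates; if that is the intent, state it in a comment and keep a trace of the failure, e.g. `make go-workspace || echo "+++ make go-workspace failed, continuing" >&2`. checkout() and gendocs() both begin or end outside their hunks.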
@@ -115,13 +117,6 @@ genclireference() { return fi - # hacky way to figure out if the target has the correct structure - # differs between older version but this catches the corner cases - if [[ ! -d "$2/app" ]] && [ ! -d "$2/cmd" ]; then - echo "+++ app directory for $2 does not exist, skipping..." - return - fi - outputdir="$1" target="$2" name="$3" @@ -148,15 +143,16 @@ EOF # This script is _only_ for generating docs for versions of cert-manager with the # github.com/cert-manager/cert-manager import path! -LATEST_VERSION="v1.13-docs" +LATEST_VERSION="docs" # to also upgrade a specific version, use v1.13-docs, v1.12-docs, etc. #genversionwithcli "release-1.8" "v1.8-docs" #genversionwithcli "release-1.9" "v1.9-docs" #genversionwithcli "release-1.10" "v1.10-docs" #genversionwithcli "release-1.11" "v1.11-docs" #genversionwithcli "release-1.12" "v1.12-docs" +#genversionwithcli "release-1.13" "v1.13-docs" -genversionwithcli "release-1.13" "$LATEST_VERSION" +genversionwithcli "release-1.14" "$LATEST_VERSION" # Rather than generate the same docs again for /docs, copy from the latest version
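Review bot: Removing the `$2/app` / `$2/cmd` directory check leaves no visible guard in genclireference() against a target path that does not exist in the checked-out branch, so a missing target (for example the `cmd/startupapicheck` call added in the hunk at line 73 when run against an older branch) would likely fail or emit an empty reference page instead of being skipped; the `return` in the hunk's leading context belongs to a condition outside the hunk, so whether it already covers this cannot be confirmed here. If skipping is still the desired behaviour, a one-line check keeps the old tolerance without the legacy `app` layout special-case: `[ -d "$2" ] || { echo "+++ $2 does not exist, skipping..."; return; }`. The rest of genclireference() lies outside the hunk.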