hashbang / gitops

gitops repo for our kubernetes cluster

cert-manager: update Helm release cert-manager to v1.12.0 #173

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cert-manager | HelmChart | minor | `v1.11.2` -> `v1.12.0` |

Release Notes

cert-manager/cert-manager

### [`v1.12.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.0)

[Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.11.2...v1.12.0)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field.

### Community

Thanks again to all open-source contributors with commits in this release, including:

- [@​malovme](https://togithub.com/malovme)
- [@​e96wic](https://togithub.com/e96wic)
- [@​ExNG](https://togithub.com/ExNG)
- [@​waterfoul](https://togithub.com/waterfoul)
- [@​jkroepke](https://togithub.com/jkroepke)
- [@​andrewsomething](https://togithub.com/andrewsomething)
- [@​yulng](https://togithub.com/yulng)
- [@​tobotg](https://togithub.com/tobotg)
- [@​maumontesilva](https://togithub.com/maumontesilva)
- [@​avi-08](https://togithub.com/avi-08)
- [@​vinzent](https://togithub.com/vinzent)
- [@​TrilokGeer](https://togithub.com/TrilokGeer)
- [@​g-gaston](https://togithub.com/g-gaston)
- [@​james-callahan](https://togithub.com/james-callahan)
- [@​lucacome](https://togithub.com/lucacome)
- [@​yanggangtony](https://togithub.com/yanggangtony)
- [@​vidarno](https://togithub.com/vidarno)
- [@​ctrought](https://togithub.com/ctrought)
- [@​Robfz](https://togithub.com/Robfz)
- [@​dsonck92](https://togithub.com/dsonck92)
- [@​rayandas](https://togithub.com/rayandas)
- [@​olekfur](https://togithub.com/olekfur)
- [@​ptrc-n](https://togithub.com/ptrc-n)
- [@​bradjones1](https://togithub.com/bradjones1)
- [@​gdvalle](https://togithub.com/gdvalle)

Thanks also to the following cert-manager maintainers for their contributions during this release:

- [@​inteon](https://togithub.com/inteon)
- [@​wallrj](https://togithub.com/wallrj)
- [@​maelvls](https://togithub.com/maelvls)
- [@​SgtCoDFish](https://togithub.com/SgtCoDFish)
- [@​irbekrm](https://togithub.com/irbekrm)
- [@​jakexks](https://togithub.com/jakexks)
- [@​JoshVanL](https://togithub.com/JoshVanL)
- [@​munnerz](https://togithub.com/munnerz)

Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack, joined our meetings and talked to us at Kubecon!

Special thanks to [@​erikgb](https://togithub.com/erikgb) for continuously great input and feedback and to [@​lucacome](https://togithub.com/lucacome) for always ensuring that our kube deps are up to date!

Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer).

In addition, massive thanks to [Jetstack](https://www.jetstack.io/) (by [Venafi](https://www.venafi.com/)) for contributing developer time and resources towards the continued maintenance of cert-manager projects.

#### Changes by Kind

##### Feature

- **POTENTIALLY BREAKING**: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. ([#​5880](https://togithub.com/cert-manager/cert-manager/pull/5880), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))
- Added support for JSON logging (using --logging-format=json) ([#​5828](https://togithub.com/cert-manager/cert-manager/pull/5828), [@​malovme](https://togithub.com/malovme))
- Added the `--concurrent-workers` flag that lets you control the number of concurrent workers for each of our controllers. ([#​5936](https://togithub.com/cert-manager/cert-manager/pull/5936), [@​inteon](https://togithub.com/inteon))
- Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. ([#​5801](https://togithub.com/cert-manager/cert-manager/pull/5801), [@​malovme](https://togithub.com/malovme))
- Cainjector:
  - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled.
  - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. ([#​5766](https://togithub.com/cert-manager/cert-manager/pull/5766), [@​irbekrm](https://togithub.com/irbekrm))
- Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). ([#​3931](https://togithub.com/cert-manager/cert-manager/pull/3931), [@​e96wic](https://togithub.com/e96wic))
- Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. ([#​5788](https://togithub.com/cert-manager/cert-manager/pull/5788), [@​ExNG](https://togithub.com/ExNG))
- Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. ([#​5668](https://togithub.com/cert-manager/cert-manager/pull/5668), [@​waterfoul](https://togithub.com/waterfoul))
- Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. ([#​5614](https://togithub.com/cert-manager/cert-manager/pull/5614), [@​jkroepke](https://togithub.com/jkroepke))
- The DigitalOcean issuer now sets a cert-manager user agent string. ([#​5869](https://togithub.com/cert-manager/cert-manager/pull/5869), [@​andrewsomething](https://togithub.com/andrewsomething))
- The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to [@​dsonck92](https://togithub.com/dsonck92) for implementing the initial PR. ([#​5849](https://togithub.com/cert-manager/cert-manager/pull/5849), [@​maelvls](https://togithub.com/maelvls))
- The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. ([#​5502](https://togithub.com/cert-manager/cert-manager/pull/5502), [@​maelvls](https://togithub.com/maelvls))
- The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. ([#​5962](https://togithub.com/cert-manager/cert-manager/pull/5962), [@​wallrj](https://togithub.com/wallrj))
- Upgraded Gateway API to v0.6.0. ([#​5768](https://togithub.com/cert-manager/cert-manager/pull/5768), [@​yulng](https://togithub.com/yulng))
- Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) ([#​5975](https://togithub.com/cert-manager/cert-manager/pull/5975), [@​tobotg](https://togithub.com/tobotg))

##### Design

- Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. This is not necessarily a breaking change as due to a race condition this may already have been the case. ([#​5887](https://togithub.com/cert-manager/cert-manager/pull/5887), [@​irbekrm](https://togithub.com/irbekrm))
- The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. ([#​5991](https://togithub.com/cert-manager/cert-manager/pull/5991), [@​inteon](https://togithub.com/inteon))

##### Documentation

- Helm: the dead links in `values.yaml` are now working ([#​5999](https://togithub.com/cert-manager/cert-manager/pull/5999), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))

##### Bug or Regression

- Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied ([#​5896](https://togithub.com/cert-manager/cert-manager/pull/5896), [@​maumontesilva](https://togithub.com/maumontesilva))
- Cmctl: In order to work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. ([#​5720](https://togithub.com/cert-manager/cert-manager/pull/5720), [@​irbekrm](https://togithub.com/irbekrm))
- Fix development environment and go vendoring on Linux arm64. ([#​5810](https://togithub.com/cert-manager/cert-manager/pull/5810), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))
- Fix ordering of remote git tags when preparing integration tests ([#​5910](https://togithub.com/cert-manager/cert-manager/pull/5910), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))
- Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. ([#​5693](https://togithub.com/cert-manager/cert-manager/pull/5693), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))
- Ingress and Gateway resources will not be synced if deleted via [foreground cascading](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion). ([#​5878](https://togithub.com/cert-manager/cert-manager/pull/5878), [@​avi-08](https://togithub.com/avi-08))
- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 ([#​5674](https://togithub.com/cert-manager/cert-manager/issues/5674)) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slow down the issuance of certificates by 9% in case of heavy load on TPP. We aim to release at an ulterior date a patch release of cert-manager to fix this slowdown. ([#​5805](https://togithub.com/cert-manager/cert-manager/pull/5805), [@​inteon](https://togithub.com/inteon))
- Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images ([#​5813](https://togithub.com/cert-manager/cert-manager/pull/5813), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))
- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loops trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. ([#​5972](https://togithub.com/cert-manager/cert-manager/pull/5972), [@​vinzent](https://togithub.com/vinzent))
- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. ([#​5747](https://togithub.com/cert-manager/cert-manager/pull/5747), [@​inteon](https://togithub.com/inteon))

##### Other (Cleanup or Flake)

- ACME account registration is now re-verified if account key is manually changed. ([#​5949](https://togithub.com/cert-manager/cert-manager/pull/5949), [@​TrilokGeer](https://togithub.com/TrilokGeer))
- Add `make go-workspace` target for generating a go.work file for local development ([#​5935](https://togithub.com/cert-manager/cert-manager/pull/5935), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))
- Added a Makefile target to build a standalone E2E test binary: make e2e-build ([#​5804](https://togithub.com/cert-manager/cert-manager/pull/5804), [@​wallrj](https://togithub.com/wallrj))
- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history ([#​5724](https://togithub.com/cert-manager/cert-manager/pull/5724), [@​g-gaston](https://togithub.com/g-gaston))
- Bump the distroless base images ([#​5929](https://togithub.com/cert-manager/cert-manager/pull/5929), [@​maelvls](https://togithub.com/maelvls))
- Bumps base images ([#​5793](https://togithub.com/cert-manager/cert-manager/pull/5793), [@​irbekrm](https://togithub.com/irbekrm))
- Cainjector memory improvements: removes second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices that should reduce memory consumption by about half. **BREAKING:** users who are relying on cainjector to work when `certificates.cert-manager.io` CRD is not installed in the cluster, now need to pass `--watch-certificates=false` flag to cainjector else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in cluster can pass `--watch-certificates=false` to avoid cainjector from caching `Certificate` resources and save some memory. ([#​5746](https://togithub.com/cert-manager/cert-manager/pull/5746), [@​irbekrm](https://togithub.com/irbekrm))
- Cainjector now only reconciles annotated objects of injectable kind. ([#​5764](https://togithub.com/cert-manager/cert-manager/pull/5764), [@​irbekrm](https://togithub.com/irbekrm))
- Container images now have an OCI source label ([#​5722](https://togithub.com/cert-manager/cert-manager/pull/5722), [@​james-callahan](https://togithub.com/james-callahan))
- Enable cmctl to be imported by third parties ([#​6050](https://togithub.com/cert-manager/cert-manager/pull/6050), [@​jetstack-bot](https://togithub.com/jetstack-bot))
- The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. ([#​5754](https://togithub.com/cert-manager/cert-manager/pull/5754), [@​wallrj](https://togithub.com/wallrj))
- The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. ([#​5824](https://togithub.com/cert-manager/cert-manager/pull/5824), [@​irbekrm](https://togithub.com/irbekrm))
- The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. ([#​5966](https://togithub.com/cert-manager/cert-manager/pull/5966), [@​irbekrm](https://togithub.com/irbekrm))
- The controller now makes fewer calls to the ACME server. **POTENTIALLY BREAKING**: this PR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. ([#​5901](https://togithub.com/cert-manager/cert-manager/pull/5901), [@​irbekrm](https://togithub.com/irbekrm))
- The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. ([#​5976](https://togithub.com/cert-manager/cert-manager/pull/5976), [@​irbekrm](https://togithub.com/irbekrm))
- The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. ([#​6006](https://togithub.com/cert-manager/cert-manager/pull/6006), [@​vidarno](https://togithub.com/vidarno))
- Updates Kubernetes libraries to `v0.26.2`. ([#​5820](https://togithub.com/cert-manager/cert-manager/pull/5820), [@​lucacome](https://togithub.com/lucacome))
- Updates Kubernetes libraries to `v0.26.3`. ([#​5907](https://togithub.com/cert-manager/cert-manager/pull/5907), [@​lucacome](https://togithub.com/lucacome))
- Updates Kubernetes libraries to `v0.27.1`. ([#​5961](https://togithub.com/cert-manager/cert-manager/pull/5961), [@​lucacome](https://togithub.com/lucacome))
- Updates base images ([#​5832](https://togithub.com/cert-manager/cert-manager/pull/5832), [@​irbekrm](https://togithub.com/irbekrm))
- Upgrade to Go 1.20 ([#​5969](https://togithub.com/cert-manager/cert-manager/pull/5969), [@​wallrj](https://togithub.com/wallrj))
- Upgrade to go 1.19.5 ([#​5712](https://togithub.com/cert-manager/cert-manager/pull/5712), [@​yanggangtony](https://togithub.com/yanggangtony))
- Validates that `certificate.spec.secretName` is a valid `Secret` name ([#​5967](https://togithub.com/cert-manager/cert-manager/pull/5967), [@​avi-08](https://togithub.com/avi-08))
- We are now testing with Kubernetes v1.27.1 by default. ([#​5979](https://togithub.com/cert-manager/cert-manager/pull/5979), [@​irbekrm](https://togithub.com/irbekrm))
- `certificate.spec.secretName` Secrets will now be labelled with `controller.cert-manager.io/fao` label ([#​5660](https://togithub.com/cert-manager/cert-manager/pull/5660), [@​irbekrm](https://togithub.com/irbekrm))

##### Uncategorized

- We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. ([#​6000](https://togithub.com/cert-manager/cert-manager/pull/6000), [@​SgtCoDFish](https://togithub.com/SgtCoDFish))

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
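Two of the v1.12.0 notes above call for an operator check before this bump is merged: Challenge names are now computed differently, so there should be no in-progress ACME issuance at upgrade time, and `SecretsFilteredCaching` serves unlabelled issuer Secrets straight from kube-apiserver unless they carry `controller.cert-manager.io/fao: "true"`. The script below is an added example written for this review, not code from the Renovate PR or the cert-manager project. It consumes the JSON that `kubectl get challenges.acme.cert-manager.io -A -o json`, `kubectl get issuers,clusterissuers -A -o json` and `kubectl get secrets -A -o json` would return (here replaced by constructed sample documents) and reports in-flight Challenges and issuer Secrets that are missing or unlabelled. The set of Secret-reference paths it inspects and the `cert-manager` namespace used for ClusterIssuer Secrets are assumptions (the Helm default cluster-resource namespace); a Vault issuer using the new `serviceAccountRef` needs no Secret and is simply not listed.

```python
"""Pre-upgrade readiness check for a cert-manager v1.11 -> v1.12 Helm bump.

Added example (not from the PR or from cert-manager). Input documents are
shaped like `kubectl get <kind> -A -o json` output; the samples are constructed.
"""
import json

FAO_LABEL = "controller.cert-manager.io/fao"
# Challenge states cert-manager treats as final; anything else is still in flight.
TERMINAL_STATES = {"valid", "invalid", "expired", "errored"}
# Namespace where ClusterIssuer-referenced Secrets live (Helm default; assumption).
CLUSTER_RESOURCE_NAMESPACE = "cert-manager"
# Issuer spec paths that point at a Secret (assumed subset of the issuer API).
SECRET_REF_PATHS = [
    ("acme", "privateKeySecretRef", "name"),
    ("ca", "secretName"),
    ("vault", "auth", "tokenSecretRef", "name"),
    ("vault", "auth", "appRole", "secretRef", "name"),
    ("vault", "auth", "kubernetes", "secretRef", "name"),
]

# --- constructed sample data -------------------------------------------------
SAMPLE_CHALLENGES = json.loads("""
{"items": [
  {"metadata": {"namespace": "apps",  "name": "example-com-abc123"}, "status": {"state": "pending"}},
  {"metadata": {"namespace": "apps",  "name": "old-cert-def456"},    "status": {"state": "valid"}},
  {"metadata": {"namespace": "infra", "name": "dash-ghi789"},        "status": {}}
]}""")

SAMPLE_ISSUERS = json.loads("""
{"items": [
  {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt"},
   "spec": {"acme": {"privateKeySecretRef": {"name": "letsencrypt-account-key"}}}},
  {"kind": "Issuer", "metadata": {"namespace": "apps", "name": "internal"},
   "spec": {"ca": {"secretName": "internal-ca"}}},
  {"kind": "Issuer", "metadata": {"namespace": "apps", "name": "vault"},
   "spec": {"vault": {"auth": {"tokenSecretRef": {"name": "vault-token"}}}}}
]}""")

SAMPLE_SECRETS = json.loads("""
{"items": [
  {"metadata": {"namespace": "cert-manager", "name": "letsencrypt-account-key",
                "labels": {"controller.cert-manager.io/fao": "true"}}},
  {"metadata": {"namespace": "apps", "name": "internal-ca"}},
  {"metadata": {"namespace": "apps", "name": "vault-token", "labels": {}}}
]}""")


def in_flight_challenges(challenges):
    """Return 'namespace/name (state)' for every Challenge not in a terminal state.

    A Challenge with no status.state yet is reported as 'unknown' and counts
    as in flight, since the controller has not finished with it either.
    """
    out = []
    for item in challenges.get("items", []):
        meta = item["metadata"]
        state = item.get("status", {}).get("state") or "unknown"
        if state not in TERMINAL_STATES:
            out.append(f"{meta['namespace']}/{meta['name']} ({state})")
    return sorted(out)


def ready_to_upgrade(challenges):
    """True only when no ACME issuance is in progress."""
    return not in_flight_challenges(challenges)


def _dig(obj, path):
    """Walk nested dicts along `path`; None if any key is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def issuer_secret_refs(issuers):
    """Return {(namespace, secret_name)} for every Secret an Issuer/ClusterIssuer references."""
    refs = set()
    for item in issuers.get("items", []):
        if item.get("kind") == "Issuer":
            namespace = item["metadata"].get("namespace")
        else:  # ClusterIssuer: Secrets are read from the cluster resource namespace
            namespace = CLUSTER_RESOURCE_NAMESPACE
        for path in SECRET_REF_PATHS:
            name = _dig(item.get("spec", {}), path)
            if name:
                refs.add((namespace, name))
    return refs


def unlabelled_issuer_secrets(issuers, secrets):
    """Issuer Secrets that are missing or lack the fao=true label, as 'namespace/name'."""
    wanted = issuer_secret_refs(issuers)
    labelled = {
        (s["metadata"]["namespace"], s["metadata"]["name"])
        for s in secrets.get("items", [])
        if (s["metadata"].get("labels") or {}).get(FAO_LABEL) == "true"
    }
    return sorted(f"{ns}/{name}" for ns, name in wanted - labelled)


if __name__ == "__main__":
    print("in-flight challenges:", in_flight_challenges(SAMPLE_CHALLENGES))
    print("unlabelled issuer secrets:", unlabelled_issuer_secrets(SAMPLE_ISSUERS, SAMPLE_SECRETS))
    print("safe to upgrade now:", ready_to_upgrade(SAMPLE_CHALLENGES))
```

On the sample data the check refuses the upgrade (one Challenge is `pending`, one has no state yet) and flags `apps/internal-ca` and `apps/vault-token` for labelling; against a live cluster you would feed it the three `kubectl ... -o json` documents instead of the constructed ones.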