The cert-manager maintainers at Jetstack are proud to announce the release of cert-manager 1.5. This release coincides with the recent release of Kubernetes v1.22, and supports every version down to and including Kubernetes 1.16, which includes Openshift Container Platform 4.3 - 4.8.
Major themes
Experimental Features
We’ve included two features in cert-manager 1.5 that we are currently working on. These are marked alpha as the implementation could change in future, so have to be explicitly enabled by passing command-line flags to the cert-manager controller pod.
Gateway API
We have seen many requests from users to support different ways of routing HTTP traffic into their clusters for solving ACME HTTP-01 challenges. As the cloud-native ecosystem has so many different ingress implementations, we searched for a solution that would avoid having to add individual support for every kind of virtual service to the cert-manager API, and settled on the sig-network Gateway API.
The Gateway API project aims to provide a universal API for modelling service
networking in Kubernetes, and while it is still in its alpha stages is already
gaining wide
adoption. By
supporting the Gateway API HTTPRoute, we hope that anyone using Ambassador,
Contour, Gloo, HAProxy, Istio, Kong or Traefik will be able to solve HTTP-01
challenges, with more implementations coming in future.
To go along with the HTTPRoute support, we have also added a gateway-shim controller that will allow
users to annotate their Gateways to get a cert-manager Certificate automatically created, similar
to the current ingress-shim functionality.
To start using the Gateway API with cert-manager, please take a look at the Securing Gateway Resources page on the cert-manager website.
CertificateSigningRequests
CertificateSigningRequest is a built-in Kubernetes resource that was originally aimed at requesting X.509 client certificates and serving certificates for Kubernetes components such as kubelet.
We have seen a rising interest in using the CertificateSigningRequest (CSR) resource as a way to provision workload certificates in service meshes such as Istio and its Istio Custom CA Integration using Kubernetes CSR. For that purpose, the CSR resource needs to be integrated with existing signers such as HashiCorp Vault or Venafi TPP.
Back in cert-manager 1.4, the CA Issuer became the first built-in cert-manager issuer to
support signing CertificateSigningRequest resources. In 1.5, we extended the support to all existing Issuers.
If you are interested in trying this out, please take a look at the Kubernetes CertificateSigningRequest documentation on the cert-manager website.
User Experience
Improvements have also been made to the experience of installing and using cert-manager.
kubectl Plugin
cert-manager comes with a kubectl plugin, kubectl cert-manager, that comes in handy for checking the status of your cert-manager Certificate resources.
In 1.5, the plugin was taught how to install cert-manager. To try it out, run the command:
kubectl cert-manager x install
The plugin is now capable of determining when your cert-manager deployment is ready to be used:
kubectl cert-manager check api
The plugin also learned to guess the version of cert-manager running on your cluster, similarly as to kubectl version:
kubectl cert-manager version
To install the plugin, check out the Kubectl plugin page on the cert-manager website.
Helm Chart
While installing cert-manager using Helm, you might have noticed that the --wait flag does not wait until cert-manager is fully functional.
With 1.5, the --wait flag now works as you would expect. The Helm chart now comes with a small startup job that waits until the cert-manager API becomes ready.
Labels and Annotations on Generated Secret and CertificateRequest Resources
cert-manager now allows you to add custom annotations and labels to the Secret
containing the TLS key pair using the new Certificate field secretTemplate.
This is useful when using third-party solutions such as
kubed to copy Secret resources to multiple
namespaces. The secretTemplate is synced to the Secret when the Certificate is
created or renewed.
Here is an example of Certificate using the secretTemplate field:
apiVersion: cert-manager.io/v1
kind: Certificate
spec:
secretTemplate:
annotations:
my-secret-annotation: "foo"
labels:
my-secret-label: bar
Note that labels and annotations can only be added or replaced, but not removed. Removing any labels or annotations from the template or removing the template itself will have no effect.
Along with the ability to set your own annotations and labels on Secret resources created by cert-manager, you can also tell cert-manager which annotations should be copied from Certificate resources to the generated CertificateRequest resources. By default, cert-manager will skip copying the annotations with the following prefixes:
kubectl.kubernetes.io/,fluxcd.io,argocd.argoproj.io.
If you wish to keep the old behavior and allow all annotations to be copied, you
can pass the flag --copied-annotations=* to the cert-manager controller.
API Deprecation
The recent Kubernetes 1.22 release has removed a number of deprecated APIs. You can read the official blog post Kubernetes API and Feature Removals In 1.22 to learn more about it. If you intend to upgrade to Kubernetes 1.22, you must upgrade to cert-manager 1.5.
To keep compatibility with older Kubernetes versions (down to 1.16), cert-manager 1.5 is now compatible with both Ingress v1 and v1beta1. cert-manager will default to using v1 Ingress, and fall back to v1beta1 when v1 is not available.
Additionally, the cert-manager API versions v1alpha2, v1alpha3 and v1beta1 are now deprecated, and will be removed in cert-manager 1.7. Please change all your YAML manifests that use a deprecated API version to use cert-manager.io/v1 instead, and re-apply them.
Community
This is the first time that cert-manager participated in Google Summer of Code. Congratulations to Arsh and Tim for completing their GSoC projects! We hope you both continue to contribute in future.
Thanks again to all open-source contributors with commits in this release. Please see the release notes for cert-manager 1.5 for a complete list.