From 5eefde8e462c0adde660faa4fdb239f6d16205c7 Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Mon, 2 Sep 2019 11:26:50 +0100 Subject: [PATCH] Add v0.10.0 release notes and bump versions Signed-off-by: James Munnelly --- deploy/charts/cert-manager/README.md | 6 +- .../release-0.10/draft-release-notes.md | 138 ++++++++++++++++++ docs/getting-started/install/kubernetes.rst | 4 +- docs/getting-started/install/openshift.rst | 2 +- docs/getting-started/webhook.rst | 8 +- docs/tutorials/acme/quick-start/index.rst | 2 +- 6 files changed, 149 insertions(+), 11 deletions(-) create mode 100644 design/release-notes/release-0.10/draft-release-notes.md diff --git a/deploy/charts/cert-manager/README.md b/deploy/charts/cert-manager/README.md index f891a77aa..10ff70ed0 100644 --- a/deploy/charts/cert-manager/README.md +++ b/deploy/charts/cert-manager/README.md @@ -83,7 +83,7 @@ The following table lists the configurable parameters of the cert-manager chart | `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | -| `image.tag` | Image tag | `v0.10.0-alpha.0` | +| `image.tag` | Image tag | `v0.10.0` | | `image.pullPolicy` | Image pull policy | `IfNotPresent` | | `replicaCount` | Number of cert-manager replicas | `1` | | `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod 
@@ -127,7 +127,7 @@ The following table lists the configurable parameters of the cert-manager chart | `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | | | `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` | | `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | -| `webhook.image.tag` | Webhook image tag | `v0.10.0-alpha.0` | +| `webhook.image.tag` | Webhook image tag | `v0.10.0` | | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | | `webhook.injectAPIServerCA` | if true, the apiserver's CABundle will be automatically injected into the ValidatingWebhookConfiguration resource | `true` | | `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` | @@ -137,7 +137,7 @@ The following table lists the configurable parameters of the cert-manager chart | `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | | | `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` | | `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | -| `cainjector.image.tag` | cainjector image tag | `v0.10.0-alpha.0` | +| `cainjector.image.tag` | cainjector image tag | `v0.10.0` | | `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. diff --git a/design/release-notes/release-0.10/draft-release-notes.md b/design/release-notes/release-0.10/draft-release-notes.md new file mode 100644 index 000000000..706144027 --- /dev/null +++ b/design/release-notes/release-0.10/draft-release-notes.md 
@@ -0,0 +1,138 @@ +The v0.10 release comes quick on the heels of v0.9. It continues the work on +the new CertificateRequest resource type, moving us towards a world where +out-of-tree Issuer types are first class citizens. + +As a project, we're pushing towards a 'stable' API release and eventually, a +v1.0 release. This release, and the releases to follow over the coming months, +lay the foundation for these milestones. Keep an eye on the releases page over +the coming months for some exciting new developments! + +You can get started using the new CertificateRequest controllers by enabling +the `CertificateRequestControllers` feature gate - all Issuer types are now +supported, and your feedback is extremely valuable before we switch the new +implementation to be the default in v0.11! + +We've also simplified the way we bootstrap TLS certificates for the 'webhook' +component. Now, instead of creating an Issuer and Certificate resource for the +webhook (requiring you to disable validation on the cert-manager namespace), +we've implemented a dedicated 'webhookbootstrap' controller which will manage +TLS assets for the webhook. + +--- + +This release includes changes from: + +* Alejandro Garrido Mota +* Alpha +* Hans Kristian Flaatten +* James Munnelly +* Jonas-Taha El Sesiy +* JoshVanL +* Marcello Romani +* Moritz Johner +* Nicolas Kowenski +* Olaf Klischat +* Vasilis Remmas +* stuart.warren +* zeeZ + +## Notable Items + +### All Issuer types now supported with CertificateRequests + +The CertificateRequest design proposal, first implemented in v0.9, changes the +way we request certificates from Issuers in order to allow out-of-tree Issuer +types. +This required us to refactor and adapt our existing in-tree Issuer types to +follow a similar pattern. + +The v0.10 release finishes this refactoring so that all Issuer types now +support the new format. 
+ +As the feature is currently still in an 'alpha' state, you must set the +`issuerRef.group` field on your Certificate resources to `certmanager.k8s.io`, +as well as enabling the `CertificateRequestControllers` feature gate on the +`controller` component of cert-manager. + +### Simplified webhook TLS bootstrapping + +In past releases, we've managed TLS for the webhook component by creating an +internal self signed and CA issuer that is used to mint serving certificates +for the apiserver to authenticate the webhook's identity. + +This introduced a number of complexities in our installation process and has +caused trouble for users in the past. + +In order to simplify this process and to support running a CRD conversion +webhook in future (to provide seamless migration between API versions), we've +introduced a dedicated `webhookbootstrap` controller that relies on flags and +Secret resources in order to configure TLS for the webhook. + +This will mean easier installation as well as future-proofing for our upcoming +plans in future releases. + +### KeyUsages on Certificate resources + +In order to support a more diverse set of applications, including apps that +require client-auth certificates, a new field `keyUsages` has been added which +accepts a list of usages that must be present on a Certificate. + +These will be automatically added when certificates are issued, just like any +other field on the Certificate. + +Thanks to Stuart Warren from Ocado for this change! + +### Preparation for v1alpha2 and beyond + +Over the last few releases, we've been making a number of significant changes +to our API types (i.e. moving ACME configuration from Certificate resources +onto the Issuer resource). This has involved deprecating some old API fields. + +In a future release, we'll be removing these deprecated fields altogether, +requiring users to update their manifests to utilise the new way to specify +configuration. 
+ +A number of steps have been taken in our own codebase to support this change, +and in a future release, you'll be required to update *all* your manifests for +this new format. Future API revisions (e.g. v1beta1 and v1) will be +automatically converted using a Kubernetes conversion webhook (available in +beta from Kubernetes 1.15 onwards). + +## Action Required + +No special actions are required as part of this release. + +## Changelog + +### General + +- Add DisableDeprecatedACMECertificates feature gate to disable the old deprecated ACME config format ([#1923](https://github.com/jetstack/cert-manager/pull/1923), [@munnerz](https://github.com/munnerz)) +- chart: fix formatting of values table in README.md ([#1936](https://github.com/jetstack/cert-manager/pull/1936), [@Starefossen](https://github.com/Starefossen)) +- Add internal API version and implement machinery for defaulting & conversion ([#2002](https://github.com/jetstack/cert-manager/pull/2002), [@munnerz](https://github.com/munnerz)) +- Fix concurrent map write panic in certificates controller ([#1980](https://github.com/jetstack/cert-manager/pull/1980), [@munnerz](https://github.com/munnerz)) +- cainjector: allow injecting CAs directly from Secret resources ([#1990](https://github.com/jetstack/cert-manager/pull/1990), [@munnerz](https://github.com/munnerz)) +- Mark 'spec' and 'status' as non-required fields in CRDs ([#1957](https://github.com/jetstack/cert-manager/pull/1957), [@munnerz](https://github.com/munnerz)) +- Add ability to specify key usages and extended key usages in certificates ([#1996](https://github.com/jetstack/cert-manager/pull/1996), [@stuart-warren](https://github.com/stuart-warren)) + +### ACME Issuer + +- Add option to assume role in Route53 DNS01 provider ([#1917](https://github.com/jetstack/cert-manager/pull/1917), [@moolen](https://github.com/moolen)) +- Fix documentation for AzureDNS service principal creation ([#1960](https://github.com/jetstack/cert-manager/pull/1960), 
[@elsesiy](https://github.com/elsesiy)) + +### Webhook + +- Use dedicated controller for webhook TLS bootstrapping ([#1993](https://github.com/jetstack/cert-manager/pull/1993), [@munnerz](https://github.com/munnerz)) + +### CertificateRequest + +- Add ACME CertificateRequest controller implementation ([#1943](https://github.com/jetstack/cert-manager/pull/1943), [@JoshVanL](https://github.com/JoshVanL)) +- Add Vault CertificateRequest controller implementation ([#1934](https://github.com/jetstack/cert-manager/pull/1934), [@JoshVanL](https://github.com/JoshVanL)) +- Add SelfSigned CertificateRequest controller implementation ([#1906](https://github.com/jetstack/cert-manager/pull/1906), [@JoshVanL](https://github.com/JoshVanL)) +- Add Venafi CertificateRequest controller implementation ([#1968](https://github.com/jetstack/cert-manager/pull/1968), [@JoshVanL](https://github.com/JoshVanL)) +- Don't validate issuerRef.kind field if issuerRef.group is set in order to support out-of-tree Issuer types ([#1949](https://github.com/jetstack/cert-manager/pull/1949), [@munnerz](https://github.com/munnerz)) +- Adds CertificateRequest FailureTime. The Certificate controller will re-try failed CertificateRequests at least one hour after this failed time. ([#1979](https://github.com/jetstack/cert-manager/pull/1979), [@JoshVanL](https://github.com/JoshVanL)) + +### Monitoring + +- Added variable to specify custom namespace where to deploy ServiceMonitor resource ([#1970](https://github.com/jetstack/cert-manager/pull/1970), [@mogaal](https://github.com/mogaal)) +- helm: fix labels and add Service for Prometheus ServiceMonitor ([#1942](https://github.com/jetstack/cert-manager/pull/1942), [@Starefossen](https://github.com/Starefossen)) diff --git a/docs/getting-started/install/kubernetes.rst b/docs/getting-started/install/kubernetes.rst index b8f7e5b23..10411a773 100644 --- a/docs/getting-started/install/kubernetes.rst +++ b/docs/getting-started/install/kubernetes.rst 
@@ -57,7 +57,7 @@ are included in a single YAML manifest file: .. code-block:: shell # Install the CustomResourceDefinitions and cert-manager itself - kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager.yaml + kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml .. note:: If you are running kubectl v1.12 or below, you will need to add the @@ -133,7 +133,7 @@ In order to install the Helm chart, you must run: helm install \ --name cert-manager \ --namespace cert-manager \ - --version v0.10.0-alpha.0 \ + --version v0.10.0 \ jetstack/cert-manager The default cert-manager configuration is good for the majority of users, but a diff --git a/docs/getting-started/install/openshift.rst b/docs/getting-started/install/openshift.rst index d8ca501df..58680627b 100644 --- a/docs/getting-started/install/openshift.rst +++ b/docs/getting-started/install/openshift.rst @@ -69,7 +69,7 @@ are included in a single YAML manifest file: .. code-block:: shell # Install the CustomResourceDefinitions and cert-manager itself - oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager-openshift.yaml + oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager-openshift.yaml .. note:: The ``--validate=false`` flag is added to the ``oc apply`` command above diff --git a/docs/getting-started/webhook.rst b/docs/getting-started/webhook.rst index 2a3583bce..75733c4b8 100644 --- a/docs/getting-started/webhook.rst +++ b/docs/getting-started/webhook.rst 
@@ -193,14 +193,14 @@ To re-install cert-manager without the webhook, run: .. code-block:: shell - kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager.yaml + kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml - kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager-no-webhook.yaml + kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager-no-webhook.yaml Once you have re-installed cert-manager, you should then :doc:`restore your configuration `. -.. _`cert-manager.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager.yaml -.. _`cert-manager-no-webhook.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager-no-webhook.yaml +.. _`cert-manager.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml +.. _`cert-manager-no-webhook.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager-no-webhook.yaml .. _`GKE docs`: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules .. _`ValidatingWebhookConfiguration`: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/ diff --git a/docs/tutorials/acme/quick-start/index.rst b/docs/tutorials/acme/quick-start/index.rst index 0408913a8..8689db434 100644 --- a/docs/tutorials/acme/quick-start/index.rst +++ b/docs/tutorials/acme/quick-start/index.rst @@ -370,7 +370,7 @@ install cert-manager. This example installed cert-manager into the $ helm install \ --name cert-manager \ --namespace cert-manager \ - --version v0.10.0-alpha.0 \ + --version v0.10.0 \ jetstack/cert-manager NAME: cert-manager
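Review bot: In deploy/charts/cert-manager/README.md the documented defaults for `image.tag`, `webhook.image.tag` and `cainjector.image.tag` change to `v0.10.0`, but the diffstat lists only this README from the chart directory, so nothing in this patch changes the values the chart actually ships. If the chart defaults are stamped at release time, say so in the commit message; otherwise bump them in the same commit so the table and the deployed images cannot disagree.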
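Review bot: The "Action Required" section of draft-release-notes.md says no special actions are required, yet the text above it describes things an upgrader may have to deal with: the introduction says the old webhook setup required disabling validation on the cert-manager namespace, and "Simplified webhook TLS bootstrapping" replaces the Issuer and Certificate that earlier releases created for the webhook. Say whether upgraders should remove those leftover resources and re-enable validation on the namespace, or state explicitly that the upgrade takes care of it. The same section says the `webhookbootstrap` controller "relies on flags and Secret resources" without naming them; since those Secrets carry the webhook's TLS material, name them or link to the docs so operators can review access to them.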
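Review bot: In docs/getting-started/webhook.rst the `kubectl delete -f` line now points at the v0.10.0 `cert-manager.yaml`, and a delete by manifest only removes what that manifest defines. The release notes in this same patch say earlier releases created an Issuer and Certificate for the webhook that v0.10 no longer uses, so a cluster installed from an older manifest may keep them after this delete. Consider telling the reader to delete with the manifest for the version they installed, then apply the v0.10.0 `cert-manager-no-webhook.yaml`.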
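Review bot: The release tag is hand-edited in eight places across kubernetes.rst, openshift.rst, webhook.rst and quick-start/index.rst (download URLs, link targets and `--version` flags), which makes a partial bump easy to miss on the next release. Consider a release-time check that fails if the previous tag (here `v0.10.0-alpha.0`) still appears anywhere under docs/ or deploy/, or a single value the docs build expands, so the install commands and the link targets in webhook.rst cannot drift apart.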