Merge pull request #2028 from munnerz/010-release

Add v0.10.0 release notes and bump versions

deploy/charts/cert-manager/README.md

@@ -83,7 +83,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
 | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
 | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
-| `image.tag` | Image tag | `v0.10.0-alpha.0` |
+| `image.tag` | Image tag | `v0.10.0` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
 | `replicaCount`  | Number of cert-manager replicas  | `1` |
 | `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod
@@ -127,7 +127,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | |
 | `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
 | `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
-| `webhook.image.tag` | Webhook image tag | `v0.10.0-alpha.0` |
+| `webhook.image.tag` | Webhook image tag | `v0.10.0` |
 | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
 | `webhook.injectAPIServerCA` | if true, the apiserver's CABundle will be automatically injected into the ValidatingWebhookConfiguration resource | `true` |
 | `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
@@ -137,7 +137,7 @@ The following table lists the configurable parameters of the cert-manager chart
 | `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | |
 | `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
 | `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
-| `cainjector.image.tag` | cainjector image tag | `v0.10.0-alpha.0` |
+| `cainjector.image.tag` | cainjector image tag | `v0.10.0` |
 | `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

design/release-notes/release-0.10/draft-release-notes.md

@@ -0,0 +1,138 @@
+The v0.10 release comes quick on the heels of v0.9. It continues the work on
+the new CertificateRequest resource type, moving us towards a world where
+out-of-tree Issuer types are first class citizens.
+
+As a project, we're pushing towards a 'stable' API release and eventually, a
+v1.0 release. This release, and the releases to follow over the coming months,
+lay the foundation for these milestones. Keep an eye on the releases page over
+the coming months for some exciting new developments!
+
+You can get started using the new CertificateRequest controllers by enabling
+the `CertificateRequestControllers` feature gate - all Issuer types are now
+supported, and your feedback is extremely valuable before we switch the new
+implementation to be the default in v0.11!
+
+We've also simplified the way we bootstrap TLS certificates for the 'webhook'
+component. Now, instead of creating an Issuer and Certificate resource for the
+webhook (requiring you to disable validation on the cert-manager namespace),
+we've implemented a dedicated 'webhookbootstrap' controller which will manage
+TLS assets for the webhook.
+
+---
+
+This release includes changes from:
+
+* Alejandro Garrido Mota
+* Alpha
+* Hans Kristian Flaatten
+* James Munnelly
+* Jonas-Taha El Sesiy
+* JoshVanL
+* Marcello Romani
+* Moritz Johner
+* Nicolas Kowenski
+* Olaf Klischat
+* Vasilis Remmas
+* stuart.warren
+* zeeZ
+
+## Notable Items
+
+### All Issuer types now supported with CertificateRequests
+
+The CertificateRequest design proposal, first implemented in v0.9, changes the
+way we request certificates from Issuers in order to allow out-of-tree Issuer
+types.
+This required us to refactor and adapt our existing in-tree Issuer types to
+follow a similar pattern.
+
+The v0.10 release finishes this refactoring so that all Issuer types now
+support the new format.
+
+As the feature is currently still in an 'alpha' state, you must set the
+`issuerRef.group` field on your Certificate resources to `certmanager.k8s.io`,
+as well as enabling the `CertificateRequestControllers` feature gate on the
+`controller` component of cert-manager.
+
+### Simplified webhook TLS bootstrapping
+
+In past releases, we've managed TLS for the webhook component by creating an
+internal self signed and CA issuer that is used to mint serving certificates
+for the apiserver to authenticate the webhook's identity.
+
+This introduced a number of complexities in our installation process and has
+caused trouble for users in the past.
+
+In order to simplify this process and to support running a CRD conversion
+webhook in future (to provide seamless migration between API versions), we've
+introduced a dedicated `webhookbootstrap` controller that relies on flags and
+Secret resources in order to configure TLS for the webhook.
+
+This will mean easier installation as well as future-proofing for our upcoming
+plans in future releases.
+
+### KeyUsages on Certificate resources
+
+In order to support a more diverse set of applications, including apps that
+require client-auth certificates, a new field `keyUsages` has been added which
+accepts a list of usages that must be present on a Certificate.
+
+These will be automatically added when certificates are issued, just like any
+other field on the Certificate.
+
+Thanks to Stuart Warren from Ocado for this change!
+
+### Preparation for v1alpha2 and beyond
+
+Over the last few releases, we've been making a number of significant changes
+to our API types (i.e. moving ACME configuration from Certificate resources
+onto the Issuer resource). This has involved deprecating some old API fields.
+
+In a future release, we'll be removing these deprecated fields altogether,
+requiring users to update their manifests to utilise the new way to specify
+configuration.
+
+A number of steps have been taken in our own codebase to support this change,
+and in a future release, you'll be required to update **all** your manifests for
+this new format. Future API revisions (e.g. v1beta1 and v1) will be
+automatically converted using a Kubernetes conversion webhook (available in
+beta from Kubernetes 1.15 onwards).
+
+## Action Required
+
+No special actions are required as part of this release.
+
+## Changelog
+
+### General
+
+- Add DisableDeprecatedACMECertificates feature gate to disable the old deprecated ACME config format ([#1923](https://github.com/jetstack/cert-manager/pull/1923), [@munnerz](https://github.com/munnerz))
+- chart: fix formatting of values table in README.md ([#1936](https://github.com/jetstack/cert-manager/pull/1936), [@Starefossen](https://github.com/Starefossen))
+- Add internal API version and implement machinery for defaulting & conversion ([#2002](https://github.com/jetstack/cert-manager/pull/2002), [@munnerz](https://github.com/munnerz))
+- Fix concurrent map write panic in certificates controller ([#1980](https://github.com/jetstack/cert-manager/pull/1980), [@munnerz](https://github.com/munnerz))
+- cainjector: allow injecting CAs directly from Secret resources ([#1990](https://github.com/jetstack/cert-manager/pull/1990), [@munnerz](https://github.com/munnerz))
+- Mark 'spec' and 'status' as non-required fields in CRDs ([#1957](https://github.com/jetstack/cert-manager/pull/1957), [@munnerz](https://github.com/munnerz))
+- Add ability to specify key usages and extended key usages in certificates ([#1996](https://github.com/jetstack/cert-manager/pull/1996), [@stuart-warren](https://github.com/stuart-warren))
+
+### ACME Issuer
+
+- Add option to assume role in Route53 DNS01 provider ([#1917](https://github.com/jetstack/cert-manager/pull/1917), [@moolen](https://github.com/moolen))
+- Fix documentation for AzureDNS service principal creation ([#1960](https://github.com/jetstack/cert-manager/pull/1960), [@elsesiy](https://github.com/elsesiy))
+
+### Webhook
+
+- Use dedicated controller for webhook TLS bootstrapping ([#1993](https://github.com/jetstack/cert-manager/pull/1993), [@munnerz](https://github.com/munnerz))
+
+### CertificateRequest
+
+- Add ACME CertificateRequest controller implementation ([#1943](https://github.com/jetstack/cert-manager/pull/1943), [@JoshVanL](https://github.com/JoshVanL))
+- Add Vault CertificateRequest controller implementation ([#1934](https://github.com/jetstack/cert-manager/pull/1934), [@JoshVanL](https://github.com/JoshVanL))
+- Add SelfSigned CertificateRequest controller implementation ([#1906](https://github.com/jetstack/cert-manager/pull/1906), [@JoshVanL](https://github.com/JoshVanL))
+- Add Venafi CertificateRequest controller implementation ([#1968](https://github.com/jetstack/cert-manager/pull/1968), [@JoshVanL](https://github.com/JoshVanL))
+- Don't validate issuerRef.kind field if issuerRef.group is set in order to support out-of-tree Issuer types ([#1949](https://github.com/jetstack/cert-manager/pull/1949), [@munnerz](https://github.com/munnerz))
+- Adds CertificateRequest FailureTime. The Certificate controller will re-try failed CertificateRequests at least one hour after this failed time. ([#1979](https://github.com/jetstack/cert-manager/pull/1979), [@JoshVanL](https://github.com/JoshVanL))
+
+### Monitoring
+
+- Added variable to specify custom namespace where to deploy ServiceMonitor resource ([#1970](https://github.com/jetstack/cert-manager/pull/1970), [@mogaal](https://github.com/mogaal))
+- helm: fix labels and add Service for Prometheus ServiceMonitor ([#1942](https://github.com/jetstack/cert-manager/pull/1942), [@Starefossen](https://github.com/Starefossen))

docs/getting-started/install/kubernetes.rst

@@ -57,7 +57,7 @@ are included in a single YAML manifest file:
 .. code-block:: shell
 
    # Install the CustomResourceDefinitions and cert-manager itself
-   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager.yaml
+   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml
 
 .. note::
    If you are running kubectl v1.12 or below, you will need to add the
@@ -133,7 +133,7 @@ In order to install the Helm chart, you must run:
    helm install \
      --name cert-manager \
      --namespace cert-manager \
-     --version v0.10.0-alpha.0 \
+     --version v0.10.0 \
      jetstack/cert-manager
 
 The default cert-manager configuration is good for the majority of users, but a

docs/getting-started/install/openshift.rst

@@ -69,7 +69,7 @@ are included in a single YAML manifest file:
 .. code-block:: shell
 
    # Install the CustomResourceDefinitions and cert-manager itself
-   oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager-openshift.yaml
+   oc apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager-openshift.yaml
 
 .. note::
    The ``--validate=false`` flag is added to the ``oc apply`` command above

docs/getting-started/webhook.rst

@@ -193,14 +193,14 @@ To re-install cert-manager without the webhook, run:
 
 .. code-block:: shell
 
-   kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager.yaml
+   kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml
 
-   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager-no-webhook.yaml
+   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager-no-webhook.yaml
 
 Once you have re-installed cert-manager, you should then
 :doc:`restore your configuration </tasks/backup-restore-crds>`.
 
-.. _`cert-manager.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager.yaml
-.. _`cert-manager-no-webhook.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0-alpha.0/cert-manager-no-webhook.yaml
+.. _`cert-manager.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager.yaml
+.. _`cert-manager-no-webhook.yaml`: https://github.com/jetstack/cert-manager/releases/download/v0.10.0/cert-manager-no-webhook.yaml
 .. _`GKE docs`: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules
 .. _`ValidatingWebhookConfiguration`: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/

docs/tasks/backup-restore-crds.rst

@@ -15,7 +15,7 @@ To backup all of your cert-manager configuration resources, run:
 
    kubectl get -o yaml \
       --all-namespaces \
-      issuer,clusterissuer,certificates,orders,challenges > cert-manager-backup.yaml
+      issuer,clusterissuer,certificates,orders,challenges,certificaterequests > cert-manager-backup.yaml
 
 If you are transferring data to a new cluster, you may also need to copy across
 additional Secret resources that are referenced by your configured Issuers,
@@ -39,7 +39,7 @@ ACME Issuers
 
 * The ACME account private key Secret referenced by ``issuer.acme.privateKeySecretRef``
 * Any Secrets referenced by DNS providers configured under the
-  ``issuer.acme.dns01.providers`` field
+  ``issuer.acme.dns01.providers`` and ``issuer.acme.solvers.dns01`` fields.
 
 Restoring
 =========

docs/tasks/upgrading/index.rst

@@ -97,6 +97,7 @@ version number you want to install:
    upgrading-0.6-0.7
    upgrading-0.7-0.8
    upgrading-0.8-0.9
+   upgrading-0.9-0.10
 
 .. _`official Helm charts repository`: https://hub.helm.sh/charts/jetstack
 .. _`static deployment manifests`: https://github.com/jetstack/cert-manager/blob/release-0.10/deploy/manifests

docs/tasks/upgrading/upgrading-0.9-0.10.rst

@@ -0,0 +1,5 @@
+============================
+Upgrading from v0.9 to v0.10
+============================
+
+There are no special notes or considerations when upgrading from v0.9 to v0.10.

docs/tutorials/acme/quick-start/index.rst

@@ -370,7 +370,7 @@ install cert-manager. This example installed cert-manager into the
     $ helm install \
       --name cert-manager \
       --namespace cert-manager \
-      --version v0.10.0-alpha.0 \
+      --version v0.10.0 \
       jetstack/cert-manager
 
     NAME:   cert-manager