security/cert_manager_operator/cert-manager-operator-release-notes.adoc
Lines changed: 1 addition & 316 deletions
@@ -54,319 +54,4 @@ By default, this feature is disabled to prevent connectivity issues during upgra
54
54
=== Known issues
55
55
56
56
* The upstream cert-manager `v1.18` release updated the ACME HTTP-01 challenge ingress path type from `ImplementationSpecific` to `Exact`. The OpenShift Route API does not have an equivalent for the `Exact` path type, which prevents the ingress-to-route controller from supporting it. As a result, ingress resources created for HTTP-01 challenges cannot route traffic to the solver pod, causing the challenge to fail with a 503 error.
57
-
To mitigate this issue, the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default in this release.
Version `1.17.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.17.4`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.17#v1174[cert-manager project release notes for v1.17.4].
* Previously, the `status` field in the `IstioCSR` custom resource (CR) was not set to `Ready` even after the successful deployment of Istio‑CSR. With this fix, the `status` field is correctly set to `Ready`, ensuring consistent and reliable status reporting. (link:https://issues.redhat.com/browse/CM-546[CM-546])
*Support to configure resource requests and limits for ACME HTTP‑01 solver pods*
81
-
82
-
With this release, the {cert-manager-operator} supports configuring CPU and memory resource requests and limits for ACME HTTP‑01 solver pods. You can configure the CPU and memory resource requests and limits by using the following overridable arguments in the `CertManager` custom resource (CR):
83
-
84
-
* `--acme-http01-solver-resource-limits-cpu`
85
-
* `--acme-http01-solver-resource-limits-memory`
86
-
* `--acme-http01-solver-resource-request-cpu`
87
-
* `--acme-http01-solver-resource-request-memory`
88
-
89
-
For more information, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-overridable-arguments_cert-manager-customizing-api-fields[Overridable arguments for the cert‑manager components].
Version `1.16.2` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.16.5`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.16#v1165[cert-manager project release notes for v1.16.5].
Version `1.16.1` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.16.5`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.16#v1165[cert-manager project release notes for v1.16.5].
Previously, {cert-manager-operator} failed to create the `cert-manager-tokenrequest` role due to insufficient RBAC permissions. This resulted in `RoleCreateFailed` errors and a degraded static-resource controller. With this release, the issue is resolved by adding the necessary `serviceaccounts/token` create permission to the RBAC configuration. As a result, the `cert-manager-tokenrequest` role and role binding are now successfully created, and `RoleCreateFailed` errors no longer appear in the operator logs. link:https://issues.redhat.com/browse/OCPBUGS-56758[(OCPBUGS-56758)]
Version `1.16.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.16.4`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.16/#v1164[cert-manager project release notes for v1.16.4].
With this release, the {cert-manager-operator} has been verified to be mirrored to and installed in a disconnected environment.
176
-
177
-
The Operator has also been validated to work with the following issuer types in disconnected environments: ACME, CA, Self-signed, and Vault.
178
-
Specifically, private or self-hosted ACME servers have been validated, as Let's Encrypt or other public ACME services are not feasible options in disconnected environments.
179
-
The oc-mirror plugin v2 is the preferred method to mirror Operator images.
180
-
For more information, see xref:../../disconnected/about-installing-oc-mirror-v2.adoc#about-installing-oc-mirror-v2[Mirroring images for a disconnected installation by using the oc-mirror plugin v2].
181
-
182
-
*Extended operand metrics support*
183
-
184
-
With this release, cert-manager webhook and cainjector operands now expose Prometheus metrics on port 9402 by default via the `/metrics` service endpoint.
185
-
You can configure OpenShift Monitoring to collect metrics from all cert-manager operands by enabling the built-in user workload monitoring stack.
186
-
For more information, see xref:../../security/cert_manager_operator/cert-manager-monitoring.adoc#cert-manager-monitoring[Monitoring {cert-manager-operator}].
187
-
188
-
*Streaming Lists enablement*
189
-
190
-
With this release, the {cert-manager-operator} now uses the new upstream WatchListClient feature.
191
-
This enables use of the Streaming Lists feature of the Kubernetes API server, which reduces the load on the API server.
192
-
The peak memory use of the cert-manager components when they start up is optimized on {product-title} 4.14 and later.
When using the Venafi issuer with username and password authentication in cert-manager version 1.16.0, the default client ID is hard-coded as `cert-manager.io` and cannot be customized. This limitation can affect users requiring a specific client ID for authentication with the Venafi platform.
Version `1.15.1` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.15.5`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.15/#v1155[cert-manager project release notes for v1.15.5].
*Integrating the {cert-manager-operator} with Istio-CSR* (Technology Preview)
224
-
225
-
The {cert-manager-operator} now supports the Istio-CSR. With this integration, cert-manager Operator's issuers can issue, sign, and renew certificates for mutual TLS (mTLS) communication. {SMProductName} and `Istio` can now request these certificates directly from the cert-manager Operator.
226
-
227
-
For more information, see xref:../../security/cert_manager_operator/cert-manager-operator-integrating-istio.adoc#cert-manager-operator-istio-csr-installing_cert-manager-operator-integrating-istio[Integrating the cert-manager Operator with Istio-CSR].
Version `1.15.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.15.4`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.15/#v1154[cert-manager project release notes for v1.15.4].
*Scheduling overrides for {cert-manager-operator}*
253
-
254
-
With this release, you can configure scheduling overrides for {cert-manager-operator}, including the cert-manager controller, webhook, and CA injector.
255
-
256
-
*Google CAS issuer*
257
-
258
-
The {cert-manager-operator} now supports the Google Certificate Authority Service (CAS) issuer. The `google-cas-issuer` is an external issuer for cert-manager that automates certificate lifecycle management, including issuance and renewal, with CAS-managed private certificate authorities.
259
-
260
-
[NOTE]
261
-
====
262
-
The Google CAS issuer is validated only with version 0.9.0 and {cert-manager-operator} version 1.15.0. These versions support tasks such as issuing, renewing, and managing certificates for the API server and ingress controller in {product-title} clusters.
263
-
====
264
-
265
-
*Default `installMode` updated to `AllNamespaces`*
266
-
267
-
Starting from version 1.15.0, the default and recommended Operator Lifecycle Manager (OLM) `installMode` is `AllNamespaces`. Previously, the default was `SingleNamespace`. This change aligns with best practices for multi-namespace Operator management.
268
-
For more information, see link:https://issues.redhat.com/browse/OCPBUGS-23406[OCPBUGS-23406].
269
-
270
-
*Redundant `kube-rbac-proxy` sidecar removed*
271
-
272
-
The Operator no longer includes the redundant `kube-rbac-proxy` sidecar container, reducing resource usage and complexity.
273
-
For more information, see link:https://issues.redhat.com/browse/CM-436[CM-436].
Version `1.14.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.14.5`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.14/#v1145[cert-manager project release notes for v1.14.5].
296
-
297
-
[id="cert-manager-operator-new-features-1-14-0"]
298
-
=== New features and enhancements
299
-
300
-
*FIPS compliance support*
301
-
302
-
With this release, FIPS mode is now automatically enabled for {cert-manager-operator}. When installed on an {product-title} cluster in FIPS mode, {cert-manager-operator} ensures compatibility without affecting the cluster's FIPS support status.
303
-
304
-
*Securing routes with cert-manager managed certificates (Technology Preview)*
305
-
306
-
With this release, you can manage certificates referenced in `Route` resources by using the {cert-manager-operator}. For more information, see xref:../../security/cert_manager_operator/cert-manager-securing-routes.adoc#cert-manager-securing-routes[Securing routes with the {cert-manager-operator}].
307
-
308
-
*NCM issuer*
309
-
310
-
The {cert-manager-operator} now supports the Nokia NetGuard Certificate Manager (NCM) issuer. The `ncm-issuer` is a cert-manager external issuer that integrates with the NCM PKI system using a Kubernetes controller to sign certificate requests. This integration streamlines the process of obtaining non-self-signed certificates for applications, ensuring their validity and keeping them updated.
311
-
312
-
[NOTE]
313
-
====
314
-
The NCM issuer is validated only with version 1.1.1 and the {cert-manager-operator} version 1.14.0. This version handles tasks such as issuance, renewal, and managing certificates for the API server and ingress controller of {product-title} clusters.
Version `1.13.1` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.13.6`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.13#v1136[cert-manager project release notes for v1.13.6].
Version `1.13.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.13.3`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.13/#v1133[cert-manager project release notes for v1.13.0].
354
-
355
-
[id="cert-manager-operator-new-features-1-13-0"]
356
-
=== New features and enhancements
357
-
358
-
* You can now manage certificates for API Server and Ingress Controller by using the {cert-manager-operator}.
359
-
For more information, see xref:../../security/cert_manager_operator/cert-manager-creating-certificate.adoc#cert-manager-creating-certificate[Configuring certificates with an issuer].
360
-
361
-
* With this release, the scope of the {cert-manager-operator}, which was previously limited to the {product-title} on AMD64 architecture, has now been expanded to include support for managing certificates on {product-title} running on {ibm-z-name} (`s390x`), {ibm-power-name} (`ppc64le`) and ARM64 architectures.
362
-
363
-
* With this release, you can use DNS over HTTPS (DoH) for performing the self-checks during the ACME DNS-01 challenge verification. The DNS self-check method can be controlled by using the command-line flags, `--dns01-recursive-nameservers-only` and `--dns01-recursive-nameservers`.
364
-
For more information, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.html#cert-manager-override-arguments_cert-manager-customizing-api-fields[Customizing cert-manager by overriding arguments from the cert-manager Operator API].
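Review bot: The hunk deletes the entire version history below the 1.17 "Known issues" heading, including known issues that are not marked as resolved (the hard-coded `cert-manager.io` Venafi client ID in 1.16.0 and the `ACMEHTTP01IngressPathTypeExact` mitigation for HTTP-01 challenges failing with a 503), without leaving a pointer to where that content now lives; if these sections are moving to an archive page, the surviving text should gain an `xref:` to it, and if they are simply being dropped, unresolved known issues for still-supported operator versions should be kept under the remaining "Known issues" section so users on those versions can still find the workaround. Minor: the removed 1.13.0 line links to the v1.13.3 release notes but labels them "v1.13.0", and the last removed `xref:` targets `cert-manager-customizing-api-fields.html#` where every other `xref:` in the file uses `.adoc#`; if any of this text is reinstated elsewhere, fix both while moving it.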