Merge pull request #1494 from cert-manager/release-next

Release 1.15
cert-manager · Jun 5, 2024 · 1c66836 · 1c66836
2 parents 8745d99 + f55f709
commit 1c66836
Show file tree

Hide file tree

Showing 147 changed files with 29,823 additions and 688 deletions.
diff --git a/.spelling b/.spelling
@@ -11,6 +11,16 @@ vinny
 lauraseidler
 ABWassim
 ThatsMrTalbot
+Pionerd
+andrey-dubnik
+bwaldrep
+eplightning
+findnature
+gplessis
+import-shiburin
+lunarwhite
+mangeshhambarde
+pwhitehead-splunk
 yann-soubeyrand
 pinkfloydx33
 karlschriek
@@ -171,6 +181,7 @@ GCP
 Git-Jiro
 GKE
 GitOps
+github-actions
 gRPC
 GSoC
 Gloo
@@ -253,17 +264,23 @@ Ramlot
 RinkiyaKeDad
 Robusta
 Route53
+API_AssumeRoleWithWebIdentity
+AssumeRoleWithWebIdentity
 Runtime
 roadmap
 SGX
 SOA
 SecretTemplate
+secretTemplate
 ServerSideApply
 SelfSigned
 SgtCoDFish
 Slowloris
 Smallstep
 SubjectAccessReview
+literalSubject
+LiteralSubject
+LiteralSubjects
 SVIDs
 stevehipwell
 TLDs
@@ -353,6 +370,7 @@ hardcoded
 healthz
 honour
 hostname
+hostAliases
 https
 homebrew
 Homebrew
@@ -481,6 +499,7 @@ unschedule
 untrusted
 upstream
 userinfo
+util
 vhosakot
 v0.5.0
 v0.7.0
@@ -535,6 +554,7 @@ v1.12.0
 v1.12.1.
 v1.12.2.
 v1.12.3.
+v1.15.0.
 v1alpha1
 v1alpha2
 v1alpha3

diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md
@@ -36,15 +36,15 @@ Flags:
       --dns01-recursive-nameservers <ip address>:<port>      A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: <ip address>:<port> or `https://<DoH RFC 8484 server address>`. For example: `8.8.8.8:53,8.8.4.4:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true.
       --dns01-recursive-nameservers-only                     When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers.
       --enable-certificate-owner-ref                         Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.
+      --enable-gateway-api                                   Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15).
       --enable-profiling                                     Enable profiling for controller.
       --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-                                                             AdditionalCertificateOutputFormats=true|false (ALPHA - default=false)
+                                                             AdditionalCertificateOutputFormats=true|false (BETA - default=true)
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
-                                                             DisallowInsecureCSRUsageDefinition=true|false (BETA - default=true)
                                                              ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
-                                                             ExperimentalGatewayAPISupport=true|false (ALPHA - default=false)
-                                                             LiteralCertificateSubject=true|false (ALPHA - default=false)
+                                                             ExperimentalGatewayAPISupport=true|false (BETA - default=true)
+                                                             LiteralCertificateSubject=true|false (BETA - default=true)
                                                              NameConstraints=true|false (ALPHA - default=false)
                                                              OtherNames=true|false (ALPHA - default=false)
                                                              SecretsFilteredCaching=true|false (BETA - default=true)
@@ -66,10 +66,10 @@ Flags:
       --logging-format string                                Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
       --master string                                        Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
       --max-concurrent-challenges int                        The maximum number of challenges that can be scheduled as 'processing' at once. (default 60)
-      --metrics-dynamic-serving-ca-secret-name string        name of the secret used to store the CA that signs serving certificates certificates
+      --metrics-dynamic-serving-ca-secret-name string        name of the secret used to store the CA that signs serving certificates
       --metrics-dynamic-serving-ca-secret-namespace string   namespace of the secret used to store the CA that signs serving certificates
       --metrics-dynamic-serving-dns-names strings            DNS names that should be present on certificates generated by the dynamic serving CA
-      --metrics-dynamic-serving-leaf-duration duration       leaf duration of serving certificates
+      --metrics-dynamic-serving-leaf-duration duration       leaf duration of serving certificates (default 168h0m0s)
       --metrics-listen-address string                        The host and port that the metrics endpoint should listen on. (default "0.0.0.0:9402")
       --metrics-tls-cert-file string                         path to the file containing the TLS certificate to serve with
       --metrics-tls-cipher-suites strings                    Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.  Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA

diff --git a/content/docs/cli/startupapicheck.md b/content/docs/cli/startupapicheck.md
@@ -10,6 +10,7 @@ Usage:
 
 Available Commands:
   check       Check cert-manager components
+  completion  Generate the autocompletion script for the specified shell
   help        Help about any command
 
 Flags:

diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md
@@ -16,17 +16,16 @@ Usage:
 Flags:
       --api-server-host string                       Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
       --config string                                Path to a file containing a WebhookConfiguration object used to configure the webhook
-      --dynamic-serving-ca-secret-name string        name of the secret used to store the CA that signs serving certificates certificates
+      --dynamic-serving-ca-secret-name string        name of the secret used to store the CA that signs serving certificates
       --dynamic-serving-ca-secret-namespace string   namespace of the secret used to store the CA that signs serving certificates
       --dynamic-serving-dns-names strings            DNS names that should be present on certificates generated by the dynamic serving CA
-      --dynamic-serving-leaf-duration duration       leaf duration of serving certificates
+      --dynamic-serving-leaf-duration duration       leaf duration of serving certificates (default 168h0m0s)
       --enable-profiling                             Enable profiling for webhook.
       --feature-gates mapStringBool                  A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-                                                     AdditionalCertificateOutputFormats=true|false (ALPHA - default=false)
+                                                     AdditionalCertificateOutputFormats=true|false (BETA - default=true)
                                                      AllAlpha=true|false (ALPHA - default=false)
                                                      AllBeta=true|false (BETA - default=false)
-                                                     DisallowInsecureCSRUsageDefinition=true|false (BETA - default=true)
-                                                     LiteralCertificateSubject=true|false (ALPHA - default=false)
+                                                     LiteralCertificateSubject=true|false (BETA - default=true)
                                                      NameConstraints=true|false (ALPHA - default=false)
                                                      OtherNames=true|false (ALPHA - default=false)
       --healthz-port int32                           port number to listen on for insecure healthz connections (default 6080)

diff --git a/content/docs/configuration/acme/dns01/route53.md b/content/docs/configuration/acme/dns01/route53.md
@@ -188,11 +188,18 @@ Note that, as mentioned above, the pod is using `arn:aws:iam::XXXXXXXXXXX:role/c
 
 While [`kiam`](https://github.com/uswitch/kiam) / [`kube2iam`](https://github.com/jtblin/kube2iam) work directly with cert-manager, some special attention is needed for using the [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) feature available on EKS.
 
-### OIDC provider
+This feature uses Kubernetes `ServiceAccount` tokens to authenticate with AWS using the [API_AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html). 
 
-First follow the AWS documentation [Enabling IAM roles for service accounts on your cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html) to ensure that the OIDC provider for the EKS cluster is enabled. The OIDC information is needed to create the trust relationship for the cert-manager role below.
+> **Note**: For using IRSA with cert-manager you must first enable the feature for your cluster. You can do this by
+> following the [official documentation(https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html).
 
-### IAM role trust policy
+Because `ServiceAccount` tokens are used to authenticate there are two modes of operation, you can either use cert-manager's own `ServiceAccount` to authenticate or you can reference your own `ServiceAccount` within your `Issuer`/`ClusterIssuer` config. Each option is described below.
+
+### Using the cert-manager ServiceAccount
+
+In this configuration an IAM role is mapped to the cert-manager `ServiceAccount` allowing it to authenticate with AWS. The IAM role you map to the `ServiceAccount` will need permissions on any and all Route53 zones cert-manager will be using.
+
+#### IAM role trust policy
 
 The cert-manager role needs the following trust relationship attached to the role in order to use the IRSA method. Replace the following:
 
@@ -224,7 +231,7 @@ The cert-manager role needs the following trust relationship attached to the rol
 
 **Note:** If you're following the Cross Account example above, this trust policy is attached to the cert-manager role in Account X with ARN `arn:aws:iam::XXXXXXXXXXX:role/cert-manager`. The permissions policy is the same as above.
 
-### Service annotation
+#### Service annotation
 
 Annotate the `ServiceAccount` created by cert-manager:
 
@@ -257,3 +264,121 @@ securityContext:
 ```
 
 **Note:** If you're following the Cross Account example above, modify the `ClusterIssuer` in the same way as above with the role from Account Y.
+
+### Referencing your own ServiceAccount within Issuer/ClusterIssuer config 
+
+In this configuration you can reference your own `ServiceAccounts` within your `Issuer`/`ClusterIssuer` and cert-manager will issue itself temporary credentials using these `ServiceAccounts`. Because each issuer can reference a different `ServiceAccount` you can lock down permissions much more, with each `ServiceAccount` mapped to an IAM role that only has permission on the zones it needs for that particular issuer.
+
+
+#### Creating a ServiceAccount
+
+In order to reference a `ServiceAccount` it must first exist. Unlike normal IRSA the `eks.amazonaws.com/role-arn` annotation is not required, however you may wish to set it as a reference.
+
+```yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: <service-account-name>
+  annotation:
+    eks.amazonaws.com/role-arn: <iam-role-arn>
+```
+
+#### IAM role trust policy
+
+For every `ServiceAccount` you want to use for AWS authentication you must first set up a trust policy. Replace the following:
+
+- `<aws-account-id>` with the AWS account ID of the EKS cluster.
+- `<aws-region>` with the region where the EKS cluster is located.
+- `<eks-hash>` with the hash in the EKS API URL; this will be a random 32 character hex string (example: `45DABD88EEE3A227AF0FA468BE4EF0B5`)
+- `<namespace>` with the namespace of the `ServiceAccount` object.
+- `<service-account-name>` with the name of the `ServiceAccount` object.
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Principal": {
+        "Federated": "arn:aws:iam::<aws-account-id>:oidc-provider/oidc.eks.<aws-region>.amazonaws.com/id/<eks-hash>"
+      },
+      "Condition": {
+        "StringEquals": {
+          "oidc.eks.<aws-region>.amazonaws.com/id/<eks-hash>:sub": "system:serviceaccount:<namespace>:<service-account-name>"
+        }
+      }
+    }
+  ]
+}
+```
+
+**Note:** If you're following the Cross Account example above, this trust policy is attached to the cert-manager role in Account X with ARN `arn:aws:iam::XXXXXXXXXXX:role/cert-manager`. The permissions policy is the same as above.
+
+#### RBAC
+
+In order to allow cert-manager to issue a token using your `ServiceAccount` you must deploy some RBAC to the cluster. Replace the following:
+
+- `<service-account-name>` name of the `ServiceAccount` object.
+- `<service-account-namespace>` namespace of the `ServiceAccount` object.
+- `<cert-manager-service-account-name>` name of cert-managers `ServiceAccount` object, as created during cert-manager installation.
+- `<cert-manager-namespace>` namespace that cert-manager is deployed into.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: <service-account-name>-tokenrequest
+  namespace: <service-account-namespace>
+rules:
+  - apiGroups: ['']
+    resources: ['serviceaccounts/token']
+    resourceNames: ['<service-account-name>']
+    verbs: ['create']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-<service-account-name>-tokenrequest
+  namespace: <service-account-namespace>
+subjects:
+  - kind: ServiceAccount
+    name: <cert-manager-service-account-name>
+    namespace: <cert-manager-namespace>
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: <service-account-name>-tokenrequest
+```
+
+#### Issuer/ClusterIssuer config
+
+Once you have completed the above you should have:
+- An IAM role with permissions required to on the Route53 zone.
+- A Kubernetes `ServiceAccount`.
+- A trust policy to allow the Kubernetes `ServiceAccount` access to your IAM role.
+- RBAC to allow cert-manager to issue a token using the Kubernetes `ServiceAccount`.
+
+You should be ready at this point to configure an Issuer to use the new `ServiceAccount`. You can see example config for this below:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: example
+spec:
+  acme:
+    ...
+    solvers:
+    - selector:
+        dnsZones:
+          - "example.com"
+      dns01:
+        route53:
+          region: us-east-1
+          role: <iam-role-arn> # This must be set so cert-manager what role to attempt to authenticate with
+          auth:
+            kubernetes:
+              serviceAccountRef: 
+                name: <service-account-name> # The name of the service account created
+```
diff --git a/content/docs/configuration/acme/http01/README.md b/content/docs/configuration/acme/http01/README.md
@@ -195,7 +195,7 @@ No other fields of the ingress can be edited.
 
 ## Configuring the HTTP-01 Gateway API solver
 
-**FEATURE STATE**: cert-manager 1.5 [alpha]
+**FEATURE STATE**: cert-manager 1.15 [beta]
 
 The Gateway and HTTPRoute resources are part of the [Gateway API][gwapi], a set
 of CRDs that you install on your Kubernetes cluster that provide various
@@ -205,8 +205,8 @@ improvements over the Ingress API.
 
 <div className="info">
 
-📌  This feature requires the installation of the [Gateway API bundle](https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller) and passing a
-feature flag to the cert-manager controller.
+📌  This feature requires the installation of the [Gateway API bundle](https://gateway-api.sigs.k8s.io/guides/#installing-a-gateway-controller) and passing an
+additional flag to the cert-manager controller.
 
 To install v1.5.1 Gateway API bundle (Gateway CRDs and webhook), run the following command:
 
@@ -220,15 +220,15 @@ To enable the feature in cert-manager, turn on the `GatewayAPI` feature gate:
 
   ```sh
   helm upgrade --install cert-manager jetstack/cert-manager --namespace cert-manager \
-    --set "extraArgs={--feature-gates=ExperimentalGatewayAPISupport=true}"
+    --set "extraArgs={--enable-gateway-api}"
   ```
 
 - If you are using the raw cert-manager manifests, add the following flag to the
   cert-manager controller Deployment:
 
   ```yaml
   args:
-    - --feature-gates=ExperimentalGatewayAPISupport=true
+    - --enable-gateway-api
   ```
 
 The Gateway API CRDs should either be installed before cert-manager starts or
@@ -246,8 +246,8 @@ kubectl rollout restart deployment cert-manager -n cert-manager
 
 <div className="info">
 
-🚧   cert-manager 1.8+ is tested with v1alpha2 Kubernetes Gateway API. It should also work
-with v1beta1 because of resource conversion, but has not been tested with it.
+🚧   cert-manager 1.14+ is tested with v1 Kubernetes Gateway API. It should also work
+with v1beta1 and v1alpha2 because of resource conversion, but has not been tested with it.
 </div>
 
 The Gateway API HTTPRoute HTTP-01 solver creates a temporary HTTPRoute using the