-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Azure SDK and remove deprecated autorest dependency #5452
Update Azure SDK and remove deprecated autorest dependency #5452
Conversation
Hi @phillebaba. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There are still things that need to be done before this can be merged. The major thing is verifying this with different Azure cloud types. The method that the cloud environment is configured has changed and I am doubtful my changes will work first try. Additionally it seems like some of the cloud types are missing from the new SDK. |
return nil, err | ||
} | ||
c := cloud.AzurePublic | ||
if environment != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
German cloud missing from this list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like German cloud was closed in October 2021
Additionally, on Sept 30th, 2020, we announced that the Microsoft Cloud Germany would be closing on October 29th, 2021
https://learn.microsoft.com/en-us/previous-versions/azure/germany/germany-welcome
So perhaps we need to trim this list of supported Azure cloud environments:
cert-manager/pkg/apis/acme/v1/types_issuer.go
Lines 550 to 558 in 8deaca7
// +kubebuilder:validation:Enum=AzurePublicCloud;AzureChinaCloud;AzureGermanCloud;AzureUSGovernmentCloud | |
type AzureDNSEnvironment string | |
const ( | |
AzurePublicCloud AzureDNSEnvironment = "AzurePublicCloud" | |
AzureChinaCloud AzureDNSEnvironment = "AzureChinaCloud" | |
AzureGermanCloud AzureDNSEnvironment = "AzureGermanCloud" | |
AzureUSGovernmentCloud AzureDNSEnvironment = "AzureUSGovernmentCloud" | |
) |
} | ||
logf.Log.V(logf.InfoLevel).Info("No ClientID found: authenticating azuredns with managed identity (MSI)") | ||
if !ambient { | ||
return nil, fmt.Errorf("ClientID is not set but neither `--cluster-issuer-ambient-credentials` nor `--issuer-ambient-credentials` are set. These are necessary to enable Azure Managed Identities") | ||
} | ||
|
||
opt := adal.ManagedIdentityOptions{} | ||
|
||
// TODO: msi ID resource id or client id |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am unsure if resource ID should even be set at all? The client will deal with this now so there should be no need to configure it.
You'll need to resolve conflicts here - thanks for doing this work 😄 I'm not sure if anyone on the core development team has tonnes of experience with Azure, so any advice you and/or peers in this space can provide would be greatly appreciated 🙌 /ok-to-test |
@munnerz no problem. I have realized over the years that there is not a massive overlap of Kubernetes - Go - Azure experience. I have done this migration for other projects already so have some experience with the common issues. I have sadly been busy with other pressing matters but will get to this when I have some more time again. Aiming to get everything tested and ready before the end of Q4. I have a PR going in kubernetes-sigs/external-dns/pull/3040 which is very similar to this. |
286cd38
to
e5952e5
Compare
f077fe4
to
f361421
Compare
This change is blocked until Azure/azure-sdk-for-go#15615 unless we want to implement the workaround suggested in the issue. |
f361421
to
4b06e97
Compare
I see that there's a beta release containing the workload identity credential We're releasing cert-manager 1.11 in mid January 2023 so there still might be time to get this into that release. Might also be worth coordinating with @weisdd who is working on the workload identity federation feature |
@wallrj we actually had a brief discussion with @phillebaba in another project regarding the Microsoft's plan to release this functionality in beta version of azidentity closer to the end of the year, which already happened like you mentioned. As a side note, I've recently had to prepare a workload identity-enabled setup of external-secrets operator (https://external-secrets.io/v0.7.0/provider/azure-key-vault/), and they have an interesting concept of using |
@inteon Will you rebase this? Sorry for all the recent changes to the |
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> Signed-off-by: Philip Laine <philip.laine@gmail.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
b5cdd07
to
67f8a03
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've finally been able to test this on my Azure account and it seems to work.
Let's merge this and create another Alpha release so that others can test it too:
/lgtm
/approve
Here's some evidence
Upgraded from v1.13.3
Where I'd previously verified the AKS + LetsEncrypt tutorial
export KO_REGISTRY=ttl.sh/$(uuidgen)/cert-manager-5452
make ko-deploy-certmanager KO_HELM_VALUES_FILES=values.yaml
...
/home/richard/projects/cert-manager/cert-manager/_bin/tools/helm upgrade cert-manager _bin/cert-manager.tgz \
--install \
--create-namespace \
--wait \
--namespace cert-manager \
--values values.yaml \
--set image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-controller" \
--set image.digest="sha256:6456ec28d55a7fd2f562124079ddedb2c3697c8d8fe91479ff307842e9b0032d" \
--set cainjector.image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-cainjector" \
--set cainjector.image.digest="sha256:2419dfeaa5f8ceb0e03691490d9f24400c69a6092174eef5d59a1b8ddb5a6b74" \
--set webhook.image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-webhook" \
--set webhook.image.digest="sha256:010e4c3ec428500750b3d1084241d78347b3e2848ed5ea7e4e0e1ec44369ca36" \
--set startupapicheck.image.repository="ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-ctl" \
--set startupapicheck.image.digest="sha256:8be51255ab5e59e673a274d8e11f633fe62f75aa8da3c3081c9d33c5c99dd466" \
--set installCRDs=true \
--set "extraArgs={--acme-http01-solver-image=ttl.sh/44b32c94-6a7c-4673-be7c-eb19ed2e07d5/cert-manager-5452/cert-manager-acmesolver@sha256:25a2c496185a7e7d1892b68db0c7b85ae7a00109dfee273cf7f17d90fe428e6e}"
Release "cert-manager" has been upgraded. Happy Helming!
NAME: cert-manager
LAST DEPLOYED: Fri Jan 12 12:01:09 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
cert-manager v1.14.0-alpha.0-72-g67f8a03cae35ee has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
cmctl renew certificate
$ cmctl status certificate www
Name: www
Namespace: default
Created at: 2024-01-12T09:45:09Z
Conditions:
Ready: True, Reason: Ready, Message: Certificate is up to date and has not expired
DNS Names:
- www.azure-tutorial.richard-gcp.jetstacker.net
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 52m cert-manager-certificates-trigger Issuing certificate as Secret was previously issued by "ClusterIssuer.cert-manager.io/selfsigned"
Normal Generated 52m cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-szrgp"
Normal Requested 52m cert-manager-certificates-request-manager Created new CertificateRequest resource "www-2"
Normal Issuing 38m cert-manager-certificates-trigger Issuing certificate as Secret was previously issued by "ClusterIssuer.cert-manager.io/letsencrypt-staging"
Normal Generated 38m cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-8p7b8"
Normal Requested 38m cert-manager-certificates-request-manager Created new CertificateRequest resource "www-3"
Normal Issuing 36m (x2 over 51m) cert-manager-certificates-issuing The certificate has been successfully issued
Normal Generated 15m cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-tmbbd"
Normal Requested 15m cert-manager-certificates-request-manager Created new CertificateRequest resource "www-4"
Normal Generated 13m cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-bs9zl"
Normal Requested 13m cert-manager-certificates-request-manager Created new CertificateRequest resource "www-5"
Normal Issuing 12m cert-manager-certificates-trigger Issuing certificate as Secret was previously issued by "ClusterIssuer.cert-manager.io/letsencrypt-production"
Normal Generated 12m cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-bq2f4"
Normal Requested 12m cert-manager-certificates-request-manager Created new CertificateRequest resource "www-6"
Normal Issuing 12m (x3 over 15m) cert-manager-certificates-issuing The certificate has been successfully issued
Normal Generated 9m22s cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-bghw6"
Normal Requested 9m22s cert-manager-certificates-request-manager Created new CertificateRequest resource "www-7"
Normal Generated 7m41s cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "www-zn9hz"
Normal Requested 7m41s cert-manager-certificates-request-manager Created new CertificateRequest resource "www-8"
Normal Issuing 6m3s (x2 over 9m18s) cert-manager-certificates-issuing The certificate has been successfully issued
Issuer:
Name: letsencrypt-staging
Kind: ClusterIssuer
Conditions:
Ready: True, Reason: ACMEAccountRegistered, Message: The ACME account was registered with the ACME server
Events: <none>
Secret:
Name: www-tls
Issuer Country: US
Issuer Organisation: (STAGING) Let's Encrypt
Issuer Common Name: (STAGING) Artificial Apricot R3
Key Usage: Digital Signature, Key Encipherment
Extended Key Usages: Server Authentication, Client Authentication
Public Key Algorithm: RSA
Signature Algorithm: SHA256-RSA
Subject Key ID: 47a41791a5935aa42a89f9e60f8a38dd3cfa5a42
Authority Key ID: de727a48df31c3a650df9f8523df57374b5d2e65
Serial Number: 2b46b18b91e7cccb1cdaed99d865f4305e6c
Events: <none>
Not Before: 2024-01-12T11:13:33Z
Not After: 2024-04-11T12:13:32+01:00
Renewal Time: 2024-03-12T11:13:32Z
No CertificateRequest found for this Certificate
Logs
I0112 12:11:59.215658 1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-key-manager" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
I0112 12:11:59.269922 1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "www-8" condition "Approved" to 2024-01-12 12:11:59.2699091 +0000 UTC m=+143.869409803
I0112 12:11:59.295401 1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "www-8" condition "Ready" to 2024-01-12 12:11:59.295392141 +0000 UTC m=+143.894892744
I0112 12:11:59.308885 1 conditions.go:263] Setting lastTransitionTime for CertificateRequest "www-8" condition "Ready" to 2024-01-12 12:11:59.308876422 +0000 UTC m=+143.908377025
I0112 12:11:59.316128 1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificaterequests-issuer-acme" key="default/www-8" error="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"www-8\": the object has been modified; please apply your changes to the latest version and try again"
E0112 12:12:02.864226 1 sync.go:190] "propagation check failed" err="DNS record for \"www.azure-tutorial.richard-gcp.jetstacker.net\" not yet propagated" logger="cert-manager.challenges" resource_name="www-8-3709051279-993529634" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.azure-tutorial.richard-gcp.jetstacker.net" type="DNS-01"
E0112 12:12:02.966005 1 sync.go:190] "propagation check failed" err="DNS record for \"www.azure-tutorial.richard-gcp.jetstacker.net\" not yet propagated" logger="cert-manager.challenges" resource_name="www-8-3709051279-993529634" resource_namespace="default" resource_kind="Challenge" resource_version="v1" dnsName="www.azure-tutorial.richard-gcp.jetstacker.net" type="DNS-01"
I0112 12:13:37.355816 1 conditions.go:252] Found status change for CertificateRequest "www-8" condition "Ready": "False" -> "True"; setting lastTransitionTime to 2024-01-12 12:13:37.355806327 +0000 UTC m=+241.955307030
I0112 12:13:37.387727 1 conditions.go:192] Found status change for Certificate "www" condition "Ready": "True" -> "False"; setting lastTransitionTime to 2024-01-12 12:13:37.387719353 +0000 UTC m=+241.987220056
I0112 12:13:37.400168 1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-readiness" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
I0112 12:13:37.409398 1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-issuing" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
I0112 12:13:37.417687 1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.certificates-key-manager" key="default/www" error="Operation cannot be fulfilled on certificates.cert-manager.io \"www\": the object has been modified; please apply your changes to the latest version and try again"
E0112 12:13:37.630843 1 sync.go:73] "failed to update status" logger="cert-manager.orders" resource_name="www-8-3709051279" resource_namespace="default" resource_kind="Order" resource_version="v1"
I0112 12:13:37.630881 1 controller.go:162] "re-queuing item due to optimistic locking on resource" logger="cert-manager.orders" key="default/www-8-3709051279" error="Operation cannot be fulfilled on orders.acme.cert-manager.io \"www-8-3709051279\": the object has been modified; please apply your changes to the latest version and try again"
E0112 12:13:37.655328 1 controller.go:208] "challenge in work queue no longer exists" err="challenge.acme.cert-manager.io \"www-8-3709051279-993529634\" not found" logger="cert-manager.challenges"
Events
0s Normal Generated certificate/www Stored new private key in temporary Secret resource "www-zn9hz"
0s Normal Requested certificate/www Created new CertificateRequest resource "www-8"
0s Normal WaitingForApproval certificaterequest/www-8 Not signing CertificateRequest until it is Approved
0s Normal WaitingForApproval certificaterequest/www-8 Not signing CertificateRequest until it is Approved
0s Normal WaitingForApproval certificaterequest/www-8 Not signing CertificateRequest until it is Approved
0s Normal WaitingForApproval certificaterequest/www-8 Not signing CertificateRequest until it is Approved
0s Normal WaitingForApproval certificaterequest/www-8 Not signing CertificateRequest until it is Approved
0s Normal cert-manager.io certificaterequest/www-8 Certificate request has been approved by cert-manager.io
0s Normal OrderCreated certificaterequest/www-8 Created Order resource default/www-8-3709051279
0s Normal OrderPending certificaterequest/www-8 Waiting on certificate issuance from order default/www-8-3709051279: ""
0s Normal Created order/www-8-3709051279 Created Challenge resource "www-8-3709051279-993529634" for domain "www.azure-tutorial.richard-gcp.jetstacker.net"
0s Normal Started challenge/www-8-3709051279-993529634 Challenge scheduled for processing
0s Normal Presented challenge/www-8-3709051279-993529634 Presented challenge using DNS-01 challenge mechanism
0s Normal DomainVerified challenge/www-8-3709051279-993529634 Domain "www.azure-tutorial.richard-gcp.jetstacker.net" verified with "DNS-01" validation
0s Normal Complete order/www-8-3709051279 Order completed successfully
0s Normal CertificateIssued certificaterequest/www-8 Certificate fetched from issuer successfully
0s Normal Issuing certificate/www The certificate has been successfully issued
0s Normal Complete order/www-8-3709051279 Order completed successfully
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/kind cleanup |
@pinkfloydx33 I've published https://github.com/cert-manager/cert-manager/releases/tag/v1.14.0-alpha.1 Please test the Azure features if you have time. |
I'm not sure if I'll get to it today, but I can definitely get it done before Friday. |
@wallrj sorry I didn't get to this. I've been out sick the last few days. If I can bring myself to sit down at my desk I'll try and do it today or tomorrow if you still need me to. |
No worries. Do please test the latest pre-release if you have time: So that we can iron out any bugs before the 1.14 release on Jan 31. |
@wallrj sorry for this huge delay, I was on my first vacation in about 4 years :) Two things that I can say right away:
reason: |-
WorkloadIdentityCredential authentication failed
POST https://login.microsoftonline.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 401 Unauthorized
--------------------------------------------------------------------------------
{
"error": "invalid_client",
"error_description": "AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://westeurope.oic.prod-aks.azure.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/c216c7d6-ab39-4c03-9132-d24bdc087a2b/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: 33e79a89-4774-49de-afb1-3cf2993d9200 Correlation ID: 3d932552-f952-4087-92c5-db36ba10389f Timestamp: 2024-01-29 13:58:19Z",
"error_codes": [
700211
],
"timestamp": "2024-01-29 13:58:19Z",
"trace_id": "33e79a89-4774-49de-afb1-3cf2993d9200",
"correlation_id": "3d932552-f952-4087-92c5-db36ba10389f"
}
-------------------------------- So, for ease of implementation, I would suggest following the same strategy as before. - The original error should be printed as is in logs while the function should return something less specific (e.g. "Failed to obtain a token. Please, check logs for more details"). |
I addressed that point in: |
@inteon @wallrj I tried to build a controller image from master and deploy the controller without federated identity credential ( status:
presented: false
processing: true
reason: |-
WorkloadIdentityCredential authentication failed
POST https://login.microsoftonline.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/oauth2/v2.0/token
--------------------------------------------------------------------------------
RESPONSE 401 Unauthorized
--------------------------------------------------------------------------------
{
"error": "invalid_client",
"error_description": "AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://westeurope.oic.prod-aks.azure.com/bb9ebc7f-b105-4532-95ca-abf3431ff466/d6adbd0b-b258-40e2-9d82-f8001990e9bb/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: af6f9023-3cae-44f0-bbd4-ed23185c0000 Correlation ID: bfc356f6-1cfa-41c0-86da-d851e152ebe9 Timestamp: 2024-01-30 20:08:05Z",
"error_codes": [
700211
],
"timestamp": "2024-01-30 20:08:05Z",
"trace_id": "af6f9023-3cae-44f0-bbd4-ed23185c0000",
"correlation_id": "bfc356f6-1cfa-41c0-86da-d851e152ebe9"
}
--------------------------------------------------------------------------------
To troubleshoot, visit https://aka.ms/azsdk/go/identity/troubleshoot#workload
state: pending |
@inteon The returned error in this case is |
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://github.com/cert-manager/cert-manager) | minor | `v1.13.3` -> `v1.14.1` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.14.1`](https://github.com/cert-manager/cert-manager/releases/tag/v1.14.1) [Compare Source](cert-manager/cert-manager@v1.14.0...v1.14.1) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions. > 📢 cert-manager `v1.14.1` fixes bugs found *during* the release of `v1.14.0`. > > When upgrading to cert-manager release 1.14, please skip `v1.14.0` and install this patch version instead. ##### Documentation - [Release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.14) - [Upgrade notes](https://cert-manager.io/docs/releases/upgrading/upgrading-1.13-1.14) - [Installation instructions](https://cert-manager.io/docs/installation/) ##### Changes since `v1.14.0` ##### Bug or Regression - Fix broken cainjector image value in Helm chart ([#​6693](cert-manager/cert-manager#6693), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - Fix bug in cmctl namespace detection which prevented it being used as a startupapicheck image in namespaces other than cert-manager. ([#​6706](cert-manager/cert-manager#6706), [@​inteon](https://github.com/inteon)) - Fix bug in cmctl which caused `cmctl experimental install` to panic. ([#​6706](cert-manager/cert-manager#6706), [@​inteon](https://github.com/inteon)) ### [`v1.14.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.14.0) [Compare Source](cert-manager/cert-manager@v1.13.3...v1.14.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions. >⚠️ This version has known issues. Please install `v1.14.1` instead. > > During the release of `v1.14.0`, the Helm chart was found to use the wrong OCI image for the `cainjector` Deployment, > which caused the Helm installation and the static manifest based installation to fail. > Upon discovery of this bug, the release of `v1.14.0` was paused before the Helm chart or GitHub release were published; > but the Git tag and the OCI images had already been published. > > The cert-manager team next fixed the Helm chart and two other bugs which are listed in the "Known Issues" section below, > and then released `v1.14.1`, which is the version that users are strongly advised to install when they upgrade to 1.14. > > In order to complete the stalled `v1.14.0` release, > the Helm chart and static YAML installation files were regenerated on a team member's laptop, > using exactly the same build scripts as are used in the automated release process, > and using the `v1.14.1` version of the code. > The working `v1.14.0` Helm chart was published, > and the working versions of the static manifest files attached to the draft `v1.14.0` GitHub release, > and that was then published. > > For these reasons, users are strongly advised to skip this version and install the `v1.14.1` Helm chart instead. ##### Known Issues - During the release of `v1.14.0`, the Helm chart for this version was found to use the wrong OCI image for the `cainjector` Deployment, which caused the Helm installation to fail. In order to complete the release, the cert-manager team have manually updated the Helm chart for this version, which contains all the Helm chart fixes which are in `v1.14.1`. But users are strongly advised to skip this version and install the `v1.14.1` Helm chart instead. - A bug in cmctl namespace detection prevents it being used as a `startupapicheck` image in namespaces other than cert-manager. - A bug in cmctl causes `cmctl experimental install` to panic. ##### Breaking Changes The startupapicheck job uses a new OCI image called "startupapicheck", instead of the ctl image. If you run in an environment in which images cannot be pulled, be sure to include the new image. The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob. ##### Major Themes ##### New X.509 Features The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the [Subject Alternative Name section of RFC 5280](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6) (on page 37). We specifically support any `otherName` type with a `UTF-8` value, such as the [User Principal Name](https://docs.venafi.com/Docs/current/TopNav/Content/Certificates/r-UEP-support-SANs.php) or [`sAMAccountName`](https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties). These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. For example you can create certificates with this block in the spec: otherNames: - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID utf8Value: upn@domain.local The feature is still in alpha stage and requires you to [enable the `OtherName` feature flag in the controller and webhook components](../../installation/configuring-components.md#feature-gates). ##### New CA certificate Features You can now specify the X.509 v3 Authority Information Accessors extension, with URLs for certificates issued by the CA issuer. Users can now use name constraints in CA certificates. To know more details on name constraints check out RFC section https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 ##### Security An ongoing security audit of the cert-manager code revealed some weaknesses which we have addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those important services. All the cert-manager containers are now configured with read only root file system by default, to prevent unexpected changes to the file system of the OCI image. And it is now possible to configure the metrics server to use HTTPS rather than HTTP, so that clients can verify the identity of the metrics server. ##### Other The liveness probe of the cert-manager controller Pod is now enabled by default. There is a new option `.spec.keystores.pkcs12.algorithms` to specify encryption and MAC algorithms for PKCS. ##### Community Thanks again to all open-source contributors with commits in this release, including: - [@​ABWassim](https://github.com/ABWassim) - [@​JoeNorth](https://github.com/JoeNorth) - [@​allenmunC1](https://github.com/allenmunC1) - [@​asapekia](https://github.com/asapekia) - [@​jeremycampbell](https://github.com/jeremycampbell) - [@​jkroepke](https://github.com/jkroepke) - [@​jsoref](https://github.com/jsoref) - [@​lauraseidler](https://github.com/lauraseidler) - [@​pevidex](https://github.com/pevidex) - [@​phillebaba](https://github.com/phillebaba) - [@​snorwin](https://github.com/snorwin) - [@​tanujd11](https://github.com/tanujd11) - [@​tberreis](https://github.com/tberreis) - [@​vinny](https://github.com/vinny) Thanks also to the following cert-manager maintainers for their contributions during this release: - [@​SgtCoDFish](https://github.com/SgtCoDFish) - [@​SpectralHiss](https://github.com/SpectralHiss) - [@​ThatsMrTalbot](https://github.com/ThatsMrTalbot) - [@​hawksight](https://github.com/hawksight) - [@​inteon](https://github.com/inteon) - [@​maelvls](https://github.com/maelvls) - [@​wallrj](https://github.com/wallrj) Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings! Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://github.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. ##### Changes ##### Feature - ACME challenge solver Pod for HTTP01 will get a default annotation of `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"`. You can provide an annotation of `"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"` in your `podTemplate` if you don't like this. ([#​6349](cert-manager/cert-manager#6349), [@​jsoref](https://github.com/jsoref)) - Added a clock skew detector liveness probe that will force a restart in case we detect a skew between the internal monotonic clock and the system clock of more than 5 minutes. Also, the controller's liveness probe is now enabled by default. ([#​6328](cert-manager/cert-manager#6328), [@​inteon](https://github.com/inteon)) - Added a new flag (--dynamic-serving-leaf-duration) that can adjust the lifetime of the dynamic leaf certificates ([#​6552](cert-manager/cert-manager#6552), [@​allenmunC1](https://github.com/allenmunC1)) - Added support for `otherName` SANS in Certificates ([#​6404](cert-manager/cert-manager#6404), [@​SpectralHiss](https://github.com/SpectralHiss)) - Added the option to specify the X.509 v3 Authority Information Accessors extension CA Issuers URLs for certificates issued by the CA issuer. ([#​6486](cert-manager/cert-manager#6486), [@​jeremycampbell](https://github.com/jeremycampbell-okta)) - Adds cert-manager's new core infrastructure initiative badge! See more details on https://www.bestpractices.dev/projects/8079 ([#​6497](cert-manager/cert-manager#6497), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - All Pods are now configured with `readOnlyRootFilesystem` by default. ([#​6453](cert-manager/cert-manager#6453), [@​wallrj](https://github.com/wallrj)) - MAYBE BREAKING: The startupapicheck job is now handled by an entirely new container called "startupapicheck". This replaces the previous ctl container. If you run in an environment in which images cannot be pulled, be sure to include the new container. ([#​6549](cert-manager/cert-manager#6549), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - New option `.spec.keystores.pkcs12.algorithms` to specify encryption and MAC algorithms for PKCS[#​12](cert-manager/cert-manager#12) keystores. Fixes issues [#​5957](cert-manager/cert-manager#5957) and [#​6523](cert-manager/cert-manager#6523). ([#​6548](cert-manager/cert-manager#6548), [@​snorwin](https://github.com/snorwin)) - The ACME HTTP01 solver Pod is now configured with `readOnlyRootFilesystem: true` ([#​6462](cert-manager/cert-manager#6462), [@​wallrj](https://github.com/wallrj)) - Updates the AWS SDK for Go to 1.48.7 to support Amazon EKS Pod Identity ([#​6519](cert-manager/cert-manager#6519), [@​JoeNorth](https://github.com/JoeNorth)) - Users can now use name constraints in CA certificates. To know more details on name constraints check out RFC section https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 ([#​6500](cert-manager/cert-manager#6500), [@​tanujd11](https://github.com/tanujd11)) -⚠️ potentially breaking⚠️ : The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob. ([#​6053](cert-manager/cert-manager#6053), [@​inteon](https://github.com/inteon)) - Add TLS support to the metrics endpoint through either a certificate file or through dynamically issued certificates ([#​6574](cert-manager/cert-manager#6574), [@​ThatsMrTalbot](https://github.com/ThatsMrTalbot)) - Helm Chart: allow changing the default Deployment `revisionHistoryLimit` ([#​6248](cert-manager/cert-manager#6248), [@​tberreis](https://github.com/tberreis)) - Security: Limit the size of the response body read from HTTP requests by cert-manager. ([#​6619](cert-manager/cert-manager#6619), [@​ThatsMrTalbot](https://github.com/ThatsMrTalbot)) - Support custom `spec.namespaceSelector` for webhooks ([#​6638](cert-manager/cert-manager#6638), [@​jkroepke](https://github.com/jkroepke)) ##### Bug or Regression - BUGFIX\[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. ([#​6380](cert-manager/cert-manager#6380), [@​asapekia](https://github.com/asapekia)) - Controller ConfigMap is now created only if `.Values.config` is set. ([#​6357](cert-manager/cert-manager#6357), [@​ABWassim](https://github.com/ABWassim)) - Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. ([#​6406](cert-manager/cert-manager#6406), [@​inteon](https://github.com/inteon)) - Fix(helm): templating of required value in controller and webhook ConfigMap resources ([#​6435](cert-manager/cert-manager#6435), [@​ABWassim](https://github.com/ABWassim)) - Fixed a webhook validation error message when the key algorithm was invalid. ([#​6571](cert-manager/cert-manager#6571), [@​pevidex](https://github.com/pevidex)) - Fixed error messaging when setting up vault issuer ([#​6433](cert-manager/cert-manager#6433), [@​vinny](https://github.com/vinny-sabatini)) - `GHSA-vgf6-pvf4-34rq`: The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. ([#​6498](cert-manager/cert-manager#6498), [@​inteon](https://github.com/inteon)) - Increase the default webhook timeout to its maximum value of 30 seconds, so that the underlying timeout error message has more chance of being returned to the end user. ([#​6488](cert-manager/cert-manager#6488), [@​wallrj](https://github.com/wallrj)) - Listeners that do not support TLS on Gateway resources will now not raise `BadConfig` warnings anymore ([#​6347](cert-manager/cert-manager#6347), [@​lauraseidler](https://github.com/lauraseidler)) - Mitigate potential Slowloris attacks by setting `ReadHeaderTimeout` in all `http.Server` instances ([#​6534](cert-manager/cert-manager#6534), [@​wallrj](https://github.com/wallrj)) - The Venafi issuer now properly resets the certificate and should no longer get stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. ([#​6398](cert-manager/cert-manager#6398), [@​maelvls](https://github.com/maelvls)) - Update experimental install and uninstall commands to have flag parity with the rest of the CLI ([#​6562](cert-manager/cert-manager#6562), [@​ThatsMrTalbot](https://github.com/ThatsMrTalbot)) - Webhook ConfigMap if now created only if `.Values.webhook.config` is set. ([#​6360](cert-manager/cert-manager#6360), [@​ABWassim](https://github.com/ABWassim)) - BUGFIX: Ensure `otherName` SAN changes in Certificate resources trigger re-issuance. ([#​6620](cert-manager/cert-manager#6620), [@​SpectralHiss](https://github.com/SpectralHiss)) - Bugfix: Publish the `startupapicheck` image to `quay.io` ([#​6609](cert-manager/cert-manager#6609), [@​wallrj](https://github.com/wallrj)) ##### Other (Cleanup or Flake) - Cert-manager is now built with Go 1.21.5 ([#​6545](cert-manager/cert-manager#6545), [@​wallrj](https://github.com/wallrj)) - Bump Go to `1.21.3` to address `CVE-2023-39325`. Also bumps base images. ([#​6410](cert-manager/cert-manager#6410), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - Bump `golang.org/x/net v0.15.0 => v0.17.0` as part of addressing `CVE-2023-44487` / `CVE-2023-39325` ([#​6427](cert-manager/cert-manager#6427), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - Check code for unintended use of `crypto/md5`, a weak cryptographic primitive; using `golangci-lint` / `gosec` (G501). ([#​6581](cert-manager/cert-manager#6581), [@​wallrj](https://github.com/wallrj)) - Check code for unintended use of `crypto/sha1`, a weak cryptographic primitive; using `golangci-lint` / `gosec` (G505). ([#​6579](cert-manager/cert-manager#6579), [@​wallrj](https://github.com/wallrj)) - Check code for unintended use of weak random number generator (`math/rand` instead of `crypto/rand`); using `golangci-lint` / `gosec` (G404). ([#​6582](cert-manager/cert-manager#6582), [@​wallrj](https://github.com/wallrj)) - Cleanup: Restrict MutatingWebhookConfiguration to only CertificateRequest resources ([#​6311](cert-manager/cert-manager#6311), [@​hawksight](https://github.com/hawksight)) - Deprecated `pkg/util.RandStringRunes` and `pkg/controller/test.RandStringBytes`. Use `k8s.io/apimachinery/pkg/util/rand.String` instead. ([#​6585](cert-manager/cert-manager#6585), [@​wallrj](https://github.com/wallrj)) - Enabled verbose logging in startupapicheck by default, so that if it fails, users can know exactly what caused the failure. ([#​6495](cert-manager/cert-manager#6495), [@​wallrj](https://github.com/wallrj)) - Fix gosec G601: Implicit memory aliasing of items from a range statement ([#​6551](cert-manager/cert-manager#6551), [@​wallrj](https://github.com/wallrj)) - Fix handling of serial numbers in literal certificate subjects. Previously a serial number could be specified in `subject.serialNumber` while using a literal certificate subject. This was a mistake and has been fixed. ([#​6533](cert-manager/cert-manager#6533), [@​inteon](https://github.com/inteon)) - The end-to-end tests can now test the cert-manager Vault Issuer on an OpenShift cluster. ([#​6391](cert-manager/cert-manager#6391), [@​wallrj](https://github.com/wallrj)) - Update cert-manager's distroless base images from Debian 11 to Debian 12. This should have no practical effects on users. ([#​6583](cert-manager/cert-manager#6583), [@​inteon](https://github.com/inteon)) - Updated all code using GatewayAPI to use the now GA v1 APIs ([#​6559](cert-manager/cert-manager#6559), [@​ThatsMrTalbot](https://github.com/ThatsMrTalbot)) - Upgrade Go from 1.20.7 to 1.20.8. ([#​6369](cert-manager/cert-manager#6369), [@​inteon](https://github.com/inteon)) - Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". ([#​6366](cert-manager/cert-manager#6366), [@​inteon](https://github.com/inteon)) - Use the new generic `sets.Set` type in place of the deprecated `sets.String`. ([#​6586](cert-manager/cert-manager#6586), [@​wallrj](https://github.com/wallrj)) - cert-manager is now built with Go `v1.21.6` ([#​6628](cert-manager/cert-manager#6628), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - Update the Azure SDK and remove deprecated `autorest` dependency ([#​5452](cert-manager/cert-manager#5452), [@​phillebaba](https://github.com/phillebaba)) - The cert-manager E2E tests can now be run on Kubernetes 1.29 ([#​6641](cert-manager/cert-manager#6641), [@​wallrj](https://github.com/wallrj)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNjUuMCIsInVwZGF0ZWRJblZlciI6IjM3LjE2NS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Reviewed-on: https://git.home/nrdufour/home-ops/pulls/358 Co-authored-by: Renovate <renovate@ptinem.io> Co-committed-by: Renovate <renovate@ptinem.io>
Pull Request Motivation
This change will update the Azure implementation by updating the SDK to the new version and replacing deprecated go-autorest with azidentity. This is required to keep cert manager working next year as autorest will no longer be supported after March 2023. Additionally there are other changes coming to Azure AD and workload identies that need to be supported.
Kind
cleanup
Release Note