GRADUATION: Write up the Governance and Steering documents #6260

maelvls · 2023-08-09T10:21:53Z

This PR is part of #6132.

To apply for graduation, cert-manager is required to perform the two following steps:

Explicitly define a project governance and committer process. The committer process should cover the full committer lifecycle including onboarding and offboarding or emeritus criteria. This preferably is laid out in a GOVERNANCE.md file and references an OWNERS.md file showing the current and emeritus committers.

Explicitly define the criteria, process and offboarding or emeritus conditions for project maintainers; or those who may interact with the CNCF on behalf of the project. The list of maintainers should be preferably be stored in a MAINTAINERS.md file and audited at a minimum of an annual cadence.

In the cert-manager project, we don't make a distinction between "committer" and "maintainer". In the GOVERNANCE.md document, I use the term "maintainer" for simplicity. Since committers and maintainers are the same in our project, we will not have a MAINTAINERS.md file.

Back in 15 June 2023, I had presented the first proposal of GOVERNANCE.md [OLD, FOR REFERENCE ONLY] (hosted on HackMD); this PR is the "second iteration" of that proposal.

Regarding the list of steering committee members, I propose that we update the STEERING.md as we go. For context, we have 1 volunteer and the goal is to have at least 3 (out of the 7 seats available).

For this PR to be merged, all maintainers need to approve by posting a message such as "As a maintainer, I approve with this change" or a comment with a thumbs up emoji or a comment saying /approve. Since many things in these two documents had not been defined previously, I propose to have the documents adopted via a lazy consensus that ends on 12 Sept 2023 23:59 UTC+2 involving the cert-manager maintainers.

/kind documentation

NONE

Signed-off-by: Maël Valais <mael@vls.dev>

GOVERNANCE.md

STEERING.md

Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> Signed-off-by: Maël Valais <mael@vls.dev>

GOVERNANCE.md

… requirements, privileges and responsibilities for each role Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

inteon · 2023-08-11T12:41:39Z

I updated the GOVERNANCE file with all the different roles we discussed (partially based on this document: https://github.com/kubernetes/community/blob/master/community-membership.md).
PTAL

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

maelvls · 2023-08-16T14:49:53Z

Thanks for the changes @inteon.

I have looked at the Kubernetes membership document and I think we need to separate the governance-related roles (i.e., who can decide on behalf of the project) from the community-related roles (i.e., how people can contribute to the project, for example by reviewing, approving, or opening a PR; "committers" are part of this group).

Governance-related roles, including the role of maintainer, should be laid out in GOVERNANCE.md and the list of maintainers should be in MAINTAINERS.md.
Contribution-related roles should be laid out somewhere else, e.g., CONTRIBUTING.md and OWNERS.

What do you think?

inteon · 2023-08-16T17:55:14Z

I think I understand what you mean.
However, because a maintainer has to be an approver and an Admin has to be a maintainer (in my proposal), I feel like it does make sense to put all these roles in one single document.
Maybe the GOVERNANCE file should just refer to this document?

GOVERNANCE.md

inteon · 2023-08-18T12:39:41Z

@maelvls I think this is a very good set of resources that we could use: https://github.com/cncf/project-template/blob/main/GOVERNANCE.md

Source: https://hackmd.io/YkDBYQP1Qlekdx4NS11iIg?edit Signed-off-by: Maël Valais <mael@vls.dev>

Signed-off-by: Maël Valais <mael@vls.dev>

Source: https://hackmd.io/YkDBYQP1Qlekdx4NS11iIg Signed-off-by: Maël Valais <mael@vls.dev>

Signed-off-by: Maël Valais <mael@vls.dev>

…s.csv Hey. We haven't updated the maintainers in this document for a while. I propose to update it with the "upstream" list of maintainers: cert-manager/cert-manager#6260. Signed-off-by: Maël Valais <mael@vls.dev>

jakexks

As a maintainer I approve this PR

GOVERNANCE.md

Signed-off-by: Maël Valais <mael@vls.dev>

inteon

As a maintainer I approve this PR

wallrj

/approve

munnerz

Thanks for working on this @maelvls and everyone else who has reviewed, commented, approved and participated 😄 🚀

jetstack-bot · 2023-09-12T09:04:14Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon, jakexks, munnerz, wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [inteon,jakexks,munnerz,wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://github.com/cert-manager/cert-manager) | minor | `v1.12.4` -> `v1.13.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](cert-manager/cert-manager@v1.12.4...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! #### Community Welcome to these new cert-manager members (more info - cert-manager/cert-manager#6260): [@jsoref](https://github.com/jsoref) [@FlorianLiebhart](https://github.com/FlorianLiebhart) [@hawksight](https://github.com/hawksight) [@erikgb](https://github.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@AcidLeroy](https://github.com/AcidLeroy) [@FlorianLiebhart](https://github.com/FlorianLiebhart) [@lucacome](https://github.com/lucacome) [@cypres](https://github.com/cypres) [@erikgb](https://github.com/erikgb) [@ubergesundheit](https://github.com/ubergesundheit) [@jkroepke](https://github.com/jkroepke) [@jsoref](https://github.com/jsoref) [@gdvalle](https://github.com/gdvalle) [@rouke-broersma](https://github.com/rouke-broersma) [@schrodit](https://github.com/schrodit) [@zhangzhiqiangcs](https://github.com/zhangzhiqiangcs) [@arukiidou](https://github.com/arukiidou) [@hawksight](https://github.com/hawksight) [@Richardds](https://github.com/Richardds) [@kahirokunn](https://github.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@SgtCoDFish](https://github.com/SgtCoDFish) [@maelvls](https://github.com/maelvls) [@irbekrm](https://github.com/irbekrm) [@inteon](https://github.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@AcidLeroy](https://github.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see cert-manager/cert-manager#5337) Also, thanks a lot to [@FlorianLiebhart](https://github.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://github.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#6243](cert-manager/cert-manager#6243), [@inteon](https://github.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#6241](cert-manager/cert-manager#6241), [@erikgb](https://github.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#6267](cert-manager/cert-manager#6267), [@zhangzhiqiangcs](https://github.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#6049](cert-manager/cert-manager#6049), [@SgtCoDFish](https://github.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#6292](cert-manager/cert-manager#6292), [@ubergesundheit](https://github.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#6298](cert-manager/cert-manager#6298), [@inteon](https://github.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#5337](cert-manager/cert-manager#5337), [@AcidLeroy](https://github.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#6199](cert-manager/cert-manager#6199), [@inteon](https://github.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#6110](cert-manager/cert-manager#6110), [@jkroepke](https://github.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#5003](cert-manager/cert-manager#5003), [@FlorianLiebhart](https://github.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#6087](cert-manager/cert-manager#6087), [@rouke-broersma](https://github.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#6109](cert-manager/cert-manager#6109), [@inteon](https://github.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#6147](cert-manager/cert-manager#6147), [@inteon](https://github.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#6232](cert-manager/cert-manager#6232), [@inteon](https://github.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#6088](cert-manager/cert-manager#6088), [@cypres](https://github.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#6220](cert-manager/cert-manager#6220), [@ubergesundheit](https://github.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#6191](cert-manager/cert-manager#6191), [@Richardds](https://github.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. ⚠️ ⚠️ BREAKING ⚠️ ⚠️ : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](cert-manager/cert-manager#6093), [@irbekrm](https://github.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6293](cert-manager/cert-manager#6293), [@SgtCoDFish](https://github.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#6143](cert-manager/cert-manager#6143), [@schrodit](https://github.com/schrodit)) - ⚠️ possibly breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](cert-manager/cert-manager#6182), [@inteon](https://github.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#5879](cert-manager/cert-manager#5879), [@maelvls](https://github.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#6144](cert-manager/cert-manager#6144), [@schrodit](https://github.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#6168](cert-manager/cert-manager#6168), [@inteon](https://github.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#6156](cert-manager/cert-manager#6156), [@kahirokunn](https://github.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#6242](cert-manager/cert-manager#6242), [@inteon](https://github.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#6085](cert-manager/cert-manager#6085), [@irbekrm](https://github.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#6225](cert-manager/cert-manager#6225), [@arukiidou](https://github.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#6034](cert-manager/cert-manager#6034), [@gdvalle](https://github.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#6176](cert-manager/cert-manager#6176), [@inteon](https://github.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#6247](cert-manager/cert-manager#6247), [@inteon](https://github.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#6077](cert-manager/cert-manager#6077), [@lucacome](https://github.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#6227](cert-manager/cert-manager#6227), [@lucacome](https://github.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#6152](cert-manager/cert-manager#6152), [@inteon](https://github.com/inteon)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.home/nrdufour/home-ops/pulls/84 Co-authored-by: Renovate <renovate@ptinem.io> Co-committed-by: Renovate <renovate@ptinem.io>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.4` -> `v1.13.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@jsoref](https://togithub.com/jsoref) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@hawksight](https://togithub.com/hawksight) [@erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@AcidLeroy](https://togithub.com/AcidLeroy) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@lucacome](https://togithub.com/lucacome) [@cypres](https://togithub.com/cypres) [@erikgb](https://togithub.com/erikgb) [@ubergesundheit](https://togithub.com/ubergesundheit) [@jkroepke](https://togithub.com/jkroepke) [@jsoref](https://togithub.com/jsoref) [@gdvalle](https://togithub.com/gdvalle) [@rouke-broersma](https://togithub.com/rouke-broersma) [@schrodit](https://togithub.com/schrodit) [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@arukiidou](https://togithub.com/arukiidou) [@hawksight](https://togithub.com/hawksight) [@Richardds](https://togithub.com/Richardds) [@kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@SgtCoDFish](https://togithub.com/SgtCoDFish) [@maelvls](https://togithub.com/maelvls) [@irbekrm](https://togithub.com/irbekrm) [@inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. ⚠️ ⚠️ BREAKING ⚠️ ⚠️ : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@schrodit](https://togithub.com/schrodit)) - ⚠️ possibly breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@inteon](https://togithub.com/inteon)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).  Co-authored-by: lumiere-bot <98047013+lumiere-bot[bot]@users.noreply.github.com>

maelvls · 2023-09-13T09:08:57Z

Hi all, the lazy consensus deliberation period has ended yesterday at 23:59 UTC. I'd like to thank everyone who participated and contributed to this governance charter! The governance charter is now live:

Note: one of the decisions made in this PR was to move these documents to the repository cert-manager/community. I closed this PR and created cert-manager/community#1 with the exact same contents as this one.

🎉 Congratulations to the cert-manager community for achieving this milestone. We aren't far from graduating!

/close

jetstack-bot · 2023-09-13T09:09:00Z

@maelvls: Closed this PR.

In response to this:

Hi all, the lazy consensus deliberation period has ended yesterday at 23:59 UTC. I'd like to thank everyone who participated and contributed to this governance charter!

One of the decisions made in this PR was to move these documents to the repository cert-manager/community. I will thus close this PR and create another PR in the community repository with the exact same contents as this one.

Congratulations to the cert-manager community for achieving this milestone. We aren't far from graduating!

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

These files have been copied from cert-manager/cert-manager#6260

These files have been copied from cert-manager/cert-manager#6260 Signed-off-by: Maël Valais <mael@vls.dev>

inteon · 2023-09-13T12:15:29Z

Hi all, the lazy consensus deliberation period has ended yesterday at 23:59 UTC. I'd like to thank everyone who participated and contributed to this governance charter! The governance charter is now live:

GOVERNANCE.md

STEERING.md

MAINTAINERS.md

maintainers.csv

Note: one of the decisions made in this PR was to move these documents to the repository cert-manager/community. I closed this PR and created cert-manager/community#1 with the exact same contents as this one.

🎉 Congratulations to the cert-manager community for achieving this milestone. We aren't far from graduating!

/close

This is amazing work! Thanks for doing this.
Would it make sense to also update this repo and add references to the documents in https://github.com/cert-manager/community? Could we maybe also move some other documents to that repo (like https://github.com/cert-manager/cert-manager/blob/master/CODE_OF_CONDUCT.md and https://github.com/cert-manager/cert-manager/blob/master/SECURITY.md)?

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.4` -> `v1.13.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta. #### Breaking Changes (You MUST read this before you upgrade!) 1. **BREAKING** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) 2. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) 3. **Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@jsoref](https://togithub.com/jsoref) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@hawksight](https://togithub.com/hawksight) [@erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@AcidLeroy](https://togithub.com/AcidLeroy) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@lucacome](https://togithub.com/lucacome) [@cypres](https://togithub.com/cypres) [@erikgb](https://togithub.com/erikgb) [@ubergesundheit](https://togithub.com/ubergesundheit) [@jkroepke](https://togithub.com/jkroepke) [@jsoref](https://togithub.com/jsoref) [@gdvalle](https://togithub.com/gdvalle) [@rouke-broersma](https://togithub.com/rouke-broersma) [@schrodit](https://togithub.com/schrodit) [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@arukiidou](https://togithub.com/arukiidou) [@hawksight](https://togithub.com/hawksight) [@Richardds](https://togithub.com/Richardds) [@kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@SgtCoDFish](https://togithub.com/SgtCoDFish) [@maelvls](https://togithub.com/maelvls) [@irbekrm](https://togithub.com/irbekrm) [@inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. **⚠️ ⚠️ BREAKING ⚠️ ⚠️** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **⚠️Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@schrodit](https://togithub.com/schrodit)) - **⚠️Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@inteon](https://togithub.com/inteon)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).  Co-authored-by: repo-jeeves <106431701+repo-jeeves[bot]@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.3` -> `v1.13.1` | | [clickhouse](https://truecharts.org/charts/dependency/clickhouse) ([source](https://togithub.com/truecharts/charts)) | patch | `7.0.1` -> `7.0.8` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.1` -> `14.0.6` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.3` -> `14.0.6` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.4` -> `14.0.6` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `13.2.1` -> `13.2.2` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.2` -> `14.0.6` | | [redis](https://truecharts.org/charts/dependency/redis) ([source](https://togithub.com/truecharts/charts)) | patch | `8.0.0` -> `8.0.27` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.1`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.1) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.13.0...v1.13.1) v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0. ##### ⚠️ READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version! #### Changes since v1.13.0 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#6358](https://togithub.com/cert-manager/cert-manager/issues/6358), [@jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". ([#6368](https://togithub.com/cert-manager/cert-manager/issues/6368), [@inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#6370](https://togithub.com/cert-manager/cert-manager/issues/6370), [@jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.5...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta. #### Known issues The `StableCertificateRequestName` that was promoted to Beta contains a "name collision" bug: [cert-manager/cert-manager#6342 This will be fixed in v1.13.1. #### Breaking Changes (You MUST read this before you upgrade!) 1. **BREAKING** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) 2. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) 3. **Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@jsoref](https://togithub.com/jsoref) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@hawksight](https://togithub.com/hawksight) [@erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@AcidLeroy](https://togithub.com/AcidLeroy) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@lucacome](https://togithub.com/lucacome) [@cypres](https://togithub.com/cypres) [@erikgb](https://togithub.com/erikgb) [@ubergesundheit](https://togithub.com/ubergesundheit) [@jkroepke](https://togithub.com/jkroepke) [@jsoref](https://togithub.com/jsoref) [@gdvalle](https://togithub.com/gdvalle) [@rouke-broersma](https://togithub.com/rouke-broersma) [@schrodit](https://togithub.com/schrodit) [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@arukiidou](https://togithub.com/arukiidou) [@hawksight](https://togithub.com/hawksight) [@Richardds](https://togithub.com/Richardds) [@kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@SgtCoDFish](https://togithub.com/SgtCoDFish) [@maelvls](https://togithub.com/maelvls) [@irbekrm](https://togithub.com/irbekrm) [@inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. **⚠️ ⚠️ BREAKING ⚠️ ⚠️** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **⚠️Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@schrodit](https://togithub.com/schrodit)) - **⚠️Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@inteon](https://togithub.com/inteon)) ### [`v1.12.5`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.5) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.12.5) v1.12.5 contains a backport for a name collision bug that was found in v1.13.0 #### Changes since v1.12.4 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#6359](https://togithub.com/cert-manager/cert-manager/issues/6359), [@jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Updated base images to the latest version. ([#6372](https://togithub.com/cert-manager/cert-manager/issues/6372), [@inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#6371](https://togithub.com/cert-manager/cert-manager/issues/6371), [@jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.12.4`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.4) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.3...v1.12.4) v1.12.4 contains an important security fix that addresses [CVE-2023-29409](https://cve.report/CVE-2023-29409). #### Changes since v1.12.3 - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should hav e compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6297](https://togithub.com/cert-manager/cert-manager/issues/6297), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Use Go 1.20.7 to fix a security issue in Go's `crypto/tls` library. ([#6318](https://togithub.com/cert-manager/cert-manager/issues/6318), [@maelvls](https://togithub.com/maelvls)) </details> <details> <summary>truecharts/charts (clickhouse)</summary> ### [`v7.0.8`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.8) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.7...clickhouse-7.0.8) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.7`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.7) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.6...clickhouse-7.0.7) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.6`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.6) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.5...clickhouse-7.0.6) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.5`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.5) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.4...clickhouse-7.0.5) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.4`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.4) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.3...clickhouse-7.0.4) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.3`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.3) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.2...clickhouse-7.0.3) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.2`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.2) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.1...clickhouse-7.0.2) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). </details> <details> <summary>truecharts/library-charts (common)</summary> ### [`v14.0.6`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.6) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.5...common-14.0.6) Function library for TrueCharts ### [`v14.0.5`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.5) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.4...common-14.0.5) Function library for TrueCharts ### [`v14.0.4`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.4) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.3...common-14.0.4) Function library for TrueCharts ### [`v14.0.3`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.3) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.2...common-14.0.3) Function library for TrueCharts ### [`v14.0.2`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.2) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.1...common-14.0.2) Function library for TrueCharts </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10pm on tuesday" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.3` -> `v1.13.1` | | [clickhouse](https://truecharts.org/charts/dependency/clickhouse) ([source](https://togithub.com/truecharts/charts)) | patch | `7.0.1` -> `7.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.1` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.6` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.3` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.4` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `13.2.1` -> `13.2.2` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.2` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.8` -> `14.0.9` | | [kube-state-metrics](https://truecharts.org/charts/dependency/kube-state-metrics) ([source](https://togithub.com/truecharts/charts)) | patch | `3.0.22` -> `3.0.23` | | [mariadb](https://truecharts.org/charts/dependency/mariadb) ([source](https://togithub.com/truecharts/charts)) | patch | `9.0.25` -> `9.0.26` | | [node-exporter](https://truecharts.org/charts/dependency/node-exporter) ([source](https://togithub.com/truecharts/charts)) | patch | `3.0.24` -> `3.0.25` | | [redis](https://truecharts.org/charts/dependency/redis) ([source](https://togithub.com/truecharts/charts)) | patch | `8.0.0` -> `8.0.29` | | [redis](https://truecharts.org/charts/dependency/redis) ([source](https://togithub.com/truecharts/charts)) | patch | `8.0.28` -> `8.0.29` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.1`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.1) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.13.0...v1.13.1) v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0. ##### ⚠️ READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version! #### Changes since v1.13.0 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#6358](https://togithub.com/cert-manager/cert-manager/issues/6358), [@jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". ([#6368](https://togithub.com/cert-manager/cert-manager/issues/6368), [@inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#6370](https://togithub.com/cert-manager/cert-manager/issues/6370), [@jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.5...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta. #### Known issues The `StableCertificateRequestName` that was promoted to Beta contains a "name collision" bug: [cert-manager/cert-manager#6342 This will be fixed in v1.13.1. #### Breaking Changes (You MUST read this before you upgrade!) 1. **BREAKING** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) 2. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) 3. **Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@jsoref](https://togithub.com/jsoref) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@hawksight](https://togithub.com/hawksight) [@erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@AcidLeroy](https://togithub.com/AcidLeroy) [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@lucacome](https://togithub.com/lucacome) [@cypres](https://togithub.com/cypres) [@erikgb](https://togithub.com/erikgb) [@ubergesundheit](https://togithub.com/ubergesundheit) [@jkroepke](https://togithub.com/jkroepke) [@jsoref](https://togithub.com/jsoref) [@gdvalle](https://togithub.com/gdvalle) [@rouke-broersma](https://togithub.com/rouke-broersma) [@schrodit](https://togithub.com/schrodit) [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@arukiidou](https://togithub.com/arukiidou) [@hawksight](https://togithub.com/hawksight) [@Richardds](https://togithub.com/Richardds) [@kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@SgtCoDFish](https://togithub.com/SgtCoDFish) [@maelvls](https://togithub.com/maelvls) [@irbekrm](https://togithub.com/irbekrm) [@inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. **⚠️ ⚠️ BREAKING ⚠️ ⚠️** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **⚠️Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@schrodit](https://togithub.com/schrodit)) - **⚠️Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@inteon](https://togithub.com/inteon)) ### [`v1.12.5`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.5) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.12.5) v1.12.5 contains a backport for a name collision bug that was found in v1.13.0 #### Changes since v1.12.4 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#6359](https://togithub.com/cert-manager/cert-manager/issues/6359), [@jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Updated base images to the latest version. ([#6372](https://togithub.com/cert-manager/cert-manager/issues/6372), [@inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#6371](https://togithub.com/cert-manager/cert-manager/issues/6371), [@jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.12.4`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.4) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.3...v1.12.4) v1.12.4 contains an important security fix that addresses [CVE-2023-29409](https://cve.report/CVE-2023-29409). #### Changes since v1.12.3 - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#6297](https://togithub.com/cert-manager/cert-manager/issues/6297), [@SgtCoDFish](https://togithub.com/SgtCoDFish)) - Use Go 1.20.7 to fix a security issue in Go's `crypto/tls` library. ([#6318](https://togithub.com/cert-manager/cert-manager/issues/6318), [@maelvls](https://togithub.com/maelvls)) </details> <details> <summary>truecharts/charts (clickhouse)</summary> ### [`v7.0.9`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.9) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.8...clickhouse-7.0.9) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.8`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.8) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.7...clickhouse-7.0.8) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.7`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.7) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.6...clickhouse-7.0.7) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.6`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.6) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.5...clickhouse-7.0.6) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.5`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.5) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.4...clickhouse-7.0.5) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.4`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.4) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.3...clickhouse-7.0.4) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.3`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.3) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.2...clickhouse-7.0.3) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.2`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.2) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.1...clickhouse-7.0.2) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). </details> <details> <summary>truecharts/library-charts (common)</summary> ### [`v14.0.9`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.9) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.8...common-14.0.9) Function library for TrueCharts ### [`v14.0.8`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.8) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.7...common-14.0.8) Function library for TrueCharts ### [`v14.0.7`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.7) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.6...common-14.0.7) Function library for TrueCharts ### [`v14.0.6`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.6) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.5...common-14.0.6) Function library for TrueCharts ### [`v14.0.5`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.5) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.4...common-14.0.5) Function library for TrueCharts ### [`v14.0.4`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.4) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.3...common-14.0.4) Function library for TrueCharts ### [`v14.0.3`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.3) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.2...common-14.0.3) Function library for TrueCharts ### [`v14.0.2`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.2) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.1...common-14.0.2) Function library for TrueCharts </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10pm on tuesday" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).  --------- Signed-off-by: TrueCharts-Bot <bot@truecharts.org> Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com> Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>

governance: write up the governance and steering documents

3370f8b

Signed-off-by: Maël Valais <mael@vls.dev>

inteon reviewed Aug 9, 2023

View reviewed changes

GOVERNANCE.md Outdated Show resolved Hide resolved

inteon reviewed Aug 9, 2023

View reviewed changes

GOVERNANCE.md Outdated Show resolved Hide resolved

inteon reviewed Aug 9, 2023

View reviewed changes

STEERING.md Outdated Show resolved Hide resolved

Apply suggestions from code review

5741111

Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> Signed-off-by: Maël Valais <mael@vls.dev>

inteon reviewed Aug 11, 2023

View reviewed changes

GOVERNANCE.md Outdated Show resolved Hide resolved

inteon reviewed Aug 11, 2023

View reviewed changes

GOVERNANCE.md Outdated Show resolved Hide resolved

inteon reviewed Aug 11, 2023

View reviewed changes

GOVERNANCE.md Show resolved Hide resolved

inteon reviewed Aug 11, 2023

View reviewed changes

GOVERNANCE.md Show resolved Hide resolved

inteon reviewed Aug 11, 2023

View reviewed changes

GOVERNANCE.md Show resolved Hide resolved

inteon self-assigned this Aug 11, 2023

add more roles to the GOVERNANCE.md document and clearly indicate the…

7456e0f

… requirements, privileges and responsibilities for each role Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

fix file links

b089f7f

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

inteon force-pushed the governance branch from a360cc2 to b089f7f Compare August 14, 2023 07:15

jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Aug 18, 2023

inteon reviewed Aug 18, 2023

View reviewed changes

GOVERNANCE.md Outdated Show resolved Hide resolved

inteon reviewed Aug 18, 2023

View reviewed changes

GOVERNANCE.md Show resolved Hide resolved

maelvls added 3 commits August 21, 2023 15:04

Copy contents from the HackMD file

1900d80

Source: https://hackmd.io/YkDBYQP1Qlekdx4NS11iIg?edit Signed-off-by: Maël Valais <mael@vls.dev>

Update MAINTAINERS.md

40005ef

Signed-off-by: Maël Valais <mael@vls.dev>

Update GOVERNANCE.md with the latest changes from HackMD

5cf8beb

Source: https://hackmd.io/YkDBYQP1Qlekdx4NS11iIg Signed-off-by: Maël Valais <mael@vls.dev>

governance: standardize style for the Slack channel names

401c398

Signed-off-by: Maël Valais <mael@vls.dev>

maelvls mentioned this pull request Sep 7, 2023

Checklist: CNCF Graduation #6132

Open

6 tasks

governance: add a section "responsibilities for github members"

5c7ec3f

Signed-off-by: Maël Valais <mael@vls.dev>

maelvls mentioned this pull request Sep 11, 2023

cert-manager: sync the maintainer list with cert-manager's maintainers.csv cncf/foundation#634

Merged

jakexks approved these changes Sep 11, 2023

View reviewed changes

inteon reviewed Sep 11, 2023

View reviewed changes

GOVERNANCE.md Outdated Show resolved Hide resolved

governance: the PR to OWNERS should be created on each repo

6ed09fa

Signed-off-by: Maël Valais <mael@vls.dev>

maelvls force-pushed the governance branch from 32c1394 to 6ed09fa Compare September 11, 2023 14:05

inteon approved these changes Sep 11, 2023

View reviewed changes

inteon requested review from wallrj, hawksight, SgtCoDFish and erikgb September 11, 2023 14:23

wallrj approved these changes Sep 12, 2023

View reviewed changes

munnerz approved these changes Sep 12, 2023

View reviewed changes

p-linnane mentioned this pull request Sep 13, 2023

cmctl 1.13.0 Homebrew/homebrew-core#142149

Merged

jetstack-bot closed this Sep 13, 2023

maelvls added a commit to maelvls/community-1 that referenced this pull request Sep 13, 2023

governance: add the governance and steering documents

7ff4a5a

These files have been copied from cert-manager/cert-manager#6260

maelvls deleted the governance branch September 13, 2023 11:16

maelvls added a commit to maelvls/community-1 that referenced this pull request Sep 13, 2023

governance: add the governance and steering documents

4ae6845

These files have been copied from cert-manager/cert-manager#6260 Signed-off-by: Maël Valais <mael@vls.dev>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GRADUATION: Write up the Governance and Steering documents #6260

GRADUATION: Write up the Governance and Steering documents #6260

maelvls commented Aug 9, 2023 •

edited

inteon commented Aug 11, 2023

maelvls commented Aug 16, 2023 •

edited

inteon commented Aug 16, 2023

inteon commented Aug 18, 2023

jakexks left a comment

inteon left a comment

wallrj left a comment

munnerz left a comment

jetstack-bot commented Sep 12, 2023

maelvls commented Sep 13, 2023 •

edited

jetstack-bot commented Sep 13, 2023

inteon commented Sep 13, 2023

GRADUATION: Write up the Governance and Steering documents #6260

GRADUATION: Write up the Governance and Steering documents #6260

Conversation

maelvls commented Aug 9, 2023 • edited

inteon commented Aug 11, 2023

maelvls commented Aug 16, 2023 • edited

inteon commented Aug 16, 2023

inteon commented Aug 18, 2023

jakexks left a comment

Choose a reason for hiding this comment

inteon left a comment

Choose a reason for hiding this comment

wallrj left a comment

Choose a reason for hiding this comment

munnerz left a comment

Choose a reason for hiding this comment

jetstack-bot commented Sep 12, 2023

maelvls commented Sep 13, 2023 • edited

jetstack-bot commented Sep 13, 2023

inteon commented Sep 13, 2023

maelvls commented Aug 9, 2023 •

edited

maelvls commented Aug 16, 2023 •

edited

maelvls commented Sep 13, 2023 •

edited