New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GRADUATION: Write up the Governance and Steering documents #6260
Conversation
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> Signed-off-by: Maël Valais <mael@vls.dev>
… requirements, privileges and responsibilities for each role Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
I updated the GOVERNANCE file with all the different roles we discussed (partially based on this document: https://github.com/kubernetes/community/blob/master/community-membership.md). |
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Thanks for the changes @inteon. I have looked at the Kubernetes membership document and I think we need to separate the governance-related roles (i.e., who can decide on behalf of the project) from the community-related roles (i.e., how people can contribute to the project, for example by reviewing, approving, or opening a PR; "committers" are part of this group).
What do you think? |
I think I understand what you mean. |
@maelvls I think this is a very good set of resources that we could use: https://github.com/cncf/project-template/blob/main/GOVERNANCE.md |
Source: https://hackmd.io/YkDBYQP1Qlekdx4NS11iIg?edit Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
Source: https://hackmd.io/YkDBYQP1Qlekdx4NS11iIg Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
Signed-off-by: Maël Valais <mael@vls.dev>
…s.csv Hey. We haven't updated the maintainers in this document for a while. I propose to update it with the "upstream" list of maintainers: cert-manager/cert-manager#6260. Signed-off-by: Maël Valais <mael@vls.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a maintainer I approve this PR
Signed-off-by: Maël Valais <mael@vls.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a maintainer I approve this PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this @maelvls and everyone else who has reviewed, commented, approved and participated 😄 🚀
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: inteon, jakexks, munnerz, wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://github.com/cert-manager/cert-manager) | minor | `v1.12.4` -> `v1.13.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.0`](https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](cert-manager/cert-manager@v1.12.4...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! #### Community Welcome to these new cert-manager members (more info - cert-manager/cert-manager#6260): [@​jsoref](https://github.com/jsoref) [@​FlorianLiebhart](https://github.com/FlorianLiebhart) [@​hawksight](https://github.com/hawksight) [@​erikgb](https://github.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@​AcidLeroy](https://github.com/AcidLeroy) [@​FlorianLiebhart](https://github.com/FlorianLiebhart) [@​lucacome](https://github.com/lucacome) [@​cypres](https://github.com/cypres) [@​erikgb](https://github.com/erikgb) [@​ubergesundheit](https://github.com/ubergesundheit) [@​jkroepke](https://github.com/jkroepke) [@​jsoref](https://github.com/jsoref) [@​gdvalle](https://github.com/gdvalle) [@​rouke-broersma](https://github.com/rouke-broersma) [@​schrodit](https://github.com/schrodit) [@​zhangzhiqiangcs](https://github.com/zhangzhiqiangcs) [@​arukiidou](https://github.com/arukiidou) [@​hawksight](https://github.com/hawksight) [@​Richardds](https://github.com/Richardds) [@​kahirokunn](https://github.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@​SgtCoDFish](https://github.com/SgtCoDFish) [@​maelvls](https://github.com/maelvls) [@​irbekrm](https://github.com/irbekrm) [@​inteon](https://github.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@​AcidLeroy](https://github.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see cert-manager/cert-manager#5337) Also, thanks a lot to [@​FlorianLiebhart](https://github.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://github.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#​6243](cert-manager/cert-manager#6243), [@​inteon](https://github.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#​6241](cert-manager/cert-manager#6241), [@​erikgb](https://github.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#​6267](cert-manager/cert-manager#6267), [@​zhangzhiqiangcs](https://github.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#​6049](cert-manager/cert-manager#6049), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#​6292](cert-manager/cert-manager#6292), [@​ubergesundheit](https://github.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#​6298](cert-manager/cert-manager#6298), [@​inteon](https://github.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#​5337](cert-manager/cert-manager#5337), [@​AcidLeroy](https://github.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#​6199](cert-manager/cert-manager#6199), [@​inteon](https://github.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#​6110](cert-manager/cert-manager#6110), [@​jkroepke](https://github.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#​5003](cert-manager/cert-manager#5003), [@​FlorianLiebhart](https://github.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#​6087](cert-manager/cert-manager#6087), [@​rouke-broersma](https://github.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#​6109](cert-manager/cert-manager#6109), [@​inteon](https://github.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#​6147](cert-manager/cert-manager#6147), [@​inteon](https://github.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#​6232](cert-manager/cert-manager#6232), [@​inteon](https://github.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#​6088](cert-manager/cert-manager#6088), [@​cypres](https://github.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#​6220](cert-manager/cert-manager#6220), [@​ubergesundheit](https://github.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#​6191](cert-manager/cert-manager#6191), [@​Richardds](https://github.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates.⚠️ ⚠️ BREAKING⚠️ ⚠️ : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](cert-manager/cert-manager#6093), [@​irbekrm](https://github.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6293](cert-manager/cert-manager#6293), [@​SgtCoDFish](https://github.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#​6143](cert-manager/cert-manager#6143), [@​schrodit](https://github.com/schrodit)) -⚠️ possibly breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](cert-manager/cert-manager#6182), [@​inteon](https://github.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#​5879](cert-manager/cert-manager#5879), [@​maelvls](https://github.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#​6144](cert-manager/cert-manager#6144), [@​schrodit](https://github.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#​6168](cert-manager/cert-manager#6168), [@​inteon](https://github.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#​6156](cert-manager/cert-manager#6156), [@​kahirokunn](https://github.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#​6242](cert-manager/cert-manager#6242), [@​inteon](https://github.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#​6085](cert-manager/cert-manager#6085), [@​irbekrm](https://github.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#​6225](cert-manager/cert-manager#6225), [@​arukiidou](https://github.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#​6034](cert-manager/cert-manager#6034), [@​gdvalle](https://github.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#​6176](cert-manager/cert-manager#6176), [@​inteon](https://github.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#​6247](cert-manager/cert-manager#6247), [@​inteon](https://github.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#​6077](cert-manager/cert-manager#6077), [@​lucacome](https://github.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#​6227](cert-manager/cert-manager#6227), [@​lucacome](https://github.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#​6152](cert-manager/cert-manager#6152), [@​inteon](https://github.com/inteon)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4yMy4yIiwidXBkYXRlZEluVmVyIjoiMzYuMjMuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Reviewed-on: https://git.home/nrdufour/home-ops/pulls/84 Co-authored-by: Renovate <renovate@ptinem.io> Co-committed-by: Renovate <renovate@ptinem.io>
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.4` -> `v1.13.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@​jsoref](https://togithub.com/jsoref) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​hawksight](https://togithub.com/hawksight) [@​erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@​AcidLeroy](https://togithub.com/AcidLeroy) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​lucacome](https://togithub.com/lucacome) [@​cypres](https://togithub.com/cypres) [@​erikgb](https://togithub.com/erikgb) [@​ubergesundheit](https://togithub.com/ubergesundheit) [@​jkroepke](https://togithub.com/jkroepke) [@​jsoref](https://togithub.com/jsoref) [@​gdvalle](https://togithub.com/gdvalle) [@​rouke-broersma](https://togithub.com/rouke-broersma) [@​schrodit](https://togithub.com/schrodit) [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@​arukiidou](https://togithub.com/arukiidou) [@​hawksight](https://togithub.com/hawksight) [@​Richardds](https://togithub.com/Richardds) [@​kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@​SgtCoDFish](https://togithub.com/SgtCoDFish) [@​maelvls](https://togithub.com/maelvls) [@​irbekrm](https://togithub.com/irbekrm) [@​inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@​AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#​6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@​inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#​6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@​erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#​6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#​6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#​6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#​6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@​inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#​5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@​AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#​6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@​inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#​6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@​jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#​5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#​6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@​rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#​6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@​inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#​6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@​inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#​6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@​inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#​6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@​cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#​6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#​6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@​Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates.⚠️ ⚠️ BREAKING⚠️ ⚠️ : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#​6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@​schrodit](https://togithub.com/schrodit)) -⚠️ possibly breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#​5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@​maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#​6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@​schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#​6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@​inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#​6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@​kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#​6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@​inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#​6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@​irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#​6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@​arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#​6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@​gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#​6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@​inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#​6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@​inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#​6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@​lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#​6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@​lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#​6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@​inteon](https://togithub.com/inteon)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45My4xIiwidXBkYXRlZEluVmVyIjoiMzYuOTMuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: lumiere-bot <98047013+lumiere-bot[bot]@users.noreply.github.com>
Hi all, the lazy consensus deliberation period has ended yesterday at 23:59 UTC. I'd like to thank everyone who participated and contributed to this governance charter! The governance charter is now live: Note: one of the decisions made in this PR was to move these documents to the repository cert-manager/community. I closed this PR and created cert-manager/community#1 with the exact same contents as this one. 🎉 Congratulations to the cert-manager community for achieving this milestone. We aren't far from graduating! /close |
@maelvls: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
These files have been copied from cert-manager/cert-manager#6260
These files have been copied from cert-manager/cert-manager#6260 Signed-off-by: Maël Valais <mael@vls.dev>
This is amazing work! Thanks for doing this. |
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.4` -> `v1.13.0` | --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta. #### Breaking Changes (You MUST read this before you upgrade!) 1. **BREAKING** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) 2. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) 3. **Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@​jsoref](https://togithub.com/jsoref) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​hawksight](https://togithub.com/hawksight) [@​erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@​AcidLeroy](https://togithub.com/AcidLeroy) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​lucacome](https://togithub.com/lucacome) [@​cypres](https://togithub.com/cypres) [@​erikgb](https://togithub.com/erikgb) [@​ubergesundheit](https://togithub.com/ubergesundheit) [@​jkroepke](https://togithub.com/jkroepke) [@​jsoref](https://togithub.com/jsoref) [@​gdvalle](https://togithub.com/gdvalle) [@​rouke-broersma](https://togithub.com/rouke-broersma) [@​schrodit](https://togithub.com/schrodit) [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@​arukiidou](https://togithub.com/arukiidou) [@​hawksight](https://togithub.com/hawksight) [@​Richardds](https://togithub.com/Richardds) [@​kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@​SgtCoDFish](https://togithub.com/SgtCoDFish) [@​maelvls](https://togithub.com/maelvls) [@​irbekrm](https://togithub.com/irbekrm) [@​inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@​AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#​6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@​inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#​6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@​erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#​6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#​6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#​6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#​6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@​inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#​5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@​AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#​6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@​inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#​6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@​jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#​5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#​6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@​rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#​6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@​inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#​6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@​inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#​6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@​inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#​6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@​cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#​6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#​6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@​Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. **⚠️ ⚠️ BREAKING⚠️ ⚠️ ** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **⚠️ Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#​6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@​schrodit](https://togithub.com/schrodit)) - **⚠️ Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#​5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@​maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#​6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@​schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#​6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@​inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#​6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@​kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#​6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@​inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#​6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@​irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#​6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@​arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#​6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@​gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#​6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@​inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#​6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@​inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#​6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@​lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#​6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@​lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#​6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@​inteon](https://togithub.com/inteon)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi45My42IiwidXBkYXRlZEluVmVyIjoiMzYuOTMuNiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: repo-jeeves <106431701+repo-jeeves[bot]@users.noreply.github.com>
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.3` -> `v1.13.1` | | [clickhouse](https://truecharts.org/charts/dependency/clickhouse) ([source](https://togithub.com/truecharts/charts)) | patch | `7.0.1` -> `7.0.8` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.1` -> `14.0.6` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.3` -> `14.0.6` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.4` -> `14.0.6` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `13.2.1` -> `13.2.2` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.2` -> `14.0.6` | | [redis](https://truecharts.org/charts/dependency/redis) ([source](https://togithub.com/truecharts/charts)) | patch | `8.0.0` -> `8.0.27` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.1`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.1) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.13.0...v1.13.1) v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0. #####⚠️ READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version! #### Changes since v1.13.0 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#​6358](https://togithub.com/cert-manager/cert-manager/issues/6358), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". ([#​6368](https://togithub.com/cert-manager/cert-manager/issues/6368), [@​inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#​6370](https://togithub.com/cert-manager/cert-manager/issues/6370), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.5...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta. #### Known issues The `StableCertificateRequestName` that was promoted to Beta contains a "name collision" bug: [cert-manager/cert-manager#6342 This will be fixed in v1.13.1. #### Breaking Changes (You MUST read this before you upgrade!) 1. **BREAKING** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) 2. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) 3. **Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@​jsoref](https://togithub.com/jsoref) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​hawksight](https://togithub.com/hawksight) [@​erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@​AcidLeroy](https://togithub.com/AcidLeroy) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​lucacome](https://togithub.com/lucacome) [@​cypres](https://togithub.com/cypres) [@​erikgb](https://togithub.com/erikgb) [@​ubergesundheit](https://togithub.com/ubergesundheit) [@​jkroepke](https://togithub.com/jkroepke) [@​jsoref](https://togithub.com/jsoref) [@​gdvalle](https://togithub.com/gdvalle) [@​rouke-broersma](https://togithub.com/rouke-broersma) [@​schrodit](https://togithub.com/schrodit) [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@​arukiidou](https://togithub.com/arukiidou) [@​hawksight](https://togithub.com/hawksight) [@​Richardds](https://togithub.com/Richardds) [@​kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@​SgtCoDFish](https://togithub.com/SgtCoDFish) [@​maelvls](https://togithub.com/maelvls) [@​irbekrm](https://togithub.com/irbekrm) [@​inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@​AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#​6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@​inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#​6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@​erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#​6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#​6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#​6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#​6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@​inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#​5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@​AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#​6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@​inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#​6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@​jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#​5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#​6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@​rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#​6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@​inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#​6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@​inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#​6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@​inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#​6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@​cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#​6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#​6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@​Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. **⚠️ ⚠️ BREAKING⚠️ ⚠️ ** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **⚠️ Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#​6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@​schrodit](https://togithub.com/schrodit)) - **⚠️ Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#​5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@​maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#​6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@​schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#​6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@​inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#​6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@​kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#​6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@​inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#​6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@​irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#​6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@​arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#​6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@​gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#​6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@​inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#​6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@​inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#​6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@​lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#​6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@​lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#​6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@​inteon](https://togithub.com/inteon)) ### [`v1.12.5`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.5) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.12.5) v1.12.5 contains a backport for a name collision bug that was found in v1.13.0 #### Changes since v1.12.4 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#​6359](https://togithub.com/cert-manager/cert-manager/issues/6359), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Updated base images to the latest version. ([#​6372](https://togithub.com/cert-manager/cert-manager/issues/6372), [@​inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#​6371](https://togithub.com/cert-manager/cert-manager/issues/6371), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.12.4`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.4) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.3...v1.12.4) v1.12.4 contains an important security fix that addresses [CVE-2023-29409](https://cve.report/CVE-2023-29409). #### Changes since v1.12.3 - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should hav e compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6297](https://togithub.com/cert-manager/cert-manager/issues/6297), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - Use Go 1.20.7 to fix a security issue in Go's `crypto/tls` library. ([#​6318](https://togithub.com/cert-manager/cert-manager/issues/6318), [@​maelvls](https://togithub.com/maelvls)) </details> <details> <summary>truecharts/charts (clickhouse)</summary> ### [`v7.0.8`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.8) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.7...clickhouse-7.0.8) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.7`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.7) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.6...clickhouse-7.0.7) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.6`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.6) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.5...clickhouse-7.0.6) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.5`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.5) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.4...clickhouse-7.0.5) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.4`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.4) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.3...clickhouse-7.0.4) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.3`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.3) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.2...clickhouse-7.0.3) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.2`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.2) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.1...clickhouse-7.0.2) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). </details> <details> <summary>truecharts/library-charts (common)</summary> ### [`v14.0.6`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.6) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.5...common-14.0.6) Function library for TrueCharts ### [`v14.0.5`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.5) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.4...common-14.0.5) Function library for TrueCharts ### [`v14.0.4`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.4) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.3...common-14.0.4) Function library for TrueCharts ### [`v14.0.3`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.3) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.2...common-14.0.3) Function library for TrueCharts ### [`v14.0.2`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.2) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.1...common-14.0.2) Function library for TrueCharts </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10pm on tuesday" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zLjIiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zLjIiLCJ0YXJnZXRCcmFuY2giOiJtYXN0ZXIifQ==-->
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cert-manager](https://togithub.com/cert-manager/cert-manager) | minor | `v1.12.3` -> `v1.13.1` | | [clickhouse](https://truecharts.org/charts/dependency/clickhouse) ([source](https://togithub.com/truecharts/charts)) | patch | `7.0.1` -> `7.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.1` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.6` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.3` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.4` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `13.2.1` -> `13.2.2` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.2` -> `14.0.9` | | [common](https://togithub.com/truecharts/apps/tree/master/charts/common) ([source](https://togithub.com/truecharts/library-charts)) | patch | `14.0.8` -> `14.0.9` | | [kube-state-metrics](https://truecharts.org/charts/dependency/kube-state-metrics) ([source](https://togithub.com/truecharts/charts)) | patch | `3.0.22` -> `3.0.23` | | [mariadb](https://truecharts.org/charts/dependency/mariadb) ([source](https://togithub.com/truecharts/charts)) | patch | `9.0.25` -> `9.0.26` | | [node-exporter](https://truecharts.org/charts/dependency/node-exporter) ([source](https://togithub.com/truecharts/charts)) | patch | `3.0.24` -> `3.0.25` | | [redis](https://truecharts.org/charts/dependency/redis) ([source](https://togithub.com/truecharts/charts)) | patch | `8.0.0` -> `8.0.29` | | [redis](https://truecharts.org/charts/dependency/redis) ([source](https://togithub.com/truecharts/charts)) | patch | `8.0.28` -> `8.0.29` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>cert-manager/cert-manager (cert-manager)</summary> ### [`v1.13.1`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.1) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.13.0...v1.13.1) v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0. #####⚠️ READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version! #### Changes since v1.13.0 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#​6358](https://togithub.com/cert-manager/cert-manager/issues/6358), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". ([#​6368](https://togithub.com/cert-manager/cert-manager/issues/6368), [@​inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#​6370](https://togithub.com/cert-manager/cert-manager/issues/6370), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.13.0`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.13.0) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.5...v1.13.0) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This is the 1.13 release of cert-manager! cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta. #### Known issues The `StableCertificateRequestName` that was promoted to Beta contains a "name collision" bug: [cert-manager/cert-manager#6342 This will be fixed in v1.13.1. #### Breaking Changes (You MUST read this before you upgrade!) 1. **BREAKING** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) 2. **Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) 3. **Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) #### Community Welcome to these new cert-manager members (more info - [cert-manager/cert-manager#6260): [@​jsoref](https://togithub.com/jsoref) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​hawksight](https://togithub.com/hawksight) [@​erikgb](https://togithub.com/erikgb) Thanks again to all open-source contributors with commits in this release, including: [@​AcidLeroy](https://togithub.com/AcidLeroy) [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) [@​lucacome](https://togithub.com/lucacome) [@​cypres](https://togithub.com/cypres) [@​erikgb](https://togithub.com/erikgb) [@​ubergesundheit](https://togithub.com/ubergesundheit) [@​jkroepke](https://togithub.com/jkroepke) [@​jsoref](https://togithub.com/jsoref) [@​gdvalle](https://togithub.com/gdvalle) [@​rouke-broersma](https://togithub.com/rouke-broersma) [@​schrodit](https://togithub.com/schrodit) [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs) [@​arukiidou](https://togithub.com/arukiidou) [@​hawksight](https://togithub.com/hawksight) [@​Richardds](https://togithub.com/Richardds) [@​kahirokunn](https://togithub.com/kahirokunn) Thanks also to the following cert-manager maintainers for their contributions during this release: [@​SgtCoDFish](https://togithub.com/SgtCoDFish) [@​maelvls](https://togithub.com/maelvls) [@​irbekrm](https://togithub.com/irbekrm) [@​inteon](https://togithub.com/inteon) Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings! Special thanks to [@​AcidLeroy](https://togithub.com/AcidLeroy) for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see [cert-manager/cert-manager#5337) Also, thanks a lot to [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart) for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) trafic, eg. when using a HTTPS_PROXY. (see [cert-manager/cert-manager#5003) Thanks also to the [CNCF](https://www.cncf.io/), which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the [PrivateCA Issuer](https://togithub.com/cert-manager/aws-privateca-issuer). In addition, massive thanks to [Venafi](https://www.venafi.com/) for contributing developer time and resources towards the continued maintenance of cert-manager projects. #### Changes since v1.12.0 ##### Feature - Add support for logging options to webhook config file. ([#​6243](https://togithub.com/cert-manager/cert-manager/issues/6243), [@​inteon](https://togithub.com/inteon)) - Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role ([#​6241](https://togithub.com/cert-manager/cert-manager/issues/6241), [@​erikgb](https://togithub.com/erikgb)) - Certificate Shim: distinguish dns names and ip address in certificate ([#​6267](https://togithub.com/cert-manager/cert-manager/issues/6267), [@​zhangzhiqiangcs](https://togithub.com/zhangzhiqiangcs)) - Cmctl can now be imported by third parties. ([#​6049](https://togithub.com/cert-manager/cert-manager/issues/6049), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. ([#​6292](https://togithub.com/cert-manager/cert-manager/issues/6292), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). ([#​6298](https://togithub.com/cert-manager/cert-manager/issues/6298), [@​inteon](https://togithub.com/inteon)) - The cert-manager controller options are now configurable using a configuration file. ([#​5337](https://togithub.com/cert-manager/cert-manager/issues/5337), [@​AcidLeroy](https://togithub.com/AcidLeroy)) - The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. ([#​6199](https://togithub.com/cert-manager/cert-manager/issues/6199), [@​inteon](https://togithub.com/inteon)) - \[helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings ([#​6110](https://togithub.com/cert-manager/cert-manager/issues/6110), [@​jkroepke](https://togithub.com/jkroepke)) ##### Design - DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag: `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. ([#​5003](https://togithub.com/cert-manager/cert-manager/issues/5003), [@​FlorianLiebhart](https://togithub.com/FlorianLiebhart)) ##### Bug or Regression - Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null ([#​6087](https://togithub.com/cert-manager/cert-manager/issues/6087), [@​rouke-broersma](https://togithub.com/rouke-broersma)) - BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code ([#​6109](https://togithub.com/cert-manager/cert-manager/issues/6109), [@​inteon](https://togithub.com/inteon)) - BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. ([#​6147](https://togithub.com/cert-manager/cert-manager/issues/6147), [@​inteon](https://togithub.com/inteon)) - BUGFIX\[cainjector]: 1-character bug was causing invalid log messages and a memory leak ([#​6232](https://togithub.com/cert-manager/cert-manager/issues/6232), [@​inteon](https://togithub.com/inteon)) - Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN ([#​6088](https://togithub.com/cert-manager/cert-manager/issues/6088), [@​cypres](https://togithub.com/cypres)) - Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. ([#​6220](https://togithub.com/cert-manager/cert-manager/issues/6220), [@​ubergesundheit](https://togithub.com/ubergesundheit)) - Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains ([#​6191](https://togithub.com/cert-manager/cert-manager/issues/6191), [@​Richardds](https://togithub.com/Richardds)) - Fixes a bug where webhook was pulling in controller's feature gates. **⚠️ ⚠️ BREAKING⚠️ ⚠️ ** : If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. **⚠️ Potentially breaking**: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). ([#​6093](https://togithub.com/cert-manager/cert-manager/issues/6093), [@​irbekrm](https://togithub.com/irbekrm)) - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6293](https://togithub.com/cert-manager/cert-manager/issues/6293), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with lot of services. ([#​6143](https://togithub.com/cert-manager/cert-manager/issues/6143), [@​schrodit](https://togithub.com/schrodit)) - **⚠️ Potentially breaking**: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. ([#​6182](https://togithub.com/cert-manager/cert-manager/issues/6182), [@​inteon](https://togithub.com/inteon)) ##### Other (Cleanup or Flake) - A subset of the klogs flags have been deprecated and will be removed in the future. ([#​5879](https://togithub.com/cert-manager/cert-manager/issues/5879), [@​maelvls](https://togithub.com/maelvls)) - All service links in helm chart deployments have been disabled. ([#​6144](https://togithub.com/cert-manager/cert-manager/issues/6144), [@​schrodit](https://togithub.com/schrodit)) - Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource ([#​6168](https://togithub.com/cert-manager/cert-manager/issues/6168), [@​inteon](https://togithub.com/inteon)) - Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. ([#​6156](https://togithub.com/cert-manager/cert-manager/issues/6156), [@​kahirokunn](https://togithub.com/kahirokunn)) - Cleanup the controller configfile structure by introducing sub-structs. ([#​6242](https://togithub.com/cert-manager/cert-manager/issues/6242), [@​inteon](https://togithub.com/inteon)) - Don't run API Priority and Fairness controller in webhook's extension apiserver ([#​6085](https://togithub.com/cert-manager/cert-manager/issues/6085), [@​irbekrm](https://togithub.com/irbekrm)) - Helm: Add apache 2.0 license annotation ([#​6225](https://togithub.com/cert-manager/cert-manager/issues/6225), [@​arukiidou](https://togithub.com/arukiidou)) - Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. ([#​6034](https://togithub.com/cert-manager/cert-manager/issues/6034), [@​gdvalle](https://togithub.com/gdvalle)) - The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. ([#​6176](https://togithub.com/cert-manager/cert-manager/issues/6176), [@​inteon](https://togithub.com/inteon)) - The cmctl logging has been improved and support for json logging has been added. ([#​6247](https://togithub.com/cert-manager/cert-manager/issues/6247), [@​inteon](https://togithub.com/inteon)) - Updates Kubernetes libraries to `v0.27.2`. ([#​6077](https://togithub.com/cert-manager/cert-manager/issues/6077), [@​lucacome](https://togithub.com/lucacome)) - Updates Kubernetes libraries to `v0.27.4`. ([#​6227](https://togithub.com/cert-manager/cert-manager/issues/6227), [@​lucacome](https://togithub.com/lucacome)) - We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. ([#​6152](https://togithub.com/cert-manager/cert-manager/issues/6152), [@​inteon](https://togithub.com/inteon)) ### [`v1.12.5`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.5) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.4...v1.12.5) v1.12.5 contains a backport for a name collision bug that was found in v1.13.0 #### Changes since v1.12.4 ##### Bug or Regression - BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. ([#​6359](https://togithub.com/cert-manager/cert-manager/issues/6359), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ##### Other (Cleanup or Flake) - Updated base images to the latest version. ([#​6372](https://togithub.com/cert-manager/cert-manager/issues/6372), [@​inteon](https://togithub.com/inteon)) - Upgrade Go from 1.20.7 to 1.20.8. ([#​6371](https://togithub.com/cert-manager/cert-manager/issues/6371), [@​jetstack-bot](https://togithub.com/jetstack-bot)) ### [`v1.12.4`](https://togithub.com/cert-manager/cert-manager/releases/tag/v1.12.4) [Compare Source](https://togithub.com/cert-manager/cert-manager/compare/v1.12.3...v1.12.4) v1.12.4 contains an important security fix that addresses [CVE-2023-29409](https://cve.report/CVE-2023-29409). #### Changes since v1.12.3 - Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. ([#​6297](https://togithub.com/cert-manager/cert-manager/issues/6297), [@​SgtCoDFish](https://togithub.com/SgtCoDFish)) - Use Go 1.20.7 to fix a security issue in Go's `crypto/tls` library. ([#​6318](https://togithub.com/cert-manager/cert-manager/issues/6318), [@​maelvls](https://togithub.com/maelvls)) </details> <details> <summary>truecharts/charts (clickhouse)</summary> ### [`v7.0.9`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.9) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.8...clickhouse-7.0.9) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.8`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.8) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.7...clickhouse-7.0.8) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.7`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.7) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.6...clickhouse-7.0.7) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.6`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.6) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.5...clickhouse-7.0.6) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.5`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.5) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.4...clickhouse-7.0.5) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.4`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.4) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.3...clickhouse-7.0.4) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.3`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.3) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.2...clickhouse-7.0.3) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). ### [`v7.0.2`](https://togithub.com/truecharts/charts/releases/tag/clickhouse-7.0.2) [Compare Source](https://togithub.com/truecharts/charts/compare/clickhouse-7.0.1...clickhouse-7.0.2) ClickHouse is a column-oriented database management system (DBMS) for online analytical processing of queries (OLAP). </details> <details> <summary>truecharts/library-charts (common)</summary> ### [`v14.0.9`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.9) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.8...common-14.0.9) Function library for TrueCharts ### [`v14.0.8`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.8) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.7...common-14.0.8) Function library for TrueCharts ### [`v14.0.7`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.7) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.6...common-14.0.7) Function library for TrueCharts ### [`v14.0.6`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.6) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.5...common-14.0.6) Function library for TrueCharts ### [`v14.0.5`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.5) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.4...common-14.0.5) Function library for TrueCharts ### [`v14.0.4`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.4) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.3...common-14.0.4) Function library for TrueCharts ### [`v14.0.3`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.3) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.2...common-14.0.3) Function library for TrueCharts ### [`v14.0.2`](https://togithub.com/truecharts/library-charts/releases/tag/common-14.0.2) [Compare Source](https://togithub.com/truecharts/library-charts/compare/common-14.0.1...common-14.0.2) Function library for TrueCharts </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10pm on tuesday" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy43LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy43LjEiLCJ0YXJnZXRCcmFuY2giOiJtYXN0ZXIifQ==--> --------- Signed-off-by: TrueCharts-Bot <bot@truecharts.org> Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com> Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
This PR is part of #6132.
To apply for graduation, cert-manager is required to perform the two following steps:
In the cert-manager project, we don't make a distinction between "committer" and "maintainer". In the
GOVERNANCE.md
document, I use the term "maintainer" for simplicity. Since committers and maintainers are the same in our project, we will not have aMAINTAINERS.md
file.Back in 15 June 2023, I had presented the first proposal of
GOVERNANCE.md
[OLD, FOR REFERENCE ONLY] (hosted on HackMD); this PR is the "second iteration" of that proposal.Regarding the list of steering committee members, I propose that we update the
STEERING.md
as we go. For context, we have 1 volunteer and the goal is to have at least 3 (out of the 7 seats available).For this PR to be merged, all maintainers need to approve by posting a message such as "As a maintainer, I approve with this change" or a comment with a thumbs up emoji or a comment saying
/approve
. Since many things in these two documents had not been defined previously, I propose to have the documents adopted via a lazy consensus that ends on 12 Sept 2023 23:59 UTC+2 involving the cert-manager maintainers./kind documentation