Merge pull request #2001 from cert-manager/release-next

[master] (release 1.20) Merge release-next into master

Author: cert-manager-prow[bot]

.spelling

@@ -594,8 +594,17 @@ v1.18.0.
 v1.19
 v1.19.0
 v1.19.1
+v1.20.0
 v1.19.2
+v1.20.0
+v1.19.x
+v1.20.0
+v1.20.
+v1.19.2
+v1.20.0
+Rebranding
 alpha.0
+beta.0
 v1.4.1
 v1.5
 v1.5.0
@@ -861,6 +870,9 @@ example.org
 experimental.cert
 http01-edit-in-place
 http01-ingress-class
+http01-ingress-ingressclassname
+http01-parentrefkind
+http01-parentrefname
 ingress.class
 ip-sans
 kubernetes.io

content/docs/cli/controller.md

@@ -15,27 +15,21 @@ Usage:
 
 Flags:
       --api-server-host string                               Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
+      --client-ca-path string                                The client cert CA used to verify clients contacting webhooks.
+      --client-subject-names strings                         One or more client certificate subject names (CN or DNS SAN) that the apiserver may present when contacting the webhook. Should be a comma-separated list.
       --config string                                        Path to a file containing a WebhookConfiguration object used to configure the webhook
       --dynamic-serving-ca-secret-name string                name of the secret used to store the CA that signs serving certificates
       --dynamic-serving-ca-secret-namespace string           namespace of the secret used to store the CA that signs serving certificates
       --dynamic-serving-dns-names strings                    DNS names that should be present on certificates generated by the dynamic serving CA
       --dynamic-serving-leaf-duration duration               leaf duration of serving certificates (default 168h0m0s)
+      --enable-client-verification                           Enable client cert authenticate of apiserver to webhooks.
       --enable-profiling                                     Enable profiling for webhook.
       --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-                                                             ACMEHTTP01IngressPathTypeExact=true|false (BETA - default=true)
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
-                                                             DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true)
-                                                             ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
-                                                             ExperimentalGatewayAPISupport=true|false (BETA - default=true)
                                                              LiteralCertificateSubject=true|false (BETA - default=true)
                                                              NameConstraints=true|false (BETA - default=true)
-                                                             OtherNames=true|false (ALPHA - default=false)
-                                                             SecretsFilteredCaching=true|false (BETA - default=true)
-                                                             ServerSideApply=true|false (ALPHA - default=false)
-                                                             StableCertificateRequestName=true|false (BETA - default=true)
-                                                             UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
-                                                             ValidateCAA=true|false (ALPHA - default=false)
+                                                             OtherNames=true|false (BETA - default=true)
       --healthz-port int32                                   port number to listen on for insecure healthz connections (default 6080)
   -h, --help                                                 help for webhook
       --kubeconfig string                                    optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used

content/docs/cli/webhook.md

@@ -69,6 +69,9 @@ controllers support `ingressClassName`, with the notable exception of
 ingress-gce (as per the page [Configure Ingress for external load
 balancing](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress)).
 
+> You can override the `ingressClassName` on a per-Ingress basis using the
+[`acme.cert-manager.io/http01-ingress-ingressclassname`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-ingressclassname) annotation.
+
 ### `class`
 
 If the `class` field is specified, a new Ingress resource with a randomly
@@ -79,6 +82,9 @@ value set to the value of the `class` field.
 This field is only recommended with ingress-gce. ingress-gce [doesn't support the
 `ingressClassName` field](https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress).
 
+> You can override the `class` on a per-Ingress basis using the
+[`acme.cert-manager.io/http01-ingress-class`](https://cert-manager.io/docs/reference/annotations/#acmecert-manageriohttp01-ingress-class) annotation.
+
 ### `name`
 
 If the `name` field is specified, cert-manager will edit the named

content/docs/configuration/acme/http01/README.md

@@ -304,3 +304,45 @@ metadata:
       ]
 ...
 ```
+
+### Issuer Custom Fields
+
+Starting `v1.20`, you can use `venafi.cert-manager.io/custom-fields` annotation on an `Issuer` or `ClusterIssuer` resource.
+This configuration would be applied to all Certificate requests created from `Issuer`.
+
+It is possible to override or append custom configuration to `Certificate` resources via the `Issuer` assigned to it. 
+For example with an `Issuer` such as:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: corp-issuer
+  annotations:
+    venafi.cert-manager.io/custom-fields: |-
+      [
+        {"name": "Environemnt", "value": "Dev"},
+      ]
+```
+
+and a `Certificate` resource:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: example-com-certificate
+  annotations:
+    venafi.cert-manager.io/custom-fields: |-
+      [
+        {"name": "Team", "value": "amber"},
+      ]
+...
+```
+
+Final configuration will be:
+
+```json
+{"name": "Environemnt", "value": "Dev"},
+{"name": "Team", "value": "amber"}
+```

content/docs/configuration/venafi.md

@@ -47,6 +47,44 @@ Or you may prefer to use the custom resources provided by your CNI software.
 > 📖 Learn about the [Kubernetes builtin NetworkPolicy API](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
 > and see [some example policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-policies).
 
+The cert-manager Helm chart allows you to create a `NetworkPolicy` resource for
+each `Deployment`.
+
+By default, it allows inbound traffic to all the listening ports of each component.
+And by default, it allows outbound traffic to:
+- TCP port 443: For connections to the Kubernetes API server and other
+  in-cluster and external HTTPS API servers.
+- TCP port 6443: For connections to the Kubernetes API server on OpenShift.
+- TCP and UDP port 53: To resolve DNS names using the in-cluster DNS and
+  external DNS servers when using DNS01.
+- TCP port 80: So that the controller can perform ACME HTTP01 self-checks before
+  accepting the ACME server challenge.
+
+These are over-permissive defaults to provide a good installation experience.
+
+You should customize the `ingress` and `egress` rules to restrict the inbound
+and outbound traffic to allow only those connections which are necessary for
+your cert-manager configuration.
+
+Example Helm values:
+
+```yaml
+# helm-values.yaml
+networkPolicy:
+  enabled: true
+
+webhook:
+  networkPolicy:
+    enabled: true
+
+cainjector:
+  networkPolicy:
+    enabled: true
+```
+
+There are examples of extended egress rules in the example Helm chart values
+file at the end of this document.
+
 ### Network Requirements
 
 Here is an overview of the network requirements:

content/docs/installation/best-practice.md

@@ -21,8 +21,16 @@
               "path": "/docs/releases/README.md"
             },
             {
-              "title": "1.19",
-              "path": "/docs/releases/release-notes/release-notes-1.19.md"
+              "title": "1.20",
+              "path": "/docs/releases/release-notes/release-notes-1.20.md"
+            },
+            {
+                "title": "Upgrade 1.19 to 1.20",
+                "path": "/docs/releases/upgrading/upgrading-1.19-1.20.md"
+            },
+            {
+                "title": "1.19",
+                "path": "/docs/releases/release-notes/release-notes-1.19.md"
             },
             {
                 "title": "Upgrade 1.18 to 1.19",

content/docs/manifest.json

@@ -27,12 +27,43 @@ This is useful for keeping compatibility with the `ingress-gce` component.
 ## acme.cert-manager.io/http01-ingress-class
 - [Ingress](../usage/ingress.md)
 
-this annotation allows you to configure the ingress class that will be used to
-solve challenges for this ingress. Customizing this is useful when you are
-trying to secure internal services, and need to solve challenges using a
-different ingress class to that of the ingress. If not specified and the
-`acme-http01-edit-in-place` annotation is not set, this defaults to the ingress
-class defined in the Issuer resource.
+Allows the `kubernetes.io/ingress.class` annotation to be configured.
+Customizing this is useful when you are trying
+to secure internal services, and need to solve challenges using a different ingress class
+to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is
+not set, this defaults to the `http01.ingress.class` defined in the Issuer resource.
+
+## acme.cert-manager.io/http01-ingress-ingressclassname
+
+- [Ingress](../usage/ingress.md)
+
+Allows the Ingress's `spec.ingressClassName` to be configured.
+Customizing this is useful when you are trying
+to secure internal services, and need to solve challenges using a different ingress class
+to that of the ingress. If not specified and the `acme-http01-edit-in-place` annotation is
+not set, this defaults to the `http01.ingress.ingressClassName` defined in the Issuer resource.
+
+## acme.cert-manager.io/http01-parentrefkind
+
+- [Certificate](../usage/certificate.md)
+
+This annotation is automatically added by cert-manager to Certificate resources
+when they are created from a [Gateway](../usage/gateway.md) or
+[ListenerSet](../usage/gateway.md#listenerset) resource. It stores the kind of
+the parent resource (either `Gateway` or `ListenerSet`) that triggered the
+creation of the Certificate. This is used internally by the ACME HTTP-01 solver
+to know where to attach the temporary HTTPRoute for the challenge.
+
+## acme.cert-manager.io/http01-parentrefname
+
+- [Certificate](../usage/certificate.md)
+
+This annotation is automatically added by cert-manager to Certificate resources
+when they are created from a [Gateway](../usage/gateway.md) or
+[ListenerSet](../usage/gateway.md#listenerset) resource. It stores the name of
+the parent resource that triggered the creation of the Certificate. This is used
+internally by the ACME HTTP-01 solver to know where to attach the temporary
+HTTPRoute for the challenge.
 
 ## cert-manager.io/allow-direct-injection
 - `Secret`