Merge pull request #1708 from cert-manager/release-next

Release cert-manager v1.18.0

Author: cert-manager-prow[bot]

.spelling

@@ -544,6 +544,7 @@ ulrichgi
 uncomment
 unencrypted
 uninstallation
+unintuitive
 unredacted
 unschedule
 untrusted

content/docs/cli/cainjector.md

@@ -18,7 +18,7 @@ Flags:
       --config string                                        Path to a file containing a CAInjectorConfiguration object used to configure the controller
       --enable-apiservices-injectable                        Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true)
       --enable-certificates-data-source                      Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true)
-      --enable-customresourcedefinitions-injectable          Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true)
+      --enable-customresourcedefinitions-injectable          Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true)
       --enable-mutatingwebhookconfigurations-injectable      Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component (default true)
       --enable-profiling                                     Enable profiling for controller.
       --enable-validatingwebhookconfigurations-injectable    Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component (default true)

content/docs/cli/controller.md

@@ -27,8 +27,8 @@ Flags:
       --concurrent-workers int                               The number of concurrent workers for each controller. (default 5)
       --config string                                        Path to a file containing a ControllerConfiguration object used to configure the controller
       --controllers strings                                  A list of controllers to enable. '--controllers=*' enables all on-by-default controllers, '--controllers=foo' enables just the controller named 'foo', '--controllers=*,-foo' disables the controller named 'foo'.
-                                                             All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager (default [*])
-      --copied-annotation-prefixes strings                   Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kuberenetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'. (default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/])
+                                                             All controllers: issuers, clusterissuers, certificates-metrics, ingress-shim, gateway-shim, orders, challenges, certificaterequests-issuer-acme, certificaterequests-approver, certificaterequests-issuer-ca, certificaterequests-issuer-selfsigned, certificaterequests-issuer-vault, certificaterequests-issuer-venafi, certificates-trigger, certificates-issuing, certificates-key-manager, certificates-request-manager, certificates-readiness, certificates-revision-manager, certificatesigningrequests-issuer-acme, certificatesigningrequests-issuer-ca, certificatesigningrequests-issuer-selfsigned, certificatesigningrequests-issuer-venafi, certificatesigningrequests-issuer-vault (default [*])
+      --copied-annotation-prefixes strings                   Specify which annotations should/shouldn't be copiedfrom Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes.A prefix starting with a dash(-) specifies an annotation that shouldn't be copied. Example: '*,-kubectl.kubernetes.io/'- all annotationswill be copied apart from the ones where the key is prefixed with 'kubectl.kubernetes.io/'. (default [*,-kubectl.kubernetes.io/,-fluxcd.io/,-argocd.argoproj.io/])
       --default-issuer-group string                          Group of the Issuer to use when the tls is requested but issuer group is not specified on the ingress resource. (default "cert-manager.io")
       --default-issuer-kind string                           Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer")
       --default-issuer-name string                           Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource.
@@ -38,10 +38,11 @@ Flags:
       --enable-certificate-owner-ref                         Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.
       --enable-gateway-api                                   Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15).
       --enable-profiling                                     Enable profiling for controller.
+      --extra-certificate-annotations strings                Extra annotation to be added by the ingress-shim controller to certificate object
       --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-                                                             AdditionalCertificateOutputFormats=true|false (BETA - default=true)
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
+                                                             DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true)
                                                              ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
                                                              ExperimentalGatewayAPISupport=true|false (BETA - default=true)
                                                              LiteralCertificateSubject=true|false (BETA - default=true)
@@ -51,7 +52,6 @@ Flags:
                                                              ServerSideApply=true|false (ALPHA - default=false)
                                                              StableCertificateRequestName=true|false (BETA - default=true)
                                                              UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
-                                                             UseDomainQualifiedFinalizer=true|false (BETA - default=true)
                                                              ValidateCAA=true|false (ALPHA - default=false)
   -h, --help                                                 help for controller
       --issuer-ambient-credentials                           Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.

content/docs/cli/webhook.md

@@ -22,12 +22,19 @@ Flags:
       --dynamic-serving-leaf-duration duration               leaf duration of serving certificates (default 168h0m0s)
       --enable-profiling                                     Enable profiling for webhook.
       --feature-gates mapStringBool                          A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
-                                                             AdditionalCertificateOutputFormats=true|false (BETA - default=true)
                                                              AllAlpha=true|false (ALPHA - default=false)
                                                              AllBeta=true|false (BETA - default=false)
+                                                             DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true)
+                                                             ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
+                                                             ExperimentalGatewayAPISupport=true|false (BETA - default=true)
                                                              LiteralCertificateSubject=true|false (BETA - default=true)
                                                              NameConstraints=true|false (BETA - default=true)
                                                              OtherNames=true|false (ALPHA - default=false)
+                                                             SecretsFilteredCaching=true|false (BETA - default=true)
+                                                             ServerSideApply=true|false (ALPHA - default=false)
+                                                             StableCertificateRequestName=true|false (BETA - default=true)
+                                                             UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
+                                                             ValidateCAA=true|false (ALPHA - default=false)
       --healthz-port int32                                   port number to listen on for insecure healthz connections (default 6080)
   -h, --help                                                 help for webhook
       --kubeconfig string                                    optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used

content/docs/configuration/acme/README.md

@@ -57,6 +57,9 @@ spec:
     # Let's Encrypt will use this to contact you about expiring
     # certificates, and issues related to your account.
     email: [email protected]
+    # If the ACME server supports profiles, you can specify the profile name here.
+    # See #acme-certificate-profiles below.
+    profile: tlsserver
     server: https://acme-staging-v02.api.letsencrypt.org/directory
     privateKeySecretRef:
       # Secret resource that will be used to store the account's private key.
@@ -80,6 +83,39 @@ Solvers come in the form of [`dns01`](./dns01/README.md) and
 these solver types, visit their respective documentation -
 [DNS01](./dns01/README.md), [HTTP01](./http01/README.md).
 
+### ACME Certificate Profiles
+
+> ℹ️ This feature is available in cert-manager `>= v1.18.0`.
+
+An ACME Server *may* offer a selection of different certificate profiles to ACME Clients.
+
+Use the optional `profile` field in the `Issuer` or `ClusterIssuer` to select a profile for your ACME orders.
+
+Let's Encrypt already offers [a selection of profiles](https://letsencrypt.org/docs/profiles/).
+Other ACME servers may not yet support profiles or they might offer different profiles, so check your ACME server's documentation to see what profiles are available.
+
+You can find out if your ACME server supports profiles by downloading the directory object.
+For example:
+
+```bash
+curl -fsSL https://acme-staging-v02.api.letsencrypt.org/directory
+```
+
+If profiles are supported you will see "profiles" among the fields of the JSON object.
+
+If you do not specify a profile, the ACME server will use its default profile,
+which in the case of Let's Encrypt, is the `classic` profile.
+
+> ⚠️ If you specify a profile and connect to an ACME server that does not yet support the [ACME Profiles Extension][rfc],
+> cert-manager will report an error on the CertificateRequest resource.
+>
+> ℹ️ If you specify a profile which the ACME server does not recognize,
+> cert-manager will report an error on the CertificateRequest resource.
+>
+> 📖 Read [ACME protocol extension for certificate profiles (IETF draft)][rfc] to learn more..
+
+[rfc]: https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
+
 ### External Account Bindings
 
 cert-manager supports using External Account Bindings with your ACME account.

content/docs/contributing/api-compatibility.md

@@ -11,7 +11,8 @@ after an upgrade or downgrade of cert-manager.
 In some cases, we may need to require users to take actions before upgrading or may need to diverge from the API compatibility promise but we'll treat this as an absolute
 last resort. In general the main criteria by which we'd determine whether a change is acceptable would be user value.
 
-For example in the event of a truly critical bug, a fix that breaks the API compatibility promise by changing the default behavior of an API field _might_ be acceptable. As of yet, though, there has never been a need for such a change.
+Here are the breaking changes we have made to the `v1` API:
+* [cert-manger 1.18](../releases/release-notes/release-notes-1.18.md): The default value of `Certificate.Spec.PrivateKey.RotationPolicy` changed from `Never` to `Always`.
 
 ## Alpha / Beta API Versions
 

content/docs/devops-tips/scaling-cert-manager.md

@@ -76,6 +76,8 @@ might accidentally or maliciously cause a denial of service for other users on t
 
 ## Set `revisionHistoryLimit: 1` on all Certificate resources
 
+> ℹ️ Not needed with cert-manager `>= v1.18.0`, because the default value was changed to `1`.
+
 By default, cert-manager will keep all the `CertificateRequest` resources that **it** creates
 ([`revisionHistoryLimit`](../reference/api-docs.md#cert-manager.io/v1.CertificateSpec)):
 

content/docs/manifest.json

@@ -20,6 +20,14 @@
               "title": "Supported Releases",
               "path": "/docs/releases/README.md"
             },
+            {
+              "title": "1.18",
+              "path": "/docs/releases/release-notes/release-notes-1.18.md"
+            },
+            {
+              "title": "Upgrade 1.17 to 1.18",
+              "path": "/docs/releases/upgrading/upgrading-1.17-1.18.md"
+            },
             {
               "title": "1.17",
               "path": "/docs/releases/release-notes/release-notes-1.17.md"