content/docs/releases/release-notes/release-notes-1.18.md
Lines changed: 68 additions & 11 deletions
Original file line number
Diff line number
Diff line change
@@ -11,26 +11,56 @@ a new default for `Certificate.Spec.PrivateKey.RotationPolicy` now set to `Alway
11
11
the default `Certificate.Spec.RevisionHistoryLimit` now set to `1` (potentially breaking).
12
12
Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.
13
13
14
-
## Known Issues
14
+
## Major Themes
15
15
16
-
### ACME HTTP01 challenge paths are rejected by the ingress-nginx validating webhook
16
+
### ACME HTTP01 challenge paths now use `PathType``Exact` in Ingress routes
17
17
18
-
> 🐛 See [cert-manager/issues/7791](https://github.com/cert-manager/cert-manager/issues/7791).
18
+
> ⚠️ Breaking change
19
19
20
-
In cert-manager `v1.18.0`, we changed the default `PathType` from `ImplementationSpecific` to `Exact`, in the Ingress routes that are created by the ACME HTTP01 challenge controller.
21
-
This was to support Ingress controllers such as Cilium, which treat `ImplementationSpecific` paths as regular expressions.
20
+
We have changed the `PathType` for ACME HTTP01 Ingress-based challenges to `Exact`.
21
+
This security feature ensures that the challenge path (which is an exact path)
22
+
is not misinterpreted as a regular expression or some other Ingress-specific
23
+
(`ImplementationSpecific`) parsing.
24
+
This allows HTTP01 challenges to be solved when using standards compliant
25
+
Ingress controllers such as Cilium.
22
26
23
-
But the change is incompatible with certain versions and configurations of the `ingress-nginx` Ingress controller.
27
+
This change is incompatible with certain versions and configurations of the `ingress-nginx` Ingress controller.
24
28
Versions of [`ingress-nginx >=1.8.0`](https://github.com/kubernetes/ingress-nginx/blob/main/changelog/controller-1.8.0.md) support a [`strict-validate-path-type` configuration option](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) which, when enabled, disallows `.` (dot) in the path value. This is a [bug](https://github.com/kubernetes/ingress-nginx/issues/11176) which makes it impossible to use various legitimate URL paths, including the `http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>` URLs used for [ACME HTTP01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge).
25
29
To make matters worse, the buggy validation is [enabled by default](https://github.com/kubernetes/ingress-nginx/pull/11819) in [`ingress-nginx >= 1.12.0`](https://github.com/kubernetes/ingress-nginx/blob/main/changelog/controller-1.12.0.md).
30
+
You will see errors like this in the cert-manager controller logs:
26
31
27
-
We are working on a fix. The next cert-manager patch release `v1.18.1` (release date is yet to be decided) will gate the `PathType: Exact` change behind a feature gate, which will be enabled by default. This will allow you to reinstate the old `PathType: ImplementationSpecific` behavior, by disabling the feature gate.
32
+
> Error presenting challenge: admission webhook `validate.nginx.ingress.kubernetes.io` denied the request: ingress contains invalid paths: path `/.well-known/acme-challenge/oTw4h9_WsobTRn5COTSyaiAx3aWn0M7_aYisoz1gXQw` cannot be used with `pathType` Exact
28
33
29
-
Meanwhile, you have two options:
30
-
1. Do not upgrade cert-manager. Continue to use cert-manager 1.17.
31
-
2. Disable the `strict-validate-path-type` option in your ingress-nginx controller.
34
+
If you use `ingress-nginx`, choose **one** of the following two options:
32
35
33
-
## Major Themes
36
+
#### Option 1. Disable the `ACMEHTTP01IngressPathTypeExact` feature in cert-manager
37
+
38
+
To disable the `ACMEHTTP01IngressPathTypeExact` feature,
39
+
to reinstate the old `PathType: ImplementationSpecific` behavior,
40
+
use the following Helm values when installing cert-manager:
41
+
42
+
```yaml
43
+
# values.yaml
44
+
config:
45
+
featureGates:
46
+
# Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx
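Review bot: Option 1 tells readers to disable the `ACMEHTTP01IngressPathTypeExact` feature gate via Helm values, but the gate only ships in the `v1.18.1` patch release (the removed paragraph said exactly that, and the `v1.18.1` section added later in this change confirms it), so a `v1.18.0` install with that value set will not get the old `ImplementationSpecific` behavior; suggest stating in the Option 1 heading or its first sentence that it requires cert-manager `v1.18.1` or later. The visible part of the `values.yaml` block ends at the comment line, so please check that the `featureGates` entry that follows sets the gate to `false` and that the snippet is copy-pasteable as shown. Minor: the new explanation of the change is split across two descriptions of the same thing ("We have changed the `PathType` ..." and "This security feature ensures ..."), and the second one is broken across five short lines; merging them into one paragraph would read better.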
@@ -152,6 +182,33 @@ And finally, thanks to the cert-manager steering committee for their feedback in
152
182
- [@TrilokGeer](https://github.com/TrilokGeer)
153
183
154
184
185
+
## `v1.18.1`
186
+
187
+
We have added a new feature gate `ACMEHTTP01IngressPathTypeExact`, to allow
188
+
`ingress-nginx` users to turn off the new default Ingress `PathType: Exact`
189
+
behavior, in ACME HTTP01 Ingress challenge solvers.
190
+
191
+
We have increased the ACME challenge authorization timeout to two minutes, which we hope will fix a timeout error (`error waiting for authorization`), which has been reported by multiple users, since the release of cert-manager `v1.16.0`.
192
+
This change should fix the following issues: [`#7337`][#7337], [`#7444`][#7444], and [`#7685`][#7685].
- Added a new feature gate `ACMEHTTP01IngressPathTypeExact`, to allow `ingress-nginx` users to turn off the new default Ingress `PathType: Exact` behavior, in ACME HTTP01 Ingress challenge solvers. ([`#7810`](https://github.com/cert-manager/cert-manager/pull/7810), [`@sspreitzer`](https://github.com/sspreitzer))
203
+
204
+
### Bug or Regression
205
+
206
+
- ACME: Increased challenge authorization timeout to 2 minutes to fix `error waiting for authorization`. ([`#7801`](https://github.com/cert-manager/cert-manager/pull/7801), [`@hjoshi123`](https://github.com/hjoshi123))
207
+
208
+
### Other (Cleanup or Flake)
209
+
210
+
- Use the latest version of ingress-nginx in E2E tests to ensure compatibility ([`#7807`](https://github.com/cert-manager/cert-manager/pull/7807), [`@wallrj`](https://github.com/wallrj))
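Review bot: the reference-style links `[`#7337`][#7337]`, `[`#7444`][#7444]` and `[`#7685`][#7685]` need matching link definitions and none appear in this hunk; please confirm they are defined elsewhere in the file, or use inline links like the `#7810`, `#7801` and `#7807` entries below do. The `v1.18.1` summary also repeats the feature-gate description from the changelog bullet almost verbatim; consider having the prose state the gate's default (enabled) and point readers to the Option 1 Helm values earlier in the document so they know how to turn it off, rather than restating the bullet.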