You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<1> Provide a comma-separated list of `<host>:<port>`nameservers to query for the DNS-01 self check. For example, `--dns01-recursive-nameservers=1.1.1.1:53`.
50
+
<1> Provide a comma-separated list of nameservers to query for the DNS-01 self check. The nameservers can be specified either as `<host>:<port>`, for example, `1.1.1.1:53`, or use DNS over HTTPS (DoH), for example, `https://1.1.1.1/dns-query`.
51
51
<2> Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
52
52
<3> Provide a comma-separated list of `<host>:<port>` nameservers to query for the Automated Certificate Management Environment (ACME) HTTP01 self check. For example, `--acme-http01-solver-nameservers=1.1.1.1:53`.
53
53
<4> Specify to set the log level verbosity to determine the verbosity of log messages.
54
54
<5> Specify the host and port for the metrics endpoint. The default value is `--metrics-listen-address=0.0.0.0:9402`.
55
55
<6> You must use the `--issuer-ambient-credentials` argument when configuring an ACME Issuer to solve DNS-01 challenges by using ambient credentials.
56
+
+
57
+
[NOTE]
58
+
====
59
+
DNS over HTTPS (DoH) is supported starting only from {cert-manager-operator} version 1.13.0 and later.
60
+
====
56
61
57
62
. Save your changes and quit the text editor to apply your changes.
Version `1.12.1` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.12.5`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.12/#v1125[cert-manager project release notes for v1.12.5].
24
+
Version `1.13.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.13.3`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.13/#v1133[cert-manager project release notes for v1.13.0].
25
25
26
-
[id="cert-manager-operator-1.12.1-bug-fixes"]
27
-
=== Bug fixes
28
-
29
-
* Previously, in a multi-architecture environment, the cert-manager Operator pods were prone to failures because of the invalid node affinity configuration. With this fix, the cert-manager Operator pods run without any failures. (link:https://issues.redhat.com/browse/OCPBUGS-19446[*OCPBUGS-19446*])
Version `1.12.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.12.4`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.12/#v1124[cert-manager project release notes for v1.12.4].
54
-
55
-
56
-
[id="cert-manager-operator-1.12.0-bug-fixes"]
57
-
=== Bug fixes
58
-
59
-
* Previously, you could not configure the CPU and memory requests and limits for the cert-manager components such as cert-manager controller, CA injector, and Webhook. Now, you can configure the CPU and memory requests and limits for the cert-manager components by using the command-line interface (CLI). For more information, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-configure-cpu-memory_cert-manager-customizing-api-fields[Overriding CPU and memory limits for the cert-manager components]. (link:https://issues.redhat.com/browse/OCPBUGS-13830[*OCPBUGS-13830*])
60
-
61
-
* Previously, if you updated the `ClusterIssuer` object, the {cert-manager-operator} could not verify and update the change in the cluster issuer. Now, if you modify the `ClusterIssuer` object, the {cert-manager-operator} verifies the ACME account registration and updates the change. (link:https://issues.redhat.com/browse/OCPBUGS-8210[*OCPBUGS-8210*])
62
-
63
-
* Previously, the {cert-manager-operator} did not support enabling the `--enable-certificate-owner-ref` flag. Now, the {cert-manager-operator} supports enabling the `--enable-certificate-owner-ref` flag by adding the `spec.controllerConfig.overrideArgs` field in the `cluster` object. After enabling the `--enable-certificate-owner-ref` flag, cert-manager can automatically delete the secret when the `Certificate` resource is removed from the cluster. For more information on enabling the `--enable-certificate-owner-ref` flag and deleting the TLS secret automatically, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-override-flag-controller_cert-manager-customizing-api-fields[Deleting a TLS secret automatically upon Certificate removal] (link:https://issues.redhat.com/browse/CM-98[*CM-98*])
64
-
65
-
* Previously, the {cert-manager-operator} could not pull the `jetstack-cert-manager-container-v1.12.4-1` image. The cert-manager controller, CA injector, and Webhook pods were stuck in the `ImagePullBackOff` state. Now, the {cert-manager-operator} pulls the `jetstack-cert-manager-container-v1.12.4-1` image to run the cert-manager controller, CA injector, and Webhook pods successfully. (link:https://issues.redhat.com/browse/OCPBUGS-19986[*OCPBUGS-19986*])
66
-
67
-
[id="cert-manager-operator-release-notes-1.11.5"]
68
-
== Release notes for {cert-manager-operator} 1.11.5
69
-
70
-
Issued: 2023-11-15
71
-
72
-
The following advisory is available for the {cert-manager-operator} 1.11.5:
The golang version is updated to the version `1.20.10` to fix Common Vulnerabilities and Exposures (CVEs). Version `1.11.5` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.11.5`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.11/#v1115[cert-manager project release notes for v1.11.5].
77
-
78
-
[id="cert-manager-operator-1.11.5-bug-fixes"]
79
-
=== Bug fixes
80
-
81
-
* Previously, in a multi-architecture environment, the cert-manager Operator pods were prone to failures because of the invalid node affinity configuration. With this fix, the cert-manager Operator pods run without any failures. (link:https://issues.redhat.com/browse/OCPBUGS-19446[*OCPBUGS-19446*])
The golang version is updated to the version `1.19.10` to fix Common Vulnerabilities and Exposures (CVEs). Version `1.11.4` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.11.4`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.11/#v1114[cert-manager project release notes for v1.11.4].
112
-
113
-
[id="cert-manager-operator-1.11.4-bug-fixes"]
114
-
=== Bug fixes
115
-
116
-
* Previously, the {cert-manager-operator} did not allow you to install older versions of the {cert-manager-operator}. Now, you can install older versions of the {cert-manager-operator} using the web console or the command-line interface (CLI). For more information on how to use the web console to install older versions, see xref:../../security/cert_manager_operator/cert-manager-operator-install.adoc#cert-manager-operator-install[Installing the {cert-manager-operator}]. (link:https://issues.redhat.com/browse/OCPBUGS-16393[*OCPBUGS-16393*])
117
-
118
-
[id="cert-manager-operator-release-notes-1.11.1"]
119
-
== Release notes for {cert-manager-operator} 1.11.1
120
-
121
-
Issued: 2023-06-21
122
-
123
-
The following advisory is available for the {cert-manager-operator} 1.11.1:
Version `1.11.1` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.11.1`. For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.11/#v1111[cert-manager project release notes for v1.11.1].
This is the general availability (GA) release of the {cert-manager-operator}.
133
-
134
-
[id="cert-manager-log-level-1.11.1"]
135
-
==== Setting log levels for cert-manager and the {cert-manager-operator}
136
-
* To troubleshoot issues with cert-manager and the {cert-manager-operator}, you can now configure the log level verbosity by setting a log level for cert-manager and the {cert-manager-operator}. For more information, see xref:../../security/cert_manager_operator/cert-manager-log-levels.adoc#cert-manager-log-levels[Configuring log levels for cert-manager and the {cert-manager-operator}].
137
-
138
-
[id="cert-manager-authentication-aws-1.11.1"]
139
-
==== Authenticating the {cert-manager-operator} with AWS
140
-
* You can now configure cloud credentials for the {cert-manager-operator} on AWS clusters with Security Token Service (STS) and without STS. For more information, see xref:../../security/cert_manager_operator/cert-manager-authenticate-aws.adoc#cert-manager-authenticate-aws[Authenticating the {cert-manager-operator} on AWS Security Token Service] and xref:../../security/cert_manager_operator/cert-manager-authentication-non-sts.adoc#cert-manager-authentication-non-sts[Authenticating the {cert-manager-operator} on AWS].
141
-
142
-
[id="cert-manager-authentication-gcp-1.11.1"]
143
-
==== Authenticating the {cert-manager-operator} with GCP
144
-
* You can now configure cloud credentials for the {cert-manager-operator} on GCP clusters with Workload Identity and without Workload Identity. For more information, see xref:../../security/cert_manager_operator/cert-manager-authenticate-gcp.adoc#cert-manager-authenticate-gcp[Authenticating the {cert-manager-operator} with GCP Workload Identity] and xref:../../security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc#cert-manager-authenticate-non-sts-gcp[Authenticating the {cert-manager-operator} with GCP]
29
+
* You can now manage certificates for API Server and Ingress Controller by using the {cert-manager-operator}.
30
+
For more information, see xref:../../security/cert_manager_operator/cert-manager-creating-certificate.adoc#cert-manager-creating-certificate[Configuring certificates with an issuer].
145
31
146
-
[id="cert-manager-operator-1.11.1-bug-fixes"]
147
-
=== Bug fixes
32
+
* With this release, the scope of the {cert-manager-operator}, which was previously limited to the {product-title} on AMD64 architecture, has now been expanded to include support for managing certificates on {product-title} running on {ibm-z-name} (`s390x`), {ibm-power-name} (`ppc64le`) and ARM64 architectures.
148
33
149
-
* Previously, the `cm-acme-http-solver` pod did not use the latest published Red Hat image `registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9`. With this release, the `cm-acme-http-solver` pod uses the latest published Red Hat image `registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9`. (link:https://issues.redhat.com/browse/OCPBUGS-10821[*OCPBUGS-10821*])
34
+
* With this release, you can use DNS over HTTPS (DoH) for performing the self-checks during the ACME DNS-01 challenge verification. The DNS self-check method can be controlled by using the command line flags, `--dns01-recursive-nameservers-only` and `--dns01-recursive-nameservers`.
35
+
For more information, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.html#cert-manager-override-arguments_cert-manager-customizing-api-fields[Customizing cert-manager by overriding arguments from the cert-manager Operator API].
150
36
151
-
* Previously, the {cert-manager-operator} did not support changing labels for cert-manager pods such as controller, CA injector, and Webhook pods. With this release, you can add labels to cert-manager pods. (link:https://issues.redhat.com/browse/OCPBUGS-8466[*OCPBUGS-8466*])
152
-
153
-
* Previously, you could not update the log verbosity level in the {cert-manager-operator}. You can now update the log verbosity level by using an environmental variable `OPERATOR_LOG_LEVEL` in its subscription resource. (link:https://issues.redhat.com/browse/OCPBUGS-9994[*OCPBUGS-9994*])
154
-
155
-
* Previously, when uninstalling the {cert-manager-operator}, if you select the *Delete all operand instances for this operator* checkbox in the {product-title} web console, the Operator was not uninstalled properly. The {cert-manager-operator} is now properly uninstalled. (link:https://issues.redhat.com/browse/OCPBUGS-9960[*OCPBUGS-9960*])
156
-
157
-
* Previously, the {cert-manager-operator} did not support using Google workload identity federation. The {cert-manager-operator} now supports using Google workload identity federation. (link:https://issues.redhat.com/browse/OCPBUGS-9998[*OCPBUGS-9998*])
158
-
159
-
[id="cert-manager-operator-1.11.1-known-issues"]
160
-
=== Known issues
161
-
162
-
* After installing the {cert-manager-operator}, if you navigate to *Operators → Installed Operators* and select *Operator details* in the {product-title} web console, you cannot see the cert-manager resources that are created across all namespaces. As a workaround, you can navigate to *Home -> API Explorer* to see the cert-manager resources. (link:https://issues.redhat.com/browse/OCPBUGS-11647[*OCPBUGS-11647*])
37
+
[id="cert-manager-operator-1.13-CVEs"]
38
+
=== CVEs
163
39
164
-
* After uninstalling the {cert-manager-operator} by using the web console, the {cert-manager-operator} does not remove the cert-manager controller, CA injector, and Webhook pods automatically from the `cert-manager` namespace. As a workaround, you can manually delete the cert-manager controller, CA injector, and Webhook pod deployments present in the `cert-manager` namespace. (link:https://issues.redhat.com/browse/OCPBUGS-13679[*OCPBUGS-13679*])
0 commit comments