Releases: cert-manager/istio-csr
v0.14.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.14.0 is a minor release focused on dependency upgrades and small bug fixes. We recommend that all users upgrade to this latest version.
Importantly, this version of istio-csr depends on a patched version of cert-manager that provides protections against GHSA-r4pg-vg54-wxx4 when parsing trust bundles. Exploitation would require an attacker to already have privileged access inside your cluster, and the effects of an exploit would be minimal.
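As an added illustration of the kind of defensive trust-bundle decoding this release relies on (example code written for these notes, not cert-manager's or istio-csr's implementation), the Go program below bounds the work a PEM bundle can cause before any certificate is parsed: it caps the input size and the number of blocks up front, accepts only CERTIFICATE blocks without headers, and treats bytes outside a well-formed block as an error rather than skipping them. The limits, helper names and placeholder block contents are all constructed for the example; cert-manager's actual limits are not stated on this page.

```go
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Bounds enforced before any X.509 parsing happens. The numbers are chosen for
// this example; they are not cert-manager's actual limits.
const (
	maxBundleBytes = 256 << 10 // a CA bundle larger than 256 KiB is not plausible
	maxBundleCerts = 32
)

var pemBegin = []byte("-----BEGIN ")

// splitTrustBundle returns the DER bytes of every CERTIFICATE block in a PEM
// trust bundle. Unlike a bare loop over pem.Decode it rejects oversized input
// and an excessive block count before decoding anything, refuses any block
// type other than CERTIFICATE, forbids PEM headers, and errors on bytes that
// sit outside a well-formed block instead of silently skipping them.
func splitTrustBundle(bundle []byte) ([][]byte, error) {
	if len(bundle) > maxBundleBytes {
		return nil, fmt.Errorf("trust bundle is %d bytes, limit is %d", len(bundle), maxBundleBytes)
	}
	if n := bytes.Count(bundle, pemBegin); n > maxBundleCerts {
		return nil, fmt.Errorf("trust bundle declares %d PEM blocks, limit is %d", n, maxBundleCerts)
	}
	var ders [][]byte
	for rest := bytes.TrimSpace(bundle); len(rest) > 0; rest = bytes.TrimSpace(rest) {
		if !bytes.HasPrefix(rest, pemBegin) {
			return nil, errors.New("trust bundle contains data outside PEM blocks")
		}
		before := rest
		var block *pem.Block
		block, rest = pem.Decode(rest)
		// pem.Decode skips a malformed block and carries on to the next one;
		// more than one BEGIN marker in the consumed span catches that.
		if block == nil || bytes.Count(before[:len(before)-len(rest)], pemBegin) != 1 {
			return nil, errors.New("trust bundle contains a malformed PEM block")
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected %q block in trust bundle", block.Type)
		}
		if len(block.Headers) != 0 {
			return nil, errors.New("PEM headers are not allowed in a trust bundle")
		}
		ders = append(ders, block.Bytes)
	}
	if len(ders) == 0 {
		return nil, errors.New("trust bundle contains no certificates")
	}
	return ders, nil
}

// loadTrustBundle is the step that follows: parse each block and add it to the
// pool that client certificates are verified against. Parsing runs only after
// the bounds above held, so the work a crafted bundle can cause is capped.
func loadTrustBundle(bundle []byte) (*x509.CertPool, error) {
	ders, err := splitTrustBundle(bundle)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	for i, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", i, err)
		}
		if !cert.IsCA {
			return nil, fmt.Errorf("certificate %d (%s) is not a CA", i, cert.Subject)
		}
		pool.AddCert(cert)
	}
	return pool, nil
}

// sampleBundle builds a constructed PEM bundle of n blocks of the given type.
// The block contents are placeholder bytes, not real certificates.
func sampleBundle(n int, typ string) []byte {
	var buf bytes.Buffer
	for i := 0; i < n; i++ {
		pem.Encode(&buf, &pem.Block{Type: typ, Bytes: []byte(fmt.Sprintf("placeholder-der-%d", i))})
	}
	return buf.Bytes()
}

func main() {
	cases := map[string][]byte{
		"two certificates":     sampleBundle(2, "CERTIFICATE"),
		"private key smuggled": sampleBundle(1, "PRIVATE KEY"),
		"too many blocks":      sampleBundle(maxBundleCerts+1, "CERTIFICATE"),
		"oversized":            bytes.Repeat([]byte("-"), maxBundleBytes+1),
		"trailing junk":        append(sampleBundle(1, "CERTIFICATE"), "garbage\n"...),
	}
	for name, b := range cases {
		ders, err := splitTrustBundle(b)
		fmt.Printf("%-20s blocks=%d err=%v\n", name, len(ders), err)
	}
	_, err := loadTrustBundle(sampleBundle(1, "CERTIFICATE"))
	fmt.Println("placeholder DER:", err) // fails at x509.ParseCertificate, as it should
}
```

Only the "two certificates" bundle passes the split; the placeholder bytes then fail at `x509.ParseCertificate`, which is the point of keeping the cheap checks ahead of the expensive parse.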
What's Changed
Bug Fixes
- Use `istiod-` as the prefix for the DNS names for Istio revisions by @wallrj in #454
- Fix helm chart typos by @wallrj in #458
- Use specialised function for decoding trust bundles by @SgtCoDFish in #477
- Fix some more grammatical mistakes and typos in the comments of Helm chart values.yaml by @wallrj in #460
Other
Dependency Updates
- Bump the all group with 3 updates by @dependabot in #446
- Bump the all group across 1 directory with 3 updates by @dependabot in #455
- Bump the all group across 1 directory with 6 updates by @dependabot in #462
- Bump the all group across 1 directory with 2 updates by @dependabot in #467
- Bump istio.io/api from 1.24.1 to 1.24.2 in the all group by @dependabot in #468
- Bump the all group across 1 directory with 3 updates by @dependabot in #474
- Bump the all group across 1 directory with 9 updates by @dependabot in #483
Makefile Modules Upgrades
- [CI] Merge self-upgrade-main into main by @github-actions in #445
- [CI] Merge self-upgrade-main into main by @github-actions in #447
- [CI] Merge self-upgrade-main into main by @github-actions in #448
- [CI] Merge self-upgrade-main into main by @github-actions in #450
- [CI] Merge self-upgrade-main into main by @github-actions in #452
- [CI] Merge self-upgrade-main into main by @github-actions in #456
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #461
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #466
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #470
- [CI] Merge self-upgrade-main into main by @github-actions in #476
- [CI] Merge self-upgrade-main into main by @github-actions in #480
- [CI] Merge self-upgrade-main into main by @github-actions in #484
Full Changelog: v0.13.0...v0.14.0
v0.14.0-alpha.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
This pre-release is largely for testing some new automation behind the scenes. We don't recommend running this release.
What's Changed
- Use `istiod-` as the prefix for the DNS names for Istio revisions by @wallrj in #454
- Fix helm chart typos by @wallrj in #458
- Add Helm chart OCI release to GH automation by @inteon in #457
- Fix some more grammatical mistakes and typos in the comments of Helm chart values.yaml by @wallrj in #460
Other
- [CI] Merge self-upgrade-main into main by @github-actions in #445
- [CI] Merge self-upgrade-main into main by @github-actions in #447
- [CI] Merge self-upgrade-main into main by @github-actions in #448
- Bump the all group with 3 updates by @dependabot in #446
- [CI] Merge self-upgrade-main into main by @github-actions in #450
- [CI] Merge self-upgrade-main into main by @github-actions in #452
- [CI] Merge self-upgrade-main into main by @github-actions in #456
- Bump the all group across 1 directory with 3 updates by @dependabot in #455
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #461
- Bump the all group across 1 directory with 6 updates by @dependabot in #462
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #466
Full Changelog: v0.13.0...v0.14.0-alpha.0
v0.13.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.13.0 includes a change to istio-csr so it works with the latest version of Istio (v1.24).
Specifically, the new version of Istio requires that clients set ALPN in the TLS handshake, which istio-csr didn't previously do.
What's Changed
- ⭐ fix: expose ALPN in TLS handshake by @howardjohn in #422
- fix(helm): quote `istiodAdditionalDNSNames` to support wildcard domains by @ashithwilson in #425
- Use a default (but configurable) test file for istio-csr by @SgtCoDFish in #429
- Various e2e setup tweaks by @SgtCoDFish in #430
New Contributors
- @ashithwilson made their first contribution in #425 🚀
- @howardjohn made their first contribution in #422 🚀
Full Changelog: v0.12.0...v0.13.0
v0.13.0-alpha.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.13.0-alpha.0 is a prerelease for testing changes to istio-csr with the new Istio 1.24. Specifically, the new version of Istio requires that clients set ALPN in the TLS handshake, which istio-csr didn't previously do.
If you're having issues with istio-csr and Istio 1.24, try this prerelease and please let us know if it works for you!
IMPORTANT: The chart for this release might not be visible in the charts.jetstack.io repository as of when this release is published. You can use the chart attached to this release until it becomes visible.
What's Changed
- ⭐ fix: expose ALPN in TLS handshake by @howardjohn in #422
- fix(helm): quote `istiodAdditionalDNSNames` to support wildcard domains by @ashithwilson in #425
- Use a default (but configurable) test file for istio-csr by @SgtCoDFish in #429
- Various e2e setup tweaks by @SgtCoDFish in #430
New Contributors
- @ashithwilson made their first contribution in #425 🚀
- @howardjohn made their first contribution in #422 🚀
Full Changelog: v0.12.0...v0.13.0-alpha.0
v0.12.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.12.0 introduces support for Istio Ambient Mode, expands upon the runtime configuration functionality introduced in previous releases, and includes various other improvements.
Features
Istio Ambient Mode Support
Istio Ambient Mode allows the use of Istio without requiring sidecar containers to run in your pods. This is powerful, but functions slightly differently and istio-csr previously didn't support this mode of operation.
Thanks to @paulwilljones istio-csr can now handle this mode of operation!
Istio Ambient Mode is enabled by setting the `app.server.caTrustedNodeAccounts` Helm value to a comma-separated list of `namespace/service-accounts` values indicating which service accounts are permitted to use node authentication, such as `istio-system/ztunnel`.
As this is a new feature, we'd be keen to hear your feedback and learn how this can be improved!
Runtime Configuration Improvements
Provisioning Resources
Runtime configuration allows istio-csr to be installed at the same time as cert-manager itself, which can simplify the cluster setup process. It also enables issuers to be changed on the fly, which makes rotation of CA certificates simpler and reduces the risk of downtime.
An issue we noticed was that istio-csr would always report as unhealthy until runtime configuration was available. On the face of it, this seems like expected behavior - without a configured issuer, istio-csr can't issue workload certs or provision the istio serving cert / istiod cert. The issue we found was that this causes the Helm install of istio-csr to hang until the runtime configuration ConfigMap was provided, forcing the need to handle runtime configuration then and there.
To make this process simpler, we've made a few Helm chart changes:
- It's now possible to pass `extraObjects` as a Helm value specifying arbitrary resources to create alongside the istio-csr install. This enables creating an issuer during the Helm install, if desired.
- There's a new `app.runtimeConfiguration.create` value which, if set, will create a runtime configuration ConfigMap with the values specified in `app.runtimeConfiguration.issuer`.
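Putting the two Helm changes above together with the Ambient Mode value described earlier in these notes, the following values.yaml installs istio-csr in pure runtime-configuration mode with its Issuer created in the same Helm release, so the install no longer hangs waiting for a ConfigMap. This is an added example, not taken from the release notes or the chart: the key layout under `app.runtimeConfiguration.issuer` (mirroring the ConfigMap's issuer-name/issuer-kind/issuer-group keys), the use of full manifests under `extraObjects`, and the pre-existing `istio-ca` Secret are assumptions to check against the chart's values.yaml.

```yaml
# Added example values.yaml for the cert-manager-istio-csr chart.
app:
  # Ambient Mode: only the listed accounts may use node authentication and
  # request certificates on behalf of pods on their node, so keep this list
  # to ztunnel's service account.
  server:
    caTrustedNodeAccounts: "istio-system/ztunnel"
  # Pure runtime configuration: no issuer is baked into the pod's arguments.
  certmanager:
    issuer:
      name: ""
      kind: ""
      group: ""
  # Let the chart create the runtime configuration ConfigMap itself.
  # The name/kind/group keys under issuer are an assumption for this example.
  runtimeConfiguration:
    create: true
    issuer:
      name: istio-ca
      kind: Issuer
      group: cert-manager.io
  tls:
    istiodCertificateEnable: "dynamic"
# Objects applied with the release, so the Issuer referenced above exists by
# the time istio-csr reads its runtime configuration. Assumed to accept full
# manifests; the CA key pair in the istio-ca Secret must already exist.
extraObjects:
  - apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: istio-ca
      namespace: cert-manager
    spec:
      ca:
        secretName: istio-ca
```

Changing the issuer later is then a matter of editing the ConfigMap rather than restarting istio-csr pods with new arguments.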
Health Checks
In addition, we've changed how health checks work for istio-csr with runtime configuration. If using pure runtime configuration (`app.certmanager.issuer` is blank), the istio-csr health checks will report healthy until runtime configuration is available for the first time. After runtime configuration is first detected, the health checks will return to normal.
Other Fixes
We now also propagate annotations onto the dynamic istiod cert which is used with runtime configuration, and a few roles have been fixed to ensure that installing into different namespaces works as expected.
What's Changed
Istio Ambient Mode
- feat: Add support for impersonation for certificate requests by @paulwilljones in #336
Runtime Configuration
- feat: add ability to create runtime config configmap by @ThatsMrTalbot in #379
- feat: add ability to specify extra objects to apply along with the chart by @ThatsMrTalbot in #378
- fix: Handle initial issuer config for dynamic istiod cert by @SgtCoDFish in #399
- fix: Propagate dynamic istiod cert annotations by @SgtCoDFish in #396
- feat: allow "runtime-only" configuration without default issuer by @ThatsMrTalbot in #395
- fix: do not track "originalIssuerRef" if default issuer is disabled by @ThatsMrTalbot in #397
- fix: Tweak roles to fix permission errors by @SgtCoDFish in #398
Test Improvements / Other
- feat: Add security context to istio-csr deployment by @wtzhang23 in #369
- test: Add end to end test for client certificate authenticator by @wtzhang23 in #370
- test: Add Istio 1.23 tests by @paulwilljones in #387
- feat: Added labels and annotations to deployment and pod by @chanakya-svt in #372
New Contributors
- @paulwilljones made their first contribution in #387
- @chanakya-svt made their first contribution in #372
Full Changelog: v0.11.0...v0.12.0
v0.12.0-alpha.1
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.12.0-alpha.1 is an initial pre-release of v0.12.0 to test new changes.
More complete release notes will be added with official release of v0.12.0
What's Changed
- Add Istio 1.23 tests by @paulwilljones in #387
- Add support for impersonation for certificate requests by @paulwilljones in #336
- feat: allow "runtime-only" configuration without default issuer by @ThatsMrTalbot in #395
- Propagate annotations by @SgtCoDFish in #396
- fix: do not track "originalIssuerRef" if default issuer is disabled by @ThatsMrTalbot in #397
- Tweak roles to fix permission errors by @SgtCoDFish in #398
- added labels and annotations to deployment and pod by @chanakya-svt in #372
New Contributors
- @paulwilljones made their first contribution in #387
- @chanakya-svt made their first contribution in #372
Full Changelog: v0.12.0-alpha.0...v0.12.0-alpha.1
v0.12.0-alpha.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.12.0-alpha.0 is an initial pre-release of v0.12.0 to test new Helm chart changes which help with provisioning resources alongside istio-csr.
More complete release notes will be added with official release of v0.12.0
What's Changed
- Add security context to istio-csr deployment by @wtzhang23 in #369
- Add end to end test for client certificate authenticator by @wtzhang23 in #370
- feat: add ability to create runtime config configmap by @ThatsMrTalbot in #379
- feat: add ability to specify extra objects to apply along with the chart by @ThatsMrTalbot in #378
Full Changelog: v0.11.0...v0.12.0-alpha.0
v0.11.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.11.0 further enhances support for runtime configuration, enabling "pure" runtime configuration where istio-csr can be installed at the same time as cert-manager. It also enables client cert auth via a great contribution from @wtzhang23, which provides an alternative method for workloads to renew their certificates.
JSON logging is also added for the first time, with some caveats!
Feature Overview
Pure Runtime Configuration
istio-csr v0.10.0 added initial support for runtime configuration, allowing the issuer to be changed easily after istio-csr starts. That release still, in practice, needed an issuer to be configured before istio-csr was installed, in order to provision the istiod cert and for initial configuration of istio serving certs.
v0.11.0 adds "pure" runtime configuration, allowing istio-csr and cert-manager to be installed entirely concurrently. To achieve this, istio-csr gains the ability to dynamically provision an istiod cert, and now waits for issuer configuration before any attempts to issue serving certs.
An example of runtime-configured istio-csr would use the following values.yaml:
```yaml
app:
  runtimeIssuanceConfigMap: runtime-config-map
  certmanager:
    issuer:
      # explicitly blank these values out, since they're defaulted
      name: ""
      kind: ""
      group: ""
  tls:
    istiodCertificateEnable: "dynamic" # new in v0.11.0!
```
Note that istio-csr pods won't report as "ready" until an issuer is configured, so a Helm install won't complete until you've created a ConfigMap specifying an issuer!
```shell
$ kubectl create configmap runtime-config-map -n cert-manager \
    --from-literal=issuer-name=istio-ca \
    --from-literal=issuer-kind=Issuer \
    --from-literal=issuer-group=cert-manager.io
```
Client Cert Auth
Previously, workloads attempting to renew their serving certs with istio-csr were required to present their Kubernetes JWT for validation. Istio (when used without istio-csr) allows for several auth methods, including client cert auth, where the already-provisioned mTLS certificate can be used as auth.
Now, istio-csr has gained support for client cert auth, using the trusted CA bundle already supported in istio-csr. The functionality is behind a flag, and can be enabled with a Helm value: `--set app.server.authenticators.enableClientCert=true`.
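The two authentication behaviours described in these notes, the ALPN requirement from the v0.13.0 entry above and client cert auth here, come together in the following Go example. It is added for these notes and is not istio-csr's or Istio's code: a small istiod-like TLS server that refuses a handshake in which the client negotiated no ALPN protocol and that authenticates the caller by its mesh mTLS certificate against a trusted CA pool, plus a client that dials with and without each of those. The CA, the serving name `istiod.istio-system.svc` and the workload's SPIFFE ID are generated in-process and are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

const istiodName = "istiod.istio-system.svc" // assumed serving name for this example

// mesh holds a constructed CA pool, an istiod-like serving cert and one workload cert.
type mesh struct {
	roots             *x509.CertPool
	serving, workload tls.Certificate
}

// issue signs tmpl under parent with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only a broken RNG can fail here
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // only a bad template can fail here
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newMesh builds the PKI: one CA signs both the serving and the workload cert, as with
// istio-csr's single issuer. The CA name, DNS name and SPIFFE ID are made up.
func newMesh() *mesh {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "istio-ca"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, srvKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		DNSNames: []string{istiodName}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	wl, wlKey := issue(&x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: nb, NotAfter: na,
		URIs:        []*url.URL{{Scheme: "spiffe", Host: "cluster.local", Path: "/ns/default/sa/sleep"}},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &mesh{roots: roots,
		serving:  tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		workload: tls.Certificate{Certificate: [][]byte{wl.Raw}, PrivateKey: wlKey}}
}

// serve starts an istiod-like listener: like Istio 1.24 it rejects clients that negotiated
// no ALPN protocol, and it authenticates callers by their mesh mTLS certificate, verified
// against the trusted CA bundle, instead of by a Kubernetes JWT. It returns the address.
func (m *mesh) serve() (string, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{m.serving}, NextProtos: []string{"h2"},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: m.roots,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cs.NegotiatedProtocol == "" {
				return fmt.Errorf("client offered no ALPN protocol")
			}
			return nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c *tls.Conn) {
				defer c.Close()
				c.SetDeadline(time.Now().Add(5 * time.Second))
				// The caller's identity is the URI SAN of the client cert that ClientCAs verified.
				if c.Handshake() == nil && len(c.ConnectionState().PeerCertificates[0].URIs) > 0 {
					fmt.Fprint(c, c.ConnectionState().PeerCertificates[0].URIs[0])
				}
			}(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}

// renew dials like a workload renewing its cert and returns the identity the server
// accepted, or the error it answered with (a rejection arrives as a TLS alert on Read,
// because the client's side of a TLS 1.3 handshake completes before the server checks it).
func (m *mesh) renew(addr string, protos []string, certs []tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: m.roots, ServerName: istiodName, NextProtos: protos, Certificates: certs}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if n == 0 {
		return "", fmt.Errorf("no identity returned: %v", err)
	}
	return string(buf[:n]), nil
}

func main() {
	m := newMesh()
	addr, err := m.serve()
	if err != nil {
		panic(err)
	}
	h2, wl := []string{"h2"}, []tls.Certificate{m.workload}
	fmt.Println(m.renew(addr, h2, wl))  // spiffe://cluster.local/ns/default/sa/sleep <nil>
	fmt.Println(m.renew(addr, nil, wl)) // "" and an error: no ALPN, the server sent an alert
	fmt.Println(m.renew(addr, h2, nil)) // "" and an error: no client cert, the server sent an alert
}
```

Two practical consequences follow from the example. A client that does not offer ALPN gets a TLS alert rather than a clear "ALPN missing" message, which is what an un-upgraded istio-csr looks like against Istio 1.24. And with client cert auth enabled, the trust bundle is the root of authentication for renewals: any CA in it can vouch for a workload identity, so the bundle deserves the same care as the issuer itself.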
JSON Logging
Thanks to the new `logFormat` Helm value, JSON logging can be enabled for istio-csr: `--set app.logFormat=json`.
JSON logs are now used by default in several istio-csr tests, and are very useful for parseable structured logs. The caveats are twofold:
- First, there's no guarantee that all output will be in JSON format. In testing, logging seemed to be consistently in JSON, but it's possible that there could be some plain-text output.
- Second, log formats are not currently consistent - different log lines may have different keys.
We'd appreciate contributions if anyone is willing to work on these caveats!
What's Changed
Runtime Configuration
- Add ability to dynamically configure istiod cert by @SgtCoDFish in #359
- Add retries for issuing initial serving cert by @SgtCoDFish in #364
JSON Logs
- Add flag to set log-format by @seankhliao in #354
- Test with JSON logs, improve logs aesthetics for JSON by @SgtCoDFish in #356
- Configure istio logging when JSON selected by @SgtCoDFish in #358
Other
- Disable kubernetes client side rate limiting by @seankhliao in #352
- Implement client cert auth by @wtzhang23 in #357
- Add topologySpreadConstraints to Helm chart by @SgtCoDFish in #365
- Helm updates for istiod cert by @SgtCoDFish in #355
- Add some release detail which appears to be missing by @SgtCoDFish in #366
New Contributors
- @seankhliao made their first contribution in #354
- @wtzhang23 made their first contribution in #357
Full Changelog: v0.10.0...v0.11.0
v0.11.0-alpha.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.11.0-alpha.0 is a prerelease for testing of "pure" runtime configuration, topologySpreadConstraints support, JSON logs and client cert auth.
Full release notes will be provided when v0.11.0 is released!
What's Changed
Runtime Configuration
- Add ability to dynamically configure istiod cert by @SgtCoDFish in #359
- Add retries for issuing initial serving cert by @SgtCoDFish in #364
JSON Logs
- Add flag to set log-format by @seankhliao in #354
- Test with JSON logs, improve logs aesthetics for JSON by @SgtCoDFish in #356
- Configure istio logging when JSON selected by @SgtCoDFish in #358
Other
- Disable kubernetes client side rate limiting by @seankhliao in #352
- Implement client cert auth by @wtzhang23 in #357
- Add topologySpreadConstraints to Helm chart by @SgtCoDFish in #365
- Helm updates for istiod cert by @SgtCoDFish in #355
New Contributors
- @seankhliao made their first contribution in #354
- @wtzhang23 made their first contribution in #357
Full Changelog: v0.10.0...v0.11.0-alpha.0
v0.10.0
istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.
v0.10.0 provides some cool new features - initial support for easier runtime configuration, support for the s390x architecture and dependency updates!
Initial Runtime Configuration Support
istio-csr requires cert-manager to be installed to be able to issue certificates; using cert-manager to issue istio certificates is the whole reason to use istio-csr!
More subtly, istio-csr actually requires a cert-manager issuer to be created before istio-csr is installed. This issuer is used to issue the istiod certificate, the istio serving certificate and workload certificates.
This dependency means that it's not possible to install istio-csr and cert-manager at the same time, which can be a problem for some users and some installation methods. Runtime configuration aims to solve that problem, by allowing the issuer to be defined at runtime through a ConfigMap resource in the same namespace as the istio-csr pods.
Plus, since the issuer is defined at pod startup time (via the Helm chart) it's not possible to swap out an issuer on the fly while istio-csr pods are running. Runtime configuration changes this:
```shell
$ kubectl create configmap -n cert-manager istio-issuer \
    --from-literal=issuer-name=my-issuer-name \
    --from-literal=issuer-kind=ClusterIssuer \
    --from-literal=issuer-group=cert-manager.io
$ cat values.yaml
app:
  runtimeIssuanceConfigMap: istio-issuer
  certmanager:
    issuer:
      name: ""
      kind: ""
      group: ""
  tls:
    rootCAFile: "/var/run/secrets/istio-csr/ca.pem"
    istiodCertificateEnable: false
volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
volumes:
  - name: root-ca
    secret:
      secretName: istio-root-ca
$ helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
    --install \
    --namespace cert-manager \
    --wait \
    --values values.yaml
```
This initial support does require that the istiod certificate is disabled, which means there's a need to provision that certificate ahead of installing istio-csr.
Alternatively, `istiodCertificateEnable` can be left as `true` and `app.certmanager.issuer` can be provided. This will still require cert-manager to be installed and configured before istio-csr, but it does allow the issuer, and therefore the certificates, to be changed on the fly.
A future release of istio-csr should help with provisioning the istiod certificate dynamically, allowing for true runtime configuration.
s390x Support
Thanks to @rishikakedia, istio-csr now supports the s390x architecture! While the cert-manager project's ability to test on s390x is limited, we hope this support is useful and we'd be happy to action any bugs you find!
What's Changed
Features
- Add ability to configure issuer at runtime by @SgtCoDFish in #343
- Add support for s390x for istio-csr by @rishikakedia in #323
- Bump dep for CVE-2024-28122, ignore false positive istio vulns by @SgtCoDFish in #344
- Add nameOverride to values.yaml so it is allowed by the jsonSchema validation by @inteon in #349
Testing / Documentation
- docs: add RELEASE.md file to document release by @ThatsMrTalbot in #316
- Add option to focus a specific e2e test by @SgtCoDFish in #341
- Add updated versions of istio config to enable tests by @SgtCoDFish in #345
- Increase timeout for namespace e2e test polling by @SgtCoDFish in #348
New Contributors
- @rishikakedia made their first contribution in #323 🎉
Full Changelog: v0.9.0...v0.10.0