Version `1.18.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.18.3`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.18#v1183[cert-manager project release notes for v1.18.3].
*Istio-CSR integration with {cert-manager-operator} (Generally Available)*
34
+
35
+
With this release, the integration of the {cert-manager-operator} with Istio-CSR, which was previously provided as a Technology Preview feature, is fully supported. This feature offers enhanced support for securing workloads and control plane components within {SMProductName} or Istio environments. By utilizing the {cert-manager-operator} managed Istio-CSR agent, Istio can obtain, sign, deliver, and renew certificates required for mutual TLS (mTLS).
36
+
For more information, see xref:../../security/cert_manager_operator/cert-manager-operator-integrating-istio.adoc#cert-manager-operator-istio-csr-installing_cert-manager-operator-integrating-istio[Integrating the cert-manager Operator with Istio-CSR].
37
+
38
+
*Replica count configuration for {cert-manager-operator} operands*
39
+
40
+
With this release, you can override the default replica counts for the {cert-manager-operator} `controller`, `webhook`, and `cainjector` operands. To configure these values, specify the new `overrideReplicas` fields in the `CertManager` custom resource. With this enhancement, you can configure high availability (HA) and scale operands based on your specific operational requirements. For more information, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-explanation-of-certmanager-cr-fields_cert-manager-customizing-api-fields[Common configurable fields in the CertManager CR for the cert-manager components].
41
+
42
+
*Root filesystem is read-only for {cert-manager-operator} containers*
43
+
44
+
With this release, to improve security, the {cert-manager-operator} and all its operands have the `readOnlyRootFilesystem` security context set to `true` by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container's root file system.
45
+
46
+
*Network policy hardening is now available for {cert-manager-operator} components*
47
+
48
+
With this release, the {cert-manager-operator} includes predefined `NetworkPolicy` resources to enhance security by controlling ingress and egress traffic for its components. These policies cover internal traffic, such as ingress to metrics and webhook servers, and egress to the OpenShift API and DNS servers.
49
+
50
+
By default, this feature is disabled to prevent connectivity issues during upgrades. You must explicitly enable it in the `CertManager` custom resource. For more information, see xref:../../security/cert_manager_operator/cert-manager-nw-policy.adoc#cert-manager-nw-policy[Network policy configuration for {cert-manager-operator}].
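Review bot: the network-policy item (lines 48-50 of the hunk) tells the reader to "explicitly enable it in the `CertManager` custom resource" without naming the field, whereas the replica-count item above names `overrideReplicas`; name the enabling field (or the spec section it lives under) inline so readers can act without following the xref, e.g. "You must explicitly enable it by setting `<field name>` in the `CertManager` custom resource." The read-only root filesystem item would also benefit from one sentence stating that the setting is a default and whether it can be overridden, since the entry only says it is "set to `true` by default".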
* The upstream cert-manager `v1.18` release updated the ACME HTTP-01 challenge ingress path type from `ImplementationSpecific` to `Exact`. The OpenShift Route API does not have an equivalent for the `Exact` path type, which prevents the ingress-to-route controller from supporting it. As a result, ingress resources created for HTTP-01 challenges cannot route traffic to the solver pod, causing the challenge to fail with a 503 error.
57
+
To mitigate this issue, the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default in this release.
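Review bot: the known-issue entry says the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default as the mitigation, but does not tell readers what happens if they turn it on; add a sentence making the consequence explicit, e.g. "Do not enable this feature gate on clusters where HTTP-01 solver ingresses are served through the ingress-to-route controller, because the challenge fails with the 503 error described above." It would also help to state that the default-disabled gate keeps the pre-`v1.18` `ImplementationSpecific` path type, so the reader knows what behaviour they are getting.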