Releases: cert-manager/openshift-routes

v0.7.0

03 Oct 13:56
e8a79cc

openshift-routes provides OpenShift Route support for cert-manager.

Version v0.7.0 is a major architectural change to the project which fundamentally alters how it works behind the scenes.

READ BEFORE UPGRADING: Issuing via Certificate Resources

Previously, openshift-routes worked by creating cert-manager CertificateRequest resources based on the annotations added to OpenShift Route resources.

This worked well most of the time, but caused several issues, details of which can be found in #55, #101, #34 and #49.

To address these issues, openshift-routes will now create cert-manager Certificate resources instead, which dramatically simplifies the logic in openshift-routes and provides several benefits:

  1. Metrics are exposed by cert-manager for Certificate resources, improving observability
  2. Certificate resources are much more user friendly to read and understand
  3. Issued certificates are also stored in Kubernetes Secret resources, allowing use in your applications as well as on Routes

Among other benefits.

What action do I need to take?

We expect that most users should be able to upgrade using Helm without seeing much difference in behaviour. Existing annotated Routes with certificates will continue to function as before. When reissuance is triggered, the Route should be updated using a Certificate with no user interaction.

Still, given the nature of the change, it's advisable to check the state of issued certificates on your Route resources to be sure that they're being renewed. If you find any problems, please raise an issue and ideally reach out to us on Slack to let us know.

It's important to note that:

  1. You must upgrade properly. There are important RBAC changes which come with the upgrade. Without those changes, openshift-routes will fail to issue any certificate.
  2. If you're using cert-manager's approval mechanism, the CertificateRequest resources will have different names to what they had before. The names now will be deterministic per-route.

What else should I be aware of?

To check if the TLS certificate on a Route needs to be reissued, openshift-routes needs to be able to compare it against the Secret resource which is created by the Certificates which are now used for issuance. That means that after you upgrade, openshift-routes will be able to read all Secrets across the cluster.
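One way to confirm which identities hold that cluster-wide Secret read access after the upgrade, as an added example (not code from the openshift-routes project): it scans the `items` of `oc get clusterroles -o json` and `oc get clusterrolebindings -o json`. The objects below are constructed and every name in them is a placeholder, not a name the Helm chart creates.

```python
READ_VERBS = {"get", "list", "watch", "*"}

def secret_read_verbs(rule):
    """Read verbs one RBAC rule grants on every core-group Secret."""
    if rule.get("resourceNames"):            # limited to named objects only
        return set()
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return set()
    if not {"secrets", "*"} & set(rule.get("resources", [])):
        return set()
    return READ_VERBS & set(rule.get("verbs", []))

def cluster_wide_secret_readers(roles, bindings):
    """Map each ClusterRoleBinding subject to the Secret read verbs it holds."""
    granting = {}
    for role in roles:
        verbs = set().union(*(secret_read_verbs(r) for r in role.get("rules") or []))
        if verbs:
            granting[role["metadata"]["name"]] = verbs
    readers = {}
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in granting:
            continue
        for s in binding.get("subjects") or []:
            key = f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}'
            readers.setdefault(key, set()).update(granting[ref["name"]])
    return {k: sorted(v) for k, v in readers.items()}

# Constructed sample input; every name below is a placeholder.
CLUSTER_ROLES = [
    {"metadata": {"name": "example-routes-controller"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "example-one-secret"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["tls-a"], "verbs": ["get"]}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "example-routes-controller"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "cert-manager",
                   "name": "example-openshift-routes"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "example-one-secret"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "demo",
                   "name": "example-app"}]},
]

if __name__ == "__main__":
    print(cluster_wide_secret_readers(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS))
```

Only ClusterRoleBindings are considered, because a RoleBinding that references a ClusterRole grants access in a single namespace rather than across the cluster.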

New Annotations Supported

openshift-routes now supports more annotations on routes, allowing greater flexibility in issuing certificates:

  • cert-manager.io/private-key-algorithm now supports Ed25519 keys
  • cert-manager.io/private-key-rotation-policy allows specifying how private keys should be rotated. Set this to Always unless you've got a good reason not to.
  • cert-manager.io/revision-history-limit controls how many CertificateRequests should be preserved when Certificates are (re-)issued. Set this to a low number to reduce cluster clutter.

What's Changed

Features

Bug Fixes

New Contributors

Full Changelog: v0.6.1...v0.7.0

v0.6.1

12 Sep 14:51
e24c64c

openshift-routes provides OpenShift Route support for cert-manager

What's Changed

  • Update README.md to reflect changes made to release artifacts and installation instructions by @inteon in #82
  • Use v-prefixed value for appVersion in Helm chart by @inteon in #88
  • Bugfix/ update openshift dependencies by @ctrought in #93

Update dependencies:

  • Bump the all group across 1 directory with 6 updates by @dependabot in #84
  • Bump github.com/cert-manager/cert-manager from 1.15.2 to 1.15.3 in the all group by @dependabot in #86

Update makefile modules:

  • [CI] Merge self-upgrade-main into main by @github-actions in #83
  • [CI] Merge self-upgrade-main into main by @github-actions in #85
  • [CI] Merge self-upgrade-main into main by @github-actions in #87
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #89
  • [CI] Merge self-upgrade-main into main by @github-actions in #90
  • [CI] Merge self-upgrade-main into main by @github-actions in #91
  • [CI] Merge self-upgrade-main into main by @github-actions in #92
  • [CI] Merge self-upgrade-main into main by @github-actions in #94

Full Changelog: v0.6.0...v0.6.1

v0.6.0

14 Aug 10:31
cfdfe89

openshift-routes provides OpenShift Route support for cert-manager

We changed the release process. The project now relies on Makefile modules like the other projects under the cert-manager org. The changes are:

  • The file static/cert-manager-openshift-routes.yaml is no longer present in the repository. You now have to template your own manifests, for example:

    oc apply -f <(helm template openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --set omitHelmLabels=true --version 0.6.0)

  • Image tags now use the v prefix:

    -ghcr.io/cert-manager/cert-manager-openshift-routes:0.5.0
    +ghcr.io/cert-manager/cert-manager-openshift-routes:v0.6.0

Install instructions

helm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version 0.6.0

What changed between v0.5.0 and v0.6.0?

  • Helm: it is now possible to use the namespace field in values.yaml for configuring the destination namespace. This is useful in the context of Helm subcharts. By @Jaydee94 in #59
  • Migrate the project to Makefile modules by @inteon in #60
  • Add E2E smoke tests by @inteon in #63
  • Helm: add omitHelmLabels so that people can generate static manifests without the Helm-specific labels by @maelvls in #74

New Contributors

  • @Jaydee94 made their first contribution in #59
  • @inteon made their first contribution in #60
  • @github-actions made their first contribution in #66

Full Changelog: v0.5.0...v0.6.0-alpha.0

v0.6.0-alpha.0

15 Jul 13:52
0632ecd
Pre-release

This is the first alpha release of openshift-routes v0.6.0.

We changed the release process. The project now relies on Makefile modules like the other projects under the cert-manager org. The changes are:

  • The file static/cert-manager-openshift-routes.yaml is no longer present in the repository. You can continue relying on the generated cert-manager-openshift-routes.yaml, for example:

    oc apply -f https://github.com/cert-manager/openshift-routes/releases/download/v0.6.0-alpha.0/cert-manager-openshift-routes.yaml

  • Image tags now use the v prefix:

    -ghcr.io/cert-manager/cert-manager-openshift-routes:0.5.0
    +ghcr.io/cert-manager/cert-manager-openshift-routes:v0.6.0-alpha.0

Install instructions

helm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version=0.6.0-alpha.0

You can also use the static manifests:

oc apply -f https://github.com/cert-manager/openshift-routes/releases/download/v0.6.0-alpha.0/cert-manager-openshift-routes.yaml

What changed between v0.5.0 and v0.6.0-alpha.0?

  • Helm: it is now possible to use the namespace field in values.yaml for configuring the destination namespace. This is useful in the context of Helm subcharts. By @Jaydee94 in #59
  • Migrate the project to Makefile modules by @inteon in #60
  • Add E2E smoke tests by @inteon in #63

New Contributors

  • @Jaydee94 made their first contribution in #59
  • @inteon made their first contribution in #60
  • @github-actions made their first contribution in #66

Full Changelog: v0.5.0...v0.6.0-alpha.0

v0.5.0

26 Jan 10:12
5b9f2b3

What's Changed

You can now use more annotations! Thanks to @ctrought's work in #29, you can now use the following subject annotations:

  • cert-manager.io/email-sans,
  • cert-manager.io/subject-organizations,
  • cert-manager.io/subject-organizationalunits,
  • cert-manager.io/subject-countries,
  • cert-manager.io/subject-provinces,
  • cert-manager.io/subject-localities,
  • cert-manager.io/subject-postalcodes,
  • cert-manager.io/subject-streetaddresses,
  • cert-manager.io/subject-serialnumber.

The documentation for the annotations is identical to the Ingress annotations and can be read in the Ingress Usage page.

Additionally, to help migrating the annotations from Ingresses to Routes, the annotation cert-manager.io/issuer can now be used as an alternative to cert-manager.io/issuer-name. Both annotations offer the same functionality. Note that the annotation cert-manager.io/cluster-issuer has not been brought to openshift-routes.

New Contributors

Full Changelog: v0.4.0...v0.5.0

v0.4.0

15 Dec 09:25
ab27c68

Changelog

  • You can now use the annotation cert-manager.io/private-key-size on Route resources to configure the key size for the generation of the private key. The default key sizes are still 2048 bits for the RSA signature algorithm (and hashed with SHA-256), and the P-256 curve for the ECDSA signature algorithm (hashed with SHA-256). The possible values are the same as when using the annotation on Ingress resources described in the Ingress Usage page. Shout out to @snorwin for implementing the feature in #48!

  • The Helm chart is now accessible as an OCI image thanks to @jacksgt! You can install the chart using the command:

    helm upgrade --install openshift-routes oci://ghcr.io/cert-manager/charts/openshift-routes

  • ArgoCD will no longer complain due to the mis-indented automountServiceAccountToken in the Helm chart. Thank you @snorwin for spotting this.

New Contributors

Full Changelog: v0.3.1...v0.4.0

v0.3.1

16 Nov 11:38
3feca4c

What's Changed

Note from @maelvls: this should have been a minor version bump since there was the addition of the Helm chart. But I had forgotten about the Helm chart addition and created a patch version instead. My bad!

Full Changelog: v0.3.0...v0.3.1

v0.3.0

05 Oct 18:36
47b7e5b

What's Changed

  • Openshift-routes now supports Route.spec.subdomain. This feature was contributed by @jacksgt in #27.
  • Openshift-routes now supports ECDSA keys. This improvement was contributed by @vinny-sabatini in #28.
  • Renewal was happening too early. @seandilda found that the renewal was happening at ⅓ of the duration of the certificate instead of ⅔. If you are using Let's Encrypt, your 90-days certificates would get rotated after 30 days instead of 60 days. This was fixed in the pull request #25.
  • The static manifest contained an error that prevented the use of the /metrics endpoint. It is now fixed thanks to @vinny-sabatini in #33.

New Contributors

Full Changelog: v0.2.0...v0.3.0

v0.2.0

21 Mar 10:20
d7a6e49

Changelog

  • b2f988d The certificate is now re-issued when the host field changes on the Route resource (thanks to @jacksgt)
  • 8787f37 Use Go 1.20

v0.1.3

14 Jul 17:40
db1979a

Changelog