v0.7.0
openshift-routes provides OpenShift Route support for cert-manager.
Version v0.7.0 is a major architectural change to the project which fundamentally alters how it works behind the scenes.
READ BEFORE UPGRADING: Issuing via Certificate Resources
Previously, openshift-routes worked by creating cert-manager CertificateRequest resources based on the annotations added to OpenShift Route resources.
This worked well most of the time, but caused several issues, details of which can be found in #55, #101, #34 and #49.
To address these issues, openshift-routes will now create cert-manager Certificate resources instead, which dramatically simplifies the logic in openshift-routes and provides several benefits:
- Metrics are exposed by cert-manager for Certificate resources, improving observability
- Certificate resources are much more user friendly to read and understand
- Issued certificates are also stored in Kubernetes Secret resources, allowing use in your applications as well as on Routes
Among other benefits.
What action do I need to take?
We expect that most users should be able to upgrade using Helm without seeing much difference in behaviour. Existing annotated Routes with certificates will continue to function as before. When reissuance is triggered, the Route should be updated using a Certificate with no user interaction.
Still, given the nature of the change, it's advisable to check the state of issued certificates on your Route resources to be sure that they're being renewed. If you find any problems, please raise an issue and ideally reach out to us on Slack to let us know.
It's important to note that:
- You must upgrade properly. There are important RBAC changes which come with the upgrade. Without those changes, openshift-routes will fail to issue any certificate.
- If you're using cert-manager's approval mechanism, the CertificateRequest resources will have different names to what they had before. The names now will be deterministic per-route.
What else should I be aware of?
To check if the TLS certificate on a Route needs to be reissued, openshift-routes needs to be able to compare it against the Secret resource which is created by the Certificates which are now used for issuance. That means that after you upgrade, openshift-routes will be able to read all Secrets across the cluster.
New Annotations Supported
openshift-routes now supports more annotations on routes, allowing greater flexibility in issuing certificates:
- cert-manager.io/private-key-algorithm now supports Ed25519 keys
- cert-manager.io/private-key-rotation-policy allows specifying how private keys should be rotated. Set this to Always unless you've got a good reason not to.
- cert-manager.io/revision-history-limit controls how many CertificateRequests should be preserved when Certificates are (re-)issued. Set this to a low number to reduce cluster clutter.
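As an added example (not part of the release notes or the project's own manifests), a Route that uses the three annotations above together with the hardened settings recommended here. The issuer reference annotations (cert-manager.io/issuer-name and cert-manager.io/issuer-kind) follow the openshift-routes documentation, and the ClusterIssuer named internal-ca, the namespace, host and Service are assumed to exist.

```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: example-app
  namespace: example-ns
  annotations:
    # Assumed ClusterIssuer; it must support Ed25519 for the algorithm below.
    cert-manager.io/issuer-name: internal-ca
    cert-manager.io/issuer-kind: ClusterIssuer
    # New in v0.7.0: Ed25519 is now an accepted private key algorithm.
    cert-manager.io/private-key-algorithm: Ed25519
    # Generate a fresh private key on every (re-)issuance rather than reusing it.
    cert-manager.io/private-key-rotation-policy: Always
    # Keep only the most recent CertificateRequest to reduce cluster clutter.
    # Annotation values are strings, so the number is quoted.
    cert-manager.io/revision-history-limit: "1"
spec:
  host: app.apps.example.com
  to:
    kind: Service
    name: example-app
  port:
    targetPort: https
  tls:
    # openshift-routes populates the certificate and key fields here from the
    # Secret that the generated Certificate resource writes.
    termination: edge
```

After the upgrade, inspecting the Certificate resource that openshift-routes creates for this Route (and its Secret) shows the renewal state directly, which is the check the upgrade notes above recommend.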
What's Changed
Features
- ⚠️ Use Certificates over CertificateRequests (follow-up to #55) by @jacksgt and @SgtCoDFish in #101
Bug Fixes
- Fix logging issue where %s is presented by @davidcollom in #97
New Contributors
- @davidcollom made their first contribution in #97 🎉
Full Changelog: v0.6.1...v0.7.0