Merge pull request #1533 from wallrj/merge-master

Merge master into release-next

Author: cert-manager-prow[bot]

components/docs/VersionSelect.jsx

@@ -2,12 +2,12 @@ import { Listbox } from '@headlessui/react'
 import { useState } from 'react'
 import SidebarLink from './Sidebar/SidebarLink'
 
-import { compareVersions } from 'compare-versions';
+import { compareVersions } from 'compare-versions'
 
 function labelFromVersion(version) {
-    return version === 'docs'
-        ? 'latest'
-        : version.replace(/-docs$/, '').replace(/^v/, '');
+  return version === 'docs'
+    ? 'latest'
+    : version.replace(/-docs$/, '').replace(/^v/, '')
 }
 
 export default function VersionSelect({
@@ -25,7 +25,7 @@ export default function VersionSelect({
     .reverse()
 
   return (
-      <div className="bg-gray-1 rounded-md border-2 border-gray-2/50">
+    <div className="bg-gray-1 rounded-md border-2 border-gray-2/50">
       <Listbox value={selectedVersion} onChange={setSelectedVersion}>
         <Listbox.Button className="w-full">
           version: {labelFromVersion(version)}
@@ -55,7 +55,7 @@ export default function VersionSelect({
           ))}
           <div className="block px-2">
             <SidebarLink
-              href="https://release-next--cert-manager-website.netlify.app/docs/"
+              href="https://release-next--cert-manager.netlify.app/docs/"
               caption="next release"
               setSidebarCollapsed={setSidebarCollapsed}
               setParentOpen={setParentOpen}
@@ -64,5 +64,5 @@ export default function VersionSelect({
         </Listbox.Options>
       </Listbox>
     </div>
-  );
+  )
 }

content/docs/installation/helm.md

@@ -118,13 +118,14 @@ This static manifest can be tuned by providing the flags to overwrite the defaul
 helm template \
   cert-manager jetstack/cert-manager \
   --namespace cert-manager \
-  --create-namespace \
   --version [[VAR::cert_manager_latest_version]] \
   --set crds.enabled=true \
   # --set prometheus.enabled=false \   # Example: disabling prometheus using a Helm parameter
   > cert-manager.custom.yaml
 ```
 
+> ℹ️ The `helm template` command will not output a Namespace resource and ignores the `--create-namespace` flag. You must ensure the namespace you are deploying the generated YAML to exists.
+
 ## Uninstalling
 
 > **Warning**: To uninstall cert-manager you should always use the same process for

content/docs/installation/kubectl.md

@@ -31,7 +31,7 @@ you'll need to make modifications to the deployment manifests.
 Once you've installed cert-manager, you can verify it is deployed correctly by
 checking the `cert-manager` namespace for running pods:
 
-```bash
+```console
 $ kubectl get pods --namespace cert-manager
 
 NAME                                       READY   STATUS    RESTARTS   AGE
@@ -55,15 +55,15 @@ First, make sure that [cmctl is installed](../reference/cmctl.md#installation).
 cmctl performs a dry-run certificate creation check against the Kubernetes cluster.
 If successful, the message `The cert-manager API is ready` is displayed.
 
-```bash
+```console
 $ cmctl check api
 The cert-manager API is ready
 ```
 
 The command can also be used to wait for the check to be successful.
 Here is an output example of running the command at the same time that cert-manager is being installed:
 
-```bash
+```console
 $ cmctl check api --wait=2m
 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server
 Not ready: the cert-manager CRDs are not yet installed on the Kubernetes API server
@@ -81,7 +81,7 @@ Best way to fully verify the installation is to issue a test certificate. For th
 
 
 ```bash
-$ cat <<EOF > test-resources.yaml
+cat <<EOF > test-resources.yaml
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -111,12 +111,13 @@ EOF
 
 Create the test resources.
 ```bash
-$ kubectl apply -f test-resources.yaml
+kubectl apply -f test-resources.yaml
 ```
 
 Check the status of the newly created certificate. You may need to wait a few
 seconds before cert-manager processes the certificate request.
-```bash
+
+```console
 $ kubectl describe certificate -n cert-manager-test
 
 ...
@@ -140,8 +141,9 @@ Events:
 ```
 
 Clean up the test resources.
+
 ```bash
-$ kubectl delete -f test-resources.yaml
+kubectl delete -f test-resources.yaml
 ```
 
 If all the above steps have completed without error, you're good to go!

content/docs/reference/api-docs.md

@@ -6787,5 +6787,5 @@ description: >-
 </table>
 <hr />
 <p>
-  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>3403251</code>. </em>
+  <em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>35e27b7</code>. </em>
 </p>

content/docs/releases/release-notes/release-notes-1.15.md

@@ -6,7 +6,7 @@ description: 'cert-manager release notes: cert-manager 1.14'
 > 📢 The cert-manager CLI has moved to a new GitHub repository
 >
 > From this release, `cmctl` is no longer be released with `cert-manager` itself,
-> and there will no further `quay.io/jetstack/cert-manager-ctl` OCI images. 
+> and there will no further `quay.io/jetstack/cert-manager-ctl` OCI images.
 >
 > For the startupapicheck Job you should update references to point at
 > `quay.io/jetstack/cert-manager-startupapicheck`
@@ -15,8 +15,8 @@ description: 'cert-manager release notes: cert-manager 1.14'
 
 > 📢 Change in how the Helm chart manages CRDs
 >
-> From this release, the Helm chart will no longer uninstall the CRDs when the 
-> chart is uninstalled. If you want the CRDs to be removed on uninstall use 
+> From this release, the Helm chart will no longer uninstall the CRDs when the
+> chart is uninstalled. If you want the CRDs to be removed on uninstall use
 > `crds.keep=false` when installing the Helm chart.
 
 cert-manager 1.15 promotes several features to beta, including GatewayAPI support (`ExperimentalGatewayAPISupport`), the ability to provide a subject in the Certificate that will be used literally in the CertificateSigningRequest (`LiteralCertificateSubject`) and the outputting of additional certificate formats (`AdditionalCertificateOutputFormats`).
@@ -33,6 +33,18 @@ Thanks also to the CNCF, which provides resources and support, and to the AWS op
 
 In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
 
+
+## `v1.15.2`
+
+### Bug or Regression
+
+- BUGFIX `route53`: explicitly set the `aws-global` STS region which is now required by the `github.com/aws/aws-sdk-go-v2` library. ([#7189](https://github.com/cert-manager/cert-manager/pull/7189), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+- Bump `grpc-go` to fix `GHSA-xr7q-jx4m-x55m` ([#7167](https://github.com/cert-manager/cert-manager/pull/7167), [`@SgtCoDFish`](https://github.com/SgtCoDFish))
+- Fix Azure DNS causing panics whenever authentication error happens ([#7188](https://github.com/cert-manager/cert-manager/pull/7188), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+- Fix incorrect value and indentation of `endpointAdditionalProperties` in the `PodMonitor` template of the Helm chart ([#7191](https://github.com/cert-manager/cert-manager/pull/7191), [`@inteon`](https://github.com/inteon))
+- Fixes ACME HTTP01 challenge behavior when using Gateway API to prevent unbounded creation of `HTTPRoute` resources ([#7186](https://github.com/cert-manager/cert-manager/pull/7186), [`@cert-manager-bot`](https://github.com/cert-manager-bot))
+- Upgrade `golang` from `1.22.3` to `1.22.5` ([#7165](https://github.com/cert-manager/cert-manager/pull/7165), [`@github-actions`](https://github.com/github-actions))
+
 ## `v1.15.1`
 
 ### Bug or Regression
@@ -104,4 +116,4 @@ In addition, massive thanks to Venafi for contributing developer time and resour
 - Remove deprecated `pkg/util/pki/ParseSubjectStringToRawDERBytes` function. ([#6994](https://github.com/cert-manager/cert-manager/pull/6994), [@inteon](https://github.com/inteon))
 - Upgrade Kind to `v0.23.0` and update supported node image digests ([#7020](https://github.com/cert-manager/cert-manager/pull/7020), @github-actions[bot])
 - If the `--controllers` flag only specifies disabled controllers, the default controllers are now enabled implicitly. ([#7054](https://github.com/cert-manager/cert-manager/pull/7054), [@inteon](https://github.com/inteon))
-- Upgrade to Go 1.22.3, fixing `GO-2024-2824`. ([#6996](https://github.com/cert-manager/cert-manager/pull/6996), @github-actions[bot])
+- Upgrade to Go 1.22.3, fixing `GO-2024-2824`. ([#6996](https://github.com/cert-manager/cert-manager/pull/6996), @github-actions[bot])

content/docs/trust/trust-manager/installation.md

@@ -5,7 +5,7 @@ description: 'Installation guide for trust-manager'
 
 ## Installation Steps
 
-### 1. Install trust-manager
+### 1. Update Helm Repository
 
 Helm is the easiest way to install trust-manager and comes with a publicly trusted certificate bundle package
 (for the`useDefaultCAs` source) derived from Debian containers.
@@ -14,9 +14,14 @@ Helm is the easiest way to install trust-manager and comes with a publicly trust
 helm repo add jetstack https://charts.jetstack.io --force-update
 ```
 
-When installed via Helm, trust-manager has a dependency on cert-manager for provisioning an application certificate,
-and as such cert-manager must also be installed into the cert-manager namespace.
-If you have not already installed cert-manager, you can install it using the following command:
+### 2. Install cert-manager (optional)
+
+When installed via Helm, trust-manager has a dependency on cert-manager for provisioning an application certificate
+unless you explicitly opt to use a Helm-generated certificate instead.
+
+In production, we recommend installing cert-manager first and having trust-manager depend on it.
+
+If you haven't already installed cert-manager, you can install it using the following command:
 
 ```bash
 # Run this command only if you haven't installed cert-manager already
@@ -27,13 +32,24 @@ helm install cert-manager jetstack/cert-manager \
   --set crds.enabled=true
 ```
 
+If you're running cert-manager without the default approver, see [approver-policy Integration](#approver-policy-integration)
+for details on how to avoid a stuck installation.
+
+If you don't want to rely on cert-manager, you can install using a Helm-generated cert; see [Installing trust-manager without cert-manager](./installation.md#install-without-cert-manager).
+
+### 3. Install trust-manager
+
+trust-manager is simple to install and is contained in a single Helm chart:
+
 ```bash
 helm upgrade trust-manager jetstack/trust-manager \
   --install \
   --namespace cert-manager \
   --wait
 ```
 
+Various options are available, and some are documented below.
+
 ## Installation Options
 
 #### Enable Secret targets
@@ -47,6 +63,8 @@ for details and trade-offs.
 
 #### approver-policy Integration
 
+<a name="approver-policy-integration"></a>
+
 If you're running [approver-policy](../../policy/approval/approver-policy/README.md) then cert-manager's default approver will be disabled which will mean that
 trust-manager's webhook certificate will - by default - block when you install the Helm chart until it's manually approved.
 
@@ -79,6 +97,27 @@ namespace to whichever is most appropriate for your environment.
 An ideal deployment would be a fresh namespace dedicated entirely to trust-manager, to minimize the number of actors in your
 cluster that can modify your trust sources.
 
+#### Installing trust-manager without cert-manager
+
+<a name="install-without-cert-manager"></a>
+
+As an alternative to generating a webhook certificate using cert-manager, it's possible to opt to use Helm to generate the webhook certificate instead.
+
+This isn't recommended for production, since Helm-generated certificates might be complicated to monitor or to reason about. The certificate is also rotated
+every time trust-manager is upgraded, which necessitates pod restarts and may complicate the upgrade process.
+
+Installing without cert-manager can be great for smaller, more resource-constrained deployments such as experiments, demos or home labs.
+
+Using a Helm-generated cert requires a single flag:
+
+```bash
+helm upgrade trust-manager jetstack/trust-manager \
+  --install \
+  --namespace cert-manager \
+  --wait \
+  --set app.webhook.tls.helmCert.enabled=true
+```
+
 ## Uninstalling
 
 To uninstall trust-manager installed via Helm, run:

content/docs/usage/istio-csr/installation.md

@@ -9,6 +9,20 @@ This guide will run through installing and using istio-csr from scratch. We'll u
 
 Note that if you're following the Platform Setup guide for OpenShift, do not run the `istioctl install` command listed in that guide; we'll run our own command later.
 
+### 0. Background
+
+istio-csr uses cert-manager to issue Istio certificates, and needs to be able to reference an issuer resource to do this.
+
+You can choose to configure an issuer when installing with the Helm chart and / or to configure a ConfigMap to watch which can then be used to configure an issuer at runtime.
+
+Configuring a ConfigMap for the issuer details is called "runtime configuration", and it's required if no issuer is specified in the Helm chart.
+
+If you configure an issuer in the chart, you'll be able to start issuing as soon as the istio-csr pods come online but you'll need to have already installed cert-manager and created the issuer.
+
+If you don't set an issuer in the chart, istio-csr will not become ready until an issuer is specified via runtime configuration, but you'll be able to install cert-manager and istio-csr concurrently.
+
+Note that the chart contains a default issuer name and so using runtime configuration requires an explicit opt-in. The guide below assumes you'll install istio-csr after an issuer is configured without runtime configuration; there are notes for runtime configuration at the bottom.
+
 ### 1. Initial Setup
 
 You'll need the following tools installed on your machine:
@@ -278,6 +292,97 @@ Assuming your running inside kind, you can simply remove the cluster:
 kind delete cluster
 ```
 
+## Installation with Runtime Configuration
+
+There are two options for installing with runtime configuration:
+
+1. Install after cert-manager, still providing an explicit `issuerRef` in the Helm chart
+2. Blank out the `issuerRef` in the Helm chart and use pure runtime configuration
+
+Both options will require a ConfigMap to be created to point at an issuer. This ConfigMap can be created
+before or after installation, and must be created in the same namespace as the istio-csr pods.
+
+### Creating the ConfigMap
+
+Three keys are required, specifying the issuer name, kind and group. Any method of creating a ConfigMap will work. For example:
+
+```bash
+kubectl create configmap -n cert-manager istio-issuer \
+  --from-literal=issuer-name=my-issuer-name \
+  --from-literal=issuer-kind=ClusterIssuer \
+  --from-literal=issuer-group=cert-manager.io
+```
+
+### Option 1: Installation after cert-manager
+
+If cert-manager is already installed, you can use the same `helm upgrade` command as above but also specifying the name of the runtime configuration ConfigMap:
+
+```bash
+helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
+  --install \
+  --namespace cert-manager \
+  --wait \
+  ...
+  --set "app.runtimeIssuanceConfigMap=istio-issuer"
+```
+
+In this scenario, the issuer defined in `app.certmanager.issuer` will be used at startup and to create the `istiod` certificate.
+
+When istio-csr detects the runtime ConfigMap, it'll use the issuer configured there. If the ConfigMap is updated, istio-csr will respect the update dynamically.
+
+If the runtime ConfigMap is deleted, istio-csr will revert to using the value from `app.certmanager.issuer`.
+
+### Option 2: Pure Runtime Configuration
+
+Pure runtime configuration is only practical with istio-csr `v0.11.0` or newer.
+
+Pure runtime configuration requires more values to be set:
+
+1. The `app.certmanager.issuer` values must be blanked out (as they're set to a default value in the chart)
+2. The `istiod` certificate must not be provisioned alongside the istio-csr resources. By passing `app.tls.istiodCertificateEnable=dynamic`, the istiod will be dynamically generated when runtime configuration is available.
+4. `app.runtimeIssuanceConfigMap` must be set.
+
+An example `values.yaml` file for pure runtime configuration is as follows:
+
+```yaml
+app:
+  runtimeIssuanceConfigMap: istio-issuer
+  certmanager:
+    issuer:
+      name: ""  # explicitly blanked out
+      kind: ""  # explicitly blanked out
+      group: "" # explicitly blanked out
+  tls:
+    rootCAFile: "/var/run/secrets/istio-csr/ca.pem"
+    istiodCertificateEnable: dynamic
+volumeMounts:
+- name: root-ca
+  mountPath: /var/run/secrets/istio-csr
+volumes:
+- name: root-ca
+  secret:
+    secretName: istio-root-ca
+```
+
+This file could then be used with the following command:
+
+```bash
+helm upgrade cert-manager-istio-csr jetstack/cert-manager-istio-csr \
+  --install \
+  --namespace cert-manager \
+  --wait \
+  --values values.yaml
+```
+
+#### Completing a Pure Runtime Installation
+
+While pure runtime configuration allows istio-csr to be installed at the same time as cert-manager, it's important to note that
+istio-csr pods will not become ready until an issuer is available. This means that Helm installations may hang until an issuer is
+configured since the istio-csr Deployment will not be ready.
+
+To complete a Helm installation of istio-csr with pure runtime installation, you must create the issuer and ConfigMap pointing to that
+issuer. Once detected, istio-csr will complete setup and issue any outstanding certificates.
+
 ## Usage
 
 > 📖 Read the [istio-csr docs](./README.md).

content/docs/variables.json

@@ -1,3 +1,3 @@
 {
-    "cert_manager_latest_version": "v1.16.0-alpha.0"
+  "cert_manager_latest_version": "v1.16.0-alpha.0"
 }

public/_redirects

@@ -6,7 +6,7 @@ https://trust-manager.io/* https://cert-manager.io/:splat 301!
 https://trust-manager.dev/* https://cert-manager.io/:splat 301!
 
 # Redirect all next-docs on the main site to the release-next preview
-https://cert-manager.io/next-docs/* https://release-next--cert-manager-website.netlify.app/docs/:splat 301!
+https://cert-manager.io/next-docs/* https://release-next--cert-manager.netlify.app/docs/:splat 301!
 
 # Various older renamed pages
 /docs/configuration/externalloadbalancer/ /docs/configuration/acme/http01/externalloadbalancer/ 301!