Releases: cert-manager/istio-csr

v0.6.0-alpha.0

17 Mar 10:53
31da3cb

Pre-release

Full Changelog: v0.5.0...v0.6.0-alpha.0

v0.5.0

10 Aug 20:23
e995c35

What's Changed

  • Adds warning message for preserveCertificateRequests and resource consumption by @JoshVanL in #142
  • Adds log warning output when preserve certificate request is enabled by @JoshVanL in #143
  • update logo link + dimensions by @SgtCoDFish in #147
  • Add an ability to select nodes for istio-csr by @grem11n in #148
  • Update to smaller logo by @SgtCoDFish in #159
  • Make cert install controllable in helm by @marcingy in #154
  • upgrade istio, cert-manager, helm by @jahrlin in #158
  • Removes docs from repo in favour of using cert-manager.io by @JoshVanL in #160
  • Adds hack config for istio v1.14.1 and changes default istio test version to v1.14.1 by @JoshVanL in #162
  • Adds verify-helm-docs.sh and update-helm-docs.sh scripts. Verify helm-docs during lint by @JoshVanL in #150
  • Use a TokenRequest in token authentication tests by @JoshVanL in #165
  • Create go.mod in hack/tools by @JoshVanL in #163
  • Use updated helm chart apiVersion for helm v3 support by @nitishkrishna in #170
  • Increase bits to 4096 for more security by @nitishkrishna in #167
  • Increase the kubectl wait timeout for the e2e test carotation setup scripts by @JoshVanL in #171
  • Updates go modules versions by @JoshVanL in #164
  • Remove istio config manifests in /hack for istio versions v1.7 to v1.9 by @JoshVanL in #169
  • Allows image pull secret parameter setting in helm chart by @SpectralHiss in #157
  • Updates version to v0.5.0 by @JoshVanL in #173
  • Update README.md to state that istio-csr only now supports istio v1.10+ by @JoshVanL in #174

Full Changelog: v0.4.0...v0.5.0

v0.4.0

22 Mar 16:47
94eef9e

Changes

  • Fixed lack of check that channel has closed for CertificateRequest watcher #109
  • Make istiod's Certificate renewBefore field configurable in the Helm chart #109
  • Add getting started guide #116 #124
  • Fixed hard-coded namespace on eventsBroadcaster #127
  • Allow filtering namespaces to create the ConfigMap istio-ca-root-cert #126
  • Test with cert-manager 1.7 #128
  • Updates istio to v1.13. Kube to v1.23. cert-manager to v1.7 #134

v0.3.0

21 Sep 09:49
ff21cae

This release mostly brings improvements to existing behaviours and the controller.

Changes

  • Ensure that the cert-manager CertificateRequest watcher checks the object is not nil #95
  • Write the full root CAs bundle to CSR clients #96
  • Adds tests to ensure CA rotation in istio works #99
  • Add a file watcher for automatically updating the root CAs trust store without restart #100
  • Update the README.md with more documentation #101
  • Only cache ConfigMap metadata to reduce memory usage, reconcile ConfigMaps on root CA changes #97

v0.2.1

06 Sep 17:12
b5e0fb7

This release adds a small number of features to the Helm chart and support for more image platforms.

Changes

  • Adds .app.tls.certificateDuration to allow setting istiod's Certificate duration. #82
  • Adds .app.istio.revisions for setting the istio revisions installed, which affects the DNS requested for istiod. #88
  • Adds istiod.istio-system.svc as the common name to istiod's Certificate. #91
  • Adds image platform support for linux/amd64, linux/arm64, linux/arm/v7, linux/ppc64le. #93

v0.2.0

02 Jul 09:45
ee7939d

This release comes with a number of changes and bug fixes. Please read the notes before upgrading, as upgrading will involve changes to your deployment manifests.

Breaking Changes

The Helm values variable structure has been changed to be in a more logical format. Please review the Chart README and change your values file accordingly.

The Chart no longer accepts a rootCA byte slice of an actual CA PEM bundle to be propagated. Instead, a user should now create a volume (ConfigMap or Secret) which is mounted to the istio-csr container. Users should make use of the volumes, volumeMounts and app.tls.rootCAFile variables.

To make use of revisionHistoryLimit on the istiod Certificate resource, the minimum required cert-manager version is v1.3.

Changes

  • Refactor Helm Chart variable structure #71
  • Change default values #63
  • Expose metrics for gRPC service, controller, and Kubernetes client #72
  • Fix istio-csr becoming unready but not exiting the program #62
  • Fix istio-csr not cleaning up failed serving cert-manager CertificateRequests #74
  • Use an "append last" strategy in istio operator configuration #70
  • Test against istio v1.10

v0.1.3

28 May 15:39
6540736

This release:

  • Adds support for setting a custom trust domain via the flag --trust-domain
  • Makes the image run as non-root by default

v0.1.2

17 Mar 17:16
495b016

This release strengthens the validation performed on incoming CSR requests. Requests may now only submit CSRs that contain:

  • Only URI SANs that match the identity of the requester
  • Digital Signature and Key Encipherment key usage extension
  • Server Auth and Client Auth extended key usage

v0.1.1

03 Mar 18:24
d6bed1d

This release is primarily to expose a "clusterID" option to enable using custom mesh IDs.

This release also updates the latest supported istio version to v1.9.

v0.1.0

29 Jan 17:53
08a80d9

Initial Release

cert-manager-istio-csr is an agent which allows istio workload and control plane components to be secured using cert-manager. Certificates facilitating mTLS, both inter- and intra-cluster, will be signed, delivered and renewed using cert-manager issuers.

Currently supports istio versions v1.7 and v1.8