mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
Merge pull request #105426 from openshift/revert-105419-cherry-pick-105110-to-enterprise-4.21
Revert "[enterprise-4.21] OSDOCS#17950: cert-manager 1.18.1 release notes"
This commit is contained in:
Shubha Narayanan
@@ -13,37 +13,6 @@ These release notes track the development of {cert-manager-operator}.
|
||||
|
||||
For more information, see xref:../../security/cert_manager_operator/index.adoc#cert-manager-operator-about[About the {cert-manager-operator}].
|
||||
|
||||
[id="cert-manager-operator-release-notes-1-18-1_{context}"]
|
||||
== {cert-manager-operator} 1.18.1
|
||||
|
||||
Issued: 2026-01-26
|
||||
|
||||
The following advisories are available for the {cert-manager-operator} 1.18.1:
|
||||
|
||||
* link:https://access.redhat.com/errata/RHSA-2026:1166[RHSA-2026:1166]
|
||||
* link:https://access.redhat.com/errata/RHSA-2026:1168[RHSA-2026:1168]
|
||||
* link:https://access.redhat.com/errata/RHSA-2026:1176[RHSA-2026:1176]
|
||||
* link:https://access.redhat.com/errata/RHBA-2026:1319[RHBA-2026:1319]
|
||||
|
||||
Version `1.18.1` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.18.4`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.18/#v1184[cert-manager project release notes for v1.18.4].
|
||||
|
||||
[id="cert-manager-operator-1-18-1-features-enhancements_{context}"]
|
||||
=== New features and enhancements
|
||||
|
||||
The final images use `ubi9-minimal` as base images::
|
||||
With this update, the {cert-manager-operator} images use ubi9-minimal as their base images providing improved security compliance. No manual action is required, as the Operator automatically uses the updated images upon installation or upgrade.
|
||||
|
||||
|
||||
[id="cert-manager-operator-1-18-1-cves_{context}"]
|
||||
=== CVEs
|
||||
|
||||
* link:https://access..redhat.com/security/cve/CVE-2025-66418[CVE-2025-66418]
|
||||
* link:https://access..redhat.com/security/cve/CVE-2025-66471[CVE-2025-66471]
|
||||
* link:https://access..redhat.com/security/cve/CVE-2025-61729[CVE-2025-61729]
|
||||
* link:https://access..redhat.com/security/cve/CVE-2026-21441[CVE-2025-21441]
|
||||
* link:https://access..redhat.com/security/cve/CVE-2025-61727[CVE-2025-61727]
|
||||
* link:https://access..redhat.com/security/cve/CVE-2025-61729[CVE-2025-61729]
|
||||
|
||||
[id="cert-manager-operator-release-notes-1-18-0_{context}"]
|
||||
== {cert-manager-operator} 1.18.0
|
||||
|
||||
@@ -59,26 +28,30 @@ The following advisories are available for the {cert-manager-operator} 1.18.0:
|
||||
Version `1.18.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.18.3`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.18#v1183[cert-manager project release notes for v1.18.3].
|
||||
|
||||
[id="cert-manager-operator-1-18-0-features-enhancements_{context}"]
|
||||
=== New features and enhancements
|
||||
== New features and enhancements
|
||||
|
||||
*Istio-CSR integration with {cert-manager-operator} (Generally Available)*
|
||||
|
||||
Istio-CSR integration with {cert-manager-operator} (Generally Available)::
|
||||
With this release, the integration of the {cert-manager-operator} with Istio-CSR, which was previously provided as a Technology Preview feature, is fully supported. This feature offers enhanced support for securing workloads and control plane components within {SMProductName} or Istio environments. By utilizing the {cert-manager-operator} managed Istio-CSR agent, Istio can obtain, sign, deliver, and renew certificates required for mutual TLS (mTLS).
|
||||
For more information, see xref:../../security/cert_manager_operator/cert-manager-operator-integrating-istio.adoc#cert-manager-operator-istio-csr-installing_cert-manager-operator-integrating-istio[Integrating the cert-manager Operator with Istio-CSR].
|
||||
|
||||
Replica count configuration for {cert-manager-operator} operands::
|
||||
*Replica count configuration for {cert-manager-operator} operands*
|
||||
|
||||
With this release, you can override the default replica counts for the {cert-manager-operator} `controller`, `webhook`, and `cainjector` operands. To configure these values, specify the new `overrideReplicas` fields in the `CertManager` custom resource. With this enhancement, you can configure high availability (HA) and scale operands based on your specific operational requirements. For more information, see xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-explanation-of-certmanager-cr-fields_cert-manager-customizing-api-fields[Common configurable fields in the CertManager CR for the cert-manager components].
|
||||
|
||||
Root filesystem is read-only for {cert-manager-operator} containers::
|
||||
*Root filesystem is read-only for {cert-manager-operator} containers*
|
||||
|
||||
With this release, to improve security, the {cert-manager-operator} and all its operands have the `readOnlyRootFilesystem` security context set to `true` by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container's root file system.
|
||||
|
||||
Network policy hardening is now available for {cert-manager-operator} components::
|
||||
*Network policy hardening is now available for {cert-manager-operator} components*
|
||||
|
||||
With this release, the {cert-manager-operator} includes predefined `NetworkPolicy` resources to enhance security by controlling ingress and egress traffic for its components. These policies cover internal traffic, such as ingress to metrics and webhook servers, and egress to the OpenShift API and DNS servers.
|
||||
|
||||
By default, this feature is disabled to prevent connectivity issues during upgrades. You must explicitly enable it in the `CertManager` custom resource. For more information, see xref:../../security/cert_manager_operator/cert-manager-nw-policy.adoc#cert-manager-nw-policy[Network policy configuration for {cert-manager-operator}].
|
||||
|
||||
|
||||
[id="cert-manager-operator-1-18-0-known-issues_{context}"]
|
||||
=== Known issues
|
||||
== Known issues
|
||||
|
||||
* The upstream cert-manager `v1.18` release updated the ACME HTTP-01 challenge ingress path type from `ImplementationSpecific` to `Exact`. The OpenShift Route API does not have an equivalent for the `Exact` path type, which prevents the ingress-to-route controller from supporting it. As a result, ingress resources created for HTTP-01 challenges cannot route traffic to the solver pod, causing the challenge to fail with a 503 error.
|
||||
To mitigate this issue, the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default in this release.
|
||||
|
||||
Reference in New Issue
Block a user