v1.58.0

[github.com/gardener/cert-management:v0.21.0]

🐛 Bug Fixes

• [USER] Allow to specify the same domain name in .spec.CommonName and .spec.DNSNames by @MartinWeindel [#682]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.58.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.58.0

v1.57.0

[github.com/gardener/gardener-extension-shoot-cert-service:v1.57.0]

🏃 Others

• [OPERATOR] Update certificate CRD with additional field .spec.privateKey.encoding as introduced with cert-management v0.20.0. by @MartinWeindel [#514]
• [OPERATOR] Adjust controlplane-cert-service extension when seed uses a DNS provider with WorkloadIdentity credentials. by @MartinWeindel [#511]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.57.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.57.0

v1.56.0

[github.com/gardener/gardener-extension-shoot-cert-service:v1.56.0]

🏃 Others

• [OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#497]
• [OPERATOR] Adjust DNS class if next generation dns-shoot-service settings detected. by @MartinWeindel [#505]

[github.com/gardener/cert-management:v0.20.0]

✨ New Features

• [USER] Support PKCS#8 encoding of certificate private key. For Certificate objects, set .spec.privateKey.encoding to PKCS8. For source objects like Ingress and Service, set the annotation cert.gardener.cloud/private-key-encoding=PKCS8. by @MartinWeindel [#638]

🏃 Others

• [OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#633]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.56.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.56.0

v1.55.0

[github.com/gardener/cert-management:v0.19.0]

🏃 Others

• [USER] Allow to request intermediate CA certificates for CA issuers by @MartinWeindel [#601]
• [USER] Support annotation gardener.cloud/operation=reconcile for Certificate and Issuer resources.
  If it is set for a Certificate with back-off status, it is cleared to enable immediate reconciliation. by @MartinWeindel [#600]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.55.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.55.0

v1.54.0

[github.com/gardener/gardener-extension-shoot-cert-service:v1.54.0]

✨ New Features

• [USER] Validation for secrets of ACME issuers specified in shoot manifest is performed on reconciling the extension.
  Both the privateKey secret of the ACME issuer and the optional external account binding secret are validated for the allowed data keys and values. by @MartinWeindel [#458]

🐛 Bug Fixes

• [OPERATOR] Add networking policy label to allow access to virtual garden if the controlplane-cert-service extension is enabled and Garden runtime cluster and soil are the same. by @MartinWeindel [#469]

🏃 Others

• [OPERATOR] Migrate the extension VPAs from the deprecated update mode Auto to its only fallback strategy - update mode Recreate. by @vitanovs [#470]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.54.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.54.0

v1.53.0

[github.com/gardener/gardener-extension-shoot-cert-service:v1.53.0]

🐛 Bug Fixes

• [OPERATOR] Deployment on runtime cluster: cert-class needs also to be set for source controllers. by @MartinWeindel [#461]
• [USER] Control-plane certificate: Use dnsNames field instead of commonName for long domain names > 64 characters. by @MartinWeindel [#445]

🏃 Others

• [OPERATOR] shoot-cert-service no longer supports Shoots with Кubernetes version <= 1.28. by @MartinWeindel [#437]
• [OPERATOR] export testresults as inlined ocm-resource by @heldkat [#438]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.53.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.53.0

v1.52.0

[gardener/gardener-extension-shoot-cert-service]

🏃 Others

• [DEVELOPER] migrate CICD-Pipelines to GitHub-Actions by @ccwienk [#427]
• [OPERATOR] Add annotation cert.gardener.cloud/class for control plane issuers by @MartinWeindel [#422]
• [DEPENDENCY] Updated cert-management to v0.17.8. by @marc1404 [#435]

[gardener/cert-management]

✨ New Features

• [USER] Added cert.gardener.cloud/not-before annotation and IssuanceDate field to Certificate. by @marc1404 [gardener/cert-management#489]

🏃 Others

• [OPERATOR] Support cert.gardener.cloud/class annotation for issuers by @MartinWeindel [gardener/cert-management#512]

📖 Documentation

• [USER] Documented the correct minimum duration of Certificates assuming the default renewal window of 30 days. by @marc1404 [gardener/cert-management#495]

v1.51.0

[gardener/gardener-extension-shoot-cert-service]

✨ New Features

• [OPERATOR] Manage garden-cert and controlplane-cert for runtime cluster and seeds by @MartinWeindel [#369]

🏃 Others

• [OPERATOR] Introduce second extension type controlplane-cert-service with lifecycle reconcile: BeforeKubeAPIServer. by @MartinWeindel [#407]
• [OPERATOR] Drop sni-config webhook by @MartinWeindel [#405]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.51.0

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.51.0

v1.50.1

[gardener/gardener-extension-shoot-cert-service]

🐛 Bug Fixes

• [USER] Fix lookup of referenced secret for custom issuer in shoot manifest with privateKeySecretName specified. by Martin Weindel <martin.weindel@sap.com> [$282b42a2fc03b79fa1161fd3ff5a31894f72a801]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.50.1

Container (OCI) Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.50.1

v1.50.0

[gardener/cert-management]

🐛 Bug Fixes

• [USER] Fixed key algorithm and bit size in self-signed certificates from a CA issuer. by @marc1404 [gardener/cert-management#451]
• [OPERATOR] fix: ClusterRole needs dnsrecord permissions when issuerUseDnsrecords is true by @matthias-horne [gardener/cert-management#460]

🏃 Others

• [OPERATOR] Containers, which do not require privilege escalations, now forbid privilege escalations explicitly. by @georgibaltiev [gardener/cert-management#468]
• [OPERATOR] Update base image from debian11 to debian12. by @MartinWeindel [gardener/cert-management#456]
• [OPERATOR] Add condition for deployment of CRDs in Helm charts by @MartinWeindel [gardener/cert-management#447]

📖 Documentation

• [USER] Added documentation for triggering a manual Certificate renewal. by @marc1404 [gardener/cert-management#443]
• [USER] Replaced usages of secretName in the Certificate spec with secretRef. by @marc1404 [gardener/cert-management#438]

[gardener/gardener-extension-shoot-cert-service]

📰 Noteworthy

• [OPERATOR] Support for deploying the shoot-cert-service extension on the Garden runtime cluster. For runtime and seed clusters separate cert-controller-manager deployments can be triggered by extensions.extensions.gardener.cloud resources. by @MartinWeindel [#357]

🏃 Others

• [OPERATOR] Add patch verb for the gardener-extension-heartbeat resource in the RBAC rules by @MartinWeindel [#394]
• [OPERATOR] RBAC resources now explicitly state resources and verbs, replaced use of wildcards *. by @georgibaltiev [#362]

Helm Charts

• shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.50.0

Docker Images

• gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.50.0