RHEA-2024:0260 - Product Enhancement Advisory

Topic

[OpenShift v4.13-v4.14] cert-manager Operator for Red Hat OpenShift 1.13.0

Description

The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities
and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide
certificates-as-a-service to developers working within your Kubernetes cluster.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Cert Manager support for Red Hat OpenShift release 1.13 x86_64
• Cert Manager support for Red Hat OpenShift release for Power 1.13 ppc64le
• Cert Manager support for Red Hat OpenShift release for IBM Z 1.13 s390x
• Cert Manager support for Red Hat OpenShift release ARM 64 1.13 aarch64

Fixes

• CM-189 - Bump cert-manager to v1.13
• CM-194 - Create branch on midstream (gitlab/cpaas-midstream-cfe/openshift-cert-manager)
• CM-190 - Rebase operator to v1.13.x version (github/openshift/cert-manager-operator)
• CM-201 - Add power/z architectures as labels in the CSV
• CM-208 - Add arm64 architecture as supported label in the CSV
• CM-215 - [cert-manager-1.13] Cert-manager-operator pod has incorrect nodeaffinitiy config
• CM-236 - Bump operator to use upstream cert-manager 1.13.2
• CM-183 - As a developer, I would require feature annotations in bundle for CVP tests to pass
• OCPBUGS-8665 - cert-manager does not work with "Managed Identity Using AAD Pod Identities"
• CM-144 - As a developer, I would like to test the workflow of changing default ingress in AWS, GCP, Azure with cert-manager certificates
• CM-145 - As a tester, I would like to test the workflow of changing default ingress in bare-metal, vSphere with cert-manager certificates
• CM-146 - As a tester, I would like to test renewal of certificates when cert-manager issued certificate is used with default ingresscontroller
• CM-148 - As a developer, I would like to test the workflow of adding a new cert-manager certificate with API server for day-2, in case of AWS, GCP, Azure
• CM-149 - As a tester, I would like to test the workflow of adding a new cert-manager certificate with API server for day-2, in case of bare-metal, vSphere
• CM-150 - As a tester, I would like to test upgrades from OCP vN-1 -> vN for a cluster which has both Ingress, API server configured with cert-manager certificates
• CM-151 - As a tester, verify if http01 solver is affected when changing the default ingresscontroller certificate
• CM-152 - As a developer, I would like to verify if default IngressController can be used with self-signed, CA-issued certificates and document it?s pitfalls if any
• CM-153 - As a developer, I would like to verify if adding serving cert for self-signed, CA-issued certificates can be used and document pitfalls if any
• CM-154 - As a developer, I would like to list steps and verify the behaviour of using the new API server endpoint from a non-default ingresscontroller and customize the domain/host
• CM-228 - As a tester, first get familiar with and practice OCP feature managing API Server certificate before involving cert-manager
• CM-229 - As a tester, first get familiar with and practice the OCP feature managing Ingress default certificate before involving cert-manager
• CM-252 - Bump operator to use upstream cert-manager 1.13.3
• CM-139 - Managing certs on day-2 for API Server and Ingress with cert-manager Operator for RedHat OpenShift
• CM-140 - Cert-manager builds for Non-x86 systems

CVEs

• CVE-2023-39615

References

(none)