Merge remote-tracking branch 'origin/master' into release-next

Signed-off-by: Jake Sanders <i@am.so-aweso.me>

Author: jakexks

.spelling

@@ -14,6 +14,7 @@ APIServices
 AppRole
 AWS
 awspca
+aws-pca-issuer
 AzureDNS
 backend
 backends
@@ -60,11 +61,14 @@ enablement
 eTLD
 external-dns
 FastDNS
+FreeIPA
+freeipa-issuer
 GCE
 GCLB
 gcloud
 GCP
 GKE
+google-cas-issuer
 HashiCorp
 Helmfile
 hostname
@@ -96,6 +100,7 @@ Kubernetes
 labelled
 lifecycle
 loadbalancer
+LuCI
 MacOS
 metadata
 misconfiguration
@@ -116,6 +121,7 @@ OpenAPI
 OpenFaaS
 OpenShift
 OperatorHub
+OpenWRT
 PEM
 PKCS#12
 PKCS#8
@@ -188,3 +194,14 @@ HTTP-01
 loopback
 mechanism
 retryable
+vendoring
+subchart
+cainjector
+Velero
+istio-csr
+pre-released
+pre-release
+unredacted
+ArtifactHub
+CryptoKey
+Encrypter

OWNERS

@@ -3,3 +3,5 @@ approvers:
 - JoshVanL
 - meyskens
 - jakexks
+- irbekrm
+- maelvls

_redirects

@@ -5,3 +5,6 @@ https://netlify.cert-manager.io/* https://cert-manager.io/:splat 301!
 
 # Optional: Redirect default Netlify subdomain to primary domain
 https://cert-manager.netlify.com/* https://cert-manager.io/:splat 301!
+
+# We previously released the external loadbalencer page under /configuration, and is now moved to /configuration/acme/http01/
+https://cert-manager.io/docs/configuration/externalloadbalancer/ https://cert-manager.io/docs/configuration/acme/http01/externalloadbalancer/ 301!

config/_default/params.toml

@@ -22,7 +22,7 @@
 # Set to "docs" path
 
 [[versions]]
- version = "v1.0"
+ version = "v1.1"
  # 'master' is used to store the 'current' version documentation.
  # Once the 'next' release becomes 'current', we branch master to
  # release-X.Y and merge 'release-next' into 'master'.
@@ -33,7 +33,7 @@
 # 'Next' version
 ################
 [[versions]]
- version = "v1.1"
+ version = "v1.2"
  ghbranchname = "release-next"
  url = "/next-docs/"
  dirpath = "next-docs"
@@ -42,6 +42,13 @@
 ###################
 # Use format `v0.#-docs` for past version's dirpath
 
+
+[[versions]]
+ version = "v1.0"
+ ghbranchname = "release-1.0"
+ url = "/v1.0-docs/"
+ dirpath = "v1.0-docs"
+
 [[versions]]
  version = "v0.16"
  ghbranchname = "release-0.16"

content/en/docs/concepts/project-maturity.md

@@ -18,7 +18,7 @@ cert-manager has a hard guarantee of compatibly with the current stable upstream
 Kubernetes version. Beyond this, cert-manager also aims to be compatible with
 versions down to `N-4`, where `N` is the current upstream version release. This
 means that if the current version is `v1.19`, cert-manager aims to be compatible
-with versions down to `v0.15`. This is done by running periodic end-to-end test
+with versions down to `v1.15`. This is done by running periodic end-to-end test
 jobs against each version of Kubernetes.
 
 Versions lower than the current Kubernetes version down to `N-4` is *not

content/en/docs/concepts/webhook.md

@@ -22,7 +22,7 @@ main functions:
 - [`MutatingAdmissionWebhook`](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook):
  Changes the contents of resources during create and update operations, for
  example to set default values.
-- [`CustomResourceConversionWebhook`](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definition-versioning/#webhook-conversion):
+- [`CustomResourceConversionWebhook`](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#webhook-conversion):
  The webhook is also responsible for implementing a conversion over versions
  in the cert-manager `CustomResources` (`cert-manager.io`). This means that
  multiple API versions can be supported simultaneously; from `v1alpha2` through to `v1`.

content/en/docs/configuration/acme/_index.md

@@ -125,7 +125,7 @@ most cert-manager users unless you know it is explicitly needed.
 External Account Bindings require three fields on an ACME `Issuer` which
 represents your ACME account. These fields are:
 
-- `keyID` - the key ID of which your external account binding is indexed by the
+- `keyID` - the key ID or account ID of which your external account binding is indexed by the
 external account manager
 - `keySecretRef` - the name and key of a secret containing a base 64 encoded 
 URL string of your external account symmetric MAC key
@@ -136,7 +136,7 @@ ACME server
 > Note: In _most_ cases, the MAC key must be encoded in `base64URL`. The 
 > following command will base64-encode a key and convert it to `base64URL`:
 > 
-> $ echo 'my-secret-key' | base64 | sed -e 's/+/-/g' -e 's///_/g' -e 's/=//g'
+> $ echo 'my-secret-key' | base64 -w0 | sed -e 's/+/-/g' -e 's/\//_/g' -e 's/=//g'
 > 
 > You can then create the Secret resource with: 
 > 
@@ -155,7 +155,7 @@ spec:
  email: user@example.com
  server: https://my-acme-server-with-eab.com/directory
  externalAccountBinding:
- keyID: my-kid-1
+ keyID: my-keyID-1
  keySecretRef:
  name: eab-secret
  key: secret
@@ -210,10 +210,10 @@ single solver.
 
 #### Match Labels
 
-The `matchLabel` selector requires that all `Certificates` match at least one of
+The `matchLabel` selector requires that all `Certificates` match all of
 the labels that are defined in the string map list of that stanza. For example,
 the following `Issuer` will only match on `Certificates` that have the labels
-`"user-cloudflare-solver": "true"`, or `"email": "user@example.com"`, or both.
+`"user-cloudflare-solver": "true"` and `"email": "user@example.com"`.
 
 ```yaml
 apiVersion: cert-manager.io/v1

content/en/docs/configuration/acme/dns01/_index.md

@@ -172,6 +172,7 @@ Links to these supported providers along with their documentation are below:
 - [`cert-manager-webhook-scaleway`](https://github.com/scaleway/cert-manager-webhook-scaleway)
 - [`cert-manager-webhook-selectel`](https://github.com/selectel/cert-manager-webhook-selectel)
 - [`cert-manager-webhook-softlayer`](https://github.com/cgroschupp/cert-manager-webhook-softlayer)
+- [`cert-manager-webhook-ibmcis`](https://github.com/jb-dk/cert-manager-webhook-ibmcis)
 
 You can find more information on how to configure webhook providers
 [here](./webhook/).

content/en/docs/configuration/acme/dns01/azuredns.md

@@ -5,6 +5,202 @@ weight: 30
 type: "docs"
 ---
 
+To configure the AzureDNS DNS01 Challenge in a Kubernetes cluster there are 3 ways available:
+
+- [Managed Identity Using AAD Pod Identities](#managed-identity-using-aad-pod-identities)
+- [Managed Identity Using AKS Kubelet Identity](#managed-identity-using-aks-kubelet-identity)
+- [Service Principal](#service-principal)
+
+## Managed Identity Using AAD Pod Identities
+
+[AAD Pod Identities](https://azure.github.io/aad-pod-identity) allows assigning a [Managed Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) to a pod. This removes the need for adding explicit credentials into the cluster to create the required DNS records.
+
+> Note: When using Pod identity, even though assigning multiple identities to a single pod is allowed, currently cert-manager does not support this as it is not able to identify which identity to use.
+
+Firstly an identity should be created that has access to contribute to the DNS Zone.
+
+- Example creation using `azure-cli` and `jq`:
+```bash
+# Choose a unique Identity name and existing resource group to create identity in.
+IDENTITY=$(az identity create --name $IDENTITY_NAME --resource-group $IDENTITY_GROUP )
+
+# Gets principalId to use for role assignment
+PRINCIPAL_ID=$(echo $IDENTITY | jq -r '.principalId')
+
+# Used for identity binding
+CLIENT_ID=$(echo $IDENTITY | jq -r '.clientId')
+RESOURCE_ID=$(echo $IDENTITY | jq -r '.id')
+
+# Get existing DNS Zone Id
+ZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROUP --query "id" -o tsv)
+
+# Create role assignment
+az role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
+```
+
+- Example creation using Terraform
+```terraform
+variable resource_group_name {}
+variable location {}
+variable dns_zone_id {}
+
+# Creates Identity
+resource "azurerm_user_assigned_identity" "dns_identity" {
+ name = "cert-manager-dns01"
+ resource_group_name = var.resource_group_name
+ location = var.location
+}
+
+# Creates Role Assignment
+resource "azurerm_role_assignment" "dns_contributor" {
+ scope = var.dns_zone_id
+ role_definition_name = "DNS Zone Contributor"
+ principal_id = azurerm_user_assigned_identity.dns_identity.principal_id
+}
+
+# Client Id Used for identity binding
+output "identity_client_id" {
+ value = azurerm_user_assigned_identity.dns_identity.client_id
+}
+
+# Resource Id Used for identity binding
+output "identity_resource_id" {
+ value = azurerm_user_assigned_identity.dns_identity.id
+}
+```
+
+Next we need to ensure we have installed [AAD Pod Identity](https://azure.github.io/aad-pod-identity) using their walk-through. This will install the CRDs and deployment required to assign the identity.
+
+Now we can create the identity resource and binding using the below manifest as an example:
+
+```yaml
+apiVersion: "aadpodidentity.k8s.io/v1"
+kind: AzureIdentity
+metadata:
+ annotations:
+ # recommended to use namespaced identites https://azure.github.io/aad-pod-identity/docs/configure/match_pods_in_namespace/
+ aadpodidentity.k8s.io/Behavior: namespaced 
+ name: certman-identity
+ namespace: cert-manager # change to your preferred namespace
+spec:
+ type: 0 # MSI
+ resourceID: <Identity_Id> # Resource Id From Previous step
+ clientID: <Client_Id> # Client Id from previous step
+---
+apiVersion: "aadpodidentity.k8s.io/v1"
+kind: AzureIdentityBinding
+metadata:
+ name: certman-id-binding
+ namespace: cert-manager # change to your preferred namespace
+spec:
+ azureIdentity: certman-identity
+ selector: certman-label # This is the label that needs to be set on cert-manager pods
+```
+
+Next we need to ensure the cert-manager pod has a relevant label to use the pod identity binding. This can be done by editing the deployment and adding the below into the `.spec.template.metadata.labels` field
+
+```yaml
+spec:
+ template:
+ metadata:
+ labels:
+ aadpodidbinding: certman-label # must match selector in AzureIdentityBinding
+```
+
+Or by using the helm values `podLabels`
+
+```yaml
+podLabels:
+ aadpodidbinding: certman-label
+```
+
+Lastly when we create the certificate issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS zone. Example below:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: example-issuer
+spec:
+ acme:
+ ...
+ solvers:
+ - dns01:
+ azureDNS:
+ subscriptionID: AZURE_SUBSCRIPTION_ID
+ resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
+ hostedZoneName: AZURE_DNS_ZONE
+ # Azure Cloud Environment, default to AzurePublicCloud
+ environment: AzurePublicCloud
+```
+
+## Managed Identity Using AKS Kubelet Identity
+
+When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory. 
+
+There are some caveats with this approach, these mainly being:
+
+- You will need to ensure only 1 managed identity is assigned to the node pool. This is due to cert-manager not currently being able to select the identity to use
+- Any permissions granted to this identity will also be accessible to all containers running inside the Kubernetes cluster.
+- Using AKS extensions like `Kube Dashboard` will not work with this method as this creates an additional identity that is assigned to the node pools.
+
+To set this up, firstly you will need to retrieve the identity that the kubelet is using by querying the AKS cluster. This can then be used to create the appropriate permissions in the DNS zone.
+
+- Example commands using `azure-cli`:
+```bash
+# Get AKS Kubelet Identity
+PRINCIPAL_ID=$(az aks show -n $CLUSTERNAME -g $CLUSTER_GROUP --query "identityProfile.kubeletidentity.objectId" -o tsv)
+
+# Get existing DNS Zone Id
+ZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROUP --query "id" -o tsv)
+
+# Create role assignment
+az role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
+``` 
+
+- Example terraform:
+```terraform
+variable dns_zone_id {}
+
+# Creating the AKS cluster, abbreviated.
+resource "azurerm_kubernetes_cluster" "cluster" {
+ ...
+ # Creates Identity associated to kubelet
+ identity {
+ type = "SystemAssigned"
+ }
+ ...
+}
+
+resource "azurerm_role_assignment" "dns_contributor" {
+ scope = var.dns_zone_id
+ role_definition_name = "DNS Zone Contributor" 
+ principal_id = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id 
+ skip_service_principal_aad_check = true # Allows skipping propagation of identity to ensure assignment succeeds.
+}
+```
+
+Then when creating the cert-manager issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone. Example below:
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: example-issuer
+spec:
+ acme:
+ ...
+ solvers:
+ - dns01:
+ azureDNS:
+ subscriptionID: AZURE_SUBSCRIPTION_ID
+ resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
+ hostedZoneName: AZURE_DNS_ZONE
+ # Azure Cloud Environment, default to AzurePublicCloud
+ environment: AzurePublicCloud
+```
+
+## Service Principal
+
 Configuring the AzureDNS DNS01 Challenge for a Kubernetes cluster requires
 creating a service principal in Azure.