Releases: cloudflare/origin-ca-issuer
v0.13.0
What's Changed
🆕 issuer-lib
The project is now based on cert-manager's issuer-lib, a project to standardize the behavior of external issuers. The retry and backoff behavior should now more closely match that of cert-manager's in-tree issuers. Fixes #161.
🆕 Leader Election
The controller now implements leader election, using Kubernetes lease objects. This allows multiple replicas to run without duplicate Origin CA certificates being created. Fixes #181.
🆕 Validate Origin Issuer Authentication
The .spec.auth of OriginIssuers and ClusterOriginIssuers now requires that only one of serviceKeyRef or tokenRef is set; this is enforced by the API server with CEL validation.
We continue to recommend the use of scoped API tokens over that of API service keys.
⚠️ Certificate Default Durations
The default duration of certificates, if not specified on the Certificate resources, is now 90 days, up from 7. This matches the default validity of in-tree issuers, and the cert-manager FAQ.
Durations are still rounded to the nearest values accepted by the Cloudflare API.
Full Changelog: v0.12.1...v0.13.0
v0.12.1
- Rebuild with Go 1.24.1 and cert-manager v1.17.1.
v0.12.0
What's Changed
🆕 Controller Versioning
The version of origin-ca-issuer is now embedded by Go 1.24's go build. This version is included as part of the User-Agent sent to the Cloudflare API when creating or renewing an Origin CA certificate.
🆕 CA Certificate
The CA Certificate is now included on secrets for new or renewed certificates, for compatibility with applications that require a chain instead of just a leaf certificate. Fixes #70.
🥇 Image Signatures
The OCI artifacts for this release have been signed using cosign with the GitHub Actions OIDC Token identity, and published to the public Rekor instance. The signing of Helm artifacts is planned.
cosign verify docker.io/cloudflare/origin-ca-issuer:v0.12.0 \
--certificate-identity https://github.com/cloudflare/origin-ca-issuer/.github/workflows/docker.yaml@refs/tags/v0.12.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
As this is the first release with signatures, they are experimental. Please report any issues you have.
Full Changelog: v0.11.0...v0.12.0
v0.11.0
Breaking Changes
Certificate Issuer References Group Now Required
The Origin CA Issuer now requires the spec.issuerRef.group field to be set to "cert-manager.k8s.cloudflare.com" on Certificate resources (and equivalent annotations, such as cert-manager.io/issuer-group on Ingresses). The documentation has always included this group in examples, but an empty group was previously accepted. Certificates without this group set will now be ignored by the Origin CA Issuer.
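A pre-apply lint that checks both the mutually exclusive .spec.auth rule from v0.13.0 and the issuerRef.group requirement described above, as an added example written for this page rather than code from the project; the apiVersion suffix and the Secret key names in the sample objects are assumptions.

```python
"""Pre-apply lint for Origin CA Issuer manifests (added example, not project code).

Rules taken from the release notes: OriginIssuer/ClusterOriginIssuer .spec.auth must
set exactly one of serviceKeyRef or tokenRef (enforced with CEL since v0.13.0), and a
Certificate's .spec.issuerRef.group must be cert-manager.k8s.cloudflare.com, otherwise
the issuer silently ignores it (since v0.11.0). Objects are dicts (parsed YAML).
"""

ORIGIN_CA_GROUP = "cert-manager.k8s.cloudflare.com"
ISSUER_KINDS = {"OriginIssuer", "ClusterOriginIssuer"}

def lint_object(obj: dict) -> list[str]:
    """Return problems for one object; an empty list means it passes."""
    kind = obj.get("kind")
    meta = obj.get("metadata") or {}
    name = f"{kind}/{meta.get('name', '<unnamed>')}"
    spec = obj.get("spec") or {}
    problems = []
    if kind in ISSUER_KINDS:
        auth = spec.get("auth") or {}
        refs = [k for k in ("serviceKeyRef", "tokenRef") if k in auth]
        if len(refs) != 1:
            problems.append(f"{name}: .spec.auth needs exactly one of "
                            f"serviceKeyRef/tokenRef, found {refs}")
        elif refs == ["serviceKeyRef"]:
            problems.append(f"{name}: warning: service key in use; "
                            "scoped API tokens are recommended")
    elif kind == "Certificate":
        ref = spec.get("issuerRef") or {}
        if ref.get("kind") in ISSUER_KINDS and ref.get("group") != ORIGIN_CA_GROUP:
            problems.append(f"{name}: issuerRef.group must be {ORIGIN_CA_GROUP!r}, "
                            f"got {ref.get('group')!r}; would be ignored")
    return problems

def lint_all(objects: list[dict]) -> list[str]:
    """Lint a whole manifest (one dict per YAML document)."""
    return [p for obj in objects for p in lint_object(obj)]

# Constructed sample objects; apiVersion suffix and Secret key names are assumed.
SAMPLES = [
    {"apiVersion": "cert-manager.k8s.cloudflare.com/v1", "kind": "OriginIssuer",
     "metadata": {"name": "prod", "namespace": "default"},
     "spec": {"auth": {"tokenRef": {"name": "cf-token", "key": "token"}}}},
    {"apiVersion": "cert-manager.k8s.cloudflare.com/v1", "kind": "ClusterOriginIssuer",
     "metadata": {"name": "both-set"},
     "spec": {"auth": {"serviceKeyRef": {"name": "cf-key", "key": "key"},
                       "tokenRef": {"name": "cf-token", "key": "token"}}}},
    {"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
     "metadata": {"name": "example-com", "namespace": "default"},
     "spec": {"dnsNames": ["example.com"],
              "issuerRef": {"name": "prod", "kind": "OriginIssuer"}}},  # group missing
]
```

Running `lint_all(SAMPLES)` reports the issuer with both refs set and the Certificate with no group, and passes the token-only issuer.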
What's Changed
- fix(certificaterequest): ignore empty issuer group by @terinjokes in #150
Full Changelog: v0.10.0...v0.11.0
v0.10.0
What's Changed
- feat(cfapi): replace Factory with Builder by @terinjokes in #141
- docs: support for api tokens by @terinjokes in #144
- chore(renovate): 🤖 beep-boop by @terinjokes in #145
Full Changelog: v0.9.0...v0.10.0
v0.9.0
What's Changed
- feat: remove provisioners.Collection by @terinjokes in #124
- feat: add ClusterOriginIssuer by @terinjokes in #125
Full Changelog: v0.8.0...v0.9.0
v0.8.0
What's Changed
- feat(cfapi): include Ray ID in signing errors by @terinjokes in #111
- feat(controllers): implement ObjectReconciler by @terinjokes in #113
- chore(deploy): increase cpu and memory by @terinjokes in #120
- fix(cfapi): requeue after DB error by @terinjokes in #121
- chore(docker): enable sbom and cache by @terinjokes in #122
Full Changelog: v0.7.0...v0.8.0
v0.7.0
Breaking Change
- The certificate request type in the OriginIssuer now selects the correct Origin CA. The signature algorithm used will be corrected on the next renewal. Fixes #72
New Features
- A Helm chart compatible with Helm 3.8+ is now being released to GitHub Container Registry at oci://ghcr.io/cloudflare/origin-ca-issuer-charts/origin-ca-issuer. Fixes #97