1.1.1

What's changed

ncm-issuer 1.1.1 introduces support for newer releases of Kubernetes.

Features

• Add support for Kubernetes versions v1.28 and v1.29

Other

• Versions of Kubernetes less than v1.24 have been considered not recommended for use with ncm-issuer
• Add note to required fields in CRDs

1.1.0

What's changed

ncm-issuer 1.1.0 introduces a number of improvements mainly related to the logic of handling and sending requests to NCM API, but also significant enhancement to Helm chart. Besides the improvements, there are also a few features, including sidecar, selection of the logging verbosity level and Prometheus metrics.

⚠️ Warning: Read this before upgrading from version <1.1.0!

New, more user-friendly fields names are used to simplify the definition of Issuer and ClusterIssuer. This means that the old names are not suggested way of declaring them, but they will remain supported for a few more releases.

New suggested way of defining Issuer or ClusterIssuer and their fields description: CRDs

Improvements

• The Issuer and ClusterIssuer definitions are improved to use more user-friendly names and grouped into appropriate sections (see mentioned warning)
• NCM API errors (indicating that API is not available) or statuses indicating that certificate has not yet been issued now results in CSRs being queued and processed after some time instead of being immediately re-processed and making unnecessary requests to NCM API
• Improve the mechanism responsible for the selection of NCM API - it's now based on the first-alive algorithm
• Helm chart is rewritten according to the rules given in the Helm documentation

Features

• Add option to set HTTP client timeout
• Add option to set a time indicating how often NCM API(s) availability should be checked (related to new NCM API selection mechanism)
• Add Prometheus support to allow monitoring of the total number of enrollment or renewal operations. Each of these operations also has metrics responsible for determining how many of them were successful or failed. The metrics attempt to reflect the number of CSRs or renewals sent to the NCM, if request is rejected or postponed by NCM, this state will be reflected as failure of the enrollment operation, while accepting and returning appropriate resource will result in successful enrollment or renewal operation (use the prefix ncm_issuer in Prometheus query to see all possible metrics)
• More efficient debugging of ncm-issuer is added with the option of using sidecar or defining logging level verbosity (for more information, see: Troubleshooting)

Fixes

• Fix occasionally encountered data-races when accessing saved Issuer or ClusterIssuer config

Other

• Add ncm-issuer documentation hosted on GitHub pages (visit: documentation)
• Helm chart is now hosted on GitHub pages (link: https://nokia.github.io/ncm-issuer/charts)

For more detailed view about new CRDs definition, troubleshooting and more, see: documentation

1.0.3

What's changed

1.0.3 includes several features and fixes for previously known issues.

Features

• Added possibility to specify backup NCM API server in case of lack of connection to the main one
• Added possibility to include certificate chain (without end-entity certificate) in ca.crt
• Added possibility to include only end-user certificate in tls.crt

For more detailed view about new features, see the or !

Fixes

• Fixed misinterpretation in case of manually triggering rotation of a private key (previously renewal operation was triggered instead of re-enrollment)
• Fixed bug related to certificates with long names
• Fixed several bugs during certificate renewal

Other

• Bumped go from 1.17 to 1.19.6

1.0.1

The first official version of NCM Issuer!

• Full integration with NCM ( fetching CA from db, setting pem chain, adding issued certs to db, renewal support etc. )
• Installation via Helm charts
• Well-developed "spec" section in the issuer .yaml file