From 9f369cb7133342e49fa5a65313cf40b39db82316 Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Fri, 17 Nov 2023 14:34:07 +0100 Subject: [PATCH 1/2] add v1.13 upgrade note saying you should upgrade to v1.12 first Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- content/docs/releases/upgrading/upgrading-1.12-1.13.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/docs/releases/upgrading/upgrading-1.12-1.13.md b/content/docs/releases/upgrading/upgrading-1.12-1.13.md index 859ff22987a..927e1f93831 100644 --- a/content/docs/releases/upgrading/upgrading-1.12-1.13.md +++ b/content/docs/releases/upgrading/upgrading-1.12-1.13.md @@ -5,14 +5,16 @@ description: 'cert-manager installation: Upgrading v1.12 to v1.13' When upgrading cert-manager from 1.12 to 1.13, in few cases you might need to take additional steps to ensure a smooth upgrade: -1. BREAKING: If you deploy cert-manager using helm and have `.featureGates` value set, the features defined +1. **IMPORTANT NOTE**: Before upgrading to v1.13, upgrade to a v1.12+ version first. Otherwise, you might unexpectedly experience certificates to be re-issued (see https://github.com/cert-manager/cert-manager/issues/6494#issuecomment-1816112309) + +2. BREAKING: If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field instead to define features to be enabled on webhook. (https://github.com/cert-manager/cert-manager/pull/6093, https://github.com/irbekrm) -2. Potentially breaking: If you were, for some reason, passing cert-manager controller's features to webhook's --feature-gates flag, +3. Potentially breaking: If you were, for some reason, passing cert-manager controller's features to webhook's --feature-gates flag, this will now break (unless the webhook actually has a feature by that name). (https://github.com/cert-manager/cert-manager/pull/6093, https://github.com/irbekrm) -3. Potentially breaking: Webhook validation of CertificateRequest resources is stricter now: all `KeyUsages` and `ExtendedKeyUsages` must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. (https://github.com/cert-manager/cert-manager/pull/6182, https://github.com/inteon) +4. Potentially breaking: Webhook validation of CertificateRequest resources is stricter now: all `KeyUsages` and `ExtendedKeyUsages` must be defined directly in the CertificateRequest resource, the encoded CSR can never contain more usages that defined there. (https://github.com/cert-manager/cert-manager/pull/6182, https://github.com/inteon) ## Next Steps From dcf5d885dc96d955ab92674d9993f27d8220094a Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Fri, 17 Nov 2023 15:22:35 +0100 Subject: [PATCH 2/2] Update content/docs/releases/upgrading/upgrading-1.12-1.13.md Co-authored-by: Ashley Davis Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- content/docs/releases/upgrading/upgrading-1.12-1.13.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/upgrading/upgrading-1.12-1.13.md b/content/docs/releases/upgrading/upgrading-1.12-1.13.md index 927e1f93831..6cd4d4e5038 100644 --- a/content/docs/releases/upgrading/upgrading-1.12-1.13.md +++ b/content/docs/releases/upgrading/upgrading-1.12-1.13.md @@ -5,7 +5,7 @@ description: 'cert-manager installation: Upgrading v1.12 to v1.13' When upgrading cert-manager from 1.12 to 1.13, in few cases you might need to take additional steps to ensure a smooth upgrade: -1. **IMPORTANT NOTE**: Before upgrading to v1.13, upgrade to a v1.12+ version first. Otherwise, you might unexpectedly experience certificates to be re-issued (see https://github.com/cert-manager/cert-manager/issues/6494#issuecomment-1816112309) +1. **IMPORTANT NOTE**: If upgrading from a version below v1.12, upgrade to the latest v1.12 release before upgrading to v1.13. Otherwise, some certificates may be unexpectedly re-issued (see https://github.com/cert-manager/cert-manager/issues/6494#issuecomment-1816112309) 2. BREAKING: If you deploy cert-manager using helm and have `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use `webhook.featureGates` field