Releases: cloudflare/origin-ca-issuer
v0.12.0
What's Changed
🆕 Controller Versioning
The version of origin-ca-issuer is now embedded by Go 1.24's go build. This version is included as part of the User-Agent sent to the Cloudflare API when creating or renewing an Origin CA certificate.
🆕 CA Certificate
The CA Certificate is now included on secrets for new or renewed certificates, for compatibility with applications that require a chain instead of just a leaf certificate. Fixes #70.
🥇 Image Signatures
The OCI artifacts for this release have been signed using cosign with the GitHub Actions OIDC Token identity, and published to the public Rekor instance. The signing of Helm artifacts is planned.
cosign verify docker.io/cloudflare/origin-ca-issuer:v0.12.0 \
--certificate-identity https://github.com/cloudflare/origin-ca-issuer/.github/workflows/docker.yaml@refs/tags/v0.12.0 \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
As this is the first release with signatures, they are experimental. Please report any issues you have.
Full Changelog: v0.11.0...v0.12.0
v0.11.0
Breaking Changes
Certificate Issuer References Group Now Required
The Origin CA Issuer now requires the spec.issuerRef.group field to be set to "cert-manager.k8s.cloudflare.com" on Certificate resources (and equivalent annotations, such as cert-manager.io/issuer-group on Ingresses). The documentation has always included this group in examples, but an empty group was previously accepted. Certificates without this group set will now be ignored by the Origin CA Issuer.
What's Changed
- fix(certificaterequest): ignore empty issuer group by @terinjokes in #150
Full Changelog: v0.10.0...v0.11.0
Contributors
Assets 2
v0.10.0
What's Changed
- feat(cfapi): replace Factory with Builder by @terinjokes in #141
- docs: support for api tokens by @terinjokes in #144
- chore(renovate): 🤖 beep-boop by @terinjokes in #145
Full Changelog: v0.9.0...v0.10.0
Contributors
Assets 2
v0.9.0
What's Changed
- feat: remove provisioners.Collection by @terinjokes in #124
- feat: add ClusterOriginIssuer by @terinjokes in #125
Full Changelog: v0.8.0...v0.9.0
Contributors
Assets 2
v0.8.0
What's Changed
- feat(cfapi): include Ray ID in signing errors by @terinjokes in #111
- feat(controllers): implement ObjectReconciler by @terinjokes in #113
- chore(deploy): increase cpu and memory by @terinjokes in #120
- fix(cfapi): requeue after DB error by @terinjokes in #121
- chore(docker): enable sbom and cache by @terinjokes in #122
Full Changelog: v0.7.0...v0.8.0
Contributors
Assets 2
v0.7.0
Breaking Change
- The certificate request type in the OriginIssuer now selects the correct Origin CA. The signature algorithm used will be corrected on the next renewal. Fixes #72
New Features
- A Helm chart compatible with Helm 3.8+ are now being released to GitHub Container Registry at
oci://ghcr.io/cloudflare/origin-ca-issuer-charts/origin-ca-issuer. Fixes #97