All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Support multiarch images
- Update to alpine 3.12.0
- Revert to using the full service name for the CN. There is an open issue in EKS in which the SAN is not added to the signed certificates, making the TLS requests from the apiserver to the webhook fail. awslabs/amazon-eks-ami#341
- Validate that the length of the string "${service}.${namespace}.svc", which is used for the CN, is not greater than 64 characters as specified in the x509 spec.
- Use the CA bundle from the service account secret to patch the webhook instead of fetching it via kubectl.
- Set the number of retries for retrieving the issued certificate to 10, matching the error message.
- Add the `--webhook-kind` option to specify either MutatingWebhookConfiguration or ValidatingWebhookConfiguration. Defaults to MutatingWebhookConfiguration.
- Use a much shorter common name for the certificate (only the Service's name) to avoid problems due to the character limit in CNs.
- Updated musl library to avoid security vulnerability: https://app.snyk.io/vuln/SNYK-LINUX-MUSL-458116
- Container user is now `1000` instead of `root`.
- Better compatibility with OpenShift by patching the webhook configuration JSON with an `add` operation instead of `replace`.
- Initial version of the Kubernetes Webhook Certificate Manager.