v0.8.0

• Breaking change: The sa secret type changed and now fully generated by cert-manager

  To update existing clusters, please run the following before the update:

  RELEASE_NAME=foo
  RELEASE_NAMESPACE=foo
  kubectl -n ${RELEASE_NAMESPACE} get secret ${RELEASE_NAME}-kubernetes-pki-sa -o yaml >/tmp/sa.yaml
  sed -i -e 's/sa.pub/tls.crt/' -e 's/sa.key/tls.key/' -e 's|^type: Opaque|type: kubernetes.io/tls|' /tmp/sa.yaml
  kubectl delete -f /tmp/sa.yaml
  kubectl apply -f /tmp/sa.yaml

  Most likely you will have to recreate keys for all service accounts and restart the associated workload any way:

  kubectl get secret --all-namespaces | grep 'kubernetes.io/service-account-token' | awk '{ print "kubectl delete secret -n " $1 " " $2}' | sh -x
  

• All client certificates used in kubeconfigs now generated by cert-manager

• ServiceAccount and roles to create secrets and configmaps in admin-cluster now fully removed

• Add server cerificates for controller-manager and scheduler (for the healthcheck and metrics collection)

• apiserver secrtificate renamed to apiserver-server

v0.7.0

Changelog:

• Breaking change: The -pki prefix removed from certificates names

  To update existing clusters, please add --set certnameOverride <releaseName>-kubernetes-pki option, otherwise all the certificates will be reissued with new names.

• Update to Kubernetes v1.19.3

• Fix requestheader-allowed-names for apiserver

• Add digest option for specifying images