Add upgrade note for tokenrequest RBAC removal in 1.21#2171
Add upgrade note for tokenrequest RBAC removal in 1.21#2171wallrj-cyberark wants to merge 1 commit into
Conversation
cert-manager-prow
Bot
added
dco-signoff: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
✅ Deploy Preview for cert-manager ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
Document the breaking change from cert-manager/cert-manager#8931 which removes the default tokenrequest Role and RoleBinding from the Helm chart. Add an upgrading note with migration guidance and a release note entry under Major Themes with the⚠️ Breaking change callout. Signed-off-by: Richard Wall <richard.wall@cyberark.com>
wallrj-cyberark
force-pushed
the
revert-default-tokenrequest-rbac-docs
branch
from
8642942 to
bcd8c3d
Compare
There was a problem hiding this comment.
Pull request overview
Documents a breaking change in cert-manager 1.21 where the Helm chart no longer creates the default tokenrequest Role/RoleBinding, and provides upgrade guidance for users who previously relied on the controller ServiceAccount being able to mint its own tokens.
Changes:
- Added a breaking-change upgrade note for v1.20 → v1.21 describing the RBAC removal and migration options.
- Added a “Major Themes” breaking-change callout and a corresponding entry under “Other (Cleanup or Flake)” in the 1.21 release notes.
- Updated the repository spelling allowlist with security reporter usernames.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| content/docs/releases/upgrading/upgrading-1.20-1.21.md | Replaces placeholder with a concrete breaking-change upgrade entry and migration guidance. |
| content/docs/releases/release-notes/release-notes-1.21.md | Adds a breaking-change callout and a cleanup entry documenting the RBAC removal and context. |
| .spelling | Extends spellcheck allowlist for newly mentioned usernames. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - create your own `Role` and `RoleBinding` granting `serviceaccounts/token: | ||
| create` on that ServiceAccount, or | ||
| - migrate to a dedicated ServiceAccount with its own RBAC (recommended — | ||
| see the [Vault](../../configuration/vault.md) or | ||
| [Route53](../../configuration/acme/dns01/route53.md) documentation). |
| - create your own `Role` and `RoleBinding` granting `serviceaccounts/token: | ||
| create` on that ServiceAccount, or |
| everping | ||
| kodareef |
Preview:
Summary
Document the breaking change from cert-manager/cert-manager#8931, which removes the default
tokenrequestRole and RoleBinding from the Helm chart in cert-manager 1.21.Motivation
cert-manager/cert-manager#8931 removes chart RBAC that no documented workflow requires. Users who relied on the undocumented pattern of pointing
serviceAccountRef.nameat the controller ServiceAccount need advance notice and migration guidance.Changes
upgrading-1.20-1.21.md: replace TODO with a numbered breaking-change entry explaining the removal and listing the two migration paths (create own RBAC, or use a dedicated ServiceAccount).release-notes-1.21.md: add a Major Themes subsection with⚠️ Breaking changecallout, full context (origin in #7213, docs removal in website#1555, threat-model credit to reporters), and an entry under "Other (Cleanup or Flake)"..spelling: addeverpingandkodareef(security reporter usernames).Test plan
vault.md,route53.md,upgrading-1.20-1.21.md, andthreat-modelling.mdare correctrelease-notes-1.18.mdfor breaking changesthreat-modelling.mdpageRef cert-manager/cert-manager#8931
Ref cert-manager/cert-manager#7213