cloudflare/origin-ca-issuer v0.13.0

v0.13.0

Repository: cloudflare/origin-ca-issuer

Tag: v0.13.0

Published: 2025-10-24T12:35:04Z

Prerelease: no

Release notes:

What's Changed

:new: issuer-lib

The project is now based on cert-manager's issuer-lib a project to standardize the behavior of external issuers. The retry and backoff behavior should now more closely match that of cert-manager's in-tree issuers. Fixes #161.

:new: Leader Election

The controller now implements leader election, implemented with Kubernetes lease objects. This now allow multiple replicas without duplicative Origin CA certificates being created. Fixes #181.

:new: Validate Origin Issuer Authentication

The .spec.auth of OriginIssuers and ClusterOriginIssuers now enforces that only one of serviceKeyRef or tokenRef is set, enforced by the API server with CEL validation.

We continue to recommend the use of scoped API tokens over that of API service keys.

:warning: Certificate Default Durations

The default duration of certificates, if not specified on the Certificate resources, is now 90 days, up from 7. This matches the default validity of in-tree issuers, and the cert-manager FAQ.

Durations are still rounded the the nearest values accepted by the Cloudflare API.

Full Changelog: https://github.com/cloudflare/origin-ca-issuer/compare/v0.12.1...v0.13.0