Update module github.com/jetstack/cert-manager to v1.15.1 - autoclosed
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
github.com/jetstack/cert-manager | require | minor | v1.6.1 -> v1.15.1 |
MR created with the help of gitlab-org/frontend/renovate-gitlab-bot
Release Notes
jetstack/cert-manager (github.com/jetstack/cert-manager)
v1.15.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.15.0
Bug or Regression
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7111, @inteon)
Other (Cleanup or Flake)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7092, @ThatsMrTalbot)
- Bump the go-retryablehttp dependency to fix CVE-2024-6104 (#7130, @SgtCoDFish)
v1.15.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.15 promotes several features to beta, including GatewayAPI support (`ExperimentalGatewayAPISupport`), the ability to provide a subject in the Certificate that will be used literally in the CertificateSigningRequest (`LiteralCertificateSubject`) and the outputting of additional certificate formats (`AdditionalCertificateOutputFormats`).
[!NOTE]
The `cmctl` binary has been moved to https://github.com/cert-manager/cmctl/releases. For the startupapicheck Job you should update references to point at `quay.io/jetstack/cert-manager-startupapicheck`.
[!NOTE]
From this release, the Helm chart will no longer uninstall the CRDs when the chart is uninstalled. If you want the CRDs to be removed on uninstall use `crds.keep=false` when installing the Helm chart.
Community
Thanks again to all open-source contributors with commits in this release, including: @Pionerd, @SgtCoDFish, @ThatsMrTalbot, @andrey-dubnik, @bwaldrep, @eplightning, @erikgb, @findnature, @gplessis, @import-shiburin, @inteon, @jkroepke, @lunarwhite, @mangeshhambarde, @pwhitehead-splunk & @rodrigorfk, @wallrj.
Thanks also to the following cert-manager maintainers for their contributions during this release: @SgtCoDFish, @SpectralHiss, @ThatsMrTalbot, @hawksight, @inteon, @maelvls & @wallrj.
Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes by Kind
Feature
- GatewayAPI support has graduated to Beta. Add the `--enable-gateway-api` flag to enable the integration. (#6961, @ThatsMrTalbot)
- Add support to specify a custom key alias in a JKS Keystore (#6807, @bwaldrep)
- Add the ability to communicate with Vault via mTLS when strict client certificates is enabled at Vault server side (#6614, @rodrigorfk)
- Added option to provide additional audiences in the service account auth section for vault (#6718, @andrey-dubnik)
- Venafi Issuer now sends a cert-manager HTTP User-Agent header in all Venafi Rest API requests. For example: `cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200`. (#6865, @wallrj)
- Add hint to validation error message to help users of external issuers more easily fix the issue if they specify a Kind but forget the Group (#6913, @SgtCoDFish)
- Add support for numeric OID types in LiteralSubject, e.g. "1.2.3.4=String Value" (#6775, @inteon)
- Promote the `LiteralCertificateSubject` feature to Beta. (#7030, @inteon)
- Promoted the AdditionalCertificateOutputFormats feature gate to Beta (enabled by default). (#6970, @erikgb)
- The Helm chart now allows you to supply `extraObjects`; a list of yaml manifests which Helm will install and uninstall with the cert-manager manifests. (#6424, @gplessis)
- Update the Route53 provider to support fetching credentials using AssumeRoleWithWebIdentity (#6878, @pwhitehead-splunk)
- Helm can now add optional hostAliases to cert-manager Pod to allow the DNS self-check to pass in custom scenarios. (#6456, @Pionerd)
- Added a new Ingress annotation for copying specific Ingress annotations to Certificate's secretTemplate (#6839, @mangeshhambarde)
- Added option to define additional token audiences for the Vault Kubernetes auth (#6744, @andrey-dubnik)
- Allow `cert-manager.io/allow-direct-injection` in annotations (#6801, @jkroepke)
Design
- Remove repetitive words (#6949, @findnature)
Bug or Regression
- BUGFIX: Fixes issue with JSON-logging, where only a subset of the log messages were output as JSON. (#6779, @inteon)
- BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#6806, @bwaldrep)
- BUGFIX: cainjector leaderelection flag/config option defaults are missing (#6816, @inteon)
- BUGFIX: cert-manager issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field themselves. (#6724, @inteon)
- Breaking Change: Fixed an issue where an unintended certificate chain was used if `preferredChain` is configured. (#6755, @import-shiburin)
- Bugfix: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#6770, @inteon)
- DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge (#6875, @SgtCoDFish)
- Fix backwards incompatible removal of default prometheus Service resource. (#6699, @inteon)
- Fix broken cainjector image value in Helm chart (#6692, @SgtCoDFish)
- Helm: Fix a bug in the logic that differentiates between 0 and an empty value. (#6713, @inteon)
- Make sure the Azure SDK error messages are stable. (#6676, @inteon)
- When using the literalSubject on a Certificate, the webhook validation for the common name now also points to the literalSubject. (#6767, @lunarwhite)
- Bump golang.org/x/net to fix CVE-2023-45288 (#6929, @SgtCoDFish)
- Fix ACME issuer being stuck waiting for DNS propagation when using Azure DNS with multiple instances issuing for the same FQDN (#6351, @eplightning)
- Fix cainjector ConfigMap not mounted in the cainjector deployment. (#7055, @inteon)
- Added `disableAutoApproval` and `approveSignerNames` Helm chart options. (#7054, @inteon)
Other (Cleanup or Flake)
- ⚠️ Possibly breaking: Helm will now keep the CRDs when you uninstall cert-manager by default to prevent accidental data loss. (#6760, @inteon)
- New `crds.keep` and `crds.enabled` Helm options can now be used instead of the `installCRDs` option. (#6760, @inteon)
- Bump base images (#6840, @inteon)
- Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 (#6854, @wallrj)
- Removed deprecated util functions that have been replaced by the `slices` and `k8s.io/apimachinery/pkg/util` packages. Removed deprecated CSR functions which have been replaced with other functions in the `pkg/util/pki` package. (#6730, @inteon)
- Upgrade go to 1.21.8: fixes CVE-2024-24783 (#6823, @inteon)
- Upgrade go to latest version 1.22.1 (#6831, @inteon)
- Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#6827, @inteon)
- `cmctl` and `kubectl cert-manager` have been moved to the https://github.com/cert-manager/cmctl repo and will be versioned separately starting with cmctl v2.0.0 (#6663, @inteon)
- Graduate the 'DisallowInsecureCSRUsageDefinition' feature gate to GA. (part 2) (#6963, @inteon)
- Remove deprecated `pkg/util/pki/ParseSubjectStringToRawDERBytes` function. (#6994, @inteon)
- Upgrade Kind to v0.23.0 and update supported node image digests (#7020, @github-actions[bot])
- If the `--controllers` flag only specifies disabled controllers, the default controllers are now enabled implicitly. (#7054, @inteon)
- Upgrade to Go 1.22.3, fixing GO-2024-2824. (#6996, @github-actions[bot])
v1.14.7
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.14.6
Bugfixes
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7113, @cert-manager-bot)
Other (Cleanup or Flake)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7093, @ThatsMrTalbot)
v1.14.6
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.14.5
Other (Cleanup or Flake)
- Upgrade Go to 1.21.10, fixing GO-2024-2824 (https://github.com/advisories/GHSA-2jwv-jmq4-4j3r). (#7008, @inteon)
- Helm: the cainjector ConfigMap was not mounted in the cainjector deployment. (#7053, @cert-manager-bot)
- Updated Go to 1.21.11 bringing in security fixes for archive/zip and net/netip. (#7076, @ThatsMrTalbot)
v1.14.5
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.14.5 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @BobyMCbobs for reporting this issue and testing the fix!
It also patches CVE-2023-45288.
📜 Changes since v1.14.4
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if `preferredChain` is configured: see 1.14 release notes for more information.
Changes
Bug or Regression
- DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge (#6893 , @SgtCoDFish)
- Bump golang.org/x/net to address CVE-2023-45288 (#6931 , @SgtCoDFish)
v1.14.4
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.14.0 release notes
📜 Changes since v1.14.3
Bug or Regression
- Allow `cert-manager.io/allow-direct-injection` in annotations (#6809, @jetstack-bot)
- BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#6812, @jetstack-bot)
- BUGFIX: cainjector leaderelection flag/config option defaults are missing (#6819, @jetstack-bot)
Other (Cleanup or Flake)
- Bump base images. (#6842, @inteon)
- Upgrade Helm: fix CVE-2024-26147 alert (#6834, @inteon)
- Upgrade go to 1.21.8: fixes CVE-2024-24783 (#6825, @jetstack-bot)
- Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#6829, @inteon)
v1.14.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
- cainjector leaderelection is incorrectly disabled by default because the flag/config option defaults are missing (https://github.com/cert-manager/cert-manager/pull/6819)
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.14.0 release notes
📜 Changes since v1.14.2
Bug or Regression
- BUGFIX: Fixes issue with JSON-logging, where only a subset of the log messages were output as JSON. (#6781, @jetstack-bot)
- BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#6774, @jetstack-bot)
v1.14.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if `preferredChain` is configured: see release docs for more info and mitigations
- Logging-format json sometimes writes plaintext messages (see https://github.com/cert-manager/cert-manager/issues/6768). FIXED in v1.14.3
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.14.0 release notes
📜 Changes since v1.14.1
Bug or Regression
- BUGFIX: cert-manager CA and SelfSigned issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field themselves. (#6727, @jetstack-bot)
- Helm: Fix a bug in the logic that differentiates between 0 and an empty value. (#6729, @jetstack-bot)
Other (Cleanup or Flake)
- Bump golang to 1.21.7 (#6735, @jetstack-bot)
v1.14.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
⚠️ This version has known issues. Please install v1.14.2 instead.
⚠️ Known Issues (please install v1.14.2)
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if `preferredChain` is configured: see release docs for more info and mitigations
- In cert-manager v1.14.0 and v1.14.1, the `CA` and `SelfSigned` issuers issue certificates with SANs set to non-critical even when the subject is empty. It incorrectly copies the critical field from the CSR.
🔧 Breaking changes
See Breaking changes in v1.14.0 release notes
ℹ️ Documentation
📜 Changes since v1.14.0
Bug or Regression
- Fix broken cainjector image value in Helm chart (#6693, @SgtCoDFish)
- Fix bug in cmctl namespace detection which prevented it being used as a startupapicheck image in namespaces other than cert-manager. (#6706, @inteon)
- Fix bug in cmctl which caused `cmctl experimental install` to panic. (#6706, @inteon)
v1.14.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
⚠️ This version has known issues. Please install v1.14.2 instead.
⚠️ Known Issues (please install v1.14.2)
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if `preferredChain` is configured: see release docs for more info and mitigations
- In cert-manager v1.14.0 and v1.14.1, the `CA` and `SelfSigned` issuers issue certificates with SANs set to non-critical even when the subject is empty. It incorrectly copies the critical field from the CSR.
- During the release of `v1.14.0`, the Helm chart for this version was found to use the wrong OCI image for the `cainjector` Deployment, which caused the Helm installation to fail. In order to complete the release, the cert-manager team have manually updated the Helm chart for this version, which contains all the Helm chart fixes which are in `v1.14.1`.
- A bug in cmctl namespace detection prevents it being used as a `startupapicheck` image in namespaces other than cert-manager.
- A bug in cmctl causes `cmctl experimental install` to panic.
🔧 Breaking Changes
The startupapicheck job uses a new OCI image called "startupapicheck", instead of the ctl image. If you run in an environment in which images cannot be pulled, be sure to include the new image.
The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob.
🗺️ Major Themes
New X.509 Features
The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the Subject Alternative Name section of RFC 5280 (on page 37).
We specifically support any `otherName` type with a UTF-8 value, such as the User Principal Name or `sAMAccountName`.
These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory.
For example you can create certificates with this block in the spec:
```yaml
otherNames:
  - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
    utf8Value: upn@domain.local
```
The feature is still in alpha stage and requires you to enable the `OtherName` feature flag in the controller and webhook components.
New CA certificate Features
You can now specify the X.509 v3 Authority Information Accessors extension, with URLs for certificates issued by the CA issuer.
Users can now use name constraints in CA certificates. For more details on name constraints, see RFC 5280 section 4.2.1.10: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
Security
An ongoing security audit of the cert-manager code revealed some weaknesses which we have addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those important services.
All the cert-manager containers are now configured with read only root file system by default, to prevent unexpected changes to the file system of the OCI image.
And it is now possible to configure the metrics server to use HTTPS rather than HTTP, so that clients can verify the identity of the metrics server.
Other
The liveness probe of the cert-manager controller Pod is now enabled by default.
There is a new option `.spec.keystores.pkcs12.algorithms` to specify encryption and MAC algorithms for PKCS#12 keystores.
🤝 Community
Thanks again to all open-source contributors with commits in this release, including:
- @ABWassim
- @JoeNorth
- @allenmunC1
- @asapekia
- @jeremycampbell
- @jkroepke
- @jsoref
- @lauraseidler
- @pevidex
- @phillebaba
- @snorwin
- @tanujd11
- @tberreis
- @vinny
Thanks also to the following cert-manager maintainers for their contributions during this release:
Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
📜 Changes
Feature
- ACME challenge solver Pod for HTTP01 will get a default annotation of `"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"`. You can provide an annotation of `"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"` in your `podTemplate` if you don't like this. (#6349, @jsoref)
- Added a clock skew detector liveness probe that will force a restart in case we detect a skew between the internal monotonic clock and the system clock of more than 5 minutes. Also, the controller's liveness probe is now enabled by default. (#6328, @inteon)
- Added a new flag (--dynamic-serving-leaf-duration) that can adjust the lifetime of the dynamic leaf certificates (#6552, @allenmunC1)
- Added support for `otherName` SANS in Certificates (#6404, @SpectralHiss)
- Added the option to specify the X.509 v3 Authority Information Accessors extension CA Issuers URLs for certificates issued by the CA issuer. (#6486, @jeremycampbell)
- Adds cert-manager's new core infrastructure initiative badge! See more details on https://www.bestpractices.dev/projects/8079 (#6497, @SgtCoDFish)
- All Pods are now configured with `readOnlyRootFilesystem` by default. (#6453, @wallrj)
- MAYBE BREAKING: The startupapicheck job is now handled by an entirely new container called "startupapicheck". This replaces the previous ctl container. If you run in an environment in which images cannot be pulled, be sure to include the new container. (#6549, @SgtCoDFish)
- New option `.spec.keystores.pkcs12.algorithms` to specify encryption and MAC algorithms for PKCS#12 keystores. Fixes issues #5957 and #6523. (#6548, @snorwin)
- The ACME HTTP01 solver Pod is now configured with `readOnlyRootFilesystem: true` (#6462, @wallrj)
- Updates the AWS SDK for Go to 1.48.7 to support Amazon EKS Pod Identity (#6519, @JoeNorth)
- Users can now use name constraints in CA certificates. For more details on name constraints, see RFC 5280 section 4.2.1.10: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 (#6500, @tanujd11)
- ⚠️ potentially breaking ⚠️: The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob. (#6053, @inteon)
- Add TLS support to the metrics endpoint through either a certificate file or through dynamically issued certificates (#6574, @ThatsMrTalbot)
- Helm Chart: allow changing the default Deployment `revisionHistoryLimit` (#6248, @tberreis)
- Security: Limit the size of the response body read from HTTP requests by cert-manager. (#6619, @ThatsMrTalbot)
- Support custom `spec.namespaceSelector` for webhooks (#6638, @jkroepke)
Bug or Regression
- BUGFIX[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. (#6380, @asapekia)
- Controller ConfigMap is now created only if `.Values.config` is set. (#6357, @ABWassim)
- Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. (#6406, @inteon)
- Fix(helm): templating of required value in controller and webhook ConfigMap resources (#6435, @ABWassim)
- Fixed a webhook validation error message when the key algorithm was invalid. (#6571, @pevidex)
- Fixed error messaging when setting up vault issuer (#6433, @vinny)
- `GHSA-vgf6-pvf4-34rq`: The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#6498, @inteon)
- Increase the default webhook timeout to its maximum value of 30 seconds, so that the underlying timeout error message has more chance of being returned to the end user. (#6488, @wallrj)
- Listeners that do not support TLS on Gateway resources will now not raise `BadConfig` warnings anymore (#6347, @lauraseidler)
- Mitigate potential Slowloris attacks by setting `ReadHeaderTimeout` in all `http.Server` instances (#6534, @wallrj)
- The Venafi issuer now properly resets the certificate and should no longer get stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. (#6398, @maelvls)
- Update experimental install and uninstall commands to have flag parity with the rest of the CLI (#6562, @ThatsMrTalbot)
- Webhook ConfigMap is now created only if `.Values.webhook.config` is set. (#6360, @ABWassim)
- BUGFIX: Ensure `otherName` SAN changes in Certificate resources trigger re-issuance. (#6620, @SpectralHiss)
- Bugfix: Publish the `startupapicheck` image to `quay.io` (#6609, @wallrj)
Other (Cleanup or Flake)
- Cert-manager is now built with Go 1.21.5 (#6545, @wallrj)
- Bump Go to `1.21.3` to address `CVE-2023-39325`. Also bumps base images. (#6410, @SgtCoDFish)
- Bump `golang.org/x/net v0.15.0 => v0.17.0` as part of addressing `CVE-2023-44487` / `CVE-2023-39325` (#6427, @SgtCoDFish)
- Check code for unintended use of `crypto/md5`, a weak cryptographic primitive; using `golangci-lint` / `gosec` (G501). (#6581, @wallrj)
- Check code for unintended use of `crypto/sha1`, a weak cryptographic primitive; using `golangci-lint` / `gosec` (G505). (#6579, @wallrj)
- Check code for unintended use of weak random number generator (`math/rand` instead of `crypto/rand`); using `golangci-lint` / `gosec` (G404). (#6582, @wallrj)
- Cleanup: Restrict MutatingWebhookConfiguration to only CertificateRequest resources (#6311, @hawksight)
- Deprecated `pkg/util.RandStringRunes` and `pkg/controller/test.RandStringBytes`. Use `k8s.io/apimachinery/pkg/util/rand.String` instead. (#6585, @wallrj)
- Enabled verbose logging in startupapicheck by default, so that if it fails, users can know exactly what caused the failure. (#6495, @wallrj)
- Fix gosec G601: Implicit memory aliasing of items from a range statement (#6551, @wallrj)
- Fix handling of serial numbers in literal certificate subjects. Previously a serial number could be specified in `subject.serialNumber` while using a literal certificate subject. This was a mistake and has been fixed. (#6533, @inteon)
- The end-to-end tests can now test the cert-manager Vault Issuer on an OpenShift cluster. (#6391, @wallrj)
- Update cert-manager's distroless base images from Debian 11 to Debian 12. This should have no practical effects on users. (#6583, @inteon)
- Updated all code using GatewayAPI to use the now GA v1 APIs (#6559, @ThatsMrTalbot)
- Upgrade Go from 1.20.7 to 1.20.8. (#6369, @inteon)
- Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". (#6366, @inteon)
- Use the new generic `sets.Set` type in place of the deprecated `sets.String`. (#6586, @wallrj)
- cert-manager is now built with Go `v1.21.6` (#6628, @SgtCoDFish)
- Update the Azure SDK and remove deprecated `autorest` dependency (#5452, @phillebaba)
- The cert-manager E2E tests can now be run on Kubernetes 1.29 (#6641, @wallrj)
v1.13.6
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.6
fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @BobyMCbobs for reporting this issue and testing the fix!
It also patches CVE-2023-45288.
Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if `preferredChain` is configured: see 1.14 release notes for more information.
Changes
Bug or Regression
- DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge (#6892, @SgtCoDFish)
- Bump golang.org/x/net to address CVE-2023-45288 (#6932, @SgtCoDFish)
v1.13.5
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.13.0 release notes
📜 Changes since v1.13.4
Bug or Regression
- Allow `cert-manager.io/allow-direct-injection` in annotations (#6810, @jetstack-bot)
- BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#6814, @inteon)
- BUGFIX: fix race condition due to registering and using global runtime.Scheme variables (#6832, @inteon)
Other (Cleanup or Flake)
- Bump base images to the latest version. (#6841, @inteon)
- Upgrade go to 1.21.8: fixes CVE-2024-24783 (#6824, @inteon)
- Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#6828, @inteon)
v1.13.4
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.13.0 release notes
📜 Changes since v1.13.3
Bug or Regression
- BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#6772, @jetstack-bot)
Other (Cleanup or Flake)
- Bump go to 1.20.14 (#6736, @jetstack-bot)
- Cert-manager is now built with Go 1.20.12 (#6544, @wallrj)
- Cert-manager is now built with Go 1.20.13 (#6630, @SgtCoDFish)
- Fix CVE-2023-48795 by upgrading to golang.org/x/crypto@v0.17.0 (#6675, @wallrj)
- Fix GHSA-7ww5-4wqc-m92c by upgrading to `github.com/containerd/containerd@v1.7.12` (#6684, @wallrj)
v1.13.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
- GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.
If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
- CVE-2023-47108: DoS vulnerability in `otelgrpc` due to unbound cardinality metrics.
An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.
Changes
Bug or Regression
- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#6507, @inteon)
- The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#6507, @inteon)
- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#6507, @inteon)
- Mitigate potential "Slowloris" attacks by setting `ReadHeaderTimeout` in all `http.Server` instances. (#6538, @wallrj)
- Upgrade Go modules: `otel`, `docker`, and `jose` to fix CVE alerts. See https://github.com/advisories/GHSA-8pgv-569h-w5rw, https://github.com/advisories/GHSA-jq35-85cj-fj4p, and https://github.com/advisories/GHSA-2c7c-3mj9-8fqh. (#6514, @inteon)
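The webhook hardening listed above (and in the v1.14.0 notes) as an added Go example, written here and not cert-manager's own webhook code: a request-body limit that answers 413 at 3 MiB or more and 400 for an empty body, panic recovery that answers 500 instead of dropping the connection, and `ReadHeaderTimeout` on the `http.Server` as the Slowloris mitigation, exercised in-process with `net/http/httptest`. The names `hardenHandler`, `newServer`, `statusFor`, the `/validate` path and the echo handler are assumptions made for this example.

```go
package main

import (
	"bytes"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Limit taken from the release notes: bodies of 3 MiB or more are rejected.
const maxBodyBytes = 3 << 20 // 3 MiB

// hardenHandler wraps next with the body-size, empty-body and panic checks
// described in the notes. Assumed helper name; not cert-manager's code.
func hardenHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Turn a panic in the wrapped handler into a 500. Without this,
		// net/http logs the panic and closes the connection with no reply.
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("handler panic: %v", rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()

		// A declared Content-Length at or above the limit is rejected
		// before a single body byte is buffered.
		if r.ContentLength >= maxBodyBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Read at most maxBodyBytes so a chunked or lying client cannot
		// make the server hold an unbounded body in memory.
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if len(body) == 0 {
			http.Error(w, "empty request body", http.StatusBadRequest)
			return
		}
		if len(body) >= maxBodyBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Hand the bounded, already-buffered body to the real handler.
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// newServer builds the http.Server with ReadHeaderTimeout set (the
// Slowloris mitigation) plus the other timeouts a server should carry so
// one slow client cannot pin a goroutine indefinitely.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           hardenHandler(h),
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// echoHandler stands in for a webhook endpoint. It echoes the body and
// panics on the constructed input "panic" to exercise the recovery path.
var echoHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	if string(body) == "panic" {
		panic("simulated bug in webhook handler")
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(body)
})

// statusFor sends a POST with the given body through the hardened server
// handler in-process (no network) and returns the HTTP status code.
func statusFor(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body))
	newServer("127.0.0.1:0", echoHandler).Handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	log.Println("empty body  ->", statusFor(""))
	log.Println("small body  ->", statusFor(`{"kind":"CertificateRequest"}`))
	log.Println("3 MiB body  ->", statusFor(strings.Repeat("x", maxBodyBytes)))
	log.Println("panic input ->", statusFor("panic"))
}
```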
Dependencies
Added
Nothing has changed.
Changed
- `cloud.google.com/go/firestore`: v1.11.0 → v1.12.0
- `cloud.google.com/go`: v0.110.6 → v0.110.7
- `github.com/felixge/httpsnoop`: v1.0.3 → v1.0.4
- `github.com/go-jose/go-jose/v3`: v3.0.0 → v3.0.1
- `github.com/go-logr/logr`: v1.2.4 → v1.3.0
- `github.com/golang/glog`: v1.1.0 → v1.1.2
- `github.com/google/go-cmp`: v0.5.9 → v0.6.0
- `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc`: v0.45.0 → v0.46.0
- `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`: v0.44.0 → v0.46.0
- `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/exporters/otlp/otlptrace`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/metric`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/sdk`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/trace`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel`: v1.19.0 → v1.20.0
- `go.uber.org/goleak`: v1.2.1 → v1.3.0
- `golang.org/x/sys`: v0.13.0 → v0.14.0
- `google.golang.org/genproto/googleapis/api`: f966b18 → b8732ec
- `google.golang.org/genproto`: f966b18 → b8732ec
- `google.golang.org/grpc`: v1.58.3 → v1.59.0
Removed
Nothing has changed.
v1.13.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.2 fixes some CVE alerts and contains fixes for:
- a CertificateRequest runaway situation in case two Certificate resources point to the same Secret target resource
- a small bug in the Helm chart (feature gate options)
- a Venafi issuer bug
⚠️ READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version!
Changes since v1.13.1
Bug or Regression
- Bump golang.org/x/net v0.15.0 => v0.17.0 as part of addressing CVE-2023-44487 / CVE-2023-39325 (#6432, @SgtCoDFish)
- BUGFIX[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. (#6381, @asapekia)
- Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. (#6425, @inteon)
- The Venafi issuer now properly resets the certificate and should no longer get stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. (#6402, @maelvls)
Other (Cleanup or Flake)
- Bump go to 1.20.10 to address CVE-2023-39325. Also bumps base images. (#6411, @SgtCoDFish)
v1.13.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0.
⚠️ READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version!
Changes since v1.13.0
Bug or Regression
- BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. (#6358, @jetstack-bot)
Other (Cleanup or Flake)
- Upgrade `github.com/emicklei/go-restful/v3` to `v3.11.0` because `v3.10.2` is labeled as "DO NOT USE". (#6368, @inteon)
- Upgrade Go from 1.20.7 to 1.20.8. (#6370, @jetstack-bot)
v1.13.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This is the 1.13 release of cert-manager!
cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta.
Known issues
The StableCertificateRequestName feature gate that was promoted to Beta contains a "name collision" bug: https://github.com/cert-manager/cert-manager/issues/6342. This is fixed in v1.13.1+.
Breaking Changes (You MUST read this before you upgrade!)
- IMPORTANT NOTE: If upgrading from a version below v1.12, upgrade to the latest v1.12 release before upgrading to v1.13. Otherwise, some certificates may be unexpectedly re-issued (see https://github.com/cert-manager/cert-manager/issues/6494#issuecomment-1816112309)
- BREAKING: If you deploy cert-manager using helm and have the `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use the `webhook.featureGates` field instead to define features to be enabled on webhook. (#6093, @irbekrm)
- Potentially breaking: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)
- Potentially breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource; the encoded CSR can never contain more usages than are defined there. (#6182, @inteon)
Community
Welcome to these new cert-manager members (more info - https://github.com/cert-manager/cert-manager/pull/6260): @jsoref @FlorianLiebhart @hawksight @erikgb
Thanks again to all open-source contributors with commits in this release, including: @AcidLeroy @FlorianLiebhart @lucacome @cypres @erikgb @ubergesundheit @jkroepke @jsoref @gdvalle @rouke-broersma @schrodit @zhangzhiqiangcs @arukiidou @hawksight @Richardds @kahirokunn
Thanks also to the following cert-manager maintainers for their contributions during this release: @SgtCoDFish @maelvls @irbekrm @inteon
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack and joined our meetings!
Special thanks to @AcidLeroy for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see https://github.com/cert-manager/cert-manager/pull/5337)
Also, thanks a lot to @FlorianLiebhart for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful in case all traffic must be HTTP(S) traffic, e.g. when using an HTTPS_PROXY. (see https://github.com/cert-manager/cert-manager/pull/5003)
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes since v1.12.0
Feature
- Add support for logging options to webhook config file. (#6243, @inteon)
- Add view permissions to the well-known (Openshift) user-facing `cluster-reader` aggregated cluster role (#6241, @erikgb)
- Certificate Shim: distinguish dns names and ip address in certificate (#6267, @zhangzhiqiangcs)
- Cmctl can now be imported by third parties. (#6049, @SgtCoDFish)
- Make `enableServiceLinks` configurable for all Deployments and `startupapicheck` Job in Helm chart. (#6292, @ubergesundheit)
- Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). (#6298, @inteon)
- The cert-manager controller options are now configurable using a configuration file. (#5337, @AcidLeroy)
- The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. (#6199, @inteon)
- [helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings (#6110, @jkroepke)
Design
- DNS over HTTPS (DoH) is now possible for doing the self-checks during the ACME verification. The DNS check method to be used is controlled through the command line flag `--dns01-recursive-nameservers-only=true` in combination with `--dns01-recursive-nameservers=https://<DoH-endpoint>` (e.g. `https://8.8.8.8/dns-query`). It keeps using DNS lookup as a default method. (#5003, @FlorianLiebhart)
Bug or Regression
- Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null (#6087, @rouke-broersma)
- BUGFIX: `cmctl check api --wait 0` exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code (#6109, @inteon)
- BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. (#6147, @inteon)
- BUGFIX[cainjector]: 1-character bug was causing invalid log messages and a memory leak (#6232, @inteon)
- Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN (#6088, @cypres)
- Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. (#6220, @ubergesundheit)
- Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains (#6191, @Richardds)
- Fixes a bug where webhook was pulling in controller's feature gates. ⚠️⚠️ BREAKING ⚠️⚠️: If you deploy cert-manager using helm and have the `.featureGates` value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use the `webhook.featureGates` field instead to define features to be enabled on webhook. ⚠️ Potentially breaking: If you were, for some reason, passing cert-manager controller's features to webhook's `--feature-gates` flag, this will now break (unless the webhook actually has a feature by that name). (#6093, @irbekrm)
- Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. (#6293, @SgtCoDFish)
- We disabled the `enableServiceLinks` option for our ACME http solver pods, because the option caused the pod to be in a crash loop in a cluster with a lot of services. (#6143, @schrodit)
- ⚠️ Potentially breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource; the encoded CSR can never contain more usages than are defined there. (#6182, @inteon)
Other (Cleanup or Flake)
- A subset of the klogs flags have been deprecated and will be removed in the future. (#5879, @maelvls)
- All service links in helm chart deployments have been disabled. (#6144, @schrodit)
- Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource (#6168, @inteon)
- Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. (#6156, @kahirokunn)
- Cleanup the controller configfile structure by introducing sub-structs. (#6242, @inteon)
- Don't run API Priority and Fairness controller in webhook's extension apiserver (#6085, @irbekrm)
- Helm: Add apache 2.0 license annotation (#6225, @arukiidou)
- Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. (#6034, @gdvalle)
- The SecretPostIssuancePolicyChain now also makes sure that the `cert-manager.io/common-name`, `cert-manager.io/alt-names`, ... annotations on Secrets are kept at their correct value. (#6176, @inteon)
- The cmctl logging has been improved and support for json logging has been added. (#6247, @inteon)
- Updates Kubernetes libraries to `v0.27.2`. (#6077, @lucacome)
- Updates Kubernetes libraries to `v0.27.4`. (#6227, @lucacome)
- We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. (#6152, @inteon)
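Added illustration, not cert-manager's code, of two checks from the v1.13.0 lists above: the stricter CSR validation (#6182, #6199), under which the encoded CSR may not carry usages beyond those declared on the CertificateRequest, and the public-key comparison behind #6168, under which a CSR whose key is not the Secret's key means the certificate must be re-issued. The function names (`csrKeyUsage`, `validateCSR`, `keyUsageExt`, `newCSR`, `genKey`) and the sample key and CSR are this example's own; the extension OID is RFC 5280's. ExtendedKeyUsage is checked the same way (decode the SEQUENCE OF OID extension, require a subset of the declared set); only KeyUsage is shown.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// OID of the X.509 KeyUsage extension (RFC 5280); every other name here is this example's own.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// csrKeyUsage decodes the KeyUsage bits a CSR asks for. Go keeps the extension raw on a
// parsed CSR, so it is decoded here: BIT STRING bit i is usage 1<<i (RFC 5280 defines nine).
func csrKeyUsage(csr *x509.CertificateRequest) (x509.KeyUsage, error) {
	var ku x509.KeyUsage
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidKeyUsage) {
			continue
		}
		var bits asn1.BitString
		if _, err := asn1.Unmarshal(ext.Value, &bits); err != nil {
			return 0, fmt.Errorf("bad KeyUsage extension in CSR: %w", err)
		}
		for i := 0; i < 9; i++ {
			ku |= x509.KeyUsage(bits.At(i) << uint(i))
		}
	}
	return ku, nil
}

// validateCSR applies the two checks from the notes before anything is signed: the CSR
// may not request a KeyUsage bit the CertificateRequest does not declare, and its public
// key must belong to the private key held in the Certificate's Secret.
func validateCSR(csr *x509.CertificateRequest, declaredKU x509.KeyUsage, secretKey crypto.Signer) error {
	ku, err := csrKeyUsage(csr)
	if err != nil {
		return err
	}
	if extra := ku &^ declaredKU; extra != 0 {
		return fmt.Errorf("CSR requests KeyUsage bits %#x not declared on the CertificateRequest", int(extra))
	}
	pub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(secretKey.Public()) {
		return fmt.Errorf("CSR public key does not match the key in the Secret: re-issue the certificate")
	}
	return nil
}

// The rest builds constructed sample material. keyUsageExt encodes ku as the KeyUsage
// BIT STRING: bit 0 is the most significant bit of the first byte; a zero second byte is dropped.
func keyUsageExt(ku x509.KeyUsage) pkix.Extension {
	var b [2]byte
	for i := 0; i < 16; i++ {
		if ku&(1<<uint(i)) != 0 {
			b[i/8] |= 0x80 >> uint(i%8)
		}
	}
	n := 2
	if b[1] == 0 {
		n = 1
	}
	val := must(asn1.Marshal(asn1.BitString{Bytes: b[:n], BitLength: n * 8}))
	return pkix.Extension{Id: oidKeyUsage, Critical: true, Value: val}
}

// newCSR returns a parsed CSR signed by key that requests exactly the usages in ku.
func newCSR(key crypto.Signer, ku x509.KeyUsage) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{
		Subject:         pkix.Name{CommonName: "example.test"},
		ExtraExtensions: []pkix.Extension{keyUsageExt(ku)},
	}
	der := must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
	return must(x509.ParseCertificateRequest(der))
}

func genKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// must panics on a sample-construction error; the checks above never rely on it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	secretKey, otherKey := genKey(), genKey()
	ku := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	csr := newCSR(secretKey, ku)
	fmt.Println("declared usages, Secret's key:", validateCSR(csr, ku, secretKey))
	fmt.Println("undeclared KeyUsage bit:", validateCSR(csr, x509.KeyUsageDigitalSignature, secretKey))
	fmt.Println("key not in Secret:", validateCSR(csr, ku, otherKey))
}
```

The subset test is `ku &^ declaredKU == 0`: the CertificateRequest may declare more than the CSR asks for, but never less. The key comparison uses the public key's own `Equal` method, so it works for RSA, ECDSA and Ed25519 keys alike and does not depend on any textual encoding.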
v1.12.12
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.12.11
Bugfixes
- BUGFIX: fix issue that caused Vault issuer to not retry signing when an error was encountered. (#7114, @cert-manager-bot)
Other (Cleanup or Flake)
- Upgrade go-jose library to fix CVE-2024-28180 trivy alert. (#7109, @inteon)
- Update github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7099, @ThatsMrTalbot)
v1.12.11
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
📜 Changes since v1.12.10
Other (Cleanup or Flake)
- Updated Go to 1.21.11 bringing in security fixes for archive/zip and net/netip. (#7077, @ThatsMrTalbot)
- Upgrade Go to 1.21.10, fixing GO-2024-2824 (https://github.com/advisories/GHSA-2jwv-jmq4-4j3r). (#7010, @inteon)
v1.12.10
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.10 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @BobyMCbobs for reporting this issue and testing the fix!
It also patches CVE-2023-45288.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
- If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406). This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
Changes
Bug or Regression
- DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge (#6894, @SgtCoDFish)
- Bump golang.org/x/net to address CVE-2023-45288 (#6933, @SgtCoDFish)
v1.12.9
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
- If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406). This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.12.0 release notes
📜 Changes since v1.12.8
Bug or Regression
- Allow `cert-manager.io/allow-direct-injection` in annotations (#6811, @jetstack-bot)
- BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#6813, @inteon)
- BUGFIX: fix race condition due to registering and using global runtime.Scheme variables (#6833, @inteon)
Other (Cleanup or Flake)
- Bump base images to the latest version. (#6843, @jetstack-bot)
- Upgrade go to 1.21.8: fixes CVE-2024-24783 (#6826, @jetstack-bot)
- Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#6830, @inteon)
v1.12.8
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
⚠️ Known Issues
- ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
- If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406). This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
ℹ️ Documentation
Release notes Upgrade notes Installation instructions
🔧 Breaking changes
See Breaking changes in v1.12.0 release notes
📜 Changes since v1.12.7
Bug or Regression
- BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#6773, @jetstack-bot)
Other (Cleanup or Flake)
- Bump go to 1.20.14 (#6733, @SgtCoDFish)
- Cert-manager is now built with Go 1.20.13 (#6629, @SgtCoDFish)
- Fix CVE-2023-48795 by upgrading to golang.org/x/crypto@v0.17.0 (#6678, @wallrj)
- Fix GHSA-7ww5-4wqc-m92c by upgrading to `github.com/containerd/containerd@v1.7.12` (#6689, @wallrj)
v1.12.7
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
- GO-2023-2382: Denial of service via chunk extensions in `net/http`
If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
- CVE-2023-47108: DoS vulnerability in `otelgrpc` due to unbound cardinality metrics.
An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.
Known bugs
If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).
This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
Changes
Feature
Bug or Regression
- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @inteon).
- The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#6506, @inteon).
- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#6506, @inteon).
- Mitigate potential Slowloris attacks by setting `ReadHeaderTimeout` in all `http.Server` instances (#6539, @wallrj).
- Upgrade `otel` and `docker` to fix: `CVE-2023-47108` and `GHSA-jq35-85cj-fj4p` (#6513, @inteon).
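Added example, not cert-manager's implementation, of the four webhook hardening items listed above (the same items appear again in the v1.13 series earlier on this page): the 3 MiB body ceiling is the figure from the notes, while the time-outs, the `harden`/`newServer`/`status` names and the `echo`/`boom` stand-in handlers are this example's own assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// maxBodyBytes is the 3 MiB ceiling from the release notes: a body of this size or
// larger is rejected. The timeouts in newServer are assumed values, not cert-manager's.
const maxBodyBytes = 3 << 20

// Handler is the admission logic being protected; it receives the raw request body.
type Handler func(body []byte) ([]byte, error)

// harden wraps h with the three protections the notes describe:
//   - 413 Content Too Large for a body of maxBodyBytes or more, read through a bounded
//     reader so an oversized request cannot exhaust memory whatever Content-Length says;
//   - 400 Bad Request for an empty body;
//   - 500 Internal Server Error, instead of a crashed process, if h panics.
func harden(h Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in webhook handler: %v", rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		if r.ContentLength >= maxBodyBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Content-Length may be absent (chunked) or wrong, so never read more than the limit.
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "failed to read request body", http.StatusBadRequest)
			return
		}
		if len(body) >= maxBodyBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if len(body) == 0 {
			http.Error(w, "empty request body", http.StatusBadRequest)
			return
		}
		resp, err := h(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(resp)
	})
}

// newServer sets ReadHeaderTimeout, the Slowloris mitigation: a client that trickles
// header bytes without ever completing the request has its connection closed when the
// deadline passes, instead of pinning a server goroutine open indefinitely.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second, // assumed value
		ReadTimeout:       30 * time.Second, // assumed value
		WriteTimeout:      30 * time.Second, // assumed value
		IdleTimeout:       2 * time.Minute,  // assumed value
	}
}

// status drives h in-process with the given body and returns the HTTP status code.
func status(h http.Handler, body []byte) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/validate", bytes.NewReader(body)))
	return rec.Code
}

// echo stands in for the real admission logic, which would decode an AdmissionReview.
func echo(body []byte) ([]byte, error) { return body, nil }

// boom simulates a bug in the admission logic.
func boom([]byte) ([]byte, error) { panic("nil pointer dereference in handler") }

func main() {
	h := harden(echo)
	fmt.Println("empty body:", status(h, nil))                                     // 400
	fmt.Println("3 MiB body:", status(h, bytes.Repeat([]byte("x"), maxBodyBytes))) // 413
	fmt.Println("normal body:", status(h, []byte(`{"kind":"AdmissionReview"}`)))    // 200
	fmt.Println("handler panics:", status(harden(boom), []byte(`{}`)))             // 500
	fmt.Println("ReadHeaderTimeout:", newServer(":10250", h).ReadHeaderTimeout)
}
```

The declared Content-Length is only a fast path; the `io.LimitReader` is what actually bounds memory, because a client can omit or misstate the header. The `recover` sits in a deferred function so that a panic in the admission logic produces a 500 for that one request while the process keeps serving.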
Dependencies
Added
- `cloud.google.com/go/dataproc/v2`: v2.0.1
Changed
- `cloud.google.com/go/aiplatform`: v1.45.0 → v1.48.0
- `cloud.google.com/go/analytics`: v0.21.2 → v0.21.3
- `cloud.google.com/go/baremetalsolution`: v0.5.0 → v1.1.1
- `cloud.google.com/go/batch`: v0.7.0 → v1.3.1
- `cloud.google.com/go/beyondcorp`: v0.6.1 → v1.0.0
- `cloud.google.com/go/bigquery`: v1.52.0 → v1.53.0
- `cloud.google.com/go/cloudbuild`: v1.10.1 → v1.13.0
- `cloud.google.com/go/cloudtasks`: v1.11.1 → v1.12.1
- `cloud.google.com/go/compute`: v1.21.0 → v1.23.0
- `cloud.google.com/go/contactcenterinsights`: v1.9.1 → v1.10.0
- `cloud.google.com/go/container`: v1.22.1 → v1.24.0
- `cloud.google.com/go/datacatalog`: v1.14.1 → v1.16.0
- `cloud.google.com/go/dataplex`: v1.8.1 → v1.9.0
- `cloud.google.com/go/datastore`: v1.12.1 → v1.13.0
- `cloud.google.com/go/datastream`: v1.9.1 → v1.10.0
- `cloud.google.com/go/deploy`: v1.11.0 → v1.13.0
- `cloud.google.com/go/dialogflow`: v1.38.0 → v1.40.0
- `cloud.google.com/go/documentai`: v1.20.0 → v1.22.0
- `cloud.google.com/go/eventarc`: v1.12.1 → v1.13.0
- `cloud.google.com/go/firestore`: v1.11.0 → v1.12.0
- `cloud.google.com/go/gkebackup`: v0.4.0 → v1.3.0
- `cloud.google.com/go/gkemulticloud`: v0.6.1 → v1.0.0
- `cloud.google.com/go/kms`: v1.12.1 → v1.15.0
- `cloud.google.com/go/maps`: v0.7.0 → v1.4.0
- `cloud.google.com/go/metastore`: v1.11.1 → v1.12.0
- `cloud.google.com/go/policytroubleshooter`: v1.7.1 → v1.8.0
- `cloud.google.com/go/pubsub`: v1.32.0 → v1.33.0
- `cloud.google.com/go/run`: v0.9.0 → v1.2.0
- `cloud.google.com/go/servicedirectory`: v1.10.1 → v1.11.0
- `cloud.google.com/go/speech`: v1.17.1 → v1.19.0
- `cloud.google.com/go/translate`: v1.8.1 → v1.8.2
- `cloud.google.com/go/video`: v1.17.1 → v1.19.0
- `cloud.google.com/go/vmwareengine`: v0.4.1 → v1.0.0
- `cloud.google.com/go`: v0.110.4 → v0.110.7
- `github.com/felixge/httpsnoop`: v1.0.3 → v1.0.4
- `github.com/go-logr/logr`: v1.2.4 → v1.3.0
- `github.com/golang/glog`: v1.1.0 → v1.1.2
- `github.com/google/go-cmp`: v0.5.9 → v0.6.0
- `github.com/google/uuid`: v1.3.0 → v1.3.1
- `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc`: v0.45.0 → v0.46.0
- `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`: v0.44.0 → v0.46.0
- `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/exporters/otlp/otlptrace`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/metric`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/sdk`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel/trace`: v1.19.0 → v1.20.0
- `go.opentelemetry.io/otel`: v1.19.0 → v1.20.0
- `go.uber.org/goleak`: v1.2.1 → v1.3.0
- `golang.org/x/oauth2`: v0.10.0 → v0.11.0
- `golang.org/x/sys`: v0.13.0 → v0.14.0
- `google.golang.org/genproto/googleapis/api`: 782d3b1 → b8732ec
- `google.golang.org/genproto/googleapis/rpc`: 782d3b1 → b8732ec
- `google.golang.org/genproto`: 782d3b1 → b8732ec
- `google.golang.org/grpc`: v1.58.3 → v1.59.0
Removed
- `cloud.google.com/go/dataproc`: v1.12.0
v1.12.6
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.6 fixes some CVE alerts and a Venafi issuer bug.
Known bugs
If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).
This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
Changes since v1.12.5
Bug or Regression
- Bump golang.org/x/net v0.15.0 => v0.17.0 as part of addressing CVE-2023-44487 / CVE-2023-39325 (#6431, @SgtCoDFish)
- The Venafi issuer now properly resets the certificate and should no longer get stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. (#6401, @maelvls)
Other (Cleanup or Flake)
- Bump go to 1.20.10 to address CVE-2023-39325. Also bumps base images. (#6412, @SgtCoDFish)
v1.12.5
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.5 contains a backport for a name collision bug that was found in v1.13.0.
Changes since v1.12.4
Bug or Regression
- BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. (#6359, @jetstack-bot)
Other (Cleanup or Flake)
- Updated base images to the latest version. (#6372, @inteon)
- Upgrade Go from 1.20.7 to 1.20.8. (#6371, @jetstack-bot)
v1.12.4
v1.12.4 contains an important security fix that addresses CVE-2023-29409.
Changes since v1.12.3
- Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's `net.IP.String()` function would have printed that address. (#6297, @SgtCoDFish)
- Use Go 1.20.7 to fix a security issue in Go's `crypto/tls` library. (#6318, @maelvls)
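Added Go example, not cert-manager's code, of the IP comparison issue fixed above (#6297 here, #6293 in v1.13.0): a re-issuance check that compares the Certificate's requested IP SANs with the issued certificate's as strings reports a mismatch whenever the same address is spelled differently, so certificates get needlessly re-issued. The names `naiveSameIPs`, `canonicalIPs` and `sameIPs` and the sample addresses are this example's own; it uses `net/netip` for the value comparison, which gives the same result as `net.IP.Equal`.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// naiveSameIPs compares two IP lists as strings. This is the failure mode the notes
// describe: the same IPv6 address written two ways (or differently from how Go's
// net.IP.String() prints it) compares unequal, so an identical certificate looks stale.
func naiveSameIPs(want, have []string) bool {
	if len(want) != len(have) {
		return false
	}
	w, h := append([]string(nil), want...), append([]string(nil), have...)
	sort.Strings(w)
	sort.Strings(h)
	for i := range w {
		if w[i] != h[i] {
			return false
		}
	}
	return true
}

// canonicalIPs parses each string as an address and returns the canonical textual
// forms, unmapping IPv4-in-IPv6 so that ::ffff:192.0.2.1 and 192.0.2.1 compare equal
// (net.IP.Equal treats them as equal too). Anything unparsable is an error, not a mismatch.
func canonicalIPs(ips []string) ([]string, error) {
	out := make([]string, 0, len(ips))
	for _, s := range ips {
		addr, err := netip.ParseAddr(s)
		if err != nil {
			return nil, fmt.Errorf("invalid IP address %q: %w", s, err)
		}
		out = append(out, addr.Unmap().String())
	}
	return out, nil
}

// sameIPs reports whether both lists denote the same set of addresses, regardless of
// how each address was spelled; this is the comparison a re-issuance check should use.
func sameIPs(want, have []string) (bool, error) {
	w, err := canonicalIPs(want)
	if err != nil {
		return false, err
	}
	h, err := canonicalIPs(have)
	if err != nil {
		return false, err
	}
	return naiveSameIPs(w, h), nil
}

func main() {
	// Constructed sample: the Certificate spec lists the address in compressed form,
	// the issued certificate carries it fully expanded and upper-cased.
	spec := []string{"2001:db8::1", "192.0.2.1"}
	issued := []string{"2001:0DB8:0000:0000:0000:0000:0000:0001", "::ffff:192.0.2.1"}
	fmt.Println("string comparison:", naiveSameIPs(spec, issued)) // false, would trigger re-issuance
	same, err := sameIPs(spec, issued)
	fmt.Println("address comparison:", same, err) // true <nil>
}
```

Treating an unparsable entry as an error rather than as "not equal" matters for a reconciler: a silent mismatch would cause repeated re-issuance, while an error surfaces the bad spec value once.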
v1.12.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.3 contains a bug fix for the cainjector which addresses a memory leak!
Changes since v1.12.2
Bugfixes
- BUGFIX[cainjector]: 1-character bug was causing invalid log messages and a memory leak (#6235, @jetstack-bot)
v1.12.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.2 is a bugfix release, but includes a known issue and you should prefer the latest patch release!
Known issues
- cainjector contains a memory leak in v1.12.0, v1.12.1 and v1.12.2 due to re-assignment of a log variable (see https://github.com/cert-manager/cert-manager/issues/6217). The fix was released in v1.12.3. See https://github.com/cert-manager/cert-manager/pull/6232 for further context.
Changes since v1.12.1
Bugfixes
- BUGFIX: `cmctl check api --wait 0` exited without output; we now make sure we perform the API check at least once (#6116, @jetstack-bot)
v1.12.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.1 release contains a couple dependency bumps and changes to ACME external webhook library.
Known issues
- `cmctl` API check is broken in v1.12.0 and v1.12.1. We suggest that you do not upgrade `cmctl` to this version. The fix was released in v1.12.2 (which has an additional issue, see below). See #6116 for context.
- cainjector contains a memory leak in v1.12.0, v1.12.1 and v1.12.2 due to re-assignment of a log variable (see https://github.com/cert-manager/cert-manager/issues/6217). The fix was released in v1.12.3. See https://github.com/cert-manager/cert-manager/pull/6232 for further context.
Changes since v1.12.0
Other (Cleanup or Flake)
- Don't run API Priority and Fairness controller in webhook's extension apiserver (#6085, @irbekrm)
- Adds a warning for folks to not use controller feature gates helm value to configure webhook feature gates (#6100, @irbekrm)
Uncategorized
- Updates Kubernetes libraries to `v0.27.2`. (#6077, @lucacome)
- Updates controller-runtime to `v0.15.0` (#6098, @lucacome)
v1.12.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field.
The full release notes are available at https://cert-manager.io/docs/release-notes/release-notes-1.12.
Known issues
- `cmctl` API check is broken in v1.12.0 and v1.12.1. We suggest that you do not upgrade `cmctl` to this version. The fix was released in v1.12.2 (which has an additional issue, see below). See #6116 for context.
- cainjector contains a memory leak in v1.12.0, v1.12.1 and v1.12.2 due to re-assignment of a log variable (see https://github.com/cert-manager/cert-manager/issues/6217). The fix was released in v1.12.3. See https://github.com/cert-manager/cert-manager/pull/6232 for further context.
Community
Thanks again to all open-source contributors with commits in this release, including:
- @malovme
- @e96wic
- @ExNG
- @waterfoul
- @jkroepke
- @andrewsomething
- @yulng
- @tobotg
- @maumontesilva
- @avi-08
- @vinzent
- @TrilokGeer
- @g-gaston
- @james-callahan
- @lucacome
- @yanggangtony
- @vidarno
- @ctrought
- @Robfz
- @dsonck92
- @rayandas
- @olekfur
- @ptrc-n
- @bradjones1
- @gdvalle
Thanks also to the following cert-manager maintainers for their contributions during this release:
Equally thanks to everyone who provided feedback, helped users and raised issues on Github and Slack, joined our meetings and talked to us at Kubecon!
Special thanks to @erikgb for continuously great input and feedback and to @lucacome for always ensuring that our kube deps are up to date!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
Changes by Kind
Feature
- POTENTIALLY BREAKING: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. (#5880, @SgtCoDFish)
- Added support for JSON logging (using --logging-format=json) (#5828, @malovme)
- Added the `--concurrent-workers` flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon)
- Adds `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme)
- Cainjector:
  - New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled.
  - The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. (#5766, @irbekrm)
- Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#3931, @e96wic)
- Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. (#5788, @ExNG)
- Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. (#5668, @waterfoul)
- Helm: you can now enable the flags `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` through Helm values. (#5614, @jkroepke)
- The DigitalOcean issuer now sets a cert-manager user agent string. (#5869, @andrewsomething)
- The HTTP-01 solver can now be configured to create Ingresses with an `ingressClassName`. The credit goes to @dsonck92 for implementing the initial MR. (#5849, @maelvls)
- The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new `serviceAccountRef` field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls)
- The cert-manager controller container of the controller Pod now has a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#5962, @wallrj)
- Upgraded Gateway API to v0.6.0. (#5768, @yulng)
- Webhook now logs requests to mutating/validating webhook (with `--v=5` flag) (#5975, @tobotg)
Design
- Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. This is not necessarily a breaking change as due to a race condition this may already have been the case. (#5887, @irbekrm)
- The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. (#5991, @inteon)
Documentation
- Helm: the dead links in `values.yaml` are now working (#5999, @SgtCoDFish)
Bug or Regression
- Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#5896, @maumontesilva)
- Cmctl: In order to work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the helm template when running `cmctl x install`. (#5720, @irbekrm)
- Fix development environment and go vendoring on Linux arm64. (#5810, @SgtCoDFish)
- Fix ordering of remote git tags when preparing integration tests (#5910, @SgtCoDFish)
- Helm: the flag `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. (#5693, @SgtCoDFish)
- Ingress and Gateway resources will not be synced if deleted via foreground cascading. (#5878, @avi-08)
- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slow down the issuance of certificates by 9% in case of heavy load on TPP. We aim to release a patch release of cert-manager at a later date to fix this slowdown. (#5805, @inteon)
- Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images (#5813, @SgtCoDFish)
- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set the `ca.crt` in the Secret resource, cert-manager no longer loops trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. (#5972, @vinzent)
- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. (#5747, @inteon)
Other (Cleanup or Flake)
- ACME account registration is now re-verified if account key is manually changed. (#5949, @TrilokGeer)
- Add `make go-workspace` target for generating a go.work file for local development (#5935, @SgtCoDFish)
- Added a Makefile target to build a standalone E2E test binary: `make e2e-build` (#5804, @wallrj)
- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#5724, @g-gaston)
- Bump the distroless base images (#5929, @maelvls)
- Bumps base images (#5793, @irbekrm)
- Cainjector memory improvements: removes the second cache of secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices, which should reduce memory consumption by about half. **BREAKING:** users who are relying on cainjector to work when the `certificates.cert-manager.io` CRD is not installed in the cluster now need to pass the `--watch-certificates=false` flag to cainjector, else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of `Certificate` resources in the cluster can pass `--watch-certificates=false` to stop cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm)
- Cainjector now only reconciles annotated objects of injectable kind. (#5764, @irbekrm)
- Container images now have an OCI source label (#5722, @james-callahan)
- Enable cmctl to be imported by third parties (#6050, @jetstack-bot)
- The acmesolver pods created by cert-manager now have `automountServiceAccountToken` turned off. (#5754, @wallrj)
- The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind the `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that the cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm)
- The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. (#5966, @irbekrm)
- The controller now makes fewer calls to the ACME server. POTENTIALLY BREAKING: this MR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm)
- The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. (#5976, @irbekrm)
- The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. (#6006, @vidarno)
- Updates Kubernetes libraries to `v0.26.2`. (#5820, @lucacome)
- Updates Kubernetes libraries to `v0.26.3`. (#5907, @lucacome)
- Updates Kubernetes libraries to `v0.27.1`. (#5961, @lucacome)
- Updates base images (#5832, @irbekrm)
- Upgrade to Go 1.20 (#5969, @wallrj)
- Upgrade to go 1.19.5 (#5712, @yanggangtony)
- Validates that `certificate.spec.secretName` is a valid `Secret` name (#5967, @avi-08)
- We are now testing with Kubernetes v1.27.1 by default. (#5979, @irbekrm)
- `certificate.spec.secretName` Secrets will now be labelled with the `controller.cert-manager.io/fao` label (#5660, @irbekrm)
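The `SecretsFilteredCaching` note above puts the burden on the operator: any issuer Secret that is not labelled `controller.cert-manager.io/fao: true` is fetched from kube-apiserver on every use instead of being served from the controller's cache. Before enabling the gate you therefore want the list of Secrets your Issuers and ClusterIssuers actually reference. The program below is an added example and not cert-manager's own code: it walks the JSON that `kubectl get issuers,clusterissuers -A -o json` prints (assumed shape; the embedded sample is constructed, not a real cluster dump) and emits one `kubectl label` command per referenced Secret. The heuristic that every spec key ending in `SecretRef`, the CA issuer's `secretName` and the Venafi TPP `credentialsRef` name a Secret is this example's assumption, as is the use of `cert-manager` as the cluster resource namespace for ClusterIssuer Secrets.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SecretRef is a Secret that an Issuer or ClusterIssuer reads during issuance.
type SecretRef struct {
	Namespace, Name string
}

// isSecretRefKey is this example's heuristic, not cert-manager's own logic: keys ending in
// "SecretRef" (privateKeySecretRef, tokenSecretRef, apiTokenSecretRef, caBundleSecretRef, the
// DNS-01 solver credential refs, ...) and the Venafi TPP "credentialsRef" hold {"name": <Secret>}.
func isSecretRefKey(key string) bool {
	return strings.HasSuffix(strings.ToLower(key), "secretref") || key == "credentialsRef"
}

// walk collects Secret references from a decoded Issuer spec; "secretName" (CA issuer) is a bare string.
func walk(node interface{}, ns string, out map[SecretRef]struct{}) {
	switch v := node.(type) {
	case map[string]interface{}:
		for key, child := range v {
			if key == "secretName" {
				if name, ok := child.(string); ok {
					out[SecretRef{ns, name}] = struct{}{}
				}
			} else if isSecretRefKey(key) {
				if ref, ok := child.(map[string]interface{}); ok {
					if name, ok := ref["name"].(string); ok {
						out[SecretRef{ns, name}] = struct{}{}
					}
				}
			}
			walk(child, ns, out)
		}
	case []interface{}:
		for _, child := range v {
			walk(child, ns, out)
		}
	}
}

// ReferencedSecrets parses a kubectl JSON list of Issuers and ClusterIssuers and returns every
// referenced Secret, sorted by namespace then name. ClusterIssuer Secrets live in the namespace
// given by the controller's --cluster-resource-namespace flag, which the caller passes in.
func ReferencedSecrets(listJSON []byte, clusterResourceNamespace string) ([]SecretRef, error) {
	var list struct {
		Items []struct {
			Kind     string `json:"kind"`
			Metadata struct {
				Namespace string `json:"namespace"`
			} `json:"metadata"`
			Spec interface{} `json:"spec"`
		} `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	found := map[SecretRef]struct{}{}
	for _, item := range list.Items {
		ns := item.Metadata.Namespace
		switch item.Kind {
		case "ClusterIssuer":
			ns = clusterResourceNamespace
		case "Issuer":
			if ns == "" {
				return nil, fmt.Errorf("Issuer without a namespace")
			}
		default:
			return nil, fmt.Errorf("unexpected kind %q", item.Kind)
		}
		walk(item.Spec, ns, found)
	}
	refs := make([]SecretRef, 0, len(found))
	for r := range found {
		refs = append(refs, r)
	}
	sort.Slice(refs, func(i, j int) bool {
		if refs[i].Namespace != refs[j].Namespace {
			return refs[i].Namespace < refs[j].Namespace
		}
		return refs[i].Name < refs[j].Name
	})
	return refs, nil
}

// LabelCommands renders one kubectl command per Secret, applying the label the release note names.
func LabelCommands(refs []SecretRef) []string {
	cmds := make([]string, 0, len(refs))
	for _, r := range refs {
		cmds = append(cmds, fmt.Sprintf("kubectl label secret -n %s %s controller.cert-manager.io/fao=true --overwrite", r.Namespace, r.Name))
	}
	return cmds
}

// sampleIssuerList is constructed input in the shape of `kubectl get issuers,clusterissuers -A -o json`.
const sampleIssuerList = `{"items": [
 {"kind": "Issuer", "metadata": {"name": "letsencrypt", "namespace": "web"},
  "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
   "privateKeySecretRef": {"name": "letsencrypt-account-key"},
   "solvers": [{"dns01": {"route53": {"region": "eu-west-1",
     "accessKeyIDSecretRef": {"name": "route53-creds", "key": "access-key-id"},
     "secretAccessKeySecretRef": {"name": "route53-creds", "key": "secret-access-key"}}}}]}}},
 {"kind": "ClusterIssuer", "metadata": {"name": "vault"},
  "spec": {"vault": {"server": "https://vault.example.internal", "path": "pki/sign/k8s",
   "caBundleSecretRef": {"name": "vault-ca", "key": "ca.crt"},
   "auth": {"tokenSecretRef": {"name": "vault-token", "key": "token"}}}}},
 {"kind": "Issuer", "metadata": {"name": "internal-ca", "namespace": "platform"},
  "spec": {"ca": {"secretName": "internal-ca-keypair"}}}
]}`

func main() {
	refs, err := ReferencedSecrets([]byte(sampleIssuerList), "cert-manager")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, cmd := range LabelCommands(refs) {
		fmt.Println(cmd)
	}
}
```

Run it against a real dump by replacing `sampleIssuerList` with the bytes from `kubectl get issuers,clusterissuers -A -o json` and review the commands before executing them; `--overwrite` keeps the run idempotent.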
Uncategorized
- We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. (#6000, @SgtCoDFish)
v1.11.5
v1.11.5 contains an important security fix that addresses CVE-2023-29409.
Changes since v1.11.4
v1.11.4
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.11.4 contains some version bumps to address reported CVEs (although we don't expect that cert-manager was actually vulnerable to anything!)
Changes by Kind
Other (Cleanup or Flake)
- Resolved docker/docker trivy CVE alert (#6164, @inteon)
- Upgraded base images (#6128, @SgtCoDFish)
Dependencies
Changed
- github.com/docker/distribution: v2.8.1+incompatible → v2.8.2+incompatible
v1.11.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.11.3 mostly contains ACME library changes. API Priority and Fairness feature is now disabled in the external webhook's extension apiserver.
Changes by Kind
Other (Cleanup or Flake)
- API Priority and Fairness controller is now disabled in extension apiserver for DNS webhook implementation. (#6092, @irbekrm)
- Adds a warning for folks to not use controller feature gates helm value to configure webhook feature gates (#6101, @irbekrm)
v1.11.2
Changelog since v1.11.1
Changes by Kind
Bug or Regression
- Build with go 1.19.9 (#6014, @SgtCoDFish)
Other (Cleanup or Flake)
- Bumps Docker libraries to fix vulnerability scan alert for CVE-2023-28840, CVE-2023-28841, CVE-2023-28842 (#6037, @irbekrm). Cert-manager was not actually affected by these CVEs, which are all to do with the Docker daemon's overlay network.
- Bumps Kube libraries v0.26.0 -> v0.26.4 (#6038, @irbekrm). This might help with running cert-manager v1.11 on Kubernetes v1.27, see #6038
v1.11.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
In v1.11.1, we updated the base images used for cert-manager containers. In addition, the users of the Venafi issuer will see less certificates repeatedly failing.
If you are a user of Venafi TPP and have been having issues with the error message `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry`, please use this version.
Changes since v1.11.0
Bug or Regression
- Bump helm and other dependencies to fix CVEs, along with upgrading go and base images (#5815, @SgtCoDFish)
- Bump the distroless base images (#5930, @maelvls)
- The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slow down the issuance of certificates by 9% in case of heavy load on TPP. We aim to release a patch release of cert-manager at a later date to fix this slowdown. (#5819, @maelvls)
- Use a fake kube-apiserver version when generating the helm template in `cmctl x install`, to work around a hardcoded Kubernetes version in Helm. (#5726, @SgtCoDFish)
Other (Cleanup or Flake)
- Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#5730, @SgtCoDFish)
v1.11.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.11.0 includes a drastic reduction in cert-manager's runtime memory usage, a slew of improvements to AKS integrations and various other tweaks, fixes and improvements, all towards cert-manager's goal of being the best way to handle certificates in modern Cloud Native applications.
Community
Thanks again to all open-source contributors with commits in this release, including:
- @cmcga1125
- @karlschriek
- @lvyanru8200
- @mmontes11
- @pinkfloydx33
- @sathyanarays
- @weisdd
- @yann-soubeyrand
- @joycebrum
- @Git-Jiro
- @thib-mary
- @yk
- @RomanenkoDenys
- @lucacome
- @yanggangtony
Thanks also to the following cert-manager maintainers for their contributions during this release:
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.
v1.10
Changes since cert-manager For an overview of new features, see the v1.11 release notes!
Feature
- Helm: allow configuring the image used by ACME HTTP-01 solver (#5554, @yann-soubeyrand)
- Add the `--max-concurrent-challenges` controller flag to the helm chart (#5638, @lvyanru8200)
- Adds the ability to specify a custom CA bundle in Issuers when connecting to an ACME server (#5644, @SgtCoDFish)
- Enable testing against Kubernetes 1.26 and test with Kubernetes 1.26 by default (#5646, @SgtCoDFish)
- Experimental make targets for pushing images to an OCI registry using `ko` and redeploying cert-manager to the cluster referenced by your current KUBECONFIG context. (#5655, @wallrj)
- Add ability to run acmesolver pods as root if desired. The default is still to run as non-root. (#5546, @cmcga1125)
- Add support for DC and UID in the `LiteralSubject` field; all mandatory OIDs are now supported for LDAP certificates (rfc4514). (#5587, @SpectralHiss)
- Add support for Workload Identity to AzureDNS resolver (#5570, @weisdd)
- Breaking: updates the gateway API integration to use the more stable v1beta1 API version. Any users of the cert-manager `ExperimentalGatewayAPISupport` alpha feature must ensure that `v1beta` of Gateway API is installed in cluster. (#5583, @lvyanru8200)
- Certificate secrets get refreshed if the keystore format changes (#5597, @sathyanarays)
- Introducing UseCertificateRequestBasicConstraints feature flag to enable Basic Constraints in the Certificate Signing Request (#5552, @sathyanarays)
- Return error when Gateway has a cross-namespace secret ref (#5613, @mmontes11)
- Signers fire an event on CertificateRequests which have not been approved yet. Used for informational purposes so users understand why a request is not progressing. (#5535, @JoshVanL)
Bug or Regression
- Don't log errors relating to self-signed issuer checks for external issuers (#5681, @SgtCoDFish)
- Fixed a bug in AzureDNS resolver that led to early reconciliations in misconfigured Workload Identity-enabled setups (when Federated Identity Credential is not linked with a controller's k8s service account) (#5663, @weisdd)
- Use manually specified temporary directory template when verifying CRDs (#5680, @SgtCoDFish)
- `vcert` was upgraded to `v4.23.0`, fixing two bugs in cert-manager. The first bug prevented the Venafi issuer from renewing certificates when using TPP; you should no longer see your certificates getting stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. The second bug prevented the use of `algorithm: Ed25519` in Certificate resources with VaaS. (#5674, @maelvls)
- Upgrade `golang/x/net` to fix CVE-2022-41717 (#5632, @SgtCoDFish)
- Bug fix: When using feature gates with the helm chart, enable feature gate flags on webhook as well as controller (#5584, @lvyanru8200)
- Fix `golang.org/x/text` vulnerability (#5562, @SgtCoDFish)
- Fixes a bug that caused the Vault issuer to omit the Vault namespace in requests to the Vault API. (#5591, @wallrj)
- The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#5568, @wallrj)
- Upgrade to go 1.19.4 to fix CVE-2022-41717 (#5619, @SgtCoDFish)
- Upgrade to latest go minor release (#5559, @SgtCoDFish)
- Ensure `extraArgs` in Helm takes precedence over the new acmesolver image options (#5702, @SgtCoDFish)
- Fix cainjector's --namespace flag. Users who want to prevent cainjector from reading all Secrets and Certificates in all namespaces (i.e. to prevent excessive memory consumption) can now scope it to a single namespace using the --namespace flag. A cainjector that is only used as part of cert-manager installation only needs access to the cert-manager installation namespace. (#5694, @irbekrm)
- Fixes a bug where cert-manager controller was caching all Secrets twice (#5691, @irbekrm)
Other
- `certificate.spec.secretName` Secrets will now be labelled with the `controller.cert-manager.io/fao` label (#5703, @irbekrm)
- Upgrade to go 1.19.5 (#5714, @yanggangtony)
Known issues
- There is a bug in conformance tests for external DNS webhook implementations that was introduced in this release, see https://github.com/cert-manager/cert-manager/issues/5725 If you are importing cert-manager as a library to run conformance tests against your DNS webhook solver implementation, please make sure that you import a version with a fix, see https://github.com/cert-manager/cert-manager/issues/5725#issuecomment-1397245757
v1.10.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.10.2 is primarily a performance enhancement release which might reduce memory consumption by up to 50% in some cases thanks to some brilliant work by @irbekrm!
It also patches several vulnerabilities reported by scanners and updates the base images used for cert-manager containers. In addition, it removes a potentially confusing log line which had been introduced in v1.10.0 which implied that an error had occurred when using external issuers even though there'd been no error.
v1.10.1
Changes since Feature
- Enable support for Kubernetes 1.26 in tests (#5647, @SgtCoDFish)
Bug or Regression
- Fixes a bug where the cert-manager controller was caching all Secrets twice (#5704, @irbekrm)
- Bump helm version to fix CVE-2022-23525 (#5676, @SgtCoDFish)
- Don't log errors relating to selfsigned issuer checks for external issuers (#5687, @SgtCoDFish)
- Fix `golang.org/x/text` vulnerability (#5592, @SgtCoDfish)
- Upgrade golang/x/net to fix CVE-2022-41717 (#5635, @SgtCoDFish)
- Upgrade to go 1.19.4 to fix CVE-2022-41717 (#5620, @SgtCoDfish)
- Use manually specified tmpdir template when verifying CRDs (#5682, @SgtCoDFish)
Other (Cleanup or Flake)
- Bump distroless base images to latest versions (#5677, @SgtCoDFish)
v1.10.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.10.1 is a bug fix release which fixes a problem which prevented the Venafi Issuer from connecting to TPP servers where the vedauth API endpoints were configured to accept client certificates. It is also compiled with a newer version of Go 1.19 (v1.19.3) which fixes some vulnerabilities in the Go standard library.
v1.10.0
Changes since
Bug or Regression
- The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the `vedauth` API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#5576, @wallrj)
- Upgrade to latest go patch release (#5560, @SgtCoDFish)
v1.10.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Version 1.10 adds a variety of quality-of-life fixes and features including improvements to the test suite.
Changes since v1.9.1
Breaking Changes (You MUST read this before you upgrade!)
Container Name Changes
This change is only relevant if you install cert-manager using Helm or the static manifest files. v1.10.0 changes the names of containers in pods created by cert-manager.
The names are changed to better reflect what they do; for example, the container in the controller pod had its name changed from `cert-manager` to `cert-manager-controller`, and the webhook pod had its container name changed from `cert-manager` to `cert-manager-webhook`.
This change could cause a break if you:
- Use Helm or the static manifests, and
- Have scripts, tools or tasks which rely on the names of the cert-manager containers being static
If both of these are true, you may need to update your automation before you upgrade.
On OpenShift the cert-manager Pods may fail until you modify Security Context Constraints
In cert-manager 1.10 the secure computing (seccomp) profile for all the Pods is set to RuntimeDefault. (See cert-manager#5259.) The securityContext fields of the Pod are set as follows:
```yaml
...
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  seccompProfile:
    type: RuntimeDefault
...
```
On some versions and configurations of OpenShift this can cause the Pod to be rejected by the Security Context Constraints admission webhook. Read full release notes to learn if this might affect you and how to fix it.
Feature
- Add `issuer_name`, `issuer_kind` and `issuer_group` labels to `certificate_expiration_timestamp_seconds`, `certmanager_certificate_renewal_timestamp_seconds` and `certmanager_certificate_ready_status` metrics (#5461, @dkulchinsky)
- Add make targets for running scans with trivy against locally built containers (#5358, @SgtCoDFish)
- CertificateRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed `cert-manager.io/private-key-secret-name`. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. (#5336, @JoshVanL)
- CertificateSigningRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed `experimental.cert-manager.io/private-key-secret-name`. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. CertificateSigningRequests will also now no longer be marked as failed when the target private key Secret is malformed; only an event is fired. When the Secret data is resolved, the request will attempt issuance. (#5379, @JoshVanL)
- Upgraded Gateway API to v0.5.0 (#5376, @inteon)
- Add caBundleSecretRef to the Vault Issuer to allow referencing the Vault CA Bundle with a Secret. Cannot be used in conjunction with the in-line caBundle field. (#5387, @Tolsto)
- The feature to create certificate requests with the name being a function of certificate name and revision has been introduced under the feature flag "StableCertificateRequestName" and it is disabled by default. This helps to prevent the error "multiple CertificateRequests were found for the 'next' revision...". (#5487, @sathyanarays)
- Helm: Added a new parameter `commonLabels` which gives you the capability to add the same label on all the resources deployed by the chart. (#5208, @thib-mary)
Bug or Regression
- CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in `experimental.cert-manager.io/private-key-secret-name` doesn't exist. (#5323, @JoshVanL)
- DNS Route53: Remove incorrect validation which rejects solvers that don't define either a `accessKeyID` or `secretAccessKeyID`. (#5339, @JoshVanL)
- Enhanced securityContext for PSS/restricted compliance. (#5259, @joebowbeer) Breaking: this might require changes for OpenShift deployments. Read full release notes to learn more.
- Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests (#5366, @munnerz)
- `cmctl` and `kubectl cert-manager` now report their actual versions instead of "canary", fixing issue #5020 (#5022, @maelvls)
Other
- Avoid hard-coding release namespace in helm chart (#5163, @james-callahan)
- Bump cert-manager's version of Go to `1.19` (#5466, @lucacome)
- Remove `.bazel` and `.bzl` files from cert-manager now that bazel has been fully replaced (#5340, @SgtCoDFish)
- Updates Kubernetes libraries to `v0.25.2`. (#5456, @lucacome)
- Add annotations for ServiceMonitor in helm chart (#5401, @sathieu)
- Helm: Add NetworkPolicy support (#5417, @mjudeikis)
- To help troubleshooting, make the container names unique. BREAKING: this change will break scripts/CI that depend on `cert-manager` being the container name. (#5410, @rgl)
Thank You!
Thank you to the following community members who had a merged MR for this version - your contributions are at the heart of everything we do!
- @joebowbeer
- @rgl
- @lucacome
- @sathieu
- @mjudeikis
- @james-callahan
- @dkulchinsky
- @thib-mary
- @Tolsto
- @sathyanarays
Thanks also to the following maintainers who worked on cert-manager 1.10:
v1.9.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager v1.9.2 is a bug fix release which fixes an issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests, and a problem which prevented the Venafi Issuer from connecting to TPP servers where the `vedauth` API endpoints were configured to accept client certificates.
It is also compiled with a newer version of Go 1.18 (`v1.18.8`) which fixes some vulnerabilities in the Go standard library.
v1.9.1
Changes since
Bug or Regression
- Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests. (#5371, @munnerz)
- The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the `vedauth` API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#5577, @wallrj)
- Upgrade to latest go patch release. (#5561, @SgtCoDFish)
v1.9.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Version 1.9.1 is a bugfix release which removes an incorrect check in the Route53 DNS solver. This accidental change prevented the use of credentials derived from instance metadata or AWS pod metadata.
Thanks to @danquack and @ArchiFleKs for raising this issue, and @danquack and @JoshVanL for fixing it!
Changes since v1.9.0
Bug
- DNS Route53: Remove incorrect validation which rejects solvers that don't define either a `accessKeyID` or `secretAccessKeyID`. (#5341, @JoshVanL @danquack)
v1.9.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
The new version adds alpha support for using cert-manager `Certificate`s in scenarios where the ordering of the Relative Distinguished Names (RDN) sequence that constitutes an X.509 certificate's subject needs to be preserved; improves the ability to configure the `Certificate` created via ingress-shim using annotations on the `Ingress` resource; introduces various changes/improvements in contributor flow; and finishes the new make-based contributor workflow.
Major Themes
Literal Certificate Subjects
cert-manager's `Certificate` allows users to configure the subject fields of the X.509 certificate via the `spec.subject` and `spec.commonName` fields. The X.509 spec states that the subject is an (ordered) sequence of Relative Distinguished Names (RDN).
cert-manager does not strictly abide by this spec when encoding the subject fields from the `Certificate` spec. For example, the order of the RDN sequence may not be preserved. This is because cert-manager uses Go's libraries for X.509 certificates, and the Go libraries don't preserve ordering.
For the vast majority of users this does not matter, but there are specific cases that require defining the exact ordered RDN sequence. For example, if the certificate is used for LDAP authentication and the RDN sequence represents a location in the LDAP directory tree. See cert-manager#3203.
For these use cases, a new alpha `LiteralSubject` field has been added to the `Certificate` spec where users can pass a literal RDN sequence:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test
spec:
  secretName: test
  literalSubject: "C=US,O=myOrg,CN=someName"
```
To use this field, the alpha feature gate `LiteralCertificateSubject` needs to be enabled on both the cert-manager controller and webhook. Bear in mind that `spec.literalSubject` is mutually exclusive with `spec.commonName` and `spec.subject`.
This feature is aimed at the specific scenario where an exact RDN sequence needs to be defined. We do not intend to deprecate the existing `spec.subject` and `spec.commonName` fields and we recommend that folks keep using those fields in all other cases; they're simpler, have better validation and are more obvious to read and change.
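The ordering problem described above is easy to reproduce with Go's standard library, which is what makes it worth seeing rather than reading about. The program below is an added example, not cert-manager's code: it encodes the same three attributes once through `pkix.Name` (the `spec.subject` / `spec.commonName` path, whose `ToRDNSequence` always emits a fixed attribute order) and once as an explicit `pkix.RDNSequence` built from the literal string, then decodes both DER encodings and reports the order a relying party such as an LDAP server would actually see. The parser is deliberately minimal (no RFC 4514 escaping, no multi-valued RDNs) and follows RFC 4514's rule that the string lists RDNs in reverse of their encoded order; how cert-manager itself maps the string is not shown on this page and is not claimed here.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)

// Attribute types this example understands (RFC 4514 short names -> X.500 OIDs).
var oidByAttr = map[string]asn1.ObjectIdentifier{
	"CN":  {2, 5, 4, 3},
	"C":   {2, 5, 4, 6},
	"L":   {2, 5, 4, 7},
	"ST":  {2, 5, 4, 8},
	"O":   {2, 5, 4, 10},
	"OU":  {2, 5, 4, 11},
	"DC":  {0, 9, 2342, 19200300, 100, 1, 25},
	"UID": {0, 9, 2342, 19200300, 100, 1, 1},
}

// ParseLiteralSubject turns a simple RFC 4514 DN string into an RDNSequence in DER order.
// RFC 4514 writes RDNs in reverse of their encoded order, so "C=US,O=myOrg,CN=someName"
// becomes the sequence [CN, O, C]. Escaping and multi-valued RDNs are not handled.
func ParseLiteralSubject(dn string) (pkix.RDNSequence, error) {
	parts := strings.Split(dn, ",")
	seq := make(pkix.RDNSequence, 0, len(parts))
	for i := len(parts) - 1; i >= 0; i-- {
		kv := strings.SplitN(strings.TrimSpace(parts[i]), "=", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("malformed RDN %q", parts[i])
		}
		oid, ok := oidByAttr[strings.ToUpper(kv[0])]
		if !ok {
			return nil, fmt.Errorf("unsupported attribute type %q", kv[0])
		}
		seq = append(seq, pkix.RelativeDistinguishedNameSET{{Type: oid, Value: kv[1]}})
	}
	return seq, nil
}

// ViaSubjectFields encodes CN/O/C the way the spec.subject and spec.commonName path does:
// through pkix.Name, whose ToRDNSequence emits a fixed attribute order whatever the caller intended.
func ViaSubjectFields(cn, o, c string) ([]byte, error) {
	name := pkix.Name{CommonName: cn, Organization: []string{o}, Country: []string{c}}
	return asn1.Marshal(name.ToRDNSequence())
}

// ViaLiteralSubject encodes the DN string exactly as written (modulo the RFC 4514 reversal).
func ViaLiteralSubject(dn string) ([]byte, error) {
	seq, err := ParseLiteralSubject(dn)
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(seq)
}

// EncodedOrder decodes a DER Name and returns its attribute types in encoded order, e.g. "CN,O,C".
func EncodedOrder(der []byte) (string, error) {
	var seq pkix.RDNSequence
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", fmt.Errorf("%d trailing bytes after Name", len(rest))
	}
	var order []string
	for _, rdn := range seq {
		for _, atv := range rdn {
			label := atv.Type.String()
			for short, oid := range oidByAttr {
				if oid.Equal(atv.Type) {
					label = short
				}
			}
			order = append(order, label)
		}
	}
	return strings.Join(order, ","), nil
}

func main() {
	fields, _ := ViaSubjectFields("someName", "myOrg", "US")
	literal, _ := ViaLiteralSubject("C=US,O=myOrg,CN=someName")
	for _, c := range []struct {
		label string
		der   []byte
	}{{"spec.subject (pkix.Name)", fields}, {"spec.literalSubject", literal}} {
		order, err := EncodedOrder(c.der)
		if err != nil {
			fmt.Println(c.label, "error:", err)
			continue
		}
		fmt.Printf("%-26s encodes as %s\n", c.label, order)
	}
}
```

The `pkix.Name` path always yields `C,O,CN` no matter how the fields were written, while the literal path yields whatever order the string dictates; for an LDAP bind DN that difference is the whole point of the feature.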
ingress-shim `Certificate` Configuration
cert-manager 1.9 adds the ability to configure an ingress-shim `Certificate`'s `spec.revisionHistoryLimit` and `spec.privateKey` via annotations on the `Ingress` resource.
This should allow folks to configure ingress-shim `Certificate`s according to best practices (i.e. by setting `Certificate`'s `spec.privateKey.rotationPolicy` to `Always`).
In the future we would like to design a better mechanism to configure these `Certificate`s. We advise caution when using `Ingress` annotations as there is no validation of the annotations at `Ingress` creation time.
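Because nothing validates these annotations when the `Ingress` is admitted, a typo only surfaces later as a rejected or silently misconfigured `Certificate`. The checker below is an added example, not cert-manager's code, intended to run in CI or a pre-commit hook over the `metadata.annotations` map of an Ingress manifest. The page names only `cert-manager.io/revision-history-limit`; the private-key annotation names, the accepted values (algorithm `RSA`/`ECDSA`/`Ed25519`, encoding `PKCS1`/`PKCS8`, rotation policy `Never`/`Always`), the key-size table (RSA 2048/4096/8192, ECDSA 256/384/521) and the `Never` default for `rotationPolicy` are assumptions taken from cert-manager's `Certificate` documentation rather than from this page.

```go
package main

import (
	"fmt"
	"strconv"
)

// Annotation names. The page names only revision-history-limit; the private-key names are
// assumed from cert-manager's ingress-shim documentation.
const (
	annRevisionHistoryLimit = "cert-manager.io/revision-history-limit"
	annKeyAlgorithm         = "cert-manager.io/private-key-algorithm"
	annKeySize              = "cert-manager.io/private-key-size"
	annKeyEncoding          = "cert-manager.io/private-key-encoding"
	annKeyRotationPolicy    = "cert-manager.io/private-key-rotation-policy"
)

// allowedKeySizes restates the Certificate spec.privateKey.size rules as this example assumes them.
var allowedKeySizes = map[string][]int{
	"RSA":   {2048, 4096, 8192},
	"ECDSA": {256, 384, 521},
}

// Findings: Errors would yield a rejected or misconfigured Certificate once ingress-shim processes
// the Ingress; Warnings are accepted values that fall short of the recommended practice.
type Findings struct {
	Errors   []string
	Warnings []string
}

func containsInt(list []int, n int) bool {
	for _, v := range list {
		if v == n {
			return true
		}
	}
	return false
}

// ValidateIngressAnnotations performs, before apply, the checks the Ingress admission path does not.
func ValidateIngressAnnotations(ann map[string]string) Findings {
	var f Findings
	errf := func(format string, a ...interface{}) { f.Errors = append(f.Errors, fmt.Sprintf(format, a...)) }
	warnf := func(format string, a ...interface{}) { f.Warnings = append(f.Warnings, fmt.Sprintf(format, a...)) }

	algorithm := "RSA" // Certificate default when the annotation is absent (assumption)
	if v, ok := ann[annKeyAlgorithm]; ok {
		if v == "RSA" || v == "ECDSA" || v == "Ed25519" {
			algorithm = v
		} else {
			errf("%s: %q is not one of RSA, ECDSA, Ed25519", annKeyAlgorithm, v)
		}
	}
	if v, ok := ann[annKeySize]; ok {
		n, err := strconv.Atoi(v)
		switch {
		case err != nil:
			errf("%s: %q is not an integer", annKeySize, v)
		case algorithm == "Ed25519":
			warnf("%s: Ed25519 keys have a fixed length, so a size annotation has no meaning", annKeySize)
		case !containsInt(allowedKeySizes[algorithm], n):
			errf("%s: %d is not a valid %s key size, expected one of %v", annKeySize, n, algorithm, allowedKeySizes[algorithm])
		}
	}
	if v, ok := ann[annKeyEncoding]; ok && v != "PKCS1" && v != "PKCS8" {
		errf("%s: %q is not one of PKCS1, PKCS8", annKeyEncoding, v)
	}
	switch v, ok := ann[annKeyRotationPolicy]; {
	case !ok:
		// Unset means the Certificate default, assumed to be Never: the key survives every renewal.
		warnf("%s: not set, so the private key is reused on every renewal; set it to Always", annKeyRotationPolicy)
	case v == "Always":
	case v == "Never":
		warnf("%s: Never reuses the private key on every renewal; Always is the recommended value", annKeyRotationPolicy)
	default:
		errf("%s: %q is not one of Never, Always", annKeyRotationPolicy, v)
	}
	if v, ok := ann[annRevisionHistoryLimit]; ok {
		if n, err := strconv.Atoi(v); err != nil || n < 1 {
			errf("%s: %q must be an integer >= 1", annRevisionHistoryLimit, v)
		}
	}
	return f
}

func main() {
	// Constructed annotations: two mistakes the Ingress API accepts without complaint.
	ann := map[string]string{
		annKeyAlgorithm:      "ECDSA",
		annKeySize:           "2048",
		annKeyRotationPolicy: "always",
	}
	f := ValidateIngressAnnotations(ann)
	for _, e := range f.Errors {
		fmt.Println("ERROR  ", e)
	}
	for _, w := range f.Warnings {
		fmt.Println("WARNING", w)
	}
}
```

Wire it to the annotations decoded from each Ingress manifest and fail the pipeline on any `Errors`; the `Warnings` carry the rotation-policy advice the release notes give above.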
Contribution Workflow
Over the past couple of months there have been a number of discussions in regards to contributor experience and project health, partially triggered by the awesome community discussions in cert-manager's KubeCon booth and also by the work done to move cert-manager to CNCF's incubating stage.
For example, we've clarified our feature policy and discussed the process of building cert-manager's roadmap. If you're interested in these topics, we're happy to chat about them!
`make` Workflow
cert-manager 1.8 introduced a new `make` based workflow alongside the existing Bazel workflow. The work to improve the `make` workflow was continued in 1.9 and our contributor documentation has been redefined to use `make` commands. This should make building and testing cert-manager easier with faster build and test times, easier debugging and less complexity.
As part of this, Bazel has now been fully deprecated for building and testing cert-manager.
As usual, we welcome any feedback in regards to further improving contributor experience.
Thank You!
Thank you to the following community members who had a merged MR for this version - your contributions are at the heart of everything we do!
- @AcidLeroy
- @oGi4i
- @spockz (and @yongk802 who raised a similar MR)
- @andrewgkew
- @sveba
- @rodrigorfk
- @craigminihan
- @lucacome
- @Dean-Coakley
- @Compy
Thanks also to the following maintainers who worked on cert-manager 1.9:
Changes since v1.8.0
Feature
- Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#5194, @Compy)
- Adds `make clean-all` for starting a fresh development environment and `make which-go` for getting go version information when developing cert-manager (#5118, @SgtCoDFish)
- Adds `make upload-release` target for publishing cert-manager releases to GCS, simplifying the cert-manager release process and making it easier to change (#5205, @SgtCoDFish)
- Adds a new alpha Prometheus summary vector metric `certmanager_http_venafi_client_request_duration_seconds` which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: `certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"}` will show the average latency of calls to the Venafi certificate request endpoint (#5053, @irbekrm)
- Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#5142, @AcidLeroy)
- Adds new LICENSES format and ability to verify and update licenses through make (#5243, @SgtCoDFish)
- Adds private key Ingress annotations to set private key properties for Certificate (#5239, @oGi4i)
- Adds the `cert-manager.io/revision-history-limit` annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#5221, @oGi4i)
- Adds the `literalSubject` field for Certificate resources. This is an alpha feature, enabled by passing the flag `--feature-gates=LiteralCertificateSubject=true` to the cert-manager controller and webhook. `literalSubject` allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#5002, @spockz)
- Change default build dir from `bin` to `_bin`, which plays better with certain tools which might treat `bin` as just another source directory (#5130, @SgtCoDFish)
- Helm: Adds a new `namespace` parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#5141, @andrewgkew)
- Helm: Allow for users to not auto-mount service account tokens, see also k/k#57601 (#5016, @sveba)
- Use multiple retries when provisioning tools using `curl`, to reduce flakes in tests and development environments (#5272, @SgtCoDFish)
Bug or Regression
- CertificateRequests controllers must wait for the core secrets informer to be synced (#5224, @rodrigorfk)
- Ensure that `make release-artifacts` only builds unsigned artifacts as intended (#5181, @SgtCoDFish)
- Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#5136, @craigminihan)
- Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#5212, @jahrlin)
- Fixed release artifact archives generated by Make so that a leading `./` is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#5050, @jahrlin)
- Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5226, @SgtCoDFish)
- Increases the Venafi Issuer timeout for retrieving a certificate to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#5247, @hawksight)
- Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @davidsbond for finding the issue! (#5032, @SgtCoDFish)
- `cmctl` and `kubectl cert-manager` now report their actual versions instead of "canary", fixing issue #5020 (#5286, @jetstack-bot)
Other (Cleanup or Flake)
- Adds `make update-all` as a convenience target to run before raising a MR (#5251, @SgtCoDFish)
- Adds make targets for updating and verifying CRDs and codegen (#5242, @SgtCoDFish)
- Bump cert-manager's version of Go to 1.18 (#5152, @lucacome)
- Bumps distroless base images to their latest versions (#5222, @irbekrm)
- CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in `experimental.cert-manager.io/private-key-secret-name` doesn't exist. (#5332, @jetstack-bot)
- Only require python for the one test we have which needs it, rather than requiring it globally (#5245, @SgtCoDFish)
- Remove deprecated field `securityContext.enabled` from helm chart (#4721, @Dean-Coakley)
- Removes support for networking/v1beta Ingresses in ingress-shim. (#5250, @irbekrm)
- Reverts additional check for ServiceMonitor (#5202, @irbekrm)
- Updates Kubernetes libraries to `v0.24.2`. (#5097, @lucacome)
- Updates warning message that is thrown if issuance fails because private key does not match spec, but private key regeneration is disabled. See https://github.com/cert-manager/cert-manager/pull/5199. (#5199, @irbekrm)
v1.8.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.8.2 is in effect a bug fix release which increases some hard-coded timeouts which were preventing the use of certain ACME issuers which sometimes had slower response times. This is known to include ZeroSSL and Sectigo.
These issues were reported by many different users, and we'd like to thank the following for their help, suggestions and feedback on this topic:
- @JoooostB
- @fatz
- @jgreat
- @sashokbg
- @mycloudedu
- @hadogenes
- @SudonymTM
- @amalucelli
- @MilheiroSantos
- @dverbeek84
- @kxs-jnadeau
- @fablarosa
- @nik-nazarov
- @omBratteng
- @shubham-root
- @alphabet5
- @hawksight
Thanks also to the cert-manager maintainers who were involved in reviewing this fix and helping to move things forwards:
Changes since v1.8.1
Bug
- Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5231, @JoooostB @SgtCoDFish)
Other (Cleanup)
- Bump distroless base images to latest versions (#5235, @SgtCoDFish)
v1.8.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
1.8.1 is a patch release rebuilding cert-manager 1.8 using the latest version of Go.
Changelog since cert-manager 1.7.1
- Reverts a check for Prometheus APIs before creating cert-manager ServiceMonitors which broke users' GitOps flows (cert-manager#5204)
- Bumps the version of Go used to build the cert-manager binaries to 1.17.11, which fixes a few CVEs (we don't think that those were likely to be exploited in cert-manager) (cert-manager#5203, @irbekrm)
v1.8.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around `Makefile`s rather than Bazel, and a range of other improvements, tweaks and bug fixes.
Version 1.8 also marks our first release in which the Go import path for cert-manager is that of the repo's new home: `github.com/cert-manager/cert-manager`
Breaking Changes (You MUST read this before you upgrade!)
`rotationPolicy` field
The field `spec.privateKey.rotationPolicy` on Certificate resources is now validated. Valid options are `Never` and `Always`. If you are using a GitOps flow and one of your YAML manifests contains a Certificate with an invalid value, you will need to update it with a valid value to prevent your GitOps tool from failing on the new validation. Please follow the instructions listed on the page Upgrading from v1.7 to v1.8. (#4913, @jahrlin)
What happens if I upgrade to 1.8.0 without doing the above steps?
After upgrading to 1.8.0, when updating existing Certificate objects that have an incorrect value for `rotationPolicy`, Kubernetes clients such as kubectl, Helm, or ArgoCD will start showing the following message:

```
Certificate.cert-manager.io "my-cert" is invalid: spec.privateKey.rotationPolicy: Unsupported value: "Foo": supported values: "Never", "Always".
```
Why was this change necessary?
Previously, when the value of the `rotationPolicy` field was set to an incorrect value, you would not know since no event or condition would be visible on the Certificate itself. The only way to know that something was wrong was to dig into the cert-manager-controller logs and see the message "Certificate with unknown certificate.spec.privateKey.rotationPolicy value":

```
I0329 12:43:13.325771 1 keymanager_controller.go:176] cert-manager/certificates-key-manager "msg"="Certificate with unknown certificate.spec.privateKey.rotationPolicy value" "key"="default/my-cert" "rotation_policy"="Foo"
```
This change was implemented in #4913.
Changed Container Layouts
This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise changing how the binaries inside the containers are called.
Bazel has a unique way of creating containers, which places the actual binary at a long unusual path. For the v1.7.0 `cert-manager-webhook` container for example, the binary is placed at `/app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook` and `/app/cmd/webhook/webhook` is provided as a symlink to the binary.
This is simplified in our new build system; we only place a single binary at `/app/cmd/webhook/webhook` and the old path disappears.
This applies to all cert-manager containers.
We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo.
`.exe` Extension on Windows
We package `cmctl` and `kubectl_cert-manager` for Windows on `amd64` platforms, but previously the binaries had the same names as the binaries on other platforms, e.g. `cmctl` with no file extension.
In 1.8.0 and later, the binaries have a `.exe` extension since this is standard practice on Windows. This could affect you if you're calling the binary in a PowerShell script, for example.
We've also now added zip-compressed versions of the `cmctl` and `kubectl_cert-manager` binaries on Windows, since `.tar.gz` is less common on Windows.
Changed Import Path
This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against doing in most cases.
All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, `github.com/jetstack/cert-manager`.
v1.8.0 marks the first release in which the import path changes to the new location, `github.com/cert-manager/cert-manager`.
We have a guide for Importing cert-manager in Go on cert-manager.io with all the details, including details on why we don't recommend importing cert-manager as a module if that's avoidable.
Major Themes
Server-Side Apply
cert-manager v1.8.0 adds initial support for Kubernetes Server-Side Apply, which became stable in Kubernetes 1.22. This support is behind a feature gate for now, and is only supported by cert-manager on Kubernetes 1.22 and later.
Server-Side Apply helps to ensure that changes to resources are made in a managed way, and aims to prevent certain classes of bugs. Notably, it should eliminate conflicts when multiple controllers try to apply status changes to a single resource. You'll likely have seen messages relating to this kind of conflict in logs before, e.g.:
```
I0119 12:34:56.000000 1 controller.go:161] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item due to optimistic locking on resource" "key"="my-namespace/my-cr" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"my-cr\": the object has been modified; please apply your changes to the latest version and try again"
```
These conflicts aren't usually a real problem that blocks the issuance of a certificate, but they can delay things because they cause extra reconcile loops. Server-side apply cleans things up, which should mean less noise in logs and fewer pointless reconcile loops.
If you want to test it out, you can enable alpha-level cert-manager Server-Side Apply support through the `--feature-gates` controller flag.
From Bazel to Make
A common theme when someone tries to make a change to cert-manager for the first time is that they ask for help with navigating Bazel, which cert-manager used as its build tool. Helping people with Bazel isn't easy; it's an incredibly powerful tool, but that power also brings a lot of complications which can seriously get in the way of being able to make even simple changes to the code base. Even developers who are familiar with contributing to open source projects in Go can find it daunting to make changes thanks to Bazel.
The problem isn't limited to open-source contributors; many of cert-manager's maintainers also struggle with configuring and changing Bazel, too.
cert-manager 1.8 is the first release which is built and tested using a newly written `make`-based build system. We believe that this new build system should make it much simpler to understand and change the commands which are being run behind the scenes to build and test cert-manager. In time, we'll fully document the new build system, ensure it's at full feature-parity with Bazel and then remove all references to Bazel across the codebase.
A neat side effect of this change is that our build times have significantly improved. Bazel took around 14 minutes to build every cert-manager artifact for every platform during a release, while the new `make` build system can do the same (and more) in under 5 minutes.
Exponential backoff after a failed issuance
cert-manager v1.8.0 introduces exponential backoff after failed certificate issuance.
Previously, a failed issuance was retried every hour which, especially in larger cert-manager installations, could cause rate limits to be hit as well as overwhelm external services. Failed attempts are now retried with a binary exponential backoff starting with `1h` then `2h`, `4h` up to a maximum of `32h`. As part of the new backoff behavior, a new `failedIssuanceAttempts` field was added to the `Certificate` spec to track the number of currently failed issuances.
The `cmctl renew` command can still be used to force `Certificate` renewal immediately.
We're also considering reducing the initial backoff from 1 hour. If you have a use case where this would be useful please do comment on our tracking issue.
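As an added example (not cert-manager's own code), the following Go program applies the two checks from this section to the JSON output of `kubectl get certificates -A -o json`: it flags `rotationPolicy` values that the 1.8 webhook rejects, reproducing the message quoted under Breaking Changes, and it computes the backoff period implied by `status.failedIssuanceAttempts` (1h, doubling, capped at 32h). The embedded List is constructed sample data; the field names are those of the Certificate resource described above.

```go
// Added example, not cert-manager's own code: inspect `kubectl get certificates -A -o json`
// output for rotationPolicy values the 1.8 webhook rejects and for Certificates that are
// currently in the exponential backoff described above (1h, doubling, capped at 32h).
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Certificate mirrors only the fields this check reads; status.failedIssuanceAttempts is
// the counter cert-manager 1.8 maintains across consecutive failed issuances.
type Certificate struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		PrivateKey *struct {
			RotationPolicy string `json:"rotationPolicy"`
		} `json:"privateKey"`
	} `json:"spec"`
	Status struct {
		FailedIssuanceAttempts int `json:"failedIssuanceAttempts"`
	} `json:"status"`
}

// CertificateList is the shape of the List object kubectl prints.
type CertificateList struct {
	Items []Certificate `json:"items"`
}

// Finding is one line of the report.
type Finding struct{ Namespace, Name, Problem string }

// RotationPolicyOK mirrors the 1.8 validation: an empty value is defaulted by cert-manager,
// anything else must be exactly Never or Always.
func RotationPolicyOK(policy string) bool {
	return policy == "" || policy == "Never" || policy == "Always"
}

// Backoff returns how long cert-manager waits before retrying after n consecutive failed
// issuances: 1h after the first, doubling each time, never more than 32h; 0 when n is 0.
func Backoff(failedAttempts int) time.Duration {
	if failedAttempts <= 0 {
		return 0
	}
	const maxBackoff = 32 * time.Hour
	d := time.Hour
	for i := 1; i < failedAttempts && d < maxBackoff; i++ {
		d *= 2
	}
	return d
}

// Inspect reports every invalid rotationPolicy (worded as the API server reports it after
// the upgrade) and every Certificate whose next retry is still being backed off.
func Inspect(list CertificateList) []Finding {
	var out []Finding
	for _, c := range list.Items {
		if c.Spec.PrivateKey != nil && !RotationPolicyOK(c.Spec.PrivateKey.RotationPolicy) {
			out = append(out, Finding{c.Metadata.Namespace, c.Metadata.Name, fmt.Sprintf(
				`spec.privateKey.rotationPolicy: Unsupported value: %q: supported values: "Never", "Always"`,
				c.Spec.PrivateKey.RotationPolicy)})
		}
		if n := c.Status.FailedIssuanceAttempts; n > 0 {
			out = append(out, Finding{c.Metadata.Namespace, c.Metadata.Name, fmt.Sprintf(
				"%d consecutive failed issuances, next automatic retry after %s (cmctl renew forces one now)",
				n, Backoff(n))})
		}
	}
	return out
}

// ParseList decodes the JSON List that kubectl prints.
func ParseList(data []byte) (CertificateList, error) {
	var list CertificateList
	err := json.Unmarshal(data, &list)
	return list, err
}

// sampleList is a constructed List (not from a real cluster): an invalid policy, a
// Certificate three failures into its backoff, and one with no privateKey block at all.
const sampleList = `{"items":[
 {"metadata":{"name":"my-cert","namespace":"default"},
  "spec":{"privateKey":{"rotationPolicy":"Foo"}},"status":{}},
 {"metadata":{"name":"web","namespace":"prod"},
  "spec":{"privateKey":{"rotationPolicy":"Always"}},"status":{"failedIssuanceAttempts":3}},
 {"metadata":{"name":"plain","namespace":"prod"},"spec":{},"status":{}}
]}`

func main() {
	// For a real cluster, feed the kubectl output to ParseList instead of sampleList.
	list, err := ParseList([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range Inspect(list) {
		fmt.Printf("%s/%s: %s\n", f.Namespace, f.Name, f.Problem)
	}
}
```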
Community
cert-manager thrives thanks to the community and we're always grateful for receiving open-source contributions!
Thanks to the following community members who landed a commit in this release:
- @illrill
- @tasharnvb
- @enj
- @vhosakot
- @fvlaicu
- @andreadecorte
- @davidsbond
- @4molybdenum2
- @ajvn
- @mikebryant
- @jayme-github
Thanks also to the cert-manager maintainer team involved with this release
- @maelvls (Release lead)
- @SgtCoDFish (Release lead)
- @jakexks
- @JoshVanL
- @irbekrm
- @wallrj
- @jahrlin
- @munnerz
Changelog since v1.7.0
Feature
- ACTION REQUIRED: The field `spec.privateKey.rotationPolicy` on Certificate resources is now validated. Valid options are Never and Always. If you are using a GitOps flow and one of your YAML manifests contains a Certificate with an invalid value, you will need to update it with a valid value to prevent your GitOps tool from failing on the new validation. (#4913, @jahrlin)
- Build: add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
- Build: add make targets for running the end-to-end tests, as part of the Bazel replacement. (#4914, @maelvls)
- cert-manager now supports the field `spec.expirationSeconds` on Kubernetes CertificateSigningRequest resources. Using this field requires Kubernetes 1.22. You can still use the annotation `experimental.cert-manager.io/request-duration` to request a duration. (#4957, @enj)
- cert-manager now properly updates the content of the data keys `tls-combined.pem` and `key.der` on Secret resources that are associated to Certificate resources that use the field `additionalOutputFormats`. The field `additionalOutputFormat` is an alpha feature and can be enabled by passing the flag `--feature-gates=AdditionalCertificateOutputFormats=true` to the cert-manager controller. (#4813, @JoshVanL)
- ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
- ACTION REQUIRED: Server-Side Apply: the feature gate `ServerSideApply=true` now configures the `ingress-shim` and `gateway-shim` controllers to use Kubernetes Server-Side Apply on Certificate resources. When upgrading to cert-manager 1.8 with `ServerSideApply=true`, do make sure there are no Challenge resources currently in the cluster. If there are some, you will need to manually delete them once they are in 'valid' state as cert-manager post-1.8 with the Server-Side Apply feature is not able to clean up Challenge resources created pre-1.8. (#4811, @JoshVanL)
- Server-Side Apply: the feature gate `ServerSideApply=true` configures the `certificaterequests-*` controllers to use Kubernetes Server-Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
- Server-Side Apply: the feature gate `ServerSideApply=true` configures the `certificates-*` controllers to use Kubernetes Server-Side Apply on Certificate resources. (#4777, @JoshVanL)
- Server-Side Apply: the feature gate `ServerSideApply=true` configures the CertificateSigningRequest controllers to use Kubernetes Server-Side Apply on CertificateSigningRequest resources. (#4798, @JoshVanL)
- Server-Side Apply: the feature gate `ServerSideApply=true` configures the `issuers` and `clusterissuers` controllers to use Kubernetes Server-Side Apply on Issuer and ClusterIssuer resources. (#4794, @JoshVanL)
- Server-Side Apply: the feature gate `ServerSideApply=true` configures the `orders` controller to use Kubernetes Server-Side Apply on Order resources. (#4799, @JoshVanL)
- The annotation `experimental.cert-manager.io/request-duration` now has a minimum value of 600 seconds. This change ensures compatibility with the Kubernetes resource CertificateSigningRequest, which requires a minimum of 600 seconds on the field `spec.expirationSeconds`. (#4973, @irbekrm)
- The annotation `ingress.kubernetes.io/whitelist-source-range` used by the Ingress shim when creating Ingress resources can now be overridden by setting the field `ingressTemplate` on the Issuer and ClusterIssuer. (#4789, @tasharnvb)
- The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
- The user-agent used by cert-manager in its Kubernetes API clients and ACME clients now takes the form `cert-manager-<component name>/<version> (<os>/<arch>) cert-manager/<git commit>`. Another change is the addition of specific field manager strings; previously, all the controllers had the same field manager `cert-manager`. Now, each controller has its own field manager string of the form `cert-manager-<controller name>`. (#4773, @JoshVanL)
- You can now uninstall cert-manager using the command `cmctl experimental uninstall`. (#4897, @jahrlin)
- You can now use an external issuer resource as the default issuer when using the Ingress shim feature. The default issuer can be set using the flags `--default-issuer-group`, `--default-issuer-kind`, and `--default-issuer-name`. (#4833, @jakexks)
Design
- ACTION REQUIRED: The import path for cert-manager has been updated to `github.com/cert-manager/cert-manager`. If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)
Bug or Regression
- ACTION REQUIRED: The field `additionalOutputFormats`, which is available as an alpha feature on Certificate resources, is now correctly validated. Previously, it would only get validated when the `privateKey` field was set on the Certificate. If you are using the `additionalOutputFormats` field, you will want to add the feature gate `AdditionalCertificateOutputFormats` to both the webhook and the controller. Previously, you only needed to set `AdditionalCertificateOutputFormats` on the controller. If the feature gate is missing on either the controller or the webhook, you won't be able to use the `additionalOutputFormat` field. (#4814, @JoshVanL)
- The Go version used to build the cert-manager binaries has been bumped to 1.17.8 to fix a slew of CVEs (none of which were likely to be exploited). (#4970, @vhosakot)
- Helm: the default nodeSelector is now `kubernetes.io/os: linux`. If this label isn't present on any nodes in the cluster, the `nodeSelector` will need to be overwritten, or that label added to some nodes. (#3605, @mikebryant)
- Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)
Other (Cleanup or Flake)
- Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run the `cmctl renew` command in their namespaces. (#4955, @andreadecorte)
- Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favor of always force applying. (#4815, @JoshVanL)
- Failed certificate issuances are now retried with an exponential backoff where the backoff periods are `1h`, `2h`, `4h`, `8h`, `16h`, `32h`. A new field `failedIssuanceAttempts` is now set by cert-manager on the Certificate status. This field keeps track of consecutive failed issuances. The backoff period gets reset after a successful issuance. Like before, updating a field on a failed Certificate (such as `spec.dnsNames`) or running the command `cmctl renew` continues to trigger a re-issuance. (#4772, @irbekrm)
- When starting up, cert-manager now solely relies on Lease objects to perform the leader election. Previously, cert-manager supported both ConfigMap and Lease objects for leader election. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
- Helm: you can now set custom labels on the ServiceAccount resources using the values `serviceAccount.labels`, `cainjector.serviceAccount.labels`, `webhook.serviceAccount.labels`, and `startupapicheck.serviceAccount.labels`. (#4932, @4molybdenum2)
Uncategorized
- Introducing a new metric `controller_sync_error_count` counting the number of errors during sync() of a controller. (#4987, @jayme-github)
- When creating an acmesolver pod, cert-manager now sets `allowPrivilegeEscalation` to `false` by default. The Helm chart now also sets `securityContext.allowPrivilegeEscalation` to `false` by default for the controller, cainjector, and webhook pods as well as for the startupapicheck job. (#4953, @ajvn)
v1.7.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.7.3 is in effect a bug fix release which increases some hard-coded timeouts which were preventing the use of certain ACME issuers which sometimes had slower response times. This is known to include ZeroSSL and Sectigo.
These issues were reported by many users. We'd like to thank the following for their help and feedback on this topic:
- @JoooostB
- @fatz
- @jgreat
- @sashokbg
- @mycloudedu
- @hadogenes
- @SudonymTM
- @amalucelli
- @MilheiroSantos
- @dverbeek84
- @kxs-jnadeau
- @fablarosa
- @nik-nazarov
- @omBratteng
- @shubham-root
- @alphabet5
- @hawksight
Thanks also to the cert-manager maintainers who were involved in reviewing this fix and helping to move things forwards:
Changes since v1.7.2
Bug
- Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5232, @JoooostB @SgtCoDFish)
Other (Cleanup)
- Bumps go to 1.17.11 and base images to latest distroless base images (#5234, @SgtCoDFish)
v1.7.2
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
1.7.2 is a minor release rebuilding cert-manager 1.7 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.
We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.
Changelog since cert-manager 1.7.1
Bug or Regression
- Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4976 , @vhosakot)
- Fixes an expired hardcoded certificate which broke unit tests (#4978, @SgtCoDFish @jakexks)
v1.7.1
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Version 1.7.1 fixes a bug which was discovered in 1.7.0 relating to the new `additionalOutputFormat` feature.
Changelog since v1.7.0
Bug or Regression
- Fix: The alpha feature Certificate's `additionalOutputFormats` is now correctly validated at admission time, and no longer only validated if the `privateKey` field of the Certificate is set. The Webhook component now contains a separate feature set. An `AdditionalCertificateOutputFormats` feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's `additionalOutputFormat` feature. (#4816, @JoshVanL)
v1.7.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Version 1.7 brings new private key output formats, configuration improvements for the webhook, some long-awaited code cleanup, a fix for ingress class semantics and a bunch of other changes.
Breaking Changes (You MUST read this before you upgrade!)
Removal of Deprecated APIs
Before upgrading, ensure that your cert-manager `CustomResourceDefinition`s have only v1 as the stored version.
Since release 1.7, `cmctl` can automatically migrate any deprecated API resources. Please download `cmctl-v1.7.0` and read Migrating Deprecated API Resources for full instructions.
Ingress Class Semantics
In 1.7, we have reverted a change that caused a regression in the ACME Issuer. Before 1.5.4, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the `kubernetes.io/ingress.class` annotation:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.
```

After 1.5.4, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the `ingressClassName` field:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!
```
This broke many users who don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not previously need to create an IngressClass (such as with Istio and Traefik).
The regression is present in cert-manager 1.5.4, 1.6.0, 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.
In 1.7, we have restored the original behavior which is to use the annotation. We will also backport this fix to 1.5.5 and 1.6.2, allowing people to upgrade safely.
Most people won't have any trouble upgrading from a version that contains the regression to 1.7.0, 1.6.2 or 1.5.5. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., `istio` for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.
If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., `istio-internal`), or if you experience any issues with your HTTP-01 challenges, please read the notes on Ingress v1 compatibility.
Upgrading with Server Side Apply
As part of the work to remove deprecated APIs, cert-manager `CustomResourceDefinition`s no longer require a conversion webhook. The related change in the cert-manager `CustomResourceDefinition` specs results in invalid `CustomResourceDefinition` configurations for users who are upgrading to cert-manager 1.7 using `kubectl apply --server-side=true -f <manifests>`. This can be solved either by performing the upgrade with client side apply or by manually patching the managed fields of the cert-manager CustomResourceDefinitions:

```bash
crds=("certificaterequests.cert-manager.io" "certificates.cert-manager.io" "challenges.acme.cert-manager.io" "clusterissuers.cert-manager.io" "issuers.cert-manager.io" "orders.acme.cert-manager.io")
for crd in "${crds[@]}"; do
  # Position of the managedFields entry owned by cainjector; jq prints "null" when there is none.
  manager_index="$(kubectl get crd "${crd}" --show-managed-fields --output json | jq -r '.metadata.managedFields | map(.manager == "cainjector") | index(true)')"
  if [ "${manager_index}" = "null" ]; then
    echo "${crd}: no cainjector managedFields entry, nothing to patch"
    continue
  fi
  # Drop that entry with a JSON patch so the server-side apply no longer conflicts with it.
  kubectl patch crd "${crd}" --type=json -p="[{\"op\": \"remove\", \"path\": \"/metadata/managedFields/${manager_index}\"}]"
done
```
(Thanks to @stevehipwell for the above patch commands!)
See the original GitHub issue cert-manager#4831
Major Themes
Removal of Deprecated APIs
In 1.7 the cert-manager API versions v1alpha2, v1alpha3, and v1beta1, that were deprecated in 1.4, have been removed from the custom resource definitions (CRDs). As a result, you will notice that the YAML manifest files are much smaller.
In this release we have added a new sub-command to the cert-manager CLI (`cmctl upgrade migrate-api-version`), which you SHOULD run BEFORE upgrading cert-manager to 1.7. Please read Removing Deprecated API Resources for full instructions.
Additional Certificate Output Formats
`additionalOutputFormats` is a field on the Certificate `spec` that allows specifying additional supplementary formats of issued certificates and their private key. There are currently two supported additional output formats: `CombinedPEM` (the PEM-encoded private key followed by the certificate chain) and `DER` (the DER-encoded private key only). Any combination of output formats can be requested for the same certificate. Read Additional Certificate Output Formats for more details and thanks to @seuf for getting this across the line!
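As an added example (not cert-manager's own code), this Go program derives the two formats from the standard `tls.key` and `tls.crt` Secret data as described above: CombinedPEM as the key PEM followed by the certificate chain, and DER as the bytes inside the key's PEM block (this example's reading of "the DER-encoded private key only"). The key material is constructed at run time (a fresh P-256 key with a self-signed certificate), and the verification step shows what a consumer of the Secret can check before trusting the extra keys.

```go
// Added example, not cert-manager's own code: derive the two additional output formats described
// above (CombinedPEM -> tls-combined.pem, DER -> key.der) from a Secret's tls.key/tls.crt and verify them.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Secret data keys as written by cert-manager.
const (
	keyTLSKey, keyTLSCert  = "tls.key", "tls.crt"
	keyCombinedPEM, keyDER = "tls-combined.pem", "key.der"
)

// AddOutputFormats returns a copy of the Secret data with the two extra keys added:
// CombinedPEM is the private key PEM followed by the certificate chain PEM, and DER is
// the bytes inside the key's PEM block (the DER-encoded private key without PEM framing).
func AddOutputFormats(data map[string][]byte) (map[string][]byte, error) {
	key, chain := data[keyTLSKey], data[keyTLSCert]
	if len(key) == 0 || len(chain) == 0 {
		return nil, errors.New("secret is missing tls.key or tls.crt")
	}
	block, _ := pem.Decode(key)
	if block == nil {
		return nil, errors.New("tls.key is not PEM encoded")
	}
	out := make(map[string][]byte, len(data)+2)
	for k, v := range data {
		out[k] = v
	}
	// PEM encoders terminate every block with a newline, so plain concatenation keeps the blocks separate.
	out[keyCombinedPEM] = append(append([]byte{}, key...), chain...)
	out[keyDER] = block.Bytes
	return out, nil
}

// VerifyOutputs checks what a consumer relies on: key.der is a bare EC key, tls-combined.pem
// starts with that same key and is followed by a certificate whose public key matches it.
func VerifyOutputs(data map[string][]byte) error {
	derKey, err := x509.ParseECPrivateKey(data[keyDER]) // bare DER, no PEM framing
	if err != nil {
		return fmt.Errorf("key.der: %w", err)
	}
	keyBlock, rest := pem.Decode(data[keyCombinedPEM])
	if keyBlock == nil || !bytes.Equal(keyBlock.Bytes, data[keyDER]) {
		return errors.New("tls-combined.pem does not start with the private key")
	}
	certBlock, _ := pem.Decode(rest)
	if certBlock == nil || certBlock.Type != "CERTIFICATE" {
		return errors.New("tls-combined.pem has no certificate after the key")
	}
	cert, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		return fmt.Errorf("tls-combined.pem certificate: %w", err)
	}
	if !derKey.PublicKey.Equal(cert.PublicKey) {
		return errors.New("private key does not match the certificate")
	}
	return nil
}

// NewTestSecret builds constructed Secret data (fresh P-256 key, self-signed certificate)
// in the shape cert-manager writes, so the example runs without a cluster.
func NewTestSecret(commonName string) (map[string][]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { return nil, err }
	return map[string][]byte{
		keyTLSKey:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		keyTLSCert: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}),
	}, nil
}

func main() {
	data, err := NewTestSecret("example.invalid")
	if err == nil { data, err = AddOutputFormats(data) }
	if err == nil { err = VerifyOutputs(data) }
	if err != nil { panic(err) }
	fmt.Printf("tls-combined.pem: %d bytes, key.der: %d bytes\n", len(data[keyCombinedPEM]), len(data[keyDER]))
}
```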
Server-Side Apply
This is the first version of cert-manager which relies on Server-Side Apply. We use it to properly manage the annotations and labels on TLS secrets. For this reason cert-manager 1.7 requires at least Kubernetes 1.18 (see Supported Releases for further compatibility details).
Configuration Files
In this release we introduce a new configuration file for the cert-manager-webhook. Instead of configuring the webhook using command line flags, you can now modify the webhook Deployment to mount a ConfigMap containing a configuration file. Read the WebhookConfiguration Schema for more information.
In future releases we will introduce configuration files for the other cert-manager components: the controller and the cainjector.
Developing cert-manager Without Bazel
In a future release, we'll remove the use of `bazel` for building and testing cert-manager, with the aim of making it as easy as possible for anyone to contribute and to get involved with the cert-manager project.
The work is ongoing, but for now we've ensured that cert-manager 1.7 can be built with `go build`, and that all unit tests can be run with `go test ./cmd/... ./internal/... ./pkg/...`.
Community
Thanks again to all open-source contributors with commits in this release, including:
Thanks as usual to @coderanger for helping people out on the #cert-manager Slack channel; it's a huge help and much appreciated.
In addition, the following cert-manager maintainers were involved in this release:
Changelog since v1.6.0
Feature
- Add `--acme-http01-solver-nameservers` flag to enable custom nameservers usage for ACME HTTP01 challenges propagation checks. (#4287, @Adphi)
- Add `cmctl upgrade migrate-api-version` to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#4711, @munnerz)
- Add goimports verification step for CI (#4710, @SgtCoDFish)
- Add support for loading webhook flags/options from a WebhookConfiguration file on disk (#4546, @munnerz)
- Added `additionalOutputFormats` parameter to allow `DER` (binary) and `CombinedPEM` (key + cert bundle) formats. (#4598, @seuf)
- Added a makefile based build workflow which doesn't depend on bazel (#4554, @SgtCoDFish)
- Added a new Helm chart parameter `prometheus.servicemonitor.honorLabels`, which sets the `honor_labels` field of the Prometheus scrape config. (#4608, @thirdeyenick)
- Breaking change: pprof now runs by default on localhost:6060 for webhook and controller, but only if explicitly enabled. Pprof can now be enabled also for cainjector. All three components have `--enable-profiling`, `--profiler-address` CLI flags to configure profiling. Thanks to @bitscuit for help with this! (#4550, @irbekrm)
- Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles Certificate SecretTemplate's against corresponding Secrets, garbage collecting and correcting key/value changes. (#4638, @JoshVanL)
Bug or Regression
- Ensures 1 hour backoff between errored calls for new ACME Orders. (#4616, @irbekrm)
- Fix unexpected exit when multiple DNS providers are passed to `RunWebhookServer` (#4702, @devholic)
- Fixed a bug in the way the Helm chart handles service annotations on the controller and webhook services. (#4329, @jwenz723)
- Fixed a bug that can cause `cmctl version` to erroneously display the wrong webhook pod versions when older failed pods are present. (#4615, @johnwchadwick)
- Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @MattiasGees for raising the issue and help with debugging! (#4688, @irbekrm)
- Fixes an issue in `cmctl` that prevented displaying the Order resource with cert-manager 1.6 when running `cmctl status certificate`. (#4569, @maelvls)
- Improve checksum validation in makefile based tool installation (#4680, @SgtCoDFish)
- The HTTP-01 ACME solver now uses the `kubernetes.io/ingress.class` annotation instead of the `spec.ingressClassName` in created Ingress resources. (#4762, @jakexks)
- The `cmctl experimental install` command now uses the cert-manager namespace. This fixes a bug which was introduced in release 1.6 that caused cert-manager to be installed in the default namespace. (#4763, @wallrj)
- Update to latest version of keystore-go to address a backwards-incompatible change introduced in v1.6.0 (#4563, @SgtCoDFish)
Other (Cleanup or Flake)
- Adds `clock_time_seconds_gauge` metric which returns the current clock time, based on seconds since 1970/01/01 UTC (#4640, @JoshVanL)
- Adds an automated script for cert-manager developers to update versions of kind used for development and testing. (#4574, @SgtCoDFish)
- Breaking change: removes the deprecated `dns01-self-check-nameservers` flag. Use `--dns01-recursive-nameservers` instead. (#4551, @irbekrm)
- Bump kind image versions (#4593, @SgtCoDFish)
- Clean up: Remove `v1beta1` from the webhook's `admissionReviewVersions` as cert-manager no longer supports v1.16 (#4639, @JoshVanL)
- Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#4703, @JoshVanL)
- Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#4697, @irbekrm)
- No longer log an error when a Certificate is deleted during normal operation. (#4637, @JoshVanL)
- Removed deprecated API versions from the cert-manager CRDs (#4635, @wallrj)
- Update distroless base images for cert-manager (#4706, @SgtCoDFish)
- Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)
v1.6.3
v1.6.3 Release Notes
1.6.3 is a minor release rebuilding cert-manager 1.6 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.
We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.
Changelog since cert-manager 1.6.2
Bug or Regression
- Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4975, @vhosakot)
- Fixes an expired hardcoded certificate which broke unit tests (#4977, @SgtCoDFish @jakexks)
v1.6.2
In 1.6.2, we have reverted a change present in 1.6.0 and 1.6.1 that caused a regression in the ACME Issuer. In 1.6.0 and 1.6.1, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the `kubernetes.io/ingress.class` annotation:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.
```

After 1.5, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the `ingressClassName` field:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!
```
This broke many users who don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not previously need to create an IngressClass (such as with Istio and Traefik).
The regression is present in cert-manager 1.5.4, 1.6.0, and 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.
In 1.6.2, we have restored the original behavior which is to use the annotation. This patch is also available in 1.5.5 and in 1.7.0.
Most people won't have any trouble upgrading from 1.6.0 or 1.6.1 to 1.6.2. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., `istio` for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.
If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., `istio-internal`), or if you experience any issues with your HTTP-01 challenges, please read the notes on Ingress v1 compatibility.
Changelog since v1.6.1
Bug or Regression
- The HTTP-01 ACME solver now uses the `kubernetes.io/ingress.class` annotation instead of the `spec.ingressClassName` in created Ingress resources. (#4785, @jetstack-bot)
Other (Cleanup or Flake)
- cert-manager now does one call to the ACME API instead of two when an Order fails. This fix is part of the effort towards mitigating the high load that cert-manager deployments have on the Let's Encrypt API (#4619, @irbekrm)
- Bump base images to latest versions (#4707, @SgtCoDFish)
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
This MR has been generated by Renovate Bot.