
Update module github.com/jetstack/cert-manager to v1.15.0

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/jetstack/cert-manager | require | minor | v1.6.1 -> v1.15.0 |

MR created with the help of gitlab-org/frontend/renovate-gitlab-bot


Release Notes

jetstack/cert-manager (github.com/jetstack/cert-manager)

v1.15.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.15 promotes several features to beta, including GatewayAPI support (ExperimentalGatewayAPISupport), the ability to provide a subject in the Certificate that will be used literally in the CertificateSigningRequest (LiteralCertificateSubject) and the outputting of additional certificate formats (AdditionalCertificateOutputFormats).

Note: The cmctl binary has been moved to https://github.com/cert-manager/cmctl/releases. For the startupapicheck Job you should update references to point at quay.io/jetstack/cert-manager-startupapicheck.

Note: From this release, the Helm chart will no longer uninstall the CRDs when the chart is uninstalled. If you want the CRDs to be removed on uninstall, use crds.keep=false when installing the Helm chart.

Community

Thanks again to all open-source contributors with commits in this release, including: @​Pionerd, @​SgtCoDFish, @​ThatsMrTalbot, @​andrey-dubnik, @​bwaldrep, @​eplightning, @​erikgb, @​findnature, @​gplessis, @​import-shiburin, @​inteon, @​jkroepke, @​lunarwhite, @​mangeshhambarde, @​pwhitehead-splunk & @​rodrigorfk, @​wallrj.

Thanks also to the following cert-manager maintainers for their contributions during this release: @​SgtCoDFish, @​SpectralHiss, @​ThatsMrTalbot, @​hawksight, @​inteon, @​maelvls & @​wallrj.

Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.

Changes by Kind

Feature
  • GatewayAPI support has graduated to Beta. Add the --enable-gateway-api flag to enable the integration. (#​6961, @​ThatsMrTalbot)
  • Add support to specify a custom key alias in a JKS Keystore (#​6807, @​bwaldrep)
  • Add the ability to communicate with Vault via mTLS when strict client certificates are enabled on the Vault server side (#​6614, @​rodrigorfk)
  • Added option to provide additional audiences in the service account auth section for vault (#​6718, @​andrey-dubnik)
  • Venafi Issuer now sends a cert-manager HTTP User-Agent header in all Venafi Rest API requests. For example: cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200. (#​6865, @​wallrj)
  • Add hint to validation error message to help users of external issuers more easily fix the issue if they specify a Kind but forget the Group (#​6913, @​SgtCoDFish)
  • Add support for numeric OID types in LiteralSubject. Eg. "1.2.3.4=String Value" (#​6775, @​inteon)
  • Promote the LiteralCertificateSubject feature to Beta. (#​7030, @​inteon)
  • Promoted the AdditionalCertificateOutputFormats feature gate to Beta (enabled by default). (#​6970, @​erikgb)
  • The Helm chart now allows you to supply extraObjects: a list of YAML manifests which Helm will install and uninstall together with the cert-manager manifests. (#​6424, @​gplessis)
  • Update the Route53 provider to support fetching credentials using AssumeRoleWithWebIdentity (#​6878, @​pwhitehead-splunk)
  • Helm can now add optional hostAliases to cert-manager Pod to allow the DNS self-check to pass in custom scenarios. (#​6456, @​Pionerd)
  • Added a new Ingress annotation for copying specific Ingress annotations to Certificate's secretTemplate (#​6839, @​mangeshhambarde)
  • Added option to define additional token audiences for the Vault Kubernetes auth (#​6744, @​andrey-dubnik)
  • Allow cert-manager.io/allow-direct-injection in annotations (#​6801, @​jkroepke)
Design
Bug or Regression
  • BUGFIX: Fixes issue with JSON-logging, where only a subset of the log messages were output as JSON. (#​6779, @​inteon)
  • BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#​6806, @​bwaldrep)
  • BUGFIX: cainjector leaderelection flag/config option defaults are missing (#​6816, @​inteon)
  • BUGFIX: cert-manager issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field themselves. (#​6724, @​inteon)
  • Breaking Change: Fixed an unintended certificate chain being used when preferredChain is configured. (#​6755, @​import-shiburin)
  • Bugfix: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#​6770, @​inteon)
  • DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge (#​6875, @​SgtCoDFish)
  • Fix backwards incompatible removal of default prometheus Service resource. (#​6699, @​inteon)
  • Fix broken cainjector image value in Helm chart (#​6692, @​SgtCoDFish)
  • Helm: Fix a bug in the logic that differentiates between 0 and an empty value. (#​6713, @​inteon)
  • Make sure the Azure SDK error messages are stable. (#​6676, @​inteon)
  • When using the literalSubject on a Certificate, the webhook validation for the common name now also points to the literalSubject. (#​6767, @​lunarwhite)
  • Bump golang.org/x/net to fix CVE-2023-45288 (#​6929, @​SgtCoDFish)
  • Fix ACME issuer being stuck waiting for DNS propagation when using Azure DNS with multiple instances issuing for the same FQDN (#​6351, @​eplightning)
  • Fix cainjector ConfigMap not mounted in the cainjector deployment. (#​7055, @​inteon)
  • Added disableAutoApproval and approveSignerNames Helm chart options. (#​7054, @​inteon)
Other (Cleanup or Flake)
  • Possibly breaking: Helm will now keep the CRDs when you uninstall cert-manager by default to prevent accidental data loss. (#​6760, @​inteon)
  • New crds.keep and crds.enabled Helm options can now be used instead of the installCRDs option. (#​6760, @​inteon)
  • Bump base images (#​6840, @​inteon)
  • Bump github.com/go-jose/go-jose to v3.0.3 to fix CVE-2024-28180 (#​6854, @​wallrj)
  • Removed deprecated util functions that have been replaced by the slices and k8s.io/apimachinery/pkg/util packages. Removed deprecated CSR functions which have been replaced with other functions in the pkg/util/pki package. (#​6730, @​inteon)
  • Upgrade go to 1.21.8: fixes CVE-2024-24783 (#​6823, @​inteon)
  • Upgrade go to latest version 1.22.1 (#​6831, @​inteon)
  • Upgrade google.golang.org/protobuf: fixing GO-2024-2611 (#​6827, @​inteon)
  • cmctl and kubectl cert-manager have been moved to the https://github.com/cert-manager/cmctl repo and will be versioned separately starting with cmctl v2.0.0 (#​6663, @​inteon)
  • Graduate the 'DisallowInsecureCSRUsageDefinition' feature gate to GA. (part 2) (#​6963, @​inteon)
  • Remove deprecated pkg/util/pki/ParseSubjectStringToRawDERBytes function. (#​6994, @​inteon)
  • Upgrade Kind to v0.23.0 and update supported node image digests (#​7020, @​github-actions[bot])
  • If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly. (#​7054, @​inteon)
  • Upgrade to Go 1.22.3, fixing GO-2024-2824. (#​6996, @​github-actions[bot])

v1.14.7

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

📜 Changes since v1.14.6

Bugfixes
Other (Cleanup or Flake)

v1.14.6

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

📜 Changes since v1.14.5

Other (Cleanup or Flake)

v1.14.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.14.5 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @​BobyMCbobs for reporting this issue and testing the fix!

It also patches CVE-2023-45288.

Known Issues

  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see 1.14 release notes for more information.

📜 Changes since v1.14.4

Changes

Bug or Regression

v1.14.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.

Known Issues
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
Documentation

Release notes Upgrade notes Installation instructions

🔧 Breaking changes

See Breaking changes in v1.14.0 release notes

📜 Changes since v1.14.3
Bug or Regression
Other (Cleanup or Flake)

v1.14.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.

Known Issues
Documentation

Release notes Upgrade notes Installation instructions

🔧 Breaking changes

See Breaking changes in v1.14.0 release notes

📜 Changes since v1.14.2
Bug or Regression
  • BUGFIX: Fixes issue with JSON-logging, where only a subset of the log messages were output as JSON. (#​6781, @​jetstack-bot)
  • BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#​6774, @​jetstack-bot)

v1.14.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.

Known Issues
Documentation

Release notes Upgrade notes Installation instructions

🔧 Breaking changes

See Breaking changes in v1.14.0 release notes

📜 Changes since v1.14.1
Bug or Regression
  • BUGFIX: cert-manager CA and SelfSigned issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field themselves. (#​6727, @​jetstack-bot)
  • Helm: Fix a bug in the logic that differentiates between 0 and an empty value. (#​6729, @​jetstack-bot)
Other (Cleanup or Flake)

v1.14.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.

This version has known issues. Please install v1.14.2 instead.

Known Issues (please install v1.14.2)
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
  • In cert-manager v1.14.0 and v1.14.1, the CA and SelfSigned issuers issue certificates with SANs set to non-critical even when the subject is empty. It incorrectly copies the critical field from the CSR.
🔧 Breaking changes

See Breaking changes in v1.14.0 release notes

Documentation
📜 Changes since v1.14.0
Bug or Regression
  • Fix broken cainjector image value in Helm chart (#​6693, @​SgtCoDFish)
  • Fix bug in cmctl namespace detection which prevented it being used as a startupapicheck image in namespaces other than cert-manager. (#​6706, @​inteon)
  • Fix bug in cmctl which caused cmctl experimental install to panic. (#​6706, @​inteon)

v1.14.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.

This version has known issues. Please install v1.14.2 instead.

Known Issues (please install v1.14.2)
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
  • In cert-manager v1.14.0 and v1.14.1, the CA and SelfSigned issuers issue certificates with SANs set to non-critical even when the subject is empty. It incorrectly copies the critical field from the CSR.
  • During the release of v1.14.0, the Helm chart for this version was found to use the wrong OCI image for the cainjector Deployment, which caused the Helm installation to fail. In order to complete the release, the cert-manager team have manually updated the Helm chart for this version, which contains all the Helm chart fixes which are in v1.14.1.
  • A bug in cmctl namespace detection prevents it being used as a startupapicheck image in namespaces other than cert-manager.
  • A bug in cmctl causes cmctl experimental install to panic.
🔧 Breaking Changes

The startupapicheck job uses a new OCI image called "startupapicheck", instead of the ctl image. If you run in an environment in which images cannot be pulled, be sure to include the new image.

The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob.

🗺️ Major Themes
New X.509 Features

The cert-manager Certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the Subject Alternative Name section of RFC 5280 (on page 37).

We specifically support any otherName type with a UTF-8 value, such as the User Principal Name or sAMAccountName. These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. For example you can create certificates with this block in the spec:

  otherNames:
    - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
      utf8Value: upn@domain.local

The feature is still in alpha stage and requires you to enable the OtherName feature flag in the controller and webhook components.
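As an added illustration of what the otherNames block above becomes on the wire (this is example code, not cert-manager's own implementation), the Go program below builds a subjectAltName extension containing one dNSName and one otherName of the UPN type (OID 1.3.6.1.4.1.311.20.2.3, as in the snippet) with a UTF8String value, then parses the extension back and extracts the UPN. The host name and UPN are constructed sample values; the function names are this example's own.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Added example, not cert-manager code: encode an RFC 5280 otherName SAN with a
// UTF-8 value (a Microsoft UPN) into a subjectAltName extension and read it back.
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidUPN            = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // UPN OID
)

// otherName mirrors OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.
// Value stays a RawValue so the explicit [0] wrapper is built by hand below.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// marshalOtherName encodes one GeneralName of the otherName choice
// ([0] IMPLICIT OtherName) whose value is a UTF8String.
func marshalOtherName(typeID asn1.ObjectIdentifier, utf8Value string) ([]byte, error) {
	inner, err := asn1.MarshalWithParams(utf8Value, "utf8")
	if err != nil {
		return nil, err
	}
	on := otherName{
		TypeID: typeID,
		// value [0] EXPLICIT: a constructed context tag 0 wrapping the UTF8String.
		Value: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: inner},
	}
	return asn1.MarshalWithParams(on, "tag:0")
}

// sanExtension builds a subjectAltName extension holding dNSName entries
// ([2] IMPLICIT IA5String) and UPN otherName entries. It is left non-critical;
// RFC 5280 requires it to be critical when the certificate subject is empty.
func sanExtension(dnsNames, upns []string) (pkix.Extension, error) {
	var names []asn1.RawValue
	for _, d := range dnsNames {
		names = append(names, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte(d)})
	}
	for _, u := range upns {
		raw, err := marshalOtherName(oidUPN, u)
		if err != nil {
			return pkix.Extension{}, err
		}
		names = append(names, asn1.RawValue{FullBytes: raw})
	}
	value, err := asn1.Marshal(names) // SEQUENCE OF GeneralName
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: oidSubjectAltName, Value: value}, nil
}

// upnsFromSAN walks a subjectAltName value and returns the UTF-8 value of every
// otherName whose type-id is the UPN OID; other GeneralName choices are skipped.
func upnsFromSAN(value []byte) ([]string, error) {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(value, &seq)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence {
		return nil, fmt.Errorf("subjectAltName is not a single SEQUENCE")
	}
	var upns []string
	for data := seq.Bytes; len(data) > 0; {
		var gn asn1.RawValue
		if data, err = asn1.Unmarshal(data, &gn); err != nil {
			return nil, err
		}
		if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
			continue // dNSName, iPAddress, rfc822Name, ...
		}
		var on otherName
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
			return nil, err
		}
		if !on.TypeID.Equal(oidUPN) {
			continue // an otherName of some other type
		}
		var s string
		if _, err := asn1.Unmarshal(on.Value.Bytes, &s); err != nil {
			return nil, fmt.Errorf("UPN value is not a UTF8String: %w", err)
		}
		upns = append(upns, s)
	}
	return upns, nil
}

func main() {
	// Constructed sample values; ext can be placed in x509.Certificate.ExtraExtensions.
	ext, err := sanExtension([]string{"host.example.test"}, []string{"upn@domain.local"})
	if err != nil {
		panic(err)
	}
	upns, err := upnsFromSAN(ext.Value)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SAN extension is %d bytes; UPNs: %v\n", len(ext.Value), upns)
}
```

The decoder deliberately skips every GeneralName choice it does not understand instead of failing, which is what a relying party must do with SANs it cannot interpret; only a UPN otherName whose value is not a valid UTF8String is reported as an error.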

New CA certificate Features

You can now specify the X.509 v3 Authority Information Accessors extension, with URLs for certificates issued by the CA issuer.

Users can now use name constraints in CA certificates. For details on name constraints, see RFC 5280 section 4.2.1.10: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10

Security

An ongoing security audit of the cert-manager code revealed some weaknesses which we have addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those important services.

All the cert-manager containers are now configured with read only root file system by default, to prevent unexpected changes to the file system of the OCI image.

And it is now possible to configure the metrics server to use HTTPS rather than HTTP, so that clients can verify the identity of the metrics server.

Other

The liveness probe of the cert-manager controller Pod is now enabled by default.

There is a new option .spec.keystores.pkcs12.algorithms to specify the encryption and MAC algorithms for PKCS#12 keystores.

🤝 Community

Thanks again to all open-source contributors with commits in this release, including:

Thanks also to the following cert-manager maintainers for their contributions during this release:

Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.

📜 Changes
Feature
  • ACME challenge solver Pod for HTTP01 will get a default annotation of "cluster-autoscaler.kubernetes.io/safe-to-evict": "true". You can provide an annotation of "cluster-autoscaler.kubernetes.io/safe-to-evict": "false" in your podTemplate if you don't like this. (#​6349, @​jsoref)
  • Added a clock skew detector liveness probe that will force a restart in case we detect a skew between the internal monotonic clock and the system clock of more than 5 minutes. Also, the controller's liveness probe is now enabled by default. (#​6328, @​inteon)
  • Added a new flag (--dynamic-serving-leaf-duration) that can adjust the lifetime of the dynamic leaf certificates (#​6552, @​allenmunC1)
  • Added support for otherName SANS in Certificates (#​6404, @​SpectralHiss)
  • Added the option to specify the X.509 v3 Authority Information Accessors extension CA Issuers URLs for certificates issued by the CA issuer. (#​6486, @​jeremycampbell)
  • Adds cert-manager's new core infrastructure initiative badge! See more details on https://www.bestpractices.dev/projects/8079 (#​6497, @​SgtCoDFish)
  • All Pods are now configured with readOnlyRootFilesystem by default. (#​6453, @​wallrj)
  • MAYBE BREAKING: The startupapicheck job is now handled by an entirely new container called "startupapicheck". This replaces the previous ctl container. If you run in an environment in which images cannot be pulled, be sure to include the new container. (#​6549, @​SgtCoDFish)
  • New option .spec.keystores.pkcs12.algorithms to specify encryption and MAC algorithms for PKCS#​12 keystores. Fixes issues #​5957 and #​6523. (#​6548, @​snorwin)
  • The ACME HTTP01 solver Pod is now configured with readOnlyRootFilesystem: true (#​6462, @​wallrj)
  • Updates the AWS SDK for Go to 1.48.7 to support Amazon EKS Pod Identity (#​6519, @​JoeNorth)
  • Users can now use name constraints in CA certificates. To know more details on name constraints check out RFC section https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 (#​6500, @​tanujd11)
  • Potentially breaking: The KeyUsage and BasicConstraints extensions will now be encoded as critical in the CertificateRequest's CSR blob. (#​6053, @​inteon)
  • Add TLS support to the metrics endpoint through either a certificate file or through dynamically issued certificates (#​6574, @​ThatsMrTalbot)
  • Helm Chart: allow changing the default Deployment revisionHistoryLimit (#​6248, @​tberreis)
  • Security: Limit the size of the response body read from HTTP requests by cert-manager. (#​6619, @​ThatsMrTalbot)
  • Support custom spec.namespaceSelector for webhooks (#​6638, @​jkroepke)
Bug or Regression
  • BUGFIX[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. (#​6380, @​asapekia)
  • Controller ConfigMap is now created only if .Values.config is set. (#​6357, @​ABWassim)
  • Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. (#​6406, @​inteon)
  • Fix(helm): templating of required value in controller and webhook ConfigMap resources (#​6435, @​ABWassim)
  • Fixed a webhook validation error message when the key algorithm was invalid. (#​6571, @​pevidex)
  • Fixed error messaging when setting up vault issuer (#​6433, @​vinny)
  • GHSA-vgf6-pvf4-34rq: The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#​6498, @​inteon)
  • Increase the default webhook timeout to its maximum value of 30 seconds, so that the underlying timeout error message has more chance of being returned to the end user. (#​6488, @​wallrj)
  • Listeners that do not support TLS on Gateway resources will now not raise BadConfig warnings anymore (#​6347, @​lauraseidler)
  • Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances (#​6534, @​wallrj)
  • The Venafi issuer now properly resets the certificate and should no longer get stuck with "WebSDK CertRequest Module Requested Certificate" or "This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.". (#​6398, @​maelvls)
  • Update experimental install and uninstall commands to have flag parity with the rest of the CLI (#​6562, @​ThatsMrTalbot)
  • Webhook ConfigMap is now created only if .Values.webhook.config is set. (#​6360, @​ABWassim)
  • BUGFIX: Ensure otherName SAN changes in Certificate resources trigger re-issuance. (#​6620, @​SpectralHiss)
  • Bugfix: Publish the startupapicheck image to quay.io (#​6609, @​wallrj)
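The Security section above and the GHSA-vgf6-pvf4-34rq and Slowloris items in this list describe one defensive pattern for the webhook and metrics servers: bound the request body, answer with an explicit status instead of crashing, and set ReadHeaderTimeout on every http.Server. The Go program below is an added example of that pattern (not cert-manager's own code) on a stand-in admission handler: an empty body gets 400, a body of 3 MiB or more gets 413, a panic inside the handler becomes a 500, and the server is built with header and idle timeouts. The handler, path, and timeout values are this example's assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// maxBodyBytes is the 3 MiB webhook request limit quoted in the release notes;
// a request whose body is that size or larger is rejected with 413.
const maxBodyBytes = 3 << 20

// harden wraps an admission handler (added example, not cert-manager code) with
// the protections the notes describe: empty body -> 400, oversized body -> 413,
// and a panic in the handler -> 500 instead of a crashed process.
func harden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in webhook handler: %v", rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()

		// MaxBytesReader stops reading once the limit is exceeded, so a client
		// cannot make the process allocate an unbounded buffer.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes-1))
		var tooLarge *http.MaxBytesError
		switch {
		case errors.As(err, &tooLarge):
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		case err != nil:
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		case len(body) == 0:
			http.Error(w, "empty request body", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the bounded body on
		next.ServeHTTP(w, r)
	})
}

// newServer builds an http.Server with header and idle timeouts so a client that
// opens a connection and never finishes sending headers (Slowloris) cannot hold
// a worker forever. The timeout values are this example's choice.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// review is a constructed stand-in for the admission handler; it panics on a
// "panic" body so that the recovery path can be exercised.
var review = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	b, _ := io.ReadAll(r.Body)
	if string(b) == "panic" {
		panic("simulated bug in admission logic")
	}
	w.WriteHeader(http.StatusOK)
})

// exercise sends one in-memory POST to the handler and returns the status code.
func exercise(h http.Handler, body []byte) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/validate", bytes.NewReader(body))
	h.ServeHTTP(rec, req)
	return rec.Code
}

// oversizedBody returns a body exactly at the limit, which must be rejected.
func oversizedBody() []byte { return make([]byte, maxBodyBytes) }

func main() {
	h := harden(review)
	fmt.Println("empty body   ->", exercise(h, nil))
	fmt.Println("normal body  ->", exercise(h, []byte(`{"kind":"AdmissionReview"}`)))
	fmt.Println("3 MiB body   ->", exercise(h, oversizedBody()))
	fmt.Println("panic inside ->", exercise(h, []byte("panic")))
	fmt.Println("ReadHeaderTimeout:", newServer(":0", h).ReadHeaderTimeout)
}
```

The net/http server already recovers a panic per connection, but it does so by logging and dropping the connection; recovering inside the handler is what turns that into a well-formed 500 that the API server can report.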
Other (Cleanup or Flake)
  • Cert-manager is now built with Go 1.21.5 (#​6545, @​wallrj)
  • Bump Go to 1.21.3 to address CVE-2023-39325. Also bumps base images. (#​6410, @​SgtCoDFish)
  • Bump golang.org/x/net v0.15.0 => v0.17.0 as part of addressing CVE-2023-44487 / CVE-2023-39325 (#​6427, @​SgtCoDFish)
  • Check code for unintended use of crypto/md5, a weak cryptographic primitive; using golangci-lint / gosec (G501). (#​6581, @​wallrj)
  • Check code for unintended use of crypto/sha1, a weak cryptographic primitive; using golangci-lint / gosec (G505). (#​6579, @​wallrj)
  • Check code for unintended use of weak random number generator (math/rand instead of crypto/rand); using golangci-lint / gosec (G404). (#​6582, @​wallrj)
  • Cleanup: Restrict MutatingWebhookConfiguration to only CertificateRequest resources (#​6311, @​hawksight)
  • Deprecated pkg/util.RandStringRunes and pkg/controller/test.RandStringBytes. Use k8s.io/apimachinery/pkg/util/rand.String instead. (#​6585, @​wallrj)
  • Enabled verbose logging in startupapicheck by default, so that if it fails, users can know exactly what caused the failure. (#​6495, @​wallrj)
  • Fix gosec G601: Implicit memory aliasing of items from a range statement (#​6551, @​wallrj)
  • Fix handling of serial numbers in literal certificate subjects. Previously a serial number could be specified in subject.serialNumber while using a literal certificate subject. This was a mistake and has been fixed. (#​6533, @​inteon)
  • The end-to-end tests can now test the cert-manager Vault Issuer on an OpenShift cluster. (#​6391, @​wallrj)
  • Update cert-manager's distroless base images from Debian 11 to Debian 12. This should have no practical effects on users. (#​6583, @​inteon)
  • Updated all code using GatewayAPI to use the now GA v1 APIs (#​6559, @​ThatsMrTalbot)
  • Upgrade Go from 1.20.7 to 1.20.8. (#​6369, @​inteon)
  • Upgrade github.com/emicklei/go-restful/v3 to v3.11.0 because v3.10.2 is labeled as "DO NOT USE". (#​6366, @​inteon)
  • Use the new generic sets.Set type in place of the deprecated sets.String. (#​6586, @​wallrj)
  • cert-manager is now built with Go v1.21.6 (#​6628, @​SgtCoDFish)
  • Update the Azure SDK and remove deprecated autorest dependency (#​5452, @​phillebaba)
  • The cert-manager E2E tests can now be run on Kubernetes 1.29 (#​6641, @​wallrj)

v1.13.6

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.13.6 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @​BobyMCbobs for reporting this issue and testing the fix!

It also patches CVE-2023-45288.

Known Issues

  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see 1.14 release notes for more information.

Changes

Bug or Regression

v1.13.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Known Issues
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
Documentation

Release notes Upgrade notes Installation instructions

🔧 Breaking changes

See Breaking changes in v1.13.0 release notes

📜 Changes since v1.13.4
Bug or Regression
  • Allow cert-manager.io/allow-direct-injection in annotations (#​6810, @​jetstack-bot)
  • BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#​6814, @​inteon)
  • BUGFIX: fix race condition due to registering and using global runtime.Scheme variables (#​6832, @​inteon)
Other (Cleanup or Flake)

v1.13.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Known Issues
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
Documentation

Release notes Upgrade notes Installation instructions

🔧 Breaking changes

See Breaking changes in v1.13.0 release notes

📜 Changes since v1.13.3
Bug or Regression
  • BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#​6772, @​jetstack-bot)
Other (Cleanup or Flake)

v1.13.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes
Bug or Regression
Dependencies
Added

Nothing has changed.

Changed
  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go: v0.110.6 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
  • google.golang.org/genproto: f966b18 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0
Removed

Nothing has changed.

v1.13.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.13.2 fixes some CVE alerts and contains fixes for:

  1. a CertificateRequest runaway situation in case two Certificate resources point to the same Secret target resource
  2. a small bug in the Helm chart (feature gate options)
  3. a Venafi issuer bug

READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version!

Changes since v1.13.1

Bug or Regression
  • Bump golang.org/x/net v0.15.0 => v0.17.0 as part of addressing CVE-2023-44487 / CVE-2023-39325 (#​6432, @​SgtCoDFish)
  • BUGFIX[helm]: Fix issue where webhook feature gates were only set if controller feature gates are set. (#​6381, @​asapekia)
  • Fix runaway bug caused by multiple Certificate resources that point to the same Secret resource. (#​6425, @​inteon)
  • The Venafi issuer now properly resets the certificate and should no longer get stuck with "WebSDK CertRequest Module Requested Certificate" or "This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.". (#​6402, @​maelvls)
Other (Cleanup or Flake)

v1.13.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.13.1 contains a bugfix for a name collision bug in the StableCertificateRequestName feature that was enabled by default in v1.13.0.

READ https://github.com/cert-manager/cert-manager/releases/tag/v1.13.0 before you upgrade from a < v1.13 version!

Changes since v1.13.0

Bug or Regression
  • BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. (#​6358, @​jetstack-bot)
Other (Cleanup or Flake)

v1.13.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This is the 1.13 release of cert-manager!

cert-manager 1.13 brings support for DNS over HTTPS, support for loading options from a versioned config file for the cert-manager controller, and more. This release also includes the promotion of the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta.

Known issues

The StableCertificateRequestName that was promoted to Beta contains a "name collision" bug: https://github.com/cert-manager/cert-manager/issues/6342 This is fixed in v1.13.1+

Breaking Changes (You MUST read this before you upgrade!)

  1. IMPORTANT NOTE: If upgrading from a version below v1.12, upgrade to the latest v1.12 release before upgrading to v1.13. Otherwise, some certificates may be unexpectedly re-issued (see https://github.com/cert-manager/cert-manager/issues/6494#issuecomment-1816112309)
  2. BREAKING : If you deploy cert-manager using helm and have .featureGates value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use webhook.featureGates field instead to define features to be enabled on webhook. (#​6093, @​irbekrm)
  3. Potentially breaking: If you were, for some reason, passing cert-manager controller's features to webhook's --feature-gates flag, this will now break (unless the webhook actually has a feature by that name). (#​6093, @​irbekrm)
  4. Potentially breaking: Webhook validation of CertificateRequest resources is stricter now: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, and the encoded CSR can never contain more usages than are defined there. (#​6182, @​inteon)

Community

Welcome to these new cert-manager members (more info - https://github.com/cert-manager/cert-manager/pull/6260): @​jsoref @​FlorianLiebhart @​hawksight @​erikgb

Thanks again to all open-source contributors with commits in this release, including: @​AcidLeroy @​FlorianLiebhart @​lucacome @​cypres @​erikgb @​ubergesundheit @​jkroepke @​jsoref @​gdvalle @​rouke-broersma @​schrodit @​zhangzhiqiangcs @​arukiidou @​hawksight @​Richardds @​kahirokunn

Thanks also to the following cert-manager maintainers for their contributions during this release: @​SgtCoDFish @​maelvls @​irbekrm @​inteon

Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!

Special thanks to @​AcidLeroy for adding "load options from a versioned config file" support for the cert-manager controller! This has been on our wishlist for a very long time. (see https://github.com/cert-manager/cert-manager/pull/5337)

Also, thanks a lot to @​FlorianLiebhart for adding support for DNS over HTTPS for the ACME DNS self-check. This is very useful when all traffic must be HTTP(S) traffic, e.g. when using an HTTPS_PROXY. (see https://github.com/cert-manager/cert-manager/pull/5003)

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.

Changes since v1.12.0

Feature
  • Add support for logging options to webhook config file. (#​6243, @​inteon)
  • Add view permissions to the well-known (Openshift) user-facing cluster-reader aggregated cluster role (#​6241, @​erikgb)
  • Certificate Shim: distinguish DNS names and IP addresses in certificates (#​6267, @​zhangzhiqiangcs)
  • Cmctl can now be imported by third parties. (#​6049, @​SgtCoDFish)
  • Make enableServiceLinks configurable for all Deployments and startupapicheck Job in Helm chart. (#​6292, @​ubergesundheit)
  • Promoted the StableCertificateRequestName and SecretsFilteredCaching feature gates to Beta (enabled by default). (#​6298, @​inteon)
  • The cert-manager controller options are now configurable using a configuration file. (#​5337, @​AcidLeroy)
  • The pki CertificateTemplate functions now perform validation of the CSR blob, making sure we sign a Certificate that matches the IsCA and (Extended)KeyUsages that are defined in the CertificateRequest resource. (#​6199, @​inteon)
  • [helm] Add prometheus.servicemonitor.endpointAdditionalProperties to define additional properties on a ServiceMonitor endpoint, e.g. relabelings (#​6110, @​jkroepke)
Design
  • DNS over HTTPS (DoH) can now be used for the self-checks during ACME verification. The DNS check method is controlled through the command line flag --dns01-recursive-nameservers-only=true in combination with --dns01-recursive-nameservers=https://<DoH-endpoint> (e.g. https://8.8.8.8/dns-query). Plain DNS lookup remains the default method. (#​5003, @​FlorianLiebhart)
Bug or Regression
  • Allow overriding default pdb .minAvailable with .maxUnavailable without setting .minAvailable to null (#​6087, @​rouke-broersma)
  • BUGFIX: cmctl check api --wait 0 exited without output and exit code 1; we now make sure we perform the API check at least once and return with the correct error code (#​6109, @​inteon)
  • BUGFIX: the issuer and certificate-name annotations on a Secret were incorrectly updated when other fields are changed. (#​6147, @​inteon)
  • BUGFIX[cainjector]: 1-character bug was causing invalid log messages and a memory leak (#​6232, @​inteon)
  • Fix CloudDNS issuers stuck in propagation check, when multiple instances are issuing for the same FQDN (#​6088, @​cypres)
  • Fix indentation of Webhook NetworkPolicy matchLabels in helm chart. (#​6220, @​ubergesundheit)
  • Fixed Cloudflare DNS01 challenge provider race condition when validating multiple domains (#​6191, @​Richardds)
  • Fixes a bug where the webhook was pulling in the controller's feature gates. BREAKING: If you deploy cert-manager using Helm and have the .featureGates value set, the features defined there will no longer be passed to the cert-manager webhook, only to the cert-manager controller. Use the webhook.featureGates field instead to define features to be enabled on the webhook. Potentially breaking: If you were, for some reason, passing the cert-manager controller's features to the webhook's --feature-gates flag, this will now break (unless the webhook actually has a feature by that name). (#​6093, @​irbekrm)
  • Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's net.IP.String() function would have printed that address. (#​6293, @​SgtCoDFish)
  • We disabled the enableServiceLinks option for our ACME HTTP solver pods, because the option caused the pod to crash loop in a cluster with a lot of services. (#​6143, @​schrodit)
  • Potentially breaking: Webhook validation of CertificateRequest resources is now stricter: all KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource, and the encoded CSR can never contain more usages than are defined there. (#​6182, @​inteon)
Other (Cleanup or Flake)
  • A subset of the klogs flags have been deprecated and will be removed in the future. (#​5879, @​maelvls)
  • All service links in helm chart deployments have been disabled. (#​6144, @​schrodit)
  • Cert-manager will now re-issue a certificate if the public key in the latest CertificateRequest resource linked to a Certificate resource does not match the public key of the key encoded in the Secret linked to that Certificate resource (#​6168, @​inteon)
  • Chore: When hostNetwork is enabled, dnsPolicy is now set to ClusterFirstWithHostNet. (#​6156, @​kahirokunn)
  • Cleanup the controller configfile structure by introducing sub-structs. (#​6242, @​inteon)
  • Don't run API Priority and Fairness controller in webhook's extension apiserver (#​6085, @​irbekrm)
  • Helm: Add apache 2.0 license annotation (#​6225, @​arukiidou)
  • Make apis/acme/v1/ACMEIssuer.PreferredChain optional in JSON serialization. (#​6034, @​gdvalle)
  • The SecretPostIssuancePolicyChain now also makes sure that the cert-manager.io/common-name, cert-manager.io/alt-names, ... annotations on Secrets are kept at their correct value. (#​6176, @​inteon)
  • The cmctl logging has been improved and support for json logging has been added. (#​6247, @​inteon)
  • Updates Kubernetes libraries to v0.27.2. (#​6077, @​lucacome)
  • Updates Kubernetes libraries to v0.27.4. (#​6227, @​lucacome)
  • We now only check that the issuer name, kind and group annotations on a Secret match in case those annotations are set. (#​6152, @​inteon)

v1.12.12

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

📜 Changes since v1.12.11

Bugfixes
Other (Cleanup or Flake)

v1.12.11

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

📜 Changes since v1.12.10

Other (Cleanup or Flake)

v1.12.10

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.12.10 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @​BobyMCbobs for reporting this issue and testing the fix!

It also patches CVE-2023-45288.

Known Issues
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations

  • If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406). This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.

Changes

Bug or Regression

v1.12.9

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Known Issues
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations

  • If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406). This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.

Documentation

  • Release notes
  • Upgrade notes
  • Installation instructions

🔧 Breaking changes

See Breaking changes in v1.12.0 release notes

📜 Changes since v1.12.8
Bug or Regression
  • Allow cert-manager.io/allow-direct-injection in annotations (#​6811, @​jetstack-bot)
  • BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer (#​6813, @​inteon)
  • BUGFIX: fix race condition due to registering and using global runtime.Scheme variables (#​6833, @​inteon)
Other (Cleanup or Flake)

v1.12.8

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Known Issues
  • ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations

  • If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406). This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.

Documentation

  • Release notes
  • Upgrade notes
  • Installation instructions

🔧 Breaking changes

See Breaking changes in v1.12.0 release notes

📜 Changes since v1.12.7
Bug or Regression
  • BUGFIX: LiteralSubjects with a #= value can result in memory issues due to faulty BER parser (github.com/go-asn1-ber/asn1-ber). (#​6773, @​jetstack-bot)
Other (Cleanup or Flake)

v1.12.7

Compare Source

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2382: Denial of service via chunk extensions in net/http

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Known bugs

If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).

This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.

Changes
Feature
Bug or Regression
  • The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#​6506, @​inteon).
  • The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#​6506, @​inteon).
  • The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#​6506, @​inteon).
  • Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances (#​6539, @​wallrj).
  • Upgrade otel and docker to fix: CVE-2023-47108 and GHSA-jq35-85cj-fj4p (#​6513, @​inteon).
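The four webhook protections listed above (413 for bodies of 3 MiB or more, 400 for an empty body, 500 instead of a crash on panic, and ReadHeaderTimeout against Slowloris) as an added Go example; this is illustrative code, not cert-manager's own webhook implementation. The handler names and the 10-second header timeout are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"log"
	"net/http"
	"time"
)

// maxBodyBytes is the 3 MiB threshold from the release notes: a body of this
// size or larger is rejected with 413 before it reaches the webhook logic.
const maxBodyBytes = 3 << 20

// hardenHandler wraps an admission handler with the three request-level
// protections described above. The body is read through MaxBytesReader so the
// amount of memory a single request can consume is bounded even when the
// client does not declare a Content-Length (chunked transfer encoding).
func hardenHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A panic anywhere below becomes a 500 instead of taking the process down.
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in webhook handler: %v", rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()

		// Cheap early rejection when the client declares the size up front.
		if r.ContentLength >= maxBodyBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}

		// Read at most maxBodyBytes-1 bytes; anything beyond that is an error,
		// so a streamed body of 3 MiB or more is also answered with 413.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes-1))
		var tooLarge *http.MaxBytesError
		switch {
		case errors.As(err, &tooLarge):
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		case err != nil:
			http.Error(w, "could not read request body", http.StatusBadRequest)
			return
		case len(body) == 0:
			http.Error(w, "empty request body", http.StatusBadRequest)
			return
		}

		// Hand the bounded, already-buffered body to the real handler.
		r.Body = io.NopCloser(bytes.NewReader(body))
		next.ServeHTTP(w, r)
	})
}

// newServer builds an http.Server with ReadHeaderTimeout set, which is the
// Slowloris mitigation the release notes mention: a client that trickles
// header bytes forever can no longer hold a connection open indefinitely.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second, // assumed value, not taken from the page
	}
}

func main() {
	// Stand-in for the admission handler: echoes the (bounded) body back.
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		_, _ = w.Write(b)
	})
	log.Fatal(newServer(":8443", hardenHandler(echo)).ListenAndServe())
}
```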
Dependencies
Added
  • cloud.google.com/go/dataproc/v2: v2.0.1
Changed
  • cloud.google.com/go/aiplatform: v1.45.0 → v1.48.0
  • cloud.google.com/go/analytics: v0.21.2 → v0.21.3
  • cloud.google.com/go/baremetalsolution: v0.5.0 → v1.1.1
  • cloud.google.com/go/batch: v0.7.0 → v1.3.1
  • cloud.google.com/go/beyondcorp: v0.6.1 → v1.0.0
  • cloud.google.com/go/bigquery: v1.52.0 → v1.53.0
  • cloud.google.com/go/cloudbuild: v1.10.1 → v1.13.0
  • cloud.google.com/go/cloudtasks: v1.11.1 → v1.12.1
  • cloud.google.com/go/compute: v1.21.0 → v1.23.0
  • cloud.google.com/go/contactcenterinsights: v1.9.1 → v1.10.0
  • cloud.google.com/go/container: v1.22.1 → v1.24.0
  • cloud.google.com/go/datacatalog: v1.14.1 → v1.16.0
  • cloud.google.com/go/dataplex: v1.8.1 → v1.9.0
  • cloud.google.com/go/datastore: v1.12.1 → v1.13.0
  • cloud.google.com/go/datastream: v1.9.1 → v1.10.0
  • cloud.google.com/go/deploy: v1.11.0 → v1.13.0
  • cloud.google.com/go/dialogflow: v1.38.0 → v1.40.0
  • cloud.google.com/go/documentai: v1.20.0 → v1.22.0
  • cloud.google.com/go/eventarc: v1.12.1 → v1.13.0
  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go/gkebackup: v0.4.0 → v1.3.0
  • cloud.google.com/go/gkemulticloud: v0.6.1 → v1.0.0
  • cloud.google.com/go/kms: v1.12.1 → v1.15.0
  • cloud.google.com/go/maps: v0.7.0 → v1.4.0
  • cloud.google.com/go/metastore: v1.11.1 → v1.12.0
  • cloud.google.com/go/policytroubleshooter: v1.7.1 → v1.8.0
  • cloud.google.com/go/pubsub: v1.32.0 → v1.33.0
  • cloud.google.com/go/run: v0.9.0 → v1.2.0
  • cloud.google.com/go/servicedirectory: v1.10.1 → v1.11.0
  • cloud.google.com/go/speech: v1.17.1 → v1.19.0
  • cloud.google.com/go/translate: v1.8.1 → v1.8.2
  • cloud.google.com/go/video: v1.17.1 → v1.19.0
  • cloud.google.com/go/vmwareengine: v0.4.1 → v1.0.0
  • cloud.google.com/go: v0.110.4 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • github.com/google/uuid: v1.3.0 → v1.3.1
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/oauth2: v0.10.0 → v0.11.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: 782d3b1 → b8732ec
  • google.golang.org/genproto/googleapis/rpc: 782d3b1 → b8732ec
  • google.golang.org/genproto: 782d3b1 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0
Removed
  • cloud.google.com/go/dataproc: v1.12.0

v1.12.6

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.12.6 fixes some CVE alerts and a Venafi issuer bug.

Known bugs

If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).

This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.

Changes since v1.12.5

Bug or Regression
  • Bump golang.org/x/net v0.15.0 => v0.17.0 as part of addressing CVE-2023-44487 / CVE-2023-39325 (#​6431, @​SgtCoDFish)
  • The Venafi issuer now properly resets the certificate and should no longer get stuck with "WebSDK CertRequest Module Requested Certificate" or "This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry." (#​6401, @​maelvls)
Other (Cleanup or Flake)

v1.12.5

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.12.5 contains a backport for a name collision bug that was found in v1.13.0

Changes since v1.12.4

Bug or Regression
  • BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature. (#​6359, @​jetstack-bot)
Other (Cleanup or Flake)

v1.12.4

Compare Source

v1.12.4 contains an important security fix that addresses CVE-2023-29409.

Changes since v1.12.3

  • Fixes an issue where cert-manager would incorrectly reject two IP addresses as being unequal when they should have compared equal. This would be most noticeable when using an IPv6 address which doesn't match how Go's net.IP.String() function would have printed that address. (#​6297, @​SgtCoDFish)
  • Use Go 1.20.7 to fix a security issue in Go's crypto/tls library. (#​6318, @​maelvls)

v1.12.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.12.3 contains a bug fix for the cainjector which addresses a memory leak!

Changes since v1.12.2

Bugfixes

v1.12.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.12.2 is a bugfix release, but includes a known issue and you should prefer the latest patch release!

Known issues

cert-manager v1.12.0, v1.12.1 and v1.12.2 all have known issues. You should install the latest patch release of v1.12 and skip over the affected versions.

Changes since v1.12.1

Bugfixes
  • BUGFIX: cmctl check api --wait 0 exited without output; we now make sure we perform the API check at least once (#​6116, @​jetstack-bot)

v1.12.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The v1.12.1 release contains a couple of dependency bumps and changes to the ACME external webhook library.

Known issues

cert-manager v1.12.0, v1.12.1 and v1.12.2 all have known issues. You should install the latest patch release of v1.12 and skip over the affected versions.

Changes since v1.12.0

Other (Cleanup or Flake)
  • Don't run API Priority and Fairness controller in webhook's extension apiserver (#​6085, @​irbekrm)
  • Adds a warning for folks to not use controller feature gates helm value to configure webhook feature gates (#​6100, @​irbekrm)
Uncategorized

v1.12.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the ingressClassName field.

The full release notes are available at https://cert-manager.io/docs/release-notes/release-notes-1.12.

Known issues

cert-manager v1.12.0, v1.12.1 and v1.12.2 all have known issues. You should install the latest patch release of v1.12 and skip over the affected versions.

Community

Thanks again to all open-source contributors with commits in this release, including:

Thanks also to the following cert-manager maintainers for their contributions during this release:

Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack, joined our meetings and talked to us at KubeCon!

Special thanks to @​erikgb for continuously great input and feedback and to @​lucacome for always ensuring that our kube deps are up to date!

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.

Changes by Kind

Feature
  • POTENTIALLY BREAKING: the cert-manager binaries and some tests have been split into separate Go modules, allowing them to be easily patched independently. This should have no impact if you simply run cert-manager in your cluster. If you import cert-manager binaries, integration tests or end-to-end tests in Go, you may need to make code changes in response to this. See https://cert-manager.io/docs/contributing/importing/ for more details. (#​5880, @​SgtCoDFish)
  • Added support for JSON logging (using --logging-format=json) (#​5828, @​malovme)
  • Added the --concurrent-workers flag that lets you control the number of concurrent workers for each of our controllers. (#​5936, @​inteon)
  • Adds acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets field to issuer spec to allow to specify image pull secrets for the ACME HTTP01 solver pod. (#​5801, @​malovme)
  • Cainjector:
    • New flags were added to the cainjector binary. They can be used to modify what injectable kinds are enabled. If cainjector is only used as a cert-manager's internal component it is sufficient to only enable validatingwebhookconfigurations and mutatingwebhookconfigurations injectable resources; disabling the rest can improve memory consumption. By default all are enabled.
    • The --watch-certs flag was renamed to --enable-certificates-data-source. (#​5766, @​irbekrm)
  • Helm: Added PodDisruptionBudgets for cert-manager components to the Helm chart (disabled by default). (#​3931, @​e96wic)
  • Helm: Egress 6443/TCP is now allowed in the webhook. This is required for OpenShift and OKD clusters for which the Kubernetes API server listens on port 6443 instead of 443. (#​5788, @​ExNG)
  • Helm: you can now add volumes and volume mounts via Helm variables for the cainjector, webhook, and startupapicheck. (#​5668, @​waterfoul)
  • Helm: you can now enable the flags --dns01-recursive-nameservers, --enable-certificate-owner-ref, and --dns01-recursive-nameservers-only through Helm values. (#​5614, @​jkroepke)
  • The DigitalOcean issuer now sets a cert-manager user agent string. (#​5869, @​andrewsomething)
  • The HTTP-01 solver can now be configured to create Ingresses with an ingressClassName. The credit goes to @​dsonck92 for implementing the initial MR. (#​5849, @​maelvls)
  • The Vault issuer can now be used with ephemeral Kubernetes tokens. With the new serviceAccountRef field, cert-manager generates a short-lived token associated to the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook in order to check the vault.auth field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for vault.auth. (#​5502, @​maelvls)
  • The cert-manager controller container of the controller Pod now has a /livez endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#​5962, @​wallrj)
  • Upgraded Gateway API to v0.6.0. (#​5768, @​yulng)
  • Webhook now logs requests to mutating/validating webhook (with --v=5 flag) (#​5975, @​tobotg)
Design
  • Certificate issuances are always failed (and retried with a backoff) for denied or invalid CertificateRequests. This is not necessarily a breaking change as due to a race condition this may already have been the case. (#​5887, @​irbekrm)
  • The cainjector controller can now use server-side apply to patch mutatingwebhookconfigurations, validatingwebhookconfigurations, apiservices, and customresourcedefinitions. This feature is currently in alpha and is not enabled by default. To enable server-side apply for the cainjector, add the flag --feature-gates=ServerSideApply=true to the deployment. (#​5991, @​inteon)
Documentation
Bug or Regression
  • Cmctl renew now prints an error message unless Certificate name(s) or --all are supplied (#​5896, @​maumontesilva)
  • Cmctl: In order to work around a hardcoded Kubernetes version in Helm, we now use a fake kube-apiserver version when generating the Helm template when running cmctl x install. (#​5720, @​irbekrm)
  • Fix development environment and go vendoring on Linux arm64. (#​5810, @​SgtCoDFish)
  • Fix ordering of remote git tags when preparing integration tests (#​5910, @​SgtCoDFish)
  • Helm: the flag --acme-http01-solver-image given to the variable acmesolver.extraArgs now has precedence over the variable acmesolver.image. (#​5693, @​SgtCoDFish)
  • Ingress and Gateway resources will not be synced if deleted via foreground cascading. (#​5878, @​avi-08)
  • The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#​5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slow down the issuance of certificates by 9% in case of heavy load on TPP. We aim to release a patch release of cert-manager at a later date to fix this slowdown. (#​5805, @​inteon)
  • Upgrade to go 1.19.6 along with newer helm and containerd versions and updated base images (#​5813, @​SgtCoDFish)
  • When using the jks and pkcs12 fields on a Certificate resource with a CA issuer that doesn't set the ca.crt in the Secret resource, cert-manager no longer loops trying to copy ca.crt into truststore.jks or truststore.p12. (#​5972, @​vinzent)
  • When using the literalSubject field on a Certificate resource, the IPs, URIs, DNS names, and email addresses segments are now properly compared. (#​5747, @​inteon)
Other (Cleanup or Flake)
  • ACME account registration is now re-verified if account key is manually changed. (#​5949, @​TrilokGeer)
  • Add make go-workspace target for generating a go.work file for local development (#​5935, @​SgtCoDFish)
  • Added a Makefile target to build a standalone E2E test binary: make e2e-build (#​5804, @​wallrj)
  • Bump keystore-go to v4.4.1 to work around an upstream rewrite of history (#​5724, @​g-gaston)
  • Bump the distroless base images (#​5929, @​maelvls)
  • Bumps base images (#​5793, @​irbekrm)
  • Cainjector memory improvements: removes the second cache of Secrets, CRDs, validating/mutatingwebhookconfigurations and APIServices, which should reduce memory consumption by about half. BREAKING: users who are relying on cainjector to work when the certificates.cert-manager.io CRD is not installed in the cluster now need to pass the --watch-certificates=false flag to cainjector, else it will not start. Users who only use cainjector as cert-manager's internal component and have a large number of Certificate resources in the cluster can pass --watch-certificates=false to stop cainjector caching Certificate resources and save some memory. (#​5746, @​irbekrm)
  • Cainjector now only reconciles annotated objects of injectable kind. (#​5764, @​irbekrm)
  • Container images now have an OCI source label (#​5722, @​james-callahan)
  • Enable cmctl to be imported by third parties (#​6050, @​jetstack-bot)
  • The acmesolver pods created by cert-manager now have automountServiceAccountToken turned off. (#​5754, @​wallrj)
  • The controller binary now uses much less memory on Kubernetes clusters with large or numerous Secret resources. The controller now ignores the contents of Secrets that aren't relevant to cert-manager. This functionality is currently placed behind SecretsFilteredCaching feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver because unlabelled Secret resources that cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the controller.cert-manager.io/fao: true label. (#​5824, @​irbekrm)
  • The controller memory usage has been further decreased by ignoring annotations, labels and managed fields when caching Secret resources. (#​5966, @​irbekrm)
  • The controller now makes fewer calls to the ACME server. POTENTIALLY BREAKING: this MR slightly changes how the name of the Challenge resources are calculated. To avoid duplicate issuances due to the Challenge resource being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#​5901, @​irbekrm)
  • The memory usage of the controller has been reduced by only caching the metadata of Pods and Services. (#​5976, @​irbekrm)
  • The number of calls made to the ACME server during the controller startup has been reduced by storing the private key hash in the Issuer's status. (#​6006, @​vidarno)
  • Updates Kubernetes libraries to v0.26.2. (#​5820, @​lucacome)
  • Updates Kubernetes libraries to v0.26.3. (#​5907, @​lucacome)
  • Updates Kubernetes libraries to v0.27.1. (#​5961, @​lucacome)
  • Updates base images (#​5832, @​irbekrm)
  • Upgrade to Go 1.20 (#​5969, @​wallrj)
  • Upgrade to go 1.19.5 (#​5712, @​yanggangtony)
  • Validates that certificate.spec.secretName is a valid Secret name (#​5967, @​avi-08)
  • We are now testing with Kubernetes v1.27.1 by default. (#​5979, @​irbekrm)
  • certificate.spec.secretName Secrets will now be labelled with controller.cert-manager.io/fao label (#​5660, @​irbekrm)
Uncategorized
  • We have replaced our python boilerplate checker with an installed Go version, removing the need to have Python installed when developing or building cert-manager. (#​6000, @​SgtCoDFish)

v1.11.5

Compare Source

v1.11.5 contains an important security fix that addresses CVE-2023-29409.

Changes since v1.11.4

v1.11.4

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.11.4 contains some version bumps to address reported CVEs (although we don't expect that cert-manager was actually vulnerable to anything!)

Changes by Kind

Other (Cleanup or Flake)

Dependencies

Changed

v1.11.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.11.3 mostly contains ACME library changes. The API Priority and Fairness feature is now disabled in the external webhook's extension apiserver.

Changes by Kind

Other (Cleanup or Flake)
  • API Priority and Fairness controller is now disabled in extension apiserver for DNS webhook implementation. (#​6092, @​irbekrm)
  • Adds a warning for folks to not use controller feature gates helm value to configure webhook feature gates (#​6101, @​irbekrm)

v1.11.2

Compare Source

Changelog since v1.11.1

Changes by Kind

Bug or Regression
Other (Cleanup or Flake)
  • Bump the distroless base images (#​5930, @​maelvls)

  • Bumps Docker libraries to fix vulnerability scan alert for CVE-2023-28840, CVE-2023-28841, CVE-2023-28842 (#​6037, @​irbekrm) Cert-manager was not actually affected by these CVEs which are all to do with Docker daemon's overlay network.

  • Bumps Kube libraries v0.26.0 -> v0.26.4 (#​6038, @​irbekrm) This might help with running cert-manager v1.11 on Kubernetes v1.27, see #​6038

v1.11.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

In v1.11.1, we updated the base images used for cert-manager containers. In addition, users of the Venafi issuer will see fewer certificates repeatedly failing.

If you are a user of Venafi TPP and have been having issues with the error message "This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry", please use this version.

Changes since v1.11.0

Bug or Regression
  • Bump helm and other dependencies to fix CVEs, along with upgrading go and base images (#​5815, @​SgtCoDFish)
  • Bump the distroless base images (#​5930, @​maelvls)
  • The auto-retry mechanism added in VCert 4.23.0 and part of cert-manager 1.11.0 (#​5674) has been found to be faulty. Until this issue is fixed upstream, we now use a patched version of VCert. This patch will slow down the issuance of certificates by 9% in case of heavy load on TPP. We aim to release a patch release of cert-manager at a later date to fix this slowdown. (#​5819, @​maelvls)
  • Use a fake-kube apiserver version when generating helm template in cmctl x install, to work around a hardcoded Kubernetes version in Helm. (#​5726, @​SgtCoDFish)
Other (Cleanup or Flake)

v1.11.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.11.0 includes a drastic reduction in cert-manager's runtime memory usage, a slew of improvements to AKS integrations and various other tweaks, fixes and improvements, all towards cert-manager's goal of being the best way to handle certificates in modern Cloud Native applications.

Community

Thanks again to all open-source contributors with commits in this release, including:

Thanks also to the following cert-manager maintainers for their contributions during this release:

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.

Changes since cert-manager v1.10

For an overview of new features, see the v1.11 release notes!

Feature
  • Helm: allow configuring the image used by ACME HTTP-01 solver (#​5554, @​yann-soubeyrand)
  • Add the --max-concurrent-challenges controller flag to the helm chart (#​5638, @​lvyanru8200)
  • Adds the ability to specify a custom CA bundle in Issuers when connecting to an ACME server (#​5644, @​SgtCoDFish)
  • Enable testing against Kubernetes 1.26 and test with Kubernetes 1.26 by default (#​5646, @​SgtCoDFish)
  • Experimental make targets for pushing images to an OCI registry using ko and redeploying cert-manager to the cluster referenced by your current KUBECONFIG context. (#​5655, @​wallrj)
  • Add ability to run acmesolver pods as root if desired. The default is still to run as non-root. (#​5546, @​cmcga1125)
  • Add support for DC and UID in the LiteralSubject field; all mandatory OIDs are now supported for LDAP certificates (RFC 4514). (#​5587, @​SpectralHiss)
  • Add support for Workload Identity to AzureDNS resolver (#​5570, @​weisdd)
  • Breaking: updates the gateway API integration to use the more stable v1beta1 API version. Any users of the cert-manager ExperimentalGatewayAPISupport alpha feature must ensure that v1beta1 of Gateway API is installed in the cluster. (#​5583, @​lvyanru8200)
  • Certificate secrets get refreshed if the keystore format changes (#​5597, @​sathyanarays)
  • Introducing UseCertificateRequestBasicConstraints feature flag to enable Basic Constraints in the Certificate Signing Request (#​5552, @​sathyanarays)
  • Return error when Gateway has a cross-namespace secret ref (#​5613, @​mmontes11)
  • Signers fire an event on CertificateRequests which have not been approved yet. Used for informational purposes so users understand why a request is not progressing. (#​5535, @​JoshVanL)
Bug or Regression
  • Don't log errors relating to self-signed issuer checks for external issuers (#​5681, @​SgtCoDFish)
  • Fixed a bug in AzureDNS resolver that led to early reconciliations in misconfigured Workload Identity-enabled setups (when Federated Identity Credential is not linked with a controller's k8s service account) (#​5663, @​weisdd)
  • Use manually specified temporary directory template when verifying CRDs (#​5680, @​SgtCoDFish)
  • vcert was upgraded to v4.23.0, fixing two bugs in cert-manager. The first bug, which prevented the Venafi issuer from renewing certificates when using TPP, has been fixed. You should no longer see your certificates getting stuck with "WebSDK CertRequest Module Requested Certificate" or "This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry". The second bug that was fixed prevented the use of algorithm: Ed25519 in Certificate resources with VaaS. (#​5674, @​maelvls)
  • Upgrade golang/x/net to fix CVE-2022-41717 (#​5632, @​SgtCoDFish)
  • Bug fix: When using feature gates with the helm chart, enable feature gate flags on webhook as well as controller (#​5584, @​lvyanru8200)
  • Fix golang.org/x/text vulnerability (#​5562, @​SgtCoDFish)
  • Fixes a bug that caused the Vault issuer to omit the Vault namespace in requests to the Vault API. (#​5591, @​wallrj)
  • The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#​5568, @​wallrj)
  • Upgrade to go 1.19.4 to fix CVE-2022-41717 (#​5619, @​SgtCoDFish)
  • Upgrade to latest go minor release (#​5559, @​SgtCoDFish)
  • Ensure extraArgs in Helm takes precedence over the new acmesolver image options (#​5702, @​SgtCoDFish)
  • Fix cainjector's --namespace flag. Users who want to prevent cainjector from reading all Secrets and Certificates in all namespaces (i.e. to prevent excessive memory consumption) can now scope it to a single namespace using the --namespace flag. A cainjector that is only used as part of the cert-manager installation only needs access to the cert-manager installation namespace. (#​5694, @​irbekrm)
  • Fixes a bug where cert-manager controller was caching all Secrets twice (#​5691, @​irbekrm)
Other
Known issues

v1.10.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.10.2 is primarily a performance enhancement release which might reduce memory consumption by up to 50% in some cases thanks to some brilliant work by @​irbekrm! 🎉

It also patches several vulnerabilities reported by scanners and updates the base images used for cert-manager containers. In addition, it removes a potentially confusing log line which had been introduced in v1.10.0 which implied that an error had occurred when using external issuers even though there'd been no error.

Changes since v1.10.1

Feature
Bug or Regression
Other (Cleanup or Flake)

v1.10.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.10.1 is a bug fix release which fixes a problem which prevented the Venafi Issuer from connecting to TPP servers where the vedauth API endpoints were configured to accept client certificates. It is also compiled with a newer version of Go 1.19 (v1.19.3) which fixes some vulnerabilities in the Go standard library.

Changes since v1.10.0

Bug or Regression
  • The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#​5576, @​wallrj)
  • Upgrade to latest go patch release (#​5560, @​SgtCoDFish)

v1.10.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.10 adds a variety of quality-of-life fixes and features including improvements to the test suite.

Changes since v1.9.1

Breaking Changes (You MUST read this before you upgrade!)
Container Name Changes

This change is only relevant if you install cert-manager using Helm or the static manifest files. v1.10.0 changes the names of containers in pods created by cert-manager.

The names are changed to better reflect what they do; for example, the container in the controller pod had its name changed from cert-manager to cert-manager-controller, and the webhook pod had its container name changed from cert-manager to cert-manager-webhook.

This change could cause a break if you:

  1. Use Helm or the static manifests, and
  2. Have scripts, tools or tasks which rely on the names of the cert-manager containers being static

If both of these are true, you may need to update your automation before you upgrade.

On OpenShift the cert-manager Pods may fail until you modify Security Context Constraints

In cert-manager 1.10 the secure computing (seccomp) profile for all the Pods is set to RuntimeDefault. (See cert-manager#5259.) The securityContext fields of the Pod are set as follows:

...

### ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  seccompProfile:
    type: RuntimeDefault
    ...

On some versions and configurations of OpenShift this can cause the Pod to be rejected by the Security Context Constraints admission webhook. Read full release notes to learn if this might affect you and how to fix it.

Feature
  • Add issuer_name, issuer_kind and issuer_group labels to certificate_expiration_timestamp_seconds, certmanager_certificate_renewal_timestamp_seconds and certmanager_certificate_ready_status metrics (#​5461, @​dkulchinsky)
  • Add make targets for running scans with trivy against locally built containers (#​5358, @​SgtCoDFish)
  • CertificateRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. (#​5336, @​JoshVanL)
  • CertificateSigningRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed experimental.cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. CertificateSigningRequests will also now no longer be marked as failed when the target private key Secret is malformed; instead, only an event is fired. When the Secret data is resolved, the request will attempt issuance. (#​5379, @​JoshVanL)
  • Upgraded Gateway API to v0.5.0 (#​5376, @​inteon)
  • Add caBundleSecretRef to the Vault Issuer to allow referencing the Vault CA Bundle with a Secret. Cannot be used in conjunction with the in-line caBundle field. (#​5387, @​Tolsto)
  • The feature to create certificate requests with the name being a function of certificate name and revision has been introduced under the feature flag "StableCertificateRequestName" and it is disabled by default. This helps to prevent the error "multiple CertificateRequests were found for the 'next' revision...". (#​5487, @​sathyanarays)
  • Helm: Added a new parameter commonLabels which gives you the capability to add the same label to all the resources deployed by the chart. (#​5208, @​thib-mary)
Bug or Regression
  • CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in experimental.cert-manager.io/private-key-secret-name doesn't exist. (#​5323, @​JoshVanL)
  • DNS Route53: Remove incorrect validation which rejects solvers that don't define either an accessKeyID or secretAccessKeyID. (#​5339, @​JoshVanL)
  • Enhanced securityContext for PSS/restricted compliance. (#​5259, @​joebowbeer) Breaking: this might require changes for OpenShift deployments. Read full release notes to learn more.
  • Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests (#​5366, @​munnerz)
  • cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #​5020 (#​5022, @​maelvls)
Other

Thank You!

Thank you to the following community members who had a merged MR for this version - your contributions are at the heart of everything we do!

Thanks also to the following maintainers who worked on cert-manager 1.10:

v1.9.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.9.2 is a bug fix release which fixes an issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests, and a problem which prevented the Venafi Issuer from connecting to TPP servers where the vedauth API endpoints were configured to accept client certificates. It is also compiled with a newer version of Go 1.18 (v1.18.8) which fixes some vulnerabilities in the Go standard library.

Changes since v1.9.1

Bug or Regression
  • Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests. (#​5371, @​munnerz)
  • The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#​5577, @​wallrj)
  • Upgrade to latest go patch release. (#​5561, @​SgtCoDFish)

v1.9.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.9.1 is a bugfix release which removes an incorrect check in the Route53 DNS solver. This accidental change prevented the use of credentials derived from instance metadata or AWS pod metadata.

Thanks to @​danquack and @​ArchiFleKs for raising this issue, and @​danquack and @​JoshVanL for fixing it!

Changes since v1.9.0

Bug

  • DNS Route53: Remove incorrect validation which rejects solvers that don't define either an accessKeyID or secretAccessKeyID. (#​5341, @​JoshVanL @​danquack)

v1.9.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The new version adds alpha support for using cert-manager Certificates in scenarios where the ordering of the Relative Distinguished Names (RDN) sequence that constitutes an X.509 certificate's subject needs to be preserved; improves the ability to configure the Certificate created via ingress-shim using annotations on the Ingress resource; introduces various changes/improvements in contributor flow; and finishes the new make-based contributor workflow.

Major Themes

Literal Certificate Subjects

cert-manager's Certificate allows users to configure the subject fields of the X.509 certificate via the spec.subject and spec.commonName fields. The X.509 spec states that the subject is an (ordered) sequence of Relative Distinguished Names (RDN).

cert-manager does not strictly abide by this spec when encoding the subject fields from the Certificate spec. For example, the order of the RDN sequence may not be preserved. This is because cert-manager uses Go's libraries for X.509 certificates, and the Go libraries don't preserve ordering.

For the vast majority of users this does not matter, but there are specific cases that require defining the exact ordered RDN sequence, for example when the certificate is used for LDAP authentication and the RDN sequence represents a location in the LDAP directory tree. See cert-manager#3203.

For these use cases, a new alpha LiteralSubject field has been added to the Certificate spec where users can pass a literal RDN sequence:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test
spec:
  secretName: test
  literalSubject: "C=US,O=myOrg,CN=someName"

To use this field, the alpha feature gate LiteralCertificateSubject needs to be enabled on both the cert-manager controller and webhook. Bear in mind that spec.literalSubject is mutually exclusive with spec.commonName and spec.subject.

This feature is aimed at the specific scenario where an exact RDN sequence needs to be defined. We do not intend to deprecate the existing spec.subject and spec.commonName fields and we recommend that folks keep using those fields in all other cases; they're simpler, have better validation and are more obvious to read and change.
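To make the ordering point concrete, the following Go program is an added example (not cert-manager's own code) that contrasts the two ways of building a subject discussed above. parseLiteralSubject, attrOIDs and the other names are assumptions for this example; it parses a literal RDN string into a pkix.RDNSequence whose order is exactly what the user wrote, DER-encodes it the way a CSR's RawSubject would be, and shows that the order survives. structuredOrder builds the same three attributes through pkix.Name and shows that Go emits them in the library's fixed order (C, O, CN) regardless of how the caller thinks of them:

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)

// attrOIDs maps RFC 4514 attribute short names to their OIDs. This table is an
// assumption for the example; it covers the types mentioned on this page
// (C, O, CN, DC, UID) plus a few common LDAP ones.
var attrOIDs = map[string]asn1.ObjectIdentifier{
	"CN":  {2, 5, 4, 3},
	"C":   {2, 5, 4, 6},
	"L":   {2, 5, 4, 7},
	"ST":  {2, 5, 4, 8},
	"O":   {2, 5, 4, 10},
	"OU":  {2, 5, 4, 11},
	"DC":  {0, 9, 2342, 19200300, 100, 1, 25},
	"UID": {0, 9, 2342, 19200300, 100, 1, 1},
}

// parseLiteralSubject converts a literal subject such as
// "CN=someName,O=myOrg,C=US" into an RDNSequence whose element order is
// exactly the order the user wrote. Escaped commas and multi-valued RDNs
// (joined with '+') are out of scope for this example and are rejected
// or split naively.
func parseLiteralSubject(literal string) (pkix.RDNSequence, error) {
	var seq pkix.RDNSequence
	for _, part := range strings.Split(literal, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("malformed RDN %q", part)
		}
		oid, ok := attrOIDs[strings.ToUpper(kv[0])]
		if !ok {
			return nil, fmt.Errorf("unsupported attribute type %q", kv[0])
		}
		// Each RDN here is a SET containing exactly one attribute.
		seq = append(seq, pkix.RelativeDistinguishedNameSET{
			{Type: oid, Value: kv[1]},
		})
	}
	return seq, nil
}

// attrOrder lists the attribute type short names in the order they appear
// in seq, i.e. the order the DER encoding will carry. Unknown OIDs fall back
// to their dotted form.
func attrOrder(seq pkix.RDNSequence) []string {
	var order []string
	for _, rdn := range seq {
		for _, atv := range rdn {
			name := atv.Type.String()
			for short, oid := range attrOIDs {
				if oid.Equal(atv.Type) {
					name = short
					break
				}
			}
			order = append(order, name)
		}
	}
	return order
}

// structuredOrder builds the same three attributes via pkix.Name, the way
// spec.subject / spec.commonName end up in Go. The library decides the
// order (Country before Organization before CommonName), not the caller.
func structuredOrder() []string {
	name := pkix.Name{
		CommonName:   "someName",
		Organization: []string{"myOrg"},
		Country:      []string{"US"},
	}
	return attrOrder(name.ToRDNSequence())
}

// roundTripOrder DER-encodes the parsed literal subject (as a CSR's
// RawSubject would be) and decodes it again, returning the attribute order
// that survived encoding.
func roundTripOrder(literal string) ([]string, error) {
	seq, err := parseLiteralSubject(literal)
	if err != nil {
		return nil, err
	}
	der, err := asn1.Marshal(seq)
	if err != nil {
		return nil, err
	}
	var decoded pkix.RDNSequence
	if _, err := asn1.Unmarshal(der, &decoded); err != nil {
		return nil, err
	}
	return attrOrder(decoded), nil
}

func main() {
	literal := "CN=someName,O=myOrg,C=US" // constructed input, reversed on purpose
	got, err := roundTripOrder(literal)
	if err != nil {
		panic(err)
	}
	fmt.Println("literal subject order:", got)
	fmt.Println("pkix.Name order      :", structuredOrder())
}
```

The input is deliberately written CN-first so the two paths differ: the literal path keeps CN, O, C while pkix.Name yields C, O, CN. A verifier or LDAP directory that compares the encoded subject byte-for-byte against a DN only matches the first form, which is the situation the LiteralSubject feature exists for.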

ingress-shim Certificate Configuration

cert-manager 1.9 adds the ability to configure an ingress-shim Certificate's spec.revisionHistoryLimit and spec.privateKey via annotations on the Ingress resource.

This should allow folks to configure ingress-shim Certificates according to best practices (i.e. by setting the Certificate's spec.privateKey.rotationPolicy to Always).

In the future we would like to design a better mechanism to configure these Certificates. We advise caution when using Ingress annotations as there is no validation of the annotations at Ingress creation time.

Contribution Workflow

Over the past couple of months there have been a number of discussions in regards to contributor experience and project health, partially triggered by the awesome community discussions in cert-manager's KubeCon booth and also by the work done to move cert-manager to CNCF's incubating stage.

For example, we've clarified our feature policy and discussed the process of building cert-manager's roadmap. If you're interested in these topics, we're happy to chat about them!

make Workflow

cert-manager 1.8 introduced a new make-based workflow alongside the existing Bazel workflow. The work to improve the make workflow was continued in 1.9 and our contributor documentation has been rewritten to use make commands. This should make building and testing cert-manager easier, with faster build and test times, easier debugging and less complexity.

As part of this, Bazel has now been fully deprecated for building and testing cert-manager.

As usual, we welcome any feedback in regards to further improving contributor experience.

Thank You!

Thank you to the following community members who had a merged MR for this version - your contributions are at the heart of everything we do!

Thanks also to the following maintainers who worked on cert-manager 1.9:

Changes since v1.8.0

Feature
  • Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#​5194, @​Compy)
  • Adds make clean-all for starting a fresh development environment and make which-go for getting go version information when developing cert-manager (#​5118, @​SgtCoDFish)
  • Adds make upload-release target for publishing cert-manager releases to GCS, making the cert-manager release process simpler and easier to change (#​5205, @​SgtCoDFish)
  • Adds a new alpha Prometheus summary vector metric certmanager_http_venafi_client_request_duration_seconds which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"} will show the average latency of calls to the Venafi certificate request endpoint (#​5053, @​irbekrm)
  • Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#​5142, @​AcidLeroy)
  • Adds new LICENSES format and ability to verify and update licenses through make (#​5243, @​SgtCoDFish)
  • Adds private key Ingress annotations to set private key properties for Certificate (#​5239, @​oGi4i)
  • Adds the cert-manager.io/revision-history-limit annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#​5221, @​oGi4i)
  • Adds the literalSubject field for Certificate resources. This is an alpha feature, enabled by passing the flag --feature-gates=LiteralCertificateSubject=true to the cert-manager controller and webhook. literalSubject allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#​5002, @​spockz)
  • Change default build dir from bin to _bin, which plays better with certain tools which might treat bin as just another source directory (#​5130, @​SgtCoDFish)
  • Helm: Adds a new namespace parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#​5141, @​andrewgkew)
  • Helm: Allow users to not auto-mount service account tokens (see also k/k#57601) (#​5016, @​sveba)
  • Use multiple retries when provisioning tools using curl, to reduce flakes in tests and development environments (#​5272, @​SgtCoDFish)
Bug or Regression
  • CertificateRequests controllers must wait for the core secrets informer to be synced (#​5224, @​rodrigorfk)
  • Ensure that make release-artifacts only builds unsigned artifacts as intended (#​5181, @​SgtCoDFish)
  • Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#​5136, @​craigminihan)
  • Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#​5212, @​jahrlin)
  • Fixed release artifact archives generated by Make so that a leading ./ is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#​5050, @​jahrlin)
  • Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#​5226, @​SgtCoDFish)
  • Increases the Venafi Issuer timeout for retrieving a certificate to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#​5247, @​hawksight)
  • Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @​davidsbond for finding the issue! (#​5032, @​SgtCoDFish)
  • cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #​5020 (#​5286, @​jetstack-bot)
Other (Cleanup or Flake)

v1.8.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.8.2 is in effect a bug fix release which increases some hard-coded timeouts which were preventing the use of certain ACME issuers which sometimes had slower response times. This is known to include ZeroSSL and Sectigo.

These issues were reported by many different users, and we'd like to thank the following for their help, suggestions and feedback on this topic:

Thanks also to the cert-manager maintainers who were involved in reviewing this fix and helping to move things forwards:

Changes since v1.8.1

Bug
  • Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#​5231, @​JoooostB @​SgtCoDFish)
Other (Cleanup)

v1.8.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

1.8.1 is a patch release rebuilding cert-manager 1.8 using the latest version of Go.

Changelog since cert-manager 1.7.1

  • Reverts a check for Prometheus APIs before creating cert-manager ServiceMonitors which broke users' GitOps flows (cert-manager#5204)

  • Bumps the version of Go used to build the cert-manager binaries to 1.17.11 which fixes a few CVEs (we don't think that those were likely to be exploited in cert-manager) (cert-manager#5203, @​irbekrm)

v1.8.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

Version 1.8 also marks our first release in which the Go import path for cert-manager is that of the repo's new home:

github.com/cert-manager/cert-manager

Breaking Changes (You MUST read this before you upgrade!)
Validation of the rotationPolicy field

The field spec.privateKey.rotationPolicy on Certificate resources is now validated. Valid options are Never and Always. If you are using a GitOps flow and one of your YAML manifests contains a Certificate with an invalid value, you will need to update it with a valid value to prevent your GitOps tool from failing on the new validation. Please follow the instructions listed on the page Upgrading from v1.7 to v1.8. (#​4913, @​jahrlin)

What happens if I upgrade to 1.8.0 without doing the above steps?

After upgrading to 1.8.0, when updating existing Certificate objects that have an incorrect value for rotationPolicy, Kubernetes clients such as kubectl, Helm, or ArgoCD will start showing the following message:

Certificate.cert-manager.io "my-cert" is invalid: spec.privateKey.rotationPolicy: Unsupported value: "Foo": supported values: "Never", "Always".
Why was this change necessary?

Previously, when the value of the rotationPolicy field was set to an incorrect value, you would not know since no event or condition would be visible on the Certificate itself. The only way to know that something was wrong was to dig into the cert-manager-controller logs and see the message "Certificate with unknown certificate.spec.privateKey.rotationPolicy value":

I0329 12:43:13.325771       1 keymanager_controller.go:176] cert-manager/certificates-key-manager "msg"="Certificate with unknown certificate.spec.privateKey.rotationPolicy value" "key"="default/my-cert" "rotation_policy"="Foo"

This change was implemented in #​4913.

Changed Container Layouts

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long unusual path. For the v1.7.0 cert-manager-webhook container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears. This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo.

.exe Extension on Windows

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries have a .exe extension since this is standard practice on Windows. This could affect you if you're calling the binary in a PowerShell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less common on Windows.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, github.com/jetstack/cert-manager.

v1.8.0 marks the first release in which the import path changes to the new location, github.com/cert-manager/cert-manager.

We have a guide for Importing cert-manager in Go on cert-manager.io with all the details, including details on why we don't recommend importing cert-manager as a module if that's avoidable.

Major Themes
Server-Side Apply

cert-manager v1.8.0 adds initial support for Kubernetes Server-Side Apply, which became stable in Kubernetes 1.22. This support is behind a feature gate for now, and is only supported by cert-manager on Kubernetes 1.22 and later.

Server-Side Apply helps to ensure that changes to resources are made in a managed way, and aims to prevent certain classes of bugs. Notably, it should eliminate conflicts when multiple controllers try to apply status changes to a single resource. You'll likely have seen messages relating to this kind of conflict in logs before, e.g.:

I0119 12:34:56.000000       1 controller.go:161] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item due to optimistic locking on resource" "key"="my-namespace/my-cr" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"my-cr\": the object has been modified; please apply your changes to the latest version and try again"

These conflicts aren't usually actually a problem which will block the issuance of a certificate, but they can delay things as they cause extra reconcile loops. Server-side apply cleans things up, which should mean less noise in logs and fewer pointless reconcile loops.

If you want to test it out, you can enable alpha-level cert-manager Server-Side Apply support through the --feature-gates controller flag.

From Bazel to Make

A common theme when someone tries to make a change to cert-manager for the first time is that they ask for help with navigating Bazel, which cert-manager used as its build tool. Helping people with Bazel isn't easy; it's an incredibly powerful tool, but that power also brings a lot of complications which can seriously get in the way of being able to make even simple changes to the code base. Even developers who are familiar with contributing to open source projects in Go can find it daunting to make changes thanks to Bazel.

The problem isn't limited to open-source contributors; many of cert-manager's maintainers also struggle with configuring and changing Bazel, too.

cert-manager 1.8 is the first release which is built and tested using a newly written make-based build system. We believe that this new build system should make it much simpler to understand and change the commands which are being run behind the scenes to build and test cert-manager. In time, we'll fully document the new build system, ensure it's at full feature-parity with Bazel and then remove all references to Bazel across the codebase.

A neat side effect of this change is that our build times have significantly improved. Bazel took around 14 minutes to build every cert-manager artifact for every platform during a release, while the new make build system can do the same (and more) in under 5 minutes.

Exponential backoff after a failed issuance

cert-manager v1.8.0 introduces exponential backoff after failed certificate issuance.

Previously, a failed issuance was retried every hour which — especially in larger cert-manager installations — could cause rate limits to be hit as well as overwhelm external services. Failed attempts are now retried with a binary exponential backoff starting with 1h then 2h, 4h up to a maximum of 32h. As part of the new backoff behavior, a new failedIssuanceAttempts field was added to the Certificate spec to track the number of currently failed issuances.

The cmctl renew command can still be used to force Certificate renewal immediately.

We're also considering reducing the initial backoff from 1 hour. If you have a use case where this would be useful please do comment on our tracking issue.
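As an added illustration of the schedule described above (and of the failedIssuanceAttempts entry in the changelog below), not cert-manager's own code: a small Go model of the backoff that also counts how many issuance attempts a permanently failing Certificate makes in one week under the old hourly retry versus the new schedule. The function names are my own.

```go
package main

import (
	"fmt"
	"time"
)

// Schedule described in the 1.8 notes: the first retry waits 1h, each further
// consecutive failure doubles the wait, and the wait is capped at 32h.
const (
	initialBackoff = 1 * time.Hour
	maxBackoff     = 32 * time.Hour
)

// issuanceBackoff returns the wait before the next attempt after the given
// number of consecutive failures (the failedIssuanceAttempts counter).
func issuanceBackoff(failedAttempts int) time.Duration {
	if failedAttempts <= 0 {
		return 0 // nothing has failed yet: issue immediately
	}
	d := initialBackoff
	// Double once per additional failure, stopping at the cap so that a very
	// large counter can never overflow the Duration.
	for i := 1; i < failedAttempts && d < maxBackoff; i++ {
		d *= 2
	}
	if d > maxBackoff {
		d = maxBackoff
	}
	return d
}

// nextRetryTime is the earliest time a failed Certificate is retried.
func nextRetryTime(lastFailure time.Time, failedAttempts int) time.Time {
	return lastFailure.Add(issuanceBackoff(failedAttempts))
}

// shouldRetryNow mirrors the reconciler's decision: a failed Certificate is
// only retried once its backoff has elapsed.
func shouldRetryNow(now, lastFailure time.Time, failedAttempts int) bool {
	return !now.Before(nextRetryTime(lastFailure, failedAttempts))
}

// attemptsWithin counts the issuance attempts a permanently failing
// Certificate makes inside the window, i.e. the requests that count against
// an external CA's rate limits. fixedHourly models the pre-1.8 behaviour.
func attemptsWithin(window time.Duration, fixedHourly bool) int {
	attempts := 0
	var elapsed time.Duration // time of the next attempt; the first is at t=0
	for elapsed < window {
		attempts++
		wait := initialBackoff
		if !fixedHourly {
			wait = issuanceBackoff(attempts)
		}
		elapsed += wait
	}
	return attempts
}

func main() {
	for n := 0; n <= 7; n++ {
		fmt.Printf("failedIssuanceAttempts=%d -> wait %v\n", n, issuanceBackoff(n))
	}
	week := 7 * 24 * time.Hour
	fmt.Printf("attempts per week, fixed hourly retry: %d\n", attemptsWithin(week, true))
	fmt.Printf("attempts per week, exponential backoff: %d\n", attemptsWithin(week, false))
}
```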

Community

cert-manager thrives thanks to the community and we're always grateful for receiving open-source contributions!

Thanks to the following community members who landed a commit in this release:

Thanks also to the cert-manager maintainer team involved with this release

Changelog since v1.7.0

Feature
  • ACTION REQUIRED: The field spec.privateKey.rotationPolicy on Certificate resources is now validated. Valid options are Never and Always. If you are using a GitOps flow and one of your YAML manifests contains a Certificate with an invalid value, you will need to update it with a valid value to prevent your GitOps tool from failing on the new validation. (#​4913, @​jahrlin)
  • Build: add make targets for running unit and integration tests, as part of the Bazel replacement. (#​4865, @​SgtCoDFish)
  • Build: add make targets for running the end-to-end tests, as part of the Bazel replacement. (#​4914, @​maelvls)
  • cert-manager now supports the field spec.expirationSeconds on Kubernetes CertificateSigningRequest resources. Using this field requires Kubernetes 1.22. You can still use the annotation experimental.cert-manager.io/request-duration to request a duration. (#​4957, @​enj)
  • cert-manager now properly updates the content of the data keys tls-combined.pem and key.der on Secret resources that are associated to Certificate resources that use the field additionalOutputFormats. The field additionalOutputFormat is an alpha feature and can be enabled by passing the flag --feature-gates=AdditionalCertificateOutputFormats=true to the cert-manager controller. (#​4813, @​JoshVanL)
  • ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#​4937, @​illrill)
  • ACTION REQUIRED: Server-Side Apply: the feature gate ServerSideApply=true now configures the ingress-shim and gateway-shim controllers to use Kubernetes Server-Side Apply on Certificate resources. When upgrading to cert-manager 1.8 with ServerSideApply=true, do make sure there are no Challenge resources currently in the cluster. If there are some, you will need to manually delete them once they are in 'valid' state as cert-manager post-1.8 with the Server-Side Apply feature is not able to clean up Challenge resources created pre-1.8. (#​4811, @​JoshVanL)
  • Server-Side Apply: the feature gate ServerSideApply=true configures the certificaterequests-* controllers to use Kubernetes Server-Side Apply on CertificateRequest resources. (#​4792, @​JoshVanL)
  • Server-Side Apply: the feature gate ServerSideApply=true configures the certificates-* controllers to use Kubernetes Server-Side Apply on Certificate resources. (#​4777, @​JoshVanL)
  • Server-Side Apply: the feature gate ServerSideApply=true configures the CertificateSigningRequest controllers to use Kubernetes Server-Side Apply on CertificateSigningRequest resources. (#​4798, @​JoshVanL)
  • Server-Side Apply: the feature gate ServerSideApply=true configures the issuers and clusterissuers controllers to use Kubernetes Server-Side Apply on Issuer and ClusterIssuer resources. (#​4794, @​JoshVanL)
  • Server-Side Apply: the feature gate ServerSideApply=true configures the orders controller to use Kubernetes Server-Side Apply on Order resources. (#​4799, @​JoshVanL)
  • The annotation experimental.cert-manager.io/request-duration now has a minimum value of 600 seconds. This change ensures compatibility with the Kubernetes resource CertificateSigningRequest, which requires a minimum of 600 seconds on the field spec.expirationSeconds. (#​4973, @​irbekrm)
  • The annotation ingress.kubernetes.io/whitelist-source-range used by the Ingress shim when creating Ingress resources can now be overridden by setting the field ingressTemplate on the Issuer and ClusterIssuer. (#​4789, @​tasharnvb)
  • The experimental Gateway API support now uses the v1alpha2 CRDs. (#​4791, @​jakexks)
  • The user-agent used by cert-manager in its Kubernetes API clients and ACME clients now takes the form cert-manager-<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Another change is the addition of specific field managers strings; previously, all the controllers had the same field manager cert-manager. Now, each controller has its own field manager string of the form cert-manager-<controller name>. (#​4773, @​JoshVanL)
  • You can now uninstall cert-manager using the command cmctl experimental uninstall. (#​4897, @​jahrlin)
  • You can now use an external issuer resource as the default issuer when using the Ingress shim feature. The default issuer can be set using the flags --default-issuer-group, --default-issuer-kind, and --default-issuer-name. (#​4833, @​jakexks)
Design
  • ACTION REQUIRED: The import path for cert-manager has been updated to github.com/cert-manager/cert-manager. If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#​4587, @​SgtCoDFish)
Bug or Regression
  • ACTION REQUIRED: The field additionalOutputFormats, which is available as an alpha feature on Certificate resources, is now correctly validated. Previously, it would only get validated when the privateKey field was set on the Certificate. If you are using the additionalOutputFormats field, you will want to add the feature gate AdditionalCertificateOutputFormats to both the webhook and the controller. Previously, you only needed to set AdditionalCertificateOutputFormats on the controller. If the feature gate is missing on either the controller or the webhook, you won't be able to use the additionalOutputFormat field. (#​4814, @​JoshVanL)
  • The Go version used to build the cert-manager binaries has been bumped to 1.17.8 to fix a slew of CVEs (none of which were likely to be exploited). (#​4970, @​vhosakot)
  • Helm: the default nodeSelector is now kubernetes.io/os: linux. If this label isn't present on any nodes in the cluster, the nodeSelector will need to be overwritten, or that label added to some nodes. (#​3605, @​mikebryant)
  • Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#​4793, @​fvlaicu)
Other (Cleanup or Flake)
  • Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run the cmctl renew command in their namespaces. (#​4955, @​andreadecorte)
  • Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favor of always force applying. (#​4815, @​JoshVanL)
  • Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is now set by cert-manager on the Certificate status. This field keeps track of consecutive failed issuances. The backoff period gets reset after a successful issuance. Like before, updating a field on a failed Certificate (such as spec.dnsNames) or running the command cmctl renew continues to trigger a re-issuance. (#​4772, @​irbekrm)
  • When starting up, cert-manager now solely relies on Lease objects to perform the leader election. Previously, cert-manager supported both ConfigMap and Lease objects for leader election. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#​4935, @​davidsbond)
  • Helm: you can now set custom labels on the ServiceAccount resources using the values serviceAccount.labels, cainjector.serviceAccount.labels, webhook.serviceAccount.labels, and startupapicheck.serviceAccount.labels. (#​4932, @​4molybdenum2)
Uncategorized
  • Introducing a new metric controller_sync_error_count counting the number of errors during sync() of a controller. (#​4987, @​jayme-github)
  • When creating an acmesolver pod, cert-manager now sets allowPrivilegeEscalation to false by default. The Helm chart now also sets securityContext.allowPrivilegeEscalation to false by default for the controller, cainjector, and webhook pods as well as for the startupapicheck job. (#​4953, @​ajvn)

v1.7.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.7.3 is in effect a bug fix release which increases some hard-coded timeouts which were preventing the use of certain ACME issuers which sometimes had slower response times. This is known to include ZeroSSL and Sectigo.

These issues were reported by many users. We'd like to thank the following for their help and feedback on this topic:

Thanks also to the cert-manager maintainers who were involved in reviewing this fix and helping to move things forwards:

Changes since v1.7.2

Bug
  • Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#​5232, @​JoooostB @​SgtCoDFish)
Other (Cleanup)

v1.7.2

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

1.7.2 is a minor release rebuilding cert-manager 1.7 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.

We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.

Changelog since cert-manager 1.7.1

Bug or Regression

v1.7.1

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.7.1 fixes a bug which was discovered in 1.7.0 relating to the new additionalOutputFormat feature.

Changelog since v1.7.0

Bug or Regression
  • Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#​4816, @​JoshVanL)

v1.7.0

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.7 brings new private key output formats, configuration improvements for the webhook, some long-awaited code cleanup, a fix for ingress class semantics and a bunch of other changes.

Breaking Changes (You MUST read this before you upgrade!)

Removal of Deprecated APIs

Following their deprecation in version 1.4, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 have been removed. You must ensure that all cert-manager custom resources are stored in etcd at version v1 and that all cert-manager CustomResourceDefinitions have only v1 as the stored version before upgrading.

Since release 1.7, cmctl can automatically migrate any deprecated API resources. Please download cmctl-v1.7.0 and read Migrating Deprecated API Resources for full instructions.

Ingress Class Semantics

In 1.7, we have reverted a change that caused a regression in the ACME Issuer. Before 1.5.4, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.

After 1.5.4, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!

This broke many users: those whose Ingress controller does not support the field (such as ingress-gce and Azure AGIC), as well as those who previously did not need to create an IngressClass (such as with Istio and Traefik).

The regression is present in cert-manager 1.5.4, 1.6.0, 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.

In 1.7, we have restored the original behavior which is to use the annotation. We will also backport this fix to 1.5.5 and 1.6.2, allowing people to upgrade safely.

Most people won't have any trouble upgrading from a version that contains the regression to 1.7.0, 1.6.2 or 1.5.5. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.

If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.

Upgrading with Server Side Apply

As part of the work to remove deprecated APIs cert-manager CustomResourceDefinitions no longer require a conversion webhook. The related change in cert-manager CustomResourceDefinition specs results in invalid CustomResourceDefinition configurations for users who are upgrading to cert-manager 1.7 using kubectl apply --server-side=true -f <manifests>. This can be solved either by performing the upgrade with client side apply or by manually patching the managed fields of cert-manager CustomResourceDefinitions:

# cert-manager CRDs whose managedFields carry a stale cainjector entry
crds=("certificaterequests.cert-manager.io" "certificates.cert-manager.io" "challenges.acme.cert-manager.io" "clusterissuers.cert-manager.io" "issuers.cert-manager.io" "orders.acme.cert-manager.io")

for crd in "${crds[@]}"; do
  # index of the managedFields entry owned by "cainjector" ("null" if absent)
  manager_index="$(kubectl get crd "${crd}" --show-managed-fields --output json | jq -r '.metadata.managedFields | map(.manager == "cainjector") | index(true)')"
  [ "${manager_index}" = "null" ] && continue # nothing to remove on this CRD
  # drop that entry so a server-side apply no longer conflicts with it
  kubectl patch crd "${crd}" --type=json -p="[{\"op\": \"remove\", \"path\": \"/metadata/managedFields/${manager_index}\"}]"
done

(Thanks to @​stevehipwell for the above patch commands!)

See the original GitHub issue cert-manager#4831

Major Themes

Removal of Deprecated APIs

In 1.7 the cert-manager API versions v1alpha2, v1alpha3, and v1beta1, that were deprecated in 1.4, have been removed from the custom resource definitions (CRDs). As a result, you will notice that the YAML manifest files are much smaller.

In this release we have added a new sub-command to the cert-manager CLI (cmctl upgrade migrate-api-version), which you SHOULD run BEFORE upgrading cert-manager to 1.7. Please read Removing Deprecated API Resources for full instructions.

Additional Certificate Output Formats

additionalOutputFormats is a field on the Certificate spec that allows specifying additional supplementary formats of issued certificates and their private key. There are currently two supported additional output formats: CombinedPEM (the PEM-encoded private key followed by the certificate chain) and DER (the DER-encoded private key only). Any combination of output formats can be requested for the same certificate. Read Additional Certificate Output Formats for more details and thanks to @​seuf for getting this across the line!
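An added example, not the project's own code, showing what the two formats contain when derived from a Secret's tls.key and tls.crt data as described above: CombinedPEM is the PEM key followed by the chain, DER is the raw bytes of the private key block. The sample key pair is generated inline and the function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// combinedPEM builds the CombinedPEM output: the PEM private key followed by
// the PEM certificate chain, both taken verbatim from the Secret's data.
func combinedPEM(keyPEM, chainPEM []byte) ([]byte, error) {
	if b, _ := pem.Decode(keyPEM); b == nil || !strings.HasSuffix(b.Type, "PRIVATE KEY") {
		return nil, errors.New("tls.key does not start with a PEM private key block")
	}
	if b, _ := pem.Decode(chainPEM); b == nil || b.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt does not start with a PEM CERTIFICATE block")
	}
	out := make([]byte, 0, len(keyPEM)+len(chainPEM)+1)
	out = append(out, keyPEM...)
	if out[len(out)-1] != '\n' { // keep the key and the chain on separate lines
		out = append(out, '\n')
	}
	return append(out, chainPEM...), nil
}

// derKey builds the DER output: the DER bytes of the private key only, i.e.
// the payload of the PEM key block, with no certificate material at all.
func derKey(keyPEM []byte) ([]byte, error) {
	b, _ := pem.Decode(keyPEM)
	if b == nil || !strings.HasSuffix(b.Type, "PRIVATE KEY") {
		return nil, errors.New("tls.key does not contain a PEM private key block")
	}
	return b.Bytes, nil
}

// countPEMBlocks returns how many PEM blocks a bundle holds, which lets a
// consumer check that tls-combined.pem carries the key plus every chain cert.
func countPEMBlocks(bundle []byte) int {
	n := 0
	for {
		var b *pem.Block
		if b, bundle = pem.Decode(bundle); b == nil {
			return n
		}
		n++
	}
}

// sampleSecretData constructs a throwaway self-signed P-256 key pair standing
// in for the tls.key / tls.crt keys (constructed test material, not real data).
func sampleSecretData() (map[string][]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	keyBytes, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	certBytes, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return map[string][]byte{
		"tls.key": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyBytes}),
		"tls.crt": pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes}),
	}, nil
}

func main() {
	data, _ := sampleSecretData()
	combined, _ := combinedPEM(data["tls.key"], data["tls.crt"])
	der, _ := derKey(data["tls.key"])
	fmt.Printf("tls-combined.pem: %d PEM blocks; key.der: %d bytes\n", countPEMBlocks(combined), len(der))
}
```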

Server-Side Apply

This is the first version of cert-manager which relies on Server-Side Apply. We use it to properly manage the annotations and labels on TLS secrets. For this reason cert-manager 1.7 requires at least Kubernetes 1.18 (see Supported Releases for further compatibility details).

Configuration Files

In this release we introduce a new configuration file for the cert-manager-webhook. Instead of configuring the webhook using command line flags, you can now modify the webhook Deployment to mount a ConfigMap containing a configuration file. Read the WebhookConfiguration Schema for more information.

In future releases we will introduce configuration files for the other cert-manager components: the controller and the cainjector.

Developing cert-manager Without Bazel

In a future release, we'll remove the use of bazel for building and testing cert-manager, with the aim of making it as easy as possible for anyone to contribute and to get involved with the cert-manager project.

The work is ongoing, but for now we've ensured that cert-manager 1.7 can be built with go build, and that all unit tests can be run with go test ./cmd/... ./internal/... ./pkg/....

Community

Thanks again to all open-source contributors with commits in this release, including:

Thanks as usual to @​coderanger for helping people out on the #cert-manager Slack channel; it's a huge help and much appreciated.

In addition, the following cert-manager maintainers were involved in this release:

Changelog since v1.6.0

Feature
  • Add --acme-http01-solver-nameservers flag to enable custom nameservers usage for ACME HTTP-01 challenges propagation checks. (#​4287, @​Adphi)
  • Add cmctl upgrade migrate-api-version to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#​4711, @​munnerz)
  • Add goimports verification step for CI (#​4710, @​SgtCoDFish)
  • Add support for loading webhook flags/options from a WebhookConfiguration file on disk (#​4546, @​munnerz)
  • Added additionalOutputFormats parameter to allow DER (binary) and CombinedPEM (key + cert bundle) formats. (#​4598, @​seuf)
  • Added a makefile based build workflow which doesn't depend on bazel (#​4554, @​SgtCoDFish)
  • Added a new Helm chart parameter prometheus.servicemonitor.honorLabels, which sets the honor_labels field of the Prometheus scrape config. (#​4608, @​thirdeyenick)
  • Breaking change: pprof can now be enabled for the webhook, controller and cainjector, and when enabled it listens on localhost:6060 by default. All three components have --enable-profiling and --profiler-address CLI flags to configure profiling. Thanks to @​bitscuit for help with this! (#​4550, @​irbekrm)
  • Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles Certificate SecretTemplate's against corresponding Secrets, garbage collecting and correcting key/value changes. (#​4638, @​JoshVanL)
Bug or Regression
  • Ensures 1 hour backoff between errored calls for new ACME Orders. (#​4616, @​irbekrm)
  • Fix unexpected exit when multiple DNS providers are passed to RunWebhookServer (#​4702, @​devholic)
  • Fixed a bug in the way the Helm chart handles service annotations on the controller and webhook services. (#​4329, @​jwenz723)
  • Fixed a bug that can cause cmctl version to erroneously display the wrong webhook pod versions when older failed pods are present. (#​4615, @​johnwchadwick)
  • Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @​MattiasGees for raising the issue and help with debugging! (#​4688, @​irbekrm)
  • Fixes an issue in cmctl that prevented displaying the Order resource with cert-manager 1.6 when running cmctl status certificate. (#​4569, @​maelvls)
  • Improve checksum validation in makefile based tool installation (#​4680, @​SgtCoDFish)
  • The HTTP-01 ACME solver now uses the kubernetes.io/ingress.class annotation instead of the spec.ingressClassName in created Ingress resources. (#​4762, @​jakexks)
  • The cmctl experimental install command now uses the cert-manager namespace. This fixes a bug which was introduced in release 1.6 that caused cert-manager to be installed in the default namespace. (#​4763, @​wallrj)
  • Update to latest version of keystore-go to address a backwards-incompatible change introduced in v1.6.0 (#​4563, @​SgtCoDFish)
Other (Cleanup or Flake)
  • Adds clock_time_seconds_gauge metric which returns the current clock time, based on seconds since 1970/01/01 UTC (#​4640, @​JoshVanL)
  • Adds an automated script for cert-manager developers to update versions of kind used for development and testing. (#​4574, @​SgtCoDFish)
  • Breaking change: removes the deprecated dns01-self-check-nameservers flag. Use --dns01-recursive-nameservers instead. (#​4551, @​irbekrm)
  • Bump kind image versions (#​4593, @​SgtCoDFish)
  • Clean up: Remove v1beta1 from the webhook's admissionReviewVersions as cert-manager no longer supports v1.16 (#​4639, @​JoshVanL)
  • Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#​4703, @​JoshVanL)
  • Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#​4697, @​irbekrm)
  • No longer log an error when a Certificate is deleted during normal operation. (#​4637, @​JoshVanL)
  • Removed deprecated API versions from the cert-manager CRDs (#​4635, @​wallrj)
  • Update distroless base images for cert-manager (#​4706, @​SgtCoDFish)
  • Upgrade Kubernetes dependencies to v0.23.1 (#​4675, @​munnerz)

v1.6.3

Compare Source

v1.6.3 Release Notes

1.6.3 is a minor release rebuilding cert-manager 1.6 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.

We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.

Changelog since cert-manager 1.6.2

Bug or Regression
  • Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#​4975, @​vhosakot)
  • Fixes an expired hardcoded certificate which broke unit tests (#​4977, @​SgtCoDFish @​jakexks)

v1.6.2

Compare Source

In 1.6.2, we have reverted a change present in 1.6.0 and 1.6.1 that caused a regression in the ACME Issuer. In 1.6.0 and 1.6.1, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.

After 1.5, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!

This broke many users: those whose Ingress controller does not support the field (such as ingress-gce and Azure AGIC), as well as those who previously did not need to create an IngressClass (such as with Istio and Traefik).

The regression is present in cert-manager 1.5.4, 1.6.0, and 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.

In 1.6.2, we have restored the original behavior which is to use the annotation. This patch is also available in 1.5.5 and in 1.7.0.

Most people won't have any trouble upgrading from 1.6.0 or 1.6.1 to 1.6.2. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.

If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.

Changelog since v1.6.1

Bug or Regression
  • The HTTP-01 ACME solver now uses the kubernetes.io/ingress.class annotation instead of the spec.ingressClassName in created Ingress resources. (#​4785, @​jetstack-bot)
Other (Cleanup or Flake)
  • cert-manager now does one call to the ACME API instead of two when an Order fails. This fix is part of the effort towards mitigating the high load that cert-manager deployments have on the Let's Encrypt API (#​4619, @​irbekrm)
  • Bump base images to latest versions (#​4707, @​SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


This MR has been generated by Renovate Bot.
