Automatically provision and manage TLS certificates in Kubernetes
APACHE-2.0 License
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
v1.15.1
route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7189, @cert-manager-bot)
grpc-go to fix GHSA-xr7q-jx4m-x55m (#7167, @SgtCoDFish)
@cert-manager-bot)
endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7191, @inteon)
HTTPRoute resources (#7186, @cert-manager-bot)
golang from 1.22.3 to 1.22.5 (#7165, @github-actions)
Published by jetstack-release-bot 3 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.15.0
SecretRef support for Venafi TPP issuer CA Bundle (#7036, @sankalp-at-gh)
@wallrj)
@wallrj)
@joshmue)
@mindw)
renewBeforePercentage alternative to renewBefore (#6987, @cbroglie)
config.apiVersion and config.kind within the Helm chart (#7126, @ThatsMrTalbot)
@inteon)
--controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly.
disableAutoApproval and approveSignerNames Helm chart options. (#7049, @inteon)
cainjector, by only caching the metadata of Secret resources.
cainjector starts up, by only listing the metadata of Secret resources. (#7161, @wallrj)
route53: explicitly set the aws-global STS region which is now required by the github.com/aws/aws-sdk-go-v2 library. (#7108, @inteon)
@inteon)
grpc-go to fix GHSA-xr7q-jx4m-x55m (#7164, @SgtCoDFish)
go-retryablehttp dependency to fix CVE-2024-6104 (#7125, @SgtCoDFish)
@eplightning)
endpointAdditionalProperties in the PodMonitor template of the Helm chart (#7190, @wallrj)
@miguelvr)
@inteon)
@inteon)
github.com/Azure/azure-sdk-for-go/sdk/azidentity to address CVE-2024-35255 (#7087, @dependabot[bot])
Published by jetstack-release-bot 3 months ago
)Published by jetstack-release-bot 4 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
See v1.15.0 for more information about cert-manager 1.15 and read-before-upgrade info.
Published by jetstack-release-bot 5 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.15 promotes several features to beta, including GatewayAPI support (ExperimentalGatewayAPISupport), the ability to provide a subject in the Certificate that will be used literally in the CertificateSigningRequest (LiteralCertificateSubject) and the outputting of additional certificate formats (AdditionalCertificateOutputFormats).
Note: The cmctl binary has been moved to https://github.com/cert-manager/cmctl/releases.
For the startupapicheck Job you should update references to point at quay.io/jetstack/cert-manager-startupapicheck
Note: From this release, the Helm chart will no longer uninstall the CRDs when the chart is uninstalled. If you want the CRDs to be removed on uninstall, use crds.keep=false when installing the Helm chart.
Thanks again to all open-source contributors with commits in this release, including: @Pionerd, @SgtCoDFish, @ThatsMrTalbot, @andrey-dubnik, @bwaldrep, @eplightning, @erikgb, @findnature, @gplessis, @import-shiburin, @inteon, @jkroepke, @lunarwhite, @mangeshhambarde, @pwhitehead-splunk & @rodrigorfk, @wallrj.
Thanks also to the following cert-manager maintainers for their contributions during this release: @SgtCoDFish, @SpectralHiss, @ThatsMrTalbot, @hawksight, @inteon, @maelvls & @wallrj.
Equally thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack and joined our meetings!
Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
--enable-gateway-api flag to enable the integration. (#6961, @ThatsMrTalbot)
cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200. (#6865, @wallrj)
LiteralCertificateSubject feature to Beta. (#7030, @inteon)
extraObjects; a list of yaml manifests which helm will install and uninstall with the cert-manager manifests. (#6424, @gplessis)
cert-manager.io/allow-direct-injection in annotations (#6801, @jkroepke)
preferredChain is configured. (#6755, @import-shiburin)
disableAutoApproval and approveSignerNames Helm chart options. (#7054, @inteon)
crds.keep and crds.enabled Helm options can now be used instead of the installCRDs option. (#6760, @inteon)
slices and k8s.io/apimachinery/pkg/util packages.
pkg/util/pki package. (#6730, @inteon)
cmctl and kubectl cert-manager have been moved to the https://github.com/cert-manager/cmctl repo and will be versioned separately starting with cmctl v2.0.0 (#6663, @inteon)
pkg/util/pki/ParseSubjectStringToRawDERBytes function. (#6994, @inteon)
--controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly. (#7054, @inteon)
GO-2024-2824. (#6996, @github-actions[bot])
Published by jetstack-release-bot 5 months ago
This is the second beta release of cert-manager 1.15, which will be released on 2024-06-05.
Note: The cmctl and kubectl_cert-manager binaries have been moved to https://github.com/cert-manager/cmctl/releases.
--controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly.
disableAutoApproval and approveSignerNames Helm chart options. (#7054, @cert-manager-bot)
Published by jetstack-release-bot 5 months ago
This is the first successful beta release of cert-manager 1.15, which will be released in April or May 2024.
Note: The cmctl and kubectl_cert-manager binaries have been moved to https://github.com/cert-manager/cmctl/releases.
LiteralCertificateSubject feature to Beta. (#7030, @inteon)
AdditionalCertificateOutputFormats feature gate to Beta (enabled by default). (#6970, @erikgb)
extraObjects; a list of yaml manifests which helm will install and uninstall with the cert-manager manifests. (#6424, @gplessis)
DisallowInsecureCSRUsageDefinition feature gate to GA. (#6927 and #6963, @yj-yoo and @inteon)
--enable-gateway-api flag to enable the integration. (#6961, @ThatsMrTalbot)
pkg/util/pki/ParseSubjectStringToRawDERBytes function. (#6994, @inteon)
GO-2024-2824. (#6996, @github-actions[bot])
Published by jetstack-release-bot 6 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.14.5 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @BobyMCbobs for reporting this issue and testing the fix!
It also patches CVE-2023-45288.
preferredChain is configured: see 1.14 release notes for more information.
Published by jetstack-release-bot 6 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.13.6 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @BobyMCbobs for reporting this issue and testing the fix!
It also patches CVE-2023-45288.
preferredChain is configured: see 1.14 release notes for more information.
Published by jetstack-release-bot 6 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
v1.12.10 fixes a bug in the DigitalOcean DNS-01 provider which could cause incorrect DNS records to be deleted when using a domain with a CNAME. Special thanks to @BobyMCbobs for reporting this issue and testing the fix!
It also patches CVE-2023-45288.
ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see release docs for more info and mitigations
If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate MANY CertificateRequests, possibly causing high CPU usage and/or high costs due to the large number of certificates issued (see https://github.com/cert-manager/cert-manager/pull/6406).
This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
Published by jetstack-release-bot 7 months ago
This is the first alpha release of cert-manager 1.15, which will be released in April or May 2024. The aim of this first alpha is to let people try out using serviceAccountRef with an external Vault. Read the page serviceAccountRef with external Vault to know more.
Note: The cmctl and kubectl_cert-manager binaries have been moved to https://github.com/cert-manager/cmctl/releases.
serviceAccountRef with external Vault to know more. (#6718, @andrey-dubnik)
cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200. (#6865, @wallrj)
preferredChain is configured. (#6755, @import-shiburin)
slices and k8s.io/apimachinery/pkg/util packages.
pkg/util/pki package. (#6730, @inteon)
cmctl and kubectl cert-manager have been moved to the https://github.com/cert-manager/cmctl repo and will be versioned separately starting with cmctl v2.0.0 (#6663, @inteon)
cert-manager.io/allow-direct-injection in annotations (#6801, @jkroepke)
Published by jetstack-release-bot 7 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
Release notes
Upgrade notes
Installation instructions
See Breaking changes in v1.14.0 release notes
cert-manager.io/allow-direct-injection in annotations (#6809, @jetstack-bot)
Published by jetstack-release-bot 7 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Release notes
Upgrade notes
Installation instructions
See Breaking changes in v1.13.0 release notes
cert-manager.io/allow-direct-injection in annotations (#6810, @jetstack-bot)
Published by jetstack-release-bot 7 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Release notes
Upgrade notes
Installation instructions
See Breaking changes in v1.12.0 release notes
cert-manager.io/allow-direct-injection in annotations (#6811, @jetstack-bot)
Published by jetstack-release-bot 8 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.
Release notes
Upgrade notes
Installation instructions
See Breaking changes in v1.14.0 release notes
Published by jetstack-release-bot 8 months ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Release notes
Upgrade notes
Installation instructions
See Breaking changes in v1.13.0 release notes
github.com/containerd/[email protected] (#6684, @wallrj)