Automatically provision and manage TLS certificates in Kubernetes
APACHE-2.0 License

Published by jetstack-release-bot over 1 year ago

- `cmctl check api --wait 0` exited without output; we now make sure we perform the API check at least once. (#6116, @jetstack-bot)

Published by jetstack-release-bot over 1 year ago
This release contains a couple of dependency bumps and changes to the ACME external webhook library.

The `cmctl` API check is broken in v1.12.1. We suggest that you do not upgrade `cmctl` to this version. The fix will be released in v1.12.2.

Published by jetstack-release-bot over 1 year ago
v1.11.3 mostly contains ACME library changes. The API Priority and Fairness feature is now disabled in the external webhook's extension apiserver.
Published by jetstack-release-bot over 1 year ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.12 brings support for JSON logging, a lower memory footprint, support for ephemeral service account tokens with Vault, improved dependency management and support for the `ingressClassName` field.

The full release notes are available at https://cert-manager.io/docs/release-notes/release-notes-1.12.

The `cmctl` API check is broken in v1.12.1. We suggest that you do not upgrade `cmctl` to this version. The fix will be released in v1.12.2.

Thanks again to all open-source contributors with commits in this release, including:

Thanks also to the following cert-manager maintainers for their contributions during this release:

Equally, thanks to everyone who provided feedback, helped users and raised issues on GitHub and Slack, joined our meetings and talked to us at KubeCon!

Special thanks to @erikgb for continuously great input and feedback and to @lucacome for always ensuring that our kube deps are up to date!

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.

- New `--concurrent-workers` flag that lets you control the number of concurrent workers for each of our controllers. (#5936, @inteon)
- Added the `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to the issuer spec to allow specifying image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme)
- The `--watch-certs` flag was renamed to `--enable-certificates-data-source`. (#5766, @irbekrm)
- `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` can now be set through Helm values. (#5614, @jkroepke)
- Added support for the `ingressClassName` field. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls)
- When using the `serviceAccountRef` field, cert-manager generates a short-lived token associated with the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls)
- Added a `/livez` endpoint and a default liveness probe, which fails if leader election has been lost and for some reason the process has not exited. The liveness probe is disabled by default. (#5962, @wallrj)
- (`--v=5` flag) (#5975, @tobotg)
- `values.yaml` are now working. (#5999, @SgtCoDFish)
- `cmctl x install`. (#5720, @irbekrm)
- The `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. (#5693, @SgtCoDFish)
- When using the `jks` and `pkcs12` fields on a Certificate resource with a CA issuer that doesn't set `ca.crt` in the Secret resource, cert-manager no longer loops trying to copy `ca.crt` into `truststore.jks` or `truststore.p12`. (#5972, @vinzent)
- When using the `literalSubject` field on a Certificate resource, the IPs, URIs, DNS names, and email address segments are now properly compared. (#5747, @inteon)
- Added a `make go-workspace` target for generating a go.work file for local development. (#5935, @SgtCoDFish)
- If the `certificates.cert-manager.io` CRD is not installed in the cluster, you now need to pass the `--watch-certificates=false` flag to cainjector, else it will not start. Users who do not need cainjector to watch `Certificate` resources in cluster can pass `--watch-certificates=false` to stop cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm)
- `automountServiceAccountToken` turned off. (#5754, @wallrj)
- Secret caching is now filtered, behind the `SecretsFilteredCaching` feature flag. The filtering mechanism might, in some cases, slightly slow down issuance or cause additional requests to kube-apiserver, because unlabelled Secret resources that the cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer Secret resources with the `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm)
- Bumped Kubernetes libraries to `v0.26.2`. (#5820, @lucacome)
- Bumped Kubernetes libraries to `v0.26.3`. (#5907, @lucacome)
- Bumped Kubernetes libraries to `v0.27.1`. (#5961, @lucacome)
- Validate that `certificate.spec.secretName` is a valid `Secret` name. (#5967, @avi-08)
- `certificate.spec.secretName` Secrets will now be labelled with the `controller.cert-manager.io/fao` label. (#5660, @irbekrm)
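The two v1.12 items above that call for operator action, labelling issuer Secrets for `SecretsFilteredCaching` and authenticating to Vault through `serviceAccountRef` instead of a stored token, shown together in one manifest. This is an added example, not code from the cert-manager release notes or from the project; every name, namespace, Vault address, mount path, role and PKI path in it is a placeholder, and the Role and RoleBinding are the TokenRequest permission the controller's own ServiceAccount needs in order to mint the short-lived token (the names used for them are assumptions).

```yaml
# Added example for the v1.12 notes above; not from the cert-manager project.
# All names, namespaces, the Vault address, mount path, role and PKI path are
# placeholders. The two parts are independent and can be applied separately.

# --- Part 1: SecretsFilteredCaching ---------------------------------------
# With the feature gate on, the controller only caches Secrets carrying the
# controller.cert-manager.io/fao label; an unlabelled issuer Secret is fetched
# from kube-apiserver on every reconcile instead. Labelling the Secret up front
# avoids that extra latency and API-server load.
apiVersion: v1
kind: Secret
metadata:
  name: internal-ca-key-pair
  namespace: cert-manager
  labels:
    # Label values are strings, so the value must be quoted in YAML.
    controller.cert-manager.io/fao: "true"
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTi...   # placeholder: base64 PEM of the CA certificate
  tls.key: LS0tLS1CRUdJTi...   # placeholder: base64 PEM of the CA private key
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-key-pair   # the labelled Secret above

# --- Part 2: Vault issuer with an ephemeral service account token -----------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-issuer
  namespace: sandbox
---
# cert-manager mints the short-lived token through the TokenRequest API, so its
# own ServiceAccount needs permission to create tokens for vault-issuer.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: vault-issuer-token
  namespace: sandbox
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    resourceNames: ["vault-issuer"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: vault-issuer-token
  namespace: sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: vault-issuer-token
subjects:
  - kind: ServiceAccount
    name: cert-manager        # the controller's ServiceAccount (assumed Helm default name)
    namespace: cert-manager
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: sandbox
spec:
  vault:
    server: https://vault.example.internal:8200   # placeholder
    path: pki_int/sign/example-dot-com            # placeholder Vault sign path
    auth:
      # The v1.12 webhook validates this block: set exactly one auth method
      # (tokenSecretRef, appRole or kubernetes), and under `kubernetes` use
      # either secretRef or serviceAccountRef, not both.
      kubernetes:
        role: vault-issuer                 # Vault Kubernetes-auth role bound to the SA
        mountPath: /v1/auth/kubernetes
        serviceAccountRef:
          name: vault-issuer               # token is requested for this SA; no long-lived token Secret
```

Apply with `kubectl apply -f` and check the Issuer's Ready condition with `kubectl describe issuer vault-issuer -n sandbox`; an invalid `auth` block is now rejected at admission time rather than surfacing later as a failed issuance. With `serviceAccountRef` there is no token Secret to rotate or to label, which is why only the CA issuer's Secret in Part 1 carries the `fao` label.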
Published by jetstack-release-bot over 1 year ago
- Bumps Docker libraries to fix vulnerability scan alerts for CVE-2023-28840, CVE-2023-28841 and CVE-2023-28842. (#6037, @irbekrm) cert-manager was not actually affected by these CVEs, which all concern the Docker daemon's overlay network.
- Bumps Kube libraries v0.26.0 -> v0.26.4. (#6038, @irbekrm) This might help with running cert-manager v1.11 on Kubernetes v1.27; see #6038.
Published by jetstack-release-bot over 1 year ago
⚠️ cert-manager v1.12.0-beta.0 is a pre-release beta version intended for testing. It might not be suitable for production uses.

- (`--v=5` flag) (#5975, @tobotg)
- `ServerSideApply=true` configures the ca-injector controller to use Kubernetes Server Side Apply on CA Injector injectable target resources. (#5991, @inteon)
- Bumped Kubernetes libraries to `v0.27.1`. (#5961, @lucacome)

Published by jetstack-release-bot over 1 year ago
⚠️ cert-manager v1.12.0-beta.0 is a pre-release beta version intended for testing. It might not be suitable for production uses.

- Added a `make go-workspace` target for generating a go.work file for local development. (#5935, @SgtCoDFish)
- `Secret`s. (#5966, @irbekrm)
- `Secret` resources. The filtering functionality is currently placed behind the `SecretsFilteredCaching` feature flag. `Secret`s that the cert-manager controller needs will now be retrieved from kube-apiserver instead of being cached locally. To prevent this from happening, users can label all issuer `Secret`s with the `controller.cert-manager.io/fao: true` label. (#5824, @irbekrm)
- Bumped Kubernetes libraries to `v0.26.3`. (#5907, @lucacome)
- Validate that `certificate.spec.secretName` is a valid `Secret` name. (#5967, @avi-08)

Published by jetstack-release-bot over 1 year ago
⚠️ cert-manager v1.12.0-alpha.2 is a pre-release alpha version intended for testing. It might not be suitable for production uses.

- The way `Challenge` names are calculated has changed. To avoid duplicate issuances due to `Challenge`s being recreated, ensure that there is no in-progress ACME certificate issuance when you upgrade to this version of cert-manager. (#5901, @irbekrm)

Published by jetstack-release-bot over 1 year ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

In v1.11.1, we updated the base images used for cert-manager containers. In addition, users of the Venafi issuer will see fewer certificates repeatedly failing.

If you are a user of Venafi TPP and have been having issues with the error message `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry`, please use this version.

- Fix for `cmctl x install`, to work around a hardcoded Kubernetes version in Helm. (#5726, @SgtCoDFish)

Published by jetstack-release-bot over 1 year ago
⚠️ cert-manager v1.12.0-alpha.1 is a pre-release alpha version intended for testing. It might not be suitable for production uses.

- Added the `acme.solvers.http01.ingress.podTemplate.spec.imagePullSecrets` field to the issuer spec to allow specifying image pull secrets for the ACME HTTP01 solver pod. (#5801, @malovme)
- Added support for the `ingressClassName` field. The credit goes to @dsonck92 for implementing the initial PR. (#5849, @maelvls)
- Bumped Kubernetes libraries to `v0.26.2`. (#5820, @lucacome)

Published by jetstack-release-bot over 1 year ago
⚠️ cert-manager v1.11.1-beta.0 is a pre-release patch version intended for testing and might not be suitable for production uses.

If you are a user of Venafi TPP and have been having issues with the error message `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry`, please try this version.

Changes since v1.11.0:

- Fix for `cmctl x install`, to work around a hardcoded Kubernetes version in Helm. (#5726, @SgtCoDFish)

Published by jetstack-release-bot over 1 year ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ cert-manager v1.12.0-alpha.0 is a pre-release alpha version intended for testing. It might not be suitable for production uses.

- When using the `serviceAccountRef` field, cert-manager generates a short-lived token associated with the service account to authenticate to Vault. Along with this new feature, we have added validation logic in the webhook to check the `vault.auth` field when creating an Issuer or ClusterIssuer. Previously, it was possible to create an Issuer or ClusterIssuer with an invalid value for `vault.auth`. (#5502, @maelvls)
- `--dns01-recursive-nameservers`, `--enable-certificate-owner-ref`, and `--dns01-recursive-nameservers-only` can now be set through Helm values. (#5614, @jkroepke)
- The `--acme-http01-solver-image` given to the variable `acmesolver.extraArgs` now has precedence over the variable `acmesolver.image`. (#5693, @SgtCoDFish)
- Fix for `cmctl x install`, to work around a hardcoded Kubernetes version in Helm. (#5720, @irbekrm)
- If the `certificates.cert-manager.io` CRD is not installed in the cluster, you now need to pass the `--watch-certificates=false` flag to cainjector, else it will not start. Users who do not need cainjector to watch `Certificate` resources in cluster can pass `--watch-certificates=false` to stop cainjector from caching `Certificate` resources and save some memory. (#5746, @irbekrm)
- `certificate.spec.secretName` Secrets will now be labelled with the `controller.cert-manager.io/fao` label. (#5660, @irbekrm)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.11.0 includes a drastic reduction in cert-manager's runtime memory usage, a slew of improvements to AKS integrations and various other tweaks, fixes and improvements, all towards cert-manager's goal of being the best way to handle certificates in modern Cloud Native applications.

Thanks again to all open-source contributors with commits in this release, including:

Thanks also to the following cert-manager maintainers for their contributions during this release:

Thanks also to the CNCF, which provides resources and support, and to the AWS open source team for being good community members and for their maintenance of the PrivateCA Issuer.

In addition, massive thanks to Jetstack (by Venafi) for contributing developer time and resources towards the continued maintenance of cert-manager projects.

Changes since v1.10:

For an overview of new features, see the v1.11 release notes!

- Added the `--max-concurrent-challenges` controller flag to the Helm chart. (#5638, @lvyanru8200)
- Building with `ko` and redeploying cert-manager to the cluster referenced by your current KUBECONFIG context. (#5655, @wallrj)
- When using the `LiteralSubject` field, all mandatory OIDs are now supported for LDAP certificates (RFC 4514). (#5587, @SpectralHiss)
- Users of the `ExperimentalGatewayAPISupport` alpha feature must ensure that `v1beta` of Gateway API is installed in the cluster. (#5583, @lvyanru8200)
- `vcert` was upgraded to `v4.23.0`, fixing two bugs in cert-manager. The first bug, which was preventing the Venafi issuer from renewing certificates when using TPP, has been fixed: you should no longer see your certificates getting stuck with `WebSDK CertRequest Module Requested Certificate` or `This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry.`. The second bug that was fixed prevented the use of `algorithm: Ed25519` in Certificate resources with VaaS. (#5674, @maelvls)
- Updated `golang/x/net` to fix CVE-2022-41717. (#5632, @SgtCoDFish)
- Fixed a `golang.org/x/text` vulnerability. (#5562, @SgtCoDFish)
- `extraArgs` in Helm takes precedence over the new acmesolver image options. (#5702, @SgtCoDFish)
- `certificate.spec.secretName` Secrets will now be labelled with the `controller.cert-manager.io/fao` label. (#5703, @irbekrm)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.10.2 is primarily a performance enhancement release, which might reduce memory consumption by up to 50% in some cases thanks to some brilliant work by @irbekrm! 🎉

It also patches several vulnerabilities reported by scanners and updates the base images used for cert-manager containers. In addition, it removes a potentially confusing log line, introduced in v1.10.0, which implied that an error had occurred when using external issuers even though there had been no error.

Changes since v1.10.1:

- Fixed a `golang.org/x/text` vulnerability. (#5592, @SgtCoDfish)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ cert-manager v1.11.0-beta.1 is a pre-release beta version intended for testing. It might not be suitable for production uses.

Thanks also to @wallrj, @lucacome and @inteon for their help/contributions to this release!

Changes since v1.11.0-beta.0:

- Users who do not want cainjector to watch `Secret`s and `Certificate`s in all namespaces (i.e. to prevent excessive memory consumption) can now scope it to a single namespace using the `--namespace` flag. A cainjector that is only used as part of the cert-manager installation only needs access to the cert-manager installation namespace. (#5694, @irbekrm)
- `certificate.spec.secretName` Secrets will now be labelled with the `controller.cert-manager.io/fao` label. (#5703, @irbekrm)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ cert-manager v1.11.0-beta.0 is a pre-release beta version intended for testing. It might not be suitable for production uses.

Changes since v1.11.0-alpha.2:

- Fixed a bug that prevented the use of `algorithm: Ed25519` in Certificate resources with VaaS. (#5674, @maelvls)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ cert-manager v1.11.0-alpha.2 is a pre-release alpha version intended for testing. It might not be suitable for production uses.

Changes since v1.11.0-alpha.1:

- Added the `--max-concurrent-challenges` controller flag to the Helm chart. (#5638, @lvyanru8200)
- Building with `ko` and redeploying cert-manager to the cluster referenced by your current KUBECONFIG context. (#5655, @wallrj)
- Bumped Kubernetes libraries to `v0.26.0`. (#5629, @lucacome)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ cert-manager v1.11.0-alpha.1 is a pre-release alpha version intended for testing. It might not be suitable for production uses.

Changes since v1.11.0-alpha.0:

- When using the `LiteralSubject` field, all mandatory OIDs are now supported for LDAP certificates (RFC 4514). (#5587, @SpectralHiss)
- Users of the `ExperimentalGatewayAPISupport` alpha feature must ensure that `v1beta` of Gateway API is installed in the cluster. (#5583, @lvyanru8200)

Published by jetstack-release-bot almost 2 years ago
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.10.1 is a bug fix release which fixes a problem that prevented the Venafi Issuer from connecting to TPP servers where the `vedauth` API endpoints were configured to accept client certificates.

It is also compiled with a newer version of Go 1.19 (v1.19.3), which fixes some vulnerabilities in the Go standard library.

Changes since v1.10.0:

- Fixed a problem that prevented the Venafi Issuer from connecting to TPP servers where the `vedauth` API endpoints are configured to accept client certificates.