cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager v1.9.2 is a bug fix release which fixes an issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests, and a problem which prevented the Venafi Issuer from connecting to TPP servers where the vedauth API endpoints were configured to accept client certificates.
It is also compiled with a newer version of Go 1.18 (v1.18.8) which fixes some vulnerabilities in the Go standard library.

Changes since v1.9.1

Bug or Regression

• Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests.
  (#5371, @munnerz )
• The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication).
  (#5577, @wallrj)
• Upgrade to latest go patch release.
  (#5561, @SgtCoDFish)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.9.2-beta.0 is a pre-release of the forthcoming 1.9.2 patch release to allow wider community testing of the following bug fixes and updates before we make the patch release generally available.

Changes since v1.9.1

Bug or Regression

• Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests (#5371, @munnerz)
• The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#5577, @wallrj)
• Upgrade to latest go minor release (#5561, @SgtCoDFish)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.11.0-alpha.0 is the first alpha release of 1.11 and is not suitable for production use.

Changes since v1.10.0

Feature

• Introducing UseCertificateRequestBasicConstraints feature flag to enable Basic Constraints in the Certificate Signing Request (#5552, @sathyanarays)
• Signers fire an event on CertificateRequests which have not been approved yet. Used for informational purposes so users understand why a request is not progressing. (#5535, @JoshVanL)

Bug or Regression

• Fix golang.org/x/text vulnerability (#5562, @SgtCoDFish)
• The Venafi Issuer now supports TLS 1.2 renegotiation, so that it can connect to TPP servers where the vedauth API endpoints are configured to accept client certificates. (Note: This does not mean that the Venafi Issuer supports client certificate authentication). (#5568, @wallrj)
• Upgrade to latest go minor release (#5559, @SgtCoDFish)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.10 adds a variety of quality-of-life fixes and features including improvements to the test suite.

Changes since v1.9.1

Breaking Changes (You MUST read this before you upgrade!)

Container Name Changes

This change is only relevant if you install cert-manager using Helm or the static manifest files. v1.10.0 changes the names of containers in pods created by cert-manager.

The names are changed to better reflect what they do; for example, the container in the controller pod had its name changed from cert-manager to cert-manager-controller,
and the webhook pod had its container name changed from cert-manager to cert-manager-webhook.

This change could cause a break if you:

1. Use Helm or the static manifests, and
2. Have scripts, tools or tasks which rely on the names of the cert-manager containers being static

If both of these are true, you may need to update your automation before you upgrade.

On OpenShift the cert-manager Pods may fail until you modify Security Context Constraints

In cert-manager 1.10 the secure computing (seccomp) profile for all the Pods is set to RuntimeDefault. (See cert-manager#5259.) The securityContext fields of the Pod are set as follows:

...
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  seccompProfile:
    type: RuntimeDefault
    ...

On some versions and configurations of OpenShift this can cause the Pod to be rejected by the Security Context Constraints admission webhook.
Read full release notes to learn if this might affect you and how to fix it.

Feature

• Add issuer_name, issuer_kind and issuer_group labels to certificate_expiration_timestamp_seconds, certmanager_certificate_renewal_timestamp_seconds and certmanager_certificate_ready_status metrics (#5461, @dkulchinsky)
• Add make targets for running scans with trivy against locally built containers (#5358, @SgtCoDFish)
• CertificateRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. (#5336, @JoshVanL)
• CertificateSigningRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed experimental.cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request.
  CertificateSigningRequets will also now no-longer be marked as failed when the target private key Secret is malformed- now only firing an event. When the Secret data is resolved, the request will attempt issuance. (#5379, @JoshVanL)
• Upgraded Gateway API to v0.5.0 (#5376, @inteon)
• Add caBundleSecretRef to the Vault Issuer to allow referencing the Vault CA Bundle with a Secret. Cannot be used in conjunction with the in-line caBundle field. (#5387, @Tolsto)
• The feature to create certificate requests with the name being a function of certificate name and revision has been introduced under the feature flag "StableCertificateRequestName" and it is disabled by default. This helps to prevent the error "multiple CertificateRequests were found for the 'next' revision...". (#5487, @sathyanarays)
• Helm: Added a new parameter commonLabels which gives you the capability to add the same label on all the resource deployed by the chart. (#5208, @thib-mary)

Bug or Regression

• CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in experimental.cert-manager.io/private-key-secret-name doesn't exist. (#5323, @JoshVanL)
• DNS Route53: Remove incorrect validation which rejects solvers that don't define either a accessKeyID or secretAccessKeyID. (#5339, @JoshVanL)
• Enhanced securityContext for PSS/restricted compliance. (#5259, @joebowbeer)
  Breaking: this might require changes for OpenShift deployments. Read full release notes to learn more.
• Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests (#5366, @munnerz)
• cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #5020 (#5022, @maelvls)

Other

• Avoid hard-coding release namespace in helm chart (#5163, @james-callahan)
• Bump cert-manager's version of Go to 1.19 (#5466, @lucacome)
• Remove .bazel and .bzl files from cert-manager now that bazel has been fully replaced (#5340, @SgtCoDFish)
• Updates Kubernetes libraries to v0.25.2. (#5456, @lucacome)
• Add annotations for ServiceMonitor in helm chart (#5401, @sathieu)
• Helm: Add NetworkPolicy support (#5417, @mjudeikis)
• To help troubleshooting, make the container names unique.
  BREAKING: this change will break scripts/ CI that depend on cert-manager being the container name. (#5410, @rgl)

Thank You!

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

• @joebowbeer
• @rgl
• @lucacome
• @sathieu
• @mjudeikis
• @james-callahan
• @dkulchinsky
• @thib-mary
• @Tolsto
• @sathyanarays

Thanks also to the following maintainers who worked on cert-manager 1.10:

• @irbekrm
• @SgtCoDFish
• @jakexks
• @wallrj
• @maelvls
• @JoshVanL
• @jahrlin
• @munnerz
• @inteon

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.10 adds a variety of quality-of-life fixes and features including improvements to the test suite.

Changes since v1.9.1

Feature

• Add issuer_name, issuer_kind and issuer_group labels to certificate_expiration_timestamp_seconds, certmanager_certificate_renewal_timestamp_seconds and certmanager_certificate_ready_status metrics (#5461, @dkulchinsky)
• Add make targets for running scans with trivy against locally built containers (#5358, @SgtCoDFish)
• CertificateRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. (#5336, @JoshVanL)
• CertificateSigningRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed experimental.cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request.
  CertificateSigningRequets will also now no-longer be marked as failed when the target private key Secret is malformed- now only firing an event. When the Secret data is resolved, the request will attempt issuance. (#5379, @JoshVanL)
• Upgraded Gateway API to v0.5.0 (#5376, @inteon)
• Add caBundleSecretRef to the Vault Issuer to allow referencing the Vault CA Bundle with a Secret. Cannot be used in conjunction with the in-line caBundle field. (#5387, @Tolsto)
• The feature to create certificate requests with the name being a function of certificate name and revision has been introduced under the feature flag "StableCertificateRequestName" and it is disabled by default. This helps to prevent the error "multiple CertificateRequests were found for the 'next' revision...". (#5487, @sathyanarays)
• Helm: Added a new parameter commonLabels which gives you the capability to add the same label on all the resource deployed by the chart. (#5208, @thib-mary)

Bug or Regression

• CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in experimental.cert-manager.io/private-key-secret-name doesn't exist. (#5323, @JoshVanL)
• DNS Route53: Remove incorrect validation which rejects solvers that don't define either a accessKeyID or secretAccessKeyID. (#5339, @JoshVanL)
• Enhanced securityContext for PSS/restricted compliance. (#5259, @joebowbeer)
• Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests (#5366, @munnerz)
• cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #5020 (#5022, @maelvls)

Other

• Avoid hard-coding release namespace in helm chart (#5163, @james-callahan)
• Bump cert-manager's version of Go to 1.19 (#5466, @lucacome)
• Remove .bazel and .bzl files from cert-manager now that bazel has been fully replaced (#5340, @SgtCoDFish)
• Updates Kubernetes libraries to v0.25.2. (#5456, @lucacome)
• Add annotations for ServiceMonitor in helm chart (#5401, @sathieu)
• Helm: Add NetworkPolicy support (#5417, @mjudeikis)
• To help troubleshooting, make the container names unique.
  BREAKING: this change will break scripts/ CI that depend on cert-manager being the container name. (#5410, @rgl)

Thank You!

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

• @joebowbeer
• @rgl
• @lucacome
• @sathieu
• @mjudeikis
• @james-callahan
• @dkulchinsky
• @thib-mary
• @Tolsto
• @sathyanarays

Thanks also to the following maintainers who worked on cert-manager 1.10:

• @irbekrm
• @SgtCoDFish
• @jakexks
• @wallrj
• @maelvls
• @JoshVanL
• @jahrlin
• @munnerz
• @inteon

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.10 adds a variety of quality-of-life fixes and features including improvements to the test suite.

Changes since v1.9.1

Feature

• Add issuer_name, issuer_kind and issuer_group labels to certificate_expiration_timestamp_seconds, certmanager_certificate_renewal_timestamp_seconds and certmanager_certificate_ready_status metrics (#5461, @dkulchinsky)
• Add make targets for running scans with trivy against locally built containers (#5358, @SgtCoDFish)
• CertificateRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request. (#5336, @JoshVanL)
• CertificateSigningRequests: requests that use the SelfSigned Issuer will be re-reconciled when the target private key Secret has been informed experimental.cert-manager.io/private-key-secret-name. This resolves an issue whereby a request would never be signed when the target Secret was not created or was misconfigured before the request.
  CertificateSigningRequets will also now no-longer be marked as failed when the target private key Secret is malformed- now only firing an event. When the Secret data is resolved, the request will attempt issuance. (#5379, @JoshVanL)
• Upgraded Gateway API to v0.5.0 (#5376, @inteon)
• Helm: Added a new parameter commonLabels which gives you the capability to add the same label on all the resource deployed by the chart. (#5208, @thib-mary)

Bug or Regression

• CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in experimental.cert-manager.io/private-key-secret-name doesn't exist. (#5323, @JoshVanL)
• DNS Route53: Remove incorrect validation which rejects solvers that don't define either a accessKeyID or secretAccessKeyID. (#5339, @JoshVanL)
• Enhanced securityContext for PSS/restricted compliance. (#5259, @joebowbeer)
• Fix issue where CertificateRequests marked as InvalidRequest did not properly trigger issuance failure handling leading to 'stuck' requests (#5366, @munnerz)
• cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #5020 (#5022, @maelvls)

Other

• Avoid hard-coding release namespace in helm chart (#5163, @james-callahan)
• Bump cert-manager's version of Go to 1.19 (#5466, @lucacome)
• Remove .bazel and .bzl files from cert-manager now that bazel has been fully replaced (#5340, @SgtCoDFish)
• Updates Kubernetes libraries to v0.25.2. (#5456, @lucacome)
• Add annotations for ServiceMonitor in helm chart (#5401, @sathieu)
• Helm: Add NetworkPolicy support (#5417, @mjudeikis)
• To help troubleshooting, make the container names unique.
  BREAKING: this change will break scripts/ CI that depend on cert-manager being the container name. (#5410, @rgl)

Thank You!

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

• @joebowbeer
• @rgl
• @lucacome
• @sathieu
• @mjudeikis
• @james-callahan
• @dkulchinsky
• @thib-mary

Thanks also to the following maintainers who worked on cert-manager 1.10:

• @irbekrm
• @SgtCoDFish
• @jakexks
• @wallrj
• @maelvls
• @JoshVanL
• @jahrlin
• @munnerz
• @inteon

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.9.1 is a bugfix release which removes an incorrect check in the Route53 DNS solver. This accidental change prevented the use of credentials derived from instance metadata or AWS pod metadata.

Thanks to @danquack and @ArchiFleKs for raising this issue, and @danquack and @JoshVanL for fixing it!

Changes since v1.9.0

Bug

• DNS Route53: Remove incorrect validation which rejects solvers that don't define either a accessKeyID or secretAccessKeyID. (#5341, @JoshVanL @danquack )

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The new version adds alpha support for using cert-manager Certificates in scenarios where the ordering of the Relative Distinguished Names (RDN) sequence that constitutes an X.509 certificate's subject needs to be preserved; improves the ability to configure the Certificate created via ingress-shim using annotations on the Ingress resource; introduces various changes/improvements in contributor flow; and finishes the new make-based contributor workflow.

Major Themes

Literal Certificate Subjects

cert-manager's Certificate allows users to configure the subject fields of the X.509 certificate via spec.subject and spec.commonName fields. The X.509 spec states that the subject is an (ordered) sequence of Relative Distinguished Names (RDN).

cert-manager does not strictly abide by this spec when encoding the subject fields from the Certificate spec. For example, the order of the RDN sequence may not be preserved. This is because cert-manager uses Go's libraries for X.509 certificates, and the Go libraries don't preserve ordering.

For the vast majority of users this does not matter, but there are specific cases that require defining the exact ordered RDN sequence. For example, if the certificate is used for LDAP authentication and the RDN sequence represents a location in LDAP directory tree. See cert-manager#3203.

For these use cases, a new alpha LiteralSubject field has been added to the Certificate spec where users can pass a literal RDN sequence:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test
spec:
  secretName: test
  literalSubject: "C=US,O=myOrg,CN=someName"

To use this field, the alpha feature gate LiteralCertificateSubject needs to be enabled on both the cert-manager controller and webhook. Bear in mind that spec.literalSubject is mutually exclusive with spec.commonName and spec.subject.

This feature is aimed at the specific scenario where an exact RDN sequence needs to be defined. We do not intend to deprecate the existing spec.subject and spec.commonName fields and we recommend that folks keep using those fields in all other cases; they're simpler, have better validation and are more obvious to read and change.

ingress-shim Certificate Configuration

cert-manager 1.9 adds the ability to configure an ingress-shim Certificate's spec.revisionHistoryLimit and spec.privateKey via annotations on the Ingress resource.

This should allow folks to configure ingress-shim Certificates according to best practices (i.e by setting Certificate's spec.privateKey.rotationPolicy to Always).

In the future we would like to design a better mechanism to configure these Certificates. We advise caution when using Ingress annotations as there is no validation of the annotations at Ingress creation time.

Contribution Workflow

Over the past couple of months there have been a number of discussions in regards to contributor experience and project health, partially triggered by the awesome community discussions in cert-manager's KubeCon booth and also by the work done to move cert-manager to CNCF's incubating stage.

For example, we've clarified our feature policy and discussed the process of building cert-manager's roadmap. If you're interested in these topics, we're happy to chat about them!

make Workflow

cert-manager 1.8 introduced a new make based workflow alongside the existing Bazel workflow. The work to improve the make workflow was continued in 1.9 and our contributor documentation has been redefined to use make commands. This should make building and testing cert-manager easier with faster build and test times, easier debugging and less complexity.

As part of this, Bazel has now been fully deprecated for building and testing cert-manager.

As usual, we welcome any feedback in regards to further improving contributor experience.

Thank You!

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

• @AcidLeroy
• @oGi4i
• @spockz (and @yongk802 who raised a similar PR)
• @andrewgkew
• @sveba
• @rodrigorfk
• @craigminihan
• @lucacome
• @Dean-Coakley
• @Compy

Thanks also to the following maintainers who worked on cert-manager 1.9:

• @irbekrm
• @SgtCoDFish
• @jakexks
• @wallrj
• @maelvls
• @JoshVanL
• @jahrlin
• @munnerz

Changes since v1.8.0

Feature

• Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#5194, @Compy)
• Adds make clean-all for starting a fresh development environment and make which-go for getting go version information when developing cert-manager (#5118, @SgtCoDFish)
• Adds make upload-release target for publishing cert-manager releases to GCS, simplifying the cert-manager release process simpler and making it easier to change (#5205, @SgtCoDFish)
• Adds a new alpha Prometheus summary vector metric certmanager_http_venafi_client_request_duration_seconds which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"} will show the average latency of calls to the Venafi certificate request endpoint (#5053, @irbekrm)
• Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#5142, @AcidLeroy)
• Adds new LICENSES format and ability to verify and update licenses through make (#5243, @SgtCoDFish)
• Adds private key Ingress annotations to set private key properties for Certificate (#5239, @oGi4i)
• Adds the cert-manager.io/revision-history-limit annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#5221, @oGi4i)
• Adds the literalSubject field for Certificate resources. This is an alpha feature, enabled by passing the flag --feature-gates=LiteralCertificateSubject=true to the cert-manager controller and webhook. literalSubject allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#5002, @spockz)
• Change default build dir from bin to _bin, which plays better with certain tools which might treat bin as just another source directory (#5130, @SgtCoDFish)
• Helm: Adds a new namespace parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#5141, @andrewgkew)
• Helm: Allow for users to not auto-mount service account tokens see also k/k#57601 (#5016, @sveba)
• Use multiple retries when provisioning tools using curl, to reduce flakes in tests and development environments (#5272, @SgtCoDFish)

Bug or Regression

• CertificateRequests controllers must wait for the core secrets informer to be synced (#5224, @rodrigorfk)
• Ensure that make release-artifacts only builds unsigned artifacts as intended (#5181, @SgtCoDFish)
• Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#5136, @craigminihan)
• Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#5212, @jahrlin)
• Fixed release artifact archives generated by Make so that a leading ./ is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#5050, @jahrlin)
• Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5226, @SgtCoDFish)
• Increases Venafi Issuer timeout for retrieving a certificate increased to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#5247, @hawksight)
• Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @davidsbond for finding the issue! (#5032, @SgtCoDFish)
• cmctl and kubectl cert-manager now report their actual versions instead of "canary", fixing issue #5020 (#5286, @jetstack-bot)

Other (Cleanup or Flake)

• Adds make update-all as a convenience target to run before raising a PR (#5251, @SgtCoDFish)
• Adds make targets for updating and verifying CRDs and codegen (#5242, @SgtCoDFish)
• Bump cert-manager's version of Go to 1.18 (#5152, @lucacome)
• Bumps distroless base images to their latest versions (#5222, @irbekrm)
• CertificateSigningRequest: no longer mark a request as failed when using the SelfSigned issuer, and the Secret referenced in experimental.cert-manager.io/private-key-secret-name doesn't exist. (#5332, @jetstack-bot)
• Only require python for the one test we have which needs it, rather than requiring it globally (#5245, @SgtCoDFish)
• Remove deprecated field securityContext.enabled from helm chart (#4721, @Dean-Coakley)
• Removes support for networking/v1beta Ingresses in ingress-shim. (#5250, @irbekrm)
• Reverts additional check for ServiceMonitor (#5202, @irbekrm)
• Updates Kubernetes libraries to v0.24.2. (#5097, @lucacome)
• Updates warning message that is thrown if issuance fails because private key does not match spec, but private key regeneration is disabled. See https://github.com/cert-manager/cert-manager/pull/5199. (#5199, @irbekrm)

Changes since v1.9.0-beta.0

Feature

• Added support for pulling both AWS access key IDs and secret keys from Kubernetes secrets (#5194, @Compy)
• Use multiple retries when provisioning tools using curl, to reduce flakes in tests and development environments (#5272, @SgtCoDFish)

Changes since v1.9.0-alpha.0

Feature

• Adds new LICENSES format and ability to verify and update licenses through make (#5243, @SgtCoDFish)
• Adds private key Ingress annotations to set private key properties for Certificate (#5239, @oGi4i)

Bug or Regression

• Increases Venafi Issuer timeout for retrieving a certificate increased to 60 seconds, up from 10. This gives TPP instances longer to complete their workflows and make the certificate available before cert-manager times out and re-queues the request. (#5247, @hawksight)

Other (Cleanup or Flake)

• Adds make update-all as a convenience target to run before raising a PR (#5251, @SgtCoDFish)
• Adds make targets for updating and verifying CRDs and codegen (#5242, @SgtCoDFish)
• Only require python for the one test we have which needs it, rather than requiring it globally (#5245, @SgtCoDFish)
• Removes support for networking/v1beta Ingresses in ingress-shim. (#5250, @irbekrm)
• Updates Kubernetes libraries to v0.24.2. (#5097, @lucacome)
• Updates warning message that is thrown if issuance fails because private key does not match spec, but private key regeneration is disabled. See https://github.com/cert-manager/cert-manager/pull/5199. (#5199, @irbekrm)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.9 adds a variety of quality-of-life fixes and features including more improvements to the build and release process,
the ability to more precisely control how X.509 Certificate subjects are formatted for power users and a slew of other changes.

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

• @AcidLeroy
• @oGi4i
• @spockz (and @yongk802 who raised a similar PR)
• @andrewgkew
• @sveba
• @rodrigorfk
• @craigminihan
• @lucacome
• @Dean-Coakley

Thanks also to the following maintainers who worked on cert-manager 1.9:

• @irbekrm
• @SgtCoDFish
• @jakexks
• @wallrj
• @maelvls
• @JoshVanL
• @jahrlin
• @munnerz

Changes since v1.8.0

Feature

• Adds make clean-all for starting a fresh development environment and make which-go for getting go version information when developing cert-manager (#5118, @SgtCoDFish)
• Adds make upload-release target for publishing cert-manager releases to GCS, simplifying the cert-manager release process simpler and making it easier to change (#5205, @SgtCoDFish)
• Adds a new alpha Prometheus summary vector metric certmanager_http_venafi_client_request_duration_seconds which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"} will show the average latency of calls to the Venafi certificate request endpoint (#5053, @irbekrm)
• Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#5142, @AcidLeroy)
• Adds the cert-manager.io/revision-history-limit annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#5221, @oGi4i)
• Adds the literalSubject field for Certificate resources. This is an alpha feature, enabled by passing the flag --feature-gates=LiteralCertificateSubject=true to the cert-manager controller and webhook. literalSubject allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#5002, @spockz)
• Change default build dir from bin to _bin, which plays better with certain tools which might treat bin as just another source directory (#5130, @SgtCoDFish)
• Helm: Adds a new namespace parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#5141, @andrewgkew)
• Helm: Allow for users to not auto-mount service account tokens see also k/k#57601 (#5016, @sveba)

Bug or Regression

• CertificateRequests controllers must wait for the core secrets informer to be synced (#5224, @rodrigorfk)
• Ensure that make release-artifacts only builds unsigned artifacts as intended (#5181, @SgtCoDFish)
• Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#5136, @craigminihan)
• Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#5212, @jahrlin)
• Fixed release artifact archives generated by Make so that a leading ./ is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#5050, @jahrlin)
• Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5226, @SgtCoDFish)
• Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @davidsbond for finding the issue! (#5032, @SgtCoDFish)

Other (Cleanup or Flake)

• Bump cert-manager's version of Go to 1.18 (#5152, @lucacome)
• Bumps distroless base images to their latest versions (#5222, @irbekrm)
• Remove deprecated field securityContext.enabled from helm chart (#4721, @Dean-Coakley)
• Reverts additional check for ServiceMonitor (#5202, @irbekrm)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.7.3 is in effect a bug fix release which increases some hard-coded timeouts which were preventing the use of certain ACME issuers
which sometimes had slower response times. This is known to include ZeroSSL and Sectigo.

These issues were reported by many users. We'd like to thank the following for their help and feedback on this topic:

• @JoooostB
• @fatz
• @jgreat
• @sashokbg
• @mycloudedu
• @hadogenes
• @SudonymTM
• @amalucelli
• @MilheiroSantos
• @dverbeek84
• @kxs-jnadeau
• @fablarosa
• @nik-nazarov
• @omBratteng
• @shubham-root
• @alphabet5
• @hawksight

Thanks also to the cert-manager maintainers who were involved in reviewing this fix and helping to move things forwards:

• @irbekrm
• @jahrlin
• @maelvls
• @JoshVanL
• @wallrj
• @jakexks
• @munnerz

Changes since v1.7.2

Bug

• Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5232, @JoooostB @SgtCoDFish)

Other (Cleanup)

• Bumps go to 1.17.11 and base images to latest distroless base images (#5234, @SgtCoDFish)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

v1.8.2 is in effect a bug fix release which increases some hard-coded timeouts which were preventing the use of certain ACME issuers
which sometimes had slower response times. This is known to include ZeroSSL and Sectigo.

These issues were reported by many different users and We'd like to thank the following for their help, suggestions and feedback on this topic:

• @JoooostB
• @fatz
• @jgreat
• @sashokbg
• @mycloudedu
• @hadogenes
• @SudonymTM
• @amalucelli
• @MilheiroSantos
• @dverbeek84
• @kxs-jnadeau
• @fablarosa
• @nik-nazarov
• @omBratteng
• @shubham-root
• @alphabet5
• @hawksight

Thanks also to the cert-manager maintainers who were involved in reviewing this fix and helping to move things forwards:

• @SgtCoDFish
• @irbekrm
• @jahrlin
• @maelvls
• @JoshVanL
• @wallrj
• @jakexks
• @munnerz

Changes since v1.8.1

Bug

• Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5231, @JoooostB @SgtCoDFish)

Other (Cleanup)

• Bump distroless base images to latest versions (#5235, @SgtCoDFish)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

1.8.1 is a patch release rebuilding cert-manager 1.8 using the latest version of Go.

Changelog since cert-manager 1.7.1

• Reverts a check for Prometheus APIs before creating cert-manager ServiceMonitors which broke users' GitOps flows (cert-manager#5204)

• Bumps the version of Go used to build the cert-manager binaries to 1.17.11 which fixes a few CVEs (we don't think that those were likely to be exploited in cert-manager) (cert-manager#5203, @irbekrm )

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around
Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

Version 1.8 also marks our first release in which the Go import path for cert-manager is that of the repo's new home:

github.com/cert-manager/cert-manager

Breaking Changes (You MUST read this before you upgrade!)

Validation of the rotationPolicy field

The field spec.privateKey.rotationPolicy on Certificate resources is now validated. Valid options are Never and Always. If you are using a GitOps flow and one of your YAML manifests contains a Certificate with an invalid value, you will need to update it with a valid value to prevent your GitOps tool from failing on the new validation. Please follow the instructions listed on the page Upgrading from v1.7 to v1.8. (#4913, @jahrlin)

What happens if I upgrade to 1.8.0 without doing the above steps?

After upgrading to 1.8.0, when updating existing Certificate objects that have an incorrect value for rotationPolicy, Kubernetes clients such as kubectl, Helm, or ArgoCD will start showing the following message:

Certificate.cert-manager.io "my-cert" is invalid: spec.privateKey.rotationPolicy: Unsupported value: "Foo": supported values: "Never", "Always".

Why was this change necessary?

Previously, when the value of the rotationPolicy field was set to an incorrect value, you would not know since no event or condition would be visible on the Certificate itself. The only way to know that something was wrong was to dig into the cert-manager-controller logs and see the message "Certificate with unknown certificate.spec.privateKey.rotationPolicy value":

I0329 12:43:13.325771       1 keymanager_controller.go:176] cert-manager/certificates-key-manager "msg"="Certificate with unknown certificate.spec.privateKey.rotationPolicy value" "key"="default/my-cert" "rotation_policy"="Foo"

This change was implemented in #4913.

Changed Container Layouts

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise
changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long unusual path. For the v1.7.0 cert-manager-webhook
container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook
and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears.
This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo.

.exe Extension on Windows

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the
same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries now have a .exe extension since this is standard practice on Windows. This could affect you
if you're calling the binary in a Powershell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less
common on Windows.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against
doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, github.com/jetstack/cert-manager.

v1.8.0 marks the first release in which the import path changes to the new location, github.com/cert-manager/cert-manager.

We have a guide for Importing cert-manager in Go on cert-manager.io with all the details, including
details on why we don't recommend importing cert-manager as a module if that's avoidable.

Major Themes

Server-Side Apply

cert-manager v1.8.0 adds initial support for Kubernetes Server-Side Apply, which became stable
in Kubernetes 1.22. This support is behind a feature gate for now, and is only supported by cert-manager on Kubernetes 1.22 and later.

Server-Side Apply helps to ensure that changes to resources are made in a managed way, and aims to prevent certain classes of bugs. Notably, it should
eliminate conflicts when multiple controllers try to apply status changes to a single resource. You'll likely have seen messages relating to this kind of
conflict in logs before, e.g.:

I0119 12:34:56.000000       1 controller.go:161] cert-manager/controller/certificaterequests-issuer-acme "msg"="re-queuing item due to optimistic locking on resource" "key"="my-namespace/my-cr" "error"="Operation cannot be fulfilled on certificaterequests.cert-manager.io \"my-cr\": the object has been modified; please apply your changes to the latest version and try again"

These conflicts aren't usually actually a problem which will block the issuance of a certificate, but they can delay things as they cause extra
reconcile loops. Server-side apply cleans things up, which should mean less noise in logs and fewer pointless reconcile loops.

If you want to test it out, you can enable alpha-level cert-manager Server-Side Apply support through the
--feature-gates controller flag.

From Bazel to Make

A common theme when someone tries to make a change to cert-manager for the first time is that they ask for help with navigating Bazel, which cert-manager
used as its build tool. Helping people with Bazel isn't easy; it's an incredibly powerful tool, but that power also brings a lot of complications
which can seriously get in the way of being able to make even simple changes to the code base. Even developers who are familiar with contributing
to open source projects in Go can find it daunting to make changes thanks to Bazel.

The problem isn't limited to open-source contributors; many of cert-manager's maintainers also struggle with configuring and changing Bazel, too.

cert-manager 1.8 is the first release which is built and tested using a newly written make-based build system. We believe that this new build system should
make it much simpler to understand and change the commands which are being run behind the scenes to build and test cert-manager. In time, we'll fully
document the new build system, ensure it's at full feature-parity with Bazel and then remove all references to Bazel across the codebase.

A neat side effect of this change is that our build times have significantly improved. Bazel took around 14 minutes to build every cert-manager
artifact for every platform during a release, while the new make build system can do the same (and more) in under 5 minutes.

Exponential backoff after a failed issuance

cert-manager v1.8.0 introduces exponential backoff after failed certificate issuance.

Previously, a failed issuance was retried every hour which — especially in larger cert-manager installations — could cause rate limits to be hit as well as overwhelm external services. Failed attempts
are now retried with a binary exponential backoff starting with 1h then 2h, 4h up to a maximum of 32h. As part of the new backoff behavior, a new failedIssuanceAttempts field was added to the
Certificate spec to track the number of currently failed issuances.

The cmctl renew command command can still be used to force Certificate renewal immediately.

We're also considering reducing the initial backoff from 1 hour. If you have a use case where this would be useful please do comment on our tracking issue.

Community

cert-manager thrives thanks to the community and we're always grateful for receiving open-source contributions!

Thanks to the following community members who landed a commit in this release:

• @illrill
• @tasharnvb
• @enj
• @vhosakot
• @fvlaicu
• @andreadecorte
• @davidsbond
• @4molybdenum2
• @ajvn
• @mikebryant
• @jayme-github

Thanks also to the cert-manager maintainer team involved with this release

• @maelvls (Release lead)
• @SgtCoDFish (Release lead)
• @jakexks
• @JoshVanL
• @irbekrm
• @wallrj
• @jahrlin
• @munnerz

Changelog since v1.7.0

Feature

• ACTION REQUIRED: The field spec.privateKey.rotationPolicy on Certificate resources is now validated. Valid options are Never and Always. If you are using a GitOps flow and one of your YAML manifests contains a Certificate with an invalid value, you will need to update it with a valid value to prevent your GitOps tool from failing on the new validation. (#4913, @jahrlin)
• Build: add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
• Build: add make targets for running the end-to-end tests, as part of the Bazel replacement. (#4914, @maelvls)
• cert-manager now supports the field spec.expirationSeconds on Kubernetes CertificateSigningRequest resources. Using this field requires Kubernetes 1.22. You can still use the annotation experimental.cert-manager.io/request-duration to request a duration. (#4957, @enj)
• cert-manager now properly updates the content of the data keys tls-combined.pem and key.der on Secret resources that are associated to Certificate resources that use the field additionalOutputFormats. The field additionalOutputFormat is an alpha feature and can be enabled by passing the flag --feature-gates=AdditionalCertificateOutputFormats=true to the cert-manager controller. (#4813, @JoshVanL)
• ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
• ACTION REQUIRED: Server-Side Apply: the feature gate ServerSideApply=true now configures the ingress-shim and gateway-shim controllers to use Kubernetes Server-Side Apply on Certificate resources. When upgrading to cert-manger 1.8 with ServerSideApply=true, do make sure there are no Challenge resources currently in the cluster. If there are some, you will need to manually delete them once they are in 'valid' state as cert-manager post-1.8 with the Server-Side Apply feature is not able to clean up Challenge resources created pre-1.8. (#4811, @JoshVanL)
• Server-Side Apply: the feature gate ServerSideApply=true configures the certificaterequests-* controllers to use Kubernetes Server-Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
• Server-Side Apply: the feature gate ServerSideApply=true configures the certificates-* controllers to use Kubernetes Server-Side Apply on Certificate resources. (#4777, @JoshVanL)
• Server-Side Apply: the feature gate ServerSideApply=true configures the CertificateSigningRequest controllers to use Kubernetes Server-Side Apply on CertificateSigningRequest resources. (#4798, @JoshVanL)
• Server-Side Apply: the feature gate ServerSideApply=true configures the issuers and clusterissuers controllers to use Kubernetes Server-Side Apply on Issuer and ClusterIssuer resources. (#4794, @JoshVanL)
• Server-Side Apply: the feature gate ServerSideApply=true configures the orders controller to use Kubernetes Server-Side Apply on Order resources. (#4799, @JoshVanL)
• The annotation experimental.cert-manager.io/request-duration now has a minimum value of 600 seconds. This annotation This change ensures compatibility with the Kubernetes resource CertificateSigningRequest, which requires a minimum of 600 seconds on the field spec.expirationSeconds. (#4973, @irbekrm)
• The annotation ingress.kubernetes.io/whitelist-source-range used by the Ingress shim when creating Ingress resources can now be overridden by setting the field ingressTemplate on the Issuer and ClusterIssuer. (#4789, @tasharnvb)
• The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
• The user-agent used by cert-manager in its Kubernetes API clients and ACME clients now takes the form cert-manager-<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Another change is the addition of specific field managers strings; previously, all the controllers had the same field manager cert-manager. Now, each controller has its own field manager string of the form cert-manager-<controller name>. (#4773, @JoshVanL)
• You can now uninstall cert-manager using the command cmctl experimental uninstall. (#4897, @jahrlin)
• You can now use an external issuer resource as the default issuer when using the Ingress shim feature. The default issuer can be set using the flags --default-issuer-group, --default-issuer-kind, and --default-issuer-name. (#4833, @jakexks)

Design

• ACTION REQUIRED: The import path for cert-manager has been updated to github.com/cert-manager/cert-manager. If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)

Bug or Regression

• ACTION REQUIRED: The field additionalOutputFormats, which is available as an alpha feature on Certificate resources, is now correctly validated. Previously, it would only get validated when the privateKey field was set on the Certificate. If you are using the additionalOutputFormats field, you will want to add the feature gate AdditionalCertificateOutputFormats to both the webhook and the controller. Previously, you only needed to set AdditionalCertificateOutputFormats on the controller. If the feature gate is missing on either the controller or the webhook, you won't be able to use the additionalOutputFormat field. (#4814, @JoshVanL)
• The Go version used to build the cert-manager binaries has been bumped to 1.17.8 to fix a slew of CVEs (none of which were likely to be exploited). (#4970, @vhosakot)
• Helm: the default nodeSelector is now kubernetes.io/os: linux. If this label isn't present on any nodes in the cluster, the nodeSelector will need to be overwritten, or that label added to some nodes. (#3605, @mikebryant)
• Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)

Other (Cleanup or Flake)

• Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run the cmctl renew command in their namespaces. (#4955, @andreadecorte)
• Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favor of always force applying. (#4815, @JoshVanL)
• Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is now set by cert-manager on the Certificate status. This field keeps track of consecutive failed issuances. The backoff period gets reset after a successful issuance. Like before, updating a field on a failed Certificate (such as spec.dnsNames) or running the command cmctl renew continues to trigger a re-issuance. (#4772, @irbekrm)
• When starting up, cert-manager now solely relies on Lease objects to perform the leader election. Previously, cert-manager supported both ConfigMap and Lease objects for leader election. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
• Helm: you can now set custom labels on the ServiceAccount resources using the values serviceAccount.labels, cainjector.serviceAccount.labels, webhook.serviceAccount.labels, and startupapicheck.serviceAccount.labels. (#4932, @4molybdenum2)

Uncategorized

• Introducing a new metric controller_sync_error_count counting the number of errors during sync() of a controller. (#4987, @jayme-github)
• When creating an acmesolver pod, cert-manager now sets allowPrivilegeEscalation to false by default. The Helm chart now also sets securityContext.allowPrivilegeEscalation to false by default for the controller, cainjector, and webhook pods as well as for the startupapicheck job. (#4953, @ajvn)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around
Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

v1.8 also marks our first release in which the Golang import path for cert-manager is that of the repo's new home:
github.com/cert-manager/cert-manager

Breaking Changes (You MUST read this before you upgrade!)

Changed Container Layouts

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise
changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long, unusual path. For the v1.7.0 cert-manager-webhook
container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook
and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears.
This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo; this reduces container sizes since the LICENSES file was surprisingly large.

.exe Extension on Windows

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the
same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries now have a .exe extension since this is standard practice on Windows. This could affect you
if you're calling the binary in a Powershell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less
common on that platform.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against
doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, github.com/jetstack/cert-manager.

v1.8.0 marks the first release in which the import path changes to the new location, github.com/cert-manager/cert-manager.

We have a guide for Importing cert-manager in Go on cert-manager.io with all the information you'll need, including details on why we don't recommend importing cert-manager as a module if at all possible.

Community

cert-manager thrives thanks to the community and we're always grateful for receiving contributions from open-source community members!

Thanks to the following community members who landed a commit in this release:

• @illrill
• @tasharnvb
• @enj
• @vhosakot
• @fvlaicu
• @andreadecorte
• @davidsbond
• @4molybdenum2
• @ajvn
• @mikebryant
• @jayme-github

Thanks also to the cert-manager maintainer team involved with this release

• @maelvls (Release lead)
• @SgtCoDFish (Release lead)
• @jakexks
• @JoshVanL
• @irbekrm
• @wallrj
• @jahrlin
• @munnerz

Changelog since v1.7.0

Design

• ACTION REQUIRED: The import path for cert-manager has been updated to "github.com/cert-manager/cert-manager". If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)

Feature

• Add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
• Certificate AdditionalOutputFormat: AdditionalOutputFormats are actively reconciled, meaning cert-manager will always maintain the correct Secret data, both for fields being removed/added/modified on both the Certificate's AdditionalOutputFormat as well as the target Secret's Data. AdditionalOutputFormat is an Alpha feature, and is only enabled with the --feature-gates=AdditionalCertificateOutputFormats=true flag. (#4813, @JoshVanL)
• Changes cert-manager controllers and ACME clients to use new user agent format cert-manager<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Field managers now take the form of cert-manager<component name>. (#4773, @JoshVanL)
• ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
• External issuers may now be referenced as the default Issuer name / group / kind for the ingress-shim. (#4833, @jakexks)
• Ingress whitelist-source-range annotation prefix can now be overridden via an IngressTemplate (#4789, @tasharnvb)
• Enforce minimum value of experimental.cert-manager.io/request-duration to 600s. This is done to ensure compatibility with CSR's spec.expirationSeconds. (#4973, @irbekrm)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificate-shim controllers to use Kubernetes Server Side Apply on Certificate resources. (#4811, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the order controller to use Kubernetes Server Side Apply on Order resources. (#4799, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificaterequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificates controllers to use Kubernetes Server Side Apply on Certificate resources. (#4777, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificatesigningrequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4798, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the issuer and clusterissuer controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4794, @JoshVanL)
• Signers now honor Kubernetes CSR duration expressed via the spec.expirationSeconds field. (#4957, @enj)
• The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
• You can now uninstall cert-manager using the command cmctl experimental uninstall. (#4897, @jahrlin)
• Post Issuance Check: proactively ensure that owner reference on issued Secret's reflects the --enable-certificate-owner-ref controller flag. (#4888, @JoshVanL)
• Gateway API: with v1alpha2, the field labels on the gatewayHTTPRoute solver is now optional. (#4967, @maelvls)
• ServerSideApply: The feature gate ServerSideApply=true configures the challenges controller to use Kubernetes Server Side Apply on Challenge resources.
  Warning: if you upgrade to cert-manger v1.8 with ServerSideApply=true, do make sure there are no Challenge resources currently in the cluster. If there are some, you will need to manually delete them once they are in 'valid' state as cert-manager post-v1.8 with the SSA feature is not able to clean up Challenge CRs created pre-v1.8. (#4808, @JoshVanL)

Bug or Regression

• Added kube validation for certificate.spec.privateKey.rotationPolicy. Valid options are Never and Always. Existing Certificate resources with incorrect values needs to be updated. (#4898 (#4913, @jahrlin)
• Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4970, @vhosakot)
• Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. The AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#4814, @JoshVanL)
• Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)
• The default nodeSelector is now kubernetes.io/os: linux. If this label isn't present on any nodes in the cluster, the nodeSelector will need to be overwritten, or that label added to some Nodes. (#3605, @mikebryant)

Other (Cleanup or Flake)

• Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run cmctl renew command in their namespaces. (#4955, @andreadecorte)
• Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favour of always force applying. (#4815, @JoshVanL)
• Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is added to Certificate's status that keeps track of consecutive failed issuances. Backoff period gets reset by a successful issuance. The current behaviour where changing certain fields on Certificates spec (such as DNS names) or manually renewing using cmctl tool remains unchanged. (#4772, @irbekrm)
• Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This change modifies the leader-election code to now solely use Lease objects. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
• Support for serviceAccount labels in helm charts (#4932, @4molybdenum2)
• Set allowPrivilegeEscalation in container security context to false by default when not set for acmesolver pod, and set allowPrivilegeEscalation to false by default for controller, cainjector, webhook pods and the startupapicheck job (#4953, @ajvn)
• Introducing a new metric controller_sync_error_count counting the number of errors during sync() of a controller. (#4987, @jayme-github)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around
Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

v1.8 also marks our first release in which the Golang import path for cert-manager is that of the repo's new home:
github.com/cert-manager/cert-manager

Breaking Changes (You MUST read this before you upgrade!)

Changed Container Layouts

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise
changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long, unusual path. For the v1.7.0 cert-manager-webhook
container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook
and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears.
This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo; this reduces container sizes since the LICENSES file was surprisingly large.

.exe Extension on Windows

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the
same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries now have a .exe extension since this is standard practice on Windows. This could affect you
if you're calling the binary in a Powershell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less
common on that platform.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against
doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, github.com/jetstack/cert-manager.

v1.8.0 marks the first release in which the import path changes to the new location, github.com/cert-manager/cert-manager.

We have a guide for Importing cert-manager in Go on cert-manager.io with all the information you'll need, including details on why we don't recommend importing cert-manager as a module if at all possible.

Community

cert-manager thrives thanks to the community and we're always grateful for receiving contributions from open-source community members!

Thanks to the following community members who landed a commit in this release:

• @illrill
• @tasharnvb
• @enj
• @vhosakot
• @fvlaicu
• @andreadecorte
• @davidsbond
• @4molybdenum2
• @ajvn
• @mikebryant
• @jayme-github

Thanks also to the cert-manager maintainer team involved with this release

• @maelvls (Release lead)
• @SgtCoDFish (Release lead)
• @jakexks
• @JoshVanL
• @irbekrm
• @wallrj
• @jahrlin
• @munnerz

Changelog since v1.7.0

Design

• ACTION REQUIRED: The import path for cert-manager has been updated to "github.com/cert-manager/cert-manager". If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)

Feature

• Add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
• Certificate AdditionalOutputFormat: AdditionalOutputFormats are actively reconciled, meaning cert-manager will always maintain the correct Secret data, both for fields being removed/added/modified on both the Certificate's AdditionalOutputFormat as well as the target Secret's Data. AdditionalOutputFormat is an Alpha feature, and is only enabled with the --feature-gates=AdditionalCertificateOutputFormats=true flag. (#4813, @JoshVanL)
• Changes cert-manager controllers and ACME clients to use new user agent format cert-manager<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Field managers now take the form of cert-manager<component name>. (#4773, @JoshVanL)
• ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
• External issuers may now be referenced as the default Issuer name / group / kind for the ingress-shim. (#4833, @jakexks)
• Ingress whitelist-source-range annotation prefix can now be overridden via an IngressTemplate (#4789, @tasharnvb)
• Enforce minimum value of experimental.cert-manager.io/request-duration to 600s. This is done to ensure compatibility with CSR's spec.expirationSeconds. (#4973, @irbekrm)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificate-shim controllers to use Kubernetes Server Side Apply on Certificate resources. (#4811, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the order controller to use Kubernetes Server Side Apply on Order resources. (#4799, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificaterequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificates controllers to use Kubernetes Server Side Apply on Certificate resources. (#4777, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificatesigningrequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4798, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the issuer and clusterissuer controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4794, @JoshVanL)
• Signers now honor Kubernetes CSR duration expressed via the spec.expirationSeconds field. (#4957, @enj)
• The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
• You can now uninstall cert-manager using the command cmctl experimental uninstall. (#4897, @jahrlin)
• Post Issuance Check: proactively ensure that owner reference on issued Secret's reflects the --enable-certificate-owner-ref controller flag. (#4888, @JoshVanL)
• Gateway API: with v1alpha2, the field labels on the gatewayHTTPRoute solver is now optional. (#4967, @maelvls)

Bug or Regression

• Added kube validation for certificate.spec.privateKey.rotationPolicy. Valid options are Never and Always. Existing Certificate resources with incorrect values needs to be updated. (#4898 (#4913, @jahrlin)
• Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4970, @vhosakot)
• Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. The AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#4814, @JoshVanL)
• Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)
• The default nodeSelector is now kubernetes.io/os: linux. If this label isn't present on any nodes in the cluster, the nodeSelector will need to be overwritten, or that label added to some Nodes. (#3605, @mikebryant)

Other (Cleanup or Flake)

• Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run cmctl renew command in their namespaces. (#4955, @andreadecorte)
• Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favour of always force applying. (#4815, @JoshVanL)
• Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is added to Certificate's status that keeps track of consecutive failed issuances. Backoff period gets reset by a successful issuance. The current behaviour where changing certain fields on Certificates spec (such as DNS names) or manually renewing using cmctl tool remains unchanged. (#4772, @irbekrm)
• Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This change modifies the leader-election code to now solely use Lease objects. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
• Support for serviceAccount labels in helm charts (#4932, @4molybdenum2)
• Set allowPrivilegeEscalation in container security context to false by default when not set for acmesolver pod, and set allowPrivilegeEscalation to false by default for controller, cainjector, webhook pods and the startupapicheck job (#4953, @ajvn)
• Introducing a new metric controller_sync_error_count counting the number of errors during sync() of a controller. (#4987, @jayme-github)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around
Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

v1.8 also marks our first release in which the Golang import path for cert-manager is that of the repo's new home:
github.com/cert-manager/cert-manager

Breaking Changes (You MUST read this before you upgrade!)

Changed Container Layouts

⚠️ This section does not apply for cert-manager v1.8.0-alpha.1

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise
changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long unusual path. For the v1.7.0 cert-manager-webhook
container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook
and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears.
This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo.

.exe Extension on Windows

⚠️ This section does not apply for cert-manager v1.8.0-alpha.1

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the
same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries now have a .exe extension since this is standard practice on Windows. This could affect you
if you're calling the binary in a Powershell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less
common on that platform.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against
doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, github.com/jetstack/cert-manager.

v1.8.0 marks the first release in which the import path changes to the new location, github.com/cert-manager/cert-manager.

We have a guide for Importing cert-manager in Go on cert-manager.io with all the details, including
details on why we don't recommend importing cert-manager as a module if that's avoidable.

Community

cert-manager thrives thanks to the community and we're always grateful for receiving contributions from open-source community members!

Thanks to the following community members who landed a commit in this release:

• @illrill
• @tasharnvb
• @enj
• @vhosakot
• @fvlaicu
• @andreadecorte
• @davidsbond
• @4molybdenum2
• @ajvn

Thanks also to the cert-manager maintainer team involved with this release

• @maelvls (Release lead)
• @SgtCoDFish (Release lead)
• @jakexks
• @JoshVanL
• @irbekrm
• @wallrj
• @jahrlin
• @munnerz

Changelog since v1.7.0

Design

• ACTION REQUIRED: The import path for cert-manager has been updated to "github.com/cert-manager/cert-manager". If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)

Feature

• Add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
• Certificate AdditionalOutputFormat: AdditionalOutputFormats are actively reconciled, meaning cert-manager will always maintain the correct Secret data, both for fields being removed/added/modified on both the Certificate's AdditionalOutputFormat as well as the target Secret's Data. AdditionalOutputFormat is an Alpha feature, and is only enabled with the --feature-gates=AdditionalCertificateOutputFormats=true flag. (#4813, @JoshVanL)
• Changes cert-manager controllers and ACME clients to use new user agent format cert-manager<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Field managers now take the form of cert-manager<component name>. (#4773, @JoshVanL)
• ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
• External issuers may now be referenced as the default Issuer name / group / kind for the ingress-shim. (#4833, @jakexks)
• Ingress whitelist-source-range annotation prefix can now be overridden via an IngressTemplate (#4789, @tasharnvb)
• Enforce minimum value of experimental.cert-manager.io/request-duration to 600s. This is done to ensure compatibility with CSR's spec.expirationSeconds. (#4973, @irbekrm)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificate-shim controllers to use Kubernetes Server Side Apply on Certificate resources. (#4811, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the order controller to use Kubernetes Server Side Apply on Order resources. (#4799, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificaterequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificates controllers to use Kubernetes Server Side Apply on Certificate resources. (#4777, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificatesigningrequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4798, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the issuer and clusterissuer controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4794, @JoshVanL)
• Signers now honor Kubernetes CSR duration expressed via the spec.expirationSeconds field. (#4957, @enj)
• The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
• You can now uninstall cert-manager using the command cmctl experimental uninstall. (#4897, @jahrlin)

Bug or Regression

• Added kube validation for certificate.spec.privateKey.rotationPolicy. Valid options are Never and Always. Existing Certificate resources with incorrect values needs to be updated. (#4898 (#4913, @jahrlin)
• Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4970, @vhosakot)
• Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. The AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#4814, @JoshVanL)
• Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)

Other (Cleanup or Flake)

• Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run cmctl renew command in their namespaces. (#4955, @andreadecorte)
• Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favour of always force applying. (#4815, @JoshVanL)
• Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is added to Certificate's status that keeps track of consecutive failed issuances. Backoff period gets reset by a successful issuance. The current behaviour where changing certain fields on Certificates spec (such as DNS names) or manually renewing using cmctl tool remains unchanged. (#4772, @irbekrm)
• Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This change modifies the leader-election code to now solely use Lease objects. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
• Support for serviceAccount labels in helm charts (#4932, @4molybdenum2)
• Set allowPrivilegeEscalation in container security context to false by default when not set for acmesolver pod, and set allowPrivilegeEscalation to false by default for controller, cainjector, webhook pods and the startupapicheck job (#4953, @ajvn)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around
Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

v1.8 also marks our first release in which the Golang import path for cert-manager is that of the repo's new home:
github.com/cert-manager/cert-manager

Breaking Changes (You MUST read this before you upgrade!)

Changed Container Layouts

⚠️ This section does not apply for v1.8.0-alpha.0!

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise
changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long unusual path. For the v1.7.0 cert-manager-webhook
container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook
and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears.
This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo.

.exe Extension on Windows

⚠️ This section does not apply for v1.8.0-alpha.0!

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the
same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries now have a .exe extension since this is standard practice on Windows. This could affect you
if you're calling the binary in a Powershell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less
common on that platform.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against
doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository, github.com/jetstack/cert-manager.

v1.8.0 marks the first release in which the import path changes to the new location, github.com/cert-manager/cert-manager.

We have a guide for Importing cert-manager in Go on cert-manager.io with all the details, including
details on why we don't recommend importing cert-manager as a module if that's avoidable.

Community

cert-manager thrives thanks to the community and we're always grateful for receiving contributions from open-source community members!

Thanks to the following community members who landed a commit in this release:

• @illrill
• @tasharnvb
• @enj
• @vhosakot
• @fvlaicu
• @andreadecorte
• @davidsbond
• @4molybdenum2
• @ajvn

Thanks also to the cert-manager maintainer team involved with this release

• @maelvls (Release lead)
• @SgtCoDFish (Release lead)
• @jakexks
• @JoshVanL
• @irbekrm
• @wallrj
• @jahrlin
• @munnerz

Changelog since v1.7.0

Design

• ACTION REQUIRED: The import path for cert-manager has been updated to "github.com/cert-manager/cert-manager". If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)

Feature

• Add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
• Certificate AdditionalOutputFormat: AdditionalOutputFormats are actively reconciled, meaning cert-manager will always maintain the correct Secret data, both for fields being removed/added/modified on both the Certificate's AdditionalOutputFormat as well as the target Secret's Data. AdditionalOutputFormat is an Alpha feature, and is only enabled with the --feature-gates=AdditionalCertificateOutputFormats=true flag. (#4813, @JoshVanL)
• Changes cert-manager controllers and ACME clients to use new user agent format cert-manager<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Field managers now take the form of cert-manager<component name>. (#4773, @JoshVanL)
• ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
• External issuers may now be referenced as the default Issuer name / group / kind for the ingress-shim. (#4833, @jakexks)
• Ingress whitelist-source-range annotation prefix can now be overridden via an IngressTemplate (#4789, @tasharnvb)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificaterequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificates controllers to use Kubernetes Server Side Apply on Certificate resources. (#4777, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the certificatesigningrequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4798, @JoshVanL)
• ServerSideApply: The feature gate ServerSideApply=true configures the issuer and clusterissuer controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4794, @JoshVanL)
• Signers now honor Kubernetes CSR duration expressed via the spec.expirationSeconds field. (#4957, @enj)
• The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
• You can now uninstall cert-manager using the command cmctl experimental uninstall. (#4897, @jahrlin)

Bug or Regression

• ACTION REQUIRED: Added kube validation for certificate.spec.privateKey.rotationPolicy. Valid options are Never and Always. Existing Certificate resources with incorrect values needs to be updated. (#4898 (#4913, @jahrlin)
• Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4970, @vhosakot)
• Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. The AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#4814, @JoshVanL)
• Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)

Other (Cleanup or Flake)

• Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run cmctl renew command in their namespaces. (#4955, @andreadecorte)
• Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favour of always force applying. (#4815, @JoshVanL)
• Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is added to Certificate's status that keeps track of consecutive failed issuances. Backoff period gets reset by a successful issuance. The current behaviour where changing certain fields on Certificates spec (such as DNS names) or manually renewing using cmctl tool remains unchanged. (#4772, @irbekrm)
• Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This change modifies the leader-election code to now solely use Lease objects. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
• Support for serviceAccount labels in helm charts (#4932, @4molybdenum2)
• Set allowPrivilegeEscalation in container security context to false by default when not set for acmesolver pod, and set allowPrivilegeEscalation to false by default for controller, cainjector, webhook pods and the startupapicheck job (#4953, @ajvn)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

1.7.2 is a minor release rebuilding cert-manager 1.7 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.

We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.

Changelog since cert-manager 1.7.1

Bug or Regression

• Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4976 , @vhosakot)
• Fixes an expired hardcoded certificate which broke unit tests (#4978, @SgtCoDFish @jakexks)