cert-manager

Automatically provision and manage TLS certificates in Kubernetes

APACHE-2.0 License


cert-manager - v1.6.3

Published by jetstack-release-bot over 2 years ago

v1.6.3 Release Notes

1.6.3 is a minor release rebuilding cert-manager 1.6 using the latest version of Go. This eliminates a few security vulnerabilities which have accumulated in Go since the last release.

We don't believe any of those vulnerabilities were practically exploitable or relevant to cert-manager, but we decided to rebuild to keep up to date anyway.

Changelog since cert-manager 1.6.2

Bug or Regression

  • Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4975, @vhosakot)
  • Fixes an expired hardcoded certificate which broke unit tests (#4977, @SgtCoDFish @jakexks)
cert-manager - v1.7.1

Published by jetstack-release-bot over 2 years ago

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.7.1 fixes a bug which was discovered in 1.7.0 relating to the new additionalOutputFormat feature.

Changelog since v1.7.0

Bug or Regression

  • Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. An AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#4816, @JoshVanL)
cert-manager - v1.7.0

Published by jetstack-release-bot over 2 years ago

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.7 brings new private key output formats, configuration improvements for the webhook, some long-awaited code cleanup, a fix for ingress class semantics and a bunch of other changes.

Breaking Changes (You MUST read this before you upgrade!)

Removal of Deprecated APIs

⚠ Following their deprecation in version 1.4, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 have been removed. You must ensure that all cert-manager custom resources are stored in etcd at version v1 and that all cert-manager CustomResourceDefinitions have only v1 as the stored version before upgrading.

Since release 1.7, cmctl can automatically migrate any deprecated API resources. Please download cmctl-v1.7.0 and read Migrating Deprecated API Resources for full instructions.

Ingress Class Semantics

In 1.7, we have reverted a change that caused a regression in the ACME Issuer. Before 1.5.4, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.

After 1.5.4, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!

This broke many users that either don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not need to create an IngressClass previously (such as with Istio and Traefik).

The regression is present in cert-manager 1.5.4, 1.6.0, 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.

In 1.7, we have restored the original behavior which is to use the annotation. We will also backport this fix to 1.5.5 and 1.6.2, allowing people to upgrade safely.

Most people won't have any trouble upgrading from a version that contains the regression to 1.7.0, 1.6.2 or 1.5.5. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.

If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.
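To check which of the two shapes your cluster's solver Ingresses actually have, the following Go program (an added example, not cert-manager's own code) decodes Ingress objects as printed by kubectl, reports whether the class comes from the kubernetes.io/ingress.class annotation or from spec.ingressClassName, flags the field-only shape that 1.5.4, 1.6.0 and 1.6.1 produced, and compares the effective class with the class configured on the Issuer. The two sample objects are constructed; the acme.cert-manager.io/http01-solver label mentioned in the comment is an assumption about how solver resources are labelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// classAnnotation is the selector that 1.5.5, 1.6.2 and 1.7.0 restore.
const classAnnotation = "kubernetes.io/ingress.class"

// ingress is a minimal view of the Ingress fields relevant to class selection.
type ingress struct {
	Metadata struct {
		Namespace   string            `json:"namespace"`
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		IngressClassName *string `json:"ingressClassName"`
	} `json:"spec"`
}

// ClassReport describes how one challenge Ingress selects its controller.
type ClassReport struct {
	Name            string
	AnnotationClass string // kubernetes.io/ingress.class value, "" if absent
	FieldClass      string // spec.ingressClassName value, "" if absent
	MatchesIssuer   bool   // effective class equals the Issuer's solver class
	Regressed       bool   // field set without annotation: the 1.5.4/1.6.0/1.6.1 shape
}

// InspectChallengeIngress decodes one Ingress object (JSON as printed by
// kubectl get ingress -o json) and compares it with the Issuer's class.
func InspectChallengeIngress(raw []byte, issuerClass string) (ClassReport, error) {
	var ing ingress
	if err := json.Unmarshal(raw, &ing); err != nil {
		return ClassReport{}, fmt.Errorf("decode ingress: %w", err)
	}
	r := ClassReport{Name: ing.Metadata.Namespace + "/" + ing.Metadata.Name}
	r.AnnotationClass = ing.Metadata.Annotations[classAnnotation]
	if ing.Spec.IngressClassName != nil {
		r.FieldClass = *ing.Spec.IngressClassName
	}
	r.Regressed = r.FieldClass != "" && r.AnnotationClass == ""
	// Report the annotation when present, otherwise the field.
	effective := r.AnnotationClass
	if effective == "" {
		effective = r.FieldClass
	}
	r.MatchesIssuer = effective == issuerClass
	return r, nil
}

// AuditList takes a v1 List of Ingress objects, e.g. the output of
//   kubectl get ingress -A -l acme.cert-manager.io/http01-solver=true -o json
// (label assumed), and reports every solver Ingress in it.
func AuditList(raw []byte, issuerClass string) ([]ClassReport, error) {
	var list struct {
		Items []json.RawMessage `json:"items"`
	}
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decode list: %w", err)
	}
	reports := make([]ClassReport, 0, len(list.Items))
	for _, item := range list.Items {
		r, err := InspectChallengeIngress(item, issuerClass)
		if err != nil {
			return nil, err
		}
		reports = append(reports, r)
	}
	return reports, nil
}

// Constructed samples in the two shapes shown in the release notes above.
const annotatedIngress = `{"apiVersion":"networking.k8s.io/v1beta1","kind":"Ingress",
  "metadata":{"namespace":"default","name":"cm-acme-http-solver-a",
              "annotations":{"kubernetes.io/ingress.class":"istio"}},
  "spec":{}}`

const regressedIngress = `{"apiVersion":"networking.k8s.io/v1","kind":"Ingress",
  "metadata":{"namespace":"default","name":"cm-acme-http-solver-b"},
  "spec":{"ingressClassName":"istio"}}`

const sampleList = `{"apiVersion":"v1","kind":"List","items":[` + annotatedIngress + "," + regressedIngress + "]}"

func main() {
	reports, err := AuditList([]byte(sampleList), "istio")
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%s annotation=%q field=%q matchesIssuer=%v regressed=%v\n",
			r.Name, r.AnnotationClass, r.FieldClass, r.MatchesIssuer, r.Regressed)
	}
}
```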

Upgrading with Server Side Apply

As part of the work to remove deprecated APIs cert-manager CustomResourceDefinitions no longer require a conversion webhook. The related change in cert-manager CustomResourceDefinition specs results in invalid CustomResourceDefinition configurations for users who are upgrading to cert-manager 1.7 using kubectl apply --server-side=true -f <manifests>. This can be solved either by performing the upgrade with client side apply or by manually patching the managed fields of cert-manager CustomResourceDefinitions:

crds=("certificaterequests.cert-manager.io" "certificates.cert-manager.io" "challenges.acme.cert-manager.io" "clusterissuers.cert-manager.io" "issuers.cert-manager.io" "orders.acme.cert-manager.io")

for crd in "${crds[@]}"; do
  # Index of the managedFields entry owned by cainjector; jq prints "null" if there is none.
  manager_index="$(kubectl get crd "${crd}" --show-managed-fields --output json | jq -r '.metadata.managedFields | map(.manager == "cainjector") | index(true)')"
  if [ "${manager_index}" = "null" ]; then
    echo "${crd}: no cainjector managedFields entry, nothing to patch"
    continue
  fi
  kubectl patch crd "${crd}" --type=json -p="[{\"op\": \"remove\", \"path\": \"/metadata/managedFields/${manager_index}\"}]"
done

(Thanks to @stevehipwell for the above patch commands!)

See the original GitHub issue cert-manager#4831

Major Themes

Removal of Deprecated APIs

In 1.7 the cert-manager API versions v1alpha2, v1alpha3, and v1beta1, that were deprecated in 1.4, have been removed from the custom resource definitions (CRDs). As a result, you will notice that the YAML manifest files are much smaller.

In this release we have added a new sub-command to the cert-manager CLI (cmctl upgrade migrate-api-version), which you SHOULD run BEFORE upgrading cert-manager to 1.7. Please read [Removing Deprecated API Resources] for full instructions.

Additional Certificate Output Formats

additionalOutputFormats is a field on the Certificate spec that allows specifying additional supplementary formats of issued certificates and their private key. There are currently two supported additional output formats: CombinedPEM (the PEM-encoded private key followed by the certificate chain) and DER (the DER-encoded private key only). Any combination of output formats can be requested for the same certificate. Read Additional Certificate Output Formats for more details and thanks to @seuf for getting this across the line!
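The following Go program is an added illustration (not cert-manager's own code) of what the two formats contain: CombinedPEM is the tls.key PEM block followed by the tls.crt chain, DER is the bare DER bytes of the private key block and nothing else. It builds a constructed ECDSA key and self-signed certificate in place of a real issued pair, derives both outputs, and checks that each loads back correctly, including that one combined file can be handed to tls.X509KeyPair as both its arguments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CombinedPEM returns the tls.key PEM followed by the tls.crt PEM chain,
// the layout of the CombinedPEM output format.
func CombinedPEM(keyPEM, chainPEM []byte) []byte {
	out := make([]byte, 0, len(keyPEM)+len(chainPEM)+1)
	out = append(out, keyPEM...)
	if len(out) > 0 && out[len(out)-1] != '\n' {
		out = append(out, '\n')
	}
	return append(out, chainPEM...)
}

// DERKey returns the raw DER bytes of the first private key block in keyPEM,
// which is all the DER output format contains (no certificate).
func DERKey(keyPEM []byte) ([]byte, error) {
	for rest := keyPEM; len(rest) > 0; {
		block, next := pem.Decode(rest)
		if block == nil {
			break
		}
		if strings.HasSuffix(block.Type, "PRIVATE KEY") {
			return block.Bytes, nil
		}
		rest = next
	}
	return nil, errors.New("no private key block in tls.key")
}

// newTestMaterial builds a constructed key and self-signed certificate standing
// in for the tls.key / tls.crt that a cert-manager Certificate would produce.
func newTestMaterial() (keyPEM, certPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	return keyPEM, certPEM, nil
}

// VerifyOutputs checks that both derived formats load back: the combined file must
// work as a single TLS key pair, and the DER bytes must parse as the key matching
// the certificate's public key.
func VerifyOutputs(keyPEM, certPEM []byte) error {
	combined := CombinedPEM(keyPEM, certPEM)
	// X509KeyPair skips non-matching block types, so one file serves as both arguments.
	pair, err := tls.X509KeyPair(combined, combined)
	if err != nil {
		return fmt.Errorf("combined PEM: %w", err)
	}
	der, err := DERKey(keyPEM)
	if err != nil {
		return err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return fmt.Errorf("DER key: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	ecKey, ok := key.(*ecdsa.PrivateKey)
	if !ok || !ecKey.PublicKey.Equal(leaf.PublicKey) {
		return errors.New("DER key does not match the certificate")
	}
	return nil
}

func main() {
	keyPEM, certPEM, err := newTestMaterial()
	if err != nil {
		panic(err)
	}
	if err := VerifyOutputs(keyPEM, certPEM); err != nil {
		panic(err)
	}
	der, _ := DERKey(keyPEM)
	fmt.Printf("CombinedPEM: %d bytes, DER: %d bytes\n", len(CombinedPEM(keyPEM, certPEM)), len(der))
}
```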

Server-Side Apply

This is the first version of cert-manager which relies on Server-Side Apply. We use it to properly manage the annotations and labels on TLS secrets. For this reason cert-manager 1.7 requires at least Kubernetes 1.18 (see Supported Releases for further compatibility details).

Configuration Files

In this release we introduce a new configuration file for the cert-manager-webhook. Instead of configuring the webhook using command line flags, you can now modify the webhook Deployment to mount a ConfigMap containing a configuration file. Read the WebhookConfiguration Schema for more information.

In future releases we will introduce configuration files for the other cert-manager components: the controller and the cainjector.

Developing cert-manager Without Bazel

In a future release, we'll remove the use of bazel for building and testing cert-manager, with the aim of making it as easy as possible for anyone to contribute and to get involved with the cert-manager project.

The work is ongoing, but for now we've ensured that cert-manager 1.7 can be built with go build, and that all unit tests can be run with go test ./cmd/... ./internal/... ./pkg/....

Community

Thanks again to all open-source contributors with commits in this release, including:

  • @Adphi
  • @devholic
  • @johnwchadwick
  • @jsoref
  • @jwenz723
  • @seuf
  • @thirdeyenick

Thanks as usual to @coderanger for helping people out on the #cert-manager Slack channel; it's a huge help and much appreciated.

In addition, the following cert-manager maintainers were involved in this release:

  • @munnerz
  • @JoshVanL
  • @irbekrm
  • @wallrj
  • @maelvls
  • @SgtCoDFish
  • @jakexks
  • @jahrlin

Changelog since v1.6.0

Feature

  • Add --acme-http01-solver-nameservers flag to enable custom nameservers usage for ACME HTTP-01 challenge propagation checks. (#4287, @Adphi)
  • Add cmctl upgrade migrate-api-version to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#4711, @munnerz)
  • Add goimports verification step for CI (#4710, @SgtCoDFish)
  • Add support for loading webhook flags/options from a WebhookConfiguration file on disk (#4546, @munnerz)
  • Added additionalOutputFormats parameter to allow DER (binary) and CombinedPEM (key + cert bundle) formats. (#4598, @seuf)
  • Added a makefile based build workflow which doesn't depend on bazel (#4554, @SgtCoDFish)
  • Added a new Helm chart parameter prometheus.servicemonitor.honorLabels, which sets the honor_labels field of the Prometheus scrape config. (#4608, @thirdeyenick)
  • Breaking change: pprof now runs by default on localhost:6060 for webhook and controller, but only if explicitly enabled. Pprof can now be enabled also for cainjector. All three components have --enable-profiling, --profiler-address CLI flags to configure profiling. Thanks to @bitscuit for help with this! (#4550, @irbekrm)
  • Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles a Certificate's SecretTemplate against the corresponding Secret, garbage collecting and correcting key/value changes. (#4638, @JoshVanL)

Bug or Regression

  • Ensures 1 hour backoff between errored calls for new ACME Orders. (#4616, @irbekrm)
  • Fix unexpected exit when multiple DNS providers are passed to RunWebhookServer (#4702, @devholic)
  • Fixed a bug in the way the Helm chart handles service annotations on the controller and webhook services. (#4329, @jwenz723)
  • Fixed a bug that can cause cmctl version to erroneously display the wrong webhook pod versions when older failed pods are present. (#4615, @johnwchadwick)
  • Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @MattiasGees for raising the issue and help with debugging! (#4688, @irbekrm)
  • Fixes an issue in cmctl that prevented displaying the Order resource with cert-manager 1.6 when running cmctl status certificate. (#4569, @maelvls)
  • Improve checksum validation in makefile based tool installation (#4680, @SgtCoDFish)
  • The HTTP-01 ACME solver now uses the kubernetes.io/ingress.class annotation instead of the spec.ingressClassName in created Ingress resources. (#4762, @jakexks)
  • The cmctl experimental install command now uses the cert-manager namespace. This fixes a bug which was introduced in release 1.6 that caused cert-manager to be installed in the default namespace. (#4763, @wallrj)
  • Update to latest version of keystore-go to address a backwards-incompatible change introduced in v1.6.0 (#4563, @SgtCoDFish)

Other (Cleanup or Flake)

  • Adds clock_time_seconds_gauge metric which returns the current clock time, based on seconds since 1970/01/01 UTC (#4640, @JoshVanL)
  • Adds an automated script for cert-manager developers to update versions of kind used for development and testing. (#4574, @SgtCoDFish)
  • Breaking change: removes the deprecated dns01-self-check-nameservers flag. Use --dns01-recursive-nameservers instead. (#4551, @irbekrm)
  • Bump kind image versions (#4593, @SgtCoDFish)
  • Clean up: Remove v1beta1 from the webhook's admissionReviewVersions as cert-manager no longer supports v1.16 (#4639, @JoshVanL)
  • Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#4703, @JoshVanL)
  • Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#4697, @irbekrm)
  • No longer log an error when a Certificate is deleted during normal operation. (#4637, @JoshVanL)
  • Removed deprecated API versions from the cert-manager CRDs (#4635, @wallrj)
  • Update distroless base images for cert-manager (#4706, @SgtCoDFish)
  • Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)
cert-manager - v1.6.2

Published by jetstack-release-bot over 2 years ago

In 1.6.2, we have reverted a change present in 1.6.0 and 1.6.1 that caused a regression in the ACME Issuer. In 1.6.0 and 1.6.1, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.

After 1.5, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!

This broke many users that either don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not need to create an IngressClass previously (such as with Istio and Traefik).

The regression is present in cert-manager 1.5.4, 1.6.0, and 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.

In 1.6.2, we have restored the original behavior which is to use the annotation. This patch is also available in 1.5.5 and in 1.7.0.

Most people won't have any trouble upgrading from 1.6.0 or 1.6.1 to 1.6.2. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.

If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.

Changelog since v1.6.1

Bug or Regression

  • The HTTP-01 ACME solver now uses the kubernetes.io/ingress.class annotation instead of the spec.ingressClassName in created Ingress resources. (#4785, @jetstack-bot)

Other (Cleanup or Flake)

  • cert-manager now does one call to the ACME API instead of two when an Order fails. This fix is part of the effort towards mitigating the high load that cert-manager deployments have on the Let's Encrypt API (#4619, @irbekrm)
  • Bump base images to latest versions (#4707, @SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

cert-manager - v1.5.5

Published by jetstack-release-bot over 2 years ago

Changelog since v1.5.4

In 1.5.5, we have reverted a change that caused a regression in the ACME Issuer.
Before 1.5.4, the Ingress created by cert-manager while solving an HTTP-01 challenge contained the kubernetes.io/ingress.class annotation:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: istio # The `class` present on the Issuer.

In 1.5.4, the Ingress does not contain the annotation anymore. Instead, cert-manager uses the ingressClassName field:

apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
  ingressClassName: istio # 🔥 Breaking change!

This broke many users that either don't use an Ingress controller that supports the field (such as ingress-gce and Azure AGIC), as well as people who did not need to create an IngressClass previously (such as with Istio and Traefik).

The regression is present in cert-manager 1.5.4, 1.6.0, 1.6.1. It is only present on Kubernetes 1.19+ and only appears when using an Issuer or ClusterIssuer with an ACME HTTP-01 solver configured.

In 1.5.5, we have restored the original behavior which is to use the annotation. We will also backport this fix to 1.5.5 and 1.6.2, allowing people to upgrade safely.

Most people won't have any trouble upgrading from a version that contains the regression to 1.7.0, 1.6.2 or 1.5.5. If you are using Gloo, Contour, Skipper, or kube-ingress-aws-controller, you shouldn't have any issues. If you use the default "class" (e.g., istio for Istio) for Traefik, Istio, Ambassador, or ingress-nginx, then these should also continue to work without issue.

If you are using Traefik, Istio, Ambassador, or ingress-nginx and you are using a non-default value for the class (e.g., istio-internal), or if you experience any issues with your HTTP-01 challenges please read the notes on Ingress v1 compatibility.

Changes by Kind

Bug or Regression

  • Fixed a regression where cert-manager was creating Ingresses using the field ingressClassName instead of the annotation kubernetes.io/ingress.class. More details about this regression are available in the 1.7 release notes. (#4783, @maelvls)

Other (Cleanup or Flake)

  • cert-manager now does one call to the ACME API instead of two when an Order fails. This belongs to the effort towards mitigating the high load that cert-manager deployments have on the Let's Encrypt API (#4618, @irbekrm)
cert-manager - v1.7.0-beta.0

Published by jetstack-release-bot over 2 years ago

Breaking Changes (You MUST read this before you upgrade!)

⚠ Following their deprecation in version 1.5, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 have been removed. You must ensure that all cert-manager custom resources are stored in etcd at version v1 and that all cert-manager CustomResourceDefinitions have only v1 as the stored version.

Since release 1.7, cmctl can automatically migrate any deprecated API resources. Please download cmctl-v1.7.0-beta.0 and read Removing Deprecated API Resources for full instructions.

Major Themes

Removal of Deprecated APIs

In 1.7 the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 have been removed from the custom resource definitions (CRDs). You will notice that the YAML manifest files are much smaller as a result. These APIs have been deprecated since 1.5.

In this release, we have added a new sub-command to the cert-manager CLI (cmctl upgrade migrate-api-version), which you SHOULD run BEFORE upgrading cert-manager to 1.7. Please read Removing Deprecated API Resources for full instructions.

Server-Side Apply

This is the first version of cert-manager which relies on Server-Side Apply. We are using it to properly manage the annotations and labels on the TLS Secret. For this reason, cert-manager 1.7 requires at least Kubernetes 1.18.

Configuration Files

In this release, we introduce a new configuration file for the cert-manager-webhook. Instead of configuring the webhook using command-line flags, you can now modify the webhook Deployment to mount a ConfigMap containing a configuration file. Read the WebhookConfiguration Schema for more information.

In future releases, we will introduce configuration files for the other cert-manager components: controller-manager and cainjector.

Community

Thanks again to all open-source contributors with commits in this release, including:

And thanks as usual to coderanger for helping people out on the Slack #cert-manager channel; it's a huge help and much appreciated.

Changes by Kind

Feature

  • Add cmctl upgrade migrate to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#4711, @munnerz)
  • Add acme-http01-solver-nameservers flag to enable custom nameservers usage for ACME HTTP-01 challenge propagation checks. (#4287, @Adphi)
  • Add goimports verification step for CI (#4710, @SgtCoDFish)
  • Add support for loading webhook flags/options from a WebhookConfiguration file on disk (#4546, @munnerz)
  • Added a makefile-based build workflow which doesn't depend on bazel (#4554, @SgtCoDFish)
  • Added a new Helm chart parameter "prometheus.servicemonitor.honorLabels", which sets the "honor_labels" field of the Prometheus scrape config. (#4608, @thirdeyenick)
  • Added additionalOutputFormats parameter to allow DER (binary) and CombinedPEM (key + cert bundle) formats. (#4598, @seuf)
  • Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles a Certificate's SecretTemplate against the corresponding Secret, garbage collecting and correcting key/value changes. (#4638, @JoshVanL)
  • Fixed a bug that can cause cmctl version to erroneously display the wrong webhook pod versions when older failed pods are present. (#4616) (#4615, @johnwchadwick)

Bug or Regression

  • Fix unexpected exit when multiple DNS providers are passed to RunWebhookServer (#4702, @devholic)
  • Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @MattiasGees for raising the issue and help with debugging! (#4688, @irbekrm)
  • Improve checksum validation in makefile-based tool installation (#4680, @SgtCoDFish)
  • The HTTP-01 ACME solver now uses the kubernetes.io/ingress.class annotation instead of the spec.ingressClassName in created Ingress resources. (#4762, @jakexks)
  • The cmctl experimental install command now uses the cert-manager namespace. This fixes a bug which was introduced in release 1.6 that caused cert-manager to be installed in the default namespace. (#4763, @wallrj)

Other (Cleanup or Flake)

  • Added helm value .Values.serviceAnnotations (#4329, @jwenz723)
  • Adds clock_time_seconds_gauge metric which returns the current clock time, based on seconds since 1970/01/01 UTC (#4640, @JoshVanL)
  • Adds an automated script for cert-manager developers to update versions of kind used for dev + testing (#4574, @SgtCoDFish)
  • Bump kind image versions (#4593, @SgtCoDFish)
  • Clean up: Remove v1beta1 from the webhook's admissionReviewVersions as cert-manager no longer supports v1.16 (#4639, @JoshVanL)
  • Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#4703, @JoshVanL)
  • Ensures 1 hour backoff between errored calls for new ACME Orders. (#4616, @irbekrm)
  • Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#4697, @irbekrm)
  • No longer log an error when a Certificate is deleted during normal operation. (#4637, @JoshVanL)
  • Removed deprecated API versions from the cert-manager CRDs (#4635, @wallrj)
  • Update distroless base images for cert-manager (#4706, @SgtCoDFish)
  • Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)
cert-manager - v1.7.0-alpha.1

Published by jetstack-release-bot over 2 years ago

Breaking Changes (You MUST read this before you upgrade!)

⚠ Following their deprecation in version 1.5, the cert-manager APIVersions v1alpha2, v1alpha3, and v1beta1 have been removed.
You must ensure that all cert-manager custom resources are stored in etcd at version v1
and that all cert-manager CustomResourceDefinitions have only v1 as the stored version.

Since v1.7.0-alpha.1 cmctl can automatically migrate any deprecated API resources.
Please download cmctl-v1.7.0-alpha.1 (from the Assets section below) and read Removing Deprecated API Resources
for full instructions.

Changelog since v1.7.0-alpha.0

Changes by Kind

Feature

  • Add cmctl upgrade migrate-api-version to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#4711, @munnerz)
  • Add acme-http01-solver-nameservers flag to enable custom nameservers usage for ACME HTTP-01 challenge propagation checks. (#4287, @Adphi)
  • Add goimports verification step for CI (#4710, @SgtCoDFish)
  • Added additionalOutputFormats parameter to allow DER (binary) and CombinedPEM (key + cert bundle) formats. (#4598, @seuf)
  • Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles a Certificate's SecretTemplate against the corresponding Secret, garbage collecting and correcting key/value changes. (#4638, @JoshVanL)

Bug or Regression

  • Fix unexpected exit when multiple DNS providers are passed to RunWebhookServer (#4702, @devholic)
  • Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @MattiasGees for raising the issue and help with debugging! (#4688, @irbekrm)
  • Improve checksum validation in makefile-based tool installation (#4680, @SgtCoDFish)

Other (Cleanup or Flake)

  • Added helm value .Values.serviceAnnotations (#4329, @jwenz723)
  • Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#4703, @JoshVanL)
  • Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#4697, @irbekrm)
  • Update distroless base images for cert-manager (#4706, @SgtCoDFish)
  • Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)
cert-manager - v1.7.0-alpha.0

Published by jetstack-release-bot almost 3 years ago

Changes by Kind

Following their deprecation in version 1.5, the cert-manager APIVersions v1alpha2, v1alpha3, and v1beta1 have been removed.
You must ensure that all cert-manager custom resources are stored in etcd at version v1 and all cert-manager CustomResourceDefinitions have only v1 as the stored version. Please see documentation for how to do this.

Feature

  • Add support for loading webhook flags/options from a WebhookConfiguration file on disk (#4546, @munnerz)
  • Added a makefile-based build workflow which doesn't depend on bazel (#4554, @SgtCoDFish)
  • Added a new Helm chart parameter "prometheus.servicemonitor.honorLabels", which sets the "honor_labels" field of the Prometheus scrape config. (#4608, @thirdeyenick)
  • Fixed a bug that can cause cmctl version to erroneously display the wrong webhook pod versions when older failed pods are present. (#4616) (#4615, @johnwchadwick)

Other (Cleanup or Flake)

  • Adds clock_time_seconds_gauge metric which returns the current clock time, based on seconds since 1970/01/01 UTC (#4640, @JoshVanL)
  • Adds an automated script for cert-manager developers to update versions of kind used for dev + testing (#4574, @SgtCoDFish)
  • Bump kind image versions (#4593, @SgtCoDFish)
  • Clean up: Remove v1beta1 from the webhook's admissionReviewVersions as cert-manager no longer supports v1.16 (#4639, @JoshVanL)
  • Ensures 1 hour backoff between errored calls for new ACME Orders. (#4616, @irbekrm)
  • No longer log an error when a Certificate is deleted during normal operation. (#4637, @JoshVanL)
  • Removed deprecated API versions from the cert-manager CRDs (#4635, @wallrj)
  • Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)
cert-manager - v1.6.1

Published by jetstack-release-bot almost 3 years ago

Changelog since v1.6.0

Changes by Kind

Bug or Regression

  • Fixes an issue in cmctl that prevented displaying the Order resource with cert-manager 1.6 when running cmctl status certificate. (#4572, @maelvls)
  • Update to latest version of keystore-go to address a backwards incompatible change introduced in v1.6.0 (#4564, @SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.

cert-manager - v1.6.0

Published by jetstack-release-bot almost 3 years ago

Changelog since v1.5.0

Breaking Changes (You MUST read this before you upgrade!)

⚠️ Following their deprecation in version 1.4, the cert-manager APIVersions v1alpha2, v1alpha3, and v1beta1 are no longer served.

This means if your deployment manifests contain any of these API versions, you will not be able to deploy them after upgrading. Our new cmctl utility or old kubectl cert-manager plugin can convert old manifests to v1 for you.

⚠️ JKS Keystores now have a minimum password length of 6 characters, as an unintended side effect of upgrading keystore-go from v2 to v4. This was fixed in cert-manager v1.6.1.

Changes by Kind

Feature

  • Add Certificate RenewBefore prometheus metrics (#4419, @artificial-aidan)
  • Add option to specify managed identity id when using azure-dns dns-01 solver (#4332, @tomasfreund)
  • Add support for building & developing on M1 macs (#4485, @munnerz)
  • Adds release targets for both cmctl as well as kubectl-cert_manager (#4523, @JoshVanL)
  • Allow setting Helm chart service annotations (#3639, @treydock)
  • CLI: Adds cmctl completion command for generating shell completion scripts for bash, zsh, fish, and powershell (#4408, @JoshVanL)
  • CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) (#4409, @JoshVanL)
  • CLI: Only expose Kubernetes related flags on commands that use them (#4407, @JoshVanL)
  • Enable configuring CLI command name and registering completion subcommand at build time. (#4522, @JoshVanL)

Bug or Regression

  • FIX: Prevent Vault Client from panicking when request to Vault health endpoint fails. (#4456, @JoshVanL)
  • Fix CRDs which were accidentally changed in cert-manager v1.5.0 (#4353, @SgtCoDFish)
  • Fix regression in Ingress PathType introduced in v1.5.0 (#4373, @jakexks)
  • Fixed the HTTP-01 solver creating ClusterIP instead of NodePort services by default. (#4393, @jakexks)
  • Fixes renewal time issue for certs with skewed duration period. (#4399, @irbekrm)
  • Pod Security Policy for startup api check job (#4364, @ndegory)
  • The startupapicheck post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. (#4433, @wallrj)
  • The defaults for leader election parameters are now consistent across cert-manager and cainjector. (#4359, @johanfleury)
  • Use GetAuthorization instead of GetChallenge when querying the current state of an ACME challenge. (#4430, @JoshVanL)

Other (Cleanup or Flake)

  • Adds middleware logging back to ACME client for debugging (#4429, @JoshVanL)
  • Deprecation: The API versions: v1alpha2, v1alpha3, and v1beta1, are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. (#4482, @wallrj)
  • Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). (#4465, @andrewmwhite)
  • Fix manually specified PKCS#10 CSR and X.509 Certificate version numbers (although these were ignored in practice) (#4392, @SgtCoDFish)
  • Improves logging for 'owner not found' errors for CertificateRequests owning Orders. (#4369, @irbekrm)
  • Refactor: move from io/ioutil to io and os package (#4402, @Juneezee)
  • Removes status fields from CRD configs (#4379, @irbekrm)
  • Update cert-manager base image versions (#4474, @SgtCoDFish)
  • Uses Go 1.17 (#4478, @irbekrm)
cert-manager - v1.6.0-beta.0

Published by jetstack-release-bot about 3 years ago

Changelog since v1.6.0-alpha.2

Changes by Kind

Feature

  • Adds release targets for both cmctl as well as kubectl-cert_manager (#4523, @JoshVanL)
  • CLI: Adds cmctl completion command for generating shell completion scripts for bash, zsh, fish, and powershell (#4408, @JoshVanL)
  • CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) (#4409, @JoshVanL)
  • Enable configuring CLI command name and registering completion subcommand at build time. (#4522, @JoshVanL)
cert-manager - v1.6.0-alpha.2

Published by jetstack-release-bot about 3 years ago

Changelog since v1.6.0-alpha.1

Changes by Kind

Feature

  • Add support for building & developing on M1 macs (#4485, @munnerz)
  • CLI: Adds cmctl completion command for generating shell completion scripts for bash, zsh, fish, and powershell (#4408, @JoshVanL)
cert-manager - v1.6.0-alpha.1

Published by jetstack-release-bot about 3 years ago

Changelog since v1.6.0-alpha.0

Changes by Kind

Feature

Bug or Regression

  • FIX: Prevent Vault Client from panicking when request to Vault health endpoint fails. (#4456, @JoshVanL)
  • Use GetAuthorization instead of GetChallenge when querying the current state of an ACME challenge. (#4430, @JoshVanL)

Other (Cleanup or Flake)

  • Deprecation: the v1alpha2, v1alpha3 and v1beta1 API versions are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. (#4482, @wallrj)
  • Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). (#4465, @andrewmwhite)
  • Update cert-manager base image versions (#4474, @SgtCoDFish)
  • Uses Go 1.17 (#4478, @irbekrm)
cert-manager - v1.5.4

Published by jetstack-release-bot about 3 years ago

Changelog since v1.5.3

Changes by Kind

Bug or Regression

  • FIX: Prevent Vault Client from panicking when request to Vault health endpoint fails. (#4476, @JoshVanL)
  • Pod Security Policy for startup api check job (#4432, @ndegory)
  • The startupapicheck post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. (#4435, @wallrj)

Other (Cleanup or Flake)

cert-manager - v1.6.0-alpha.0

Published by jetstack-release-bot about 3 years ago

Changelog since v1.5.3

Changes by Kind

Feature

  • Add option to specify managed identity id when using azure-dns dns-01 solver (#4332, @tomasfreund)
  • CLI: Only expose Kubernetes related flags on commands that use them (#4407, @JoshVanL)

Bug or Regression

  • Pod Security Policy for startup api check job (#4364, @ndegory)
  • The startupapicheck post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. (#4433, @wallrj)
  • Use GetAuthorization instead of GetChallenge when querying the current state of an ACME challenge. (#4430, @JoshVanL)

Other (Cleanup or Flake)

  • Adds middleware logging back to ACME client for debugging (#4429, @JoshVanL)

Dependencies

Added

  • github.com/benbjohnson/clock: v1.1.0
  • github.com/certifi/gocertifi: 2c3bb06
  • github.com/client9/misspell: v0.3.4
  • github.com/cncf/xds/go: fbca930
  • github.com/cockroachdb/errors: v1.2.4
  • github.com/cockroachdb/logtags: eb05cc2
  • github.com/felixge/httpsnoop: v1.0.1
  • github.com/getsentry/raven-go: v0.2.0
  • github.com/gogo/googleapis: v1.1.0
  • github.com/josharian/intern: v1.0.0
  • github.com/lyft/protoc-gen-validate: v0.0.13
  • github.com/stoewer/go-strcase: v1.2.0
  • go.etcd.io/etcd/client/v3: v3.5.0
  • go.etcd.io/etcd/pkg/v3: v3.5.0
  • go.etcd.io/etcd/raft/v3: v3.5.0
  • go.etcd.io/etcd/server/v3: v3.5.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.20.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.20.0
  • go.opentelemetry.io/contrib: v0.20.0
  • go.opentelemetry.io/otel/exporters/otlp: v0.20.0
  • go.opentelemetry.io/otel/metric: v0.20.0
  • go.opentelemetry.io/otel/oteltest: v0.20.0
  • go.opentelemetry.io/otel/sdk/export/metric: v0.20.0
  • go.opentelemetry.io/otel/sdk/metric: v0.20.0
  • go.opentelemetry.io/otel/sdk: v0.20.0
  • go.opentelemetry.io/otel/trace: v0.20.0
  • go.opentelemetry.io/otel: v0.20.0
  • go.opentelemetry.io/proto/otlp: v0.7.0
  • google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0
  • k8s.io/code-generator: v0.22.0
  • k8s.io/gengo: b6c5ce2

Changed

  • cloud.google.com/go: v0.81.0 → v0.90.0
  • github.com/Azure/azure-sdk-for-go: v56.0.0+incompatible → v56.2.0+incompatible
  • github.com/Azure/go-ansiterm: d6e3b33 → d185dfc
  • github.com/aws/aws-sdk-go: v1.40.14 → v1.40.21
  • github.com/cncf/udpa/go: 269d4d4 → 5459f2c
  • github.com/cockroachdb/datadriven: 80d97fb → bf6692d
  • github.com/digitalocean/godo: v1.64.2 → v1.65.0
  • github.com/envoyproxy/go-control-plane: v0.9.4 → 63b5d3c
  • github.com/form3tech-oss/jwt-go: v3.2.2+incompatible → v3.2.3+incompatible
  • github.com/go-openapi/jsonpointer: v0.19.3 → v0.19.5
  • github.com/go-openapi/jsonreference: v0.19.3 → v0.19.5
  • github.com/go-openapi/swag: v0.19.5 → v0.19.14
  • github.com/gobuffalo/flect: v0.2.2 → v0.2.3
  • github.com/golang/groupcache: 8c9f03a → 41bb18b
  • github.com/golang/mock: v1.5.0 → v1.6.0
  • github.com/golang/snappy: v0.0.1 → v0.0.3
  • github.com/google/btree: v1.0.0 → v1.0.1
  • github.com/google/martian/v3: v3.1.0 → v3.2.1
  • github.com/google/pprof: cbba55b → 4bb14d4
  • github.com/googleapis/gnostic: v0.4.1 → v0.5.5
  • github.com/grpc-ecosystem/go-grpc-middleware: f849b54 → v1.3.0
  • github.com/jonboulle/clockwork: v0.1.0 → v0.2.2
  • github.com/mailru/easyjson: v0.7.0 → v0.7.6
  • github.com/moby/term: df9cb8a → 9d4ed18
  • github.com/onsi/gomega: v1.14.0 → v1.15.0
  • github.com/soheilhy/cmux: v0.1.4 → v0.1.5
  • github.com/tmc/grpc-websocket-proxy: 0ad062e → e5319fd
  • go.etcd.io/bbolt: v1.3.5 → v1.3.6
  • go.uber.org/zap: v1.17.0 → v1.18.1
  • golang.org/x/oauth2: a41e5a7 → faf39c7
  • golang.org/x/sys: ebe580a → e5e7981
  • golang.org/x/text: v0.3.5 → v0.3.6
  • golang.org/x/time: 38a9dc6 → 1f47c86
  • golang.org/x/tools: v0.1.2 → v0.1.5
  • google.golang.org/api: v0.44.0 → v0.53.0
  • google.golang.org/genproto: f16073e → 89edb61
  • google.golang.org/grpc: v1.29.1 → v1.39.1
  • google.golang.org/protobuf: v1.26.0 → v1.27.1
  • k8s.io/api: v0.21.3 → v0.22.0
  • k8s.io/apiextensions-apiserver: v0.21.3 → v0.22.0
  • k8s.io/apimachinery: v0.21.3 → v0.22.0
  • k8s.io/apiserver: v0.21.3 → v0.22.0
  • k8s.io/cli-runtime: v0.21.3 → v0.22.0
  • k8s.io/client-go: v0.21.3 → v0.22.0
  • k8s.io/component-base: v0.21.3 → v0.22.0
  • k8s.io/component-helpers: v0.21.3 → v0.22.0
  • k8s.io/klog/v2: v2.8.0 → v2.9.0
  • k8s.io/kube-aggregator: v0.21.3 → v0.22.0
  • k8s.io/kube-openapi: 591a79e → 3c81807
  • k8s.io/kubectl: v0.21.3 → v0.22.0
  • k8s.io/metrics: v0.21.3 → v0.22.0
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.19 → v0.0.22
  • sigs.k8s.io/controller-runtime: v0.9.2 → v0.9.6
  • sigs.k8s.io/controller-tools: v0.6.0 → v0.6.2
  • sigs.k8s.io/kustomize/api: v0.8.8 → v0.8.11
  • sigs.k8s.io/kustomize/cmd/config: v0.9.10 → v0.9.13
  • sigs.k8s.io/kustomize/kustomize/v4: v4.1.2 → v4.2.0
  • sigs.k8s.io/kustomize/kyaml: v0.10.17 → v0.11.0

Removed

cert-manager - v1.5.3

Published by jetstack-release-bot about 3 years ago

Changelog since v1.5.2

Bug or Regression

  • Fixes renewal time issue for certs with skewed duration period. (#4403, @irbekrm). Thanks to @mfmbarros for help with debugging the issue!
cert-manager - v1.4.4

Published by jetstack-release-bot about 3 years ago

Changelog since v1.4.3

Bug or Regression

  • Fixes renewal time issue for certs with skewed duration period. (#4403, @irbekrm). Thanks to @mfmbarros for help with debugging the issue!
cert-manager - v1.5.2

Published by jetstack-release-bot about 3 years ago

Changelog since v1.5.1

Changes by Kind

Bug or Regression

  • Fix regression in Ingress PathType introduced in v1.5.0 (#4385, @jakexks)
  • Fixed the HTTP-01 solver creating ClusterIP instead of NodePort services by default. (#4394, @jakexks)
  • Removes status fields from CRD configs (#4387, @irbekrm)
cert-manager - v1.5.1

Published by jetstack-release-bot about 3 years ago

Release notes for release-1.5

The CRDs for the cert-manager v1beta1 API were mistakenly changed in cert-manager v1.5.0. If you
installed the CRDs for v1.5.0, you should upgrade your CRDs to v1.5.1.

The only affected API version is v1beta1, so if you're using the latest version, v1, you won't
be affected by the CRD changes. It's worth upgrading to v1 in any case, since v1alpha2, v1alpha3 and
v1beta1 are all deprecated and will be removed in a future release.

Changelog since v1.5.0

Changes by Kind

Bug or Regression

  • Fix v1beta1 CRDs which were accidentally changed in cert-manager v1.5.0 (#4355, @jetstack-bot)
cert-manager - v1.5.0

Published by jetstack-release-bot about 3 years ago

Release notes for release-1.5

cert-manager 1.5 is the first release to support Kubernetes 1.22.

Note: cert-manager API versions v1alpha2, v1alpha3 and v1beta1 that were deprecated in 1.4 will no longer be served in 1.6. If your cert-manager deployment was created before 1.0 and/or any cert-manager resources were created using any of the deprecated APIs, please ensure the resources and CRDs are updated before upgrading to 1.6; see the docs.

Changelog since 1.4

Changes by Kind

Feature

  • Add a name to Prometheus scraping service port (#4072, @francescsanjuanmrf)
  • Add support for adding custom annotations and labels to the Secret containing the TLS key pair. (#3828, @jonathansp)
  • Add the deployed cert-manager version to 'kubectl cert-manager version' command (#4226, @inteon)
  • Added a new optional controller: gateway-shim. cert-manager now supports automatic
    creation of ACME certificates for the sig-network Gateway API Gateway, when annotated
    similarly to existing support for Ingresses. (#4158, @maelvls)
  • Added a startup api check Job that waits for the cert-manager api to become ready (#4234, @inteon)
  • Added the kubectl 'cert-manager check api' command (#4205, @inteon)
  • Adds CLI command: ctl experimental create certificatesigningrequest for creating a Kubernetes CertificateSigningRequest based upon a cert-manager Certificate manifest file (#4106, @JoshVanL)
  • Adds clock_time_seconds metric for calculating expiration time in monitoring systems without a built in function. (#4105, @kit837)
  • Adds support for Ed25519 private keys and signatures for Certificates (#4079, @annerajb)
  • cert-manager is now able to sign CertificateSigningRequests using the ACME issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4112, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the SelfSigned issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4100, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the Vault issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4103, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the Venafi issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4108, @JoshVanL)
  • cert-manager now supports the sig-network Gateway API to solve HTTP01 challenges. (#4276, @jakexks)
  • cert-manager now uses the networking.k8s.io/v1 Ingress type if available. (#4225, @jakexks)
  • Fire event when a CertificateSigningRequest has not yet been approved, so will skip processing until it is. (#4229, @JoshVanL)
  • Reduce binary sizes by adding "-s -w" as ldflags (#4169, @inteon)
  • kubectl cert-manager x install command is added (#4138, @inteon)
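
The CertificateSigningRequest entries above require a spec.signerName that names a cert-manager Issuer or ClusterIssuer, and the Ed25519 entry means such a request can be made with an Ed25519 key. The Go program below is an added example, not cert-manager's or cmctl's own code: it generates an Ed25519 key and PKCS#10 request with the standard library, verifies the request's proof of possession the way any signer must before issuing, shows that a tampered request is rejected, and builds the signerName string. The function names, the hostname and the issuer names are assumptions for illustration; the two signerName formats follow cert-manager's documentation for the experimental CSR controllers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignerName returns the spec.signerName that routes a Kubernetes
// CertificateSigningRequest to a cert-manager Issuer or ClusterIssuer
// (formats as documented by cert-manager; example code, not its implementation).
func SignerName(kind, namespace, name string) (string, error) {
	switch kind {
	case "Issuer":
		if namespace == "" || name == "" {
			return "", errors.New("Issuer signerName needs a namespace and a name")
		}
		return "issuers.cert-manager.io/" + namespace + "." + name, nil
	case "ClusterIssuer":
		if name == "" {
			return "", errors.New("ClusterIssuer signerName needs a name")
		}
		return "clusterissuers.cert-manager.io/" + name, nil
	}
	return "", fmt.Errorf("unsupported issuer kind %q", kind)
}

// NewEd25519CSR generates a fresh Ed25519 key and a PKCS#10 request for it.
// The PEM is what goes (base64-encoded) into the CSR object's spec.request.
func NewEd25519CSR(commonName string, dnsNames []string) ([]byte, ed25519.PrivateKey, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
		// Go selects PureEd25519 as the signature algorithm for this key type.
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// ParseAndCheckCSR decodes a PEM request and verifies its self-signature,
// i.e. proof of possession of the private key. A signer that skips this step
// can be tricked into certifying a public key the requester does not hold.
func ParseAndCheckCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block in input")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if csr.Subject.CommonName == "" && len(csr.DNSNames) == 0 {
		return nil, errors.New("request names nothing to certify")
	}
	return csr, nil
}

// CorruptSignature flips one bit in the last byte of the DER request (the tail
// of the Ed25519 signature) and re-encodes it, to demonstrate the check failing.
func CorruptSignature(csrPEM []byte) []byte {
	block, _ := pem.Decode(csrPEM)
	der := append([]byte(nil), block.Bytes...)
	der[len(der)-1] ^= 0x01
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	// Hostname and issuer name are made-up sample values.
	csrPEM, _, err := NewEd25519CSR("svc.example.internal", []string{"svc.example.internal"})
	if err != nil {
		panic(err)
	}
	csr, err := ParseAndCheckCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	signer, _ := SignerName("ClusterIssuer", "", "internal-ca")
	fmt.Printf("CSR for %s (%s), signerName: %s\n", csr.Subject.CommonName, csr.PublicKeyAlgorithm, signer)
	_, err = ParseAndCheckCSR(CorruptSignature(csrPEM))
	fmt.Println("tampered request rejected:", err != nil)
}
```

Submitting the request still needs the feature gate named in the entries above on the controller, and the CertificateSigningRequest must be approved (for example with kubectl certificate approve) before cert-manager will sign it, as the "not yet approved" event entry notes.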

Bug or Regression

  • Adds an explicit 10 second timeout when checking HTTP01 challenges for reachability (#4318, @SgtCoDFish)
  • Cloudflare: Refactored DNS01 challenge to use API for finding the nearest Zone (fixing potential DNS issues) (#4147, @thiscantbeserious)
  • Fix a bug where failed Certificate Requests were not retried (#4130, @irbekrm)
  • Fix check for self-signed certificates in EncodeX509Chain which broke certs whose subject DN matched their issuer's subject DN (#4237, @SgtCoDFish)
  • Fix handling of chains which don't have a root in ParseSingleCertificateChain, and improve handling in situations where that function is passed a single certificate. (#4261, @SgtCoDFish)
  • Fixed a bug in the "gateway shim" controller that was causing the cert-manager controller to crash
    with a nil pointer exception when using the annotation "cert-manager.io/issuer" on a Gateway that
    had an empty tls block or with certificateRef left empty. (#4293, @maelvls)
  • Fixed a goroutine leak that was causing the controller's memory usage to grow with time (#4233, @maelvls)
  • Fixed a race condition introduced in v0.15.0 that would crash cert-manager for clusters
    with a large number of certificates. (#4231, @maelvls)
  • Set correct exit codes on ctrl+c event & process defer calls on error (#4230, @inteon)
  • Set correct labels on resources in static manifest yaml files (#4190, @inteon)
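
The 10 second reachability timeout above matters because a probe without a deadline blocks the challenge worker for as long as a misbehaving endpoint keeps the connection open. As an added example, not cert-manager's own solver code, the Go program below performs an HTTP-01 self-check with a bounded deadline and requires the response body to equal the expected key authorization, which is what the ACME server will check. It includes a constructed stand-in for the solver pod so it runs offline; the function names, the timeout parameter and the token and key-authorization values (taken from the RFC 8555 examples) are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// SelfCheckTimeout bounds one reachability probe. Without a deadline an
// endpoint that accepts the TCP connection and never answers (a half-configured
// load balancer, a black-holed route) stalls the challenge worker indefinitely.
const SelfCheckTimeout = 10 * time.Second

// SelfCheckHTTP01 fetches <baseURL>/.well-known/acme-challenge/<token> and
// requires the body to be exactly the expected key authorization. baseURL is
// "http://" + domain in real use; the parameter lets the example hit a local server.
func SelfCheckHTTP01(ctx context.Context, baseURL, token, keyAuth string, timeout time.Duration) error {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	url := strings.TrimRight(baseURL, "/") + "/.well-known/acme-challenge/" + token
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	// The context deadline covers dialing and headers; Client.Timeout also
	// bounds reading the body even if a caller passes a long-lived context.
	client := &http.Client{Timeout: timeout}
	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("self check %s: %w", url, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("self check %s: unexpected status %d", url, resp.StatusCode)
	}
	// A key authorization is well under 200 bytes; never slurp an unbounded body.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return fmt.Errorf("self check %s: reading body: %w", url, err)
	}
	if strings.TrimSpace(string(body)) != keyAuth {
		return fmt.Errorf("self check %s: body %q does not match key authorization", url, body)
	}
	return nil
}

// NewFakeSolver is a constructed stand-in for the solver pod: it serves keyAuth
// for token. delay > 0 simulates an endpoint that accepts the request and hangs.
func NewFakeSolver(token, keyAuth string, delay time.Duration) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/acme-challenge/"+token, func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(delay):
			fmt.Fprint(w, keyAuth)
		case <-r.Context().Done(): // client gave up; stop pretending
		}
	})
	return httptest.NewServer(mux)
}

func main() {
	// Sample token and key authorization from RFC 8555; not from a real account.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	keyAuth := token + ".nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzUwvdj0d0c"

	good := NewFakeSolver(token, keyAuth, 0)
	defer good.Close()
	fmt.Println("healthy solver:", SelfCheckHTTP01(context.Background(), good.URL, token, keyAuth, SelfCheckTimeout))

	hung := NewFakeSolver(token, keyAuth, time.Minute)
	defer hung.Close()
	fmt.Println("hung solver:", SelfCheckHTTP01(context.Background(), hung.URL, token, keyAuth, 300*time.Millisecond))
}
```

The second probe returns a deadline error after 300 ms instead of waiting the full minute the stand-in would take; with no timeout at all it would sit there for as long as the fake kept the connection open.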
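
The EncodeX509Chain and ParseSingleCertificateChain fixes above share one lesson: "subject DN equals issuer DN" is not a test for self-signedness, and a bundle need not contain a root. The Go program below is an added example, not cert-manager's implementation: it classifies a certificate as self-signed by verifying the signature with the certificate's own key, orders an unordered bundle leaf-first by following verified signatures, and reports whether a root was present, accepting rootless bundles and single certificates. The constructed fixture issues a leaf whose subject DN is identical to its issuing CA's, the case the DN comparison gets wrong. Function and certificate names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SubjectEqualsIssuer is the naive self-signed test. It misfires on any
// certificate whose subject DN happens to equal its issuer's subject DN.
func SubjectEqualsIssuer(c *x509.Certificate) bool {
	return bytes.Equal(c.RawSubject, c.RawIssuer)
}

// IsSelfSigned verifies the signature with the certificate's own public key.
// CheckSignature rather than CheckSignatureFrom, so that a self-signed
// end-entity certificate without the CA basic constraint is still recognised.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// signedBy reports whether child's signature verifies under parent's key.
func signedBy(child, parent *x509.Certificate) bool {
	return child != parent &&
		bytes.Equal(child.RawIssuer, parent.RawSubject) &&
		parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) == nil
}

// OrderChain returns the bundle leaf-first plus the self-signed root if the
// bundle contains one. A rootless bundle (leaf + intermediates) or a single
// certificate is valid input; root is then nil unless that single certificate
// is itself self-signed.
func OrderChain(bundle ...*x509.Certificate) (chain []*x509.Certificate, root *x509.Certificate, err error) {
	if len(bundle) == 0 {
		return nil, nil, errors.New("empty bundle")
	}
	parent := make([]int, len(bundle)) // index of each cert's issuer, -1 if absent
	isIssuer := make([]bool, len(bundle))
	for i, c := range bundle {
		parent[i] = -1
		for j, p := range bundle {
			if signedBy(c, p) {
				parent[i], isIssuer[j] = j, true
				break
			}
		}
	}
	leaf := -1 // the one certificate that issued nothing else in the bundle
	for i := range bundle {
		if !isIssuer[i] {
			if leaf != -1 {
				return nil, nil, errors.New("bundle is not a single chain")
			}
			leaf = i
		}
	}
	if leaf == -1 {
		return nil, nil, errors.New("bundle has no leaf")
	}
	seen := make([]bool, len(bundle))
	for cur := leaf; cur != -1 && !seen[cur]; cur = parent[cur] {
		seen[cur] = true
		chain = append(chain, bundle[cur])
	}
	if len(chain) != len(bundle) {
		return nil, nil, errors.New("bundle contains certificates outside the chain")
	}
	if top := chain[len(chain)-1]; IsSelfSigned(top) {
		root = top
	}
	return chain, root, nil
}

var serial int64

// issue creates a P-256 test certificate (constructed data); parent == nil
// means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fixture builds root -> intermediate -> leaf, with the leaf's subject DN
// deliberately identical to the intermediate's.
func Fixture() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Example Root", true, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	leaf, _ := issue("Example Issuing CA", false, inter, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := Fixture()
	fmt.Printf("leaf: subject==issuer %v, actually self-signed %v\n", SubjectEqualsIssuer(leaf), IsSelfSigned(leaf))
	chain, r, err := OrderChain(inter, leaf, root) // deliberately scrambled input
	if err != nil {
		panic(err)
	}
	for _, c := range chain {
		fmt.Println("  ", c.Subject.CommonName)
	}
	fmt.Println("root present:", r != nil)
}
```

Ordering by verified signature rather than by DN also catches bundles that contain a stray certificate which chains to nothing; the example rejects those instead of silently emitting a chain that a TLS client would fail to build.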

Other (Cleanup or Flake)

  • Adds conformance E2E suite for CertificateSigningRequests (#4101, @JoshVanL)
  • Allows configuring labels on the cert-manager webhook service via a Helm value. (#4260, @mozz-lx)
  • Allows configuring which annotations get copied from Certificate to CertificateRequest. Annotations with keys prefixed with kubectl.kubernetes.io/, fluxcd.io, argocd.argoproj.io are now excluded by default. (#4251, @irbekrm)
  • Minor cleanup of make targets, to prepare for more use of make in cert-manager (#4109, @SgtCoDFish)
  • Pre-v1 cert-manager resource requests now must be converted to v1 in order to be validated/mutated by admission webhooks. (Default cert-manager validating and mutating webhook configurations ensure the resource requests are being converted) (#4172, @irbekrm)
  • Reduce binary sizes by adding "-w" as ldflag (#4181, @inteon)
  • Regression: CertificateSigningRequests will no longer have an experimental.cert-manager.io/ca annotation set. (#4143, @JoshVanL)
  • Remove v1beta1 as an accepted AdmissionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4254, @JoshVanL)
  • Remove v1beta1 as an accepted ConversionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4253, @JoshVanL)
  • The controllers now exit more cleanly (e.g. the Leader Election Lease is freed properly on shutdown) (#4243, @inteon)