cert-manager

Automatically provision and manage TLS certificates in Kubernetes

APACHE-2.0 License

Stars
11.4K
Committers
456

cert-manager - v1.5.0-beta.1

Published by jetstack-release-bot about 3 years ago

Changelog since v1.5.0-beta.0

Changes by Kind

Bug or Regression

  • Adds an explicit 10 second timeout when checking HTTP01 challenges for reachability (#4318, @SgtCoDFish)

cert-manager - v1.4.3

Published by jetstack-release-bot about 3 years ago

Release notes for v1.4.3

Changelog since v1.4.2

Changes by Kind

Bug or Regression

  • Adds an explicit 10 second timeout when checking HTTP01 challenges for reachability (#4319, @SgtCoDFish)

Other (Cleanup or Flake)

  • Clarify the exact supported Kubernetes version range for cert-manager 1.4 (#4315, @SgtCoDFish)

cert-manager - v1.3.3

Published by jetstack-release-bot about 3 years ago

Release notes for v1.3.3

Changelog since v1.3.2

Changes by Kind

Bug or Regression

  • Adds an explicit 10 second timeout when checking HTTP01 challenges for reachability (#4317, @SgtCoDFish)

Other (Cleanup or Flake)

  • Clarify the exact supported Kubernetes version range for cert-manager 1.3 (#4314, @SgtCoDFish)

cert-manager - v1.5.0-beta.0

Published by jetstack-release-bot about 3 years ago

Release notes for release-1.5

This release adds support for the upcoming Kubernetes 1.22 release. You must upgrade to this beta version if you are trying out Kubernetes 1.22.

Changelog since v1.4.0

Changes by Kind

Feature

  • Add a name to Prometheus scraping service port (#4072, @francescsanjuanmrf)
  • Add support for adding custom annotations and labels to the Secret containing the TLS key pair. (#3828, @jonathansp)
  • Add the deployed cert-manager version to 'kubectl cert-manager version' command (#4226, @inteon)
  • Added a new optional controller: gateway-shim. cert-manager now supports automatic
    creation of certificates for the sig-network Gateway API Gateway, when annotated
    similarly to existing support for Ingresses. (#4158, @maelvls)
  • Added a startup api check Job that waits for the cert-manager api to become ready (#4234, @inteon)
  • Added the kubectl 'cert-manager check api' command (#4205, @inteon)
  • Adds CLI command: ctl experimental create certificatesigningrequest for creating a Kubernetes CertificateSigningRequest based upon a cert-manager Certificate manifest file (#4106, @JoshVanL)
  • Adds clock_time_seconds metric for calculating expiration time in monitoring systems without a built-in function. (#4105, @kit837)
  • Adds support for Ed25519 private keys and signatures for Certificates (#4079, @annerajb)
  • cert-manager is now able to sign CertificateSigningRequests using the ACME issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4112, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the SelfSigned issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4100, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the Vault issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4103, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the Venafi issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4108, @JoshVanL)
  • cert-manager now supports the sig-network Gateway API to solve HTTP01 challenges. (#4276, @jakexks)
  • cert-manager now uses the networking.k8s.io/v1 Ingress type if available. (#4225, @jakexks)
  • Fire an event when a CertificateSigningRequest has not yet been approved; processing is skipped until it is. (#4229, @JoshVanL)
  • kubectl cert-manager x install command is added (#4138, @inteon)

Bug or Regression

  • Cloudflare: Refactored DNS01 challenge to use the API for finding the nearest Zone (fixing potential DNS issues) (#4147, @thiscantbeserious)
  • Fix a bug where failed Certificate Requests were not retried (#4130, @irbekrm)
  • Fix check for self-signed certificates in EncodeX509Chain which broke certs whose subject DN matched their issuer's subject DN (#4237, @SgtCoDFish)
  • Fix handling of chains which don't have a root in ParseSingleCertificateChain, and improve handling in situations where that function is passed a single certificate. (#4261, @SgtCoDFish)
  • Fixed a bug in the "gateway shim" controller that was causing the cert-manager controller to crash
    with a nil pointer exception when using the annotation "cert-manager.io/issuer" on a Gateway that
    had an empty tls block or with certificateRef left empty. (#4293, @maelvls)
  • Fixed a goroutine leak that was causing the controller's memory usage to grow with time (#4233, @maelvls)
  • Fixed a race condition introduced in v0.15.0 that would crash cert-manager for clusters
    with a large number of certificates. (#4231, @maelvls)
  • Set correct exit codes on a Ctrl+C event and process deferred calls on error (#4230, @inteon)
  • Set correct labels on resources in static manifest yaml files (#4190, @inteon)

Other (Cleanup or Flake)

  • Adds conformance E2E suite for CertificateSigningRequests (#4101, @JoshVanL)
  • Allows to configure labels on cert-manager webhook service via a Helm value. (#4260, @mozz-lx)
  • Allows to configure which annotations get copied from Certificate to CertificateRequest. Annotations with keys prefixed with kubectl.kubernetes.io/, fluxcd.io, argocd.argoproj.io are now excluded by default. (#4251, @irbekrm)
  • Minor cleanup of make targets, to prepare for more use of make in cert-manager (#4109, @SgtCoDFish)
  • Pre-v1 cert-manager resource requests now must be converted to v1 in order to be validated/mutated by admission webhooks. (Default cert-manager validating and mutating webhook configurations ensure the resource requests are being converted) (#4172, @irbekrm)
  • Reduce binary sizes by adding "-w" as ldflag (#4181, @inteon)
  • Regression: CertificateSigningRequests will no longer have an experimental.cert-manager.io/ca annotation set. (#4143, @JoshVanL)
  • Remove v1beta1 as an accepted AdmissionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4254, @JoshVanL)
  • Remove v1beta1 as an accepted ConversionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4253, @JoshVanL)
  • The controllers now exit more cleanly (e.g. the Leader Election Lease is freed properly on shutdown) (#4243, @inteon)

cert-manager - v1.4.2

Published by jetstack-release-bot about 3 years ago

Release notes for release-1.4

Thanks to Wilson Júnior (@wpjunior) for the PR which originally exposed the certificate chain issue which this release fixes!

Changelog since v1.4.1

Changes by Kind

Bug or Regression

  • Fix handling of chains which don't have a root in ParseSingleCertificateChain, and improve handling in situations where that function is passed a single certificate. (#4272, @jetstack-bot)
  • Fixed a goroutine leak that was causing the controller's memory usage to grow with time (#4278, @SgtCoDFish)
  • Fixed a race condition introduced in v0.15.0 that would crash cert-manager for clusters
    with a large number of certificates. (#4275, @jetstack-bot)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

cert-manager - v1.3.2

Published by jetstack-release-bot about 3 years ago

Release notes for release-1.3

Changelog since v1.3.1

Changes by Kind

Bug or Regression

  • Fixed a goroutine leak that was causing the controller's memory usage to grow with time (#4279, @SgtCoDFish)
  • Fixed a race condition introduced in v0.15.0 that would crash cert-manager for clusters
    with a large number of certificates. (#4280, @jetstack-bot)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

cert-manager - v1.4.1

Published by jetstack-release-bot about 3 years ago

Release notes for release-1.4.1

Changelog since v1.4.0

Changes by Kind

Bug or Regression

  • Fix check for self-signed certificates in EncodeX509Chain which broke certs whose subject DN matched their issuer's subject DN (#4238, @SgtCoDFish)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

cert-manager - v1.5.0-alpha.0

Published by jetstack-release-bot over 3 years ago

Release notes for v1.5.0-alpha.0

Changelog since v1.4.0

Changes by Kind

Feature

  • Added a new optional controller: gateway-shim. cert-manager now supports automatic
    creation of ACME certificates for the sig-network Gateway API Gateway, when annotated
    similarly to existing support for Ingresses. (#4158, @maelvls)
  • Added the kubectl 'cert-manager check api' command (#4205, @inteon)
  • Adds CLI command: ctl experimental create certificatesigningrequest for creating a Kubernetes CertificateSigningRequest based upon a cert-manager Certificate manifest file (#4106, @JoshVanL)
  • Adds clock_time_seconds metric for calculating expiration time in monitoring systems without a built-in function. (#4105, @kit837)
  • Adds support for Ed25519 private keys and signatures for Certificates (#4079, @annerajb)
  • Cert-manager is now able to sign CertificateSigningRequests using the SelfSigned issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4100, @JoshVanL)
  • Cert-manager is now able to sign CertificateSigningRequests using the Vault issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4103, @JoshVanL)
  • Reduce binary sizes by adding "-s -w" as ldflags (#4169, @inteon)
  • kubectl cert-manager x install command is added (#4138, @inteon)

Bug or Regression

  • Cloudflare: Refactored DNS01 challenge to use the API for finding the nearest Zone (fixing potential DNS issues) (#4147, @thiscantbeserious)
  • Fix a bug where failed Certificate Requests were not retried (#4130, @irbekrm)
  • Fixes a bug where the default cert renewal duration (30d) was clashing with the duration of certs issued by Vault PKI. All Certificates are now renewed 2/3 of the way through their duration unless a custom renewal period is specified by setting spec.renewBefore on the Certificate. (#4092, @irbekrm)
  • Set correct labels on resources in static manifest yaml files (#4190, @inteon)

Other (Cleanup or Flake)

  • Adds conformance E2E suite for CertificateSigningRequests (#4101, @JoshVanL)
  • Minor cleanup of make targets, to prepare for more use of make in cert-manager (#4109, @SgtCoDFish)
  • Pre-v1 cert-manager resource requests now must be converted to v1 in order to be validated/mutated by admission webhooks. (Default cert-manager validating and mutating webhook configurations ensure the resource requests are being converted) (#4172, @irbekrm)
  • Reduce binary sizes by adding "-w" as ldflag (#4181, @inteon)
  • Regression: CertificateSigningRequests will no longer have an experimental.cert-manager.io/ca annotation set. (#4143, @JoshVanL)

Dependencies

Added

  • bazil.org/fuse: 371fbbd
  • github.com/DATA-DOG/go-sqlmock: v1.5.0
  • github.com/Masterminds/goutils: v1.1.1
  • github.com/Masterminds/semver/v3: v3.1.1
  • github.com/Masterminds/sprig/v3: v3.2.2
  • github.com/Masterminds/squirrel: v1.5.0
  • github.com/Masterminds/vcs: v1.13.1
  • github.com/Microsoft/go-winio: v0.4.16
  • github.com/Microsoft/hcsshim: v0.8.14
  • github.com/Shopify/logrus-bugsnag: 577dee2
  • github.com/ahmetb/gen-crd-api-reference-docs: df869c1
  • github.com/bitly/go-simplejson: v0.5.0
  • github.com/bmizerany/assert: b7ed37b
  • github.com/bshuster-repo/logrus-logstash-hook: v0.4.1
  • github.com/bugsnag/bugsnag-go: b1d1530
  • github.com/bugsnag/osext: 0dd3f91
  • github.com/bugsnag/panicwrap: e2c2850
  • github.com/cilium/ebpf: 4032b1d
  • github.com/containerd/cgroups: 0dbf7f0
  • github.com/containerd/console: c12b1e7
  • github.com/containerd/containerd: v1.4.4
  • github.com/containerd/continuity: 1805252
  • github.com/containerd/fifo: a9fb20d
  • github.com/containerd/go-runc: 5a6d9f3
  • github.com/containerd/ttrpc: 0e0f228
  • github.com/containerd/typeurl: a93fcdb
  • github.com/coreos/go-systemd/v22: v22.0.0
  • github.com/cyphar/filepath-securejoin: v0.2.2
  • github.com/deislabs/oras: v0.11.1
  • github.com/denisenkom/go-mssqldb: cfbb681
  • github.com/denverdino/aliyungo: a747050
  • github.com/dnaeon/go-vcr: v1.0.1
  • github.com/docker/cli: v20.10.5+incompatible
  • github.com/docker/docker-credential-helpers: v0.6.3
  • github.com/docker/go-connections: v0.4.0
  • github.com/docker/go-metrics: 399ea8c
  • github.com/docker/libtrust: fa56704
  • github.com/garyburd/redigo: 535138d
  • github.com/go-ini/ini: v1.25.4
  • github.com/go-kit/log: v0.1.0
  • github.com/go-task/slim-sprig: 348f09d
  • github.com/gobuffalo/envy: v1.7.1
  • github.com/gobuffalo/logger: v1.0.1
  • github.com/gobuffalo/packd: v0.3.0
  • github.com/gobuffalo/packr/v2: v2.7.1
  • github.com/gobwas/glob: v0.2.3
  • github.com/godbus/dbus/v5: v5.0.3
  • github.com/godror/godror: v0.13.3
  • github.com/gofrs/flock: v0.8.0
  • github.com/golang-sql/civil: cb61b32
  • github.com/gorilla/handlers: 60c7bfd
  • github.com/gosuri/uitable: v0.0.4
  • github.com/hpcloud/tail: v1.0.0
  • github.com/huandu/xstrings: v1.3.1
  • github.com/jmoiron/sqlx: v1.3.1
  • github.com/joho/godotenv: v1.3.0
  • github.com/lann/builder: 47ae307
  • github.com/lann/ps: 62de8c4
  • github.com/lib/pq: v1.10.0
  • github.com/marstr/guid: v1.1.0
  • github.com/mattn/go-oci8: v0.0.7
  • github.com/mattn/go-shellwords: v1.0.11
  • github.com/mattn/go-sqlite3: v1.14.6
  • github.com/mitchellh/osext: 5e2d6d4
  • github.com/morikuni/aec: v1.0.0
  • github.com/ncw/swift: v1.0.47
  • github.com/opencontainers/image-spec: v1.0.1
  • github.com/opencontainers/runc: v0.1.1
  • github.com/opencontainers/runtime-spec: v1.0.2
  • github.com/phayes/freeport: 95f893a
  • github.com/rubenv/sql-migrate: 8d140a1
  • github.com/satori/go.uuid: v1.2.0
  • github.com/shopspring/decimal: v1.2.0
  • github.com/yvasiyarov/go-metrics: 57bccd1
  • github.com/yvasiyarov/gorelic: a9bba5b
  • github.com/yvasiyarov/newrelic_platform_go: b21fdbd
  • github.com/ziutek/mymysql: v1.5.4
  • google.golang.org/cloud: 975617b
  • gopkg.in/fsnotify.v1: v1.4.7
  • gopkg.in/gorp.v1: v1.7.2
  • helm.sh/helm/v3: v3.6.2
  • rsc.io/letsencrypt: v0.0.3
  • sigs.k8s.io/gateway-api: v0.3.0

Changed

  • github.com/asaskevich/govalidator: f61b66f → 21a406d
  • github.com/docker/docker: be7ac8b → 9dc6525
  • github.com/evanphx/json-patch: v4.9.0+incompatible → v4.11.0+incompatible
  • github.com/fatih/color: v1.10.0 → v1.12.0
  • github.com/golang/protobuf: v1.4.3 → v1.5.2
  • github.com/google/go-cmp: v0.5.5 → v0.5.6
  • github.com/imdario/mergo: v0.3.11 → v0.3.12
  • github.com/json-iterator/go: v1.1.10 → v1.1.11
  • github.com/mitchellh/copystructure: v1.0.0 → v1.1.1
  • github.com/mitchellh/reflectwalk: v1.0.0 → v1.0.1
  • github.com/nxadm/tail: v1.4.4 → v1.4.8
  • github.com/onsi/ginkgo: v1.12.1 → v1.16.4
  • github.com/onsi/gomega: v1.10.1 → v1.14.0
  • github.com/prometheus/client_golang: v1.9.0 → v1.11.0
  • github.com/prometheus/common: v0.15.0 → v0.26.0
  • github.com/prometheus/procfs: v0.2.0 → v0.6.0
  • github.com/rogpeppe/go-internal: v1.3.0 → v1.4.0
  • github.com/russross/blackfriday/v2: v2.0.1 → v2.1.0
  • github.com/sirupsen/logrus: v1.7.0 → v1.8.1
  • github.com/spf13/cast: v1.3.0 → v1.3.1
  • github.com/stretchr/testify: v1.6.1 → v1.7.0
  • github.com/yuin/goldmark: v1.3.3 → v1.3.5
  • go.uber.org/atomic: v1.6.0 → v1.7.0
  • go.uber.org/multierr: v1.5.0 → v1.6.0
  • go.uber.org/zap: v1.16.0 → v1.17.0
  • golang.org/x/sys: 5e06dd2 → ebe580a
  • golang.org/x/time: f8bda1e → 38a9dc6
  • golang.org/x/tools: 6397a11 → v0.1.2
  • google.golang.org/protobuf: v1.25.0 → v1.26.0
  • k8s.io/api: v0.21.0 → v0.21.2
  • k8s.io/apiextensions-apiserver: v0.21.0 → v0.21.2
  • k8s.io/apimachinery: v0.21.0 → v0.21.2
  • k8s.io/apiserver: v0.21.0 → v0.21.2
  • k8s.io/cli-runtime: v0.21.0 → v0.21.1
  • k8s.io/client-go: v0.21.0 → v0.21.2
  • k8s.io/component-base: v0.21.0 → v0.21.2
  • k8s.io/component-helpers: v0.21.0 → v0.21.1
  • k8s.io/kubectl: v0.21.0 → v0.21.1
  • k8s.io/metrics: v0.21.0 → v0.21.1
  • k8s.io/utils: fddb29f → 6fdb442
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.15 → v0.0.19
  • sigs.k8s.io/controller-runtime: v0.9.0-beta.2 → v0.9.2
  • sigs.k8s.io/controller-tools: v0.6.0-beta.0 → v0.6.0
  • sigs.k8s.io/kustomize/api: v0.8.5 → v0.8.8
  • sigs.k8s.io/kustomize/cmd/config: v0.9.7 → v0.9.10
  • sigs.k8s.io/kustomize/kustomize/v4: v4.0.5 → v4.1.2
  • sigs.k8s.io/kustomize/kyaml: v0.10.15 → v0.10.17

Removed

  • sigs.k8s.io/testing_frameworks: v0.1.2

cert-manager - v1.4.0

Published by jetstack-release-bot over 3 years ago

Release notes for release-1.4

Changelog since v1.3.1

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • The CA issuer now attempts to store the root CA instead of the issuing CA into the ca.crt field for issued certificates; this is a change of behavior. All of the information which was previously available is still available: the intermediate should appear as part of the chain in tls.crt. (#3865, @erikgb)
  • RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#4036, @wallrj)

Changes by Kind

Feature

  • Add serviceLabels to helm chart for adding custom labels to the controller service (#4009, @eddiehoffman)
  • Adds an option for a Kubernetes CertificateSigningRequest controller to implement the CA Issuer. (#4064, @JoshVanL)
  • RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#4036, @wallrj)
  • The Vault issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. (#3982, @JoshVanL)
  • The CA issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. Correctly passes down CA certificate when chaining CA Issuers together. (#3985, @JoshVanL)
  • Change Venafi Issuer to populate CertificateRequest.Status.CA with the root most certificate that was returned from signing. (#3983, @JoshVanL)
  • The webhook can now be configured to be accessible from outside of the cluster. (#3876, @anton-johansson)
  • Update Akamai issuer to use Open Edgegrid EdgeDNS v2 API (#4007, @edglynes)
  • The kubectl cert-manager plugin is now built for darwin/arm64 (https://github.com/cert-manager/release/pull/37, @irbekrm)
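Several entries on this page turn on the same question: given a bundle of certificates, which order do they go in and which member, if any, is the root? This release's Urgent Upgrade note moves the root CA into ca.crt and the Vault, CA and Venafi issuers populate CertificateRequest.Status.CA with the root-most certificate, while the later releases above fix a self-signed check in EncodeX509Chain that broke certificates whose subject DN matched their issuer's, and ParseSingleCertificateChain's handling of chains without a root or of a single certificate. The Go program below is an added example written for this page, not cert-manager's own code: the function names, the throwaway PKI it constructs and the layout it assumes (tls.crt holds the chain without the root, ca.crt holds the root alone) are mine. It orders a shuffled bundle by verifying signatures, decides "self-signed" by checking the signature with the certificate's own key rather than by comparing names, and shows what the name-only heuristic does to a leaf that shares its issuer's subject DN.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// dnOnlySelfSigned is the flawed heuristic: Subject == Issuer taken as proof of self-signing.
func dnOnlySelfSigned(c *x509.Certificate) bool { return bytes.Equal(c.RawSubject, c.RawIssuer) }

// isSelfSigned verifies the signature with the certificate's own key; a DN collision cannot fool it.
func isSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// issuerOf returns the bundle member whose key signed c (CA constraints enforced), or nil.
func issuerOf(c *x509.Certificate, bundle []*x509.Certificate) *x509.Certificate {
	for _, p := range bundle {
		if p != c && c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}

// orderChain returns a leaf-first chain and its verified self-signed root (nil if the bundle has none).
func orderChain(bundle ...*x509.Certificate) ([]*x509.Certificate, *x509.Certificate, error) {
	var chain []*x509.Certificate
	for _, c := range bundle { // the leaf is the member that issued nothing else in the bundle
		issued := false
		for _, d := range bundle {
			issued = issued || (d != c && d.CheckSignatureFrom(c) == nil)
		}
		if !issued {
			chain = []*x509.Certificate{c}
			break
		}
	}
	if chain == nil {
		return nil, nil, fmt.Errorf("no leaf found: empty bundle or issuer cycle")
	}
	for cur := chain[0]; !isSelfSigned(cur); cur = chain[len(chain)-1] {
		p := issuerOf(cur, bundle)
		if p == nil || len(chain) == len(bundle) { // no root in the bundle (or an issuer loop)
			return chain, nil, nil // tls.crt is still usable; ca.crt stays unset
		}
		chain = append(chain, p)
	}
	return chain, chain[len(chain)-1], nil
}

// encodeChain PEM-encodes the members the predicate does not flag as self-signed, keeping the root out of tls.crt.
func encodeChain(chain []*x509.Certificate, selfSigned func(*x509.Certificate) bool) []byte {
	var out []byte
	for _, c := range chain {
		if !selfSigned(c) {
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
		}
	}
	return out
}

func countCerts(p []byte) int { return bytes.Count(p, []byte("-----BEGIN CERTIFICATE-----")) }

// buildBundle constructs a throwaway root -> intermediate -> leaf PKI (constructed test material, not a real CA); the leaf deliberately carries the same subject DN as the intermediate that issued it.
func buildBundle() (root, inter, leaf *x509.Certificate) {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	tmpl := func(cn string, serial int64, ca bool, ku x509.KeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
			KeyUsage: ku, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	}
	sign := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced is well-formed
		return c
	}
	rootKey, interKey, leafKey := key(), key(), key()
	rootT := tmpl("Example Root", 1, true, x509.KeyUsageCertSign)
	root = sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter = sign(tmpl("Example Issuing CA", 2, true, x509.KeyUsageCertSign), root, &interKey.PublicKey, rootKey)
	leaf = sign(tmpl("Example Issuing CA", 3, false, x509.KeyUsageDigitalSignature), inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := buildBundle()
	chain, foundRoot, _ := orderChain(leaf, root, inter) // deliberately shuffled input
	fmt.Println("chain:", len(chain), "root found:", foundRoot == root, "leaf self-signed by DN:", dnOnlySelfSigned(leaf),
		"by signature:", isSelfSigned(leaf), "certs in tls.crt (flawed/fixed):",
		countCerts(encodeChain(chain, dnOnlySelfSigned)), countCerts(encodeChain(chain, isSelfSigned)))
}
```

The name-only predicate is the failure mode worth remembering: on the constructed bundle it classifies the leaf as self-signed, so encodeChain drops it and tls.crt ends up holding the intermediate alone, which is exactly the symptom the fix describes. Checking the signature against the certificate's own key costs one verification per certificate and cannot be fooled by a name collision. A single self-signed certificate comes back as a one-element chain that is also the root, a single leaf as a one-element chain with no root, and a bundle with no self-signed member yields a usable chain with ca.crt left unset rather than an error.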

Documentation

  • Add @munnerz to SECURITY_CONTACTS.md (#3970, @SgtCoDFish)
  • Add both style info and warnings about importing cert-manager as a module to README (#3902, @SgtCoDFish)

Bug or Regression

  • Fix incorrect PublicKeysEqual comparison function for public keys and improve doc comments on related functions (#3914, @SgtCoDFish)
  • Fixes a bug where the default cert renewal duration (30d) was clashing with the duration of certs issued by Vault PKI. All Certificates are now renewed 2/3 of the way through their duration unless a custom renewal period is specified by setting spec.renewBefore on the Certificate. (#4092, @irbekrm)
  • Fixes an issue where an ACME Certificate with a long name (52 characters or more) does not get renewed due to non-unique Order names being generated. (#3866, @jandersen-plaid)
  • Fixes stuck Orders in case of a misbehaving ACME server (#3805, @irbekrm)

Other (Cleanup or Flake)

  • Cert-manager controller now uses ConfigMapsLeasesResourceLock for leader election. (#4016, @irbekrm)
  • Deprecates UsageContentCommittment (#3860, @jsoref)
  • Deprecates cert-manager.io/v1alpha2, cert-manager.io/v1alpha3, cert-manager.io/v1beta1, acme.cert-manager.io/v1alpha2, acme.cert-manager.io/v1alpha3, acme.cert-manager.io/v1beta1 APIs. These APIs will be removed in cert-manager v1.6 (#4021, @irbekrm)
  • Optimistic locking messages (the object has been modified) are now logged at the Info level instead of the Error level, as cert-manager controllers will automatically retry until successful. (#3794, @JoshVanL)
  • Panic when failing to register schemes during initialization for pkg/webhook/server; various static analysis fixes across many files, including removing unused or redundant code (#4037, @SgtCoDFish)
  • Testing: Adds Kubernetes CertificateSigningRequest CA Issuer E2E tests. (#4081, @JoshVanL)
  • Updated details of FindZoneByFqdn error message when an unexpected DNS response code is received. (#3906, @clatour)
  • Updates Kubernetes libraries to v1.21.0 (#3926, @tamalsaha)
  • Updates distroless/static base image to latest version as of 2021-05-20 (#4039, @SgtCoDFish)
  • Validating webhook returns a warning if the legacy ACME issuer EAB key algorithm is set. (#3936, @irbekrm)

cert-manager - v1.4.0-beta.1

Published by jetstack-release-bot over 3 years ago

Release notes for v1.4.0-beta.1

Changelog since v1.4.0-beta.0

Changes by Kind

Bug or Regression

  • Fixes a bug where the default cert renewal duration (30d) was clashing with the duration of certs issued by Vault PKI. All Certificates are now renewed 2/3 of the way through their duration unless a custom renewal period is specified by setting spec.renewBefore on the Certificate. (#4092, @irbekrm)
  • REVERTS: The ACME issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. (#4074, @JoshVanL)
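The renewal entry above (the same fix is listed under v1.4.0 and v1.5.0-alpha.0) describes two rules: a fixed 30-day default, which cannot work for certificates valid for less than 30 days such as short-lived Vault PKI certificates, and the replacement rule that renews 2/3 of the way through the validity period unless spec.renewBefore is set. The Go snippet below is an added example written for this page, not cert-manager's code; it computes both rules so the clash is visible as a number. Treating a renewBefore that is not shorter than the validity period as unset is my assumption, not something the notes state.

```go
package main

import (
	"fmt"
	"time"
)

const (
	hour = time.Hour
	day  = 24 * hour
	// legacyDefaultRenewBefore is the fixed 30d default the notes describe clashing with short-lived certs.
	legacyDefaultRenewBefore = 30 * day
)

// renewalOffset returns how long after notBefore a certificate with the given validity duration is due
// for renewal. renewBefore == 0 means spec.renewBefore is unset: renew 2/3 of the way through.
// A renewBefore that is not shorter than the duration is treated as unset (assumed fallback, so that a
// misconfigured value cannot schedule renewal before the certificate is even issued).
func renewalOffset(duration, renewBefore time.Duration) time.Duration {
	if renewBefore <= 0 || renewBefore >= duration {
		return duration * 2 / 3
	}
	return duration - renewBefore
}

// renewalTime applies renewalOffset to a concrete validity window.
func renewalTime(notBefore, notAfter time.Time, renewBefore time.Duration) time.Time {
	return notBefore.Add(renewalOffset(notAfter.Sub(notBefore), renewBefore))
}

// legacyRenewalOffset reproduces the pre-fix behaviour: a fixed 30d default regardless of duration.
// For a 24h certificate the result is negative, i.e. renewal is due the moment the certificate is
// issued, and a controller applying it would re-issue in a loop.
func legacyRenewalOffset(duration time.Duration) time.Duration {
	return duration - legacyDefaultRenewBefore
}

func main() {
	issued := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC) // constructed issuance time
	for _, d := range []time.Duration{24 * hour, 90 * day} {
		fmt.Printf("%v certificate issued %s: renew at %s (legacy default: %v after issuance)\n",
			d, issued.Format(time.RFC3339), renewalTime(issued, issued.Add(d), 0).Format(time.RFC3339),
			legacyRenewalOffset(d))
	}
}
```

For a 90-day certificate both rules agree (renewal 60 days in), which is why the old default went unnoticed until shorter Vault-issued certificates came along; for a 24-hour certificate the old rule yields a renewal time 29 days in the past while the new rule renews at 16 hours.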

Other (Cleanup or Flake)

  • Testing: Adds Kubernetes CertificateSigningRequest CA Issuer E2E tests. (#4081, @JoshVanL)

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.

cert-manager - v1.4.0-beta.0

Published by jetstack-release-bot over 3 years ago

Release notes for release-1.4.0-beta.0

Changelog since v1.4.0-alpha.1

Changes by Kind

Feature

  • Add serviceLabels to helm chart for adding custom labels to the controller service (#4009, @eddiehoffman)
  • Adds an option for a Kubernetes CertificateSigningRequest controller to implement the CA Issuer. (#4064, @JoshVanL)
  • RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#4036, @wallrj)
  • Update Akamai issuer to use Open Edgegrid EdgeDNS v2 API (#4007, @edglynes)

Bug or Regression

  • Ensure issued Orders will not collide if CertificateRequests names are longer than 52 characters (#3866, @jandersen-plaid)
  • Fixes cert renewal bug for Vault certificates with duration close to renewBefore period. Thanks to @andreas-p for raising the issue. (#4040, @irbekrm)
  • Fixes stuck Orders in case of a misbehaving ACME server (#3805, @irbekrm)

Other (Cleanup or Flake)

  • Cert-manager controller now uses ConfigMapsLeasesResourceLock for leader election. (#4016, @irbekrm)
  • Change Venafi Issuer to populate CertificateRequest.Status.CA with the root most certificate that was returned from signing. (#3983, @JoshVanL)
  • Deprecates UsageContentCommittment (#3860, @jsoref)
  • Deprecates cert-manager.io/v1alpha2, cert-manager.io/v1alpha3, cert-manager.io/v1beta1, acme.cert-manager.io/v1alpha2, acme.cert-manager.io/v1alpha3, acme.cert-manager.io/v1beta1 APIs. These APIs will be removed in cert-manager v1.6 (#4021, @irbekrm)
  • Panic when failing to register schemes during initialization for pkg/webhook/server; various static analysis fixes across many files, including removing unused or redundant code (#4037, @SgtCoDFish)
  • Update default development version of Kubernetes in kind from 1.17 to 1.20 (#4015, @SgtCoDFish)
  • Updates distroless/static base image to latest version as of 2021-05-20 (#4039, @SgtCoDFish)
  • Updates Kubernetes libraries to v1.21 (#3926, @tamalsaha)

Dependencies

Added

  • github.com/Knetic/govaluate: 9aa4983
  • github.com/Shopify/sarama: v1.19.0
  • github.com/Shopify/toxiproxy: v2.1.4+incompatible
  • github.com/VividCortex/gohistogram: v1.0.0
  • github.com/afex/hystrix-go: fa1af6a
  • github.com/akamai/AkamaiOPEN-edgegrid-golang: v1.1.0
  • github.com/apache/thrift: v0.13.0
  • github.com/aryann/difflib: e206f87
  • github.com/aws/aws-lambda-go: v1.13.3
  • github.com/aws/aws-sdk-go-v2: v0.18.0
  • github.com/casbin/casbin/v2: v2.1.2
  • github.com/cenkalti/backoff: v2.2.1+incompatible
  • github.com/clbanning/x2j: 8252494
  • github.com/codahale/hdrhistogram: 3a0bb77
  • github.com/eapache/go-resiliency: v1.1.0
  • github.com/eapache/go-xerial-snappy: 776d571
  • github.com/eapache/queue: v1.1.0
  • github.com/edsrzf/mmap-go: v1.0.0
  • github.com/form3tech-oss/jwt-go: v3.2.2+incompatible
  • github.com/franela/goblin: c9ffbef
  • github.com/franela/goreq: bcd34c9
  • github.com/fvbommel/sortorder: v1.0.1
  • github.com/go-errors/errors: v1.0.1
  • github.com/gobuffalo/here: v0.6.0
  • github.com/gogo/googleapis: v1.1.0
  • github.com/google/shlex: e7afc7f
  • github.com/gorilla/context: v1.1.1
  • github.com/gorilla/mux: v1.7.3
  • github.com/h2non/parth: b4df798
  • github.com/hudl/fargo: v1.3.0
  • github.com/influxdata/influxdb1-client: 8bf82d3
  • github.com/jessevdk/go-flags: v1.4.0
  • github.com/jpillora/backoff: v1.0.0
  • github.com/kmodules/code-generator: 7eafae0
  • github.com/kmodules/gengo: a8850da
  • github.com/lightstep/lightstep-tracer-common/golang/gogo: bc2310a
  • github.com/lightstep/lightstep-tracer-go: v0.18.1
  • github.com/lyft/protoc-gen-validate: v0.0.13
  • github.com/markbates/pkger: v0.17.1
  • github.com/moby/spdystream: v0.2.0
  • github.com/monochromegane/go-gitignore: 205db1a
  • github.com/nats-io/jwt: v0.3.2
  • github.com/nats-io/nats-server/v2: v2.1.2
  • github.com/nats-io/nats.go: v1.9.1
  • github.com/nats-io/nkeys: v0.1.3
  • github.com/nats-io/nuid: v1.0.1
  • github.com/nbio/st: e9e8d98
  • github.com/niemeyer/pretty: a10e7ca
  • github.com/oklog/oklog: v0.3.2
  • github.com/op/go-logging: 970db52
  • github.com/opentracing-contrib/go-observer: a52f234
  • github.com/opentracing/basictracer-go: v1.0.0
  • github.com/opentracing/opentracing-go: v1.1.0
  • github.com/openzipkin-contrib/zipkin-go-opentracing: v0.4.5
  • github.com/openzipkin/zipkin-go: v0.2.2
  • github.com/pact-foundation/pact-go: v1.0.4
  • github.com/patrickmn/go-cache: v2.1.0+incompatible
  • github.com/performancecopilot/speed: v3.0.0+incompatible
  • github.com/pkg/profile: v1.2.1
  • github.com/rcrowley/go-metrics: 3113b84
  • github.com/samuel/go-zookeeper: 2cc03de
  • github.com/sony/gobreaker: v0.4.1
  • github.com/streadway/amqp: edfb901
  • github.com/streadway/handy: d5acb31
  • github.com/xeipuuv/gojsonpointer: 4e3ac27
  • github.com/xeipuuv/gojsonreference: bd5ef7b
  • github.com/xeipuuv/gojsonschema: v1.2.0
  • github.com/xlab/treeprint: a009c39
  • go.starlark.net: 8dd3e2e
  • go.uber.org/goleak: v1.1.10
  • go.uber.org/tools: 2cfd321
  • gopkg.in/gcfg.v1: v1.2.3
  • gopkg.in/h2non/gock.v1: v1.0.15
  • gopkg.in/warnings.v0: v0.1.2
  • k8s.io/component-helpers: v0.21.0
  • rsc.io/quote/v3: v3.1.0
  • rsc.io/sampler: v1.3.0
  • sigs.k8s.io/kustomize/api: v0.8.5
  • sigs.k8s.io/kustomize/cmd/config: v0.9.7
  • sigs.k8s.io/kustomize/kustomize/v4: v4.0.5
  • sigs.k8s.io/kustomize/kyaml: v0.10.15
  • sourcegraph.com/sourcegraph/appdash: ebfcffb

Changed

  • cloud.google.com/go/bigquery: v1.0.1 → v1.4.0
  • cloud.google.com/go/datastore: v1.0.0 → v1.1.0
  • cloud.google.com/go/pubsub: v1.0.1 → v1.2.0
  • cloud.google.com/go/storage: v1.0.0 → v1.6.0
  • cloud.google.com/go: v0.51.0 → v0.54.0
  • github.com/Azure/azure-sdk-for-go: v46.3.0+incompatible → v43.0.0+incompatible
  • github.com/Azure/go-autorest/autorest/adal: v0.9.4 → v0.9.5
  • github.com/Azure/go-autorest/autorest/to: v0.4.0 → v0.2.0
  • github.com/Azure/go-autorest/autorest/validation: v0.3.0 → v0.1.0
  • github.com/Azure/go-autorest/autorest: v0.11.6 → v0.11.12
  • github.com/NYTimes/gziphandler: 56545f4 → v1.1.1
  • github.com/alecthomas/units: c3de453 → f65c72e
  • github.com/blang/semver: v3.5.0+incompatible → v3.5.1+incompatible
  • github.com/creack/pty: v1.1.7 → v1.1.11
  • github.com/fatih/color: v1.7.0 → v1.10.0
  • github.com/go-gl/glfw/v3.3/glfw: 12ad95a → 6f7a984
  • github.com/go-kit/kit: v0.9.0 → v0.10.0
  • github.com/go-logfmt/logfmt: v0.4.0 → v0.5.0
  • github.com/go-logr/logr: ee2de8d → v0.4.0
  • github.com/go-logr/zapr: v0.1.1 → v0.4.0
  • github.com/go-openapi/spec: v0.19.3 → v0.19.5
  • github.com/go-openapi/strfmt: v0.19.3 → v0.19.5
  • github.com/go-openapi/validate: v0.19.5 → v0.19.8
  • github.com/gobuffalo/flect: v0.2.0 → v0.2.2
  • github.com/gogo/protobuf: v1.3.1 → v1.3.2
  • github.com/golang/groupcache: 215e871 → 8c9f03a
  • github.com/golang/mock: v1.3.1 → v1.4.1
  • github.com/golang/protobuf: v1.4.2 → v1.4.3
  • github.com/google/go-cmp: v0.4.1 → v0.5.5
  • github.com/google/pprof: d4f498a → 1ebb73c
  • github.com/google/uuid: v1.1.1 → v1.1.2
  • github.com/hashicorp/consul/api: v1.1.0 → v1.3.0
  • github.com/hashicorp/consul/sdk: v0.1.1 → v0.3.0
  • github.com/hashicorp/go-version: v1.1.0 → v1.2.0
  • github.com/imdario/mergo: v0.3.9 → v0.3.11
  • github.com/julienschmidt/httprouter: v1.2.0 → v1.3.0
  • github.com/kisielk/errcheck: v1.2.0 → v1.5.0
  • github.com/kr/text: v0.1.0 → v0.2.0
  • github.com/mattn/go-colorable: v0.1.2 → v0.1.8
  • github.com/mattn/go-isatty: v0.0.8 → v0.0.12
  • github.com/moby/term: 672ec06 → df9cb8a
  • github.com/mwitkow/go-conntrack: cc309e4 → 2f06839
  • github.com/opencontainers/go-digest: v1.0.0-rc1 → v1.0.0
  • github.com/prometheus/client_golang: v1.7.1 → v1.9.0
  • github.com/prometheus/common: v0.10.0 → v0.15.0
  • github.com/prometheus/procfs: v0.1.3 → v0.2.0
  • github.com/sirupsen/logrus: v1.6.0 → v1.7.0
  • github.com/spf13/cobra: v1.0.0 → v1.1.3
  • github.com/yuin/goldmark: v1.1.27 → v1.3.3
  • go.etcd.io/etcd: 17cef6e → dd1b699
  • go.opencensus.io: v0.22.2 → v0.22.3
  • go.uber.org/atomic: v1.4.0 → v1.6.0
  • go.uber.org/multierr: v1.1.0 → v1.5.0
  • go.uber.org/zap: v1.10.0 → v1.16.0
  • golang.org/x/exp: da58074 → 6cc2880
  • golang.org/x/lint: fdd1cda → 738671d
  • golang.org/x/mod: v0.3.0 → v0.4.2
  • golang.org/x/net: e18ecbb → 3d97a24
  • golang.org/x/sync: cd5d95a → 036812b
  • golang.org/x/sys: f84b799 → 5e06dd2
  • golang.org/x/term: 7de9c90 → 6a3ed07
  • golang.org/x/text: v0.3.3 → v0.3.4
  • golang.org/x/time: 3af7569 → f8bda1e
  • golang.org/x/tools: c1934b7 → 6397a11
  • golang.org/x/xerrors: 9bdfabe → 5ec99f8
  • gomodules.xyz/jsonpatch/v2: v2.0.1 → v2.2.0
  • google.golang.org/api: v0.15.0 → v0.20.0
  • google.golang.org/appengine: v1.6.5 → v1.6.7
  • google.golang.org/genproto: cb27e3a → 8816d57
  • google.golang.org/grpc: v1.27.0 → v1.27.1
  • google.golang.org/protobuf: v1.24.0 → v1.25.0
  • gopkg.in/check.v1: 41f04d3 → 8fa4692
  • gopkg.in/ini.v1: v1.52.0 → v1.51.1
  • gopkg.in/yaml.v3: a5ece68 → 496545a
  • gotest.tools/v3: v3.0.2 → v3.0.3
  • honnef.co/go/tools: v0.0.1-2019.2.3 → v0.0.1-2020.1.3
  • k8s.io/api: v0.19.0 → v0.21.0
  • k8s.io/apiextensions-apiserver: v0.19.0 → v0.21.0
  • k8s.io/apimachinery: v0.19.0 → v0.21.0
  • k8s.io/apiserver: v0.19.0 → v0.21.0
  • k8s.io/cli-runtime: v0.19.0 → v0.21.0
  • k8s.io/client-go: v0.19.0 → v0.21.0
  • k8s.io/component-base: v0.19.0 → v0.21.0
  • k8s.io/klog/v2: v2.3.0 → v2.8.0
  • k8s.io/kube-aggregator: v0.19.0 → v0.21.0
  • k8s.io/kube-openapi: 6aeccd4 → 591a79e
  • k8s.io/kubectl: v0.19.0 → v0.21.0
  • k8s.io/metrics: v0.19.0 → v0.21.0
  • k8s.io/utils: d5654de → fddb29f
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.9 → v0.0.15
  • sigs.k8s.io/controller-runtime: v0.6.2 → v0.9.0-beta.2
  • sigs.k8s.io/controller-tools: 645d44d → v0.6.0-beta.0
  • sigs.k8s.io/structured-merge-diff/v4: v4.0.1 → v4.1.0

Removed

  • github.com/golangplus/bytes: 45c989f
  • github.com/golangplus/fmt: 2a5d6d7
  • github.com/hpcloud/tail: v1.0.0
  • github.com/mattbaird/jsonpatch: 81af803
  • github.com/xlab/handysort: fb3537e
  • gopkg.in/fsnotify.v1: v1.4.7
  • k8s.io/code-generator: v0.19.0
  • k8s.io/gengo: 8167cfd
  • sigs.k8s.io/kustomize: v2.0.3+incompatible
  • vbom.ml/util: db5cfe1
cert-manager - v1.4.0-alpha.1

Published by jetstack-release-bot over 3 years ago

Changelog since v1.4.0-alpha.0

Changes by Kind

Feature

  • The Vault issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root-most certificate if available. (#3982, @JoshVanL)

Documentation

Bug or Regression

  • The CA issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root-most certificate if available. Correctly passes down the CA certificate when chaining CA Issuers together. (#3985, @JoshVanL)

Other (Cleanup or Flake)

  • Change the Venafi Issuer to populate CertificateRequest.Status.CA with the root-most certificate that was returned from signing. (#3983, @JoshVanL)
  • Optimistic locking messages (the object has been modified) are now logged at the Info level instead of the Error level, as cert-manager controllers will automatically retry until successful. (#3794, @JoshVanL)
  • Istio VirtualService support has been reverted and moved to the next release. (#3988, @jakexks)
  • The ACME issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root-most certificate if available. (#3984, @JoshVanL)
  • Validating webhook returns a warning if the legacy ACME issuer EAB key algorithm is set. (#3936, @irbekrm)

Dependencies

Added

Nothing has changed.

Changed

  • github.com/envoyproxy/go-control-plane: v0.9.4 → 5f8ba28
  • google.golang.org/grpc: v1.28.1 → v1.27.0

Removed

  • github.com/cncf/udpa/go: 269d4d4
  • istio.io/api: 328c3a3
  • istio.io/gogo-genproto: 4502960
cert-manager - v1.4.0-alpha.0

Published by jetstack-release-bot over 3 years ago

Changelog since v1.3.0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • The CA issuer now attempts to store the root CA instead of the issuing CA into the ca.crt field for issued certificates; this is a change of behavior. All of the information which was previously available is still available: the intermediate should appear as part of the chain in tls.crt. (#3865, @erikgb)

Changes by Kind

Feature

  • Add support for routing ACME HTTP01 challenges using Istio VirtualService CRs. (#3724, @inteon)
  • The webhook can now be configured to be accessible from outside of the cluster. (#3876, @anton-johansson)

Documentation

  • Add a vulnerability reporting process in SECURITY.md (#3818, @SgtCoDFish)
  • Add both style info and warnings about importing cert-manager as a module to README (#3902, @SgtCoDFish)

Bug or Regression

  • Fix RFC2136 DNS-01 challenges with multiple DNS names (#3622, @foosinn)
  • Fix incorrect PublicKeysEqual comparison function for public keys and improve doc comments on related functions (#3914, @SgtCoDFish)
  • Fixes Helm upgrade issue (#3882, @irbekrm)
  • Set the Ready condition to False when a CertificateRequest has been denied for all CertificateRequests that reference a cert-manager.io signer (#3878, @JoshVanL)

Other (Cleanup or Flake)

  • Deprecate Issuer.spec.acme.externalAccountBinding.keyAlgorithm field. EAB MAC algorithm is now hardcoded to HS256. (#3877, @irbekrm)
  • Removes legacy util functions for issuer generation from test/e2e/util/util.go. Use functions in test/unit/gen/issuer.go instead. (#3873, @irbekrm)
  • Updated details of FindZoneByFqdn error message when an unexpected DNS response code is received. (#3906, @clatour)

Dependencies

Added

  • github.com/cert-manager/crypto: d4c1975
  • github.com/cncf/udpa/go: 269d4d4
  • golang.org/x/term: 7de9c90
  • istio.io/api: 328c3a3
  • istio.io/gogo-genproto: 4502960

Changed

  • github.com/envoyproxy/go-control-plane: 5f8ba28 → v0.9.4
  • golang.org/x/net: c890458 → e18ecbb
  • golang.org/x/sys: ed371f2 → f84b799
  • google.golang.org/grpc: v1.27.0 → v1.28.1

Removed

  • github.com/meyskens/crypto: 6ca9aec
cert-manager - v1.3.1

Published by jetstack-release-bot over 3 years ago

Changelog since v1.3.0

Changes by Kind

Bug or Regression

  • Fixes an upgrade issue with Helm. People upgrading from cert-manager v1.2 should now be able to upgrade with no error. (#3886, @irbekrm)
  • Fixes a regression that was introduced in v1.3. Before v1.3, a CertificateRequest that would fail would have the condition Ready=False added to it. After v1.3, the Ready=False was not set anymore due to the addition of the Approval API. (#3892, @JoshVanL)
cert-manager - v1.3.0

Published by jetstack-release-bot over 3 years ago

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

helm users

If you install cert-manager with helm, upgrade directly to v1.3.1 to avoid a CRD type conversion issue. (#3880)

Venafi Cloud Issuer

This release updates the Venafi Cloud Issuer to use OutagePREDICT instead of DevOpsACCELERATE.
The only impact to Venafi Cloud users is the change in zone syntax.
The zone is now <Application Name>\<Issuing Template Alias>
(e.g. My Application\My CIT).

cert-manager controller

The --renew-before-expiration-duration flag has been removed from the cert-manager controller, having been deprecated in the previous release.

cert-manager CRDs

CertificateRequests are now immutable - the spec and metadata.annotations fields cannot be changed after creation. They were always designed to be immutable but this behavior is now enforced by the cert-manager webhook.

Changes by Kind

Feature

  • Add automountServiceAccountToken field to service accounts in helm chart (#3725, @joshuastern)
  • Adds Approved condition type to CertificateRequest (#3735, @JoshVanL)
  • Adds ObservedGeneration field to all Issuer conditions (#3754, @JoshVanL)
  • Adds RevisionHistoryLimit field to Certificates to optionally garbage collect old CertificateRequests (#3773, @JoshVanL)
  • Adds UserInfo fields to CertificateRequests containing the UserInfo of the requester: Username, Groups, UID, Extra. (#3641, @JoshVanL)
  • Adds `kubectl cert-manager [approve|deny]` CLI commands to manually approve or deny CertificateRequests (#3792, @JoshVanL)
  • Adds an observedGeneration field to all Certificate conditions. This is set to the generation of that Certificate at the time of updating. (#3613, @JoshVanL)
  • Allows disabling enabled cert-manager-controller controller, for example '--controllers=*,-foo' (#3791, @JoshVanL)
  • Enforce that CertificateRequest approvers have the permission verb="approve" resource="signers" group="cert-manager.io" name=<signer-resource>.<signer-group>/[*|[<namespace>.]<name>] at the Cluster level. The name syntax is described in the cert-manager documentation on CertificateRequest approval. (#3785, @JoshVanL)
  • Retry issuance of Denied CertificateRequests after 1 hour. (#3795, @JoshVanL)
  • The Venafi issuer in cert-manager is now compatible with Venafi Cloud OutagePREDICT. (#3831, @wallrj)
  • kubectl get certificaterequest now outputs the Issuer name and the username of the requestor by default (#3774, @JoshVanL)

Documentation

Bug or Regression

  • Allow the usage of hostNetwork in the webhook PSP (#3454, @Kirill-Garbar)
  • Correct permissions on edit aggregate role (#3697, @yann-soubeyrand)
  • Fix a bug that prevented the immediate re-issuance of a failing certificate: even when the user
    edited the certificate to fix an incorrect field, no certificate request would get created. Editing
    a failed certificate now properly re-issues immediately. (#3444, @maelvls)
  • Fixed approle login when namespaces were used in HashiCorp Vault
    Fixed incorrectly failing health check that was caused when the Vault token did not have sufficient permission to call /sys/- endpoints (#3582, @lalitadithya)
  • Fixes Helm upgrade bug (#3647, @irbekrm)
  • Fixes multiple Certificate Requests issue - see #3603 (#3665, @irbekrm)
  • Handle CA issuer working as intermediate correctly (#3847, @erikgb)
  • Improve error messages when Vault Issuer has misconfigured auth method (#3763, @JoshVanL)
  • Selfsigned issuer: warn when certs have empty issuer DNs, in violation of RFC 5280 (X.509) (#3760, @SgtCoDFish)
  • Skip Google Cloud DNS test when gcloud hasn't been configured (#3752, @SgtCoDFish)
  • Use port from helm values for service targetPort (#3652, @7opf)

Other (Cleanup or Flake)

  • Bumps go version to v1.16 (#3823, @irbekrm)
  • Removes --renew-before-expiry flag that was deprecated in release v1.2.0 (#3693, @irbekrm)
  • Standardise controller names across the project (#3789, @JoshVanL)
  • Update distroless/static base image (#3741, @teejaded)
  • Updated cainjector to use v1 API versions of admissionregistration, apiextensions and apiregistration. (#3838, @wallrj)

Dependencies

Added

  • github.com/pavel-v-chernykh/keystore-go/v4: v4.1.0

Changed

Removed

Nothing has changed.

cert-manager - v1.3.0-beta.0

Published by jetstack-release-bot over 3 years ago

Changelog since v1.3.0-alpha.1

Changes by Kind

Feature

  • Retry issuance of Denied CertificateRequests after 1 hour. (#3795, @JoshVanL)

Bug or Regression

  • Fix a bug that prevented the immediate re-issuance of a failing certificate: even when the user
    edited the certificate to fix an incorrect field, no certificate request would get created. Editing
    a failed certificate now properly re-issues immediately. (#3444, @maelvls)

Other (Cleanup or Flake)

  • Bumps go version to v1.16 (#3823, @irbekrm)
  • The Venafi issuer in cert-manager is now compatible with Venafi Cloud OutagePREDICT. (#3831, @wallrj)
  • Updated cainjector to use v1 API versions of admissionregistration, apiextensions and apiregistration. (#3838, @wallrj)
cert-manager - v1.3.0-alpha.1

Published by jetstack-release-bot over 3 years ago

Changelog since v1.3.0-alpha.0

Changes by Kind

Feature

  • Allows disabling enabled cert-manager-controller controller, for example '--controllers=*,-foo' (#3791, @JoshVanL)
  • Enforce that CertificateRequest approvers have the permission verb="approve" resource="signers" group="cert-manager.io" name=<signer-resource>.<signer-group>/[*|[<namespace>.]<name>] at the Cluster level. (#3785, @JoshVanL)
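The signer name that the approval permission above (here and in the v1.3.0 notes) is checked against takes, per the cert-manager approval documentation, one of three forms: `issuers.cert-manager.io/<namespace>.<name>` for a namespaced Issuer, `clusterissuers.cert-manager.io/<name>` for a ClusterIssuer, and `<plural>.cert-manager.io/*` as a wildcard. The Go program below is an added example, not cert-manager's own code: it derives the signer name for an issuerRef, models the exact-or-wildcard match cert-manager performs with SubjectAccessReviews (RBAC resourceNames have no glob matching, so both forms are reviewed), and emits a ClusterRole granting it. The role and issuer names (`team-a-cr-approver`, `letsencrypt-prod`, `internal-ca`) are made up for the example, and the ClusterRole/PolicyRule structs are a hand-written stand-in for the k8s.io/api types.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// SignerName returns the RBAC resourceName that cert-manager checks for a
// CertificateRequest's issuerRef. Format from the cert-manager approval docs;
// the helper itself is an added example.
func SignerName(kind, namespace, name string) (string, error) {
	switch kind {
	case "Issuer":
		if namespace == "" {
			return "", fmt.Errorf("Issuer %q needs a namespace", name)
		}
		return "issuers.cert-manager.io/" + namespace + "." + name, nil
	case "ClusterIssuer":
		return "clusterissuers.cert-manager.io/" + name, nil
	}
	return "", fmt.Errorf("unsupported issuerRef kind %q", kind)
}

// MayApprove models the two SubjectAccessReviews cert-manager issues for
// verb=approve, group=cert-manager.io, resource=signers: one for the exact
// signer name and one for the wildcard "<plural>.<group>/*".
func MayApprove(resourceNames []string, signer string) bool {
	i := strings.Index(signer, "/")
	if i < 0 {
		return false // malformed signer name: never matches
	}
	wildcard := signer[:i+1] + "*"
	for _, rn := range resourceNames {
		if rn == signer || rn == wildcard {
			return true
		}
	}
	return false
}

// PolicyRule and ClusterRole are a minimal stand-in for the
// rbac.authorization.k8s.io/v1 types, enough to emit a manifest kubectl accepts.
type PolicyRule struct {
	APIGroups     []string `json:"apiGroups"`
	Resources     []string `json:"resources"`
	Verbs         []string `json:"verbs"`
	ResourceNames []string `json:"resourceNames,omitempty"`
}

type ClusterRole struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   map[string]string `json:"metadata"`
	Rules      []PolicyRule      `json:"rules"`
}

// ApproverRole grants the approve verb (the verb cert-manager checks for deny
// as well) on exactly the listed signers; prefer exact names over "/*".
func ApproverRole(name string, signers ...string) ClusterRole {
	return ClusterRole{
		APIVersion: "rbac.authorization.k8s.io/v1",
		Kind:       "ClusterRole",
		Metadata:   map[string]string{"name": name},
		Rules: []PolicyRule{{
			APIGroups:     []string{"cert-manager.io"},
			Resources:     []string{"signers"},
			Verbs:         []string{"approve"},
			ResourceNames: signers,
		}},
	}
}

func main() {
	// Hypothetical tenant: may approve requests to its own namespaced Issuer and
	// to any ClusterIssuer. "kubectl apply -f -" accepts the JSON as written.
	role := ApproverRole("team-a-cr-approver",
		"issuers.cert-manager.io/team-a.letsencrypt-prod",
		"clusterissuers.cert-manager.io/*")
	json.NewEncoder(os.Stdout).Encode(role)

	refs := [][3]string{{"Issuer", "team-a", "letsencrypt-prod"}, {"Issuer", "team-b", "letsencrypt-prod"}, {"ClusterIssuer", "", "internal-ca"}}
	for _, r := range refs {
		signer, _ := SignerName(r[0], r[1], r[2])
		fmt.Printf("%-55s approve=%v\n", signer, MayApprove(role.Rules[0].ResourceNames, signer))
	}
}
```

Bind the role to the approving identity with a ClusterRoleBinding; a binding scoped to a namespace is not enough, since the check is performed at the cluster level as the note says.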

Bug or Regression

  • Fixed approle login when namespaces were used in HashiCorp Vault
    Fixed incorrectly failing health check that was caused when the Vault token did not have sufficient permission to call /sys/- endpoints (#3582, @lalitadithya)
  • Selfsigned issuer: warn when certs have empty issuer DNs, in violation of RFC 5280 (X.509) (#3760, @SgtCoDFish)

Other (Cleanup or Flake)

  • The Venafi issuer in cert-manager is now compatible with Venafi Cloud OutagePREDICT. (#3831, @wallrj)

Dependencies

Added

  • github.com/pavel-v-chernykh/keystore-go/v4: v4.1.0

Changed

cert-manager - v1.3.0-alpha.0

Published by jetstack-release-bot over 3 years ago

Changelog since release-1.2

Changes by Kind

Feature

  • Add automountServiceAccountToken field to service accounts in helm chart (#3725, @joshuastern)
  • Adds Approved condition type to CertificateRequest (#3735, @JoshVanL)
  • Adds ObservedGeneration field to all Issuer conditions (#3754, @JoshVanL)
  • Adds RevisionHistoryLimit field to Certificates to optionally garbage collect old CertificateRequests (#3773, @JoshVanL)
  • Adds UserInfo fields to CertificateRequests containing the UserInfo of the requester: Username, Groups, UID, Extra. (#3641, @JoshVanL)
  • Adds `kubectl cert-manager [approve|deny]` CLI commands to manually approve or deny CertificateRequests (#3792, @JoshVanL)
  • Adds an observedGeneration field to all Certificate conditions. This is set to the generation of that Certificate at the time of updating. (#3613, @JoshVanL)
  • Allows disabling enabled cert-manager-controller controller, for example '--controllers=*,-foo' (#3791, @JoshVanL)
  • kubectl get certificaterequest now outputs the Issuer name and the username of the requestor by default (#3774, @JoshVanL)

Bug or Regression

Other (Cleanup or Flake)

  • Removes --renew-before-expiry flag that was deprecated in release v1.2.0 (#3693, @irbekrm)
  • Standardise controller names across the project (#3789, @JoshVanL)
  • Update distroless/static base image (#3741, @teejaded)
cert-manager - v1.1.1

Published by jetstack-release-bot over 3 years ago

This is a maintenance release that allows users who have installed a pre-v1.1 version of cert-manager using the Helm chart with --set installCRDs=true to upgrade to the v1.1 release without hitting a CRD validation issue that causes helm upgrade to fail.

If you cannot upgrade to Kubernetes v1.16 or later but wish to use the latest version of cert-manager that supports Kubernetes v1.11 - v1.15 you should upgrade to this release.

Most users should upgrade to the latest v1.2.0 release below.

Changes by Kind

Bug or Regression

cert-manager - v1.2.0

Published by jetstack-release-bot over 3 years ago

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • ⚠️ BREAKING CHANGE ⚠️ The minimum supported Kubernetes version is now v1.16.0 as of cert-manager v1.2.0. Users still running Kubernetes v1.15 or below should upgrade to a supported version before installing cert-manager or use cert-manager v1.1.
  • The User-Agent request header sent by cert-manager has changed to reflect the ownership transfer to the CNCF — see (#3515, @meyskens)
  • The --renew-before-expiration-duration flag of the cert-manager controller-manager has been deprecated. Please set the Certificate.Spec.RenewBefore field instead. This flag will be removed in the next release.
  • Certificates issued by the Vault issuer have changed — the root CA instead of the issuing CA is now stored in ca.crt — see (#3433, @sorah)

Changes by Kind

Feature

  • Add cert-manager.io/usages to ingress-shim to specify key usages. Server Auth is now also added as default key usage of ingress-shim (#3545, @meyskens)
  • Add kubectl cert-manager inspect secret to print certificate info from a secret resource (#3457, @meyskens)
  • Add category names to our CRDs so they appear in kubectl get cert-manager and kubectl get cert-manager-acme (#3583, @meyskens)
  • Add creation of PKCS12 truststore.p12 using Certificate Authority (#3489, @exceptionfactory)
  • Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#3347, @meyskens)
  • Added the ability to enable pprof profiling of the controller using the command line flag --enable-profiling. (#3477, @tharun208)
  • Added the option to specify the OCSP server for certificates issued by the CA issuer (#3505, @hugoboos)
  • Allows customization of cainjector leader-election leases with new flags --leader-election-lease-duration, --leader-election-renew-deadline and --leader-election-retry-period (#3527, @ndrpnt)
  • The ingress-shim now checks for cert-manager.io/duration and cert-manager.io/renew-before annotations and uses those values to set the Certificate.Spec.Duration and Certificate.Spec.RenewBefore fields. (#3465, @wallrj)
  • Venafi Issuer now sets the CA.crt field of the Secret. (#3533, @wallrj)

Bug or Regression

  • Deprecated the --renew-before-expiration-duration flag of the cert-manager controller (#3464, @wallrj)
  • Fix a bug in the AWS Route53 DNS01 challenge that led to retrying over and over instead of observing an exponential back-off (#3485, @maelvls)
  • Relaxes Ingress validation rules to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries (#3623, @irbekrm)
  • Fix the Vault issuer so that it no longer stores the root CA in the certificate bundle (tls.crt); it now stores the root CA, rather than the issuing CA, in the CA bundle (ca.crt), taken from the CA chain returned by Vault. (#3433, @sorah)
  • Fix Helm chart type conversion bug (#3647, @irbekrm)
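The ca.crt change described for the Vault issuer above, and the same rule applied to the CA issuer in v1.4.0-alpha.0 and to all issuers in v1.4.0-alpha.1 (chain rebuilt after signing, root-most certificate into ca.crt, intermediates kept in tls.crt), worked through in Go as an added example rather than cert-manager's own code. It builds a throwaway root/intermediate/leaf PKI, hands the three certificates over out of order, reconstructs the chain by checking signatures, and reports which subjects would land in tls.crt versus ca.crt. How a chain that ends in a CA that is not self-signed is treated is this example's assumption; the notes only say the root-most certificate is used "if available".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonic serials for the throwaway PKI below

// issue creates a certificate for cn signed by parent; a nil parent gives a self-signed root (test PKI built for this example).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// signs reports whether issuer (a CA with certSign usage) validates subject's signature.
func signs(issuer, subject *x509.Certificate) bool {
	return issuer != subject && subject.CheckSignatureFrom(issuer) == nil
}

// orderChain sorts certificates leaf-first by following signatures, as an issuer must when a backend returns them unordered.
func orderChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	var ordered []*x509.Certificate
	for _, c := range certs { // the leaf is the one certificate that signs none of the others
		leaf := true
		for _, o := range certs {
			leaf = leaf && !signs(c, o)
		}
		if leaf {
			ordered = append(ordered, c)
		}
	}
	if len(ordered) != 1 {
		return nil, fmt.Errorf("expected exactly one leaf certificate, found %d", len(ordered))
	}
	for range certs { // follow leaf -> issuer -> ...; stops growing once nothing signs the last cert
		cur := ordered[len(ordered)-1]
		for _, c := range certs {
			if signs(c, cur) {
				ordered = append(ordered, c)
				break
			}
		}
	}
	return ordered, nil
}

// SplitChain applies the rule from the notes: ca.crt gets the root-most certificate, tls.crt the leaf plus intermediates.
// A self-signed root is left out of tls.crt; a chain ending in a non-self-signed CA keeps it in both (example's assumption).
func SplitChain(certs []*x509.Certificate) (tlsCrt []*x509.Certificate, caCrt *x509.Certificate, err error) {
	ordered, err := orderChain(certs)
	if err != nil {
		return nil, nil, err
	}
	root := ordered[len(ordered)-1]
	if len(ordered) > 1 && root.CheckSignatureFrom(root) == nil {
		return ordered[:len(ordered)-1], root, nil
	}
	return ordered, root, nil
}

// Subjects lists CommonNames in order; the same listing over a Secret's tls.crt and ca.crt shows the effect of the upgrade.
func Subjects(certs []*x509.Certificate) (names []string) {
	for _, c := range certs {
		names = append(names, c.Subject.CommonName)
	}
	return names
}

// Demo builds root -> intermediate -> leaf, passes them in shuffled order, and reports what lands where.
func Demo() (tlsSubjects, caSubjects []string) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue("app.example.test", false, inter, interKey)
	tlsCrt, caCrt, err := SplitChain([]*x509.Certificate{inter, root, leaf})
	if err != nil {
		panic(err)
	}
	return Subjects(tlsCrt), Subjects([]*x509.Certificate{caCrt})
}
```

Each slice returned by SplitChain would be PEM-encoded into the Secret's tls.crt and ca.crt keys. Before upgrading, list the subjects of `kubectl get secret <name> -o jsonpath='{.data.ca\.crt}' | base64 -d` the same way: any workload that pinned ca.crt expecting the issuing intermediate will see the root there after the change and must trust the chain in tls.crt instead.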

Other (Cleanup or Flake)