Changelog since v1.2.0-alpha.1

Changes by Kind

Feature

• Add "cert-manager.io/usages" to ingress-shim to specify key usages. Server Auth is now also added as default key usage of ingress-shim (#3545, @meyskens)
• Added the option to specify the OCSP server for certificates issued by the CA issuer (#3505, @hugoboos)

Bug or Regression

• Relaxes Ingress validation rules to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries (#3623, @irbekrm)

Changes by Kind

Feature

• Add category names to our CRDs to they appear in kubectl get cert-manager and kubectl get cert-manager-acme (#3583, @meyskens)
• Allows customization of cainjector leader-election leases with new flags --leader-election-lease-duration, --leader-election-renew-deadline and --leader-election-retry-period (#3527, @ndrpnt)
• Venafi Issuer now sets the CA.crt field of the Secret. (#3533, @wallrj)

Other (Bug, Cleanup or Flake)

• Always install using admissionregistration.k8s.io/v1 (#3519, @meyskens)

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• This release of cert-manager only supports Kubernetes 1.16 and above

• Fix Vault issuer not to store a root CA into a certificate bundle (tls.crt). Also, Vault issuer now stores a root CA instead of an issuing CA into a CA bundle (ca.crt), from a CA chain returned from Vault. (#3433, @sorah)

Changes by Kind

Feature

• Add creation of PKCS12 truststore.p12 using Certificate Authority (#3489, @exceptionfactory)
• Added the ability to enable pprof profiling of the controller using the command line flag --enable-profiling. (#3477, @tharun208)
• The ingress-shim now checks for cert-manager.io/duration and cert-manager.io/renew-before annotations and uses those values to set the Certificate.Spec.Duration and Certificate.Spec.RenewBefore fields. (#3465, @wallrj)

Other (Bug, Cleanup or Flake)

• Always install using admissionregistration.k8s.io/v1 (#3519, @meyskens)
• Change copyright owner to The cert-manager Authors (#3500, @meyskens)
• Deprecated the --renew-before-expiration-duration flag of the cert-manager controller (#3464, @wallrj)
• Fix a bug in the AWS Route53 DNS01 challenge that to retrying over and over instead of observing an exponential back off (#3485, @maelvls)
• Migrate Ingress to networking.k8s.io/v1beta1 API group (#3499, @meyskens)
• Remove Jetstack from user-agent fields (#3515, @meyskens)
• Remove legacy release (#3487, @meyskens)

Changes by Kind

Feature

• Add encodeUsagesInRequest to Certificate spec to disable encoding usages in the CSR (#3304, @raphink)
• Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#3347, @meyskens)
• Add support for issuing IP certificates in ACME (#3288, @meyskens)
• Adds ability to Helm chart to set podLabels for the webhook and cainjector deployments (#3419, @logicbomb421)
• Helm: Allow custom timeout value for webhook calls (#3323, @renan)
• Make ACME dns01 propagation check period configurable (#3314, @freym)
• Make Kubernetes API QPS throttling configurable (#3382, @meyskens)
• TPP issuer now supports access-token credentials. See https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-trust-protection-platform-issuer for details. (#3379, @wallrj)

Other (Bug, Cleanup or Flake)

• Add Venafi Cloud e2e tests (#2966, @meyskens)
• Do not encode EextendedKeyUsage in the CSR is none is needed (#3262, @meyskens)
• Fix a panic when changing the max concurrent challenges to a lower value (#3399, @meyskens)
• Fix bug in AWS route53 zone lookup that caused too many IAM requests (#3354, @supriya-premkumar)
• Fix conversion webhook when given v1beta1 requests (#3242, @meyskens)
• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#3343, @meyskens)
• Fix nil pointer error in Cloud DNS when specific config was used. (#3417, @meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#3279, @meyskens)
• Improve ACME backoff logic + prevent infinity retry without surfacing errors (#3321, @meyskens)
• Improved API validation for Venafi Issuer configuration (#3409, @wallrj)
• Include ACME resources aggregated ClusterRoles (#3330, @sharmaansh21)
• Put current year into manifest license (#3357, @meyskens)
• Refactor the cainjector to only have 1 leader election and to avoid duplicate caches (#3275, @wallrj)
• Remove stability warning from README for v1.0 (#3240, @munnerz)
• Replace Go's ACME retry logic with custom logic (#3384, @meyskens)
• Revert de-duplication of cainjector leader-election to fix scenario where it crashes at startup due to broken webhook. (#3254, @wallrj)
• Run e2e tests against Venafi TPP (#3328, @meyskens)
• Set the resync periods of informers to 10 hours instead of 30 seconds (#3403, @meyskens)⏎

Changes by Kind

Other (Bug, Cleanup or Flake)

• Fix a bug where the Venafi Issuer and ClusterIssuer did not set the Ready condition and message if there was an API connection or API authentication failure. The Ready condition will now always be set, including details of any errors during setup. (#3389, @wallrj)
• Fix a panic when changing the max concurrent challenges to a lower value (#3418, @meyskens)
• Fix bug in AWS route53 zone lookup that caused too many IAM requests (#3375, @supriya-premkumar)
• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#3352, @meyskens)
• Fix nil pointer error in Cloud DNS when specific config was used. (#3420, @meyskens)

Changes by Kind

Feature

• Make Kubernetes API QPS throttling configurable (#3382, @meyskens)

Other (Bug, Cleanup or Flake)

• Fix a panic when changing the max concurrent challenges to a lower value (#3399, @meyskens)
• Improved API validation for Venafi Issuer configuration (#3409, @wallrj)
• Set the resync periods of informers to 10 hours instead of 30 seconds (#3403, @meyskens)

Changes by Kind

Feature

• Add encodeUsagesInRequest to Certificate spec to disable encoding usages in the CSR (#3304, @raphink)
• Add support for issuing IP certificates in ACME (#3288, @meyskens)
• Helm: Allow custom timeout value for webhook calls (#3323, @renan)
• Make ACME dns01 propagation check period configurable (#3314, @freym)
• Make Kubernetes API QPS throttling configurable (#3382, @meyskens)
• TPP issuer now supports access-token credentials. (#3379, @wallrj)

Other (Bug, Cleanup or Flake)

• Add Venafi Cloud e2e tests (#2966, @meyskens)
• Do not encode EextendedKeyUsage in the CSR is none is needed (#3262, @meyskens)
• Fix bug in AWS route53 zone lookup that caused too many IAM requests (#3354, @supriya-premkumar)
• Fix conversion webhook when given v1beta1 requests (#3242, @meyskens)
• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#3343, @meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#3279, @meyskens)
• Improve ACME backoff logic + prevent infinity retry without surfacing errors (#3321, @meyskens)
• Include ACME resources aggregated ClusterRoles (#3330, @sharmaansh21)
• Put current year into manifest license (#3357, @meyskens)
• Refactor the cainjector to only have 1 leader election and to avoid duplicate caches (#3275, @wallrj)
• Remove stability warning from README for v1.0 (#3240, @munnerz)
• Revert de-duplication of cainjector leader-election to fix scenario where it crashes at startup due to broken webhook. (#3254, @wallrj)
• Run e2e tests against Venafi TPP (#3328, @meyskens)

Changes by Kind

Other (Bug, Cleanup or Flake)

• Fix logic in patchDuplicateKeyUsage when signing and digital signature were set (#3352, @meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#3306, @meyskens)
• Improve ACME backoff logic + prevent infinity retry without surfacing errors (#3322, @meyskens)

Changes by Kind

Bug or Regression

• Do not encode ExtendedKeyUsage in the CSR is none is needed (#3295, @meyskens)
• Fixes incorrect CSR validation when both "signing" and "digital signature" are set (#3306, @meyskens)

Changes by Kind

Other (Bug, Cleanup or Flake)

• Fix conversion webhook when given v1beta1 requests (#3243, @meyskens, @wallrj)
• Remove stability warning from README for v1.0 (#3240, @munnerz)
• Revert de-duplication of cainjector leader-election to fix scenario where it crashes at startup due to broken webhook. (#3255, @wallrj)

With cert-manager v1.0 we're putting a seal of trust on 3 years of development on the cert-manager project.
In these 3 years cert-manager has grown in functionality and stability, but mostly in the community.
Today we see many people using cert-manager to secure their Kubernetes clusters, as well as cert-manager
being integrated into many other parts in the ecosystem.
In the past 16 releases many bugs got fixed, and things that needed to be broken were broken.
Several iterations on the API improved the user experience.
We solved 1500 GitHub Issues with even more PRs by 253 contributors.

With releasing v1.0 we're officially making a statement that cert-manager is a mature project now.
We will also be making a compatibility promise with our v1 API.

A big thank you to everyone who helped to build cert-manager in the past 3 years!
Let v1.0 be the first of many big achievements!

The v1.0 release is a stability release with a few focus areas:

• v1 API
• kubectl cert-manager status command to help with investigating issues
• Using new and stable Kubernetes APIs
• Improved logging
• AMCE improvements

We invite you to read more about these changes on our website

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Old versions of kubectl and helm will have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.16-1.0/
• Versions of Kubernetes lower than v1.16 need special upgrade instructions. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.16-1.0/

Changes by Kind

Feature

• Add Events of Issuer and Secret to the output of status certificate command (#3213, @hzhou97)
• Add Events of the Certificate and of the CertificateRequest to the output of the ctl command status certificate (#3102, @hzhou97)
• Add priorityClassName field to podTemplate for ACME HTTP01 issuers (#3112, @meyskens)
• Add serviceAccountName field to podTemplate for ACME HTTP01 issuers (#3139, @paulwilljones)
• Add v1 API version (#3177, @wallrj)
• Add webhook.hostNetwork option to the Helm Chart to run the webhook in hostNetwork mode (#3113, @jfrancisco0)
• Add boolean field disableAccountKeyGeneration to ACMEIssuer to be able to not generate new account key and reuse existing ones. (#3141, @hzhou97)
• Add info about Challenges related to a Certificate resource to the output of status certificate command. (#3186, @hzhou97)
• Add key usages into the CSR body (#3211, @meyskens)
• Add output about Order resource for status certificate command if ACME Issuer is used. (#3154, @hzhou97)
• Add output about the Issuer/ClusterIssuer of the Certificate resource and about creation time of the Certificate. (#3120, @hzhou97)
• Add output about the Secret resource for status certificate command (#3131, @hzhou97)
• Add support for alternate certs with prefferedChain in ACME (#3208, @meyskens)
• Add support for ctl convert over a list (#3205, @JoshVanL)
• Added Namespace to VaultIssuer to support vault roles from a different vault namespaces (#3106, @thejasbabu)
• Allow cert-manager.io/common-name annotation on ingresses (#3085, @meyskens)
• Change default output version of convert command to v1. (#3235, @hzhou97)
• Helm chart: add extra custom annotation block to the mutating and validating webhooks. (#3142, @Cyanopus)
• Helm chart: add image digest option (#3175, @guilhem)
• Helm chart: make webhook-probes configurable (#3192, @ckotzbauer)
• Updated controllers to use v1 API and make v1 the storage version (#3196, @wallrj)

Other (Bug, Cleanup or Flake)

• Add apiextensions.k8s.io/v1 CRDs (#3178, @meyskens)
• Add support for admissionregistration.k8s.io/v1 (#3167, @meyskens)
• Add validation webhooks in integration tests (#2958, @meyskens)
• Build using Go version 1.15 (#3228, @wallrj)
• Bump Kubernetes dependencies to 1.19 (#3166, @meyskens)
• Ensures Secrets created from the Certificates controller contains the annotation containing the Issuer Group Name. (#3151, @JoshVanL)
• Fix bug of status certificate command where the matching CR gets overwritten (#3117, @hzhou97)
• Fixes generation of ACME resources if the the 52nd character in a CR name is a symbol. (#3232, @meyskens)
• Let cert-manage handle ACME backoff when Retry-After is set on a rate limit error (#3215, @meyskens)
• Refactor the cainjector to only have 1 leader election (#3187, @meyskens)
• Remove Helm specific labels from static manifests (#3179, @meyskens)
• Remove stability warning from README for v1.0 (#3240, @munnerz)
• Updates kind cluster 1.19 SHA to use upstream kindest (#3227, @JoshVanL)
• Use klog v2 and improve the use of log levels (#3143, @meyskens)
• Use rbac.authorization.k8s.io/v1 (#3172, @meyskens)

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Old versions of kubectl and helm will have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.15-0.16/
• Versions of Kubernetes lower than v1.16 need special upgrade instructions. For more info check https://github.com/cert-manager/website/blob/606e668307308b655eb0fd7421b420180cd6b878/content/en/docs/installation/upgrading/upgrading-0.16-1.0.md

Changes by Kind

Feature

• Add Events of Issuer and Secret to the output of status certificate command (#3213, @hzhou97)
• Add key usages into the CSR body (#3211, @meyskens)
• Add support for alternate certs with preferredChain in ACME (#3208, @meyskens)
• Add support for ctl convert over a list (#3205, @JoshVanL)

Other (Bug, Cleanup or Flake)

• Build using Go version 1.15 (#3228, @wallrj)
• Bump Kubernetes dependencies to 1.19 (#3166, @meyskens)
• Let cert-manager handle ACME backoff when Retry-After is set on a rate limit error (#3215, @meyskens)
• Updates kind cluster 1.19 SHA to use upstream kindest (#3227, @JoshVanL)

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Old versions of kubectl and helm will have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.15-0.16/
• Versions of Kubernetes lower than v1.16 need special upgrade instructions. For more info check https://github.com/cert-manager/website/blob/606e668307308b655eb0fd7421b420180cd6b878/content/en/docs/installation/upgrading/upgrading-0.16-1.0.md

Changes by Kind

Feature

• Add boolean field onlyUseExistingAccountKey to ACMEIssuer to be able to not generate new account key and reuse existing ones. (#3141, @hzhou97)
• Add info about Challenges related to a Certificate resource to the output of status certificate command. (#3186, @hzhou97)
• Add support for ctl convert over a list (#3205, @JoshVanL)
• Helm chart: make webhook-probes configurable (#3192, @ckotzbauer)
• Updated controllers to use v1 API and make v1 the storage version (#3196, @wallrj)

Other (Bug, Cleanup or Flake)

• Add apiextensions.k8s.io/v1 CRDs (#3178, @meyskens)
• Refactor the cainjector to only have 1 leader election (#3187, @meyskens)

Changes by Kind

Feature

• Add v1 API version (#3177, @wallrj)
• Add output about Order resource for status certificate command if ACME Issuer is used. (#3154, @hzhou97)
• Helm chart: add image digest option (#3175, @guilhem)

Other (Bug, Cleanup or Flake)

• Add apiextensions.k8s.io/v1 CRDs (#3178, @meyskens)
• Add support for admissionregistration.k8s.io/v1 (#3167, @meyskens)
• Add validation webhooks in integration tests (#2958, @meyskens)
• Remove Helm specific labels from static manifests (#3179, @meyskens)
• Use rbac.authorization.k8s.io/v1 (#3172, @meyskens)

Changes by Kind

Feature

• Add Events of the Certificate and of the CertificateRequest to the output of the ctl command status certificate (#3102, @hzhou97)
• Add priorityClassName field to podTemplate for ACME HTTP01 issuers (#3112, @meyskens)
• Add serviceAccountName field to podTemplate for ACME HTTP01 issuers (#3139, @paulwilljones)
• Add webhook.hostNetwork option to the Helm Chart to run the webhook in hostNetwork mode (#3113, @jfrancisco0)
• Add output about the Issuer/ClusterIssuer of the Certificate resource and about creation time of the Certificate. (#3120, @hzhou97)
• Add output about the Secret resource for status certificate command (#3131, @hzhou97)
• Added Namespace to VaultIssuer to support vault roles from a different vault namespaces (#3106, @thejasbabu)
• Allow cert-manager.io/common-name annotation on ingresses (#3085, @meyskens)
• Helm chart: add extra custom annotation block to the mutating and validating webhooks. (#3142, @Cyanopus)

Other (Bug, Cleanup or Flake)

• Ensures Secrets created from the Certificates controller contains the annotation containing the Issuer Group Name. (#3151, @JoshVanL)
• Fix bug of status certificate command where the matching CR gets overwritten (#3117, @hzhou97)
• Use klog v2 and improve the use of log levels (#3143, @meyskens)
• Use rbac.authorization.k8s.io/v1 (#3172, @meyskens)

Changes by Kind

Other (Bug, Cleanup or Flake)

• Ensures Secrets created from the Certificates controller contains the annotation containing the Issuer Group Name. (#3153, @JoshVanL)

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Old versions of kubectl and helm will have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.15-0.16/

• Support for AuditSink resources in the auditregistration.k8s.io/v1alpha1 API group has been removed (#3056, @munnerz)

Changes by Kind

Feature

• Acme: surface the 'reason' for Order's failing on Certificate & CertificateRequest resources for easier debugging of failures (#3075, @munnerz)
• Add Events of the Certificate and of the CertificateRequest to the output of the ctl command status certificate (#3102, @hzhou97)
• Add v1beta1 API version (#3038, @munnerz)
• Add a hostedZoneName field to Cloud DNS (#2975, @meyskens)
• Add cert-manager specific User-Agent to HTTP01 self-checks (#3046, @meyskens)
• Add information about the CertificateRequest resource related to the Certificate to the output of the status certificate command. (#3090, @hzhou97)
• Add new ctl command that outputs the details of the current status of a Certificate resource (#3026, @hzhou97)
• Add new ctl command to manually create a CertificateRequest from yaml description of a Certificate resource. (#2957, @hzhou97)
• Added the ability to set the container securityContext for each deployment in the helm chart (#2858, @sudermanjr)
• Enable the new certificate controller implementations for all users (#3049, @munnerz)
• Kubectl cert-manager: Added flags to wait for the CertificateRequest to be ready and store the certificate in a file. (#3044, @hzhou97)
• Venafi: make issuance of certificates asynchronous (#2979, @meyskens)

Other (Bug, Cleanup or Flake)

• Add e2e tests for OpenShift 3.11 (#2788, @meyskens)
• Add more information to the Cloudflare DNS errors (#3101, @meyskens)
• An empty ca.crt will no longer be added into the secret resource (#2947, @hzhou97)
• Build using Go version 1.14.4 (#3058, @munnerz)
• DNS01: make Cloudflare email optional if a token is used (#2989, @meyskens)
• Default to O = cert-manager in the Venafi issuer if DN is empty (#2946, @meyskens)
• Ensure Deleted Certificates no longer expose metrics and better cover all controller metrics. (#2923, @JoshVanL)
• Error on venafi CertificateRequest when DN is empty (#3053, @meyskens)
• Experimental certificate controllers encode private keys according to specification of user. (#3017, @hzhou97)
• Experimental certificates controllers: fix automated certificate renewal (#3027, @munnerz)
• Fix bug causing kubectl cert-manager convert to not work when conversions need to be performed (#3018, @hzhou97)
• Improve documentation of API types displayed via kubectl explain (#3031, @munnerz)
• Remove custom retry logic from Route53 DNS01 (#2898, @diversario)
• Tag the Docker image with the correct architecture attribute (#3001, @meyskens)
• Update the miekg/dns dependency (#2839, @meyskens)
• Updates AWS Go SDK to 1.31.3 to support Route53 in AWS China Region (#2940, @qqshfox)
• Upgrade to use Kubernetes 1.18.5 client libraries (#3059, @munnerz)
• Use ctl.Scheme in create cr ctl command (#3036, @hzhou97)

Changes by Kind

Feature

• Acme: surface the 'reason' for Order's failing on Certificate & CertificateRequest resources for easier debugging of failures (#3075, @munnerz)
• Add a hostedZoneName field to Cloud DNS (#2975, @meyskens)
• Add information about the CertificateRequest resource related to the Certificate to the output of the status certificate command. (#3090, @hzhou97)
• Add new ctl command that outputs the details of the current status of a Certificate resource (#3026, @hzhou97)
• Kubectl cert-manager: Added flags to wait for the CertificateRequest to be ready and store the certificate in a file. (#3044, @hzhou97)
• Venafi: make issuance of certificates asynchronous (#2979, @meyskens)

Other (Bug, Cleanup or Flake)

• Add e2e tests for OpenShift 3.11 (#2788, @meyskens)
• Add more information to the Cloudflare DNS errors (#3101, @meyskens)

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Support for AuditSink resources in the auditregistration.k8s.io/v1alpha1 API group has been removed (#3056, @munnerz)

Changes by Kind

Feature

• Add v1beta1 API version (#3038, @munnerz)
• Add cert-manager specific User-Agent to HTTP01 self-checks (#3046, @meyskens)
• Add new ctl command to manually create a CertificateRequest from yaml description of a Certificate resource. (#2957, @hzhou97)
• Added the ability to set the container securityContext for each deployment in the helm chart (#2858, @sudermanjr)
• Enable the new certificate controller implementations for all users (#3049, @munnerz)

Other (Bug, Cleanup or Flake)

• An empty ca.crt will no longer be added into the secret resource (#2947, @hzhou97)
• Build using Go version 1.14.4 (#3058, @munnerz)
• DNS01: make Cloudflare email optional if a token is used (#2989, @meyskens)
• Ensure Deleted Certificates no longer expose metrics and better cover all controller metrics. (#2923, @JoshVanL)
• Error on venafi CertificateRequest when DN is empty (#3053, @meyskens)
• Experimental certificate controllers encode private keys according to specification of user. (#3017, @hzhou97)
• Experimental certificates controllers: fix automated certificate renewal (#3027, @munnerz)
• Fix bug causing kubectl cert-manager convert to not work when conversions need to be performed (#3018, @hzhou97)
• Improve documentation of API types displayed via kubectl explain (#3031, @munnerz)
• Remove custom retry logic from Route53 DNS01 (#2898, @diversario)
• Tag the Docker image with the correct architecture attribute (#3001, @meyskens)
• Update the miekg/dns dependency (#2839, @meyskens)
• Updates AWS Go SDK to 1.31.3 to support Route53 in AWS China Region (#2940, @qqshfox)
• Upgrade to use Kubernetes 1.18.5 client libraries (#3059, @munnerz)
• Use ctl.Scheme in create cr ctl command (#3036, @hzhou97)

Changes by Kind

Other (Bug, Cleanup or Flake)

• Error on venafi CertificateRequest when DN is empty (#3054, @meyskens)
• Fix entrypoint being inside a shell in UBI images (cert-manager-olm#12, @meyskens)