Release notes for release-1.4

Changelog since v1.3.1

The CA issuer now attempts to store the root CA instead of the issuing CA into the ca.crt field for issued certificates; this is a change of behavior. All of the information which was previously available is still available: the intermediate should appear as part of the chain in tls.crt. (#3865, @erikgb)
RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#4036, @wallrj)

Add serviceLabels to helm chart for adding custom labels to the controller service (#4009, @eddiehoffman)
Adds an option for a Kubernetes CertificateSigningRequest controller to implement the CA Issuer. (#4064, @JoshVanL)
RunAsNonRoot is now enabled by default in the securityContext values. If you're using custom containers with the chart that run as root, you will need to set this back to false. (#4036, @wallrj)
The Vault issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. (#3982, @JoshVanL)
The CA issuer now constructs a certificate chain after signing, and populates the CertificateRequest.Status.CA with the root most certificate if available. Correctly passes down CA certificate when chaining CA Issuers together. (#3985, @JoshVanL)
Change Venafi Issuer to populate CertificateRequest.Status.CA with the root most certificate that was returned from signing. (#3983, @JoshVanL)
The webhook can now be configured to be accessible from outside of the cluster. (#3876, @anton-johansson)
Update Akamai issuer to use Open Edgegrid EdgeDNS v2 API (#4007, @edglynes)
The kubectl cert-manager plugin is now built for darwin/arm64 (cert-manager/release#37, @irbekrm)

Add @munnerz to SECURITY_CONTACTS.md (#3970, @SgtCoDFish)
Add both style info and warnings about importing cert-manager as a module to README (#3902, @SgtCoDFish)

Fix incorrect PublicKeysEqual comparison function for public keys and improve doc comments on related functions (#3914, @SgtCoDFish)
Fixes a bug where the default cert renewal duration (30d) was clashing with the duration of certs issued by Vault PKI. All Certificates are now renewed 2/3 through the duration unless custom renew period specified by setting spec.renewBefore on the Certificate. (#4092, @irbekrm)
Fixes an issue where an ACME Certificate with a long name (52 characters or more) does not get renewed due to non-unique Order names being generated. (#3866, @jandersen-plaid)
Fixes stuck Orders in case of a misbehaving ACME server (#3805, @irbekrm)

Cert-manager controller now uses ConfigMapsLeasesResourceLock for leader election. (#4016, @irbekrm)
Deprecates UsageContentCommittment (#3860, @jsoref)
Deprecates cert-manager.io/v1alpha2, cert-manager.io/v1alpha3, cert-manager.io/v1beta1, acme.cert-manager.io/v1alpha2, acme.cert-manager.io/v1alpha3, acme.cert-manager.io/v1beta1 APIs. These APIs will be removed in cert-manager v1.6 (#4021, @irbekrm)
Optimistic locking messages (the object has been modified) are now logged at the Info level instead of the Error level, as cert-manager controllers will automatically retry until successful. (#3794, @JoshVanL)
Panic when failing to register schemes during initialization for pkg/webhook/server
Various static analysis fixes across many files including removing unused or redundant code (#4037, @SgtCoDFish)
Testing: Adds Kubernetes CertificateSigningRequest CA Issuer E2E tests. (#4081, @JoshVanL)
Updated details of FindZoneByFqdn error message when an unexpected DNS response code is received. (#3906, @clatour)
Updates Kubernetes libaries to v1.21.0 (#3926, @tamalsaha)
Updates distroless/static base image to latest version as of 2021-05-20 (#4039, @SgtCoDFish)
Validating webhook returns a warning if the legacy ACME issuer EAB key algorithm is set. (#3936, @irbekrm)