With cert-manager v1.0 we're putting a seal of trust on 3 years of development on the cert-manager project.
In these 3 years cert-manager has grown in functionality and stability, but mostly in the community.
Today we see many people using cert-manager to secure their Kubernetes clusters, as well as cert-manager
being integrated into many other parts in the ecosystem.
In the past 16 releases many bugs got fixed, and things that needed to be broken were broken.
Several iterations on the API improved the user experience.
We solved 1500 GitHub Issues with even more PRs by 253 contributors.
With releasing v1.0 we're officially making a statement that cert-manager is a mature project now.
We will also be making a compatibility promise with our v1 API.
A big thank you to everyone who helped to build cert-manager in the past 3 years!
Let v1.0 be the first of many big achievements!
The v1.0 release is a stability release with a few focus areas:
v1APIkubectl cert-manager statuscommand to help with investigating issues- Using new and stable Kubernetes APIs
- Improved logging
- AMCE improvements
We invite you to read more about these changes on our website
Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
- Old versions of
kubectlandhelmwill have issues updating the CRD resources once installed. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.16-1.0/ - Versions of Kubernetes lower than v1.16 need special upgrade instructions. For more info check https://cert-manager.io/docs/installation/upgrading/upgrading-0.16-1.0/
Changes by Kind
Feature
- Add Events of Issuer and Secret to the output of status certificate command (#3213, @hzhou97)
- Add Events of the Certificate and of the CertificateRequest to the output of the ctl command
status certificate(#3102, @hzhou97) - Add
priorityClassNamefield topodTemplatefor ACME HTTP01 issuers (#3112, @meyskens) - Add
serviceAccountNamefield topodTemplatefor ACME HTTP01 issuers (#3139, @paulwilljones) - Add
v1API version (#3177, @wallrj) - Add
webhook.hostNetworkoption to the Helm Chart to run the webhook in hostNetwork mode (#3113, @jfrancisco0) - Add boolean field
disableAccountKeyGenerationtoACMEIssuerto be able to not generate new account key and reuse existing ones. (#3141, @hzhou97) - Add info about Challenges related to a Certificate resource to the output of
status certificatecommand. (#3186, @hzhou97) - Add key usages into the CSR body (#3211, @meyskens)
- Add output about Order resource for
status certificatecommand if ACME Issuer is used. (#3154, @hzhou97) - Add output about the Issuer/ClusterIssuer of the Certificate resource and about creation time of the Certificate. (#3120, @hzhou97)
- Add output about the Secret resource for
status certificatecommand (#3131, @hzhou97) - Add support for alternate certs with
prefferedChainin ACME (#3208, @meyskens) - Add support for ctl convert over a list (#3205, @JoshVanL)
- Added Namespace to VaultIssuer to support vault roles from a different vault namespaces (#3106, @thejasbabu)
- Allow cert-manager.io/common-name annotation on ingresses (#3085, @meyskens)
- Change default output version of convert command to v1. (#3235, @hzhou97)
- Helm chart: add extra custom annotation block to the mutating and validating webhooks. (#3142, @Cyanopus)
- Helm chart: add image digest option (#3175, @guilhem)
- Helm chart: make webhook-probes configurable (#3192, @ckotzbauer)
- Updated controllers to use v1 API and make v1 the storage version (#3196, @wallrj)
Other (Bug, Cleanup or Flake)
- Add apiextensions.k8s.io/v1 CRDs (#3178, @meyskens)
- Add support for admissionregistration.k8s.io/v1 (#3167, @meyskens)
- Add validation webhooks in integration tests (#2958, @meyskens)
- Build using Go version 1.15 (#3228, @wallrj)
- Bump Kubernetes dependencies to 1.19 (#3166, @meyskens)
- Ensures Secrets created from the Certificates controller contains the annotation containing the Issuer Group Name. (#3151, @JoshVanL)
- Fix bug of status certificate command where the matching CR gets overwritten (#3117, @hzhou97)
- Fixes generation of ACME resources if the the 52nd character in a CR name is a symbol. (#3232, @meyskens)
- Let cert-manage handle ACME backoff when Retry-After is set on a rate limit error (#3215, @meyskens)
- Refactor the cainjector to only have 1 leader election (#3187, @meyskens)
- Remove Helm specific labels from static manifests (#3179, @meyskens)
- Remove stability warning from README for v1.0 (#3240, @munnerz)
- Updates kind cluster 1.19 SHA to use upstream kindest (#3227, @JoshVanL)
- Use klog v2 and improve the use of log levels (#3143, @meyskens)
- Use rbac.authorization.k8s.io/v1 (#3172, @meyskens)