Urgent Upgrade Notes
(No, really, you MUST read this before you upgrade)
- ⚠️ BREAKING CHANGE ⚠️ The minimum supported Kubernetes version is now v1.16.0 as of cert-manager
v1.2.0
. Users still running Kubernetesv1.15
or below should upgrade to a supported version before installing cert-manager or use cert-managerv1.1
. - The
User-Agent
request header sent by cert-manager has changed to reflect the ownership transfer to the CNCF — see (#3515, @meyskens) - The
--renew-before-expiration-duration
flag of the cert-manager controller-manager has been deprecated. Please set theCertificate.Spec.RenewBefore
field instead. This flag will be removed in the next release. - Certificates issued by the Vault issuer have changed — the root CA instead of the issuing CA is now stored in
ca.crt
— see (#3433, @sorah)
Changes by Kind
Feature
- Add
cert-manager.io/usages
to ingress-shim to specify key usages. Server Auth is now also added as default key usage of ingress-shim (#3545, @meyskens) - Add
kubectl cert-manager inspect secret
to print certificate info from a secret resource (#3457, @meyskens) - Add category names to our CRDs so they appear in
kubectl get cert-manager
andkubectl get cert-manager-acme
(#3583, @meyskens) - Add creation of PKCS12 truststore.p12 using Certificate Authority (#3489, @exceptionfactory)
- Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#3347, @meyskens)
- Added the ability to enable pprof profiling of the controller using the command line flag --enable-profiling. (#3477, @tharun208)
- Added the option to specify the OCSP server for certificates issued by the CA issuer (#3505, @hugoboos)
- Allows customization of cainjector leader-election leases with new flags
--leader-election-lease-duration
,--leader-election-renew-deadline
and--leader-election-retry-period
(#3527, @ndrpnt) - The ingress-shim now checks for
cert-manager.io/duration
andcert-manager.io/renew-before
annotations and uses those values to set the Certificate.Spec.Duration and Certificate.Spec.RenewBefore fields. (#3465, @wallrj) - Venafi Issuer now sets the CA.crt field of the Secret. (#3533, @wallrj)
Bug or Regression
- Deprecated the --renew-before-expiration-duration flag of the cert-manager controller (#3464, @wallrj)
- Fix a bug in the AWS Route53 DNS01 challenge that to retrying over and over instead of observing an exponential back off (#3485, @maelvls)
- Relaxes Ingress validation rules to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries (#3623, @irbekrm)
- Fix Vault issuer not to store a root CA into a certificate bundle (
tls.crt
). Also, Vault issuer now stores a root CA instead of an issuing CA into a CA bundle (ca.crt
), from a CA chain returned from Vault. (#3433, @sorah) - Fix Helm chart type conversion bug (#3647, @irbekrm)
Other (Cleanup or Flake)
- Always install using admissionregistration.k8s.io/v1 (#3519, @meyskens)
- Change copyright owner to
The cert-manager Authors
(#3500, @meyskens) - Migrate Ingress to networking.k8s.io/v1beta1 API group (#3499, @meyskens)
- Remove Jetstack from user-agent fields (#3515, @meyskens)
- Remove legacy release (#3487, @meyskens)