cert-manager v1.2.0

18 months ago

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • ⚠️ BREAKING CHANGE ⚠️ The minimum supported Kubernetes version is now v1.16.0 as of cert-manager v1.2.0. Users still running Kubernetes v1.15 or below should upgrade to a supported version before installing cert-manager or use cert-manager v1.1.
  • The User-Agent request header sent by cert-manager has changed to reflect the ownership transfer to the CNCF — see (#3515, @meyskens)
  • The --renew-before-expiration-duration flag of the cert-manager controller-manager has been deprecated. Please set the Certificate.Spec.RenewBefore field instead. This flag will be removed in the next release.
  • Certificates issued by the Vault issuer have changed — the root CA instead of the issuing CA is now stored in ca.crt — see (#3433, @sorah)

Changes by Kind

Feature

  • Add an annotation to ingress-shim to specify key usages. Server Auth is now also added as a default key usage of ingress-shim (#3545, @meyskens)
  • Add kubectl cert-manager inspect secret to print certificate info from a secret resource (#3457, @meyskens)
  • Add category names to our CRDs so they appear in kubectl get cert-manager and kubectl get cert-manager-acme (#3583, @meyskens)
  • Add creation of PKCS12 truststore.p12 using Certificate Authority (#3489, @exceptionfactory)
  • Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#3347, @meyskens)
  • Added the ability to enable pprof profiling of the controller using the command line flag --enable-profiling. (#3477, @tharun208)
  • Added the option to specify the OCSP server for certificates issued by the CA issuer (#3505, @hugoboos)
  • Allows customization of cainjector leader-election leases with new flags --leader-election-lease-duration, --leader-election-renew-deadline and --leader-election-retry-period (#3527, @ndrpnt)
  • The ingress-shim now checks for annotations and uses their values to set the Certificate.Spec.Duration and Certificate.Spec.RenewBefore fields. (#3465, @wallrj)
  • Venafi Issuer now sets the ca.crt field of the Secret. (#3533, @wallrj)

Bug or Regression

  • Deprecated the --renew-before-expiration-duration flag of the cert-manager controller (#3464, @wallrj)
  • Fix a bug in the AWS Route53 DNS01 challenge that led to retrying over and over instead of observing an exponential back-off (#3485, @maelvls)
  • Relaxes Ingress validation rules to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries (#3623, @irbekrm)
  • Fix the Vault issuer so that it no longer stores a root CA in the certificate bundle (tls.crt). The Vault issuer also now stores the root CA, instead of the issuing CA, in the CA bundle (ca.crt), taken from the CA chain returned from Vault. (#3433, @sorah)
  • Fix Helm chart type conversion bug (#3647, @irbekrm)
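
The Vault issuer change (#3433) alters which certificate ends up in ca.crt and tls.crt, so Secrets issued before and after the upgrade can be told apart by where the self-signed root sits. The Go program below is an added example, not cert-manager code: countCerts, vaultLayoutOK and sampleCert are hypothetical names, the certificates are constructed throwaway samples, and it assumes the chain Vault returns ends in a self-signed root.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// countCerts returns the PEM blocks in a bundle and how many are self-signed roots.
func countCerts(bundle []byte) (total, roots int) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		total++
		c, err := x509.ParseCertificate(blk.Bytes)
		if err == nil && string(c.RawSubject) == string(c.RawIssuer) && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
			roots++
		}
	}
	return
}

// vaultLayoutOK: no root in tls.crt, ca.crt is one root (assumes Vault's chain ends in a root).
func vaultLayoutOK(tlsCrt, caCrt []byte) bool {
	_, tlsRoots := countCerts(tlsCrt)
	caTotal, caRoots := countCerts(caCrt)
	return tlsRoots == 0 && caTotal == 1 && caRoots == 1
}

// sampleCert builds a constructed throwaway certificate; a nil parent means self-signed.
func sampleCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	return tmpl, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	root, rootKey, rootPEM := sampleCert("constructed root CA", nil, nil)
	issuing, issuingKey, issuingPEM := sampleCert("constructed issuing CA", root, rootKey)
	_, _, leafPEM := sampleCert("constructed leaf", issuing, issuingKey)
	chain := append(leafPEM, issuingPEM...)
	fmt.Println(vaultLayoutOK(append(chain, rootPEM...), issuingPEM), vaultLayoutOK(chain, rootPEM)) // false true
}
```

To check a real Secret, pass the decoded tls.crt and ca.crt values from its data to vaultLayoutOK; a false result on a Vault-issued Secret points to one written before v1.2.0, which matters for clients that pin ca.crt as a trust anchor.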

Other (Cleanup or Flake)

