cert-manager/cert-manager v1.2.0

on GitHub

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• ⚠️ BREAKING CHANGE ⚠️ The minimum supported Kubernetes version is now v1.16.0 as of cert-manager v1.2.0. Users still running Kubernetes v1.15 or below should upgrade to a supported version before installing cert-manager or use cert-manager v1.1.
• The User-Agent request header sent by cert-manager has changed to reflect the ownership transfer to the CNCF — see (#3515, @meyskens)
• The --renew-before-expiration-duration flag of the cert-manager controller-manager has been deprecated. Please set the Certificate.Spec.RenewBefore field instead. This flag will be removed in the next release.
• Certificates issued by the Vault issuer have changed — the root CA instead of the issuing CA is now stored in ca.crt — see (#3433, @sorah)

Changes by Kind

Feature

• Add cert-manager.io/usages to ingress-shim to specify key usages. Server Auth is now also added as default key usage of ingress-shim (#3545, @meyskens)
• Add kubectl cert-manager inspect secret to print certificate info from a secret resource (#3457, @meyskens)
• Add category names to our CRDs so they appear in kubectl get cert-manager and kubectl get cert-manager-acme (#3583, @meyskens)
• Add creation of PKCS12 truststore.p12 using Certificate Authority (#3489, @exceptionfactory)
• Add option to pass the Certificate duration to ACME (not supported by Let's Encrypt yet) (#3347, @meyskens)
• Added the ability to enable pprof profiling of the controller using the command line flag --enable-profiling. (#3477, @tharun208)
• Added the option to specify the OCSP server for certificates issued by the CA issuer (#3505, @hugoboos)
• Allows customization of cainjector leader-election leases with new flags --leader-election-lease-duration, --leader-election-renew-deadline and --leader-election-retry-period (#3527, @ndrpnt)
• The ingress-shim now checks for cert-manager.io/duration and cert-manager.io/renew-before annotations and uses those values to set the Certificate.Spec.Duration and Certificate.Spec.RenewBefore fields. (#3465, @wallrj)
• Venafi Issuer now sets the CA.crt field of the Secret. (#3533, @wallrj)

Bug or Regression

• Deprecated the --renew-before-expiration-duration flag of the cert-manager controller (#3464, @wallrj)
• Fix a bug in the AWS Route53 DNS01 challenge that to retrying over and over instead of observing an exponential back off (#3485, @maelvls)
• Relaxes Ingress validation rules to allow for Certificates to be created/updated for valid Ingress TLS entries even if the same Ingress contains some invalid TLS entries (#3623, @irbekrm)
• Fix Vault issuer not to store a root CA into a certificate bundle (tls.crt). Also, Vault issuer now stores a root CA instead of an issuing CA into a CA bundle (ca.crt), from a CA chain returned from Vault. (#3433, @sorah)
• Fix Helm chart type conversion bug (#3647, @irbekrm)

Other (Cleanup or Flake)

• Always install using admissionregistration.k8s.io/v1 (#3519, @meyskens)
• Change copyright owner to The cert-manager Authors (#3500, @meyskens)
• Migrate Ingress to networking.k8s.io/v1beta1 API group (#3499, @meyskens)
• Remove Jetstack from user-agent fields (#3515, @meyskens)
• Remove legacy release (#3487, @meyskens)