github cert-manager/cert-manager v1.5.0-beta.0

pre-release, 12 months ago

Release notes for release-1.5

This release adds support for the upcoming Kubernetes 1.22 release. You must upgrade to this beta version if you are trying out Kubernetes 1.22.

Changelog since v1.4.0

Changes by Kind

Feature

  • Add a name to Prometheus scraping service port (#4072, @francescsanjuanmrf)
  • Add support for adding custom annotations and labels to the Secret containing the TLS key pair. (#3828, @jonathansp)
  • Add the deployed cert-manager version to 'kubectl cert-manager version' command (#4226, @inteon)
  • Added a new optional controller: gateway-shim. cert-manager now supports automatic
    creation of certificates for the sig-network Gateway API Gateway, when annotated
    similarly to existing support for Ingresses. (#4158, @maelvls)
  • Added a startup api check Job that waits for the cert-manager api to become ready (#4234, @inteon)
  • Added the kubectl 'cert-manager check api' command (#4205, @inteon)
  • Adds CLI command: ctl experimental create certificatesigningrequest for creating a Kubernetes CertificateSigningRequest based upon a cert-manager Certificate manifest file (#4106, @JoshVanL)
  • Adds clock_time_seconds metric for calculating expiration time in monitoring systems without a built-in function. (#4105, @kit837)
  • Adds support for Ed25519 private keys and signatures for Certificates (#4079, @annerajb)
  • cert-manager is now able to sign CertificateSigningRequests using the ACME issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4112, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the SelfSigned issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4100, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the Vault issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4103, @JoshVanL)
  • cert-manager is now able to sign CertificateSigningRequests using the Venafi issuer. Note that
    the CertificateSigningRequests support is experimental and requires the use of a flag on the
    controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4108, @JoshVanL)
  • cert-manager now supports the sig-network Gateway API to solve HTTP01 challenges. (#4276, @jakexks)
  • cert-manager now uses the networking.k8s.io/v1 Ingress type if available. (#4225, @jakexks)
  • Fire an event when a CertificateSigningRequest has not yet been approved, so processing is skipped until it is. (#4229, @JoshVanL)
  • kubectl cert-manager x install command is added (#4138, @inteon)

Bug or Regression

  • Cloudflare: Refactored DNS01 challenge to use API for finding the nearest Zone (fixing potential DNS issues) (#4147, @thiscantbeserious)
  • Fix a bug where failed Certificate Requests were not retried (#4130, @irbekrm)
  • Fix check for self-signed certificates in EncodeX509Chain which broke certs whose subject DN matched their issuer's subject DN (#4237, @SgtCoDFish)
  • Fix handling of chains which don't have a root in ParseSingleCertificateChain, and improve handling in situations where that function is passed a single certificate. (#4261, @SgtCoDFish)
  • Fixed a bug in the "gateway shim" controller that was causing the cert-manager controller to crash
    with a nil pointer exception when using the annotation "cert-manager.io/issuer" on a Gateway that
    had an empty tls block or with certificateRef left empty. (#4293, @maelvls)
  • Fixed a goroutine leak that was causing the controller's memory usage to grow with time (#4233, @maelvls)
  • Fixed a race condition introduced in v0.15.0 that would crash cert-manager for clusters
    with a large number of certificates. (#4231, @maelvls)
  • Set correct exit codes on ctrl+c event & process defer calls on error (#4230, @inteon)
  • Set correct labels on resources in static manifest yaml files (#4190, @inteon)

Other (Cleanup or Flake)

  • Adds conformance E2E suite for CertificateSigningRequests (#4101, @JoshVanL)
  • Allows configuring labels on the cert-manager webhook service via a Helm value. (#4260, @mozz-lx)
  • Allows configuring which annotations get copied from Certificate to CertificateRequest. Annotations with keys prefixed with kubectl.kubernetes.io/, fluxcd.io, argocd.argoproj.io are now excluded by default. (#4251, @irbekrm)
  • Minor cleanup of make targets, to prepare for more use of make in cert-manager (#4109, @SgtCoDFish)
  • Pre-v1 cert-manager resource requests now must be converted to v1 in order to be validated/mutated by admission webhooks. (Default cert-manager validating and mutating webhook configurations ensure the resource requests are being converted) (#4172, @irbekrm)
  • Reduce binary sizes by adding "-w" as ldflag (#4181, @inteon)
  • Regression: CertificateSigningRequests will no longer have an experimental.cert-manager.io/ca annotation set. (#4143, @JoshVanL)
  • Remove v1beta1 as an accepted AdmissionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4254, @JoshVanL)
  • Remove v1beta1 as an accepted ConversionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4253, @JoshVanL)
  • The controllers now exit more cleanly (e.g. the Leader Election Lease is freed properly on shutdown) (#4243, @inteon)
