github cert-manager/cert-manager v1.6.0

latest releases: v1.9.1, v1.9.0, v1.9.0-beta.1...
9 months ago

Changelog since v1.5.0

Breaking Changes (You MUST read this before you upgrade!)

⚠️ Following their deprecation in version 1.4, the cert-manager APIVersions v1alpha2, v1alpha3, and v1beta1 are no longer served.

This means if your deployment manifests contain any of these API versions, you will not be able to deploy them after upgrading. Our new cmctl utility or old kubectl cert-manager plugin can convert old manifests to v1 for you.

⚠️ JKS Keystores now have a minimum password length of 6 characters, as an unintended side effect of upgrading keystore-go from v2 to v4. This was fixed in cert-manager v1.6.1

Changes by Kind


  • Add Certificate RenewBefore prometheus metrics (#4419, @artificial-aidan)
  • Add option to specify managed identity id when using azure-dns dns-01 solver (#4332, @tomasfreund)
  • Add support for building & developing on M1 macs (#4485, @munnerz)
  • Adds release targets for both cmctl as well as kubectl-cert_manager (#4523, @JoshVanL)
  • Allow setting Helm chart service annotations (#3639, @treydock)
  • CLI: Adds cmctl completion command for generating shell completion scripts for bash, zsh, fish, and powershell (#4408, @JoshVanL)
  • CLI: Adds support for auto-completion on runtime objects (Namespaces, CertificateRequests, Certificates etc.) (#4409, @JoshVanL)
  • CLI: Only expose Kubernetes related flags on commands that use them (#4407, @JoshVanL)
  • Enable configuring CLI command name and registering completion subcommand at build time. (#4522, @JoshVanL)

Bug or Regression

  • FIX: Prevent Vault Client from panicing when request to Vault health endpoint fails. (#4456, @JoshVanL)
  • Fix CRDs which were accidentally changed in cert-manager v1.5.0 (#4353, @SgtCoDFish)
  • Fix regression in Ingress PathType introduced in v1.5.0 (#4373, @jakexks)
  • Fixed the HTTP-01 solver creating ClusterIP instead of NodePort services by default. (#4393, @jakexks)
  • Fixes renewal time issue for certs with skewed duration period. (#4399, @irbekrm)
  • Pod Security Policy for startup api check job (#4364, @ndegory)
  • The startupapicheck post-install hook in the Helm chart now deletes any post-install hook resources left after a previous failed install allowing helm install to be re-run after a previous failure. (#4433, @wallrj)
  • The defaults for leader election parameters are now consistent across cert-manager and cainjector. (#4359, @johanfleury)
  • Use GetAuthorization instead of GetChallenge when querying the current state of an ACME challenge. (#4430, @JoshVanL)

Other (Cleanup or Flake)

  • Adds middleware logging back to ACME client for debugging (#4429, @JoshVanL)
  • Deprecation: The API versions: v1alpha2, v1alpha3, and v1beta1, are no longer served in cert-manager 1.6 and will be removed in cert-manager 1.7. (#4482, @wallrj)
  • Expose error messages (e.g., invalid access token) from the Cloudflare API to users; allow live testing using Cloudflare API token (not just key). (#4465, @andrewmwhite)
  • Fix manually specified PKCS#10 CSR and X.509 Certificate version numbers (although these were ignored in practice) (#4392, @SgtCoDFish)
  • Improves logging for 'owner not found' errors for CertificateRequests owning Orders. (#4369, @irbekrm)
  • Refactor: move from io/ioutil to io and os package (#4402, @Juneezee)
  • Removes status fields from CRD configs (#4379, @irbekrm)
  • Update cert-manager base image versions (#4474, @SgtCoDFish)
  • Uses Go 1.17 (#4478, @irbekrm)

Don't miss a new cert-manager release

NewReleases is sending notifications on new releases.