Breaking Changes (You MUST read this before you upgrade!)
⚠ Following their deprecation in version 1.5, the cert-manager APIVersions v1alpha2, v1alpha3, and v1beta1 have been removed.
You must ensure that all cert-manager custom resources are stored in etcd at version v1 and that all cert-manager CustomResourceDefinitions have only v1 as the stored version.
Since v1.7.0-alpha.1, cmctl can automatically migrate any deprecated API resources.
Please download cmctl-v1.7.0-alpha.1 (from the Assets section below) and read Removing Deprecated API Resources for full instructions.
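A pre-upgrade check for the stored-version requirement above, as an added example that is not part of the cert-manager project or these release notes. It reads the `status.storedVersions` and `spec.versions[].storage` fields of each CRD in the `cert-manager.io` and `acme.cert-manager.io` groups; the function name, the `_crd` helper and the sample data are constructed for illustration.

```python
import json
import sys

# API groups that cert-manager's CRDs belong to.
CERT_MANAGER_GROUPS = {"cert-manager.io", "acme.cert-manager.io"}


def crds_needing_migration(crd_list):
    """Map CRD name -> problems for cert-manager CRDs that are not v1-only."""
    findings = {}
    for crd in crd_list.get("items", []):
        spec = crd.get("spec", {})
        if spec.get("group") not in CERT_MANAGER_GROUPS:
            continue  # not a cert-manager CRD
        problems = []
        stored = crd.get("status", {}).get("storedVersions", [])
        stale = [v for v in stored if v != "v1"]
        if stale:
            problems.append("storedVersions still lists " + ", ".join(stale))
        storage = [v["name"] for v in spec.get("versions", []) if v.get("storage")]
        if storage != ["v1"]:
            problems.append("storage version is " + (", ".join(storage) or "unset"))
        if problems:
            findings[crd["metadata"]["name"]] = problems
    return findings


def _crd(name, group, stored, storage):
    """Build a minimal CRD object with only the fields the check reads."""
    return {"metadata": {"name": name},
            "spec": {"group": group,
                     "versions": [{"name": storage, "storage": True}]},
            "status": {"storedVersions": stored}}


# Constructed sample in the shape of `kubectl get crd -o json` output.
SAMPLE = {"items": [
    _crd("certificates.cert-manager.io", "cert-manager.io", ["v1alpha2", "v1"], "v1"),
    _crd("issuers.cert-manager.io", "cert-manager.io", ["v1"], "v1"),
    _crd("orders.acme.cert-manager.io", "acme.cert-manager.io", ["v1beta1"], "v1beta1"),
    _crd("widgets.example.com", "example.com", ["v1beta1"], "v1beta1"),
]}

if __name__ == "__main__":
    # Pass "-" to read real `kubectl get crd -o json` output from stdin.
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    result = crds_needing_migration(data)
    for name, problems in sorted(result.items()):
        print(name + ": " + "; ".join(problems))
    sys.exit(1 if result else 0)
```

Any CRD it reports still has objects or a storage version outside v1 and needs migrating before the upgrade; an empty result with exit code 0 means the stored-version condition holds for the CRDs it was given.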
Changelog since v1.7.0-alpha.0
Changes by Kind
Feature
- Add cmctl upgrade migrate-api-version to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#4711, @munnerz)
- Add acme-http01-solver-nameservers flag to enable custom nameservers usage for ACME HTTP01 challenges propagation checks. (#4287, @Adphi)
- Add goimports verification step for CI (#4710, @SgtCoDFish)
- Added additionalOutputFormats parameter to allow DER (binary) and CombinedPEM (key + cert bundle) formats. (#4598, @seuf)
- Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles Certificate SecretTemplates against corresponding Secrets, garbage collecting and correcting key/value changes. (#4638, @JoshVanL)
Bug or Regression
- Fix unexpected exit when multiple DNS providers are passed to RunWebhookServer (#4702, @devholic)
- Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @MattiasGees for raising the issue and help with debugging! (#4688, @irbekrm)
- Improve checksum validation in makefile-based tool installation (#4680, @SgtCoDFish)
Other (Cleanup or Flake)
- Added helm value .Values.serviceAnnotations (#4329, @jwenz723)
- Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#4703, @JoshVanL)
- Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#4697, @irbekrm)
- Update distroless base images for cert-manager (#4706, @SgtCoDFish)
- Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)