github cert-manager/cert-manager v1.7.0-beta.0


Breaking Changes (You MUST read this before you upgrade!)

⚠ Following their deprecation in version 1.5, the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 have been removed. You must ensure that all cert-manager custom resources are stored in etcd at version v1 and that all cert-manager CustomResourceDefinitions have only v1 as the stored version.

Since release 1.7, cmctl can automatically migrate any deprecated API resources. Please download cmctl-v1.7.0-beta.0 and read Removing Deprecated API Resources for full instructions.

Major Themes

Removal of Deprecated APIs

In 1.7 the cert-manager API versions v1alpha2, v1alpha3, and v1beta1 have been removed from the custom resource definitions (CRDs). You will notice that the YAML manifest files are much smaller as a result. These APIs have been deprecated since 1.5.

In this release, we have added a new sub-command to the cert-manager CLI (cmctl upgrade migrate-api-version), which you SHOULD run BEFORE upgrading cert-manager to 1.7. Please read Removing Deprecated API Resources for full instructions.
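
A read-only pre-upgrade check for the stored-version requirement described above, as an added example (not cert-manager's own code and not part of cmctl). It reads the JSON produced by `kubectl get crd -o json` and reports cert-manager CRDs whose `status.storedVersions` or storage version is not exactly v1; the function name and the embedded sample are constructed for illustration.

```python
import json
import sys

# API groups of the cert-manager CRDs.
CERT_MANAGER_GROUPS = {"cert-manager.io", "acme.cert-manager.io"}

# Constructed sample, trimmed to the fields the check reads.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "certificates.cert-manager.io"},
   "spec": {"group": "cert-manager.io",
            "versions": [{"name": "v1alpha2", "storage": false},
                         {"name": "v1", "storage": true}]},
   "status": {"storedVersions": ["v1alpha2", "v1"]}},
  {"metadata": {"name": "orders.acme.cert-manager.io"},
   "spec": {"group": "acme.cert-manager.io",
            "versions": [{"name": "v1", "storage": true}]},
   "status": {"storedVersions": ["v1"]}},
  {"metadata": {"name": "widgets.example.com"},
   "spec": {"group": "example.com",
            "versions": [{"name": "v1beta1", "storage": true}]},
   "status": {"storedVersions": ["v1beta1"]}}
]}
""")


def crds_blocking_upgrade(crd_list):
    """Map each cert-manager CRD that is not v1-only to its list of problems."""
    findings = {}
    for crd in crd_list.get("items", []):
        spec = crd.get("spec", {})
        if spec.get("group") not in CERT_MANAGER_GROUPS:
            continue  # not a cert-manager CRD
        problems = []
        stored = crd.get("status", {}).get("storedVersions", [])
        if stored != ["v1"]:
            problems.append("storedVersions is %s, expected ['v1']" % stored)
        storage = [v["name"] for v in spec.get("versions", []) if v.get("storage")]
        if storage != ["v1"]:
            problems.append("storage version is %s, expected ['v1']" % storage)
        if problems:
            findings[crd["metadata"]["name"]] = problems
    return findings


if __name__ == "__main__":
    # Pass a file saved from `kubectl get crd -o json`, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, problems in sorted(crds_blocking_upgrade(data).items()):
        print(name + ": " + "; ".join(problems))
```

An empty result means every cert-manager CRD in the input already reports v1 as its only stored version; any CRD listed still needs the migration step before the upgrade.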

Server-Side Apply

This is the first version of cert-manager which relies on Server-Side Apply. We are using it to properly manage the annotations and labels on the TLS Secret. For this reason, cert-manager 1.7 requires at least Kubernetes 1.18.

Configuration Files

In this release, we introduce a new configuration file for the cert-manager-webhook. Instead of configuring the webhook using command-line flags, you can now modify the webhook Deployment to mount a ConfigMap containing a configuration file. Read the WebhookConfiguration Schema for more information.

In future releases, we will introduce configuration files for the other cert-manager components: controller-manager and cainjector.


Thanks again to all open-source contributors with commits in this release, including:

And thanks as usual to coderanger for helping people out on the Slack #cert-manager channel; it's a huge help and much appreciated.

Changes by Kind


  • Add cmctl upgrade migrate to ensure all CRD resources are stored at 'v1' prior to upgrading to v1.7 onwards (#4711, @munnerz)
  • Add acme-http01-solver-nameservers flag to enable custom nameservers usage for ACME HTTP01 challenges propagation checks. (#4287, @Adphi)
  • Add goimports verification step for CI (#4710, @SgtCoDFish)
  • Add support for loading webhook flags/options from a WebhookConfiguration file on disk (#4546, @munnerz)
  • Added a makefile-based build workflow which doesn't depend on bazel (#4554, @SgtCoDFish)
  • Added a new Helm chart parameter "prometheus.servicemonitor.honorLabels", which sets the "honor_labels" field of the Prometheus scrape config. (#4608, @thirdeyenick)
  • Added additionalOutputFormats parameter to allow DER (binary) and CombinedPEM (key + cert bundle) formats. (#4598, @seuf)
  • Certificate Secrets are now managed by the APPLY API call, rather than UPDATE/CREATE. The issuing controller actively reconciles Certificate SecretTemplates against corresponding Secrets, garbage collecting and correcting key/value changes. (#4638, @JoshVanL)
  • Fixed a bug that can cause cmctl version to erroneously display the wrong webhook pod versions when older failed pods are present. (#4616) (#4615, @johnwchadwick)

Bug or Regression

  • Fix unexpected exit when multiple DNS providers are passed to RunWebhookServer (#4702, @devholic)
  • Fixes a bug where a previous failed CertificateRequest was picked up during the next issuance. Thanks to @MattiasGees for raising the issue and help with debugging! (#4688, @irbekrm)
  • Improve checksum validation in makefile-based tool installation (#4680, @SgtCoDFish)
  • The HTTP-01 ACME solver now uses the annotation instead of the spec.ingressClassName in created Ingress resources. (#4762, @jakexks)
  • The cmctl experimental install command now uses the cert-manager namespace. This fixes a bug which was introduced in release 1.6 that caused cert-manager to be installed in the default namespace. (#4763, @wallrj)

Other (Cleanup or Flake)

  • Added helm value .Values.serviceAnnotations (#4329, @jwenz723)
  • Adds clock_time_seconds_gauge metric which returns the current clock time, based on seconds since 1970/01/01 UTC (#4640, @JoshVanL)
  • Adds an automated script for cert-manager developers to update versions of kind used for dev + testing (#4574, @SgtCoDFish)
  • Bump kind image versions (#4593, @SgtCoDFish)
  • Clean up: Remove v1beta1 from the webhook's admissionReviewVersions as cert-manager no longer supports v1.16 (#4639, @JoshVanL)
  • Cleanup: Pipe feature gate flag to the e2e binary. Test against shared Feature Gate map for feature enabled and whether they should be tested against. (#4703, @JoshVanL)
  • Ensures 1 hour backoff between errored calls for new ACME Orders. (#4616, @irbekrm)
  • Ensures that in cases where an attempt to finalize an already finalized order is made, the originally issued certificate is used (instead of erroring and creating a new ACME order) (#4697, @irbekrm)
  • No longer log an error when a Certificate is deleted during normal operation. (#4637, @JoshVanL)
  • Removed deprecated API versions from the cert-manager CRDs (#4635, @wallrj)
  • Update distroless base images for cert-manager (#4706, @SgtCoDFish)
  • Upgrade Kubernetes dependencies to v0.23.1 (#4675, @munnerz)
