github cert-manager/cert-manager v1.8.0-alpha.2

latest releases: v1.9.1, v1.9.0, v1.9.0-beta.1...
pre-release4 months ago

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.8 includes wider support for Kubernetes server-side-apply, a new build and development experience based around
Makefiles rather than Bazel, and a range of other improvements, tweaks and bug fixes.

v1.8 also marks our first release in which the Golang import path for cert-manager is that of the repo's new home:

Breaking Changes (You MUST read this before you upgrade!)

Changed Container Layouts

This only affects you if you're modifying cert-manager containers in some way, such as adding init scripts or otherwise
changing how the binaries inside the containers are called.

Bazel has a unique way of creating containers, which places the actual binary at a long, unusual path. For the v1.7.0 cert-manager-webhook
container for example, the binary is placed at /app/cmd/webhook/webhook.runfiles/com_github_jetstack_cert_manager/cmd/webhook/webhook_/webhook
and /app/cmd/webhook/webhook is provided as a symlink to the binary.

This is simplified in our new build system; we only place a single binary at /app/cmd/webhook/webhook and the old path disappears.
This applies to all cert-manager containers.

We also removed the "LICENSES" file from the containers and replaced it with a link to the cert-manager repo; this reduces container sizes since the LICENSES file was surprisingly large.

.exe Extension on Windows

We package cmctl and kubectl_cert-manager for Windows on amd64 platforms, but previously the binaries had the
same names as the binaries on other platforms, e.g. cmctl with no file extension.

In 1.8.0 and later, the binaries now have a .exe extension since this is standard practice on Windows. This could affect you
if you're calling the binary in a Powershell script, for example.

We've also now added zip-compressed versions of the cmctl and kubectl_cert-manager binaries on Windows, since .tar.gz is less
common on that platform.

Changed Import Path

This will only affect you if you're writing code in Go which imports cert-manager as a module, which we generally recommend against
doing in most cases.

All versions of cert-manager prior to v1.8.0 used a Go import path corresponding to the old cert-manager repository,

v1.8.0 marks the first release in which the import path changes to the new location,

We have a guide for Importing cert-manager in Go on with all the information you'll need, including details on why we don't recommend importing cert-manager as a module if at all possible.


cert-manager thrives thanks to the community and we're always grateful for receiving contributions from open-source community members!

Thanks to the following community members who landed a commit in this release:

Thanks also to the cert-manager maintainer team involved with this release

Changelog since v1.7.0


  • ACTION REQUIRED: The import path for cert-manager has been updated to "". If you import cert-manager as a go module (which isn't currently recommended), you'll need to update the module import path in your code to import cert-manager 1.8 or later. (#4587, @SgtCoDFish)


  • Add make targets for running unit and integration tests, as part of the Bazel replacement. (#4865, @SgtCoDFish)
  • Certificate AdditionalOutputFormat: AdditionalOutputFormats are actively reconciled, meaning cert-manager will always maintain the correct Secret data, both for fields being removed/added/modified on both the Certificate's AdditionalOutputFormat as well as the target Secret's Data. AdditionalOutputFormat is an Alpha feature, and is only enabled with the --feature-gates=AdditionalCertificateOutputFormats=true flag. (#4813, @JoshVanL)
  • Changes cert-manager controllers and ACME clients to use new user agent format cert-manager<component name>/<version> (<os>/<arch>) cert-manager/<git commit>. Field managers now take the form of cert-manager<component name>. (#4773, @JoshVanL)
  • ClusterRoles aggregation to user-facing admin/edit/view ClusterRoles can be optionally turned off (#4937, @illrill)
  • External issuers may now be referenced as the default Issuer name / group / kind for the ingress-shim. (#4833, @jakexks)
  • Ingress whitelist-source-range annotation prefix can now be overridden via an IngressTemplate (#4789, @tasharnvb)
  • Enforce minimum value of to 600s. This is done to ensure compatibility with CSR's spec.expirationSeconds. (#4973, @irbekrm)
  • ServerSideApply: The feature gate ServerSideApply=true configures the certificate-shim controllers to use Kubernetes Server Side Apply on Certificate resources. (#4811, @JoshVanL)
  • ServerSideApply: The feature gate ServerSideApply=true configures the order controller to use Kubernetes Server Side Apply on Order resources. (#4799, @JoshVanL)
  • ServerSideApply: The feature gate ServerSideApply=true configures the certificaterequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4792, @JoshVanL)
  • ServerSideApply: The feature gate ServerSideApply=true configures the certificates controllers to use Kubernetes Server Side Apply on Certificate resources. (#4777, @JoshVanL)
  • ServerSideApply: The feature gate ServerSideApply=true configures the certificatesigningrequest controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4798, @JoshVanL)
  • ServerSideApply: The feature gate ServerSideApply=true configures the issuer and clusterissuer controllers to use Kubernetes Server Side Apply on CertificateRequest resources. (#4794, @JoshVanL)
  • Signers now honor Kubernetes CSR duration expressed via the spec.expirationSeconds field. (#4957, @enj)
  • The experimental Gateway API support now uses the v1alpha2 CRDs. (#4791, @jakexks)
  • You can now uninstall cert-manager using the command cmctl experimental uninstall. (#4897, @jahrlin)
  • Post Issuance Check: proactively ensure that owner reference on issued Secret's reflects the --enable-certificate-owner-ref controller flag. (#4888, @JoshVanL)
  • Gateway API: with v1alpha2, the field labels on the gatewayHTTPRoute solver is now optional. (#4967, @maelvls)

Bug or Regression

  • Added kube validation for certificate.spec.privateKey.rotationPolicy. Valid options are Never and Always. Existing Certificate resources with incorrect values needs to be updated. (#4898 (#4913, @jahrlin)
  • Bumps the version of Go used to build the cert-manager binaries to 1.17.8, to fix a slew of CVEs (none of which were likely to be exploited) (#4970, @vhosakot)
  • Fix: The alpha feature Certificate's additionalOutputFormats is now correctly validated at admission time, and no longer only validated if the privateKey field of the Certificate is set. The Webhook component now contains a separate feature set. The AdditionalCertificateOutputFormats feature gate (disabled by default) has been added to the webhook. This gate is required to be enabled on both the controller and webhook components in order to make use of the Certificate's additionalOutputFormat feature. (#4814, @JoshVanL)
  • Use multivalue records instead of simple records for the AWS Route53 ACME DNS challenge solver, to allow for multiple challenges for the same domain at the same time (#4793, @fvlaicu)
  • The default nodeSelector is now linux. If this label isn't present on any nodes in the cluster, the nodeSelector will need to be overwritten, or that label added to some Nodes. (#3605, @mikebryant)

Other (Cleanup or Flake)

  • Aggregated admin and edit roles will now include permissions to update certificates' status, which will allow namespace admins and editors to run cmctl renew command in their namespaces. (#4955, @andreadecorte)
  • Cleanup: No longer log an error when cert-manager encounters a conflict in the secrets manager, in favour of always force applying. (#4815, @JoshVanL)
  • Failed certificate issuances are now retried with an exponential backoff where the backoff periods are 1h, 2h, 4h, 8h, 16h, 32h. A new field failedIssuanceAttempts is added to Certificate's status that keeps track of consecutive failed issuances. Backoff period gets reset by a successful issuance. The current behaviour where changing certain fields on Certificates spec (such as DNS names) or manually renewing using cmctl tool remains unchanged. (#4772, @irbekrm)
  • Previously, cert-manager supported both ConfigMap & Lease objects for leader election. This change modifies the leader-election code to now solely use Lease objects. Existing ConfigMap resources used for leader election will remain and will need deleting manually. A side effect of this is that you cannot upgrade to v1.8.0 from cert-manager 1.3 (although upgrading multiple versions at a time was never supported). (#4935, @davidsbond)
  • Support for serviceAccount labels in helm charts (#4932, @4molybdenum2)
  • Set allowPrivilegeEscalation in container security context to false by default when not set for acmesolver pod, and set allowPrivilegeEscalation to false by default for controller, cainjector, webhook pods and the startupapicheck job (#4953, @ajvn)
  • Introducing a new metric controller_sync_error_count counting the number of errors during sync() of a controller. (#4987, @jayme-github)

Don't miss a new cert-manager release

NewReleases is sending notifications on new releases.