github cert-manager/cert-manager v1.9.0-alpha.0

latest releases: v1.9.1, v1.9.0, v1.9.0-beta.1...
pre-releaseone month ago

Release notes for v1.9.0-alpha.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

Version 1.9 adds a variety of quality-of-life fixes and features including more improvements to the build and release process,
the ability to more precisely control how X.509 Certificate subjects are formatted for power users and a slew of other changes.

Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!

Thanks also to the following maintainers who worked on cert-manager 1.9:

Changes since v1.8.0


  • Adds make clean-all for starting a fresh development environment and make which-go for getting go version information when developing cert-manager (#5118, @SgtCoDFish)
  • Adds make upload-release target for publishing cert-manager releases to GCS, simplifying the cert-manager release process simpler and making it easier to change (#5205, @SgtCoDFish)
  • Adds a new alpha Prometheus summary vector metric certmanager_http_venafi_client_request_duration_seconds which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"} will show the average latency of calls to the Venafi certificate request endpoint (#5053, @irbekrm)
  • Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#5142, @AcidLeroy)
  • Adds the annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#5221, @oGi4i)
  • Adds the literalSubject field for Certificate resources. This is an alpha feature, enabled by passing the flag --feature-gates=LiteralCertificateSubject=true to the cert-manager controller and webhook. literalSubject allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#5002, @spockz)
  • Change default build dir from bin to _bin, which plays better with certain tools which might treat bin as just another source directory (#5130, @SgtCoDFish)
  • Helm: Adds a new namespace parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#5141, @andrewgkew)
  • Helm: Allow for users to not auto-mount service account tokens see also k/k#57601 (#5016, @sveba)

Bug or Regression

  • CertificateRequests controllers must wait for the core secrets informer to be synced (#5224, @rodrigorfk)
  • Ensure that make release-artifacts only builds unsigned artifacts as intended (#5181, @SgtCoDFish)
  • Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#5136, @craigminihan)
  • Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#5212, @jahrlin)
  • Fixed release artifact archives generated by Make so that a leading ./ is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#5050, @jahrlin)
  • Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5226, @SgtCoDFish)
  • Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @davidsbond for finding the issue! (#5032, @SgtCoDFish)

Other (Cleanup or Flake)

Don't miss a new cert-manager release

NewReleases is sending notifications on new releases.