Release notes for v1.9.0-alpha.0
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
Version 1.9 adds a variety of quality-of-life fixes and features including more improvements to the build and release process,
the ability to more precisely control how X.509 Certificate subjects are formatted for power users and a slew of other changes.
Thank you to the following community members who had a merged PR for this version - your contributions are at the heart of everything we do!
- @AcidLeroy
- @oGi4i
- @spockz (and @yongk802 who raised a similar PR)
- @andrewgkew
- @sveba
- @rodrigorfk
- @craigminihan
- @lucacome
- @Dean-Coakley
Thanks also to the following maintainers who worked on cert-manager 1.9:
Changes since v1.8.0
Feature
- Adds `make clean-all` for starting a fresh development environment and `make which-go` for getting go version information when developing cert-manager (#5118, @SgtCoDFish)
- Adds `make upload-release` target for publishing cert-manager releases to GCS, simplifying the cert-manager release process and making it easier to change (#5205, @SgtCoDFish)
- Adds a new alpha Prometheus summary vector metric `certmanager_http_venafi_client_request_duration_seconds` which allows tracking the latency of Venafi API calls. The metric is labelled by the type of API call. Example PromQL query: `certmanager_http_venafi_client_request_duration_seconds{api_call="request_certificate"}` will show the average latency of calls to the Venafi certificate request endpoint (#5053, @irbekrm)
- Adds more verbose logging info for certificate renewal in the DynamicSource webhook to include DNSNames (#5142, @AcidLeroy)
- Adds the `cert-manager.io/revision-history-limit` annotation for Ingress resources, to limit the number of CertificateRequests which are kept for a Certificate (#5221, @oGi4i)
- Adds the `literalSubject` field for Certificate resources. This is an alpha feature, enabled by passing the flag `--feature-gates=LiteralCertificateSubject=true` to the cert-manager controller and webhook. `literalSubject` allows fine-grained control of the subject a certificate should have when issued and is intended for power-users with specific use cases in mind (#5002, @spockz)
- Change default build dir from `bin` to `_bin`, which plays better with certain tools which might treat `bin` as just another source directory (#5130, @SgtCoDFish)
- Helm: Adds a new `namespace` parameter which allows users to override the namespace in which resources will be created. This also allows users to set the namespace of the chart when using cert-manager as a sub chart. (#5141, @andrewgkew)
- Helm: Allow for users to not auto-mount service account tokens; see also k/k#57601 (#5016, @sveba)
Bug or Regression
- CertificateRequests controllers must wait for the core secrets informer to be synced (#5224, @rodrigorfk)
- Ensure that `make release-artifacts` only builds unsigned artifacts as intended (#5181, @SgtCoDFish)
- Ensure the startupapicheck is only scheduled on Linux nodes in the helm chart (#5136, @craigminihan)
- Fixed a bug where the Venafi Issuer would not verify its access token (TPP) or API key (Cloud) before becoming ready. Venafi Issuers now remotely verify the access token or API key (#5212, @jahrlin)
- Fixed release artifact archives generated by Make so that a leading `./` is stripped from paths. This ensures that behaviour is the same as v1.7 and earlier (#5050, @jahrlin)
- Increase timeouts for issuer and clusterissuer controllers to 2 minutes and increase ACME client HTTP timeouts to 90 seconds, in order to enable the use of slower ACME issuers which take a long time to process certain requests. (#5226, @SgtCoDFish)
- Remove pkg/util/coverage which broke compatibility with go 1.18; thanks @davidsbond for finding the issue! (#5032, @SgtCoDFish)