# Release v1.3.0
## Urgent Upgrade Notes

### (No, really, you MUST read this before you upgrade)

#### Venafi Cloud Issuer

This release updates the [Venafi Cloud Issuer][] to use `OutagePREDICT` instead of `DevOpsACCELERATE`.
The only impact to Venafi Cloud users is the change in zone syntax.
The zone is now `<Application Name>\<Issuing Template Alias>`
(e.g. `My Application\My CIT`).

[Venafi Cloud Issuer]: https://cert-manager.io/docs/configuration/venafi/

#### cert-manager controller

The `--renew-before-expiration-duration` flag has been removed from the cert-manager controller, having been deprecated in the previous release.

#### cert-manager CRDs

`CertificateRequests` are now immutable - the `spec` and `metadata.annotations` fields cannot be changed after creation. They were always designed to be immutable but this behavior is now *enforced* by the cert-manager webhook.

## Changes by Kind

### Feature

- Add automountServiceAccountToken field to service accounts in helm chart ([#3725](https://github.com/jetstack/cert-manager/pull/3725), [@joshuastern](https://github.com/joshuastern))
- Adds Approved condition type to CertificateRequest ([#3735](https://github.com/jetstack/cert-manager/pull/3735), [@JoshVanL](https://github.com/JoshVanL))
- Adds ObservedGeneration field to all Issuer conditions ([#3754](https://github.com/jetstack/cert-manager/pull/3754), [@JoshVanL](https://github.com/JoshVanL))
- Adds RevisionHistoryLimit field to Certificates to optionally garbage collect old CertificateRequests ([#3773](https://github.com/jetstack/cert-manager/pull/3773), [@JoshVanL](https://github.com/JoshVanL))
- Adds UserInfo fields to CertificateRequests containing the UserInfo of the requester: `Username`, `Groups`, `UID`, `Extra`. ([#3641](https://github.com/jetstack/cert-manager/pull/3641), [@JoshVanL](https://github.com/JoshVanL))
- Adds `kubectl cert-manager [approve|deny] CLI commands to manually approve or deny CertificateRequests ([#3792](https://github.com/jetstack/cert-manager/pull/3792), [@JoshVanL](https://github.com/JoshVanL))
- Adds an observedGeneration field to all Certificate conditions. This is set to the generation of that Certificate at the time of updating. ([#3613](https://github.com/jetstack/cert-manager/pull/3613), [@JoshVanL](https://github.com/JoshVanL))
- Allows disabling enabled cert-manager-controller controller, for example '--controllers=*,-foo' ([#3791](https://github.com/jetstack/cert-manager/pull/3791), [@JoshVanL](https://github.com/JoshVanL))
- Enforce CertificateRequest approvers have the permissions: verb=\approve\ resource=\signers\ group=\cert-manager.io\ name=<signer-kind>.<signer-group>/[*|[<signer-namespace>.]<signer-name>] at the Cluster level. ([#3785](https://github.com/jetstack/cert-manager/pull/3785), [@JoshVanL](https://github.com/JoshVanL))
- Retry issuance of Denied CertificateRequests after 1 hour. ([#3795](https://github.com/jetstack/cert-manager/pull/3795), [@JoshVanL](https://github.com/JoshVanL))
- The Venafi issuer in cert-manager is now compatible with Venafi Cloud OutagePREDICT. ([#3831](https://github.com/jetstack/cert-manager/pull/3831), [@wallrj](https://github.com/wallrj))
- `kubectl get certificaterequest` now outputs the Issuer name and the username of the requestor by default ([#3774](https://github.com/jetstack/cert-manager/pull/3774), [@JoshVanL](https://github.com/JoshVanL))

### Documentation

- Add a vulnerability reporting process in SECURITY.md ([#3818](https://github.com/jetstack/cert-manager/pull/3818), [@SgtCoDFish](https://github.com/SgtCoDFish))

### Bug or Regression

- Allow the usage of hostNetwork in the webhook PSP ([#3454](https://github.com/jetstack/cert-manager/pull/3454), [@Kirill-Garbar](https://github.com/Kirill-Garbar))
- Correct permissions on edit aggregate role ([#3697](https://github.com/jetstack/cert-manager/pull/3697), [@yann-soubeyrand](https://github.com/yann-soubeyrand))
- Fix a bug that prevented the immediate re-issuance of a failing certificate: even when the user
 edited the certificate to fix an incorrect field, no certificate request would get created. Editing
 a failed certificate now properly re-issues immediately. ([#3444](https://github.com/jetstack/cert-manager/pull/3444), [@maelvls](https://github.com/maelvls))
- Fixed approle login when namespaces were used in HashiCorp Vault 
 Fixed incorrectly failing health check that was caused when the Vault token did not have sufficient permission to call /sys/- endpoints ([#3582](https://github.com/jetstack/cert-manager/pull/3582), [@lalitadithya](https://github.com/lalitadithya))
- Fixes Helm upgrade bug ([#3647](https://github.com/jetstack/cert-manager/pull/3647), [@irbekrm](https://github.com/irbekrm))
- Fixes multiple Certificate Requests issue - see #3603 ([#3665](https://github.com/jetstack/cert-manager/pull/3665), [@irbekrm](https://github.com/irbekrm))
- Handle CA issuer working as intermediate correctly ([#3847](https://github.com/jetstack/cert-manager/pull/3847), [@erikgb](https://github.com/erikgb))
- Improve error messages when Vault Issuer has misconfigured auth method ([#3763](https://github.com/jetstack/cert-manager/pull/3763), [@JoshVanL](https://github.com/JoshVanL))
- Selfsigned issuer: warn when certs have empty issuer DNs, in violation of TLS RFC 5280 ([#3760](https://github.com/jetstack/cert-manager/pull/3760), [@SgtCoDFish](https://github.com/SgtCoDFish))
- Skip Google Cloud DNS test when gcloud hasn't been configured ([#3752](https://github.com/jetstack/cert-manager/pull/3752), [@SgtCoDFish](https://github.com/SgtCoDFish))
- Use port from helm values for service targetPort ([#3652](https://github.com/jetstack/cert-manager/pull/3652), [@7opf](https://github.com/7opf))

### Other (Cleanup or Flake)

- Bumps go version to v1.16 ([#3823](https://github.com/jetstack/cert-manager/pull/3823), [@irbekrm](https://github.com/irbekrm))
- Removes --renew-before-expiry flag that was deprecated in release v1.2.0 ([#3693](https://github.com/jetstack/cert-manager/pull/3693), [@irbekrm](https://github.com/irbekrm))
- Standardise controller names across the project ([#3789](https://github.com/jetstack/cert-manager/pull/3789), [@JoshVanL](https://github.com/JoshVanL))
- Update distroless/static base image ([#3741](https://github.com/jetstack/cert-manager/pull/3741), [@teejaded](https://github.com/teejaded))
- Updated `cainjector` to use v1 API versions of admissionregistration, apiextensions and apiregistration. ([#3838](https://github.com/jetstack/cert-manager/pull/3838), [@wallrj](https://github.com/wallrj))

## Dependencies

### Added
- github.com/pavel-v-chernykh/keystore-go/v4: [v4.1.0](https://github.com/pavel-v-chernykh/keystore-go/v4/tree/v4.1.0)

### Changed
- github.com/Venafi/vcert/v4: [v4.11.0 → v4.13.1](https://github.com/Venafi/vcert/v4/compare/v4.11.0...v4.13.1)
- gopkg.in/yaml.v2: v2.3.0 → v2.4.0

### Removed
_Nothing has changed._