Release v1.5.0

Release notes for release-1.5

cert-manager 1.5 is the first release to support Kubernetes 1.22.

Note: the API versions v1alpha2, v1alpha3 and v1beta1 will be removed in cert-manager 1.7. Keep in mind that you will have to change all your YAML manifests that use a deprecated API version to use cert-manager.io/v1 instead, and re-apply them before upgrading to cert-manager 1.7.
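A pre-upgrade check for the deprecation above, added here as an example and not part of cert-manager: it walks multi-document YAML manifests, reports every resource whose apiVersion is one of the versions 1.7 removes, and can bump those apiVersion lines to the v1 group version. It deliberately uses only the standard library (no PyYAML), reads only the top-level apiVersion, kind and metadata.name keys, and treats the acme.cert-manager.io group (Order, Challenge) the same way as cert-manager.io, which is an assumption made here. The sample manifests are constructed for the example.

```python
"""Find cert-manager resources in YAML manifests that still use the API
versions cert-manager 1.7 removes (v1alpha2, v1alpha3, v1beta1).
Added example for these release notes, not cert-manager code."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Deprecated versions named in the release notes. Including the
# acme.cert-manager.io group (Order, Challenge) is an assumption here.
DEPRECATED_RE = re.compile(
    r"^(?P<group>(?:acme\.)?cert-manager\.io)/(?P<version>v1alpha2|v1alpha3|v1beta1)$"
)


@dataclass
class Finding:
    doc_index: int      # position of the document in the stream (0-based)
    kind: str
    name: str
    api_version: str    # deprecated value found
    replacement: str    # v1 value the manifest must be moved to


def split_documents(text: str) -> List[str]:
    """Split a multi-document YAML stream on '---' separator lines."""
    docs, current = [], []
    for line in text.splitlines():
        if line.strip() == "---":
            docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def top_level_scalar(doc: str, key: str) -> Optional[str]:
    """Value of an unindented 'key: value' line, quotes stripped."""
    m = re.search(rf"^{re.escape(key)}:[ \t]*(\S+)[ \t]*$", doc, re.M)
    return m.group(1).strip("'\"") if m else None


def metadata_name(doc: str) -> str:
    """'name' directly under the top-level metadata block (2-space indent)."""
    in_meta = False
    for line in doc.splitlines():
        if re.match(r"^metadata:\s*$", line):
            in_meta = True
            continue
        if in_meta:
            if line and not line.startswith(" "):
                break  # left the metadata block
            m = re.match(r"^  name:[ \t]*(\S+)", line)
            if m:
                return m.group(1).strip("'\"")
    return "<unnamed>"


def find_deprecated(text: str) -> List[Finding]:
    """One Finding per document whose apiVersion cert-manager 1.7 drops."""
    findings = []
    for i, doc in enumerate(split_documents(text)):
        api = top_level_scalar(doc, "apiVersion")
        m = DEPRECATED_RE.match(api) if api else None
        if not m:
            continue
        findings.append(Finding(i, top_level_scalar(doc, "kind") or "<unknown>",
                                metadata_name(doc), api, f"{m.group('group')}/v1"))
    return findings


def rewrite_api_versions(text: str) -> str:
    """Bump only the apiVersion line of flagged documents to the v1 version.
    Older schemas also moved or renamed fields, so review the result and
    re-apply it; do not trust the rewrite blindly."""
    return re.sub(
        r"^apiVersion:[ \t]*(?P<group>(?:acme\.)?cert-manager\.io)/(?:v1alpha2|v1alpha3|v1beta1)[ \t]*$",
        lambda m: f"apiVersion: {m.group('group')}/v1", text, flags=re.M)


# Constructed sample: one stale Certificate, one current Issuer, one unrelated
# resource. Real runs pass manifest paths on the command line instead.
SAMPLE_MANIFESTS = """\
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: web-tls
spec:
  secretName: web-tls
  dnsNames:
    - www.example.com
  issuerRef:
    name: letsencrypt
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt
spec:
  selfSigned: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
"""

if __name__ == "__main__":
    sources = [(str(p), Path(p).read_text()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_MANIFESTS)]
    for label, text in sources:
        for f in find_deprecated(text):
            print(f"{label} doc#{f.doc_index}: {f.kind}/{f.name} uses {f.api_version}, move to {f.replacement}")
```

Run it with the paths of your manifests (`python check_apiversions.py manifests/*.yaml`); with no arguments it scans the embedded sample. The rewrite helper is intentionally narrow: it only touches the apiVersion line, because earlier API versions differ from v1 in more than the version string, and the changed manifests still have to be re-applied to the cluster for the stored objects to move to v1.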

Changelog since 1.4

Changes by Kind

Feature

  • Add a name to Prometheus scraping service port (#4072, @francescsanjuanmrf)

  • Add support for adding custom annotations and labels to the Secret containing the TLS key pair. (#3828, @jonathansp)

  • Add the deployed cert-manager version to ‘kubectl cert-manager version’ command (#4226, @inteon)

  • Added a new optional controller: gateway-shim. cert-manager now supports automatic creation of ACME certificates for the sig-network Gateway API Gateway, when annotated similarly to existing support for Ingresses. (#4158, @maelvls)

  • Added a startup api check Job that waits for the cert-manager api to become ready (#4234, @inteon)

  • Added the kubectl ‘cert-manager check api’ command (#4205, @inteon)

  • Adds CLI command: ctl experimental create certificatesigningrequest for creating a Kubernetes CertificateSigningRequest based upon a cert-manager Certificate manifest file (#4106, @JoshVanL)

  • Adds clock_time_seconds metric for calculating expiration time in monitoring systems without a built in function. (#4105, @kit837)

  • Adds support for Ed25519 private keys and signatures for Certificates (#4079, @annerajb)

  • cert-manager is now able to sign CertificateSigningRequests using the ACME issuer. Note that the CertificateSigningRequests support is experimental and requires the use of a flag on the controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4112, @JoshVanL)

  • cert-manager is now able to sign CertificateSigningRequests using the SelfSigned issuer. Note that the CertificateSigningRequests support is experimental and requires the use of a flag on the controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4100, @JoshVanL)

  • cert-manager is now able to sign CertificateSigningRequests using the Vault issuer. Note that the CertificateSigningRequests support is experimental and requires the use of a flag on the controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4103, @JoshVanL)

  • cert-manager is now able to sign CertificateSigningRequests using the Venafi issuer. Note that the CertificateSigningRequests support is experimental and requires the use of a flag on the controller: --feature-gates=ExperimentalCertificateSigningRequestControllers=true (#4108, @JoshVanL)

  • cert-manager now supports the sig-network Gateway API to solve HTTP01 challenges. (#4276, @jakexks)

  • cert-manager now uses the networking.k8s.io/v1 Ingress type if available. (#4225, @jakexks)

  • Fire an event when a CertificateSigningRequest has not yet been approved; processing is skipped until it is. (#4229, @JoshVanL)

  • Reduce binary sizes by adding ‘-s -w’ as ldflags (#4169, @inteon)

  • kubectl cert-manager x install command is added (#4138, @inteon)
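Two of the features above, Ed25519 keys and custom metadata on the issued Secret, as one Certificate manifest. This is an added example, not a manifest from the cert-manager project; the names, namespace and issuer are placeholders, and the labels and annotations are arbitrary values chosen for the example.

```yaml
# Added example (not cert-manager's own): a cert-manager.io/v1 Certificate
# that requests an Ed25519 key pair and stamps labels/annotations onto the
# Secret cert-manager writes, via spec.secretTemplate. Names are placeholders.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-tls
  namespace: prod
spec:
  secretName: api-tls
  dnsNames:
    - api.example.com
  privateKey:
    algorithm: Ed25519
  secretTemplate:
    labels:
      app.kubernetes.io/part-of: api
    annotations:
      example.com/owner: platform-team
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
```

After applying it, `kubectl get secret api-tls -n prod -o yaml` should show the label and annotation on the Secret alongside tls.crt and tls.key. Choose the issuer with the key type in mind: public CAs such as Let's Encrypt do not issue Ed25519 leaf certificates, so an Ed25519 Certificate is best paired with an internal CA or selfSigned issuer, and only where every TLS client that must verify the chain supports Ed25519.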

Bug or Regression

  • Adds an explicit 10 second timeout when checking HTTP01 challenges for reachability (#4318, @SgtCoDFish)

  • Cloudflare: Refactored DNS01 challenge to use API for finding the nearest Zone (fixing potential DNS-Issues) (#4147, @thiscantbeserious)

  • Fix a bug where failed Certificate Requests were not retried (#4130, @irbekrm)

  • Fix check for self-signed certificates in EncodeX509Chain which broke certs whose subject DN matched their issuer’s subject DN (#4237, @SgtCoDFish)

  • Fix handling of chains which don’t have a root in ParseSingleCertificateChain, and improve handling in situations where that function is passed a single certificate. (#4261, @SgtCoDFish)

  • Fixed a bug in the ‘gateway shim’ controller that was causing the cert-manager controller to crash with a nil pointer exception when using the annotation ‘cert-manager.io/issuer’ on a Gateway that had an empty tls block or with certificateRef left empty. (#4293, @maelvls)

  • Fixed a goroutine leak that was causing the controller’s memory usage to grow with time (#4233, @maelvls)

  • Fixed a race condition introduced in v0.15.0 that would crash cert-manager for clusters with a large number of certificates. (#4231, @maelvls)

  • Set correct exit codes on Ctrl+C and process defer calls on error (#4230, @inteon)

  • Set correct labels on resources in static manifest yaml files (#4190, @inteon)

Other (Cleanup or Flake)

  • Adds conformance E2E suite for CertificateSigningRequests (#4101, @JoshVanL)

  • Allows configuring labels on the cert-manager webhook service via a Helm value. (#4260, @mozz-lx)

  • Allows configuring which annotations get copied from a Certificate to its CertificateRequest. Annotations with keys prefixed with kubectl.kubernetes.io/, fluxcd.io, argocd.argoproj.io are now excluded by default. (#4251, @irbekrm)

  • Minor cleanup of make targets, to prepare for more use of make in cert-manager (#4109, @SgtCoDFish)

  • Pre-v1 cert-manager resource requests now must be converted to v1 in order to be validated/mutated by admission webhooks. (Default cert-manager validating and mutating webhook configurations ensure the resource requests are being converted) (#4172, @irbekrm)

  • Reduce binary sizes by adding ‘-w’ as ldflag (#4181, @inteon)

  • Regression: CertificateSigningRequests will no longer have an experimental.cert-manager.io/ca annotation set. (#4143, @JoshVanL)

  • Remove v1beta1 as an accepted AdmissionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4254, @JoshVanL)

  • Remove v1beta1 as an accepted ConversionReviewVersion. cert-manager now only supports v1, available since Kubernetes v1.16 (#4253, @JoshVanL)

  • The controllers now exit more cleanly (e.g. the Leader Election Lease is freed properly on shutdown) (#4243, @inteon)